Well, this is the log from when I ran it last night. It just came straight back again though. I know exactly where this thing came from and that file is long since gone. My download directory is now empty as you can see, so it's not that I am just re-infecting myself. So... I dunno heh. Should I just quit while I'm ahead and reformat?
ComboFix 08-05-24.1 - Si 2008-05-26 1:12:09.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1478 [GMT 1:00]
Running from: C:\Documents and Settings\Si\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Si\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\WINDOWS\system32\awilfnfm.dll
C:\WINDOWS\system32\bjplpfrh.dll
C:\WINDOWS\system32\hvysivrm.dll
C:\WINDOWS\system32\lbcwfjft.dll
C:\WINDOWS\system32\loqujxku.dll
C:\WINDOWS\system32\nnghfptn.dll
C:\WINDOWS\system32\tfjfwcbl.ini
C:\WINDOWS\system32\tyfpwfma.dll
C:\WINDOWS\system32\vdbeakhn.dll
H:\autoplay.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BM2bc670ba.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\awilfnfm.dll
C:\WINDOWS\system32\bjplpfrh.dll
C:\WINDOWS\system32\hvysivrm.dll
C:\WINDOWS\system32\lbcwfjft.dll
C:\WINDOWS\system32\loqujxku.dll
C:\WINDOWS\system32\mmnpcecg.ini
C:\WINDOWS\system32\nnghfptn.dll
C:\WINDOWS\system32\nXbJlUtv.ini
C:\WINDOWS\system32\nXbJlUtv.ini2
C:\WINDOWS\system32\tfjfwcbl.ini
C:\WINDOWS\system32\tyfpwfma.dll
C:\WINDOWS\system32\vdbeakhn.dll
C:\WINDOWS\system32\vtUlJbXn.dll
.
((((((((((((((((((((((((( Files Created from 2008-04-26 to 2008-05-26 )))))))))))))))))))))))))))))))
.
2008-05-26 00:33 . 2008-05-26 00:33 135,168 --a------ C:\WINDOWS\system32\bbdavqrb.dll
2008-05-26 00:27 . 2008-05-26 00:27 114,176 --a------ C:\WINDOWS\system32\gcecpnmm.dll
2008-05-26 00:25 . 2008-05-26 00:25 128,000 --a------ C:\WINDOWS\system32\xscvfuyu.dll
2008-05-26 00:25 . 2008-05-26 00:25 92,160 --a------ C:\WINDOWS\system32\lwarivac.dll
2008-05-25 14:58 . 2008-05-25 14:58 <DIR> d-------- C:\_OTMoveIt
2008-05-25 11:45 . 2008-05-25 11:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-25 01:17 . 2008-05-25 01:17 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-25 01:17 . 2008-05-25 01:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-24 18:49 . 2008-05-24 18:49 <DIR> d-------- C:\Program Files\Uniblue
2008-05-24 18:49 . 2008-05-24 18:49 <DIR> d-------- C:\Documents and Settings\Si\Application Data\Uniblue
2008-05-24 18:49 . 2008-05-24 18:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-05-24 06:17 . 2008-05-24 06:17 <DIR> d-------- C:\Program Files\Flagship Studios
2008-05-23 16:59 . 2008-05-23 16:59 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-05-20 18:53 . 2008-05-20 18:53 <DIR> d-------- C:\WINDOWS\Money Tree
2008-05-19 23:06 . 2008-05-19 23:06 <DIR> d-------- C:\WINDOWS\Profitville
2008-05-19 23:06 . 2008-05-19 23:07 <DIR> d-------- C:\Program Files\Profitville
2008-05-19 19:08 . 2008-05-19 19:10 <DIR> d-------- C:\Documents and Settings\Si\Application Data\LTOA
2008-05-19 18:21 . 2008-05-19 18:21 13,952 --a------ C:\WINDOWS\system32\drivers\soundman.sys
2008-05-19 18:16 . 2008-05-19 18:16 <DIR> d-------- C:\WINDOWS\The Lost Treasures Of Alexandria
2008-05-19 18:16 . 2008-05-25 17:46 <DIR> d-------- C:\Program Files\The Lost Treasures Of Alexandria
2008-05-19 17:51 . 2008-05-19 17:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-05-19 17:50 . 2008-05-19 17:50 <DIR> d-------- C:\Program Files\BFG
2008-05-11 23:02 . 2008-05-11 23:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-11 23:00 . 2008-05-11 23:00 <DIR> d-------- C:\Program Files\Bonjour
2008-05-11 22:54 . 2008-05-11 22:54 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-11 15:38 . 2008-05-26 00:08 <DIR> dr-h----- C:\$VAULT$.AVG
2008-05-08 22:21 . 2008-05-08 22:22 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 5
2008-04-30 17:59 . 2008-04-30 17:59 <DIR> d-------- C:\Documents and Settings\Si\Application Data\GlobalSCAPE
2008-04-30 17:59 . 2008-04-30 17:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GlobalSCAPE
2008-04-30 17:57 . 2008-04-30 17:57 <DIR> d-------- C:\Program Files\GlobalSCAPE
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-24 17:23 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-24 14:34 --------- d-----w C:\Documents and Settings\Si\Application Data\AVG7
2008-05-23 06:31 --------- d-----w C:\Documents and Settings\Si\Application Data\uTorrent
2008-05-22 17:30 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-05-11 22:00 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-06 21:23 --------- d-----w C:\Program Files\PCL-W310
2008-04-30 16:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-25 22:44 --------- d-----w C:\Program Files\The Witcher
2008-04-25 17:06 --------- d-----w C:\Program Files\Cheat Engine
2008-04-19 21:27 --------- d-----w C:\Documents and Settings\Si\Application Data\Ahead
2008-04-19 09:54 278,984 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2008-04-19 09:54 25,416 ----a-w C:\WINDOWS\system32\drivers\lirsgt.sys
2008-04-19 01:40 --------- d-----w C:\Program Files\ACDSee32
2008-04-17 19:07 --------- d-----w C:\Program Files\Warcraft III
2008-04-12 19:56 --------- d-----w C:\Program Files\ASUS
2008-04-11 19:54 --------- d-----w C:\Program Files\TweakNow RegCleaner Std
2008-04-11 19:51 720,896 ----a-w C:\WINDOWS\iun6002.exe
2008-04-11 19:51 --------- d-----w C:\Program Files\TuneXP
2008-04-11 18:57 --------- d-----w C:\Program Files\NVIDIA Corporation
2008-04-11 18:56 --------- d-----w C:\Program Files\NVIDIA nTune Performance Application
2008-04-11 18:08 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-04-11 18:08 --------- d-----w C:\Documents and Settings\Si\Application Data\SystemRequirementsLab
2008-04-11 18:07 --------- d-----w C:\Program Files\Java
2008-04-11 18:06 --------- d-----w C:\Program Files\Common Files\Java
2008-04-04 21:44 --------- d-----w C:\Program Files\GameHouse
2008-03-26 19:25 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-03-18 20:58 2,829 ----a-w C:\WINDOWS\War3Unin.pif
2008-03-18 20:58 139,264 ----a-w C:\WINDOWS\War3Unin.exe
2008-03-10 23:20 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-03-05 15:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll
2008-03-05 15:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll
2008-03-05 15:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll
2008-03-05 14:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll
2008-03-05 14:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of D:\Downloads\Utils ----
D:\Downloads\Utils\
((((((((((((((((((((((((((((( snapshot@2008-05-25_15.18.12.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-24 23:04:04 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-26 00:14:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2001-07-14 16:32:24 69,632 ----a-w C:\WINDOWS\setupupd\temp\wsdueng.dll
+ 2008-05-26 00:14:58 16,384 --sha-w C:\WINDOWS\Temp\Cookies\index.dat
+ 2008-05-26 00:14:58 16,384 --sha-w C:\WINDOWS\Temp\History\History.IE5\index.dat
+ 2008-05-26 00:14:50 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4a4.dat
+ 2008-05-26 00:15:11 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_73c.dat
+ 2008-05-26 00:14:58 32,768 --sha-w C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{514A5C49-0C7D-42c3-A71B-38864A269B7A}]
2008-05-26 00:25 92160 --a------ C:\WINDOWS\system32\lwarivac.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{663656DF-6BAE-460C-A612-8133DF519346}]
C:\WINDOWS\system32\opnopQiF.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e2d8bbff-e3c9-42c7-adf4-bd13bfb9b448}]
2008-05-26 00:33 135168 --a------ C:\WINDOWS\system32\bbdavqrb.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f98dc864-60d0-41d0-bbe5-07edf2001316}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f98dc864-60d0-41d0-bbe5-07edf2001316}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 11:21 153136]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-05-15 18:12 484904]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-03-14 12:55 486856]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 19:25 81920]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gainward"="C:\Program Files\XpertVision\TBPanel.exe" [2007-10-02 13:18 2165256]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 16:21 61952 C:\WINDOWS\system32\HdAShCut.exe]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-21 10:11 925696]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 16:57 153136]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 09:42 579584]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-15 23:54 37376]
"DiskeeperSystray"="C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" [2004-12-22 00:29 180312]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2006-07-29 12:07 188416]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-02-07 17:24 71216]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 17:21 54832]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"28f54326"="C:\WINDOWS\system32\gcecpnmm.dll" [2008-05-26 00:27 114176]
"BM2bc670ba"="C:\WINDOWS\system32\xscvfuyu.dll" [2008-05-26 00:25 128000]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 02:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-29 20:41 219136]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnopQiF]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2007-11-30 15:52 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\Program Files\\Curious Labs\\Poser 6\\Poser.exe"=
"C:\\Program Files\\RSBR-Software\\News File Grabber\\NFG.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
R1 SoundManager;SoundManager;C:\WINDOWS\system32\Drivers\soundman.sys [2008-05-19 18:21]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 17:51]
S3 Z302Mic;Vimicro Z302 Mic Audio Filter Driver;C:\WINDOWS\system32\drivers\UsbMicfilt.sys []
S3 ZSMC302;PCL-W310;C:\WINDOWS\system32\Drivers\usbvm302.sys []
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-05-25 16:35:28 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-26 01:15:43
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-05-26 1:18:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-26 00:18:23
ComboFix2.txt 2008-05-25 23:26:06
ComboFix3.txt 2008-05-25 16:39:20
ComboFix4.txt 2008-05-25 14:44:53
ComboFix5.txt 2008-05-25 14:18:41
Pre-Run: 41,088,958,464 bytes free
Post-Run: 41,080,283,136 bytes free
246