virtumonde got me too

didymustoo

New member
Help! I went to Kaspersky and ran the scanner. It found 15 viruses and 135 (not sure) places. When it finished there was a notification at the bottom of the webpage stating "error on page". There was no button visible to save as text. Next, I ran spybot in safe mode and it found Virtumonde and several other items. I clicked fix problems and all came up with green check. I then rebooted back into windows and launched IE explorer 7 to dl Hijackthis. IE then opened up 14 windows. I ctrl-alt-del and shut down IE. I fired up Opera 9.24, dl'd HJT 2.0.2 and ran it. Here is the log. Thanks in advance!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:10:25 PM, on 2/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\oppop.exe
F2 - REG:system.ini: UserInit=userinit.exe
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\FJW\Application Data\Mozilla\Profiles\default\brw22mi9.slt\prefs.js)
O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [d422d49c] rundll32.exe "C:\WINDOWS\system32\uwdnihak.dll",b
O4 - HKLM\..\Run: [BMd711e700] Rundll32.exe "C:\WINDOWS\system32\qogdaoim.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - ?p=ZJfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {03A0F84E-3E69-4B3E-B4D3-019CB73B57B3} (AuthWebWizardMain.DHTMLPage1) - http://www3.authentium.com/cssrelease/bin/WizMain.exe
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares.netgame.com/download/MusaLauncherNew.cab
O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com/Apps/WSC/en-us/WscWlanScannerCtrl.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4692/mcfscan.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - c:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5657 bytes
 
Hi didymustoo

Rename HijackThis.exe to didymustoo.exe and post back a fresh HijackThis log, please :)
 
didymustoo.exe post

Thanks for your help. I really appreciate it.

Here is the listing of HJT renamed didymustoo.exe.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:29:02 AM, on 2/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\oppop.exe
F2 - REG:system.ini: UserInit=userinit.exe
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\FJW\Application Data\Mozilla\Profiles\default\brw22mi9.slt\prefs.js)
O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [d422d49c] rundll32.exe "C:\WINDOWS\system32\eyhltecu.dll",b
O4 - HKLM\..\Run: [BMd711e700] Rundll32.exe "C:\WINDOWS\system32\iijfonay.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - ?p=ZJfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {03A0F84E-3E69-4B3E-B4D3-019CB73B57B3} (AuthWebWizardMain.DHTMLPage1) - http://www3.authentium.com/cssrelease/bin/WizMain.exe
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares.netgame.com/download/MusaLauncherNew.cab
O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com/Apps/WSC/en-us/WscWlanScannerCtrl.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4692/mcfscan.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - c:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5624 bytes
 
Hi

Unfortunately it didn't go right.

Rename HijackThis.exe to didymustoo.exe by doing the following:

  • Navigate here using Windows Explorer (windows button + E) or My Computer -> Local Disk C: -> C:\Program Files\Trend Micro\HijackThis
  • Right-click on the HijackThis.exe
  • Choose from the pull-down menu: "Rename"
  • And now Rename HijackThis.exe to didymustoo.exe
  • When you've renamed HijackThis, open HijackThis again.
  • Take a fresh HijackThis log (click Do a system scan and save a log file)
  • Post the fresh HijackThis log here.
 
Oops sorry! I only renamed the shortcut the first time. Duh! Here it is.

C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRAM FILES\LOGITECH\VIDEO\FXSVR2.EXE
C:\WINDOWS\SYSTEM32\LVCOMSX.EXE
C:\Program Files\Trend Micro\HijackThis\didymustoo.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\oppop.exe
F2 - REG:system.ini: UserInit=userinit.exe
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\FJW\Application Data\Mozilla\Profiles\default\brw22mi9.slt\prefs.js)
O2 - BHO: (no name) - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {57CDE877-1115-4B40-8455-6D159A00CA36} - C:\WINDOWS\system32\oppop.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: {6ac86db7-7385-301b-c404-be1d10e3c93c} - {c39c3e01-d1eb-404c-b103-58377bd68ca6} - C:\WINDOWS\system32\pohwibin.dll
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\wvuurpq.dll (file missing)
O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [d422d49c] rundll32.exe "C:\WINDOWS\system32\eyhltecu.dll",b
O4 - HKLM\..\Run: [BMd711e700] Rundll32.exe "C:\WINDOWS\system32\iijfonay.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - ?p=ZJfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {03A0F84E-3E69-4B3E-B4D3-019CB73B57B3} (AuthWebWizardMain.DHTMLPage1) - http://www3.authentium.com/cssrelease/bin/WizMain.exe
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares.netgame.com/download/MusaLauncherNew.cab
O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com/Apps/WSC/en-us/WscWlanScannerCtrl.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4692/mcfscan.cab
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\
O20 - Winlogon Notify: wvuurpq - wvuurpq.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - c:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6638 bytes
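For readers triaging logs like the three above: the following is an added example (not HijackThis, ComboFix, or any tool from this thread) that parses HJT 2.x log entries and flags the patterns these logs show, namely rundll32-loaded DLLs with random eight-letter names in system32 (the [d422d49c] and [BMd711e700] Run entries), nameless BHOs and Winlogon Notify hooks pointing at such DLLs, a win.ini load= entry, and a process whose file name carries a space before ".exe" (ctfmon .exe). The rule names and the eight-letter/8-hex heuristics are this example's own assumptions, and the sample log is an abridged excerpt constructed from the lines posted in this thread.

```python
"""Heuristic triage for HijackThis 2.x logs (added example, not a project tool)."""
import re

# Eight lowercase letters followed by .dll under system32, e.g. eyhltecu.dll
RANDOM_DLL = re.compile(r'\\system32\\([a-z]{8})\.dll', re.IGNORECASE)
# rundll32.exe "<dll>",<single-letter export>  (assumed Vundo-style loader shape)
RUNDLL_ENTRY = re.compile(r'rundll32\.exe\s+"([^"]+)",([A-Za-z])\s*$', re.IGNORECASE)
# Run value names that are 8 hex characters, optionally prefixed with "BM"
RANDOM_RUN_NAME = re.compile(r'^\[(?:BM)?[0-9a-f]{8}\]', re.IGNORECASE)
# Whitespace squeezed in before the extension, e.g. "ctfmon .exe"
SPACE_BEFORE_EXT = re.compile(r'\S\s+\.(exe|dll)\s*$', re.IGNORECASE)
# "O4 - HKLM\..\Run: ..." style entries: section code, then the body
HJT_ENTRY = re.compile(r'^([FNOR]\d+) - (.*)$')

# Constructed sample: an abridged excerpt of the logs posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\oppop.exe
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {57CDE877-1115-4B40-8455-6D159A00CA36} - C:\WINDOWS\system32\oppop.dll
O2 - BHO: {6ac86db7-7385-301b-c404-be1d10e3c93c} - {c39c3e01-d1eb-404c-b103-58377bd68ca6} - C:\WINDOWS\system32\pohwibin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [d422d49c] rundll32.exe "C:\WINDOWS\system32\eyhltecu.dll",b
O4 - HKLM\..\Run: [BMd711e700] Rundll32.exe "C:\WINDOWS\system32\iijfonay.dll",s
O20 - Winlogon Notify: wvuurpq - wvuurpq.dll (file missing)
"""


def parse_log(text):
    """Split an HJT log into (process paths, [(section, body), ...])."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == 'Running processes:':
            in_procs = True
            continue
        m = HJT_ENTRY.match(line)
        if m:
            in_procs = False          # first Oxx/Rx/Fx line ends the process list
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries


def triage(text):
    """Return [(rule, line), ...] findings for one HJT log, in log order."""
    findings = []
    processes, entries = parse_log(text)

    for path in processes:
        if SPACE_BEFORE_EXT.search(path):
            findings.append(('process-name-padding', path))

    for section, body in entries:
        if section == 'O4':
            # body: HKLM\..\Run: [name] command
            _, _, rest = body.partition(': ')
            cmd = RUNDLL_ENTRY.search(rest)
            if cmd and RANDOM_DLL.search(cmd.group(1)):
                findings.append(('rundll32-random-dll', body))
            elif RANDOM_RUN_NAME.match(rest):
                findings.append(('random-run-name', body))
        elif section == 'O2':
            # body: BHO: <name> - {CLSID} - <path>; orphaned "(no file)" entries are not flagged
            nameless_with_file = body.startswith('BHO: (no name)') and '(no file)' not in body
            if RANDOM_DLL.search(body) or 'file missing' in body or nameless_with_file:
                findings.append(('suspicious-bho', body))
        elif section == 'O20':
            if RANDOM_DLL.search(body) or 'file missing' in body:
                findings.append(('winlogon-notify', body))
        elif section == 'F3' and 'load=' in body:
            findings.append(('win-ini-load', body))
    return findings


def summarize(findings):
    """Count findings per rule."""
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == '__main__':
    for rule, line in triage(SAMPLE_LOG):
        print(f'{rule:22} {line}')
```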
 
Hi

Yes, now it's better :)

Is this up-to-date?

O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - c:\Program Files\Common Files\Command Software\dvpapi.exe

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

Post:

- a fresh HijackThis log
- combofix report
 
The HJT version I used was downloaded two days ago when I made my first post.

Here is the combofix log. Note I had to break it into two posts to fit.

ComboFix 08-02-19.2 - fjw 2008-02-19 8:43:24.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.678 [GMT -6:00]
Running from: C:\Documents and Settings\fjw\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\guard.tmp
C:\Documents and Settings\fjw\Application Data\ICROSO~1
C:\Documents and Settings\fjw\Application Data\macromedia\Flash Player\#SharedObjects\K7BXFSVM\www.broadcaster.com
C:\Documents and Settings\fjw\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\fjw\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\winupdate
C:\WINDOWS\cookies.ini
C:\WINDOWS\start.exe
C:\WINDOWS\SYSTEM32\000070.exe
C:\WINDOWS\SYSTEM32\000080.exe
C:\WINDOWS\SYSTEM32\akferhlk.ini
C:\WINDOWS\system32\asgtxevg.dll
C:\WINDOWS\system32\bvmivvlm.dll
C:\WINDOWS\system32\cfwyjgkd.dll
C:\WINDOWS\system32\cqmmbeyu.dll
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\cunbxjyh.dll
C:\WINDOWS\system32\dawlrvkx.dll
C:\WINDOWS\system32\dhlytgul.dll
C:\WINDOWS\SYSTEM32\druamxel.ini
C:\WINDOWS\SYSTEM32\dryvguvn.ini
C:\WINDOWS\SYSTEM32\ebafspdw.ini
C:\WINDOWS\system32\ehvhsute.dll
C:\WINDOWS\system32\enipjeie.dll
C:\WINDOWS\system32\epmuqjre.dll
C:\WINDOWS\system32\eyhltecu.dll
C:\WINDOWS\system32\fgvgeoyw.dll
C:\WINDOWS\system32\gqktdkul.dll
C:\WINDOWS\SYSTEM32\gyqgrkyn.ini
C:\WINDOWS\system32\htjqefbw.dll
C:\WINDOWS\SYSTEM32\hwdxwbsn.ini
C:\WINDOWS\SYSTEM32\hxqtkrje.ini
C:\WINDOWS\system32\hyuluxek.dll
C:\WINDOWS\system32\ibnxcxsu.dll
C:\WINDOWS\system32\ifrobeor.dll
C:\WINDOWS\SYSTEM32\iijcpufg.ini
C:\WINDOWS\system32\iijfonay.dll
C:\WINDOWS\system32\infidjge.dll
C:\WINDOWS\SYSTEM32\jbtgrwlq.ini
C:\WINDOWS\system32\jikklstw.dll
C:\WINDOWS\system32\jjfyafpe.dll
C:\WINDOWS\system32\jopiwaiu.dll
C:\WINDOWS\system32\kaynflju.dll
C:\WINDOWS\system32\kgqfyeng.dll
C:\WINDOWS\system32\kpiygyod.dll
C:\WINDOWS\SYSTEM32\ledbbvnc.ini
C:\WINDOWS\system32\lexmaurd.dll
C:\WINDOWS\SYSTEM32\lgxvyhov.ini
C:\WINDOWS\system32\lixxmeks.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mrjtduel.dll
C:\WINDOWS\SYSTEM32\mrynfgiy.ini
C:\WINDOWS\system32\nmrheveg.dll
C:\WINDOWS\SYSTEM32\noiqhjda.ini
C:\WINDOWS\system32\nojhboue.dll
C:\WINDOWS\system32\nsbwxdwh.dll
C:\WINDOWS\system32\okgterca.dll
C:\WINDOWS\system32\omfsyygy.dll
C:\WINDOWS\system32\onxlwkmd.dll
C:\WINDOWS\system32\oppop.dll
C:\WINDOWS\system32\oppop.exe
C:\WINDOWS\system32\pohwibin.dll
C:\WINDOWS\SYSTEM32\poppo.ini
C:\WINDOWS\SYSTEM32\poppo.ini2
C:\WINDOWS\system32\pvmfdxkx.dll
C:\WINDOWS\system32\qogdaoim.dll
C:\WINDOWS\SYSTEM32\qtvaitnp.ini
C:\WINDOWS\system32\qvkdjrrn.dll
C:\WINDOWS\system32\qwlbrbhh.dll
C:\WINDOWS\system32\RCXD.tmp
C:\WINDOWS\system32\rdjrctnw.dll
C:\WINDOWS\system32\rplvmnnr.dll
C:\WINDOWS\system32\rsapyvfp.dll
C:\WINDOWS\system32\rvckajue.dll
C:\WINDOWS\system32\sqhaxkas.dll
C:\WINDOWS\system32\thvdfbkm.dll
C:\WINDOWS\SYSTEM32\ucetlhye.ini
C:\WINDOWS\system32\uguedion.dll
C:\WINDOWS\SYSTEM32\uiawipoj.ini
C:\WINDOWS\system32\uwjxnmwa.dll
C:\WINDOWS\SYSTEM32\valgnqxf.ini
C:\WINDOWS\system32\vaubnybh.dll
C:\WINDOWS\system32\vkcnjxyt.dll
C:\WINDOWS\system32\vmckrlyo.dll
C:\WINDOWS\system32\vohyvxgl.dll
C:\WINDOWS\system32\xcyeawxw.dll
C:\WINDOWS\system32\xebrdxtv.dll
C:\WINDOWS\SYSTEM32\xkxdfmvp.ini
C:\WINDOWS\SYSTEM32\xqacmxny.ini
C:\WINDOWS\system32\xqpvyafu.dll
C:\WINDOWS\system32\ycariooq.dll
C:\WINDOWS\system32\yhdnkuln.dll
C:\WINDOWS\system32\yltfcxlb.dll
C:\WINDOWS\winsysupd71.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS


((((((((((((((((((((((((( Files Created from 2008-01-19 to 2008-02-19 )))))))))))))))))))))))))))))))
.

2008-02-18 07:19 . 2008-02-18 07:19 <DIR> d--hs---- C:\FOUND.000
2008-02-17 13:13 . 2008-02-18 13:14 2,034,575 ---hs---- C:\WINDOWS\SYSTEM32\oxyfjhwa.ini
2008-02-16 21:09 . 2008-02-16 21:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-16 14:48 . 2008-02-16 14:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-16 14:47 . 2008-02-16 14:47 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-02-16 09:10 . 2008-02-17 13:11 2,396,761 ---hs---- C:\WINDOWS\SYSTEM32\kahindwu.ini
2008-02-15 09:04 . 2008-02-18 13:10 6,014 --a------ C:\WINDOWS\BMd711e700.xml
2008-02-15 09:04 . 2008-02-19 07:11 22 --a------ C:\WINDOWS\pskt.ini
2008-02-15 08:33 . 2008-02-15 08:33 <DIR> d-------- C:\mGame
2008-02-14 09:14 . 2008-02-15 07:22 1,944,987 ---hs---- C:\WINDOWS\SYSTEM32\tpkoyoea.ini
2008-02-14 09:11 . 2008-02-14 09:12 2,061,204 ---hs---- C:\WINDOWS\SYSTEM32\jpiqejvx.ini
2008-02-13 09:11 . 2008-02-14 07:12 2,507,492 ---hs---- C:\WINDOWS\SYSTEM32\tqhttets.ini
2008-02-13 09:08 . 2008-02-13 09:08 2,140,513 ---hs---- C:\WINDOWS\SYSTEM32\pprijqhf.ini
2008-02-12 09:11 . 2008-02-13 07:05 2,107,305 ---hs---- C:\WINDOWS\SYSTEM32\gxgjmrhb.ini
2008-02-12 09:08 . 2008-02-12 09:08 2,119,031 ---hs---- C:\WINDOWS\SYSTEM32\chwxhmmf.ini
2008-02-11 09:11 . 2008-02-12 07:11 2,075,362 ---hs---- C:\WINDOWS\SYSTEM32\xpdbncvm.ini
2008-02-11 09:08 . 2008-02-11 09:09 2,092,109 ---hs---- C:\WINDOWS\SYSTEM32\xooaomjm.ini
2008-02-10 09:10 . 2008-02-11 07:06 2,088,273 ---hs---- C:\WINDOWS\SYSTEM32\vsrrdylm.ini
2008-02-10 09:07 . 2008-02-10 09:08 2,090,475 ---hs---- C:\WINDOWS\SYSTEM32\cirueasx.ini
2008-02-09 09:09 . 2008-02-10 06:44 2,092,776 ---hs---- C:\WINDOWS\SYSTEM32\kltgfybn.ini
2008-02-09 09:06 . 2008-02-09 09:07 2,095,002 ---hs---- C:\WINDOWS\SYSTEM32\ofxflobj.ini
2008-02-08 09:12 . 2008-02-09 07:37 2,094,453 ---hs---- C:\WINDOWS\SYSTEM32\lkgjgnxy.ini
2008-02-08 09:06 . 2008-02-08 09:06 2,098,133 ---hs---- C:\WINDOWS\SYSTEM32\xotboipg.ini
2008-02-07 18:15 . 2008-02-07 18:15 67 --a------ C:\WINDOWS\101_ASB.INI
2008-02-07 18:14 . 2008-02-07 18:14 <DIR> d-------- C:\DISNEY
2008-02-07 09:11 . 2008-02-08 07:12 2,075,018 ---hs---- C:\WINDOWS\SYSTEM32\oufrpeds.ini
2008-02-07 09:05 . 2008-02-07 09:05 2,077,268 ---hs---- C:\WINDOWS\SYSTEM32\xgqyrpni.ini
2008-02-06 09:04 . 2008-02-07 09:04 2,080,720 ---hs---- C:\WINDOWS\SYSTEM32\tytemlnm.ini
2008-02-05 09:08 . 2008-02-06 08:46 2,059,879 ---hs---- C:\WINDOWS\SYSTEM32\lujpuouu.ini
2008-02-05 09:02 . 2008-02-05 09:04 2,061,632 ---hs---- C:\WINDOWS\SYSTEM32\puculuhy.ini
2008-02-03 20:39 . 2008-02-05 08:57 2,058,177 ---hs---- C:\WINDOWS\SYSTEM32\btvxjnce.ini
2008-02-03 20:33 . 2008-02-03 20:33 2,054,401 ---hs---- C:\WINDOWS\SYSTEM32\koxuytol.ini
2008-02-02 21:39 . 2008-02-02 21:39 <DIR> d-------- C:\Documents and Settings\fjw\DoctorWeb
2008-01-31 22:34 . 2008-01-31 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-31 20:34 . 2008-02-03 07:10 2,082,396 ---hs---- C:\WINDOWS\SYSTEM32\jinvuulv.ini
2008-01-31 20:31 . 2008-01-31 20:32 1,959,292 ---hs---- C:\WINDOWS\SYSTEM32\rewjlbep.ini
2008-01-31 07:49 . 2008-01-31 18:00 2,004,858 ---hs---- C:\WINDOWS\SYSTEM32\nkgudkqh.ini
2008-01-31 07:43 . 2008-01-31 07:47 2,053,516 ---hs---- C:\WINDOWS\SYSTEM32\ytytwepr.ini
2008-01-30 07:35 . 2008-01-31 07:42 2,095,133 ---hs---- C:\WINDOWS\SYSTEM32\oognqwkq.ini
2008-01-25 16:27 . 2008-01-25 16:27 110 --a------ C:\WINDOWS\HandySnap.INI
2008-01-22 22:01 . 2008-01-22 22:01 <DIR> d-------- C:\OutputFolder
2008-01-22 21:59 . 2008-01-22 21:59 <DIR> d-------- C:\Program Files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-17 19:10 15,360 ----a-w C:\WINDOWS\SYSTEM32\ctfmon .exe
2008-01-16 14:39 186,000 ----a-w C:\Documents and Settings\fjw\Application Data\GDIPFONTCACHEV1.DAT
2008-01-14 13:49 155,648 ----a-w C:\WINDOWS\SYSTEM32\NeroCheck .exe
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\SYSTEM32\dllcache\pngfilt.dll
2007-12-26 05:07 8,413 ----a-w C:\WINDOWS\system32\drivers\mcstrm.sys
2007-12-26 05:07 --------- d-----w C:\Program Files\Common Files\Real
2007-12-26 05:03 --------- d-----w C:\Program Files\Best Buy Rhapsody
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mrxdav.sys
2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\SYSTEM32\lsdelete.exe
2007-12-08 05:21 3,592,192 ------w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2007-12-06 11:01 625,664 ------w C:\WINDOWS\SYSTEM32\dllcache\iexplore.exe
2007-12-06 11:00 70,656 ------w C:\WINDOWS\SYSTEM32\dllcache\ie4uinit.exe
2007-12-06 11:00 13,824 ------w C:\WINDOWS\SYSTEM32\dllcache\ieudinit.exe
2007-12-06 04:59 161,792 ------w C:\WINDOWS\SYSTEM32\dllcache\ieakui.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\SYSTEM32\dllcache\oleaut32.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\SYSTEM32\oleaut32.dll
2006-12-23 16:04 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2006-01-11 02:13 159,312 ----a-w C:\Documents and Settings\Jeremy\Application Data\GDIPFONTCACHEV1.DAT
2005-04-04 22:23 0 ---h--w C:\Program Files\AppUpdate.log
2004-09-21 20:07 86,016 ----a-w C:\Program Files\SPInstall.exe
2004-09-21 16:54 975 ----a-w C:\Program Files\ReadMe.txt
2004-09-21 16:05 1,841 ----a-w C:\Program Files\PackingList.txt
2004-09-21 15:36 908 ----a-w C:\Program Files\Setup.ini
2004-09-21 15:36 19,443,744 ----a-w C:\Program Files\Data1.cab
2004-09-21 15:36 1,591,952 ----a-w C:\Program Files\SundayPlus.msi
2004-09-21 15:35 225,280 ----a-w C:\Program Files\SPSetupHelper.exe
2004-09-15 02:35 49,152 ----a-w C:\Program Files\EnglishUI.dll
2004-04-23 00:02 560 ----a-w C:\Program Files\Global.sw
2004-01-10 02:34 266 --sh--w C:\Program Files\desktop.ini
2003-02-25 15:04 4,632 ----a-w C:\Program Files\0x0409.ini
2006-03-27 03:50 3,766 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
2006-03-27 03:50 88 --sh--r C:\WINDOWS\SYSTEM32\D4B12B0226.sys
.
Code:
<pre>
----a-w           155,648 2008-01-14 13:49:00  C:\WINDOWS\SYSTEM32\NeroCheck .exe
----a-w            15,360 2008-02-17 19:10:12  C:\WINDOWS\SYSTEM32\ctfmon .exe
----a-w           158,208 2008-02-17 03:04:04  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w           649,728 2008-01-14 22:45:12  C:\Program Files\QuickTime\qttask    .exe
----a-w           649,728 2008-01-15 05:18:12  C:\Program Files\QuickTime\qttask     .exe
----a-w           649,728 2008-01-15 13:34:46  C:\Program Files\QuickTime\qttask      .exe
----a-w           649,728 2008-01-16 04:01:32  C:\Program Files\QuickTime\qttask       .exe
----a-w           649,728 2008-01-16 13:52:08  C:\Program Files\QuickTime\qttask        .exe
----a-w           649,728 2008-01-17 13:34:58  C:\Program Files\QuickTime\qttask         .exe
----a-w           282,624 2008-01-17 13:35:46  C:\Program Files\QuickTime\qttask          .exe
----a-w         1,235,456 2008-01-15 05:18:08  C:\Program Files\FolderShare\FolderShare     .exe
----a-w         1,235,456 2008-01-15 13:34:42  C:\Program Files\FolderShare\FolderShare      .exe
----a-w         1,235,456 2008-01-16 04:01:30  C:\Program Files\FolderShare\FolderShare       .exe
----a-w         1,235,456 2008-01-16 13:52:06  C:\Program Files\FolderShare\FolderShare        .exe
----a-w         1,235,456 2008-01-17 13:34:56  C:\Program Files\FolderShare\FolderShare         .exe
----a-w         1,235,456 2008-01-18 13:01:00  C:\Program Files\FolderShare\FolderShare          .exe
----a-w         1,235,456 2008-01-19 05:28:52  C:\Program Files\FolderShare\FolderShare           .exe
----a-w         1,235,456 2008-01-19 14:49:44  C:\Program Files\FolderShare\FolderShare            .exe
----a-w         1,235,456 2008-01-19 22:07:26  C:\Program Files\FolderShare\FolderShare             .exe
----a-w         1,235,456 2008-01-20 13:05:32  C:\Program Files\FolderShare\FolderShare              .exe
----a-w         1,235,456 2008-01-21 00:57:40  C:\Program Files\FolderShare\FolderShare               .exe
----a-w         1,235,456 2008-01-21 13:45:58  C:\Program Files\FolderShare\FolderShare                .exe
----a-w         1,235,456 2008-01-22 13:30:02  C:\Program Files\FolderShare\FolderShare                 .exe
----a-w         1,235,456 2008-01-24 13:23:50  C:\Program Files\FolderShare\FolderShare                  .exe
----a-w         1,235,456 2008-01-25 13:12:52  C:\Program Files\FolderShare\FolderShare                   .exe
----a-w         1,235,456 2008-01-26 14:00:48  C:\Program Files\FolderShare\FolderShare                    .exe
----a-w         1,235,456 2008-01-27 13:10:08  C:\Program Files\FolderShare\FolderShare                     .exe
----a-w         1,235,456 2008-01-28 00:02:38  C:\Program Files\FolderShare\FolderShare                      .exe
----a-w         1,235,456 2008-01-29 13:21:38  C:\Program Files\FolderShare\FolderShare                       .exe
----a-w         1,235,456 2008-01-30 13:26:08  C:\Program Files\FolderShare\FolderShare                        .exe
----a-w         1,235,456 2008-01-30 15:22:54  C:\Program Files\FolderShare\FolderShare                         .exe
----a-w         1,235,456 2008-01-30 16:10:46  C:\Program Files\FolderShare\FolderShare                          .exe
----a-w         1,235,456 2008-01-31 12:52:42  C:\Program Files\FolderShare\FolderShare                           .exe
----a-w         1,235,456 2008-01-31 13:46:00  C:\Program Files\FolderShare\FolderShare                            .exe
----a-w         1,235,456 2008-02-01 04:46:42  C:\Program Files\FolderShare\FolderShare                             .exe
----a-w         1,235,456 2008-02-01 13:14:42  C:\Program Files\FolderShare\FolderShare                              .exe
----a-w         1,235,456 2008-02-02 13:54:24  C:\Program Files\FolderShare\FolderShare                               .exe
----a-w         1,235,456 2008-02-02 16:06:34  C:\Program Files\FolderShare\FolderShare                                .exe
----a-w         1,235,456 2008-02-02 23:20:48  C:\Program Files\FolderShare\FolderShare                                 .exe
----a-w         1,235,456 2008-02-03 00:33:20  C:\Program Files\FolderShare\FolderShare                                  .exe
----a-w         1,235,456 2008-02-03 03:53:04  C:\Program Files\FolderShare\FolderShare                                   .exe
----a-w         1,235,456 2008-02-03 13:09:24  C:\Program Files\FolderShare\FolderShare                                    .exe
----a-w         1,235,456 2008-02-04 13:50:12  C:\Program Files\FolderShare\FolderShare                                     .exe
----a-w         1,235,456 2008-02-05 14:56:58  C:\Program Files\FolderShare\FolderShare                                      .exe
----a-w         1,235,456 2008-02-05 18:28:32  C:\Program Files\FolderShare\FolderShare                                       .exe
----a-w         1,235,456 2008-02-06 14:46:12  C:\Program Files\FolderShare\FolderShare                                        .exe
----a-w         1,235,456 2008-02-06 16:40:16  C:\Program Files\FolderShare\FolderShare                                         .exe
----a-w         1,235,456 2008-02-06 17:39:54  C:\Program Files\FolderShare\FolderShare                                          .exe
----a-w         1,235,456 2008-02-07 13:29:04  C:\Program Files\FolderShare\FolderShare                                           .exe
----a-w         1,235,456 2008-02-08 13:12:16  C:\Program Files\FolderShare\FolderShare                                            .exe
----a-w         1,235,456 2008-02-09 13:36:42  C:\Program Files\FolderShare\FolderShare                                             .exe
----a-w         1,235,456 2008-02-10 12:43:56  C:\Program Files\FolderShare\FolderShare                                              .exe
----a-w         1,235,456 2008-02-11 13:05:44  C:\Program Files\FolderShare\FolderShare                                               .exe
----a-w         1,235,456 2008-02-12 13:11:24  C:\Program Files\FolderShare\FolderShare                                                .exe
----a-w         1,235,456 2008-02-13 13:05:02  C:\Program Files\FolderShare\FolderShare                                                 .exe
----a-w         1,235,456 2008-02-14 01:54:00  C:\Program Files\FolderShare\FolderShare                                                  .exe
----a-w         1,235,456 2008-02-14 13:11:14  C:\Program Files\FolderShare\FolderShare                                                   .exe
----a-w         1,235,456 2008-02-15 13:22:34  C:\Program Files\FolderShare\FolderShare                                                    .exe
----a-w         1,235,456 2008-02-16 14:04:36  C:\Program Files\FolderShare\FolderShare                                                     .exe
----a-w         1,235,456 2008-02-16 16:48:18  C:\Program Files\FolderShare\FolderShare                                                      .exe
----a-w         1,235,456 2008-02-16 19:32:28  C:\Program Files\FolderShare\FolderShare                                                       .exe
----a-w         1,235,456 2008-02-16 20:49:34  C:\Program Files\FolderShare\FolderShare                                                        .exe
----a-w         1,743,360 2008-01-14 22:45:08  C:\Program Files\TGTSoft\StyleXP\StyleXP .exe
----a-w         1,372,160 2008-01-17 13:35:48  C:\Program Files\TGTSoft\StyleXP\StyleXP  .exe
----a-w         1,694,208 2008-02-14 00:24:30  C:\Program Files\Messenger\msmsgs .exe
</pre>
 
Section two of combofix log:


-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@={7D688A77-C613-11D0-999B-00C04FD655E1}

[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2007-10-25 21:34 8460288 --a------ C:\WINDOWS\SYSTEM32\SHELL32.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:07 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 16:22 7618560]
"nwiz"="nwiz.exe" [2006-06-01 16:22 1519616 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-06-01 16:22 86016]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 14:03 106544 C:\WINDOWS\SYSTEM32\TWEAKUI.CPL]
"ATIPTA"="atiptaxx.exe" [2001-09-27 01:39 245760 C:\WINDOWS\SYSTEM32\atiptaxx.exe]

C:\Documents and Settings\fjw\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2007-01-08 21:22:17 2746104]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"<NO NAME>"= 00000000
"NoFavoritesMenu"= 01000000
"NoLogoff"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"<NO NAME>"= 00000000
"NoFavoritesMenu"= 01000000
"NoActiveDesktopChanges"= 0 (0x0)
"NoLogoff"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuurpq]
wvuurpq.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Corel MEDIA FOLDERS INDEXER 8.LNK]
backup=C:\WINDOWS\pss\Corel MEDIA FOLDERS INDEXER 8.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Encoder Agent.lnk]
backup=C:\WINDOWS\pss\Encoder Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Cody^Start Menu^Programs^Startup^LimeWire On Startup.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
--a------ 2001-09-27 01:39 245760 C:\WINDOWS\SYSTEM32\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AuthConsoleStart]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\d422d49c]
C:\WINDOWS\system32\ynxmcaqx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DesktopIconToy]
--a------ 2006-10-26 21:03 278528 C:\Program Files\Desktop Icon Toy\DesktopIconToy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ESP]
--a------ 2006-07-30 12:09 63008 C:\Program Files\Cox\Applications\app\start.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FolderShare]
--a------ 2008-02-16 14:49 1235456 C:\Program Files\FolderShare\FolderShare .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-09-13 15:49 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2003-03-26 05:34 172032 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 10:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 10:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogonStudio]
C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaGateway]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mobipocket Reader Notifications]
--a------ 2006-06-20 16:54 57344 C:\Program Files\Mobipocket.com\Mobipocket Reader\readernotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-02-13 18:24 2226688 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-17 07:35 282624 C:\Program Files\QuickTime\qttask .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2008-02-16 14:49 2441216 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StarSkin]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP]
--a------ 2008-01-17 07:35 1372160 C:\Program Files\TGTSoft\StyleXP\StyleXP .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheMonitor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-05-14 17:22 35328 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winupdate]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UPS"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"msnmsgr"="C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
"LogitechSoftwareUpdate"="C:\PROGRAM FILES\LOGITECH\VIDEO\MANIFESTENGINE.EXE" boot

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"Tweak UI"=RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
"SiS Tray"=C:\WINDOWS\SYSTEM32\sistray.exe
"StillImageMonitor"=C:\WINDOWS\SYSTEM32\stimon.exe

R2 ppsio2;PPDevice;C:\WINDOWS\system32\drivers\ppsio2.sys [1999-04-01 19:16]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2001-09-27 00:32]
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys [2001-08-17 12:11]
S3 dump_wmimmc;dump_wmimmc;C:\Program Files\Gpotato\Flyff\GameGuard\dump_wmimmc.sys []
S3 PhilCam8116;Logitech QuickCam Pro 3000 (08B0);C:\WINDOWS\system32\DRIVERS\CamDrO21.sys [2001-08-17 14:05]
S3 XDva090;XDva090;C:\WINDOWS\system32\XDva090.sys []


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\MmoptPreferredAudioDevices]
rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,@0,SUSB\VID_046D&PID_08B0&MI_01\1USB&VID_046D&PID_08B0&INST_0

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-19 08:53:06
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\Stardock\ObjectDock\DockShellHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
.
**************************************************************************
.
Completion time: 2008-02-19 8:55:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-19 14:54:58
.
2008-02-15 05:58:29 --- E O F ---
 
Hi

Thanks for the info.

We don't install another antivirus yet, as you have the Vundo file infector, which might infect it.

Open notepad and copy/paste the text in the quotebox below into it:

Code:
RenV::
----a-w           155,648 2008-01-14 13:49:00  C:\WINDOWS\SYSTEM32\NeroCheck .exe
----a-w            15,360 2008-02-17 19:10:12  C:\WINDOWS\SYSTEM32\ctfmon .exe
----a-w           158,208 2008-02-17 03:04:04  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w           649,728 2008-01-14 22:45:12  C:\Program Files\QuickTime\qttask    .exe
----a-w           649,728 2008-01-15 05:18:12  C:\Program Files\QuickTime\qttask     .exe
----a-w           649,728 2008-01-15 13:34:46  C:\Program Files\QuickTime\qttask      .exe
----a-w           649,728 2008-01-16 04:01:32  C:\Program Files\QuickTime\qttask       .exe
----a-w           649,728 2008-01-16 13:52:08  C:\Program Files\QuickTime\qttask        .exe
----a-w           649,728 2008-01-17 13:34:58  C:\Program Files\QuickTime\qttask         .exe
----a-w           282,624 2008-01-17 13:35:46  C:\Program Files\QuickTime\qttask          .exe
----a-w         1,235,456 2008-01-15 05:18:08  C:\Program Files\FolderShare\FolderShare     .exe
----a-w         1,235,456 2008-01-15 13:34:42  C:\Program Files\FolderShare\FolderShare      .exe
----a-w         1,235,456 2008-01-16 04:01:30  C:\Program Files\FolderShare\FolderShare       .exe
----a-w         1,235,456 2008-01-16 13:52:06  C:\Program Files\FolderShare\FolderShare        .exe
----a-w         1,235,456 2008-01-17 13:34:56  C:\Program Files\FolderShare\FolderShare         .exe
----a-w         1,235,456 2008-01-18 13:01:00  C:\Program Files\FolderShare\FolderShare          .exe
----a-w         1,235,456 2008-01-19 05:28:52  C:\Program Files\FolderShare\FolderShare           .exe
----a-w         1,235,456 2008-01-19 14:49:44  C:\Program Files\FolderShare\FolderShare            .exe
----a-w         1,235,456 2008-01-19 22:07:26  C:\Program Files\FolderShare\FolderShare             .exe
----a-w         1,235,456 2008-01-20 13:05:32  C:\Program Files\FolderShare\FolderShare              .exe
----a-w         1,235,456 2008-01-21 00:57:40  C:\Program Files\FolderShare\FolderShare               .exe
----a-w         1,235,456 2008-01-21 13:45:58  C:\Program Files\FolderShare\FolderShare                .exe
----a-w         1,235,456 2008-01-22 13:30:02  C:\Program Files\FolderShare\FolderShare                 .exe
----a-w         1,235,456 2008-01-24 13:23:50  C:\Program Files\FolderShare\FolderShare                  .exe
----a-w         1,235,456 2008-01-25 13:12:52  C:\Program Files\FolderShare\FolderShare                   .exe
----a-w         1,235,456 2008-01-26 14:00:48  C:\Program Files\FolderShare\FolderShare                    .exe
----a-w         1,235,456 2008-01-27 13:10:08  C:\Program Files\FolderShare\FolderShare                     .exe
----a-w         1,235,456 2008-01-28 00:02:38  C:\Program Files\FolderShare\FolderShare                      .exe
----a-w         1,235,456 2008-01-29 13:21:38  C:\Program Files\FolderShare\FolderShare                       .exe
----a-w         1,235,456 2008-01-30 13:26:08  C:\Program Files\FolderShare\FolderShare                        .exe
----a-w         1,235,456 2008-01-30 15:22:54  C:\Program Files\FolderShare\FolderShare                         .exe
----a-w         1,235,456 2008-01-30 16:10:46  C:\Program Files\FolderShare\FolderShare                          .exe
----a-w         1,235,456 2008-01-31 12:52:42  C:\Program Files\FolderShare\FolderShare                           .exe
----a-w         1,235,456 2008-01-31 13:46:00  C:\Program Files\FolderShare\FolderShare                            .exe
----a-w         1,235,456 2008-02-01 04:46:42  C:\Program Files\FolderShare\FolderShare                             .exe
----a-w         1,235,456 2008-02-01 13:14:42  C:\Program Files\FolderShare\FolderShare                              .exe
----a-w         1,235,456 2008-02-02 13:54:24  C:\Program Files\FolderShare\FolderShare                               .exe
----a-w         1,235,456 2008-02-02 16:06:34  C:\Program Files\FolderShare\FolderShare                                .exe
----a-w         1,235,456 2008-02-02 23:20:48  C:\Program Files\FolderShare\FolderShare                                 .exe
----a-w         1,235,456 2008-02-03 00:33:20  C:\Program Files\FolderShare\FolderShare                                  .exe
----a-w         1,235,456 2008-02-03 03:53:04  C:\Program Files\FolderShare\FolderShare                                   .exe
----a-w         1,235,456 2008-02-03 13:09:24  C:\Program Files\FolderShare\FolderShare                                    .exe
----a-w         1,235,456 2008-02-04 13:50:12  C:\Program Files\FolderShare\FolderShare                                     .exe
----a-w         1,235,456 2008-02-05 14:56:58  C:\Program Files\FolderShare\FolderShare                                      .exe
----a-w         1,235,456 2008-02-05 18:28:32  C:\Program Files\FolderShare\FolderShare                                       .exe
----a-w         1,235,456 2008-02-06 14:46:12  C:\Program Files\FolderShare\FolderShare                                        .exe
----a-w         1,235,456 2008-02-06 16:40:16  C:\Program Files\FolderShare\FolderShare                                         .exe
----a-w         1,235,456 2008-02-06 17:39:54  C:\Program Files\FolderShare\FolderShare                                          .exe
----a-w         1,235,456 2008-02-07 13:29:04  C:\Program Files\FolderShare\FolderShare                                           .exe
----a-w         1,235,456 2008-02-08 13:12:16  C:\Program Files\FolderShare\FolderShare                                            .exe
----a-w         1,235,456 2008-02-09 13:36:42  C:\Program Files\FolderShare\FolderShare                                             .exe
----a-w         1,235,456 2008-02-10 12:43:56  C:\Program Files\FolderShare\FolderShare                                              .exe
----a-w         1,235,456 2008-02-11 13:05:44  C:\Program Files\FolderShare\FolderShare                                               .exe
----a-w         1,235,456 2008-02-12 13:11:24  C:\Program Files\FolderShare\FolderShare                                                .exe
----a-w         1,235,456 2008-02-13 13:05:02  C:\Program Files\FolderShare\FolderShare                                                 .exe
----a-w         1,235,456 2008-02-14 01:54:00  C:\Program Files\FolderShare\FolderShare                                                  .exe
----a-w         1,235,456 2008-02-14 13:11:14  C:\Program Files\FolderShare\FolderShare                                                   .exe
----a-w         1,235,456 2008-02-15 13:22:34  C:\Program Files\FolderShare\FolderShare                                                    .exe
----a-w         1,235,456 2008-02-16 14:04:36  C:\Program Files\FolderShare\FolderShare                                                     .exe
----a-w         1,235,456 2008-02-16 16:48:18  C:\Program Files\FolderShare\FolderShare                                                      .exe
----a-w         1,235,456 2008-02-16 19:32:28  C:\Program Files\FolderShare\FolderShare                                                       .exe
----a-w         1,235,456 2008-02-16 20:49:34  C:\Program Files\FolderShare\FolderShare                                                        .exe
----a-w         1,743,360 2008-01-14 22:45:08  C:\Program Files\TGTSoft\StyleXP\StyleXP .exe
----a-w         1,372,160 2008-01-17 13:35:48  C:\Program Files\TGTSoft\StyleXP\StyleXP  .exe
----a-w         1,694,208 2008-02-14 00:24:30  C:\Program Files\Messenger\msmsgs .exe

File::
C:\WINDOWS\SYSTEM32\oxyfjhwa.ini
C:\WINDOWS\SYSTEM32\kahindwu.ini
C:\WINDOWS\SYSTEM32\tpkoyoea.ini
C:\WINDOWS\SYSTEM32\jpiqejvx.ini
C:\WINDOWS\SYSTEM32\tqhttets.ini
C:\WINDOWS\SYSTEM32\pprijqhf.ini
C:\WINDOWS\SYSTEM32\gxgjmrhb.ini
C:\WINDOWS\SYSTEM32\chwxhmmf.ini
C:\WINDOWS\SYSTEM32\xpdbncvm.ini
C:\WINDOWS\SYSTEM32\xooaomjm.ini
C:\WINDOWS\SYSTEM32\vsrrdylm.ini
C:\WINDOWS\SYSTEM32\cirueasx.ini
C:\WINDOWS\SYSTEM32\kltgfybn.ini
C:\WINDOWS\SYSTEM32\ofxflobj.ini
C:\WINDOWS\SYSTEM32\lkgjgnxy.ini
C:\WINDOWS\SYSTEM32\xotboipg.ini
C:\WINDOWS\SYSTEM32\oufrpeds.ini
C:\WINDOWS\SYSTEM32\xgqyrpni.ini
C:\WINDOWS\SYSTEM32\tytemlnm.ini
C:\WINDOWS\SYSTEM32\lujpuouu.ini
C:\WINDOWS\SYSTEM32\puculuhy.ini
C:\WINDOWS\SYSTEM32\btvxjnce.ini
C:\WINDOWS\SYSTEM32\koxuytol.ini
C:\WINDOWS\SYSTEM32\jinvuulv.ini
C:\WINDOWS\SYSTEM32\rewjlbep.ini
C:\WINDOWS\SYSTEM32\nkgudkqh.ini
C:\WINDOWS\SYSTEM32\ytytwepr.ini
C:\WINDOWS\SYSTEM32\oognqwkq.ini

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuurpq]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\d422d49c]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaGateway]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winupdate]

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript.gif]


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply, together with a new HijackThis log.

ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any findstr, find, sed or swreg processes; ComboFix should then continue.
If that happens, we want to know, and also which process you had to end.
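As an added example (not code from the thread, from ComboFix or from its authors), a small Python script that reads listing lines in the layout of the RenV:: block above and flags the two artefacts the CFScript targets: executables cloned under space-padded names, grouped by the legitimate file they imitate, and eight-letter random .ini files in SYSTEM32. The sample listing and file list are constructed for the demonstration, and the eight-lowercase-letter heuristic is taken from the shape of the names in the File:: list, not from any ComboFix documentation.

```python
"""Spot the artefacts a ComboFix listing shows for the Vundo/Virtumonde file
infector discussed in this thread: executables duplicated under names padded
with spaces before ".exe" (the RenV:: targets) and eight-letter random .ini
files in SYSTEM32 (the File:: targets)."""
from __future__ import annotations

import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

# One listing line in the layout the RenV:: section uses:
# attributes, byte size with thousands separators, date, time, full path.
LISTING_LINE = re.compile(
    r"^(?P<attrs>[-\w]{7})\s+(?P<size>[\d,]+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<path>.+?)\s*$"
)
# A file name whose stem is followed by whitespace and then the extension,
# e.g. "qttask     .exe". Legitimate names with spaces inside the stem
# ("HP Software Update.lnk") do not match: the stem must end in a non-space
# character immediately before the padding.
PADDED_NAME = re.compile(r"^(?P<stem>.*?\S)(?P<pad>\s+)\.(?P<ext>[^.\s]+)$")
# Eight lowercase letters plus .ini: the shape of every name in the File:: list.
RANDOM_INI = re.compile(r"^[a-z]{8}\.ini$")
SYSTEM32 = r"c:\windows\system32"

# Constructed sample in the thread's listing format (lines modelled on the
# RenV:: list, plus one unpadded ctfmon.exe for contrast).
SAMPLE_LISTING = r"""
----a-w           649,728 2008-01-15 05:18:12  C:\Program Files\QuickTime\qttask     .exe
----a-w           282,624 2008-01-17 13:35:46  C:\Program Files\QuickTime\qttask          .exe
----a-w            15,360 2008-02-17 19:10:12  C:\WINDOWS\SYSTEM32\ctfmon .exe
----a-w            15,360 2004-08-04 01:07:00  C:\WINDOWS\SYSTEM32\ctfmon.exe
----a-w         1,235,456 2008-02-16 20:49:34  C:\Program Files\FolderShare\FolderShare   .exe
----a-w         1,743,360 2008-01-14 22:45:08  C:\Program Files\TGTSoft\StyleXP\StyleXP .exe
----a-w           155,648 2008-01-14 13:49:00  C:\WINDOWS\SYSTEM32\NeroCheck .exe
"""
# Constructed File:: style list: two names from the post and two decoys.
SAMPLE_FILE_LIST = [
    r"C:\WINDOWS\SYSTEM32\oxyfjhwa.ini",
    r"C:\WINDOWS\pskt.ini",              # wrong directory, not flagged
    r"C:\WINDOWS\SYSTEM32\kahindwu.ini",
    r"C:\WINDOWS\SYSTEM32\desktop.ini",  # seven letters, not flagged
]


@dataclass(frozen=True)
class Entry:
    attrs: str
    size: int
    timestamp: str
    path: str

    @property
    def padding(self) -> int:
        """Count of whitespace characters wedged between stem and extension."""
        m = PADDED_NAME.match(ntpath.basename(self.path))
        return len(m.group("pad")) if m else 0

    @property
    def canonical_path(self) -> str:
        """The path with padding removed: the legitimate file being imitated."""
        m = PADDED_NAME.match(ntpath.basename(self.path))
        if not m:
            return self.path
        return ntpath.join(ntpath.dirname(self.path), f"{m.group('stem')}.{m.group('ext')}")


def parse_listing(text: str) -> list[Entry]:
    """Parse listing lines; lines in another layout (e.g. Find3M) are skipped."""
    entries = []
    for line in text.splitlines():
        m = LISTING_LINE.match(line)
        if m:
            entries.append(Entry(m.group("attrs"), int(m.group("size").replace(",", "")),
                                 f"{m.group('date')} {m.group('time')}", m.group("path")))
    return entries


def padded_copies(entries: list[Entry]) -> dict[str, dict]:
    """Group entries by the legitimate path they imitate and, for each path with
    padded look-alikes, report how many exist, the distinct sizes seen and
    whether the unpadded original is also present in the listing."""
    groups: dict[str, list[Entry]] = defaultdict(list)
    for e in entries:
        groups[e.canonical_path.lower()].append(e)
    report = {}
    for target, members in groups.items():
        padded = [e for e in members if e.padding]
        if padded:
            report[target] = {
                "copies": len(padded),
                "sizes": sorted({e.size for e in padded}),
                "original_present": any(not e.padding for e in members),
            }
    return report


def random_system32_ini(paths: list[str]) -> list[str]:
    """Keep only SYSTEM32 .ini files whose name is eight lowercase letters."""
    return [p for p in paths
            if ntpath.dirname(p).lower() == SYSTEM32 and RANDOM_INI.match(ntpath.basename(p))]


if __name__ == "__main__":
    for target, info in padded_copies(parse_listing(SAMPLE_LISTING)).items():
        print(f"{target}: {info['copies']} padded copy/copies, sizes {info['sizes']}, "
              f"original present: {info['original_present']}")
    print("suspicious .ini:", random_system32_ini(SAMPLE_FILE_LIST))
```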
 
Here is the combofix log:

ComboFix 08-02-19.2 - fjw 2008-02-19 12:42:30.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.739 [GMT -6:00]
Running from: C:\Documents and Settings\fjw\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\fjw\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\SYSTEM32\btvxjnce.ini
C:\WINDOWS\SYSTEM32\chwxhmmf.ini
C:\WINDOWS\SYSTEM32\cirueasx.ini
C:\WINDOWS\SYSTEM32\gxgjmrhb.ini
C:\WINDOWS\SYSTEM32\jinvuulv.ini
C:\WINDOWS\SYSTEM32\jpiqejvx.ini
C:\WINDOWS\SYSTEM32\kahindwu.ini
C:\WINDOWS\SYSTEM32\kltgfybn.ini
C:\WINDOWS\SYSTEM32\koxuytol.ini
C:\WINDOWS\SYSTEM32\lkgjgnxy.ini
C:\WINDOWS\SYSTEM32\lujpuouu.ini
C:\WINDOWS\SYSTEM32\nkgudkqh.ini
C:\WINDOWS\SYSTEM32\ofxflobj.ini
C:\WINDOWS\SYSTEM32\oognqwkq.ini
C:\WINDOWS\SYSTEM32\oufrpeds.ini
C:\WINDOWS\SYSTEM32\oxyfjhwa.ini
C:\WINDOWS\SYSTEM32\pprijqhf.ini
C:\WINDOWS\SYSTEM32\puculuhy.ini
C:\WINDOWS\SYSTEM32\rewjlbep.ini
C:\WINDOWS\SYSTEM32\tpkoyoea.ini
C:\WINDOWS\SYSTEM32\tqhttets.ini
C:\WINDOWS\SYSTEM32\tytemlnm.ini
C:\WINDOWS\SYSTEM32\vsrrdylm.ini
C:\WINDOWS\SYSTEM32\xgqyrpni.ini
C:\WINDOWS\SYSTEM32\xooaomjm.ini
C:\WINDOWS\SYSTEM32\xotboipg.ini
C:\WINDOWS\SYSTEM32\xpdbncvm.ini
C:\WINDOWS\SYSTEM32\ytytwepr.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\btvxjnce.ini
C:\WINDOWS\SYSTEM32\chwxhmmf.ini
C:\WINDOWS\SYSTEM32\cirueasx.ini
C:\WINDOWS\SYSTEM32\gxgjmrhb.ini
C:\WINDOWS\SYSTEM32\jinvuulv.ini
C:\WINDOWS\SYSTEM32\jpiqejvx.ini
C:\WINDOWS\SYSTEM32\kahindwu.ini
C:\WINDOWS\SYSTEM32\kltgfybn.ini
C:\WINDOWS\SYSTEM32\koxuytol.ini
C:\WINDOWS\SYSTEM32\lkgjgnxy.ini
C:\WINDOWS\SYSTEM32\lujpuouu.ini
C:\WINDOWS\SYSTEM32\nkgudkqh.ini
C:\WINDOWS\SYSTEM32\ofxflobj.ini
C:\WINDOWS\SYSTEM32\oognqwkq.ini
C:\WINDOWS\SYSTEM32\oufrpeds.ini
C:\WINDOWS\SYSTEM32\oxyfjhwa.ini
C:\WINDOWS\SYSTEM32\pprijqhf.ini
C:\WINDOWS\SYSTEM32\puculuhy.ini
C:\WINDOWS\SYSTEM32\rewjlbep.ini
C:\WINDOWS\SYSTEM32\tpkoyoea.ini
C:\WINDOWS\SYSTEM32\tqhttets.ini
C:\WINDOWS\SYSTEM32\tytemlnm.ini
C:\WINDOWS\SYSTEM32\vsrrdylm.ini
C:\WINDOWS\SYSTEM32\xgqyrpni.ini
C:\WINDOWS\SYSTEM32\xooaomjm.ini
C:\WINDOWS\SYSTEM32\xotboipg.ini
C:\WINDOWS\SYSTEM32\xpdbncvm.ini
C:\WINDOWS\SYSTEM32\ytytwepr.ini

.
((((((((((((((((((((((((( Files Created from 2008-01-19 to 2008-02-19 )))))))))))))))))))))))))))))))
.

2008-02-18 07:19 . 2008-02-18 07:19 <DIR> d--hs---- C:\FOUND.000
2008-02-16 21:09 . 2008-02-16 21:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-16 14:48 . 2008-02-16 14:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-16 14:47 . 2008-02-16 14:47 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-02-15 09:04 . 2008-02-18 13:10 6,014 --a------ C:\WINDOWS\BMd711e700.xml
2008-02-15 09:04 . 2008-02-19 07:11 22 --a------ C:\WINDOWS\pskt.ini
2008-02-15 08:33 . 2008-02-15 08:33 <DIR> d-------- C:\mGame
2008-02-07 18:15 . 2008-02-07 18:15 67 --a------ C:\WINDOWS\101_ASB.INI
2008-02-07 18:14 . 2008-02-07 18:14 <DIR> d-------- C:\DISNEY
2008-02-02 21:39 . 2008-02-02 21:39 <DIR> d-------- C:\Documents and Settings\fjw\DoctorWeb
2008-01-31 22:34 . 2008-01-31 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-25 16:27 . 2008-01-25 16:27 110 --a------ C:\WINDOWS\HandySnap.INI
2008-01-22 22:01 . 2008-01-22 22:01 <DIR> d-------- C:\OutputFolder
2008-01-22 21:59 . 2008-01-22 21:59 <DIR> d-------- C:\Program Files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-17 19:10 15,360 ----a-w C:\WINDOWS\SYSTEM32\ctfmon .exe
2008-02-17 03:04 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
2008-02-17 02:23 500,736 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe.tmp
2008-01-16 14:39 186,000 ----a-w C:\Documents and Settings\fjw\Application Data\GDIPFONTCACHEV1.DAT
2008-01-14 13:49 155,648 ----a-w C:\WINDOWS\SYSTEM32\NeroCheck .exe
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\SYSTEM32\dllcache\pngfilt.dll
2007-12-26 05:07 8,413 ----a-w C:\WINDOWS\system32\drivers\mcstrm.sys
2007-12-26 05:07 --------- d-----w C:\Program Files\Common Files\Real
2007-12-26 05:03 --------- d-----w C:\Program Files\Best Buy Rhapsody
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mrxdav.sys
2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\SYSTEM32\lsdelete.exe
2007-12-08 05:21 3,592,192 ------w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2007-12-06 11:01 625,664 ------w C:\WINDOWS\SYSTEM32\dllcache\iexplore.exe
2007-12-06 11:00 70,656 ------w C:\WINDOWS\SYSTEM32\dllcache\ie4uinit.exe
2007-12-06 11:00 13,824 ------w C:\WINDOWS\SYSTEM32\dllcache\ieudinit.exe
2007-12-06 04:59 161,792 ------w C:\WINDOWS\SYSTEM32\dllcache\ieakui.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\SYSTEM32\dllcache\oleaut32.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\SYSTEM32\oleaut32.dll
2006-12-23 16:04 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2006-01-11 02:13 159,312 ----a-w C:\Documents and Settings\Jeremy\Application Data\GDIPFONTCACHEV1.DAT
2005-11-05 03:58 33,750 ----a-w C:\WINDOWS\Internet Logs\GLB98_2nd_2005_11_04_21_58_33.dmp.zip
2005-11-05 03:58 33,668 ------w C:\WINDOWS\Internet Logs\GLB8F_2nd_2005_11_04_21_57_55.dmp.zip
2005-10-05 00:50 89,304 ------w C:\WINDOWS\Internet Logs\vsmon_2nd_2005_10_04_18_41_53_small.dmp.zip
2005-10-05 00:50 79,592 ------w C:\WINDOWS\Internet Logs\vsmon_2nd_2005_10_04_18_41_35_small.dmp.zip
2005-10-05 00:50 79,542 ------w C:\WINDOWS\Internet Logs\vsmon_2nd_2005_10_04_18_42_35_small.dmp.zip
2005-10-05 00:40 12,377,066 ------w C:\WINDOWS\Internet Logs\ZLCLIENT_2nd_2005_10_04_17_59_25_full.dmp.zip
2005-04-04 22:23 0 ---h--w C:\Program Files\AppUpdate.log
2004-09-21 20:07 86,016 ----a-w C:\Program Files\SPInstall.exe
2004-09-21 16:54 975 ----a-w C:\Program Files\ReadMe.txt
2004-09-21 16:05 1,841 ----a-w C:\Program Files\PackingList.txt
2004-09-21 15:36 908 ----a-w C:\Program Files\Setup.ini
2004-09-21 15:36 19,443,744 ----a-w C:\Program Files\Data1.cab
2004-09-21 15:36 1,591,952 ----a-w C:\Program Files\SundayPlus.msi
2004-09-21 15:35 225,280 ----a-w C:\Program Files\SPSetupHelper.exe
2004-09-15 02:35 49,152 ----a-w C:\Program Files\EnglishUI.dll
2004-04-23 00:02 560 ----a-w C:\Program Files\Global.sw
2004-01-10 02:34 266 --sh--w C:\Program Files\desktop.ini
2003-02-25 15:04 4,632 ----a-w C:\Program Files\0x0409.ini
2006-03-27 03:50 3,766 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
2006-03-27 03:50 88 --sh--r C:\WINDOWS\SYSTEM32\D4B12B0226.sys
.
Code:
<pre>
----a-w           155,648 2008-01-14 13:49:00  C:\WINDOWS\SYSTEM32\NeroCheck .exe
----a-w            15,360 2008-02-17 19:10:12  C:\WINDOWS\SYSTEM32\ctfmon .exe
----a-w           158,208 2008-02-17 03:04:04  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w           649,728 2008-01-14 22:45:12  C:\Program Files\QuickTime\qttask    .exe
----a-w           649,728 2008-01-15 05:18:12  C:\Program Files\QuickTime\qttask     .exe
----a-w           649,728 2008-01-15 13:34:46  C:\Program Files\QuickTime\qttask      .exe
----a-w           649,728 2008-01-16 04:01:32  C:\Program Files\QuickTime\qttask       .exe
----a-w           649,728 2008-01-16 13:52:08  C:\Program Files\QuickTime\qttask        .exe
----a-w           649,728 2008-01-17 13:34:58  C:\Program Files\QuickTime\qttask         .exe
----a-w           282,624 2008-01-17 13:35:46  C:\Program Files\QuickTime\qttask          .exe
----a-w         1,235,456 2008-01-15 05:18:08  C:\Program Files\FolderShare\FolderShare     .exe
----a-w         1,235,456 2008-01-15 13:34:42  C:\Program Files\FolderShare\FolderShare      .exe
----a-w         1,235,456 2008-01-16 04:01:30  C:\Program Files\FolderShare\FolderShare       .exe
----a-w         1,235,456 2008-01-16 13:52:06  C:\Program Files\FolderShare\FolderShare        .exe
----a-w         1,235,456 2008-01-17 13:34:56  C:\Program Files\FolderShare\FolderShare         .exe
----a-w         1,235,456 2008-01-18 13:01:00  C:\Program Files\FolderShare\FolderShare          .exe
----a-w         1,235,456 2008-01-19 05:28:52  C:\Program Files\FolderShare\FolderShare           .exe
----a-w         1,235,456 2008-01-19 14:49:44  C:\Program Files\FolderShare\FolderShare            .exe
----a-w         1,235,456 2008-01-19 22:07:26  C:\Program Files\FolderShare\FolderShare             .exe
----a-w         1,235,456 2008-01-20 13:05:32  C:\Program Files\FolderShare\FolderShare              .exe
----a-w         1,235,456 2008-01-21 00:57:40  C:\Program Files\FolderShare\FolderShare               .exe
----a-w         1,235,456 2008-01-21 13:45:58  C:\Program Files\FolderShare\FolderShare                .exe
----a-w         1,235,456 2008-01-22 13:30:02  C:\Program Files\FolderShare\FolderShare                 .exe
----a-w         1,235,456 2008-01-24 13:23:50  C:\Program Files\FolderShare\FolderShare                  .exe
----a-w         1,235,456 2008-01-25 13:12:52  C:\Program Files\FolderShare\FolderShare                   .exe
----a-w         1,235,456 2008-01-26 14:00:48  C:\Program Files\FolderShare\FolderShare                    .exe
----a-w         1,235,456 2008-01-27 13:10:08  C:\Program Files\FolderShare\FolderShare                     .exe
----a-w         1,235,456 2008-01-28 00:02:38  C:\Program Files\FolderShare\FolderShare                      .exe
----a-w         1,235,456 2008-01-29 13:21:38  C:\Program Files\FolderShare\FolderShare                       .exe
----a-w         1,235,456 2008-01-30 13:26:08  C:\Program Files\FolderShare\FolderShare                        .exe
----a-w         1,235,456 2008-01-30 15:22:54  C:\Program Files\FolderShare\FolderShare                         .exe
----a-w         1,235,456 2008-01-30 16:10:46  C:\Program Files\FolderShare\FolderShare                          .exe
----a-w         1,235,456 2008-01-31 12:52:42  C:\Program Files\FolderShare\FolderShare                           .exe
----a-w         1,235,456 2008-01-31 13:46:00  C:\Program Files\FolderShare\FolderShare                            .exe
----a-w         1,235,456 2008-02-01 04:46:42  C:\Program Files\FolderShare\FolderShare                             .exe
----a-w         1,235,456 2008-02-01 13:14:42  C:\Program Files\FolderShare\FolderShare                              .exe
----a-w         1,235,456 2008-02-02 13:54:24  C:\Program Files\FolderShare\FolderShare                               .exe
----a-w         1,235,456 2008-02-02 16:06:34  C:\Program Files\FolderShare\FolderShare                                .exe
----a-w         1,235,456 2008-02-02 23:20:48  C:\Program Files\FolderShare\FolderShare                                 .exe
----a-w         1,235,456 2008-02-03 00:33:20  C:\Program Files\FolderShare\FolderShare                                  .exe
----a-w         1,235,456 2008-02-03 03:53:04  C:\Program Files\FolderShare\FolderShare                                   .exe
----a-w         1,235,456 2008-02-03 13:09:24  C:\Program Files\FolderShare\FolderShare                                    .exe
----a-w         1,235,456 2008-02-04 13:50:12  C:\Program Files\FolderShare\FolderShare                                     .exe
----a-w         1,235,456 2008-02-05 14:56:58  C:\Program Files\FolderShare\FolderShare                                      .exe
----a-w         1,235,456 2008-02-05 18:28:32  C:\Program Files\FolderShare\FolderShare                                       .exe
----a-w         1,235,456 2008-02-06 14:46:12  C:\Program Files\FolderShare\FolderShare                                        .exe
----a-w         1,235,456 2008-02-06 16:40:16  C:\Program Files\FolderShare\FolderShare                                         .exe
----a-w         1,235,456 2008-02-06 17:39:54  C:\Program Files\FolderShare\FolderShare                                          .exe
----a-w         1,235,456 2008-02-07 13:29:04  C:\Program Files\FolderShare\FolderShare                                           .exe
----a-w         1,235,456 2008-02-08 13:12:16  C:\Program Files\FolderShare\FolderShare                                            .exe
----a-w         1,235,456 2008-02-09 13:36:42  C:\Program Files\FolderShare\FolderShare                                             .exe
----a-w         1,235,456 2008-02-10 12:43:56  C:\Program Files\FolderShare\FolderShare                                              .exe
----a-w         1,235,456 2008-02-11 13:05:44  C:\Program Files\FolderShare\FolderShare                                               .exe
----a-w         1,235,456 2008-02-12 13:11:24  C:\Program Files\FolderShare\FolderShare                                                .exe
----a-w         1,235,456 2008-02-13 13:05:02  C:\Program Files\FolderShare\FolderShare                                                 .exe
----a-w         1,235,456 2008-02-14 01:54:00  C:\Program Files\FolderShare\FolderShare                                                  .exe
----a-w         1,235,456 2008-02-14 13:11:14  C:\Program Files\FolderShare\FolderShare                                                   .exe
----a-w         1,235,456 2008-02-15 13:22:34  C:\Program Files\FolderShare\FolderShare                                                    .exe
----a-w         1,235,456 2008-02-16 14:04:36  C:\Program Files\FolderShare\FolderShare                                                     .exe
----a-w         1,235,456 2008-02-16 16:48:18  C:\Program Files\FolderShare\FolderShare                                                      .exe
----a-w         1,235,456 2008-02-16 19:32:28  C:\Program Files\FolderShare\FolderShare                                                       .exe
----a-w         1,235,456 2008-02-16 20:49:34  C:\Program Files\FolderShare\FolderShare                                                        .exe
----a-w         1,743,360 2008-01-14 22:45:08  C:\Program Files\TGTSoft\StyleXP\StyleXP .exe
----a-w         1,372,160 2008-01-17 13:35:48  C:\Program Files\TGTSoft\StyleXP\StyleXP  .exe
----a-w         1,694,208 2008-02-14 00:24:30  C:\Program Files\Messenger\msmsgs .exe
</pre>


-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@={7D688A77-C613-11D0-999B-00C04FD655E1}

[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2007-10-25 21:34 8460288 --a------ C:\WINDOWS\SYSTEM32\SHELL32.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:07 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 16:22 7618560]
"nwiz"="nwiz.exe" [2006-06-01 16:22 1519616 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-06-01 16:22 86016]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 14:03 106544 C:\WINDOWS\SYSTEM32\TWEAKUI.CPL]
"ATIPTA"="atiptaxx.exe" [2001-09-27 01:39 245760 C:\WINDOWS\SYSTEM32\atiptaxx.exe]

C:\Documents and Settings\fjw\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2007-01-08 21:22:17 2746104]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"<NO NAME>"= 00000000
"NoFavoritesMenu"= 01000000
"NoLogoff"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"<NO NAME>"= 00000000
"NoFavoritesMenu"= 01000000
"NoActiveDesktopChanges"= 0 (0x0)
"NoLogoff"= 0 (0x0)



Continued in next post
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Corel MEDIA FOLDERS INDEXER 8.LNK]
backup=C:\WINDOWS\pss\Corel MEDIA FOLDERS INDEXER 8.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Encoder Agent.lnk]
backup=C:\WINDOWS\pss\Encoder Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Cody^Start Menu^Programs^Startup^LimeWire On Startup.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
--a------ 2001-09-27 01:39 245760 C:\WINDOWS\SYSTEM32\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AuthConsoleStart]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DesktopIconToy]
--a------ 2006-10-26 21:03 278528 C:\Program Files\Desktop Icon Toy\DesktopIconToy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ESP]
--a------ 2006-07-30 12:09 63008 C:\Program Files\Cox\Applications\app\start.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FolderShare]
--a------ 2008-02-16 14:49 1235456 C:\Program Files\FolderShare\FolderShare .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-09-13 15:49 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2003-03-26 05:34 172032 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 10:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 10:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogonStudio]
C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mobipocket Reader Notifications]
--a------ 2006-06-20 16:54 57344 C:\Program Files\Mobipocket.com\Mobipocket Reader\readernotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-02-13 18:24 2226688 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-17 07:35 282624 C:\Program Files\QuickTime\qttask .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2008-02-16 14:49 2441216 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StarSkin]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP]
--a------ 2008-01-17 07:35 1372160 C:\Program Files\TGTSoft\StyleXP\StyleXP .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheMonitor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-05-14 17:22 35328 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UPS"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"msnmsgr"="C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
"LogitechSoftwareUpdate"="C:\PROGRAM FILES\LOGITECH\VIDEO\MANIFESTENGINE.EXE" boot

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"Tweak UI"=RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
"SiS Tray"=C:\WINDOWS\SYSTEM32\sistray.exe
"StillImageMonitor"=C:\WINDOWS\SYSTEM32\stimon.exe

R2 ppsio2;PPDevice;C:\WINDOWS\system32\drivers\ppsio2.sys [1999-04-01 19:16]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2001-09-27 00:32]
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys [2001-08-17 12:11]
S3 dump_wmimmc;dump_wmimmc;C:\Program Files\Gpotato\Flyff\GameGuard\dump_wmimmc.sys []
S3 PhilCam8116;Logitech QuickCam Pro 3000 (08B0);C:\WINDOWS\system32\DRIVERS\CamDrO21.sys [2001-08-17 14:05]
S3 XDva090;XDva090;C:\WINDOWS\system32\XDva090.sys []


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\MmoptPreferredAudioDevices]
rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,@0,SUSB\VID_046D&PID_08B0&MI_01\1USB&VID_046D&PID_08B0&INST_0

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-19 12:43:45
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-19 12:44:14
ComboFix-quarantined-files.txt 2008-02-19 18:44:14
ComboFix2.txt 2008-02-19 14:55:02
.
2008-02-15 05:58:29 --- E O F ---


and here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:47:14 PM, on 2/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\SYSTEM32\LVCOMSX.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\didymustoo.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\FJW\Application Data\Mozilla\Profiles\default\brw22mi9.slt\prefs.js)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - ?p=ZJfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {03A0F84E-3E69-4B3E-B4D3-019CB73B57B3} (AuthWebWizardMain.DHTMLPage1) - http://www3.authentium.com/cssrelease/bin/WizMain.exe
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares.netgame.com/download/MusaLauncherNew.cab
O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com/Apps/WSC/en-us/WscWlanScannerCtrl.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4692/mcfscan.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - c:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5640 bytes
 
Hi

Boot in safe mode

Open notepad and copy/paste the text in the quotebox below into it:

Code:
RenV::
----a-w           155,648 2008-01-14 13:49:00  C:\WINDOWS\SYSTEM32\NeroCheck .exe
----a-w            15,360 2008-02-17 19:10:12  C:\WINDOWS\SYSTEM32\ctfmon .exe
----a-w           158,208 2008-02-17 03:04:04  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w           649,728 2008-01-14 22:45:12  C:\Program Files\QuickTime\qttask    .exe
----a-w           649,728 2008-01-15 05:18:12  C:\Program Files\QuickTime\qttask     .exe
----a-w           649,728 2008-01-15 13:34:46  C:\Program Files\QuickTime\qttask      .exe
----a-w           649,728 2008-01-16 04:01:32  C:\Program Files\QuickTime\qttask       .exe
----a-w           649,728 2008-01-16 13:52:08  C:\Program Files\QuickTime\qttask        .exe
----a-w           649,728 2008-01-17 13:34:58  C:\Program Files\QuickTime\qttask         .exe
----a-w           282,624 2008-01-17 13:35:46  C:\Program Files\QuickTime\qttask          .exe
----a-w         1,235,456 2008-01-15 05:18:08  C:\Program Files\FolderShare\FolderShare     .exe
----a-w         1,235,456 2008-01-15 13:34:42  C:\Program Files\FolderShare\FolderShare      .exe
----a-w         1,235,456 2008-01-16 04:01:30  C:\Program Files\FolderShare\FolderShare       .exe
----a-w         1,235,456 2008-01-16 13:52:06  C:\Program Files\FolderShare\FolderShare        .exe
----a-w         1,235,456 2008-01-17 13:34:56  C:\Program Files\FolderShare\FolderShare         .exe
----a-w         1,235,456 2008-01-18 13:01:00  C:\Program Files\FolderShare\FolderShare          .exe
----a-w         1,235,456 2008-01-19 05:28:52  C:\Program Files\FolderShare\FolderShare           .exe
----a-w         1,235,456 2008-01-19 14:49:44  C:\Program Files\FolderShare\FolderShare            .exe
----a-w         1,235,456 2008-01-19 22:07:26  C:\Program Files\FolderShare\FolderShare             .exe
----a-w         1,235,456 2008-01-20 13:05:32  C:\Program Files\FolderShare\FolderShare              .exe
----a-w         1,235,456 2008-01-21 00:57:40  C:\Program Files\FolderShare\FolderShare               .exe
----a-w         1,235,456 2008-01-21 13:45:58  C:\Program Files\FolderShare\FolderShare                .exe
----a-w         1,235,456 2008-01-22 13:30:02  C:\Program Files\FolderShare\FolderShare                 .exe
----a-w         1,235,456 2008-01-24 13:23:50  C:\Program Files\FolderShare\FolderShare                  .exe
----a-w         1,235,456 2008-01-25 13:12:52  C:\Program Files\FolderShare\FolderShare                   .exe
----a-w         1,235,456 2008-01-26 14:00:48  C:\Program Files\FolderShare\FolderShare                    .exe
----a-w         1,235,456 2008-01-27 13:10:08  C:\Program Files\FolderShare\FolderShare                     .exe
----a-w         1,235,456 2008-01-28 00:02:38  C:\Program Files\FolderShare\FolderShare                      .exe
----a-w         1,235,456 2008-01-29 13:21:38  C:\Program Files\FolderShare\FolderShare                       .exe
----a-w         1,235,456 2008-01-30 13:26:08  C:\Program Files\FolderShare\FolderShare                        .exe
----a-w         1,235,456 2008-01-30 15:22:54  C:\Program Files\FolderShare\FolderShare                         .exe
----a-w         1,235,456 2008-01-30 16:10:46  C:\Program Files\FolderShare\FolderShare                          .exe
----a-w         1,235,456 2008-01-31 12:52:42  C:\Program Files\FolderShare\FolderShare                           .exe
----a-w         1,235,456 2008-01-31 13:46:00  C:\Program Files\FolderShare\FolderShare                            .exe
----a-w         1,235,456 2008-02-01 04:46:42  C:\Program Files\FolderShare\FolderShare                             .exe
----a-w         1,235,456 2008-02-01 13:14:42  C:\Program Files\FolderShare\FolderShare                              .exe
----a-w         1,235,456 2008-02-02 13:54:24  C:\Program Files\FolderShare\FolderShare                               .exe
----a-w         1,235,456 2008-02-02 16:06:34  C:\Program Files\FolderShare\FolderShare                                .exe
----a-w         1,235,456 2008-02-02 23:20:48  C:\Program Files\FolderShare\FolderShare                                 .exe
----a-w         1,235,456 2008-02-03 00:33:20  C:\Program Files\FolderShare\FolderShare                                  .exe
----a-w         1,235,456 2008-02-03 03:53:04  C:\Program Files\FolderShare\FolderShare                                   .exe
----a-w         1,235,456 2008-02-03 13:09:24  C:\Program Files\FolderShare\FolderShare                                    .exe
----a-w         1,235,456 2008-02-04 13:50:12  C:\Program Files\FolderShare\FolderShare                                     .exe
----a-w         1,235,456 2008-02-05 14:56:58  C:\Program Files\FolderShare\FolderShare                                      .exe
----a-w         1,235,456 2008-02-05 18:28:32  C:\Program Files\FolderShare\FolderShare                                       .exe
----a-w         1,235,456 2008-02-06 14:46:12  C:\Program Files\FolderShare\FolderShare                                        .exe
----a-w         1,235,456 2008-02-06 16:40:16  C:\Program Files\FolderShare\FolderShare                                         .exe
----a-w         1,235,456 2008-02-06 17:39:54  C:\Program Files\FolderShare\FolderShare                                          .exe
----a-w         1,235,456 2008-02-07 13:29:04  C:\Program Files\FolderShare\FolderShare                                           .exe
----a-w         1,235,456 2008-02-08 13:12:16  C:\Program Files\FolderShare\FolderShare                                            .exe
----a-w         1,235,456 2008-02-09 13:36:42  C:\Program Files\FolderShare\FolderShare                                             .exe
----a-w         1,235,456 2008-02-10 12:43:56  C:\Program Files\FolderShare\FolderShare                                              .exe
----a-w         1,235,456 2008-02-11 13:05:44  C:\Program Files\FolderShare\FolderShare                                               .exe
----a-w         1,235,456 2008-02-12 13:11:24  C:\Program Files\FolderShare\FolderShare                                                .exe
----a-w         1,235,456 2008-02-13 13:05:02  C:\Program Files\FolderShare\FolderShare                                                 .exe
----a-w         1,235,456 2008-02-14 01:54:00  C:\Program Files\FolderShare\FolderShare                                                  .exe
----a-w         1,235,456 2008-02-14 13:11:14  C:\Program Files\FolderShare\FolderShare                                                   .exe
----a-w         1,235,456 2008-02-15 13:22:34  C:\Program Files\FolderShare\FolderShare                                                    .exe
----a-w         1,235,456 2008-02-16 14:04:36  C:\Program Files\FolderShare\FolderShare                                                     .exe
----a-w         1,235,456 2008-02-16 16:48:18  C:\Program Files\FolderShare\FolderShare                                                      .exe
----a-w         1,235,456 2008-02-16 19:32:28  C:\Program Files\FolderShare\FolderShare                                                       .exe
----a-w         1,235,456 2008-02-16 20:49:34  C:\Program Files\FolderShare\FolderShare                                                        .exe
----a-w         1,743,360 2008-01-14 22:45:08  C:\Program Files\TGTSoft\StyleXP\StyleXP .exe
----a-w         1,372,160 2008-01-17 13:35:48  C:\Program Files\TGTSoft\StyleXP\StyleXP  .exe
----a-w         1,694,208 2008-02-14 00:24:30  C:\Program Files\Messenger\msmsgs .exe

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript.gif]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
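The RenV:: script above hands ComboFix a list of executables whose names carry whitespace before the extension (ctfmon .exe, qttask    .exe, sixty-odd FolderShare copies), lookalikes that sit beside the real system binaries. As an added example, not part of this thread or of ComboFix, the Python below parses such listing lines, flags padded names, computes the unpadded name each one imitates, and reports how many variants collapse onto each target and whether a genuine copy is also listed; it assumes RenV:: restores the unpadded name, and its sample lines are constructed from the listing above plus one clean entry.

```python
"""Flag space-padded executable names in a ComboFix-style file listing.

Added example for this thread, not ComboFix's own code.  Each padded name
(e.g. 'ctfmon .exe') is mapped to the unpadded name it imitates, which is
assumed to be what the RenV:: rename restores.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# One listing line: 7-char attribute field, comma-grouped size, timestamp, path.
LINE_RE = re.compile(
    r"^(?P<attrs>[-a-z]{7})\s+(?P<size>[\d,]+)\s+"
    r"(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>\S.*?)\s*$"
)

# Constructed sample: lines taken from the listing in this thread, plus one
# clean msmsgs.exe entry so the collision case is exercised.
SAMPLE_LISTING = [
    r"----a-w            15,360 2008-02-17 19:10:12  C:\WINDOWS\SYSTEM32\ctfmon .exe",
    r"----a-w           649,728 2008-01-14 22:45:12  C:\Program Files\QuickTime\qttask    .exe",
    r"----a-w           649,728 2008-01-15 05:18:12  C:\Program Files\QuickTime\qttask     .exe",
    r"----a-w           282,624 2008-01-17 13:35:46  C:\Program Files\QuickTime\qttask          .exe",
    r"----a-w         1,694,208 2008-02-14 00:24:30  C:\Program Files\Messenger\msmsgs .exe",
    r"----a-w         2,226,688 2008-02-13 18:24:00  C:\Program Files\Messenger\msmsgs.exe",
    "scan completed successfully",          # non-listing text must be ignored
]


@dataclass(frozen=True)
class Entry:
    attrs: str
    size: int
    stamp: str
    path: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one listing line; return None for separators or other text."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return Entry(m["attrs"], int(m["size"].replace(",", "")), m["stamp"], m["path"])


def split_name(path: str) -> tuple:
    """Split a Windows path into (directory, stem, extension), keeping any padding."""
    directory, _, filename = path.rpartition("\\")
    stem, dot, ext = filename.rpartition(".")
    if not dot:                      # no extension at all
        return directory, filename, ""
    return directory, stem, ext


def is_padded(path: str) -> bool:
    """True when whitespace sits between the base name and its extension."""
    _, stem, _ = split_name(path)
    return stem != stem.rstrip() and stem.strip() != ""


def unpadded_path(path: str) -> str:
    """The name the file imitates (assumed to be what the RenV:: rename restores)."""
    directory, stem, ext = split_name(path)
    name = stem.rstrip() + ("." + ext if ext else "")
    return f"{directory}\\{name}" if directory else name


def scan_listing(lines) -> dict:
    """Group padded entries by their unpadded target: {target: [Entry, ...]}."""
    findings = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is not None and is_padded(entry.path):
            findings[unpadded_path(entry.path)].append(entry)
    return dict(findings)


def report(lines) -> list:
    """One line per imitated target: variant count and whether a real copy is listed."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    real = {e.path for e in entries if not is_padded(e.path)}
    out = []
    for target, variants in sorted(scan_listing(lines).items()):
        note = "real file present" if target in real else "no unpadded copy listed"
        out.append(f"{target}: {len(variants)} padded variant(s), {note}")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LISTING):
        print(line)
```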
 
Combofix log part 1:

ComboFix 08-02-19.2 - fjw 2008-02-19 13:12:14.3 - FAT32x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.794 [GMT -6:00]
Running from: C:\Documents and Settings\fjw\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\fjw\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-19 to 2008-02-19 )))))))))))))))))))))))))))))))
.

2008-02-18 07:19 . 2008-02-18 07:19 <DIR> d--hs---- C:\FOUND.000
2008-02-16 21:09 . 2008-02-16 21:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-16 14:48 . 2008-02-16 14:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-16 14:47 . 2008-02-16 14:47 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-02-15 09:04 . 2008-02-18 13:10 6,014 --a------ C:\WINDOWS\BMd711e700.xml
2008-02-15 09:04 . 2008-02-19 07:11 22 --a------ C:\WINDOWS\pskt.ini
2008-02-15 08:33 . 2008-02-15 08:33 <DIR> d-------- C:\mGame
2008-02-07 18:15 . 2008-02-07 18:15 67 --a------ C:\WINDOWS\101_ASB.INI
2008-02-07 18:14 . 2008-02-07 18:14 <DIR> d-------- C:\DISNEY
2008-02-02 21:39 . 2008-02-02 21:39 <DIR> d-------- C:\Documents and Settings\fjw\DoctorWeb
2008-01-31 22:34 . 2008-01-31 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-25 16:27 . 2008-01-25 16:27 110 --a------ C:\WINDOWS\HandySnap.INI
2008-01-22 22:01 . 2008-01-22 22:01 <DIR> d-------- C:\OutputFolder
2008-01-22 21:59 . 2008-01-22 21:59 <DIR> d-------- C:\Program Files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-17 19:10 15,360 ----a-w C:\WINDOWS\SYSTEM32\ctfmon .exe
2008-02-17 03:04 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
2008-02-17 02:23 500,736 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe.tmp
2008-01-16 14:39 186,000 ----a-w C:\Documents and Settings\fjw\Application Data\GDIPFONTCACHEV1.DAT
2008-01-14 13:49 155,648 ----a-w C:\WINDOWS\SYSTEM32\NeroCheck.exe
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\SYSTEM32\dllcache\pngfilt.dll
2007-12-26 05:07 8,413 ----a-w C:\WINDOWS\system32\drivers\mcstrm.sys
2007-12-26 05:07 --------- d-----w C:\Program Files\Common Files\Real
2007-12-26 05:03 --------- d-----w C:\Program Files\Best Buy Rhapsody
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mrxdav.sys
2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\SYSTEM32\lsdelete.exe
2007-12-08 05:21 3,592,192 ------w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2007-12-06 11:01 625,664 ------w C:\WINDOWS\SYSTEM32\dllcache\iexplore.exe
2007-12-06 11:00 70,656 ------w C:\WINDOWS\SYSTEM32\dllcache\ie4uinit.exe
2007-12-06 11:00 13,824 ------w C:\WINDOWS\SYSTEM32\dllcache\ieudinit.exe
2007-12-06 04:59 161,792 ------w C:\WINDOWS\SYSTEM32\dllcache\ieakui.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\SYSTEM32\dllcache\oleaut32.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\SYSTEM32\oleaut32.dll
2006-12-23 16:04 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2006-01-11 02:13 159,312 ----a-w C:\Documents and Settings\Jeremy\Application Data\GDIPFONTCACHEV1.DAT
2005-11-05 03:58 33,750 ----a-w C:\WINDOWS\Internet Logs\GLB98_2nd_2005_11_04_21_58_33.dmp.zip
2005-11-05 03:58 33,668 ------w C:\WINDOWS\Internet Logs\GLB8F_2nd_2005_11_04_21_57_55.dmp.zip
2005-10-05 00:50 89,304 ------w C:\WINDOWS\Internet Logs\vsmon_2nd_2005_10_04_18_41_53_small.dmp.zip
2005-10-05 00:50 79,592 ------w C:\WINDOWS\Internet Logs\vsmon_2nd_2005_10_04_18_41_35_small.dmp.zip
2005-10-05 00:50 79,542 ------w C:\WINDOWS\Internet Logs\vsmon_2nd_2005_10_04_18_42_35_small.dmp.zip
2005-10-05 00:40 12,377,066 ------w C:\WINDOWS\Internet Logs\ZLCLIENT_2nd_2005_10_04_17_59_25_full.dmp.zip
2005-04-04 22:23 0 ---h--w C:\Program Files\AppUpdate.log
2004-09-21 20:07 86,016 ----a-w C:\Program Files\SPInstall.exe
2004-09-21 16:54 975 ----a-w C:\Program Files\ReadMe.txt
2004-09-21 16:05 1,841 ----a-w C:\Program Files\PackingList.txt
2004-09-21 15:36 908 ----a-w C:\Program Files\Setup.ini
2004-09-21 15:36 19,443,744 ----a-w C:\Program Files\Data1.cab
2004-09-21 15:36 1,591,952 ----a-w C:\Program Files\SundayPlus.msi
2004-09-21 15:35 225,280 ----a-w C:\Program Files\SPSetupHelper.exe
2004-09-15 02:35 49,152 ----a-w C:\Program Files\EnglishUI.dll
2004-04-23 00:02 560 ----a-w C:\Program Files\Global.sw
2004-01-10 02:34 266 --sh--w C:\Program Files\desktop.ini
2003-02-25 15:04 4,632 ----a-w C:\Program Files\0x0409.ini
2006-03-27 03:50 3,766 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
2006-03-27 03:50 88 --sh--r C:\WINDOWS\SYSTEM32\D4B12B0226.sys
.
Code:
----a-w            15,360 2008-02-17 19:10:12  C:\WINDOWS\SYSTEM32\ctfmon .exe
----a-w           158,208 2008-02-17 03:04:04  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w           649,728 2008-01-14 22:45:12  C:\Program Files\QuickTime\qttask    .exe
----a-w           649,728 2008-01-15 05:18:12  C:\Program Files\QuickTime\qttask     .exe
----a-w           649,728 2008-01-15 13:34:46  C:\Program Files\QuickTime\qttask      .exe
----a-w           649,728 2008-01-16 04:01:32  C:\Program Files\QuickTime\qttask       .exe
----a-w           649,728 2008-01-16 13:52:08  C:\Program Files\QuickTime\qttask        .exe
----a-w           649,728 2008-01-17 13:34:58  C:\Program Files\QuickTime\qttask         .exe
----a-w           282,624 2008-01-17 13:35:46  C:\Program Files\QuickTime\qttask          .exe
----a-w         1,235,456 2008-01-15 05:18:08  C:\Program Files\FolderShare\FolderShare     .exe
----a-w         1,235,456 2008-01-15 13:34:42  C:\Program Files\FolderShare\FolderShare      .exe
----a-w         1,235,456 2008-01-16 04:01:30  C:\Program Files\FolderShare\FolderShare       .exe
----a-w         1,235,456 2008-01-16 13:52:06  C:\Program Files\FolderShare\FolderShare        .exe
----a-w         1,235,456 2008-01-17 13:34:56  C:\Program Files\FolderShare\FolderShare         .exe
----a-w         1,235,456 2008-01-18 13:01:00  C:\Program Files\FolderShare\FolderShare          .exe
----a-w         1,235,456 2008-01-19 05:28:52  C:\Program Files\FolderShare\FolderShare           .exe
----a-w         1,235,456 2008-01-19 14:49:44  C:\Program Files\FolderShare\FolderShare            .exe
----a-w         1,235,456 2008-01-19 22:07:26  C:\Program Files\FolderShare\FolderShare             .exe
----a-w         1,235,456 2008-01-20 13:05:32  C:\Program Files\FolderShare\FolderShare              .exe
----a-w         1,235,456 2008-01-21 00:57:40  C:\Program Files\FolderShare\FolderShare               .exe
----a-w         1,235,456 2008-01-21 13:45:58  C:\Program Files\FolderShare\FolderShare                .exe
----a-w         1,235,456 2008-01-22 13:30:02  C:\Program Files\FolderShare\FolderShare                 .exe
----a-w         1,235,456 2008-01-24 13:23:50  C:\Program Files\FolderShare\FolderShare                  .exe
----a-w         1,235,456 2008-01-25 13:12:52  C:\Program Files\FolderShare\FolderShare                   .exe
----a-w         1,235,456 2008-01-26 14:00:48  C:\Program Files\FolderShare\FolderShare                    .exe
----a-w         1,235,456 2008-01-27 13:10:08  C:\Program Files\FolderShare\FolderShare                     .exe
----a-w         1,235,456 2008-01-28 00:02:38  C:\Program Files\FolderShare\FolderShare                      .exe
----a-w         1,235,456 2008-01-29 13:21:38  C:\Program Files\FolderShare\FolderShare                       .exe
----a-w         1,235,456 2008-01-30 13:26:08  C:\Program Files\FolderShare\FolderShare                        .exe
----a-w         1,235,456 2008-01-30 15:22:54  C:\Program Files\FolderShare\FolderShare                         .exe
----a-w         1,235,456 2008-01-30 16:10:46  C:\Program Files\FolderShare\FolderShare                          .exe
----a-w         1,235,456 2008-01-31 12:52:42  C:\Program Files\FolderShare\FolderShare                           .exe
----a-w         1,235,456 2008-01-31 13:46:00  C:\Program Files\FolderShare\FolderShare                            .exe
----a-w         1,235,456 2008-02-01 04:46:42  C:\Program Files\FolderShare\FolderShare                             .exe
----a-w         1,235,456 2008-02-01 13:14:42  C:\Program Files\FolderShare\FolderShare                              .exe
----a-w         1,235,456 2008-02-02 13:54:24  C:\Program Files\FolderShare\FolderShare                               .exe
----a-w         1,235,456 2008-02-02 16:06:34  C:\Program Files\FolderShare\FolderShare                                .exe
----a-w         1,235,456 2008-02-02 23:20:48  C:\Program Files\FolderShare\FolderShare                                 .exe
----a-w         1,235,456 2008-02-03 00:33:20  C:\Program Files\FolderShare\FolderShare                                  .exe
----a-w         1,235,456 2008-02-03 03:53:04  C:\Program Files\FolderShare\FolderShare                                   .exe
----a-w         1,235,456 2008-02-03 13:09:24  C:\Program Files\FolderShare\FolderShare                                    .exe
----a-w         1,235,456 2008-02-04 13:50:12  C:\Program Files\FolderShare\FolderShare                                     .exe
----a-w         1,235,456 2008-02-05 14:56:58  C:\Program Files\FolderShare\FolderShare                                      .exe
----a-w         1,235,456 2008-02-05 18:28:32  C:\Program Files\FolderShare\FolderShare                                       .exe
----a-w         1,235,456 2008-02-06 14:46:12  C:\Program Files\FolderShare\FolderShare                                        .exe
----a-w         1,235,456 2008-02-06 16:40:16  C:\Program Files\FolderShare\FolderShare                                         .exe
----a-w         1,235,456 2008-02-06 17:39:54  C:\Program Files\FolderShare\FolderShare                                          .exe
----a-w         1,235,456 2008-02-07 13:29:04  C:\Program Files\FolderShare\FolderShare                                           .exe
----a-w         1,235,456 2008-02-08 13:12:16  C:\Program Files\FolderShare\FolderShare                                            .exe
----a-w         1,235,456 2008-02-09 13:36:42  C:\Program Files\FolderShare\FolderShare                                             .exe
----a-w         1,235,456 2008-02-10 12:43:56  C:\Program Files\FolderShare\FolderShare                                              .exe
----a-w         1,235,456 2008-02-11 13:05:44  C:\Program Files\FolderShare\FolderShare                                               .exe
----a-w         1,235,456 2008-02-12 13:11:24  C:\Program Files\FolderShare\FolderShare                                                .exe
----a-w         1,235,456 2008-02-13 13:05:02  C:\Program Files\FolderShare\FolderShare                                                 .exe
----a-w         1,235,456 2008-02-14 01:54:00  C:\Program Files\FolderShare\FolderShare                                                  .exe
----a-w         1,235,456 2008-02-14 13:11:14  C:\Program Files\FolderShare\FolderShare                                                   .exe
----a-w         1,235,456 2008-02-15 13:22:34  C:\Program Files\FolderShare\FolderShare                                                    .exe
----a-w         1,235,456 2008-02-16 14:04:36  C:\Program Files\FolderShare\FolderShare                                                     .exe
----a-w         1,235,456 2008-02-16 16:48:18  C:\Program Files\FolderShare\FolderShare                                                      .exe
----a-w         1,235,456 2008-02-16 19:32:28  C:\Program Files\FolderShare\FolderShare                                                       .exe
----a-w         1,235,456 2008-02-16 20:49:34  C:\Program Files\FolderShare\FolderShare                                                        .exe
----a-w         1,743,360 2008-01-14 22:45:08  C:\Program Files\TGTSoft\StyleXP\StyleXP .exe
----a-w         1,372,160 2008-01-17 13:35:48  C:\Program Files\TGTSoft\StyleXP\StyleXP  .exe
----a-w         1,694,208 2008-02-14 00:24:30  C:\Program Files\Messenger\msmsgs .exe


-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@={7D688A77-C613-11D0-999B-00C04FD655E1}

[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2007-10-25 21:34 8460288 --a------ C:\WINDOWS\SYSTEM32\SHELL32.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:07 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 16:22 7618560]
"nwiz"="nwiz.exe" [2006-06-01 16:22 1519616 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-06-01 16:22 86016]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 14:03 106544 C:\WINDOWS\SYSTEM32\TWEAKUI.CPL]
"ATIPTA"="atiptaxx.exe" [2001-09-27 01:39 245760 C:\WINDOWS\SYSTEM32\atiptaxx.exe]

C:\Documents and Settings\fjw\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2007-01-08 21:22:17 2746104]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"<NO NAME>"= 00000000
"NoFavoritesMenu"= 01000000
"NoLogoff"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"<NO NAME>"= 00000000
"NoFavoritesMenu"= 01000000
"NoActiveDesktopChanges"= 0 (0x0)
"NoLogoff"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Corel MEDIA FOLDERS INDEXER 8.LNK]
backup=C:\WINDOWS\pss\Corel MEDIA FOLDERS INDEXER 8.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Encoder Agent.lnk]
backup=C:\WINDOWS\pss\Encoder Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Cody^Start Menu^Programs^Startup^LimeWire On Startup.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
--a------ 2001-09-27 01:39 245760 C:\WINDOWS\SYSTEM32\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AuthConsoleStart]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DesktopIconToy]
--a------ 2006-10-26 21:03 278528 C:\Program Files\Desktop Icon Toy\DesktopIconToy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ESP]
--a------ 2006-07-30 12:09 63008 C:\Program Files\Cox\Applications\app\start.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FolderShare]
--a------ 2008-02-16 14:49 1235456 C:\Program Files\FolderShare\FolderShare .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-09-13 15:49 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2003-03-26 05:34 172032 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 10:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
 
Combofix log part 2:


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 10:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogonStudio]
C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mobipocket Reader Notifications]
--a------ 2006-06-20 16:54 57344 C:\Program Files\Mobipocket.com\Mobipocket Reader\readernotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-02-13 18:24 2226688 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2008-01-14 07:49 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-17 07:35 282624 C:\Program Files\QuickTime\qttask .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2008-02-16 14:49 2441216 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StarSkin]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP]
--a------ 2008-01-17 07:35 1372160 C:\Program Files\TGTSoft\StyleXP\StyleXP .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheMonitor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-05-14 17:22 35328 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UPS"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"msnmsgr"="C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
"LogitechSoftwareUpdate"="C:\PROGRAM FILES\LOGITECH\VIDEO\MANIFESTENGINE.EXE" boot

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"Tweak UI"=RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
"SiS Tray"=C:\WINDOWS\SYSTEM32\sistray.exe
"StillImageMonitor"=C:\WINDOWS\SYSTEM32\stimon.exe

S2 ppsio2;PPDevice;C:\WINDOWS\system32\drivers\ppsio2.sys [1999-04-01 19:16]
S3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2001-09-27 00:32]
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys [2001-08-17 12:11]
S3 dump_wmimmc;dump_wmimmc;C:\Program Files\Gpotato\Flyff\GameGuard\dump_wmimmc.sys []
S3 PhilCam8116;Logitech QuickCam Pro 3000 (08B0);C:\WINDOWS\system32\DRIVERS\CamDrO21.sys [2001-08-17 14:05]
S3 XDva090;XDva090;C:\WINDOWS\system32\XDva090.sys []

*Newly Created Service* - MVDCODEC

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\MmoptPreferredAudioDevices]
rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,@0,SUSB\VID_046D&PID_08B0&MI_01\1USB&VID_046D&PID_08B0&INST_0

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-19 13:15:34
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-19 13:16:21
ComboFix-quarantined-files.txt 2008-02-19 19:16:18
ComboFix3.txt 2008-02-19 14:55:02
ComboFix2.txt 2008-02-19 18:44:16
.
2008-02-15 05:58:29 --- E O F ---


HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:17:22 PM, on 2/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\didymustoo.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\FJW\Application Data\Mozilla\Profiles\default\brw22mi9.slt\prefs.js)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - ?p=ZJfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {03A0F84E-3E69-4B3E-B4D3-019CB73B57B3} (AuthWebWizardMain.DHTMLPage1) - http://www3.authentium.com/cssrelease/bin/WizMain.exe
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares.netgame.com/download/MusaLauncherNew.cab
O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com/Apps/WSC/en-us/WscWlanScannerCtrl.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4692/mcfscan.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - c:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5233 bytes
 
Hi

Yes, no go.

That will mean that you will need to re-install some startup programs.

Make Windows show file extensions, see here

Rename these files:

C:\WINDOWS\SYSTEM32\ctfmon .exe
C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
C:\Program Files\Messenger\msmsgs .exe

to these:

C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\WINDOWS\pchealth\helpctr\binaries\MSConfig.exe
C:\Program Files\Messenger\msmsgs.exe

Uninstall via add/remove programs:

QuickTime
FolderShare
StyleXP

Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe.tmp

Folder::
C:\Program Files\TGTSoft\StyleXP
C:\Program Files\FolderShare
C:\Program Files\QuickTime

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript.gif]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any findstr, find, sed or swreg processes; ComboFix should then continue.
If that happens, we want to know, and also which process you had to end.
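As an added, defender-side illustration (not code from the thread, ComboFix or HijackThis), here is a Python script that parses listing lines in the format ComboFix prints above and flags executables whose names carry whitespace between the base name and the extension, pairing each with the genuine file of that name in the same folder. The sample lines are constructed from the paths discussed in this thread; sizes and timestamps are illustrative.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One line of the ComboFix-style listing quoted in this thread:
#   <attributes> <size> <yyyy-mm-dd hh:mm:ss> <full path>
LISTING_LINE = re.compile(
    r"^(?P<attrs>\S+)\s+(?P<size>[\d,]+)\s+"
    r"(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>.+)$"
)
# Constructed sample in that format: the paths are the ones discussed in
# this thread; sizes and timestamps are illustrative, not a live scan.
SAMPLE_LISTING = r"""
----a-w            15,360 2008-02-17 19:10:12  C:\WINDOWS\SYSTEM32\ctfmon .exe
----a-w           158,208 2008-02-17 03:04:04  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w           649,728 2008-01-14 22:45:12  C:\Program Files\QuickTime\qttask    .exe
----a-w         1,694,208 2008-02-14 00:24:30  C:\Program Files\Messenger\msmsgs .exe
----a-w            15,360 2004-08-04 01:07:00  C:\WINDOWS\system32\ctfmon.exe
----a-w         2,226,688 2008-02-13 18:24:00  C:\Program Files\Messenger\msmsgs.exe
----a-w           155,648 2008-01-14 13:49:00  C:\WINDOWS\SYSTEM32\NeroCheck.exe
"""

@dataclass
class Entry:
    attrs: str
    size: int
    stamp: str
    path: str
    @property
    def directory(self) -> str:
        return self.path.rsplit("\\", 1)[0]
    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

@dataclass
class Finding:
    path: str                  # the padded look-alike, e.g. ...\ctfmon .exe
    canonical_name: str        # the name it imitates, e.g. ctfmon.exe
    padding: int               # whitespace characters hidden before the extension
    twin_path: Optional[str]   # genuine file of that name in the same folder, if listed
    same_size: Optional[bool]  # True when look-alike and twin have identical length

def parse_listing(text: str) -> List[Entry]:
    """Parse listing lines; anything not in the expected format is skipped."""
    entries = []
    for raw in text.splitlines():
        m = LISTING_LINE.match(raw.rstrip("\r"))
        if m:
            entries.append(Entry(m["attrs"], int(m["size"].replace(",", "")),
                                 m["stamp"], m["path"]))
    return entries

def canonical(name: str):
    """Drop whitespace padded before the extension; return (name, chars removed)."""
    if "." not in name:
        return name, 0
    base, ext = name.rsplit(".", 1)
    stripped = base.rstrip()
    return f"{stripped}.{ext}", len(base) - len(stripped)

def find_padded_names(entries: List[Entry]) -> List[Finding]:
    """Flag names with whitespace before the extension and pair each with the
    genuine file of the canonical name in the same folder (case-insensitive)."""
    by_key = {(e.directory.lower(), e.name.lower()): e for e in entries}
    findings = []
    for e in entries:
        canon, pad = canonical(e.name)
        if pad == 0:
            continue
        twin = by_key.get((e.directory.lower(), canon.lower()))
        findings.append(Finding(e.path, canon, pad,
                                twin.path if twin else None,
                                (twin.size == e.size) if twin else None))
    return findings

if __name__ == "__main__":
    for f in find_padded_names(parse_listing(SAMPLE_LISTING)):
        print(f)
```

A look-alike whose size matches its twin (as with ctfmon above) is most likely a copy of the real binary placed beside it; a mismatched size points to a different file wearing the name.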
 
I tried renaming ctfmon .exe to ctfmon.exe. I received this message, “Cannot rename ctfmon : A file with the name you specified already exists. Specify a different name.”

So I tried renaming ctfmon.exe to ctfmon.exe.bak. I got the same message.
So I decided to try renaming MSConfig .exe to MSConfig.exe, got the same message. I renamed MSConfig.exe to MSConfig.exe.bak and still got the same message. I then decided to rename MSConfig.exe.bak back to MSConfig.exe and the computer won’t let me, telling me a file with the same name already exists. Same problem with ctfmon.exe.bak. So,

I now have the following files on my computer:
ctfmon.exe
ctfmon .exe
ctfmon.exe.bak

MSConfig exe
MSConfig.exe
MSConfig.exe.bak
msconfig.exe.tmp

I thought I’d better let you know before I went on to the uninstall programs step.
 
Hi

Delete all these:

ctfmon .exe
ctfmon.exe.bak
MSConfig exe
MSConfig.exe
MSConfig.exe.bak

Download this
and unzip it to here:

C:\WINDOWS\pchealth\helpctr\binaries

Then just continue with my previous instructions, please :)
 
I appreciate your help and patience.

I was able to delete all files except for ctfmon.exe.bak. When I attempt to do so I get a message, "Cannot delete ctfmon.exe: Access is denied."
 