I ran all sorts of scans.
I updated the scanners that I could, but the nasties have disabled Firefox and IE is MIA. Some of the update processes simply say "no connection detected" and fail. Sometimes when I (very quickly) plug into the internet connection, the entire display screen turns sickly yellow/green, so I've been avoiding plugging in as much as possible.
New HJT, Silent Runner, and ComboFix logs below.
New HJT log
(I have the logs in Safe Mode also, but I'll post the Normal mode ones -- let me know if you want to see the Safe Mode versions.)
BTW, the Google updater service (gusvc) is suspicious -- the folder is not on the machine and HJT cannot "fix" the O23 service entry.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:14:10 PM, on 10/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\gotcha.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\npjpi150_12.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\npjpi150_12.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159453796765
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
--
End of file - 3967 bytes
**************************
ComboFix 07-10-20.6 - Administrator 2007-10-23 22:06:18.6 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.600 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-09-24 to 2007-10-24 )))))))))))))))))))))))))))))))
.
2007-10-23 16:16 0 --a------ C:\WINDOWS\system32\SBRC.dat
2007-10-23 16:16 0 --a------ C:\WINDOWS\system32\SBFC.dat
2007-10-23 16:14 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2007-10-23 16:13 d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2007-10-23 16:13 d-------- C:\Documents and Settings\Administrator\Application Data\Sunbelt Software
2007-10-23 16:13 d-------- C:\Documents and Settings\Administrator\Application Data\Sunbelt Software
2007-10-23 16:12 d-------- C:\Program Files\Sunbelt Software
2007-10-21 10:09 d-------- C:\Documents and Settings\Administrator\DoctorWeb
2007-10-21 10:03 870 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-21 07:55 146,432 --a------ C:\WINDOWS\system32\dllcache\regedit.exe
2007-10-21 07:55 146,432 --a------ C:\WINDOWS\REGEDIT.EXE
2007-10-21 07:54 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-20 21:39 146,432 --a------ C:\WINDOWS\system32\REGEDIT.EXE
2007-10-20 20:54 d-------- C:\VundoFix Backups
2007-10-19 23:07 673 --ahs---- C:\WINDOWS\system32\xybeg.ini2
2007-10-19 19:48 158,432 --a------ C:\WINDOWS\system32\a7ee17a6.sys
2007-10-19 19:48 158,432 --a------ C:\WINDOWS\system32\a6a766d2.sys
2007-10-19 19:31 158,432 --a------ C:\WINDOWS\system32\16b63a6.sys
2007-10-19 19:31 158,432 --a------ C:\WINDOWS\system32\123ed5ea.sys
2007-10-19 18:37 158,432 --a------ C:\WINDOWS\system32\579608b4.sys
2007-10-19 18:37 158,432 --a------ C:\WINDOWS\system32\1a475112.sys
2007-10-19 18:36 d-------- C:\Program Files\Kaspersky Lab
2007-10-19 18:36 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-19 18:36 4,313,376 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-19 18:36 82,061 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-10-19 18:36 81,549 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-10-19 18:36 32,032 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-10-19 18:29 d-------- C:\KAV
2007-10-19 15:26 33,280 --a------ C:\WINDOWS\system32\rundll32.exe
2007-10-14 20:50 158,432 --a------ C:\WINDOWS\system32\e5356696.sys
2007-10-14 20:50 158,432 --a------ C:\WINDOWS\system32\e37ebc2c.sys
2007-10-14 12:37 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-10-14 12:37 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-10-14 10:14 d-------- C:\Program Files\BHODemon
2007-10-13 18:56 d-------- C:\Program Files\CCleaner
2007-10-07 17:46 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-10-07 17:46 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-10-07 17:40 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-07 17:39 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-07 17:39 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-07 17:39 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-07 17:38 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-07 17:38 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-10-07 14:44 d-------- C:\WINDOWS\ServicePackFiles
2007-10-07 13:40 13,922 --a------ C:\WINDOWS\system32\drivers\EBIOS32.SYS
2007-10-07 13:39 d-------- C:\EbuDllTmpDir
2007-10-07 13:38 d-------- C:\Program Files\Intel
2007-10-07 13:20 158,464 --a------ C:\WINDOWS\system32\cf07e6e.sys
2007-10-07 13:20 158,464 --a------ C:\WINDOWS\system32\ced8d6c.sys
2007-10-07 13:20 158,464 --a------ C:\WINDOWS\system32\cea9f80.sys
2007-10-07 13:19 158,464 --a------ C:\WINDOWS\system32\ce7b752.sys
2007-10-07 13:17 158,464 --a------ C:\WINDOWS\system32\ce47790.sys
2007-10-07 13:05 d--h----- C:\WINDOWS\system32\GroupPolicy
2007-10-07 13:05 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-07 13:05 d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2007-10-07 13:05 d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2007-10-07 11:47 158,464 --a------ C:\WINDOWS\system32\fe4226ac.sys
2007-10-07 11:46 158,464 --a------ C:\WINDOWS\system32\a4be6ed6.sys
2007-10-07 11:45 158,464 --a------ C:\WINDOWS\system32\be6898f2.sys
2007-10-07 11:45 158,464 --a------ C:\WINDOWS\system32\bca4d3f0.sys
2007-10-07 11:45 158,464 --a------ C:\WINDOWS\system32\30660e58.sys
2007-10-07 10:38 158,464 --a------ C:\WINDOWS\system32\ce5d6f4c.sys
2007-10-07 10:36 158,464 --a------ C:\WINDOWS\system32\e02f36a2.sys
2007-10-07 10:36 158,464 --a------ C:\WINDOWS\system32\d74d842.sys
2007-10-07 10:36 158,464 --a------ C:\WINDOWS\system32\8499006a.sys
2007-10-07 10:36 158,464 --a------ C:\WINDOWS\system32\5fca5e06.sys
2007-10-07 10:36 158,464 --a------ C:\WINDOWS\system32\59229ba8.sys
2007-10-07 10:35 158,464 --a------ C:\WINDOWS\system32\c698a70.sys
2007-10-07 10:35 158,464 --a------ C:\WINDOWS\system32\7167ac60.sys
2007-10-07 10:35 158,464 --a------ C:\WINDOWS\system32\3d6b917e.sys
2007-10-07 10:35 158,464 --a------ C:\WINDOWS\system32\226bba2e.sys
2007-10-07 10:35 158,464 --a------ C:\WINDOWS\system32\2009285a.sys
2007-10-07 10:35 0 --a------ C:\WINDOWS\system32\bc56151a.sys
2007-10-07 09:55 109 --ahs---- C:\WINDOWS\system32\1009854801.dat
2007-10-06 16:51 158,464 --a------ C:\WINDOWS\system32\ff08da8a.sys
2007-10-06 16:51 158,464 --a------ C:\WINDOWS\system32\6b019b9c.sys
2007-10-06 16:51 158,464 --a------ C:\WINDOWS\system32\365bb420.sys
2007-10-06 16:51 0 --a------ C:\WINDOWS\system32\aca3740a.sys
2007-10-06 16:49 158,464 --a------ C:\WINDOWS\system32\c09e91ae.sys
2007-10-06 16:48 158,464 --a------ C:\WINDOWS\system32\fbf1ce.sys
2007-10-06 16:48 158,464 --a------ C:\WINDOWS\system32\92bc4e8c.sys
2007-10-06 16:48 158,464 --a------ C:\WINDOWS\system32\9233357c.sys
2007-10-06 16:48 158,464 --a------ C:\WINDOWS\system32\13e6a3b8.sys
2007-10-06 16:35 158,464 --a------ C:\WINDOWS\system32\b785072e.sys
2007-10-06 16:35 158,464 --a------ C:\WINDOWS\system32\7b5022.sys
2007-10-06 16:35 158,464 --a------ C:\WINDOWS\system32\3abf5fd2.sys
2007-10-06 16:35 158,464 --a------ C:\WINDOWS\system32\32258f70.sys
2007-10-06 16:26 158,464 --a------ C:\WINDOWS\system32\d9ebe688.sys
2007-10-06 16:26 158,464 --a------ C:\WINDOWS\system32\a9a2c1bc.sys
2007-10-06 16:26 158,464 --a------ C:\WINDOWS\system32\6185aae6.sys
2007-10-06 16:26 158,464 --a------ C:\WINDOWS\system32\387f5b58.sys
2007-10-06 16:23 158,464 --a------ C:\WINDOWS\system32\9d363e80.sys
2007-10-06 16:23 158,464 --a------ C:\WINDOWS\system32\3950f6c.sys
2007-10-06 16:23 0 --a------ C:\WINDOWS\system32\857af6c2.sys
2007-10-06 14:51 d-------- C:\Program Files\Intel Audio Studio
2007-10-06 14:51 274,432 --a------ C:\WINDOWS\system32\IASDLL.dll
2007-10-06 14:51 266,240 --a------ C:\WINDOWS\system32\IASMXDLL.dll
2007-10-06 14:51 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2007-10-06 14:51 61,440 --a------ C:\WINDOWS\system32\SFIDLOCK.dll
2007-10-06 14:51 53,248 --a------ C:\WINDOWS\system32\IASBB.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-23 21:08 51,164 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-10-23 21:08 4,952 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-10-20 02:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-14 19:13 --------- d-----w C:\Program Files\xupsfufa
2007-10-14 19:13 --------- d-----w C:\Program Files\GameSpy Arcade
2007-10-14 19:13 --------- d-----w C:\Program Files\GameShadow
2007-10-14 16:17 --------- d-----w C:\Program Files\Elphciot
2007-09-23 22:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-23 16:50 --------- d-----w C:\Program Files\Firefly Studios
2007-09-23 13:55 --------- d-----w C:\Program Files\Dreamcatcher
2007-09-23 03:32 9,059 ----a-w C:\WINDOWS\system32\iefpmod.dll
2007-09-23 02:44 --------- d-----w C:\Documents and Settings\Quinn Wolter\Application Data\Petroglyph
2007-09-23 02:43 --------- d-----w C:\Documents and Settings\Quinn Wolter\Application Data\LucasArts
2007-09-23 02:25 --------- d-----w C:\Program Files\LucasArts
2007-09-23 02:13 --------- d-----w C:\Program Files\Microsoft Games
2007-09-22 22:16 --------- d--h--r C:\Documents and Settings\Quinn Wolter\Application Data\SecuROM
2007-09-22 22:04 --------- d-----w C:\Program Files\EA GAMES
2007-09-22 02:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-09-21 22:46 --------- d-----w C:\Program Files\Eidos
2007-09-18 21:26 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-09-18 21:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Firefly Studios
2007-09-18 02:33 --------- d-----w C:\Program Files\AIM6
2007-09-18 02:33 --------- d-----w C:\Documents and Settings\Quinn Wolter\Application Data\acccore
2007-09-18 02:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-09-18 02:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-09-18 02:32 --------- d-----w C:\Program Files\Viewpoint
2007-09-18 02:32 --------- d-----w C:\Program Files\Common Files\AOL
2007-09-18 02:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-09-18 02:08 --------- d-----w C:\Program Files\Rockstar Games
2007-09-17 21:43 --------- d-s---w C:\Program Files\Xfire
2007-09-17 21:37 --------- d-----w C:\Documents and Settings\Quinn Wolter\Application Data\Xfire
2007-09-17 21:05 --------- d-----w C:\Program Files\Java
2007-09-17 21:05 --------- d-----w C:\Program Files\Common Files\Java
2007-09-17 19:49 --------- d-----w C:\Program Files\Bethesda Softworks
2007-09-07 17:40 --------- d-----w C:\Documents and Settings\Quinn Wolter\Application Data\CyberLink
2007-09-07 17:40 --------- d-----w C:\Documents and Settings\Administrator\Application Data\CyberLink
2007-09-07 17:40 --------- d-----w C:\Documents and Settings\Administrator\Application Data\CyberLink
2007-09-07 14:54 --------- d-----w C:\Program Files\SigmaTel
2007-09-07 14:54 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-09-07 14:51 --------- d-----w C:\Program Files\CyberLink
2007-09-07 14:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2007-09-07 14:45 --------- d-----w C:\Program Files\MSXML 6.0
2007-09-07 14:45 --------- d-----w C:\Program Files\MSXML 4.0
2007-08-27 15:26 27,120 ----a-w C:\WINDOWS\system32\SBBD.exe
2007-08-15 16:38 2,562,464 ----a-w C:\WINDOWS\Q936782.EXE
2007-08-15 16:28 708,488 ----a-w C:\WINDOWS\Q936357.EXE
2007-08-15 16:28 15,394,248 ----a-w C:\WINDOWS\Q928365.EXE
2007-08-15 16:26 9,249,736 ----a-w C:\WINDOWS\Q928366.EXE
2007-08-15 12:57 910,728 ----a-w C:\WINDOWS\Q936021.EXE
2007-08-15 12:57 5,652,328 ----a-w C:\WINDOWS\Q936181.EXE
2007-08-15 12:56 4,704,136 ----a-w C:\WINDOWS\Q937143.EXE
2007-08-15 12:55 7,939,032 ----a-w C:\WINDOWS\Q890830.EXE
2007-08-15 12:54 849,800 ----a-w C:\WINDOWS\Q938828.EXE
2007-08-15 12:51 806,792 ----a-w C:\WINDOWS\Q938127.EXE
2007-08-15 12:50 622,984 ----a-w C:\WINDOWS\Q938829.EXE
2007-08-15 12:49 749,448 ----a-w C:\WINDOWS\Q921503.EXE
2007-08-15 12:47 925,544 ----a-w C:\WINDOWS\Q933579.EXE
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
.
((((((((((((((((((((((((((((( snapshot@2007-10-21_12.19.07.79 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-23 20:13:10 19,230 ----a-r C:\WINDOWS\Installer\{A5CC3E6E-CAC7-4D47-A5C8-743E549890D5}\ARPPRODUCTICON.exe
+ 2006-12-28 21:13:52 516,832 ----a-w C:\WINDOWS\system32\capicom.dll
- 2004-08-04 04:56:50 98,304 ----a-w C:\WINDOWS\system32\cscript.exe
+ 2004-08-10 19:00:00 98,304 ----a-w C:\WINDOWS\system32\cscript.exe
+ 2004-08-10 19:00:00 98,304 ----a-w C:\WINDOWS\system32\dllcache\cscript.exe
+ 2006-10-30 15:30:30 10,032 ----a-w C:\WINDOWS\system32\drivers\SBTEDrv.sys
- 2007-09-07 14:49:51 90,296 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2007-10-23 18:49:38 95,072 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2005-11-02 15:39:14 131,072 ----a-w C:\WINDOWS\system32\MD5.dll
+ 2005-11-02 15:39:16 24,924 ----a-w C:\WINDOWS\system32\openports.dll
+ 2003-02-21 11:16:08 49,152 ----a-w C:\WINDOWS\system32\REGTLIB.EXE
+ 2005-11-02 15:39:16 40,960 ----a-w C:\WINDOWS\system32\SDelete.dll
+ 2006-06-22 19:40:28 493,400 ----a-w C:\WINDOWS\system32\XceedZip.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-20 06:05]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-08-27 12:09]
R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys
R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys
S1 4ee09577.sys;4ee09577.sys;\??\C:\WINDOWS\system32\drivers\4ee09577.sys
S1 72ec21ad.sys;72ec21ad.sys;\??\C:\WINDOWS\system32\drivers\72ec21ad.sys
S1 8f746ec6.sys;8f746ec6.sys;\??\C:\WINDOWS\system32\drivers\8f746ec6.sys
S1 94409c70.sys;94409c70.sys;\??\C:\WINDOWS\system32\drivers\94409c70.sys
S1 edc23d3f.sys;edc23d3f.sys;\??\C:\WINDOWS\system32\drivers\edc23d3f.sys
S1 f0ee9811.sys;f0ee9811.sys;\??\C:\WINDOWS\system32\drivers\f0ee9811.sys
S2 EBIOS32;EBIOS32 - NT Driver;C:\WINDOWS\system32\Drivers\EBIOS32.SYS
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S3 SBAPIFS;SBAPIFS;\??\C:\WINDOWS\system32\drivers\sbapifs.sys
.
**************************************************************************
catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-23 22:06:49
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-23 22:07:21
C:\ComboFix2.txt ... 2007-10-23 21:30
C:\ComboFix3.txt ... 2007-10-21 12:20
.
--- E O F ---
***********************
"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["GRISOFT s.r.o."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"SBCSTray" = "C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" ["Sunbelt Software"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{3028902F-6374-48b2-8DC6-9725E775B926}" = "IE Microsoft AutoComplete"
-> {HKLM...CLSID} = "IE Microsoft AutoComplete"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
-> {HKLM...CLSID} = "History Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\audiodev.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Web Anti-Virus statistics"
-> {HKLM...CLSID} = "Web Anti-Virus statistics"
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll" ["Kaspersky Lab"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["GRISOFT s.r.o."]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\ShellEx.dll" ["Kaspersky Lab"]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\ShellEx.dll" ["Kaspersky Lab"]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Bliss.bmp"
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
HKLM\Software\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Web Anti-Virus statistics"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll" ["Kaspersky Lab"]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_12"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_12\bin\npjpi150_12.dll" ["Sun Microsystems, Inc."]
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\
"ButtonText" = "Web Anti-Virus statistics"
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
Miscellaneous IE Hijack Points
------------------------------
C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Missing lines (compared with English-language version):
[Strings]: 1 line
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["GRISOFT s.r.o."]
AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVG7\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
Kaspersky Anti-Virus 7.0, AVP, ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r" ["Kaspersky Lab"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
SigmaTel Audio Service, STacSV, "C:\WINDOWS\system32\STacSV.exe" ["SigmaTel, Inc."]
Sunbelt CounterSpy Antispyware, SBCSSvc, ""C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe"" ["Sunbelt Software"]
---------- (launch time: 2007-10-23 22:16:04)
<>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 36 seconds, including 7 seconds for message boxes)
**************************
I guess I need to disable (again) some of the anti-virus scanners (or maybe uninstall?) They appear to all be starting despite being turned off....
Is it possible to clean up this mess?
Thank you for your time and input. I hope we can trump the bad 'uns!