gerbil 216 Industrious Poster

Hello, polop... I'm not going to take the time to examine each of the pests and their usual actions. I know of malwares which deliberately search for and delete jpg and vid files. Damage is done. I can give you another forensic tool [free] which will scan your disk thoroughly and find files [if they exist] even in deleted partitions. But not if they have been overwritten.... nothing can help then.
By the way... and I know that you have heard this advice before, but now there is a hammer behind it to drive it home... BACKUP!!! It's not as if it's a chore.... once you set it up it is automatic, in the background, no finger lifting required.
First thing to do when stuff vanishes is to check with cmd.exe's dir command, just in case it is a simple case of changed attributes.
Get TestDisk 6.9 ... It's not a simple tool to learn and run, but it works. If it doesn't find your missing files, then just accept that some lessons are hard. Beware!! that pgm can destroy your installation if you misuse it. So think before you press buttons... it does not ask for confirmations.

gerbil 216 Industrious Poster

Uninstall and reinstall your firewall. Some of its rules may be corrupted/incorrect now.

gerbil 216 Industrious Poster

Yep, Partition Magic does a great job of either doing what you want, or destroying what you want... :)
I just glanced at your screenshot; you've got 175GB of data on D: ... I would not DREAM of interfering with D: with ANY partitioning tool. Just make the unallocated space a new partition. Like E:
A much safer play.
And I wondered where that firewall post got to.. it's in the wrong thread! Here boy, tweet tweet... cmhere, ya sod...

gerbil 216 Industrious Poster

Umm... defrag runs under [1] mmc.exe, and employs...
[2] dfrg.msc
[3] dfrgres.dll
and [4] either dfrgfat.exe or dfrgntfs.exe, whichever is relevant to your file system.
You might copy in the four files to system32, or at least check that they exist, and try again.
Then to do a more complete job, navigate to Windows\inf\dfrg.inf ... rclick that file and choose Install.
This last step will tizzy-up your registry entries.

gerbil 216 Industrious Poster

K. Not a lot of detail there... Lessee, some logon changers alter boot.ini to start their logon screen, others replace the bitmaps in logonui.exe, some replace logonui, some just get called by a Run key.
So, what logon changer are you using?

gerbil 216 Industrious Poster

Uninstall and reinstall your firewall. Some of its rules may be corrupted/incorrect now.
GPartEd -live-0.3.4.7 works for me; I cannot get the GUI working with the 3.7.7 version, and anyway it's much bigger on file and does nothing more. Pmagic works fine for me also.

gerbil 216 Industrious Poster

Get GPartEd or Pmagic [which includes Gparted..], free GNU bootable cds which will do that which you desire.

gerbil 216 Industrious Poster

If you don't have those 3 pgms in system32 you would have a multitude of problems.
ole32.dll links objects from one app to another. schannel is used in secure transmissions, shell32 functions are used by windows when opening files, viewing pages.
But didn't you already run sfc /scannow? That would have replaced them..
No... then do it. You will need your installation cd.
Go Start, Run [from TM will do...], and enter:
sfc /scannow
No fanfare or report at conclusion; it just closes.

gerbil 216 Industrious Poster

If you've got something that breaks utube dls.. I think I shall leave it out there to spread. Hopefully.

gerbil 216 Industrious Poster

I am not sure how a Sys Rest would interact with pgms installed after a used restore point, because of the dating of files.
Try going to the pgm folders and dclicking the uninstaller exe.
Add/Rmv Pgms uninstalls by using the pgms own uninstaller files.

gerbil 216 Industrious Poster

RH is resource hacker. Easy to find on the net.
Unzip to a new folder, dclick the .exe to start it, and drag the windows file into it to open it. Two files with icons are explorer.exe and shell32.dll. There are resources on the web which detail the icons in those files.
Good luck.

gerbil 216 Industrious Poster

Looks sweet. Did you delete the old one?
Try it from Safe Mode.

gerbil 216 Industrious Poster

I do not know from where you can dl a complete OS ..
Your problem is that the BIOS cannot find an MBR - is your hd reported in BIOS? Then it could be a problem on the hd... the MBR, for example.
You can get an XP/2000 Recovery Console from this link:
http://www.thecomputerparamedic.com/files/rc.iso
The console runs from the cd so you don't need an OS cd or any files from your C drive to use it. I know it works. All you need is an image burner like Nero 6, CD Writer...
Tips... take the iso and then BURN THE IMAGE. Do not use Data CD or any other mode cos all you will get is a copy of the iso [which you have already...and your new CD will not be bootable]; if you look at the files on your new cd and see .iso mentioned anywhere, start over. If you use Nero 6 then the defaults for image burning are fine, skip the silly advice that you may find on the web. You merely select Burn an Image, browse to and select the .iso and press Burn. That is all it takes. Burn it to a CD-RW if you wish; there is no need to close/finalise the CD whether it is a RW or R. Multisession works fine. If you use a CD-RW then hold the burn speed lowish, say 4x.

Run chkdsk to perform a simple check of the drive. …

gerbil 216 Industrious Poster

... and installed the almost-100 missing security updates?

gerbil 216 Industrious Poster

Sorry, bistered.. I should have mentioned that Panda will actually clean only virii, but it is superb at listing other malwares which can then be targeted. Nice work on removing the baddies.
Note that it shows two M$ updates described in those two bulletins as not installed.
This is how the combofix CFScript.txt should have been presented... I had another long list to edit, and because a somewhat similar tool does accept the idents I thought I would give it a shot. Anyway, now I know.
I have removed the reg fixes because they were dealt with... I suggest you run this as before, but first delete your version of Combofix and dl the latest version [yours will have timed-out by now, and not run].

Killall::

File::
C:\WINDOWS\system32\sups.dll
C:\WINDOWS\system32\odiw.dll
C:\WINDOWS\system32\2.ico
C:\x
C:\WINDOWS\system32\1.ico
C:\d1.exe
C:\uoju.exe
C:\oitkxr.exe
C:\accq.exe
C:\ubcs.exe
C:\WINDOWS\system32\gjm86akm34.dll
C:\944064064
C:\WINDOWS\system32\CodecBHO.dll
C:\WINDOWS\inf\SETA1.tmp
C:\WINDOWS\inf\SET83.tmp
C:\WINDOWS\inf\SET79.tmp
C:\WINDOWS\inf\SET64.tmp
C:\WINDOWS\inf\SET58.tmp
C:\WINDOWS\@@desktop.dat
C:\WINDOWS\system32\2D10762079.sys
C:\WINDOWS\system32\792076102D.sys
C:\WINDOWS\system32\kddwe.exe
C:\WINDOWS\Temp\kddwe.ren

Re the blue screens...It might pay to remove and then swap RAM modules if you have more than one, unplug and replug any connections you can lay a hand to... Simple stuff, but they get real mean on the gold on those connectors, if gold there is.

gerbil 216 Industrious Poster

Resource Hacker. Find the icon or bitmap in the library, and RH will show you that image plus the byte size.

gerbil 216 Industrious Poster

Thank you for the feedback, bkt. I have removed msjava.dll from the list [who would have that, now?]
But ole32.dll, schannel.dll and shell32.dll should be on your machine, and all in system32. Interesting.

gerbil 216 Industrious Poster

Did you get around to completing the malware cleaning, rogue, and remove the cracks? Cracks which modify the existing executables can be doing anything their authors wish, and they will be doing it under the name of the original executable. Fairly undetectable behaviour can result.
Your call.

gerbil 216 Industrious Poster

hide it in another app, and now one will even

gerbil 216 Industrious Poster

Mmm... these are the two that you should [must] have:
ntdetect.com
ntldr
Copy them in from another sys. If your sys is still running don't shut it down until you have replaced them into the root of your System Drive. [usually C:\]

gerbil 216 Industrious Poster

You should have:
C:\boot.ini
C:\ntldr
C:\ntdetect.com [usually]
If so then C: is your System drive - it contains those boot files, and that is why Windows on D: will not let you remove those files on C:.. it would make your sys unbootable. Right.
COPY those files into D: root.
See if you can set D: as Active using Disk Management [make C: not Active first].If you CANNOT make D: Active then leave C: as Active. We will do it then another way.

gerbil 216 Industrious Poster

In case your redirection problem is a simple set of alterations to your Hosts File you might try this as a first step:
==download HostsXpert from http://www.funkytoad.com/content/view/13/31/
-click the top button Make Writable if it is available
-click Restore MS Hosts File button.
If instead you would like to clear your hosts file manually [C:\Windows\system32\drivers\etc\hosts] then apart from the helpful guff from M$ which may or may not exist in your hosts file, this should be the only [or bare minimum!!] entry:
127.0.0.1 localhost
Drag Hosts into an empty notepad, edit it and Save.
You may find that you are not able to save the changed/corrected file. This is because some security applications, possibly also various malware, will lock your Hosts file [make it read-only] as a protection. Lock/Unlock hosts exists in Zonealarm and Spybot S&D.
ZoneAlarm : look under firewall, advanced;
Spybot : click Tools, Hosts File, uncheck "Lock Hosts file read-only as protection against hijackers"
Or just...[but a Spybot setting may over-ride this command....] do this:
Go Start, run, type cmd ...and press Enter. Paste this line into the window at the prompt, press Enter, close the window and try to save the file again.
attrib -r -h -s %SystemRoot%\system32\drivers\etc\HOSTS
Now try to get MBAM.
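
The Hosts-file check described above, as an added example that is not part of the original post: it parses a hosts file, flags every mapping other than localhost to a loopback address (the redirects and 0.0.0.0 sinkholes a hijacker adds), and produces the bare-minimum file the post recommends. The sample hosts content is constructed; 203.0.113.5 is a documentation address and the .example names are placeholders, not identifiers from the thread.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample (not from the post): the Microsoft header comment, the
# one entry that belongs there, and three hijack-style lines. 203.0.113.5 is
# a documentation address and the .example names are placeholders.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "#\n"
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n"
    "127.0.0.1       localhost\n"
    "203.0.113.5     av-vendor.example\n"
    "203.0.113.5     update.example   # appended by the hijacker\n"
    "0.0.0.0         blocked.example\n"
)

Entry = Tuple[int, str, str]  # (line number, address, hostname)


def parse_hosts(text: str) -> List[Entry]:
    """Return every (line, address, name) mapping; comments and blanks are skipped."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue
        addr, *names = fields
        entries.extend((lineno, addr, name.lower()) for name in names)
    return entries


def is_loopback(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr).is_loopback   # 127.0.0.0/8 and ::1
    except ValueError:
        return False


def suspicious_entries(text: str) -> List[Entry]:
    """Anything other than localhost -> loopback is a candidate redirect,
    including 0.0.0.0 sinkholes used to block AV and update sites."""
    return [e for e in parse_hosts(text)
            if not (is_loopback(e[1]) and e[2] == "localhost")]


def restore_minimal_hosts(text: str) -> str:
    """Keep the comment lines, drop every mapping, put back the bare minimum
    entry the post recommends (the manual equivalent of 'Restore MS Hosts File')."""
    kept = [raw for raw in text.splitlines() if raw.lstrip().startswith("#")]
    kept.append("127.0.0.1 localhost")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for lineno, addr, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr}")
    print(restore_minimal_hosts(SAMPLE_HOSTS))
```

On a real machine you would read %SystemRoot%\system32\drivers\etc\hosts into `text`, review what `suspicious_entries` reports before deleting anything (some of it may be deliberate ad blocking), and still need the attrib step above before the rewritten file can be saved.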

gerbil 216 Industrious Poster

Like Bob says, phil, hide em. Otherwise your wife is gunna be a little uneasy about those locked folders....
And I think we need to get you a finger sharpener, bob. They work a bit like a pencil sharpener. Some pain may be involved.... :)

gerbil 216 Industrious Poster

That is sometimes how it goes with virii. Because you have MBRWiz you have the opportunity to save to a FLOPPY a copy of your MBR. Most likely will never need it, however... If you wish to make a copy of it wait until you have laid down your last primary or your extended partition, then the MBR partition table is no more changed. Adding more logicals has no effect.
Cheers.

gerbil 216 Industrious Poster

rbor, enable viewing of hidden op sys files, then check in the root of C: and D: for boot.ini, ntldr, ntdetect.com. Where are they?

gerbil 216 Industrious Poster

Whoops, an XP MBR contains these 3 messages:
Invalid partition table.Error loading operating system.Missing operating system.
It is the BIOS which has the "Operating System not found" msg. Which in your case really means that it cannot find a valid MBR, or bootable cd. Since you have the cd first in the boot order it could be a bad drive [two cd's themselves bad is asking too much], dirty lens...whatever... so it is skipping onto the hd and checking that.

gerbil 216 Industrious Poster

Hello, ritz, "operating system not found" is one of the messages encoded into the MBR of a hd. I can assure you that no matter the spinning of your cd, it is not being looked at. Your sys is trying to boot off the hd...ie BIOS is searching there for an OS.. it has read the MBR and loaded its code, but the code cannot find an active partition or ntldr.
Check again that the cd drive is foremost in your boot list, and that it works.
And yes, the "F6 to load a driver" prompt does come up after Setup has started copying files from the cd.

gerbil 216 Industrious Poster

Safe mode, with those words in the corner should have a few icons, plus Start, Run..... and you can get TM with ctrl-alt-del.
Considering the date.. you may have blown up a M$ update or two.
Okay, on you way into safe mode did you try system restore?

gerbil 216 Industrious Poster

Oops! I meant, of course, MBRWiz [or MBRWhiskey]... but you'd have found it.
Sorry...
http://red.boot-land.net/index.html
This dl contains both tools, the latest versions.
The commandline tool is straightfwd, as I said earlier... just save it [may have to unzip first], open cmd, cd to the path and then type..
mbrwiz -to see the parameter helplist.
So basically:
mbrwiz /list
mbrwiz /disk= yours, counts from zero
mbrwiz /part= yours, counts from zero
So: mbrwiz /disk= the one /part=the one /type=07
07 is ntfs...
0c is FAT32...

gerbil 216 Industrious Poster

If it is XP, merely delete the C:\Windows directory. Edit your boot.ini so it no longer suggests it as an option.

gerbil 216 Industrious Poster

I put this up before, then removed it. Running it certainly will not break anything.
To fix the explorer shell:
You could save this to a floppy, or to your desktop. If it will not run by dclicking then run it from task manager by inputting its pathname. The entries should be valid... but it's too long for me to check them all. The way regsvr works is that if it does not recognise a name it just ignores it.
==Please copy the text in the box to a notepad and save as fixexplorer.bat, as type "all files", to your desktop; dclick it to run it.

regsvr32 acelpdec.ax /s
regsvr32 actxprxy.dll /s
regsvr32 asctrls.ocx /s
regsvr32 browseui.dll /i /s 
regsvr32 browseui.dll /s
regsvr32 browsewm.dll /s
regsvr32 cdfview.dll /s
regsvr32 comcat.dll /s
regsvr32 comctl32.dll /i /s
regsvr32 corpol.dll /s
regsvr32 crswpp.dll /s
regsvr32 cryptdlg.dll /s
regsvr32 cryptdlg.dll /s
regsvr32 cryptext.dll /s
regsvr32 csseqchk.dll /s
regsvr32 danim.dll /s
regsvr32 datime.dll /s
regsvr32 daxctle.ocx /s
regsvr32 digest.dll /i /s
regsvr32 directdb.dll /s
regsvr32 dispex.dll /s
regsvr32 dssenh.dll /s 
regsvr32 dxmasf.dll /s
regsvr32 dxtmsft.dll /s
regsvr32 dxtrans.dll /s
regsvr32 fpwpp.dll /s
regsvr32 ftpwpp.dll /s
regsvr32 gpkcsp.dll /s
regsvr32 hhctrl.ocx /s
regsvr32 hlink.dll /s
regsvr32 hmmapi.dll /s
regsvr32 icmfilter.dll /s
regsvr32 iedkcs32.dll /s
regsvr32 iepeers.dll /s
regsvr32 iesetup.dll /i /s
regsvr32 ils.dll /s
regsvr32 imgutil.dll /s
regsvr32 inetcfg.dll /s
regsvr32 inetcomm.dll /s
regsvr32 inetcpl.cpl /i /s
regsvr32 initpki.dll /s
regsvr32 inseng.dll /s
regsvr32 jscript.dll /s
regsvr32 l3codecx.ax /s
regsvr32 licdll.dll /s
regsvr32 licmgr10.dll /s …
gerbil 216 Industrious Poster

I am not sure a Repair will do it, bob.. Repair would want to format the drive [partition]. I think all that his virus/pest has done is alter the piece of code in the boot sector which defines partition encoding type... ie changed it from NTFS or FAT32 to RAW . And it would only have to alter the code in the boot partition [usually C:] That code can be directly edited to whatever it was using [free] 3rd party tools. I have not done it, though. May have a scout around.
I'm looking for tools which you can boot with as well; I have a couple of tools which can directly edit partition type from a running XP.. so Sparkax would have to slave the drive to use them... but there is no problem there. Both are straightfwd to use, both can do EXTREME damage [it is their nature].
Testdisk-6.9
MBRWhiz [command line tool] [or MBRWhiskey for a GUI version] - the latter is simpler to use.
Anyway, both will allow you to edit the file structure type. They don't ask for confirmation... eg. if you set them to delete a partition, they just do it. BANG.
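
The partition-type editing discussed here and in the mbrwiz post above (`/list`, `/disk=`, `/part=`, `/type=07`, 07 = NTFS, 0c = FAT32), as an added example that is not part of the original posts and not mbrwiz or TestDisk code: it decodes the four entries of a 512-byte MBR, performs the table check behind the "Invalid partition table." message, and rewrites one entry's type byte the way the post describes using mbrwiz. The sector image is constructed in code; reading a real sector from a slaved drive, and any write back to disk, are left out on purpose, since that is exactly the step the post warns can do extreme damage. That a pest could flip a type byte to make a volume show as RAW is the poster's theory; the code only shows what such a change looks like in the table.

```python
import struct
from typing import List, NamedTuple, Optional

SECTOR = 512
TABLE_OFFSET = 446          # 446 bytes of boot code, then 4 x 16-byte entries
ENTRY_SIZE = 16
SIGNATURE = b"\x55\xAA"

# Type bytes from the post (07, 0c) plus the others needed to read a usual XP disk.
TYPE_NAMES = {
    0x00: "empty",
    0x05: "extended (CHS)",
    0x07: "NTFS/HPFS",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x0F: "extended (LBA)",
}


class Partition(NamedTuple):
    index: int
    status: int        # 0x80 = active (bootable), 0x00 = inactive
    type_id: int
    lba_start: int
    sectors: int

    @property
    def bootable(self) -> bool:
        return self.status == 0x80


def parse_mbr(mbr: bytes) -> List[Partition]:
    """Decode the four primary entries; raises if the sector is not an MBR."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if mbr[510:512] != SIGNATURE:
        raise ValueError("55AA boot signature missing")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        # status, 3 CHS bytes (ignored), type, 3 CHS bytes (ignored), LBA start, sector count
        status, type_id, lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        parts.append(Partition(i, status, type_id, lba, count))
    return parts


def describe(mbr: bytes) -> List[str]:
    """Human-readable listing, roughly what `mbrwiz /list` prints."""
    return [
        f"part {p.index}: {'*' if p.bootable else ' '} type 0x{p.type_id:02X} "
        f"({TYPE_NAMES.get(p.type_id, 'unknown')}) start={p.lba_start} sectors={p.sectors}"
        for p in parse_mbr(mbr)
    ]


def partition_table_check(mbr: bytes) -> Optional[str]:
    """The table sanity check the XP MBR code performs before reading any boot
    sector. The other two messages, 'Error loading operating system.' and
    'Missing operating system.', come from the read of the active partition's
    boot sector and cannot be reproduced from the table alone."""
    parts = parse_mbr(mbr)
    if any(p.status not in (0x00, 0x80) for p in parts):
        return "Invalid partition table."
    if sum(p.bootable for p in parts) != 1:
        return "Invalid partition table."
    return None


def set_partition_type(mbr: bytes, index: int, type_id: int) -> bytes:
    """Rewrite one entry's type byte, the in-memory equivalent of
    `mbrwiz /disk=N /part=index /type=07`. Returns a new image; nothing is
    written to disk here."""
    if not 0 <= index < 4:
        raise ValueError("primary partition index must be 0..3")
    out = bytearray(mbr)
    out[TABLE_OFFSET + index * ENTRY_SIZE + 4] = type_id
    return bytes(out)


def _entry(status: int, type_id: int, lba: int, count: int) -> bytes:
    # CHS fields set to the FE FF FF placeholder used for LBA-addressed entries
    return struct.pack("<B3sB3sII", status, b"\xFE\xFF\xFF", type_id, b"\xFE\xFF\xFF", lba, count)


def sample_mbr() -> bytes:
    """Constructed image (not a real disk): zeroed boot code, an active NTFS
    partition, a FAT32 partition, two empty slots."""
    table = _entry(0x80, 0x07, 63, 20_000_000) + _entry(0x00, 0x0C, 20_000_063, 30_000_000) + bytes(32)
    return bytes(TABLE_OFFSET) + table + SIGNATURE


if __name__ == "__main__":
    image = sample_mbr()
    print("\n".join(describe(image)))
    print("\n".join(describe(set_partition_type(image, 0, 0x00))))   # what a zeroed type byte looks like
```

Run `describe` on the real sector first and keep a copy of the original 512 bytes (the floppy copy the later MBRWiz post mentions) before changing anything; the type byte is the only thing `set_partition_type` touches, so the partition's start, length and active flag stay as they were.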

gerbil 216 Industrious Poster

Umm.. lessee... fixboot to the best of my knowledge only repairs the actual boot sector code ie the code that gets loaded into memory. I think what you need is bootcfg in Recovery Console. That can be used to detect and build a boot.ini file. A command sequence might be:
bootcfg /list -shows the current file.
bootcfg /scan -finds all Windows OS.
bootcfg /rebuild -you select and build a file.
You will need some sort of XP cd though, so just borrow one. Almost any XP cd will do.

gerbil 216 Industrious Poster

chkdsk /f

gerbil 216 Industrious Poster

Oh boy!! I do love a race. Given that a lot of folk first off google for answers be prepared to get the same one. You can join in... search this string: 0xC0000005

gerbil 216 Industrious Poster

Frank, if you look at the boot.ini that I proposed you will see that the Default entry points to XP on its partition - this is the OS that ntldr will turn to if you do not make any selection within the time allotted by Timeout. Having Default point to an OS for which the path and directory are not specified will cause a hiccup. The original Default pointed to the entry Setup makes in boot.ini so as to restart Setup from your hd during installation - it should have been removed later by Setup but obviously there was a glitch. A glitch!!? Windows?

gerbil 216 Industrious Poster

Randal, normally I would have simply deleted your whole C:\temp folder with its contents but it would appear that you have used it as a download folder, plus as a store for some of your own files. This directory should be reserved for system use, then its contents can be systematically deleted from time to time. May I suggest that you create Downloads and Scratch Pad folders?
Anyway, the prospect of deleting all those file idents made me hopeful that Combofix would ignore them... it doesn't so I have had to reissue the block of text for saving as CFScript.txt. Use this lot:

Killall::

File::
C:\WINDOWS\system32\drivers\lvuvc.hs
C:\TEMP\sv9l5.tmp
C:\TEMP\sv9l5.tmp
C:\WINDOWS\dv11mxv_0$1_783482.drv

Folder::
C:\temp\WERe9e6.dir00
C:\temp\WER6ac8.dir00
C:\temp\WERf0b7.dir00
C:\temp\WER8778.dir00
C:\temp\{C90C518C-0720-4961-B9B5-B579B33311AB}
C:\temp\nsb6.tmp
C:\temp\WER5e41.dir00
C:\temp\WERad76.dir00
C:\temp\nsu7D.tmp
C:\temp\wzf3e4
C:\temp\wz0a83
C:\temp\{ECAB36B7-1453-4DA2-8308-CCA67D1DA735}
C:\temp\{8F5E9A50-4A68-43F2-86D4-A696B7E2A532}
C:\temp\{D9C5206A-F48C-443C-84FE-F673674A4322}
C:\temp\{A3516346-06FD-4EB7-93D1-803542A697C1}
C:\temp\{A90AA336-24E8-4F06-9977-29ED693FC233}
C:\temp\~nsu.tmp
C:\temp\{6E58355A-6911-4A35-8A3B-808AB3A22FA7}
C:\temp\{3EC28456-29D6-40AB-B438-41CF3CCAD4CF}
C:\temp\{2A89E315-2DEC-42E4-934C-C94533E628E1}
C:\temp\{CCDC7478-97CC-4933-92F4-B836890DEFCB}
C:\temp\{2FAFDCAB-0E6C-4547-BB5E-96367B673B4C}
C:\temp\{C36080B7-84C3-4839-8B16-973DBC1CA2D7}
C:\temp\{408419FF-C461-4DCE-814D-8CD1C398DE23}
C:\temp\WERf713.dir00
C:\temp\plugtmp-6
C:\temp\iss33.tmp
C:\temp\iss17.tmp
C:\temp\WER2ba3.dir00
C:\temp\WER2a7a.dir00
C:\temp\plugtmp-5
C:\Program Files\Solitaire.Com
C:\temp\WERe465.dir00
C:\temp\WERb528.dir00
C:\temp\WERf5a3.dir00
C:\temp\WERdc43.dir00
C:\temp\WER8a9e.dir00
C:\temp\WER43b3.dir00
C:\temp\WERadbd.dir00
C:\temp\plugtmp-4
C:\temp\MCA6D.tmp
C:\temp\vsoaol8026.tmp
C:\temp\CDM
C:\temp\WER6d96.dir00
C:\temp\WERfd71.dir00
C:\temp\WER3812.dir00
C:\temp\pftA.tmp
C:\temp\pft13.tmp

And run that PandaActiveScan!

gerbil 216 Industrious Poster

Bistered, I think I must have been a bit lazy... ok, hopeful, when I gave you that script to run.. I should not have included the prefixing file idents etc. I just tested it on my own machine and Combofix did not appreciate them.... Anyway, most are gone, but could you manually delete these files/folders please [it will save restarting combofix]:
C:\x
C:\d1.exe
C:\944064064
C:\WINDOWS\Internet Logs\xDB1.tmp
C:\WINDOWS\@@desktop.dat

Now, that scanning problem. Just to see if any malware remains could you:
==Run CCleaner in all Accounts.
==Please use IE or Firefox to do an online scan at panda:- http://www.pandasecurity.com/activescan/index/
-First Register [otherwise there will be no disinfection, merely detection] with a valid email address for the free online virus scan and follow through.
Unlike Kaspersky this scan does not require Java.
Please ATTACH to your post the log it produces.

gerbil 216 Industrious Poster

You're welcome...

gerbil 216 Industrious Poster

Hello, Sarah... I gotta suggest something good to get hold of those hugs... I'm not thinking it is malware [your log is clean...] but more firewall or modem settings related. AVG AS is hot onto Sasser/Blaster worms.
All this happened AFTER loading SP3? You might try uninstalling your Nvidia Network Access Manager [it is the UI for network settings and the NV firewall] in CP, Add/Rmv Pgms.
Of course, you may be one of the unlucky few who contracted problems with SP3...

gerbil 216 Industrious Poster

Randal, I modified the code to run with Combofix; if you have not already done this step please use the following script instead of that in the post above [it includes a couple of files I missed].
And I would like to see the results of a PandaActiveScan. I am interested in those NewFiles you mention.

Killall::

File::
2008-08-31 15:35 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
C:\TEMP\sv9l5.tmp
C:\TEMP\sv9l5.tmp
1998-10-24 07:00 700 -csha-w C:\WINDOWS\dv11mxv_0$1_783482.drv

Folder::
2008-10-06 18:51 . 2008-09-07 00:54 <DIR> d-------- C:\temp\WERe9e6.dir00
2008-10-06 18:48 . 2008-09-07 00:54 <DIR> d-------- C:\temp\WER6ac8.dir00
2008-09-23 03:06 . 2008-08-30 06:47 <DIR> d-------- C:\temp\WERf0b7.dir00
2008-09-23 01:06 . 2008-08-30 06:47 <DIR> d-------- C:\temp\WER8778.dir00
2008-09-06 19:45 . 2008-09-07 00:54 <DIR> d-------- C:\temp\{C90C518C-0720-4961-B9B5-B579B33311AB}
2008-09-06 15:18 . 2008-09-07 00:52 <DIR> d-------- C:\temp\nsb6.tmp
2008-09-06 15:07 . 2008-09-07 00:54 <DIR> d-------- C:\temp\WER5e41.dir00
2008-09-06 14:55 . 2008-09-07 00:54 <DIR> d-------- C:\temp\WERad76.dir00
2008-09-05 08:38 . 2008-09-07 00:52 <DIR> d-------- C:\temp\nsu7D.tmp
2008-08-30 15:44 . 2008-09-04 21:06 <DIR> d-------- C:\temp\wzf3e4
2008-08-30 15:42 . 2008-09-04 21:06 <DIR> d-------- C:\temp\wz0a83
2008-08-23 01:24 . 2008-08-23 01:24 <DIR> d-------- C:\temp\{ECAB36B7-1453-4DA2-8308-CCA67D1DA735}
2008-08-23 01:24 . 2008-08-30 06:48 <DIR> d-------- C:\temp\{8F5E9A50-4A68-43F2-86D4-A696B7E2A532}
2008-08-23 01:20 . 2008-08-30 06:48 <DIR> d-------- C:\temp\{D9C5206A-F48C-443C-84FE-F673674A4322}
2008-08-23 01:20 . 2008-08-23 01:20 <DIR> d-------- C:\temp\{A3516346-06FD-4EB7-93D1-803542A697C1}
2008-08-23 00:47 . 2008-08-30 06:48 <DIR> d-------- C:\temp\{A90AA336-24E8-4F06-9977-29ED693FC233}
2008-08-23 00:35 . 2008-09-23 03:03 <DIR> d-------- C:\temp\~nsu.tmp
2008-08-23 00:05 . 2008-08-30 06:48 <DIR> d-------- C:\temp\{6E58355A-6911-4A35-8A3B-808AB3A22FA7}
2008-08-23 00:05 . 2008-08-23 00:05 <DIR> d-------- C:\temp\{3EC28456-29D6-40AB-B438-41CF3CCAD4CF}
2008-08-23 00:05 . 2008-08-30 06:48 <DIR> d-------- C:\temp\{2A89E315-2DEC-42E4-934C-C94533E628E1}
2008-08-23 00:03 . 2008-08-30 06:48 <DIR> d-------- C:\temp\{CCDC7478-97CC-4933-92F4-B836890DEFCB}
2008-08-23 00:01 . 2008-08-30 06:48 <DIR> d-------- C:\temp\{2FAFDCAB-0E6C-4547-BB5E-96367B673B4C}
2008-08-22 23:58 …
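
The prefix problem this post and the one before it describe (ComboFix will not accept the date/size/attribute text in front of each path, so the listing has to be trimmed to bare paths), as an added example that is not part of the original posts and not ComboFix code: it strips the listing prefix from each line, sorts `<DIR>` lines into a Folder:: block and the rest into a File:: block, drops duplicates, and prints a CFScript.txt body. The sample lines are copied from the listing above; the regular expression and the section layout are this example's own.

```python
import re
from typing import Iterable, List, Optional

# Lines copied from the listing in the post above (they are ComboFix log
# lines, not new identifiers): two with a date/size/attribute prefix, one
# bare duplicate, and two <DIR> entries.
SAMPLE_LISTING = [
    "2008-08-31 15:35 0 ----a-w C:\\WINDOWS\\system32\\drivers\\lvuvc.hs",
    "C:\\TEMP\\sv9l5.tmp",
    "C:\\TEMP\\sv9l5.tmp",
    "1998-10-24 07:00 700 -csha-w C:\\WINDOWS\\dv11mxv_0$1_783482.drv",
    "2008-10-06 18:51 . 2008-09-07 00:54 <DIR> d-------- C:\\temp\\WERe9e6.dir00",
    "2008-09-06 15:18 . 2008-09-07 00:52 <DIR> d-------- C:\\temp\\nsb6.tmp",
]

# A Windows path starts at the first drive letter followed by ':\'; everything
# from there to the end of the line (minus trailing blanks) is the path, so
# paths containing spaces survive.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?)\s*$")


def strip_listing_prefix(line: str) -> Optional[str]:
    """'2008-09-06 13:24 . ... --a------ C:\\x'  ->  'C:\\x'; None if there is no path."""
    m = PATH_RE.search(line)
    return m.group(1) if m else None


def build_cfscript(listing: Iterable[str]) -> str:
    """Turn raw log lines into a CFScript.txt body: <DIR> lines go under
    Folder::, the rest under File::, duplicates removed, order kept."""
    files: List[str] = []
    folders: List[str] = []
    for line in listing:
        path = strip_listing_prefix(line)
        if path is None:
            continue
        (folders if "<DIR>" in line else files).append(path)
    files = list(dict.fromkeys(files))
    folders = list(dict.fromkeys(folders))
    out = ["Killall::", ""]
    if files:
        out += ["File::", *files, ""]
    if folders:
        out += ["Folder::", *folders, ""]
    return "\n".join(out)


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LISTING))
```

Paste the log lines into `SAMPLE_LISTING` (or read them from a file) and save the printed text as CFScript.txt with word wrap off, as the instructions above say; the Registry:: section is not generated here because those lines are hand-written, not copied from a listing.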
gerbil 216 Industrious Poster

Hello, choloe... this may help, it may just address the tip of an iceberg. Let's see what happens.
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O4 - HKLM\..\Run: [inrhcvh4j0e19r] C:\Documents and Settings\Grischa\Local Settings\Temp\.tt12C.tmp.exe

Good, now delete this file:
C:\Documents and Settings\Grischa\Local Settings\Temp\.tt12C.tmp.exe

If it will not delete then in hijackthis select Misc Tools Section, press Delete a File on Reboot and in the window which opens paste into the text box the following pathname, press Open and then Yes...
C:\Documents and Settings\Grischa\Local Settings\Temp\.tt12C.tmp.exe

I see nothing else bad in that log. Btw, if you have Avast there is no real need to run Spyware Doctor as a service because Avast combines AV with AS.
See how you get on with those links I gave you.

gerbil 216 Industrious Poster

WAIT!! You gotta edit the default line also. Go Start, Run, paste in:
control sysdm.cpl,,3
...then press Startup n Recovery Settings, Edit...

[Boot Loader]
Timeout=5
Default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[Operating Systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

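The Default-line check behind this post and the earlier one to Frank (Default must name an ARC path that actually has a line under [Operating Systems], or ntldr hiccups when the timeout expires), as an added example that is not part of the original posts and not bootcfg code: it parses a boot.ini, reports a dangling Default and other obvious faults, and repoints Default at the first listed system. The good sample is the boot.ini from the post above; the bad sample is constructed from it by changing the partition number in Default.

```python
import re
from typing import Dict, List, Tuple

# The boot.ini from the post above, used as the known-good sample.
GOOD_BOOT_INI = """\
[Boot Loader]
Timeout=5
Default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[Operating Systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
"""

# Constructed bad sample (not from the post): Default names an ARC path for
# which [Operating Systems] has no line, the situation described above.
BAD_BOOT_INI = GOOD_BOOT_INI.replace(
    "Default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS",
    "Default=multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS")

# multi()/scsi() ARC paths, or a plain drive path such as C:\ for a DOS/9x entry
ARC_PATH = re.compile(
    r"^(?:(?:multi|scsi)\(\d+\)disk\(\d+\)rdisk\(\d+\)partition\(\d+\)\\\S+|[A-Za-z]:\\?.*)$",
    re.IGNORECASE,
)


def parse_boot_ini(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Minimal INI reader: section names lower-cased, key order kept, value split
    on the first '=' only so options like /noexecute=optin keep theirs."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


def validate_boot_ini(text: str) -> List[str]:
    """Return a list of problems; an empty list means the file looks sane."""
    problems: List[str] = []
    ini = parse_boot_ini(text)
    loader = {k.lower(): v for k, v in ini.get("boot loader", [])}
    systems = ini.get("operating systems", [])
    if "boot loader" not in ini:
        problems.append("missing [boot loader] section")
    if not systems:
        problems.append("no entries in [operating systems]")
    if not loader.get("timeout", "").isdigit():
        problems.append("Timeout is missing or not a number")
    default = loader.get("default")
    if default is None:
        problems.append("Default is missing")
    else:
        known = {k.lower() for k, _ in systems}
        if default.lower() not in known:
            problems.append(f"Default '{default}' has no entry in [operating systems]")
    for key, _ in systems:
        if not ARC_PATH.match(key):
            problems.append(f"entry '{key}' is not an ARC path")
    return problems


def fix_default(text: str) -> str:
    """Point Default at the first [operating systems] entry, which is what a
    hand edit (or bootcfg /rebuild followed by choosing that entry) ends up doing."""
    systems = parse_boot_ini(text).get("operating systems", [])
    if not systems:
        return text
    first_key = systems[0][0]
    return re.sub(r"(?im)^(\s*Default\s*=).*$", lambda m: m.group(1) + first_key, text, count=1)


if __name__ == "__main__":
    print(validate_boot_ini(GOOD_BOOT_INI))   # []
    print(validate_boot_ini(BAD_BOOT_INI))
    print(fix_default(BAD_BOOT_INI))
```

boot.ini is hidden, system and read-only in the root of the System drive, so on a live machine open it through the Startup and Recovery dialog named above rather than writing to it from a script, and keep the [Boot Loader] capitalisation as Windows wrote it (the parser here compares case-insensitively).
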
gerbil 216 Industrious Poster

No, it is not bad. Just run the next part for me, please - I have re-submitted it because of a syntax error, so ignore the instruction in my previous post regarding this part.
And yep, MBAM broke, so delete all of it.

==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to a folder or your desktop.

Killall::

File::
2008-09-06 13:24 . 2008-09-06 13:24 25,088 --a------ C:\WINDOWS\system32\sups.dll
2008-09-06 11:40 . 2008-09-06 11:40 21,504 --a------ C:\WINDOWS\system32\odiw.dll
2008-09-06 10:54 . 2008-09-05 17:07 3,262 --a------ C:\WINDOWS\system32\2.ico
2008-09-06 10:50 . 2008-09-05 17:07 31,232 --a------ C:\x
2008-09-06 10:50 . 2008-09-05 17:07 3,262 --a------ C:\WINDOWS\system32\1.ico
2008-09-06 10:40 . 2008-09-06 10:40 0 --a------ C:\d1.exe
2008-09-06 10:39 . 2008-09-06 10:39 66,048 --a------ C:\uoju.exe
2008-09-06 10:39 . 2008-09-06 10:39 66,048 --a------ C:\oitkxr.exe
2008-09-06 10:39 . 2008-09-06 10:39 34,816 --a------ C:\accq.exe
2008-09-06 10:39 . 2008-09-06 10:39 29,184 --a------ C:\ubcs.exe
2008-09-06 10:39 . 2008-09-06 10:39 10,000 --a------ C:\WINDOWS\system32\gjm86akm34.dll
2008-09-06 10:39 . 2008-09-06 10:39 0 --a------ C:\944064064
2008-09-06 07:27 . 2008-09-06 07:27 155,648 --a------ C:\WINDOWS\system32\CodecBHO.dll
2006-10-03 09:43 2,402,550 ----a-w C:\WINDOWS\inf\SETA1.tmp
2006-10-03 09:43 2,402,550 ----a-w C:\WINDOWS\inf\SET83.tmp
2006-10-03 09:43 2,402,550 ----a-w C:\WINDOWS\inf\SET79.tmp
2006-10-03 09:43 2,402,550 ----a-w C:\WINDOWS\inf\SET64.tmp
2006-10-03 09:43 2,402,550 ----a-w C:\WINDOWS\inf\SET58.tmp
1999-07-07 00:00 6 --sh--r C:\WINDOWS\@@desktop.dat
2006-05-25 05:05 88 --sh--r C:\WINDOWS\system32\2D10762079.sys
2006-06-12 05:09 56 --sh--r C:\WINDOWS\system32\792076102D.sys
C:\WINDOWS\system32\kddwe.exe
C:\WINDOWS\Temp\kddwe.ren

Folder::
2008-09-06 10:50 . 2008-09-07 22:11 <DIR> d-------- C:\Program Files\PCHealthCenter

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5BF49A2-94F3-42BD-F434-3604812C897D}]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{C5BF49A2-94F3-42BD-F434-3604812C897D}"= -

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\\WINDOWS\\system32\\kddwe.exe"=-
"384546ef"=-
"BM3b767573"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Jnskdfmf9eldfd"=-

Good. Now …

gerbil 216 Industrious Poster

==Please go to this web page http://virusscan.jotti.org/, click browse and submit this file for examination:
C:\WINDOWS\dv11mxv_0$1_783482.drv
Post the report in your next reply.
Okay, now disconnect from the web and turn off your Antivirus and Firewall while this next part runs.
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to a folder or your desktop.

Killall::

Rootkit::
2008-08-31 15:35 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs

Folder::
2008-10-06 18:51 . 2008-09-07 00:54 <DIR> d-------- C:\temp\WERe9e6.dir00
2008-10-06 18:48 . 2008-09-07 00:54 <DIR> d-------- C:\temp\WER6ac8.dir00
2008-09-23 03:06 . 2008-08-30 06:47 <DIR> d-------- C:\temp\WERf0b7.dir00
2008-09-23 01:06 . 2008-08-30 06:47 <DIR> d-------- C:\temp\WER8778.dir00
2008-09-06 19:45 . 2008-09-07 00:54 <DIR> d-------- C:\temp\{C90C518C-0720-4961-B9B5-B579B33311AB}
2008-09-06 15:18 . 2008-09-07 00:52 <DIR> d-------- C:\temp\nsb6.tmp
2008-09-06 15:07 . 2008-09-07 00:54 <DIR> d-------- C:\temp\WER5e41.dir00
2008-09-06 14:55 . 2008-09-07 00:54 <DIR> d-------- C:\temp\WERad76.dir00
2008-09-05 08:38 . 2008-09-07 00:52 <DIR> d-------- C:\temp\nsu7D.tmp
2008-08-30 15:44 . 2008-09-04 21:06 <DIR> d-------- C:\temp\wzf3e4
2008-08-30 15:42 . 2008-09-04 21:06 <DIR> d-------- C:\temp\wz0a83
2008-08-23 01:24 . 2008-08-23 01:24 <DIR> d-------- C:\temp\{ECAB36B7-1453-4DA2-8308-CCA67D1DA735}
2008-08-23 01:24 . 2008-08-30 06:48 <DIR> d-------- C:\temp\{8F5E9A50-4A68-43F2-86D4-A696B7E2A532}
2008-08-23 01:20 . 2008-08-30 06:48 <DIR> d-------- C:\temp\{D9C5206A-F48C-443C-84FE-F673674A4322}
2008-08-23 01:20 . 2008-08-23 01:20 <DIR> d-------- C:\temp\{A3516346-06FD-4EB7-93D1-803542A697C1}
2008-08-23 00:47 . 2008-08-30 06:48 <DIR> d-------- C:\temp\{A90AA336-24E8-4F06-9977-29ED693FC233}
2008-08-23 00:35 . 2008-09-23 03:03 <DIR> d-------- C:\temp\~nsu.tmp
2008-08-23 00:05 . 2008-08-30 06:48 <DIR> d-------- C:\temp\{6E58355A-6911-4A35-8A3B-808AB3A22FA7}
2008-08-23 00:05 . 2008-08-23 00:05 <DIR> d-------- C:\temp\{3EC28456-29D6-40AB-B438-41CF3CCAD4CF}
2008-08-23 00:05 . 2008-08-30 06:48 <DIR> d-------- C:\temp\{2A89E315-2DEC-42E4-934C-C94533E628E1}
2008-08-23 00:03 . 2008-08-30 06:48 <DIR> …
gerbil 216 Industrious Poster

Hello, Nicole... I am going to assume that you have XP Home.... Home will not show you the Administrator account unless you start in Safe Mode [this is the original account created when XP was installed]; further I am assuming that you, like most folk, did not apply a password to it....
So, restart in Safe Mode, select the Administrator account and press Enter for the password.... are you in? Good, bypass Sys Restore to go fully into Safe Mode, go to CP, Accounts and reset your password.

gerbil 216 Industrious Poster

Oh dear, your sys has been whacked. Next skirmish follows... and I would like to point out that I much dislike the namers of codec, game and linux files....
==Uninstall MBAM and delete the downloaded files, it has been compromised because it has not removed files I know it should.
==Please go to this web page http://virusscan.jotti.org/, click browse and submit this file for examination:
C:\WINDOWS\system32\kddwe.exe
-I just wish to get it recognised... now you may not find it there cos Fixwareout should have dealt with it, but it may still be here:
C:\WINDOWS\Temp\kddwe.ren
-post the report.
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to a folder or your desktop.

Killall::

Files::
2008-09-06 13:24 . 2008-09-06 13:24 25,088 --a------ C:\WINDOWS\system32\sups.dll
2008-09-06 11:40 . 2008-09-06 11:40 21,504 --a------ C:\WINDOWS\system32\odiw.dll
2008-09-06 10:54 . 2008-09-05 17:07 3,262 --a------ C:\WINDOWS\system32\2.ico
2008-09-06 10:50 . 2008-09-05 17:07 31,232 --a------ C:\x
2008-09-06 10:50 . 2008-09-05 17:07 3,262 --a------ C:\WINDOWS\system32\1.ico
2008-09-06 10:40 . 2008-09-06 10:40 0 --a------ C:\d1.exe
2008-09-06 10:39 . 2008-09-06 10:39 66,048 --a------ C:\uoju.exe
2008-09-06 10:39 . 2008-09-06 10:39 66,048 --a------ C:\oitkxr.exe
2008-09-06 10:39 . 2008-09-06 10:39 34,816 --a------ C:\accq.exe
2008-09-06 10:39 . 2008-09-06 10:39 29,184 --a------ C:\ubcs.exe
2008-09-06 10:39 . 2008-09-06 10:39 10,000 --a------ C:\WINDOWS\system32\gjm86akm34.dll
2008-09-06 10:39 …

gerbil 216 Industrious Poster

For the tough file, C:\WINDOWS\system32\gjm86akm34.dll :
==This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
I'll get back to you on the rest...

gerbil 216 Industrious Poster

3000? extremely important? Then it's lucky that you have them backed-up.
But me saying smart stuff is not much help. Something may be causing them to be hidden, a bit of malware with a bad sense of humour.. but there are malwares which delete files. So.. cmd.exe does not seem to care about attributes, so go Start, run, and enter cmd
I dunno where your files are [a bit like you.. :)] so enter at the prompt:
cd ..
and then the drive letter of your folder eg D:
Then the path to the FOLDER eg. cd "My Stuff\Precious Files" ..the "" are in case you have spaces in names and your settings do not cope with that.
Finally enter:
dir |more
That is a generic set of commands, not necessarily the simplest, but they will get you to the folder no matter where it is, so just repeating them for clarity:
cd ..
D:
cd "My Stuff\Precious Files"
dir |more

Wotcha got?

gerbil 216 Industrious Poster

I can live with that solution. Cheers.