WiredWX Christian Hobby Weather Tools
Having Trouble Removing Malware Doctor

Hi,

Hoping someone can help. I'm having trouble completely removing Malware Doctor.
Here's my approach so far:
1. Run Hijackthis
2. Run Malwarebytes antiMalware
3. Run Combofix (renamed to Cfix)

Log files in the next post

Each time I reboot, Malware Doctor reappears!

Thanks in advance,
Cathal

Hijack Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:20:34, on 17/06/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200349604562
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://www.beazleygateway.com/whalecomb947ad817dec8373a3e7e4e33f4e/whalecom0/InternalSite/inc/customupdate/msrdp.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://www.beazleygateway.com/InternalSite/WhlCompMgr.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: mqhwoxjv - mqhwoxjv.dll (file missing)
O23 - Service: AGRESSO 5.5 Server - agresso - Unknown owner - C:\Agresso\Bin\AgrBusinessServer.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast!antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe (file missing)
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 7176 bytes

Malwarebytes Anti-Malware log

Malwarebytes' Anti-Malware 1.37
Database version: 2279
Windows 5.1.2600 Service Pack 2
17/06/2009 01:23:42
mbam-log-2009-06-17 (01-23-42).txt
Scan type: Quick Scan
Objects scanned: 94401
Time elapsed: 2 minute(s), 50 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\355f8bf8 (Rootkit.Rustock) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\avast!AntiVirus (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\system32\drivers\355f8bf8.sys (Rootkit.Rustock) -> Quarantined and deleted successfully.

Combofix log

ComboFix 09-06-16.01 - Administrator 17/06/2009 1:25.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.772 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\cfix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Drivers\nuiim.sys
c:\windows\system32\Drivers\qqaqr.sys
c:\documents and settings\LocalService\Application Data\1361538659.exe
c:\windows\system32\drivers\nuiim.sys
c:\windows\system32\drivers\qqaqr.sys
.
---- Previous Run -------
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_avast!antivirus
-------\Service_kgwwqoos
-------\Legacy_avast!antivirus
-------\Service_zwki


((((((((((((((((((((((((( Files Created from 2009-05-17 to 2009-06-17 )))))))))))))))))))))))))))))))
.

2009-06-16 23:21 . 2009-06-16 23:31 -------- d-s---w- C:\cf
2009-06-15 21:29 . 2009-06-15 21:29 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2009-06-15 18:49 . 2009-06-15 18:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-15 18:48 . 2009-06-15 19:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-15 18:48 . 2009-06-15 19:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-06-12 17:11 . 2009-06-12 17:11 83984 ----a-w- c:\documents and settings\Administrator\Application Data\Cisco\Cisco Secure Desktop\Cache\Temp8-P00h\CSDWebLaunch.exe
2009-06-12 17:11 . 2009-06-12 17:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\Cisco
2009-05-31 18:55 . 2009-05-31 18:55 390664 ----a-w- c:\documents and settings\Administrator\Application Data\Real\RealPlayer\Update\RealPlayer11.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-17 00:33 . 2009-05-06 21:36 87164 ----a-w- c:\windows\system32\drivers\c53c2f57.sys
2009-06-17 00:33 . 2009-05-05 20:39 111100 ----a-w- c:\windows\system32\drivers\b694d1b1.sys
2009-06-17 00:23 . 2009-06-17 00:23 204 ----a-w- c:\program files\tnmkstcr.txt
2009-06-16 23:20 . 2009-06-16 23:20 2168 ----a-w- c:\program files\zpefai.txt
2009-06-15 23:57 . 2007-10-22 20:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-06-15 19:57 . 2007-07-30 21:08 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-14 23:52 . 2008-08-13 17:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-14 22:15 . 2006-11-28 13:47 90112 ----a-w- c:\windows\DUMP66c8.tmp
2009-06-14 22:14 . 2006-11-28 13:47 90112 ----a-w- c:\windows\DUMP67d2.tmp
2009-06-14 22:07 . 2006-11-28 13:47 90112 ----a-w- c:\windows\DUMP6929.tmp
2009-06-14 21:52 . 2006-11-28 13:47 90112 ----a-w- c:\windows\DUMP6755.tmp
2009-06-14 18:01 . 2006-11-28 13:47 90112 ----a-w- c:\windows\DUMP6716.tmp
2009-06-14 17:54 . 2006-11-28 13:47 90112 ----a-w- c:\windows\DUMP6561.tmp
2009-06-14 17:54 . 2006-11-28 13:47 90112 ----a-w- c:\windows\DUMP6793.tmp
2009-06-07 17:38 . 2007-04-09 23:55 -------- d-----w- c:\program files\PartyGaming
2009-05-26 12:20 . 2008-08-13 17:30 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 12:19 . 2008-08-13 17:30 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-05 20:38 . 2004-08-04 12:00 212480 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-05-04 18:32 . 2006-11-30 18:51 -------- d-----w- c:\program files\LimeWire
2009-05-04 13:37 . 2009-02-04 13:37 51712 --sha-w- c:\windows\system32\bokiluve.exe
2009-04-04 10:51 . 2009-04-04 10:51 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
.

------- Sigcheck -------

[-] 2009-05-05 20:38 212480 791778A1F54D4B3F36773F11783A53FC c:\windows\system32\dllcache\ndis.sys
[-] 2009-05-05 20:38 212480 791778A1F54D4B3F36773F11783A53FC c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-07-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-07-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-07-14 118784]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-08-18 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-25 136600]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-26 185896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2003-07-14 34880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2006-11-29 69632]
SnagIt 8.lnk - c:\program files\TechSmith\SnagIt 8\SnagIt32.exe [2007-5-1 6395464]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-11-29 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mqhwoxjv]
mqhwoxjv.dll [BU]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [28/11/2006 16:57 58016]
R2 AGRESSO 5.5 Server - agresso;AGRESSO 5.5 Server - agresso;c:\agresso\Bin\AgrBusinessServer.exe [01/02/2006 14:19 325136]
S1 63f18e3f;63f18e3f;c:\windows\system32\drivers\63f18e3f.sys --> c:\windows\system32\drivers\63f18e3f.sys [?]
S1 66273cf8;66273cf8;c:\windows\system32\drivers\66273cf8.sys --> c:\windows\system32\drivers\66273cf8.sys [?]
S1 66e6e21c;66e6e21c;c:\windows\system32\drivers\66e6e21c.sys --> c:\windows\system32\drivers\66e6e21c.sys [?]
S1 6771f740;6771f740;c:\windows\system32\drivers\6771f740.sys --> c:\windows\system32\drivers\6771f740.sys [?]
S1 8683d7d4;8683d7d4;c:\windows\system32\drivers\8683d7d4.sys --> c:\windows\system32\drivers\8683d7d4.sys [?]
S1 a27d0d4b;a27d0d4b;c:\windows\system32\drivers\a27d0d4b.sys --> c:\windows\system32\drivers\a27d0d4b.sys [?]
S1 c5a1b198;c5a1b198;c:\windows\system32\drivers\c5a1b198.sys --> c:\windows\system32\drivers\c5a1b198.sys [?]
S1 saskutil;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 DMService;Whale Component Manager;c:\windows\DOWNLO~1\DMService.exe [28/09/2007 19:35 423576]
S3 MSSQL$AGRESSO;MSSQL$AGRESSO;c:\progra~1\MICROS~4\MSSQL$~1\binn\sqlservr.exe -sAGRESSO --> c:\progra~1\MICROS~4\MSSQL$~1\binn\sqlservr.exe -sAGRESSO [?]
S3 SQLAgent$AGRESSO;SQLAgent$AGRESSO;c:\progra~1\MICROS~4\MSSQL$~1\binn\sqlagent.exe -i AGRESSO --> c:\progra~1\MICROS~4\MSSQL$~1\binn\sqlagent.exe -i AGRESSO [?]
.
Contents of the 'Scheduled Tasks' folder

2009-05-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local;
uInternet Settings,ProxyServer = http=localhost:7171
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\progra~1\WHALEC~1\CLIENT~1\31265D~1.0\WhlLSP.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-17 01:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\controlset005\Services\b694d1b1]
"ImagePath"="\SystemRoot\System32\drivers\b694d1b1.sys"
--

[HKEY_LOCAL_MACHINE\System\controlset005\Services\c53c2f57]
"ImagePath"="\SystemRoot\System32\drivers\c53c2f57.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2784)
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\progra~1\MICROS~2\OFFICE11\MCPS.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\VsTskMgr.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\progra~1\WinZip\WZQKPICK.EXE
c:\program files\TechSmith\SnagIt 8\TscHelp.exe
c:\program files\TechSmith\SnagIt 8\SnagPriv.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2009-06-17 1:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-17 00:34

Pre-Run: 12,786,806,784 bytes free
Post-Run: 12,802,248,704 bytes free

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
183

Re: Having Trouble Removing Malware Doctor

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

File::
c:\windows\system32\drivers\c53c2f57.sys
c:\windows\system32\drivers\b694d1b1.sys
c:\program files\tnmkstcr.txt
c:\program files\zpefai.txt
c:\windows\DUMP66c8.tmp
c:\windows\DUMP67d2.tmp
c:\windows\DUMP6929.tmp
c:\windows\DUMP6755.tmp
c:\windows\DUMP6716.tmp
c:\windows\DUMP6561.tmp
c:\windows\DUMP6793.tmp
c:\windows\system32\bokiluve.exe

Folder::
c:\program files\LimeWire

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mqhwoxjv]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\StubInstaller.exe"=-
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
[-HKEY_LOCAL_MACHINE\System\controlset005\Services\b694d1b1]
[-HKEY_LOCAL_MACHINE\System\controlset005\Services\c53c2f57]

DDS::
uInternet Settings,ProxyOverride = *.local;
uInternet Settings,ProxyServer = http=localhost:7171

Driver::
63f18e3f
66273cf8
66e6e21c
6771f740
8683d7d4
a27d0d4b
c5a1b198
c53c2f57
b694d1b1


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
[image: screenshot of CFScript.txt being dragged onto the ComboFix icon]

This will open combofix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to.)
Post the resulting log back here.

............................................................................................

Site Admin / Security Administrator

- Please PM me if I fail to respond within 24hrs.
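The entries the helper singled out above (the proxy on localhost, the Winlogon Notify package whose DLL is missing, the S1 drivers named with eight hex characters, the disabled firewall, the Run value under the LocalService profile) follow a few recognisable line shapes. As an added example, not part of this thread or of HijackThis, Malwarebytes or ComboFix themselves, the Python below applies those shapes to constructed sample lines modelled on the posted logs; the rule names, regexes and the Finding type are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample lines shaped like the HijackThis and ComboFix logs in
# this thread (a few representative lines each, not the full logs).
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O20 - Winlogon Notify: mqhwoxjv - mqhwoxjv.dll (file missing)
O23 - Service: avast!antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

SAMPLE_COMBOFIX = r"""
"EnableFirewall"= 0 (0x0)
"Malware Doctor"="c:\documents and settings\LocalService\Application Data\1361538659.exe" [2009-06-17 90624]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-07-14 94208]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [28/11/2006 16:57 58016]
S1 63f18e3f;63f18e3f;c:\windows\system32\drivers\63f18e3f.sys --> c:\windows\system32\drivers\63f18e3f.sys [?]
S1 c53c2f57;c53c2f57;c:\windows\system32\drivers\c53c2f57.sys --> c:\windows\system32\drivers\c53c2f57.sys [?]
"""


@dataclass
class Finding:
    rule: str   # rule name (my own naming, not a tool's)
    line: str   # the log line that triggered it


# Line shapes follow the two log formats; the rule logic is my own.
HJT_PROXY = re.compile(r"^R1 - .*ProxyServer = (?P<value>.+)$")
HJT_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>\S+)(?P<rest>.*)$")
HJT_O23 = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
CFX_DRIVER = re.compile(r"^[RS]\d (?P<name>[^;]+);(?P<display>[^;]+);(?P<path>.+)$")
CFX_FIREWALL = re.compile(r'^"EnableFirewall"=\s*0\b')
CFX_RUNVALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
HEX8 = re.compile(r"[0-9a-f]{8}")
SERVICE_PROFILE_EXE = re.compile(r"\\LocalService\\Application Data\\\d+\.exe$", re.IGNORECASE)


def triage_hijackthis(text: str) -> list[Finding]:
    """Flag HijackThis lines matching the patterns the helper acted on."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = HJT_PROXY.match(line)
        if m and re.search(r"localhost|127\.0\.0\.1", m["value"]):
            # Browser traffic forced through a proxy on the machine itself.
            findings.append(Finding("local-proxy-hijack", line))
            continue
        m = HJT_O20.match(line)
        if m and "file missing" in m["rest"]:
            # Winlogon Notify package pointing at a DLL that is not there.
            findings.append(Finding("winlogon-notify-missing-dll", line))
            continue
        m = HJT_O23.match(line)
        if m and m["owner"] == "Unknown owner" and "(file missing)" in m["path"]:
            # Service with no vendor whose binary is gone (or hidden).
            findings.append(Finding("orphaned-service", line))
    return findings


def triage_combofix(text: str) -> list[Finding]:
    """Flag ComboFix driver/service and registry lines with the same patterns."""
    findings: list[Finding] = []
    for line in text.splitlines():
        if CFX_FIREWALL.match(line):
            findings.append(Finding("firewall-disabled", line))
            continue
        m = CFX_DRIVER.match(line)
        if m and HEX8.fullmatch(m["name"]) and m["path"].rstrip().endswith("[?]"):
            # Kernel driver named by eight hex characters with no file details.
            findings.append(Finding("random-hex-driver", line))
            continue
        m = CFX_RUNVALUE.match(line)
        if m and SERVICE_PROFILE_EXE.search(m["path"]):
            # Run value launching a numeric-named exe from a service profile.
            findings.append(Finding("run-key-service-profile-exe", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule for a quick overview."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    found = triage_hijackthis(SAMPLE_HJT) + triage_combofix(SAMPLE_COMBOFIX)
    for f in found:
        print(f"{f.rule:32} {f.line}")
    print(summarize(found))
```

On a real log this only narrows the list; each hit still needs the human judgement the helper applied here before anything is removed.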

Combofix log (CFScript)

Thanks for the response - unfortunately Malware Doctor still remains - here's the latest ComboFix log.


ComboFix 09-06-16.01 - Administrator 17/06/2009 22:17.4 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.785 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\cfix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\program files\tnmkstcr.txt"
"c:\program files\zpefai.txt"
"c:\windows\DUMP6561.tmp"
"c:\windows\DUMP66c8.tmp"
"c:\windows\DUMP6716.tmp"
"c:\windows\DUMP6755.tmp"
"c:\windows\DUMP6793.tmp"
"c:\windows\DUMP67d2.tmp"
"c:\windows\DUMP6929.tmp"
"c:\windows\system32\bokiluve.exe"
"c:\windows\system32\drivers\b694d1b1.sys"
"c:\windows\system32\drivers\c53c2f57.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\LimeWire
c:\windows\system32\Drivers\mtjtwb.sys
c:\program files\LimeWire\.NetworkShare\LimeWirePackedJars4.12.6.7z
c:\program files\LimeWire\.NetworkShare\LimeWireWin4.12.6.exe
c:\program files\LimeWire\.NetworkShare\LimeWireWin5.1.2.exe
c:\program files\LimeWire\Buy LimeWire PRO.url
c:\program files\LimeWire\COPYING
c:\program files\LimeWire\data.ser
c:\program files\LimeWire\hs_err_pid3428.log
c:\program files\LimeWire\hs_err_pid5144.log
c:\program files\LimeWire\inspection.props
c:\program files\LimeWire\install.log
c:\program files\LimeWire\language.prop
c:\program files\LimeWire\lib\additional_resources.jar
c:\program files\LimeWire\lib\aopalliance.jar
c:\program files\LimeWire\lib\AppFramework.jar
c:\program files\LimeWire\lib\base64-2.2.2.jar
c:\program files\LimeWire\lib\clink.jar
c:\program files\LimeWire\lib\commons-codec-1.3.jar
c:\program files\LimeWire\lib\commons-logging.jar
c:\program files\LimeWire\lib\commons-math-1.2.jar
c:\program files\LimeWire\lib\daap.jar
c:\program files\LimeWire\lib\dnsjava-2.0.6.jar
c:\program files\LimeWire\lib\EventBus-1.2b.jar
c:\program files\LimeWire\lib\gettext-commons.jar
c:\program files\LimeWire\lib\glazedlists-1.7.0_java15.jar
c:\program files\LimeWire\lib\guice-assistedinject-snapshot.jar
c:\program files\LimeWire\lib\guice-snapshot.jar
c:\program files\LimeWire\lib\hashes
c:\program files\LimeWire\lib\hsqldb.jar
c:\program files\LimeWire\lib\httpclient-4.0-beta1.jar
c:\program files\LimeWire\lib\httpcore-4.0-beta2.jar
c:\program files\LimeWire\lib\httpcore-nio-4.0-beta2.jar
c:\program files\LimeWire\lib\icu4j.jar
c:\program files\LimeWire\lib\iTunes-0.0.1.jar
c:\program files\LimeWire\lib\jacob-1.14.1-x64.dll
c:\program files\LimeWire\lib\jacob-1.14.1-x86.dll
c:\program files\LimeWire\lib\jacob-1.14.1.jar
c:\program files\LimeWire\lib\jaudiotagger.jar
c:\program files\LimeWire\lib\jcip-annotations.jar
c:\program files\LimeWire\lib\jcraft.jar
c:\program files\LimeWire\lib\jdic.dll
c:\program files\LimeWire\lib\jdic.jar
c:\program files\LimeWire\lib\jdic_stub.jar
c:\program files\LimeWire\lib\jflac.jar
c:\program files\LimeWire\lib\jl.jar
c:\program files\LimeWire\lib\jmdns.jar
c:\program files\LimeWire\lib\jna.jar
c:\program files\LimeWire\lib\jogg.jar
c:\program files\LimeWire\lib\jorbis.jar
c:\program files\LimeWire\lib\jxlayer.jar
c:\program files\LimeWire\lib\LimeWire.ico
c:\program files\LimeWire\lib\LimeWire.jar
c:\program files\LimeWire\lib\log4j.jar
c:\program files\LimeWire\lib\log4j.properties
c:\program files\LimeWire\lib\messages.jar
c:\program files\LimeWire\lib\miglayout.jar
c:\program files\LimeWire\lib\mozdom4java.jar
c:\program files\LimeWire\lib\MozillaGlue-1.9.jar
c:\program files\LimeWire\lib\MozillaInterfaces-1.9.jar
c:\program files\LimeWire\lib\mozswing.jar
c:\program files\LimeWire\lib\mp3spi.jar
c:\program files\LimeWire\lib\onion-common.jar
c:\program files\LimeWire\lib\onion-fec.jar
c:\program files\LimeWire\lib\smack.jar
c:\program files\LimeWire\lib\smackx-debug.jar
c:\program files\LimeWire\lib\smackx.jar
c:\program files\LimeWire\lib\swing-worker-1.1.jar
c:\program files\LimeWire\lib\swingx-0.9.4.jar
c:\program files\LimeWire\lib\SystemUtilities.dll
c:\program files\LimeWire\lib\SystemUtilitiesA.dll
c:\program files\LimeWire\lib\tritonus.jar
c:\program files\LimeWire\lib\vorbisspi.jar
c:\program files\LimeWire\LimeWire On Startup.lnk
c:\program files\LimeWire\LimeWire.exe
c:\program files\LimeWire\LimeWire.ico
c:\program files\LimeWire\pmf.ico
c:\program files\LimeWire\root\magnet10\badge.img
c:\program files\LimeWire\root\magnet10\canHandle.img
c:\program files\LimeWire\root\magnet10\limewire.gif
c:\program files\LimeWire\root\magnet10\options.js
c:\program files\LimeWire\root\magnet10\silentdetect.js
c:\program files\LimeWire\SOURCE
c:\program files\LimeWire\spacer.gif
c:\program files\LimeWire\uninstall.exe
c:\program files\LimeWire\unpack.log
c:\program files\tnmkstcr.txt
c:\program files\zpefai.txt
c:\windows\DUMP6561.tmp
c:\windows\DUMP66c8.tmp
c:\windows\DUMP6716.tmp
c:\windows\DUMP6755.tmp
c:\windows\DUMP6793.tmp
c:\windows\DUMP67d2.tmp
c:\windows\DUMP6929.tmp
c:\windows\system32\bokiluve.exe
c:\windows\system32\drivers\b694d1b1.sys
c:\windows\system32\drivers\c53c2f57.sys
c:\windows\system32\drivers\mtjtwb.sys
c:\windows\system32\mqhwoxjv.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_avast!antivirus
-------\Service_63f18e3f
-------\Service_66273cf8
-------\Service_66e6e21c
-------\Service_6771f740
-------\Service_8683d7d4
-------\Service_a27d0d4b
-------\Service_c5a1b198
-------\Service_ljvm


((((((((((((((((((((((((( Files Created from 2009-05-17 to 2009-06-17 )))))))))))))))))))))))))))))))
.

2009-06-17 21:23 . 2009-06-17 21:23 90624 ----a-w- c:\documents and settings\LocalService\Application Data\1361538659.exe
2009-06-16 23:21 . 2009-06-16 23:31 -------- d-s---w- C:\cf
2009-06-15 21:29 . 2009-06-15 21:29 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2009-06-15 18:49 . 2009-06-15 18:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-15 18:48 . 2009-06-15 19:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-15 18:48 . 2009-06-15 19:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-06-12 17:11 . 2009-06-12 17:11 83984 ----a-w- c:\documents and settings\Administrator\Application Data\Cisco\Cisco Secure Desktop\Cache\Temp8-P00h\CSDWebLaunch.exe
2009-06-12 17:11 . 2009-06-12 17:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\Cisco
2009-05-31 18:55 . 2009-05-31 18:55 390664 ----a-w- c:\documents and settings\Administrator\Application Data\Real\RealPlayer\Update\RealPlayer11.exe

.

Re: Having Trouble Removing Malware Doctor

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-17 21:25 . 2009-06-17 21:24 99422 ----a-w- c:\windows\system32\drivers\a38d43bf.sys
2009-06-17 21:23 . 2004-08-04 12:00 14336 ----a-w- c:\windows\system32\svchost.exe
2009-06-17 21:23 . 2009-06-17 21:23 29184 ----a-w- c:\windows\system32\jbnmck.dll
2009-06-17 21:23 . 2009-06-17 21:23 16896 ----a-w- c:\windows\system32\mqhwoxjv.dll
2009-06-17 21:23 . 2009-06-17 21:23 36864 ----a-w- c:\windows\system32\avast!Antivirus.exe
2009-06-17 21:00 . 2009-06-17 21:00 2484 ----a-w- c:\program files\wmbcgs.txt
2009-06-15 23:57 . 2007-10-22 20:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-06-15 19:57 . 2007-07-30 21:08 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-14 23:52 . 2008-08-13 17:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-07 17:38 . 2007-04-09 23:55 -------- d-----w- c:\program files\PartyGaming
2009-05-26 12:20 . 2008-08-13 17:30 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 12:19 . 2008-08-13 17:30 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-05 20:38 . 2004-08-04 12:00 212480 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-04-04 10:51 . 2009-04-04 10:51 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
.

------- Sigcheck -------

[-] 2009-05-05 20:38 212480 791778A1F54D4B3F36773F11783A53FC c:\windows\system32\dllcache\ndis.sys
[-] 2009-05-05 20:38 212480 791778A1F54D4B3F36773F11783A53FC c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-06-17_00.31.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-17 21:23 . 2009-06-17 21:23 32768 c:\windows\temp\Temporary Internet Files\Content.IE5\index.dat
+ 2009-06-17 21:21 . 2009-06-17 21:21 16384 c:\windows\temp\Perflib_Perfdata_c0.dat
+ 2009-06-17 21:23 . 2009-06-17 21:23 16384 c:\windows\temp\History\History.IE5\index.dat
+ 2009-06-17 21:23 . 2009-06-17 21:23 16384 c:\windows\temp\Cookies\index.dat
+ 2004-08-04 12:00 . 2009-06-17 00:32 78316 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2004-08-04 12:00 14336 c:\windows\system32\dllcache\svchost.exe
+ 2004-08-04 12:00 . 2009-06-17 21:23 14336 c:\windows\system32\dllcache\svchost.exe
+ 2006-11-28 15:34 . 2009-06-17 21:07 65536 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-11-28 15:34 . 2009-06-16 22:24 65536 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-11-28 15:34 . 2009-06-17 21:07 49152 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-11-28 15:34 . 2009-06-16 22:24 49152 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-04 12:00 . 2009-06-17 00:32 450368 c:\windows\system32\perfh009.dat
+ 2006-12-22 09:50 . 2009-06-17 21:21 212438 c:\windows\system32\inetsrv\MetaBase.bin
+ 2006-11-28 15:34 . 2009-06-17 21:07 770048 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-11-28 15:34 . 2009-06-16 22:24 770048 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AFF01325-0FC2-4749-8914-FBF0565AD9CC}]
2009-06-17 21:23 29184 ----a-w- c:\windows\system32\jbnmck.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Malware Doctor"="c:\documents and settings\LocalService\Application Data\1361538659.exe" [2009-06-17 90624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-07-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-07-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-07-14 118784]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-08-18 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-25 136600]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-26 185896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"Malware Doctor"="c:\documents and settings\LocalService\Application Data\1361538659.exe" [2009-06-17 90624]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2003-07-14 34880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2006-11-29 69632]
SnagIt 8.lnk - c:\program files\TechSmith\SnagIt 8\SnagIt32.exe [2007-5-1 6395464]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-11-29 122880]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mqhwoxjv]
2009-06-17 21:23 16896 ----a-w- c:\windows\system32\mqhwoxjv.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [28/11/2006 16:57 58016]
R2 AGRESSO 5.5 Server - agresso;AGRESSO 5.5 Server - agresso;c:\agresso\Bin\AgrBusinessServer.exe [01/02/2006 14:19 325136]
R2 avast!Antivirus;avast!Antivirus;c:\windows\System32\avast!Antivirus.exe -k netsvcs --> c:\windows\System32\avast!Antivirus.exe -k netsvcs [?]
S1 saskutil;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 FCI;FCI;c:\windows\system32\svchost.exe:ext.exe []
S3 DMService;Whale Component Manager;c:\windows\DOWNLO~1\DMService.exe [28/09/2007 19:35 423576]
S3 MSSQL$AGRESSO;MSSQL$AGRESSO;c:\progra~1\MICROS~4\MSSQL$~1\binn\sqlservr.exe -sAGRESSO --> c:\progra~1\MICROS~4\MSSQL$~1\binn\sqlservr.exe -sAGRESSO [?]
S3 SQLAgent$AGRESSO;SQLAgent$AGRESSO;c:\progra~1\MICROS~4\MSSQL$~1\binn\sqlagent.exe -i AGRESSO --> c:\progra~1\MICROS~4\MSSQL$~1\binn\sqlagent.exe -i AGRESSO [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - AVAST!ANTIVIRUS
.
Contents of the 'Scheduled Tasks' folder

2009-06-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\progra~1\WHALEC~1\CLIENT~1\31265D~1.0\WhlLSP.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-17 22:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\jbnmck.dll 29184 bytes executable
c:\windows\system32\mqhwoxjv.dll 16896 bytes executable
c:\windows\system32\svchost.exe:ext.exe 32768 bytes executable
c:\windows\system32\avast!Antivirus.exe 36864 bytes executable
c:\windows\system32\sft.res 134 bytes

scan completed successfully
hidden files: 5

**************************************************************************

[HKEY_LOCAL_MACHINE\System\controlset005\Services\FCI]
"ImagePath"="c:\windows\system32\svchost.exe:ext.exe"

[HKEY_LOCAL_MACHINE\System\controlset005\Services\a38d43bf]
"ImagePath"="\SystemRoot\System32\drivers\a38d43bf.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5424)
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\VsTskMgr.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\progra~1\WinZip\WZQKPICK.EXE
c:\program files\TechSmith\SnagIt 8\TscHelp.exe
c:\program files\TechSmith\SnagIt 8\SnagPriv.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\avast!Antivirus.exe
c:\windows\temp\diw5.tmp
.
**************************************************************************
.
Completion time: 2009-06-17 22:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-17 21:26
ComboFix2.txt 2009-06-17 21:10
ComboFix3.txt 2009-06-17 00:34

Pre-Run: 12,826,550,272 bytes free
Post-Run: 12,786,122,752 bytes free

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
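As an added example (my own code, not part of this thread and not a ComboFix or SystemLook feature), a small Python triage script that walks a ComboFix log in the format posted above and flags the indicators the helpers react to: a failed Sigcheck on a system driver, an autorun pointing into a LocalService Application Data folder, the DisableTaskMgr/DisableRegistryTools policies, the firewall switched off, and a service image kept in an alternate data stream. The sample lines are constructed from the log above; the category names and regexes are my own choices.

```python
import re

# Constructed sample in the shape of the ComboFix log posted in this thread
# (paths and values are copied from that log).
SAMPLE_LOG = r"""
[-] 2009-05-05 20:38 212480 791778A1F54D4B3F36773F11783A53FC c:\windows\system32\drivers\ndis.sys
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Malware Doctor"="c:\documents and settings\LocalService\Application Data\1361538659.exe" [2009-06-17 90624]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
S2 FCI;FCI;c:\windows\system32\svchost.exe:ext.exe []
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")                    # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<rest>.*)$')     # "name"=data
ADS_RE = re.compile(r"\.exe:[^\s\\]+\.exe", re.IGNORECASE)       # svchost.exe:ext.exe
USERDATA_RE = re.compile(r"\\application data\\|\\temp\\", re.IGNORECASE)
LOCKOUT = ("DisableTaskMgr", "DisableRegistryTools")

def _value(rest):
    # Data part of a value line: the quoted path, or the first bare token (e.g. '1')
    if rest.startswith('"'):
        return rest[1:rest.find('"', 1)]
    return rest.split()[0] if rest else ""

def triage(log):
    """Return (category, detail) findings for the indicators seen in this thread."""
    findings, key = [], ""
    for line in map(str.strip, log.splitlines()):
        if line.startswith("[-]"):               # Sigcheck: signature check failed
            findings.append(("modified_system_file", line.split()[-1]))
        elif ADS_RE.search(line):                # service image inside an alternate data stream
            findings.append(("ads_service", ADS_RE.search(line).group(0)))
        elif KEY_RE.match(line):                 # remember which registry key we are under
            key = KEY_RE.match(line).group("key").lower()
        elif VALUE_RE.match(line):
            m = VALUE_RE.match(line)
            name, val = m.group("name"), _value(m.group("rest"))
            if key.endswith("\\run") and USERDATA_RE.search(val):
                findings.append(("autorun_from_userdata", f"{name} -> {val}"))
            elif key.endswith("policies\\system") and name in LOCKOUT and val == "1":
                findings.append(("tool_lockout_policy", name))
            elif name == "EnableFirewall" and val == "0":
                findings.append(("firewall_disabled", key))
    return findings
```

Run `triage(SAMPLE_LOG)` to get the five findings in log order; feeding it a full ComboFix log works the same way, since only the "[-]", key, value and service line shapes are inspected.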

Re: Having Trouble Removing Malware Doctor

Hello.
Do you have your XP disc? We can't fix this infection because a patched system file is regenerating all this malware.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Having Trouble Removing Malware Doctor

Hi,
Unfortunately I don't have my OS on disk. Any other options?
Thanks again

Re: Having Trouble Removing Malware Doctor

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:

    :filefind
    ndis.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


systemlog

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 23:10 on 18/06/2009 by Administrator (Administrator - Elevation successful)

No Context: filefind

No Context: ndis.sys

-=End Of File=-

Re: Having Trouble Removing Malware Doctor

Hello.
Not sure if that worked right?
Did you copy my script exactly as seen in the code box, not forgetting the : in front of filefind?


Re: Having Trouble Removing Malware Doctor

Hi,
Yes - copied as per your post - tried again - same log result.
As an aside - I no longer get the Malware Doctor popups - all looks good again, but my wireless connection has been damaged - something you've come across before?
Note: Malwarebytes Anti-Malware still finds infected files upon scanning.
Thanks
