Same computer that suffered the security virus, new issue

OK,

So after a week of trying to clean up the computer, and several times thinking that it was repaired, a new issue. Now when I go to google and find the site that I want, I click the link, and the computer takes me elsewhere.

Is it just time to format the C drive, reload and go from there. I really hate to do that because of all of the time required, but I'm working on messing with this for the second weekend in a row, plus all of the time during the week. Not to mention the time that you folks have spent helping me.

Is there a "simple" fix to this??

Hijack This file for the latest issue.



Logfile of HijackThis v1.99.1
Scan saved at 11:37:00 AM, on 7/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\hijack this\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0070504
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0070504
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2

• Ensure all Firefox windows are closed.
  
• To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  
• When prompted to run the scan, click Yes.
  
• GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
  

Thanks for the reply. Here is the file.

GooredFix by jpshortstuff (12.07.09)
Log created at 17:19 on 18/07/2009 (Torrie)
Firefox version 3.5.1 (en-US)

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\
{3112ca9c-de6d-4884-a869-9855de68056c} [02:42 10/05/2007]
{972ce4c6-7e08-4474-a285-3208198ce6fd} [04:57 18/07/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
(none)

-=E.O.F=-

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

OK,

I've downloaded. I've clicked the icon to start, and the computer is doing nothing. I've tried right clicking the Icon and telling it to run also. Nothing.

I see, please do the following:

• Download combofix from here
  Link 1
  Link 2
  

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:





3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

• See HERE for how to disable your AV.
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouse click combofix's window whilst it's running. That may cause it to stall.
  

Combo-fix is saying that it has detected rootkit activity and needs to reboot the machine. Is that OK.

The file names that it is listing to write down are:

c:\windows\system32\drivers\UACqpmhsipctobwuwpyv.sys
c:\windows\system32\UACyxvklneoyqerdbmlv.dll
c:\windows\system32\UACmppqlrklwqjyiacgo.dll
c:\windows\system32\UACdmqyxbwughvbafkti.dat
c:\windows\system32\UACumlijebybavfsfpbk.dll
c:\windows\system32\UACybrkjdupdetyufojt.dll
c:\windows\system32\UACqjeulbbvtlgxvdvyc.db
c:\windows\system32\UACuenxsjeahrwrdxisc.dll

Yes its ok after that continue scanning.

ComboFix 09-07-14.08 - Torrie 07/18/2009 18:20.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.640 [GMT -4:00]
Running from: c:\documents and settings\Torrie\Desktop\Combo-Fix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\cleanup.exe
c:\windows\010112010146118114.dat
c:\windows\0101120101464849.dat
c:\windows\Install.txt
c:\windows\Installer\334e460.msi
c:\windows\system32\drivers\UACqpmhsipctobwuwpyv.sys
c:\windows\system32\Install.txt
c:\windows\system32\UACdmqyxbwughvbafkti.dat
c:\windows\system32\uacinit.dll
c:\windows\system32\UACmppqlrklwqjyiacgo.dll
c:\windows\system32\UACqjeulbbvtlgxvdvyc.db
c:\windows\system32\uactmp.db
c:\windows\system32\UACuenxsjeahrwrdxisc.dll
c:\windows\system32\UACumlijebybavfsfpbk.dll
c:\windows\system32\UACybrkjdupdetyufojt.dll
c:\windows\system32\UACyxvklneoyqerdbmlv.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_6TO4
-------\Legacy_MSNCACHE
-------\Legacy_PCMSTUB
-------\Legacy_SOPIDKC
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_6to4
-------\Service_pcmstub


((((((((((((((((((((((((( Files Created from 2009-06-18 to 2009-07-18 )))))))))))))))))))))))))))))))
.

2009-07-18 04:50 . 2009-07-18 04:50 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-07-18 04:50 . 2005-08-25 23:18 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2009-07-18 04:50 . 2009-07-18 04:50 -------- d-----w- c:\program files\SpywareBlaster
2009-07-18 04:18 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-07-18 04:10 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-18 04:10 . 2009-07-18 04:10 -------- dc-h--w- c:\docume~1\ALLUSE~1\APPLIC~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-18 01:30 . 2009-07-18 02:03 -------- d-----w- c:\documents and settings\Torrie\DoctorWeb
2009-07-17 23:10 . 2009-07-17 23:10 -------- d-s---w- c:\documents and settings\Torrie\UserData
2009-07-12 19:17 . 2009-07-12 19:17 6500 ----a-w- C:\backup.reg
2009-07-12 19:17 . 2009-07-12 19:17 574 ----a-w- C:\cleanup.bat
2009-07-12 19:17 . 2009-07-12 19:17 135168 ----a-w- C:\zip.exe
2009-07-12 18:28 . 2009-07-12 18:28 -------- d--h--w- c:\windows\PIF
2009-07-12 17:49 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-07-12 17:48 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-07-12 17:31 . 2008-04-14 00:12 1306624 -c----w- c:\windows\system32\dllcache\msxml6.dll
2009-07-12 17:31 . 2008-04-13 17:27 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2009-07-12 12:56 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-07-12 12:56 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-07-12 12:56 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-07-12 12:56 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-07-12 05:24 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-07-12 05:24 . 2009-03-24 20:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-12 05:24 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-07-12 05:24 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-07-12 05:24 . 2009-07-12 05:24 -------- d-----w- c:\program files\Avira
2009-07-12 05:24 . 2009-07-12 05:24 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Avira
2009-07-12 03:21 . 2009-07-12 03:21 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-07-11 22:14 . 2009-07-11 22:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-07-11 20:33 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-11 20:33 . 2009-07-12 01:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-11 20:33 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-11 20:08 . 2009-07-11 20:08 -------- d-----w- c:\documents and settings\Torrie\Application Data\Malwarebytes
2009-07-11 17:14 . 2009-07-11 17:14 -------- d-----w- C:\39a2554cf0d79fa50378
2009-07-11 17:13 . 2009-07-11 17:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-11 17:13 . 2009-07-11 17:13 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-07-11 16:26 . 2004-08-04 10:00 41600 -c--a-w- c:\windows\system32\dllcache\weitekp9.dll
2009-07-11 16:26 . 2004-08-04 10:00 31232 -c--a-w- c:\windows\system32\dllcache\weitekp9.sys
2009-07-11 16:24 . 2001-08-18 02:36 38912 -c--a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2009-07-11 16:23 . 2004-08-04 10:00 10129408 -c--a-w- c:\windows\system32\dllcache\hwxkor.dll
2009-07-11 16:22 . 2001-08-18 02:36 45056 -c--a-w- c:\windows\system32\dllcache\EXCH_aqadmin.dll
2009-07-11 16:22 . 2001-08-18 02:36 5632 -c--a-w- c:\windows\system32\dllcache\EXCH_adsiisex.dll
2009-07-11 16:18 . 2004-08-04 10:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2009-07-11 16:06 . 2004-08-04 10:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2009-07-11 16:06 . 2004-08-04 10:00 13312 ----a-w- c:\windows\system32\irclass.dll
2009-07-11 16:06 . 2004-08-04 10:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2009-07-11 16:06 . 2004-08-04 10:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2009-07-11 16:05 . 2009-07-11 16:05 -------- d-s---w- c:\windows\system32\config\systemprofile\History
2009-07-11 15:08 . 2009-07-12 01:28 -------- d-----w- C:\548ca78a225ca7b10dd01ced95
2009-07-11 14:52 . 2009-07-12 01:28 -------- d-----w- C:\4b5b4d4025c336b9d9cb2cea
2009-07-11 14:52 . 2009-07-12 01:29 -------- d-----w- C:\8cd5ec16322eb47e7bf192fcc0
2009-07-11 14:52 . 2009-07-12 01:29 -------- d-----w- C:\8b6834c03fe75a46e9ca0b01
2009-07-11 14:52 . 2009-07-11 14:52 -------- d-----w- C:\b8a00336a77ab642de
2009-07-11 14:26 . 2009-07-12 01:28 -------- d-----w- C:\350dee6cda85300f8ae3d635a7f6
2009-07-11 14:26 . 2009-07-12 01:28 -------- d-----w- C:\50b05749af5bfcb654
2009-07-11 11:54 . 2009-07-11 11:54 -------- d-----w- c:\windows\msapps
2009-07-11 11:54 . 2009-07-11 11:54 -------- d-----w- c:\windows\dell
2009-07-11 04:41 . 2009-07-11 04:41 204 ----a-w- c:\windows\3456665.bat
2009-06-30 05:04 . 2009-06-30 05:04 -------- d-----w- c:\program files\7-Zip
2009-06-29 17:21 . 2009-06-30 17:10 -------- d-----w- c:\program files\MuseScore 0.9
2009-06-28 20:07 . 2009-06-28 20:07 -------- d-----w- c:\documents and settings\Torrie\Local Settings\Application Data\MusE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-18 21:43 . 2007-06-26 02:14 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2009-07-18 21:14 . 2007-05-04 09:32 44985 ----a-w- c:\windows\system32\nvModes.dat
2009-07-18 05:37 . 2008-04-27 03:48 -------- d-----w- c:\program files\Conference
2009-07-18 04:48 . 2007-06-26 02:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-18 04:09 . 2007-06-26 02:26 -------- d-----w- c:\program files\Lavasoft
2009-07-12 19:15 . 2007-05-04 09:58 -------- d-----w- c:\program files\Google
2009-07-12 19:12 . 2007-05-04 09:44 -------- d-----w- c:\program files\Java
2009-07-12 12:42 . 2007-06-26 02:25 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-12 12:36 . 2007-06-26 02:26 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Lavasoft
2009-07-12 01:58 . 2007-06-26 02:33 -------- d-----w- c:\program files\hijack this
2009-07-11 16:17 . 2004-08-10 18:02 23444 ----a-w- c:\windows\system32\emptyregdb.dat
2009-06-28 20:04 . 2009-03-23 02:48 -------- d-----w- c:\program files\Bonjour
2009-06-16 14:36 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2004-08-04 10:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-07 15:32 . 2004-08-04 10:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:46 . 2006-03-04 03:33 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-07-15 20:30 . 2009-07-18 04:57 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2008-09-16 20:04 . 2007-11-01 03:44 168 --sha-r- c:\windows\system32\E621FEE4A0.sys
2008-09-16 20:04 . 2007-11-01 03:44 5642 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-31 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-21 7557120]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-22 1392640]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-03 1032192]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-03-21 1519616]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2006-03-21 73728]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Conference\\Conference.dll"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Ring Factory\\RingFactory.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/18/2009 12:10 AM 64160]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/12/2009 1:24 AM 108289]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1029456]
S2 hgko;hgko;c:\windows\system32\drivers\piiev.sys --> c:\windows\system32\drivers\piiev.sys [?]
S2 mpfpe;mpfpe;c:\windows\system32\drivers\jbvfol.sys --> c:\windows\system32\drivers\jbvfol.sys [?]
S3 busbcrw;USB Card Reader Writer driver;c:\windows\system32\drivers\busbcrw.sys [4/23/2003 9:45 AM 16896]
S3 VisorUsb;Handspring USB;c:\windows\system32\drivers\VisorUsb.sys [8/24/2007 12:15 AM 19968]
S4 dnopye;dnopye;c:\windows\system32\drivers\jsduvzg.sys --> c:\windows\system32\drivers\jsduvzg.sys [?]
S4 pxnuwsvv;pxnuwsvv;c:\windows\system32\drivers\dvpszx.sys --> c:\windows\system32\drivers\dvpszx.sys [?]
S4 rqzxzkcs;rqzxzkcs;c:\windows\system32\drivers\iffljt.sys --> c:\windows\system32\drivers\iffljt.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0070504
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\docume~1\Torrie\APPLIC~1\Mozilla\Firefox\Profiles\64jqv8xt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - plugin: c:\documents and settings\Torrie\Application Data\Mozilla\Firefox\Profiles\64jqv8xt.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-18 18:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\wbem\Performance\WmiApRpl_new.h 357 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2636)
c:\program files\Google\Google Desktop Search\GoogleDesktopHyper.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\rundll32.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-18 18:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-18 22:33

Pre-Run: 138,217,107,456 bytes free
Post-Run: 138,142,629,888 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=2 Default=2 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
275 --- E O F --- 2009-07-18 13:45

Now open a new notepad file.
Input this into the notepad file:

Folder::
c:\docume~1\ALLUSE~1\APPLIC~1\{EF63305C-BAD7-4144-9208-D65528260864}
C:\39a2554cf0d79fa50378
C:\548ca78a225ca7b10dd01ced95
C:\4b5b4d4025c336b9d9cb2cea
C:\8cd5ec16322eb47e7bf192fcc0
C:\8b6834c03fe75a46e9ca0b01
C:\b8a00336a77ab642de
C:\350dee6cda85300f8ae3d635a7f6
C:\50b05749af5bfcb654

Rootkit::
c:\windows\system32\E621FEE4A0.sys

Driver::
hgko
mpfpe
dnopye
pxnuwsv
rqzxzkcs

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

ComboFix 09-07-19.01 - Torrie 07/19/2009 12:50.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.697 [GMT -4:00]
Running from: c:\documents and settings\Torrie\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Torrie\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\350dee6cda85300f8ae3d635a7f6
c:\350dee6cda85300f8ae3d635a7f6\mrtstub.exe
C:\39a2554cf0d79fa50378
c:\39a2554cf0d79fa50378\$shtdwn$.req
c:\39a2554cf0d79fa50378\mrt.exe
c:\39a2554cf0d79fa50378\mrtstub.exe
c:\4b5b4d4025c336b9d9cb2cea\mrtstub.exe
C:\50b05749af5bfcb654
c:\50b05749af5bfcb654\mrtstub.exe
C:\548ca78a225ca7b10dd01ced95
c:\548ca78a225ca7b10dd01ced95\mrtstub.exe
C:\8b6834c03fe75a46e9ca0b01
C:\8cd5ec16322eb47e7bf192fcc0
c:\8cd5ec16322eb47e7bf192fcc0\mrtstub.exe
C:\b8a00336a77ab642de
c:\docume~1\ALLUSE~1\APPLIC~1\{EF63305C-BAD7-4144-9208-D65528260864}
c:\docume~1\ALLUSE~1\APPLIC~1\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.dat
c:\docume~1\ALLUSE~1\APPLIC~1\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
c:\docume~1\ALLUSE~1\APPLIC~1\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.lan
c:\docume~1\ALLUSE~1\APPLIC~1\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.msi
c:\docume~1\ALLUSE~1\APPLIC~1\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.par
c:\docume~1\ALLUSE~1\APPLIC~1\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.res
c:\docume~1\ALLUSE~1\APPLIC~1\{EF63305C-BAD7-4144-9208-D65528260864}\instance.dat
c:\docume~1\ALLUSE~1\APPLIC~1\{EF63305C-BAD7-4144-9208-D65528260864}\mia.lib
C:\4b5b4d4025c336b9d9cb2cea . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_HGKO
-------\Legacy_MPFPE
-------\Service_dnopye
-------\Service_hgko
-------\Service_mpfpe
-------\Service_rqzxzkcs


((((((((((((((((((((((((( Files Created from 2009-06-19 to 2009-07-19 )))))))))))))))))))))))))))))))
.

2009-07-18 04:50 . 2009-07-18 04:50 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-18 04:50 . 2005-08-25 23:18 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2009-07-18 04:50 . 2009-07-18 04:50 -------- d-----w- c:\program files\SpywareBlaster
2009-07-18 04:18 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-07-18 04:10 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-18 01:30 . 2009-07-18 02:03 -------- d-----w- c:\documents and settings\Torrie\DoctorWeb
2009-07-17 23:10 . 2009-07-17 23:10 -------- d-s---w- c:\documents and settings\Torrie\UserData
2009-07-12 19:17 . 2009-07-12 19:17 6500 ----a-w- C:\backup.reg
2009-07-12 19:17 . 2009-07-12 19:17 574 ----a-w- C:\cleanup.bat
2009-07-12 19:17 . 2009-07-12 19:17 135168 ----a-w- C:\zip.exe
2009-07-12 18:28 . 2009-07-12 18:28 -------- d--h--w- c:\windows\PIF
2009-07-12 17:53 . 2009-07-12 17:53 152576 ----a-w- c:\documents and settings\Torrie\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-07-12 17:49 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-07-12 17:48 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-07-12 17:31 . 2008-04-14 00:12 1306624 -c----w- c:\windows\system32\dllcache\msxml6.dll
2009-07-12 17:31 . 2008-04-13 17:27 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2009-07-12 12:56 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-07-12 12:56 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-07-12 12:56 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-07-12 12:56 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-07-12 12:36 . 2009-07-12 12:36 6944624 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aaw2008_upd.exe
2009-07-12 05:24 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-07-12 05:24 . 2009-03-24 20:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-12 05:24 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-07-12 05:24 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-07-12 05:24 . 2009-07-12 05:24 -------- d-----w- c:\program files\Avira
2009-07-12 05:24 . 2009-07-12 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-07-12 03:21 . 2009-07-12 03:21 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-07-11 22:14 . 2009-07-11 22:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-07-11 20:33 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-11 20:33 . 2009-07-12 01:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-11 20:33 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-11 20:08 . 2009-07-11 20:08 -------- d-----w- c:\documents and settings\Torrie\Application Data\Malwarebytes
2009-07-11 17:13 . 2009-07-11 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-11 17:13 . 2009-07-11 17:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-11 16:26 . 2004-08-04 10:00 41600 -c--a-w- c:\windows\system32\dllcache\weitekp9.dll
2009-07-11 16:26 . 2004-08-04 10:00 31232 -c--a-w- c:\windows\system32\dllcache\weitekp9.sys
2009-07-11 16:24 . 2001-08-18 02:36 38912 -c--a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2009-07-11 16:23 . 2004-08-04 10:00 10129408 -c--a-w- c:\windows\system32\dllcache\hwxkor.dll
2009-07-11 16:22 . 2001-08-18 02:36 45056 -c--a-w- c:\windows\system32\dllcache\EXCH_aqadmin.dll
2009-07-11 16:22 . 2001-08-18 02:36 5632 -c--a-w- c:\windows\system32\dllcache\EXCH_adsiisex.dll
2009-07-11 16:18 . 2004-08-04 10:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2009-07-11 16:06 . 2004-08-04 10:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2009-07-11 16:06 . 2004-08-04 10:00 13312 ----a-w- c:\windows\system32\irclass.dll
2009-07-11 16:06 . 2004-08-04 10:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2009-07-11 16:06 . 2004-08-04 10:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2009-07-11 16:05 . 2009-07-11 16:05 -------- d-s---w- c:\windows\system32\config\systemprofile\History
2009-07-11 14:52 . 2009-07-19 16:55 -------- d-----w- C:\4b5b4d4025c336b9d9cb2cea
2009-07-11 11:54 . 2009-07-11 11:54 -------- d-----w- c:\windows\msapps
2009-07-11 11:54 . 2009-07-11 11:54 -------- d-----w- c:\windows\dell
2009-07-11 04:41 . 2009-07-11 04:41 204 ----a-w- c:\windows\3456665.bat
2009-06-30 05:04 . 2009-06-30 05:04 -------- d-----w- c:\program files\7-Zip
2009-06-29 17:21 . 2009-06-30 17:10 -------- d-----w- c:\program files\MuseScore 0.9
2009-06-28 20:07 . 2009-06-28 20:07 -------- d-----w- c:\documents and settings\Torrie\Local Settings\Application Data\MusE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-18 21:43 . 2007-06-26 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-18 21:14 . 2007-05-04 09:32 44985 ----a-w- c:\windows\system32\nvModes.dat
2009-07-18 05:37 . 2008-04-27 03:48 -------- d-----w- c:\program files\Conference
2009-07-18 04:48 . 2007-06-26 02:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-18 04:09 . 2007-06-26 02:26 -------- d-----w- c:\program files\Lavasoft
2009-07-12 19:15 . 2007-05-04 09:58 -------- d-----w- c:\program files\Google
2009-07-12 19:12 . 2007-05-04 09:44 -------- d-----w- c:\program files\Java
2009-07-12 12:42 . 2007-06-26 02:25 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-12 12:36 . 2007-06-26 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-12 01:58 . 2007-06-26 02:33 -------- d-----w- c:\program files\hijack this
2009-07-11 16:17 . 2004-08-10 18:02 23444 ----a-w- c:\windows\system32\emptyregdb.dat
2009-06-28 20:04 . 2009-03-23 02:48 -------- d-----w- c:\program files\Bonjour
2009-06-16 14:36 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2004-08-04 10:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-08 21:57 . 2009-05-08 19:17 140839968 ----a-w- c:\documents and settings\All Users\Application Data\Rosetta Stone\Updates\Download\Update.exe
2009-05-07 15:32 . 2004-08-04 10:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:46 . 2006-03-04 03:33 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-07-15 20:30 . 2009-07-18 04:57 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2008-09-16 20:04 . 2007-11-01 03:44 5642 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-07-18_22.29.27 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-10 17:51 . 2009-07-19 16:46 64490 c:\windows\system32\perfc009.dat
- 2004-08-10 17:51 . 2009-07-18 22:30 64490 c:\windows\system32\perfc009.dat
+ 2004-08-10 17:51 . 2009-07-19 16:46 405024 c:\windows\system32\perfh009.dat
- 2004-08-10 17:51 . 2009-07-18 22:30 405024 c:\windows\system32\perfh009.dat

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-31 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-21 7557120]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-22 1392640]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-03 1032192]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-03-21 1519616]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2006-03-21 73728]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Conference\\Conference.dll"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Ring Factory\\RingFactory.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/18/2009 12:10 AM 64160]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/12/2009 1:24 AM 108289]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1029456]
S3 busbcrw;USB Card Reader Writer driver;c:\windows\system32\drivers\busbcrw.sys [4/23/2003 9:45 AM 16896]
S3 VisorUsb;Handspring USB;c:\windows\system32\drivers\VisorUsb.sys [8/24/2007 12:15 AM 19968]
S4 pxnuwsvv;pxnuwsvv;c:\windows\system32\drivers\dvpszx.sys --> c:\windows\system32\drivers\dvpszx.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-07-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-05-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0070504
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
FF - ProfilePath - c:\documents and settings\Torrie\Application Data\Mozilla\Firefox\Profiles\64jqv8xt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - plugin: c:\documents and settings\Torrie\Application Data\Mozilla\Firefox\Profiles\64jqv8xt.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-19 12:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(872)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(1232)
c:\program files\Google\Google Desktop Search\GoogleDesktopHyper.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-19 13:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-19 17:03
ComboFix2.txt 2009-07-18 22:33

Pre-Run: 138,129,600,512 bytes free
Post-Run: 138,055,327,744 bytes free

Current=2 Default=2 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
281 --- E O F --- 2009-07-18 13:45

Now open a new notepad file.
Input this into the notepad file:

Folder::
C:\4b5b4d4025c336b9d9cb2cea

File::
c:\windows\3456665.bat

Driver::
pxnuwsvv

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.