Here's the log file. FWIW, every time my computer was restarted, I had to manually disable AVIRA antivirus. There was no permanent setting.
Again, thanks.
ComboFix 09-12-04.05 - Buff 12/05/2009 12:03.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.605 [GMT -8]
Running from: c:\documents and settings\Buff\Desktop\Combo-Fix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning disabled* (Outdated) {8615ACC4-FFA4-0122-0D24-347CA8A3377C}
** please note: there were many of these lines of text, but the file was too large to post **
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Outdated) {86E77A5C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Outdated) {86E7A4BC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Outdated) {86ED8604-FFA4-0110-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Outdated) {BADB0D00-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Outdated) {FFDFF121-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Outdated) {FFFFFFFF-FFA4-00DE-0D24-347CA8A3377C}
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
c:\documents and settings\Buff\Local Settings\Application Data\aegius
c:\documents and settings\Buff\Local Settings\Application Data\aegius\ugalsysguard.exe
c:\windows\Downloaded Program Files\RdxIE.dll
c:\windows\Tasks\pnxvuest.job
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2009-11-05 to 2009-12-05 )))))))))))))))))))))))))))))))
.
2009-12-05 17:18 . 2009-12-04 00:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-05 17:17 . 2009-12-05 17:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-05 17:17 . 2009-12-04 00:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-03 15:17 . 2009-10-30 19:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-03 15:17 . 2009-11-09 19:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-03 15:17 . 2009-10-07 00:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-03 15:17 . 2009-09-03 17:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-12-01 01:59 . 2009-12-01 01:59 -------- d-----w- c:\program files\Trend Micro
2009-11-29 19:32 . 2009-12-05 16:57 -------- d-----w- c:\program files\Enigma Software Group
2009-11-29 06:56 . 2009-11-29 06:56 -------- d-----w- c:\documents and settings\Buff\Application Data\Malwarebytes
2009-11-29 06:24 . 2009-11-29 06:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-29 00:04 . 2009-11-29 00:04 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-11-29 00:04 . 2009-11-29 00:04 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-11-29 00:04 . 2009-11-29 00:04 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-11-29 00:03 . 2009-11-29 00:03 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-11-28 23:55 . 2009-11-28 23:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\AOL
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-05 20:16 . 2006-12-12 15:11 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-05 20:13 . 2009-10-31 02:47 -------- d-----w- c:\program files\Spyware Doctor
2009-12-05 20:13 . 2005-06-19 15:32 17242 ----a-w- c:\windows\system32\tablet.dat
2009-12-05 19:34 . 2004-09-03 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-03 15:26 . 2009-10-29 01:13 -------- d-----w- c:\program files\Common Files\PC Tools
2009-11-10 18:28 . 2009-10-31 02:55 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-11-10 18:28 . 2009-10-31 02:55 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-11-10 18:28 . 2009-10-31 02:55 1640400 ----a-w- c:\windows\PCTBDCore.dll
2009-11-10 18:26 . 2009-10-31 02:55 767952 ----a-w- c:\windows\BDTSupport.dll
2009-10-31 02:47 . 2009-10-31 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-10-29 01:16 . 2009-10-29 01:16 -------- d-----w- c:\documents and settings\Buff\Application Data\Registry Mechanic
2009-10-28 09:36 . 2009-10-31 02:55 1152444 ----a-w- c:\windows\UDB.zip
2009-10-07 22:21 . 2009-06-21 05:13 -------- d-----w- c:\program files\AOL 9.1
2009-10-02 17:15 . 2008-05-01 06:20 2341 -c--a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\qbbackup.sys
2009-10-02 16:03 . 2008-05-01 06:15 816392 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\Components\DownloadQB17\Patch\qbpatch2.exe
2009-09-11 14:18 . 2008-11-15 20:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2007-05-19 02:39 . 2006-11-18 17:16 848 -csha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASUS SmartDoctor"="c:\program files\ASUS\SmartDoctor\\SmartDoctor.exe " [X]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-22 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"IMONTRAY"="c:\program files\Intel\Intel(R) Active Monitor\imontray.exe" [2003-11-03 32768]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-05-02 4640768]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2003-12-01 892928]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-10 188416]
"HostManager"="c:\program files\Common Files\AOL\1134844876\ee\AOLSoftware.exe" [2008-06-24 41824]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"iTunesHelper"="e:\itunes storage\iTunesHelper.exe" [2009-06-05 292136]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-11-18 1243088]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-05-02 323584]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-11-07 19968]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-8-8 113664]
Adobe Gamma Loader.lnk - c:\fonts\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-12-13 113664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-3-18 972064]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2005-6-19 77824]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\AcroRd32.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\acsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1134844876\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI CD-Maker\\LiveUpdate.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Common Files\\AOL\\1134844876\\EE\\aolsoftware.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"e:\\more utils\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"e:\\Itunes storage\\iTunes.exe"=
"c:\\Program Files\\Logitech\\MouseWare\\system\\EM_EXEC.EXE"=
"c:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [12/3/2009 7:17 AM 207792]
R1 ANVIOCTL;ANVIOCTL;c:\windows\system32\drivers\anvioctl.sys [8/8/2004 11:05 PM 233280]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/27/2009 6:18 PM 108289]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [10/30/2009 6:55 PM 112592]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [10/28/2009 5:13 PM 583640]
R2 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [12/3/2009 7:17 AM 359624]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/12/2008 6:41 PM 24652]
S3 Ndppogoo;Ndppogoo; [x]
--- Other Services/Drivers In Memory ---
*Deregistered* - PCTSDInjDriver32
.
Contents of the 'Scheduled Tasks' folder
2009-10-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride =
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Buff\Application Data\Mozilla\Firefox\Profiles\c8p4awzl.Default User\
FF - prefs.js: browser.startup.homepage - hxxp://www.mckinleyink.com
FF - component: c:\documents and settings\Buff\Application Data\Mozilla\Firefox\Profiles\c8p4awzl.Default User\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: e:\itunes storage\Mozilla Plugins\npitunes.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Aim6 - (no file)
AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-_{7C5123A9-30A8-4C44-89CA-A8C87A1FCC91} - c:\program files\Corel\CorelDRAW Graphics Suite 13\Programs\MSILauncher {7C5123A9-30A8-4C44-89CA-A8C87A1FCC91}
AddRemove-{08082022-2a50-4196-8196-a6f86d6e8f12} - c:\program files\Installshield Installation Information\{08082022-2a50-4196-8196-a6f86d6e8f12}\QBReplace.exe {08082022-2a50-4196-8196-a6f86d6e8f12}#{01288593-26bb-4b3a-a04e-0a4ed28cc937}
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-05 12:15
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\tabhook.dll
- - - - - - - > 'explorer.exe'(2472)
c:\windows\system32\WININET.dll
c:\program files\Spyware Doctor\pctgmhk.dll
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\windows\system32\tabhook.dll
c:\program files\Common Files\AOL\ACS\WLHook.dll
c:\program files\Logitech\iTouch\iTchHk.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WS_FTP Pro\nsftpch.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\System32\nvsvc32.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\Tablet.exe
c:\windows\wanmpsvc.exe
c:\program files\Intel\Intel(R) Active Monitor\imonnt.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\Logitech\MouseWare\system\em_exec.exe
c:\program files\ASUS\SmartDoctor\SmartDoctor.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\System32\MDM.EXE
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
.
**************************************************************************
.
Completion time: 2009-12-05 12:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-05 20:19
Pre-Run: 4,044,537,856 bytes free
Post-Run: 4,090,617,856 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
- - End Of File - - 44F23DBEFD3CBFD8DF816B711F90AD3C