it's in safe mode, here's the combofix file, I believe my Outlook email is still working in normal mode, or I can run the utilities in normal mode then go into safe mode to send to you...
ComboFix 08-12-06.04 - Administrator 2008-12-06 19:15:03.3 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1254 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.
2008-12-06 14:22 . 2008-12-06 14:22
d-------- c:\program files\Microsoft Windows OneCare Live
2008-12-06 13:33 . 2008-12-06 13:34 78,790,542 --a------ C:\SYM_REGISTRY_BACKUP.reg
2008-12-06 09:04 . 2008-12-06 09:05 d-------- c:\documents and settings\Administrator\Application Data\AVG7
2008-11-28 07:42 . 2008-11-28 07:42 d-------- c:\program files\Reality Pump
2008-11-28 07:31 . 2008-12-06 18:05 d-------- c:\program files\Common
2008-11-12 12:55 . 2008-12-05 20:58 43,520 --a------ c:\windows\system32\CmdLineExt03.dll
2008-11-12 12:43 . 2008-11-12 12:43 d-------- C:\Extras
2008-11-12 09:08 . 2008-10-24 05:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 09:06 . 2008-09-04 11:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-08 17:59 . 2008-11-08 17:59 d-------- c:\documents and settings\All Users\Application Data\Age of Empires 3
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 17:40 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2008-12-06 00:23 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-05 19:18 --------- d-----w c:\program files\Flash Menu Factory
2008-11-12 18:43 --------- d-----w c:\program files\THQ
2008-11-09 04:17 --------- d-----w c:\program files\Java
2008-11-08 23:42 --------- d-----w c:\program files\Microsoft Games
2008-11-07 04:02 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-04 01:44 --------- d-----w c:\program files\BearShare
2008-11-01 16:09 --------- d-----w c:\program files\Common Files\AVSMedia
2008-11-01 16:09 --------- d-----w c:\program files\AVS4YOU
2008-10-29 21:55 --------- d-----w c:\program files\The KMPlayer
2008-10-29 21:40 --------- d-----w c:\documents and settings\All Users\Application Data\AVS4YOU
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-12 06:50 --------- d-----w c:\program files\DarkSwords
2008-10-11 23:28 --------- d-----w c:\program files\Eidos Interactive
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll
2008-09-08 10:41 333,824 ------w c:\windows\system32\dllcache\srv.sys
2002-07-27 01:02 153,088 ----a-w c:\program files\UNWISE.EXE
2008-05-07 20:48 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008050720080508\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-16 590848]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"lxdnmon.exe"="c:\program files\Lexmark 2600 Series\lxdnmon.exe" [2007-12-17 660136]
"EzPrint"="c:\program files\Lexmark 2600 Series\ezprint.exe" [2007-12-17 107176]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-01-22 219136]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-08 113664]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 18:12 15360 c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 22:56 64512 c:\windows\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-12 08:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
--a------ 2005-09-21 11:41 1605740 c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
--a------ 2005-06-02 00:35 49152 c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--a------ 2005-07-14 23:35 1961984 c:\program files\Ahead\Nero BackItUp\NBJ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 13:50 155648 c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-10-22 11:22 7700480 c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-10-22 11:22 86016 c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2USBDRV]
--a------ 2006-12-19 11:07 38296 c:\windows\MICROI~1\PS2USBKbdDrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-02-04 19:07 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
--a------ 2005-08-03 01:19 77312 c:\windows\arpwrmsg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-10-22 11:22 1622016 c:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSIServer"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"MDM"=2 (0x2)
"LightScribeService"=2 (0x2)
"IDriverT"=3 (0x3)
"Fax"=3 (0x3)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\WS_FTP\\ws_ftp95.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\THQ\\Titan Quest Immortal Throne\\Tqit.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"=
"c:\\Program Files\\EA Games\\The Battle for Middle-earth (tm)\\game.dat"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdntime.exe"=
"c:\\Program Files\\Lexmark 2600 Series\\lxdnmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnjswx.exe"=
"c:\\Program Files\\Adobe\\Photoshop CS\\Photoshop.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnwbgw.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Reality Pump\\Two Worlds\\TwoWorlds.exe"=
"c:\\Program Files\\Reality Pump\\Two Worlds\\TwoWorlds_RADEON.exe"=
"c:\\Program Files\\Lexmark 2600 Series\\lxdnlscn.exe"=
"c:\\WINDOWS\\system32\\lxdncoms.exe"=
"c:\\Program Files\\EA Games\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver 3\\Dreamweaver.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\SWGB\\Game\\Battlegrounds.exe"=
S2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service []
S2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdnserv.exe [2008-07-08 98984]
S3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [2005-12-23 100480]
S3 Vob621kdiaf;Vob621kdiaf;c:\windows\system32\drivers\ati1tuxx.sys [2008-05-07 36463]
.
Contents of the 'Scheduled Tasks' folder
2008-12-06 c:\windows\Tasks\SyncBack Downloads.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2008-08-12 11:00]
2008-12-06 c:\windows\Tasks\SyncBack Music.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2008-08-12 11:00]
2008-12-06 c:\windows\Tasks\SyncBack ROUTINESYNC.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2008-08-12 11:00]
2008-12-06 c:\windows\Tasks\SyncBack Videos.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2008-08-12 11:00]
2008-12-06 c:\windows\Tasks\User_Feed_Synchronization-{3A60586B-A6B1-4783-A820-BA54CBAA296E}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 17:36]
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 19:18:37
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-12-06 19:20:35
ComboFix-quarantined-files.txt 2008-12-07 01:19:19
ComboFix2.txt 2008-12-07 00:28:37
ComboFix3.txt 2008-12-07 00:09:51
Pre-Run: 125,767,458,816 bytes free
Post-Run: 125,757,566,976 bytes free
204 --- E O F --- 2008-11-12 15:13:18