Suspected rootkit infection

The other day I came back to my computer to see it open to one of those fake, "your computer has been infected, press okay to scan" pages. I immediately asked my girlfriend, who was using it, if she had opened it or pressed anything. She said no, and that she had left it open on facebook.

I started noticing problems almost instantly. I ran malwarebytes and it picked up a few things, and it seemed satisfied that there was nothing left. I started looking around and I noticed that I had an extra CD drive mounted; previously I had 2 virtual drives via daemontools and a single DVD-RW drive. Now I have an extra CD drive mixed in there.

I tried to install HJT, and the install program wouldn't open. From there I began to suspect something worse, so I started searching for malware/rootkit removal. After typing it into yahoo/google/any search engine, it shuts down the browser (Firefox). Same thing with IE. I've downloaded multiple rootkit tools on my ubuntu partition and moved them over, none of them will run. I can confirm that GMER does work. I did all of this before finding this website.....I won't try anything else until you guys advise.

Thanks

<>

I have system security in my tray as well....

Last edited by dbaker84 on 9th July 2009, 7:07 pm; edited 1 time in total

Managed to get HJT to work, using a renamed version from another post. I know that this is the first thing you'll want, so here it is.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:55:35 PM, on 7/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\andLinux\colinux-daemon.exe
C:\Program Files\andLinux\colinux-slirp-net-daemon.exe
C:\Program Files\andLinux\colinux-net-daemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\andLinux\Launcher\menu.exe
C:\Program Files\andLinux\pulseaudio\pulseaudio.exe
C:\Program Files\RivaTuner v2.22\RivaTuner.exe
C:\Program Files\andLinux\Xming\Xming.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\All Users\Application Data\15376564\15376564.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Daniel\Desktop\winlogon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.22\RivaTuner.exe" /S
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickCare2.2] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QuickCare2.2
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKLM\..\Run: [15376564] C:\Documents and Settings\All Users\Application Data\15376564\15376564.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PlayNC Launcher] C:\Program Files\NCSoft\Launcher\NCLauncher.exe /Minimized
O4 - HKCU\..\Run: [Livestation] C:\Program Files\Livestation\Livestation.exe -startup
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Daniel] C:\Documents and Settings\Daniel\Daniel.exe /i
O4 - HKUS\.DEFAULT\..\Run: [systemprofile] C:\WINDOWS\system32\config\systemprofile\systemprofile.exe /i (User 'Default user')
O4 - Startup: KDE Menu (andLinux).lnk = C:\Program Files\andLinux\Launcher\menu.exe
O4 - Startup: PulseAudio (andLinux).lnk = C:\Program Files\andLinux\pulseaudio\pulseaudio.exe
O4 - Startup: RivaTuner.lnk = C:\Program Files\RivaTuner v2.22\RivaTuner.exe
O4 - Startup: Xming (andLinux).lnk = C:\Program Files\andLinux\Xming\Xming.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3DB1CA38-4D77-403D-B7E0-25F66DB6F6D8}: NameServer = 192.168.0.1,205.171.3.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{745B3C77-0576-482A-8D87-865C22222FC6}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - AppInit_DLLs: C:\DOCUME~1\Daniel\LOCALS~1\Temp\179546746mxx.dll
O20 - Winlogon Notify: aaebadacdaaaecdca - C:\WINDOWS\system32\aaebadacdaaaecdca.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O22 - SharedTaskScheduler: rtasgvfu76ew8ndkfno94 - {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\gsf83iujid.dll (file missing)
O23 - Service: andLinux - Unknown owner - C:\Program Files\andLinux\colinux-daemon.exe
O23 - Service: avast!antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgemc.exe (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: BrlAPI - Unknown owner - C:\cygwin\bin\cygrunsrv.exe (file missing)
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9fb98a3fc9f9b) (gupdate1c9fb98a3fc9f9b) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 9923 bytes

Hello.

• Open HijackThis
  
• Choose "Do a system scan only"
  
• Check the boxes in front of these lines:
  
  
  R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
  O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
  O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)
  O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
  O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
  O4 - HKLM\..\Run: [15376564] C:\Documents and Settings\All Users\Application Data\15376564\15376564.exe
  O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
  O4 - HKCU\..\Run: [Daniel] C:\Documents and Settings\Daniel\Daniel.exe /i
  O4 - HKUS\.DEFAULT\..\Run: [systemprofile] C:\WINDOWS\system32\config\systemprofile\systemprofile.exe /i (User 'Default user')
  O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
  O20 - AppInit_DLLs: C:\DOCUME~1\Daniel\LOCALS~1\Temp\179546746mxx.dll
  O20 - Winlogon Notify: aaebadacdaaaecdca - C:\WINDOWS\system32\aaebadacdaaaecdca.dll
  O22 - SharedTaskScheduler: rtasgvfu76ew8ndkfno94 - {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\gsf83iujid.dll (file missing)
  O23 - Service: avast!antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
  
  
  
• Press "Fix Checked"
  
• Close Hijack This.
  

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

After selecting the language on the installer, something is killing it.

It is telling me that AVG is still running; the process isn't there and there is no tray icon. Also, when starting the computer I get a debug error for the avg program itself.

Okay, we'll fix that later, for now, just run Combofix, even if it says AVG is active.

Here is the result for combofix.

ComboFix 09-07-09.02 - Daniel 07/09/2009 13:43.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1567 [GMT -6:00]
Running from: c:\documents and settings\Daniel\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\15376564
c:\documents and settings\All Users\Application Data\15376564\15376564
c:\documents and settings\All Users\Application Data\15376564\15376564.exe
c:\documents and settings\All Users\Application Data\90946866.ini
c:\documents and settings\Daniel\Daniel.exe
c:\recycler\S-1-5-21-0718494114-1866707683-619660861-4671
c:\recycler\S-1-5-21-1160805227-4959090417-612701221-4084
c:\recycler\S-1-5-21-5155561738-1164446227-841426928-3071
c:\recycler\S-1-5-21-5856383967-3709391649-338712272-8850
c:\windows\Installer\1990ec.msi
c:\windows\system32\aaebadacdaaaecdca.dll
c:\windows\system32\avast!Antivirus.exe
c:\windows\system32\config\systemprofile\Application Data\ShoppingReport
c:\windows\system32\config\systemprofile\Application Data\ShoppingReport\cs\Config.xml
c:\windows\system32\config\systemprofile\Application Data\ShoppingReport\cs\report\aggr_storage.xml
c:\windows\system32\config\systemprofile\Application Data\ShoppingReport\cs\report\send_storage.xml
c:\windows\system32\config\systemprofile\Desktop\System Security 2009.lnk
c:\windows\system32\config\systemprofile\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\windows\system32\config\systemprofile\Start Menu\Programs\System Security
c:\windows\system32\config\systemprofile\Start Menu\Programs\System Security\System Security
c:\windows\system32\drivers\98a15b97.sys
c:\windows\system32\drivers\amd64si.sys
c:\windows\system32\drivers\ati64si.sys
c:\windows\system32\drivers\ecc19235.sys
c:\windows\system32\drivers\hjgruimpcfmukl.sys
c:\windows\system32\drivers\i386si.sys
c:\windows\system32\drivers\netsik.sys
c:\windows\system32\hjgruiowfqjpiq.dll
c:\windows\system32\hjgruiudtpveqb.dat
c:\windows\system32\hjgruiuwmyxyme.dll
c:\windows\system32\hjgruivnswiwio.dat
c:\windows\system32\mukmil.dll

c:\windows\system32\drivers\ndis.sys . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruivscdiyqr
-------\Legacy_ati64si
-------\Legacy_avast!antivirus
-------\Legacy_i386si
-------\Legacy_netsik
-------\Legacy_port135sik
-------\Legacy_{79007602-0cdb-4405-9dbf-1257bb3226ed}
-------\Legacy_{79007602-0cdb-4405-9dbf-1257bb3226ee}
-------\Service_98a15b97
-------\Service_ati64si
-------\Service_avast!antivirus
-------\Service_ecc19235
-------\Service_i386si
-------\Service_netsik
-------\Legacy_amd64si
-------\Service_amd64si


((((((((((((((((((((((((( Files Created from 2009-06-09 to 2009-07-09 )))))))))))))))))))))))))))))))
.

2009-07-09 19:18 . 2009-07-09 19:24 -------- d-s---w- C:\ComboFix
2009-07-09 18:44 . 2009-07-09 18:44 -------- d-----w- c:\program files\Trend Micro
2009-07-09 18:14 . 2009-07-09 18:13 286208 ------w- C:\72o1di4f.exe
2009-07-09 17:57 . 2009-07-09 17:57 -------- d-----w- c:\program files\Sophos
2009-07-09 16:43 . 2009-07-09 17:57 744853 ----a-w- C:\PAVARK.exe
2009-07-09 16:42 . 2009-07-09 16:42 1181383 ------w- C:\sarsfx(2).exe
2009-07-09 16:42 . 2009-07-09 16:42 1181383 ------w- C:\sarsfx.exe
2009-07-09 16:40 . 2009-07-09 16:38 3561744 ------w- C:\mbam-setup.exe
2009-07-08 18:07 . 2009-07-08 18:07 -------- d-----w- c:\documents and settings\Daniel\Application Data\Malwarebytes
2009-07-08 18:07 . 2009-06-17 17:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-08 18:07 . 2009-07-08 18:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-08 18:07 . 2009-07-08 18:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-08 18:07 . 2009-06-17 17:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-08 17:46 . 2009-07-08 17:46 -------- d-sh--w- c:\windows\System Volume Information
2009-07-08 05:34 . 2009-07-08 05:28 22940 ---h--w- c:\windows\system32\config\systemprofile\systemprofile.exe
2009-07-07 05:07 . 2009-07-07 05:07 2141 ----a-w- c:\documents and settings\Daniel\Application Data\.purple\certificates\x509\tls_peers\omega.contacts.msn.com
2009-07-06 23:44 . 2009-07-06 23:44 -------- d-----w- c:\program files\Dangerous High School Girls In Trouble
2009-07-06 23:33 . 2009-07-06 23:33 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-07-03 05:02 . 2009-07-03 05:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-07-03 04:42 . 2009-07-03 04:42 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-06-27 08:15 . 2009-06-27 08:15 -------- d-----w- c:\documents and settings\Daniel\Local Settings\Application Data\SCE
2009-06-25 22:47 . 2009-06-25 22:47 488960 ----a-w- c:\documents and settings\Daniel\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv302-0811070-0-main.dll
2009-06-25 22:46 . 2009-06-25 22:46 319488 ----a-w- c:\documents and settings\Daniel\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
2009-06-24 03:37 . 2009-06-24 03:40 -------- d-----w- c:\documents and settings\Daniel\Application Data\vlc
2009-06-23 08:45 . 2009-06-23 09:30 -------- d-----w- c:\program files\Ryzom
2009-06-23 07:56 . 2009-06-23 07:56 -------- d-----w- c:\program files\Educational Simulations
2009-06-23 06:50 . 2009-06-23 06:50 1089 ----a-w- c:\documents and settings\Daniel\Application Data\.purple\certificates\x509\tls_peers\login.yahoo.com
2009-06-23 06:47 . 2009-06-23 06:47 -------- d-----w- c:\program files\Pidgin
2009-06-23 03:19 . 2009-06-23 04:08 299941 ----a-w- c:\windows\system32\autcache.dll
2009-06-23 03:17 . 2009-06-23 04:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-23 03:05 . 2009-06-23 03:06 -------- d-----w- c:\program files\WideStep Software
2009-06-22 06:09 . 2009-06-22 06:09 -------- d-----w- c:\program files\Curse
2009-06-22 05:03 . 2009-06-22 05:03 -------- d-----w- c:\documents and settings\Daniel\Application Data\Apple Computer
2009-06-22 02:43 . 2009-06-22 02:43 413696 ----a-w- c:\documents and settings\Daniel\Application Data\yoclient\native\OpenAL32.dll
2009-06-22 02:43 . 2009-06-22 02:43 153600 ----a-w- c:\documents and settings\Daniel\Application Data\yoclient\native\lwjgl.dll
2009-06-22 02:42 . 2009-06-22 02:43 -------- d-----w- c:\documents and settings\Daniel\Application Data\yoclient
2009-06-22 01:04 . 2009-06-28 21:51 -------- d-----w- c:\program files\World of Warcraft
2009-06-21 19:48 . 2009-06-21 19:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard
2009-06-21 19:47 . 2009-06-22 03:59 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-06-20 04:02 . 2009-06-20 04:02 2165 ----a-w- c:\documents and settings\Daniel\Application Data\.purple\certificates\x509\tls_peers\rsi.hotmail.com
2009-06-20 04:02 . 2009-06-20 04:02 2099 ----a-w- c:\documents and settings\Daniel\Application Data\.purple\certificates\x509\tls_peers\login.live.com
2009-06-15 21:47 . 2009-06-15 22:14 -------- d-----w- c:\documents and settings\Daniel\Application Data\W Photo Studio
2009-06-15 21:45 . 2009-06-15 21:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Walgreens
2009-06-15 21:45 . 2009-06-15 21:45 -------- d-----w- c:\documents and settings\Daniel\Application Data\Walgreens
2009-06-15 21:45 . 2009-06-15 21:45 -------- d-----w- c:\program files\Common Files\HP
2009-06-15 21:45 . 2009-06-15 21:45 -------- d-----w- c:\program files\Walgreens
2009-06-15 21:35 . 2009-06-15 22:14 -------- d-----w- c:\documents and settings\Daniel\Application Data\W Photo Studio Viewer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-09 19:07 . 2009-03-05 20:40 -------- d-----w- c:\documents and settings\Daniel\Application Data\DNA
2009-07-09 18:36 . 2008-04-22 06:03 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2009-07-09 18:17 . 2009-03-05 20:40 -------- d-----w- c:\program files\DNA
2009-07-09 18:00 . 2002-01-20 06:55 -------- d-----w- c:\documents and settings\Daniel\Application Data\.purple
2009-07-09 03:57 . 2008-06-09 03:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-08 17:33 . 2004-08-04 12:00 212480 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-07-08 00:42 . 2002-01-20 06:29 -------- d-----w- c:\documents and settings\Daniel\Application Data\uTorrent
2009-07-08 00:11 . 2009-04-15 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2009-07-06 22:11 . 2008-08-13 06:21 -------- d-----w- c:\documents and settings\Daniel\Application Data\CoreFTP
2009-07-06 21:09 . 2002-01-20 07:50 -------- d-----w- c:\program files\Steam
2009-07-05 21:12 . 2008-06-27 19:10 -------- d-----w- c:\documents and settings\Daniel\Application Data\GetRightToGo
2009-07-03 05:41 . 2008-06-23 21:35 -------- d-----w- c:\documents and settings\Daniel\Application Data\codeblocks
2009-07-03 04:43 . 2008-06-09 03:36 -------- d-----w- c:\program files\Google
2009-06-26 00:27 . 2009-05-03 06:38 -------- d-----w- c:\documents and settings\Daniel\Application Data\dvdcss
2009-06-04 02:46 . 2009-06-04 02:26 -------- d-----w- c:\program files\GameSpy Arcade
2009-05-29 05:17 . 2009-05-29 05:11 -------- d-----w- c:\program files\NCH Software
2009-05-29 05:11 . 2009-05-29 05:11 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2009-05-27 07:29 . 2008-04-28 05:29 -------- d-----w- c:\documents and settings\Daniel\Application Data\gtk-2.0
2009-05-23 19:08 . 2009-05-23 19:08 -------- d-----w- c:\program files\Microsoft Silverlight
2009-05-21 22:46 . 2008-07-30 20:33 -------- d-----w- c:\program files\SystemRequirementsLab
2009-05-21 17:15 . 2009-05-21 17:15 10134 ----a-r- c:\documents and settings\Daniel\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-05-21 17:15 . 2009-05-21 17:15 -------- d-----w- c:\program files\Microsoft WSE
2009-05-21 17:09 . 2002-04-22 05:50 -------- d-----w- c:\program files\Electronic Arts
2009-05-21 17:09 . 2002-01-20 06:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-18 01:52 . 2009-05-16 21:57 25 ----a-w- c:\windows\popcinfot.dat
2009-05-17 07:22 . 2009-05-14 05:33 -------- d-----w- c:\program files\andLinux
2009-05-16 21:42 . 2009-05-16 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games
2009-05-16 21:23 . 2009-05-16 21:15 -------- d-----w- c:\program files\Edraw Max
2009-05-11 03:04 . 2009-03-02 01:00 -------- d-----w- c:\program files\Enterbrain
2009-05-10 15:25 . 2008-05-09 17:50 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-10 15:25 . 2008-05-09 17:50 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-10 15:25 . 2008-05-09 17:50 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-10 15:25 . 2008-05-09 17:50 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-04-26 04:56 . 2002-01-20 06:37 74832 ----a-w- c:\documents and settings\Daniel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-16 07:13 . 2009-04-16 07:13 22328 ----a-w- c:\documents and settings\Daniel\Application Data\PnkBstrK.sys
2009-04-16 07:13 . 2009-04-16 07:13 22328 ----a-w- c:\documents and settings\Daniel\Application Data\PnkBstrK.sys
2009-04-16 07:13 . 2008-08-01 20:26 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-04-16 07:12 . 2008-08-01 20:26 107832 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-04-16 07:12 . 2009-04-16 07:12 682280 ----a-w- c:\windows\system32\pbsvc.exe
2009-04-16 07:12 . 2008-08-01 20:26 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-03-03 06:35 . 2009-03-03 06:35 56 --sh--r- c:\windows\system32\605D0D681F.sys
2009-03-03 06:40 . 2009-03-03 06:35 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
<<<>>>>

------- Sigcheck -------

[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys
[-] 2009-07-08 17:33 212480 4E8B4F9E5CD6EB7042F726D1DEAD2DB7 c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-09 13680640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-12 136600]
"RivaTunerStartupDaemon"="c:\program files\RivaTuner v2.22\RivaTuner.exe" [2008-12-29 2732032]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-22 413696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-09 86016]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-03-21 16126464]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-09 1657376]

c:\documents and settings\Daniel\Start Menu\Programs\Startup\
KDE Menu (andLinux).lnk - c:\program files\andLinux\Launcher\menu.exe [2009-5-13 66560]
PulseAudio (andLinux).lnk - c:\program files\andLinux\pulseaudio\pulseaudio.exe [2009-5-17 36352]
RivaTuner.lnk - c:\program files\RivaTuner v2.22\RivaTuner.exe [2008-12-29 2732032]
Xming (andLinux).lnk - c:\program files\andLinux\Xming\Xming.exe [2009-5-17 2106368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\logonui_black.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-10 15:25 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\the wonderful end of the world demo\\main.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"58556:TCP"= 58556:TCP:Pando Media Booster
"58556:UDP"= 58556:UDP:Pando Media Booster
"56780:TCP"= 56780:TCP:Pando Media Booster
"56780:UDP"= 56780:UDP:Pando Media Booster

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/9/2008 11:50 AM 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/9/2008 11:50 AM 108552]
R2 andLinux;andLinux;c:\program files\andLinux\colinux-daemon.exe [5/17/2009 1:19 AM 80896]
R2 CoLinuxDriver;CoLinuxDriver;c:\program files\andLinux\linux.sys [5/17/2009 1:19 AM 68096]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 12:02 PM 1213728]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [1/20/2002 12:23 AM 38656]
R3 tap0801co;TAP-Win32 Adapter V8 (coLinux);c:\windows\system32\drivers\tap0801co.sys [8/6/2008 6:02 PM 25856]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S2 gupdate1c9fb98a3fc9f9b;Google Update Service (gupdate1c9fb98a3fc9f9b);c:\program files\Google\Update\GoogleUpdate.exe [7/2/2009 10:42 PM 133104]
S3 BrlAPI;BrlAPI;c:\cygwin\bin\cygrunsrv.exe --> c:\cygwin\bin\cygrunsrv.exe [?]
S3 memsweep2;MEMSWEEP2;\??\c:\windows\system32\A.tmp --> c:\windows\system32\A.tmp [?]
.
Contents of the 'Scheduled Tasks' folder

2009-07-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-09 08:13]

2009-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-03 04:42]

2009-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-03 04:42]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-PlayNC Launcher - c:\program files\NCSoft\Launcher\NCLauncher.exe
HKCU-Run-Livestation - c:\program files\Livestation\Livestation.exe
HKLM-Run-QuickCare2.2 - c:\program files\Qwest\QuickCare\bin\sprtcmd.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {3DB1CA38-4D77-403D-B7E0-25F66DB6F6D8} = 192.168.0.1,205.171.3.25
TCP: {745B3C77-0576-482A-8D87-865C22222FC6} = 208.67.222.222,208.67.220.220
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
FF - ProfilePath - c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\lkhr2mds.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npJoostPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPDFXCviewNPPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Tracker Software\PDF-XChange Viewer\pdf-viewer\npPDFXCviewNPPlugin.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-09 14:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\0754e129ad7ca0ce8d9c654e86b05c14.sys 39936 bytes executable
c:\windows\system32\_0754e129ad7ca0ce8d9c654e86b05c14.sys_.vir 39936 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\0754e129ad7ca0ce8d9c654e86b05c14]
"ImagePath"="system32\0754e129ad7ca0ce8d9c654e86b05c14.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\memsweep2]
"ImagePath"="\??\c:\windows\system32\A.tmp"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Raxco\PerfectDisk10\PDAgent.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\wdfmgr.exe
c:\program files\andLinux\colinux-slirp-net-daemon.exe
c:\program files\andLinux\colinux-net-daemon.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-07-09 14:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-09 20:10

Pre-Run: 29,447,753,728 bytes free
Post-Run: 34,797,477,888 bytes free

310 --- E O F --- 2008-12-25 17:33

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
memsweep2
avg8emc
avg8wd
AvgLdx86
AvgTdiX

File::
C:\72o1di4f.exe
C:\PAVARK.exe
C:\sarsfx(2).exe
C:\sarsfx.exe
C:\mbam-setup.exe

RootKit::
c:\windows\system32\0754e129ad7ca0ce8d9c654e86b05c14.sys
c:\windows\system32\_0754e129ad7ca0ce8d9c654e86b05c14.sys_.vir

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\0754e129ad7ca0ce8d9c654e86b05c14]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\memsweep2]

FCopy::
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys | c:\windows\system32\drivers\ndis.sys

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

ComboFix 09-07-09.02 - Daniel 07/09/2009 14:55.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1296 [GMT -6:00]
Running from: c:\documents and settings\Daniel\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Daniel\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"C:\72o1di4f.exe"
"C:\mbam-setup.exe"
"C:\PAVARK.exe"
"C:\sarsfx(2).exe"
"C:\sarsfx.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\72o1di4f.exe
C:\mbam-setup.exe
C:\PAVARK.exe
C:\sarsfx(2).exe
C:\sarsfx.exe

.
--------------- FCopy ---------------

c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys --> c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AVG8EMC
-------\Legacy_AVG8WD
-------\Legacy_AVGLDX86
-------\Legacy_AVGTDIX
-------\Legacy_memsweep2
-------\Service_avg8emc
-------\Service_avg8wd
-------\Service_AvgLdx86
-------\Service_AvgTdiX
-------\Service_0754e129ad7ca0ce8d9c654e86b05c14


((((((((((((((((((((((((( Files Created from 2009-06-09 to 2009-07-09 )))))))))))))))))))))))))))))))
.

2009-07-09 18:44 . 2009-07-09 18:44 -------- d-----w- c:\program files\Trend Micro
2009-07-09 17:57 . 2009-07-09 17:57 -------- d-----w- c:\program files\Sophos
2009-07-08 18:07 . 2009-07-08 18:07 -------- d-----w- c:\documents and settings\Daniel\Application Data\Malwarebytes
2009-07-08 18:07 . 2009-06-17 17:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-08 18:07 . 2009-07-08 18:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-08 18:07 . 2009-07-08 18:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-08 18:07 . 2009-06-17 17:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-08 17:46 . 2009-07-08 17:46 -------- d-sh--w- c:\windows\System Volume Information
2009-07-08 05:34 . 2009-07-08 05:28 22940 ---h--w- c:\windows\system32\config\systemprofile\systemprofile.exe
2009-07-07 05:07 . 2009-07-07 05:07 2141 ----a-w- c:\documents and settings\Daniel\Application Data\.purple\certificates\x509\tls_peers\omega.contacts.msn.com
2009-07-06 23:44 . 2009-07-06 23:44 -------- d-----w- c:\program files\Dangerous High School Girls In Trouble
2009-07-06 23:33 . 2009-07-06 23:33 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-07-03 05:02 . 2009-07-03 05:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-07-03 04:42 . 2009-07-03 04:42 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-06-27 08:15 . 2009-06-27 08:15 -------- d-----w- c:\documents and settings\Daniel\Local Settings\Application Data\SCE
2009-06-25 22:47 . 2009-06-25 22:47 488960 ----a-w- c:\documents and settings\Daniel\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv302-0811070-0-main.dll
2009-06-25 22:46 . 2009-06-25 22:46 319488 ----a-w- c:\documents and settings\Daniel\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
2009-06-24 03:37 . 2009-06-24 03:40 -------- d-----w- c:\documents and settings\Daniel\Application Data\vlc
2009-06-23 08:45 . 2009-06-23 09:30 -------- d-----w- c:\program files\Ryzom
2009-06-23 07:56 . 2009-06-23 07:56 -------- d-----w- c:\program files\Educational Simulations
2009-06-23 06:50 . 2009-06-23 06:50 1089 ----a-w- c:\documents and settings\Daniel\Application Data\.purple\certificates\x509\tls_peers\login.yahoo.com
2009-06-23 06:47 . 2009-06-23 06:47 -------- d-----w- c:\program files\Pidgin
2009-06-23 03:19 . 2009-06-23 04:08 299941 ----a-w- c:\windows\system32\autcache.dll
2009-06-23 03:17 . 2009-06-23 04:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-23 03:05 . 2009-06-23 03:06 -------- d-----w- c:\program files\WideStep Software
2009-06-22 06:09 . 2009-06-22 06:09 -------- d-----w- c:\program files\Curse
2009-06-22 05:03 . 2009-06-22 05:03 -------- d-----w- c:\documents and settings\Daniel\Application Data\Apple Computer
2009-06-22 02:43 . 2009-06-22 02:43 413696 ----a-w- c:\documents and settings\Daniel\Application Data\yoclient\native\OpenAL32.dll
2009-06-22 02:43 . 2009-06-22 02:43 153600 ----a-w- c:\documents and settings\Daniel\Application Data\yoclient\native\lwjgl.dll
2009-06-22 02:42 . 2009-06-22 02:43 -------- d-----w- c:\documents and settings\Daniel\Application Data\yoclient
2009-06-22 01:04 . 2009-06-28 21:51 -------- d-----w- c:\program files\World of Warcraft
2009-06-21 19:48 . 2009-06-21 19:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard
2009-06-21 19:47 . 2009-06-22 03:59 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-06-20 04:02 . 2009-06-20 04:02 2165 ----a-w- c:\documents and settings\Daniel\Application Data\.purple\certificates\x509\tls_peers\rsi.hotmail.com
2009-06-20 04:02 . 2009-06-20 04:02 2099 ----a-w- c:\documents and settings\Daniel\Application Data\.purple\certificates\x509\tls_peers\login.live.com
2009-06-15 21:47 . 2009-06-15 22:14 -------- d-----w- c:\documents and settings\Daniel\Application Data\W Photo Studio
2009-06-15 21:45 . 2009-06-15 21:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Walgreens
2009-06-15 21:45 . 2009-06-15 21:45 -------- d-----w- c:\documents and settings\Daniel\Application Data\Walgreens
2009-06-15 21:45 . 2009-06-15 21:45 -------- d-----w- c:\program files\Common Files\HP
2009-06-15 21:45 . 2009-06-15 21:45 -------- d-----w- c:\program files\Walgreens
2009-06-15 21:35 . 2009-06-15 22:14 -------- d-----w- c:\documents and settings\Daniel\Application Data\W Photo Studio Viewer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-09 19:07 . 2009-03-05 20:40 -------- d-----w- c:\documents and settings\Daniel\Application Data\DNA
2009-07-09 18:36 . 2008-04-22 06:03 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2009-07-09 18:17 . 2009-03-05 20:40 -------- d-----w- c:\program files\DNA
2009-07-09 18:00 . 2002-01-20 06:55 -------- d-----w- c:\documents and settings\Daniel\Application Data\.purple
2009-07-09 03:57 . 2008-06-09 03:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-08 00:42 . 2002-01-20 06:29 -------- d-----w- c:\documents and settings\Daniel\Application Data\uTorrent
2009-07-08 00:11 . 2009-04-15 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2009-07-06 22:11 . 2008-08-13 06:21 -------- d-----w- c:\documents and settings\Daniel\Application Data\CoreFTP
2009-07-06 21:09 . 2002-01-20 07:50 -------- d-----w- c:\program files\Steam
2009-07-05 21:12 . 2008-06-27 19:10 -------- d-----w- c:\documents and settings\Daniel\Application Data\GetRightToGo
2009-07-03 05:41 . 2008-06-23 21:35 -------- d-----w- c:\documents and settings\Daniel\Application Data\codeblocks
2009-07-03 04:43 . 2008-06-09 03:36 -------- d-----w- c:\program files\Google
2009-06-26 00:27 . 2009-05-03 06:38 -------- d-----w- c:\documents and settings\Daniel\Application Data\dvdcss
2009-06-04 02:46 . 2009-06-04 02:26 -------- d-----w- c:\program files\GameSpy Arcade
2009-05-29 05:17 . 2009-05-29 05:11 -------- d-----w- c:\program files\NCH Software
2009-05-29 05:11 . 2009-05-29 05:11 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2009-05-27 07:29 . 2008-04-28 05:29 -------- d-----w- c:\documents and settings\Daniel\Application Data\gtk-2.0
2009-05-23 19:08 . 2009-05-23 19:08 -------- d-----w- c:\program files\Microsoft Silverlight
2009-05-21 22:46 . 2008-07-30 20:33 -------- d-----w- c:\program files\SystemRequirementsLab
2009-05-21 17:15 . 2009-05-21 17:15 10134 ----a-r- c:\documents and settings\Daniel\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-05-21 17:15 . 2009-05-21 17:15 -------- d-----w- c:\program files\Microsoft WSE
2009-05-21 17:09 . 2002-04-22 05:50 -------- d-----w- c:\program files\Electronic Arts
2009-05-21 17:09 . 2002-01-20 06:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-18 01:52 . 2009-05-16 21:57 25 ----a-w- c:\windows\popcinfot.dat
2009-05-17 07:22 . 2009-05-14 05:33 -------- d-----w- c:\program files\andLinux
2009-05-16 21:42 . 2009-05-16 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games
2009-05-16 21:23 . 2009-05-16 21:15 -------- d-----w- c:\program files\Edraw Max
2009-05-11 03:04 . 2009-03-02 01:00 -------- d-----w- c:\program files\Enterbrain
2009-05-10 15:25 . 2008-05-09 17:50 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-10 15:25 . 2008-05-09 17:50 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-10 15:25 . 2008-05-09 17:50 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-10 15:25 . 2008-05-09 17:50 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-04-26 04:56 . 2002-01-20 06:37 74832 ----a-w- c:\documents and settings\Daniel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-16 07:13 . 2009-04-16 07:13 22328 ----a-w- c:\documents and settings\Daniel\Application Data\PnkBstrK.sys
2009-04-16 07:13 . 2009-04-16 07:13 22328 ----a-w- c:\documents and settings\Daniel\Application Data\PnkBstrK.sys
2009-04-16 07:13 . 2008-08-01 20:26 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-04-16 07:12 . 2008-08-01 20:26 107832 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-04-16 07:12 . 2009-04-16 07:12 682280 ----a-w- c:\windows\system32\pbsvc.exe
2009-04-16 07:12 . 2008-08-01 20:26 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-03-03 06:35 . 2009-03-03 06:35 56 --sh--r- c:\windows\system32\605D0D681F.sys
2009-03-03 06:40 . 2009-03-03 06:35 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys
[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-07-09_20.03.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-09 20:59 . 2009-07-09 20:59 16384 c:\windows\temp\Perflib_Perfdata_a0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-09 13680640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-12 136600]
"RivaTunerStartupDaemon"="c:\program files\RivaTuner v2.22\RivaTuner.exe" [2008-12-29 2732032]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-22 413696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-09 86016]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-03-21 16126464]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-09 1657376]

c:\documents and settings\Daniel\Start Menu\Programs\Startup\
KDE Menu (andLinux).lnk - c:\program files\andLinux\Launcher\menu.exe [2009-5-13 66560]
PulseAudio (andLinux).lnk - c:\program files\andLinux\pulseaudio\pulseaudio.exe [2009-5-17 36352]
RivaTuner.lnk - c:\program files\RivaTuner v2.22\RivaTuner.exe [2008-12-29 2732032]
Xming (andLinux).lnk - c:\program files\andLinux\Xming\Xming.exe [2009-5-17 2106368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\logonui_black.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-10 15:25 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\the wonderful end of the world demo\\main.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"58556:TCP"= 58556:TCP:Pando Media Booster
"58556:UDP"= 58556:UDP:Pando Media Booster
"56780:TCP"= 56780:TCP:Pando Media Booster
"56780:UDP"= 56780:UDP:Pando Media Booster

R2 andLinux;andLinux;c:\program files\andLinux\colinux-daemon.exe [5/17/2009 1:19 AM 80896]
R2 CoLinuxDriver;CoLinuxDriver;c:\program files\andLinux\linux.sys [5/17/2009 1:19 AM 68096]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 12:02 PM 1213728]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [1/20/2002 12:23 AM 38656]
R3 tap0801co;TAP-Win32 Adapter V8 (coLinux);c:\windows\system32\drivers\tap0801co.sys [8/6/2008 6:02 PM 25856]
S2 gupdate1c9fb98a3fc9f9b;Google Update Service (gupdate1c9fb98a3fc9f9b);c:\program files\Google\Update\GoogleUpdate.exe [7/2/2009 10:42 PM 133104]
S3 BrlAPI;BrlAPI;c:\cygwin\bin\cygrunsrv.exe --> c:\cygwin\bin\cygrunsrv.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2009-07-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-09 08:13]

2009-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-03 04:42]

2009-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-03 04:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {3DB1CA38-4D77-403D-B7E0-25F66DB6F6D8} = 192.168.0.1,205.171.3.25
TCP: {745B3C77-0576-482A-8D87-865C22222FC6} = 208.67.222.222,208.67.220.220
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
FF - ProfilePath - c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\lkhr2mds.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npJoostPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPDFXCviewNPPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Tracker Software\PDF-XChange Viewer\pdf-viewer\npPDFXCviewNPPlugin.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-09 15:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Raxco\PerfectDisk10\PDAgent.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\wdfmgr.exe
c:\program files\andLinux\colinux-slirp-net-daemon.exe
c:\program files\andLinux\colinux-net-daemon.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-09 15:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-09 21:06
ComboFix2.txt 2009-07-09 20:10

Pre-Run: 34,796,376,064 bytes free
Post-Run: 34,754,760,704 bytes free

269 --- E O F --- 2008-12-25 17:33

Filename: autcache.dll
Status:
Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Thu 9 Jul 2009 23:16:48 (CET) Permalink

Hello.
That file looks okay, there is one malicious file left to kill, we'll get that soon. For now, lets deal with the AVG issue.

Please download this AVG Remover: avgremover.exe

Run it and it will want to reboot after it's done.
After reboot,

Please install Avira antivirus otherwise you won't be protected.

1) Antivir PersonalEditionClassic
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

Did the AVG remover and installed/ran Avira.

Seems like everything is good to go, anything else?

Nope, that should be it.