ERROR-Starting on Demand Scanner

I have problems with my personal computer, My computer started getting slow, then I tried to run a scan with my McAffe but I could not do it, I just have the message:ERROR-Starting on Demand Scanner. Then I tried to run the Malwarebytes AntiMalware and I then start and then disappear from my screen. I follow your instructions about updating Java and run the HijackThis and it just disappear from my screen too. Could you please help me out, I do not know what else to do?

Hello, can you rename HijackThis to winlogon.exe and see if it runs.

The Hijackthis file was already named winlogon.exe. I wanted to unnistalled it but it did not work, neither rename it: I have a message as: Cannot copy winlogo acces is denied. Make sure the disk is not full or write-protected and that the file is not currently in use. Please, let me know what else I should do?

I did download the DDS file, but every time that I click on it a screen opens and does not do anything. what else should I do now?

Hello.

• Download combofix from here
  Link 1
  Link 2
  
  1. If you are using Firefox, make sure that your download settings are as follows:
  
  * Tools->Options->Main tab
  * Set to "Always ask me where to Save the files".
  
  2. During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
  
• We need to disable your local AV (Anti-virus) before running Combofix.
  
• See HERE for how to disable your AV.
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  
  
  
• The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  
  
  
  
• Allow ComboFix to download the Recovery Console.
  
• Accept the End-User License Agreement.
  
• The Recovery Console will be installed.
  
• You will then get this next prompt that asks if you want to continue the malware scan, select yes
  
  
  
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  

Sorry, but this did not work neither. I followed all your instructions, I downloaded, change the name, I disable My antivirus. When I double click the combo-fix it opens the blue screen, start doing the scanner, complete until phase 50 and then my computer shuts down by itself. the first time shuted down by itself, when I wanted to run it again it send me a message saying that I need to disable my antivirus completly, which I did, start doing the scanner and shuted down by itself, saying something about an error. What should I do now?

Could you please tell me what else should I do? Please Help me t ofix my computer

BUMP

Hello.
I have not missed you, thanks for the bump. I was recently told about a new piece of malware and we believe you have it.

There isn't that much known about it. For now, lets try this.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
  
• Copy the content of the following codebox into the main textfield:
  

  Code:

  
:filefind
scecli.dll
netlogon.dll

  
  
  
• Click the Look button to start the scan.
  
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  

Note: The log can also be found on your Desktop entitled SystemLook.txt

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 23:46 on 08/08/2009 by XP PRO (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\scecli.dll --a--- 181248 bytes [02:35 24/09/2008] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\scecli.dll --a--- 180224 bytes [05:56 04/08/2004] [05:56 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A

Searching for "netlogon.dll"
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\netlogon.dll --a--- 407040 bytes [02:34 24/09/2008] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\system32\netlogon.dll --a--- 60928 bytes [05:56 04/08/2004] [05:56 04/08/2004] (Unable to calculate MD5)

-=End Of File=-

Hello.

I'm back with new info, and now we can attack, I know what's up and how to stop it. Doing this fix will allow us to run stuff normally again, but you'll also need to uninstall and re-install Mcafee after, the virus has corrupted it.

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.

• Click on Avenger.zip to open the file
  
• Extract avenger.exe to your desktop
  

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\netlogon.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

• Under "Input script here:", paste in the script from the quote box above.
  
• Leave the ticked box "Scan for rootkit" ticked.
  
• Then tick "Disable any rootkits found"
  
• Now click on the Execute to begin execution of the script.
  
• Answer "Yes" twice when prompted.
  
  The Avenger will automatically do the following:
  
  
• It will Restart your computer.
  
• On reboot, it will briefly open a black command window on your desktop, this is normal.
  
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  

4. Please copy/paste the content of c:\avenger.txt into your reply.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\netlogon.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

Hi, me again.
See my Origins instructions will work, my source tells me it should now, that netlogon.dll was patched causing the problems.

Malwarebytes' Anti-Malware 1.40
Database version: 2589
Windows 5.1.2600 Service Pack 2

8/10/2009 12:36:21 AM
mbam-log-2009-08-10 (00-36-21).txt

Scan type: Quick Scan
Objects scanned: 90824
Time elapsed: 7 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 19
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\flashd32.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{38101905-d80f-4788-96f6-986a8186178a} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a36d2a01-00f3-42bd-f434-00bbc39c8953} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a36d2a01-00f3-42bd-f434-00bbc39c8953} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a36d2a01-00f3-42bd-f434-00bbc39c8953} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{38101905-d80f-4788-96f6-986a8186178a} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{a36d2a01-00f3-42bd-f434-00bbc39c8953} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msWindows restore service (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows System Recover! (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mms (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\sfx (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\flashd32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\prxid93ps.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\XP PRO\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Hello.
Still not done. I'd like you to run Combofix, your log looks pretty messy.

I posted Combofix instructions back on page 1.
http://www.geekpolice.net/virus-spyware-malware-removal-f11/error-starting-on-demand-scanner-t12398.htm#80323

hi, thanks for all your help. here is the report: ComboFix 09-08-10.02 - XP PRO 08/10/2009 23:46.5.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.144 [GMT -4:00]
Running from: c:\documents and settings\XP PRO\Desktop\Combo-Fix.exe
AV: *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\netlogon.dll was found and disinfected
Restored copy from - c:\windows\system32\ntelogon.dll

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-07-11 to 2009-08-11 )))))))))))))))))))))))))))))))
.

2009-08-11 04:10 . 2009-08-11 04:10 -------- d-----w- c:\windows\system32\xircom
2009-08-11 04:10 . 2009-08-11 04:10 -------- d-----w- c:\windows\system32\wbem\snmp
2009-08-11 04:10 . 2009-08-11 04:10 -------- d-----w- c:\program files\microsoft frontpage
2009-08-11 03:55 . 2004-08-04 05:56 407040 ----a-w- c:\windows\system32\netlogon.dll
2009-08-10 11:00 . 2009-08-10 11:00 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-10 10:56 . 2009-08-10 10:58 -------- d-----w- c:\documents and settings\XP PRO\Application Data\McAfee.com Personal Firewall
2009-08-10 05:20 . 2009-08-10 05:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee.com Personal Firewall
2009-08-10 05:12 . 2009-08-11 03:39 -------- d-----w- c:\program files\McAfee
2009-08-10 05:10 . 2009-08-10 10:57 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com Personal Firewall
2009-08-10 04:26 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 04:26 . 2009-08-10 04:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-10 04:26 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-07 03:58 . 2009-08-07 03:58 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-06 23:45 . 2009-08-06 23:45 -------- d-sh--w- c:\documents and settings\XP PRO\PrivacIE
2009-08-06 23:43 . 2009-08-06 23:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-08-06 23:41 . 2009-08-06 23:41 -------- d-sh--w- c:\documents and settings\XP PRO\IETldCache
2009-08-06 23:26 . 2009-08-06 23:30 -------- dc-h--w- c:\windows\ie8
2009-08-01 23:53 . 2009-08-01 23:52 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-24 02:55 . 2009-08-01 12:14 0 ----a-w- c:\windows\system32\drivers\f5f3e641.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-11 03:36 . 2007-08-02 22:18 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2009-08-11 03:35 . 2007-08-02 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-06 03:46 . 2007-03-06 02:14 616760 ----a-w- c:\documents and settings\XP PRO\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-01 23:52 . 2007-03-06 02:18 -------- d-----w- c:\program files\Java
2009-07-03 01:14 . 2009-07-03 01:14 -------- d-----w- c:\documents and settings\XP PRO\Application Data\Malwarebytes
2009-07-03 01:14 . 2009-07-03 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-01 12:01 . 2008-10-18 18:26 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-06-28 07:17 . 2007-03-06 02:18 -------- d-----w- c:\program files\LimeWire
2009-06-26 04:15 . 2009-06-26 04:10 -------- d-----w- c:\documents and settings\XP PRO\Application Data\Move Networks
2009-06-26 04:12 . 2009-06-26 04:10 34062 ----a-w- c:\documents and settings\XP PRO\Application Data\Move Networks\ie_bin\Uninst.exe
2009-06-26 04:12 . 2009-06-26 04:12 1047224 ----a-w- c:\documents and settings\XP PRO\Application Data\Move Networks\MoveMediaPlayer_071303000005.exe
2009-06-17 09:07 . 2009-04-06 03:17 -------- d-----w- c:\documents and settings\XP PRO\Application Data\Skype
2009-06-16 14:45 . 2006-10-21 08:35 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:45 . 2004-08-04 05:56 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:24 . 2006-09-26 09:26 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-01-01 18:33 . 2007-03-06 02:23 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-01-01 18:33 . 2007-03-06 02:23 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-01 18:33 . 2007-03-06 02:23 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-01-01 18:34 . 2007-03-06 02:23 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-01-01 18:34 . 2007-03-06 02:23 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

[-] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\sfcfiles.dll
[-] 2006-10-21 08:43 1580544 6BE24F6A7B6B8F45D0A9A168794D36CE c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2006-04-04 1368064]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-07-15 1961984]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-03-27 24103720]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe" [2009-04-29 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-01 148888]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"SetDefPrt"="c:\program files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-776561741-725345543-1003\Scripts\Logoff\0\0]
"Script"=c:\program files\Privacy Shield\xp.cmd

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 1:56 AM 14336]
R2 PDSched;PDScheduler;c:\program files\Raxco\PerfectDisk\PDSched.exe [11/29/2005 12:16 PM 241731]
S1 f5f3e641;f5f3e641;c:\windows\system32\drivers\f5f3e641.sys [7/23/2009 10:55 PM 0]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-08-11 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 02:18]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Globe7 - c:\program files\Globe7\Globe7.exe
Notify-NavLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\XP PRO\Application Data\Mozilla\Firefox\Profiles\pqe8343d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\progra~1\MOZILL~1\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-11 00:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(884)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2880)
c:\windows\system32\browselc.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\TGTSoft\StyleXP\StyleXPService.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\Brmfrmps.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WgaTray.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Logitech\Video\FxSvr2.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2009-08-11 0:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-11 04:22

Pre-Run: 31,557,406,720 bytes free
Post-Run: 31,448,072,192 bytes free

204 --- E O F --- 2009-08-06 23:32

Hello.

I see that you are running Limewire.
P2P(Peer to peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

BitZipper 5.1
Java(TM) 6 Update 7
LimeWire 4.18.3

Now open a new notepad file.
Input this into the notepad file:

File::
c:\windows\system32\drivers\f5f3e641.sys

Driver::
f5f3e641

FCopy::
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\sfcfiles.dll | c:\windows\system32\sfcfiles.dll

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

I followed all your instructions, but the only I couldn't find BitZipper 5.1 and I uninstalled another version of Java like Java(TM) 6 Update 5 & 17 and another version of LimeWire 4.14.3 and here is the report of Combo-fix.

ComboFix 09-08-10.06 - XP PRO 08/11/2009 19:48.6.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.115 [GMT -4:00]
Running from: c:\documents and settings\XP PRO\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\XP PRO\Desktop\CFScript.txt
AV: *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\system32\drivers\f5f3e641.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\f5f3e641.sys

c:\windows\system32\proquota.exe . . . is missing!!

.
--------------- FCopy ---------------

c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\sfcfiles.dll --> c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_f5f3e641


((((((((((((((((((((((((( Files Created from 2009-07-12 to 2009-08-12 )))))))))))))))))))))))))))))))
.

2009-08-11 05:01 . 2009-08-11 05:01 -------- d-----w- c:\windows\ie8updates
2009-08-11 04:19 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-08-11 04:19 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-11 04:10 . 2009-08-11 04:10 -------- d-----w- c:\windows\system32\xircom
2009-08-11 04:10 . 2009-08-11 04:10 -------- d-----w- c:\windows\system32\wbem\snmp
2009-08-11 04:10 . 2009-08-11 04:10 -------- d-----w- c:\program files\microsoft frontpage
2009-08-11 03:55 . 2004-08-04 05:56 407040 ----a-w- c:\windows\system32\netlogon.dll
2009-08-10 11:00 . 2009-08-10 11:00 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-10 10:56 . 2009-08-10 10:58 -------- d-----w- c:\documents and settings\XP PRO\Application Data\McAfee.com Personal Firewall
2009-08-10 05:20 . 2009-08-10 05:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee.com Personal Firewall
2009-08-10 05:12 . 2009-08-11 03:39 -------- d-----w- c:\program files\McAfee
2009-08-10 05:10 . 2009-08-10 10:57 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com Personal Firewall
2009-08-10 04:26 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 04:26 . 2009-08-10 04:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-10 04:26 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-07 03:58 . 2009-08-07 03:58 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-06 23:45 . 2009-08-06 23:45 -------- d-sh--w- c:\documents and settings\XP PRO\PrivacIE
2009-08-06 23:43 . 2009-08-06 23:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-08-06 23:41 . 2009-08-06 23:41 -------- d-sh--w- c:\documents and settings\XP PRO\IETldCache
2009-08-06 23:26 . 2009-08-06 23:30 -------- dc-h--w- c:\windows\ie8
2009-08-01 23:53 . 2009-08-01 23:52 410984 ----a-w- c:\windows\system32\deploytk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-11 23:42 . 2007-03-06 02:18 -------- d-----w- c:\program files\LimeWire
2009-08-11 23:41 . 2007-03-06 02:18 -------- d-----w- c:\program files\Java
2009-08-11 03:36 . 2007-08-02 22:18 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2009-08-11 03:35 . 2007-08-02 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-06 03:46 . 2007-03-06 02:14 616760 ----a-w- c:\documents and settings\XP PRO\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-03 17:09 . 2006-09-26 09:29 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-03 01:14 . 2009-07-03 01:14 -------- d-----w- c:\documents and settings\XP PRO\Application Data\Malwarebytes
2009-07-03 01:14 . 2009-07-03 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-01 12:01 . 2008-10-18 18:26 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-06-26 04:15 . 2009-06-26 04:10 -------- d-----w- c:\documents and settings\XP PRO\Application Data\Move Networks
2009-06-26 04:12 . 2009-06-26 04:10 34062 ----a-w- c:\documents and settings\XP PRO\Application Data\Move Networks\ie_bin\Uninst.exe
2009-06-26 04:12 . 2009-06-26 04:12 1047224 ----a-w- c:\documents and settings\XP PRO\Application Data\Move Networks\MoveMediaPlayer_071303000005.exe
2009-06-17 09:07 . 2009-04-06 03:17 -------- d-----w- c:\documents and settings\XP PRO\Application Data\Skype
2009-06-16 14:45 . 2006-10-21 08:35 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:45 . 2004-08-04 05:56 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:24 . 2006-09-26 09:26 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-01-01 18:33 . 2007-03-06 02:23 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-01-01 18:33 . 2007-03-06 02:23 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-01 18:33 . 2007-03-06 02:23 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-01-01 18:34 . 2007-03-06 02:23 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-01-01 18:34 . 2007-03-06 02:23 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

[-] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\sfcfiles.dll
[-] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-08-11_04.13.15 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-10-17 18:33 . 2009-03-08 08:31 55296 c:\windows\system32\msfeedsbs.dll
+ 2006-10-17 18:33 . 2009-07-03 17:09 55296 c:\windows\system32\msfeedsbs.dll
- 2006-09-26 09:28 . 2009-03-08 08:33 25600 c:\windows\system32\jsproxy.dll
+ 2006-09-26 09:28 . 2009-07-03 17:09 25600 c:\windows\system32\jsproxy.dll
+ 2009-08-01 23:53 . 2006-05-03 06:19 53346 c:\windows\system32\javaw.exe
+ 2009-08-01 23:53 . 2006-05-03 06:19 49248 c:\windows\system32\java.exe
- 2007-05-10 02:28 . 2009-03-08 08:31 55296 c:\windows\system32\DllCache\msfeedsbs.dll
+ 2007-05-10 02:28 . 2009-07-03 17:09 55296 c:\windows\system32\DllCache\msfeedsbs.dll
- 2006-10-17 18:33 . 2009-03-08 08:33 25600 c:\windows\system32\DllCache\jsproxy.dll
+ 2006-10-17 18:33 . 2009-07-03 17:09 25600 c:\windows\system32\DllCache\jsproxy.dll
+ 2009-08-11 05:01 . 2009-03-08 08:33 12288 c:\windows\ie8updates\KB972260-IE8\xpshims.dll
+ 2009-08-11 05:01 . 2009-03-08 08:31 55296 c:\windows\ie8updates\KB972260-IE8\msfeedsbs.dll
+ 2009-08-11 05:01 . 2009-03-08 08:33 25600 c:\windows\ie8updates\KB972260-IE8\jsproxy.dll
+ 2009-08-11 23:57 . 2009-08-11 23:57 8192 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
- 2009-08-11 03:56 . 2009-08-11 03:56 8192 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
+ 2009-08-11 23:57 . 2009-08-11 23:57 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
- 2009-08-11 03:56 . 2009-08-11 03:56 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
+ 2004-08-04 05:56 . 2009-07-03 17:09 206848 c:\windows\system32\occache.dll
- 2006-10-17 18:33 . 2009-03-08 08:32 594432 c:\windows\system32\msfeeds.dll
+ 2006-10-17 18:33 . 2009-07-03 17:09 594432 c:\windows\system32\msfeeds.dll
+ 2009-08-01 23:53 . 2006-05-03 07:56 127078 c:\windows\system32\javaws.exe
+ 2006-09-26 09:28 . 2009-07-03 17:09 184320 c:\windows\system32\iepeers.dll
+ 2004-08-04 05:56 . 2009-07-03 17:09 386048 c:\windows\system32\iedkcs32.dll
- 2004-08-04 05:56 . 2009-03-08 08:32 173056 c:\windows\system32\ie4uinit.exe
+ 2004-08-04 05:56 . 2009-07-03 11:01 173056 c:\windows\system32\ie4uinit.exe
+ 2006-10-17 18:33 . 2009-07-03 17:09 915456 c:\windows\system32\DllCache\wininet.dll
+ 2006-10-17 18:04 . 2009-07-03 17:09 206848 c:\windows\system32\DllCache\occache.dll
- 2007-05-10 02:28 . 2009-03-08 08:32 594432 c:\windows\system32\DllCache\msfeeds.dll
+ 2007-05-10 02:28 . 2009-07-03 17:09 594432 c:\windows\system32\DllCache\msfeeds.dll
+ 2006-10-17 18:33 . 2009-07-03 17:09 184320 c:\windows\system32\DllCache\iepeers.dll
+ 2006-10-17 18:01 . 2009-07-03 17:09 386048 c:\windows\system32\DllCache\iedkcs32.dll
- 2006-10-17 18:00 . 2009-03-08 08:32 173056 c:\windows\system32\DllCache\ie4uinit.exe
+ 2006-10-17 18:00 . 2009-07-03 11:01 173056 c:\windows\system32\DllCache\ie4uinit.exe
+ 2009-08-11 05:01 . 2009-03-08 08:34 914944 c:\windows\ie8updates\KB972260-IE8\wininet.dll
+ 2009-08-11 05:01 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB972260-IE8\spuninst\updspapi.dll
+ 2009-08-11 05:01 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB972260-IE8\spuninst\spuninst.exe
+ 2009-08-11 05:01 . 2009-03-08 08:34 109568 c:\windows\ie8updates\KB972260-IE8\occache.dll
+ 2009-08-11 05:01 . 2009-03-08 08:32 594432 c:\windows\ie8updates\KB972260-IE8\msfeeds.dll
+ 2009-08-11 05:01 . 2009-03-08 08:33 246784 c:\windows\ie8updates\KB972260-IE8\ieproxy.dll
+ 2009-08-11 05:01 . 2009-03-08 08:31 183808 c:\windows\ie8updates\KB972260-IE8\iepeers.dll
+ 2009-08-11 05:01 . 2009-03-08 18:09 391536 c:\windows\ie8updates\KB972260-IE8\iedkcs32.dll
+ 2009-08-11 05:01 . 2009-03-08 08:32 173056 c:\windows\ie8updates\KB972260-IE8\ie4uinit.exe
+ 2009-08-11 23:57 . 2009-08-11 23:57 172032 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
- 2009-08-11 03:56 . 2009-08-11 03:56 241664 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
+ 2009-08-11 23:57 . 2009-08-11 23:57 241664 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
+ 2009-08-11 23:57 . 2009-08-11 23:57 237568 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
- 2009-08-11 03:56 . 2009-08-11 03:56 237568 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2006-09-26 09:29 . 2009-07-03 17:09 1208832 c:\windows\system32\urlmon.dll
+ 2006-09-26 09:29 . 2009-07-19 13:18 5937152 c:\windows\system32\mshtml.dll
- 2006-09-26 09:29 . 2009-03-08 08:41 5937152 c:\windows\system32\mshtml.dll
+ 2006-10-17 17:57 . 2009-07-03 17:09 1985536 c:\windows\system32\iertutil.dll
+ 2006-10-17 18:33 . 2009-07-03 17:09 1208832 c:\windows\system32\DllCache\urlmon.dll
- 2006-10-17 18:33 . 2009-03-08 08:41 5937152 c:\windows\system32\DllCache\mshtml.dll
+ 2006-10-17 18:33 . 2009-07-19 13:18 5937152 c:\windows\system32\DllCache\mshtml.dll
+ 2007-05-10 02:28 . 2009-07-03 17:09 1985536 c:\windows\system32\DllCache\iertutil.dll
+ 2009-08-11 05:01 . 2009-03-08 08:34 1206784 c:\windows\ie8updates\KB972260-IE8\urlmon.dll
+ 2009-08-11 05:01 . 2009-03-08 08:41 5937152 c:\windows\ie8updates\KB972260-IE8\mshtml.dll
+ 2009-08-11 05:01 . 2009-03-08 08:32 1985024 c:\windows\ie8updates\KB972260-IE8\iertutil.dll
+ 2009-08-11 23:57 . 2009-08-11 23:57 5750784 c:\windows\ERDNT\subs\Users\00000005\NTUSER.DAT
- 2009-08-11 03:56 . 2009-08-11 03:56 5750784 c:\windows\ERDNT\subs\Users\00000005\NTUSER.DAT
+ 2006-10-17 18:33 . 2009-07-19 22:48 11067392 c:\windows\system32\ieframe.dll
+ 2007-05-10 02:28 . 2009-07-19 22:48 11067392 c:\windows\system32\DllCache\ieframe.dll
+ 2009-08-11 05:01 . 2009-03-08 08:39 11063808 c:\windows\ie8updates\KB972260-IE8\ieframe.dll
.
-- Snapshot reset to current date --

And the rest of the report is the follow:
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2006-04-04 1368064]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-07-15 1961984]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-03-27 24103720]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe" [2009-04-29 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"SetDefPrt"="c:\program files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 36975]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-776561741-725345543-1003\Scripts\Logoff\0\0]
"Script"=c:\program files\Privacy Shield\xp.cmd

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 1:56 AM 14336]
R2 PDSched;PDScheduler;c:\program files\Raxco\PerfectDisk\PDSched.exe [11/29/2005 12:16 PM 241731]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-08-12 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\XP PRO\Application Data\Mozilla\Firefox\Profiles\pqe8343d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\progra~1\MOZILL~1\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-11 20:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3116)
c:\windows\system32\WININET.dll
c:\windows\system32\browselc.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\TGTSoft\StyleXP\StyleXPService.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\Brmfrmps.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WgaTray.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Logitech\Video\FxSvr2.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2009-08-12 20:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-12 00:06
ComboFix2.txt 2009-08-11 04:22

Pre-Run: 31,599,128,576 bytes free
Post-Run: 31,576,276,992 bytes free

275 --- E O F --- 2009-08-11 05:01

Hello.
Nearly done now, just two more things to do, then we can let you go.

We need to use SystemLook again.

• Double-click SystemLook.exe to run it.
  
• Copy the content of the following codebox into the main textfield:
  

  Code:

  
:filefind
proquota.exe

  
  
  
• Click the Look button to start the scan.
  
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  

Note: The log can also be found on your Desktop entitled SystemLook.txt

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 23:09 on 12/08/2009 by XP PRO (Administrator - Elevation successful)

========== filefind ==========

Searching for "proquota.exe"
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\proquota.exe --a--- 50176 bytes [02:35 24/09/2008] [00:12 14/04/2008] F6465A2EEF75468988A4FCF124148FA8

-=End Of File=-

Hello.
One more script, then that should do it.

Now open a new notepad file.
Input this into the notepad file:

FCopy::
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\proquota.exe | c:\windows\system32\proquota.exe

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

ComboFix 09-08-10.06 - XP PRO 08/11/2009 19:48.6.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.115 [GMT -4:00]
Running from: c:\documents and settings\XP PRO\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\XP PRO\Desktop\CFScript.txt
AV: *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\system32\drivers\f5f3e641.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\f5f3e641.sys

c:\windows\system32\proquota.exe . . . is missing!!

.
--------------- FCopy ---------------

c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\sfcfiles.dll --> c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_f5f3e641


((((((((((((((((((((((((( Files Created from 2009-07-12 to 2009-08-12 )))))))))))))))))))))))))))))))
.

2009-08-11 05:01 . 2009-08-11 05:01 -------- d-----w- c:\windows\ie8updates
2009-08-11 04:19 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-08-11 04:19 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-11 04:10 . 2009-08-11 04:10 -------- d-----w- c:\windows\system32\xircom
2009-08-11 04:10 . 2009-08-11 04:10 -------- d-----w- c:\windows\system32\wbem\snmp
2009-08-11 04:10 . 2009-08-11 04:10 -------- d-----w- c:\program files\microsoft frontpage
2009-08-11 03:55 . 2004-08-04 05:56 407040 ----a-w- c:\windows\system32\netlogon.dll
2009-08-10 11:00 . 2009-08-10 11:00 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-10 10:56 . 2009-08-10 10:58 -------- d-----w- c:\documents and settings\XP PRO\Application Data\McAfee.com Personal Firewall
2009-08-10 05:20 . 2009-08-10 05:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee.com Personal Firewall
2009-08-10 05:12 . 2009-08-11 03:39 -------- d-----w- c:\program files\McAfee
2009-08-10 05:10 . 2009-08-10 10:57 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com Personal Firewall
2009-08-10 04:26 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 04:26 . 2009-08-10 04:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-10 04:26 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-07 03:58 . 2009-08-07 03:58 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-06 23:45 . 2009-08-06 23:45 -------- d-sh--w- c:\documents and settings\XP PRO\PrivacIE
2009-08-06 23:43 . 2009-08-06 23:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-08-06 23:41 . 2009-08-06 23:41 -------- d-sh--w- c:\documents and settings\XP PRO\IETldCache
2009-08-06 23:26 . 2009-08-06 23:30 -------- dc-h--w- c:\windows\ie8
2009-08-01 23:53 . 2009-08-01 23:52 410984 ----a-w- c:\windows\system32\deploytk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-11 23:42 . 2007-03-06 02:18 -------- d-----w- c:\program files\LimeWire
2009-08-11 23:41 . 2007-03-06 02:18 -------- d-----w- c:\program files\Java
2009-08-11 03:36 . 2007-08-02 22:18 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2009-08-11 03:35 . 2007-08-02 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-06 03:46 . 2007-03-06 02:14 616760 ----a-w- c:\documents and settings\XP PRO\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-03 17:09 . 2006-09-26 09:29 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-03 01:14 . 2009-07-03 01:14 -------- d-----w- c:\documents and settings\XP PRO\Application Data\Malwarebytes
2009-07-03 01:14 . 2009-07-03 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-01 12:01 . 2008-10-18 18:26 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-06-26 04:15 . 2009-06-26 04:10 -------- d-----w- c:\documents and settings\XP PRO\Application Data\Move Networks
2009-06-26 04:12 . 2009-06-26 04:10 34062 ----a-w- c:\documents and settings\XP PRO\Application Data\Move Networks\ie_bin\Uninst.exe
2009-06-26 04:12 . 2009-06-26 04:12 1047224 ----a-w- c:\documents and settings\XP PRO\Application Data\Move Networks\MoveMediaPlayer_071303000005.exe
2009-06-17 09:07 . 2009-04-06 03:17 -------- d-----w- c:\documents and settings\XP PRO\Application Data\Skype
2009-06-16 14:45 . 2006-10-21 08:35 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:45 . 2004-08-04 05:56 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:24 . 2006-09-26 09:26 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-01-01 18:33 . 2007-03-06 02:23 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-01-01 18:33 . 2007-03-06 02:23 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-01 18:33 . 2007-03-06 02:23 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-01-01 18:34 . 2007-03-06 02:23 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-01-01 18:34 . 2007-03-06 02:23 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

[-] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\sfcfiles.dll
[-] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-08-11_04.13.15 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-10-17 18:33 . 2009-03-08 08:31 55296 c:\windows\system32\msfeedsbs.dll
+ 2006-10-17 18:33 . 2009-07-03 17:09 55296 c:\windows\system32\msfeedsbs.dll
- 2006-09-26 09:28 . 2009-03-08 08:33 25600 c:\windows\system32\jsproxy.dll
+ 2006-09-26 09:28 . 2009-07-03 17:09 25600 c:\windows\system32\jsproxy.dll
+ 2009-08-01 23:53 . 2006-05-03 06:19 53346 c:\windows\system32\javaw.exe
+ 2009-08-01 23:53 . 2006-05-03 06:19 49248 c:\windows\system32\java.exe
- 2007-05-10 02:28 . 2009-03-08 08:31 55296 c:\windows\system32\DllCache\msfeedsbs.dll
+ 2007-05-10 02:28 . 2009-07-03 17:09 55296 c:\windows\system32\DllCache\msfeedsbs.dll
- 2006-10-17 18:33 . 2009-03-08 08:33 25600 c:\windows\system32\DllCache\jsproxy.dll
+ 2006-10-17 18:33 . 2009-07-03 17:09 25600 c:\windows\system32\DllCache\jsproxy.dll
+ 2009-08-11 05:01 . 2009-03-08 08:33 12288 c:\windows\ie8updates\KB972260-IE8\xpshims.dll
+ 2009-08-11 05:01 . 2009-03-08 08:31 55296 c:\windows\ie8updates\KB972260-IE8\msfeedsbs.dll
+ 2009-08-11 05:01 . 2009-03-08 08:33 25600 c:\windows\ie8updates\KB972260-IE8\jsproxy.dll
+ 2009-08-11 23:57 . 2009-08-11 23:57 8192 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
- 2009-08-11 03:56 . 2009-08-11 03:56 8192 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
+ 2009-08-11 23:57 . 2009-08-11 23:57 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
- 2009-08-11 03:56 . 2009-08-11 03:56 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
+ 2004-08-04 05:56 . 2009-07-03 17:09 206848 c:\windows\system32\occache.dll
- 2006-10-17 18:33 . 2009-03-08 08:32 594432 c:\windows\system32\msfeeds.dll
+ 2006-10-17 18:33 . 2009-07-03 17:09 594432 c:\windows\system32\msfeeds.dll
+ 2009-08-01 23:53 . 2006-05-03 07:56 127078 c:\windows\system32\javaws.exe
+ 2006-09-26 09:28 . 2009-07-03 17:09 184320 c:\windows\system32\iepeers.dll
+ 2004-08-04 05:56 . 2009-07-03 17:09 386048 c:\windows\system32\iedkcs32.dll
- 2004-08-04 05:56 . 2009-03-08 08:32 173056 c:\windows\system32\ie4uinit.exe
+ 2004-08-04 05:56 . 2009-07-03 11:01 173056 c:\windows\system32\ie4uinit.exe
+ 2006-10-17 18:33 . 2009-07-03 17:09 915456 c:\windows\system32\DllCache\wininet.dll
+ 2006-10-17 18:04 . 2009-07-03 17:09 206848 c:\windows\system32\DllCache\occache.dll
- 2007-05-10 02:28 . 2009-03-08 08:32 594432 c:\windows\system32\DllCache\msfeeds.dll
+ 2007-05-10 02:28 . 2009-07-03 17:09 594432 c:\windows\system32\DllCache\msfeeds.dll
+ 2006-10-17 18:33 . 2009-07-03 17:09 184320 c:\windows\system32\DllCache\iepeers.dll
+ 2006-10-17 18:01 . 2009-07-03 17:09 386048 c:\windows\system32\DllCache\iedkcs32.dll
- 2006-10-17 18:00 . 2009-03-08 08:32 173056 c:\windows\system32\DllCache\ie4uinit.exe
+ 2006-10-17 18:00 . 2009-07-03 11:01 173056 c:\windows\system32\DllCache\ie4uinit.exe
+ 2009-08-11 05:01 . 2009-03-08 08:34 914944 c:\windows\ie8updates\KB972260-IE8\wininet.dll
+ 2009-08-11 05:01 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB972260-IE8\spuninst\updspapi.dll
+ 2009-08-11 05:01 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB972260-IE8\spuninst\spuninst.exe
+ 2009-08-11 05:01 . 2009-03-08 08:34 109568 c:\windows\ie8updates\KB972260-IE8\occache.dll
+ 2009-08-11 05:01 . 2009-03-08 08:32 594432 c:\windows\ie8updates\KB972260-IE8\msfeeds.dll
+ 2009-08-11 05:01 . 2009-03-08 08:33 246784 c:\windows\ie8updates\KB972260-IE8\ieproxy.dll
+ 2009-08-11 05:01 . 2009-03-08 08:31 183808 c:\windows\ie8updates\KB972260-IE8\iepeers.dll
+ 2009-08-11 05:01 . 2009-03-08 18:09 391536 c:\windows\ie8updates\KB972260-IE8\iedkcs32.dll
+ 2009-08-11 05:01 . 2009-03-08 08:32 173056 c:\windows\ie8updates\KB972260-IE8\ie4uinit.exe
+ 2009-08-11 23:57 . 2009-08-11 23:57 172032 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
- 2009-08-11 03:56 . 2009-08-11 03:56 241664 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
+ 2009-08-11 23:57 . 2009-08-11 23:57 241664 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
+ 2009-08-11 23:57 . 2009-08-11 23:57 237568 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
- 2009-08-11 03:56 . 2009-08-11 03:56 237568 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2006-09-26 09:29 . 2009-07-03 17:09 1208832 c:\windows\system32\urlmon.dll
+ 2006-09-26 09:29 . 2009-07-19 13:18 5937152 c:\windows\system32\mshtml.dll
- 2006-09-26 09:29 . 2009-03-08 08:41 5937152 c:\windows\system32\mshtml.dll
+ 2006-10-17 17:57 . 2009-07-03 17:09 1985536 c:\windows\system32\iertutil.dll
+ 2006-10-17 18:33 . 2009-07-03 17:09 1208832 c:\windows\system32\DllCache\urlmon.dll
- 2006-10-17 18:33 . 2009-03-08 08:41 5937152 c:\windows\system32\DllCache\mshtml.dll
+ 2006-10-17 18:33 . 2009-07-19 13:18 5937152 c:\windows\system32\DllCache\mshtml.dll
+ 2007-05-10 02:28 . 2009-07-03 17:09 1985536 c:\windows\system32\DllCache\iertutil.dll
+ 2009-08-11 05:01 . 2009-03-08 08:34 1206784 c:\windows\ie8updates\KB972260-IE8\urlmon.dll
+ 2009-08-11 05:01 . 2009-03-08 08:41 5937152 c:\windows\ie8updates\KB972260-IE8\mshtml.dll
+ 2009-08-11 05:01 . 2009-03-08 08:32 1985024 c:\windows\ie8updates\KB972260-IE8\iertutil.dll
+ 2009-08-11 23:57 . 2009-08-11 23:57 5750784 c:\windows\ERDNT\subs\Users\00000005\NTUSER.DAT
- 2009-08-11 03:56 . 2009-08-11 03:56 5750784 c:\windows\ERDNT\subs\Users\00000005\NTUSER.DAT
+ 2006-10-17 18:33 . 2009-07-19 22:48 11067392 c:\windows\system32\ieframe.dll
+ 2007-05-10 02:28 . 2009-07-19 22:48 11067392 c:\windows\system32\DllCache\ieframe.dll
+ 2009-08-11 05:01 . 2009-03-08 08:39 11063808 c:\windows\ie8updates\KB972260-IE8\ieframe.dll
.
-- Snapshot reset to current date --

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2006-04-04 1368064]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-07-15 1961984]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-03-27 24103720]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe" [2009-04-29 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"SetDefPrt"="c:\program files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 36975]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-776561741-725345543-1003\Scripts\Logoff\0\0]
"Script"=c:\program files\Privacy Shield\xp.cmd

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 1:56 AM 14336]
R2 PDSched;PDScheduler;c:\program files\Raxco\PerfectDisk\PDSched.exe [11/29/2005 12:16 PM 241731]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-08-12 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\XP PRO\Application Data\Mozilla\Firefox\Profiles\pqe8343d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\progra~1\MOZILL~1\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-11 20:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3116)
c:\windows\system32\WININET.dll
c:\windows\system32\browselc.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\TGTSoft\StyleXP\StyleXPService.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\Brmfrmps.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WgaTray.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Logitech\Video\FxSvr2.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2009-08-12 20:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-12 00:06
ComboFix2.txt 2009-08-11 04:22

Pre-Run: 31,599,128,576 bytes free
Post-Run: 31,576,276,992 bytes free

275 --- E O F --- 2009-08-11 05:01

Hello.
Is that an old log? or did you run the same script twice? That log shows the replacement of sfcfiles.dll, where as my script above your post there is for proquota.exe, not sfcfiles.

Maybe, yes. I think I send you an old report. The problem is that I closed the report without saving it in my desktop and I when to notepad and open recent files and open that one and send it to you. How can I open the rigth file know? Should I do the whole thing again?

No, this should be okay now.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?

I am sorry that I couldn't answer your question. My computer looks fine, except that after I reinstalled McAffe the AV my computer started working slow, there is any way to stop some of the process that my computer does not need, to make it work faster.

Yes, post a new Hijack This log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:08 AM, on 8/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\XP PRO\Desktop\winlogon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)" -"http://www.shockwave.com/contentPlay/shockwave.jsp?id=jigsawpuzzles&refCode=&brand=ag"
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - https://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mymathtest.com/dl/TestGenXInstall.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1173155577156
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12724 bytes

Hello.

• Open HijackThis
  
• Choose "Do a system scan only"
  
• Check the boxes in front of these lines:
  
  
  O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
  O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
  O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
  O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
  O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
  O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
  O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
  O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
  O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
  O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
  O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
  O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
  O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
  O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
  O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
  O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
  O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
  O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)" -"http://www.shockwave.com/contentPlay/shockwave.jsp?id=jigsawpuzzles&refCode=&brand=ag"
  O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
  O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
  O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
  
  
  
• Press "Fix Checked"
  
• Close Hijack This.
  

Reboot normally.

Let me know if it feels any faster now.

I followed all your instruccions, but when I open Internet Explorer it takes for ever to download the home page, I did clean all temp files, browsing history and cookies too. There is anything else I can do?

Press Start > Run.
Type in cmd, then press enter.

At the DOS prompt execute the following commands, one by one.
Press the enter key after each entry.

regsvr32 urlmon.dll
regsvr32 Shdocvw.dll
regsvr32 Msjava.dll
regsvr32 Actxprxy.dll
regsvr32 Oleaut32.dll
regsvr32 Mshtml.dll
regsvr32 Browseui.dll
regsvr32 Shell32.dll

Type Exit press enter to return the operating mode.

Reboot normally.

Is Internet Explorer available now?