GeekPolice

windows anti virus

I have tried everything I could for the last day to remove it. I have gotten past Task Manager being disabled, but that is all. If I could just get HijackThis and Malwarebytes to run I could get closer, but the virus won't let me run them. It shuts them off right after I scan and won't let me run them again unless I reinstall them. All my processes show legitimate programs as far as I can tell. There are 4 svchost.exe's... don't know if that is right. Well, I have run Silent Runners and have noticed some bad stuff; I just need help from here. Here is my log from that. Thank you in advance.


"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTStartup" = "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run" ["Creative Technology Ltd."]
"PCShield" = "regsvr32 /s "C:\WINDOWS\System32\sfg_2101.dll"" [MS]
"CTxfiHlp" = "CTXFIHLP.EXE" ["Creative Technology Ltd"]
"CTHelper" = "CTHELPER.EXE" ["Creative Technology Ltd"]
"nwiz" = "C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"NvCplDaemon" = "RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup" [MS]
"winupdate.exe" = "C:\windows\system32\winupdate.exe" [MS]
"KernelFaultCheck" = "C:\windows\system32\dumprep 0 -k"
"MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]
"12336034" = "C:\Documents and Settings\All Users\Application Data\12336034\12336034.exe" [null data]

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}\(Default) = "Internet Explorer Version Update"
\StubPath = "C:\WINDOWS\system32\ieudinit.exe" [MS]
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig" [MS]
>{60B49E34-C7CC-11D0-8953-00A0C90347FF}\(Default) = "Browser Customizations"
\StubPath = ""C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP" [MS]
>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\(Default) = "Browser Customizations"
\StubPath = "RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP" [MS]
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\windows\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\(Default) = "Themes Setup"
\StubPath = "C:\windows\system32\regsvr32.exe /s /n /i:/UserInstall C:\windows\system32\themeui.dll" [MS]
{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\(Default) = "Microsoft Outlook Express 6"
\StubPath = ""C:\Program Files\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install" [MS]
{5945c046-1e7d-11d1-bc44-00c04fd912be}\(Default) = "Windows Messenger 4.7"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser" [MS]
{7790769C-0471-11d2-AF11-00C04FA35D02}\(Default) = "Address Book 6"
\StubPath = ""C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install" [MS]
{89820200-ECBD-11cf-8B85-00AA005B4340}\(Default) = "Windows Desktop Update"
\StubPath = "regsvr32.exe /s /n /i:U shell32.dll" [MS]
{89820200-ECBD-11cf-8B85-00AA005B4383}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\system32\ie4uinit.exe -BaseSettings" [MS]
{89B4C1CD-B018-4511-B0A1-5476DBF70820}\(Default) = (no title provided)
\StubPath = "c:\windows\system32\Rundll32.exe c:\windows\system32\mscories.dll,Install" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{BD56A320-23F2-42AD-F4E4-00AAC39CAA53}\(Default) = (no title provided)
-> {HKLM...CLSID} = "C:\windows\system32\hs7f3uhduhfukde.dll"
\InProcServer32\(Default) = "C:\windows\system32\hs7f3uhduhfukde.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\windows\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\windows\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\windows\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\windows\system32\nvshell.dll" ["NVIDIA Corporation"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}" = "Groove GFS Browser Helper"
-> {HKLM...CLSID} = "Groove GFS Browser Helper"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}" = "Groove GFS Explorer Bar"
-> {HKLM...CLSID} = "Groove Folder Synchronization"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{A449600E-1DC6-4232-B948-9BD794D62056}" = "Groove GFS Stub Icon Handler"
-> {HKLM...CLSID} = "Groove GFS Stub Icon Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
-> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{6C467336-8281-4E60-8204-430CED96822D}" = "Groove GFS Context Menu Handler"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{387E725D-DC16-4D76-B310-2C93ED4752A0}" = "Groove XML Icon Handler"
-> {HKLM...CLSID} = "Groove XML Icon Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{16F3DD56-1AF5-4347-846D-7C10C4192619}" = "Groove Explorer Icon Overlay 3 (GFS Folder)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 3 (GFS Folder)"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}" = "Groove Explorer Icon Overlay 2 (GFS Stub)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2 (GFS Stub)"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}" = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{99FD978C-D287-4F50-827F-B2C658EDA8E7}" = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{920E6DB1-9907-4370-B3A0-BAFC03D81399}" = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL" [MS]
"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
-> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {HKLM...CLSID} = "Yahoo! Mail Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\YMMAPI.dll" ["Yahoo! Inc."]
"{11016101-E366-4D22-BC06-4ADA335C892B}" = "IE History and Feeds Shell Data Source for Windows Search"
-> {HKLM...CLSID} = "IE History and Feeds Shell Data Source for Windows Search"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{0561EC90-CE54-4f0c-9C55-E226110A740C}" = "Haali Column Provider"
-> {HKLM...CLSID} = "Haali Column Provider"
\InProcServer32\(Default) = "C:\Program Files\Essentials Codec Pack\Haali\mmfinfo.dll" [null data]
"{5574006C-28F5-4a65-A28C-74DE6BFBE0BB}" = "Haali Matroska Shell Property Page"
-> {HKLM...CLSID} = "Haali Matroska Shell Property Page"
\InProcServer32\(Default) = "C:\Program Files\Essentials Codec Pack\Haali\mmfinfo.dll" [null data]
"{327669A0-59A7-4be9-B99E-1C9F3A57611A}" = "Haali Matroska Thumbnail Extractor"
-> {HKLM...CLSID} = "Haali Matroska Thumbnail Extractor"
\InProcServer32\(Default) = "C:\Program Files\Essentials Codec Pack\Haali\mmfinfo.dll" [null data]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\windows\system32\nvcpl.dll" ["NVIDIA Corporation"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
<> "{BD56A320-23F2-42AD-F4E4-00AAC39CAA53}" = "LKMSFOIVAMFOMSFVIOSVJASIUENFJNDJV"
-> {HKLM...CLSID} = "C:\windows\system32\hs7f3uhduhfukde.dll"
\InProcServer32\(Default) = "C:\windows\system32\hs7f3uhduhfukde.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<> "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
-> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
<> "Shell" = "explorer.exe rundll32.exe tapi.nfo beforeglav" [MS]
<> "Taskman" = "C:\RECYCLER\S-1-5-21-1584594689-7771861970-576259173-2983\msimfo32.exe" [null data]

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\
<> ("digeste.dll" [file not found]) "SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> csbdll\DLLName = "csbdll.dll" [null data]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{0561EC90-CE54-4f0c-9C55-E226110A740C}\(Default) = "Haali Column Provider"
-> {HKLM...CLSID} = "Haali Column Provider"
\InProcServer32\(Default) = "C:\Program Files\Essentials Codec Pack\Haali\mmfinfo.dll" [null data]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
McCtxMenu\(Default) = "{01576F39-90DE-4D6E-A068-5B20C22BAAEE}"
-> {HKLM...CLSID} = "CtxMenu Class"
\InProcServer32\(Default) = "c:\PROGRA~1\mcafee\VIRUSS~1\mcctxmnu.dll" ["McAfee, Inc."]
MorpheusShellExt\(Default) = "{7DBF2913-1F89-4104-B1F4-932A29945C13}"
-> {HKLM...CLSID} = "ExplorerMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Morpheus\MorphShellExt.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {HKLM...CLSID} = "Yahoo! Mail Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\YMMAPI.dll" ["Yahoo! Inc."]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
McCtxMenu\(Default) = "{01576F39-90DE-4D6E-A068-5B20C22BAAEE}"
-> {HKLM...CLSID} = "CtxMenu Class"
\InProcServer32\(Default) = "c:\PROGRA~1\mcafee\VIRUSS~1\mcctxmnu.dll" ["McAfee, Inc."]
MorpheusShellExt\(Default) = "{7DBF2913-1F89-4104-B1F4-932A29945C13}"
-> {HKLM...CLSID} = "ExplorerMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Morpheus\MorphShellExt.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoSetActiveDesktop" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoActiveDesktopChanges" = (REG_DWORD) dword:0x00000001
{Prohibit changes}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoCDBurning" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HonorAutoRunSetting" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoSetActiveDesktop" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoActiveDesktopChanges" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\

"DisableSR" = (REG_DWORD) dword:0x00000001
{Turn off System Restore}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\windows\system32\critical_warning.html"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "(None)"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "%SystemRoot%\System32\logon.scr" [MS]


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

AdobePremiereCameraArrival\
"Provider" = "@"C:\Program Files\Adobe\Premiere 6.5\Preminfo.dll",-60001"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Program Files\Adobe\Premiere 6.5\Premiere.exe""
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

CTPCPlayCDAudioOnArrival\
"Provider" = "@CTP2res.dll,-114"
"InvokeProgID" = "PlayCenter.AudioCD"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\PlayCenter.AudioCD\shell\Play\Command\(Default) = "C:\Program Files\Creative\PlayCenter2\CTPlay2.exe /PLAYCD %1" ["Creative Technology Ltd."]

HPAutoplayPSE\
"Provider" = "HP Photosmart Essential 2.5"
"InvokeProgID" = "HpqPSApl.Autoplay"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\HpqPSApl.Autoplay\shell\Play\DropTarget\CLSID = "{A6873065-D632-4615-A3A9-C5F05EE109C1}"
-> {HKLM...CLSID} = (no title provided)
\LocalServer32\(Default) = "C:\Program Files\HP\Digital Imaging\bin\HpqPsApl.exe" ["Hewlett-Packard"]

MPC_CD\
"Provider" = "Media Player Classic"
"InvokeProgID" = "APR_MediaHandlers"
"InvokeVerb" = "MPC_CD"
HKLM\SOFTWARE\Classes\APR_MediaHandlers\shell\MPC_CD\command\(Default) = "C:\Program Files\Essentials Codec Pack\wmplayer.exe /cd "%L"" [file not found]

MPC_DVD\
"Provider" = "Media Player Classic"
"InvokeProgID" = "APR_MediaHandlers"
"InvokeVerb" = "MPC_DVD"
HKLM\SOFTWARE\Classes\APR_MediaHandlers\shell\MPC_DVD\command\(Default) = "C:\Program Files\Essentials Codec Pack\wmplayer.exe /dvd "%L"" [file not found]

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\windows\system32\WPDShextAutoplay.exe" [MS]

NeroAutoPlay2CDAudio\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "HandleCDBurningOnArrival_CDAudio"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_CDAudio\command\(Default) = "C:\Program Files\Ahead\nero\nero.exe /w /New:AudioCD /Drive:%L" ["Ahead Software AG"]

NeroAutoPlay2CopyCD\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "PlayCDAudioOnArrival_CopyCD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayCDAudioOnArrival_CopyCD\command\(Default) = "C:\Program Files\Ahead\nero\nero.exe /w /Dialog:DiscCopy /Drive:%L" ["Ahead Software AG"]

NeroAutoPlay2DataDisc\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "HandleCDBurningOnArrival_DataDisc"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_DataDisc\command\(Default) = "C:\Program Files\Ahead\nero\nero.exe /w /New:ISODisc /Drive:%L" ["Ahead Software AG"]

NeroAutoPlay2LaunchNeroStartSmart\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "HandleCDBurningOnArrival_LaunchNeroStartSmart"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_LaunchNeroStartSmart\command\(Default) = "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart.exe /AutoPlay /Drive:%L" ["Ahead Software AG"]

NeroAutoPlay2PlayAudioCD\
"Provider" = "Nero Media Player"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "PlayMusicFilesOnArrival_PlayAudioCD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayMusicFilesOnArrival_PlayAudioCD\command\(Default) = "C:\Program Files\Ahead\NeroMediaPlayer\NeroMediaPlayer.exe /Play %L" ["Ahead software"]

NeroAutoPlay2VideoCapture\
"Provider" = "NeroVision Express SE"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Program Files\Ahead\NeroVision\NeroVision.exe" /New:VideoCapture"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

NeroAutoPlay2ViewPhotos\
"Provider" = "Nero PhotoSnap Viewer"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "ShowPicturesOnArrival_ViewPhotos"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\ShowPicturesOnArrival_ViewPhotos\command\(Default) = "C:\Program Files\Ahead\Nero PhotoSnap\PhotoSnapViewer.exe /Drive:%L" ["Ahead Software AG"]

PDVDPlayDVDMovieOnArrival\
"Provider" = "PowerDVD"
"InvokeProgID" = "DVD"
"InvokeVerb" = "PlayWithPowerDVD"
HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD\Command\(Default) = ""C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe" "%l"" ["CyberLink Corp."]

PSASE30ImportPicturesOnArrival\
"Provider" = "Adobe Photoshop Album Starter Edition"
"InvokeProgID" = "PSASE30.autoplay"
"InvokeVerb" = "launch"
HKLM\SOFTWARE\Classes\PSASE30.autoplay\shell\launch\command\(Default) = ""C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\psaproxy.exe" -v %1\" ["Adobe Systems Incorporated"]

SonicFoundryDVConnectVegas4\
"Provider" = "Sonic Foundry Vegas 4.0"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Program Files\Sonic Foundry\Vegas 4.0\vegas40.exe""
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]


Enabled Scheduled Tasks:
------------------------

"Ad-Aware Update (Weekly)" -> launches: "C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe update all silent" [file not found]
"College Algebra (Fall 2008 Student Version) Updates" -> launches: "C:\WINDOWS\Installer\College Algebra (Fall 2008 Student Version) Updates for All Users.lnk" [file not found]
"GoogleUpdateTaskMachine" -> launches: "C:\Program Files\Google\Update\GoogleUpdate.exe /c" [file not found]
"McDefragTask" -> launches: "C:\WINDOWS\system32\defrag.exe C: -f" ["Microsoft Corp. and Executive Software International, Inc."]
"McQcTask" -> launches: "c:\program files\mcafee\mqc\QcConsol.exe 4158 0" ["McAfee, Inc."]

"{7B02EF0B-A410-4938-8480-9BA26420A627}.job" -- insufficient permission to read this file!
"{BB65B0FB-5712-401b-B616-E69AC55E2757}" -> launches: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\h.exe" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 32
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
C:\windows\system32\winhelper.dll [null data], 33


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\(Default) = "Groove Folder Synchronization"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {HKLM...CLSID} = "Web Browser Applet Control"
\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS]

{09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5}\
"MenuText" = "&Gears Settings"
"CLSIDExtension" = "{0B4350D1-055F-47A3-B112-5F2F2B0D6F08}"

{2670000A-7350-4F3C-8081-5663EE0C6C49}\
"ButtonText" = "Send to OneNote"
"MenuText" = "S&end to OneNote"
"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"
-> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll" [MS]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{DDE87865-83C5-48C4-8357-2F5B1AA84522}\
"ButtonText" = "HP Smart Select"
"CLSIDExtension" = "{DDE87865-83C5-48c4-8357-2F5B1AA84522}"
-> {HKLM...CLSID} = "ClipBookBtn Class"
\InProcServer32\(Default) = "C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll" ["Hewlett-Packard Co."]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
[Strings]: MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"

Missing lines (compared with English-language version):
[Strings]: 2 lines

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<> "InPrivate" = "res://ieframe.dll/inprivate.htm" [MS]


HOSTS file
----------

C:\windows\System32\drivers\etc\HOSTS

maps: 106 domain names to IP addresses,
105 of the IP addresses are *not* localhost!

All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------

.NET Runtime Optimization Service v2.0.50727_X86, clr_optimization_v2.0.50727_32, "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe" [MS]
Adobe LM Service, Adobe LM Service, ""C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"" ["Adobe Systems"]
AntipyProex, AntipPro2009_100, "C:\windows\svchast.exe" [file not found]
Application Management, AppMgmt, "C:\windows\system32\svchost.exe -k netsvcs" {"C:\windows\System32\appmgmts.dll" [file not found]}
ASP.NET State Service, aspnet_state, "C:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe" [MS]
Creative Audio Engine Licensing Service, Creative Audio Engine Licensing Service, ""C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe"" ["Creative Labs"]
Creative Audio Service, CTAudSvcService, "C:\Program Files\Creative\Shared Files\CTAudSvc.exe" ["Creative Technology Ltd"]
Extensible Authentication Protocol Service, EapHost, "C:\windows\System32\svchost.exe -k eapsvcs" {"C:\windows\System32\eapsvc.dll" [MS]}
Health Key and Certificate Management Service, hkmsvc, "C:\windows\System32\svchost.exe -k netsvcs" {"C:\windows\System32\kmsvc.dll" [MS]}
HP CUE DeviceDiscovery Service, hpqddsvc, "C:\windows\system32\svchost.exe -k hpdevmgmt" {"C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll" ["Hewlett-Packard Co."]}
hpqcxs08, hpqcxs08, "C:\windows\system32\svchost.exe -k hpdevmgmt" {"C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll" ["Hewlett-Packard Co."]}
InstallDriver Table Manager, IDriverT, ""C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe"" ["Macrovision Corporation"]
Logical Disk Manager Administrative Service, dmadmin, "C:\windows\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]
McAfee Network Agent, McNASvc, ""c:\program files\common files\mcafee\mna\mcnasvc.exe"" ["McAfee, Inc."]
McAfee Personal Firewall Service, MpfService, ""C:\Program Files\McAfee\MPF\MPFSrv.exe"" ["McAfee, Inc."]
McAfee Proxy Service, McProxy, "c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe" ["McAfee, Inc."]
McAfee Real-time Scanner, McShield, "C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe" ["McAfee, Inc."]
McAfee Scanner, McODS, "C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe" [null data]
McAfee Services, mcmscsvc, "C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe" ["McAfee, Inc."]
McAfee SystemGuards, McSysmon, "C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe" ["McAfee, Inc."]
Microsoft Office Diagnostics Service, odserv, ""C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE"" [MS]
Microsoft Office Groove Audit Service, Microsoft Office Groove Audit Service, ""C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe"" [MS]
My Web Search Service, MyWebSearchService, "C:\PROGRA~1\MYWEBS~1\bar\f.bin\mwssvc.exe" [file not found]
Net Driver HPZ12, Net Driver HPZ12, "C:\windows\System32\svchost.exe -k HPZ12" {"C:\WINDOWS\system32\HPZinw12.dll" ["Hewlett-Packard"]}
Network Access Protection Agent, napagent, "C:\windows\System32\svchost.exe -k netsvcs" {"C:\windows\System32\qagentrt.dll" [MS]}
Norton Unerase Protection, NProtectService, "C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE" ["Symantec Corporation"]
NVIDIA Display Driver Service, NVSvc, "C:\windows\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Office Source Engine, ose, ""C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"" [MS]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\windows\System32\svchost.exe -k HPZ12" {"C:\WINDOWS\system32\HPZipm12.dll" ["Hewlett-Packard"]}
Portable Media Serial Number Service, WmdmPmSN, "C:\windows\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\MsPMSNSv.dll" [MS]}
Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" [file not found]
SymWMI Service, SymWSC, ""C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe"" ["Symantec Corporation"]
Windows CardSpace, idsvc, ""C:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"" [MS]
Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\windows\system32\svchost.exe -k WudfServiceGroup" {"C:\windows\System32\WUDFSvc.dll" [MS]}
Windows Media Player Network Sharing Service, WMPNetworkSvc, ""C:\Program Files\Windows Media Player\WMPNetwk.exe"" [MS]
Windows Presentation Foundation Font Cache 3.0.0.0, FontCache3.0.0.0, "C:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe" [MS]
Wired AutoConfig, Dot3svc, "C:\windows\System32\svchost.exe -k dot3svc" {"C:\windows\System32\dot3svc.dll" [MS]}
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]
WMI Performance Adapter, WmiApSrv, "C:\WINDOWS\System32\wbem\wmiapsrv.exe" [MS]
ZumieSearch Service, ZumieSearch Service, ""C:\Program Files\ZumieSearch\zumie.exe" "C:\Program Files\ZumieSearch\zumie.dll" Service" [file not found]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
LIDIL hpzll5mu\Driver = "hpzll5mu.dll" ["Hewlett-Packard Company"]
Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS]


---------- (launch time: 2009-08-16 21:36:42)
<>: Suspicious data at a malware launch point.
<>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 45 seconds, including 5 seconds for message boxes)

Re: windows anti virus

Please download the current version of HijackThis from HERE

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.

Re: windows anti virus

As soon as I started to run the scan it shut off, then when I try to open it again it gives an error saying I don't have access.

Re: windows anti virus

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:

    :filefind
    scecli.dll
    netlogon.dll
    eventlog.dll

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Re: windows anti virus

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 14:14 on 17/08/2009 by Administrator (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\WINDOWS\$NtServicePackUninstall$\scecli.dll -----c 180224 bytes [13:05 16/10/2008] [07:56 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\ServicePackFiles\i386\scecli.dll -----c 181248 bytes [07:56 04/08/2004] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\scecli.dll --a--- 181248 bytes [12:00 31/03/2003] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084

Searching for "netlogon.dll"
C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll -----c 407040 bytes [13:05 16/10/2008] [07:56 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A
C:\WINDOWS\ServicePackFiles\i386\netlogon.dll -----c 407040 bytes [07:56 04/08/2004] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\system32\netlogon.dll --a--- 407040 bytes [12:00 31/03/2003] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550

Searching for "eventlog.dll"
C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll -----c 55808 bytes [13:05 16/10/2008] [07:56 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll -----c 56320 bytes [07:56 04/08/2004] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\system32\eventlog.dll --a--- 60928 bytes [12:00 31/03/2003] [00:11 14/04/2008] (Unable to calculate MD5)

-=End Of File=-
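As an added example, not part of this thread or of SystemLook itself: a small Python parser for the filefind output above that does the comparison the helper is making by hand. It checks the live system32 copy of each DLL against the ServicePackFiles\i386 reference copy and flags a size or MD5 mismatch, or an MD5 that could not be read (the eventlog.dll case in this log). The log text is pasted from the post above; the directory names and the comparison rule are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed input: the filefind section copied from the SystemLook log posted above.
SAMPLE_LOG = r"""
========== filefind ==========

Searching for "scecli.dll"
C:\WINDOWS\$NtServicePackUninstall$\scecli.dll -----c 180224 bytes [13:05 16/10/2008] [07:56 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\ServicePackFiles\i386\scecli.dll -----c 181248 bytes [07:56 04/08/2004] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\scecli.dll --a--- 181248 bytes [12:00 31/03/2003] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084

Searching for "eventlog.dll"
C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll -----c 55808 bytes [13:05 16/10/2008] [07:56 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll -----c 56320 bytes [07:56 04/08/2004] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\system32\eventlog.dll --a--- 60928 bytes [12:00 31/03/2003] [00:11 14/04/2008] (Unable to calculate MD5)
"""

# One file line: path, six attribute flags, size, two timestamps, MD5 or the "unable" marker.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-A-Za-z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32}|\(Unable to calculate MD5\))\s*$"
)

# Assumed layout of an XP system: the live copy lives in system32 and the
# service-pack installer keeps a pristine reference copy under ServicePackFiles\i386.
LIVE_DIR = "\\system32\\"
REFERENCE_DIR = "\\servicepackfiles\\i386\\"


def parse_filefind(text):
    """Group the file lines of a filefind section by lower-cased file name."""
    found = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section header, "Searching for" line, or blank
        path = m.group("path")
        md5 = m.group("md5").upper()
        found[path.rsplit("\\", 1)[-1].lower()].append({
            "path": path,
            "size": int(m.group("size")),
            "md5": None if md5.startswith("(") else md5,  # None = could not be read
        })
    return found


def _copy_in(entries, directory, name):
    """Pick the entry whose path ends in <directory><name>, or None if absent."""
    want = directory + name
    return next((e for e in entries if e["path"].lower().endswith(want)), None)


def check_system_dlls(text):
    """Compare each live system32 file with its ServicePackFiles\\i386 reference copy.

    Returns (file name, reason) tuples; an empty list means nothing looked off.
    The $NtServicePackUninstall$ copies are the pre-service-pack versions and are
    expected to differ, so they are deliberately ignored.
    """
    findings = []
    for name, entries in parse_filefind(text).items():
        live = _copy_in(entries, LIVE_DIR, name)
        ref = _copy_in(entries, REFERENCE_DIR, name)
        if live is None:
            findings.append((name, "no copy found in system32"))
            continue
        if live["md5"] is None:
            # A file the tool could not hash is worth a look: locked, hidden or damaged.
            findings.append((name, "MD5 of the system32 copy could not be calculated"))
        if ref is None:
            findings.append((name, "no ServicePackFiles reference copy to compare with"))
            continue
        if live["size"] != ref["size"]:
            findings.append((name, f"size {live['size']} differs from reference size {ref['size']}"))
        elif live["md5"] is not None and live["md5"] != ref["md5"]:
            findings.append((name, "MD5 differs from the reference copy"))
    return findings


if __name__ == "__main__":
    for name, reason in check_system_dlls(SAMPLE_LOG):
        print(f"{name}: {reason}")
```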

Re: windows anti virus

Hello.

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:
C:\WINDOWS\system32\eventlog.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.

Re: windows anti virus

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\eventlog.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Re: windows anti virus

Now download Hijack This from here:
http://www.sendspace.com/pro/dl/932rpd

Download and run it.
Select "Do a system scan with logfile"
Copy and paste the log back here.

Re: windows anti virus

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:24 PM, on 8/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\windows\explorer.exe
C:\windows\system32\svchost.exe
C:\Documents and Settings\Administrator\Application Data\U3\0EE1A560722218C0\LaunchPad.exe
H:\winlogon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe rundll32.exe tapi.nfo beforeglav
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 127.0.0.0 localhost
O1 - Hosts: 127.0.0.2 auditmypc.com
O1 - Hosts: 127.0.0.4 bulletproofsoft.net
O1 - Hosts: 127.0.0.5 camtech2000.net
O1 - Hosts: 127.0.0.6 cexx.org
O1 - Hosts: 127.0.0.7 computercops.us
O1 - Hosts: 127.0.0.8 ct7support.com
O1 - Hosts: 127.0.0.9 doxdesk.com
O1 - Hosts: 127.0.0.20 kellys-korner-xp.com
O1 - Hosts: 127.0.0.21 kephyr.com
O1 - Hosts: 127.0.0.24 lurkhere.com
O1 - Hosts: 127.0.0.25 majorgeeks.com
O1 - Hosts: 127.0.0.26 merijn.org
O1 - Hosts: 127.0.0.27 mjc1.com
O1 - Hosts: 127.0.0.28 moosoft.com
O1 - Hosts: 127.0.0.29 mvps.org
O1 - Hosts: 127.0.0.30 net-integration.net
O1 - Hosts: 127.0.0.31 noadware.net
O1 - Hosts: 127.0.0.32 no-spybot.com
O1 - Hosts: 127.0.0.33 onlinepcfix.com
O1 - Hosts: 127.0.0.34 pchell.com
O1 - Hosts: 127.0.0.35 pestpatrol.com
O1 - Hosts: 127.0.0.36 safer-networking.org
O1 - Hosts: 127.0.0.37 secure.spykiller.com
O1 - Hosts: 127.0.0.38 secureie.com
O1 - Hosts: 127.0.0.39 security.kolla.de
O1 - Hosts: 127.0.0.40 spybot.info
O1 - Hosts: 127.0.0.41 spychecker.com
O1 - Hosts: 127.0.0.42 spychecker.com
O1 - Hosts: 127.0.0.43 spycop.com
O1 - Hosts: 127.0.0.44 spyguard.com
O1 - Hosts: 127.0.0.45 spykiller.com
O1 - Hosts: 127.0.0.46 spyware.co.uk
O1 - Hosts: 127.0.0.47 spyware-cop.com
O1 - Hosts: 127.0.0.48 spywareinfo.com
O1 - Hosts: 127.0.0.49 spywarenuker.com
O1 - Hosts: 127.0.0.50 spywareremove.com
O1 - Hosts: 127.0.0.51 spywareremove.com
O1 - Hosts: 127.0.0.52 stopzillapro.com
O1 - Hosts: 127.0.0.53 sunbelt-software.com
O1 - Hosts: 127.0.0.54 thiefware.com
O1 - Hosts: 127.0.0.55 tomcoyote.org
O1 - Hosts: 127.0.0.56 unwantedlinks.com
O1 - Hosts: 127.0.0.57 webattack.com
O1 - Hosts: 127.0.0.58 wilders.org
O1 - Hosts: 127.0.0.59 www.auditmypc.com
O1 - Hosts: 127.0.0.60 www.bulletproofsoft.net
O1 - Hosts: 127.0.0.61 www.cexx.org
O1 - Hosts: 127.0.0.62 www.computercops.us
O1 - Hosts: 127.0.0.63 www.ct7support.com
O1 - Hosts: 127.0.0.64 www.doxdesk.com
O1 - Hosts: 127.0.0.65 www.eblocs.com
O1 - Hosts: 127.0.0.66 www.enigmasoftwaregroup.com
O1 - Hosts: 127.0.0.67 www.free-spyware-scan.com
O1 - Hosts: 127.0.0.68 www.free-web-browsers.com
O1 - Hosts: 127.0.0.69 www.grc.com
O1 - Hosts: 127.0.0.70 www.grisoft.com
O1 - Hosts: 127.0.0.71 www.hackfaq.org
O1 - Hosts: 127.0.0.72 www.hazeleger.net
O1 - Hosts: 127.0.0.73 www.javacoolsoftware.com
O1 - Hosts: 127.0.0.74 www.kellys-korner-xp.com
O1 - Hosts: 127.0.0.75 www.kephyr.com
O1 - Hosts: 127.0.0.78 www.lurkhere.com
O1 - Hosts: 127.0.0.79 www.majorgeeks.com
O1 - Hosts: 127.0.0.80 www.merijn.org
O1 - Hosts: 127.0.0.81 www.mjc1.com
O1 - Hosts: 127.0.0.82 www.moosoft.com
O1 - Hosts: 127.0.0.83 www.mvps.org
O1 - Hosts: 127.0.0.84 www.net-integration.net
O1 - Hosts: 127.0.0.85 www.noadware.net
O1 - Hosts: 127.0.0.86 www.no-spybot.com
O1 - Hosts: 127.0.0.87 www.onlinepcfix.com
O1 - Hosts: 127.0.0.88 www.pchell.com
O1 - Hosts: 127.0.0.89 www.pestpatrol.com
O1 - Hosts: 127.0.0.90 www.safer-networking.org
O1 - Hosts: 127.0.0.91 www.secureie.com
O1 - Hosts: 127.0.0.92 www.security.kolla.de
O1 - Hosts: 127.0.0.93 www.spybot.info
O1 - Hosts: 127.0.0.94 www.spychecker.com
O1 - Hosts: 127.0.0.95 www.spychecker.com
O1 - Hosts: 127.0.0.96 www.spycop.com
O1 - Hosts: 127.0.0.97 www.spyguard.com
O1 - Hosts: 127.0.0.98 www.spykiller.com
O1 - Hosts: 127.0.0.99 www.spyware.co.uk

Re: windows anti virus

O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: C:\windows\system32\hs7f3uhduhfukde.dll - {BD56A320-23F2-42AD-F4E4-00AAC39CAA53} - C:\windows\system32\hs7f3uhduhfukde.dll
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_2101.dll"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [winupdate.exe] C:\windows\system32\winupdate.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [12336034] C:\Documents and Settings\All Users\Application Data\12336034\12336034.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\windows\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\windows\System32\shdocvw.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.alltel.com/wizlet/ALLTEL/static/controls/WebflowActiveXInstaller_2-0-0.cab
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://support.cengage.com/system/web/view/live/messaging/ie/SecMgr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137190518178
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} (Enlite 2.x Simulation Engine Installer) - http://myitlab.pearsoned.com/Pegasus/Modules/SIMIntegration/Resources/ax/stub.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FDDBD93-A4F8-41EF-B819-6076583D22C3}: NameServer = 166.102.165.11,166.102.165.13
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: csbdll - C:\windows\SYSTEM32\csbdll.dll
O22 - SharedTaskScheduler: LKMSFOIVAMFOMSFVIOSVJASIUENFJNDJV - {BD56A320-23F2-42AD-F4E4-00AAC39CAA53} - C:\windows\system32\hs7f3uhduhfukde.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntipyProex (AntipPro2009_100) - Unknown owner - C:\windows\svchast.exe (file missing)
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\windows\
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\f.bin\mwssvc.exe (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\windows\
O23 - Service: ZumieSearch Service - Unknown owner - C:\Program Files\ZumieSearch\zumie.exe (file missing)

--
End of file - 11772 bytes
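An added example, not part of the thread or of HijackThis itself: a triage pass over a few lines copied from the HijackThis log above (with a normal "127.0.0.1 localhost" hosts line and a normal O23 service line added as constructed benign input). It flags the things a helper reads this log for: a changed system.ini Shell value, hosts-file entries that send security sites to loopback, an orphan BHO, an unknown Winsock LSP, a Winlogon Notify DLL to verify, and services whose binary is missing. The rules are this example's assumptions, not HijackThis's own logic.

```python
import re
import ipaddress

# Constructed input: lines copied from the HijackThis log posted above, plus a normal
# "127.0.0.1 localhost" hosts line and a normal service line so benign input is exercised.
SAMPLE_HJT = r"""
F2 - REG:system.ini: Shell=explorer.exe rundll32.exe tapi.nfo beforeglav
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.0 localhost
O1 - Hosts: 127.0.0.2 auditmypc.com
O1 - Hosts: 127.0.0.36 safer-networking.org
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper.dll
O20 - Winlogon Notify: csbdll - C:\windows\SYSTEM32\csbdll.dll
O23 - Service: AntipyProex (AntipPro2009_100) - Unknown owner - C:\windows\svchast.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<rest>.+)$")
SYSINI_RE = re.compile(r"^REG:system\.ini: (?P<key>\w+)=(?P<val>.*)$")


def hosts_finding(entry):
    """Judge one hosts-file mapping given as '<ip> <hostname>'; None means normal."""
    parts = entry.split()
    if len(parts) != 2:
        return "hosts entry could not be parsed: " + entry
    ip_text, host = parts
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "hosts entry with an invalid address: " + entry
    if host.lower() == "localhost":
        if ip_text == "127.0.0.1":
            return None
        return f"localhost mapped to {ip_text} instead of 127.0.0.1"
    if ip.is_loopback:
        # The pattern in this thread: security vendor sites sent to 127.0.0.x so they never load.
        return f"{host} redirected to loopback {ip_text} (site blocked)"
    return f"{host} pinned to {ip_text} (possible DNS override)"


def system_ini_finding(rest):
    """Shell must be exactly explorer.exe; UserInit must be the system32 userinit.exe."""
    m = SYSINI_RE.match(rest)
    if not m:
        return None
    key, val = m.group("key").lower(), m.group("val").strip()
    if key == "shell" and val.lower() != "explorer.exe":
        return "system.ini Shell hijacked: " + val
    if key == "userinit" and not val.lower().rstrip(",").endswith(r"\system32\userinit.exe"):
        return "system.ini UserInit changed: " + val
    return None


def triage(log_text):
    """Return (section code, finding) tuples for the suspicious lines of a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list, blank lines
        code, rest = m.group("code"), m.group("rest")
        msg = None
        if code == "F2":
            msg = system_ini_finding(rest)
        elif code == "O1" and rest.startswith("Hosts:"):
            msg = hosts_finding(rest[len("Hosts:"):].strip())
        elif code == "O2" and rest.endswith("(no file)"):
            msg = "BHO registered but its DLL is gone (orphan entry): " + rest
        elif code == "O10":
            msg = "unknown Winsock LSP, verify this DLL: " + rest.split(":", 1)[-1].strip()
        elif code == "O20":
            msg = "Winlogon Notify DLL, verify it is known-good: " + rest
        elif code == "O23" and rest.endswith("(file missing)"):
            msg = "service whose binary is missing: " + rest
        if msg:
            findings.append((code, msg))
    return findings


if __name__ == "__main__":
    for code, msg in triage(SAMPLE_HJT):
        print(f"[{code}] {msg}")
```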

Re: windows anti virus

Hello.

Your system is severely infected. Problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. Reason I am telling this is because when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    [screenshot: CF_download_FF]

    [screenshot: CF_download_rename]

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    [screenshot: Rcauto10]

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

    [screenshot: Whatne10]

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Re: windows anti virus

ComboFix 09-08-10.06 - Administrator 08/18/2009 20:58.1.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.800 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Uninstall Fun Web Products.dll
c:\recycler\S-1-5-21-1584594689-7771861970-576259173-2983
c:\recycler\S-1-5-21-1584594689-7771861970-576259173-2983\Desktop.ini
c:\recycler\S-1-5-21-1584594689-7771861970-576259173-2983\msimfo32.exe
c:\recycler\S-1-5-21-1715567821-746137067-1343024091-1003
c:\recycler\S-1-5-21-1715567821-746137067-1343024091-1003\desktop.ini
c:\recycler\S-1-5-21-1715567821-746137067-1343024091-1003\INFO2
c:\recycler\S-1-5-21-1715567821-746137067-1343024091-1004
c:\recycler\S-1-5-21-1715567821-746137067-1343024091-1004\desktop.ini
c:\recycler\S-1-5-21-1715567821-746137067-1343024091-1004\INFO2
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\msa.exe
c:\windows\patch.exe
c:\windows\system32\AVR09.exe
c:\windows\system32\critical_warning.html
c:\windows\system32\dddesot.dll
c:\windows\system32\drivers\glaide32.sys
c:\windows\system32\msxml71.dll
c:\windows\system32\winhelper.dll
c:\windows\system32\winupdate.exe


c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2009-07-19 to 2009-08-19 )))))))))))))))))))))))))))))))
.

2009-08-17 00:45 . 2005-06-06 15:29 110592 ----a-w- c:\documents and settings\Administrator\Application Data\U3\temp\cleanup.exe
2009-08-16 22:37 . 2009-08-17 02:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2009-08-16 22:37 . 2009-08-17 02:03 -------- d-----w- c:\docume~1\ADMINI~1\APPLIC~1\U3
2009-08-16 18:18 . 2009-08-16 18:18 36 ----a-w- c:\windows\system32\sysnet.dat
2009-08-16 18:18 . 2009-08-16 18:18 64 ----a-w- c:\windows\ppp4.dat
2009-08-16 18:18 . 2009-08-16 18:18 2 ----a-w- c:\windows\ppp3.dat
2009-08-16 18:17 . 2009-08-17 00:48 -------- d-----w- c:\program files\Windows Antivirus Pro
2009-08-16 18:14 . 2009-08-16 18:15 162816 ----a-w- C:\dvrdiqbe.exe
2009-08-16 18:14 . 2009-08-16 18:14 705 ----a-w- C:\cuopy.exe
2009-08-16 18:14 . 2009-08-16 18:14 358400 ----a-w- c:\windows\isvchost.exe
2009-08-16 18:14 . 2009-08-16 18:14 36352 ----a-w- c:\windows\system32\csbdll.dll
2009-08-16 18:14 . 2009-08-16 18:14 104448 ----a-w- C:\lcbckjms.exe
2009-08-16 18:14 . 2009-08-16 18:14 81408 ----a-w- C:\djos.exe
2009-08-16 18:13 . 2009-08-16 18:12 155648 ----a-w- c:\windows\mse.exe
2009-08-16 17:06 . 2009-08-16 17:16 -------- d-----w- c:\program files\me2
2009-08-16 17:04 . 2009-08-16 17:04 -------- d-----w- c:\program files\me
2009-08-16 16:23 . 2009-08-16 16:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-16 16:23 . 2009-08-16 16:23 -------- d-----w- c:\docume~1\ADMINI~1\APPLIC~1\Malwarebytes
2009-08-16 16:23 . 2009-08-17 18:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-16 16:23 . 2009-08-16 16:23 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-08-16 16:23 . 2009-08-16 16:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\AdobeUM
2009-08-16 16:23 . 2009-08-16 16:23 -------- d-----w- c:\docume~1\ADMINI~1\APPLIC~1\AdobeUM
2009-08-16 16:21 . 2009-08-16 16:22 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-08-16 16:21 . 2009-08-16 16:22 -------- d-----w- c:\docume~1\ADMINI~1\LOCALS~1\APPLIC~1\Adobe
2009-08-16 16:20 . 2009-08-16 16:20 155648 ----a-w- c:\windows\msd.exe
2009-08-16 02:53 . 2009-08-16 02:53 155648 ----a-w- c:\windows\msc.exe
2009-08-16 02:50 . 2009-08-16 02:50 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-08-16 02:50 . 2009-08-16 02:50 -------- d-----w- c:\docume~1\ADMINI~1\LOCALS~1\APPLIC~1\Mozilla
2009-08-16 02:49 . 2009-08-16 02:49 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-08-16 02:43 . 2009-08-16 02:42 155648 ----a-w- c:\windows\msb.exe
2009-08-16 02:20 . 2009-08-16 02:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!
2009-08-16 02:20 . 2009-08-16 02:20 -------- d-----w- c:\docume~1\ADMINI~1\APPLIC~1\Yahoo!
2009-08-16 02:02 . 2009-08-18 01:43 104652 ----a-w- c:\windows\system32\drivers\65ef9f3e.sys
2009-08-16 02:01 . 2009-08-16 18:14 705 ----a-w- C:\sndanmiw.exe
2009-08-16 02:00 . 2009-08-16 18:14 203535 ----a-w- C:\jybmkssu.exe
2009-08-16 02:00 . 2009-08-17 01:51 15000 ----a-w- c:\windows\system32\hs7f3uhduhfukde.dll
2009-08-15 16:12 . 2009-08-15 16:12 -------- d-----w- c:\documents and settings\whos the b**** now\Local Settings\Application Data\Ahead
2009-08-15 02:51 . 2009-08-15 02:51 -------- d-----w- c:\documents and settings\whos the b**** now\Application Data\AVS4YOU
2009-08-15 02:50 . 2009-08-15 02:50 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-08-15 02:50 . 2007-02-27 22:36 974848 ----a-w- c:\windows\system32\mfc70.dll
2009-08-15 02:50 . 2007-02-27 22:36 487424 ----a-w- c:\windows\system32\msvcp70.dll
2009-08-15 02:49 . 2009-08-16 02:19 -------- d-----w- c:\program files\AVS4YOU
2009-08-11 03:48 . 2009-08-11 03:48 -------- d-----w- c:\documents and settings\whos the b**** now\Application Data\Media Player Classic
2009-08-08 16:31 . 2009-08-08 16:31 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\vsosdk
2009-08-08 02:00 . 2009-08-15 18:23 -------- d-----w- c:\documents and settings\whos the b**** now\Application Data\Vso
2009-08-08 02:00 . 2009-08-08 02:00 87608 ----a-w- c:\documents and settings\whos the b**** now\Application Data\inst.exe
2009-08-08 02:00 . 2009-08-08 02:00 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-08-08 02:00 . 2009-08-08 02:00 47360 ----a-w- c:\documents and settings\whos the b**** now\Application Data\pcouffin.sys
2009-08-08 02:00 . 2007-03-19 00:37 65602 ----a-w- c:\windows\system32\cook3260.dll
2009-08-08 02:00 . 2006-09-29 16:26 176165 ----a-w- c:\windows\system32\drv23260.dll
2009-08-08 02:00 . 2006-09-29 16:25 208935 ----a-w- c:\windows\system32\drv33260.dll
2009-08-08 02:00 . 2006-09-29 16:24 217127 ----a-w- c:\windows\system32\drv43260.dll
2009-08-08 02:00 . 2006-05-20 20:16 1184984 ----a-w- c:\windows\system32\wvc1dmod.dll
2009-08-08 02:00 . 2006-05-11 23:21 626688 ----a-w- c:\windows\system32\vp7vfw.dll
2009-08-08 02:00 . 2002-12-10 06:20 102439 ----a-w- c:\windows\system32\sipr3260.dll
2009-08-08 02:00 . 2009-08-08 02:00 -------- d-----w- c:\program files\VSO
2009-08-08 01:15 . 2009-08-08 01:15 -------- d-----w- c:\documents and settings\whos the b**** now\Application Data\Ahead
2009-08-06 18:32 . 2009-08-06 18:32 -------- d-----w- c:\documents and settings\whos the b**** now\Local Settings\Application Data\Apple Computer
2009-08-04 03:40 . 2009-08-04 03:40 -------- d-----w- c:\documents and settings\whos the b**** now\Local Settings\Application Data\Adobe
2009-08-02 15:46 . 2009-08-02 15:46 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-02 15:45 . 2009-08-02 15:45 -------- d-----w- c:\program files\Reference Assemblies
2009-08-02 15:43 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-02 15:43 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-02 15:43 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-02 15:43 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-02 15:43 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-02 15:43 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-02 15:43 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-02 15:32 . 2009-08-02 19:31 -------- d-----w- c:\documents and settings\whos the b**** now\Local Settings\Application Data\compLexity Demo Player
2009-08-02 15:32 . 2009-08-02 15:32 -------- d-----w- c:\program files\compLexity Demo Player
2009-07-24 15:15 . 2009-07-24 15:15 -------- d-----w- c:\program files\NVIDIA Corporation
2009-07-24 15:15 . 2009-07-24 15:15 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\NVIDIA Corporation
2009-07-24 15:13 . 2009-07-14 18:54 2189856 ----a-w- c:\windows\system32\nvcuvid.dll
2009-07-24 15:13 . 2009-07-14 18:54 1706528 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-07-24 15:13 . 2009-07-14 18:54 2002944 ----a-w- c:\windows\system32\nvcuda.dll
2009-07-24 15:13 . 2009-07-14 18:54 1597690 ----a-w- c:\windows\system32\nvdata.bin

Re: windows anti virus

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-16 16:38 . 2003-12-03 01:50 -------- d-----w- c:\program files\Trend Micro
2009-08-16 02:35 . 2004-01-28 15:26 -------- d-----w- c:\program files\Yahoo!
2009-08-16 02:20 . 2008-03-14 05:20 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Yahoo!
2009-08-16 02:10 . 2007-04-06 09:41 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\McAfee
2009-08-13 21:33 . 2003-12-03 15:57 -------- d-----w- c:\program files\Steam
2009-08-13 07:04 . 2007-09-21 03:57 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft Help
2009-08-05 16:20 . 2009-06-24 20:53 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\myitlab
2009-08-05 09:01 . 2005-12-30 16:08 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-02 16:04 . 2009-07-11 15:18 78200 ----a-w- c:\documents and settings\whos the b**** now\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-02 15:46 . 2007-09-21 04:04 -------- d-----w- c:\program files\MSBuild
2009-07-17 19:01 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 13:29 . 2007-04-06 09:46 -------- d-----w- c:\program files\McAfee
2009-07-16 04:13 . 2009-07-16 04:12 -------- d-----w- c:\program files\Essentials Codec Pack
2009-07-16 04:01 . 2009-07-16 04:01 -------- d-----w- c:\program files\FLV Player
2009-07-16 03:57 . 2009-07-16 03:57 -------- d-----w- c:\documents and settings\whos the b**** now\Application Data\Apple Computer
2009-07-14 18:54 . 2007-03-28 05:37 485920 -c--a-w- c:\windows\system32\nvudisp.exe
2009-07-14 18:54 . 2006-10-22 16:22 868352 ----a-w- c:\windows\system32\nvapi.dll
2009-07-14 18:54 . 2006-10-22 16:22 7741664 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-07-14 18:54 . 2006-10-22 16:22 5842816 ----a-w- c:\windows\system32\nv4_disp.dll
2009-07-14 18:54 . 2006-10-22 16:22 151552 ----a-w- c:\windows\system32\nvcodins.dll
2009-07-14 18:54 . 2006-10-22 16:22 151552 ----a-w- c:\windows\system32\nvcod.dll
2009-07-14 18:54 . 2006-10-22 16:22 10457088 ----a-w- c:\windows\system32\nvoglnt.dll
2009-07-14 17:35 . 2009-07-14 17:35 2173472 ----a-w- c:\windows\system32\nvcplui.exe
2009-07-14 17:35 . 2009-07-14 17:35 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-07-14 17:35 . 2009-07-14 17:35 4026368 ----a-w- c:\windows\system32\nvvitvs.dll
2009-07-14 17:35 . 2009-07-14 17:35 3170304 ----a-w- c:\windows\system32\nvwss.dll
2009-07-14 17:34 . 2009-07-14 17:34 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-07-14 17:34 . 2009-07-14 17:34 4923392 ----a-w- c:\windows\system32\nvdisps.dll
2009-07-14 17:34 . 2009-07-14 17:34 3547136 ----a-w- c:\windows\system32\nvgames.dll
2009-07-14 17:34 . 2009-07-14 17:34 188416 ----a-w- c:\windows\system32\nvmccss.dll
2009-07-14 17:34 . 2009-07-14 17:34 168004 ----a-w- c:\windows\system32\nvsvc32.exe
2009-07-14 17:34 . 2009-07-14 17:34 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-07-14 17:34 . 2009-07-14 17:34 13877248 ----a-w- c:\windows\system32\nvcpl.dll
2009-07-14 17:34 . 2009-07-14 17:34 1286144 ----a-w- c:\windows\system32\nvmobls.dll
2009-07-14 17:34 . 2009-07-14 17:34 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-07-14 03:43 . 2004-04-06 11:29 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-14 01:48 . 2009-07-14 01:16 -------- d-----w- c:\documents and settings\whos the b**** now\Application Data\HPAppData
2009-07-12 18:46 . 2009-07-12 18:46 -------- d-----w- c:\documents and settings\whos the b**** now\Application Data\Yahoo!
2009-07-11 20:35 . 2009-07-11 20:35 0 ----a-w- c:\documents and settings\whos the b**** now\Application Data\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2009-07-11 17:10 . 2009-06-02 21:58 -------- d-----w- c:\program files\uTorrent
2009-07-11 17:08 . 2004-04-11 06:53 -------- d-----w- c:\program files\mIRC2
2009-07-10 22:19 . 2003-12-03 15:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-10 22:19 . 2009-07-10 22:19 -------- d-----w- c:\program files\Common Files\Creative Labs Shared
2009-07-10 22:19 . 2003-12-03 15:47 -------- d-----w- c:\program files\Creative
2009-07-10 22:18 . 2009-05-08 06:48 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2009-07-10 11:01 . 2007-03-28 05:24 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-07-07 01:07 . 2009-07-07 01:07 -------- d-----w- c:\program files\Undisker
2009-07-03 17:09 . 2009-02-11 17:55 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2005-06-15 17:50 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2003-03-31 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2003-03-31 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2003-03-31 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2003-03-31 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2003-03-31 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 20:51 . 2009-06-24 20:48 1690 ----a-w- c:\windows\unins000.dat
2009-06-24 20:50 . 2009-06-24 20:48 683801 ----a-w- c:\windows\unins000.exe
2009-06-24 11:18 . 2003-03-31 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-22 14:55 . 2009-06-22 14:50 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData
2009-06-16 18:02 . 2006-01-14 02:41 78200 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-16 14:36 . 2003-03-31 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2003-03-31 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-13 16:27 . 2006-02-09 18:04 5632 -csha-w- c:\program files\Thumbs.db
2009-06-12 12:31 . 2003-03-31 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2003-03-31 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2003-12-03 14:54 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2003-03-31 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2005-12-30 16:08 1291264 ----a-w- c:\windows\system32\quartz.dll
2008-09-24 23:42 . 2009-01-22 00:47 267592 ----a-w- c:\program files\Uninstall Ask Toolbar.dll
2007-12-11 04:34 . 2009-01-22 00:37 237568 ----a-w- c:\program files\Uninstall Morpheus Toolbar.dll
2006-01-28 17:35 . 2006-01-28 17:35 774144 -c--a-w- c:\program files\RngInterstitial.dll
2000-06-05 21:47 . 2007-09-17 07:05 32768 -c--a-w- c:\program files\mozilla firefox\plugins\AppSub32.dll
.

------- Sigcheck -------

[7] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\ServicePackFiles\i386\ctfmon.exe


c:\windows\system32\ctfmon.exe ... is missing !!
c:\windows\system32\appmgmts.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTStartup"="c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" [2001-12-20 28672]
"PCShield"="c:\windows\System32\sfg_2101.dll" [2006-02-01 233472]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-07-09 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-07-14 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-14 13877248]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\Ctxfihlp.exe [2007-04-09 19968]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2007-04-09 19456]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="explorer.exe rundll32.exe tapi.nfo beforeglav"
"Userinit"="c:\windows\System32\Userinit.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\csbdll]
2009-08-16 18:14 36352 ----a-w- c:\windows\system32\csbdll.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OneNote Table Of Contents.onetoc2]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OneNote Table Of Contents.onetoc2
backup=c:\windows\pss\OneNote Table Of Contents.onetoc2Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Java\\j2re1.4.2_04\\bin\\javaw.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Steam\\SteamApps\\bongreaper\\counter-strike\\hl.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\SteamApps\\bongreaper\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\mIRC2\\mirc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5100:TCP"= 5100:TCP:*:Disabled:webcam.yahoo.com
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

S1 65ef9f3e;65ef9f3e;c:\windows\system32\drivers\65ef9f3e.sys [8/15/2009 10:02 PM 104652]
S1 glaide32;glaide32;\??\c:\windows\system32\drivers\glaide32.sys --> c:\windows\system32\drivers\glaide32.sys [?]
S2 AntipPro2009_100;AntipyProex;c:\windows\svchast.exe --> c:\windows\svchast.exe [?]
S2 MyWebSearchService;My Web Search Service;c:\progra~1\MYWEBS~1\bar\f.bin\mwssvc.exe --> c:\progra~1\MYWEBS~1\bar\f.bin\mwssvc.exe [?]
S2 NProtectService;Norton Unerase Protection;c:\program files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE [1/19/2006 2:18 PM 135168]
S2 ZumieSearch Service;ZumieSearch Service;"c:\program files\ZumieSearch\zumie.exe" "c:\program files\ZumieSearch\zumie.dll" Service --> c:\program files\ZumieSearch\zumie.exe [?]
S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [7/10/2009 6:12 PM 99352]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [7/10/2009 6:12 PM 99352]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [7/10/2009 6:19 PM 79360]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [7/10/2009 6:12 PM 555032]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [7/10/2009 6:12 PM 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [7/10/2009 6:12 PM 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [7/10/2009 6:12 PM 100888]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [7/10/2009 6:12 PM 566296]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [7/10/2009 6:12 PM 566296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-12336034 - c:\documents and settings\All Users\Application Data\12336034\12336034.exe
Notify-AtiExtEvent - (no file)
SafeBoot-mfehidk
SafeBoot-mferkdk
SafeBoot-mfetdik
SafeBoot-mfetdik.sys


.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {1FDDBD93-A4F8-41EF-B819-6076583D22C3} = 166.102.165.11,166.102.165.13
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {5445BE81-B796-11D2-B931-002018654E2E} - hxxp://support.cengage.com/system/web/view/live/messaging/ie/SecMgr.cab
FF - ProfilePath - c:\docume~1\ADMINI~1\APPLIC~1\Mozilla\Firefox\Profiles\pfk72lik.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NpIpx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-18 21:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = c:\program files\Creative\Splash Screen\CTEaxSpl.EXE /run
CTxfiHlp = CTXFIHLP.EXE
CTHelper = CTHELPER.EXE

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(200)
c:\windows\system32\csbdll.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(256)
c:\windows\system32\WININET.dll
.
Completion time: 2009-08-19 21:25
ComboFix-quarantined-files.txt 2009-08-19 01:25

Pre-Run: 15,884,750,848 bytes free
Post-Run: 21,807,038,464 bytes free

889 --- E O F --- 2009-08-15 15:21

Re: windows anti virus
Hello.
What a mess you have here. You're lucky this could be fixed.

Now open a new notepad file.
Input this into the notepad file:

File::
c:\windows\system32\sysnet.dat
c:\windows\ppp4.dat
c:\windows\ppp3.dat
C:\dvrdiqbe.exe
C:\cuopy.exe
c:\windows\isvchost.exe
c:\windows\system32\csbdll.dll
C:\lcbckjms.exe
C:\djos.exe
c:\windows\mse.exe
c:\windows\msd.exe
c:\windows\msc.exe
c:\windows\msb.exe
c:\windows\system32\drivers\65ef9f3e.sys
C:\sndanmiw.exe
C:\jybmkssu.exe
c:\windows\system32\hs7f3uhduhfukde.dll
c:\program files\Uninstall Ask Toolbar.dll
c:\program files\Uninstall Morpheus Toolbar.dll

Folder::
c:\program files\Windows Antivirus Pro

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="explorer.exe"
"Userinit"="c:\windows\System32\Userinit.exe,"
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\csbdll]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=-
"c:\\StubInstaller.exe"=-
"c:\\Program Files\\Java\\j2re1.4.2_04\\bin\\javaw.exe"=-
"c:\\Program Files\\FrostWire\\FrostWire.exe"=-

Driver::
65ef9f3e
glaide32
AntipPro2009_100
MyWebSearchService
ZumieSearch Service


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
[screenshot]

This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to.)
Post the resulting log back here.
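As an added triage example (not ComboFix's code and not anything posted in this thread), the Python below parses a "Reg Loading Points" block in ComboFix's format and flags the same indicators the CFScript above removes: the extra command appended to the Winlogon Shell value, the Winlogon Notify DLL, the unexpected SecurityProviders entry, and the disabled Security Center monitoring. The sample input is constructed from the log earlier in the thread, and the known-good values are assumptions for a stock Windows XP install.

```python
# Added triage helper for ComboFix "Reg Loading Points" output (not ComboFix's
# own code). Flags the Winlogon, SecurityProviders and Security Center
# indicators that the CFScript in this thread is written to remove.
import re

# Known-good values: assumptions for a stock Windows XP box, not from the log.
GOOD_SHELL = "explorer.exe"
GOOD_USERINIT = "c:\\windows\\system32\\userinit.exe"
KNOWN_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# Constructed sample modelled on the log earlier in this thread.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="explorer.exe rundll32.exe tapi.nfo beforeglav"
"Userinit"="c:\windows\System32\Userinit.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\csbdll]
2009-08-16 18:14 36352 ----a-w- c:\windows\system32\csbdll.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
"""

def parse_sections(text):
    """Map each lower-cased [registry key] header to the lines beneath it."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections

def triage(text):
    """Return human-readable findings for the persistence indicators above."""
    findings = []
    for key, lines in parse_sections(text).items():
        leaf = key.rsplit("\\", 1)[-1]
        if key.endswith("\\winlogon"):
            # Shell/Userinit must be exactly the stock values (trailing comma tolerated).
            for m in filter(None, (re.match(r'"(Shell|Userinit)"="([^"]*)"', l) for l in lines)):
                name, value = m.group(1), m.group(2).lower().rstrip(",")
                if value != (GOOD_SHELL if name == "Shell" else GOOD_USERINIT):
                    findings.append(f"winlogon {name} tampered: {m.group(2)}")
        elif "\\winlogon\\notify\\" in key:
            # Any non-default Winlogon Notify package loads into winlogon.exe; report it.
            findings.append(f"winlogon notify package: {leaf}")
        elif key.endswith("\\securityproviders"):
            for l in lines:
                if l.lower().startswith("securityproviders "):
                    dlls = {d.strip().lower() for d in l.split(None, 1)[1].split(",")}
                    findings += [f"unknown SecurityProvider: {d}" for d in sorted(dlls - KNOWN_PROVIDERS)]
        elif "\\security center\\monitoring\\" in key:
            if any('"disablemonitoring"=dword:00000001' in l.lower() for l in lines):
                findings.append(f"security center monitoring disabled: {leaf}")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```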

Re: windows anti virus
Ok, ComboFix won't run for me anymore; it comes up with 3 "access denied" errors and just stops when it tries to create a restore point. I noticed I was able to run Malwarebytes and removed everything it found, hope I didn't jump ahead too soon? Now when I start up (not safe mode) I get the blue screen of death. Can't believe I let my system get so bad, kind of embarrassing. I appreciate the help Belahzur. Thank you.

Re: windows anti virus
We need to do this in safe mode:

Please do the following in Safe Mode with Networking: as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press your Enter key.

Note: With some computers, if you press and hold a key as the computer is booting you will get a stuck key message. If this occurs, instead of pressing and holding the "F8 key", tap the "F8 key" continuously until you get the startup menu. Once in the startup menu, select "Safe Mode with Networking", then follow these instructions:

Now do the top ComboFix instruction given by Belahzur.
