Could someone please check my Hijack This Log?

I have tried AVG and Spybot to clean my Pc but still slow and it have many processes going on. This is my first time with HJT so I'll be very careful on following each step. This is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:20 AM, on 4/1/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxdwcoms.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Image-Line\FL Studio 9\FL.dll
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OneNote Table Of Contents.onetoc2
O4 - Global Startup: Windows Defender.lnk = C:\plugins\Server.jar
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6087.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: explores - Unknown owner - C:\WINDOWS\TEMP\cdox.tmp\svchost.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxdwCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdwserv.exe
O23 - Service: lxdw_device - - C:\WINDOWS\system32\lxdwcoms.exe

--
End of file - 6270 bytes

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

• Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.scr
  • DDS.pif
• Double click on the DDS icon, allow it to run.
• A small box will open, with an explaination about the tool. No input is needed, the scan is running.
• Notepad will open with the results.
• Follow the instructions that pop up for posting the results.
• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


And

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

• The application window will appear
• Click the Disable button to disable your CD Emulation drivers
• Click Yes to continue
• A 'Finished!' message will appear
• Click OK
• DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.


Then

Please download GMER from one of the following locations and save it to your desktop:

• Main Mirror
  This version will download a randomly named file (Recommended)
• Zipped Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

• Disconnect from the Internet and close all running programs.
• Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
• Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
• Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  
  
  
• GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
• If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
• Now click the Scan button. If you see a rootkit warning window, click OK.
• When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
• Click the Copy button and paste the results into your next reply.
• Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode .

Thanks for the tools and the instructions. I'll performe the steps as described, hopefuly, tonight. I only have one question. After I run all this steps , what should I be reporting you to make sure the PC is clean?

There should be four logs. Two for DDS (attach the attach.txt file), one for DeFogger and one for Gmer.

THanks for the help. These are the logs:

Logs for DDS:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 22:25:03.18 on Mon 04/05/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.766.295 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\javaw.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxdwcoms.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\LTPG13HE\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.pr/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [snpstd3] c:\windows\vsnpstd3.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\documents and settings\administrator\start menu\programs\startup\OneNote Table Of Contents.onetoc2
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\plugins\Server.jar
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli kbiasr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\7o8duowg.default\
FF - plugin: c:\documents and settings\administrator\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\administrator\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\administrator\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\administrator\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-6 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-6 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-6 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-6 297752]
R2 lxdw_device;lxdw_device;c:\windows\system32\lxdwcoms.exe -service --> c:\windows\system32\lxdwcoms.exe -service [?]
S2 explores;explores;"c:\windows\temp\cdox.tmp\svchost.exe" --> c:\windows\temp\cdox.tmp\svchost.exe [?]
S2 lxdwCATSCustConnectService;lxdwCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdwserv.exe [2009-9-20 98984]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2010-04-04 15:54:06 0 d-----w- c:\program files\EDIROL
2010-04-01 04:17:33 0 d-----w- c:\program files\Trend Micro
2010-03-26 00:14:37 186729 ----a-w- c:\windows\system32\Duck2.pdf
2010-03-13 00:05:12 0 d-----w- c:\windows\pss
2010-03-12 00:48:48 3555328 -c----w- c:\windows\system32\dllcache\moviemk.exe

==================== Find3M ====================

2010-03-18 23:05:01 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-05 01:32:38 56532 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-21 00:22:45 6863 ----a-w- c:\windows\system32\WORK.DAT
2010-02-04 14:01:14 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-02-04 14:01:14 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-02-04 14:01:14 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-02-04 14:01:14 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll

============= FINISH: 22:26:59.17 ===============

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Logs for DeFogger:
This one ran but never asked for a system restart. I'm pasting here the log file:


defogger_disable by jpshortstuff (23.02.10.1)
Log created at 22:34 on 05/04/2010 (Administrator)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Log for GMER

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-04-05 22:58:26
Windows 5.1.2600 Service Pack 2
Running: 2qijpoti.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uxtdrpob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 83EB3A9A

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

I also want to tell you that Sybot found ctfmon.exe as a malware in the windows start-up. I have'nt done anything with it yet, this is purely informative.

Thanks in advance for your help

Gmer has flagged a rootkit

Please download ComboFix from one of these locations:

• Bleepingcomputer
• ForoSpyware
• GeeksToGo

* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. ( Click on this link to see a list of programs that should be disabled. The list is not all inclusive. )
• Double click on Combofix.exe & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Hi! I did it as you told me. Here is the comfix log
I hope this is good news!

ComboFix 10-04-05.06 - Administrator 04/06/2010 23:51:59.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.766.481 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\comfix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\ighsha.exe
c:\windows\system32\lowsec
c:\windows\system32\msvcsv60.dll
c:\windows\system32\WORK.DAT
c:\windows\system32\wupd.dat

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSHNAS


((((((((((((((((((((((((( Files Created from 2010-03-07 to 2010-04-07 )))))))))))))))))))))))))))))))
.

2010-04-07 02:35 . 2010-04-07 02:35 0 ------w- C:\h.zip
2010-04-04 15:54 . 2010-04-04 15:54 -------- d-----w- c:\program files\EDIROL
2010-04-01 04:17 . 2010-04-01 04:17 -------- d-----w- c:\program files\Trend Micro
2010-03-31 03:24 . 2010-04-01 04:07 -------- d-----w- c:\program files\Windows Live Safety Center
2010-03-12 00:48 . 2009-10-23 14:27 3555328 -c----w- c:\windows\system32\dllcache\moviemk.exe
1601-01-01 00:00 . 1601-01-01 00:00 -------- d-----w- c:\windows\LastGood.Tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-04 15:54 . 2009-08-03 15:22 -------- d-----w- c:\program files\VstPlugins
2010-03-18 23:05 . 2001-08-23 12:00 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-17 00:29 . 2010-02-14 22:39 16 ----a-w- c:\windows\msocreg32.dat
2010-03-13 23:49 . 2009-08-03 17:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-07 03:43 . 2010-02-26 11:42 -------- d-----w- c:\program files\Image-Line
2010-03-07 03:41 . 2010-02-22 01:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\GlarySoft
2010-03-05 01:32 . 2010-03-05 01:32 56532 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-05 00:32 . 2009-08-11 00:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-03-05 00:11 . 2010-03-05 00:06 -------- d-----w- c:\program files\iTunes
2010-03-05 00:11 . 2010-03-05 00:06 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-03-05 00:09 . 2010-03-05 00:09 -------- d-----w- c:\program files\iPod
2010-03-05 00:08 . 2009-08-11 00:37 -------- d-----w- c:\program files\Common Files\Apple
2010-03-04 23:50 . 2010-03-04 23:48 -------- d-----w- c:\program files\QuickTime
2010-03-03 00:05 . 2009-08-03 02:24 69232 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-01 00:29 . 2010-02-08 00:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Facebook
2010-02-27 07:57 . 2009-08-03 17:53 -------- d-----w- c:\program files\Microsoft Works
2010-02-27 00:49 . 2010-02-27 00:49 -------- d-----w- c:\program files\FileASSASSIN
2010-02-26 23:26 . 2009-08-06 06:56 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-02-22 02:57 . 2010-02-22 02:57 -------- d-----w- c:\program files\Aida
2010-02-22 01:55 . 2009-08-22 12:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Unity
2010-02-22 01:55 . 2009-08-22 11:28 -------- d-----w- c:\program files\Unity
2010-02-22 00:10 . 2010-02-22 00:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\Uniblue
2010-02-21 13:06 . 2009-10-14 00:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-20 23:42 . 2009-08-03 15:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
2010-02-14 22:27 . 2009-08-03 03:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-14 22:27 . 2010-02-14 22:27 -------- d-----w- c:\program files\IK Multimedia
2010-02-10 00:34 . 2009-08-03 15:02 -------- d-----w- c:\program files\Dell
2010-02-04 14:01 . 2010-02-21 14:35 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-02-04 14:01 . 2010-02-21 14:35 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-02-04 14:01 . 2010-02-21 14:35 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-02-04 14:01 . 2010-02-21 14:35 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OneNote Table Of Contents.onetoc2 [2009-12-7 3656]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
short.zip [2010-4-6 0]
Windows Defender.lnk - c:\plugins\Server.jar [2010-2-28 453366]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-29 01:25 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HotKeysCmds"=c:\windows\system32\hkcmd.exe
"IgfxTray"=c:\windows\system32\igfxtray.exe
"snpstd3"=c:\windows\vsnpstd3.exe
"lxdwmon.exe"="c:\program files\Lexmark 7600 Series\lxdwmon.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\WINDOWS\\system32\\lxdwcoms.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/6/2009 2:57 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/6/2009 2:57 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/6/2009 7:42 PM 297752]
R2 lxdw_device;lxdw_device;c:\windows\system32\lxdwcoms.exe -service --> c:\windows\system32\lxdwcoms.exe -service [?]
S2 explores;explores;"c:\windows\TEMP\cdox.tmp\svchost.exe" --> c:\windows\TEMP\cdox.tmp\svchost.exe [?]
S2 lxdwCATSCustConnectService;lxdwCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdwserv.exe [9/20/2009 10:54 AM 98984]
.
Contents of the 'Scheduled Tasks' folder

2009-12-29 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-08-28 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.pr/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7o8duowg.default\
FF - plugin: c:\documents and settings\Administrator\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - truec:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-07 00:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2256)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\WMASF.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxdwcoms.exe
c:\windows\system32\wdfmgr.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Java\jre6\bin\javaw.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-04-07 00:23:04 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-07 04:22

Pre-Run: 1,348,714,496 bytes free
Post-Run: 1,370,136,576 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 4611CD04E68E932685BB4B5C6B8DD55D

Yes, good news as it has removed the rootkit. We need to clear up a bit now

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:



Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Then please run MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.

• Make sure you are connected to the Internet.
• Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
• When the installation begins, follow the prompts and do not make any changes to default settings.
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
• Then click Finish.
• MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
• On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
• The scan will begin and " Scan in progress " will show at the top. It may take some time to complete so please be patient.
• When the scan is finished, a message box will say " The scan completed successfully. Click 'Show Results' to display all objects found ".
• Click OK to close the message box and continue with the removal process.
• Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
• Make sure that everything is checked , and click Remove Selected.
• When removal is completed, a log report will open in Notepad.
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Then please follow that with ESET's online scan

I'd like us to scan your machine with ESET OnlineScan

1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
   ESET OnlineScan
2. Click the button.
3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
   1. Click on to download the ESET Smart Installer. Save it to your desktop.
   2. Double click on the icon on your desktop.
4. Check
5. Click the button.
6. Accept any security warnings from your browser.
7. Check
8. Push the Start button.
9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
10. When the scan completes, push
11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
12. Push the button.
13. Push

NOTE: If no malware is found there will be no option to export the text file as no log will be produced. Let me know if this is the case.

I did as told


COMBOFIX:

ComboFix 10-04-06.05 - Administrator 04/07/2010 20:38:51.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.766.319 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\comfix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\TEMP\cdox.tmp\svchost.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EXPLORES
-------\Service_explores


((((((((((((((((((((((((( Files Created from 2010-03-08 to 2010-04-08 )))))))))))))))))))))))))))))))
.

2010-04-07 05:34 . 2010-04-07 05:34 -------- d-----w- c:\windows\system32\custom matrices
2010-04-07 05:33 . 2010-04-07 05:35 -------- d-----w- c:\windows\system32\C2MP
2010-04-07 05:33 . 2010-04-07 05:33 -------- d-----w- c:\windows\system32\QuickTime
2010-04-07 02:35 . 2010-04-07 05:45 0 ------w- C:\h.zip
2010-04-04 15:54 . 2010-04-04 15:54 -------- d-----w- c:\program files\EDIROL
2010-04-01 04:17 . 2010-04-01 04:17 -------- d-----w- c:\program files\Trend Micro
2010-03-31 03:24 . 2010-04-01 04:07 -------- d-----w- c:\program files\Windows Live Safety Center
2010-03-12 00:48 . 2009-10-23 14:27 3555328 -c----w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-04 15:54 . 2009-08-03 15:22 -------- d-----w- c:\program files\VstPlugins
2010-03-18 23:05 . 2001-08-23 12:00 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-17 00:29 . 2010-02-14 22:39 16 ----a-w- c:\windows\msocreg32.dat
2010-03-13 23:49 . 2009-08-03 17:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-11 12:38 . 2001-08-23 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2009-08-03 01:49 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2001-08-23 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-07 03:43 . 2010-02-26 11:42 -------- d-----w- c:\program files\Image-Line
2010-03-07 03:41 . 2010-02-22 01:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\GlarySoft
2010-03-05 01:32 . 2010-03-05 01:32 56532 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-05 00:32 . 2009-08-11 00:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-03-05 00:11 . 2010-03-05 00:06 -------- d-----w- c:\program files\iTunes
2010-03-05 00:11 . 2010-03-05 00:06 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-03-05 00:09 . 2010-03-05 00:09 -------- d-----w- c:\program files\iPod
2010-03-05 00:08 . 2009-08-11 00:37 -------- d-----w- c:\program files\Common Files\Apple
2010-03-04 23:50 . 2010-03-04 23:48 -------- d-----w- c:\program files\QuickTime
2010-03-04 23:21 . 2010-03-04 23:21 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-03-03 00:05 . 2009-08-03 02:24 69232 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-01 00:32 . 2010-02-08 00:02 50354 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\uninstall.exe
2010-03-01 00:29 . 2010-02-08 00:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Facebook
2010-02-27 07:57 . 2009-08-03 17:53 -------- d-----w- c:\program files\Microsoft Works
2010-02-27 00:49 . 2010-02-27 00:49 -------- d-----w- c:\program files\FileASSASSIN
2010-02-26 23:26 . 2009-08-06 06:56 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-02-26 06:41 . 2010-02-26 06:41 847040 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\axfbootloader.dll
2010-02-26 06:41 . 2010-02-26 06:41 5582848 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-02-22 02:57 . 2010-02-22 02:57 -------- d-----w- c:\program files\Aida
2010-02-22 01:55 . 2009-08-22 12:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Unity
2010-02-22 01:55 . 2009-08-22 11:28 -------- d-----w- c:\program files\Unity
2010-02-22 00:10 . 2010-02-22 00:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\Uniblue
2010-02-21 13:06 . 2009-10-14 00:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-20 23:42 . 2009-08-03 15:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
2010-02-14 22:27 . 2009-08-03 03:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-14 22:27 . 2010-02-14 22:27 -------- d-----w- c:\program files\IK Multimedia
2010-02-10 00:34 . 2009-08-03 15:02 -------- d-----w- c:\program files\Dell
2010-02-04 14:01 . 2010-02-21 14:35 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-02-04 14:01 . 2010-02-21 14:35 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-02-04 14:01 . 2010-02-21 14:35 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-02-04 14:01 . 2010-02-21 14:35 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\npfbplugin_1_0_1.dll
2010-01-13 14:57 . 2010-01-13 14:57 2157 ----a-w- c:\documents and settings\Administrator\Application Data\.purple\certificates\x509\tls_peers\omega.contacts.msn.com
2010-01-13 14:28 . 2010-01-13 14:28 2165 ----a-w- c:\documents and settings\Administrator\Application Data\.purple\certificates\x509\tls_peers\rsi.hotmail.com
2010-01-13 14:27 . 2010-01-13 14:27 2095 ----a-w- c:\documents and settings\Administrator\Application Data\.purple\certificates\x509\tls_peers\login.live.com
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OneNote Table Of Contents.onetoc2 [2009-12-7 3656]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
short.zip [2010-4-7 0]
Windows Defender.lnk - c:\plugins\Server.jar [2010-2-28 448750]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-29 01:25 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HotKeysCmds"=c:\windows\system32\hkcmd.exe
"IgfxTray"=c:\windows\system32\igfxtray.exe
"snpstd3"=c:\windows\vsnpstd3.exe
"lxdwmon.exe"="c:\program files\Lexmark 7600 Series\lxdwmon.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\WINDOWS\\system32\\lxdwcoms.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/6/2009 2:57 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/6/2009 2:57 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/6/2009 7:42 PM 297752]
R2 lxdw_device;lxdw_device;c:\windows\system32\lxdwcoms.exe -service --> c:\windows\system32\lxdwcoms.exe -service [?]
S2 lxdwCATSCustConnectService;lxdwCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdwserv.exe [9/20/2009 10:54 AM 98984]
.
Contents of the 'Scheduled Tasks' folder

2009-12-29 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-08-28 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.pr/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7o8duowg.default\
FF - plugin: c:\documents and settings\Administrator\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - truec:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-07 20:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2708)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxdwcoms.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Java\jre6\bin\javaw.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-04-07 21:04:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-08 01:04
ComboFix2.txt 2010-04-07 04:23

Pre-Run: 1,232,523,264 bytes free
Post-Run: 1,217,609,728 bytes free

- - End Of File - - E0704497514571F8A52C12E4860DED22
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

MALWAREBITES


Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3967

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

4/7/2010 11:30:45 PM
mbam-log-2010-04-07 (23-30-45).txt

Scan type: Full scan (C:\|)
Objects scanned: 157424
Time elapsed: 2 hour(s), 11 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator\My Documents\LimeWire\Saved\Sonic.Reality.Sonik.Synth.2.VSTi.DXi.RTAS.AU.iSO-SPiRiT\ikssynkg.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Image-Line\FL Studio 9\FL.exe (Hoax.BadJoke) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\19698511-55c8-f003-2225-1865c63cf31a.exe (Adware.AdRotator) -> Quarantined and deleted successfully.
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

ESET

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws1.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFraudLoadedt.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinZBot.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.UI trojan cleaned - quarantined
C:\System Volume Information\_restore{7B1E1AAA-9E6E-48FF-BFA3-300D2D09A4DC}\RP13\A0016742.bat BAT/KillAV.NBD trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7B1E1AAA-9E6E-48FF-BFA3-300D2D09A4DC}\RP13\A0016743.bat BAT/KillAV.NBD trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7B1E1AAA-9E6E-48FF-BFA3-300D2D09A4DC}\RP13\A0016744.bat BAT/KillWin.NBF trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7B1E1AAA-9E6E-48FF-BFA3-300D2D09A4DC}\RP13\A0016748.bat BAT/KillFiles.NCJ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7B1E1AAA-9E6E-48FF-BFA3-300D2D09A4DC}\RP13\A0016753.bat BAT/CDEject.C trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7B1E1AAA-9E6E-48FF-BFA3-300D2D09A4DC}\RP13\A0016759.bat BAT/Netstop.NAB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7B1E1AAA-9E6E-48FF-BFA3-300D2D09A4DC}\RP13\A0016761.bat BAT/Disabler.NAD trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7B1E1AAA-9E6E-48FF-BFA3-300D2D09A4DC}\RP13\A0016764.bat BAT/KeyboardDisable.C trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7B1E1AAA-9E6E-48FF-BFA3-300D2D09A4DC}\RP13\A0016765.bat BAT/KeyboardDisable.C trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7B1E1AAA-9E6E-48FF-BFA3-300D2D09A4DC}\RP13\A0016766.bat BAT/MouseDisable.AD trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7B1E1AAA-9E6E-48FF-BFA3-300D2D09A4DC}\RP13\A0016767.bat BAT/MouseDisable.AD trojan cleaned by deleting - quarantined

Why there is not a single antivirus that can treat all this viruses and trojans and malwares at once??? Whithout people like you this would be imposible to fix. Thanks you again...Let me know the next step....

There will never be one antivirus that kills everything. That is why we need to use a mixed approach.

Combofix has removed the bad driver and MBAM and ESET have deleted both the remaining rubbish and some of the malware that was sitting in Spybot's and Combofix's quarantine as well as some other stuff.

The PC looks good. How is it performing?

Is performing great! Before this the hard disk was constantly working. Now everything seams normal to me. Now I will do a disk defragment. What combination of antivirus softwareswould you recomend to run ina frecuent basis?

THanks you for all your help! I really apreciate it.... i was about to re-format this lap-top but now everything is doing well! THnask again!

Great news

Just need to clear up and you'll find some info about the best combination of security products below too.


You're clean. Good stuff!

Let's do some clearing up

Uninstall ComboFix

Remove Combofix now that we're done with it.

• Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
• Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
• Please follow the prompts to uninstall Combofix.
• You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

This will uninstall Combofix and anything associated with it.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.

• Download OTC by OldTimer and save it to your desktop.
• Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
• Then Click the big button.
• You will get a prompt saying "Being Cleanup Process". Please select Yes.
• Restart your computer when prompted.

------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the programs virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version. or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it josrios, happy surfing!

Cheers.

m0le

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.