Wonderful, thanks for the speedy reply
I installed avast and ran ComboFix. Here is the log:
ComboFix 08-05-01.3 - Abide 2008-05-06 21:21:33.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.247 [GMT -5:00]
Running from: C:\Documents and Settings\Abide\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Abide\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Abide\My Documents\MCROSO~1
C:\Documents and Settings\Abide\My Documents\MCROSO~1\M?crosoft\
C:\Program Files\ecurit~1
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\asembl~1
C:\WINDOWS\cookies.ini
C:\WINDOWS\default.htm
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\drivers\kbdclasss.sys
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\n3
C:\WINDOWS\system32\pcgamylh.dll
C:\WINDOWS\system32\znpqytnd.dll
C:\WINDOWS\wintst32.tmp
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_KBDCLASSS
-------\Legacy_MSSECURITY1.209.4
-------\Service_kbdclasss
((((((((((((((((((((((((( Files Created from 2008-04-07 to 2008-05-07 )))))))))))))))))))))))))))))))
.
2008-05-06 20:22 . 2008-05-06 20:22 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-06 16:28 . 2008-05-06 16:28 <DIR> d-------- C:\Documents and Settings\Abide\Application Data\Snapfish
2008-05-06 16:28 . 2008-05-06 16:28 1,157 --a------ C:\WINDOWS\mozver.dat
2008-05-03 17:56 . 2008-05-03 17:56 <DIR> d-------- C:\VundoFix Backups
2008-05-03 17:41 . 2008-05-03 17:41 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-03 17:17 . 2008-05-06 20:51 1,695 --a------ C:\WINDOWS\system32\clbinit.dll
2008-05-03 17:10 . 2008-05-06 21:19 <DIR> d-------- C:\Documents and Settings\Abide\Application Data\SUPERAntiSpyware.com
2008-04-28 21:53 . 2008-04-28 21:53 <DIR> d-------- C:\WINDOWS\ukor
2008-04-28 21:53 . 2008-04-28 21:57 <DIR> d-------- C:\Program Files\Common Files\ukor
2008-04-28 20:51 . 2008-04-28 20:51 <DIR> d-------- C:\Documents and Settings\Abide\Application Data\Malwarebytes
2008-04-28 20:50 . 2008-04-28 20:50 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-28 20:50 . 2008-04-28 20:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-28 19:42 . 2008-04-28 19:42 <DIR> d-------- C:\Program Files\Svconr
2008-04-28 19:36 . 2008-05-06 21:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-28 19:36 . 2008-04-28 19:36 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-28 19:27 . 2008-05-06 20:32 <DIR> d-------- C:\Program Files\RcvSystem
2008-04-28 19:27 . 2008-04-28 21:42 109,783 --a------ C:\WINDOWS\BM9b5dde77.xml
2008-04-26 14:36 . 2008-04-26 14:36 15,086 --a------ C:\WINDOWS\system32\FreePokerBonus.ico
2008-04-26 14:36 . 2008-04-26 14:36 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-04-26 14:36 . 2008-04-26 14:36 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUK.ico
2008-04-26 14:36 . 2008-04-26 14:36 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconFR.ico
2008-04-26 14:24 . 2008-05-03 16:55 1,695 --a------ C:\WINDOWS\system32\clbcfg.dat
2008-04-26 14:14 . 2008-04-28 22:35 <DIR> d-------- C:\WINDOWS\system32\wTMP
2008-04-26 14:14 . 2008-04-26 14:14 <DIR> d-------- C:\WINDOWS\system32\pnVes06
2008-04-26 14:14 . 2008-05-06 20:47 <DIR> d--hs---- C:\WINDOWS\QWJpZGU
2008-04-26 14:14 . 2008-04-26 14:14 <DIR> d-------- C:\Temp\zvebs14
2008-04-26 14:14 . 2008-04-26 14:14 <DIR> d-------- C:\Temp\kvebs14
2008-04-26 14:14 . 2008-05-06 21:21 <DIR> d-------- C:\Temp
2008-04-26 14:14 . 2008-04-26 14:14 400,512 --a------ C:\WINDOWS\system32\g40.exe
2008-04-26 14:14 . 2008-05-03 17:26 167,545 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-04-26 14:14 . 2006-02-28 07:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-04-26 14:14 . 2008-04-28 19:27 578 --a------ C:\WINDOWS\index.html
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-07 02:19 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-05-06 23:06 --------- d-----w C:\Program Files\PokerStars
2008-03-27 20:09 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-27 20:09 --------- d-----w C:\Documents and Settings\Abide\Application Data\ArcSoft
2008-03-27 20:09 --------- d-----w C:\Documents and Settings\Abide\Application Data\AdobeUM
2008-03-27 20:07 --------- d-----w C:\Program Files\Sanyo
2008-03-27 20:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-27 20:02 --------- d-----w C:\Program Files\ArcSoft
2008-03-27 19:59 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-25 18:27 --------- d-----w C:\Documents and Settings\Abide\Application Data\Apple Computer
2008-03-24 18:36 --------- d-----w C:\Program Files\AIM
2008-03-22 17:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-16 22:14 --------- d-----w C:\Program Files\Viewpoint
2008-03-10 21:56 --------- d-----w C:\Program Files\AOD
2008-03-10 21:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-10 21:56 --------- d-----w C:\Documents and Settings\Abide\Application Data\Aim
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{afc6c444-ed8a-4a56-b1ae-ac19a340de61}]
C:\WINDOWS\system32\cwcwardp.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-16 18:49 68856]
"AIM"="C:\PROGRA~1\AIM\aim.exe" [2006-08-01 15:35 67112]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 07:00 15360]
"Svconr"="C:\Program Files\Svconr\Svconr.exe" [2008-04-28 19:42 57344]
"Wfkpvpn"="C:\WINDOWS\a?sembly\n?lookup.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 16:07 61952 C:\WINDOWS\system32\HDAShCut.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2006-08-30 02:40 89542 C:\WINDOWS\AGRSMMSG.exe]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 14:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 14:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 14:17 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 04:22 267048]
"986eedeb"="C:\WINDOWS\system32\hbakumhj.dll" [ ]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 13:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 13:35]
S3 TPPWRIF;TPPWRIF;C:\WINDOWS\_tpb0000.tmp\TPPWRIF.sys [2006-09-21 05:53]
.
Contents of the 'Scheduled Tasks' folder
"2008-04-26 02:34:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-05-06 21:24:53
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2008-05-06 21:27:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-07 02:27:38
Pre-Run: 67,707,531,264 bytes free
Post-Run: 67,722,096,640 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
170 --- E O F --- 2008-05-06 03:25:42
And here is the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:32:41 PM, on 5/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Svconr\Svconr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Abide\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: {16ed043a-91ca-ea1b-65a4-a8de444c6cfa} - {afc6c444-ed8a-4a56-b1ae-ac19a340de61} - C:\WINDOWS\system32\cwcwardp.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [986eedeb] rundll32.exe "C:\WINDOWS\system32\hbakumhj.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Svconr] C:\Program Files\Svconr\Svconr.exe
O4 - HKCU\..\Run: [Wfkpvpn] C:\WINDOWS\a?sembly\n?lookup.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - http://www-307.ibm.c...pport/acpir.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebo...Uploader4_5.cab
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 6413 bytes