
1 Re: bds small on Tue Feb 23, 2010 11:15 pm

newmin


Member
Hi... I am another user. I also have the same infection and was alerted by Avira... I ran ComboFix and here is what my ComboFix.txt says... Please help... Thanks.

ComboFix 10-02-23.03 - The 02/24/2010 4:01.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.241 [GMT 0]
Running from: c:\documents and settings\The\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\docume~1\THE~1\LOCALS~1\Temp\cvasds0.dll
c:\documents and settings\The\Application Data\avdrn.dat
c:\documents and settings\The\Start Menu\Programs\Startup\siszyd32.exe
c:\windows\system32\drivers\saishci.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_saishci
-------\Service_saishci


((((((((((((((((((((((((( Files Created from 2010-01-24 to 2010-02-24 )))))))))))))))))))))))))))))))
.

2010-02-22 09:50 . 2010-02-22 09:50 -------- d-----w- c:\documents and settings\The\Local Settings\Application Data\Apple Computer
2010-02-20 15:24 . 2010-02-20 15:24 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-02-20 15:23 . 2010-02-20 15:23 -------- d-----w- c:\program files\NCH Swift Sound
2010-02-09 00:20 . 2010-02-09 00:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-02-09 00:15 . 2010-02-09 00:15 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-02-05 10:39 . 2010-02-05 10:39 251376 ----a-w- c:\documents and settings\The\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-02-01 09:00 . 2008-05-02 10:41 3493888 ---ha-w- c:\documents and settings\The\Application Data\U3\temp\Launchpad Removal.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-24 04:00 . 2009-12-24 10:37 79488 ----a-w- c:\documents and settings\The\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-21 17:25 . 2008-11-08 10:23 -------- d-----w- c:\documents and settings\The\Application Data\Skype
2010-02-21 16:41 . 2008-11-08 10:24 -------- d-----w- c:\documents and settings\The\Application Data\skypePM
2010-02-14 14:20 . 2008-11-06 12:48 18080 ----a-w- c:\documents and settings\The\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-09 00:15 . 2008-11-07 08:47 -------- d-----w- c:\program files\Google
2010-02-01 09:11 . 2008-11-08 18:25 -------- d-----w- c:\documents and settings\The\Application Data\U3
2010-01-12 12:55 . 2010-01-12 12:55 16 ----a-w- c:\documents and settings\NetworkService\Application Data\fvgqad.dat
2010-01-08 21:44 . 2010-01-08 21:44 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-01-05 10:05 . 2010-01-05 10:05 16 ----a-w- c:\documents and settings\Default User\Application Data\fvgqad.dat
2010-01-05 02:46 . 2010-01-05 02:46 -------- d-----w- c:\program files\MSXML 4.0
2010-01-05 01:42 . 2010-01-05 01:42 16 ----a-w- c:\documents and settings\The\Application Data\fvgqad.dat
2010-01-04 04:31 . 2009-12-27 18:16 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-02 23:29 . 2008-11-06 12:56 -------- d-----w- c:\program files\Avira
2009-12-31 15:06 . 2006-01-13 01:49 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-27 18:16 . 2009-12-27 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-12-27 18:05 . 2008-11-11 12:47 -------- d-----w- c:\documents and settings\All Users\Application Data\OrbNetworks
2009-12-27 18:05 . 2008-11-11 12:47 -------- d-----w- c:\program files\Winamp Remote
2009-12-27 18:03 . 2008-11-11 12:46 -------- d-----w- c:\program files\Winamp
2009-12-22 05:35 . 2006-01-13 01:26 668672 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:35 . 2006-01-13 01:55 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-16 12:58 . 2008-11-06 20:23 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2006-01-13 01:13 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-04 13:37 . 2006-01-13 01:47 456832 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:04 . 2006-01-13 01:36 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:04 . 2006-01-06 15:53 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:37 . 2006-01-13 01:47 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:37 . 2006-01-13 01:39 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:37 . 2006-01-13 01:10 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:37 . 2006-01-06 15:53 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:37 . 2006-01-06 15:53 8704 ----a-w- c:\windows\system32\tsbyuv.dll
.

------- Sigcheck -------

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
[-] 2006-01-13 . 2DEACA71A7FD77205F59D48D76B2F565 . 1075200 . . [6.00.2900.2649] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2008-07-16 1266992]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2005-12-14 7095344]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-10 68856]
"Google Update"="c:\documents and settings\The\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-12 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-08-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-08-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-08-24 114688]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-07 136600]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnsc"="c:\windows\system32\msnsc.exe" [2006-01-13 62054]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2006-01-13 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Documents and Settings\\The\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\The\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/27/2009 6:16 PM 108289]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/9/2010 12:15 AM 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-02-20 c:\windows\Tasks\expressburnSevenDays.job
- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2010-02-20 16:15]

2010-02-20 c:\windows\Tasks\expressburnSevenDaysInit.job
- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2010-02-20 16:15]

2010-02-23 c:\windows\Tasks\expressburnShakeIcon.job
- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2010-02-20 16:15]

2010-02-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-09 00:15]

2010-02-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-09 00:15]

2010-02-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-1547161642-725345543-1003Core.job
- c:\documents and settings\The\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-12 14:21]

2010-02-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-1547161642-725345543-1003UA.job
- c:\documents and settings\The\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-12 14:21]

2010-02-24 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-01-08 22:18]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\The\Application Data\Mozilla\Firefox\Profiles\bkk79tx6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-flv&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-flv&p=
FF - component: c:\documents and settings\The\Application Data\Mozilla\Firefox\Profiles\bkk79tx6.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - plugin: c:\documents and settings\The\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\The\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-24 04:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-02-24 04:07:53
ComboFix-quarantined-files.txt 2010-02-24 04:07

Pre-Run: 18,369,077,248 bytes free
Post-Run: 18,331,672,576 bytes free

- - End Of File - - EB1F876066CD2FBA5D80C032C2396D2A

2 Re: bds small on Tue Feb 23, 2010 11:46 pm

DragonMaster Jay


Site Owner
I split the post into a new topic, to avoid confusion.

We need to do some diagnostics to get started.

1. Please download Rooter and Save it to your desktop
  • Double click it to start the tool.
  • Click Scan.
  • Eventually, a Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply.

2. Download LockSearch to your desktop
  • A window will pop up, Press 2 and then Enter. A scan will start, let it run uninterrupted. It should only take a few minutes.
  • A log will appear when it is finished; it will also be saved in the same location as LockSearch, which should be on your desktop. Post the contents of the log in your reply.

3. Please download CKScanner by askey127 from here
Save it to your desktop.
  • Doubleclick CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

4. Please download Cheetah-Anti-Rogue, and save to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.zip, and extract the file to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.cmd to start.
  • It will finish quickly and launch a log.
  • Post the contents of it in your next reply.

5. I request the following logs to be posted in your next reply, please:
-Rooter
-LockSearch
-CKScanner
-Cheetah

Thanks. Smile


..........................................................
DragonMaster Jay
Administrative Director SecuraGeek Association
Advanced Malware Analysts Group Owner



3 Re: bds small on Wed Feb 24, 2010 12:28 am

newmin


Member
Thanks for your reply. Here are the logs you have asked to post.

============
Rooter
============
Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP . (5.1.2600) Service Pack 2
[32_bits] - x86 Family 6 Model 9 Stepping 5, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
.
Internet Explorer 6.0.2900.2180
.
C:\ [Fixed-NTFS] .. ( Total:29 Go - Free:17 Go )
D:\ [Fixed-NTFS] .. ( Total:45 Go - Free:21 Go )
E:\ [CD_Rom]
.
Scan : 05:08.21
Path : C:\Documents and Settings\The\Desktop\Rooter.exe
User : The( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (780)
______ \??\C:\WINDOWS\system32\csrss.exe (852)
______ \??\C:\WINDOWS\system32\winlogon.exe (876)
______ C:\WINDOWS\system32\services.exe (924)
______ C:\WINDOWS\system32\lsass.exe (936)
______ C:\WINDOWS\system32\svchost.exe (1112)
______ C:\WINDOWS\system32\svchost.exe (1176)
______ C:\WINDOWS\System32\svchost.exe (1320)
______ C:\WINDOWS\system32\svchost.exe (1388)
______ C:\WINDOWS\system32\svchost.exe (1596)
______ C:\WINDOWS\Explorer.EXE (1920)
______ C:\WINDOWS\system32\spoolsv.exe (204)
______ C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe (232)
______ C:\Program Files\Avira\AntiVir Desktop\sched.exe (244)
______ C:\WINDOWS\system32\svchost.exe (364)
______ C:\WINDOWS\system32\igfxtray.exe (456)
______ C:\WINDOWS\system32\hkcmd.exe (468)
______ C:\WINDOWS\system32\igfxpers.exe (480)
______ C:\Program Files\Google\Google Talk\googletalk.exe (492)
______ C:\Program Files\Java\jre6\bin\jusched.exe (500)
______ C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe (508)
______ C:\Program Files\Logitech\QuickCam\Quickcam.exe (524)
______ C:\Program Files\Winamp\winampa.exe (564)
______ C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (572)
______ C:\Program Files\MSN Messenger\MsnMsgr.Exe (588)
______ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (604)
______ C:\Program Files\Avira\AntiVir Desktop\avguard.exe (1840)
______ C:\Program Files\Java\jre6\bin\jqs.exe (1924)
______ C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe (1972)
______ C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (1004)
______ C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe (1060)
______ C:\WINDOWS\system32\svchost.exe (1280)
______ C:\WINDOWS\system32\wdfmgr.exe (1560)
______ C:\WINDOWS\System32\alg.exe (2920)
______ C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe (3352)
______ C:\WINDOWS\system32\wuauclt.exe (3836)
______ C:\Program Files\Java\jre6\bin\jucheck.exe (1160)
______ C:\Documents and Settings\The\Desktop\Rooter.exe (3700)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:31453438464)
\Device\Harddisk0\Partition0 (Start_Offset:31453470720 | Length:48562053120)
\Device\Harddisk0\Partition2 (Start_Offset:31453502976 | Length:48562020864)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\expressburnSevenDays.job
C:\WINDOWS\Tasks\expressburnSevenDaysInit.job
C:\WINDOWS\Tasks\expressburnShakeIcon.job
C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-1547161642-725345543-1003Core.job
C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-1547161642-725345543-1003UA.job
C:\WINDOWS\Tasks\SA.DAT
C:\WINDOWS\Tasks\WGASetup.job
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 05:08.35
.
C:\Rooter$\Rooter_1.txt - (24/02/2010 | 05:08.35)


===========
LockSearch
===========
LockSearch by jpshortstuff (05.11.09.1)
Log created at 05:11 on 24/02/2010 (The)
Scanning C:\


C:\hiberfil.sys
-------------------------


C:\pagefile.sys
-------------------------


C:\WINDOWS\explorer.exe
-------------------------
C:\WINDOWS\explorer.exe [Unable to get md5 : 1075200 bytes]
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe [12896823FB95BFB3DC9B46BCAEDC9923 : 1033728 bytes]


C:\WINDOWS\system32\cmdow.exe
-------------------------
C:\WINDOWS\system32\cmdow.exe [Unable to get md5 : 31232 bytes]

-=E.O.F=-

====================
CKScanner
====================
CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11
----- EOF -----

==================
Cheetah
==================
Cheetah-Anti-Rogue v1.3.11
by DragonMaster Jay

Microsoft Windows XP [Version 5.1.2600]
Date: 02/24/2010 - Time: 5:27:08 - Arch.: x86


-- Malware removal tools check --
Unlocker


-- Known infection --



Extra message: Detection only.


EOF

4 Re: bds small on Wed Feb 24, 2010 8:53 am

DragonMaster Jay


Site Owner
Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
  • Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.



5 Re: bds small on Thu Feb 25, 2010 7:22 pm

newmin


Member
Here is the log. Thanks.


ComboFix 10-02-23.03 - The 02/26/2010 0:12.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.283 [GMT 0]
Running from: c:\documents and settings\The\desktop\commy.exe
Command switches used :: /stepdel
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2010-01-26 to 2010-02-26 )))))))))))))))))))))))))))))))
.

2010-02-24 05:08 . 2010-02-24 05:08 -------- d-----w- C:\Rooter$
2010-02-22 09:50 . 2010-02-22 09:50 -------- d-----w- c:\documents and settings\The\Local Settings\Application Data\Apple Computer
2010-02-20 15:24 . 2010-02-20 15:24 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-02-20 15:23 . 2010-02-20 15:23 -------- d-----w- c:\program files\NCH Swift Sound
2010-02-09 00:20 . 2010-02-09 00:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-02-09 00:15 . 2010-02-09 00:15 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-02-05 10:39 . 2010-02-05 10:39 251376 ----a-w- c:\documents and settings\The\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-02-01 09:00 . 2008-05-02 10:41 3493888 ---ha-w- c:\documents and settings\The\Application Data\U3\temp\Launchpad Removal.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-25 23:52 . 2009-12-24 10:37 79488 ----a-w- c:\documents and settings\The\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-21 17:25 . 2008-11-08 10:23 -------- d-----w- c:\documents and settings\The\Application Data\Skype
2010-02-21 16:41 . 2008-11-08 10:24 -------- d-----w- c:\documents and settings\The\Application Data\skypePM
2010-02-14 14:20 . 2008-11-06 12:48 18080 ----a-w- c:\documents and settings\The\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-09 00:15 . 2008-11-07 08:47 -------- d-----w- c:\program files\Google
2010-02-01 09:11 . 2008-11-08 18:25 -------- d-----w- c:\documents and settings\The\Application Data\U3
2010-01-12 12:55 . 2010-01-12 12:55 16 ----a-w- c:\documents and settings\NetworkService\Application Data\fvgqad.dat
2010-01-08 21:44 . 2010-01-08 21:44 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-01-05 10:05 . 2010-01-05 10:05 16 ----a-w- c:\documents and settings\Default User\Application Data\fvgqad.dat
2010-01-05 02:46 . 2010-01-05 02:46 -------- d-----w- c:\program files\MSXML 4.0
2010-01-05 01:42 . 2010-01-05 01:42 16 ----a-w- c:\documents and settings\The\Application Data\fvgqad.dat
2010-01-04 04:31 . 2009-12-27 18:16 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-02 23:29 . 2008-11-06 12:56 -------- d-----w- c:\program files\Avira
2009-12-31 15:06 . 2006-01-13 01:49 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:35 . 2006-01-13 01:26 668672 ------w- c:\windows\system32\wininet.dll
2009-12-22 05:35 . 2006-01-13 01:55 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-16 12:58 . 2008-11-06 20:23 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2006-01-13 01:13 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-04 13:37 . 2006-01-13 01:47 456832 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

------- Sigcheck -------

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
[-] 2006-01-13 . 2DEACA71A7FD77205F59D48D76B2F565 . 1075200 . . [6.00.2900.2649] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-02-24_04.06.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-25 23:46 . 2010-02-25 23:46 16384 c:\windows\Temp\Perflib_Perfdata_788.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2008-07-16 1266992]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2005-12-14 7095344]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-10 68856]
"Google Update"="c:\documents and settings\The\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-12 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-08-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-08-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-08-24 114688]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-07 136600]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnsc"="c:\windows\system32\msnsc.exe" [2006-01-13 62054]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2006-01-13 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Documents and Settings\\The\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\The\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/27/2009 6:16 PM 108289]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/9/2010 12:15 AM 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-02-20 c:\windows\Tasks\expressburnSevenDays.job
- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2010-02-20 16:15]

2010-02-20 c:\windows\Tasks\expressburnSevenDaysInit.job
- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2010-02-20 16:15]

2010-02-23 c:\windows\Tasks\expressburnShakeIcon.job
- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2010-02-20 16:15]

2010-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-09 00:15]

2010-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-09 00:15]

2010-02-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-1547161642-725345543-1003Core.job
- c:\documents and settings\The\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-12 14:21]

2010-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-1547161642-725345543-1003UA.job
- c:\documents and settings\The\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-12 14:21]

2010-02-25 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-01-08 22:18]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\The\Application Data\Mozilla\Firefox\Profiles\bkk79tx6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-flv&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-flv&p=
FF - component: c:\documents and settings\The\Application Data\Mozilla\Firefox\Profiles\bkk79tx6.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - plugin: c:\documents and settings\The\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-26 00:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
-------------------- DLLs Loaded Under Running Processes --------------------

> 'explorer.exe'(2912)
c:\windows\system32\browselc.dll
.
Completion time: 2010-02-26 00:18:38
ComboFix-quarantined-files.txt 2010-02-26 00:18
ComboFix2.txt 2010-02-24 04:07

Pre-Run: 18,312,613,888 bytes free
Post-Run: 18,283,102,208 bytes free

- - End Of File - - CC03BBE1A930654047D5744C49C638C6

6 Re: bds small on Thu Feb 25, 2010 7:35 pm

DragonMaster Jay


Site Owner
Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    killall::

    FCopy::
    c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe | c:\windows\explorer.exe

    File::
    c:\documents and settings\Default User\Application Data\fvgqad.dat
    c:\documents and settings\NetworkService\Application Data\fvgqad.dat

    Registry::
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nlsf"=-

    NoOrphans::

    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


====

Please download RootRepeal from GooglePages.com.

  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.


  • Select ALL of the checkboxes and then click OK and it will start scanning your system.

  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.

Please remove any e-mail address in the RootRepeal report (if present).

========

Please make sure the ComboFix and RootRepeal logs are posted in your next reply.


..........................................................
DragonMaster Jay
Administrative Director SecuraGeek Association
Advanced Malware Analysts Group Owner


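A dry-run reader for the CFScript format used in the post above, as an added example that is neither part of the post nor ComboFix's own code: it parses the posted script and lists what each section would do, so the kill, copy, delete and registry actions can be reviewed before the file is dragged onto ComboFix.exe. The section names and per-line syntax are assumed from the script in the post; the `"name"=-` convention is the standard REG-file meaning of "delete this value".

```python
"""Dry-run parser for a ComboFix CFScript (added example, not ComboFix code)."""
import re

# Constructed sample input: the CFScript from the post above, reproduced verbatim.
SAMPLE_CFSCRIPT = r"""killall::

FCopy::
c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe | c:\windows\explorer.exe

File::
c:\documents and settings\Default User\Application Data\fvgqad.dat
c:\documents and settings\NetworkService\Application Data\fvgqad.dat

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"=-

NoOrphans::

Reboot::
"""

# Assumed from the post: these sections take no entries, the rest take one per line.
FLAG_SECTIONS = {"killall", "NoOrphans", "Reboot"}
LIST_SECTIONS = {"FCopy", "File", "Registry"}
REG_VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')   # "name"=value  ("-" means delete)


def parse_cfscript(text):
    """Return (actions, problems).

    actions["flags"] is the set of bare sections present; "FCopy" holds
    (source, destination) pairs; "File" holds paths to delete; "Registry" holds
    (key, value_name, new_value_or_'delete') tuples. problems lists lines that
    do not fit the format, so a malformed script is caught before it is used."""
    actions = {"flags": set(), "FCopy": [], "File": [], "Registry": []}
    problems = []
    section, reg_key = None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):                       # section header
            section, reg_key = line[:-2], None
            if section in FLAG_SECTIONS:
                actions["flags"].add(section)
            elif section not in LIST_SECTIONS:
                problems.append(f"line {lineno}: unknown section '{section}::'")
                section = None
            continue
        if section is None:
            problems.append(f"line {lineno}: entry outside any known section")
        elif section in FLAG_SECTIONS:
            problems.append(f"line {lineno}: '{section}::' takes no entries")
        elif section == "FCopy":                      # source | destination
            parts = [p.strip() for p in line.split("|")]
            if len(parts) != 2 or not all(parts):
                problems.append(f"line {lineno}: FCopy needs 'source | destination'")
            else:
                actions["FCopy"].append((parts[0], parts[1]))
        elif section == "File":
            actions["File"].append(line)
        elif line.startswith("[") and line.endswith("]"):   # Registry key header
            reg_key = line[1:-1]
        elif reg_key is None:
            problems.append(f"line {lineno}: registry value before any [key]")
        else:
            m = REG_VALUE_RE.match(line)
            if not m:
                problems.append(f"line {lineno}: unparsable registry line")
            else:
                name, value = m.groups()
                actions["Registry"].append((reg_key, name, "delete" if value == "-" else value))
    return actions, problems


if __name__ == "__main__":
    acts, probs = parse_cfscript(SAMPLE_CFSCRIPT)
    for src, dst in acts["FCopy"]:
        print(f"copy   {src} -> {dst}")
    for path in acts["File"]:
        print(f"delete {path}")
    for key, name, val in acts["Registry"]:
        print(f"reg    {key} : {name} = {val}")
    print("flags:", sorted(acts["flags"]), "| problems:", probs or "none")
```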

7 Re: bds small on Fri Feb 26, 2010 3:10 am

newmin


Member
Member
Sorry, but trying to run CFScript gives an error message. When I clicked OK, ComboFix shut down and I cannot go ahead from there anymore.

Here is the error message screenshot

8 Re: bds small on Fri Feb 26, 2010 8:58 am

DragonMaster Jay


Site Owner
Site Owner
Did you run it as CFScript.txt?

As long as you have the extension on the end, it should work.

Please try again.



9 Re: bds small on Sun Feb 28, 2010 9:43 am

newmin


Member
Member
Thanks. It works now. Here is the log.

ComboFix 10-02-23.03 - The 02/28/2010 14:21:46.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.233 [GMT 0:00]
Running from: c:\documents and settings\The\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\The\Desktop\CFscript.txt.txt
AV: AntiVir Desktop On-access scanning enabled (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\documents and settings\Default User\Application Data\fvgqad.dat"
"c:\documents and settings\NetworkService\Application Data\fvgqad.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Default User\Application Data\fvgqad.dat
c:\documents and settings\NetworkService\Application Data\fvgqad.dat

.
--------------- FCopy ---------------

c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe --> c:\windows\explorer.exe
.
((((((((((((((((((((((((( Files Created from 2010-01-28 to 2010-02-28 )))))))))))))))))))))))))))))))
.

2010-02-26 00:10 . 2010-02-26 00:18 -------- d-----w- C:\Commy
2010-02-24 05:08 . 2010-02-24 05:08 -------- d-----w- C:\Rooter$
2010-02-22 09:50 . 2010-02-22 09:50 -------- d-----w- c:\documents and settings\The\Local Settings\Application Data\Apple Computer
2010-02-20 15:24 . 2010-02-20 15:24 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-02-20 15:23 . 2010-02-20 15:23 -------- d-----w- c:\program files\NCH Swift Sound
2010-02-09 00:20 . 2010-02-09 00:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-02-09 00:15 . 2010-02-09 00:15 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-02-05 10:39 . 2010-02-05 10:39 251376 ----a-w- c:\documents and settings\The\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-02-01 09:00 . 2008-05-02 10:41 3493888 ---ha-w- c:\documents and settings\The\Application Data\U3\temp\Launchpad Removal.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-28 06:39 . 2009-12-24 10:37 79488 ----a-w- c:\documents and settings\The\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-21 17:25 . 2008-11-08 10:23 -------- d-----w- c:\documents and settings\The\Application Data\Skype
2010-02-21 16:41 . 2008-11-08 10:24 -------- d-----w- c:\documents and settings\The\Application Data\skypePM
2010-02-14 14:20 . 2008-11-06 12:48 18080 ----a-w- c:\documents and settings\The\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-09 00:15 . 2008-11-07 08:47 -------- d-----w- c:\program files\Google
2010-02-01 09:11 . 2008-11-08 18:25 -------- d-----w- c:\documents and settings\The\Application Data\U3
2010-01-08 21:44 . 2010-01-08 21:44 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-01-05 02:46 . 2010-01-05 02:46 -------- d-----w- c:\program files\MSXML 4.0
2010-01-05 01:42 . 2010-01-05 01:42 16 ----a-w- c:\documents and settings\The\Application Data\fvgqad.dat
2010-01-04 04:31 . 2009-12-27 18:16 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-02 23:29 . 2008-11-06 12:56 -------- d-----w- c:\program files\Avira
2009-12-31 15:06 . 2006-01-13 01:49 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:35 . 2006-01-13 01:26 668672 ------w- c:\windows\system32\wininet.dll
2009-12-22 05:35 . 2006-01-13 01:55 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-16 12:58 . 2008-11-06 20:23 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2006-01-13 01:13 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-04 13:37 . 2006-01-13 01:47 456832 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

------- Sigcheck -------

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-02-24_04.06.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-28 14:28 . 2010-02-28 14:28 16384 c:\windows\temp\Perflib_Perfdata_668.dat
+ 2010-02-26 08:20 . 2010-02-26 08:20 22528 c:\windows\Installer\21dd45.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2008-07-16 1266992]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2005-12-14 7095344]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-10 68856]
"Google Update"="c:\documents and settings\The\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-12 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-08-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-08-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-08-24 114688]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-07 136600]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnsc"="c:\windows\system32\msnsc.exe" [2006-01-13 62054]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2006-01-13 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Documents and Settings\\The\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\The\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/27/2009 6:16 PM 108289]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/9/2010 12:15 AM 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-02-20 c:\windows\Tasks\expressburnSevenDaysInit.job
- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2010-02-20 16:15]

2010-02-27 c:\windows\Tasks\expressburnShakeIcon.job
- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2010-02-20 16:15]

2010-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-09 00:15]

2010-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-09 00:15]

2010-02-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-1547161642-725345543-1003Core.job
- c:\documents and settings\The\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-12 14:21]

2010-02-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-1547161642-725345543-1003UA.job
- c:\documents and settings\The\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-12 14:21]

2010-02-28 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-01-08 22:18]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\The\Application Data\Mozilla\Firefox\Profiles\bkk79tx6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-flv&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-flv&p=
FF - component: c:\documents and settings\The\Application Data\Mozilla\Firefox\Profiles\bkk79tx6.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - plugin: c:\documents and settings\The\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\The\Local Settings\Application Data\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-28 14:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(7384)
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-02-28 14:34:10 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-28 14:34
ComboFix2.txt 2010-02-26 00:18
ComboFix3.txt 2010-02-24 04:07

Pre-Run: 18,159,714,304 bytes free
Post-Run: 18,163,109,888 bytes free

- - End Of File - - 2CD9D7BB2CA6AA495AC34F83FA8393F5

=====================
RootRepeal Log
=====================

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/02/28 14:38
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: catchme.sys
Image Path: C:\ComboFix\catchme.sys
Address: 0xF8940000 Size: 31744 File Visible: No Signed: -
Status: -

Name: Combo-Fix.sys
Image Path: Combo-Fix.sys
Address: 0xF85C0000 Size: 60416 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEFB7B000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8A9A000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xF8AD6000 Size: 7872 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEF809000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "" at address 0xf8c33376

#: 053 Function Name: NtCreateThread
Status: Hooked by "" at address 0xf8c3336c

#: 063 Function Name: NtDeleteKey
Status: Hooked by "" at address 0xf8c3337b

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "" at address 0xf8c33385

#: 098 Function Name: NtLoadKey
Status: Hooked by "" at address 0xf8c3338a

#: 122 Function Name: NtOpenProcess
Status: Hooked by "" at address 0xf8c33358

#: 128 Function Name: NtOpenThread
Status: Hooked by "" at address 0xf8c3335d

#: 193 Function Name: NtReplaceKey
Status: Hooked by "" at address 0xf8c33394

#: 204 Function Name: NtRestoreKey
Status: Hooked by "" at address 0xf8c3338f

#: 247 Function Name: NtSetValueKey
Status: Hooked by "" at address 0xf8c33380

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "" at address 0xf8c33367

==EOF==

10 Re: bds small on Sun Feb 28, 2010 10:57 pm

DragonMaster Jay


Site Owner
Site Owner
Now, how is your computer running?



11 Re: bds small on Sun Feb 28, 2010 11:04 pm

newmin


Member
Member
It is good. The pop up message from Avira does not show up anymore. Does it mean it is fixed? Anything else I need to do?

Thanks

12 Re: bds small on Sun Feb 28, 2010 11:58 pm

DragonMaster Jay


Site Owner
Site Owner
Please download Malwarebytes Anti-Malware from Malwarebytes.org.
Alternate link: BleepingComputer.com.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



13 Re: bds small on Tue Mar 02, 2010 10:46 am

newmin


Member
Member
Malwarebytes' Anti-Malware 1.44
Database version: 3813
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

3/2/2010 11:36:42 PM
mbam-log-2010-03-02 (23-36-42).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 175611
Time elapsed: 1 hour(s), 0 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msnsc (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\msnsc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\saishci.sys.vir (HackTool.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{899DB6A9-F886-48E9-84A7-5D3108CF06F3}\RP101\A0013326.sys (HackTool.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{899DB6A9-F886-48E9-84A7-5D3108CF06F3}\RP54\A0004407.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{899DB6A9-F886-48E9-84A7-5D3108CF06F3}\RP54\A0004427.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\The\Application Data\fvgqad.dat (Malware.Trace) -> Quarantined and deleted successfully.

14 Re: bds small on Tue Mar 02, 2010 4:23 pm

DragonMaster Jay


Site Owner
Site Owner
Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.



15 Re: bds small on Wed Mar 03, 2010 10:42 am

newmin


Member
Member
Malwarebytes' Anti-Malware 1.44
Database version: 3818
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

3/3/2010 9:32:19 PM
mbam-log-2010-03-03 (21-32-19).txt

Scan type: Quick Scan
Objects scanned: 113828
Time elapsed: 9 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asyncmac (Trojan.MultipleAV) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\asyncmac.sys (Trojan.MultipleAV) -> Quarantined and deleted successfully.
