12-06-2008, 08:47 PM   #3
jrice257
Registered User
 
Join Date: Jan 2006
Posts: 6
OS: XP


Re: severe problems with main PC

Got ComboFix to work, and here's the log:

ComboFix 08-12-06.04 - Masta 2008-12-06 21:23:53.1 - NTFSx86
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Masta\Application Data\rhc3usj0ej9n
c:\program files\Common Files\ystem~1
c:\program files\Microsoft Common
c:\program files\Microsoft Common\svchost.exe
c:\windows\smdat32m.sys
c:\windows\system32\bdgdnwwu.ini
c:\windows\system32\drivers\TDSSmact.sys
c:\windows\system32\dwciaumu.dll
c:\windows\system32\ecjghi.dll
c:\windows\system32\efcYsrRH.dll
c:\windows\system32\fcyxuu.dll
c:\windows\system32\ftvktlew.dll
c:\windows\system32\gyxoawck.dll
c:\windows\system32\imoyodpx.ini
c:\windows\system32\ispaemwe.dll
c:\windows\system32\kdgdshrt.dll
c:\windows\system32\lqlqvg.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\MlUDefii.ini
c:\windows\system32\msiconf.exe
c:\windows\system32\nhtndgqe.dll
c:\windows\system32\oagbnpqj.ini
c:\windows\system32\olftbnbu.ini
c:\windows\system32\pmNgefFv.dll
c:\windows\system32\pmnoNEVP.dll
c:\windows\system32\PVENonmp.ini
c:\windows\system32\PVENonmp.ini2
c:\windows\system32\qgtvlpsw.ini
c:\windows\system32\qirsbkiu.dll
c:\windows\system32\rbkoer.dll
c:\windows\system32\rnkletgq.dll
c:\windows\system32\TDSScfum.dll
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSofxh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSrhym.log
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSsihc.dll
c:\windows\system32\TDSStkdv.log
c:\windows\system32\ubnbtflo.dll
c:\windows\system32\ukdjcpou.dll
c:\windows\system32\ukjxhg.dll
c:\windows\system32\uopcjdku.ini
c:\windows\system32\wpv631227968841.cpx
c:\windows\system32\wsplvtgq.dll
c:\windows\system32\xkljpe.dll
c:\windows\system32\xpvxsriy.dll
c:\windows\system32\ycfamhyk.dll
c:\windows\system32\yfpqwl.dll
c:\windows\system32\yfwkit.dll
c:\windows\system32\yirsxvpx.ini
c:\windows\system32\yixoswfw.dll
c:\windows\system32\zbchib.dll
c:\windows\wiaserviv.log
H:\autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-06 20:51 . 2008-12-06 20:52 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-06 20:51 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-06 20:51 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-06 20:08 . 2008-12-06 16:21 3,060,566 --a------ c:\documents and settings\Masta\ComboFix.exe
2008-12-06 17:23 . 2008-12-06 17:23 <DIR> d-------- c:\documents and settings\newuse
2008-12-06 16:41 . 2008-12-06 16:41 1,297 --a------ c:\program files\WinXP_EXE_Fix.reg
2008-12-05 14:47 . 2008-12-05 14:47 111,104 --a------ c:\windows\system32\IEDefender.dll
2008-12-05 14:46 . 2008-12-05 14:47 <DIR> d-------- c:\program files\AV2010
2008-12-05 14:46 . 2008-12-05 14:46 76,824 --a------ c:\windows\system32\wingamma.exe
2008-12-05 01:52 . 2008-12-05 01:52 <DIR> d-------- c:\program files\Panda Security
2008-12-04 17:37 . 2008-12-04 17:37 <DIR> d-------- c:\documents and settings\Masta\Application Data\Malwarebytes
2008-12-04 17:37 . 2008-12-04 17:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-30 20:00 . 2008-11-30 20:00 95 --a------ c:\windows\wininit.ini
2008-11-30 19:13 . 2008-11-30 19:13 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-30 19:13 . 2008-11-30 19:13 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-30 19:13 . 2008-11-30 19:13 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-30 19:12 . 2008-11-30 19:13 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 07:35 --------- d-----w c:\program files\Warcraft III
2008-12-06 02:32 --------- d-----w c:\program files\Diablo II
2008-12-05 08:07 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-05 08:06 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-05 02:35 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-03 23:51 --------- d-----w c:\documents and settings\Masta\Application Data\uTorrent
2008-11-18 21:16 --------- d-----w c:\program files\PokerStars.NET
2008-11-16 20:29 --------- d-----w c:\program files\Lavasoft
2008-11-06 11:24 --------- d-----w c:\documents and settings\Masta\Application Data\Folding@home-x86
2008-11-06 11:22 --------- d-----w c:\program files\Folding@home
2008-11-05 08:43 --------- d-----w c:\program files\mIRC
2008-11-04 02:45 --------- d-----w c:\program files\7-Zip
1996-09-18 19:07 7,564,336 -c--a-w c:\documents and settings\Jeff\L2DEMO.EXE
1996-09-17 16:02 15 -c--a-w c:\documents and settings\Jeff\INSTALL.BAT
2001-08-23 12:00 94,784 -csh--w c:\windows\twain.dll
2004-08-04 05:56 50,688 --sh--w c:\windows\twain_32.dll
2007-05-29 01:08 10,646 --sha-w c:\windows\system32\KGyGaAvL.sys
2004-08-04 05:56 1,028,096 --sh--w c:\windows\system32\mfc42.dll
2004-08-04 05:56 54,784 --sh--w c:\windows\system32\msvcirt.dll
2004-08-04 05:56 413,696 --sh--w c:\windows\system32\msvcp60.dll
2004-08-04 05:56 343,040 --sh--w c:\windows\system32\msvcrt.dll
2004-08-04 05:56 553,472 --sh--w c:\windows\system32\oleaut32.dll
2004-08-04 05:56 83,456 --sh--w c:\windows\system32\olepro32.dll
2004-08-04 05:56 11,776 --sh--w c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 21:34 24576 c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.WMV3"= c:\progra~1\COMBIN~1\Filters\wmv9vcm.dll
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\ff_vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Masta^Start Menu^Programs^Startup^Alienware Dock.lnk]
path=c:\documents and settings\Masta\Start Menu\Programs\Startup\Alienware Dock.lnk
backup=c:\windows\pss\Alienware Dock.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2008-12-05 01:38 6731312 c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2005-08-05 14:08 67160 c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a--c--- 2006-01-02 16:41 45056 c:\program files\ATI Technologies\ATI.ACE\CLI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a--c--- 2004-03-03 11:00 335872 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a--c--- 2006-09-13 09:12 139264 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CXMon]
--a------ 2001-08-09 16:06 45056 c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-18 08:42 133104 c:\documents and settings\Masta\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2006-11-21 19:09 842584 c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-07-10 08:18 270648 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
--a--c--- 2001-11-29 00:00 28672 c:\program files\Creative\SBLive\Program\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 10:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 04:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2006-01-12 14:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-05-16 13:01 13529088 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-16 13:01 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 09:56 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-11-24 14:31 1410296 c:\program files\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2005-11-10 12:03 36975 c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2006-10-13 10:16 185784 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Gamma Display]
--a------ 2008-12-05 14:46 76824 c:\windows\system32\wingamma.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-05-16 13:01 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
--a------ 2002-07-02 16:56 24576 c:\windows\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IDriverT"=3 (0x3)
"ewido security suite guard"=2 (0x2)
"ewido security suite control"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)
"ose"=3 (0x3)
"Autodesk Licensing Service"=3 (0x3)
"NBService"=3 (0x3)
"AVG Anti-Spyware Guard"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"dmadmin"=3 (0x3)
"iPod Service"=3 (0x3)
"NVSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Diablo II\\Diablo II.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\3.6.15\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 ewido security suite driver;ewido security suite driver;\??\c:\program files\ewido anti-malware\guard.sys [2005-12-30 3072]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-06 38496]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\SETUP.EXE
.
Contents of the 'Scheduled Tasks' folder

2008-12-07 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Masta\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-18 08:42]
.
- - - - ORPHANS REMOVED - - - -

BHO-{C1A45ED4-D098-4147-8E76-BFDDB4722054} - c:\windows\system32\iifeDUlM.dll
BHO-{F7472C8C-BD20-49CD-9D2E-47A19E57A808} - c:\windows\system32\pmnoNEVP.dll
BHO-{fee80177-8560-4afc-97c8-b3e8669348d6} - c:\windows\system32\yfwkit.dll
Notify-WgaLogon - (no file)
Notify-winuns32 - winuns32.dll
MSConfigStartUp-avgnt - c:\program files\AntiVir PersonalEdition Classic\avgnt.exe
MSConfigStartUp-BearShare - c:\program files\BearShare\BearShare.exe
MSConfigStartUp-ec89b77d - c:\windows\system32\xpvxsriy.dll
MSConfigStartUp-fe3dbfea - c:\windows\system32\fe3dbfea.exe
MSConfigStartUp-Inrebpzv - c:\progra~1\COMMON~1\YSTEM~1\NPDB~1.EXE
MSConfigStartUp-InstaFinderK - c:\program files\INSTAFINK\InstaFinderK_inst.exe
MSConfigStartUp-lphc7usj0ej9n - c:\windows\system32\lphc7usj0ej9n.exe
MSConfigStartUp-Opoa - c:\windows\system32\ASEMBL~1\smss.exe
MSConfigStartUp-P2P Networking - c:\windows\system32\P2P Networking\P2P Networking.exe
MSConfigStartUp-SemanticInsight - c:\program files\RXToolBar\Semantic Insight\SemanticInsight.exe
MSConfigStartUp-Share-to-Web Namespace Daemon - c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
MSConfigStartUp-SMrhc3usj0ej9n - c:\program files\rhc3usj0ej9n\rhc3usj0ej9n.exe
MSConfigStartUp-SpywareQuake - c:\program files\SpywareQuake.com\Spyware-Quake.exe
MSConfigStartUp-SVCHOST - c:\windows\system32\drivers\svchost.exe
MSConfigStartUp-tbon - c:\program files\TBONBin\tbon.exe
MSConfigStartUp-zango - c:\program files\zango\zango.exe
MSConfigStartUp-msiexec - msiconf.exe


.
------- Supplementary Scan -------
.
mLocal Page = about:blank
mStart Page = about:blank
mSearch Bar =
uInternet Connection Wizard,ShellNext = hxxp://toolbar.morpheus.com/ready.html?toolbar=Installed
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe -
FireFox -: Profile - c:\documents and settings\Masta\Application Data\Mozilla\Firefox\Profiles\r1pbz51b.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - google.com
FF -: plugin - c:\documents and settings\Masta\Local Settings\Application Data\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npitunes.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npmozax.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 21:36:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\windows\system32\Ati2evxx.dll
c:\program files\AlienGUIse\fastload.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-06 21:41:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-07 03:41:00

Pre-Run: 1,798,524,928 bytes free
Post-Run: 1,887,408,128 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

306



Thanks again for all the help. I can now navigate to the pages online that were blocked, and .exe files are opening again!

Last edited by jrice257; 12-06-2008 at 08:50 PM.
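The log above is worth reading for what the infection changed besides dropping files: Security Center's antivirus and update alerts were switched off (AntiVirusDisableNotify and UpdatesDisableNotify set to 1), the Windows Firewall standard profile was disabled (EnableFirewall = 0), a TDSSserv.sys service plus a run of TDSS-prefixed DLLs were removed, an autorun.inf was deleted from the root of H:, and startup entries pointed at copies of svchost.exe and smss.exe outside system32. Those are the lines an analyst re-checks by hand after a cleanup, because the removal tool deletes the files but does not necessarily restore the settings. The script below is an added example for this page; it is not part of jrice257's post and is not ComboFix code. It parses the plain-text format shown above (section banners in parentheses, one path per deleted file, REGEDIT4-style key/value lines, "name - path" orphan entries) over an excerpt copied from the log and reports those indicators. The expected locations of the Windows core binaries assume a default XP install under c:\windows; the category names and severities are the script's own.

```python
"""Triage a ComboFix-style log for the posture regressions left behind after cleanup.

Added example, not part of the original forum post and not ComboFix code.
Run it as a script to print findings for the embedded excerpt, or import it
and call triage() on the text of a full log.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Excerpt copied from the log posted above, embedded so the script runs offline.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Microsoft Common\svchost.exe
c:\windows\system32\drivers\TDSSmact.sys
c:\windows\system32\TDSScfum.dll
c:\windows\system32\msiconf.exe
H:\autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\SETUP.EXE
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Opoa - c:\windows\system32\ASEMBL~1\smss.exe
MSConfigStartUp-SVCHOST - c:\windows\system32\drivers\svchost.exe
MSConfigStartUp-msiexec - msiconf.exe
"""

SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")          # (((( Other Deletions ))))
ORPHANS_RE = re.compile(r"^(?:-\s)+(.+?)(?:\s-)+$")      # - - - - ORPHANS REMOVED - - - -
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"=dword:00000001   or   "Name"= 0 (0x0); the lookahead rejects quoted paths
REG_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(dword:)?([0-9a-fA-F]+)(?=\s|\(|$)')
SERVICE_RE = re.compile(r"^-+\\(Service|Legacy)_(.+)$")

# Where the core Windows binaries live on a default XP install (assumption:
# %SystemRoot% is c:\windows). A same-named file anywhere else is suspect.
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "info" (this script's own scale)
    category: str
    detail: str
    line: str       # the log line that produced the finding


def _split_dir(path: str) -> tuple[str, str]:
    """Return (directory, basename) of a Windows path, both lower-cased."""
    directory, _, name = path.lower().rpartition("\\")
    return directory, name


def check_path(path: str, line: str) -> list[Finding]:
    """Flag a file path from the deletions or orphans sections."""
    out: list[Finding] = []
    directory, name = _split_dir(path)
    if name.startswith("tdss"):          # TDSS/Alureon rootkit family naming
        out.append(Finding("high", "rootkit-family-name", f"TDSS-prefixed file: {path}", line))
    expected = EXPECTED_DIR.get(name)
    if expected and directory != expected:
        out.append(Finding("high", "masquerading-binary", f"{name} outside {expected}: {path}", line))
    if name == "autorun.inf" and re.fullmatch(r"[a-z]:", directory):
        out.append(Finding("medium", "autorun", f"autorun.inf at drive root: {path}", line))
    return out


def check_reg_value(key: str, name: str, value: int, line: str) -> list[Finding]:
    """Flag Security Center and firewall settings that malware commonly flips."""
    k, n = key.lower(), name.lower()
    if k.endswith("security center") and n.endswith("disablenotify") and value == 1:
        return [Finding("high", "security-center", f"{name}=1 (Security Center alert suppressed)", line)]
    if "firewallpolicy" in k and n == "enablefirewall" and value == 0:
        profile = k.rsplit("\\", 1)[-1]
        return [Finding("high", "firewall", f"Windows Firewall disabled for {profile}", line)]
    return []


def triage(log_text: str) -> list[Finding]:
    """Walk the log once, tracking the current section and registry key."""
    findings: list[Finding] = []
    section = ""
    reg_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line) or ORPHANS_RE.match(line)
        if m:
            section, reg_key = m.group(1).lower(), ""
            continue
        m = REG_KEY_RE.match(line)
        if m:
            reg_key = m.group(1)
            continue
        m = REG_VALUE_RE.match(line)
        if m and reg_key:
            name, is_dword, digits = m.groups()
            try:
                value = int(digits, 16 if is_dword else 10)
            except ValueError:
                continue
            findings.extend(check_reg_value(reg_key, name, value, line))
            continue
        if "mountpoints2" in reg_key.lower() and "\\shell\\autorun\\command" in line.lower():
            drive = reg_key.rsplit("\\", 1)[-1]
            cmd = line.split(" - ", 1)[-1]
            findings.append(Finding("info", "autorun", f"cached AutoRun handler for {drive}: {cmd}", line))
            continue
        m = SERVICE_RE.match(line)
        if m and section.startswith("drivers"):
            findings.append(Finding("high", "service", f"{m.group(1)} entry removed: {m.group(2)}", line))
            continue
        if section == "other deletions":
            findings.extend(check_path(line, line))
        elif section == "orphans removed" and " - " in line:
            findings.extend(check_path(line.split(" - ", 1)[1].strip(), line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category, handy for a one-line verdict."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.category:22} {f.detail}")
    print(summarize(results))
```

On the excerpt this yields twelve findings: three masquerading copies of svchost.exe/smss.exe, two TDSS-prefixed files, the removed TDSSSERV service and its legacy entry, the two suppressed Security Center alerts, the disabled firewall profile, the autorun.inf on H:, and the cached AutoRun handler for D: (reported as info only, since an optical-drive SETUP.EXE handler is normal and just worth a glance). The registry checks are the part worth keeping after the cleanup: ComboFix deleted the files, but whether notifications and the firewall were re-enabled is something to confirm in the Security Center and firewall settings rather than assume.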