I never was given the option of installing the recovery console, but here are the logs:
ComboFix log:
ComboFix 09-02-12.03 - Maria Yesilevskaya 2009-02-12 19:40:42.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1251.7.1033.18.2039.1628 [GMT -6:00]
Running from: c:\documents and settings\Maria Yesilevskaya\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
The following files were disabled during the run:
c:\windows\TWFyaWEgWWVzaWxldnNrYXlh\asappsrv.dll
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Maria Yesilevskaya\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\Maria Yesilevskaya\x.exe
c:\program files\Common Files\kqfi
c:\program files\Common Files\kqfi\kqfia.exe
c:\program files\Common Files\kqfi\kqfia.lck
c:\program files\Common Files\kqfi\kqfid\class-barrel
c:\program files\Common Files\kqfi\kqfid\kqfic.dll
c:\program files\Common Files\kqfi\kqfid\vocabulary
c:\program files\Common Files\kqfi\kqfih
c:\program files\Common Files\kqfi\kqfil.exe
c:\program files\Common Files\kqfi\kqfil.lck
c:\program files\Common Files\kqfi\kqfim.exe
c:\program files\Common Files\kqfi\kqfim.lck
c:\program files\Common Files\kqfi\kqfip.exe
c:\program files\VnrPack
c:\program files\VnrPack\dicts.gz
c:\program files\VnrPack\trgts.gz
c:\program files\VnrPack\VnrPack23.exe
c:\windows\kqfi
c:\windows\kqfi\kqfi.dat
c:\windows\kqfi\wu
c:\windows\system32\__c006C977.exe
c:\windows\system32\__c00CFFF1.exe
c:\windows\system32\__c00F034A.exe
c:\windows\system32\atmtd.dll.tmp
c:\windows\system32\cbylsenu.dll
c:\windows\system32\digeste.dll
c:\windows\system32\ginyjg.dll
c:\windows\system32\iuxchmtt.dll
c:\windows\system32\jveqob.dll
c:\windows\system32\jvxkdvpd.dll
c:\windows\system32\kkslus.dll
c:\windows\system32\rqbhkctb.dll
c:\windows\system32\rqRKaaYq.dll.vir
c:\windows\system32\ssqRIaBu.dll
c:\windows\system32\tdexzj.dll
c:\windows\system32\vwyios.dll
c:\windows\system32\wpv381233435309.cpx
c:\windows\system32\wvqrwluj.dll
c:\windows\TWFyaWEgWWVzaWxldnNrYXlh\
c:\windows\TWFyaWEgWWVzaWxldnNrYXlh\\asappsrv.dll.vir
c:\windows\TWFyaWEgWWVzaWxldnNrYXlh\\command.exe
c:\windows\TWFyaWEgWWVzaWxldnNrYXlh\\nqIVuqH0qqpWuqU5xBhOsr51.vbs
c:\windows\TWFyaWEgWWVzaWxldnNrYXlh\command.exe
C:\xcrashdump.dat
c:\windows\system32\cmuti.dll . . . . failed to delete
----- BITS: Possible infected sites -----
hxxp://childhe.com.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Service_cmdService
((((((((((((((((((((((((( Files Created from 2009-01-13 to 2009-02-13 )))))))))))))))))))))))))))))))
.
2009-02-12 19:45 . 2009-02-12 19:45 <DIR> d-------- c:\windows\system32\LogFiles
2009-02-07 20:25 . 2009-02-07 20:25 <DIR> d-------- c:\program files\Trend Micro
2009-02-07 18:47 . 2009-02-07 20:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-07 10:32 . 2009-02-07 10:32 85,637 --a------ c:\windows\system32\1c467c31-8a65-0553-823f-b8795b8a2f5c.exe
2009-02-07 10:29 . 2009-02-07 10:29 72,704 --a------ c:\windows\system32\whuopiuv.dll
2009-02-05 14:46 . 2009-02-05 14:46 673,792 --a------ c:\windows\system32\nsj1E.dll
2009-02-01 21:25 . 2009-02-01 21:25 <DIR> d-------- c:\program files\WebShow
2009-01-31 22:34 . 2004-08-04 04:00 96,256 --a------ c:\windows\system32\cdmode.dll
2009-01-31 22:04 . 2004-08-04 04:00 96,256 --a------ c:\windows\system32\cnbjmo.dll
2009-01-31 21:30 . 2004-08-04 04:00 96,256 --a------ c:\windows\system32\cmuti.dll
2009-01-31 21:07 . 2009-02-07 19:22 <DIR> d-------- c:\documents and settings\Maria Yesilevskaya\Application Data\cogad
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-08 02:27 --------- d-----w c:\program files\AICPASampleTest
2009-01-20 05:07 --------- d-----w c:\program files\CCleaner
2008-07-10 23:41 35,104 -c--a-w c:\documents and settings\Maria Yesilevskaya\Application Data\GDIPFONTCACHEV1.DAT
2006-02-17 04:06 952 -csha-w c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39D9B177-839C-4199-AD75-BDDA2F4D3F58}]
2004-08-04 04:00 96256 --a------ c:\windows\system32\cmuti.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c9f07aee-b43f-09be-3090-c65c3c224f75}]
2009-02-05 14:46 673792 --a------ c:\windows\system32\nsj1E.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 15:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=kkslus.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2004-09-13 15:33 155648 c:\program files\Apoint\Apoint.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 04:00 15360 c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-12-06 00:05 127035 c:\windows\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-10-12 15:54 57344 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-01-23 09:31 126976 c:\windows\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-01-23 09:36 155648 c:\windows\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a------ 2004-10-30 13:59 385024 c:\program files\Intel\Wireless\Bin\iFrmewrk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 09:36 267048 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2004-04-11 19:15 290816 c:\program files\Dell\Media Experience\PCMService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 22:37 413696 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-07-26 02:03 49263 c:\program files\Java\jre1.5.0_08\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2004-01-07 00:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 fsoaylml;fsoaylml;c:\windows\system32\drivers\fsoaylml.sys [2004-08-10 23424]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{09a5a0c5-7c8f-11dd-8263-0011437b3dcf}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47e61f4b-9e1f-11db-81b9-0011437b3dcf}]
\Shell\AutoRun\command - E:\Xkey_launcher.exe
.
Contents of the 'Scheduled Tasks' folder
2008-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
- - - - ORPHANS REMOVED - - - -
BHO-{fb7eac79-6c2c-4db2-a404-1d2c9e8ff8f1} - c:\windows\system32\kkslus.dll
MSConfigStartUp-A00F183E370 - c:\docume~1\MARIAY~1\LOCALS~1\Temp\_A00F183E370.exe
MSConfigStartUp-c01c3afe - c:\windows\system32\vjxpyuwi.dll
MSConfigStartUp-GetModule36 - c:\program files\GetModule\GetModule36.exe
MSConfigStartUp-Twain - c:\documents and settings\Maria Yesilevskaya\Application Data\Twain\Twain.exe
MSConfigStartUp-txlvxifkpkhp - c:\windows\system32\xvonehpuhvwqq.dll
MSConfigStartUp-VnrPack23 - c:\program files\VnrPack\VnrPack23.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: turbotax.com
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-02-12 19:45:06
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\LogFiles
scan completed successfully
hidden files: 1
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(968)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-12 19:48:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-13 01:48:12
Pre-Run: 18,668,376,064 bytes free
Post-Run: 18,633,895,936 bytes free
206 --- E O F --- 2009-01-15 01:59:11
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:49:07 PM, on 2/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39D9B177-839C-4199-AD75-BDDA2F4D3F58} - C:\WINDOWS\system32\cmuti.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: worldadmarketplace - {c9f07aee-b43f-09be-3090-c65c3c224f75} - C:\WINDOWS\system32\nsj1E.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Fac ... oader3.cab
O20 - AppInit_DLLs: kkslus.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 4879 bytes