Hi, below are the log files.
For ComboFix:
"Administrator" - 07-04-10 0:15:39 Service Pack 2
ComboFix 07-04-05 - Running from: "D:\Program Files\Mozilla Firefox"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
D:\WINDOWS\system32\dodolook260.exe
D:\WINDOWS\system32\winepm95.bin
D:\WINDOWS\system32\winlwf58.bin
D:\WINDOWS\system32\winowf48.bin
D:\WINDOWS\system32\winreq96.bin
D:\WINDOWS\system32\winupx93.bin
D:\WINDOWS\system32\Msf3sf.sys
D:\WINDOWS\system32\4.dll
D:\WINDOWS\system32\6.dll
D:\Program Files\Common Files\microsoft shared\msinfo\SysInfo.bak
D:\Program Files\Common Files\microsoft shared\msinfo\SysInfo.vxd
D:\WINDOWS\Debug\UserMode\0DE49.dll
D:\WINDOWS\system32\drivers\ayyowf48.sys
D:\DOCUME~1\ALLUSE~1\APPLIC~1.\Microsoft\PCTools\pctools.dll
D:\DOCUME~1\ALLUSE~1\APPLIC~1\td\a1004.dat
D:\DOCUME~1\ALLUSE~1\APPLIC~1\td\b1004.dat
D:\DOCUME~1\ALLUSE~1\APPLIC~1\td\k1004.dat
D:\DOCUME~1\ALLUSE~1\APPLIC~1\td\p1004.dat
D:\DOCUME~1\ALLUSE~1\APPLIC~1\td\r1004.dat
D:\WINDOWS\system32\mdserivces\services\reg.exe
D:\WINDOWS\system32\bdsupx93\bdsupx93.dll
D:\WINDOWS\system32\bdsupx93\winupx93.bin
D:\WINDOWS\system32\bdsupx93\winupx93.dll
D:\WINDOWS\system32\advport.dll
D:\WINDOWS\system32\d3d1caps.srg
D:\WINDOWS\system32\scia.dll
D:\WINDOWS\system32\score.txt
D:\WINDOWS\system32\toolset.ini
D:\WINDOWS\system32\unibar.exe
D:\WINDOWS\kernel32.exe
D:\WINDOWS\system32\kbnaxp.dll
D:\WINDOWS\system32\xpnap.exe
D:\WINDOWS\config\starter\config.htm
D:\WINDOWS\system32\msrundll.exe
D:\WINDOWS\system32\ims.ini
D:\WINDOWS\system32\wbem\mof\good\esery.mof
D:\WINDOWS\system32\drivers\usb8028x.sys
D:\WINDOWS\system32\player.dll
D:\WINDOWS\usb8028x.log
D:\WINDOWS\system32\FP30PY.dll
D:\DOCUME~1\ALLUSE~1\APPLIC~1.\Microsoft\PCTools
D:\DOCUME~1\ALLUSE~1\APPLIC~1\td
D:\WINDOWS\system32\mdserivces
D:\WINDOWS\system32\winup
D:\Program Files\Common Files\Ruango
D:\WINDOWS\system32\bdsupx93
D:\WINDOWS\system32\ayyowf48.dll
D:\WINDOWS\system32\bdsupx93.dll
D:\WINDOWS\system32\winowf48.dll
D:\WINDOWS\system32\drivers\tnswgk39.sys
((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\ayyowf48
-------\BKMARKS
-------\CryptographicServer
-------\ndcia
-------\romman
-------\stdio
-------\tnswgk39
-------\usb8028
-------\usb8028x
-------\WmdmPWD
-------\LEGACY_ACPIDISK
-------\LEGACY_AYYOWF48
-------\LEGACY_BKMARKS
-------\LEGACY_CDNPROT
-------\LEGACY_CRYPTOGRAPHICSERVER
-------\LEGACY_FKWLD
-------\LEGACY_MCHINJDRV
-------\LEGACY_NDCIA
-------\LEGACY_ROMMAN
-------\LEGACY_STDIO
-------\LEGACY_TNSWGK39
-------\LEGACY_USB8028
-------\LEGACY_USB8028X
-------\LEGACY_WMDMPWD
((((((((((((((((((((((((((((((( Files Created from 2007-03-10 to 2007-04-10 ))))))))))))))))))))))))))))))))))
2007-04-10 00:16 0 --a------ D:\WINDOWS\system32\tnswgk39.dll
2007-04-10 00:10 <DIR> d-------- D:\avenger
2007-04-09 21:08 <DIR> d-------- D:\WINDOWS\system32\Kaspersky Lab
2007-04-09 19:48 <DIR> d-------- D:\!KillBox
2007-04-09 13:52 3,968 --a------ D:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-08 14:38 <DIR> d-------- D:\Program Files\CCleaner
2007-04-07 22:18 <DIR> d-------- D:\Program Files\KONAMI
2007-04-06 11:28 <DIR> d-------- D:\Program Files\Spyware Doctor
2007-04-06 11:27 172 --a------ D:\WINDOWS\system32\ayyowf48\winowf48.bin
2007-04-06 11:27 <DIR> d-------- D:\WINDOWS\system32\ayyowf48
2007-04-04 16:55 1,168 --a------ D:\WINDOWS\mozver.dat
2007-04-03 23:17 0 --a------ D:\WINDOWS\nsreg.dat
2007-04-03 23:07 <DIR> d-------- D:\WINDOWS\%DownloadedProgramFiles%
2007-04-03 21:03 <DIR> d-------- D:\Program Files\Common Files\scosoft.com
2007-04-03 18:50 <DIR> d-------- D:\WINDOWS\pss
2007-04-03 18:22 <DIR> d-------- D:\DOCUME~1\ADMINI~1\APPLIC~1\Uniblue
2007-04-03 14:46 <DIR> d-------- D:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-04-03 14:45 <DIR> d-------- D:\Program Files\Common Files\Wise Installation Wizard
2007-04-03 11:54 <DIR> d-------- D:\WINDOWS\CSC
2007-04-03 00:25 <DIR> d-------- D:\WINDOWS\system32\yrelwf58
2007-04-03 00:25 <DIR> d-------- D:\WINDOWS\system32\thpepm95
2007-04-03 00:05 33 --a------ D:\WINDOWS\system32\111gPgi0.dll
2007-04-02 23:35 276 --a------ D:\WINDOWS\system32\BF74F43E.dat
2007-04-02 23:35 <DIR> d-------- D:\Program Files\wjpw
2007-03-30 20:53 21,504 --a------ D:\WINDOWS\system32\hidserv.dll
2007-03-28 21:16 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\HHD Software
2007-03-28 21:15 <DIR> d-------- D:\Program Files\HHD Software
2007-03-28 20:58 <DIR> d-------- D:\DOCUME~1\ADMINI~1\APPLIC~1\WinRAR
2007-03-28 20:24 223,128 --a------ D:\WINDOWS\system32\drivers\vaxscsi.sys
2007-03-28 20:24 <DIR> d-------- D:\Program Files\Alcohol Soft
2007-03-28 20:22 96,256 --a------ D:\WINDOWS\system32\drivers\sptd8365.sys
2007-03-28 20:22 642,560 --a------ D:\WINDOWS\system32\drivers\sptd.sys
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-04-03 11:14 -------- d--h----- D:\Program Files\installshield installation information
2007-03-08 23:36 577536 --a------ D:\WINDOWS\system32\user32.dll
2007-03-08 23:36 40960 --a------ D:\WINDOWS\system32\mf3216.dll
2007-03-08 23:36 281600 --a------ D:\WINDOWS\system32\gdi32.dll
2007-03-08 21:47 1843584 --a------ D:\WINDOWS\system32\win32k.sys
2007-03-08 21:33 -------- d-------- D:\Program Files\ea games
2007-02-26 05:14 -------- d-------- D:\Program Files\pplive
2007-02-26 05:10 -------- d-------- D:\Program Files\msn messenger
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="D:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="D:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"SoundMan"="SOUNDMAN.EXE"
"ABITManager"="D:\\Program Files\\ABIT\\ABIT Manager\\ABITManager.exe"
"ABITEQ"="D:\\Program Files\\ABIT\\ABIT Manager\\abiteq.exe -M"
"RemoteControl"="\"D:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"TkBellExe"="\"D:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"PCSuiteTrayApplication"="D:\\PROGRA~1\\Nokia\\NOKIAP~1\\LAUNCH~1.EXE -onlytray"
"AVG7_CC"="D:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^ruango.lnk]
"path"="D:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\ruango.lnk"
"backup"="D:\\WINDOWS\\pss\\ruango.lnkCommon Startup"
"location"="Common Startup"
"command"="D:\\WINDOWS\\system32\\MSRundll.exe D:\\PROGRA~1\\COMMON~1\\Ruango\\Player.dll,Always"
"item"="ruango"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qlsreq96]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qlsreq96"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\Rundll32.exe \"%systemroot%\\system32\\qlsreq96.dll\",Start"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{90BC520C-9175-470E-94B8-10FD869D170B}"=""
"{1B4E3287-2C14-F46E-89D0-AADD240C8583}"=""
"{26F0E2C9-F853-42D4-866E-86AA4C8EF58F}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0lsanp\0
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0
hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
Hardware
Contents of the 'Scheduled Tasks' folder
D:\WINDOWS\tasks\XoftSpySE 2.job
D:\WINDOWS\tasks\XoftSpySE.job
********************************************************************
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-04-10 0:19:37
D:\ComboFix-quarantined-files.txt ... 07-04-10 00:19
For Avenger:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\udonkrvg
*******************
Script file located at: \??\D:\Documents and Settings\cnjqeccx.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at D:\Avenger
*******************
Beginning to process script file:
File D:\Documents and Settings\Administrator\Local Settings\Temp\1271625.exe deleted successfully.
File D:\Documents and Settings\Administrator\Local Settings\Temp\4.exe not found!
Deletion of file D:\Documents and Settings\Administrator\Local Settings\Temp\4.exe failed!
Could not process line:
D:\Documents and Settings\Administrator\Local Settings\Temp\4.exe
Status: 0xc0000034
File D:\Documents and Settings\Administrator\Local Settings\Temp\5.exe not found!
Deletion of file D:\Documents and Settings\Administrator\Local Settings\Temp\5.exe failed!
Could not process line:
D:\Documents and Settings\Administrator\Local Settings\Temp\5.exe
Status: 0xc0000034
File D:\Documents and Settings\Administrator\Local Settings\Temp\Rav31.dll not found!
Deletion of file D:\Documents and Settings\Administrator\Local Settings\Temp\Rav31.dll failed!
Could not process line:
D:\Documents and Settings\Administrator\Local Settings\Temp\Rav31.dll
Status: 0xc0000034
File D:\Documents and Settings\Administrator\Local Settings\Temp\Tmp3.tmp.rom deleted successfully.
File D:\Documents and Settings\Administrator\Local Settings\Temp\Tmp4.tmp.rom deleted successfully.
File D:\Documents and Settings\Administrator\Local Settings\Temp\~Tm2.tmp.rom not found!
Deletion of file D:\Documents and Settings\Administrator\Local Settings\Temp\~Tm2.tmp.rom failed!
Could not process line:
D:\Documents and Settings\Administrator\Local Settings\Temp\~Tm2.tmp.rom
Status: 0xc0000034
File D:\Documents and Settings\Administrator\Local Settings\Temp\~Tm3.tmp.rom deleted successfully.
File D:\WINDOWS\bar.exe deleted successfully.
File D:\Documents and Settings\All Users\Templates\temp.exe deleted successfully.
File D:\Program Files\Internet Explorer\InfoMs.tdm deleted successfully.
File D:\Program Files\Internet Explorer\InfoMs.tp3 deleted successfully.
File D:\WINDOWS\system32\dodolook133.exe deleted successfully.
File D:\WINDOWS\system32\drivers\ndcia.sys not found!
Deletion of file D:\WINDOWS\system32\drivers\ndcia.sys failed!
Could not process line:
D:\WINDOWS\system32\drivers\ndcia.sys
Status: 0xc0000034
File D:\WINDOWS\system32\drivers\romman.sys not found!
Deletion of file D:\WINDOWS\system32\drivers\romman.sys failed!
Could not process line:
D:\WINDOWS\system32\drivers\romman.sys
Status: 0xc0000034
File D:\WINDOWS\system32\drivers\usb8028.sys deleted successfully.
File D:\WINDOWS\system32\1010s.exe deleted successfully.
File D:\WINDOWS\system32\ad_1485.exe deleted successfully.
File D:\WINDOWS\system32\gb01.exe deleted successfully.
File D:\WINDOWS\system32\HelpIE.dll deleted successfully.
File D:\WINDOWS\system32\mshtmlsed.exe deleted successfully.
File D:\WINDOWS\system32\trtbc.dll not found!
Deletion of file D:\WINDOWS\system32\trtbc.dll failed!
Could not process line:
D:\WINDOWS\system32\trtbc.dll
Status: 0xc0000034
File D:\WINDOWS\Temp\base.exe deleted successfully.
File D:\WINDOWS\system32\HelpIE.dll not found!
Deletion of file D:\WINDOWS\system32\HelpIE.dll failed!
Could not process line:
D:\WINDOWS\system32\HelpIE.dll
Status: 0xc0000034
File D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Servere.exe deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
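The two logs above are easier to triage programmatically than by eye. The following is an added example, not part of the original post and not code from ComboFix or The Avenger: it parses lines in the shape of ComboFix's "Files Created" section and Avenger's per-file result lines, flags files that match a heuristic, and decodes the NTSTATUS codes Avenger reports. Two things in it are assumptions of this example rather than facts from the logs: the "random-looking name" regex (six lowercase letters followed by two digits, modelled on names ComboFix removed above such as winowf48, ayyowf48, tnswgk39, thpepm95, yrelwf58 and winupx93) and the sample input, which is a constructed copy of a handful of lines from the logs, not the full output. The status decode is not an assumption: 0xC0000034 is the NTSTATUS value STATUS_OBJECT_NAME_NOT_FOUND, meaning the file was already absent when Avenger tried to delete it. Note what the heuristic surfaces in the real log: tnswgk39.dll is a 0-byte DLL created at 00:16 on 2007-04-10, during the ComboFix run that started at 0:15:39, and a service named tnswgk39 is listed among the removed Drivers/Services.

```python
import re
from collections import Counter

# Constructed sample input: a few lines copied in the shape of the ComboFix
# "Files Created" section above. Not the complete log.
COMBOFIX_FILES_CREATED = r"""
2007-04-10 00:16 0 --a------ D:\WINDOWS\system32\tnswgk39.dll
2007-04-09 13:52 3,968 --a------ D:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-06 11:27 172 --a------ D:\WINDOWS\system32\ayyowf48\winowf48.bin
2007-04-06 11:27 <DIR> d-------- D:\WINDOWS\system32\ayyowf48
2007-04-03 00:05 33 --a------ D:\WINDOWS\system32\111gPgi0.dll
2007-03-30 20:53 21,504 --a------ D:\WINDOWS\system32\hidserv.dll
"""

# Constructed sample input: a few Avenger result lines in the shape of the
# log above, including one path the script listed twice (HelpIE.dll).
AVENGER_RESULTS = r"""
File D:\WINDOWS\bar.exe deleted successfully.
File D:\WINDOWS\system32\drivers\ndcia.sys not found!
Deletion of file D:\WINDOWS\system32\drivers\ndcia.sys failed!
Could not process line:
D:\WINDOWS\system32\drivers\ndcia.sys
Status: 0xc0000034
File D:\WINDOWS\system32\HelpIE.dll deleted successfully.
File D:\WINDOWS\system32\HelpIE.dll not found!
Deletion of file D:\WINDOWS\system32\HelpIE.dll failed!
Could not process line:
D:\WINDOWS\system32\HelpIE.dll
Status: 0xc0000034
"""

# ComboFix "Files Created" line: date, time, size (or <DIR>), attributes, path.
FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attr>\S+)\s+(?P<path>.+)$"
)

# Heuristic (assumption of this example, not a rule from the tools): six
# lowercase letters + two digits, optionally with an extension.
RANDOM_NAME = re.compile(r"^[a-z]{6}\d{2}(\.\w+)?$")

# NTSTATUS values Avenger may print after a failed line.
NTSTATUS = {0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND"}


def parse_files_created(text):
    """Return one dict per parsable 'Files Created' line."""
    entries = []
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if not m:
            continue
        is_dir = m["size"] == "<DIR>"
        size = None if is_dir else int(m["size"].replace(",", ""))
        entries.append({"date": m["date"], "time": m["time"], "size": size,
                        "is_dir": is_dir, "path": m["path"]})
    return entries


def flag_suspicious(entries):
    """Flag random-looking names and zero-byte executables/drivers/DLLs."""
    flagged = []
    for e in entries:
        name = e["path"].rsplit("\\", 1)[-1]
        reasons = []
        if RANDOM_NAME.match(name):
            reasons.append("random-looking name")
        if e["size"] == 0 and name.lower().endswith((".dll", ".sys", ".exe")):
            reasons.append("zero-byte executable")
        if reasons:
            flagged.append({"name": name, "path": e["path"], "reasons": reasons})
    return flagged


def parse_avenger(text):
    """Map each path to its ordered outcomes ('deleted', 'not found', decoded status)."""
    results, pending = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^File (.+) deleted successfully\.$", line)
        if m:
            results.setdefault(m[1], []).append("deleted")
            continue
        m = re.match(r"^File (.+) not found!$", line)
        if m:
            pending = m[1]
            results.setdefault(pending, []).append("not found")
            continue
        m = re.match(r"^Status: (0x[0-9a-fA-F]+)$", line)
        if m and pending:
            results[pending].append(NTSTATUS.get(int(m[1], 16), m[1]))
            pending = None
    return results


def outcome_counts(results):
    """Count deletion events and not-found events across all paths."""
    return dict(Counter(o for outs in results.values() for o in outs
                        if o in ("deleted", "not found")))


def already_absent(results):
    """Paths Avenger could not delete because the object no longer existed."""
    return [p for p, outs in results.items()
            if "STATUS_OBJECT_NAME_NOT_FOUND" in outs]


if __name__ == "__main__":
    for f in flag_suspicious(parse_files_created(COMBOFIX_FILES_CREATED)):
        print(f["path"], "->", ", ".join(f["reasons"]))
    res = parse_avenger(AVENGER_RESULTS)
    print(outcome_counts(res), already_absent(res))
```

Run it against the full pasted logs by replacing the two constructed sample strings with the corresponding sections. A path that shows both "deleted" and "not found" (HelpIE.dll in the sample, as in the real Avenger log) simply means the script listed it twice and the second attempt found nothing, not that the file came back.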