Okay Dan,
I was able to find a friend who was running Windows XP Home Edition, so I was able to follow your instructions. When you ask to see the ComboFix output report, did you want me to run ComboFix once again, after the file had been replaced?
Below is the output report from when I ran ComboFix as the first step of your instructions:
ComboFix 09-05-05.04 - George 06/05/2009 15:51.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.382.123 [GMT 1:00]
Running from: c:\documents and settings\George\Desktop\Godiva.exe
AV: Sophos Anti-Virus *On-access scanning disabled* (Outdated)
.
((((((((((((((((((((((((( Files Created from 2009-04-06 to 2009-05-06 )))))))))))))))))))))))))))))))
.
2009-04-25 19:41 . 2009-04-25 19:41 -------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2009-04-25 11:40 . 2009-04-25 12:16 -------- d-----w c:\program files\AVIConverter
2009-04-25 11:27 . 2009-04-25 11:28 -------- d-----w C:\Combo-Fix
2009-04-23 08:15 . 2009-04-23 08:15 -------- d-----w c:\documents and settings\George\Application Data\Malwarebytes
2009-04-23 08:14 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-23 08:14 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-23 08:14 . 2009-04-23 08:14 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-23 08:14 . 2009-04-23 08:14 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-23 00:06 . 2009-04-23 00:06 -------- d-s---w c:\windows\system32\config\systemprofile\UserData
2009-04-22 17:49 . 2009-04-22 17:49 -------- d-----w c:\program files\Trend Micro
2009-04-22 09:31 . 2009-04-23 09:17 -------- d-----w c:\documents and settings\George\Application Data\Twain
2009-04-22 00:26 . 2009-04-23 18:34 -------- d-----w C:\ComboFix
2009-04-21 23:48 . 2009-04-21 23:48 577024 -c--a-w c:\windows\system32\dllcache\user32.dll
2009-04-21 23:45 . 2009-04-21 23:45 -------- d-----w c:\windows\ERUNT
2009-04-21 13:35 . 2009-04-21 13:35 213376 -c--a-w c:\windows\system32\dllcache\ndis.sys
2009-04-18 10:41 . 2003-06-25 15:05 266360 ----a-w c:\windows\system32\TweakUI.exe
2009-04-18 10:14 . 2009-04-18 10:34 -------- d-----w c:\program files\iColorFolder
2009-04-18 09:58 . 2009-04-18 09:58 -------- d-----w c:\program files\IconXP
2009-04-17 00:19 . 2009-04-19 10:11 -------- d-----w c:\windows\Windows98_icons
2009-04-17 00:17 . 2009-04-17 00:17 -------- d-----w c:\program files\Mystik Media
2009-04-17 00:16 . 2009-04-17 00:17 -------- dc-h--w c:\documents and settings\All Users\Application Data\{E33597A3-E995-4DA4-A3A0-F1775979A8E0}
2009-04-16 19:02 . 2007-05-17 16:30 318976 ----a-w c:\windows\system32\avisynth.dll
2009-04-16 19:02 . 2004-02-22 09:11 719872 ----a-w c:\windows\system32\devil.dll
2009-04-16 19:02 . 2004-01-24 23:00 70656 ----a-w c:\windows\system32\yv12vfw.dll
2009-04-16 19:02 . 2004-01-24 23:00 70656 ----a-w c:\windows\system32\i420vfw.dll
2009-04-16 19:02 . 2009-04-16 19:02 -------- d-----w c:\program files\AviSynth 2.5
2009-04-16 19:01 . 2008-03-16 13:30 216064 --sh--r c:\windows\system32\nbDX.dll
2009-04-16 19:01 . 2007-02-21 11:47 31232 --sh--r c:\windows\system32\msfDX.dll
2009-04-16 19:01 . 2006-05-03 10:06 163328 --sh--r c:\windows\system32\flvDX.dll
2009-04-16 19:01 . 2009-04-16 19:01 -------- d-----w c:\program files\eRightSoft
2009-04-15 23:30 . 2009-04-15 23:30 -------- d-----w c:\program files\XeroBank
2009-04-15 15:13 . 2004-07-29 01:19 175104 ----a-w c:\windows\lame_enc.dll
2009-04-14 22:10 . 2009-04-14 22:10 0 ----a-w c:\windows\nsreg.dat
2009-04-14 22:09 . 2009-04-14 22:10 -------- d-----w c:\documents and settings\George\Application Data\Thunderbird
2009-04-14 22:09 . 2009-04-14 22:11 -------- d-----w c:\documents and settings\George\Local Settings\Application Data\Thunderbird
2009-04-14 22:08 . 2009-05-06 14:17 -------- d-----w c:\program files\Mozilla Thunderbird
2009-04-12 16:41 . 2009-04-12 16:41 -------- d-----w c:\documents and settings\George\Bullfrog
2009-04-12 16:41 . 2009-04-12 16:41 -------- d-----w c:\windows\system\KEEPER
2009-04-12 03:42 . 2009-04-12 03:42 -------- d-----w c:\program files\ebrary
2009-04-09 00:10 . 2009-04-09 00:10 -------- d-----w c:\program files\Common Files\DivX Shared
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 13:17 . 2008-07-28 22:59 -------- d-----w c:\program files\StarCraft
2009-05-02 00:18 . 2007-10-22 00:08 -------- d-----w c:\program files\eMusic Remote
2009-04-25 19:43 . 2006-05-22 13:08 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-21 13:35 . 2006-05-22 07:36 213376 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-16 21:48 . 2006-09-03 14:31 66648 ----a-w c:\documents and settings\George\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-30 19:01 . 2008-07-05 10:14 557469 ----a-w c:\windows\system32\libmplayer.dll
2009-03-30 19:01 . 2008-07-05 10:14 4426841 ----a-w c:\windows\system32\libavcodec.dll
2009-03-30 19:01 . 2008-07-05 10:13 849136 ----a-w c:\windows\system32\ff_x264.dll
2009-03-30 19:01 . 2008-06-13 10:39 98304 ----a-w c:\windows\system32\ff_wmv9.dll
2009-03-30 19:01 . 2008-06-12 17:36 84480 ----a-w c:\windows\system32\ff_vfw.dll
2009-03-30 19:01 . 2004-12-20 10:03 828029 ----a-w c:\windows\system32\xvidcore.dll
2009-02-24 19:35 . 2006-10-03 16:23 120056 ------w c:\windows\system32\pxcpyi64.exe
2009-02-24 19:35 . 2006-10-02 11:36 129784 ------w c:\windows\system32\pxafs.dll
2009-02-24 19:35 . 2006-10-02 11:36 118520 ------w c:\windows\system32\pxinsi64.exe
2009-02-24 19:34 . 2009-02-24 19:34 90112 ----a-w c:\windows\system32\dpl100.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-02-24 19:34 . 2009-02-24 19:34 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-02-24 19:34 . 2009-02-24 19:34 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-02-24 19:34 . 2009-02-24 19:34 684032 ----a-w c:\windows\system32\DivX.dll
2009-02-23 21:52 . 2009-02-23 21:44 246 ----a-w c:\windows\filelisting.bat
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\opera\program\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\opera\program\plugins\ssldivx.dll
2007-04-17 23:20 . 2007-04-17 23:20 56 --sh--r c:\windows\system32\512601FDB7.sys
2006-05-03 10:06 . 2009-04-16 19:01 163328 --sh--r c:\windows\system32\flvDX.dll
2007-04-17 23:20 . 2007-04-17 23:20 1890 --sha-w c:\windows\system32\KGyGaAvL.sys
2007-02-21 11:47 . 2009-04-16 19:01 31232 --sh--r c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2009-04-16 19:01 216064 --sh--r c:\windows\system32\nbDX.dll
.
------- Sigcheck -------
[-] 2009-04-21 13:35 213376 3D748D850B1C17C357C54BBFD4835F27 c:\windows\system32\dllcache\ndis.sys
[-] 2009-04-21 13:35 213376 3D748D850B1C17C357C54BBFD4835F27 c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-04-23_18.43.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-06 14:42 . 2009-05-06 14:42 16384 c:\windows\Temp\Perflib_Perfdata_41c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-04-23 22058792]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-09-18 5674352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2006-03-16 634880]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 65536]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2006-04-04 53248]
"Tvs"="c:\program files\TOSHIBA\Tvs\TvsTray.exe" [2006-02-02 73728]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2006-04-28 262144]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-18 136600]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-04-18 16143872]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2006-03-18 89541]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-08-11 266240]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoUpdate Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoUpdate Monitor.lnk
backup=c:\windows\pss\AutoUpdate Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BITS"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\inf\\explorer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"22178:TCP"= 22178:TCP:BitComet 22178 TCP
"22178:UDP"= 22178:UDP:BitComet 22178 UDP
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [01/02/2007 20:40 101120]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [01/02/2007 20:40 33408]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [14/11/2007 19:08 69632]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [28/11/2007 13:53 98304]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [18/04/2006 15:12 98816]
S1 d83568e8;d83568e8;c:\windows\system32\drivers\d83568e8.sys --> c:\windows\system32\drivers\d83568e8.sys [?]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
2008-06-27 c:\windows\Tasks\shutdown.job
- c:\windows\system32\shutdown.exe [2006-05-22 12:00]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {B98AAA0F-DE81-4AC5-B45A-FACC2E6BC232} = 208.67.220.220,208.67.222.222
FF - ProfilePath - c:\documents and settings\George\Application Data\Mozilla\Firefox\Profiles\g3sq6njz.default\
FF - prefs.js: browser.startup.homepage - hxxp://vle.coventry.ac.uk/webct/entryPageIns.dowebct
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPInfotl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsabffx.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin5.dll
FF - plugin: c:\windows\system32\SuperAdBlocker.com\npsabffx.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-06 15:53
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(692)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\l3codeca.acm
- - - - - - - > 'explorer.exe'(1772)
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
Completion time: 2009-05-06 15:57
ComboFix-quarantined-files.txt 2009-05-06 14:56
ComboFix2.txt 2009-05-06 14:48
ComboFix3.txt 2009-04-29 18:58
ComboFix4.txt 2009-04-25 22:48
ComboFix5.txt 2009-05-06 14:50
Pre-Run: 197,423,104 bytes free
Post-Run: 183,345,152 bytes free