ComboFix 09-09-29.04 - USER 09/30/2009 8:02.7.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.376 [GMT -4:00]
Running from: c:\documents and settings\USER\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-30 )))))))))))))))))))))))))))))))
.
2009-09-29 13:20 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-09-29 13:20 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-09-29 13:20 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-09-29 13:20 . 2009-09-29 13:20 -------- d-----w- c:\program files\Avira
2009-09-29 13:20 . 2009-09-29 13:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-09-29 12:57 . 2008-06-19 21:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-09-29 11:40 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-29 01:21 . 2009-09-29 06:09 1949 ----a-w- c:\windows\eReg.dat
2009-09-22 13:18 . 2009-09-22 13:18 -------- d-----w- c:\documents and settings\USER\Local Settings\Application Data\Ahead
2009-09-21 19:56 . 2009-09-21 20:02 -------- d-----w- c:\documents and settings\USER\Application Data\Ahead
2009-09-21 19:52 . 2005-01-27 16:02 2658304 ------w- c:\windows\UNMRW.exe
2009-09-21 19:52 . 2009-09-21 19:52 -------- d-----w- c:\program files\Ahead
2009-09-21 19:52 . 2005-01-27 16:02 2658304 ------w- c:\windows\NuNinst.exe
2009-09-21 19:52 . 2005-01-27 23:08 8704 ------w- c:\windows\system32\drivers\InCDrec.sys
2009-09-21 19:52 . 2005-01-27 23:08 99200 ------w- c:\windows\system32\drivers\InCDfs.sys
2009-09-21 19:52 . 2005-01-27 23:07 28928 ------w- c:\windows\system32\drivers\InCDpass.sys
2009-09-21 19:52 . 2005-01-27 17:07 27776 ------w- c:\windows\system32\drivers\InCDrm.sys
2009-09-21 19:52 . 2009-09-21 19:52 -------- d-----w- c:\windows\InCD
2009-09-21 19:50 . 2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
2009-09-21 19:49 . 2005-07-06 15:12 2973696 ------w- c:\windows\UNNeroVision.exe
2009-09-21 19:48 . 2009-09-21 19:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Ahead
2009-09-21 17:04 . 2009-09-21 17:04 -------- d-----w- c:\program files\DVD Decrypter
2009-09-21 16:12 . 2009-09-21 17:01 -------- d-----w- c:\documents and settings\USER\Application Data\Vso
2009-09-16 05:12 . 2009-09-16 05:46 -------- d-----w- c:\program files\7art
2009-09-11 10:15 . 2009-09-11 10:15 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-09-05 12:58 . 2009-09-05 12:58 -------- d-----w- c:\program files\Java
2009-09-05 06:12 . 2009-09-05 06:12 -------- d-----w- c:\documents and settings\All Users\Application Data\WhiteCap (Holiday Edition)
2009-09-05 06:10 . 2009-09-06 15:15 -------- d-----w- c:\program files\Winter Fun Pack 2004 for Windows XP
2009-09-03 03:27 . 2009-09-05 06:46 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-02 03:57 . 2009-09-02 03:57 2272 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-09-02 03:57 . 2009-09-02 03:57 -------- d-----w- c:\program files\MSBuild
2009-09-02 03:56 . 2009-09-02 03:56 -------- d-----w- c:\windows\system32\XPSViewer
2009-09-02 03:56 . 2009-09-02 03:56 -------- d-----w- c:\program files\Reference Assemblies
2009-09-02 03:56 . 2006-06-29 17:07 14048 ------w- c:\windows\system32\spmsg2.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-29 12:36 . 2009-08-11 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-29 12:34 . 2009-08-13 01:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-29 11:11 . 2007-09-28 22:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-21 17:01 . 2009-07-02 14:57 47360 ----a-w- c:\documents and settings\USER\Application Data\pcouffin.sys
2009-09-21 16:12 . 2009-07-02 14:57 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-09-14 05:42 . 2009-08-12 21:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-11 10:15 . 2008-01-15 06:41 -------- d-----w- c:\program files\DivX
2009-09-10 18:54 . 2009-08-12 21:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-08-12 21:31 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-05 12:58 . 2002-01-01 05:12 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-09-02 04:08 . 2007-09-29 00:50 98800 ----a-w- c:\documents and settings\USER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-21 11:29 . 2009-08-21 11:29 4608 ----a-w- c:\windows\system32\w95inf32.dll
2009-08-21 11:29 . 2009-08-21 11:29 2272 ----a-w- c:\windows\system32\w95inf16.dll
2009-08-21 03:20 . 2009-08-21 03:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2009-08-17 23:55 . 2009-08-16 02:33 -------- d-----w- c:\program files\Voodoo
2009-08-17 07:13 . 2009-08-17 07:09 -------- d-----w- c:\documents and settings\USER\Application Data\Alien Skin
2009-08-15 17:14 . 2009-08-15 17:13 -------- d-----w- c:\program files\Common Files\Jasc Software Inc
2009-08-15 17:13 . 2009-08-15 17:13 -------- d-----w- c:\program files\Jasc Software Inc
2009-08-15 17:13 . 2009-08-15 17:13 -------- d-----w- c:\documents and settings\USER\Application Data\Jasc Software Inc
2009-08-13 05:03 . 2009-08-13 05:03 -------- d-----w- c:\documents and settings\USER\Application Data\Malwarebytes
2009-08-13 03:43 . 2009-08-13 03:43 -------- d-----w- c:\program files\Panda Security
2009-08-12 18:33 . 2009-08-12 18:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 01:52 . 2009-08-05 01:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard
2009-07-29 04:37 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-28 20:33 . 2009-07-05 22:34 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 09:14 . 2009-07-17 05:18 5 ----a-w- c:\windows\sbacknt.bin
2009-07-14 03:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 07:20 . 2009-07-09 07:10 21840 ----atw- c:\windows\system32\SIntfNT.dll
2009-07-09 07:20 . 2009-07-09 07:10 17212 ----atw- c:\windows\system32\SIntf32.dll
2009-07-09 07:20 . 2009-07-09 07:10 12067 ----atw- c:\windows\system32\SIntf16.dll
2009-07-03 17:09 . 2004-08-04 12:00 915456 ------w- c:\windows\system32\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="e:\ahead\InCD\InCD.exe" [2005-01-27 1381376]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Winter Fun Wallpaper Changer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Winter Fun Wallpaper Changer.lnk
backup=c:\windows\pss\Winter Fun Wallpaper Changer.lnkCommon Startup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"e:\\World of Warcraft\\Launcher.exe"=
"e:\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=
"e:\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"e:\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"e:\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"e:\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [9/29/2009 8:57 AM 28544]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/29/2009 9:20 AM 108289]
R3 CCCP106;CIF USB Camera (2110A);c:\windows\system32\drivers\cccp106.sys [6/11/2009 10:32 PM 227200]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [8/12/2009 5:32 PM 38224]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*Yahoo!
FF - ProfilePath - c:\documents and settings\USER\Application Data\Mozilla\Firefox\Profiles\6kt9e4fz.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - plugin: e:\quicktime\Plugins\npqtplugin.dll
FF - plugin: e:\quicktime\Plugins\npqtplugin2.dll
FF - plugin: e:\quicktime\Plugins\npqtplugin3.dll
FF - plugin: e:\quicktime\Plugins\npqtplugin4.dll
FF - plugin: e:\quicktime\Plugins\npqtplugin5.dll
FF - plugin: e:\quicktime\Plugins\npqtplugin6.dll
FF - plugin: e:\quicktime\Plugins\npqtplugin7.dll
FF - plugin: e:\quicktime\Plugins\npqtplugin8.dll
FF - plugin: e:\quicktime\Plugins\npqtplugin9.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-09-30 08:06
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(644)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(2644)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-30 8:08
ComboFix-quarantined-files.txt 2009-09-30 12:08
Pre-Run: 5,553,201,152 bytes free
Post-Run: 5,517,570,048 bytes free
177 --- E O F --- 2009-08-18 18:55
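The log above is raw tool output, so the practical question is how to read it quickly. The following is an added example (not ComboFix's code and not part of the posted log): a small parser for the three line shapes that appear in it (file listing rows, Run-key values, service rows) with a few triage rules run over an excerpt of the lines above. The field meanings it relies on are assumptions made for the example: the first timestamp is taken as creation time and the second as last write, the d/a/t flag letters as directory/archive/temporary, and the R/S prefix plus digit on service rows as running/stopped plus start type (0 = boot). Every hit is a candidate to verify by hand (signer, vendor, install history), not a verdict; in this particular log the flagged items (Avira and Panda drivers, Nero InCD on drive e:) all correspond to software the listing shows being installed.

```python
"""Parse ComboFix file, Run-key and service lines and apply triage rules.
Added example, not ComboFix's own code.  Assumed line shapes, read off the log:
  file:    <created> . <modified> <size|--------> <8 attr flags> <path>
  Run key: "<name>"="<command>" [<yyyy-mm-dd> <size>]
  service: <R0..S4> <name>;<display>;<image path> [<date> <size>]
Assumed meanings: first stamp = creation, second = last write; flags d/a/t =
directory/archive/temporary; R/S = running/stopped, digit = start type (0 = boot).
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

FILE_RE = re.compile(r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
                     r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) "
                     r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)" \[\d{4}-\d\d-\d\d \d+\]$')
SVC_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);[^;]*;(?P<path>.+?) \[[^\]]+\]$")


@dataclass
class FileEntry:
    created: datetime
    modified: datetime
    size: Optional[int]          # None for directory rows ("--------")
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_file_line(line: str) -> Optional[FileEntry]:
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return FileEntry(datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
                     datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
                     size, m["attrs"], m["path"].lower())


def parse_run_entry(line: str) -> Optional[tuple]:
    """(value name, lower-cased command) for a Run-key row, else None."""
    m = RUN_RE.match(line.strip())
    return (m["name"], m["cmd"].lower()) if m else None


def parse_service(line: str) -> Optional[tuple]:
    """(state+start code, service name, lower-cased image path) for a service row."""
    m = SVC_RE.match(line.strip())
    return (m["start"], m["name"], m["path"].lower()) if m else None


def triage(log_text: str, system_drive: str = "c:") -> dict:
    """Narrow the log to rows worth checking first; hits are leads, not verdicts."""
    files, runs, svcs = [], [], []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        if (f := parse_file_line(raw)) is not None:
            files.append(f)
        elif (r := parse_run_entry(raw)) is not None:
            runs.append(r)
        elif (s := parse_service(raw)) is not None:
            svcs.append(s)
    return {
        # kernel drivers that appeared inside the listing window
        "new_kernel_drivers": [f.path for f in files if not f.is_dir
                               and "\\drivers\\" in f.path and f.path.endswith(".sys")],
        # installed code under system32 does not normally carry the temporary flag
        "temp_attr_in_system32": [f.path for f in files
                                  if "t" in f.attrs and "\\system32\\" in f.path],
        # autostarts launched from a drive other than the system drive
        "run_entries_off_system_drive": [name for name, cmd in runs
                                         if not cmd.startswith(system_drive)],
        # boot-start drivers load before most defences; a rootkit favourite
        "boot_start_drivers": [name for start, name, _ in svcs if start == "R0"],
    }


# Constructed sample input: rows copied from the log above.
SAMPLE_LOG = r"""
2009-09-29 13:20 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-09-29 13:20 . 2009-09-29 13:20 -------- d-----w- c:\program files\Avira
2009-09-29 12:57 . 2008-06-19 21:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-07-09 07:20 . 2009-07-09 07:10 21840 ----atw- c:\windows\system32\SIntfNT.dll
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="e:\ahead\InCD\InCD.exe" [2005-01-27 1381376]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [9/29/2009 8:57 AM 28544]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [8/12/2009 5:32 PM 38224]
"""

if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_LOG).items():
        print(f"{rule}: {hits}")
```

Paths are lower-cased before matching so that rules are not defeated by mixed case; the `temp_attr_in_system32` rule is the one that fires on a file the log itself does not otherwise single out (SIntfNT.dll with the `t` flag), which is the kind of row a reviewer would otherwise scroll past.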