Virtumonde



dogslide21
2008-01-15, 13:30
Hi, this is the first time in a forum for me, so bear with me.
I have Spybot 1.5 and ran a scan. I found I have a Virtumonde virus. I have tried all the fixes on the net but it just don't want to go. I tried what you have in the description, 'is detected', but it won't work. When I fix it with the modem on it stops, and when I fix it without the modem on it works, but on a reboot and scan it's back again. HELP PLEASE.
Virtumonde: [SBI $050FD60A] Library (File, nothing done)
C:\WINDOWS\system32\vturs.dll


--- Spybot - Search & Destroy version: 1.5 (build: 20070830) ---

2007-08-31 blindman.exe (1.0.0.6)
2007-08-31 SDMain.exe (1.0.0.4)
2007-08-31 SDUpdate.exe (1.0.6.4)
2007-08-31 SDWinSec.exe (1.0.0.8)
2007-08-31 SpybotSD.exe (1.5.1.15)
2007-08-31 TeaTimer.exe (1.5.0.9)
2007-09-11 unins000.exe (51.46.0.0)
2007-08-31 Update.exe (1.4.0.5)
2007-08-31 advcheck.dll (1.5.3.0)
2007-04-02 aports.dll (2.1.0.0)
2007-04-02 DelZip179.dll (1.79.5.3)
2007-08-31 SDHelper.dll (1.5.0.8)
2007-08-31 Tools.dll (2.1.2.0)
2008-01-09 Includes\Cookies.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2008-01-09 Includes\DialerC.sbi (*)
2008-01-09 Includes\HeavyDuty.sbi (*)
2007-12-26 Includes\Hijackers.sbi (*)
2008-01-09 Includes\HijackersC.sbi (*)
2007-10-04 Includes\Keyloggers.sbi (*)
2008-01-09 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-01-09 Includes\Malware.sbi (*)
2008-01-09 Includes\MalwareC.sbi (*)
2007-10-24 Includes\PUPS.sbi (*)
2008-01-09 Includes\PUPSC.sbi (*)
2008-01-09 Includes\Revision.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-01-09 Includes\SecurityC.sbi (*)
2007-11-07 Includes\Spybots.sbi (*)
2008-01-09 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti
2007-12-12 Includes\Trojans.sbi (*)
2008-01-09 Includes\TrojansC.sbi (*)
2008-12-24 Plugins\TCPIPAddress.dll

Shaba
2008-01-16, 11:25
Hi dogslide21 and welcome to Safer Networking Forums :)

Click here (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to download HJTInstall.exe.
Save HJTInstall.exe to your desktop.
Double-click on the HJTInstall.exe icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis.
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch HijackThis.
Click on the "Do a system scan and save a logfile" button. It will scan and the log should open in Notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and paste the log in your next reply.
DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

dogslide21
2008-01-17, 01:43
Here is the HJT log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:52 AM, on 17/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS .EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:80
F3 - REG:win.ini: load=C:\WINDOWS\system32\vturs.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: {915947ef-4599-8e2a-1944-67ee482e32fa} - {af23e284-ee76-4491-a2e8-9954fe749519} - C:\WINDOWS\system32\smvrngeo.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Ashampoo AntiSpyWare Guard] C:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant .exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191633768828
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

--
End of file - 6944 bytes

Shaba
2008-01-17, 11:17
Hi

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double-click ComboFix.exe and follow the prompts.
3. When finished, it will produce a log for you (C:\ComboFix.txt). Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened, we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Post:

- a fresh HijackThis log
- combofix report

dogslide21
2008-01-17, 12:55
Here is the combofix log

ComboFix 08-01-11.3 - Andrew's 2008-01-17 22:01:50.4 - NTFSx86
Running from: C:\Documents and Settings\Andrew's\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\srutv.ini
C:\WINDOWS\system32\srutv.ini2
C:\WINDOWS\system32\vturs.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
.

2008-01-17 22:40 . 2008-01-17 22:40 326,144 --a------ C:\WINDOWS\system32\vturs.dll
2008-01-17 19:59 . 2008-01-17 19:59 <DIR> d-------- C:\Program Files\Sun
2008-01-17 19:58 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-17 19:06 . 2008-01-17 19:06 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-17 11:40 . 2008-01-17 11:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-16 18:32 . 2008-01-16 18:32 326,144 --a------ C:\WINDOWS\system32\vturs.dll_old
2008-01-16 18:29 . 2008-01-16 18:29 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-01-15 21:13 . 2008-01-15 21:13 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-15 17:07 . 2006-01-05 05:49 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-01-15 17:07 . 2006-01-05 06:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-01-14 11:59 . 2008-01-16 18:29 <DIR> d-------- C:\VundoFix Backups
2008-01-12 21:00 . 2008-01-12 21:00 680,960 --a------ C:\WINDOWS\isRS-000.tmp
2008-01-10 12:16 . 2008-01-17 22:40 174,592 --a------ C:\WINDOWS\system32\lexpps .exe
2008-01-09 12:09 . 2008-01-17 14:24 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-09 11:26 . 2008-01-09 11:26 <DIR> d-------- C:\Program Files\DVD Shrink
2008-01-06 14:07 . 2008-01-06 14:17 <DIR> d-------- C:\Program Files\UrbanTerror
2008-01-01 17:38 . 2008-01-01 17:38 <DIR> d-------- C:\Program Files\Paradox Entertainment
2007-12-21 15:22 . 2007-12-21 15:22 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2007-12-21 07:54 . 2005-04-27 08:42 104,593 --a------ C:\WINDOWS\system32\drivers\MPIXVID.SYS
2007-12-21 07:54 . 2004-06-29 01:16 25,575 --a------ C:\WINDOWS\system32\drivers\USBCamAT.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-17 11:39 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd6749.sys
2008-01-17 08:58 --------- d-----w C:\Program Files\Java
2008-01-17 03:23 --------- d-----w C:\Program Files\QuickTime
2008-01-17 03:23 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-01-17 00:09 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\uTorrent
2008-01-16 23:58 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\Vso
2008-01-16 08:03 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\LimeWire
2008-01-15 07:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Cast ping base frag
2008-01-12 13:24 --------- d-----w C:\Program Files\DivoCodec
2008-01-12 09:55 --------- d-----w C:\Program Files\DivX
2008-01-09 01:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-08 23:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-08 02:04 --------- d-----w C:\Program Files\Firefly Studios
2008-01-06 01:52 --------- d-----w C:\Program Files\WinISO
2008-01-06 01:52 --------- d-----w C:\Program Files\EGOSOFT
2007-12-21 23:03 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-12-21 23:03 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-21 23:03 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\SUPERAntiSpyware.com
2007-12-20 20:54 --------- d-----w C:\Program Files\Digital Camera
2007-12-16 10:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\vsosdk
2007-12-14 07:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-11 11:20 --------- d-----w C:\Program Files\MagicDisc
2007-12-11 10:06 --------- d-----w C:\Program Files\iSofter
2007-12-10 11:12 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\DivX
2007-12-10 10:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2007-12-10 10:30 --------- d-----w C:\Program Files\Elaborate Bytes
2007-11-29 22:30 43,528 ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-11-28 04:18 --------- d-----w C:\Program Files\SlySoft
2007-11-28 04:12 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\SlySoft
2007-11-28 04:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\SlySoft
2007-11-24 05:53 --------- d-----w C:\Program Files\Oberon Media
2007-11-24 05:44 --------- d-----w C:\Program Files\Google
2007-11-22 12:06 --------- d-----w C:\Program Files\LimeWire
2007-11-20 00:09 104,320 ----a-w C:\WINDOWS\system32\drivers\Rtnicxp.sys
2007-10-31 02:17 54,824 ----a-w C:\WINDOWS\agrsmdel.exe
2007-10-26 06:21 47,360 ----a-w C:\Documents and Settings\Andrew's\Application Data\pcouffin.sys
2007-06-01 11:46 2,608 ----a-w C:\Documents and Settings\Andrew's\Application Data\wklnhst.dat
2007-01-10 10:05 3,696 -c--a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
.

<pre>
----a-w 1,819,648 2008-01-13 04:16:09 C:\Documents and Settings\All Users\Application Data\Cast ping base frag\eggs okay .exe
----a-w 39,792 2008-01-17 03:24:03 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w 202,024 2008-01-13 04:16:08 C:\Program Files\Common Files\Nero\Lib\NMBgMonitor .exe
----a-w 185,632 2008-01-13 04:15:50 C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w 68,856 2008-01-17 11:47:48 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w 49,152 2008-01-15 23:19:41 C:\Program Files\Hp\HP Software Update\HPwuSchd2 .exe
----a-w 57,344 2008-01-17 11:47:43 C:\Program Files\Lexmark X1100 Series\lxbkbmgr .exe
----a-w 1,836,328 2008-01-13 04:16:00 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan .exe
----a-w 282,624 2008-01-15 23:19:44 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-15 23:19:03 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-15 23:07:16 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-15 21:36:36 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-15 08:02:23 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-15 06:35:45 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-15 04:49:26 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-15 03:37:58 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-15 00:44:26 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-17 11:48:09 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-17 03:23:18 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-17 00:11:39 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-16 23:18:06 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-16 06:15:29 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-16 02:47:21 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-13 23:49:45 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-13 03:28:43 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-12 14:00:34 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-12 11:01:38 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-12 08:24:27 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-12 07:25:07 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-12 06:58:22 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-12 05:45:44 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-12 03:50:58 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-12 02:36:07 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-11 12:08:22 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-11 01:12:53 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-10 09:41:31 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-10 03:51:59 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-10 01:40:44 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-10 01:25:12 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-10 01:15:25 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-10 01:09:13 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-10 00:14:52 C:\Program Files\QuickTime\qttask .exe
----a-w 347,136 2008-01-17 11:48:20 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 347,136 2008-01-17 03:23:21 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 208,952 2008-01-17 03:24:04 C:\WINDOWS\ime\imjp8_1\IMJPMIG .EXE
----a-w 15,360 2008-01-17 03:24:08 C:\WINDOWS\system32\ctfmon .exe
----a-w 174,592 2008-01-17 11:40:33 C:\WINDOWS\system32\lexpps .exe
----a-w 59,392 2008-01-10 01:41:06 C:\WINDOWS\system32\IME\PINTLGNT\ImScInst .exe
----a-w 455,168 2008-01-10 01:41:00 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP .EXE
</pre>


-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D755471-77E9-4477-B1AF-97CDB762F047}]
2008-01-17 22:40 326144 --a------ C:\WINDOWS\system32\vturs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{af23e284-ee76-4491-a2e8-9954fe749519}]
C:\WINDOWS\system32\smvrngeo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-17 14:23 426496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-17 14:23 370688]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 22:00 208952]
"PCDrProfiler"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2008-01-17 22:48 639488]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2008-01-17 14:23 398848]
"Ashampoo AntiSpyWare Guard"="C:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe" [ ]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant .exe" [2008-01-17 22:48 347136]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2008-01-17 22:48 478720]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\vturs.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\vturs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Base frag grid bows"=C:\Documents and Settings\All Users\Application Data\Cast ping base frag\eggs okay.exe

S3 bfastfao;bfastfao;C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\bfastfao.sys []
S3 BOCDRIVE;BOClean Kernel Monitor.;C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-11 03:02:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-09-14 01:31:06 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Hewlett-Packard\SDP\HPSdpApp.exef/remind /LaunchPoint reminder /App C:\Program Files\Hewlett-Packard\Easy Internet signup\StartEIS.aml
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 22:45:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\srutv.ini 319 bytes
C:\WINDOWS\system32\srutv.ini2 319 bytes
C:\WINDOWS\system32\vturs.exe 329728 bytes executable

scan completed successfully
hidden files: 3

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\Unlocker\UnlockerHook.dll
-> C:\WINDOWS\system32\vturs.dll
.
Completion time: 2008-01-17 22:52:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-17 11:52:08
ComboFix2.txt 2008-01-14 07:06:40
ComboFix3.txt 2008-01-12 08:30:06
ComboFix4.txt 2007-09-12 12:35:23
.
2008-01-09 00:09:23 --- E O F ---

Shaba
2008-01-17, 13:29
Hi

Please post also a fresh HijackThis log :)

dogslide21
2008-01-17, 14:15
Here is the new HJT log you asked for.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:21 AM, on 18/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS .EXE
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:80
F3 - REG:win.ini: load=C:\WINDOWS\system32\vturs.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Ashampoo AntiSpyWare Guard] C:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant .exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191633768828
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

--
End of file - 5968 bytes

Shaba
2008-01-17, 14:35
Hi

We will attempt to restore some startup items.

If that does not succeed, you will need to uninstall/reinstall the corresponding programs later.

Open Notepad and copy/paste the text in the quote box below into it:


RenV::
----a-w 39,792 2008-01-17 03:24:03 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w 202,024 2008-01-13 04:16:08 C:\Program Files\Common Files\Nero\Lib\NMBgMonitor .exe
----a-w 185,632 2008-01-13 04:15:50 C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w 68,856 2008-01-17 11:47:48 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w 49,152 2008-01-15 23:19:41 C:\Program Files\Hp\HP Software Update\HPwuSchd2 .exe
----a-w 57,344 2008-01-17 11:47:43 C:\Program Files\Lexmark X1100 Series\lxbkbmgr .exe
----a-w 1,836,328 2008-01-13 04:16:00 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan .exe
----a-w 282,624 2008-01-15 23:19:44 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-15 23:19:03 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-15 23:07:16 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-15 21:36:36 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-15 08:02:23 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-15 06:35:45 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-15 04:49:26 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-15 03:37:58 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-15 00:44:26 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-17 11:48:09 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-17 03:23:18 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-17 00:11:39 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-16 23:18:06 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-16 06:15:29 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-16 02:47:21 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-13 23:49:45 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-13 03:28:43 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-12 14:00:34 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-12 11:01:38 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-12 08:24:27 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-12 07:25:07 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-12 06:58:22 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-12 05:45:44 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-12 03:50:58 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-12 02:36:07 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-11 12:08:22 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-11 01:12:53 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-10 09:41:31 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-10 03:51:59 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-10 01:40:44 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-10 01:25:12 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-10 01:15:25 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-10 01:09:13 C:\Program Files\QuickTime\qttask .exe
----a-w 639,488 2008-01-10 00:14:52 C:\Program Files\QuickTime\qttask .exe
----a-w 347,136 2008-01-17 11:48:20 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 347,136 2008-01-17 03:23:21 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 208,952 2008-01-17 03:24:04 C:\WINDOWS\ime\imjp8_1\IMJPMIG .EXE
----a-w 15,360 2008-01-17 03:24:08 C:\WINDOWS\system32\ctfmon .exe
----a-w 174,592 2008-01-17 11:40:33 C:\WINDOWS\system32\lexpps .exe
----a-w 59,392 2008-01-10 01:41:06 C:\WINDOWS\system32\IME\PINTLGNT\ImScInst .exe
----a-w 455,168 2008-01-10 01:41:00 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP .EXE

Rootkit::
C:\WINDOWS\system32\srutv.ini
C:\WINDOWS\system32\srutv.ini2
C:\WINDOWS\system32\vturs.exe

File::
C:\WINDOWS\system32\vturs.dll
C:\WINDOWS\system32\vturs.dll_old
C:\WINDOWS\system32\smvrngeo.dll

Folder::
C:\Documents and Settings\All Users\Application Data\Cast ping base frag

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Base frag grid bows"=-

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D755471-77E9-4477-B1AF-97CDB762F047}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{af23e284-ee76-4491-a2e8-9954fe749519}]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00



Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any findstr, find, sed or swreg processes; ComboFix should then continue.
If that happens, we want to know, and also which process you had to end.

dogslide21
2008-01-18, 01:40
Here is the new ComboFix log.

ComboFix 08-01-11.3 - Andrew's 2008-01-18 11:17:39.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.42 [GMT 11:00]
Running from: C:\Documents and Settings\Andrew's\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Andrew's\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\smvrngeo.dll
C:\WINDOWS\system32\vturs.dll
C:\WINDOWS\system32\vturs.dll_old
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Cast ping base frag
C:\Documents and Settings\All Users\Application Data\Cast ping base frag\eggs okay .exe
C:\Documents and Settings\All Users\Application Data\Cast ping base frag\eggs okay.exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\srutv.ini
C:\WINDOWS\system32\srutv.ini2
C:\WINDOWS\system32\vturs.dll
C:\WINDOWS\system32\vturs.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))
.

2008-01-18 11:31 . 2008-01-18 11:31 319 --ahs---- C:\WINDOWS\system32\srutv.ini2
2008-01-17 19:59 . 2008-01-17 19:59 <DIR> d-------- C:\Program Files\Sun
2008-01-17 19:58 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-17 19:06 . 2008-01-17 19:06 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-17 11:40 . 2008-01-17 11:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-16 18:29 . 2008-01-16 18:29 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-01-15 21:13 . 2008-01-15 21:13 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-15 17:07 . 2006-01-05 05:49 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-01-15 17:07 . 2006-01-05 06:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-01-14 11:59 . 2008-01-16 18:29 <DIR> d-------- C:\VundoFix Backups
2008-01-12 21:00 . 2008-01-12 21:00 680,960 --a------ C:\WINDOWS\isRS-000.tmp
2008-01-10 12:15 . 2008-01-10 12:41 455,168 --a------ C:\WINDOWS\system32\dllcache\tintsetp.exe
2008-01-10 12:15 . 2008-01-17 14:24 208,952 --a------ C:\WINDOWS\system32\dllcache\imjpmig.exe
2008-01-10 12:15 . 2008-01-10 12:41 59,392 --a------ C:\WINDOWS\system32\dllcache\imscinst.exe
2008-01-09 12:09 . 2008-01-18 11:31 346,624 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-09 12:09 . 2008-01-18 11:08 15,360 --a------ C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-09 11:26 . 2008-01-09 11:26 <DIR> d-------- C:\Program Files\DVD Shrink
2008-01-06 14:07 . 2008-01-06 14:17 <DIR> d-------- C:\Program Files\UrbanTerror
2008-01-01 17:38 . 2008-01-01 17:38 <DIR> d-------- C:\Program Files\Paradox Entertainment
2007-12-21 15:22 . 2007-12-21 15:22 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2007-12-21 07:54 . 2005-04-27 08:42 104,593 --a------ C:\WINDOWS\system32\drivers\MPIXVID.SYS
2007-12-21 07:54 . 2004-06-29 01:16 25,575 --a------ C:\WINDOWS\system32\drivers\USBCamAT.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-18 00:31 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-01-18 00:29 --------- d-----w C:\Program Files\QuickTime
2008-01-17 11:39 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd6749.sys
2008-01-17 08:58 --------- d-----w C:\Program Files\Java
2008-01-17 00:09 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\uTorrent
2008-01-16 23:58 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\Vso
2008-01-16 08:03 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\LimeWire
2008-01-12 13:24 --------- d-----w C:\Program Files\DivoCodec
2008-01-12 09:55 --------- d-----w C:\Program Files\DivX
2008-01-09 01:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-08 23:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-08 02:04 --------- d-----w C:\Program Files\Firefly Studios
2008-01-06 01:52 --------- d-----w C:\Program Files\WinISO
2008-01-06 01:52 --------- d-----w C:\Program Files\EGOSOFT
2007-12-21 23:03 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-12-21 23:03 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-21 23:03 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\SUPERAntiSpyware.com
2007-12-20 20:54 --------- d-----w C:\Program Files\Digital Camera
2007-12-16 10:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\vsosdk
2007-12-14 07:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-11 11:20 --------- d-----w C:\Program Files\MagicDisc
2007-12-11 10:06 --------- d-----w C:\Program Files\iSofter
2007-12-10 11:12 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\DivX
2007-12-10 10:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2007-12-10 10:30 --------- d-----w C:\Program Files\Elaborate Bytes
2007-11-29 22:30 43,528 ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-11-28 04:18 --------- d-----w C:\Program Files\SlySoft
2007-11-28 04:12 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\SlySoft
2007-11-28 04:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\SlySoft
2007-11-24 05:53 --------- d-----w C:\Program Files\Oberon Media
2007-11-24 05:44 --------- d-----w C:\Program Files\Google
2007-11-22 12:06 --------- d-----w C:\Program Files\LimeWire
2007-11-20 00:09 104,320 ----a-w C:\WINDOWS\system32\drivers\Rtnicxp.sys
2007-10-31 02:17 54,824 ----a-w C:\WINDOWS\agrsmdel.exe
2007-10-26 06:21 47,360 ----a-w C:\Documents and Settings\Andrew's\Application Data\pcouffin.sys
2007-06-01 11:46 2,608 ----a-w C:\Documents and Settings\Andrew's\Application Data\wklnhst.dat
2007-01-10 10:05 3,696 -c--a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
.

<pre>
----a-w 39,792 2008-01-18 00:30:35 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w 68,856 2008-01-18 00:31:09 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w 144,784 2008-01-18 00:31:11 C:\Program Files\Java\jre1.6.0_04\bin\jusched .exe
----a-w 57,344 2008-01-18 00:30:38 C:\Program Files\Lexmark X1100 Series\lxbkbmgr .exe
----a-w 20,992 2008-01-18 00:31:35 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 347,136 2008-01-18 00:18:19 C:\Program Files\Unlocker\UnlockerAssistant .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-18 11:08 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-18 11:18 426496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-18 11:18 370688]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2008-01-17 14:24 208952]
"PCDrProfiler"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2008-01-18 11:18 398848]
"Ashampoo AntiSpyWare Guard"="C:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe" [ ]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant .exe" [2008-01-18 11:31 20992]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2008-01-18 11:08 478720]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\\WINDOWS\\system32\\vturs

S3 bfastfao;bfastfao;C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\bfastfao.sys []
S3 BOCDRIVE;BOClean Kernel Monitor.;C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-11 03:02:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-09-14 01:31:06 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Hewlett-Packard\SDP\HPSdpApp.exef/remind /LaunchPoint reminder /App C:\Program Files\Hewlett-Packard\Easy Internet signup\StartEIS.aml
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-18 11:31:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\vturs.dll
-> C:\Program Files\Unlocker\UnlockerHook.dll
.
Completion time: 2008-01-18 11:36:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-18 00:36:14
ComboFix2.txt 2008-01-17 11:52:15
ComboFix3.txt 2008-01-14 07:06:40
ComboFix4.txt 2008-01-12 08:30:06
ComboFix5.txt 2007-09-12 12:35:23
.
2008-01-09 00:09:23 --- E O F ---

dogslide21
2008-01-18, 01:41
Here is the new HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:50 AM, on 18/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr .exe
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched .exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Ashampoo AntiSpyWare Guard] C:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant .exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191633768828
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

--
End of file - 6609 bytes

dogslide21
2008-01-18, 01:45
An error keeps coming up after ComboFix:

RUNDLL
Error loading
the specified module could not be found.

dogslide21
2008-01-18, 06:39
Please disregard the last message; it is fine after a reboot.

Shaba
2008-01-18, 10:52
Hi

Better :)

Open Notepad and copy/paste the text in the quote box below into it:


File::
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched .exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr .exe
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\WINDOWS\system32\srutv.ini2

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any findstr, find, sed or swreg processes; ComboFix should then continue.
If that happens, we want to know, and also which process you had to end.
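
As an added example (not part of this thread, nor of ComboFix or HijackThis), here is a small Python triage helper that scans log lines like the ones posted above for the three indicators both CFScripts in this thread act on: executables whose name carries a space before the extension ("qttask .exe"), an LSA "Authentication Packages" list with anything beyond the default msv1_0, and a "load=" entry pointing at an executable. The sample lines are constructed from the logs in this thread, and the hex(7) decoder checks that the CFScript's Registry:: value really restores the default.

```python
"""Added triage helper (not part of this thread, ComboFix or HijackThis):
scan ComboFix / HijackThis log lines for the three Virtumonde persistence
indicators the CFScripts in this thread act on.
"""
import re
from typing import Dict, List

# Only authentication package a stock Windows XP install lists under
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa; the CFScript resets to this.
DEFAULT_AUTH_PACKAGES = ["msv1_0"]

# Constructed sample input: lines shaped like the logs quoted in this thread.
SAMPLE_LOG = r"""
----a-w 639,488 2008-01-15 23:19:03 C:\Program Files\QuickTime\qttask .exe
----a-w 15,360 2008-01-17 03:24:08 C:\WINDOWS\system32\ctfmon .exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\vturs
F3 - REG:win.ini: load=C:\WINDOWS\system32\vturs.exe
"load"=C:\WINDOWS\system32\vturs.exe
"""

# Indicator 1: a path whose file name carries a space right before the
# extension ("qttask .exe"), sitting beside the legitimate "qttask.exe".
SPACE_EXT_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*? \.(?:exe|dll|sys)\b', re.IGNORECASE)

# Indicator 2: ComboFix's rendering of the LSA Authentication Packages value.
AUTH_PKG_RE = re.compile(r"Authentication Packages\s+REG_MULTI_SZ\s+(.*)$")

# Indicator 3: a win.ini-style "load=" entry (HJT F3 line or the registry
# "load" value) pointing at an executable.
LOAD_RE = re.compile(r'\bload"?=\s*"?([A-Za-z]:\\[^"\r\n]+)', re.IGNORECASE)


def decode_reg_multi_sz_hex(value: str) -> List[str]:
    """Decode a REGEDIT4 'hex(7):..' REG_MULTI_SZ value into its strings.

    REGEDIT4 scripts are ANSI, so each byte is one character; the list ends
    with an extra NUL, which appears as trailing empty strings we drop.
    """
    prefix = "hex(7):"
    if not value.lower().startswith(prefix):
        raise ValueError("not a hex(7) value: %r" % value)
    raw = bytes(int(b, 16) for b in value[len(prefix):].split(",") if b.strip())
    return [s for s in raw.decode("latin-1").split("\x00") if s]


def is_default_auth_packages(packages: List[str]) -> bool:
    """True when the package list is exactly the XP default (msv1_0 only)."""
    return [p.lower() for p in packages] == DEFAULT_AUTH_PACKAGES


def triage(log_text: str) -> Dict[str, List[str]]:
    """Return unique indicator hits per category, in order of first sight."""
    hits: Dict[str, List[str]] = {"space_before_ext": [], "auth_packages_extra": [], "load": []}
    for line in log_text.splitlines():
        for m in SPACE_EXT_RE.finditer(line):
            hits["space_before_ext"].append(m.group(0))
        m = AUTH_PKG_RE.search(line)
        if m:
            # Anything beyond msv1_0 is a DLL that LSA loads at boot.
            hits["auth_packages_extra"].extend(
                p for p in m.group(1).split() if p.lower() not in DEFAULT_AUTH_PACKAGES)
        m = LOAD_RE.search(line)
        if m:
            hits["load"].append(m.group(1))
    return {k: list(dict.fromkeys(v)) for k, v in hits.items()}


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print("   ", item)
    # The Registry:: line of the CFScript above restores exactly the default.
    restored = decode_reg_multi_sz_hex("hex(7):6d,73,76,31,5f,30,00,00")
    print("CFScript restores:", restored, "default:", is_default_auth_packages(restored))
```

Paste a full ComboFix or HijackThis log into `triage()` to get the same three lists for a real machine; an empty result for all three is what a clean follow-up log should look like.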

dogslide21
2008-01-18, 12:21
Here is the new ComboFix log.

ComboFix 08-01-11.3 - Andrew's 2008-01-18 21:30:55.6 - NTFSx86
Running from: C:\Documents and Settings\Andrew's\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Andrew's\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched .exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr .exe
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\WINDOWS\system32\srutv.ini2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched .exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr .exe
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\WINDOWS\system32\srutv.ini
C:\WINDOWS\system32\srutv.ini2
C:\WINDOWS\system32\vturs.dll
C:\WINDOWS\system32\vturs.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))
.

2008-01-17 19:59 . 2008-01-17 19:59 <DIR> d-------- C:\Program Files\Sun
2008-01-17 19:58 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-17 19:06 . 2008-01-17 19:06 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-17 11:40 . 2008-01-17 11:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-16 18:29 . 2008-01-16 18:29 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-01-15 21:13 . 2008-01-15 21:13 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-15 17:07 . 2006-01-05 05:49 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-01-15 17:07 . 2006-01-05 06:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-01-14 11:59 . 2008-01-16 18:29 <DIR> d-------- C:\VundoFix Backups
2008-01-12 21:00 . 2008-01-12 21:00 680,960 --a------ C:\WINDOWS\isRS-000.tmp
2008-01-10 12:15 . 2008-01-10 12:41 455,168 --a------ C:\WINDOWS\system32\dllcache\tintsetp.exe
2008-01-10 12:15 . 2008-01-17 14:24 208,952 --a------ C:\WINDOWS\system32\dllcache\imjpmig.exe
2008-01-10 12:15 . 2008-01-10 12:41 59,392 --a------ C:\WINDOWS\system32\dllcache\imscinst.exe
2008-01-09 12:09 . 2008-01-18 11:08 15,360 --a------ C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-09 12:09 . 2008-01-18 22:00 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-09 11:26 . 2008-01-09 11:26 <DIR> d-------- C:\Program Files\DVD Shrink
2008-01-06 14:07 . 2008-01-06 14:17 <DIR> d-------- C:\Program Files\UrbanTerror
2008-01-01 17:38 . 2008-01-01 17:38 <DIR> d-------- C:\Program Files\Paradox Entertainment
2007-12-21 15:22 . 2007-12-21 15:22 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2007-12-21 07:54 . 2005-04-27 08:42 104,593 --a------ C:\WINDOWS\system32\drivers\MPIXVID.SYS
2007-12-21 07:54 . 2004-06-29 01:16 25,575 --a------ C:\WINDOWS\system32\drivers\USBCamAT.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-18 11:00 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-01-18 00:29 --------- d-----w C:\Program Files\QuickTime
2008-01-17 11:39 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd6749.sys
2008-01-17 08:58 --------- d-----w C:\Program Files\Java
2008-01-17 00:09 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\uTorrent
2008-01-16 23:58 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\Vso
2008-01-16 08:03 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\LimeWire
2008-01-12 13:24 --------- d-----w C:\Program Files\DivoCodec
2008-01-12 09:55 --------- d-----w C:\Program Files\DivX
2008-01-09 01:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-08 23:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-08 02:04 --------- d-----w C:\Program Files\Firefly Studios
2008-01-06 01:52 --------- d-----w C:\Program Files\WinISO
2008-01-06 01:52 --------- d-----w C:\Program Files\EGOSOFT
2007-12-21 23:03 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-12-21 23:03 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-21 23:03 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\SUPERAntiSpyware.com
2007-12-20 20:54 --------- d-----w C:\Program Files\Digital Camera
2007-12-16 10:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\vsosdk
2007-12-14 07:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-11 11:20 --------- d-----w C:\Program Files\MagicDisc
2007-12-11 10:06 --------- d-----w C:\Program Files\iSofter
2007-12-10 11:12 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\DivX
2007-12-10 10:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2007-12-10 10:30 --------- d-----w C:\Program Files\Elaborate Bytes
2007-11-29 22:30 43,528 ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-11-28 04:18 --------- d-----w C:\Program Files\SlySoft
2007-11-28 04:12 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\SlySoft
2007-11-28 04:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\SlySoft
2007-11-24 05:53 --------- d-----w C:\Program Files\Oberon Media
2007-11-24 05:44 --------- d-----w C:\Program Files\Google
2007-11-22 12:06 --------- d-----w C:\Program Files\LimeWire
2007-11-20 00:09 104,320 ----a-w C:\WINDOWS\system32\drivers\Rtnicxp.sys
2007-10-31 02:17 54,824 ----a-w C:\WINDOWS\agrsmdel.exe
2007-10-26 06:21 47,360 ----a-w C:\Documents and Settings\Andrew's\Application Data\pcouffin.sys
2007-06-01 11:46 2,608 ----a-w C:\Documents and Settings\Andrew's\Application Data\wklnhst.dat
2007-01-10 10:05 3,696 -c--a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
.

<pre>
----a-w 39,792 2008-01-18 11:00:14 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w 68,856 2008-01-18 11:00:19 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w 144,784 2008-01-18 11:00:19 C:\Program Files\Java\jre1.6.0_04\bin\jusched .exe
----a-w 57,344 2008-01-18 11:00:18 C:\Program Files\Lexmark X1100 Series\lxbkbmgr .exe
----a-w 347,136 2008-01-18 11:00:48 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 347,136 2008-01-18 10:32:14 C:\Program Files\Unlocker\UnlockerAssistant .exe
</pre>


((((((((((((((((((((((((((((( snapshot@2008-01-18_11.35.50.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-18 00:15:38 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-18 10:30:31 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-18 00:15:38 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-18 10:30:31 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-18 00:15:38 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-18 10:30:31 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-18 00:15:38 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-18 10:30:32 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-18 00:15:38 6,127,616 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-18 10:30:32 6,127,616 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-18 00:15:38 274,432 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-18 10:30:32 274,432 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-17 03:24:04 208,952 ----a-w C:\WINDOWS\ime\imjp8_1\imjpmig.exe
+ 2008-01-18 11:00:38 540,160 ----a-w C:\WINDOWS\ime\imjp8_1\IMJPMIG.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40A871FE-BCDB-4101-9373-16EB16586370}]
2008-01-18 22:00 326144 --a------ C:\WINDOWS\system32\vturs.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-18 11:08 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-18 11:18 426496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-18 21:31 370688]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2008-01-17 14:24 208952]
"PCDrProfiler"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2008-01-18 11:18 398848]
"Ashampoo AntiSpyWare Guard"="C:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe" [ ]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant .exe" [2008-01-18 22:00 347136]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2008-01-18 11:08 478720]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\vturs.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\vturs

S3 bfastfao;bfastfao;C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\bfastfao.sys []
S3 BOCDRIVE;BOClean Kernel Monitor.;C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-18 03:02:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-09-14 01:31:06 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Hewlett-Packard\SDP\HPSdpApp.exef/remind /LaunchPoint reminder /App C:\Program Files\Hewlett-Packard\Easy Internet signup\StartEIS.aml
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-18 22:00:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\vturs.dll
-> C:\Program Files\Unlocker\UnlockerHook.dll
.
Completion time: 2008-01-18 22:06:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-18 11:06:11
ComboFix2.txt 2008-01-18 00:36:19
ComboFix3.txt 2008-01-17 11:52:15
ComboFix4.txt 2008-01-14 07:06:40
ComboFix5.txt 2008-01-12 08:30:06
.
2008-01-09 00:09:23 --- E O F ---

dogslide21
2008-01-18, 12:22
Here is the new HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13:11 PM, on 18/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr .exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:80
F3 - REG:win.ini: load=C:\WINDOWS\system32\vturs.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Ashampoo AntiSpyWare Guard] C:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant .exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191633768828
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

--
End of file - 5937 bytes

Shaba
2008-01-18, 12:30
Hi

Rename HijackThis.exe to dogslide.exe

Uninstall via Add/Remove Programs (you can re-install them from clean copies, i.e. from the internet, once you're clean):

Adobe Reader 8.0
GoogleToolbarNotifier
Unlocker
Java Runtime Environment 6 update 4

Open notepad and copy/paste the text in the quotebox below into it:


File::
C:\WINDOWS\system32\vturs.dll
C:\WINDOWS\system32\vturs.exe

Folder::
C:\Program Files\Adobe\Reader 8.0
C:\Program Files\Google\GoogleToolbarNotifier
C:\Program Files\Java\jre1.6.0_04
C:\Program Files\Unlocker

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40A871FE-BCDB-4101-9373-16EB16586370}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"=-
"Lexmark X1100 Series"=-
"UnlockerAssistant"=-
"SunJavaUpdateSched"=-

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes named findstr, find, sed or swreg; ComboFix should then continue.
If that happens we want to know, and also which process you had to end.
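Added example, not part of the thread and not ComboFix's or the helper's own code: the Registry:: block in the script above resets the LSA "Authentication Packages" value with a REGEDIT4 hex(7) literal, and the earlier ComboFix dump showed that value as "msv1_0 C:\WINDOWS\system32\vturs", i.e. the vturs DLL appended to the list of packages LSASS loads at boot (which is why the file kept coming back after a reboot and could not be deleted while loaded). The Python below decodes and encodes the hex(7) REG_MULTI_SZ form so the literal can be verified before it is run, parses the ComboFix dump line, and reports entries beyond the Windows XP default. Assumptions: the REGEDIT4 hex(7) bytes are 8-bit ANSI (a "Windows Registry Editor Version 5.00" file would encode the same value as UTF-16LE), msv1_0 is the only legitimate package on this machine, and the sample strings are constructed from the thread's logs rather than read from a live registry. The function and constant names are the example's own.

```python
"""Decode/encode the REGEDIT4 hex(7) form of a REG_MULTI_SZ and check the
LSA 'Authentication Packages' value against the Windows XP default.

Added example for this thread (not ComboFix's or the helper's code).
Assumptions: hex(7) bytes are 8-bit ANSI (REGEDIT4), and msv1_0 is the
only legitimate authentication package on this machine.
"""
from __future__ import annotations

import re

# XP default; assumption: no legitimate third-party authentication package installed.
DEFAULT_AUTH_PACKAGES = ["msv1_0"]

_HEX7_RE = re.compile(r"hex\(7\):((?:[0-9a-f]{2},)*[0-9a-f]{2})", re.IGNORECASE)


def decode_hex7(literal: str, encoding: str = "latin-1") -> list[str]:
    """Turn 'hex(7):6d,73,...,00,00' (optionally prefixed with '"name"=' and
    containing backslash-newline continuations) into the strings it encodes."""
    text = literal.replace("\\\r\n", "").replace("\\\n", "")
    text = re.sub(r"\s+", "", text)
    if text.startswith('"') and "=" in text:
        text = text.split("=", 1)[1]          # drop the '"Value Name"=' part
    m = _HEX7_RE.fullmatch(text)
    if not m:
        raise ValueError(f"not a hex(7) literal: {literal!r}")
    raw = bytes(int(b, 16) for b in m.group(1).split(","))
    # Each string is NUL-terminated and the list ends with an extra NUL,
    # so splitting on NUL and dropping empties recovers the entries.
    return [s for s in raw.decode(encoding).split("\x00") if s]


def encode_hex7(strings: list[str], encoding: str = "latin-1") -> str:
    """Inverse of decode_hex7: the literal a CFScript or .reg file needs."""
    raw = b"".join(s.encode(encoding) + b"\x00" for s in strings) + b"\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def parse_combofix_lsa_line(line: str) -> list[str]:
    """Parse ComboFix's 'Authentication Packages REG_MULTI_SZ msv1_0 ...' line.
    ComboFix prints the entries space-separated, so an entry that itself
    contains a space cannot be recovered unambiguously from this line."""
    m = re.match(r"\s*Authentication Packages\s+REG_MULTI_SZ\s*(.*?)\s*$", line)
    if not m:
        raise ValueError(f"not an Authentication Packages dump line: {line!r}")
    return m.group(1).split()


def suspicious_auth_packages(packages: list[str],
                             baseline: list[str] = DEFAULT_AUTH_PACKAGES) -> list[str]:
    """Entries not in the baseline (registry names are case-insensitive)."""
    allowed = {p.lower() for p in baseline}
    return [p for p in packages if p.lower() not in allowed]


if __name__ == "__main__":
    # Constructed from the thread's ComboFix output, not read from a live registry.
    infected = parse_combofix_lsa_line(
        "Authentication Packages REG_MULTI_SZ msv1_0 C:\\WINDOWS\\system32\\vturs")
    print("extra packages:", suspicious_auth_packages(infected))
    print("CFScript resets the value to:",
          decode_hex7('"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00'))
    print("literal for the default:", encode_hex7(DEFAULT_AUTH_PACKAGES))
```

The round trip is the point: decoding the script's literal yields only msv1_0, so running it removes the vturs entry and nothing else. The "load"=- line in the same script blanks the second loading point the dump showed (the Windows\load value, mirrored from win.ini), which is a plain REG_SZ and needs no decoding.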

dogslide21
2008-01-19, 00:29
Here is the new ComboFix log.

ComboFix 08-01-11.3 - Andrew's 2008-01-19 10:07:47.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.43 [GMT 11:00]
Running from: C:\Documents and Settings\Andrew's\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Andrew's\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\vturs.dll
C:\WINDOWS\system32\vturs.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Adobe\Reader 8.0
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\Program Files\Google\GoogleToolbarNotifier
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Unlocker
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\Program Files\Unlocker\UnlockerHook.dll
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\srutv.ini
C:\WINDOWS\system32\srutv.ini2
C:\WINDOWS\system32\vturs.dll
C:\WINDOWS\system32\vturs.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))
.

2008-01-19 09:45 . 2008-01-19 10:05 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-17 19:59 . 2008-01-17 19:59 <DIR> d-------- C:\Program Files\Sun
2008-01-17 11:40 . 2008-01-17 11:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-16 18:29 . 2008-01-16 18:29 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-01-15 21:13 . 2008-01-15 21:13 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-15 17:07 . 2006-01-05 05:49 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-01-15 17:07 . 2006-01-05 06:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-01-14 11:59 . 2008-01-16 18:29 <DIR> d-------- C:\VundoFix Backups
2008-01-12 21:00 . 2008-01-12 21:00 680,960 --a------ C:\WINDOWS\isRS-000.tmp
2008-01-10 12:15 . 2008-01-10 12:41 455,168 --a------ C:\WINDOWS\system32\dllcache\tintsetp.exe
2008-01-10 12:15 . 2008-01-17 14:24 208,952 --a------ C:\WINDOWS\system32\dllcache\imjpmig.exe
2008-01-10 12:15 . 2008-01-10 12:41 59,392 --a------ C:\WINDOWS\system32\dllcache\imscinst.exe
2008-01-09 12:09 . 2008-01-18 11:08 15,360 --a------ C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-09 12:09 . 2008-01-18 11:08 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-09 11:26 . 2008-01-09 11:26 <DIR> d-------- C:\Program Files\DVD Shrink
2008-01-06 14:07 . 2008-01-06 14:17 <DIR> d-------- C:\Program Files\UrbanTerror
2008-01-01 17:38 . 2008-01-01 17:38 <DIR> d-------- C:\Program Files\Paradox Entertainment
2007-12-21 15:22 . 2007-12-21 15:22 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2007-12-21 07:54 . 2005-04-27 08:42 104,593 --a------ C:\WINDOWS\system32\drivers\MPIXVID.SYS
2007-12-21 07:54 . 2004-06-29 01:16 25,575 --a------ C:\WINDOWS\system32\drivers\USBCamAT.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-18 23:15 --------- d-----w C:\Program Files\Google
2008-01-18 23:08 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-01-18 22:57 --------- d-----w C:\Program Files\Java
2008-01-18 22:52 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-18 00:29 --------- d-----w C:\Program Files\QuickTime
2008-01-17 11:39 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd6749.sys
2008-01-17 00:09 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\uTorrent
2008-01-16 23:58 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\Vso
2008-01-16 08:03 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\LimeWire
2008-01-12 13:24 --------- d-----w C:\Program Files\DivoCodec
2008-01-12 09:55 --------- d-----w C:\Program Files\DivX
2008-01-09 01:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-08 23:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-08 02:04 --------- d-----w C:\Program Files\Firefly Studios
2008-01-06 01:52 --------- d-----w C:\Program Files\WinISO
2008-01-06 01:52 --------- d-----w C:\Program Files\EGOSOFT
2007-12-21 23:03 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-12-21 23:03 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-21 23:03 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\SUPERAntiSpyware.com
2007-12-20 20:54 --------- d-----w C:\Program Files\Digital Camera
2007-12-16 10:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\vsosdk
2007-12-14 07:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-11 11:20 --------- d-----w C:\Program Files\MagicDisc
2007-12-11 10:06 --------- d-----w C:\Program Files\iSofter
2007-12-10 11:12 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\DivX
2007-12-10 10:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2007-12-10 10:30 --------- d-----w C:\Program Files\Elaborate Bytes
2007-11-29 22:30 43,528 ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-11-28 04:18 --------- d-----w C:\Program Files\SlySoft
2007-11-28 04:12 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\SlySoft
2007-11-28 04:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\SlySoft
2007-11-24 05:53 --------- d-----w C:\Program Files\Oberon Media
2007-11-22 12:06 --------- d-----w C:\Program Files\LimeWire
2007-11-20 00:09 104,320 ----a-w C:\WINDOWS\system32\drivers\Rtnicxp.sys
2007-10-31 02:17 54,824 ----a-w C:\WINDOWS\agrsmdel.exe
2007-10-26 06:21 47,360 ----a-w C:\Documents and Settings\Andrew's\Application Data\pcouffin.sys
2007-06-01 11:46 2,608 ----a-w C:\Documents and Settings\Andrew's\Application Data\wklnhst.dat
2007-01-10 10:05 3,696 -c--a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
.

----a-w 57,344 2008-01-18 23:05:24 C:\Program Files\Lexmark X1100 Series\lxbkbmgr .exe
----a-w 208,952 2008-01-18 23:05:22 C:\WINDOWS\ime\imjp8_1\IMJPMIG .EXE
----a-w 15,360 2008-01-18 23:05:24 C:\WINDOWS\system32\ctfmon .exe


((((((((((((((((((((((((((((( snapshot@2008-01-18_11.35.50.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-18 00:15:38 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-18 23:07:18 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-18 00:15:38 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-18 23:07:18 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-18 00:15:38 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-18 23:07:18 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-18 00:15:38 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-18 23:07:18 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-18 00:15:38 6,127,616 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-18 23:07:19 6,127,616 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-18 00:15:38 274,432 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-18 23:07:19 274,432 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-18 11:08 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2008-01-17 14:24 208952]
"PCDrProfiler"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"Ashampoo AntiSpyWare Guard"="C:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe" [ ]

S3 bfastfao;bfastfao;C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\bfastfao.sys []
S3 BOCDRIVE;BOClean Kernel Monitor.;C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-18 03:02:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-09-14 01:31:06 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Hewlett-Packard\SDP\HPSdpApp.exef/remind /LaunchPoint reminder /App C:\Program Files\Hewlett-Packard\Easy Internet signup\StartEIS.aml
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-19 10:20:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-19 10:24:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-18 23:24:09
ComboFix2.txt 2008-01-18 11:06:16
ComboFix3.txt 2008-01-18 00:36:19
ComboFix4.txt 2008-01-17 11:52:15
ComboFix5.txt 2008-01-14 07:06:40
.
2008-01-09 00:09:23 --- E O F ---

dogslide21
2008-01-19, 00:30
Here is the new HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:55 AM, on 19/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\Trend Micro\HijackThis\dogslide.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:80
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [Ashampoo AntiSpyWare Guard] C:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191633768828
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

--
End of file - 4630 bytes

Shaba
2008-01-19, 11:15
Hi

Open notepad and copy/paste the text in the quotebox below into it:


File::
C:\Program Files\Lexmark X1100 Series\lxbkbmgr .exe
C:\WINDOWS\ime\imjp8_1\IMJPMIG .EXE
C:\WINDOWS\system32\ctfmon .exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"=-


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes named findstr, find, sed or swreg; ComboFix should then continue.
If that happens we want to know, and also which process you had to end.
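Added example, not the helper's or ComboFix's code: the File:: block above deletes "lxbkbmgr .exe", "IMJPMIG .EXE" and "ctfmon .exe", three files whose names carry a space just before the extension, and the earlier HijackThis log listed "UnlockerAssistant .exe" running alongside the normally named "UnlockerAssistant.exe". The Python below pulls such names out of a HijackThis or ComboFix listing and pairs each with the path it shadows, so the pair can be compared by hash and signature rather than trusted by name. The sample lines are constructed from the thread's logs, the path regex is an assumption about the two tools' listing formats, and the function names are the example's own.

```python
"""Find file names with whitespace right before the extension in
HijackThis / ComboFix listings and pair each with the path it shadows.

Added example for this thread, not the helper's or ComboFix's code.
The sample lines are constructed from the thread's logs; the regex is an
assumption about the listing formats.
"""
from __future__ import annotations

import re

# Constructed from the thread's logs (not a complete log).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
----a-w 15,360 2008-01-18 23:05:24 C:\WINDOWS\system32\ctfmon .exe
"""

# A drive-letter path up to the first .exe/.dll/.sys extension on the line.
_PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys)\b', re.IGNORECASE)


def paths_in(text: str) -> list[str]:
    """Every executable/DLL/driver path found in the listing, in order."""
    return _PATH_RE.findall(text)


def split_odd_name(path: str) -> str | None:
    """If the basename has whitespace before its extension, return the
    normally spelled path it shadows; otherwise None."""
    directory, _, base = path.rpartition("\\")
    stem, _, ext = base.rpartition(".")
    if stem and stem != stem.rstrip():
        return f"{directory}\\{stem.rstrip()}.{ext}"
    return None


def odd_extension_report(text: str) -> list[tuple[str, str, bool]]:
    """(as_seen, shadowed_path, shadowed_path_also_listed) per odd name,
    in first-seen order, each odd path reported once."""
    seen = {p.lower() for p in paths_in(text)}
    out: list[tuple[str, str, bool]] = []
    done: set[str] = set()
    for path in paths_in(text):
        clean = split_odd_name(path)
        if clean and path.lower() not in done:
            done.add(path.lower())
            out.append((path, clean, clean.lower() in seen))
    return out


if __name__ == "__main__":
    for odd, clean, twin_listed in odd_extension_report(SAMPLE_LOG):
        print(f"{odd!r} shadows {clean!r}; legit twin also listed: {twin_listed}")
```

A hit whose twin is also listed (ctfmon, UnlockerAssistant in the sample) is the case from the thread: two processes with near-identical names running side by side. A hit with no twin (qttask in the sample) may simply mean the legitimate file was not in the lines you fed in, so check the directory on disk before drawing conclusions.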

dogslide21
2008-01-19, 22:25
Here is the new ComboFix log.

ComboFix 08-01-11.3 - Andrew's 2008-01-20 8:12:00.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.47 [GMT 11:00]
Running from: C:\Documents and Settings\Andrew's\Desktop\ComboFix.exe
Command switches used :: C:\Program Files\Trend Micro\HijackThis\CFScript.txt
* Created a new restore point

FILE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr .exe
C:\WINDOWS\ime\imjp8_1\IMJPMIG .EXE
C:\WINDOWS\system32\ctfmon .exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Lexmark X1100 Series\lxbkbmgr .exe
C:\WINDOWS\ime\imjp8_1\IMJPMIG .EXE
C:\WINDOWS\system32\ctfmon .exe

.
((((((((((((((((((((((((( Files Created from 2007-12-19 to 2008-01-19 )))))))))))))))))))))))))))))))
.

2008-01-17 19:59 . 2008-01-17 19:59 <DIR> d-------- C:\Program Files\Sun
2008-01-17 11:40 . 2008-01-17 11:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-16 18:29 . 2008-01-16 18:29 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-01-15 21:13 . 2008-01-15 21:13 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-15 17:07 . 2006-01-05 05:49 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-01-15 17:07 . 2006-01-05 06:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-01-14 11:59 . 2008-01-16 18:29 <DIR> d-------- C:\VundoFix Backups
2008-01-12 21:00 . 2008-01-12 21:00 680,960 --a------ C:\WINDOWS\isRS-000.tmp
2008-01-10 12:15 . 2008-01-10 12:41 455,168 --a------ C:\WINDOWS\system32\dllcache\tintsetp.exe
2008-01-10 12:15 . 2008-01-17 14:24 208,952 --a------ C:\WINDOWS\system32\dllcache\imjpmig.exe
2008-01-10 12:15 . 2008-01-10 12:41 59,392 --a------ C:\WINDOWS\system32\dllcache\imscinst.exe
2008-01-09 12:09 . 2008-01-18 11:08 15,360 --a------ C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-09 12:09 . 2008-01-18 11:08 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-09 11:26 . 2008-01-09 11:26 <DIR> d-------- C:\Program Files\DVD Shrink
2008-01-06 14:07 . 2008-01-06 14:17 <DIR> d-------- C:\Program Files\UrbanTerror
2008-01-01 17:38 . 2008-01-01 17:38 <DIR> d-------- C:\Program Files\Paradox Entertainment
2007-12-21 15:22 . 2007-12-21 15:22 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2007-12-21 07:54 . 2005-04-27 08:42 104,593 --a------ C:\WINDOWS\system32\drivers\MPIXVID.SYS
2007-12-21 07:54 . 2004-06-29 01:16 25,575 --a------ C:\WINDOWS\system32\drivers\USBCamAT.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-19 21:17 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-01-18 23:15 --------- d-----w C:\Program Files\Google
2008-01-18 22:57 --------- d-----w C:\Program Files\Java
2008-01-18 22:52 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-18 00:29 --------- d-----w C:\Program Files\QuickTime
2008-01-18 00:07 174,592 ----a-w C:\WINDOWS\system32\lexpps.exe
2008-01-17 11:39 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd6749.sys
2008-01-17 00:09 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\uTorrent
2008-01-16 23:58 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\Vso
2008-01-16 08:03 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\LimeWire
2008-01-12 13:24 --------- d-----w C:\Program Files\DivoCodec
2008-01-12 09:55 --------- d-----w C:\Program Files\DivX
2008-01-09 01:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-08 23:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-08 02:04 --------- d-----w C:\Program Files\Firefly Studios
2008-01-06 01:52 --------- d-----w C:\Program Files\WinISO
2008-01-06 01:52 --------- d-----w C:\Program Files\EGOSOFT
2007-12-21 23:03 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-12-21 23:03 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-21 23:03 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\SUPERAntiSpyware.com
2007-12-20 20:54 --------- d-----w C:\Program Files\Digital Camera
2007-12-16 10:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\vsosdk
2007-12-14 07:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-11 11:20 --------- d-----w C:\Program Files\MagicDisc
2007-12-11 10:06 --------- d-----w C:\Program Files\iSofter
2007-12-10 11:12 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\DivX
2007-12-10 10:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2007-12-10 10:30 --------- d-----w C:\Program Files\Elaborate Bytes
2007-11-29 22:30 43,528 ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-11-29 22:30 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2007-11-29 22:30 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2007-11-29 22:30 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2007-11-28 21:55 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-11-28 04:18 --------- d-----w C:\Program Files\SlySoft
2007-11-28 04:12 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\SlySoft
2007-11-28 04:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\SlySoft
2007-11-24 05:53 --------- d-----w C:\Program Files\Oberon Media
2007-11-22 12:06 --------- d-----w C:\Program Files\LimeWire
2007-11-20 00:09 104,320 ----a-w C:\WINDOWS\system32\drivers\Rtnicxp.sys
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-31 02:17 54,824 ----a-w C:\WINDOWS\agrsmdel.exe
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-30 17:20 360,064 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-29 00:15 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-10-27 06:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 06:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 06:21 47,360 ----a-w C:\Documents and Settings\Andrew's\Application Data\pcouffin.sys
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-23 14:47 96,760 ----a-w C:\WINDOWS\system32\dfshim.dll
2007-10-23 14:47 84,480 ----a-w C:\WINDOWS\system32\mscories.dll
2007-10-23 14:47 282,112 ----a-w C:\WINDOWS\system32\mscoree.dll
2007-10-23 14:47 158,720 ----a-w C:\WINDOWS\system32\mscorier.dll
2007-06-01 11:46 2,608 ----a-w C:\Documents and Settings\Andrew's\Application Data\wklnhst.dat
2007-01-10 10:05 3,696 -c--a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( snapshot@2008-01-18_11.35.50.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-18 00:15:38 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-19 21:11:36 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-18 00:15:38 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-19 21:11:36 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-18 00:15:38 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-19 21:11:36 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-18 00:15:38 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-19 21:11:37 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-18 00:15:38 6,127,616 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-19 21:11:37 6,127,616 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-18 00:15:38 274,432 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-19 21:11:37 274,432 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-18 11:08 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCDrProfiler"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"Ashampoo AntiSpyWare Guard"="C:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe" [ ]

S3 bfastfao;bfastfao;C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\bfastfao.sys []
S3 BOCDRIVE;BOClean Kernel Monitor.;C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-18 03:02:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-09-14 01:31:06 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Hewlett-Packard\SDP\HPSdpApp.exef/remind /LaunchPoint reminder /App C:\Program Files\Hewlett-Packard\Easy Internet signup\StartEIS.aml
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-20 08:18:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-20 8:20:04
ComboFix-quarantined-files.txt 2008-01-19 21:19:55
ComboFix2.txt 2008-01-18 23:24:12
ComboFix3.txt 2008-01-18 11:06:16
ComboFix4.txt 2008-01-18 00:36:19
ComboFix5.txt 2008-01-17 11:52:15
.
2008-01-09 00:09:23 --- E O F ---

dogslide21
2008-01-19, 22:26
Here is the new HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:23:00 AM, on 20/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\dogslide.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:80
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [Ashampoo AntiSpyWare Guard] C:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191633768828
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

--
End of file - 4529 bytes

Shaba
2008-01-20, 11:14
Hi

It looks like we are winning this battle :)

Next step is to install antivirus:

Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software is a program that detects, cleanses, and erases harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading the infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one of these excellent vendors NOW:

1) Antivir PersonalEdition Classic (http://www.free-av.com/) - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html) - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition (http://free.grisoft.com/doc/1) - Free edition of the AVG anti-virus program for Windows.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

After that, please post back a fresh HijackThis log.
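Shaba's check above (no anti-virus service among the O23 lines of the log, later confirmed by the avast! services in the next log) can be done by script as well. The following triage helper is an added example, not part of this thread or of HijackThis; the sample log lines are constructed from entries posted in this thread, and the vendor marker list is an assumption, not an exhaustive one.

```python
import re
from typing import Dict, List

# Constructed sample input, modelled on the HijackThis logs posted in this thread.
# Note the Ashampoo AntiSpyWare Guard: anti-spyware, but not an anti-virus product.
LOG_BEFORE_AV = "\n".join([
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:80",
    r"O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll (file missing)",
    r"O4 - HKLM\..\Run: [Ashampoo AntiSpyWare Guard] C:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe",
    r"O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe",
    r"O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE",
])

# The same log after avast! was installed (constructed, mirrors the later post).
LOG_AFTER_AV = LOG_BEFORE_AV + "\n" + "\n".join([
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
    r"O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe",
])

# Assumed list of vendor/product markers that identify an anti-virus service.
# Word boundaries keep "avg" from matching inside unrelated words.
AV_MARKER = re.compile(
    r"\b(avast|alwil|avira|antivir|avg|grisoft|kaspersky|symantec|norton|mcafee|eset|nod32)\b",
    re.IGNORECASE,
)

# HijackThis service line layout: "O23 - Service: <display name> - <vendor> - <path>"
O23_PREFIX = "O23 - Service: "


def parse_services(log_text: str) -> List[Dict[str, str]]:
    """Return the O23 service entries as name/vendor/path records."""
    services = []
    for line in log_text.splitlines():
        if not line.startswith(O23_PREFIX):
            continue
        # Split from the right so a display name containing " - " still parses.
        parts = line[len(O23_PREFIX):].rsplit(" - ", 2)
        if len(parts) != 3:
            continue  # malformed line; leave it for a human to read
        name, vendor, path = parts
        services.append({"name": name, "vendor": vendor, "path": path})
    return services


def antivirus_services(log_text: str) -> List[str]:
    """Names of services whose display name or vendor matches an AV marker."""
    return [
        s["name"]
        for s in parse_services(log_text)
        if AV_MARKER.search(s["name"] + " " + s["vendor"])
    ]


def missing_file_entries(log_text: str) -> List[str]:
    """Entries HijackThis flagged as pointing at a file that no longer exists."""
    return [line for line in log_text.splitlines() if line.endswith("(file missing)")]


def proxy_servers(log_text: str) -> List[str]:
    """ProxyServer values from R1 lines; worth a look, a home router is fine but an unknown host is not."""
    found = []
    for line in log_text.splitlines():
        m = re.search(r"ProxyServer = (\S+)", line)
        if m:
            found.append(m.group(1))
    return found


def triage(log_text: str) -> Dict[str, object]:
    """Summarise the points a helper looks for first when reading an HJT log."""
    av = antivirus_services(log_text)
    return {
        "antivirus_present": bool(av),
        "antivirus_services": av,
        "missing_file_entries": missing_file_entries(log_text),
        "proxy_servers": proxy_servers(log_text),
    }


if __name__ == "__main__":
    for label, log in (("before avast!", LOG_BEFORE_AV), ("after avast!", LOG_AFTER_AV)):
        print(label, triage(log))
```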

dogslide21
2008-01-21, 12:45
I installed avast and ran the scan. I moved some Windows files to the chest and deleted one, C:\windows\IME\imjp8_1\imjpmig.exe; I don't know if it was important or not,
but here is the new HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:39:15 PM, on 21/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\dogslide.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:80
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [Ashampoo AntiSpyWare Guard] C:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191633768828
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

--
End of file - 5326 bytes

Shaba
2008-01-21, 13:39
Hi

Yes, that was likely one of those file infectors.

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Note: This scanner will work with Internet Explorer Only!

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.

Post:

- a fresh HijackThis log
- Kaspersky report

dogslide21
2008-01-22, 13:10
New HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:09:45 PM, on 22/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\dogslide.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:80
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [Ashampoo AntiSpyWare Guard] C:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191633768828
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

--
End of file - 5476 bytes

dogslide21
2008-01-22, 13:19
New log, part 1.

<html>
<head>
<title>KASPERSKY ONLINE SCANNER REPORT</title>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8'>
</head>
<style>
.pagetitle { font-size:20px; color:#FFFFFF; font-family: Arial, Geneva, sans-serif; }
.text { font-size:11px; font-family: Arial, Geneva, sans-serif; }
TD { font-size:11px; font-family: Arial, Geneva, sans-serif; }
</style>
<body>
<table width='100%' height='110' border='0'>
<tr height='30' align='center' bgcolor='#005447'>
<td colspan='2' height='30' class='pagetitle'>
<b>KASPERSKY ONLINE SCANNER REPORT</b>
</td>
</tr>
<tr height='70'>
<td colspan='2' height='70'>
Tuesday, January 22, 2008 11:08:35 PM<br>
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)<br>
Kaspersky Online Scanner version: 5.0.98.0<br>
Kaspersky Anti-Virus database last update: 22/01/2008<br>
Kaspersky Anti-Virus database records: 526506<br>
</td>
</tr>
<tr height='10'>
<td colspan='2' height='10'>
</td>
</tr>
</table>
<table width='100%' height='145' border='0'>
<tr height='20' bgcolor='#EFEBDE'>
<td colspan='2' height='20'><b>Scan Settings</b></td>
</tr>
<tr height='15'>
<td height='15' width='250'>Scan using the following antivirus database</td>
<td>extended</td>
</tr>
<tr height='15'>
<td height='15'>Scan Archives</td>
<td>true</td>
</tr>
<tr height='15'>
<td height='15'>Scan Mail Bases</td>
<td>true</td>
</tr>
<tr height='10'>
<td colspan='2' height='10'>
</td>
</tr>
<tr height='20' bgcolor='#EFEBDE'>
<td height='20'><b>Scan Target</b></td>
<td>My Computer</td>
</tr>
<tr height='20'>
<td colspan='2' height='20'>
C:\<br>
D:\<br>
E:\<br>
F:\<br>
I:\
</td>
</tr>
<tr height='10'>
<td colspan='2' height='10'>
</td>
</tr>
<tr height='20' bgcolor='#EFEBDE'>
<td colspan='2' height='20'><b>Scan Statistics</b></td>
</tr>
<tr height='15'>
<td height='15'>Total number of scanned objects</td>
<td>86951</td>
</tr>
<tr height='15'>
<td height='15'>Number of viruses found</td>
<td>10</td>
</tr>
<tr height='15'>
<td height='15'>Number of infected objects</td>
<td>41</td>
</tr>
<tr height='15'>
<td height='15'>Number of suspicious objects</td>
<td>0</td>
</tr>
<tr height='15'>
<td height='15'>Duration of the scan process</td>
<td>01:27:29</td>
</tr>
</table>
<br>
<table width='100%' border='0'>
<tr height='20' bgcolor='#EFEBDE'>
<td height='20'><b>Infected Object Name</b></td>
<td width='200'><b>Virus Name</b></td>
<td width='100'><b>Last Action</b></td>
</tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Nero\Nero8\Nero BackItUp\Cache\NeroBackItUpScheduler3.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Andrew's\Application Data\Sun\Java\Deployment\cache\6.0\32\7836d960-7f540ec2/BnnnnBaa.class </td>
<td>Infected: Trojan.Java.ClassLoader.as </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Andrew's\Application Data\Sun\Java\Deployment\cache\6.0\32\7836d960-7f540ec2/VaannnaaBaa.class </td>
<td>Infected: Trojan.Java.ClassLoader.as </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Andrew's\Application Data\Sun\Java\Deployment\cache\6.0\32\7836d960-7f540ec2/Bnnnnn.class </td>
<td>Infected: Trojan.Java.ClassLoader.as </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Andrew's\Application Data\Sun\Java\Deployment\cache\6.0\32\7836d960-7f540ec2 </td>
<td>ZIP: infected - 3 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Andrew's\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ehp2_stdneh.jar-42e05065-730f1c55.zip/BnnnnBaa.class </td>
<td>Infected: Trojan.Java.ClassLoader.as </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Andrew's\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ehp2_stdneh.jar-42e05065-730f1c55.zip/VaannnaaBaa.class </td>
<td>Infected: Trojan.Java.ClassLoader.as </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Andrew's\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ehp2_stdneh.jar-42e05065-730f1c55.zip/Bnnnnn.class </td>
<td>Infected: Trojan.Java.ClassLoader.as </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Andrew's\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ehp2_stdneh.jar-42e05065-730f1c55.zip </td>
<td>ZIP: infected - 3 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Andrew's\Cookies\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Andrew's\Desktop\antivirus kits\SmitfraudFix\Reboot.exe </td>
<td>Infected: not-a-virus:RiskTool.Win32.Reboot.f </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Andrew's\Desktop\antivirus kits\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe </td>
<td>Infected: not-a-virus:RiskTool.Win32.Reboot.f </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Andrew's\Desktop\antivirus kits\SmitfraudFix.exe/data.rar </td>
<td>Infected: not-a-virus:RiskTool.Win32.Reboot.f </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Andrew's\Desktop\antivirus kits\SmitfraudFix.exe </td>
<td>RarSFX: infected - 2 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Andrew's\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Andrew's\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Andrew's\Local Settings\History\History.IE5\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Andrew's\Local Settings\History\History.IE5\MSHist012008012220080123\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Andrew's\Local Settings\Temp\~DF660E.tmp </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Andrew's\Local Settings\Temp\~DF661A.tmp </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Andrew's\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Andrew's\Local Settings\Temporary Internet Files\Content.IE5\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Andrew's\My Documents\Downloads\DVD-Shrink-Pro-V-3.2.0.15-cracked\dvdshrink32setup.exe/data0000.cab/wr-1-922.exe </td>
<td>Infected: Trojan-Downloader.Win32.Small.gll </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Andrew's\My Documents\Downloads\DVD-Shrink-Pro-V-3.2.0.15-cracked\dvdshrink32setup.exe/data0000.cab/DVDSHR~1.EXE/data0000.cab/is151099.exe </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.bih </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Andrew's\My Documents\Downloads\DVD-Shrink-Pro-V-3.2.0.15-cracked\dvdshrink32setup.exe/data0000.cab/DVDSHR~1.EXE/data0000.cab </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.bih </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Andrew's\My Documents\Downloads\DVD-Shrink-Pro-V-3.2.0.15-cracked\dvdshrink32setup.exe/data0000.cab/DVDSHR~1.EXE </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.bih </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Andrew's\My Documents\Downloads\DVD-Shrink-Pro-V-3.2.0.15-cracked\dvdshrink32setup.exe/data0000.cab </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.bih </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Andrew's\My Documents\Downloads\DVD-Shrink-Pro-V-3.2.0.15-cracked\dvdshrink32setup.exe </td>
<td>Rsrc-Package: infected - 5 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Andrew's\NTUSER.DAT </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Andrew's\ntuser.dat.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\Local Settings\temp\Cookies\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\Local Settings\temp\History\History.IE5\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\Local Settings\temp\Temporary Internet Files\Content.IE5\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\NTUSER.DAT </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\ntuser.dat.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\NetworkService\NTUSER.DAT </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\NetworkService\ntuser.dat.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Compaq Connections\5577497\Users\Default\Data\chandir.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Compaq Connections\5577497\Users\Default\Data\chandir.idx </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Compaq Connections\5577497\Users\Default\Data\chn.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Compaq Connections\5577497\Users\Default\Data\chn.idx </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Compaq Connections\5577497\Users\Default\Data\D0000000.FCS </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Compaq Connections\5577497\Users\Default\Data\inuse.txt </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Compaq Connections\5577497\Users\Default\Data\L0000013.FCS </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Compaq Connections\5577497\Users\Default\Data\main.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Compaq Connections\5577497\Users\Default\Data\prs.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Compaq Connections\5577497\Users\Default\Data\prs.idx </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Compaq Connections\5577497\Users\Default\Data\prs_die.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Compaq Connections\5577497\Users\Default\Data\prs_die.idx </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Compaq Connections\5577497\Users\Default\Data\prs_dnd.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>

dogslide21
2008-01-22, 13:21
Kaspersky log p2

<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Compaq Connections\5577497\Users\Default\Data\prs_dnd.idx </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Compaq Connections\5577497\Users\Default\Data\prs_ext.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Compaq Connections\5577497\Users\Default\Data\prs_ext.idx </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Compaq Connections\5577497\Users\Default\Data\prs_rcv.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Compaq Connections\5577497\Users\Default\Data\prs_rcv.idx </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Compaq Connections\5577497\Users\Default\Data\storydb.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Compaq Connections\5577497\Users\Default\Data\storydb.idx </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Nero\Nero8\Nero BackItUp\BIU1.txt </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\qoobox\Quarantine\C\WINDOWS\system32\dojbtgdv.dll.vir </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\qoobox\Quarantine\C\WINDOWS\system32\rsrunoss.dll.vir </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.din </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\qoobox\Quarantine\C\WINDOWS\system32\tjmypeyy.dll.vir </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.din </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\qoobox\Quarantine\C\WINDOWS\system32\windows.vir </td>
<td>Infected: Trojan.Win32.Zapchast.dt </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\qoobox\Quarantine\C\WINDOWS\system32\yzrtdxuh.dll.vir </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\qoobox\Quarantine\catchme2008-01-12_192301.40.zip/hgghged.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.atj </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\qoobox\Quarantine\catchme2008-01-12_192301.40.zip/yzrtdxuh.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\qoobox\Quarantine\catchme2008-01-12_192301.40.zip </td>
<td>ZIP: infected - 2 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\SDFix\backups\backups.zip/backups/mrofinu922.exe.tmp </td>
<td>Infected: Trojan-Dropper.Win32.Agent.dgo </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\SDFix\backups\backups.zip </td>
<td>ZIP: infected - 1 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\MountPointManagerRemoteDatabase </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP217\A0041702.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP218\A0043886.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP218\A0043888.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.din </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP218\A0043896.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP218\A0043901.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP220\A0045270.exe/file6 </td>
<td>Infected: Trojan.Win32.Obfuscated.mu </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP220\A0045270.exe </td>
<td>Inno: infected - 1 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP221\A0046301.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP221\A0046329.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP223\A0047929.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.din </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\VundoFix Backups\djylzgem.dll.bad </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\VundoFix Backups\fbfyfkyw.dll.bad </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\VundoFix Backups\tjmypeyy.dll.bad </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.din </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\Debug\PASSWD.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\SchedLgU.Txt </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\SDDE343B6.tmp </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\SoftwareDistribution\ReportingEvents.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\Sti_Trace.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CatRoot2\edb.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CatRoot2\tmp.edb </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\Antivirus.Evt </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\AppEvent.Evt </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\default </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\default.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\Internet.evt </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\SAM </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\SAM.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\SecEvent.Evt </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\SECURITY </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\SECURITY.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\software </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\software.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\SysEvent.Evt </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\system </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\system.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\drivers\dtscsi.sys </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\drivers\sptd.sys </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\drivers\sptd6749.sys </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\h323log.txt </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\TEMP\Perflib_Perfdata_608.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\TEMP\_avast4_\Webshlock.txt </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\wiadebug.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\wiaservc.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\WindowsUpdate.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td colspan='3' height='20'><b>Scan process completed.</b></td>
</tr>
</table>
</body>
</html>

Shaba
2008-01-22, 14:29
Hi

Empty these folders:

C:\Documents and Settings\Andrew's\Application Data\Sun\Java\Deployment\cache
C:\qoobox\Quarantine
C:\SDFix\backups\
C:\VundoFix Backups

Delete this:

C:\Documents and Settings\Andrew's\My Documents\Downloads\DVD-Shrink-Pro-V-3.2.0.15-cracked

Empty Recycle Bin.

Still problems?
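
Every "Infected" row in the Kaspersky report above sits in a removal tool's quarantine (C:\qoobox\Quarantine, C:\SDFix\backups, C:\VundoFix Backups) or in a System Restore point, which is why the reply is to empty those folders rather than to clean anything on the running system. As an added example (not the forum's or Kaspersky's code), this Python script parses the report's three-column HTML table and buckets each detection by location. The embedded excerpt is constructed in that layout from rows of the kind posted above; the quarantine folder list and the "live" default are assumptions of the example, not a vendor classification.

```python
# Added example (not the forum's or Kaspersky's code): classify the rows of a
# Kaspersky Online Scanner HTML report by where each object lives, so a helper
# can see whether a "detection" is a quarantined leftover, a System Restore
# copy, or a file on the live system.
from collections import Counter
from html.parser import HTMLParser
import re


class _RowCollector(HTMLParser):
    """Gather the text of every <td> and group the cells by <tr>."""

    def __init__(self):
        super().__init__()
        self.rows = []        # (object, status, action) triples
        self._cells = None    # None while outside a <tr>
        self._in_td = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._cells = []
        elif tag == "td" and self._cells is not None:
            self._in_td = True
            self._buf = []

    def handle_data(self, data):
        if self._in_td:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "td" and self._in_td:
            self._cells.append("".join(self._buf).strip())
            self._in_td = False
        elif tag == "tr" and self._cells is not None:
            # Separator rows and the "Scan process completed" row carry one
            # colspan=3 cell; only real result rows have three cells.
            if len(self._cells) == 3:
                self.rows.append(tuple(self._cells))
            self._cells = None


# Assumed list of folders where removal tools keep copies of what they removed.
QUARANTINE_PREFIXES = (
    r"c:\qoobox\quarantine",   # ComboFix
    r"c:\sdfix\backups",       # SDFix
    r"c:\vundofix backups",    # VundoFix
)
DETECTION_RE = re.compile(r"^Infected:\s*(?P<name>\S+)")
CONTAINER_RE = re.compile(r"^\w+: infected - \d+$")   # e.g. "ZIP: infected - 2"


def classify_location(path):
    """Return 'quarantine', 'restore_point' or 'live' for a reported path."""
    p = path.lower()
    if p.startswith(QUARANTINE_PREFIXES):
        return "quarantine"
    if r"\system volume information\_restore" in p:
        return "restore_point"
    return "live"


def summarize(report_html):
    """Parse the report and bucket every detection by location and family."""
    collector = _RowCollector()
    collector.feed(report_html)
    collector.close()
    summary = {"locked": 0, "containers": 0,
               "detections": Counter(), "families": Counter(), "live": []}
    for path, status, _action in collector.rows:
        if status == "Object is locked":
            summary["locked"] += 1       # in-use file, not a finding
            continue
        if CONTAINER_RE.match(status):
            summary["containers"] += 1   # archive total; members are listed on their own
            continue
        match = DETECTION_RE.match(status)
        if not match:
            continue
        location = classify_location(path)
        summary["detections"][location] += 1
        summary["families"][match.group("name")] += 1
        if location == "live":
            summary["live"].append((path, match.group("name")))
    return summary


# Constructed excerpt in the report's three-column layout.
SAMPLE_REPORT = r"""
<table>
<tr height='20'><td height='20'>C:\WINDOWS\system32\config\SAM </td><td>Object is locked </td><td>skipped </td></tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'><td height='20'>C:\qoobox\Quarantine\C\WINDOWS\system32\dojbtgdv.dll.vir </td><td>Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn </td><td>skipped </td></tr>
<tr height='20'><td height='20'>C:\qoobox\Quarantine\catchme2008-01-12_192301.40.zip/hgghged.dll </td><td>Infected: not-a-virus:AdWare.Win32.Virtumonde.atj </td><td>skipped </td></tr>
<tr height='20'><td height='20'>C:\qoobox\Quarantine\catchme2008-01-12_192301.40.zip </td><td>ZIP: infected - 2 </td><td>skipped </td></tr>
<tr height='20'><td height='20'>C:\SDFix\backups\backups.zip/backups/mrofinu922.exe.tmp </td><td>Infected: Trojan-Dropper.Win32.Agent.dgo </td><td>skipped </td></tr>
<tr height='20'><td height='20'>C:\SDFix\backups\backups.zip </td><td>ZIP: infected - 1 </td><td>skipped </td></tr>
<tr height='20'><td height='20'>C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP217\A0041702.dll </td><td>Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn </td><td>skipped </td></tr>
<tr height='20'><td height='20'>C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP220\A0045270.exe/file6 </td><td>Infected: Trojan.Win32.Obfuscated.mu </td><td>skipped </td></tr>
<tr height='20'><td height='20'>C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP220\A0045270.exe </td><td>Inno: infected - 1 </td><td>skipped </td></tr>
<tr height='20'><td height='20'>C:\VundoFix Backups\djylzgem.dll.bad </td><td>Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn </td><td>skipped </td></tr>
<tr height='20'><td colspan='3' height='20'><b>Scan process completed.</b></td></tr>
</table>
"""

if __name__ == "__main__":
    result = summarize(SAMPLE_REPORT)
    print("detections by location:", dict(result["detections"]))
    print("on the live system:", result["live"] or "none")
```

Any path that lands in the "live" bucket is the one worth acting on; everything in the other two buckets disappears when the quarantine folders are emptied and System Restore is cleared, as the reply above recommends.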

dogslide21
2008-01-23, 10:48
No, everything is fine now, thank you very much.
If my friends need help I'll give them this site.
:bigthumb: Again, thank you.

Shaba
2008-01-23, 11:17
Hi

Then you're clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo (http://www.personalfirewall.comodo.com/)
2) Online Armor (http://www.tallemu.com/online_armor_free.html)
3) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
4) Agnitum (http://www.agnitum.com/products/outpostfree/download.php)
5) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za) (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Next we remove all used tools.

Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) and save it to desktop.

Double-click OTMoveIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with instructions from the tutorial above.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab.
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software, it will not be able to catch any of the new variants that may come out.


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure that your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Google Toolbar (http://toolbar.google.com/) <= Get the free Google Toolbar to help stop pop-up windows.
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)

Happy surfing and stay clean! :bigthumb:
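
On the HOSTS file point in the post above: a blocking HOSTS file works because names pinned to 127.0.0.1 (or 0.0.0.0) never leave the machine, and the same mechanism cuts the other way when malware adds entries that send security vendors' names to an address of its choosing, which is a well-established way of keeping a victim away from updates and help. As an added example that is not part of the thread or the MVPS project, this Python script parses a HOSTS file and separates sinkhole entries from redirects worth reviewing; it goes a step beyond the post by auditing for the hijack case as well. The file content and the 203.0.113.7 address are constructed, and treating every non-local address as "for review" is a deliberate assumption of the example (legitimate intranet entries would show up there too).

```python
# Added example (not the MVPS project's code): audit a Windows HOSTS file.
# Names mapped to the loopback or unspecified address are blocking entries
# of the kind the MVPS file installs; names mapped anywhere else redirect
# traffic and deserve a look.
import ipaddress

SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed HOSTS file: two MVPS-style blocking lines plus one redirect of
# the kind malware adds (203.0.113.7 is a documentation-range address).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# blocking entries: the ad host resolves to the local machine and never loads
0.0.0.0  ads.example
0.0.0.0  tracker.example   # trailing comment is allowed
# a redirect: a legitimate-looking name sent to an outside address
203.0.113.7  antivirus-vendor.example
::1   localhost
"""


def parse_hosts(text):
    """Return (line_number, address, [names]) per entry; address is None if malformed."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            entries.append((lineno, None, fields))   # not an IP in the first column
            continue
        entries.append((lineno, addr, fields[1:]))
    return entries


def audit_hosts(text):
    """Split entries into blocked names, redirected names and malformed lines."""
    report = {"blocked": [], "redirected": [], "malformed": []}
    for lineno, addr, names in parse_hosts(text):
        if addr is None:
            report["malformed"].append((lineno, " ".join(names)))
        elif addr in SINKHOLE_ADDRESSES:
            # "localhost" on the loopback address is the normal default line
            report["blocked"].extend(n for n in names if n != "localhost")
        else:
            report["redirected"].extend((lineno, addr, n) for n in names)
    return report


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(result['blocked'])} names sinkholed")
    for lineno, addr, name in result["redirected"]:
        print(f"line {lineno}: {name} -> {addr}  (review this entry)")
```

On a real machine the file to feed in is %SystemRoot%\system32\drivers\etc\hosts; a large "blocked" list with an empty "redirected" list is what a healthy MVPS installation looks like.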

Shaba
2008-01-25, 10:43
Since this issue appears resolved ... this Topic is closed. Glad I could help.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.