Hi
Some of the startup programs are infected and that's why you may need to re-install some of them later.
Open notepad and copy/paste the text in the quotebox below into it:
Code:
Rootkit::
C:\WINDOWS\system32\ttutv.ini
C:\WINDOWS\system32\ttutv.ini2
C:\WINDOWS\system32\vtutt.exe
RenV::
----a-w 3,179,520 2008-01-27 06:19:47 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w 2,823,680 2008-01-27 06:20:26 C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w 3,587,584 2008-01-19 20:32:50 C:\Program Files\Google\Google Desktop Search\GoogleDesktop .exe
----a-w 1,133,568 2008-01-18 03:07:54 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w 2,470,400 2008-01-27 06:21:37 C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w 2,897,920 2008-01-27 06:20:31 C:\Program Files\HP\QuickPlay\QPService .exe
----a-w 2,315,264 2008-01-27 06:21:15 C:\Program Files\HPQ\Default Settings\cpqset .exe
----a-w 2,309,632 2008-01-19 20:32:32 C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant .exe
----a-w 2,855,424 2008-01-25 07:10:47 C:\Program Files\HPQ\Quick Launch Buttons\EabServr .exe
----a-w 2,901,504 2008-01-27 06:20:31 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 3,269,120 2008-01-18 05:35:39 C:\Program Files\Messenger\msmsgs .exe
----a-w 3,074,560 2008-01-27 06:21:35 C:\Program Files\QuickTime\qttask .exe
----a-w 3,514,368 2008-01-27 06:20:31 C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
----a-w 2,735,616 2008-01-27 06:20:43 C:\WINDOWS\CREATOR\Remind_XP .exe
----a-w 2,484,736 2008-01-27 06:19:38 C:\WINDOWS\ehome\ehtray .exe
----a-w 3,290,112 2008-01-27 06:20:51 C:\WINDOWS\SMINST\RecGuard .exe
----a-w 22,528 2008-01-27 06:20:53 C:\WINDOWS\system32\ctfmon .exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FBD17051-1E72-4F66-A7D8-B4A3BBAFD899}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Winupdate Engine"=-
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
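An added example, not part of the original post and not ComboFix's own code: a small reviewer that lists what a script in this layout targets before it is run, and decodes the `hex(7)` data so the value being written is readable. The section-header pattern, the function names and the single-byte decoding are assumptions made for this sketch; the sample is a trimmed, constructed copy of the layout above.

```python
import re

# Constructed sample in the layout of the script above (trimmed, not the full post).
SAMPLE = r'''Rootkit::
C:\WINDOWS\system32\vtutt.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Winupdate Engine"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
'''

def decode_multi_sz(hex_csv):
    """Decode comma-separated hex(7) bytes into the list of strings they hold."""
    raw = bytes(int(b, 16) for b in hex_csv.split(",") if b.strip())
    # Assumption: one byte per character, NUL-separated, as in the post's value.
    return [s for s in raw.decode("latin-1").split("\x00") if s]

def summarize(script):
    """Group the script's lines into file targets and registry operations."""
    out = {"files": [], "deleted_keys": [], "deleted_values": [], "set_values": []}
    section = key = None
    for line in (l.strip() for l in script.splitlines()):
        if not line:
            continue
        # Assumption: a section header is a bare word followed by ':' or '::'.
        m = re.fullmatch(r"(\w+)::?", line)
        if m:
            section, key = m.group(1).lower(), None
        elif section != "registry":
            out["files"].append((section, line))       # file listed under a section
        elif line.startswith("[-"):
            out["deleted_keys"].append(line[2:-1])     # whole key removed
        elif line.startswith("["):
            key = line[1:-1]                           # key for the values that follow
        else:
            name, _, data = line.partition("=")
            name = name.strip('"')
            if data == "-":
                out["deleted_values"].append((key, name))
            elif data.startswith("hex(7):"):
                out["set_values"].append((key, name, decode_multi_sz(data[7:])))
            else:
                out["set_values"].append((key, name, data))
    return out

if __name__ == "__main__":
    for kind, items in summarize(SAMPLE).items():
        print(kind, items)
```

Run on the sample, the `Authentication Packages` data decodes to the single string `msv1_0`.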