Virtumonde

dogslide21

New member
Hi, this is the first time in a forum for me, so bear with me.
I have Spybot 1.5 and ran a scan; I found I have a Virtumonde virus. I have tried all the fixes on the net but it just doesn't want to go. I tried what you have in the description; it is detected but it won't work. When I fix it with the modem on it stops, and when I fix it without the modem on it works, but on a reboot and scan it's back again. HELP PLEASE.
Virtumonde: [SBI $050FD60A] Library (File, nothing done)
C:\WINDOWS\system32\vturs.dll


--- Spybot - Search & Destroy version: 1.5 (build: 20070830) ---

2007-08-31 blindman.exe (1.0.0.6)
2007-08-31 SDMain.exe (1.0.0.4)
2007-08-31 SDUpdate.exe (1.0.6.4)
2007-08-31 SDWinSec.exe (1.0.0.8)
2007-08-31 SpybotSD.exe (1.5.1.15)
2007-08-31 TeaTimer.exe (1.5.0.9)
2007-09-11 unins000.exe (51.46.0.0)
2007-08-31 Update.exe (1.4.0.5)
2007-08-31 advcheck.dll (1.5.3.0)
2007-04-02 aports.dll (2.1.0.0)
2007-04-02 DelZip179.dll (1.79.5.3)
2007-08-31 SDHelper.dll (1.5.0.8)
2007-08-31 Tools.dll (2.1.2.0)
2008-01-09 Includes\Cookies.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2008-01-09 Includes\DialerC.sbi (*)
2008-01-09 Includes\HeavyDuty.sbi (*)
2007-12-26 Includes\Hijackers.sbi (*)
2008-01-09 Includes\HijackersC.sbi (*)
2007-10-04 Includes\Keyloggers.sbi (*)
2008-01-09 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-01-09 Includes\Malware.sbi (*)
2008-01-09 Includes\MalwareC.sbi (*)
2007-10-24 Includes\PUPS.sbi (*)
2008-01-09 Includes\PUPSC.sbi (*)
2008-01-09 Includes\Revision.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-01-09 Includes\SecurityC.sbi (*)
2007-11-07 Includes\Spybots.sbi (*)
2008-01-09 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti
2007-12-12 Includes\Trojans.sbi (*)
2008-01-09 Includes\TrojansC.sbi (*)
2008-12-24 Plugins\TCPIPAddress.dll
 
Hi dogslide21 and welcome to Safer Networking Forums :)

Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
 
hjt log

Here is the HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:52 AM, on 17/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS .EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:80
F3 - REG:win.ini: load=C:\WINDOWS\system32\vturs.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: {915947ef-4599-8e2a-1944-67ee482e32fa} - {af23e284-ee76-4491-a2e8-9954fe749519} - C:\WINDOWS\system32\smvrngeo.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Ashampoo AntiSpyWare Guard] C:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant .exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1191633768828
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

--
End of file - 6944 bytes
 
Hi

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

Post:

- a fresh HijackThis log
- combofix report
 
combofix log

Here is the combofix log

ComboFix 08-01-11.3 - Andrew's 2008-01-17 22:01:50.4 - NTFSx86
Running from: C:\Documents and Settings\Andrew's\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\srutv.ini
C:\WINDOWS\system32\srutv.ini2
C:\WINDOWS\system32\vturs.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
.

2008-01-17 22:40 . 2008-01-17 22:40 326,144 --a------ C:\WINDOWS\system32\vturs.dll
2008-01-17 19:59 . 2008-01-17 19:59 <DIR> d-------- C:\Program Files\Sun
2008-01-17 19:58 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-17 19:06 . 2008-01-17 19:06 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-17 11:40 . 2008-01-17 11:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-16 18:32 . 2008-01-16 18:32 326,144 --a------ C:\WINDOWS\system32\vturs.dll_old
2008-01-16 18:29 . 2008-01-16 18:29 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-01-15 21:13 . 2008-01-15 21:13 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-15 17:07 . 2006-01-05 05:49 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-01-15 17:07 . 2006-01-05 06:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-01-14 11:59 . 2008-01-16 18:29 <DIR> d-------- C:\VundoFix Backups
2008-01-12 21:00 . 2008-01-12 21:00 680,960 --a------ C:\WINDOWS\isRS-000.tmp
2008-01-10 12:16 . 2008-01-17 22:40 174,592 --a------ C:\WINDOWS\system32\lexpps .exe
2008-01-09 12:09 . 2008-01-17 14:24 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-09 11:26 . 2008-01-09 11:26 <DIR> d-------- C:\Program Files\DVD Shrink
2008-01-06 14:07 . 2008-01-06 14:17 <DIR> d-------- C:\Program Files\UrbanTerror
2008-01-01 17:38 . 2008-01-01 17:38 <DIR> d-------- C:\Program Files\Paradox Entertainment
2007-12-21 15:22 . 2007-12-21 15:22 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2007-12-21 07:54 . 2005-04-27 08:42 104,593 --a------ C:\WINDOWS\system32\drivers\MPIXVID.SYS
2007-12-21 07:54 . 2004-06-29 01:16 25,575 --a------ C:\WINDOWS\system32\drivers\USBCamAT.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-17 11:39 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd6749.sys
2008-01-17 08:58 --------- d-----w C:\Program Files\Java
2008-01-17 03:23 --------- d-----w C:\Program Files\QuickTime
2008-01-17 03:23 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-01-17 00:09 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\uTorrent
2008-01-16 23:58 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\Vso
2008-01-16 08:03 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\LimeWire
2008-01-15 07:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Cast ping base frag
2008-01-12 13:24 --------- d-----w C:\Program Files\DivoCodec
2008-01-12 09:55 --------- d-----w C:\Program Files\DivX
2008-01-09 01:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-08 23:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-08 02:04 --------- d-----w C:\Program Files\Firefly Studios
2008-01-06 01:52 --------- d-----w C:\Program Files\WinISO
2008-01-06 01:52 --------- d-----w C:\Program Files\EGOSOFT
2007-12-21 23:03 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-12-21 23:03 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-21 23:03 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\SUPERAntiSpyware.com
2007-12-20 20:54 --------- d-----w C:\Program Files\Digital Camera
2007-12-16 10:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\vsosdk
2007-12-14 07:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-11 11:20 --------- d-----w C:\Program Files\MagicDisc
2007-12-11 10:06 --------- d-----w C:\Program Files\iSofter
2007-12-10 11:12 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\DivX
2007-12-10 10:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2007-12-10 10:30 --------- d-----w C:\Program Files\Elaborate Bytes
2007-11-29 22:30 43,528 ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-11-28 04:18 --------- d-----w C:\Program Files\SlySoft
2007-11-28 04:12 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\SlySoft
2007-11-28 04:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\SlySoft
2007-11-24 05:53 --------- d-----w C:\Program Files\Oberon Media
2007-11-24 05:44 --------- d-----w C:\Program Files\Google
2007-11-22 12:06 --------- d-----w C:\Program Files\LimeWire
2007-11-20 00:09 104,320 ----a-w C:\WINDOWS\system32\drivers\Rtnicxp.sys
2007-10-31 02:17 54,824 ----a-w C:\WINDOWS\agrsmdel.exe
2007-10-26 06:21 47,360 ----a-w C:\Documents and Settings\Andrew's\Application Data\pcouffin.sys
2007-06-01 11:46 2,608 ----a-w C:\Documents and Settings\Andrew's\Application Data\wklnhst.dat
2007-01-10 10:05 3,696 -c--a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
.
Code:
<pre>
----a-w         1,819,648 2008-01-13 04:16:09  C:\Documents and Settings\All Users\Application Data\Cast ping base frag\eggs okay .exe
----a-w            39,792 2008-01-17 03:24:03  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w           202,024 2008-01-13 04:16:08  C:\Program Files\Common Files\Nero\Lib\NMBgMonitor .exe
----a-w           185,632 2008-01-13 04:15:50  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w            68,856 2008-01-17 11:47:48  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w            49,152 2008-01-15 23:19:41  C:\Program Files\Hp\HP Software Update\HPwuSchd2 .exe
----a-w            57,344 2008-01-17 11:47:43  C:\Program Files\Lexmark X1100 Series\lxbkbmgr .exe
----a-w         1,836,328 2008-01-13 04:16:00  C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan .exe
----a-w           282,624 2008-01-15 23:19:44  C:\Program Files\QuickTime\qttask                                  .exe
----a-w           639,488 2008-01-15 23:19:03  C:\Program Files\QuickTime\qttask                                 .exe
----a-w           639,488 2008-01-15 23:07:16  C:\Program Files\QuickTime\qttask                                .exe
----a-w           639,488 2008-01-15 21:36:36  C:\Program Files\QuickTime\qttask                               .exe
----a-w           639,488 2008-01-15 08:02:23  C:\Program Files\QuickTime\qttask                              .exe
----a-w           639,488 2008-01-15 06:35:45  C:\Program Files\QuickTime\qttask                             .exe
----a-w           639,488 2008-01-15 04:49:26  C:\Program Files\QuickTime\qttask                            .exe
----a-w           639,488 2008-01-15 03:37:58  C:\Program Files\QuickTime\qttask                           .exe
----a-w           639,488 2008-01-15 00:44:26  C:\Program Files\QuickTime\qttask                          .exe
----a-w           639,488 2008-01-17 11:48:09  C:\Program Files\QuickTime\qttask                         .exe
----a-w           639,488 2008-01-17 03:23:18  C:\Program Files\QuickTime\qttask                        .exe
----a-w           639,488 2008-01-17 00:11:39  C:\Program Files\QuickTime\qttask                       .exe
----a-w           639,488 2008-01-16 23:18:06  C:\Program Files\QuickTime\qttask                      .exe
----a-w           639,488 2008-01-16 06:15:29  C:\Program Files\QuickTime\qttask                     .exe
----a-w           639,488 2008-01-16 02:47:21  C:\Program Files\QuickTime\qttask                    .exe
----a-w           639,488 2008-01-13 23:49:45  C:\Program Files\QuickTime\qttask                   .exe
----a-w           639,488 2008-01-13 03:28:43  C:\Program Files\QuickTime\qttask                  .exe
----a-w           639,488 2008-01-12 14:00:34  C:\Program Files\QuickTime\qttask                 .exe
----a-w           639,488 2008-01-12 11:01:38  C:\Program Files\QuickTime\qttask                .exe
----a-w           639,488 2008-01-12 08:24:27  C:\Program Files\QuickTime\qttask               .exe
----a-w           639,488 2008-01-12 07:25:07  C:\Program Files\QuickTime\qttask              .exe
----a-w           639,488 2008-01-12 06:58:22  C:\Program Files\QuickTime\qttask             .exe
----a-w           639,488 2008-01-12 05:45:44  C:\Program Files\QuickTime\qttask            .exe
----a-w           639,488 2008-01-12 03:50:58  C:\Program Files\QuickTime\qttask           .exe
----a-w           639,488 2008-01-12 02:36:07  C:\Program Files\QuickTime\qttask          .exe
----a-w           639,488 2008-01-11 12:08:22  C:\Program Files\QuickTime\qttask         .exe
----a-w           639,488 2008-01-11 01:12:53  C:\Program Files\QuickTime\qttask        .exe
----a-w           639,488 2008-01-10 09:41:31  C:\Program Files\QuickTime\qttask       .exe
----a-w           639,488 2008-01-10 03:51:59  C:\Program Files\QuickTime\qttask      .exe
----a-w           639,488 2008-01-10 01:40:44  C:\Program Files\QuickTime\qttask     .exe
----a-w           639,488 2008-01-10 01:25:12  C:\Program Files\QuickTime\qttask    .exe
----a-w           639,488 2008-01-10 01:15:25  C:\Program Files\QuickTime\qttask   .exe
----a-w           639,488 2008-01-10 01:09:13  C:\Program Files\QuickTime\qttask  .exe
----a-w           639,488 2008-01-10 00:14:52  C:\Program Files\QuickTime\qttask .exe
----a-w           347,136 2008-01-17 11:48:20  C:\Program Files\Unlocker\UnlockerAssistant  .exe
----a-w           347,136 2008-01-17 03:23:21  C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w           208,952 2008-01-17 03:24:04  C:\WINDOWS\ime\imjp8_1\IMJPMIG .EXE
----a-w            15,360 2008-01-17 03:24:08  C:\WINDOWS\system32\ctfmon .exe
----a-w           174,592 2008-01-17 11:40:33  C:\WINDOWS\system32\lexpps .exe
----a-w            59,392 2008-01-10 01:41:06  C:\WINDOWS\system32\IME\PINTLGNT\ImScInst .exe
----a-w           455,168 2008-01-10 01:41:00  C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP .EXE
</pre>


-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D755471-77E9-4477-B1AF-97CDB762F047}]
2008-01-17 22:40 326144 --a------ C:\WINDOWS\system32\vturs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{af23e284-ee76-4491-a2e8-9954fe749519}]
C:\WINDOWS\system32\smvrngeo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-17 14:23 426496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-17 14:23 370688]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 22:00 208952]
"PCDrProfiler"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2008-01-17 22:48 639488]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2008-01-17 14:23 398848]
"Ashampoo AntiSpyWare Guard"="C:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe" [ ]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant .exe" [2008-01-17 22:48 347136]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2008-01-17 22:48 478720]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\vturs.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\vturs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Base frag grid bows"=C:\Documents and Settings\All Users\Application Data\Cast ping base frag\eggs okay.exe

S3 bfastfao;bfastfao;C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\bfastfao.sys []
S3 BOCDRIVE;BOClean Kernel Monitor.;C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-11 03:02:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-09-14 01:31:06 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Hewlett-Packard\SDP\HPSdpApp.exef/remind /LaunchPoint reminder /App C:\Program Files\Hewlett-Packard\Easy Internet signup\StartEIS.aml
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 22:45:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\srutv.ini 319 bytes
C:\WINDOWS\system32\srutv.ini2 319 bytes
C:\WINDOWS\system32\vturs.exe 329728 bytes executable

scan completed successfully
hidden files: 3

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\Unlocker\UnlockerHook.dll
-> C:\WINDOWS\system32\vturs.dll
.
Completion time: 2008-01-17 22:52:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-17 11:52:08
ComboFix2.txt 2008-01-14 07:06:40
ComboFix3.txt 2008-01-12 08:30:06
ComboFix4.txt 2007-09-12 12:35:23
.
2008-01-09 00:09:23 --- E O F ---
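The persistence points visible in the HijackThis and ComboFix logs above (a non-empty win.ini/registry "load=" value, a BHO with a GUID for a name and a missing file, an extra entry in the LSA Authentication Packages list, and autoruns pointing at copies such as "qttask .exe" with whitespace before the extension) can be triaged mechanically. The script below is an added example, not part of this thread and not code from HijackThis, ComboFix or Spybot; the rule names, the function names and the sample log lines are my own, the sample being constructed from the entries posted above.

```python
"""Triage HijackThis / ComboFix-style log lines for Vundo-style persistence.

Added example for this thread; it is not part of HijackThis, ComboFix or
Spybot. The rules below cover four patterns visible in the posted logs:

  * a non-empty win.ini / registry 'load=' value (HJT F3 line, ComboFix
    "load"= line),
  * a browser helper object with no name, a GUID as its name, or a missing
    file,
  * an LSA 'Authentication Packages' list naming anything besides msv1_0,
  * executable paths with whitespace between the base name and the
    extension ("qttask .exe"), the rogue copies the autoruns were pointed at.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

Finding = Tuple[str, str]  # (rule name, offending log line)

# Whitespace before .exe/.dll/.sys, e.g. "qttask .exe" or "LEXPPS .EXE".
SPACE_BEFORE_EXT = re.compile(r"\S[ \t]+\.(?:exe|dll|sys)\b", re.IGNORECASE)
# 'load=<value>' in win.ini or the HKCU ...\Windows "load" value; the
# legitimate default is empty.
LOAD_VALUE = re.compile(r'\bload"?=(.+)$', re.IGNORECASE)
# HijackThis O2 line: name - {CLSID} - path
BHO_LINE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
GUID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Constructed sample, modelled on the HijackThis and ComboFix output in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LEXPPS .EXE
C:\Program Files\QuickTime\qttask .exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\vturs.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {915947ef-4599-8e2a-1944-67ee482e32fa} - {af23e284-ee76-4491-a2e8-9954fe749519} - C:\WINDOWS\system32\smvrngeo.dll (file missing)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\vturs.exe
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\vturs
"""


def scan(lines: Iterable[str]) -> List[Finding]:
    """Return (rule, line) for every line that trips one of the rules."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LOAD_VALUE.search(line)
        if m and m.group(1).strip():
            findings.append(("load-value", line))
        m = BHO_LINE.match(line)
        if m:
            name, path = m.group(1), m.group(3)
            if (name == "(no name)" or GUID.fullmatch(name)
                    or "(file missing)" in path or "(no file)" in path):
                findings.append(("bho", line))
        if "Authentication Packages" in line and "REG_MULTI_SZ" in line:
            # Anything besides msv1_0 here is loaded into lsass.exe at boot.
            # Tokenising on whitespace is fine for system32 paths; a path
            # containing spaces would still be reported, just split into pieces.
            extras = [t for t in line.split("REG_MULTI_SZ", 1)[1].split()
                      if t.lower() != "msv1_0"]
            if extras:
                findings.append(("lsa-auth-package", line))
        if SPACE_BEFORE_EXT.search(line):
            findings.append(("space-before-extension", line))
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per rule."""
    return dict(Counter(rule for rule, _ in findings))


def legit_name(path: str) -> str:
    """Collapse 'qttask .exe' back to the name the real binary has.

    This only computes the target name (what a rename of the rogue copy would
    aim at); it touches nothing on disk.
    """
    return re.sub(r"[ \t]+(\.(?:exe|dll|sys))\b", r"\1", path, flags=re.IGNORECASE)


if __name__ == "__main__":
    results = scan(SAMPLE_LOG.strip().splitlines())
    for rule, line in results:
        print(f"{rule:24} {line}")
    print(summarize(results))
```

Every hit is a lead for a human to confirm, not an automatic delete list; the value of running all four rules together is that a Vundo-style infection keeps several of these hooks at once, and clearing only one of them before a reboot is the usual reason the DLL is back afterwards.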
 
hjt log

Here is the new HJT log you asked for.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:21 AM, on 18/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS .EXE
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:80
F3 - REG:win.ini: load=C:\WINDOWS\system32\vturs.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Ashampoo AntiSpyWare Guard] C:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant .exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1191633768828
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

--
End of file - 5968 bytes
 
Hi

We'll attempt to restore some startup items.

If no success, you will need to uninstall/re-install corresponding programs later.

Open notepad and copy/paste the text in the quotebox below into it:

Code:
RenV::
----a-w            39,792 2008-01-17 03:24:03  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w           202,024 2008-01-13 04:16:08  C:\Program Files\Common Files\Nero\Lib\NMBgMonitor .exe
----a-w           185,632 2008-01-13 04:15:50  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w            68,856 2008-01-17 11:47:48  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w            49,152 2008-01-15 23:19:41  C:\Program Files\Hp\HP Software Update\HPwuSchd2 .exe
----a-w            57,344 2008-01-17 11:47:43  C:\Program Files\Lexmark X1100 Series\lxbkbmgr .exe
----a-w         1,836,328 2008-01-13 04:16:00  C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan .exe
----a-w           282,624 2008-01-15 23:19:44  C:\Program Files\QuickTime\qttask                                  .exe
----a-w           639,488 2008-01-15 23:19:03  C:\Program Files\QuickTime\qttask                                 .exe
----a-w           639,488 2008-01-15 23:07:16  C:\Program Files\QuickTime\qttask                                .exe
----a-w           639,488 2008-01-15 21:36:36  C:\Program Files\QuickTime\qttask                               .exe
----a-w           639,488 2008-01-15 08:02:23  C:\Program Files\QuickTime\qttask                              .exe
----a-w           639,488 2008-01-15 06:35:45  C:\Program Files\QuickTime\qttask                             .exe
----a-w           639,488 2008-01-15 04:49:26  C:\Program Files\QuickTime\qttask                            .exe
----a-w           639,488 2008-01-15 03:37:58  C:\Program Files\QuickTime\qttask                           .exe
----a-w           639,488 2008-01-15 00:44:26  C:\Program Files\QuickTime\qttask                          .exe
----a-w           639,488 2008-01-17 11:48:09  C:\Program Files\QuickTime\qttask                         .exe
----a-w           639,488 2008-01-17 03:23:18  C:\Program Files\QuickTime\qttask                        .exe
----a-w           639,488 2008-01-17 00:11:39  C:\Program Files\QuickTime\qttask                       .exe
----a-w           639,488 2008-01-16 23:18:06  C:\Program Files\QuickTime\qttask                      .exe
----a-w           639,488 2008-01-16 06:15:29  C:\Program Files\QuickTime\qttask                     .exe
----a-w           639,488 2008-01-16 02:47:21  C:\Program Files\QuickTime\qttask                    .exe
----a-w           639,488 2008-01-13 23:49:45  C:\Program Files\QuickTime\qttask                   .exe
----a-w           639,488 2008-01-13 03:28:43  C:\Program Files\QuickTime\qttask                  .exe
----a-w           639,488 2008-01-12 14:00:34  C:\Program Files\QuickTime\qttask                 .exe
----a-w           639,488 2008-01-12 11:01:38  C:\Program Files\QuickTime\qttask                .exe
----a-w           639,488 2008-01-12 08:24:27  C:\Program Files\QuickTime\qttask               .exe
----a-w           639,488 2008-01-12 07:25:07  C:\Program Files\QuickTime\qttask              .exe
----a-w           639,488 2008-01-12 06:58:22  C:\Program Files\QuickTime\qttask             .exe
----a-w           639,488 2008-01-12 05:45:44  C:\Program Files\QuickTime\qttask            .exe
----a-w           639,488 2008-01-12 03:50:58  C:\Program Files\QuickTime\qttask           .exe
----a-w           639,488 2008-01-12 02:36:07  C:\Program Files\QuickTime\qttask          .exe
----a-w           639,488 2008-01-11 12:08:22  C:\Program Files\QuickTime\qttask         .exe
----a-w           639,488 2008-01-11 01:12:53  C:\Program Files\QuickTime\qttask        .exe
----a-w           639,488 2008-01-10 09:41:31  C:\Program Files\QuickTime\qttask       .exe
----a-w           639,488 2008-01-10 03:51:59  C:\Program Files\QuickTime\qttask      .exe
----a-w           639,488 2008-01-10 01:40:44  C:\Program Files\QuickTime\qttask     .exe
----a-w           639,488 2008-01-10 01:25:12  C:\Program Files\QuickTime\qttask    .exe
----a-w           639,488 2008-01-10 01:15:25  C:\Program Files\QuickTime\qttask   .exe
----a-w           639,488 2008-01-10 01:09:13  C:\Program Files\QuickTime\qttask  .exe
----a-w           639,488 2008-01-10 00:14:52  C:\Program Files\QuickTime\qttask .exe
----a-w           347,136 2008-01-17 11:48:20  C:\Program Files\Unlocker\UnlockerAssistant  .exe
----a-w           347,136 2008-01-17 03:23:21  C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w           208,952 2008-01-17 03:24:04  C:\WINDOWS\ime\imjp8_1\IMJPMIG .EXE
----a-w            15,360 2008-01-17 03:24:08  C:\WINDOWS\system32\ctfmon .exe
----a-w           174,592 2008-01-17 11:40:33  C:\WINDOWS\system32\lexpps .exe
----a-w            59,392 2008-01-10 01:41:06  C:\WINDOWS\system32\IME\PINTLGNT\ImScInst .exe
----a-w           455,168 2008-01-10 01:41:00  C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP .EXE

Rootkit::
C:\WINDOWS\system32\srutv.ini 
C:\WINDOWS\system32\srutv.ini2 
C:\WINDOWS\system32\vturs.exe 

File::
C:\WINDOWS\system32\vturs.dll
C:\WINDOWS\system32\vturs.dll_old
C:\WINDOWS\system32\smvrngeo.dll

Folder::
C:\Documents and Settings\All Users\Application Data\Cast ping base frag

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Base frag grid bows"=-

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D755471-77E9-4477-B1AF-97CDB762F047}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{af23e284-ee76-4491-a2e8-9954fe749519}]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any findstr, find, sed or swreg processes; ComboFix should then continue.
If that happens we want to know, and also which process you had to end.
 
combofix log

here is the new combofix log.

ComboFix 08-01-11.3 - Andrew's 2008-01-18 11:17:39.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.42 [GMT 11:00]
Running from: C:\Documents and Settings\Andrew's\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Andrew's\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\smvrngeo.dll
C:\WINDOWS\system32\vturs.dll
C:\WINDOWS\system32\vturs.dll_old
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Cast ping base frag
C:\Documents and Settings\All Users\Application Data\Cast ping base frag\eggs okay .exe
C:\Documents and Settings\All Users\Application Data\Cast ping base frag\eggs okay.exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\srutv.ini
C:\WINDOWS\system32\srutv.ini2
C:\WINDOWS\system32\vturs.dll
C:\WINDOWS\system32\vturs.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))
.

2008-01-18 11:31 . 2008-01-18 11:31 319 --ahs---- C:\WINDOWS\system32\srutv.ini2
2008-01-17 19:59 . 2008-01-17 19:59 <DIR> d-------- C:\Program Files\Sun
2008-01-17 19:58 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-17 19:06 . 2008-01-17 19:06 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-17 11:40 . 2008-01-17 11:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-16 18:29 . 2008-01-16 18:29 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-01-15 21:13 . 2008-01-15 21:13 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-15 17:07 . 2006-01-05 05:49 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-01-15 17:07 . 2006-01-05 06:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-01-14 11:59 . 2008-01-16 18:29 <DIR> d-------- C:\VundoFix Backups
2008-01-12 21:00 . 2008-01-12 21:00 680,960 --a------ C:\WINDOWS\isRS-000.tmp
2008-01-10 12:15 . 2008-01-10 12:41 455,168 --a------ C:\WINDOWS\system32\dllcache\tintsetp.exe
2008-01-10 12:15 . 2008-01-17 14:24 208,952 --a------ C:\WINDOWS\system32\dllcache\imjpmig.exe
2008-01-10 12:15 . 2008-01-10 12:41 59,392 --a------ C:\WINDOWS\system32\dllcache\imscinst.exe
2008-01-09 12:09 . 2008-01-18 11:31 346,624 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-09 12:09 . 2008-01-18 11:08 15,360 --a------ C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-09 11:26 . 2008-01-09 11:26 <DIR> d-------- C:\Program Files\DVD Shrink
2008-01-06 14:07 . 2008-01-06 14:17 <DIR> d-------- C:\Program Files\UrbanTerror
2008-01-01 17:38 . 2008-01-01 17:38 <DIR> d-------- C:\Program Files\Paradox Entertainment
2007-12-21 15:22 . 2007-12-21 15:22 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2007-12-21 07:54 . 2005-04-27 08:42 104,593 --a------ C:\WINDOWS\system32\drivers\MPIXVID.SYS
2007-12-21 07:54 . 2004-06-29 01:16 25,575 --a------ C:\WINDOWS\system32\drivers\USBCamAT.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-18 00:31 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-01-18 00:29 --------- d-----w C:\Program Files\QuickTime
2008-01-17 11:39 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd6749.sys
2008-01-17 08:58 --------- d-----w C:\Program Files\Java
2008-01-17 00:09 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\uTorrent
2008-01-16 23:58 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\Vso
2008-01-16 08:03 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\LimeWire
2008-01-12 13:24 --------- d-----w C:\Program Files\DivoCodec
2008-01-12 09:55 --------- d-----w C:\Program Files\DivX
2008-01-09 01:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-08 23:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-08 02:04 --------- d-----w C:\Program Files\Firefly Studios
2008-01-06 01:52 --------- d-----w C:\Program Files\WinISO
2008-01-06 01:52 --------- d-----w C:\Program Files\EGOSOFT
2007-12-21 23:03 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-12-21 23:03 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-21 23:03 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\SUPERAntiSpyware.com
2007-12-20 20:54 --------- d-----w C:\Program Files\Digital Camera
2007-12-16 10:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\vsosdk
2007-12-14 07:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-11 11:20 --------- d-----w C:\Program Files\MagicDisc
2007-12-11 10:06 --------- d-----w C:\Program Files\iSofter
2007-12-10 11:12 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\DivX
2007-12-10 10:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2007-12-10 10:30 --------- d-----w C:\Program Files\Elaborate Bytes
2007-11-29 22:30 43,528 ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-11-28 04:18 --------- d-----w C:\Program Files\SlySoft
2007-11-28 04:12 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\SlySoft
2007-11-28 04:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\SlySoft
2007-11-24 05:53 --------- d-----w C:\Program Files\Oberon Media
2007-11-24 05:44 --------- d-----w C:\Program Files\Google
2007-11-22 12:06 --------- d-----w C:\Program Files\LimeWire
2007-11-20 00:09 104,320 ----a-w C:\WINDOWS\system32\drivers\Rtnicxp.sys
2007-10-31 02:17 54,824 ----a-w C:\WINDOWS\agrsmdel.exe
2007-10-26 06:21 47,360 ----a-w C:\Documents and Settings\Andrew's\Application Data\pcouffin.sys
2007-06-01 11:46 2,608 ----a-w C:\Documents and Settings\Andrew's\Application Data\wklnhst.dat
2007-01-10 10:05 3,696 -c--a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
.
Code:
<pre>
----a-w            39,792 2008-01-18 00:30:35  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w            68,856 2008-01-18 00:31:09  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w           144,784 2008-01-18 00:31:11  C:\Program Files\Java\jre1.6.0_04\bin\jusched .exe
----a-w            57,344 2008-01-18 00:30:38  C:\Program Files\Lexmark X1100 Series\lxbkbmgr .exe
----a-w            20,992 2008-01-18 00:31:35  C:\Program Files\Unlocker\UnlockerAssistant    .exe
----a-w           347,136 2008-01-18 00:18:19  C:\Program Files\Unlocker\UnlockerAssistant   .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-18 11:08 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-18 11:18 426496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-18 11:18 370688]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2008-01-17 14:24 208952]
"PCDrProfiler"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2008-01-18 11:18 398848]
"Ashampoo AntiSpyWare Guard"="C:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe" [ ]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant .exe" [2008-01-18 11:31 20992]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2008-01-18 11:08 478720]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\\WINDOWS\\system32\\vturs

S3 bfastfao;bfastfao;C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\bfastfao.sys []
S3 BOCDRIVE;BOClean Kernel Monitor.;C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-11 03:02:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-09-14 01:31:06 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Hewlett-Packard\SDP\HPSdpApp.exef/remind /LaunchPoint reminder /App C:\Program Files\Hewlett-Packard\Easy Internet signup\StartEIS.aml
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-18 11:31:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\vturs.dll
-> C:\Program Files\Unlocker\UnlockerHook.dll
.
Completion time: 2008-01-18 11:36:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-18 00:36:14
ComboFix2.txt 2008-01-17 11:52:15
ComboFix3.txt 2008-01-14 07:06:40
ComboFix4.txt 2008-01-12 08:30:06
ComboFix5.txt 2007-09-12 12:35:23
.
2008-01-09 00:09:23 --- E O F ---
 
hjt log

here is the new hjt log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:50 AM, on 18/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr .exe
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched .exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Ashampoo AntiSpyWare Guard] C:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant .exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1191633768828
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

--
End of file - 6609 bytes
 
Hi

Better :)

Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched .exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr .exe
C:\Program Files\Unlocker\UnlockerAssistant    .exe
C:\Program Files\Unlocker\UnlockerAssistant   .exe
C:\WINDOWS\system32\srutv.ini2

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any findstr, find, sed or swreg processes; ComboFix should then continue.
If that happens we want to know, and also which process you had to end.
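As an added example (not part of either helper post, and not ComboFix or HijackThis code), a small Python checker for the three persistence indicators that both CFScripts in this thread target: autostart entries pointing at executables with a blank before the extension (the "qttask .exe" renaming trick), a non-default LSA "Authentication Packages" list, and a populated HKCU ...\Windows "load" value. It also shows how the hex(7) value in both scripts is derived from the string msv1_0. SAMPLE_LOG is constructed from lines quoted in this thread; the assumption that REG_MULTI_SZ entries contain no blanks is labelled in the code.

```python
"""Checker for the Vundo/Virtumonde persistence indicators seen in this thread.

Added example, not part of the forum posts and not ComboFix/HijackThis code.
It reads text in the shape of ComboFix's "Reg Loading Points" section.
"""
import re
from typing import Dict, List

# Stock contents of HKLM\SYSTEM\CurrentControlSet\Control\Lsa "Authentication Packages" on XP.
XP_DEFAULT_AUTH_PACKAGES = {"msv1_0"}

# A path whose base name has blanks right before the extension ("qttask .exe"):
# the renamed-original trick that the RenV:: section of the CFScript undoes.
SPACE_BEFORE_EXT = re.compile(r'[A-Za-z]:\\[^"\[\r\n]*?[ \t]+\.(?:exe|dll)\b', re.IGNORECASE)
AUTH_PACKAGES = re.compile(r'^Authentication Packages\s+REG_MULTI_SZ\s+(.*)$', re.IGNORECASE | re.MULTILINE)
LOAD_VALUE = re.compile(r'^"load"=(.*)$', re.IGNORECASE | re.MULTILINE)

# Constructed sample: a few lines in the shape of the logs quoted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-18 11:18 370688]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant .exe" [2008-01-18 11:31 20992]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\vturs.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\vturs
"""


def decode_hex7(value: str) -> List[str]:
    """Decode a REGEDIT4 'hex(7):..' REG_MULTI_SZ: ANSI bytes, NUL between strings, double NUL at the end."""
    if not value.lower().startswith("hex(7):"):
        raise ValueError("not a hex(7) value")
    raw = bytes.fromhex(value[len("hex(7):"):].replace(",", ""))
    return [s.decode("latin-1") for s in raw.split(b"\x00") if s]


def encode_hex7(strings: List[str]) -> str:
    """Inverse of decode_hex7; encode_hex7(["msv1_0"]) yields the value written in both CFScripts."""
    raw = b"".join(s.encode("latin-1") + b"\x00" for s in strings) + b"\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def analyze(log_text: str) -> Dict[str, List[str]]:
    """Return the three indicator lists found in a Reg Loading Points style text."""
    findings: Dict[str, List[str]] = {
        "renamed_executables": sorted(set(SPACE_BEFORE_EXT.findall(log_text))),
        "extra_auth_packages": [],
        "hkcu_load": [],
    }
    for m in AUTH_PACKAGES.finditer(log_text):
        # Assumption: ComboFix prints the entries space-separated and none contains a blank.
        for entry in m.group(1).split():
            if entry.lower() not in XP_DEFAULT_AUTH_PACKAGES:
                findings["extra_auth_packages"].append(entry)
    for m in LOAD_VALUE.finditer(log_text):
        value = m.group(1).strip().strip('"')
        if value and value != "-":  # "-" is the delete marker used in the CFScript
            findings["hkcu_load"].append(value)
    return findings


def cfscript_fix(findings: Dict[str, List[str]]) -> str:
    """Render the Registry:: part of a CFScript that clears the two registry indicators."""
    blocks = []
    if findings["hkcu_load"]:
        blocks.append('[HKEY_CURRENT_USER\\software\\microsoft\\windows nt\\currentversion\\windows]\n"load"=-')
    if findings["extra_auth_packages"]:
        blocks.append('[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]\n'
                      '"Authentication Packages"=' + encode_hex7(sorted(XP_DEFAULT_AUTH_PACKAGES)))
    return "Registry::\n" + "\n\n".join(blocks) + "\n" if blocks else ""


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for name, items in result.items():
        print(name, items)
    print(cfscript_fix(result))
```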
 
combofix log

Here is the new combofix log

ComboFix 08-01-11.3 - Andrew's 2008-01-18 21:30:55.6 - NTFSx86
Running from: C:\Documents and Settings\Andrew's\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Andrew's\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched .exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr .exe
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\WINDOWS\system32\srutv.ini2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched .exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr .exe
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\WINDOWS\system32\srutv.ini
C:\WINDOWS\system32\srutv.ini2
C:\WINDOWS\system32\vturs.dll
C:\WINDOWS\system32\vturs.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))
.

2008-01-17 19:59 . 2008-01-17 19:59 <DIR> d-------- C:\Program Files\Sun
2008-01-17 19:58 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-17 19:06 . 2008-01-17 19:06 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-17 11:40 . 2008-01-17 11:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-16 18:29 . 2008-01-16 18:29 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-01-15 21:13 . 2008-01-15 21:13 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-15 17:07 . 2006-01-05 05:49 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-01-15 17:07 . 2006-01-05 06:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-01-14 11:59 . 2008-01-16 18:29 <DIR> d-------- C:\VundoFix Backups
2008-01-12 21:00 . 2008-01-12 21:00 680,960 --a------ C:\WINDOWS\isRS-000.tmp
2008-01-10 12:15 . 2008-01-10 12:41 455,168 --a------ C:\WINDOWS\system32\dllcache\tintsetp.exe
2008-01-10 12:15 . 2008-01-17 14:24 208,952 --a------ C:\WINDOWS\system32\dllcache\imjpmig.exe
2008-01-10 12:15 . 2008-01-10 12:41 59,392 --a------ C:\WINDOWS\system32\dllcache\imscinst.exe
2008-01-09 12:09 . 2008-01-18 11:08 15,360 --a------ C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-09 12:09 . 2008-01-18 22:00 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-09 11:26 . 2008-01-09 11:26 <DIR> d-------- C:\Program Files\DVD Shrink
2008-01-06 14:07 . 2008-01-06 14:17 <DIR> d-------- C:\Program Files\UrbanTerror
2008-01-01 17:38 . 2008-01-01 17:38 <DIR> d-------- C:\Program Files\Paradox Entertainment
2007-12-21 15:22 . 2007-12-21 15:22 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2007-12-21 07:54 . 2005-04-27 08:42 104,593 --a------ C:\WINDOWS\system32\drivers\MPIXVID.SYS
2007-12-21 07:54 . 2004-06-29 01:16 25,575 --a------ C:\WINDOWS\system32\drivers\USBCamAT.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-18 11:00 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-01-18 00:29 --------- d-----w C:\Program Files\QuickTime
2008-01-17 11:39 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd6749.sys
2008-01-17 08:58 --------- d-----w C:\Program Files\Java
2008-01-17 00:09 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\uTorrent
2008-01-16 23:58 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\Vso
2008-01-16 08:03 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\LimeWire
2008-01-12 13:24 --------- d-----w C:\Program Files\DivoCodec
2008-01-12 09:55 --------- d-----w C:\Program Files\DivX
2008-01-09 01:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-08 23:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-08 02:04 --------- d-----w C:\Program Files\Firefly Studios
2008-01-06 01:52 --------- d-----w C:\Program Files\WinISO
2008-01-06 01:52 --------- d-----w C:\Program Files\EGOSOFT
2007-12-21 23:03 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-12-21 23:03 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-21 23:03 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\SUPERAntiSpyware.com
2007-12-20 20:54 --------- d-----w C:\Program Files\Digital Camera
2007-12-16 10:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\vsosdk
2007-12-14 07:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-11 11:20 --------- d-----w C:\Program Files\MagicDisc
2007-12-11 10:06 --------- d-----w C:\Program Files\iSofter
2007-12-10 11:12 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\DivX
2007-12-10 10:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2007-12-10 10:30 --------- d-----w C:\Program Files\Elaborate Bytes
2007-11-29 22:30 43,528 ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-11-28 04:18 --------- d-----w C:\Program Files\SlySoft
2007-11-28 04:12 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\SlySoft
2007-11-28 04:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\SlySoft
2007-11-24 05:53 --------- d-----w C:\Program Files\Oberon Media
2007-11-24 05:44 --------- d-----w C:\Program Files\Google
2007-11-22 12:06 --------- d-----w C:\Program Files\LimeWire
2007-11-20 00:09 104,320 ----a-w C:\WINDOWS\system32\drivers\Rtnicxp.sys
2007-10-31 02:17 54,824 ----a-w C:\WINDOWS\agrsmdel.exe
2007-10-26 06:21 47,360 ----a-w C:\Documents and Settings\Andrew's\Application Data\pcouffin.sys
2007-06-01 11:46 2,608 ----a-w C:\Documents and Settings\Andrew's\Application Data\wklnhst.dat
2007-01-10 10:05 3,696 -c--a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
.
Code:
<pre>
----a-w            39,792 2008-01-18 11:00:14  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w            68,856 2008-01-18 11:00:19  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w           144,784 2008-01-18 11:00:19  C:\Program Files\Java\jre1.6.0_04\bin\jusched .exe
----a-w            57,344 2008-01-18 11:00:18  C:\Program Files\Lexmark X1100 Series\lxbkbmgr .exe
----a-w           347,136 2008-01-18 11:00:48  C:\Program Files\Unlocker\UnlockerAssistant      .exe
----a-w           347,136 2008-01-18 10:32:14  C:\Program Files\Unlocker\UnlockerAssistant     .exe
</pre>


((((((((((((((((((((((((((((( snapshot@2008-01-18_11.35.50.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-18 00:15:38 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-18 10:30:31 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-18 00:15:38 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-18 10:30:31 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-18 00:15:38 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-18 10:30:31 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-18 00:15:38 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-18 10:30:32 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-18 00:15:38 6,127,616 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-18 10:30:32 6,127,616 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-18 00:15:38 274,432 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-18 10:30:32 274,432 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-17 03:24:04 208,952 ----a-w C:\WINDOWS\ime\imjp8_1\imjpmig.exe
+ 2008-01-18 11:00:38 540,160 ----a-w C:\WINDOWS\ime\imjp8_1\IMJPMIG.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40A871FE-BCDB-4101-9373-16EB16586370}]
2008-01-18 22:00 326144 --a------ C:\WINDOWS\system32\vturs.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-18 11:08 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-18 11:18 426496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-18 21:31 370688]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2008-01-17 14:24 208952]
"PCDrProfiler"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2008-01-18 11:18 398848]
"Ashampoo AntiSpyWare Guard"="C:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe" [ ]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant .exe" [2008-01-18 22:00 347136]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2008-01-18 11:08 478720]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\vturs.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\vturs

S3 bfastfao;bfastfao;C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\bfastfao.sys []
S3 BOCDRIVE;BOClean Kernel Monitor.;C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-18 03:02:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-09-14 01:31:06 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Hewlett-Packard\SDP\HPSdpApp.exef/remind /LaunchPoint reminder /App C:\Program Files\Hewlett-Packard\Easy Internet signup\StartEIS.aml
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-18 22:00:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\vturs.dll
-> C:\Program Files\Unlocker\UnlockerHook.dll
.
Completion time: 2008-01-18 22:06:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-18 11:06:11
ComboFix2.txt 2008-01-18 00:36:19
ComboFix3.txt 2008-01-17 11:52:15
ComboFix4.txt 2008-01-14 07:06:40
ComboFix5.txt 2008-01-12 08:30:06
.
2008-01-09 00:09:23 --- E O F ---
 
hjt log

here is the new hjt log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13:11 PM, on 18/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr .exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:80
F3 - REG:win.ini: load=C:\WINDOWS\system32\vturs.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Ashampoo AntiSpyWare Guard] C:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant .exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1191633768828
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

--
End of file - 5937 bytes
 
Hi

Rename HijackThis.exe to dogslide.exe

Uninstall via add/remove programs (you can re-install them from clean copies (= from internet) once you're clean):

Adobe Reader 8.0
GoogleToolbarNotifier
Unlocker
Java Runtime Environment 6 update 4

Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\WINDOWS\system32\vturs.dll
C:\WINDOWS\system32\vturs.exe

Folder::
C:\Program Files\Adobe\Reader 8.0
C:\Program Files\Google\GoogleToolbarNotifier
C:\Program Files\Java\jre1.6.0_04
C:\Program Files\Unlocker

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40A871FE-BCDB-4101-9373-16EB16586370}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"=-
"Lexmark X1100 Series"=-
"UnlockerAssistant"=-
"SunJavaUpdateSched"=-

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.gif]


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg; then combofix should continue.
If that happened we want to know, and also what process you had to end.
 
combofix log

here is the new combofix log

ComboFix 08-01-11.3 - Andrew's 2008-01-19 10:07:47.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.43 [GMT 11:00]
Running from: C:\Documents and Settings\Andrew's\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Andrew's\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\vturs.dll
C:\WINDOWS\system32\vturs.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Adobe\Reader 8.0
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\Program Files\Google\GoogleToolbarNotifier
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Unlocker
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\Program Files\Unlocker\UnlockerHook.dll
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\srutv.ini
C:\WINDOWS\system32\srutv.ini2
C:\WINDOWS\system32\vturs.dll
C:\WINDOWS\system32\vturs.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))
.

2008-01-19 09:45 . 2008-01-19 10:05 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-17 19:59 . 2008-01-17 19:59 <DIR> d-------- C:\Program Files\Sun
2008-01-17 11:40 . 2008-01-17 11:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-16 18:29 . 2008-01-16 18:29 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-01-15 21:13 . 2008-01-15 21:13 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-15 17:07 . 2006-01-05 05:49 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-01-15 17:07 . 2006-01-05 06:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-01-14 11:59 . 2008-01-16 18:29 <DIR> d-------- C:\VundoFix Backups
2008-01-12 21:00 . 2008-01-12 21:00 680,960 --a------ C:\WINDOWS\isRS-000.tmp
2008-01-10 12:15 . 2008-01-10 12:41 455,168 --a------ C:\WINDOWS\system32\dllcache\tintsetp.exe
2008-01-10 12:15 . 2008-01-17 14:24 208,952 --a------ C:\WINDOWS\system32\dllcache\imjpmig.exe
2008-01-10 12:15 . 2008-01-10 12:41 59,392 --a------ C:\WINDOWS\system32\dllcache\imscinst.exe
2008-01-09 12:09 . 2008-01-18 11:08 15,360 --a------ C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-09 12:09 . 2008-01-18 11:08 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-09 11:26 . 2008-01-09 11:26 <DIR> d-------- C:\Program Files\DVD Shrink
2008-01-06 14:07 . 2008-01-06 14:17 <DIR> d-------- C:\Program Files\UrbanTerror
2008-01-01 17:38 . 2008-01-01 17:38 <DIR> d-------- C:\Program Files\Paradox Entertainment
2007-12-21 15:22 . 2007-12-21 15:22 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2007-12-21 07:54 . 2005-04-27 08:42 104,593 --a------ C:\WINDOWS\system32\drivers\MPIXVID.SYS
2007-12-21 07:54 . 2004-06-29 01:16 25,575 --a------ C:\WINDOWS\system32\drivers\USBCamAT.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-18 23:15 --------- d-----w C:\Program Files\Google
2008-01-18 23:08 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-01-18 22:57 --------- d-----w C:\Program Files\Java
2008-01-18 22:52 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-18 00:29 --------- d-----w C:\Program Files\QuickTime
2008-01-17 11:39 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd6749.sys
2008-01-17 00:09 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\uTorrent
2008-01-16 23:58 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\Vso
2008-01-16 08:03 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\LimeWire
2008-01-12 13:24 --------- d-----w C:\Program Files\DivoCodec
2008-01-12 09:55 --------- d-----w C:\Program Files\DivX
2008-01-09 01:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-08 23:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-08 02:04 --------- d-----w C:\Program Files\Firefly Studios
2008-01-06 01:52 --------- d-----w C:\Program Files\WinISO
2008-01-06 01:52 --------- d-----w C:\Program Files\EGOSOFT
2007-12-21 23:03 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-12-21 23:03 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-21 23:03 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\SUPERAntiSpyware.com
2007-12-20 20:54 --------- d-----w C:\Program Files\Digital Camera
2007-12-16 10:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\vsosdk
2007-12-14 07:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-11 11:20 --------- d-----w C:\Program Files\MagicDisc
2007-12-11 10:06 --------- d-----w C:\Program Files\iSofter
2007-12-10 11:12 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\DivX
2007-12-10 10:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2007-12-10 10:30 --------- d-----w C:\Program Files\Elaborate Bytes
2007-11-29 22:30 43,528 ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-11-28 04:18 --------- d-----w C:\Program Files\SlySoft
2007-11-28 04:12 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\SlySoft
2007-11-28 04:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\SlySoft
2007-11-24 05:53 --------- d-----w C:\Program Files\Oberon Media
2007-11-22 12:06 --------- d-----w C:\Program Files\LimeWire
2007-11-20 00:09 104,320 ----a-w C:\WINDOWS\system32\drivers\Rtnicxp.sys
2007-10-31 02:17 54,824 ----a-w C:\WINDOWS\agrsmdel.exe
2007-10-26 06:21 47,360 ----a-w C:\Documents and Settings\Andrew's\Application Data\pcouffin.sys
2007-06-01 11:46 2,608 ----a-w C:\Documents and Settings\Andrew's\Application Data\wklnhst.dat
2007-01-10 10:05 3,696 -c--a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
.
Code:
----a-w            57,344 2008-01-18 23:05:24  C:\Program Files\Lexmark X1100 Series\lxbkbmgr .exe
----a-w           208,952 2008-01-18 23:05:22  C:\WINDOWS\ime\imjp8_1\IMJPMIG .EXE
----a-w            15,360 2008-01-18 23:05:24  C:\WINDOWS\system32\ctfmon .exe


((((((((((((((((((((((((((((( snapshot@2008-01-18_11.35.50.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-18 00:15:38 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-18 23:07:18 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-18 00:15:38 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-18 23:07:18 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-18 00:15:38 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-18 23:07:18 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-18 00:15:38 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-18 23:07:18 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-18 00:15:38 6,127,616 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-18 23:07:19 6,127,616 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-18 00:15:38 274,432 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-18 23:07:19 274,432 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-18 11:08 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2008-01-17 14:24 208952]
"PCDrProfiler"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"Ashampoo AntiSpyWare Guard"="C:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe" [ ]

S3 bfastfao;bfastfao;C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\bfastfao.sys []
S3 BOCDRIVE;BOClean Kernel Monitor.;C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-18 03:02:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-09-14 01:31:06 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Hewlett-Packard\SDP\HPSdpApp.exef/remind /LaunchPoint reminder /App C:\Program Files\Hewlett-Packard\Easy Internet signup\StartEIS.aml
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-19 10:20:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-19 10:24:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-18 23:24:09
ComboFix2.txt 2008-01-18 11:06:16
ComboFix3.txt 2008-01-18 00:36:19
ComboFix4.txt 2008-01-17 11:52:15
ComboFix5.txt 2008-01-14 07:06:40
.
2008-01-09 00:09:23 --- E O F ---
 
hjt log

here is the new hjt log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:55 AM, on 19/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\Trend Micro\HijackThis\dogslide.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:80
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [Ashampoo AntiSpyWare Guard] C:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1191633768828
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

--
End of file - 4630 bytes
 
Hi

Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\Program Files\Lexmark X1100 Series\lxbkbmgr .exe
C:\WINDOWS\ime\imjp8_1\IMJPMIG .EXE
C:\WINDOWS\system32\ctfmon .exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"=-

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.gif]


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg; then combofix should continue.
If that happened we want to know, and also what process you had to end.
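Added example, not part of this thread and not ComboFix's or Spybot's own code. It covers the two CFScripts above: the first one resets the LSA "Authentication Packages" value with a hex(7) REG_MULTI_SZ, and the second one removes the copies with a space before the extension ("ctfmon .exe") that Vundo drops next to the legitimate file. The script decodes and re-encodes that hex(7) value (the eight bytes are ANSI "msv1_0" plus the double NUL terminator, i.e. REGEDIT4 encoding, not the UTF-16 of "Version 5.00" .reg files) and then runs a few regex checks over log lines in ComboFix/HijackThis style for the three persistence points seen in this thread: a non-default LSA authentication package, a "load=" value under the Windows key or win.ini, and executables with a space before the extension. The sample lines are constructed from the logs above, not captured from the machine; the regexes, `DEFAULT_AUTH_PACKAGES` and the assumption that package names contain no spaces are mine.

```python
"""Decode/encode REGEDIT4 hex(7) REG_MULTI_SZ values and scan ComboFix/HijackThis-style
log lines for the Vundo persistence points seen in this thread (added example)."""
import re

# Default content of HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
# on Windows XP (assumption: a stock install has only msv1_0).
DEFAULT_AUTH_PACKAGES = {"msv1_0"}

# Constructed sample lines modelled on the ComboFix and HijackThis logs above.
SAMPLE_LINES = [
    r'[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]',
    r'Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\vturs',
    r'"load"=C:\WINDOWS\system32\vturs.exe',
    r'F3 - REG:win.ini: load=C:\WINDOWS\system32\vturs.exe',
    r'"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant .exe" [2008-01-18 22:00 347136]',
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime',
    r'----a-w            15,360 2008-01-18 23:05:24  C:\WINDOWS\system32\ctfmon .exe',
    r'"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-18 11:08 15360]',
]


def decode_reg_multi_sz(value, regedit4=True):
    """Turn 'hex(7):6d,73,...' into a list of strings.
    REGEDIT4 (.reg v4, which CFScript uses) stores the bytes as ANSI;
    'Windows Registry Editor Version 5.00' files store them as UTF-16LE."""
    payload = value.split(":", 1)[1] if value.lower().startswith("hex(7):") else value
    raw = bytes(int(b, 16) for b in payload.replace("\\", "").split(",") if b.strip())
    text = raw.decode("latin-1" if regedit4 else "utf-16-le")
    return [s for s in text.split("\x00") if s]  # NUL-separated, double-NUL terminated


def encode_reg_multi_sz(strings, regedit4=True):
    """Inverse of decode_reg_multi_sz: build the hex(7) payload for a .reg/CFScript line."""
    text = "\x00".join(strings) + "\x00\x00"
    raw = text.encode("latin-1" if regedit4 else "utf-16-le")
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def lsa_reset_fragment():
    """The Registry:: fragment that puts Authentication Packages back to its default."""
    return (
        "Registry::\n"
        "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]\n"
        f'"Authentication Packages"={encode_reg_multi_sz(sorted(DEFAULT_AUTH_PACKAGES))}\n'
    )


# ComboFix prints the LSA value as: Authentication Packages REG_MULTI_SZ msv1_0 <extra...>
AUTH_PKG_RE = re.compile(r'^Authentication Packages\s+REG_MULTI_SZ\s+(.*)$', re.IGNORECASE)
# "load"=<path> (ComboFix) or win.ini: load=<path> (HijackThis F3); the default is empty.
LOAD_RE = re.compile(r'(?:^|[\s:])"?load"?=(\S+)', re.IGNORECASE)
# A drive path whose file name has a space right before the extension ("ctfmon .exe").
SPACE_EXT_RE = re.compile(r'[A-Za-z]:\\[^"\[\]\r\n]*? \.(?:exe|dll|sys|com|scr)\b', re.IGNORECASE)


def decoy_twin(path):
    """Name of the legitimate file the space-before-extension decoy was placed beside."""
    return re.sub(r' \.(\w+)$', r'.\1', path)


def find_indicators(lines):
    """Return the non-default auth packages, load= targets and decoy file names found."""
    found = {"auth_package": [], "load_value": [], "space_before_ext": []}
    for line in lines:
        m = AUTH_PKG_RE.match(line.strip())
        if m:
            # Assumption: package names contain no spaces (true for the lines above).
            for pkg in m.group(1).split():
                if pkg.lower() not in DEFAULT_AUTH_PACKAGES:
                    found["auth_package"].append(pkg)
        m = LOAD_RE.search(line)
        if m:
            found["load_value"].append(m.group(1))
        for m in SPACE_EXT_RE.finditer(line):
            found["space_before_ext"].append(m.group(0))
    return {k: sorted(set(v)) for k, v in found.items()}


if __name__ == "__main__":
    print(decode_reg_multi_sz("hex(7):6d,73,76,31,5f,30,00,00"))
    print(lsa_reset_fragment())
    for kind, hits in find_indicators(SAMPLE_LINES).items():
        for hit in hits:
            extra = f"  (legit twin: {decoy_twin(hit)})" if kind == "space_before_ext" else ""
            print(f"{kind}: {hit}{extra}")
```

Run it against a saved ComboFix.txt or HijackThis log by passing the file's lines to `find_indicators`; anything in `auth_package` other than msv1_0 is what the first CFScript's hex(7) line was written to remove, and each `space_before_ext` hit is a candidate for a `File::` entry like the ones in the second script, with `decoy_twin` naming the legitimate file to leave alone.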
 
combofix log

here is the new combofix log.

ComboFix 08-01-11.3 - Andrew's 2008-01-20 8:12:00.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.47 [GMT 11:00]
Running from: C:\Documents and Settings\Andrew's\Desktop\ComboFix.exe
Command switches used :: C:\Program Files\Trend Micro\HijackThis\CFScript.txt
* Created a new restore point

FILE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr .exe
C:\WINDOWS\ime\imjp8_1\IMJPMIG .EXE
C:\WINDOWS\system32\ctfmon .exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Lexmark X1100 Series\lxbkbmgr .exe
C:\WINDOWS\ime\imjp8_1\IMJPMIG .EXE
C:\WINDOWS\system32\ctfmon .exe

.
((((((((((((((((((((((((( Files Created from 2007-12-19 to 2008-01-19 )))))))))))))))))))))))))))))))
.

2008-01-17 19:59 . 2008-01-17 19:59 <DIR> d-------- C:\Program Files\Sun
2008-01-17 11:40 . 2008-01-17 11:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-16 18:29 . 2008-01-16 18:29 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-01-15 21:13 . 2008-01-15 21:13 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-15 17:07 . 2006-01-05 05:49 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-01-15 17:07 . 2006-01-05 06:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-01-14 11:59 . 2008-01-16 18:29 <DIR> d-------- C:\VundoFix Backups
2008-01-12 21:00 . 2008-01-12 21:00 680,960 --a------ C:\WINDOWS\isRS-000.tmp
2008-01-10 12:15 . 2008-01-10 12:41 455,168 --a------ C:\WINDOWS\system32\dllcache\tintsetp.exe
2008-01-10 12:15 . 2008-01-17 14:24 208,952 --a------ C:\WINDOWS\system32\dllcache\imjpmig.exe
2008-01-10 12:15 . 2008-01-10 12:41 59,392 --a------ C:\WINDOWS\system32\dllcache\imscinst.exe
2008-01-09 12:09 . 2008-01-18 11:08 15,360 --a------ C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-09 12:09 . 2008-01-18 11:08 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-09 11:26 . 2008-01-09 11:26 <DIR> d-------- C:\Program Files\DVD Shrink
2008-01-06 14:07 . 2008-01-06 14:17 <DIR> d-------- C:\Program Files\UrbanTerror
2008-01-01 17:38 . 2008-01-01 17:38 <DIR> d-------- C:\Program Files\Paradox Entertainment
2007-12-21 15:22 . 2007-12-21 15:22 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2007-12-21 07:54 . 2005-04-27 08:42 104,593 --a------ C:\WINDOWS\system32\drivers\MPIXVID.SYS
2007-12-21 07:54 . 2004-06-29 01:16 25,575 --a------ C:\WINDOWS\system32\drivers\USBCamAT.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-19 21:17 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-01-18 23:15 --------- d-----w C:\Program Files\Google
2008-01-18 22:57 --------- d-----w C:\Program Files\Java
2008-01-18 22:52 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-18 00:29 --------- d-----w C:\Program Files\QuickTime
2008-01-18 00:07 174,592 ----a-w C:\WINDOWS\system32\lexpps.exe
2008-01-17 11:39 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd6749.sys
2008-01-17 00:09 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\uTorrent
2008-01-16 23:58 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\Vso
2008-01-16 08:03 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\LimeWire
2008-01-12 13:24 --------- d-----w C:\Program Files\DivoCodec
2008-01-12 09:55 --------- d-----w C:\Program Files\DivX
2008-01-09 01:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-08 23:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-08 02:04 --------- d-----w C:\Program Files\Firefly Studios
2008-01-06 01:52 --------- d-----w C:\Program Files\WinISO
2008-01-06 01:52 --------- d-----w C:\Program Files\EGOSOFT
2007-12-21 23:03 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-12-21 23:03 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-21 23:03 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\SUPERAntiSpyware.com
2007-12-20 20:54 --------- d-----w C:\Program Files\Digital Camera
2007-12-16 10:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\vsosdk
2007-12-14 07:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-11 11:20 --------- d-----w C:\Program Files\MagicDisc
2007-12-11 10:06 --------- d-----w C:\Program Files\iSofter
2007-12-10 11:12 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\DivX
2007-12-10 10:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2007-12-10 10:30 --------- d-----w C:\Program Files\Elaborate Bytes
2007-11-29 22:30 43,528 ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-11-29 22:30 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2007-11-29 22:30 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2007-11-29 22:30 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2007-11-28 21:55 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-11-28 04:18 --------- d-----w C:\Program Files\SlySoft
2007-11-28 04:12 --------- d-----w C:\Documents and Settings\Andrew's\Application Data\SlySoft
2007-11-28 04:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\SlySoft
2007-11-24 05:53 --------- d-----w C:\Program Files\Oberon Media
2007-11-22 12:06 --------- d-----w C:\Program Files\LimeWire
2007-11-20 00:09 104,320 ----a-w C:\WINDOWS\system32\drivers\Rtnicxp.sys
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-31 02:17 54,824 ----a-w C:\WINDOWS\agrsmdel.exe
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-30 17:20 360,064 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-29 00:15 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-10-27 06:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 06:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 06:21 47,360 ----a-w C:\Documents and Settings\Andrew's\Application Data\pcouffin.sys
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-23 14:47 96,760 ----a-w C:\WINDOWS\system32\dfshim.dll
2007-10-23 14:47 84,480 ----a-w C:\WINDOWS\system32\mscories.dll
2007-10-23 14:47 282,112 ----a-w C:\WINDOWS\system32\mscoree.dll
2007-10-23 14:47 158,720 ----a-w C:\WINDOWS\system32\mscorier.dll
2007-06-01 11:46 2,608 ----a-w C:\Documents and Settings\Andrew's\Application Data\wklnhst.dat
2007-01-10 10:05 3,696 -c--a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( snapshot@2008-01-18_11.35.50.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-18 00:15:38 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-19 21:11:36 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-18 00:15:38 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-19 21:11:36 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-18 00:15:38 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-19 21:11:36 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-18 00:15:38 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-19 21:11:37 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-18 00:15:38 6,127,616 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-19 21:11:37 6,127,616 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-18 00:15:38 274,432 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-19 21:11:37 274,432 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-18 11:08 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCDrProfiler"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"Ashampoo AntiSpyWare Guard"="C:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe" [ ]

S3 bfastfao;bfastfao;C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\bfastfao.sys []
S3 BOCDRIVE;BOClean Kernel Monitor.;C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-18 03:02:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-09-14 01:31:06 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Hewlett-Packard\SDP\HPSdpApp.exef/remind /LaunchPoint reminder /App C:\Program Files\Hewlett-Packard\Easy Internet signup\StartEIS.aml
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-20 08:18:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-20 8:20:04
ComboFix-quarantined-files.txt 2008-01-19 21:19:55
ComboFix2.txt 2008-01-18 23:24:12
ComboFix3.txt 2008-01-18 11:06:16
ComboFix4.txt 2008-01-18 00:36:19
ComboFix5.txt 2008-01-17 11:52:15
.
2008-01-09 00:09:23 --- E O F ---
 