#1
24th March 2009, 09:47 AM
Wayno2k8
TST Member
Join Date: Aug 2008, 197 posts.
Location: Melbourne, Australia
Blue screen of death virus attack, help please

I had a blue screen of death earlier today and need some help trying to clean my system, I had to do a system restore in safe mode to get my comp running again and it seems to be running ok now although after some scans it seems a rootkit is still hanging around and I also have some 11 svchost.exe running which sounds like a few too many to me. Here are the logs.

SUPERAntiSpyware Scan Log
SUPERAntiSpyware.com - AntiAdware, AntiSpyware, AntiMalware!

Generated 03/24/2009 at 08:12 PM

Application Version : 4.25.1014

Core Rules Database Version : 3811
Trace Rules Database Version: 1765

Scan type : Complete Scan
Total Scan Time : 00:57:11

Memory items scanned : 569
Memory threats detected : 0
Registry items scanned : 7112
Registry threats detected : 0
File items scanned : 75466
File threats detected : 5

Rootkit.Agent/Gen-Rustock
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2C03431D-8BE3-4BF8-9330-B1997CCBF2D1}\RP161\A0040283.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2C03431D-8BE3-4BF8-9330-B1997CCBF2D1}\RP161\A0041283.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2C03431D-8BE3-4BF8-9330-B1997CCBF2D1}\RP161\A0042284.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2C03431D-8BE3-4BF8-9330-B1997CCBF2D1}\RP163\A0042407.SYS

Rootkit.Mailer/Gen
C:\WINDOWS\SYSTEM32\DRIVERS\ABA48705.SYS


Malwarebytes' Anti-Malware 1.34
Database version: 1890
Windows 5.1.2600 Service Pack 3

24/03/2009 11:31:20
mbam-log-2009-03-24 (11-31-20).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 151467
Time elapsed: 1 hour(s), 14 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\iifcDWOi.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iifcdwoi (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Framework Windows (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\frmwrk32.exe (Trojan.Crypt) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iifcDWOi.dll (Trojan.Vundo) -> Delete on reboot.
C:\qxgjgqo.exe (Trojan.Crypt) -> Quarantined and deleted successfully.
C:\tnewfde.exe (Trojan.Crypt) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wayne\Local Settings\temp\ovfsthcimccfdncy.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\svchost.exe:exe.exe (Rootkit.ADS) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:41, on 24/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\windows\system32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\windows\system32\svchost.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\windows\System32\svchost.exe
C:\windows\system32\nvsvc32.exe
C:\windows\System32\svchost.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\windows\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\windows\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\windows\system32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\windows\system32\ctfmon.exe
C:\Program Files\filehippo.com\UpdateChecker.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\windows\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: CA Toolbar - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Toolbar\CallingIDIE.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [filehippo.com] "C:\Program Files\filehippo.com\UpdateChecker.exe" /background
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll/206 (file missing)
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/da/PCPitStop.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - http://www.lizardtech.com/download/f...trol_en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1189947500125
O16 - DPF: {96EEC7FF-106A-47F3-90D6-B4BB754AA40E} (POLi Pay Online) - https://autxn.paywithpoli.com/ewcust...iPayOnline.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{951B9C38-DC18-4D03-9A14-5BE1608A8FD5}: NameServer = 61.9.133.193,61.9.134.49
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares Ultra\chatServer.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: ThreatFire - Unknown owner - C:\Program Files\ThreatFire\TFService.exe (file missing)
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 12871 bytes


Just some help to clean up my system would be greatly appreciated, it's probably overdue seeing I haven't probably done it in at least 9-10 months.

Last edited by Wayno2k8; 24th March 2009 at 10:05 AM.
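The two things the poster is worried about, the number of svchost.exe instances and the lingering rootkit, can be checked mechanically from the logs above. The script below is an added example, not code from the thread or from HijackThis or Malwarebytes; it assumes a default XP layout (SYSTEM_DIRS) and uses a shortened copy of the posted logs as constructed sample input, plus one made-up svchost.exe line to exercise the "wrong directory" branch.

```python
"""Triage helper for the HijackThis and Malwarebytes logs in the post above.

Added example: not part of the thread and not code from either tool.
It checks two things the poster is worried about:
  1. how many svchost.exe instances the HijackThis "Running processes" list
     shows, and whether any runs from outside the Windows system directory
     (several svchost.exe hosts under system32 is normal on Windows XP);
  2. which Malwarebytes "Files Infected" entries name an NTFS alternate data
     stream (host.exe:stream), the pattern behind "svchost.exe:exe.exe
     (Rootkit.ADS)" in the log above.
"""
import ntpath
import re

# Constructed sample: a shortened copy of the process list from the
# HijackThis log above, plus one made-up line (C:\temp\svchost.exe)
# that is NOT in the original log, added to exercise the "outside" branch.
HJT_LOG = r"""Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\temp\svchost.exe
C:\windows\Explorer.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
"""

# Constructed sample: three lines copied from the Malwarebytes log above.
MBAM_LOG = r"""Files Infected:
C:\WINDOWS\system32\frmwrk32.exe (Trojan.Crypt) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\svchost.exe:exe.exe (Rootkit.ADS) -> Quarantined and deleted successfully.
C:\qxgjgqo.exe (Trojan.Crypt) -> Quarantined and deleted successfully.
"""

# Assumption: a default XP install with Windows in C:\windows. Paths are
# compared in ntpath.normcase form (lower-case, backslashes).
SYSTEM_DIRS = {r"c:\windows\system32"}

# One Malwarebytes result line: "<path> (<threat>) -> <action>"
MBAM_LINE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")


def section_lines(log, header):
    """Yield the stripped, non-empty lines after `header`, stopping at the first blank line."""
    lines = log.splitlines()
    for i, line in enumerate(lines):
        if line.strip().lower() == header.lower():
            for entry in lines[i + 1:]:
                if not entry.strip():
                    return
                yield entry.strip()
            return


def svchost_report(hjt_log):
    """Count svchost.exe processes and list those not started from a system directory."""
    total = 0
    outside = []
    for line in section_lines(hjt_log, "Running processes:"):
        path = ntpath.normcase(line)
        if ntpath.basename(path) != "svchost.exe":
            continue
        total += 1
        if ntpath.dirname(path) not in SYSTEM_DIRS:
            outside.append(line)  # keep the original spelling for the report
    return {"total": total, "outside_system_dir": outside}


def ads_detections(mbam_log):
    """Return the Files Infected entries whose file name carries an alternate data stream."""
    hits = []
    for line in section_lines(mbam_log, "Files Infected:"):
        match = MBAM_LINE.match(line)
        if not match:
            continue
        path = match.group("path")
        name = ntpath.basename(path)
        if ":" not in name:  # the drive-letter colon is never part of the basename
            continue
        host, stream = name.split(":", 1)
        hits.append({
            "host_file": ntpath.join(ntpath.dirname(path), host),
            "stream": stream,
            "threat": match.group("threat"),
        })
    return hits


if __name__ == "__main__":
    report = svchost_report(HJT_LOG)
    print(f"svchost.exe instances: {report['total']}")
    for p in report["outside_system_dir"]:
        print(f"  suspicious location: {p}")
    for hit in ads_detections(MBAM_LOG):
        print(f"ADS detection: {hit['host_file']} stream '{hit['stream']}' ({hit['threat']})")
```

Run against the full logs from the post, the same functions report every svchost.exe under system32, which is expected on XP; the indicator worth acting on is the alternate data stream attached to the real svchost.exe.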
#2
24th March 2009, 08:15 PM
evilfantasy
Security Team
Join Date: Dec 2007, 2,555 posts.
Location: Tulsa, OK
Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

----------

Download DDS by sUBs and save it to your Desktop.

Vista users: right click on dds and select Run as administrator (you will receive a UAC prompt; please allow it).

* Double click on dds to run it.
* When done, DDS.txt will open.
* You will receive another prompt after a while. Click Yes at the prompt and for the next scan to complete.
* When done, Attach.txt will open.
* Please copy and paste the contents of DDS.txt and Attach.txt in your next reply.

Last edited by evilfantasy; 24th March 2009 at 10:10 PM.
#3
25th March 2009, 01:37 AM
Wayno2k8
TST Member
Join Date: Aug 2008, 197 posts.
Location: Melbourne, Australia
ComboFix 09-03-23.01 - Wayne 2009-03-25 12:14:27.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1489 [GMT 11:00]
Running from: c:\documents and settings\Wayne\Desktop\ComboFix.exe
AV: CA Anti-Virus *On-access scanning enabled* (Updated)
FW: CA Personal Firewall *disabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\test.txt
c:\windows\system32\hpomjfkp.ini
c:\windows\system32\IlnWyyay.ini
c:\windows\system32\IlnWyyay.ini2

.
((((((((((((((((((((((((( Files Created from 2009-02-25 to 2009-03-25 )))))))))))))))))))))))))))))))
.

2009-03-24 21:41 . 2009-03-24 21:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\SITEguard
2009-03-24 21:40 . 2009-03-24 21:40 <DIR> d-------- c:\program files\Common Files\iS3
2009-03-24 18:03 . 2009-03-24 18:27 <DIR> d-------- C:\VideoOutput
2009-03-24 17:29 . 2009-03-24 18:30 <DIR> d-------- c:\documents and settings\Wayne\Application Data\uTorrent
2009-03-24 17:27 . 2009-03-24 17:29 <DIR> d-------- c:\documents and settings\Wayne\Application Data\uTorrent(2)
2009-03-24 09:40 . 2009-03-24 09:41 2 --a------ C:\-127167480
2009-03-21 20:26 . 2009-03-21 20:26 <DIR> d--hs---- c:\documents and settings\Wayne\IECompatCache
2009-03-21 20:24 . 2009-03-21 20:24 <DIR> d--hs---- c:\documents and settings\Wayne\PrivacIE
2009-03-21 20:22 . 2009-03-21 20:22 <DIR> d--hs---- c:\documents and settings\Wayne\IETldCache
2009-03-21 20:22 . 2009-03-21 20:22 <DIR> d--hs---- c:\documents and settings\NetworkService\IETldCache
2009-03-21 19:08 . 2009-03-21 19:09 <DIR> d--h-c--- c:\windows\ie8
2009-03-21 09:41 . 2009-03-21 09:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-03-18 04:25 . 2009-03-18 04:25 <DIR> d-------- c:\temp\atmp8
2009-03-18 04:24 . 2009-03-18 04:25 17,634,976 --a------ c:\documents and settings\Wayne\nvRGKTFOAS.exe
2009-03-18 04:24 . 2009-03-18 04:24 28,672 --a------ c:\documents and settings\Wayne\nsvRlRJhiX.exe
2009-03-17 22:03 . 2009-03-17 22:03 <DIR> d-------- c:\documents and settings\Wayne\Application Data\Ahead
2009-03-17 14:19 . 2009-03-17 14:19 <DIR> d-------- c:\documents and settings\Wayne\Application Data\dvdcss
2009-03-17 14:15 . 2008-05-06 17:01 45,056 --a------ c:\windows\system32\WNASPI32.DLL
2009-03-17 14:15 . 2008-05-06 17:01 16,512 --a------ c:\windows\system32\drivers\ASPI32.SYS
2009-03-16 13:38 . 2009-03-16 13:38 <DIR> d-------- c:\documents and settings\Wayne\Application Data\Xilisoft Corporation
2009-03-16 13:37 . 2009-03-17 15:25 <DIR> d-------- c:\program files\Xilisoft
2009-03-11 20:39 . 2009-03-11 20:39 7,680 --ahs---- c:\windows\Thumbs.db
2009-03-10 20:37 . 2009-03-18 04:25 <DIR> d-------- C:\Temp
2009-03-10 11:37 . 2009-03-10 11:48 <DIR> d-------- C:\Need4Video files
2009-03-09 14:09 . 2009-03-09 14:19 <DIR> d-------- c:\program files\uTorrent
2009-03-09 02:13 . 2009-03-09 02:13 <DIR> d-------- c:\documents and settings\Wayne\Application Data\.ABC
2009-03-08 14:22 . 2009-03-08 14:22 49,152 --------- c:\windows\system32\msrating.dll.mui
2009-03-08 14:22 . 2009-03-08 14:22 2,560 --------- c:\windows\system32\mshta.exe.mui
2009-03-08 14:21 . 2009-03-08 14:21 4,096 --------- c:\windows\system32\ie4uinit.exe.mui
2009-03-08 14:20 . 2009-03-08 14:20 81,920 --------- c:\windows\system32\iedkcs32.dll.mui
2009-03-08 04:33 . 2009-03-08 04:33 18,944 -----c--- c:\windows\system32\dllcache\corpol.dll
2009-03-06 14:34 . 2009-03-06 14:35 <DIR> d-------- c:\program files\GetRight
2009-03-05 23:01 . 2009-03-05 23:01 <DIR> d-------- c:\program files\Hiro-Media
2009-03-05 23:01 . 2009-03-05 23:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hiro-Media
2009-03-03 21:15 . 2009-03-14 15:30 <DIR> d-------- c:\documents and settings\Wayne\Application Data\HPAppData
2009-03-03 19:57 . 2009-03-03 19:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\WEBREG
2009-03-03 19:57 . 2009-03-03 19:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\HPSSUPPLY
2009-03-03 19:55 . 2009-03-03 19:55 <DIR> d-------- c:\documents and settings\Wayne\Application Data\HP
2009-03-03 19:49 . 2009-03-03 19:49 <DIR> d-------- c:\program files\Hewlett-Packard
2009-03-03 19:49 . 2009-03-03 19:49 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
2009-03-03 19:49 . 2009-03-03 19:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-03-03 19:49 . 2009-03-03 19:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP
2009-03-03 19:48 . 2009-03-03 19:48 <DIR> d-------- c:\program files\Common Files\HP
2009-03-03 19:47 . 2009-03-03 19:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-03-03 19:47 . 2007-11-09 01:52 271,704 -ra------ c:\windows\system32\hpzids01.dll
2009-03-03 19:47 . 2007-10-20 18:25 117,760 --a------ c:\windows\system32\hpzll5mu.dll
2009-03-03 19:47 . 2007-10-30 20:25 49,920 -ra------ c:\windows\system32\drivers\HPZid412.sys
2009-03-03 19:47 . 2007-10-30 20:25 16,496 -ra------ c:\windows\system32\drivers\HPZipr12.sys
2009-03-03 19:46 . 2007-10-30 20:11 729,088 -ra------ c:\windows\system32\hpowiax7.dll
2009-03-03 19:46 . 2007-10-30 20:11 581,632 -ra------ c:\windows\system32\hpotscl6.dll
2009-03-03 19:46 . 2007-10-30 20:25 372,736 -ra------ c:\windows\system32\hppldcoi.dll
2009-03-03 19:46 . 2007-10-30 20:25 309,760 -ra------ c:\windows\system32\difxapi.dll
2009-03-03 19:46 . 2007-10-30 20:11 303,104 -ra------ c:\windows\system32\hpovst15.dll
2009-03-03 19:46 . 2007-10-30 20:25 21,568 -ra------ c:\windows\system32\drivers\HPZius12.sys
2009-03-03 19:46 . 2008-04-14 04:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-03-03 19:46 . 2008-04-14 04:45 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2009-03-03 19:43 . 2009-03-03 19:55 <DIR> d-------- c:\program files\HP
2009-03-03 19:38 . 2009-03-03 19:55 157,454 --a------ c:\windows\hpoins27.dat
2009-03-03 19:38 . 2008-01-19 02:56 932 --------- c:\windows\hpomdl27.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-25 01:29 --------- d-----w c:\program files\BitComet
2009-03-25 01:24 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k7
2009-03-25 01:24 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k6
2009-03-25 01:24 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k5
2009-03-25 01:24 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k4
2009-03-25 01:24 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k3
2009-03-25 01:24 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k2
2009-03-25 01:24 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k1
2009-03-25 01:24 197,154 ----a-w c:\windows\system32\drivers\kmxcfg.u2k0
2009-03-24 13:34 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-24 13:33 --------- d-----w c:\program files\SpywareBlaster
2009-03-24 13:31 --------- d-----w c:\documents and settings\Wayne\Application Data\CallingID
2009-03-24 13:31 --------- d-----w c:\documents and settings\All Users\Application Data\STOPzilla!
2009-03-24 06:35 --------- d-----w c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-03-24 06:30 --------- d-----w c:\program files\Spyware Terminator
2009-03-24 05:37 --------- d-----w c:\documents and settings\Wayne\Application Data\Spyware Terminator
2009-03-22 08:23 --------- d-----w c:\program files\Common Files\Adobe
2009-03-19 03:56 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-11 07:43 --------- d-----w c:\documents and settings\Wayne\Application Data\GetRight
2009-03-11 06:41 --------- d-----w c:\documents and settings\Wayne\Application Data\Vso
2009-03-05 12:02 --------- d-----w c:\program files\XviD
2009-03-03 10:39 --------- d-----w c:\program files\Common Files\Adobe AIR
2009-03-03 07:54 --------- d-----w c:\program files\Common Files\EPSON
2009-03-01 12:00 --------- d-----w c:\documents and settings\Wayne\Application Data\Skype
2009-02-26 13:00 --------- d-----w c:\documents and settings\Wayne\Application Data\teamspeak2
2009-02-26 11:09 --------- d-----w c:\program files\SUPERAntiSpyware
2009-02-22 01:08 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-02-22 01:08 --------- d-----r c:\program files\Skype
2009-02-20 05:20 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Software
2009-02-20 05:19 --------- d-----w c:\documents and settings\Wayne\Application Data\NCH Software
2009-02-18 03:44 6,308,224 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2009-02-12 08:10 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-10 23:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-10 23:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-06 06:23 --------- d-----w c:\program files\Java
2009-02-06 01:08 --------- d-----w c:\program files\Common Files\Apple
2008-01-26 00:17 32 ------w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-09-16 08:24 47,360 ------w c:\documents and settings\Wayne\Application Data\pcouffin.sys
2005-03-31 12:17 40,960 ------w c:\program files\Uninstall_CDS.exe
2008-08-17 12:52 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081720080818\index.dat
2008-08-28 10:47 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082820080829\index.dat
.

------- Sigcheck -------

2006-04-20 23:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-31 03:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 21:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 22:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 22:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-06-20 21:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 c:\windows\$NtServicePackUninstall$\tcpip.sys
2006-02-28 23:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB917953$\tcpip.sys
2007-09-17 00:08 359808 ba57942c0029b0878afba052a3e33689 c:\windows\$NtUninstallKB941644$\tcpip.sys
2008-04-14 06:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2007-10-31 04:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
2008-04-14 06:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\tcpip.sys
2008-09-03 04:17 361600 eec9730f9cc03819111d90e6caa2dcc9 c:\windows\system32\dllcache\tcpip.sys
2008-09-03 04:17 361600 eec9730f9cc03819111d90e6caa2dcc9 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"filehippo.com"="c:\program files\filehippo.com\UpdateChecker.exe" [2008-07-04 137216]
"BitComet"="c:\program files\BitComet\BitComet.exe" [2009-01-20 2523960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-01-24 181488]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-12-20 234736]
"cafw"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-12-20 771312]
"capfasem"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-12-20 173296]
"capfupgrade"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-12-20 259312]
"QOELOADER"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe" [2008-12-20 14088]
"SpywareTerminator"="c:\progra~1\SPYWAR~1\SpywareTerminatorShield.exe" [2009-02-18 2233856]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-05 148888]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 c:\windows\system32\HdAShCut.exe]
"nwiz"="nwiz.exe" [2009-02-18 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-21 77824]
"{1869181A-9F50-4FCF-8BFF-1B8588ECB85C}"= "c:\program files\CA\CA Internet Security Suite\CA Website Inspector\LinkAdvisor\CIDLinkAdvisor.dll" [2008-06-23 1373624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-04 17:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 14:30 79368 c:\windows\system32\UmxWNP.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Hiro-Media Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Hiro-Media Client.lnk
backup=c:\windows\pss\Hiro-Media Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VersionTrackerPro.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VersionTrackerPro.lnk
backup=c:\windows\pss\VersionTrackerPro.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Wayne^Start Menu^Programs^Startup^BitDefender Total Security 2008.lnk]
backup=c:\windows\pss\BitDefender Total Security 2008.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Wayne^Start Menu^Programs^Startup^DesktopEarth AutoStart.lnk]
backup=c:\windows\pss\DesktopEarth AutoStart.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Wayne^Start Menu^Programs^Startup^Karen's Replicator.lnk]
path=c:\documents and settings\Wayne\Start Menu\Programs\Startup\Karen's Replicator.lnk
backup=c:\windows\pss\Karen's Replicator.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Wayne^Start Menu^Programs^Startup^MagicDisc.lnk]
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Wayne^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Wayne\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FLMLABTECMOUSE
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
--a------ 2008-07-29 16:54 2831360 c:\program files\Ares Ultra\Ares Ultra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares ultra]
--a------ 2008-07-29 16:54 2831360 c:\program files\Ares Ultra\Ares Ultra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
--a------ 2009-01-20 17:37 2523960 c:\program files\BitComet\BitComet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FLMOFFICE4DMOUSE]
--a------ 2008-06-03 18:34 958464 c:\program files\Labtec\Desktop\V5.1\MOffice.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-11-08 19:58 133104 c:\documents and settings\Wayne\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 08:00 33648 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-10-14 21:17 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--------- 2005-06-11 01:20 1397760 c:\program files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
--a------ 2005-06-08 15:44 196608 c:\program files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
--a------ 2005-06-08 16:24 458752 c:\program files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
--a------ 2005-06-08 16:14 217088 c:\program files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
--------- 2002-12-10 18:54 127022 c:\program files\Common Files\Logitech\QCDriver3\LVComS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
--a------ 2009-02-11 10:19 399504 c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--------- 2005-05-19 20:38 1957888 c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--------- 2001-07-09 12:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSLauncher]
--a------ 2006-11-28 02:12 2658304 c:\program files\Nokia\Nokia Software Launcher\NSLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OFFICEKB]
--a------ 2008-06-03 18:34 387584 c:\program files\Labtec\Desktop\V5.1\KBDAP32A.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerBar]
--------- 2004-04-21 11:26 86016 c:\program files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2009-01-29 14:01 23975720 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2009-02-26 22:09 1830128 c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23939:TCP"= 23939:TCP:BitComet 23939 TCP
"23939:UDP"= 23939:UDP:BitComet 23939 UDP
"60235:TCP"= 60235:TCP:BitComet 60235 TCP
"60235:UDP"= 60235:UDP:BitComet 60235 UDP
"7773:TCP"= 7773:TCP:BitComet 7773 TCP
"7773:UDP"= 7773:UDP:BitComet 7773 UDP
"16050:TCP"= 16050:TCP:BitComet 16050 TCP
"16050:UDP"= 16050:UDP:BitComet 16050 UDP

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2008-06-24 93712]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2008-06-24 63504]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [2008-06-24 45584]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [2008-06-24 115216]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2006-10-10 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2007-02-27 55024]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2008-07-30 142592]
R2 BT848;WinFast TV2000 XP WDM Video Capture;c:\windows\system32\drivers\wf2kvcap.sys [2005-06-01 76325]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [2008-06-24 134648]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [2008-06-24 66576]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2008-07-10 179856]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-07-23 206096]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [2008-06-24 1010192]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [2008-06-24 801296]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [2008-06-24 281104]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2008-06-24 88816]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-07-10 15504]
R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2008-12-20 185584]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2008-04-30 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2008-04-30 8320]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-02-18 c:\windows\Tasks\CAAntiSpywareScan_Daily as Wayne at 13 40.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2008-12-20 13:43]

2009-03-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-2025429265-839522115-1003.job
- c:\documents and settings\Wayne\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-08 19:58]

2009-03-24 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Wayne.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-02-11 10:19]

2009-03-24 c:\windows\Tasks\Malwarebytes' Scheduled Update for Wayne.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-02-11 10:19]

2009-03-24 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 17:04]

2009-03-25 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 17:04]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-PowerBar - (no file)
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-BDAgent - c:\program files\BitDefender\BitDefender 2008\bdagent.exe
MSConfigStartUp-BitDefender Antiphishing Helper - c:\program files\BitDefender\BitDefender 2008\IEShow.exe
MSConfigStartUp-DriverUpdaterPro - c:\program files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe
MSConfigStartUp-LDM - c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
MSConfigStartUp-LogitechGalleryRepair - c:\program files\Logitech\ImageStudio\ISStart.exe
MSConfigStartUp-LogitechImageStudioTray - c:\program files\Logitech\ImageStudio\LogiTray.exe
MSConfigStartUp-Windows Defender - c:\program files\Windows Defender\MSASCui.exe


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = localhost
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
LSP: c:\windows\system32\VetRedir.dll
TCP: {951B9C38-DC18-4D03-9A14-5BE1608A8FD5} = 61.9.133.193,61.9.134.49
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {96EEC7FF-106A-47F3-90D6-B4BB754AA40E} - hxxps://autxn.paywithpoli.com/ewcustomer/POLiPayOnline.cab
FF - ProfilePath - c:\documents and settings\Wayne\Application Data\Mozilla\Firefox\Profiles\8cpr16ar.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\Wayne\Application Data\Mozilla\Firefox\Profiles\8cpr16ar.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
FF - component: c:\program files\CA\CA Internet Security Suite\CA Website Inspector\LinkAdvisor\Firefox\components\CallingIDLinkAdvisorGecko.dll
FF - component: c:\program files\CA\CA Internet Security Suite\CA Website Inspector\Toolbar\Firefox\components\CIDDomFx3.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Wayne\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-25 12:29:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1512)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\documents and settings\Wayne\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\windows\system32\UmxWnp.Dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(1768)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
c:\program files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Spyware Terminator\sp_rsser.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
c:\windows\system32\WgaTray.exe
c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
c:\windows\system32\rundll32.exe
c:\program files\CA\CA Internet Security Suite\ccprovsp.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\cappactiveprotection.exe
.
**************************************************************************
.
Completion time: 2009-03-25 12:33:27 - machine was rebooted [Wayne]
ComboFix-quarantined-files.txt 2009-03-25 01:33:24

Pre-Run: 107,760,553,984 bytes free
Post-Run: 107,937,488,896 bytes free

Current=1 Default=1 Failed=3 LastKnownGood=4 Sets=1,2,3,4
409 --- E O F --- 2009-03-20 08:40:26

Here are the last scans from SUPERAntiSpyware and Malwarebytes too, Evil. Thanks so much for your help.

SUPERAntiSpyware Scan Log
SUPERAntiSpyware.com - AntiAdware, AntiSpyware, AntiMalware!

Generated 03/25/2009 at 06:36 AM

Application Version : 4.25.1014

Core Rules Database Version : 3811
Trace Rules Database Version: 1765

Scan type : Complete Scan
Total Scan Time : 00:57:53

Memory items scanned : 542
Memory threats detected : 0
Registry items scanned : 7113
Registry threats detected : 0
File items scanned : 75397
File threats detected : 1

Rootkit.Agent/Gen-Rustock
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2C03431D-8BE3-4BF8-9330-B1997CCBF2D1}\RP163\A0042457.SYS


Malwarebytes' Anti-Malware 1.34
Database version: 1891
Windows 5.1.2600 Service Pack 3

25/03/2009 05:35:45
mbam-log-2009-03-25 (05-35-45).txt

Scan type: Full Scan (C:\|)
Objects scanned: 151618
Time elapsed: 1 hour(s), 1 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
#4, 25th March 2009, 03:17 PM
evilfantasy (Security Team)
This scanner works with Internet Explorer only!

Scan with the BitDefender Online Scanner
Click I Agree to the license and then install the ActiveX control.
Please DO NOT change the Scanning Options.
That will make your logs huge and we don't need to see clean files.

Select Start Scan to begin.
This scan can take a while so please be patient and let it complete.

Once BitDefender completes the scan:
Click-on the Detected Problems tab.
Then select Click here to export the scan report



This will save a file named bdscan.html. I would suggest saving it to the Desktop so you can easily find it (take notice of where you save it so you can find it later).

You will have to upload the file online. The forums will not accept HTML.

Go to File Dropper

Click Upload
Locate the file and double click it.
Copy the link below Share This Link: and post it back here.

----------
#5, 25th March 2009, 06:53 PM
Wayno2k8 (TST Member)
Ok, here's the link. Would have had this done hours ago, only the scan did take a very long time.

http://www.filedropper.com/bdscan_1
#6, 25th March 2009, 06:58 PM
evilfantasy (Security Team)
OK how is the computer running now?
#7, 25th March 2009, 07:05 PM
Wayno2k8 (TST Member)
Yes, the computer is running well, maybe a little slower than usual on boot up, but other than that running ok. This file is still on the computer though; I just checked and thought I'd better let you know: C:\Documents and Settings\Wayne\nsvRlRJhiX.exe

Last edited by Wayno2k8; 25th March 2009 at 07:08 PM.
#8, 25th March 2009, 07:08 PM
evilfantasy (Security Team)
OK time to finish up.

  • Click START then RUN
  • Now type Combofix /u in the runbox
  • Make sure there's a space between Combofix and /u
  • Then hit Enter.

The above procedure will:
  • Delete:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.


----------

I would also recommend that you Defrag the computer. There may be a lot of fragmented sections on the drive after cleaning the malware.

You can use the built in Windows Defrag or a faster FREE program. Defraggler is very effective and easy to use. Be sure to clean out temp files and restart the computer just before using this.

----------

Use the Secunia Software Inspector to check for out of date software.
  • Click Start Now
  • Check the box next to Enable thorough system inspection.
  • Click Start
  • Allow the scan to finish and scroll down to see if any updates are needed.
  • Update anything listed.


----------

Go to Microsoft Windows Update and get all critical security updates. (you will need to use Internet Explorer to do this)

----------

Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.
#9, 25th March 2009, 07:26 PM
Wayno2k8 (TST Member)
Ok, thanks for your help Kevin, much appreciated. Most of the other stuff is done; I just have to update at Microsoft and do a defrag. I have Windows Update turned on so there can't be much, if anything, to come there. SpywareBlaster is always here but I never seem to see it running. Can you let me know if I need to delete those files that were found by the BitDefender scan, and should I reset my System Restore, as a couple of those trojans were left in System Restore I think?
#10, 25th March 2009, 07:46 PM
evilfantasy (Security Team)
Removing ComboFix cleared your restore points.

You can delete any leftover logs.

Quote:
Spywareblaster is always here but never seem to see it running
It doesn't actually run. You just have to open it now and then, check for updates and apply all protection. It adds known rogue sites and ActiveX scripts to your browser's security settings and blocks them if you happen to enter a bad web page.