Cheers mate, I couldn't execute ComboFix on the other XP account due to the virus, so I did it on my username; here is the log.
ComboFix 10-05-16.02 - Sherwin 17/05/2010 20:33:53.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.61.1033.18.1471.808 [GMT 10:00]
Running from: c:\documents and settings\Sherwin\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\TEMP\Local Settings\Application Data\xeraryvrc
c:\documents and settings\TEMP\Local Settings\Application Data\xeraryvrc\tsnmnnatssd.exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\uactmp.db
c:\windows\system32\UACxfjmfoax.db
.
((((((((((((((((((((((((( Files Created from 2010-04-17 to 2010-05-17 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-17 09:51 . 2008-06-28 04:39 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-05-16 12:19 . 2009-04-09 14:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-16 11:51 . 2009-07-29 09:50 -------- d-----w- c:\documents and settings\TEMP\Application Data\FrostWire
2010-05-07 09:43 . 2010-03-26 10:39 -------- d-----w- c:\documents and settings\TEMP\Application Data\Skype
2010-05-07 09:43 . 2010-03-26 10:46 -------- d-----w- c:\documents and settings\TEMP\Application Data\skypePM
2010-05-06 00:36 . 2009-10-02 20:18 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-02 05:51 . 2008-07-16 11:09 -------- d-----w- c:\documents and settings\Sherwin\Application Data\FrostWire
2010-04-29 05:39 . 2009-04-09 14:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 05:39 . 2009-04-09 14:32 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-16 06:17 . 2007-12-12 05:38 -------- d-----w- c:\documents and settings\Sherwin\Application Data\uTorrent
2010-04-16 03:39 . 2010-03-30 21:43 -------- d-----w- c:\documents and settings\Sherwin\Application Data\Skype
2010-04-16 03:35 . 2010-03-30 21:48 -------- d-----w- c:\documents and settings\Sherwin\Application Data\skypePM
2010-04-02 01:18 . 2009-11-17 02:47 -------- d-----w- c:\documents and settings\TEMP\Application Data\uTorrent
2010-03-30 02:23 . 2010-03-30 02:18 -------- d-----w- c:\program files\Common Files\LogiShrd
2010-03-30 02:19 . 2010-03-30 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2010-03-30 02:18 . 2010-03-30 02:18 -------- d-----w- c:\program files\Logitech
2010-03-30 02:17 . 2010-03-30 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2010-03-27 03:39 . 2010-03-27 03:39 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-26 10:46 . 2010-03-26 10:46 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-03-26 10:36 . 2006-06-26 13:10 -------- d-----w- c:\program files\Google
2010-03-26 10:34 . 2010-03-26 10:33 -------- d-----r- c:\program files\Skype
2010-03-26 10:33 . 2010-03-26 10:33 -------- d-----w- c:\program files\Common Files\Skype
2010-03-26 10:33 . 2010-03-26 10:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-03-21 02:38 . 2009-09-11 10:43 69 ----a-w- c:\documents and settings\Sherwin\jagex_runescape_preferences2.dat
2010-03-21 02:36 . 2008-07-02 02:02 41 ----a-w- c:\documents and settings\Sherwin\jagex_runescape_preferences.dat
2010-03-11 12:38 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2008-09-07 04:35 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2008-09-07 04:34 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2008-09-07 04:34 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2008-09-07 04:33 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-22 09:12 . 2010-02-22 09:12 503808 ----a-w- c:\documents and settings\Sherwin\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-707bb77f-n\msvcp71.dll
2010-02-22 09:12 . 2010-02-22 09:12 499712 ----a-w- c:\documents and settings\Sherwin\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-707bb77f-n\jmc.dll
2010-02-22 09:12 . 2010-02-22 09:12 348160 ----a-w- c:\documents and settings\Sherwin\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-707bb77f-n\msvcr71.dll
2010-02-22 09:12 . 2010-02-22 09:12 61440 ----a-w- c:\documents and settings\Sherwin\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-59320863-n\decora-sse.dll
2010-02-22 09:12 . 2010-02-22 09:12 12800 ----a-w- c:\documents and settings\Sherwin\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-59320863-n\decora-d3d.dll
2010-02-20 03:14 . 2010-02-20 03:14 503808 ----a-w- c:\documents and settings\TEMP\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-697d0d8d-n\msvcp71.dll
2010-02-20 03:14 . 2010-02-20 03:14 499712 ----a-w- c:\documents and settings\TEMP\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-697d0d8d-n\jmc.dll
2010-02-20 03:14 . 2010-02-20 03:14 348160 ----a-w- c:\documents and settings\TEMP\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-697d0d8d-n\msvcr71.dll
2010-02-20 03:14 . 2010-02-20 03:14 61440 ----a-w- c:\documents and settings\TEMP\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-70c01420-n\decora-sse.dll
2010-02-20 03:14 . 2010-02-20 03:14 12800 ----a-w- c:\documents and settings\TEMP\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-70c01420-n\decora-d3d.dll
2010-02-16 23:10 . 2008-09-07 04:33 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2008-09-07 04:33 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-07 53248]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"VTTrayp"="VTtrayp.exe" [2005-10-31 163840]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
WG111v2 Smart Wizard Wireless Setting.lnk - c:\program files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2006-8-28 745472]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-22 23:34 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 05:18 413696 -c--a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"C-Media Mixer"=Mixer.exe /startup
"AVG8_TRAY"=c:\progra~1\AVG\AVG8\avgtray.exe
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Documents and Settings\\TEMP\\Desktop\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27633:TCP"= 27633:TCP:Limewire
"27633:UDP"= 27633:UDP:Limewire
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [30/01/2009 5:44 PM 64288]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [16/05/2008 8:10 PM 685816]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [28/06/2008 2:39 PM 335240]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [28/06/2008 2:39 PM 297752]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [28/08/2006 6:23 PM 66048]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [24/09/2009 9:17 PM 1181328]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3/11/2006 7:19 PM 13592]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [28/08/2006 6:19 PM 113792]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [26/03/2010 8:37 PM 135664]
S3 BPIKSp50;BPIKSp50 NDIS Protocol Driver;\??\d:\bpiksp50.sys --> d:\BPIKSp50.sys [?]
S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2010-05-17 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 07:25]
2010-05-17 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 07:25]
2010-05-17 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 07:25]
2010-05-17 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 07:25]
2010-05-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 07:25]
2010-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 01:34]
2010-05-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-26 10:36]
2010-05-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-26 10:36]
2010-05-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 09:20]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\documents and settings\Sherwin\Application Data\Mozilla\Firefox\Profiles\djnk51pv.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-Cmaudio - cmicnfg.cpl
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-17 20:50
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sptd.sys >>UNKNOWN [0x8A2F68AC]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9e7dcb8
\Driver\atapi -> atapi.sys @ 0xb9e38b40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(6820)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\VTTimer.exe
c:\windows\system32\VTtrayp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\program files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2010-05-17 20:58:28 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-17 10:58
Pre-Run: 12,930,306,048 bytes free
Post-Run: 13,739,872,256 bytes free
Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - BEA9F323B0F1972B74FC7693FECCFD2E
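As an added example that is not part of the original post and not code from ComboFix or Gmer: a small Python triage script for this log format. It runs over a constructed excerpt modelled on the log above (not a verbatim log from another machine) and pulls out what a responder reads first: the AV status line, the files ComboFix deleted, Run values that name a bare executable instead of a full path (so the real file has to be located by hand), firewall-authorized applications that live under a user profile, services whose image ComboFix could not find (`[?]`), and any `>>UNKNOWN [...]<<` module in Gmer's MBR call chain. The section names, regular expressions and the `triage`/`_image_of` functions are my own assumptions about the format, inferred from this one log.

```python
import re

# Constructed sample in ComboFix's log format, modelled on the post above.
# It is a hand-made excerpt for this example, not a log from another machine.
SAMPLE_LOG = r"""AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\TEMP\Local Settings\Application Data\xeraryvrc\tsnmnnatssd.exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\UACxfjmfoax.db
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-07 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\TEMP\\Desktop\\uTorrent.exe"=
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [16/05/2008 8:10 PM 685816]
S3 BPIKSp50;BPIKSp50 NDIS Protocol Driver;\??\d:\bpiksp50.sys --> d:\BPIKSp50.sys [?]
**************************************************************************
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sptd.sys >>UNKNOWN [0x8A2F68AC]<<
user & kernel MBR OK
"""

# Format assumptions (inferred from the log above, not documented by ComboFix):
SECTION_RE = re.compile(r"^\({3,}\s*(.+?)\s*\){3,}$")          # ((( Section name )))
KEY_RE = re.compile(r"^\[(.+)\]$")                              # [registry key]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')                      # "name"=value
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);[^;]*;(.+?) \[([^\]]*)\]$")  # R2 name;desc;image [info]
UNKNOWN_RE = re.compile(r">>UNKNOWN \[([^\]]+)\]<<")            # Gmer's unknown-module marker
PROFILE_ROOTS = ("c:\\documents and settings\\", "c:\\users\\")


def _image_of(value):
    """Strip ComboFix's trailing '[date size]' and the quotes around a Run value."""
    value = re.sub(r"\s*\[[^\]]*\]\s*$", "", value).strip()
    return value.strip('"')


def triage(log_text):
    """Walk the log once and collect the entries worth a second look."""
    findings = {
        "av_disabled": False,            # on-access scanner reported as off
        "deleted": [],                   # everything under 'Other Deletions'
        "unqualified_run_images": [],    # Run values with a bare file name
        "fw_apps_in_profiles": [],       # firewall exceptions under a user profile
        "missing_service_images": [],    # services ComboFix shows as [?]
        "unknown_mbr_modules": [],       # addresses Gmer could not map to a driver
    }
    section, key = None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1), None
            continue
        if line.startswith("*****"):      # separator before the Gmer output
            section, key = "gmer", None
            continue
        if line.startswith("AV:") and "scanning disabled" in line.lower():
            findings["av_disabled"] = True
        elif section == "Other Deletions":
            findings["deleted"].append(line)
        elif section == "Reg Loading Points":
            m = KEY_RE.match(line)
            if m:
                key = m.group(1).lower()
                continue
            m = VALUE_RE.match(line)
            if m and key:
                name, value = m.groups()
                if key.endswith("\\run"):
                    image = _image_of(value)
                    if "\\" not in image:   # no directory: resolved by path search
                        findings["unqualified_run_images"].append((name, image))
                elif "authorizedapplications" in key:
                    path = name.replace("\\\\", "\\").lower()  # log doubles backslashes here
                    if path.startswith(PROFILE_ROOTS):
                        findings["fw_apps_in_profiles"].append(path)
                continue
            m = SERVICE_RE.match(line)
            if m and m.group(4) == "?":
                findings["missing_service_images"].append((m.group(2), m.group(3)))
        elif section == "gmer":
            findings["unknown_mbr_modules"].extend(UNKNOWN_RE.findall(line))
    return findings


if __name__ == "__main__":
    for name, items in triage(SAMPLE_LOG).items():
        print(f"{name}: {items}")
```

The script only reads the log; it does not judge whether an entry is malicious. A bare image name in a Run value, an exception for an executable on someone's Desktop, or a service pointing at a removable drive are each ordinary on some machines, so the output is a checklist for the reader of the thread, not a verdict.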