WiredWX Christian Hobby Weather Tools

Infected with Virtob, please help

I am getting random DCOM attacks. My antivirus says I have been infected with Virtob, but can't fix it.

Here is my HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:09:48 PM, on 3/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
d:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Lexmark 3500-4500 Series\Lexmark 3500-4500 Series\lxdimon.exe
D:\Program Files\Lexmark 3500-4500 Series\Lexmark 3500-4500 Series\lxdiamon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\lxdicoms.exe
C:\WINDOWS\System32\svchost.exe
d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
d:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Documents and Settings\Jimmy.VALUED-20606295\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [avast!] d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NBKeyScan] "D:\Program Files\Nero\Nero 8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [lxdimon.exe] "d:\Program Files\Lexmark 3500-4500 Series\Lexmark 3500-4500 Series\lxdimon.exe"
O4 - HKLM\..\Run: [lxdiamon] "d:\Program Files\Lexmark 3500-4500 Series\Lexmark 3500-4500 Series\lxdiamon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools\daemon.exe" -autorun
O4 - HKCU\..\Run: [AlcoholAutomount] "d:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - https://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1214086121140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1214086111328
O16 - DPF: {ADCC68D4-AAEA-4338-817D-1F261D9FB759} (ENetLauncher Control) - http://www.dragongemworld.com/Active_X/ENetLauncher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin10USA.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxdiCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe
O23 - Service: lxdi_device - - C:\WINDOWS\system32\lxdicoms.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 7191 bytes

Re: Infected with Virtob, please help

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
    Link 3
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Infected with Virtob, please help
Thanks for the fast reply on such short notice. Here is DDS.txt:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Jimmy at 12:48:15.57 on Fri 03/20/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.768.452 [GMT -7:00]

AV: avast! antivirus 4.8.1335 [VPS 090319-0] *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
d:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Lexmark 3500-4500 Series\Lexmark 3500-4500 Series\lxdimon.exe
D:\Program Files\Lexmark 3500-4500 Series\Lexmark 3500-4500 Series\lxdiamon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxdicoms.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
d:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Jimmy.VALUED-20606295\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
mDefault_Page_URL = hxxp://www.sony.com/vaiopeople
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Lite] "d:\program files\daemon tools\daemon.exe" -autorun
uRun: [AlcoholAutomount] "d:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [avast!] d:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [NBKeyScan] "d:\program files\nero\nero 8\nero backitup\NBKeyScan.exe"
mRun: [lxdimon.exe] "d:\program files\lexmark 3500-4500 series\lexmark 3500-4500 series\lxdimon.exe"
mRun: [lxdiamon] "d:\program files\lexmark 3500-4500 series\lexmark 3500-4500 series\lxdiamon.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} - hxxps://www.e-games.com.my/com/EGamesPlugin.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1214086121140
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1214086111328
DPF: {ADCC68D4-AAEA-4338-817D-1F261D9FB759} - hxxp://www.dragongemworld.com/Active_X/ENetLauncher.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - hxxp://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} - hxxp://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin10USA.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - d:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - d:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jimmy~1.val\applic~1\mozilla\firefox\profiles\skwmol9v.default\
FF - plugin: d:\program files\videolan\vlc\npvlc.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-7 114768]
R1 SASDIFSV;SASDIFSV;d:\program files\superantispyware\sasdifsv.sys [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;d:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 32256]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-8-6 20560]
R2 avast! Antivirus;avast! Antivirus;d:\program files\alwil software\avast4\ashServ.exe [2008-6-3 138680]
R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
R3 avast! Mail Scanner;avast! Mail Scanner;d:\program files\alwil software\avast4\ashMaiSv.exe [2008-6-3 254040]
R3 avast! Web Scanner;avast! Web Scanner;d:\program files\alwil software\avast4\ashWebSv.exe [2008-6-3 352920]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2002-4-24 175232]
S2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdiserv.exe [2008-3-18 99248]
S3 HFXLowerFilter;HFXLowerFilter;c:\windows\system32\drivers\hfx_lfd.sys [2006-6-21 21632]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2007-8-19 33792]
S3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\drivers\LTSM.sys [2002-4-24 807917]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S3 SASENUM;SASENUM;d:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
S3 sejt1;sejt1;\??\d:\s\sejtengine\sejt.sys --> d:\s\sejtengine\sejt.sys [?]
S3 SMBE;Sony MPEG2 Encoder Board (WDM);c:\windows\system32\drivers\Smbe.sys [2002-4-24 594668]
S3 XDva008;XDva008;\??\c:\windows\system32\xdva008.sys --> c:\windows\system32\XDva008.sys [?]
S3 zenx1;zenx1;\??\c:\documents and settings\jimmy.valued-20606295\my documents\my received files\zenxengine gms\zenxengine_latest\zenxengine_latest\zenx.sys --> c:\documents and settings\jimmy.valued-20606295\my documents\my received files\zenxengine gms\zenxengine_latest\zenxengine_latest\zenx.sys [?]

=============== Created Last 30 ================


==================== Find3M ====================

2009-03-19 23:26 82,484 a------- c:\windows\War3Unin.dat
2009-01-15 23:56 4 ---shr-- c:\docume~1\alluse~1\applic~1\sysqcl0.dat
2008-12-18 00:53 604 a---h--- c:\program files\STLL Notifier
2008-08-18 00:56 784 a------- c:\docume~1\jimmy~1.val\applic~1\mpauth.dat
2008-02-18 13:25 35,184 a------- c:\docume~1\jimmy~1.val\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 12:49:04.79 ===============

Re: Infected with Virtob, please help
Hello.
Bad and good news.

Bad news - Virtob is also known as Virut, a file infector which can't be fixed without formatting.
Good news - DDS log says no exe files modified within the past month, so there may still be some hope.

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found: [image: Check]
  • If so, click it and then click the next icon right below and select Move incurable, as you'll see in the next image:
    [image: Move]
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

Re: Infected with Virtob, please help
The version of Dr.Web CureIt you are talking about must have been different from mine, because I did not see that icon. So I right-clicked my infected file and clicked Move Incurable. Here is DrWeb.csv:

mirc.exe;D:\Program Files\mIRC;Program.mIRC.617;Incurable.Moved.;

Re: Infected with Virtob, please help
Hello.
Do you know what this is?

zenxengine gms

It was, or still is, in My Received Files, as if it was sent through MSN.

Re: Infected with Virtob, please help
... double post. This virus is screwing my computer

Last edited by nesta_p on 20th March 2009, 9:40 pm; edited 1 time in total

Re: Infected with Virtob, please help
It's a trainer for a game. Should I delete it? (I thought I deleted it a while ago.)

Re: Infected with Virtob, please help
Hello.
We'll see what this says.

Please download the OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :services
    sejt1
    zenx1

    :files
    c:\documents and settings\jimmy.valued-20606295\my documents\my received files\zenxengine gms
    d:\s


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


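Why the OTMoveIt script above targets the sejt1 and zenx1 entries, and why XDva008 from the same DDS section shows the same indicators even though the thread does not act on it: the following is an added example, not code from the thread or from DDS/OTMoveIt. It parses lines in the shape of the DDS SERVICES / DRIVERS section posted earlier and flags drivers that DDS could not stat (the trailing [?]), drivers whose display name is just the service name, and drivers loaded from a user profile or from outside the system drivers directory. The sample lines are copied from the posted log (the zenx1 path is shortened); the scoring thresholds and the "suspicious"/"review" split are my own choices, not DDS output.

```python
import re
from dataclasses import dataclass, field

# Sample in the shape of the DDS "SERVICES / DRIVERS" section above. Entries are
# copied from the posted log; the zenx1 path is shortened for readability.
SAMPLE_DDS = r"""
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-7 114768]
R1 SASDIFSV;SASDIFSV;d:\program files\superantispyware\sasdifsv.sys [2006-10-10 5632]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S3 sejt1;sejt1;\??\d:\s\sejtengine\sejt.sys --> d:\s\sejtengine\sejt.sys [?]
S3 XDva008;XDva008;\??\c:\windows\system32\xdva008.sys --> c:\windows\system32\XDva008.sys [?]
S3 zenx1;zenx1;\??\c:\documents and settings\jimmy\my received files\zenx.sys --> c:\documents and settings\jimmy\my received files\zenx.sys [?]
"""

# One DDS driver line: "<R|S><start> <name>;<display>;<path> [<date size> | ?]"
DDS_LINE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s+\[(?P<meta>[^\]]*)\]$"
)

SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
PROFILE_MARKERS = ("\\documents and settings\\", "\\users\\")


@dataclass
class Driver:
    state: str          # R = running, S = stopped (DDS convention)
    start: int          # service Start value: 1 system, 2 auto, 3 demand
    name: str
    display: str
    path: str           # on-disk path; right-hand side when DDS prints "a --> b"
    meta: str           # "date size" when DDS could stat the file, "?" when it could not
    reasons: list = field(default_factory=list)


def parse_dds_drivers(text):
    drivers = []
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if not m:
            continue
        raw = m["path"]
        path = raw.split("-->")[-1].strip() if "-->" in raw else raw.strip()
        drivers.append(Driver(m["state"], int(m["start"]), m["name"].strip(),
                              m["display"].strip(), path, m["meta"].strip()))
    return drivers


def score(driver):
    """Attach human-readable indicators to one driver entry (thresholds are mine)."""
    p = driver.path.lower()
    if driver.meta == "?":
        driver.reasons.append("DDS could not stat the file (missing, hidden or locked)")
    if driver.display.lower() == driver.name.lower():
        driver.reasons.append("display name is just the service name, no vendor description")
    if any(marker in p for marker in PROFILE_MARKERS):
        driver.reasons.append("driver binary lives under a user profile")
    elif not p.startswith(SYSTEM_DRIVER_DIR):
        driver.reasons.append("driver binary outside the system drivers directory")
    return driver


def triage_report(text):
    """'suspicious' = unstat-able file plus at least one more indicator (sejt1, zenx1,
    XDva008 above); 'review' = some indicator only, e.g. a third-party driver that
    legitimately lives under Program Files (SASDIFSV)."""
    report = {"suspicious": [], "review": []}
    for d in map(score, parse_dds_drivers(text)):
        if not d.reasons:
            continue
        strong = d.meta == "?" and len(d.reasons) >= 2
        report["suspicious" if strong else "review"].append(d.name)
    return report


if __name__ == "__main__":
    for d in map(score, parse_dds_drivers(SAMPLE_DDS)):
        if d.reasons:
            print(f"{d.name:10} {d.path}\n    " + "\n    ".join(d.reasons))
    print(triage_report(SAMPLE_DDS))
```

Run it against a real DDS.txt by passing the whole file to triage_report; the regex skips every line that is not a driver entry. The "[?]" marker alone is not proof of malware (a driver whose file was already deleted also shows it), which is why the report keeps a separate review tier instead of treating every indicator as a hit.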
Re: Infected with Virtob, please help
My OTMoveIt log:

========== SERVICES/DRIVERS ==========

Service\Driver sejt1 deleted successfully.

Service\Driver zenx1 deleted successfully.
========== FILES ==========
File/Folder c:\documents and settings\jimmy.valued-20606295\my documents\my received files\zenxengine gms not found.
File/Folder d:\s not found.

OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 03202009_145043




My computer is still acting up. I keep getting the same virus messages from my antivirus. Plus my computer is always busy (there seems to be an hourglass always beside my mouse).

Re: Infected with Virtob, please help
Does your AV say where this virus is located?
Let's go even deeper.


  • Download combofix from here
    Link 1
    Link 2
  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV. (avast!)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    [image: Rcauto10]

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

    [image: Whatne10]

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Re: Infected with Virtob, please help
My antivirus does show where the virus is found.

Here is a log of what my AV found in the past two days, when the virus started breaking out on my computer:
3/19/2009 10:32:15 PM SYSTEM 1328 Sign of "Win32:Bifrose-CKD [Trj]" has been found in "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OHZAYNQA\cnt[1].exe\[Armadillo]" file.
3/19/2009 10:39:01 PM SYSTEM 1328 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Jimmy.VALUED-20606295\Local Settings\Application Data\Mozilla\Firefox\Profiles\skwmol9v.default\urlclassifier3.sqlite (C:\Documents and Settings\Jimmy.VALUED-20606295\Local Settings\Application Data\Mozilla\Firefox\Profiles\skwmol9v.default\urlclassifier3.sqlite) returning error, 0000001E.
3/19/2009 10:39:07 PM SYSTEM 1328 Sign of "Win32:Bifrose-CKD [Trj]" has been found in "C:\WINDOWS\system32\18.scr\[Armadillo]" file.
3/19/2009 10:40:15 PM SYSTEM 1328 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\S7EZ4D8Z\unc[1].exe" file.
3/19/2009 10:55:46 PM SYSTEM 1352 Sign of "Win32:Virtob" has been found in "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\UMDZYNR0\x[1]" file.
3/19/2009 11:00:45 PM SYSTEM 1352 Sign of "Win32:Virtob" has been found in "C:\WINDOWS\system32\x.exe" file.
3/19/2009 11:02:13 PM SYSTEM 1352 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Jimmy.VALUED-20606295\Local Settings\Application Data\Mozilla\Firefox\Profiles\skwmol9v.default\urlclassifier3.sqlite (C:\Documents and Settings\Jimmy.VALUED-20606295\Local Settings\Application Data\Mozilla\Firefox\Profiles\skwmol9v.default\urlclassifier3.sqlite) returning error, 0000001E.
3/19/2009 11:02:57 PM SYSTEM 1352 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Jimmy.VALUED-20606295\Local Settings\Application Data\Mozilla\Firefox\Profiles\skwmol9v.default\urlclassifier3.sqlite (C:\Documents and Settings\Jimmy.VALUED-20606295\Local Settings\Application Data\Mozilla\Firefox\Profiles\skwmol9v.default\urlclassifier3.sqlite) returning error, 0000001E.
3/19/2009 11:04:55 PM SYSTEM 1352 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Jimmy.VALUED-20606295\Local Settings\Application Data\Mozilla\Firefox\Profiles\skwmol9v.default\urlclassifier3.sqlite (C:\Documents and Settings\Jimmy.VALUED-20606295\Local Settings\Application Data\Mozilla\Firefox\Profiles\skwmol9v.default\urlclassifier3.sqlite) returning error, 0000001E.
3/19/2009 11:21:28 PM SYSTEM 1316 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\UMDZYNR0\x[3]" file.
3/19/2009 11:21:43 PM SYSTEM 1316 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\x.exe" file.
3/20/2009 1:15:11 AM SYSTEM 1316 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2D6D0P0N\unc[1].exe" file.
3/20/2009 1:17:09 AM SYSTEM 1316 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\x.exe" file.
3/20/2009 1:23:58 AM SYSTEM 1316 Sign of "Win32:Virtob" has been found in "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\3HN1G8DN\x[1]" file.
3/20/2009 1:24:07 AM SYSTEM 1316 Sign of "Win32:Virtob" has been found in "C:\WINDOWS\system32\x.exe" file.
3/20/2009 1:24:24 AM SYSTEM 1316 Sign of "Win32:Virtob" has been found in "C:\WINDOWS\System32\x.exe" file.
3/20/2009 1:49:19 AM SYSTEM 1316 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Jimmy.VALUED-20606295\Local Settings\Application Data\Mozilla\Firefox\Profiles\skwmol9v.default\urlclassifier3.sqlite (C:\Documents and Settings\Jimmy.VALUED-20606295\Local Settings\Application Data\Mozilla\Firefox\Profiles\skwmol9v.default\urlclassifier3.sqlite) returning error, 0000001E.
3/20/2009 12:55:38 PM SYSTEM 1452 Sign of "Win32:Virtob" has been found in "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\UMDZYNR0\x[3]" file.
3/20/2009 12:55:59 PM SYSTEM 1452 Sign of "Win32:Virtob" has been found in "C:\WINDOWS\system32\x.exe" file.
3/20/2009 12:56:01 PM SYSTEM 1452 Sign of "Win32:Virtob" has been found in "C:\WINDOWS\System32\x.exe" file.
3/20/2009 2:08:34 PM SYSTEM 1452 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Jimmy.VALUED-20606295\Local Settings\Application Data\Mozilla\Firefox\Profiles\skwmol9v.default\urlclassifier3.sqlite (C:\Documents and Settings\Jimmy.VALUED-20606295\Local Settings\Application Data\Mozilla\Firefox\Profiles\skwmol9v.default\urlclassifier3.sqlite) returning error, 0000001E.

I am about to do the combofix part right now, I'll post it up right after it finishes
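What the avast log above shows when the detection lines are parsed rather than read one by one. This is an added example, not code from the thread or from avast: it parses the avast! 4 log line format and groups the detections so that two patterns stand out. First, the same file, system32\x.exe, is detected again and again, which means something still running keeps re-dropping it after avast removes it, so on-access scanning alone will never finish the job. Second, each drop into system32 is preceded by a hit in the NetworkService account's Temporary Internet Files cache, which is the WinInet cache used by processes running as NetworkService, so the download was made by a service-context process and not by the logged-on user's browser. The sample lines are copied from the log in the post above; the 600-second pairing window and the field names are my choices.

```python
import re
from collections import Counter
from datetime import datetime

# Sample: lines taken from the avast! 4 log posted above. One AAVM warning is kept
# to show that non-detection lines are skipped.
SAMPLE_AVAST_LOG = r"""
3/19/2009 10:32:15 PM SYSTEM 1328 Sign of "Win32:Bifrose-CKD [Trj]" has been found in "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OHZAYNQA\cnt[1].exe\[Armadillo]" file.
3/19/2009 10:39:01 PM SYSTEM 1328 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Jimmy\Local Settings\Application Data\Mozilla\Firefox\Profiles\skwmol9v.default\urlclassifier3.sqlite returning error, 0000001E.
3/19/2009 10:39:07 PM SYSTEM 1328 Sign of "Win32:Bifrose-CKD [Trj]" has been found in "C:\WINDOWS\system32\18.scr\[Armadillo]" file.
3/19/2009 10:55:46 PM SYSTEM 1352 Sign of "Win32:Virtob" has been found in "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\UMDZYNR0\x[1]" file.
3/19/2009 11:00:45 PM SYSTEM 1352 Sign of "Win32:Virtob" has been found in "C:\WINDOWS\system32\x.exe" file.
3/20/2009 1:23:58 AM SYSTEM 1316 Sign of "Win32:Virtob" has been found in "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\3HN1G8DN\x[1]" file.
3/20/2009 1:24:07 AM SYSTEM 1316 Sign of "Win32:Virtob" has been found in "C:\WINDOWS\system32\x.exe" file.
3/20/2009 12:55:59 PM SYSTEM 1452 Sign of "Win32:Virtob" has been found in "C:\WINDOWS\system32\x.exe" file.
"""

# One avast 4 detection line: date, time, account, a numeric column, signature, path.
DETECTION = re.compile(
    r'^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<user>\S+) (?P<num>\d+) Sign of "(?P<sig>[^"]+)" has been found in '
    r'"(?P<path>[^"]+)" file\.$'
)
PACKER_SUFFIX = re.compile(r"\\\[[^\]]*\]$")      # trailing "\[Armadillo]" and similar
SERVICE_PROFILES = ("\\networkservice\\", "\\localservice\\")


def parse_avast_log(text):
    events = []
    for line in text.splitlines():
        m = DETECTION.match(line.strip())
        if not m:                       # AAVM warnings and other chatter
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M:%S %p")
        path = PACKER_SUFFIX.sub("", m["path"]).lower()
        events.append({"ts": ts, "sig": m["sig"], "path": path, "user": m["user"]})
    return events


def in_service_profile(path):
    return any(marker in path for marker in SERVICE_PROFILES)


def analyze(events, window_seconds=600):
    """Group detections: files hit more than once (re-dropped after removal), hits
    inside a service account's IE cache (service-context download), and cache hit ->
    same-signature drop outside the cache within the window (download-then-drop chain)."""
    by_path = Counter(e["path"] for e in events)
    redropped = {p: n for p, n in by_path.items() if n >= 2}
    service_downloads = [e for e in events if in_service_profile(e["path"])]
    chains = []
    for dl in service_downloads:
        for e in events:
            delta = (e["ts"] - dl["ts"]).total_seconds()
            if (0 < delta <= window_seconds and e["sig"] == dl["sig"]
                    and not in_service_profile(e["path"])):
                chains.append((dl["path"], e["path"], delta))
    return {"redropped": redropped,
            "service_context_downloads": service_downloads,
            "drop_chains": chains}


if __name__ == "__main__":
    report = analyze(parse_avast_log(SAMPLE_AVAST_LOG))
    for path, n in report["redropped"].items():
        print(f"re-dropped {n}x: {path}")
    for src, dst, secs in report["drop_chains"]:
        print(f"service-context download -> {dst} after {secs:.0f}s (from {src})")
```

The useful output is the chain list: every system32 drop is paired with a cache hit a few seconds to a few minutes earlier, which points at a running process with network access that avast is not detecting, exactly the situation the next reply goes after with ComboFix.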

Re: Infected with Virtob, please help
My combofix log:

ComboFix 09-03-19.02 - Jimmy 2009-03-20 15:47:56.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.768.465 [GMT -7:00]
Running from: c:\documents and settings\Jimmy.VALUED-20606295\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090320-0] *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jimmy.VALUED-20606295\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
c:\program files\PS TO USB CONVERTOR\CnsMin5.ico
C:\test.txt
c:\windows\system\svhost.exe
c:\windows\system32\drivers\sysdrv32.sys
c:\windows\system32\pac.txt
c:\windows\system32\SrchSTS.exe
c:\windows\system32\x.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SYSDRV32
-------\Service_sysdrv32


((((((((((((((((((((((((( Files Created from 2009-02-20 to 2009-03-20 )))))))))))))))))))))))))))))))
.

2009-03-20 15:09 . 2009-03-20 15:09 59,904 --a------ c:\windows\system32\55.scr
2009-03-20 14:50 . 2009-03-20 14:50 d-------- C:\_OTMoveIt
2009-03-20 13:00 . 2009-03-20 13:00 d-------- c:\documents and settings\Jimmy.VALUED-20606295\DoctorWeb

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-20 22:50 --------- d-----w c:\program files\PS TO USB CONVERTOR
2009-03-20 05:50 --------- d-----w c:\documents and settings\Jimmy.VALUED-20606295\Application Data\Azureus
2009-03-17 21:04 --------- d-----w c:\documents and settings\Jimmy.VALUED-20606295\Application Data\vlc
2009-01-31 01:51 --------- d-----w c:\program files\Java
2009-01-29 05:54 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-29 05:54 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-29 05:54 --------- d-----w c:\documents and settings\Jimmy.VALUED-20606295\Application Data\InstallShield
2009-01-29 05:54 --------- d-----w c:\documents and settings\All Users\Application Data\InstallShield
2009-01-29 05:05 --------- d-----w c:\program files\Teamspeak2_RC2
2009-01-29 05:05 --------- d-----w c:\documents and settings\Jimmy.VALUED-20606295\Application Data\teamspeak2
2009-01-21 06:08 --------- d-----w c:\program files\LibUSB-Win32-0.1.10.1
2009-01-16 06:56 4 --sh--r c:\documents and settings\All Users\Application Data\sysqcl0.dat
2008-12-18 07:53 604 ---ha-w c:\program files\STLL Notifier
2008-08-18 07:56 784 ----a-w c:\documents and settings\Jimmy.VALUED-20606295\Application Data\mpauth.dat
2008-02-18 20:25 35,184 ----a-w c:\documents and settings\Jimmy.VALUED-20606295\Application Data\GDIPFONTCACHEV1.DAT
2006-10-21 18:38 147,456 ----a-w c:\program files\mozilla firefox\plugins\CDVDiso.dll
2006-01-15 13:38 231,064 ----a-w c:\program files\mozilla firefox\plugins\CDVDisoEFP.dll
2005-05-14 15:04 151,040 ----a-w c:\program files\mozilla firefox\plugins\CDVDisolinuz.dll
2006-01-15 13:38 54,289 ----a-w c:\program files\mozilla firefox\plugins\CDVDlinuz.dll
2005-05-14 15:04 6,656 ----a-w c:\program files\mozilla firefox\plugins\CDVDnull.dll
2005-04-20 08:21 86,016 ----a-w c:\program files\mozilla firefox\plugins\cdvdPeops.dll
2005-05-14 15:04 6,656 ----a-w c:\program files\mozilla firefox\plugins\DEV9null.dll
2005-05-16 08:41 21,732 ----a-w c:\program files\mozilla firefox\plugins\FWnull.dll
2006-03-13 09:34 565,248 ----a-w c:\program files\mozilla firefox\plugins\GSdx9 sse2.dll
2006-03-13 16:33 602,112 ----a-w c:\program files\mozilla firefox\plugins\GSdx9.dll
2006-09-04 00:08 18,944 ----a-w c:\program files\mozilla firefox\plugins\PadSSSPSX.dll
2005-05-14 15:04 372,892 ----a-w c:\program files\mozilla firefox\plugins\PADwin.dll
2006-11-04 09:20 94,208 ----a-w c:\program files\mozilla firefox\plugins\spu2PeopsSound.dll
2005-05-14 15:04 9,728 ----a-w c:\program files\mozilla firefox\plugins\USBnull.dll
2006-11-17 22:06 7,892,992 ----a-w c:\program files\mozilla firefox\plugins\ZeroGS KOSMOS 0.96 non sse2.dll
2006-11-18 14:50 7,892,992 ----a-w c:\program files\mozilla firefox\plugins\ZeroGS KOSMOS 0.96 sse2.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"DAEMON Tools Lite"="d:\program files\DAEMON Tools\daemon.exe" [2008-04-01 486856]
"AlcoholAutomount"="d:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-11-22 203720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"avast!"="d:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"lxdimon.exe"="d:\program files\Lexmark 3500-4500 Series\Lexmark 3500-4500 Series\lxdimon.exe" [2007-07-16 434864]
"lxdiamon"="d:\program files\Lexmark 3500-4500 Series\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-07-16 25264]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-07-16 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-06-24 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 d:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= sonymjpg.dll
"vidc.ffds"= d:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WindowsTelephony]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Lexmark 3500-4500 Series\\Lexmark 3500-4500 Series\\lxdimon.exe"=
"d:\\Program Files\\Alwil Software\\Avast4\\ashAvast.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdijswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxditime.exe"=
"c:\\WINDOWS\\system32\\lxdicoms.exe"=
"d:\\Program Files\\Lexmark 3500-4500 Series\\Lexmark 3500-4500 Series\\lxdiamon.exe"=
"d:\\Program Files\\Lexmark 3500-4500 Series\\Lexmark 3500-4500 Series\\App4R.exe"=
"c:\\WINDOWS\\System32\\55.scr"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-07 114768]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2007-02-27 32256]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-08-06 20560]
R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2002-04-24 175232]
S2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdiserv.exe [2008-03-18 99248]
S2 WindowsTelephony;Windows Telephony;"c:\windows\system\svhost.exe" --> c:\windows\system\svhost.exe [?]
S3 HFXLowerFilter;HFXLowerFilter;c:\windows\system32\drivers\hfx_lfd.sys [2006-06-21 21632]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2007-08-19 33792]
S3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\drivers\LTSM.sys [2002-04-24 807917]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
S3 SMBE;Sony MPEG2 Encoder Board (WDM);c:\windows\system32\drivers\Smbe.sys [2002-04-24 594668]
S3 XDva008;XDva008;\??\c:\windows\System32\XDva008.sys --> c:\windows\System32\XDva008.sys [?]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NBKeyScan - d:\program files\Nero\Nero 8\Nero BackItUp\NBKeyScan.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {ADCC68D4-AAEA-4338-817D-1F261D9FB759} - hxxp://www.dragongemworld.com/Active_X/ENetLauncher.cab
FF - ProfilePath - c:\documents and settings\Jimmy.VALUED-20606295\Application Data\Mozilla\Firefox\Profiles\skwmol9v.default\
FF - plugin: d:\program files\VideoLAN\VLC\npvlc.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-20 15:54:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(580)
d:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
d:\program files\Alwil Software\Avast4\aswUpdSv.exe
d:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxdicoms.exe
d:\program files\Alwil Software\Avast4\ashMaiSv.exe
d:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-20 16:03:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-20 23:01:53

Pre-Run: 6,270,242,816 bytes free
Post-Run: 6,306,021,376 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

Current=2 Default=2 Failed=1 LastKnownGood=5 Sets=1,2,3,4,5

Re: Infected with Virtob, please help
Hello. The log shows more malware, so we have to use Combofix with additional directives.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
WindowsTelephony

File::
c:\windows\system32\55.scr

Folder::
C:\_OTMoveIt
c:\documents and settings\Jimmy.VALUED-20606295\DoctorWeb

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WindowsTelephony]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=-
"UpdatesDisableNotify"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\System32\\55.scr"=-


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
[screenshot: CFScript.txt dragged onto ComboFix]

This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

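As an added example (not part of this thread, of ComboFix or of the helper's CFScript), the Python below reads a constructed excerpt in ComboFix's own line format and flags the weakened settings the script above reverts: Security Center notifications switched off, the firewall disabled, the .scr screensaver added to the firewall exception list, and an auto-start service whose image name is one character off svchost.exe. The finding labels and the SYSTEM_PROCESS_NAMES list are my own assumptions.

```python
"""Flag the security-weakening indicators a ComboFix log exposes (added example
for this thread, not part of ComboFix or the helper's CFScript). The sample is a
constructed excerpt modelled on the Reg Loading Points and service lines above."""
import re

# Constructed sample: ComboFix's line formats, content modelled on the posted log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\System32\\55.scr"=

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-08-06 20560]
S2 WindowsTelephony;Windows Telephony;"c:\windows\system\svhost.exe" --> c:\windows\system\svhost.exe [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
"""

# Core Windows process names that droppers imitate with a one-character change (assumed list).
SYSTEM_PROCESS_NAMES = ("svchost.exe", "lsass.exe", "services.exe", "winlogon.exe")
SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")  # type name;display;image [stamp]


def one_edit_away(a, b):
    """True when a and b differ by exactly one insertion, deletion or substitution."""
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    shorter, longer = sorted((a, b), key=len)
    return len(longer) - len(shorter) == 1 and any(
        longer[:k] + longer[k + 1:] == shorter for k in range(len(longer)))


def analyze(log_text):
    """Return (finding, detail) pairs in log order: settings to revert or services to inspect."""
    findings, key = [], None
    for line in (raw.strip() for raw in log_text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name, value = m.group(1), m.group(2).strip()
            if key.endswith("security center") and name.lower().endswith("disablenotify") and value.endswith("1"):
                findings.append(("security-center-notify-off", name))  # Security Center warnings silenced
            elif key.endswith("standardprofile") and name == "EnableFirewall" and value.startswith("0"):
                findings.append(("firewall-disabled", name))
            elif key.endswith("authorizedapplications\\list"):
                path = name.replace("\\\\", "\\").lower()  # REGEDIT4 export doubles backslashes
                if path.endswith(".scr") and "\\system32\\" in path:
                    findings.append(("firewall-exception-scr", path))  # a screensaver needs no inbound port
            continue
        m = SERVICE_RE.match(line)
        if m:
            svc, rest = m.group(2), m.group(4)
            image = re.sub(r"\s*\[[^\]]*\]$", "", rest.split(" --> ")[-1]).strip().strip('"')
            basename = image.split("\\")[-1].lower()
            if rest.rstrip().endswith("[?]"):
                findings.append(("service-image-unverified", svc))  # no date/size stamp: look at the file
            for legit in SYSTEM_PROCESS_NAMES:
                if one_edit_away(basename, legit):
                    findings.append(("service-lookalike-name", f"{svc} -> {basename} (~{legit})"))
    return findings


if __name__ == "__main__":
    print(*analyze(SAMPLE_LOG), sep="\n")
```

Each finding maps onto one line of the CFScript above: the Registry:: block removes the two notify values and the 55.scr exception and sets EnableFirewall back to 1, while Driver:: and File:: remove the WindowsTelephony service and its images.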
Re: Infected with Virtob, please help
Thanks for the help. Here is my new ComboFix log:

ComboFix 09-03-19.02 - Jimmy 2009-03-20 16:27:43.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.768.454 [GMT -7:00]
Running from: c:\documents and settings\Jimmy.VALUED-20606295\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jimmy.VALUED-20606295\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090320-0] *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\55.scr
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\_OTMoveIt
c:\_otmoveit\MovedFiles\03202009_145043.log
c:\_otmoveit\MovedFiles\03202009_145043.res
c:\documents and settings\Jimmy.VALUED-20606295\DoctorWeb
c:\documents and settings\Jimmy.VALUED-20606295\DoctorWeb\CureIt.log
c:\windows\system\svhost.exe
c:\windows\system32\55.scr

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINDOWSTELEPHONY
-------\Service_WindowsTelephony


((((((((((((((((((((((((( Files Created from 2009-02-20 to 2009-03-20 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-20 22:50 --------- d-----w c:\program files\PS TO USB CONVERTOR
2009-03-20 05:50 --------- d-----w c:\documents and settings\Jimmy.VALUED-20606295\Application Data\Azureus
2009-03-17 21:04 --------- d-----w c:\documents and settings\Jimmy.VALUED-20606295\Application Data\vlc
2009-01-31 01:51 --------- d-----w c:\program files\Java
2009-01-29 05:54 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-29 05:54 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-29 05:54 --------- d-----w c:\documents and settings\Jimmy.VALUED-20606295\Application Data\InstallShield
2009-01-29 05:54 --------- d-----w c:\documents and settings\All Users\Application Data\InstallShield
2009-01-29 05:05 --------- d-----w c:\program files\Teamspeak2_RC2
2009-01-29 05:05 --------- d-----w c:\documents and settings\Jimmy.VALUED-20606295\Application Data\teamspeak2
2009-01-21 06:08 --------- d-----w c:\program files\LibUSB-Win32-0.1.10.1
2009-01-16 06:56 4 --sh--r c:\documents and settings\All Users\Application Data\sysqcl0.dat
2008-12-18 07:53 604 ---ha-w c:\program files\STLL Notifier
2008-08-18 07:56 784 ----a-w c:\documents and settings\Jimmy.VALUED-20606295\Application Data\mpauth.dat
2008-02-18 20:25 35,184 ----a-w c:\documents and settings\Jimmy.VALUED-20606295\Application Data\GDIPFONTCACHEV1.DAT
2006-10-21 18:38 147,456 ----a-w c:\program files\mozilla firefox\plugins\CDVDiso.dll
2006-01-15 13:38 231,064 ----a-w c:\program files\mozilla firefox\plugins\CDVDisoEFP.dll
2005-05-14 15:04 151,040 ----a-w c:\program files\mozilla firefox\plugins\CDVDisolinuz.dll
2006-01-15 13:38 54,289 ----a-w c:\program files\mozilla firefox\plugins\CDVDlinuz.dll
2005-05-14 15:04 6,656 ----a-w c:\program files\mozilla firefox\plugins\CDVDnull.dll
2005-04-20 08:21 86,016 ----a-w c:\program files\mozilla firefox\plugins\cdvdPeops.dll
2005-05-14 15:04 6,656 ----a-w c:\program files\mozilla firefox\plugins\DEV9null.dll
2005-05-16 08:41 21,732 ----a-w c:\program files\mozilla firefox\plugins\FWnull.dll
2006-03-13 09:34 565,248 ----a-w c:\program files\mozilla firefox\plugins\GSdx9 sse2.dll
2006-03-13 16:33 602,112 ----a-w c:\program files\mozilla firefox\plugins\GSdx9.dll
2006-09-04 00:08 18,944 ----a-w c:\program files\mozilla firefox\plugins\PadSSSPSX.dll
2005-05-14 15:04 372,892 ----a-w c:\program files\mozilla firefox\plugins\PADwin.dll
2006-11-04 09:20 94,208 ----a-w c:\program files\mozilla firefox\plugins\spu2PeopsSound.dll
2005-05-14 15:04 9,728 ----a-w c:\program files\mozilla firefox\plugins\USBnull.dll
2006-11-17 22:06 7,892,992 ----a-w c:\program files\mozilla firefox\plugins\ZeroGS KOSMOS 0.96 non sse2.dll
2006-11-18 14:50 7,892,992 ----a-w c:\program files\mozilla firefox\plugins\ZeroGS KOSMOS 0.96 sse2.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-03-20_15.59.32.71 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-20 23:31:57 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_52c.dat
+ 2009-03-20 23:32:09 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"DAEMON Tools Lite"="d:\program files\DAEMON Tools\daemon.exe" [2008-04-01 486856]
"AlcoholAutomount"="d:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-11-22 203720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"avast!"="d:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"lxdimon.exe"="d:\program files\Lexmark 3500-4500 Series\Lexmark 3500-4500 Series\lxdimon.exe" [2007-07-16 434864]
"lxdiamon"="d:\program files\Lexmark 3500-4500 Series\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-07-16 25264]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-07-16 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-06-24 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 d:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= sonymjpg.dll
"vidc.ffds"= d:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Lexmark 3500-4500 Series\\Lexmark 3500-4500 Series\\lxdimon.exe"=
"d:\\Program Files\\Alwil Software\\Avast4\\ashAvast.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdijswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxditime.exe"=
"c:\\WINDOWS\\system32\\lxdicoms.exe"=
"d:\\Program Files\\Lexmark 3500-4500 Series\\Lexmark 3500-4500 Series\\lxdiamon.exe"=
"d:\\Program Files\\Lexmark 3500-4500 Series\\Lexmark 3500-4500 Series\\App4R.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-07 114768]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2007-02-27 32256]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-08-06 20560]
R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2002-04-24 175232]
S2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdiserv.exe [2008-03-18 99248]
S3 HFXLowerFilter;HFXLowerFilter;c:\windows\system32\drivers\hfx_lfd.sys [2006-06-21 21632]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2007-08-19 33792]
S3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\drivers\LTSM.sys [2002-04-24 807917]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
S3 SMBE;Sony MPEG2 Encoder Board (WDM);c:\windows\system32\drivers\Smbe.sys [2002-04-24 594668]
S3 XDva008;XDva008;\??\c:\windows\System32\XDva008.sys --> c:\windows\System32\XDva008.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {ADCC68D4-AAEA-4338-817D-1F261D9FB759} - hxxp://www.dragongemworld.com/Active_X/ENetLauncher.cab
FF - ProfilePath - c:\documents and settings\Jimmy.VALUED-20606295\Application Data\Mozilla\Firefox\Profiles\skwmol9v.default\
FF - plugin: d:\program files\VideoLAN\VLC\npvlc.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-20 16:33:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(588)
d:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
d:\program files\Alwil Software\Avast4\aswUpdSv.exe
d:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxdicoms.exe
c:\windows\system32\wscntfy.exe
d:\program files\Alwil Software\Avast4\ashMaiSv.exe
d:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-03-20 16:41:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-20 23:40:12
ComboFix2.txt 2009-03-20 23:03:15

Pre-Run: 6,294,315,008 bytes free
Post-Run: 6,283,218,944 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=5 Sets=1,2,3,4,5

Re: Infected with Virtob, please help
Hello.
How is the machine now?


Re: Infected with Virtob, please help
I haven't had a virus alert in 2 hours, so the computer seems to be better. Thanks for helping.

Re: Infected with Virtob, please help
Hello.
Glad to hear it.

Click Start > Run, copy/paste the following text into the Run box and click OK:

ComboFix /u

[screenshot: ComboFix cleanup]

This will also reset your restore points.
Please enable avast! now.
