Download and run Winsockfix from here http://www.softpedia.com/get/Tweak/N...nSockFix.shtml

==

Can you please do the following.

===============

Scan with HijackThis and then place a check next to all the following, if present:


O3 - Toolbar: (no name) - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - (no file)

O9 - Extra button: Microsoft AntiSpyware helper - {03CBA32B-A8D1-47B2-8C23-683AEAC7D6A3} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {03CBA32B-A8D1-47B2-8C23-683AEAC7D6A3} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {254B281D-743D-403B-9A15-BFD736E45AD6} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {254B281D-743D-403B-9A15-BFD736E45AD6} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {4343580D-A149-4C3F-8D99-8DB1CB8E896B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4343580D-A149-4C3F-8D99-8DB1CB8E896B} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {56D0B23C-7C93-47E8-BAC9-1810C6F0FF50} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {56D0B23C-7C93-47E8-BAC9-1810C6F0FF50} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {90CC3EF6-D6ED-4534-A338-4C4296824DCC} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {90CC3EF6-D6ED-4534-A338-4C4296824DCC} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {B4A70ABC-DE25-447E-B18D-F58AD9A32CCF} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B4A70ABC-DE25-447E-B18D-F58AD9A32CCF} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {DD7E33A6-5385-443F-8E7B-0B96F472EFCD} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DD7E33A6-5385-443F-8E7B-0B96F472EFCD} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {DEEE085F-4080-4195-B99F-C83C2BBC8CED} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DEEE085F-4080-4195-B99F-C83C2BBC8CED} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {E6EB790C-5B9E-4AD1-89F7-12EEBC1AA8BB} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E6EB790C-5B9E-4AD1-89F7-12EEBC1AA8BB} - (no file) (HKCU)

O15 - Trusted Zone: *.musicmatch.com (HKLM)

O20 - AppInit_DLLs: murka.dat

O23 - Service: a2free - Unknown owner - C:\WINDOWS\TEMP\147662.exe (file missing)
O23 - Service: CCALib8 - Unknown owner - C:\WINDOWS\TEMP\426172.exe (file missing)
O23 - Service: ccEvtMgr - Unknown owner - C:\WINDOWS\TEMP\355511.exe (file missing)
O23 - Service: WZCSVC - Unknown owner - C:\WINDOWS\TEMP\147662.exe (file missing)


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Reboot.

===============

After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.

Well I was on the phone with dell for like an hour and they helped me get the internet back up except what I see now was that it randomly released its IP just like if I went into command prompt and typed in ipconfig /release also I cant just type in ipconfig /renew to fix it, I tried . So then I ran the WinSock program because these internet problems and once I reset it it did it again but resetting the computer once it happens gives me the internet back for a bit. So with this I have internet for 3,5,10 minutes something like that and then it stops working but now heres my hijackthis log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:43:58 PM, on 1/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\TEMP\134503.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://body1.spfldcol.edu/dwa7W.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: AppMgmt - Unknown owner - C:\WINDOWS\TEMP\134503.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CiSvc - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: dmserver - Unknown owner - C:\WINDOWS\TEMP\144177.exe (file missing)
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: HTTPFilter - Unknown owner - C:\WINDOWS\TEMP\183173.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe (file missing)
O23 - Service: NetSvc - Unknown owner - C:\Program Files\Intel\NCS\Sync\NetSvc.exe (file missing)
O23 - Service: RDSessMgr - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: RegSrvc - Unknown owner - C:\WINDOWS\system32\RegSrvc.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\WINDOWS\system32\locator.exe (file missing)
O23 - Service: RSVP - Unknown owner - C:\WINDOWS\system32\rsvp.exe (file missing)
O23 - Service: S24EventMonitor - Unknown owner - C:\WINDOWS\system32\S24EvMon.exe (file missing)
O23 - Service: Smart Card Helper (SCardDrv) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Spooler - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: sp_rssrv - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: VSS - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WmiApSrv - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 5794 bytes


This line in hijack this

F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\ntos.exe,

The ntos.exe spybot is telling my its a part of the virus and I looked it up and someone says remove the entery but I dont want to go without approval from you. Oh and also I've heard bad happening once they deleted it so I dont think that will help us out :/ also, just me skimming through this log could the line

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

Be doing something with the internet?


Sorry for typos no time to fix em internet will die on me :/

(So I edited it and once again it died on me before I could post it so time to restart :/ )

That LSP is legit.

Download
SDFix
and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the
following :

• Restart your computer
• After hearing your computer beep once during startup, but before the
  Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, a menu with options should appear;
• Select the first option, to run Windows in Safe Mode, then press "Enter".
• Choose your usual account.

• In Safe Mode, right click the SDFix.zip folder and choose Extract
  All,
• Open the extracted folder and double click RunThis.bat to
  start the script.
• Type Y to begin the script.
• It will remove the Trojan Services then make some repairs to the
  registry and prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• Your system will take longer that normal to restart as the fixtool
  will be running and removing files.
• When the desktop loads the Fixtool will complete the removal and
  display Finished, then press any key to end the script and load
  your desktop icons.
• Finally open the SDFix folder on your desktop and copy and paste the
  contents of the results file Report.txt back onto the forum with
  a new HijackThis log

Hehe Thanks for specifically telling me how to boot in safe mode But I already know how to do that (not trying to be rude) never know might be aiding someone and they might so I guess its kind of nessassary to put it up as well Ok I ran SDfix earlier last week it did alot more last time than this time so heres the SDfix log


SDFix: Version 1.122

Run by Ed on Thu 01/03/2008 at 05:18 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
smtpdrv

Path:
System32\DRIVERS\smtpdrv.sys

smtpdrv - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\2.TMP - Deleted
C:\3.TMP - Deleted
C:\5.TMP - Deleted
C:\6.TMP - Deleted
C:\7.TMP - Deleted
C:\WINDOWS\system32\7_exception.nls - Deleted
C:\WINDOWS\system32\drivers\smtpdrv.sys - Deleted
C:\WINDOWS\system32\ntos.exe - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted
C:\WINDOWS\system32\wsnpoem\video.dll - Deleted




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 17:22:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wqd29]
"Type"=dword:00000001
"Tag"=dword:00000006
"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0Symantec Core Services\0Symantec Services\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0MS Transactions\0"
"ErrorControl"=dword:00000001
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Wqd29]
"Type"=dword:00000001
"Tag"=dword:00000006
"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0Symantec Core Services\0Symantec Services\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0MS Transactions\0"
"ErrorControl"=dword:00000001
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Wqd29]
"Type"=dword:00000001
"Tag"=dword:00000006
"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0Symantec Core Services\0Symantec Services\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0MS Transactions\0"
"ErrorControl"=dword:00000001
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Wqd29]
"Type"=dword:00000001
"Tag"=dword:00000006
"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0Symantec Core Services\0Symantec Services\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0MS Transactions\0"
"ErrorControl"=dword:00000001
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\Wqd29]
"Type"=dword:00000001
"Tag"=dword:00000006
"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0Symantec Core Services\0Symantec Services\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0MS Transactions\0"
"ErrorControl"=dword:00000001
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\Wqd29]
"Type"=dword:00000001
"Tag"=dword:00000006
"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0Symantec Core Services\0Symantec Services\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0MS Transactions\0"
"ErrorControl"=dword:00000001
"Start"=dword:00000000

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\SYSTEM32\DRIVERS\Wqd29.sys 142848 bytes executable
C:\WINDOWS\LastGood
C:\WINDOWS\LastGood\INF
C:\WINDOWS\LastGood\INF\oem24.inf 0 bytes
C:\WINDOWS\LastGood\INF\oem24.PNF 0 bytes

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 5


Remaining Services:
------------------

smtpdrv


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:Enabled:AOL Instant Messenger"
"C:\\Program Files\\EMCO Malware Destroyer\\MalwareDestroyer.exe"="C:\\Program Files\\EMCO Malware Destroyer\\MalwareDestroyer.exe:Enabled:Malware Scanner for Home User's"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:Enabled:Internet Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:enabledxpsp2res.dll,-22019"

Remaining Files:
---------------
C:\3.TMP Found
C:\5.TMP Found
C:\6.TMP Found
C:\7.TMP Found
C:\WINDOWS\system32\7_exception.nls Found
C:\WINDOWS\system32\drivers\smtpdrv.sys Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Tue 21 Dec 2004 0 ..SHR --- "C:\mssys.com"
Tue 21 Dec 2004 0 A.SHR --- "C:\Program Files\q330994.exe"
Tue 21 Dec 2004 0 A.SHR --- "C:\WINDOWS\cvchost.exe"
Tue 21 Dec 2004 0 A.SHR --- "C:\WINDOWS\dl.exe"
Tue 21 Dec 2004 0 A.SHR --- "C:\WINDOWS\dlm.exe"
Tue 21 Dec 2004 0 A.SHR --- "C:\WINDOWS\msstasks.exe"
Tue 21 Dec 2004 0 A.SHR --- "C:\WINDOWS\mssys.com"
Tue 21 Dec 2004 0 A.SHR --- "C:\WINDOWS\mstasks1.exe"
Tue 21 Dec 2004 0 A.SHR --- "C:\WINDOWS\mstaskss.exe"
Tue 21 Dec 2004 0 A.SHR --- "C:\WINDOWS\msxmidi.exe"
Tue 21 Dec 2004 0 A.SHR --- "C:\WINDOWS\ntldr.exe"
Tue 21 Dec 2004 0 A.SHR --- "C:\WINDOWS\rocky.exe"
Tue 21 Dec 2004 0 A.SHR --- "C:\WINDOWS\seksdialer.exe"
Tue 28 Feb 2006 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Tue 28 Feb 2006 4,639 A.SH. --- "C:\Program Files\Windows Media Player\mplayer2.exe"
Tue 28 Feb 2006 73,728 A.SH. --- "C:\Program Files\Windows Media Player\wmplayer.exe"
Tue 21 Dec 2004 0 A.SHR --- "C:\WINDOWS\SYSTEM\wmscrop.exe"
Sun 23 Sep 2007 29,184 ...H. --- "C:\Documents and Settings\Ed\Desktop\~WRL0711.tmp"
Fri 21 Sep 2007 29,184 ...H. --- "C:\Documents and Settings\Ed\Desktop\~WRL0841.tmp"
Sun 23 Sep 2007 30,208 ...H. --- "C:\Documents and Settings\Ed\Desktop\~WRL0943.tmp"
Sun 23 Sep 2007 30,208 ...H. --- "C:\Documents and Settings\Ed\Desktop\~WRL0948.tmp"
Sun 23 Sep 2007 30,208 ...H. --- "C:\Documents and Settings\Ed\Desktop\~WRL1098.tmp"
Sun 23 Sep 2007 29,184 ...H. --- "C:\Documents and Settings\Ed\Desktop\~WRL2467.tmp"
Sun 23 Sep 2007 30,208 ...H. --- "C:\Documents and Settings\Ed\Desktop\~WRL2494.tmp"
Sun 23 Sep 2007 29,696 ...H. --- "C:\Documents and Settings\Ed\Desktop\~WRL2580.tmp"
Sun 23 Sep 2007 30,208 ...H. --- "C:\Documents and Settings\Ed\Desktop\~WRL3211.tmp"
Sun 23 Sep 2007 30,208 ...H. --- "C:\Documents and Settings\Ed\Desktop\~WRL3979.tmp"
Thu 3 Jan 2008 597,232 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\021bbe9f2a0e31da1414f03ea6d62389\BIT4.tmp"
Wed 2 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0c114cf5b19927cfea8b29c83de1ed86\BITD.tmp"
Wed 2 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2abaeb659824de5967ddf7181c6befdb\BITC.tmp"
Wed 2 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\33831624a2e810dc854ea2f820d0dd53\BIT9.tmp"
Wed 2 Jan 2008 797,088 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\379c3e87f4016899bd06cdf1184d31ce\BITE.tmp"
Thu 3 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\393673217fc83f2b990ca70aa98f1df8\BIT8.tmp"
Wed 2 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\40a830826de015286a7a5523023b1e09\BIT13.tmp"
Wed 2 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\458b0ddf827cd2ca02539e5a3b1a3d3c\BITF.tmp"
Thu 3 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\526e15b6e1b5300357490c8089b5f84e\BIT12.tmp"
Wed 2 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\6c0455d67216e75859cc27e7120ab0d1\BITA.tmp"
Sun 5 Aug 2007 4,073,736 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\9e8f057b37182e58e794b70ef39a992c\BIT50E.tmp"
Wed 2 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a0d1667f129d439fad31a81898b17830\BITB.tmp"
Wed 2 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ac396c0c2d53942a12157d0ad3c4135a\BIT14.tmp"
Mon 31 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d378d94379aa314a2f8a03df7faef1bc\BIT4.tmp"
Wed 2 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d8816d09f86abbe0c321ddc90d5c0948\BIT7.tmp"
Wed 2 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\dcfb65ff18fcfdf3d0086d241818e7bc\BIT11.tmp"
Tue 14 Aug 2007 7,649,240 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\deb995e7b7d2953ec6904bd5047bd45f\BIT8.tmp"
Wed 28 Mar 2007 55,296 ...H. --- "C:\Documents and Settings\Ed\Application Data\Microsoft\Word\~WRL1465.tmp"
Tue 8 Oct 2002 106,496 A..H. --- "C:\Program Files\Common Files\aolshare\shell\us\shellext.dll"
Sun 5 Aug 2007 308,618 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\8ae7c447040239d7d5b8bbc96b906af0\download\BIT51B.tmp"
Sun 5 Aug 2007 246,738 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\90c5d2ebf41ce8d405eb458cc79a1965\download\BIT521.tmp"
Tue 21 Dec 2004 0 A.SHR --- "C:\Program Files\EMCO Malware Destroyer\Quarantine\EDWARD\NMC.DOWNLOADER.V\Files\Y.exe"
Tue 21 Dec 2004 0 A.SHR --- "C:\Program Files\EMCO Malware Destroyer\Quarantine\EDWARD\NMC.DUCKY\Files\y.exe"
Tue 21 Dec 2004 0 A.SHR --- "C:\Program Files\EMCO Malware Destroyer\Quarantine\EDWARD\NMC.SSDX\Files\MSDOS.exe"
Tue 21 Dec 2004 0 A.SHR --- "C:\Program Files\EMCO Malware Destroyer\Quarantine\EDWARD\NMC.BACKDOOR.BIFROSE\Files\WINDOWS\System.exe"
Tue 21 Dec 2004 0 A.SHR --- "C:\Program Files\EMCO Malware Destroyer\Quarantine\EDWARD\NMC.BACKDOOR.REDKOD\Files\WINDOWS\System.exe"
Tue 21 Dec 2004 0 A.SHR --- "C:\Program Files\EMCO Malware Destroyer\Quarantine\EDWARD\NMC.DOWNLOADER.HARNIG\Files\WINDOWS\mstasks1.exe"
Tue 21 Dec 2004 0 A.SHR --- "C:\Program Files\EMCO Malware Destroyer\Quarantine\EDWARD\NMC.DOWNLOADER.HARNIG\Files\WINDOWS\seksdialer.exe"
Tue 21 Dec 2004 0 A.SHR --- "C:\Program Files\EMCO Malware Destroyer\Quarantine\EDWARD\NMC.DOWNLOADER.HARNIG\Files\WINDOWS\system.exe"
Tue 21 Dec 2004 0 A.SHR --- "C:\Program Files\EMCO Malware Destroyer\Quarantine\EDWARD\NMC.DOWNLOADER.LUNII\Files\WINDOWS\mstasks1.exe"
Tue 21 Dec 2004 0 A.SHR --- "C:\Program Files\EMCO Malware Destroyer\Quarantine\EDWARD\NMC.EASYSEARCH\Files\WINDOWS\wininet32.exe"
Tue 21 Dec 2004 0 A.SHR --- "C:\Program Files\EMCO Malware Destroyer\Quarantine\EDWARD\NMC.HARNIG\Files\WINDOWS\dl.exe"
Tue 21 Dec 2004 0 A.SHR --- "C:\Program Files\EMCO Malware Destroyer\Quarantine\EDWARD\NMC.HARNIG\Files\WINDOWS\dlm.exe"
Tue 21 Dec 2004 0 A.SHR --- "C:\Program Files\EMCO Malware Destroyer\Quarantine\EDWARD\NMC.RUNWIN32\Files\WINDOWS\wininet32.exe"
Tue 21 Dec 2004 0 A.SHR --- "C:\Program Files\EMCO Malware Destroyer\Quarantine\EDWARD\NMC.STARTPA.CQ\Files\WINDOWS\System32\msxslab.dll"

Finished!


Ntos and that wsnpoem is part of a virus/torjan spybot picks up that I cant rid of. Ok hijackthis log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:01 PM, on 1/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://body1.spfldcol.edu/dwa7W.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\WINDOWS\TEMP\157967.exe (file missing)
O23 - Service: CiSvc - Unknown owner - C:\WINDOWS\TEMP\149675.exe (file missing)
O23 - Service: COMSysApp - Unknown owner - C:\WINDOWS\TEMP\158557.exe (file missing)
O23 - Service: dmserver - Unknown owner - C:\WINDOWS\TEMP\137738.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: HTTPFilter - Unknown owner - C:\WINDOWS\TEMP\183173.exe (file missing)
O23 - Service: lanmanserver - Unknown owner - C:\WINDOWS\TEMP\130377.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe (file missing)
O23 - Service: NetSvc - Unknown owner - C:\WINDOWS\TEMP\134503.exe (file missing)
O23 - Service: RDSessMgr - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: RegSrvc - Unknown owner - C:\WINDOWS\system32\RegSrvc.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\WINDOWS\system32\locator.exe (file missing)
O23 - Service: RSVP - Unknown owner - C:\WINDOWS\system32\rsvp.exe (file missing)
O23 - Service: S24EventMonitor - Unknown owner - C:\WINDOWS\system32\S24EvMon.exe (file missing)
O23 - Service: Smart Card Helper (SCardDrv) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Spooler - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: sp_rssrv - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: VSS - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WmiApSrv - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 5578 bytes


Again sorry for typos dont want to get into fixing them just to be kicked off the internet ill tell whats happening with that because it hasnt kicked the Ip off.

Please go to Jotti's or to virustotal and have these files scanned. Post the results back here.

C:\WINDOWS\SYSTEM32\DRIVERS\Wqd29.sys
C:\mssys.com
C:\Program Files\q330994.exe
C:\WINDOWS\cvchost.exe
C:\WINDOWS\dl.exe
C:\WINDOWS\dlm.exe
C:\WINDOWS\msstasks.exe
C:\WINDOWS\mssys.com
C:\WINDOWS\mstasks1.exe
C:\WINDOWS\mstaskss.exe
C:\WINDOWS\msxmidi.exe
C:\WINDOWS\ntldr.exe
C:\WINDOWS\rocky.exe
C:\WINDOWS\seksdialer.exe

========

• Save it to your Desktop
• Physically disconnect from the internet.
• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields)
• Click on your START button and choose Run. Then copy/paste the entire content of the following quotebox (Including the "" marks and the Symbols) into the run box.
  
  
  Quote ...

  "%userprofile%\desktop\ComboFix.exe" /KillAll

  
  
  http://i5.photobucket.com/albums/y15...ox_KillAll.jpg
  
  
• Click OK and this will start ComboFix.
• When finished, it will produce a log. Please save that log to a Notepad File and include it in your next reply along with a fresh HJT log.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

* Re-enable all the programs that were disabled prior to the running of ComboFix.

* Post the following logs/Reports:

• ComboFix.txt
• Fresh HijackThis log run after all the other tools have performed their cleanup.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Ok, first Part of that you asked for.

C:\WINDOWS\SYSTEM32\DRIVERS\Wqd29.sys
Scan taken on 04 Jan 2008 20:32:59 (GMT)
A-Squared Found nothing
AntiVir Found RKIT/Agent.SC.1
ArcaVir Found Trojan.Rootkit.Agent.Sc
Avast Found nothing
AVG Antivirus Found BackDoor.Generic9.JSS
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found Rootkit.W32.Agent.sc
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Rootkit.Win32.Agent.sc
Fortinet Found W32/Agent.SC!tr.rkit
Ikarus Found Rootkit.Win32.Agent.ea
Kaspersky Anti-Virus Found Rootkit.Win32.Agent.sc
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found Rootkit/Agent.HOT
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found Rootkit.Win32.Agent.sc

The rest said this so i presume that the files do not exist

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

Ok now Il'l do that next part I just thought it might be more organised in 2 posts.

Ok, next part here is the ComboFix log seems pretty long Have fun with that.


ComboFix 08-01-04.1 - Ed 2008-01-04 16:04:08.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.151 [GMT -5:00]
Running from: C:\Documents and Settings\Ed\desktop\ComboFix.exe
Command switches used :: /KillAll
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Ed\Local Settings\Application Data.\n.ini
C:\Documents and Settings\Ed\Local Settings\Application Data\n.ini
C:\WINDOWS\bundles
C:\WINDOWS\bundles\AdSmartMedia_bundle.exe
C:\WINDOWS\bundles\adv0ltc0m.exe
C:\WINDOWS\bundles\ast_5_adsav.exe
C:\WINDOWS\bundles\Beryllium.exe
C:\WINDOWS\bundles\bruzmoh.exe
C:\WINDOWS\bundles\bs5-goodyr1.exe
C:\WINDOWS\bundles\bs5-tsrkqn.exe
C:\WINDOWS\bundles\Century.exe
C:\WINDOWS\bundles\cxt_big.exe
C:\WINDOWS\bundles\Decade.exe
C:\WINDOWS\bundles\desktrf-162813.exe
C:\WINDOWS\bundles\icmedia2_56.exe
C:\WINDOWS\bundles\ICMMedia_1cmm3d1a.exe
C:\WINDOWS\bundles\iehost.exe
C:\WINDOWS\bundles\InvestorIntelligenceInstallWeb.exe
C:\WINDOWS\bundles\optimizejames.exe
C:\WINDOWS\bundles\runsearch.exe
C:\WINDOWS\bundles\sahagent-dectest1001.exe
C:\WINDOWS\bundles\sahagent-seedcorn1002.exe
C:\WINDOWS\bundles\setup_silent_26221.exe
C:\WINDOWS\bundles\stlb2_seed.exe
C:\WINDOWS\bundles\TrafficSpec8.exe
C:\WINDOWS\bundles\Verti1.exe
C:\WINDOWS\bundles\winversion.exe
C:\WINDOWS\PerfInfo
C:\WINDOWS\system32\7_exception.nls
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\drivers\smtpdrv.sys
C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\system32\drivers\Uae48.sys
C:\WINDOWS\system32\drivers\WQD29.sys
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\audio.dl_
C:\WINDOWS\system32\wsnpoem\video.dl_

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_RUNTIME
-------\LEGACY_SMTPDRV
-------\LEGACY_UAE48
-------\LEGACY_WQD29
-------\smtpdrv
-------\Uae48


((((((((((((((((((((((((( Files Created from 2007-12-04 to 2008-01-04 )))))))))))))))))))))))))))))))
.

2008-01-04 16:02 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 15:28 . 2008-01-04 15:28 2 --a------ C:\B.tmp
2008-01-04 15:28 . 2008-01-04 15:28 0 --a------ C:\C.tmp
2008-01-04 15:28 . 2008-01-04 15:28 0 --a------ C:\A.tmp
2008-01-04 15:28 . 2008-01-04 15:28 0 --a------ C:\9.tmp
2008-01-04 15:28 . 2008-01-04 15:28 0 --a------ C:\2.tmp
2008-01-03 17:23 . 2008-01-03 17:23 2 --a------ C:\5.tmp
2008-01-03 17:23 . 2008-01-03 17:23 0 --a------ C:\8.tmp
2008-01-03 17:23 . 2008-01-03 17:23 0 --a------ C:\7.tmp
2008-01-03 17:23 . 2008-01-03 17:23 0 --a------ C:\6.tmp
2008-01-03 17:23 . 2008-01-03 17:23 0 --a------ C:\3.tmp
2008-01-02 16:43 . 2008-01-02 16:43 42,496 --a------ C:\4.tmp
2008-01-02 16:32 . 2008-01-02 16:32 42,496 --a------ C:\1.tmp
2008-01-02 16:03 . 2008-01-02 16:04 <DIR> d-------- C:\ERDNT
2007-12-31 16:31 . 2007-12-31 16:31 45,056 --a------ C:\WINDOWS\NCUNINST.EXE
2007-12-31 14:53 . 2007-12-31 14:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-12-31 14:43 . 2007-12-31 14:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Spyware Terminator
2007-12-31 12:20 . 2007-12-31 14:37 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-12-31 12:17 . 2007-12-31 15:05 <DIR> d-------- C:\Program Files\Symantec
2007-12-31 11:56 . 2007-12-31 11:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-31 10:32 . 2007-12-31 10:32 <DIR> d-------- C:\Documents and Settings\Ed\Application Data\Grisoft
2007-12-31 10:32 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-12-31 10:31 . 2007-01-18 07:00 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgArCln.sys
2007-12-30 22:24 . 2007-12-30 17:55 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-12-30 18:49 . 2007-12-30 19:47 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-12-30 17:54 . 2007-12-30 22:37 <DIR> d-------- C:\Documents and Settings\Ed\.housecall6.6
2007-12-30 17:08 . 2007-12-30 17:08 <DIR> d-------- C:\Program Files\WinClamAVShield
2007-12-30 15:05 . 2007-12-30 15:05 60,968 --a------ C:\Documents and Settings\Ed\GoToAssistDownloadHelper.exe
2007-12-30 14:53 . 2007-12-30 14:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2007-12-30 14:52 . 2007-12-30 14:52 <DIR> d-------- C:\Program Files\Citrix
2007-12-30 14:52 . 2007-12-30 14:52 60,968 --a------ C:\Documents and Settings\Administrator\GoToAssistDownloadHelper.exe
2007-12-30 13:32 . 2007-12-30 13:32 76,576 --a------ C:\WINDOWS\SYSTEM32\GDIPFONTCACHEV1.DAT
2007-12-30 13:12 . 2006-02-28 07:00 214,528 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\wordpad.exe
2007-12-30 13:12 . 2006-02-28 07:00 113,222 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\zoneclim.dll
2007-12-30 13:12 . 2006-02-28 07:00 41,029 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\zcorem.dll
2007-12-30 13:12 . 2006-02-28 07:00 36,937 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\zclientm.exe
2007-12-30 13:12 . 2006-02-28 07:00 29,760 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\znetm.dll
2007-12-30 13:12 . 2006-02-28 07:00 28,288 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\xjis.nls
2007-12-30 13:12 . 2006-02-28 07:00 13,894 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\zonelibm.dll
2007-12-30 13:12 . 2006-02-28 07:00 5,632 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\write.exe
2007-12-30 13:12 . 2006-02-28 07:00 4,677 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\zeeverm.dll
2007-12-30 13:10 . 2006-02-28 07:00 1,875,968 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\msir3jp.lex
2007-12-30 13:09 . 2006-02-28 07:00 10,129,408 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxkor.dll
2007-12-30 13:08 . 2006-02-28 07:00 13,463,552 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll
2007-12-30 13:07 . 2006-02-28 07:00 1,817,687 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\bckgres.dll
2007-12-30 13:06 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\fp4awel.dll
2007-12-30 13:03 . 2007-12-30 13:03 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2007-12-30 13:03 . 2007-12-30 13:03 749 -rah----- C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest
2007-12-30 13:03 . 2007-12-30 13:03 749 -rah----- C:\WINDOWS\SYSTEM32\sapi.cpl.manifest
2007-12-30 13:03 . 2007-12-30 13:03 749 -rah----- C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest
2007-12-30 13:03 . 2007-12-30 13:03 488 -rah----- C:\WINDOWS\SYSTEM32\logonui.exe.manifest
2007-12-30 13:02 . 2006-02-28 07:00 32,768 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\mnmsrvc.exe
2007-12-30 13:00 . 2006-02-28 07:00 140,800 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\sessmgr.exe
2007-12-30 13:00 . 2006-02-28 07:00 126,464 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\wmiapsrv.exe
2007-12-30 13:00 . 2006-02-28 07:00 6,144 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\msdtc.exe
2007-12-30 12:54 . 2006-02-28 07:00 168,806 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\startoc.cat
2007-12-30 12:54 . 2006-02-28 07:00 24,661 --a------ C:\WINDOWS\SYSTEM32\spxcoins.dll
2007-12-30 12:54 . 2006-02-28 07:00 24,661 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\spxcoins.dll
2007-12-30 12:54 . 2006-02-28 07:00 24,209 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\msn7.cat
2007-12-30 12:54 . 2006-02-28 07:00 14,573 -ra------ C:\WINDOWS\SET89.tmp
2007-12-30 12:54 . 2006-02-28 07:00 13,312 --a------ C:\WINDOWS\SYSTEM32\irclass.dll
2007-12-30 12:54 . 2006-02-28 07:00 13,312 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\irclass.dll
2007-12-30 12:54 . 2006-02-28 07:00 11,651 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\msn9.cat
2007-12-30 12:54 . 2006-02-28 07:00 7,382 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\OEMBIOS.CAT
2007-12-30 11:07 . 2007-12-30 11:07 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-30 10:38 . 2007-12-30 10:38 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-30 10:38 . 2007-12-30 10:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-30 10:37 . 2007-12-30 10:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-30 00:15 . 2007-12-30 00:15 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-29 23:23 . 2007-12-29 23:59 <DIR> d-------- C:\Documents and Settings\Ed\Application Data\SUPERAntiSpyware.com
2007-12-29 23:23 . 2007-12-29 23:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-29 19:12 . 2007-12-31 11:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-29 18:59 . 2007-12-29 18:59 230 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.inf
2007-12-29 17:04 . 2006-09-06 17:43 22,752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2007-12-29 17:00 . 2007-12-29 17:00 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-29 16:14 . 2007-12-29 16:14 <DIR> d-------- C:\Program Files\Broadcom
2007-12-29 16:12 . 2003-03-17 21:03 966,656 --a------ C:\WINDOWS\SYSTEM32\W70MLRES.DLL
2007-12-29 16:10 . 1999-05-07 13:24 645,616 --a------ C:\WINDOWS\SYSTEM32\MSCOMCT2.OCX
2007-12-29 16:10 . 2000-03-23 12:50 446,464 -ra------ C:\WINDOWS\SYSTEM32\hhactivex.dll
2007-12-29 16:10 . 1999-05-07 13:24 414,944 --a------ C:\WINDOWS\SYSTEM32\COMCT332.OCX
2007-12-29 16:10 . 1998-11-10 10:46 328,480 --a------ C:\WINDOWS\SYSTEM32\ssa3d30.ocx
2007-12-29 16:10 . 2002-01-08 17:00 176,128 --a------ C:\WINDOWS\SYSTEM32\RcdScan.dll
2007-12-29 16:10 . 1998-06-17 23:00 89,360 --a------ C:\WINDOWS\SYSTEM32\VB5DB.DLL
2007-12-29 15:26 . 2007-12-29 15:26 <DIR> d-------- C:\Program Files\Uniblue
2007-12-29 15:26 . 2007-12-29 15:26 <DIR> d-------- C:\Documents and Settings\Ed\Application Data\Uniblue
2007-12-29 15:26 . 2007-12-29 15:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2007-12-29 13:24 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2007-12-29 13:24 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-12-29 13:24 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2007-12-29 13:24 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-12-29 13:24 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2007-12-29 13:24 . 2007-12-29 20:24 1,450 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-12-29 11:04 . 2006-02-28 07:00 221,184 --a------ C:\WINDOWS\SYSTEM32\wmpns.dll
2007-12-29 10:49 . 2006-02-28 07:00 1,086,058 -ra------ C:\WINDOWS\SET47.tmp
2007-12-29 10:49 . 2006-02-28 07:00 14,573 -ra------ C:\WINDOWS\SET80.tmp
2007-12-29 10:49 . 2006-02-28 07:00 13,753 -ra------ C:\WINDOWS\SET53.tmp
2007-12-29 10:49 . 2006-02-28 07:00 7,334 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\wmerrenu.cat
2007-12-29 10:48 . 2006-02-28 07:00 1,042,903 -ra------ C:\WINDOWS\SET46.tmp
2007-12-29 07:59 . 2007-12-31 08:40 1,596 --a------ C:\WINDOWS\SYSTEM32\wpa.bak
2007-12-29 07:46 . 2007-07-30 19:19 216,408 --a--c--- C:\WINDOWS\SYSTEM32\wuaucpl.cpl

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-31 18:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-31 18:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-31 17:20 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-31 17:20 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-31 17:20 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-31 03:53 --------- d-----w C:\Program Files\Common Files\aolshare
2007-12-31 03:50 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-31 00:22 --------- d-----w C:\Program Files\AIM
2007-12-30 05:40 14,037 ----a-w C:\WINDOWS\system32\drivers\mdc8021x.sys
2007-12-29 21:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-29 21:12 --------- d-----w C:\Program Files\Intel
2007-12-29 12:20 --------- d-----w C:\Program Files\Apoint
2007-12-29 06:16 --------- d-----w C:\Program Files\AWS
2007-12-29 06:16 --------- d-----w C:\Documents and Settings\Ed\Application Data\Rex-Services
2007-12-27 20:05 --------- d-----w C:\Documents and Settings\Ed\Application Data\Symantec
2007-12-27 16:38 --------- d-----w C:\Program Files\QuickTime
2007-12-25 19:10 --------- d-----w C:\Documents and Settings\Ed\Application Data\U3
2007-12-10 16:23 --------- d-----w C:\Documents and Settings\Ed\Application Data\MSN6
2007-12-01 04:57 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-12-01 04:57 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-12-01 04:57 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-11-25 03:37 --------- d-----w C:\Program Files\Tribeca Labs
2007-11-12 23:50 --------- d-----w C:\Documents and Settings\Ed\Application Data\Move Networks
2007-11-10 22:39 76,576 ----a-w C:\Documents and Settings\Ed\Application Data\GDIPFONTCACHEV1.DAT
2005-03-10 17:28 0 ----a-w C:\Documents and Settings\Ed\Upgrade.exe
2004-12-22 00:10 0 -csha-r C:\Program Files\q330994.exe
2004-12-22 00:10 0 -csha-r C:\WINDOWS\cvchost.exe
2004-12-22 00:10 0 -csha-r C:\WINDOWS\dl.exe
2004-12-22 00:10 0 -csha-r C:\WINDOWS\dlm.exe
2004-12-22 00:10 0 -csha-r C:\WINDOWS\msstasks.exe
2004-12-22 00:10 0 -csha-r C:\WINDOWS\mssys.com
2004-12-22 00:10 0 -csha-r C:\WINDOWS\mstasks1.exe
2004-12-22 00:10 0 -csha-r C:\WINDOWS\mstaskss.exe
2004-12-22 00:10 0 -csha-r C:\WINDOWS\msxmidi.exe
2004-12-22 00:10 0 -csha-r C:\WINDOWS\ntldr.exe
2004-12-22 00:10 0 -csha-r C:\WINDOWS\rocky.exe
2004-12-22 00:10 0 -csha-r C:\WINDOWS\seksdialer.exe
2004-12-22 00:10 0 -csha-r C:\WINDOWS\SYSTEM\wmscrop.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2007-12-28 23:07 1591808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2007-12-28 21:58 2778112]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-12-27 11:35 115816]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2006-02-28 07:00 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll 2007-12-30 14:52 10792 C:\Program Files\Citrix\GoToAssist\480\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\System32\LgNotify.dll 2003-06-20 07:03 110592 C:\WINDOWS\SYSTEM32\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Uae48.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^.protected]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\.protected
backup=C:\WINDOWS\pss\.protectedStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^.protected]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\.protected
backup=C:\WINDOWS\pss\.protectedCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^winlogin.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
backup=C:\WINDOWS\pss\winlogin.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ed^Start Menu^Programs^Startup^.protected]
path=C:\Documents and Settings\Ed\Start Menu\Programs\Startup\.protected
backup=C:\WINDOWS\pss\.protectedStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ed^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\Ed\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ed^Start Menu^Programs^Startup^Photobot.lnk]
path=C:\Documents and Settings\Ed\Start Menu\Programs\Startup\Photobot.lnk
backup=C:\WINDOWS\pss\Photobot.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2sni3mX]
cnvc3260.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2003-06-11 00:07 147456 --a--c--- C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aqlwihou]
C:\Program Files\Tmlsfdce\aqlwihou.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2007-12-27 11:35 335872 --a------ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoUpdater]
C:\Program Files\AutoUpdate\AutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Awola]
C:\Documents and Settings\Ed\Application Data\Awola\Awola.exe /MIN

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\conscorr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Control handler]
C:\WINDOWS\System32\c6hen9sezmzo2mthd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CSV7P70]
C:\Program Files\CSBB\CSV7P070.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2002-12-17 21:16 360448 --a------ C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dkbepahk]
rundll32.exe C:\Program Files\dkbepahk\dmtkrqfa.dll,Init

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DR_S]
C:\Program Files\DR_S\DR_S.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
2002-07-17 11:18 28672 --a------ C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eZmmod]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP]
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe -win

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JB4sRgb3Q]
cmurecst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2002-07-16 20:21 28672 --a------ C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mnlyss]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mpyvwwbts]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nfxpzc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]
pctspk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperProfessional]
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack11]
C:\Program Files\QdrPack\QdrPack11.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Service Pack 1]
C:\WINDOWS\System32\vedxg6ame4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w]
2007-12-27 11:34 35840 --a------ C:\Documents and Settings\Ed\Application Data\Microsoft\Windows\lxcfi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2007-08-31 16:46 1460560 --a------ C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareTerminator]
2007-12-28 21:58 2778112 --a------ C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\stcloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SYSfit]
C:\WINDOWS\SYSfit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Mechanic Registry Compact Handler]
C:\Program Files\iolo\System Mechanic 5 Professional\SysMech5.exe /PERSISTREGCOMPACT

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win Server Updt]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]
C:\Program Files\WinAble\winable.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
C:\Windows\xpupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch]
C:\Documents and Settings\Ed\Application Data\WinTouch\WinTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winupdtl]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UPS"=3 (0x3)
"Symantec Core LC"=3 (0x3)
"sp_rssrv"=2 (0x2)
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate Notice Ex"=2 (0x2)
"LiveUpdate"=3 (0x3)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
"comHost"=3 (0x3)
"CLTNetCnService"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"CCALib8"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"aspnet_state"=3 (0x3)
"aawservice"=2 (0x2)
"a2free"=2 (0x2)
"WANMiniportService"=2 (0x2)
"RasMan"=3 (0x3)
"ImapiService"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)

R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\System32\drivers\sp_rsdrv2.sys [2007-12-29 01:55]
R3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys [2002-11-08 14:13]
S2 init_3b0c-6b44;init_3b0c-6b44;C:\WINDOWS\System32\init_3b0c-6b44.sys []
S3 EraserUtilDrv10621;EraserUtilDrv10621;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10621.sys []
S3 GoToAssist;GoToAssist;"C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe" Start=service []
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2002-11-22 20:01]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-30 00:06:26 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2007-12-29 20:49:02 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 16:12:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-04 16:17:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-04 21:17:01
.
2008-01-04 20:29:30 --- E O F ---


Now here is the new hijackthis log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:27:46 PM, on 1/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://body1.spfldcol.edu/dwa7W.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\WINDOWS\TEMP\157967.exe (file missing)
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: COMSysApp - Unknown owner - C:\WINDOWS\TEMP\158557.exe (file missing)
O23 - Service: dmserver - Unknown owner - C:\WINDOWS\TEMP\137738.exe (file missing)
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: HTTPFilter - Unknown owner - C:\WINDOWS\TEMP\183173.exe (file missing)
O23 - Service: lanmanserver - Unknown owner - C:\WINDOWS\TEMP\130377.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe (file missing)
O23 - Service: NetSvc - Unknown owner - C:\WINDOWS\TEMP\134503.exe (file missing)
O23 - Service: RDSessMgr - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: RegSrvc - Unknown owner - C:\WINDOWS\system32\RegSrvc.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\WINDOWS\system32\locator.exe (file missing)
O23 - Service: RSVP - Unknown owner - C:\WINDOWS\system32\rsvp.exe (file missing)
O23 - Service: S24EventMonitor - Unknown owner - C:\WINDOWS\system32\S24EvMon.exe (file missing)
O23 - Service: Smart Card Helper (SCardDrv) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Spooler - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: sp_rssrv - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: VSS - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WmiApSrv - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 5711 bytes


Internet seems to have not gone down I'll leave this computer running to see if it dose though.

1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


7. After reboot, (in case it asks to reboot), please post the following reports/logs into your next replyafter you re-enable all the programs that were disabled during the running of ComboFix:

• Combofix.txt
• A new HijackThis log.

Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Not going anywhere, now on normal boot up as it is just about to goto the desktop the "blue screen of death" comes up and re boots that computer right now I have it in safe mode so should I still run what you just said in safe mode?