Topic: Some virus problems
Valdr
« on: February 06, 2010, 04:05:29 PM »

Hi there guys,
Today I was playing WoW when a small popup came out of the system tray about an anti-virus scan running. I hadn't seen it before and knew right away it was a virus. I closed out of everything, disconnected my cat5 and attempted to open up Task Manager and Malwarebytes; I got a Security Warning for both.

"Application cannot be executed. The file 'xxxxxx' is infected. Do you want to activate your antivirus software now?"

Obviously fake. I did manage to get SUPERAntiSpyware open using alternate start, where I found a 'Trojan Dropper/Gen-c'. I did not reboot like it wanted me to. However, other than that I cannot get anything open. Online scanners do not work, the virus keeps attempting to send my browser to websites, and I keep getting fake antivirus alerts. I am not sure what to do. I attempted to look at my hosts file to see if they were blocking it that way, but I couldn't get it open.

Windows XP SP3

Seems very close to this: http://www.computerhope.com/forum/index.php/topic,99119.0.html and http://www.computerhope.com/forum/index.php/topic,99477.0.html
« Last Edit: February 06, 2010, 04:55:54 PM by Valdr »
Valdr
« Reply #1 on: February 06, 2010, 04:53:21 PM »

Update: my little cousin tripped and yanked out the power cord. The computer is now booted up in safe mode (with networking) and I can open programs. However, I cannot update my AV.
evilfantasy
Malware Removal Specialist, Moderator
« Reply #2 on: February 06, 2010, 06:50:28 PM »

Work through the Malware Removal Guide. HERE

Valdr
« Reply #3 on: February 06, 2010, 07:41:14 PM »

Step A: I manually updated Avira and ran a scan.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++
Avira AntiVir Personal
Report file date: Saturday, February 06, 2010  21:06

Scanning for 1731055 virus strains and unwanted programs.

Licensee        : Avira AntiVir Personal - FREE Antivirus
Serial number   : 0000149996-ADJIE-0000001
Platform        : Windows XP
Windows version : (Service Pack 3)  [5.1.2600]
Boot mode       : Normally booted
Username        : Mark
Computer name   : MARK-47805DC06C

Version information:
BUILD.DAT       : 9.0.0.418     21723 Bytes   12/2/2009 16:28:00
AVSCAN.EXE      : 9.0.3.10     466689 Bytes  10/13/2009 16:26:33
AVSCAN.DLL      : 9.0.3.0       40705 Bytes   2/27/2009 15:58:24
LUKE.DLL        : 9.0.3.2      209665 Bytes   2/20/2009 16:35:49
LUKERES.DLL     : 9.0.2.0       12033 Bytes   2/27/2009 15:58:52
VBASE000.VDF    : 7.10.0.0   19875328 Bytes   11/6/2009 21:47:16
VBASE001.VDF    : 7.10.1.0    1372672 Bytes  11/19/2009 21:47:16
VBASE002.VDF    : 7.10.3.1    3143680 Bytes   1/20/2010 21:47:16
VBASE003.VDF    : 7.10.3.75    996864 Bytes   1/26/2010 21:47:16
VBASE004.VDF    : 7.10.3.76      2048 Bytes   1/26/2010 21:47:16
VBASE005.VDF    : 7.10.3.77      2048 Bytes   1/26/2010 21:47:16
VBASE006.VDF    : 7.10.3.78      2048 Bytes   1/26/2010 21:47:16
VBASE007.VDF    : 7.10.3.79      2048 Bytes   1/26/2010 21:47:16
VBASE008.VDF    : 7.10.3.80      2048 Bytes   1/26/2010 21:47:16
VBASE009.VDF    : 7.10.3.81      2048 Bytes   1/26/2010 21:47:16
VBASE010.VDF    : 7.10.3.82      2048 Bytes   1/26/2010 21:47:16
VBASE011.VDF    : 7.10.3.83      2048 Bytes   1/26/2010 21:47:16
VBASE012.VDF    : 7.10.3.84      2048 Bytes   1/26/2010 21:47:16
VBASE013.VDF    : 7.10.3.85      2048 Bytes   1/26/2010 21:47:16
VBASE014.VDF    : 7.10.3.122    172544 Bytes   1/29/2010 21:47:16
VBASE015.VDF    : 7.10.3.149     79872 Bytes    2/1/2010 21:47:16
VBASE016.VDF    : 7.10.3.174     68608 Bytes    2/3/2010 21:47:16
VBASE017.VDF    : 7.10.3.199     76800 Bytes    2/4/2010 21:47:16
VBASE018.VDF    : 7.10.3.200      2048 Bytes    2/4/2010 21:47:16
VBASE019.VDF    : 7.10.3.201      2048 Bytes    2/4/2010 21:47:16
VBASE020.VDF    : 7.10.3.202      2048 Bytes    2/4/2010 21:47:16
VBASE021.VDF    : 7.10.3.203      2048 Bytes    2/4/2010 21:47:16
VBASE022.VDF    : 7.10.3.204      2048 Bytes    2/4/2010 21:47:16
VBASE023.VDF    : 7.10.3.205      2048 Bytes    2/4/2010 21:47:16
VBASE024.VDF    : 7.10.3.206      2048 Bytes    2/4/2010 21:47:16
VBASE025.VDF    : 7.10.3.207      2048 Bytes    2/4/2010 21:47:16
VBASE026.VDF    : 7.10.3.208      2048 Bytes    2/4/2010 21:47:16
VBASE027.VDF    : 7.10.3.209      2048 Bytes    2/4/2010 21:47:16
VBASE028.VDF    : 7.10.3.210      2048 Bytes    2/4/2010 21:47:16
VBASE029.VDF    : 7.10.3.211      2048 Bytes    2/4/2010 21:47:16
VBASE030.VDF    : 7.10.3.212      2048 Bytes    2/4/2010 21:47:16
VBASE031.VDF    : 7.10.3.219     64512 Bytes    2/5/2010 21:47:16
Engineversion   : 8.2.1.158
AEVDF.DLL       : 8.1.1.3      106868 Bytes    2/5/2010 21:47:14
AESCRIPT.DLL    : 8.1.3.13     823674 Bytes    2/5/2010 21:47:14
AESCN.DLL       : 8.1.4.0      127348 Bytes    2/5/2010 21:47:14
AESBX.DLL       : 8.1.1.1      246132 Bytes    2/5/2010 21:47:14
AERDL.DLL       : 8.1.3.4      479605 Bytes    2/5/2010 21:47:14
AEPACK.DLL      : 8.2.0.5      422262 Bytes    2/5/2010 21:47:14
AEOFFICE.DLL    : 8.1.0.38     196987 Bytes    2/5/2010 21:47:14
AEHEUR.DLL      : 8.1.1.4     2326899 Bytes    2/5/2010 21:47:14
AEHELP.DLL      : 8.1.10.0     237942 Bytes    2/5/2010 21:47:14
AEGEN.DLL       : 8.1.1.86     369012 Bytes    2/5/2010 21:47:14
AEEMU.DLL       : 8.1.1.0      393587 Bytes    2/5/2010 21:47:14
AECORE.DLL      : 8.1.11.1     184694 Bytes    2/5/2010 21:47:14
AEBB.DLL        : 8.1.0.3       53618 Bytes    2/5/2010 21:47:14
AVWINLL.DLL     : 9.0.0.3       18177 Bytes  12/12/2008 13:47:59
AVPREF.DLL      : 9.0.3.0       44289 Bytes   8/26/2009 20:14:02
AVREP.DLL       : 8.0.0.3      155905 Bytes   1/20/2009 19:34:28
AVREG.DLL       : 9.0.0.0       36609 Bytes   12/5/2008 15:32:09
AVARKT.DLL      : 9.0.0.3      292609 Bytes   3/24/2009 20:05:41
AVEVTLOG.DLL    : 9.0.0.7      167169 Bytes   1/30/2009 15:37:08
SQLITE3.DLL     : 3.6.1.0      326401 Bytes   1/28/2009 20:03:49
SMTPLIB.DLL     : 9.2.0.25      28417 Bytes    2/2/2009 13:21:33
NETNT.DLL       : 9.0.0.0       11521 Bytes   12/5/2008 15:32:10
RCIMAGE.DLL     : 9.0.0.25    2438913 Bytes   5/15/2009 20:39:58
RCTEXT.DLL      : 9.0.73.0      86785 Bytes  10/13/2009 17:25:47

Configuration settings for the scan:
Jobname.............................: Local Drives
Configuration file..................: c:\program files\avira\antivir desktop\alldrives.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, E:, F:, A:, D:, G:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: Intelligent file selection
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: high
Deviating risk categories...........: +JOKE,+PCK,+PFS,+SPR,

Start of the scan: Saturday, February 06, 2010  21:06

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'CCC.exe' - '1' Module(s) have been scanned
Scan process 'razerofa.exe' - '1' Module(s) have been scanned
Scan process 'razertra.exe' - '1' Module(s) have been scanned
Scan process 'devldr32.exe' - '1' Module(s) have been scanned
Scan process 'OSD.exe' - '1' Module(s) have been scanned
Scan process 'razerhid.exe' - '1' Module(s) have been scanned
Scan process 'V0410Mon.exe' - '1' Module(s) have been scanned
Scan process 'winampa.exe' - '1' Module(s) have been scanned
Scan process 'MOM.exe' - '1' Module(s) have been scanned
Scan process 'RTHDCPL.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
37 processes with 37 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
    [INFO]      No virus was found!
Master boot sector HD1
    [INFO]      No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
    [INFO]      No virus was found!
Boot sector 'E:\'
    [INFO]      No virus was found!
Boot sector 'F:\'
    [INFO]      No virus was found!
Boot sector 'A:\'
    [INFO]      In the drive 'A:\' no data medium is inserted!

Starting to scan executable files (registry).
The registry was scanned ( '60' files ).


Starting the file scan:

Begin scan in 'C:\' <System>
C:\pagefile.sys
    [WARNING]   The file could not be opened!
    [NOTE]      This file is a Windows system file.
    [NOTE]      This file cannot be opened for scanning.
C:\Documents and Settings\Mark\Local Settings\Temp\plugtmp-1\plugin-pdfNode.php
    [DETECTION] Contains recognition pattern of the EXP/Pidief.yag exploit
C:\WINDOWS\system32\drivers\sptd.sys
    [WARNING]   The file could not be opened!
Begin scan in 'E:\' <Media>
Begin scan in 'F:\' <Storage>
Begin scan in 'A:\'
Search path A:\ could not be opened!
System error [21]: The device is not ready.
Begin scan in 'D:\'
Search path D:\ could not be opened!
System error [21]: The device is not ready.
Begin scan in 'G:\'
Search path G:\ could not be opened!
System error [21]: The device is not ready.

Beginning disinfection:
C:\Documents and Settings\Mark\Local Settings\Temp\plugtmp-1\plugin-pdfNode.php
    [DETECTION] Contains recognition pattern of the EXP/Pidief.yag exploit
    [NOTE]      The file was moved to '4be3227e.qua'!


End of the scan: Saturday, February 06, 2010  21:14
Used time: 08:16 Minute(s)

The scan has been done completely.

   6876 Scanned directories
 154616 Files were scanned
      1 Viruses and/or unwanted programs were found
      0 Files were classified as suspicious
      0 files were deleted
      0 Viruses and unwanted programs were repaired
      1 Files were moved to quarantine
      0 Files were renamed
      2 Files cannot be scanned
 154613 Files not concerned
    667 Archives were scanned
      2 Warnings
      2 Notes

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


Step 1: Nothing unusual.
Step 2: Done.
Step 3: Manual update and scan. Nothing found.
Step 4: Manual update and scan. Virus found:

++++++++++++++++++++++++++++++++
Malwarebytes' Anti-Malware 1.44
Database version: 3695
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 6.0.2900.5512

2/6/2010 9:26:36 PM
mbam-log-2010-02-06 (19-06-36).txt

Scan type: Full Scan (C:\|E:\|F:\|)
Objects scanned: 164200
Time elapsed: 7 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsoft (Trojan.FakeAV) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mgsoeuiy (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mgsoeuiy (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++





Step 5: Checked, I have the latest.
Step 6: Scanned.




+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 9:40:56 PM, on 2/6/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\V0410Mon.exe
C:\Program Files\Razer\Lachesis\razerhid.exe
C:\Program Files\Razer\Lachesis\OSD.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Razer\Lachesis\razertra.exe
C:\Program Files\Razer\Lachesis\razerofa.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\TrendMicro\HiJackThis\sniper.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [linksysDiag] C:\Program Files\Linksys\LinksysDiag\LinksysDiag /hw
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [laim] "C:\Program Files\AIM Lite\aimlite.exe" -autorun
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [V0410Mon.exe] C:\WINDOWS\V0410Mon.exe
O4 - HKLM\..\Run: [Gxomolovolo] rundll32.exe "C:\WINDOWS\owekomemap.dll",Startup
O4 - HKLM\..\Run: [Lachesis] C:\Program Files\Razer\Lachesis\razerhid.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263093828140
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\GEST\GSvr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4529 bytes


+++++++++++++++++++++++++++++++++++++++




I am still unable to use the update features of my
evilfantasy
Malware Removal Specialist, Moderator
« Reply #4 on: February 06, 2010, 08:17:21 PM »

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

  • R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
  • O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
  • O4 - HKLM\..\Run: [Gxomolovolo] rundll32.exe "C:\WINDOWS\owekomemap.dll",Startup
  • O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  • O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

DO NOT run it yet!

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

File::
C:\WINDOWS\owekomemap.dll


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

----------

Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

Do not confuse Windows Messenger with MSN Messenger or Windows Live Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

Exit out of MessengerDisable then delete the two files that were put on the desktop.

----------

Next post please add the ComboFix log.
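A defender-side triage of the HijackThis log posted in Reply #3, written as an added example (it is not code from this thread, from HijackThis or from ComboFix): it runs over constructed log lines modelled on the entries evilfantasy had removed and flags the two properties that single them out, a ProxyServer value pointing at the loopback interface and an O4 Run entry that starts rundll32 on a DLL kept directly in the Windows directory or in the user's temp area. The regular expressions, the `triage` function and the sample lines are my own assumptions about the log format; benign entries from the same log are included as controls.

```python
"""Heuristic triage of HijackThis-style log lines (added example, not HijackThis code)."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Constructed sample, modelled on the lines in the thread's HijackThis log.
# Benign entries are included as controls so the heuristics must discriminate.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [V0410Mon.exe] C:\WINDOWS\V0410Mon.exe
O4 - HKLM\..\Run: [Gxomolovolo] rundll32.exe "C:\WINDOWS\owekomemap.dll",Startup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

# R1: per-user Internet Settings, e.g. "...,ProxyServer = http=127.0.0.1:5555"
PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>\S+)")
# O4: autostart entry, e.g. "O4 - HKLM\..\Run: [Name] command line"
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# A command line that hands a DLL to rundll32, quoted or not, with an optional ",Entry"
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?', re.IGNORECASE)
# Proxy host on the loopback interface (any port)
LOOPBACK_RE = re.compile(r"(^|=)(127\.\d+\.\d+\.\d+|localhost)(:\d+)?", re.IGNORECASE)
# Directories where a legitimately installed autostart DLL is rarely kept:
# the Windows root itself (not system32) and the user's temp / local app data.
SUSPECT_DIR_RE = re.compile(
    r"^[a-z]:\\(windows|winnt)$"
    r"|\\local settings\\temp(\\|$)"
    r"|\\local settings\\application data(\\|$)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    line: str
    reason: str


def triage(log_text: str) -> list[Finding]:
    """Return the log lines that match one of the heuristics, with the reason."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.match(line)
        if m and LOOPBACK_RE.search(m.group("proxy")):
            findings.append(Finding(
                line,
                "ProxyServer points at the loopback interface: every browser request "
                "is handed to a local process, which the user did not configure",
            ))
            continue
        m = RUN_RE.match(line)
        if not m:
            continue
        d = RUNDLL_RE.search(m.group("cmd"))
        if d and SUSPECT_DIR_RE.search(ntpath.dirname(d.group("dll"))):
            findings.append(Finding(
                line,
                f"Run entry [{m.group('name')}] starts rundll32 on {d.group('dll')}, "
                f"a DLL kept in a directory installers do not normally use for autostarts",
            ))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"FLAG: {f.reason}\n      {f.line}")
```

Plain executables in the Windows root (the V0410Mon.exe webcam monitor above) are deliberately not flagged, only DLLs loaded through rundll32; widen `SUSPECT_DIR_RE` or add a second rule if a log shows a different pattern.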

Valdr
« Reply #5 on: February 06, 2010, 08:40:10 PM »

Completed.

Completed.

After running ComboFix and rebooting I got a RUNDLL error for part of the virus that was removed: owekomemap.dll


Here is my Log:

ComboFix 10-02-06.01 - Mark 02/06/2010  22:33:21.1.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3070.2684 [GMT -5:00]
Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mark\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\windows\owekomemap.dll"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Mark\Local Settings\Application Data\{6121AF1E-4494-41AE-8D1C-AB6A2F395D25}
c:\documents and settings\Mark\Local Settings\Application Data\{6121AF1E-4494-41AE-8D1C-AB6A2F395D25}\chrome.manifest
c:\documents and settings\Mark\Local Settings\Application Data\{6121AF1E-4494-41AE-8D1C-AB6A2F395D25}\chrome\content\_cfg.js
c:\documents and settings\Mark\Local Settings\Application Data\{6121AF1E-4494-41AE-8D1C-AB6A2F395D25}\chrome\content\overlay.xul
c:\documents and settings\Mark\Local Settings\Application Data\{6121AF1E-4494-41AE-8D1C-AB6A2F395D25}\install.rdf
c:\documents and settings\Mark\Local Settings\Application Data\jxswbc
c:\documents and settings\Mark\Local Settings\Application Data\jxswbc\xasbsftav.exe
c:\windows\owekomemap.dll

.
(((((((((((((((((((((((((   Files Created from 2010-01-07 to 2010-02-07  )))))))))))))))))))))))))))))))
.

2010-02-07 02:15 . 2010-02-07 02:15   --------   d-----w-   c:\program files\CCleaner
2010-02-07 01:55 . 2009-11-25 16:19   56816   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
2010-02-07 01:55 . 2009-03-30 14:33   96104   ----a-w-   c:\windows\system32\drivers\avipbb.sys
2010-02-07 01:55 . 2009-02-13 16:29   22360   ----a-w-   c:\windows\system32\drivers\avgntmgr.sys
2010-02-07 01:55 . 2009-02-13 16:17   45416   ----a-w-   c:\windows\system32\drivers\avgntdd.sys
2010-02-07 01:55 . 2010-02-07 01:55   --------   d-----w-   c:\program files\Avira
2010-02-07 01:55 . 2010-02-07 01:55   --------   d-----w-   c:\documents and settings\All Users\Application Data\Avira
2010-02-07 01:47 . 2010-02-07 01:47   388096   ----a-r-   c:\documents and settings\Mark\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-07 01:47 . 2010-02-07 01:47   --------   d-----w-   c:\program files\TrendMicro
2010-02-02 23:29 . 2008-06-13 11:05   272128   -c----w-   c:\windows\system32\dllcache\bthport.sys
2010-02-02 23:29 . 2008-06-13 11:05   272128   ------w-   c:\windows\system32\drivers\bthport.sys
2010-02-02 23:26 . 2010-02-02 23:26   414672   ----a-w-   c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-02-02 23:23 . 2008-10-24 11:21   455296   -c----w-   c:\windows\system32\dllcache\mrxsmb.sys
2010-02-02 23:22 . 2009-08-04 15:13   2145280   -c----w-   c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-02 23:22 . 2009-08-04 14:20   2023936   -c----w-   c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-02 23:22 . 2009-08-04 14:20   2066048   -c----w-   c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-02 23:22 . 2008-05-03 11:55   2560   ------w-   c:\windows\system32\xpsp4res.dll
2010-01-29 22:10 . 2008-10-10 09:52   452440   ----a-w-   c:\windows\system32\d3dx10_40.dll
2010-01-29 22:10 . 2008-10-10 09:52   4379984   ----a-w-   c:\windows\system32\D3DX9_40.dll
2010-01-29 22:10 . 2008-10-10 09:52   2036576   ----a-w-   c:\windows\system32\D3DCompiler_40.dll
2010-01-29 22:10 . 2010-01-29 22:11   --------   d-----w-   c:\program files\Heroes of Newerth
2010-01-28 15:51 . 2010-01-07 21:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-28 15:51 . 2010-01-07 21:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-01-28 14:28 . 2010-01-28 14:28   --------   d-----w-   c:\documents and settings\Mark\Local Settings\Application Data\My Games
2010-01-28 14:20 . 2007-06-21 01:46   266088   ----a-w-   c:\windows\system32\xactengine2_8.dll
2010-01-28 14:20 . 2007-06-21 01:45   18280   ----a-w-   c:\windows\system32\x3daudio1_2.dll
2010-01-28 14:20 . 2007-05-16 21:45   443752   ----a-w-   c:\windows\system32\d3dx10_34.dll
2010-01-28 14:20 . 2007-05-16 21:45   3497832   ----a-w-   c:\windows\system32\d3dx9_34.dll
2010-01-28 14:20 . 2007-05-16 21:45   1124720   ----a-w-   c:\windows\system32\D3DCompiler_34.dll
2010-01-28 14:09 . 2010-01-28 14:09   --------   d-----w-   c:\program files\Firaxis Games
2010-01-28 14:09 . 2005-05-26 20:34   2297552   ----a-w-   c:\windows\system32\d3dx9_26.dll
2010-01-28 14:03 . 2010-01-28 14:03   --------   d-----w-   c:\program files\Common Files\Java
2010-01-28 14:03 . 2010-01-28 14:03   61440   ----a-w-   c:\documents and settings\Mark\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4053c8a5-n\decora-sse.dll
2010-01-28 14:03 . 2010-01-28 14:03   503808   ----a-w-   c:\documents and settings\Mark\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-76a0273a-n\msvcp71.dll
2010-01-28 14:03 . 2010-01-28 14:03   499712   ----a-w-   c:\documents and settings\Mark\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-76a0273a-n\jmc.dll
2010-01-28 14:03 . 2010-01-28 14:03   348160   ----a-w-   c:\documents and settings\Mark\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-76a0273a-n\msvcr71.dll
2010-01-28 14:03 . 2010-01-28 14:03   12800   ----a-w-   c:\documents and settings\Mark\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4053c8a5-n\decora-d3d.dll
2010-01-28 13:47 . 2010-01-28 13:47   691696   ----a-w-   c:\windows\system32\drivers\sptd.sys
2010-01-28 13:47 . 2010-01-28 13:48   --------   d-----w-   c:\program files\DAEMON Tools Lite
2010-01-28 13:46 . 2010-02-02 23:31   --------   d-----w-   c:\documents and settings\Mark\Application Data\DAEMON Tools Lite
2010-01-28 13:46 . 2010-01-28 13:46   --------   d-----w-   c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2010-01-20 21:34 . 2010-01-20 21:34   --------   d-----w-   c:\documents and settings\All Users\Application Data\Razer
2010-01-20 21:33 . 2010-01-20 21:33   --------   d-----w-   c:\documents and settings\Mark\Application Data\InstallShield
2010-01-16 05:13 . 2010-01-16 05:13   --------   d-----w-   c:\documents and settings\Mark\Local Settings\Application Data\Identities
2010-01-15 22:30 . 2010-01-15 22:30   52224   ----a-w-   c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-15 22:30 . 2010-02-07 02:17   117760   ----a-w-   c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-15 22:30 . 2010-01-15 22:30   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-15 22:30 . 2010-02-07 00:07   --------   d-----w-   c:\program files\SUPERAntiSpyware
2010-01-15 22:30 . 2010-01-15 22:30   --------   d-----w-   c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com
2010-01-15 22:19 . 2010-01-15 22:32   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
2010-01-15 22:16 . 2010-02-06 22:14   2984   ----a-w-   c:\windows\Idiqequ.dat
2010-01-15 22:16 . 2010-02-06 18:12   0   ----a-w-   c:\windows\Xyata.bin
2010-01-11 14:27 . 2010-01-11 14:27   --------   d-----w-   c:\documents and settings\Mark\Application Data\DivX
2010-01-11 04:25 . 2010-01-11 04:25   --------   d-----w-   c:\windows\Sun
2010-01-11 04:25 . 2009-12-17 22:14   411368   ----a-w-   c:\windows\system32\deploytk.dll
2010-01-11 04:24 . 2010-01-28 14:03   --------   d-----w-   c:\program files\Java
2010-01-11 04:24 . 2010-01-11 04:24   152576   ----a-w-   c:\documents and settings\Mark\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-11 04:24 . 2010-01-11 04:24   79488   ----a-w-   c:\documents and settings\Mark\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-11 04:20 . 2008-09-16 00:14   120056   ------w-   c:\windows\system32\pxcpyi64.exe
2010-01-11 04:20 . 2008-09-16 00:14   118520   ------w-   c:\windows\system32\pxinsi64.exe
2010-01-11 04:17 . 2010-01-11 04:20   --------   d-----w-   c:\program files\DivX
2010-01-11 04:17 . 2010-01-11 04:17   --------   d-----w-   c:\program files\Common Files\DivX Shared
2010-01-10 19:15 . 2010-01-27 01:42   --------   d-----w-   c:\documents and settings\Mark\Application Data\Ventrilo
2010-01-10 19:15 . 2010-01-10 19:15   --------   d-----w-   c:\program files\Ventrilo
2010-01-10 19:15 . 2010-01-15 22:30   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2010-01-10 08:05 . 2010-01-28 11:41   --------   d-----w-   c:\documents and settings\Mark\Application Data\BitTorrent
2010-01-10 08:05 . 2010-01-10 08:05   --------   d-----w-   c:\program files\BitTorrent
2010-01-10 07:11 . 2010-01-10 07:11   --------   d-----w-   c:\documents and settings\Mark\Local Settings\Application Data\Blizzard Entertainment
2010-01-10 07:02 . 2010-01-30 14:26   --------   d-----w-   c:\documents and settings\Mark\Local Settings\Application Data\Deployment
2010-01-10 06:58 . 2010-01-10 06:58   --------   d-----w-   c:\windows\system32\XPSViewer
2010-01-10 06:58 . 2010-01-10 06:58   --------   d-----w-   c:\program files\MSBuild
2010-01-10 06:58 . 2010-01-10 06:58   --------   d-----w-   c:\program files\Reference Assemblies
2010-01-10 06:57 . 2008-07-06 12:06   89088   ----a-w-   c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-01-10 06:57 . 2008-07-06 12:06   89088   -c----w-   c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-01-10 06:57 . 2008-07-06 12:06   575488   -c----w-   c:\windows\system32\dllcache\xpsshhdr.dll
2010-01-10 06:57 . 2008-07-06 12:06   575488   ------w-   c:\windows\system32\xpsshhdr.dll
2010-01-10 06:57 . 2008-07-06 12:06   1676288   -c----w-   c:\windows\system32\dllcache\xpssvcs.dll
2010-01-10 06:57 . 2008-07-06 12:06   1676288   ------w-   c:\windows\system32\xpssvcs.dll
2010-01-10 06:57 . 2008-07-06 12:06   117760   ------w-   c:\windows\system32\prntvpt.dll
2010-01-10 06:57 . 2008-07-06 10:50   597504   -c----w-   c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-01-10 06:57 . 2008-07-06 10:50   597504   ------w-   c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-01-10 06:24 . 2010-01-10 06:33   --------   d-----w-   c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-01-10 06:12 . 2010-01-10 06:12   --------   d-----w-   c:\documents and settings\Mark\Application Data\acccore
2010-01-10 06:12 . 2010-01-10 06:12   --------   d-----w-   c:\documents and settings\Mark\Application Data\LAIM
2010-01-10 06:12 . 2010-01-10 06:12   --------   d-----w-   c:\program files\AIM Lite
2010-01-10 06:02 . 2010-01-10 06:02   --------   d-----r-   C:\AHCache
2010-01-10 04:35 . 2010-02-06 23:11   --------   d-----w-   c:\program files\World of Warcraft
2010-01-10 04:35 . 2010-01-10 05:55   --------   d-----w-   c:\program files\Common Files\Blizzard Entertainment
2010-01-10 04:20 . 2007-10-11 16:10   30008   ----a-w-   c:\windows\system32\drivers\ET5Drv.sys
2010-01-10 04:18 . 2010-01-10 04:18   --------   d-----w-   C:\RaidTool
2010-01-10 04:18 . 2007-08-29 08:55   1966080   ------r-   c:\windows\system32\xRaidSetup.exe
2010-01-10 04:18 . 2007-08-20 05:31   151552   ------r-   c:\windows\system32\xRaidAPI.dll
2010-01-10 04:18 . 2008-01-03 14:10   105856   ----a-r-   c:\windows\system32\drivers\Rtenicxp.sys
2010-01-10 04:18 . 2007-09-29 05:30   65024   ----a-r-   c:\windows\system32\drivers\jraid.sys
2010-01-10 04:18 . 2010-01-10 04:18   --------   d-----w-   c:\windows\RaidTool
2010-01-10 04:15 . 2006-05-04 08:26   2808832   ------r-   c:\windows\alcwzrd.exe
2010-01-10 04:15 . 2010-01-10 04:15   315392   ----a-w-   c:\windows\HideWin.exe
2010-01-10 04:15 . 2007-07-26 09:09   520192   ------r-   c:\windows\RtlExUpd.dll
2010-01-10 04:12 . 2007-12-12 07:56   53248   ----a-r-   c:\windows\system32\CSVer.dll
2010-01-10 04:12 . 2010-01-10 04:12   --------   d-----w-   c:\program files\Intel
2010-01-10 04:12 . 2010-01-10 04:12   --------   d-----w-   C:\Intel
2010-01-10 04:12 . 2010-01-10 04:12   --------   d-----w-   c:\program files\GIGABYTE
2010-01-10 04:11 . 2010-01-10 07:00   16608   ----a-w-   c:\windows\gdrv.sys
2010-01-10 03:25 . 2008-07-09 07:38   26488   ----a-w-   c:\windows\system32\spupdsvc.exe
2010-01-10 03:25 . 2010-02-03 19:42   --------   d--h--w-   c:\windows\$hf_mig$
2010-01-10 03:24 . 2009-08-07 00:24   44768   ----a-w-   c:\windows\system32\wups2.dll
2010-01-10 03:23 . 2010-01-10 03:23   --------   d-s---w-   c:\documents and settings\Mark\UserData
2010-01-10 03:23 . 2010-01-13 04:49   --------   d-----w-   c:\program files\Creative
2010-01-10 03:23 . 2003-03-05 17:19   15840   ------w-   c:\windows\system32\drivers\PFMODNT.SYS
2010-01-10 01:12 . 2010-01-10 01:12   --------   d-----w-   c:\program files\World of Warcraft.temp
2010-01-10 01:12 . 2010-01-10 01:12   --------   d-----w-   c:\program files\Common Files\Blizzard Entertainment.temp
2010-01-10 01:03 . 2009-11-21 16:18   1673216   ----a-w-   c:\windows\system32\BootMan.exe
2010-01-10 01:03 . 2009-09-16 21:55   8456   ----a-w-   c:\windows\system32\EuGdiDrv.sys
2010-01-10 01:03 . 2009-09-14 14:21   14848   ----a-w-   c:\windows\system32\EuEpmGdi.dll
2010-01-10 01:03 . 2009-08-26 17:45   13192   ----a-w-   c:\windows\system32\epmntdrv.sys
2010-01-10 01:03 . 2009-04-22 19:28   86408   ----a-w-   c:\windows\system32\setupempdrv03.exe
2010-01-10 00:59 . 2010-01-10 00:59   --------   d-----w-   C:\CPM
2010-01-10 00:42 . 2010-01-10 00:42   --------   d-----w-   c:\documents and settings\All Users\Application Data\Blizzard
2010-01-09 23:28 . 2010-01-09 23:28   0   ----a-w-   c:\windows\nsreg.dat
2010-01-09 23:28 . 2010-01-09 23:28   --------   d-----w-   c:\documents and settings\Mark\Local Settings\Application Data\Mozilla
2010-01-09 23:28 . 2010-01-10 00:54   --------   d-----w-   c:\windows\system32\NtmsData
2010-01-09 23:23 . 2010-01-10 07:01   12328   ----a-w-   c:\documents and settings\Mark\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-09 23:23 . 2010-01-09 23:23   --------   d-----w-   c:\documents and settings\Mark\Local Settings\Application Data\ATI
2010-01-09 23:23 . 2010-01-09 23:23   --------   d-----w-   c:\documents and settings\Mark\Application Data\ATI
2010-01-09 23:23 . 2010-01-09 23:23   --------   d-----w-   c:\documents and settings\All Users\Application Data\ATI

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-28 14:16 . 2010-01-09 19:16   --------   d--h--w-   c:\program files\InstallShield Installation Information
2010-01-10 19:28 . 2010-01-10 17:52   --------   d-----w-   c:\documents and settings\Mark\Application Data\Winamp
2010-01-10 17:54 . 2010-01-10 17:52   --------   d-----w-   c:\program files\Winamp
2010-01-10 17:52 . 2010-01-10 17:52   --------   d-----w-   c:\program files\Winamp Detect
2010-01-10 04:18 . 2010-01-10 04:15   --------   d-----w-   c:\program files\Realtek
2010-01-10 04:12 . 2010-01-09 19:16   --------   d-----w-   c:\program files\Common Files\InstallShield
2010-01-09 23:12 . 2010-01-09 19:16   --------   d-----w-   c:\program files\ATI Technologies
2010-01-09 23:11 . 2010-01-09 23:11   0   ----a-w-   c:\windows\ativpsrm.bin
2010-01-09 23:11 . 2010-01-09 23:11   10134   ----a-r-   c:\documents and settings\Mark\Application Data\Microsoft\Installer\{D45CF2D7-DA97-1ED5-2D6B-B005C245DA20}\ARPPRODUCTICON.exe
2009-11-21 15:51 . 2008-04-14 12:00   471552   ----a-w-   c:\windows\AppPatch\aclayers.dll
2009-05-01 21:02 . 2009-05-01 21:02   1044480   ----a-w-   c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02   200704   ----a-w-   c:\program files\mozilla firefox\plugins\ssldivx.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LinksysDiag"="c:\program files\Linksys\LinksysDiag\LinksysDiag" [X]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-29 98304]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-13 16857600]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-08-29 1966080]
"laim"="c:\program files\AIM Lite\aimlite.exe" [2007-06-07 765952]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-12-21 39424]
"V0410Mon.exe"="c:\windows\V0410Mon.exe" [2007-06-07 32768]
"Lachesis"="c:\program files\Razer\Lachesis\razerhid.exe" [2008-10-14 172032]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\GIGABYTE\\GEST\\run.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Heroes of Newerth\\hon.exe"=
"c:\\Documents and Settings\\Mark\\Local Settings\\Apps\\2.0\\43B4QHHD.TH5\\YP09AKZY.5Y8\\curs..tion_eee711038731a406_0004.0000_1430d97334050788\\CurseClient.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/28/2010 8:47 AM 691696]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2/6/2010 8:55 PM 108289]
R3 LachesisFltr;Lachesis Mouse Driver;c:\windows\system32\drivers\Lachesis.sys [1/9/2010 2:21 PM 12032]
R3 V0410Afx;Creative Camera VF0410 Audio Effects Driver;c:\windows\system32\drivers\V0410AFX.sys [1/12/2010 11:49 PM 142656]
R3 V0410Aud;Creative Camera VF0410 Noise Cancellation APO;c:\windows\system32\drivers\V0410Aud.sys [1/12/2010 11:49 PM 94720]
R3 V0410Dev;Creative Camera VF0410 Driver;c:\windows\system32\drivers\V0410Dev.sys [1/12/2010 11:49 PM 244704]
R3 V0410Vfx;Creative Camera VF0410 Video VFX Driver;c:\windows\system32\drivers\V0410Vfx.sys [1/12/2010 11:49 PM 7168]
S2 LANPkt;Linksys LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [1/9/2010 4:15 PM 8568]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [1/9/2010 4:15 PM 11351]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [1/9/2010 8:03 PM 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [1/9/2010 8:03 PM 8456]
S3 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\GEST\GSvr.exe [1/9/2010 11:12 PM 47624]
S3 RTLVLANXP;Linksys VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLANXP.SYS [1/9/2010 4:15 PM 15360]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\q0ifoxa4.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Gxomolovolo - c:\windows\owekomemap.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-06 22:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spfk.sys >>UNKNOWN [0x8A51D938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74fbf28
\Driver\ACPI -> ACPI.sys @ 0xf7253cb8
\Driver\atapi -> atapi.sys @ 0xf720eb40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
 ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
 ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Linksys EG1032 v3 Instant Gigabit Desktop Network Adapter Drive -> SendCompleteHandler -> NDIS.sys @ 0xf7117bb0
 PacketIndicateHandler -> NDIS.sys @ 0xf7124a21
 SendHandler -> NDIS.sys @ 0xf710287b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1132)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\RTHDCPL.EXE
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\rundll32.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\devldr32.exe
c:\program files\Razer\Lachesis\OSD.exe
c:\program files\Razer\Lachesis\razertra.exe
c:\program files\Razer\Lachesis\razerofa.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2010-02-06  22:38:22 - machine was rebooted
ComboFix-quarantined-files.txt  2010-02-07 03:38

Pre-Run: 33,481,584,640 bytes free
Post-Run: 33,561,448,448 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - DD890AC90173B1E5DCBD81DF59B17A0A
evilfantasy
« Reply #6 on: February 06, 2010, 08:54:09 PM »

Looking better. How is the computer running now?


Download Rooter.exe to your desktop.

* Double click Rooter.exe to start the tool.
* A DOS window will appear and show the scan progress.
* Once complete, a Notepad file containing the report will open.
* Copy & paste the results in your next reply.
* Close notepad and Rooter will close.

A log will also save at C:\Rooter.txt

----------

Download DDS from |HERE| or |HERE| or |HERE| and save it to your desktop.

Vista users: right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it).

* XP users: double click on dds to run it.
* If your antivirus or firewall tries to block DDS, please allow it to run.
* When finished DDS will open two (2) logs.

1) DDS.txt
2) Attach.txt

* Save both logs to your desktop.
* Please copy and paste the entire contents of both logs in your next reply.

Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log, by copying and pasting it into the reply.
Valdr
« Reply #7 on: February 06, 2010, 09:15:15 PM »

Running smoothly, I was able to update definitions.

+++++++++

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP Home Edition (5.1.2600) Service Pack 3
[32_bits] - x86 Family 6 Model 23 Stepping 6, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
.
Internet Explorer 6.0.2900.5512
Mozilla Firefox 3.5.7 (en-US)
.
A:\  [Removable]
C:\  [Fixed-NTFS] .. ( Total:68 Go - Free:31 Go )
D:\  [CD_Rom]
E:\  [Fixed-NTFS] .. ( Total:139 Go - Free:114 Go )
F:\  [Fixed-NTFS] .. ( Total:229 Go - Free:222 Go )
G:\  [CD_Rom]
.
Scan : 23:12.37
Path : C:\Documents and Settings\Mark\Desktop\Rooter.exe
User : Mark ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (1004)
______ \??\C:\WINDOWS\system32\csrss.exe (1092)
______ \??\C:\WINDOWS\system32\winlogon.exe (1132)
______ C:\WINDOWS\system32\services.exe (1176)
______ C:\WINDOWS\system32\lsass.exe (1188)
______ C:\WINDOWS\system32\Ati2evxx.exe (1376)
______ C:\WINDOWS\system32\svchost.exe (1396)
______ C:\WINDOWS\system32\svchost.exe (1464)
______ C:\WINDOWS\System32\svchost.exe (1620)
______ C:\WINDOWS\system32\svchost.exe (1792)
______ C:\WINDOWS\system32\svchost.exe (1852)
______ C:\WINDOWS\system32\spoolsv.exe (2016)
______ C:\Program Files\Avira\AntiVir Desktop\sched.exe (156)
______ C:\WINDOWS\system32\Ati2evxx.exe (168)
______ C:\WINDOWS\system32\svchost.exe (752)
______ C:\WINDOWS\RTHDCPL.EXE (880)
______ C:\Program Files\Avira\AntiVir Desktop\avguard.exe (968)
______ C:\Program Files\Java\jre6\bin\jqs.exe (1580)
______ C:\Program Files\Winamp\winampa.exe (1096)
______ C:\WINDOWS\V0410Mon.exe (1764)
______ C:\Program Files\Razer\Lachesis\razerhid.exe (1824)
______ C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (1900)
______ C:\WINDOWS\system32\svchost.exe (276)
______ C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe (820)
______ C:\WINDOWS\system32\wdfmgr.exe (1088)
______ C:\WINDOWS\system32\devldr32.exe (1044)
______ C:\Program Files\Razer\Lachesis\OSD.exe (2216)
______ C:\Program Files\Razer\Lachesis\razertra.exe (2276)
______ C:\Program Files\Razer\Lachesis\razerofa.exe (2304)
______ C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe (2380)
______ C:\WINDOWS\System32\alg.exe (3436)
______ C:\WINDOWS\system32\wuauclt.exe (796)
______ C:\WINDOWS\explorer.exe (3896)
______ C:\Program Files\Mozilla Firefox\firefox.exe (3804)
______ C:\Program Files\AIM Lite\aimlite.exe (3196)
______ C:\Documents and Settings\Mark\Desktop\Rooter.exe (2268)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:74052163584)
\Device\Harddisk0\Partition0 (Start_Offset:74052195840 | Length:246018124800)
\Device\Harddisk0\Partition2 (Start_Offset:74052228096 | Length:246018092544)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\SA.DAT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 23:12.38
.
C:\Rooter$\Rooter_1.txt - (06/02/2010 | 23:12.38)



++++++++++++++++++++++++++++++++++++++++++++++


++++++++++++++++++++++++++++++++++++++++++++++



DDS (Ver_09-12-01.01) - NTFSx86 
Run by Mark at 23:12:56.26 on Sat 02/06/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3070.2562 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated)   {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\V0410Mon.exe
C:\Program Files\Razer\Lachesis\razerhid.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Razer\Lachesis\OSD.exe
C:\Program Files\Razer\Lachesis\razertra.exe
C:\Program Files\Razer\Lachesis\razerofa.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM Lite\aimlite.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Mark\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = <local>
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
mRun: [linksysDiag] c:\program files\linksys\linksysdiag\LinksysDiag /hw
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [laim] "c:\program files\aim lite\aimlite.exe" -autorun
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [V0410Mon.exe] c:\windows\V0410Mon.exe
mRun: [Lachesis] c:\program files\razer\lachesis\razerhid.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263093828140
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mark\applic~1\mozilla\firefox\profiles\q0ifoxa4.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-2-6 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-2-6 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-2-6 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-2-6 56816]
R3 LachesisFltr;Lachesis Mouse Driver;c:\windows\system32\drivers\Lachesis.sys [2010-1-9 12032]
R3 V0410Afx;Creative Camera VF0410 Audio Effects Driver;c:\windows\system32\drivers\V0410AFX.sys [2010-1-12 142656]
R3 V0410Aud;Creative Camera VF0410 Noise Cancellation APO;c:\windows\system32\drivers\V0410Aud.sys [2010-1-12 94720]
R3 V0410Dev;Creative Camera VF0410 Driver;c:\windows\system32\drivers\V0410Dev.sys [2010-1-12 244704]
R3 V0410Vfx;Creative Camera VF0410 Video VFX Driver;c:\windows\system32\drivers\V0410Vfx.sys [2010-1-12 7168]
S2 LANPkt;Linksys LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [2010-1-9 8568]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2010-1-9 11351]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-1-9 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-1-9 8456]
S3 GEST Service;GEST Service for program management.;c:\program files\gigabyte\gest\GSvr.exe [2010-1-9 47624]
S3 RTLVLANXP;Linksys VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLANXP.SYS [2010-1-9 15360]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]

=============== Created Last 30 ================

2010-02-07 04:12:38   0   d-----w-   C:\Rooter$
2010-02-07 03:32:13   0   d-sha-r-   C:\cmdcons
2010-02-07 03:30:48   98816   ----a-w-   c:\windows\sed.exe
2010-02-07 03:30:48   77312   ----a-w-   c:\windows\MBR.exe
2010-02-07 03:30:48   261632   ----a-w-   c:\windows\PEV.exe
2010-02-07 03:30:48   161792   ----a-w-   c:\windows\SWREG.exe
2010-02-07 03:29:07   0   d-----w-   C:\ComboFix
2010-02-07 02:15:46   0   d-----w-   c:\program files\CCleaner
2010-02-07 01:55:09   56816   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
2010-02-07 01:55:07   0   d-----w-   c:\program files\Avira
2010-02-07 01:55:07   0   d-----w-   c:\docume~1\alluse~1\applic~1\Avira
2010-02-07 01:47:26   0   d-----w-   c:\program files\TrendMicro
2010-02-02 23:29:30   272128   -c----w-   c:\windows\system32\dllcache\bthport.sys
2010-02-02 23:29:30   272128   ------w-   c:\windows\system32\drivers\bthport.sys
2010-02-02 23:23:54   455296   -c----w-   c:\windows\system32\dllcache\mrxsmb.sys
2010-02-02 23:22:52   2145280   -c----w-   c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-02 23:22:52   2023936   -c----w-   c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-02 23:22:51   2066048   -c----w-   c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-02 23:22:38   2560   ------w-   c:\windows\system32\xpsp4res.dll
2010-02-02 23:20:28   13646   ----a-w-   c:\windows\system32\wpa.bak
2010-01-29 22:10:13   452440   ----a-w-   c:\windows\system32\d3dx10_40.dll
2010-01-29 22:10:13   4379984   ----a-w-   c:\windows\system32\D3DX9_40.dll
2010-01-29 22:10:13   2036576   ----a-w-   c:\windows\system32\D3DCompiler_40.dll
2010-01-29 22:10:02   0   d-----w-   c:\program files\Heroes of Newerth
2010-01-28 15:51:37   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-28 15:51:36   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-01-28 14:20:23   443752   ----a-w-   c:\windows\system32\d3dx10_34.dll
2010-01-28 14:20:23   3497832   ----a-w-   c:\windows\system32\d3dx9_34.dll
2010-01-28 14:20:23   266088   ----a-w-   c:\windows\system32\xactengine2_8.dll
2010-01-28 14:20:23   18280   ----a-w-   c:\windows\system32\x3daudio1_2.dll
2010-01-28 14:20:23   1124720   ----a-w-   c:\windows\system32\D3DCompiler_34.dll
2010-01-28 14:09:27   0   d-----w-   c:\program files\Firaxis Games
2010-01-28 14:09:06   2297552   ----a-w-   c:\windows\system32\d3dx9_26.dll
2010-01-28 13:47:13   691696   ----a-w-   c:\windows\system32\drivers\sptd.sys
2010-01-28 13:47:08   0   d-----w-   c:\program files\DAEMON Tools Lite
2010-01-28 13:46:43   0   d-----w-   c:\docume~1\mark\applic~1\DAEMON Tools Lite
2010-01-28 13:46:42   0   d-----w-   c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2010-01-24 23:16:14   4096   ----a-w-   c:\windows\system32\crash
2010-01-20 21:34:09   249856   ----a-w-   c:\windows\system32\Lachesis.cpl
2010-01-15 22:30:27   0   d-----w-   c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-15 22:30:22   0   d-----w-   c:\program files\SUPERAntiSpyware
2010-01-15 22:30:22   0   d-----w-   c:\docume~1\mark\applic~1\SUPERAntiSpyware.com
2010-01-15 22:16:07   2984   ----a-w-   c:\windows\Idiqequ.dat
2010-01-15 22:16:07   0   ----a-w-   c:\windows\Xyata.bin
2010-01-11 04:25:02   73728   ----a-w-   c:\windows\system32\javacpl.cpl
2010-01-11 04:25:02   411368   ----a-w-   c:\windows\system32\deploytk.dll
2010-01-11 04:20:32   120056   ------w-   c:\windows\system32\pxcpyi64.exe
2010-01-11 04:20:32   118520   ------w-   c:\windows\system32\pxinsi64.exe
2010-01-11 04:17:54   0   d-----w-   c:\program files\DivX
2010-01-11 04:17:54   0   d-----w-   c:\program files\common files\DivX Shared
2010-01-10 19:15:23   0   d-----w-   c:\program files\Ventrilo
2010-01-10 19:15:20   262   ----a-w-   c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2010-01-10 19:15:14   0   d-----w-   c:\program files\common files\Wise Installation Wizard
2010-01-10 17:52:48   0   d-----w-   c:\program files\Winamp Detect
2010-01-10 08:05:14   0   d-----w-   c:\docume~1\mark\applic~1\BitTorrent
2010-01-10 08:05:11   0   d-----w-   c:\program files\BitTorrent
2010-01-10 06:58:19   0   d-----w-   c:\windows\system32\XPSViewer
2010-01-10 06:57:31   89088   -c----w-   c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-01-10 06:57:31   597504   -c----w-   c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-01-10 06:57:31   575488   -c----w-   c:\windows\system32\dllcache\xpsshhdr.dll
2010-01-10 06:57:31   575488   ------w-   c:\windows\system32\xpsshhdr.dll
2010-01-10 06:57:31   1676288   -c----w-   c:\windows\system32\dllcache\xpssvcs.dll
2010-01-10 06:57:31   1676288   ------w-   c:\windows\system32\xpssvcs.dll
2010-01-10 06:57:31   117760   ------w-   c:\windows\system32\prntvpt.dll
2010-01-10 06:24:00   0   d-----w-   c:\docume~1\alluse~1\applic~1\Blizzard Entertainment
2010-01-10 06:12:36   0   d-----w-   c:\docume~1\mark\applic~1\LAIM
2010-01-10 06:12:30   0   d-----w-   c:\program files\AIM Lite
2010-01-10 06:02:17   0   d-----r-   C:\AHCache
2010-01-10 04:35:30   0   d-----w-   c:\program files\World of Warcraft
2010-01-10 04:35:30   0   d-----w-   c:\program files\common files\Blizzard Entertainment
2010-01-10 04:20:32   30008   ----a-w-   c:\windows\system32\drivers\ET5Drv.sys
2010-01-10 04:18:44   1966080   ------r-   c:\windows\system32\xRaidSetup.exe
2010-01-10 04:18:44   151552   ------r-   c:\windows\system32\xRaidAPI.dll
2010-01-10 04:18:44   0   d-----w-   C:\RaidTool
2010-01-10 04:18:43   105856   ----a-r-   c:\windows\system32\drivers\Rtenicxp.sys
2010-01-10 04:18:42   65024   ----a-r-   c:\windows\system32\drivers\jraid.sys
2010-01-10 04:18:39   0   d-----w-   c:\windows\RaidTool
2010-01-10 04:18:31   0   d-----w-   c:\windows\OPTIONS
2010-01-10 04:17:56   940794   ----a-w-   c:\windows\system32\LoopyMusic.wav
2010-01-10 04:17:56   146650   ----a-w-   c:\windows\system32\BuzzingBee.wav
2010-01-10 04:17:55   0   d-----w-   c:\windows\system32\Lang
2010-01-10 04:16:35   553   ------r-   c:\windows\USetup.iss
2010-01-10 04:16:33   49152   ------r-   c:\windows\system32\ChCfg.exe
2010-01-10 04:16:26   0   d-----w-   c:\windows\system32\RTCOM
2010-01-10 04:16:19   86016   ------r-   c:\windows\SoundMan.exe
2010-01-10 04:16:18   1826816   ------r-   c:\windows\SkyTel.exe
2010-01-10 04:16:16   282624   ------r-   c:\windows\system32\RTSndMgr.cpl
2010-01-10 04:16:16   1191936   ------r-   c:\windows\RtlUpd.exe
2010-01-10 04:16:11   9715200   ------r-   c:\windows\RTLCPL.exe
2010-01-10 04:16:09   4676096   ------r-   c:\windows\system32\drivers\RtkHDAud.sys
2010-01-10 04:15:59   16857600   ------r-   c:\windows\RTHDCPL.exe
2010-01-10 04:15:58   2165760   ------r-   c:\windows\MicCal.exe
2010-01-10 04:15:52   69632   ------r-   c:\windows\Alcmtr.exe
2010-01-10 04:15:51   299008   ------r-   c:\windows\system32\ALSndMgr.cpl
2010-01-10 04:15:51   2808832   ------r-   c:\windows\alcwzrd.exe
2010-01-10 04:15:51   0   d-----w-   c:\program files\Realtek
2010-01-10 04:15:49   315392   ----a-w-   c:\windows\HideWin.exe
2010-01-10 04:15:48   520192   ------r-   c:\windows\RtlExUpd.dll
2010-01-10 04:12:56   53248   ----a-r-   c:\windows\system32\CSVer.dll
2010-01-10 04:12:50   0   d-----w-   C:\Intel
2010-01-10 04:12:35   0   d-----w-   c:\program files\GIGABYTE
2010-01-10 04:11:48   16608   ----a-w-   c:\windows\gdrv.sys
2010-01-10 03:25:36   26488   ----a-w-   c:\windows\system32\spupdsvc.exe
2010-01-10 03:25:36   0   d-----w-   c:\windows\system32\PreInstall
2010-01-10 03:25:35   0   d--h--w-   c:\windows\$hf_mig$
2010-01-10 03:24:11   21728   ----a-w-   c:\windows\system32\wucltui.dll.mui
2010-01-10 03:24:11   17632   ----a-w-   c:\windows\system32\wuaueng.dll.mui
2010-01-10 03:24:11   15072   ----a-w-   c:\windows\system32\wuaucpl.cpl.mui
2010-01-10 03:24:11   15064   ----a-w-   c:\windows\system32\wuapi.dll.mui
2010-01-10 03:24:11   0   d-----w-   c:\windows\system32\SoftwareDistribution
2010-01-10 03:23:46   0   d-s---w-   c:\documents and settings\mark\UserData
2010-01-10 03:23:09   15840   ------w-   c:\windows\system32\drivers\PFMODNT.SYS
2010-01-10 03:23:09   0   d-----w-   c:\program files\Creative
2010-01-10 01:12:10   0   d-----w-   c:\program files\World of Warcraft.temp
2010-01-10 01:12:10   0   d-----w-   c:\program files\common files\Blizzard Entertainment.temp
2010-01-10 01:03:57   86408   ----a-w-   c:\windows\system32\setupempdrv03.exe
2010-01-10 01:03:57   8456   ----a-w-   c:\windows\system32\EuGdiDrv.sys
2010-01-10 01:03:57   1673216   ----a-w-   c:\windows\system32\BootMan.exe
2010-01-10 01:03:57   14848   ----a-w-   c:\windows\system32\EuEpmGdi.dll
2010-01-10 01:03:57   13192   ----a-w-   c:\windows\system32\epmntdrv.sys
2010-01-10 00:59:55   0   d-----w-   C:\CPM
2010-01-10 00:42:35   0   d-----w-   c:\docume~1\alluse~1\applic~1\Blizzard
2010-01-09 23:28:05   0   d-----w-   c:\windows\system32\NtmsData
2010-01-09 23:12:09   100368   ----a-w-   c:\windows\system32\drivers\AtiHdmi.sys
2010-01-09 23:11:12   0   d-----w-   c:\program files\ATI
2010-01-09 21:31:14   0   d-----w-   c:\docume~1\mark\applic~1\Malwarebytes
2010-01-09 21:31:10   0   d-----w-   c:\program files\Tools
2010-01-09 21:31:10   0   d-----w-   c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-09 21:21:28   71040   ----a-r-   c:\windows\system32\drivers\EG1032xp.sys
2010-01-09 21:15:05   8568   ----a-w-   c:\windows\system32\drivers\LANPkt.sys
2010-01-09 21:15:05   46592   ----a-w-   c:\windows\system32\RTLVLAN_NB.DLL
2010-01-09 21:15:05   15360   ----a-w-   c:\windows\system32\drivers\RTLVLANXP.SYS
2010-01-09 21:15:05   11351   ------w-   c:\windows\system32\drivers\diag69xp.sys
2010-01-09 21:15:05   0   d-----w-   c:\program files\Linksys
2010-01-09 20:07:45   0   d-----w-   C:\Old Files
2010-01-09 19:17:28   0   d-----w-   c:\program files\ASUS
2010-01-09 19:16:47   0   d-----w-   c:\program files\My Company Name
2010-01-09 19:16:29   0   d-----w-   c:\program files\ATI Technologies
2010-01-09 19:04:35   0   d-sh--w-   c:\documents and settings\all users\DRM
2010-01-09 19:04:24   0   d--h--w-   c:\program files\WindowsUpdate
2010-01-09 19:03:47   0   d-----w-   c:\program files\common files\MSSoap
2010-01-09 19:02:21   0   d-----w-   c:\program files\Online Services
2010-01-09 19:02:16   0   d-----w-   c:\program files\Messenger
2010-01-09 19:02:12   0   d-----w-   c:\program files\MSN Gaming Zone
2010-01-09 19:01:31   0   d-----w-   c:\program files\Windows NT
2010-01-09 13:39:49   0   d-----w-   c:\program files\common files\ODBC
2010-01-09 13:39:45   0   d-----w-   c:\program files\common files\SpeechEngines
2010-01-09 13:39:18   0   d-----r-   c:\documents and settings\all users\Documents

==================== Find3M  ====================

2010-01-09 19:02:55   21640   ----a-w-   c:\windows\system32\emptyregdb.dat
2009-12-22 05:21:05   667136   ------w-   c:\windows\system32\wininet.dll
2009-12-22 05:20:58   81920   ----a-w-   c:\windows\system32\ieencode.dll
2009-11-29 03:04:00   45056   ----a-w-   c:\windows\system32\aticalrt.dll
2009-11-29 03:04:00   45056   ----a-w-   c:\windows\system32\aticalcl.dll
2009-11-29 03:02:00   3620864   ----a-w-   c:\windows\system32\aticaldd.dll
2009-11-29 03:02:00   311296   ----a-w-   c:\windows\system32\atiiiexx.dll
2009-11-29 02:45:00   13430784   ----a-w-   c:\windows\system32\atioglxx.dll
2009-11-29 02:43:00   3516864   ----a-w-   c:\windows\system32\ati3duag.dll
2009-11-29 02:42:00   446464   ----a-w-   c:\windows\system32\ATIDEMGX.dll
2009-11-29 02:41:00   300544   ----a-w-   c:\windows\system32\ati2dvag.dll
2009-11-29 02:27:00   887724   ----a-w-   c:\windows\system32\ativva6x.dat
2009-11-29 02:27:00   2152832   ----a-w-   c:\windows\system32\ativvaxx.dll
2009-11-29 02:27:00   208896   ----a-w-   c:\windows\system32\atipdlxx.dll
2009-11-29 02:26:00   43520   ----a-w-   c:\windows\system32\ati2edxx.dll
2009-11-29 02:26:00   26112   ----a-w-   c:\windows\system32\Ati2mdxx.exe
2009-11-29 02:26:00   155648   ----a-w-   c:\windows\system32\Oemdspif.dll
2009-11-29 02:26:00   155648   ----a-w-   c:\windows\system32\ati2evxx.dll
2009-11-29 02:25:00   602112   ----a-w-   c:\windows\system32\ati2evxx.exe
2009-11-29 02:23:00   53248   ----a-w-   c:\windows\system32\ATIDDC.DLL
2009-11-29 02:19:00   565248   ----a-w-   c:\windows\system32\atikvmag.dll
2009-11-29 02:18:00   176128   ----a-w-   c:\windows\system32\atiadlxx.dll
2009-11-29 02:17:00   393216   ----a-w-   c:\windows\system32\atiok3x2.dll
2009-11-29 02:17:00   17408   ----a-w-   c:\windows\system32\atitvo32.dll
2009-11-29 02:12:00   638976   ----a-w-   c:\windows\system32\ati2cqag.dll
2009-11-29 02:10:00   64512   ----a-w-   c:\windows\system32\atimpc32.dll
2009-11-29 02:10:00   64512   ----a-w-   c:\windows\system32\amdpcom32.dll
2009-11-26 20:02:00   197623   ----a-w-   c:\windows\system32\atiicdxx.dat

============= FINISH: 23:13:05.68 ===============



++++++++++++++++++++++++++++++++++++

++++++++++++++++++++++++++++++++++++



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 1/9/2010 2:06:34 PM
System Uptime: 2/6/2010 10:35:44 PM (1 hours ago)

Motherboard: Gigabyte Technology Co., Ltd. |  | X48T-DQ6
Processor: Intel Pentium III Xeon processor | Socket 775 | 3166/333mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 69 GiB total, 31.283 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 140 GiB total, 114.286 GiB free.
F: is FIXED (NTFS) - 229 GiB total, 222.525 GiB free.
G: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {5458011F-08D4-4605-93A2-F03E61BEDBA3}
Description: Enhanced Display Driver Helper Service
Device ID: ROOT\ASUSOTHERDEVICES\0000
Manufacturer: ASUSTeK
Name: Enhanced Display Driver Helper Service
PNP Device ID: ROOT\ASUSOTHERDEVICES\0000
Service: asuskbnt

==== System Restore Points ===================

RP15: 1/10/2010 1:57:38 AM - Installed Windows KB954550-v5.
RP16: 1/10/2010 1:57:43 AM - Printer Driver Microsoft XPS Document Writer Installed
RP17: 1/10/2010 1:57:50 AM - Printer Driver Microsoft XPS Document Writer Installed
RP18: 1/10/2010 12:52:36 PM - Installed Windows Media Format Runtime
RP19: 1/10/2010 12:52:54 PM - Installed DirectX
RP20: 1/10/2010 2:15:23 PM - Installed Ventrilo Client
RP21: 1/10/2010 11:24:54 PM - Installed Java(TM) 6 Update 17
RP22: 1/12/2010 12:06:19 AM - System Checkpoint
RP23: 1/12/2010 11:49:54 PM - Installed Advanced Video FX Engine
RP24: 1/14/2010 3:36:27 AM - System Checkpoint
RP25: 1/15/2010 4:31:47 AM - System Checkpoint
RP26: 1/15/2010 5:30:22 PM - Installed SUPERAntiSpyware Free Edition
RP27: 1/17/2010 12:42:49 AM - System Checkpoint
RP28: 1/18/2010 1:10:26 AM - System Checkpoint
RP29: 1/19/2010 2:03:28 AM - System Checkpoint
RP30: 1/20/2010 10:17:48 AM - System Checkpoint
RP31: 1/20/2010 4:33:39 PM - Removed Razer Lachesis
RP32: 1/20/2010 4:33:59 PM - Installed Razer Lachesis
RP33: 1/21/2010 6:09:06 PM - System Checkpoint
RP34: 1/23/2010 12:54:49 AM - System Checkpoint
RP35: 1/24/2010 4:18:27 AM - System Checkpoint
RP36: 1/25/2010 12:32:20 PM - System Checkpoint
RP37: 1/26/2010 12:32:35 PM - System Checkpoint
RP38: 1/27/2010 9:23:05 PM - System Checkpoint
RP39: 1/28/2010 8:47:12 AM - SPTD setup V1.62
RP40: 1/28/2010 9:03:08 AM - Installed Java(TM) 6 Update 18
RP41: 1/28/2010 9:09:06 AM - Installed DirectX 9.0
RP42: 1/28/2010 9:09:29 AM - Installed Sid Meier's Civilization 4
RP43: 1/28/2010 9:10:36 AM - Configured Sid Meier's Civilization 4
RP44: 1/28/2010 9:15:27 AM - Installed DirectX
RP45: 1/28/2010 9:15:42 AM - Configured Sid Meier's Civilization 4
RP46: 1/28/2010 9:16:15 AM - Installed Sid Meier's Civilization 4 - Beyond the Sword
RP47: 1/28/2010 9:20:12 AM - Installed DirectX
RP48: 1/28/2010 9:20:29 AM - Configured Sid Meier's Civilization 4 - Beyond the Sword
RP49: 1/29/2010 10:07:59 AM - System Checkpoint
RP50: 1/29/2010 5:10:05 PM - Installed Microsoft Visual C++ 2005 Redistributable
RP51: 1/29/2010 5:10:12 PM - Installed DirectX
RP52: 1/31/2010 12:35:28 AM - System Checkpoint
RP53: 2/1/2010 2:05:27 AM - System Checkpoint
RP54: 2/2/2010 6:23:23 PM - Software Distribution Service 3.0
RP55: 2/2/2010 6:32:48 PM - Software Distribution Service 3.0
RP56: 2/3/2010 3:00:13 AM - Software Distribution Service 3.0
RP57: 2/4/2010 3:00:12 AM - Software Distribution Service 3.0
RP58: 2/5/2010 5:43:41 AM - System Checkpoint
RP59: 2/6/2010 2:18:49 PM - System Checkpoint
RP60: 2/6/2010 8:47:26 PM - Installed HiJackThis
RP61: 2/6/2010 8:54:50 PM - Avira AntiVir Personal - 2/6/2010 20:54

==== Installed Programs ======================

Adobe Flash Player 10 Plugin
Adobe Reader 6.0.1
Advanced Video FX Engine
AIM Lite 0.33
ASUS Utilities
ASUS VGA Driver
ATI - Software Uninstall Utility
ATI Display Driver
AutoUpdate
Avira AntiVir Personal - Free Antivirus
BitTorrent
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CCleaner
Creative Live! Cam Video IM Pro (VF0410) (1.01.01.00)
Curse Client
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Dynamic Energy Saver 1.0 B8.0128.1
EASEUS Partition Master 4.1.1 Home Edition
Gigabyte Raid Configurer
Heroes of Newerth
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
Java Auto Updater
Java(TM) 6 Update 18
LinksysDiag
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.5.7)
Razer Lachesis
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Sid Meier's Civilization 4
Sid Meier's Civilization 4 - Beyond the Sword
Skins
SUPERAntiSpyware Free Edition
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB978207)
VC80CRTRedist - 8.0.50727.762
Ventrilo Client
WebFldrs XP
Winamp
Winamp Application Detect
Windows Driver Package - MOTOROLA (uisp) USB  (09/08/2006 1.2.0.0)
Windows Driver Package - Razer (HidUsb) HIDClass  (05/10/2007 1.00)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Media Format Runtime
WinRAR archiver
World of Warcraft

==== Event Viewer Messages From Past Week ========

2/6/2010 6:54:42 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
2/6/2010 6:53:19 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  EIO_XP Fips intelppm SASDIFSV SASKUTIL sptd
2/6/2010 6:44:19 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD EIO_XP Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL sptd Tcpip
2/6/2010 6:44:19 PM, error: Service Control Manager [7001]  - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error:  A device attached to the system is not functioning.
2/6/2010 6:44:19 PM, error: Service Control Manager [7001]  - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:  A device attached to the system is not functioning.
2/6/2010 6:44:19 PM, error: Service Control Manager [7001]  - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
2/6/2010 6:44:19 PM, error: Service Control Manager [7001]  - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:  A device attached to the system is not functioning.
2/6/2010 6:43:23 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2/6/2010 6:43:21 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
2/6/2010 6:42:54 PM, error: sptd [4]  - Driver detected an internal error in its data structures for .
2/6/2010 6:37:29 PM, error: Service Control Manager [7034]  - The Java Quick Starter service terminated unexpectedly.  It has done this 1 time(s).
2/6/2010 6:35:23 PM, error: Service Control Manager [7034]  - The Ati HotKey Poller service terminated unexpectedly.  It has done this 1 time(s).
2/6/2010 10:33:20 PM, error: Service Control Manager [7034]  - The Windows User Mode Driver Framework service terminated unexpectedly.  It has done this 1 time(s).
2/6/2010 10:33:20 PM, error: Service Control Manager [7034]  - The Print Spooler service terminated unexpectedly.  It has done this 1 time(s).
2/6/2010 10:33:20 PM, error: Service Control Manager [7034]  - The Application Layer Gateway Service service terminated unexpectedly.  It has done this 1 time(s).
1/30/2010 9:25:40 AM, error: sr [1]  - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'.  It has stopped monitoring the volume.

==== End Of File ===========================
evilfantasy (Malware Removal Specialist, Moderator)
« Reply #8 on: February 06, 2010, 09:34:53 PM »

Looks like we got everything. Good job. ;)

If there are no more malware issues we can finish up now.

Let's clear out the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if launched accidentally. These steps will also help secure the work you have done.

* Click START then RUN
* Now type Combofix /Uninstall in the runbox
* Make sure there's a space between Combofix and /Uninstall
* Then hit Enter.

The above procedure will:
* Delete: ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

----------

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. 
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

----------

Use the Secunia Software Inspector to check for out of date software.

* Click Start Now
* Check the box next to Enable thorough system inspection.
* Click Start
* Allow the scan to finish and scroll down to see if any updates are needed.
* Update anything listed.

----------

Go to Microsoft Windows Update and get all critical updates.

----------

If you are using or have installed IE6 you are using an outdated and soon to be unsupported version of Internet Explorer and I strongly suggest you update to the latest version directly from Microsoft Internet Explorer 8: Home page.

----------

I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection, so they will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan.

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.
Valdr (Topic Starter)
« Reply #9 on: February 07, 2010, 01:03:21 PM »

I ran into a problem again Evil. Everything seemed fine, then I started browsing the internet this afternoon. I went to a website and then Adobe Acrobat Reader started loading; I knew this shouldn't happen on that website and I X'd out of Firefox. (This is probably where I got the first problem from yesterday; I'm never going to that website again.) My computer then automatically shut down without my asking. It now will not boot up, in normal mode or safe mode. It gets to the Windows loading bar then restarts. I was able to get it to the Windows Recovery Console. Please advise?
evilfantasy (Malware Removal Specialist, Moderator)
« Reply #10 on: February 07, 2010, 01:08:38 PM »

Try this.

Boot into Recovery Console and log on to the current installation.

When you get to the Recovery Console prompt, type cd \ and press "Enter".

Type cd system~1\_resto~1 and press "Enter".

Type dir and press "Enter".

After you press Enter you will see a list of folders (like rp1, rp2). If the list of restore points has more than one page, press the "Enter" key until you reach the end of the list.


Type cd rp {number of the second to last folder in the list} and press "Enter".
Note: Example: cd rp9 if the last restore point is rp10

Type cd snapshot and press "Enter".

Type copy _registry_machine_system c:\windows\system32\config\system and press "Enter".

Type copy _registry_machine_software c:\windows\system32\config\software and press "Enter".

Type exit and press "Enter".

Your PC will reboot.

=======================

If you get an access denied error when doing the above, then do the following at the recovery console:

Type cd \ and press "Enter".

Type cd windows\system32\config and press "Enter".

Type ren system system.bak and press "Enter".

Type exit and press "Enter".

Your PC will reboot, go back into the Recovery Console and start from the beginning.
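The Recovery Console steps above amount to: find the restore-point folders under System Volume Information, pick the second-newest one (the newest may have been created during the infected session), and copy its saved SYSTEM and SOFTWARE hives over the live ones, renaming the live hive first if the copy is refused. The script below is an added example, not evilfantasy's instructions and not a Microsoft tool: it performs the same procedure against a Windows XP volume mounted offline (from WinPE or a second machine; Python cannot run inside the Recovery Console itself). The `System Volume Information\_restore{GUID}\RPnn\snapshot` layout and the hive file names are the standard XP ones; the volume path and the `.bak` naming scheme are assumptions.

```python
"""Restore the SYSTEM/SOFTWARE hives from a System Restore snapshot, offline.

Added example for the forum procedure above; not part of the thread.
Run against a Windows XP volume mounted under another OS/WinPE, e.g.
    python restore_hives.py D:\\
"""
from __future__ import annotations

import re
import shutil
from pathlib import Path

# snapshot file name -> live hive name under WINDOWS\system32\config
HIVES = {
    "_REGISTRY_MACHINE_SYSTEM": "system",
    "_REGISTRY_MACHINE_SOFTWARE": "software",
}
RP_RE = re.compile(r"^RP(\d+)$", re.IGNORECASE)


def list_restore_points(volume: Path) -> list[Path]:
    """RPnn folders that contain a snapshot, oldest first.

    Sorted numerically on the RP suffix: by name, RP10 sorts before RP9,
    which is an easy way to pick the wrong 'second to last' snapshot.
    """
    svi = volume / "System Volume Information"
    found: list[tuple[int, Path]] = []
    for restore_dir in svi.glob("_restore*"):
        if not restore_dir.is_dir():
            continue
        for rp in restore_dir.iterdir():
            m = RP_RE.match(rp.name)
            if m and (rp / "snapshot").is_dir():
                found.append((int(m.group(1)), rp))
    return [rp for _, rp in sorted(found)]


def choose_snapshot(volume: Path, skip_newest: int = 1) -> Path:
    """Second-to-last restore point by default (skip_newest=1), mirroring
    'cd rp9 if the last restore point is rp10'."""
    rps = list_restore_points(volume)
    if len(rps) <= skip_newest:
        raise RuntimeError(f"need more than {skip_newest} restore point(s), found {len(rps)}")
    return rps[-1 - skip_newest] / "snapshot"


def unique_backup_path(target: Path) -> Path:
    """system.bak, then system.bak1, system.bak2, ... so a leftover .bak from
    an earlier attempt does not abort the rename with 'already exists'."""
    candidate = target.with_name(target.name + ".bak")
    n = 1
    while candidate.exists():
        candidate = target.with_name(f"{target.name}.bak{n}")
        n += 1
    return candidate


def restore_hives(volume: Path, skip_newest: int = 1) -> dict[str, str]:
    """Move the live hives aside, then copy the snapshot hives into place.

    Returns {live hive name: path the old hive was moved to}.
    """
    snapshot = choose_snapshot(volume, skip_newest)
    config = volume / "WINDOWS" / "system32" / "config"
    moved: dict[str, str] = {}
    for snap_name, live_name in HIVES.items():
        src = snapshot / snap_name
        dst = config / live_name
        if not src.is_file():
            raise FileNotFoundError(src)
        if dst.exists():
            backup = unique_backup_path(dst)
            shutil.move(str(dst), str(backup))  # the 'ren system system.bak' step
            moved[live_name] = str(backup)
        shutil.copy2(src, dst)  # the 'copy _registry_machine_system ...' step
    return moved


if __name__ == "__main__":
    import sys

    vol = Path(sys.argv[1] if len(sys.argv) > 1 else "C:\\")
    for hive, backup in restore_hives(vol).items():
        print(f"{hive}: previous hive moved to {backup}")
```

The two details that matter in practice are the numeric sort of the RP folders and the backup name that increments instead of failing, since a second attempt at the manual procedure otherwise stops at "a directory or file with the name system.bak already exists". Keep the moved-aside hives until the machine boots cleanly; they are the only way back if the snapshot hive turns out to be older than expected.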
Valdr (Topic Starter)
« Reply #11 on: February 07, 2010, 01:21:51 PM »

When I did cd system~1\_resto~1

I got an access denied error.

When I typed ren system system.bak

I got 'a directory or file with the name system.bak already exists'.
evilfantasy (Malware Removal Specialist, Moderator)
« Reply #12 on: February 07, 2010, 01:36:45 PM »

Try booting with the CD and doing a Repair Install. http://michaelstevenstech.com/XPrepairinstall.htm
Valdr (Topic Starter)
« Reply #13 on: February 07, 2010, 02:17:47 PM »

Alright, I have done this; I'm now booted in normal mode. Ty. Running scans now.
Valdr (Topic Starter)
« Reply #14 on: February 07, 2010, 03:01:50 PM »


I scanned with Avira; it found errors but didn't tell me what.

++++
Scan ended [The scan has been done completely.].
Number of files:   116606
Number of folders:   6169
Number of malware:   0
Number of errors:   45

+++++++++++++++++++++++++++++++++++++


SuperAntispyware: found a tracking cookie and removed it.

++++++++++++++++++++++++++++++++

MBAM: I saved this before pressing Remove, that's why it says no action taken.

+++
Malwarebytes' Anti-Malware 1.44
Database version: 3703
Windows 5.1.2600 Service Pack 1
Internet Explorer 6.0.2800.1106

2/7/2010 4:30:43 PM
mbam-log-2010-02-07 (16-30-39).txt

Scan type: Full Scan (C:\|E:\|F:\|)
Objects scanned: 160791
Time elapsed: 10 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\Documents and Settings\Mark\Local Settings\Application Data\jxswbc\xasbsftav.exe.vir (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\temp\00005956.sys (Rootkit.TDSS) -> No action taken.
C:\WINDOWS\system32\spool\prtprocs\w32x86\00004613.tmp (Trojan.FakeAlert) -> No action taken.

++++++++++++++++++++++++++++++++++++++


Hijack This:


Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 4:59:45 PM, on 2/7/2010
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\V0410Mon.exe
C:\Program Files\Razer\Lachesis\razerhid.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Razer\Lachesis\OSD.exe
C:\Program Files\Razer\Lachesis\razertra.exe
C:\Program Files\Razer\Lachesis\razerofa.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\wpabaln.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\sniper.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [linksysDiag] C:\Program Files\Linksys\LinksysDiag\LinksysDiag /hw
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [laim] "C:\Program Files\AIM Lite\aimlite.exe" -autorun
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [V0410Mon.exe] C:\WINDOWS\V0410Mon.exe
O4 - HKLM\..\Run: [Lachesis] C:\Program Files\Razer\Lachesis\razerhid.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263093828140
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\GEST\GSvr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4581 bytes




I see a few baddies in that HJT report.



Waiting for further instruction.
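The MBAM log above shows three "Files Infected" hits, all marked "No action taken" because the log was saved before Remove was pressed. One of them is a `.vir` file inside `C:\Qoobox\Quarantine`, ComboFix's quarantine folder, so it is an inert copy rather than a live file; the other two (a `Rootkit.TDSS` driver in `WINDOWS\temp` and a `Trojan.FakeAlert` in the print-processor folder) are live. As an added example, not code from the thread and not Malwarebytes' own, the parser below reads the detection sections of a Malwarebytes 1.x log, separates quarantined copies from live hits, flags pending and rootkit-class items, and cross-checks the summary counts against the listed items. The sample text is copied from the log posted above; treating only Qoobox as a quarantine root is the page-supported case, and the `-> action` strings it recognises are the ones Malwarebytes prints.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x log: live hits vs. quarantined copies.

Added example for the forum thread above; not Malwarebytes' code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample copied from the MBAM log posted in the thread (trimmed to the relevant parts).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.44
Database version: 3703

Memory Processes Infected: 0
Registry Keys Infected: 0
Files Infected: 3

Registry Keys Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\Documents and Settings\Mark\Local Settings\Application Data\jxswbc\xasbsftav.exe.vir (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\temp\00005956.sys (Rootkit.TDSS) -> No action taken.
C:\WINDOWS\system32\spool\prtprocs\w32x86\00004613.tmp (Trojan.FakeAlert) -> No action taken.
"""

# "<item> (<Threat.Name>) -> <action>."  e.g. "... (Rootkit.TDSS) -> No action taken."
HIT_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):\s*$")       # "Files Infected:"
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):\s+(?P<count>\d+)$")  # "Files Infected: 3"

# ComboFix's quarantine, as seen in the log above. Add other tools' roots here if needed.
QUARANTINE_ROOTS = ("c:\\qoobox\\quarantine\\",)


@dataclass(frozen=True)
class Hit:
    section: str
    item: str
    threat: str
    action: str

    @property
    def quarantined(self) -> bool:
        """Path sits inside a known quarantine folder: already neutralised."""
        return self.item.lower().startswith(QUARANTINE_ROOTS)

    @property
    def pending(self) -> bool:
        """Reported but not yet removed (log saved before pressing Remove)."""
        return self.action.lower().startswith("no action taken")


def parse_mbam_log(text: str) -> tuple[list[Hit], dict[str, int]]:
    """Return (detections, summary counts). Sections end at a blank line."""
    hits: list[Hit] = []
    summary: dict[str, int] = {}
    section: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None
            continue
        if m := SUMMARY_RE.match(line):
            summary[m["section"]] = int(m["count"])
        elif m := SECTION_RE.match(line):
            section = m["section"]
        elif section and (m := HIT_RE.match(line)):
            hits.append(Hit(section, m["item"], m["threat"], m["action"]))
    return hits, summary


def triage(text: str) -> dict[str, object]:
    """Split hits into live/inert, list what still needs removal, flag rootkits,
    and report any section whose summary count disagrees with the items listed."""
    hits, summary = parse_mbam_log(text)
    per_section: dict[str, int] = {}
    for h in hits:
        per_section[h.section] = per_section.get(h.section, 0) + 1
    live = [h for h in hits if not h.quarantined]
    return {
        "live": live,
        "inert": [h for h in hits if h.quarantined],
        "pending": [h for h in live if h.pending],
        "rootkit": [h for h in live if h.threat.lower().startswith("rootkit.")],
        "count_mismatch": {
            s: (n, per_section.get(s, 0)) for s, n in summary.items() if n != per_section.get(s, 0)
        },
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for key in ("live", "inert", "pending", "rootkit"):
        print(f"{key}: {[h.item for h in report[key]]}")
    print("count_mismatch:", report["count_mismatch"])
```

Run on the log above, the triage leaves two live hits pending removal, one of them rootkit-class, and one inert quarantine copy; a non-empty `count_mismatch` would mean the pasted log was truncated or edited. A hit in a quarantine folder is worth letting MBAM delete anyway, but it is not evidence that the infection is still active, which is the distinction that matters when deciding whether to run a rootkit scanner next.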
evilfantasy (Malware Removal Specialist, Moderator)
« Reply #15 on: February 07, 2010, 03:25:25 PM »

You need to let MBAM fix those.


Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

- O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
- O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

Please run TDSSKiller per the below steps:

* Go to TDSSKiller and Download TDSSKiller.zip to your Desktop
* Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any sub-folder of the Desktop.
* Click Start > Run, copy/paste the following text into the Run box and hit Enter on your keyboard.

"%userprofile%\Desktop\TDSSKiller.exe" -v
 
* Follow the instructions to type in "delete" when it asks you what to do if it finds something.
* When done, a log file should be created on your C: drive called 'TDSSKiller.txt' please add this log to your next reply.
Valdr (Topic Starter)
« Reply #16 on: February 07, 2010, 03:35:07 PM »

Done. TDSSKiller came up with nothing and saved no log file.
Valdr (Topic Starter)
« Reply #17 on: February 07, 2010, 03:47:55 PM »

Update: I am now having trouble clicking things in my browser window. I can't open links or click buttons. I am only able to post this by going through history and finding the history link to my posting from before.

Okay, this is strange. Sometimes I can't click links, highlight text, or click buttons like post/modify, but if I minimize then maximize I can then do the previously mentioned; however, I can't switch tabs. I minimize and maximize and it's back to the first problem.

evilfantasy
« Reply #18 on: February 07, 2010, 04:03:36 PM »

Try this.

Download Rooter.exe to your desktop.

* Double click Rooter.exe to start the tool.
* A DOS window will appear and show the scan progress.
* Once complete a notepad file containing the report will open.
* Copy & paste the results in your next reply.
* Close notepad and Rooter will close.

A log will also save at C:\Rooter.txt

Valdr
« Reply #19 on: February 07, 2010, 04:05:01 PM »

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP Home Edition (5.1.2600) Service Pack 1
[32_bits] - x86 Family 6 Model 7 Stepping 6, GenuineIntel
.
[wscsvc] STOPPED (state:1) : Security Center -> Disabled !
[SharedAccess] RUNNING (state:4)
.
Internet Explorer 6.0.2800.1106
Mozilla Firefox 3.5.7 (en-US)
.
A:\  [Removable]
C:\  [Fixed-NTFS] .. ( Total:68 Go - Free:32 Go )
D:\  [CD_Rom]
E:\  [Fixed-NTFS] .. ( Total:139 Go - Free:114 Go )
F:\  [Fixed-NTFS] .. ( Total:229 Go - Free:222 Go )
.
Scan : 18:04.46
Path : C:\Documents and Settings\Mark\Desktop\Rooter.exe
User : Mark ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (968)
______ \??\C:\WINDOWS\system32\csrss.exe (1024)
______ \??\C:\WINDOWS\system32\winlogon.exe (1048)
______ C:\WINDOWS\system32\services.exe (1096)
______ C:\WINDOWS\system32\lsass.exe (1108)
______ C:\WINDOWS\system32\svchost.exe (1304)
______ C:\WINDOWS\system32\svchost.exe (1464)
______ C:\WINDOWS\System32\svchost.exe (1608)
______ C:\WINDOWS\System32\svchost.exe (1900)
______ C:\WINDOWS\System32\svchost.exe (1932)
______ C:\WINDOWS\system32\spoolsv.exe (220)
______ C:\Program Files\Avira\AntiVir Desktop\sched.exe (312)
______ C:\WINDOWS\Explorer.EXE (576)
______ C:\WINDOWS\V0410Mon.exe (772)
______ C:\Program Files\Razer\Lachesis\razerhid.exe (784)
______ C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (792)
______ C:\WINDOWS\System32\devldr32.exe (828)
______ C:\WINDOWS\System32\alg.exe (876)
______ C:\Program Files\Java\jre6\bin\jqs.exe (948)
______ C:\WINDOWS\System32\svchost.exe (1112)
______ C:\Program Files\Razer\Lachesis\OSD.exe (1816)
______ C:\Program Files\Razer\Lachesis\razertra.exe (188)
______ C:\Program Files\Razer\Lachesis\razerofa.exe (404)
______ C:\WINDOWS\RTHDCPL.EXE (496)
______ C:\WINDOWS\SOUNDMAN.EXE (2184)
______ C:\Program Files\Avira\AntiVir Desktop\avguard.exe (1908)
______ C:\Program Files\Mozilla Firefox\firefox.exe (3852)
______ C:\Documents and Settings\Mark\Desktop\Rooter.exe (3068)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:74052163584)
\Device\Harddisk0\Partition0 (Start_Offset:74052195840 | Length:246018124800)
\Device\Harddisk0\Partition2 (Start_Offset:74052228096 | Length:246018092544)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\SA.DAT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 18:04.47
.
C:\Rooter$\Rooter_2.txt - (07/02/2010 | 18:04.47)
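
A Rooter log like the one above is normally read by eye. The following Python script is an added example, not part of the thread and not code from Rooter: it applies the checks a reviewer makes on such a log, namely the service pack level, the Security Center state, whether the scan ran as an administrator, and which processes run from somewhere other than System32 or Program Files. The sample input is an excerpt of the posted log. The expected-directory rules, the mapping of `\SystemRoot` to `C:\WINDOWS` and the `explorer.exe` exemption are assumptions of the example, and a flagged process is a review item for the analyst, not a malware verdict.

```python
import re

# Excerpt of the Rooter log posted above, used here as sample input.
SAMPLE_LOG = r"""Rooter.exe (v1.0.2) by Eric_71
.
Windows XP Home Edition (5.1.2600) Service Pack 1
[32_bits] - x86 Family 6 Model 7 Stepping 6, GenuineIntel
.
[wscsvc] STOPPED (state:1) : Security Center -> Disabled !
[SharedAccess] RUNNING (state:4)
.
Internet Explorer 6.0.2800.1106
.
User : Mark ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (968)
______ \??\C:\WINDOWS\system32\csrss.exe (1024)
______ C:\WINDOWS\system32\svchost.exe (1304)
______ C:\WINDOWS\Explorer.EXE (576)
______ C:\WINDOWS\V0410Mon.exe (772)
______ C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (792)
______ C:\WINDOWS\RTHDCPL.EXE (496)
______ C:\Documents and Settings\Mark\Desktop\Rooter.exe (3068)
.
----------------------\\ Scan completed at 18:04.47
"""

PROC_RE = re.compile(r"^(?:______|Locked)\s+(?P<path>.+?)\s+\((?P<pid>\d+)\)\s*$")
SP_RE = re.compile(r"^Windows .*?\(5\.1\.\d+\)\s+Service Pack (?P<sp>\d+)")
USER_RE = re.compile(r"^User : (?P<user>\S+) \( Administrator -> (?P<admin>YES|NO) \)")

# Assumption: default single-drive XP layout; processes here need no review.
EXPECTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\")
# Assumption: executables that legitimately live directly in %WINDIR%.
WINDIR_ROOT_OK = {"explorer.exe"}


def normalize(path):
    """Turn the NT-style paths Rooter prints into lower-case Win32 paths."""
    if path.startswith("\\??\\"):
        path = path[4:]
    if path.lower().startswith("\\systemroot\\"):
        path = "C:\\WINDOWS" + path[len("\\SystemRoot"):]  # assumption: %SystemRoot% = C:\WINDOWS
    return path.lower()


def classify_process(path):
    """Return a review reason for an unusual process location, or None."""
    p = normalize(path)
    if "\\" not in p:              # "System", "[System Process]": kernel pseudo-processes
        return None
    if p.startswith(EXPECTED_PREFIXES):
        return None
    directory, _, name = p.rpartition("\\")
    if directory == "c:\\windows":
        return None if name in WINDIR_ROOT_OK else "runs from %WINDIR% root"
    if "\\documents and settings\\" in p:
        return "runs from a user profile"
    return "runs from an unexpected location"


def triage(log):
    """Walk the log once and collect (category, message) findings."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        m = SP_RE.match(line)
        if m and int(m.group("sp")) < 3:
            findings.append(("os", f"Service Pack {m.group('sp')}: below SP3, missing security updates"))
            continue
        if line.startswith("[wscsvc]") and "Disabled" in line:
            findings.append(("service", "Security Center (wscsvc) is disabled"))
            continue
        m = USER_RE.match(line)
        if m and m.group("admin") == "YES":
            findings.append(("user", f"{m.group('user')} is an Administrator"))
            continue
        m = PROC_RE.match(line)
        if m:
            reason = classify_process(m.group("path"))
            if reason:
                findings.append(("process", f"{normalize(m.group('path'))} (pid {m.group('pid')}): {reason}"))
    return findings


if __name__ == "__main__":
    for category, message in triage(SAMPLE_LOG):
        print(f"[{category}] {message}")
```

Run against the full log, the script flags the Windows-root helpers and the scanner on the desktop for a look, and records the two configuration facts worth acting on once the cleanup is done: the machine is on SP1 and Security Center is off.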

evilfantasy
« Reply #20 on: February 07, 2010, 04:21:44 PM »

It looks like Malwarebytes got everything.

Although you will want to run this next scan. Be sure you have time to let it finish as it can take up to 3 hours or more.

Run the F-Secure Online Scanner for Viruses, Spyware and Rootkits.

Note: This Scanner is for Internet Explorer Only!

* Place a check mark next to I have read and accepted the license terms and then click Install
* Accept the warning to install the F-Secure Control in Internet Explorer.
* Click Start once the control is installed.
* Choose the Full Scan option and then click Start
* Once the download completes, the scan will begin automatically.
* The scan will take some time to finish so please be patient.
* When the scan completes, choose the Automatic cleaning (recommended) button then click Next and let the scanner finish cleaning.
* Click the Show Report button. (this will open an Internet Explorer window containing the report)
* Copy & Paste the entire report in your next reply.

Valdr
« Reply #21 on: February 07, 2010, 06:37:47 PM »

Scanning Report
Sunday, February 7, 2010 20:12:08 - 20:36:25

Computer name: MARK-47805DC06C
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\ E:\ F:\
3 malware found
TrackingCookie.2o7 (spyware)

    * System (Disinfected)

TrackingCookie.Atdmt (spyware)

    * System (Disinfected)

TrackingCookie.Doubleclick (spyware)

    * System (Disinfected)

Statistics
Scanned:

    * Files: 22294
    * System: 2718
    * Not scanned: 6

Actions:

    * Disinfected: 3
    * Renamed: 0
    * Deleted: 0
    * Not cleaned: 0
    * Submitted: 0

Files not scanned:

    * C:\PAGEFILE.SYS
    * C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
    * C:\WINDOWS\SYSTEM32\CONFIG\SAM
    * C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
    * C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
    * C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

evilfantasy
« Reply #22 on: February 07, 2010, 06:48:17 PM »

All that was found was 3 cookies, which are not a threat. Looks like you are clean.... again. 8)

How is the computer running now?

Valdr
« Reply #23 on: February 07, 2010, 07:22:25 PM »

It seems to be running alright; after the repair install I'm back on SP1. I have tried to upgrade to SP2 but I get stuck at 'creating cabinets'. Been there for about 40 min now.

Valdr
« Reply #24 on: February 08, 2010, 06:00:19 AM »

Ignore that last post, problem taken care of.

Thank you so much for your help Evil.