
I keep getting c000021a error please help


kaosjin
01-11-2008, 07:13 AM
Every time I try to convert a video or music file my computer shuts down and I get this error.
I ran Hijack and here are the results,
any help would be appreciated,
thank you

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:22:00 PM, on 1/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20696)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\VM_STI.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\algssl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O1 - Hosts: 75.67.92.226 http://paypal.com
O1 - Hosts: 75.67.92.226 paypal.co.uk
O1 - Hosts: 75.67.92.226 www.paypal.co.uk
O1 - Hosts: 75.67.92.226 http://paypal.co.uk
O1 - Hosts: 75.67.92.226 http://www.paypal.co.uk
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb124\Dealio.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb124\Dealio.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] -RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] -SkyTel.EXE
O4 - HKLM\..\Run: [SoundMan] -SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] -ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] -ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE KOCOM KMC-90 Web Camera
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.2] msime80.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LGMobileSyncLauncher] C:\Program Files\CYON MobileSync\MobileSync\LG_MobileSync_Launcher_Setup .exe
O4 - HKCU\..\Run: [MsServer] msfir80.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb124\Dealio.dll (file missing)
O9 - Extra 'Tools' menuitem: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb124\Dealio.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15-3.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NNServ - Unknown owner - C:\Program Files\NewDotNet\nnrun.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - -"C:\Program Files\Windows Media Player\WMPNetwk.exe" (file missing)

--
End of file - 7995 bytes
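
One way to triage a HijackThis log like the one above programmatically, added here as an example that is not part of this thread or of HijackThis itself. It takes a handful of O1/O2/O4/O23 lines copied from the posted log (a constructed subset) and applies the checks a log reader does by hand: hosts entries that send a login site somewhere other than loopback, entries whose file is missing, Run values that are a bare filename with no path, and services with no owner string. The rule names and the exact wording of each finding are my own.

```python
"""Triage a HijackThis (HJT) log for a handful of high-signal indicators.

Added example for this thread, not part of the forum post or of HijackThis
itself. The sample lines below are a constructed subset of the first post's
log; the rules are heuristics, not HJT's own logic.
"""
import re
from ipaddress import ip_address

# Constructed sample: a subset of the HJT log posted in the thread.
SAMPLE_LOG = r"""
O1 - Hosts: 75.67.92.226 paypal.co.uk
O1 - Hosts: 75.67.92.226 www.paypal.co.uk
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb124\Dealio.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IMJPMIG8.2] msime80.exe
O4 - HKCU\..\Run: [MsServer] msfir80.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NNServ - Unknown owner - C:\Program Files\NewDotNet\nnrun.exe (file missing)
"""

LINE_RE = re.compile(r"^(O\d+|R\d) - (.*)$")        # "O4 - <body>", "R1 - <body>"
RUN_RE = re.compile(r"HK.*?\\Run(?:Once)?: \[[^\]]*\] (.+)$")
HOSTS_RE = re.compile(r"Hosts:\s+(\S+)\s+(\S+)")


def parse_entries(log):
    """Yield (section, body) for every HJT-style line; header lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def hosts_override(section, body):
    """O1: a hosts entry that maps a hostname anywhere but loopback."""
    if section != "O1":
        return None
    m = HOSTS_RE.match(body)
    if not m:
        return None
    ip, name = m.groups()
    try:
        if ip_address(ip).is_loopback:
            return None
    except ValueError:
        return None
    return f"hosts file maps {name} to {ip}; not loopback, so traffic is redirected"


def missing_file(section, body):
    """Any section: the entry points at a file HJT could not find on disk."""
    if "(file missing)" in body or "(no file)" in body:
        return "referenced file is missing (leftover entry or hidden component)"
    return None


def bare_run_target(section, body):
    """O4: the Run value is a bare filename, so the log alone cannot say where it lives."""
    if section != "O4":
        return None
    m = RUN_RE.match(body)
    if not m:
        return None
    command = m.group(1).strip()
    if command.startswith('"'):
        target = command[1:].split('"', 1)[0]
    else:
        parts = command.split()
        if not parts:
            return None
        target = parts[0]
    if "\\" in target or "/" in target:
        return None
    return f"Run entry launches bare name {target!r} with no path"


def unknown_service_owner(section, body):
    """O23: HJT could not read a vendor string for the service binary."""
    if section == "O23" and "Unknown owner" in body:
        return "service has no identifiable owner"
    return None


RULES = (hosts_override, missing_file, bare_run_target, unknown_service_owner)


def triage(log):
    """Return [(section, body, reason)] for every rule that fires on every line."""
    findings = []
    for section, body in parse_entries(log):
        for rule in RULES:
            reason = rule(section, body)
            if reason:
                findings.append((section, body, reason))
    return findings


if __name__ == "__main__":
    for section, body, reason in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {body}")
```

These are heuristics and will produce false positives: in the full log above, CDBurnerXP's NMSAccessU service also shows "Unknown owner" and is benign. The O1 hits are the clearest signal in this log, because a hosts entry pointing paypal.co.uk at a fixed address means the browser never resolves the real site, whatever the user types.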

awaj
01-11-2008, 09:51 AM
Does this site apply at all? http://support.microsoft.com/default.aspx?scid=kb;en-us;156669

also, what program are you using to convert the files?

kaosjin
01-11-2008, 05:32 PM
Hi, thank you for your reply. It happens with any converter; right now I am trying AVI converter for movies and Xilisoft WMA MP3 Converter for music.

awaj
01-11-2008, 05:35 PM
check out this converter, http://www.afterdawn.com/software/video_software/video_encoders/super.cfm.

did you check the support link I sent you, and did it help?

kaosjin
01-12-2008, 01:56 AM
When I try to type "System Root\System32\Drwtsn32.exe -I" at the command prompt I get "System is not recognized as an internal or external command". I will try the converter you mentioned above and let you know how it goes.
Thank you for all your help

kaosjin
01-12-2008, 02:42 AM
I tried SUPER as a converter and the same thing keeps happening.

Budfred
01-12-2008, 08:48 AM
awaj,

When people have posted HJT logs, please refrain from responding until we have had a chance to check those logs...

kaosjin,

You have several infections... I will move this to the appropriate forum... Please run this tool and post back with the log so I can see what else might be there...

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop (it needs to be run from the Desktop).
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall...

kaosjin
01-13-2008, 07:39 AM
Dear Budfred, I don't know if I've already posted this or not. I don't see it posted here, so I will repost it.
I would also like to thank you for your time and effort

ComboFix 08-01-13.1 - dan 2008-01-13 21:29:18.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1651 [GMT 9:00]
Running from: C:\Documents and Settings\dan.HOME-2A93A0681B\Desktop\ComboFix(2).exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\ufdata2000.log

.
((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.

2008-01-13 12:19 . 2008-01-13 12:19 45 --a------ C:\WINDOWS\system32\initdebug.nfo
2008-01-13 11:57 . 2008-01-13 11:59 <DIR> d-------- C:\Documents and Settings\dan.HOME-2A93A0681B\Application Data\LimeWire
2008-01-13 11:35 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-13 11:17 . 2008-01-13 11:18 <DIR> d-------- C:\Program Files\Exact Audio Copy
2008-01-13 07:57 . 2008-01-13 07:59 <DIR> d-------- C:\Program Files\Add Remove Pro
2008-01-12 21:48 . 2008-01-12 21:48 <DIR> d-------- C:\Program Files\eRightSoft
2008-01-12 21:46 . 2006-03-11 05:48 169,472 -rahs---- C:\WINDOWS\system32\MatroskaDX.ax
2008-01-12 21:46 . 2006-05-03 18:06 163,328 -rahs---- C:\WINDOWS\system32\flvDX.dll
2008-01-12 21:46 . 2005-11-26 04:46 161,792 -rahs---- C:\WINDOWS\system32\RealMediaDX.ax
2008-01-12 21:46 . 2003-11-21 07:00 54,784 -rahs---- C:\WINDOWS\system32\RLAPEDec.ax
2008-01-12 21:46 . 2004-04-27 07:00 37,888 -rahs---- C:\WINDOWS\system32\RLMPCDec.ax
2008-01-12 21:46 . 2007-02-21 19:47 31,232 -rahs---- C:\WINDOWS\system32\msfDX.dll
2008-01-12 21:45 . 2006-09-12 19:46 227,328 -rahs---- C:\WINDOWS\system32\ac3DX.ax
2008-01-12 21:45 . 2006-01-13 07:23 123,904 -rahs---- C:\WINDOWS\system32\AVCDX.ax
2008-01-12 21:45 . 2007-07-03 14:59 9,292 ---h----- C:\WINDOWS\super.chm
2008-01-12 21:35 . 2008-01-12 21:39 <DIR> d-------- C:\Program Files\Xilisoft
2008-01-12 21:28 . 2008-01-12 21:28 <DIR> d-------- C:\Program Files\CDBurnerXP
2008-01-12 20:33 . 2008-01-12 20:33 13,696 --a------ C:\WINDOWS\system32\wpa.bak
2008-01-12 20:31 . 2004-08-04 10:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-12 20:17 . 2008-01-12 20:17 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-01-12 20:16 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\000001_.tmp
2008-01-12 19:19 . 2004-08-04 10:56 96,768 --a------ C:\WINDOWS\system32\dpcdll.dll.wga
2008-01-12 19:19 . 2001-08-23 23:00 29,338 --a------ C:\WINDOWS\system32\EULA.TXT.wga
2008-01-12 19:19 . 2004-08-04 10:56 24,064 --a------ C:\WINDOWS\system32\pidgen.dll.wga
2008-01-12 16:38 . 2008-01-13 08:17 45,056 --a------ C:\WINDOWS\VM_STI.EXE
2008-01-12 15:52 . 2008-01-12 15:52 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-01-11 18:18 . 2008-01-11 18:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-10 18:20 . 2008-01-10 19:00 <DIR> d-------- C:\Documents and Settings\dan.HOME-2A93A0681B\.housecall6.6
2008-01-10 15:33 . 2008-01-10 16:09 <DIR> d-------- C:\Program Files\Consumer Update Firmware
2008-01-10 10:51 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-01-10 10:18 . 2008-01-13 13:59 <DIR> d-a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-01-10 08:52 . 2002-01-05 14:40 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2008-01-10 08:52 . 2002-01-05 15:37 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-01-10 08:52 . 2003-08-07 15:01 237,568 --a------ C:\WINDOWS\system32\lame_enc.dll
2008-01-10 08:50 . 2005-11-21 14:48 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2008-01-10 08:50 . 2005-11-21 14:48 16,512 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2008-01-04 13:42 . 2008-01-04 13:42 <DIR> d-------- C:\Program Files\iMesh Applications
2008-01-04 13:42 . 2006-11-12 11:39 483,328 --a------ C:\WINDOWS\system32\actskn45.ocx
2008-01-03 08:55 . 2008-01-03 09:03 <DIR> d-------- C:\Program Files\Ares Ultra
2007-12-23 10:16 . 2007-12-23 10:16 <DIR> d-------- C:\Documents and Settings\dan.HOME-2A93A0681B\Application Data\Media Player Classic
2007-12-16 16:49 . 2007-04-09 13:23 28,040 --a------ C:\WINDOWS\system32\mdimon.dll
2007-12-16 16:48 . 2007-12-16 16:48 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-12-16 16:44 . 2007-12-16 16:44 <DIR> dr-h----- C:\MSOCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-13 05:06 --------- d-----w C:\Documents and Settings\dan.HOME-2A93A0681B\Application Data\AVG7
2008-01-13 05:03 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Avg7
2008-01-12 23:04 --------- d-----w C:\Documents and Settings\dan.HOME-2A93A0681B\Application Data\uTorrent
2008-01-12 08:36 --------- d-----w C:\Program Files\MSN Messenger
2008-01-05 12:11 --------- d-----w C:\Documents and Settings\dan.HOME-2A93A0681B\Application Data\dvdcss
2007-12-22 22:15 --------- d-----w C:\Program Files\STOPzilla!
2007-12-22 22:15 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\ZILLAbar
2007-12-16 07:49 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-12 07:38 --------- d-----w C:\Program Files\WordBiz
2007-12-09 10:45 --------- d-----w C:\Program Files\Winamp
2007-12-09 10:32 --------- d-----w C:\Program Files\MagicISO
2007-12-09 00:21 --------- d-----w C:\Program Files\ABC
2007-12-09 00:18 --------- d-----w C:\Program Files\uTorrent
2007-12-09 00:11 --------- d-----w C:\Program Files\Realtek
2007-12-09 00:11 --------- d-----w C:\Program Files\MSXML 6.0
2007-12-09 00:10 --------- d-----w C:\Program Files\MSXML 4.0
2007-12-08 23:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-08 23:48 --------- d-----w C:\Program Files\VideoLAN
2007-12-08 13:52 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\STOPzilla!
2007-12-08 13:49 --------- d-----w C:\Documents and Settings\dan.HOME-2A93A0681B\Application Data\STOPzilla!
2007-12-08 12:26 --------- d-----w C:\Program Files\SuperAdBlocker.com
2007-12-08 12:24 --------- d-----w C:\Documents and Settings\dan.HOME-2A93A0681B\Application Data\SuperAdBlocker.com
2007-11-25 21:29 --------- d-----w C:\Documents and Settings\dan\Application Data\Dealio
2007-11-22 21:30 --------- d-----w C:\Program Files\Java
2007-11-22 21:29 --------- d-----w C:\Program Files\Common Files\Java
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 12:01 8,464 ----a-w C:\WINDOWS\system32\sporder.dll
2007-11-07 09:50 727,040 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 22:54 24,112 ----a-w C:\Documents and Settings\dan.HOME-2A93A0681B\Application Data\GDIPFONTCACHEV1.DAT
2007-10-27 08:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2006-05-03 09:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
.
<pre>
----a-w 5,674,352 2008-01-12 08:36:53 C:\Program Files\MSN Messenger\MsnMsgr .Exe
</pre>

kaosjin
01-13-2008, 07:40 AM
((((((((((((((((((((((((((((( snapshot@2008-01-13_11.43.34.34 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-12 10:14:10 3,968 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
+ 2008-01-13 05:05:01 10,760 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
- 2007-11-12 10:14:10 19,904 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2008-01-13 05:04:58 26,952 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2008-01-13 05:03:53 4,960 ----a-w C:\WINDOWS\system32\drivers\avgtdi.sys
+ 1996-04-03 19:33:26 5,248 ----a-w C:\WINDOWS\system32\giveio.sys
+ 2005-06-15 14:55:53 4,096 ----a-w C:\WINDOWS\system32\speedfan.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:56 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"LGMobileSyncLauncher"="C:\Program Files\CYON MobileSync\MobileSync\LG_MobileSync_Launcher_Setup .exe" [ ]
"Router"="C:\Program Files\Router\Router.exe" [ ]
"MsServer"="msfir80.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="-RTHDCPL.EXE" []
"SkyTel"="-SkyTel.EXE" []
"SoundMan"="-SOUNDMAN.EXE" []
"AlcWzrd"="-ALCWZRD.EXE" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-13 08:17 39792]
"BigDogPath"="C:\WINDOWS\VM_STI.exe" [2008-01-13 08:17 45056]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-13 00:44 8429568]
"nwiz"="nwiz.exe" [2007-04-13 00:44 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-13 00:44 81920]
"au"="C:\Program Files\Dealio\DealioAU.exe" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-13 14:05 579072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-01-13 08:17 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-12 19:14 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="regsvr32 /s /n /i:u shell32" []

C:\Documents and Settings\dan\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-09-19 19:53:11]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-04-19 13:49:52]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

R1 BIOS;BIOS;C:\WINDOWS\system32\drivers\BIOS.sys [2005-03-16 15:23]
R2 NMSAccessU;NMSAccessU;C:\Program Files\CDBurnerXP\NMSAccessU.exe [2007-10-12 08:34]
S1 SABKUTIL;SABKUTIL;C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys []
S3 rockusb;Driver for rockusb Device;C:\WINDOWS\system32\DRIVERS\rockusb.sys [2006-03-22 19:57]
S3 SKTBus;SK Telecom USB Composite device driver;C:\WINDOWS\system32\DRIVERS\SKTBus.sys [2007-05-30 16:29]
S3 SKTMdm;SK Telecom USB Modem;C:\WINDOWS\system32\DRIVERS\SKTMdm.sys [2007-05-30 16:29]
S3 SKTOBEX;SK Telecom USB OBEX Device Driver;C:\WINDOWS\system32\DRIVERS\SKTOBEX.sys [2007-05-30 16:30]
S3 SKTVsp;SK Telecom USB Virtual Serial Port Driver;C:\WINDOWS\system32\DRIVERS\SKTVsp.sys [2007-05-30 16:30]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79dcc9bc-b789-11dc-96b6-00e04d40d6fc}]
\Shell\Auto\command - E:\sal.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94e7974a-bef0-11dc-96bb-00e04d40d6fc}]
\Shell\Auto\command - E:\sal.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94e7974b-bef0-11dc-96bb-00e04d40d6fc}]
\Shell\Auto\command - F:\sal.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e426fd0d-b126-11dc-96ab-00e04d40d6fc}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Setup.pif

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 21:30:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MsServer = msfir80.exe???.

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-13 21:31:07
ComboFix-quarantined-files.txt 2008-01-13 12:31:00
ComboFix2.txt 2008-01-13 11:23:26
ComboFix3.txt 2008-01-13 02:43:44
.
2008-01-12 11:35:45 --- E O F ---
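
The mountpoints2 section of the ComboFix log above is the part a log reader would look at first: those keys are Explorer's cache of the AutoRun handler it last saw on each mounted volume, and here they point at sal.xls.exe on E: and F:. The following is an added example, not part of the thread or of ComboFix, that parses such a section and flags the three things a defender would note: a file name whose inner extension looks like a document (sal.xls.exe), a launch routed through RunDLL32 ShellExec_RunDLL, and a target stored on the mounted media rather than on C:. The sample text is a constructed copy of two blocks from the posted log; the rule wording is mine.

```python
"""Flag suspicious removable-media AutoRun handlers in a ComboFix log.

Added example for this thread; not part of ComboFix or of the post. The
sample below is a constructed copy of two mountpoints2 blocks from the log
posted above. The checks are heuristics chosen for this example.
"""
import re

SAMPLE = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79dcc9bc-b789-11dc-96b6-00e04d40d6fc}]
\Shell\Auto\command - E:\sal.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e426fd0d-b126-11dc-96ab-00e04d40d6fc}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Setup.pif
"""

KEY_RE = re.compile(r"^\[HKEY_.*\\mountpoints2\\\{([0-9a-f-]+)\}\]$", re.I)
CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$")
EXEC_EXT = {"exe", "pif", "com", "scr", "bat", "cmd"}   # runs as code
DOC_EXT = {"xls", "doc", "ppt", "pdf", "txt", "jpg"}    # looks like data


def parse_mountpoints(text):
    """Return {volume_guid: [(verb, command), ...]} from the ComboFix section."""
    volumes = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            volumes.setdefault(current, [])
            continue
        cmd = CMD_RE.match(line)
        if cmd and current is not None:
            volumes[current].append((cmd.group(1), cmd.group(2)))
    return volumes


def launched_file(command):
    """The program the command ultimately starts is its last argument."""
    return command.split()[-1]


def assess(command):
    """Return the list of reasons this AutoRun command looks suspicious."""
    reasons = []
    target = launched_file(command)
    base = target.rsplit("\\", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) >= 3 and parts[-1] in EXEC_EXT and parts[-2] in DOC_EXT:
        reasons.append(f"double extension: {base!r} looks like a document but runs as code")
    if "shellexec_rundll" in command.lower():
        reasons.append("launched indirectly through RunDLL32 ShellExec_RunDLL")
    drive = re.match(r"([a-z]):\\", target.lower())
    if drive and drive.group(1) != "c":
        reasons.append(f"target stored on drive {drive.group(1).upper()}:, i.e. on the mounted media itself")
    return reasons


def triage(text):
    """Return [(guid, verb, command, reasons)] for every command with a reason."""
    findings = []
    for guid, commands in parse_mountpoints(text).items():
        for verb, command in commands:
            reasons = assess(command)
            if reasons:
                findings.append((guid, verb, command, reasons))
    return findings


if __name__ == "__main__":
    for guid, verb, command, reasons in triage(SAMPLE):
        print(f"{{{guid}}} \\Shell\\{verb}\\command -> {command}")
        for reason in reasons:
            print("    -", reason)
```

Because these keys are a cache, a hit means a volume carrying that autorun.inf was connected at some point; the media itself has to be cleaned as well as the machine. On Windows XP the AutoRun behaviour for a drive type is governed by the NoDriveTypeAutoRun policy value under Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, which is the setting to tighten once the infection is removed.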

Budfred
01-13-2008, 10:05 AM
kaosjin,

How many other forums have you asked for help in that you don't even remember if you posted this log here?? I work with a lot of the different security forums and I can tell you that none of us appreciate people asking for help from multiple forums since it can take each of us up to an hour to analyze a log... If I do that and 3 other people do that, we end up with 4 hours of time for one hour of benefit... Not a good trade from my point of view...

I am going to wait for a response before putting any more effort into this log... Meanwhile, it looks like you have been installing a bunch of software in the last 24 hours and that is NOT a good idea when your computer is badly infected... Not only is it likely that those programs can get infected, it makes it much more difficult to analyze the logs you post... Please do not install any other programs than the ones needed to clean this computer until it is clean...

kaosjin
01-13-2008, 05:41 PM
I posted on "geeks to go" about 4 days ago and never got a reply. What I meant by my last post was that I thought I had posted it and it never came up. When I reposted I noticed that the file was too big and that I had to split it. Hence, I thought that I had posted it and I had not.
Thank you for your time and I will not put anything else on this computer and await your reply.

Budfred
01-13-2008, 06:40 PM
If you intend to stay with help here, please let G2G know that you are already getting help... Please run this:

* Click here (http://support.f-secure.com/enu/home/ols.shtml) to use the F-Secure Online Scanner
Then click the Start Scanning button below.
You should get a notification (bar on top) to install the activeX. Click on it and select to install the ActiveX.
Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
In case you are having problems with installing the ActiveX/starting the scan, please read here (http://support.f-secure.com/enu/home/ols-faq.shtml).
Click the Full System Scan button.
It will start to download scanner components and databases. This can take a while.
The main scan will start.
Once the scan has finished, click the Automatic cleaning (recommended) button
It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
The cleaning can take a while, so please be patient.
Then click the Show report button and copy and paste what's present under results in your next reply.


and then...

Please do this:

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
Just before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the Registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the Desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your Desktop icons.
Finally open the SDFix folder on your Desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.

kaosjin
01-13-2008, 09:55 PM
I tried running F-Secure Online Scanner and once more my computer shut down about 15 minutes into the program. I finally got it running after about 10 minutes. Should I try running it again?
I also informed G2G that I was getting help from another forum.

Budfred
01-14-2008, 12:16 AM
Please explain what you mean about taking 10 minutes to get the computer going again?? What kept it from simply rebooting?? Did you get any error messages or any indication of what went wrong??

kaosjin
01-14-2008, 01:08 AM
It just shut down, and when I tried to restart it, it kept shutting down again with nothing showing; as it was booting, it just would shut down. One time on the screen it had c000021a error. So I waited about 5 minutes and it started the next time I tried.

Budfred
01-14-2008, 10:14 PM
Go here and follow the instructions for installing Recovery Console, then try F-Secure again... You may need to run a Repair Install eventually, but we can see... If it works okay, go on to SDFix...

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

kaosjin
01-14-2008, 10:33 PM
Hi Budfred,
Unfortunately, I will not be able to do the system recovery at this time. I am presently abroad and have misplaced my XP CD. I have ordered a new one and it will take about four weeks to get to me. Is there another way to do this?

Budfred
01-15-2008, 08:46 PM
Go ahead with SDFix and we can see if that helps... You probably won't be able to remove the error message without fixing Windows, but we can still go after the malware...

kaosjin
01-15-2008, 10:05 PM
Hi Budfred,
I tried to run SDFix and after about 2 minutes of hitting Y to run, it says "unable to locate locale" and shuts my computer down.

Budfred
01-15-2008, 11:12 PM
Do you have a way to borrow a WinXP disk so that you can install Recovery Console?? It is possible to do it without your own disk...

Meanwhile, you can try some other tools...

Download AVG Anti-Spyware from HERE (http://www.ewido.net/en/download/)
Install AVG Anti-Spyware
Double-click the icon on Desktop to launch AVG Anti-Spyware
You will need to update AVG Anti-Spyware to the latest definition files.
On the top of the main screen click Shield and then [active] to change it to inactive
On the top of the main screen click Update and then Start Update.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".


Close ALL open Windows / Programs / Folders. Run AVG Anti-Spyware with its updated definitions: (...it's important that all windows must be closed)

* Click Scanner and then the Scan tab
* Click Complete System Scan to begin scanning.

Once the scan is complete do the following:
* If you have any infections you will be prompted, then select "Apply all actions"
* Once finished, click the Save report button, then click Save Report As and save it to your Desktop. (make sure to remember where you saved that file, this is important).

Close AVG Anti-Spyware and Reboot.

and....................

* Download Dr.Web CureIt to the Desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Double-click the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, check whether you can click the icon next to the files found: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:
http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif
This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (this is in case we need samples)
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.


and another online scan...................

Please use the Eset NOD32 Online Anti-Virus scanner and Removal Tool

Note: This tool requires the use of Internet Explorer and is Vista compatible

Please click HERE (http://www.eset.com/threat-center/cac.php) to start the process
Place a checkmark in the box beside "Terms of Service", then click "Start".
On the next screen, "Click" where prompted to install the required ActiveX Control.
Acknowledge the Security Warning in the next window by Clicking the "Install" button.
Press the "START" button on the Welcome Screen.
A download progress bar will then inform you on the status of your download.
Once the initialization is complete, place a checkmark beside "Remove found threats", then click "Scan".
When the tool has finished, under the Details Tab, you will find a list of items found and deleted. Copy that list and paste it here if possible.
No log will be made available for posting in your reply.

kaosjin
01-16-2008, 05:13 AM
Hi Budfred,
I just want to take the time to thank you for all your help and support. Unfortunately, I am in Korea at the moment and everybody I ask only has the Korean version of XP. So I will have to wait until the one I ordered gets here. I did the AVG anti spyware and the Drweb, but when I tried to do the Eset, my computer shut down again. It got almost 90% done and it shut down somewhere around C:/windows/help. Here are the saved data from the ones I did do.
Here is the DrWeb
00069515.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
00071781.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.based;Deleted.;
00074796.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.5013;Deleted.;
01660812.FIL;C:\$VAULT$.AVG;Trojan.Igidak;Deleted.;
01661000.FIL;C:\$VAULT$.AVG;Trojan.Igidak;Deleted.;
01661562.FIL;C:\$VAULT$.AVG;Trojan.Igidak;Deleted.;
01661968.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.10006;Deleted.;
01662062.FIL\data001;C:\$VAULT$.AVG\01662062.FIL;Adware.MediaTicket.origin;;
01662062.FIL\data002;C:\$VAULT$.AVG\01662062.FIL;Trojan.PurityAd;;
01662062.FIL;C:\$VAULT$.AVG;Archive contains infected objects;Moved.;
01662140.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.10006;Deleted.;
01662625.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.10006;Deleted.;
01662828.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.38486;Deleted.;
01662953.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.10006;Deleted.;
01663031.FIL;C:\$VAULT$.AVG;Trojan.Rond.origin;Incurable.Moved.;
01663109.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9785;Deleted.;
01663250.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.38055;Deleted.;
01663296.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.10006;Deleted.;
01663531.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.10006;Deleted.;
01663703.FIL;C:\$VAULT$.AVG;Trojan.Virtumod.257;Deleted.;
01663859.FIL;C:\$VAULT$.AVG;Trojan.Virtumod.257;Deleted.;
01664031.FIL;C:\$VAULT$.AVG;Trojan.Virtumod.257;Deleted.;
01664296.FIL;C:\$VAULT$.AVG;Trojan.Virtumod.257;Deleted.;
01664484.FIL;C:\$VAULT$.AVG;Trojan.Virtumod.257;Deleted.;
01664593.FIL;C:\$VAULT$.AVG;Trojan.Virtumod.257;Deleted.;
01664718.FIL;C:\$VAULT$.AVG;Trojan.Virtumod.257;Deleted.;
01664859.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.10006;Deleted.;
01664921.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.10006;Deleted.;
01664968.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.10006;Deleted.;
01665031.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.10006;Deleted.;
01665093.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.10006;Deleted.;
01665156.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.10006;Deleted.;
01665250.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.10006;Deleted.;
01665312.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.10006;Deleted.;
01665343.FIL;C:\$VAULT$.AVG;Trojan.Virtumod.257;Deleted.;
01665484.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.10006;Deleted.;
01665531.FIL;C:\$VAULT$.AVG;Trojan.Igidak;Deleted.;
04929484.FIL;C:\$VAULT$.AVG;Trojan.Click.4833;Deleted.;
04929625.FIL;C:\$VAULT$.AVG;Trojan.Click.4833;Deleted.;
21372563.FIL;C:\$VAULT$.AVG;Trojan.Proxy.origin;Incurable.Moved.;
33440796.FIL;C:\$VAULT$.AVG;Adware.OneStep;Incurable.Moved.;
33441906.FIL;C:\$VAULT$.AVG;Adware.NewDotNet;Incurable.Moved.;
34587375.FIL;C:\$VAULT$.AVG;Trojan.Winpop;Deleted.;
42483203.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.10006;Deleted.;
46113078.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
57114781.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
61527250.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.10016;Deleted.;
94279781.FIL;C:\$VAULT$.AVG;Trojan.Fakealert.400;Deleted.;
94279953.FIL;C:\$VAULT$.AVG;Trojan.Fakealert.400;Deleted.;
94279968.FIL;C:\$VAULT$.AVG;Trojan.Spambot.2393;Deleted.;
94279984.FIL;C:\$VAULT$.AVG;Trojan.Packed.155;Deleted.;
94280015.FIL;C:\$VAULT$.AVG;Trojan.Packed.155;Deleted.;
94280046.FIL;C:\$VAULT$.AVG;Trojan.Spambot.2393;Deleted.;
94280062.FIL;C:\$VAULT$.AVG;Trojan.Packed.155;Deleted.;
94280093.FIL;C:\$VAULT$.AVG;Trojan.Packed.155;Deleted.;
94280109.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
94280125.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
94280156.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
94280203.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.8738;Deleted.;
94280218.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.31817;Deleted.;
94280234.FIL;C:\$VAULT$.AVG;Trojan.Winpop;Deleted.;
94280265.FIL;C:\$VAULT$.AVG;Trojan.Winpop;Deleted.;
94280281.FIL;C:\$VAULT$.AVG;Trojan.Rond;Deleted.;
94280312.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.31817;Deleted.;
94280359.FIL;C:\$VAULT$.AVG;Trojan.EzulaAd;Deleted.;
94280390.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
94280406.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
94280468.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
94280484.FIL;C:\$VAULT$.AVG;Trojan.Click.2799;Deleted.;
94280515.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
94280531.FIL;C:\$VAULT$.AVG;Trojan.EzulaAd;Deleted.;
94280562.FIL;C:\$VAULT$.AVG;Trojan.Proxy.origin;Incurable.Moved.;
94280609.FIL;C:\$VAULT$.AVG;BackDoor.Bulknet;Deleted.;
94280625.FIL;C:\$VAULT$.AVG;Trojan.NtRootKit.360;Deleted.;
94280640.FIL;C:\$VAULT$.AVG;Trojan.EzulaAd;Deleted.;
94280671.FIL;C:\$VAULT$.AVG;BackDoor.Bulknet;Deleted.;
94280765.FIL;C:\$VAULT$.AVG;BackDoor.Bulknet;Deleted.;
94280812.FIL;C:\$VAULT$.AVG;BackDoor.Bulknet;Deleted.;
94280843.FIL;C:\$VAULT$.AVG;BackDoor.Bulknet;Deleted.;
ComboFix.bat;C:\ComboFix;Probably BATCH.Virus;Incurable.Moved.;
The AVG one is over 44,000 characters, if you want it also, I will post it in 5 different posts.

Budfred
01-16-2008, 08:19 AM
Just post the parts of the AVG-AS log that are not tracking cookies... That should be a much shorter list...

kaosjin
01-16-2008, 08:57 AM
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0015574.EXE/system.exe -> Backdoor.Rbot.enq : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP183\A0015788.exe -> Backdoor.Rbot.enq : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP182\A0015629.exe -> Downloader.Agent.erf : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP182\A0015630.exe -> Downloader.Agent.fjn : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014265.exe -> Downloader.Agent.gdi : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014378.exe -> Downloader.Agent.gdi : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014401.exe -> Downloader.Agent.gdi : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014435.exe -> Downloader.Agent.gdi : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014463.exe -> Downloader.Agent.gdi : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014491.exe -> Downloader.Agent.gdi : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014563.exe -> Downloader.Agent.gdi : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0015564.exe -> Downloader.Agent.gdi : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP182\A0015648.exe -> Downloader.Agent.gdi : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP174\A0011829.exe -> Downloader.Agent.gwh : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP175\A0011891.exe -> Downloader.Agent.gwh : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP175\A0012919.exe -> Downloader.Agent.gwh : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP175\A0012929.exe -> Downloader.Agent.gwh : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0013870.exe -> Downloader.Agent.gwh : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0013927.exe -> Downloader.Agent.gwh : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014270.exe -> Downloader.Agent.gwh : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014371.exe -> Downloader.Agent.gwh : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014394.exe -> Downloader.Agent.gwh : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014429.exe -> Downloader.Agent.gwh : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014456.exe -> Downloader.Agent.gwh : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014484.exe -> Downloader.Agent.gwh : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014556.exe -> Downloader.Agent.gwh : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0015558.exe -> Downloader.Agent.gwh : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP182\A0015628.exe -> Downloader.Agent.gwh : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP175\A0011856.Exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP175\A0011857.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP175\A0011858.EXE -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP175\A0011859.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP175\A0011860.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP175\A0011861.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP175\A0011862.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP175\A0011863.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP175\A0011882.Exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP175\A0011883.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP175\A0011884.EXE -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP175\A0011885.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP175\A0011887.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP175\A0011889.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP175\A0011892.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP175\A0011895.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP175\A0011908.Exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP175\A0011910.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP175\A0011911.EXE -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP175\A0011912.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP175\A0011913.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP175\A0011914.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP175\A0011917.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP175\A0011923.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP175\A0012908.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP175\A0012909.EXE -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP175\A0012910.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP175\A0012911.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP175\A0012912.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP175\A0012913.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP175\A0012921.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP175\A0012930.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP179\A0013826.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP179\A0013827.EXE -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP179\A0013828.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP179\A0013829.exe -> Dropper.Agent.dgo : Cleaned.

kaosjin
01-16-2008, 08:58 AM
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP179\A0013830.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP179\A0013831.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0013867.EXE -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0013868.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0013869.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0013871.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0013879.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0013914.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0013935.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0013936.EXE -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0013937.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0013938.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0013939.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0013940.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0013946.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014266.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014267.EXE -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014268.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014269.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014271.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014277.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014366.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014367.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014368.EXE -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014369.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014370.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014372.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014380.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014389.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014390.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014391.EXE -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014392.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014393.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014395.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014405.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014418.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014424.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014425.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014426.EXE -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014427.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014428.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014438.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014451.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014452.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014453.EXE -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014454.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014455.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014457.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014466.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014473.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014478.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014480.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014481.EXE -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014482.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014483.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014485.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014494.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014551.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014552.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014553.EXE -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014554.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014555.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014557.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0014564.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0015553.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0015554.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0015555.EXE -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0015556.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0015557.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0015565.exe -> Dropper.Agent.dgo : Cleaned.
.

kaosjin
01-16-2008, 08:59 AM
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP181\A0015616.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP181\A0015617.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP181\A0015618.EXE -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP181\A0015619.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP181\A0015620.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP181\A0015621.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP182\A0015632.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP182\A0015643.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP182\A0015644.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP182\A0015645.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP182\A0015646.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP182\A0015647.EXE -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP182\A0015657.dll -> Not-A-Virus.Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP169\A0010491.sys -> Rootkit.Agent.eq : Cleaned
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP171\A0010561.exe -> Worm.VB.el : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP171\A0010562.exe -> Worm.VB.el : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP183\A0015786.exe -> Worm.VB.el : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP183\A0015787.exe -> Worm.VB.el : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP183\A0015789.exe -> Worm.VB.el : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP183\A0015791.exe -> Worm.VB.el : Cleaned.


::Report end
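Both logs posted above make the same point that Budfred's reply draws out: nearly every hit sits in a storage location (AVG's $VAULT$ quarantine in the Dr.Web report, System Restore's _restore{GUID} store in the AVG log), not in a path the system actually executes from. The script below is an added triage helper written for this thread; it is not part of the thread, of Dr.Web CureIt or of AVG Anti-Spyware. It parses both report formats into one record type, classifies each hit by location using patterns taken from the paths visible in the posted logs, and lists the hits that lie outside quarantine or restore points. The sample lines are a short excerpt of the logs posted in the thread; the location categories and field names are the script's own.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    path: str      # full path of the detected object
    threat: str    # threat name exactly as the scanner reported it
    action: str    # what the scanner did; "" when nothing was done to that object
    location: str  # "avg-vault", "system-restore" or "live" (categories are ours)


# Storage locations seen in the posted logs. Objects here are stored copies,
# not files the system runs, so hits in them do not prove an active infection.
_AVG_VAULT = re.compile(r"\\\$VAULT\$\.AVG(\\|$)", re.IGNORECASE)
_SYS_RESTORE = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)


def classify_location(path: str) -> str:
    """Separate quarantine and restore-point copies from hits in live paths."""
    if _AVG_VAULT.search(path):
        return "avg-vault"
    if _SYS_RESTORE.search(path):
        return "system-restore"
    return "live"


def parse_drweb_csv(report: str) -> list[Detection]:
    """Dr.Web CureIt report lines have the shape: object;directory;threat;action;"""
    found = []
    for raw in report.splitlines():
        fields = raw.strip().split(";")
        if len(fields) < 4 or not fields[0]:
            continue                      # blank or malformed line
        obj, directory, threat, action = (f.strip() for f in fields[:4])
        path = directory.rstrip("\\") + "\\" + obj
        found.append(Detection(path, threat, action, classify_location(path)))
    return found


# AVG Anti-Spyware lines: <path> -> <threat> : <action>   (trailing dot optional)
_AVG_LINE = re.compile(r"^(?P<path>.+?) -> (?P<threat>\S+) : (?P<action>.+?)\.?\s*$")


def parse_avg_log(log: str) -> list[Detection]:
    found = []
    for raw in log.splitlines():
        m = _AVG_LINE.match(raw.strip())
        if not m:
            continue                      # headers such as "::Report end"
        path = m.group("path")
        found.append(Detection(path, m.group("threat"), m.group("action"),
                               classify_location(path)))
    return found


def summarize(detections: list[Detection]) -> dict:
    """The counts an analyst wants first: where the hits live and what they are."""
    return {
        "total": len(detections),
        "by_location": dict(Counter(d.location for d in detections)),
        "by_threat": dict(Counter(d.threat for d in detections)),
        "live": [d for d in detections if d.location == "live"],
    }


# Constructed samples: a few lines excerpted from the logs posted in this thread.
DRWEB_SAMPLE = r"""
00069515.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
01662062.FIL\data001;C:\$VAULT$.AVG\01662062.FIL;Adware.MediaTicket.origin;;
01662062.FIL;C:\$VAULT$.AVG;Archive contains infected objects;Moved.;
01663031.FIL;C:\$VAULT$.AVG;Trojan.Rond.origin;Incurable.Moved.;
ComboFix.bat;C:\ComboFix;Probably BATCH.Virus;Incurable.Moved.;
"""

AVG_SAMPLE = r"""
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP180\A0015574.EXE/system.exe -> Backdoor.Rbot.enq : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP182\A0015657.dll -> Not-A-Virus.Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{3D77ED0C-CDD8-4499-80CF-7AEDA2521A74}\RP169\A0010491.sys -> Rootkit.Agent.eq : Cleaned
::Report end
"""

if __name__ == "__main__":
    for name, dets in (("Dr.Web", parse_drweb_csv(DRWEB_SAMPLE)),
                       ("AVG-AS", parse_avg_log(AVG_SAMPLE))):
        s = summarize(dets)
        print(f"{name}: {s['total']} hits, by location {s['by_location']}")
        for d in s["live"]:
            print(f"  live hit needs a look: {d.path} ({d.threat}, {d.action})")
```

On the thread's own data the Dr.Web sample yields four hits in the AVG vault and one live hit (ComboFix.bat under C:\ComboFix), and the AVG sample yields only System Restore copies, which is exactly why the helper's "live" list is the part worth reading first.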

Budfred
01-16-2008, 09:20 PM
Ok, those are actually just backed up in System Restore, so no help there... Run a fresh ComboFix with a new copy and post the log so I can see how it looks now...

mjc
01-16-2008, 10:03 PM
Also, do not try to use any of those restore points...you will just re-infect yourself. At some point, probably after you are given the 'all clear', you should remove all your previous restore points and start over, with a manually generated fresh one.

kaosjin
01-18-2008, 04:56 PM
ComboFix 08-01-13.1 - dan 2008-01-19 6:44:57.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1582 [GMT 9:00]
Running from: C:\Documents and Settings\dan.HOME-2A93A0681B\Desktop\ComboFix(2).exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))
.

2008-01-17 22:16 . 2008-01-17 22:16 <DIR> d-------- C:\Program Files\AVCT
2008-01-17 19:53 . 2008-01-17 20:55 <DIR> d-------- C:\Program Files\WinXMedia
2008-01-17 19:48 . 2008-01-17 19:48 <DIR> d-------- C:\OutputFolder
2008-01-16 18:14 . 2008-01-16 18:14 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\ESET
2008-01-16 17:16 . 2008-01-16 17:16 <DIR> d-------- C:\Documents and Settings\dan\DoctorWeb
2008-01-16 16:21 . 2008-01-16 16:21 <DIR> d-------- C:\Documents and Settings\dan\Application Data\Grisoft
2008-01-16 15:59 . 2008-01-16 16:02 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-01-16 15:48 . 2008-01-16 15:48 <DIR> d-------- C:\Documents and Settings\dan.HOME-2A93A0681B\DoctorWeb
2008-01-16 13:20 . 2008-01-16 13:20 <DIR> d-------- C:\Documents and Settings\dan.HOME-2A93A0681B\Application Data\Grisoft
2008-01-16 13:20 . 2007-05-30 21:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-16 10:58 . 2008-01-16 10:58 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-13 12:19 . 2008-01-13 12:19 45 --a------ C:\WINDOWS\system32\initdebug.nfo
2008-01-13 11:57 . 2008-01-13 11:59 <DIR> d-------- C:\Documents and Settings\dan.HOME-2A93A0681B\Application Data\LimeWire
2008-01-13 11:35 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-13 11:17 . 2008-01-13 11:18 <DIR> d-------- C:\Program Files\Exact Audio Copy
2008-01-13 07:57 . 2008-01-13 07:59 <DIR> d-------- C:\Program Files\Add Remove Pro
2008-01-12 21:48 . 2008-01-12 21:48 <DIR> d-------- C:\Program Files\eRightSoft
2008-01-12 20:33 . 2008-01-12 20:33 13,696 --a------ C:\WINDOWS\system32\wpa.bak
2008-01-12 20:31 . 2004-08-04 10:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-12 20:17 . 2008-01-12 20:17 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-01-12 20:16 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\000001_.tmp
2008-01-12 19:19 . 2004-08-04 10:56 96,768 --a------ C:\WINDOWS\system32\dpcdll.dll.wga
2008-01-12 19:19 . 2001-08-23 23:00 29,338 --a------ C:\WINDOWS\system32\EULA.TXT.wga
2008-01-12 19:19 . 2004-08-04 10:56 24,064 --a------ C:\WINDOWS\system32\pidgen.dll.wga
2008-01-12 16:38 . 2008-01-13 08:17 45,056 --a------ C:\WINDOWS\VM_STI.EXE
2008-01-12 15:52 . 2008-01-12 15:52 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-01-11 18:18 . 2008-01-11 18:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-10 18:20 . 2008-01-10 19:00 <DIR> d-------- C:\Documents and Settings\dan.HOME-2A93A0681B\.housecall6.6
2008-01-10 15:33 . 2008-01-10 16:09 <DIR> d-------- C:\Program Files\Consumer Update Firmware
2008-01-10 10:51 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-01-10 10:18 . 2008-01-13 13:59 <DIR> d-a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-01-10 08:52 . 2002-01-05 14:40 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2008-01-10 08:52 . 2002-01-05 15:37 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-01-10 08:52 . 2003-08-07 15:01 237,568 --a------ C:\WINDOWS\system32\lame_enc.dll
2008-01-10 08:50 . 2005-11-21 14:48 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2008-01-10 08:50 . 2005-11-21 14:48 16,512 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2008-01-04 13:42 . 2008-01-04 13:42 <DIR> d-------- C:\Program Files\iMesh Applications
2008-01-04 13:42 . 2006-11-12 11:39 483,328 --a------ C:\WINDOWS\system32\actskn45.ocx
2008-01-03 08:55 . 2008-01-03 09:03 <DIR> d-------- C:\Program Files\Ares Ultra
2007-12-23 10:16 . 2007-12-23 10:16 <DIR> d-------- C:\Documents and Settings\dan.HOME-2A93A0681B\Application Data\Media Player Classic

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-18 21:42 --------- d-----w C:\Documents and Settings\dan.HOME-2A93A0681B\Application Data\uTorrent
2008-01-17 23:00 --------- d-----w C:\Documents and Settings\dan.HOME-2A93A0681B\Application Data\AVG7
2008-01-16 04:20 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2008-01-15 09:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-15 09:10 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-13 05:03 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Avg7
2008-01-12 08:36 --------- d-----w C:\Program Files\MSN Messenger
2008-01-05 12:11 --------- d-----w C:\Documents and Settings\dan.HOME-2A93A0681B\Application Data\dvdcss
2007-12-22 22:15 --------- d-----w C:\Program Files\STOPzilla!
2007-12-22 22:15 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\ZILLAbar
2007-12-16 07:49 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-16 07:48 --------- d-----w C:\Program Files\Microsoft.NET
2007-12-12 07:38 --------- d-----w C:\Program Files\WordBiz
2007-12-09 10:45 --------- d-----w C:\Program Files\Winamp
2007-12-09 10:32 --------- d-----w C:\Program Files\MagicISO
2007-12-09 00:21 --------- d-----w C:\Program Files\ABC
2007-12-09 00:18 --------- d-----w C:\Program Files\uTorrent
2007-12-09 00:11 --------- d-----w C:\Program Files\Realtek
2007-12-09 00:11 --------- d-----w C:\Program Files\MSXML 6.0
2007-12-09 00:10 --------- d-----w C:\Program Files\MSXML 4.0
2007-12-08 23:48 --------- d-----w C:\Program Files\VideoLAN
2007-12-08 13:52 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\STOPzilla!
2007-12-08 13:49 --------- d-----w C:\Documents and Settings\dan.HOME-2A93A0681B\Application Data\STOPzilla!
2007-12-08 12:26 --------- d-----w C:\Program Files\SuperAdBlocker.com
2007-12-08 12:24 --------- d-----w C:\Documents and Settings\dan.HOME-2A93A0681B\Application Data\SuperAdBlocker.com
2007-11-25 21:29 --------- d-----w C:\Documents and Settings\dan\Application Data\Dealio
2007-11-22 21:30 --------- d-----w C:\Program Files\Java
2007-11-22 21:29 --------- d-----w C:\Program Files\Common Files\Java
2007-11-12 12:01 8,464 ----a-w C:\WINDOWS\system32\sporder.dll
2007-11-07 09:50 727,040 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 22:54 24,112 ----a-w C:\Documents and Settings\dan.HOME-2A93A0681B\Application Data\GDIPFONTCACHEV1.DAT
2007-10-27 08:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
.
<pre>
----a-w 5,674,352 2008-01-12 08:36:53 C:\Program Files\MSN Messenger\MsnMsgr .Exe
</pre>


((((((((((((((((((((((((((((( snapshot@2008-01-13_11.43.34.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-05-07 07:38:46 500,120 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2007-05-07 07:39:00 192,920 ----a-w C:\WINDOWS\Downloaded Program Files\fsauc.dll
+ 2007-05-07 07:39:24 254,360 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll
+ 2008-01-15 09:29:08 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-01-16 02:54:59 3,985,408 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-01-16 02:54:59 163,840 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-01-15 09:29:08 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-01-16 01:58:27 3,985,408 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-01-16 01:58:27 163,840 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2007-11-12 10:14:10 3,968 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
+ 2008-01-13 05:05:01 10,760 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
- 2007-11-12 10:14:10 19,904 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2008-01-13 05:04:58 26,952 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2008-01-13 05:03:53 4,960 ----a-w C:\WINDOWS\system32\drivers\avgtdi.sys
+ 1996-04-03 19:33:26 5,248 ----a-w C:\WINDOWS\system32\giveio.sys
+ 2007-07-27 06:49:02 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll
+ 2007-07-27 06:49:02 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
+ 2005-12-05 11:25:22 139,264 ----a-w C:\WINDOWS\system32\lnod32umc.dll
+ 2005-12-05 04:37:10 106,496 ----a-w C:\WINDOWS\system32\lnod32upd.dll
+ 2007-08-02 09:11:28 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
+ 2007-08-02 09:11:14 241,664 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
+ 2007-08-08 07:30:12 19,456 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
+ 2007-06-13 02:10:34 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
+ 2005-06-15 14:55:53 4,096 ----a-w C:\WINDOWS\system32\speedfan.sys
+ 2004-12-07 02:11:34 258,352 ----a-w C:\WINDOWS\system32\unicows.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

kaosjin
01-18-2008, 04:57 PM
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:56 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"LGMobileSyncLauncher"="C:\Program Files\CYON MobileSync\MobileSync\LG_MobileSync_Launcher_Setup.exe" [ ]
"Router"="C:\Program Files\Router\Router.exe" [ ]
"MsServer"="msfir80.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="-RTHDCPL.EXE" []
"SkyTel"="-SkyTel.EXE" []
"SoundMan"="-SOUNDMAN.EXE" []
"AlcWzrd"="-ALCWZRD.EXE" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-13 08:17 39792]
"BigDogPath"="C:\WINDOWS\VM_STI.exe" [2008-01-13 08:17 45056]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-13 00:44 8429568]
"nwiz"="nwiz.exe" [2007-04-13 00:44 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-13 00:44 81920]
"au"="C:\Program Files\Dealio\DealioAU.exe" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-13 14:05 579072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-01-13 08:17 132496]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 18:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-12 19:14 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="regsvr32 /s /n /i:u shell32" []

C:\Documents and Settings\dan\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-09-19 19:53:11]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-04-19 13:49:52]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

R1 BIOS;BIOS;C:\WINDOWS\system32\drivers\BIOS.sys [2005-03-16 15:23]
S1 SABKUTIL;SABKUTIL;C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys []
S3 rockusb;Driver for rockusb Device;C:\WINDOWS\system32\DRIVERS\rockusb.sys [2006-03-22 19:57]
S3 SKTBus;SK Telecom USB Composite device driver;C:\WINDOWS\system32\DRIVERS\SKTBus.sys [2007-05-30 16:29]
S3 SKTMdm;SK Telecom USB Modem;C:\WINDOWS\system32\DRIVERS\SKTMdm.sys [2007-05-30 16:29]
S3 SKTOBEX;SK Telecom USB OBEX Device Driver;C:\WINDOWS\system32\DRIVERS\SKTOBEX.sys [2007-05-30 16:30]
S3 SKTVsp;SK Telecom USB Virtual Serial Port Driver;C:\WINDOWS\system32\DRIVERS\SKTVsp.sys [2007-05-30 16:30]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79dcc9bc-b789-11dc-96b6-00e04d40d6fc}]
\Shell\Auto\command - E:\sal.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94e7974a-bef0-11dc-96bb-00e04d40d6fc}]
\Shell\Auto\command - sal.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94e7974b-bef0-11dc-96bb-00e04d40d6fc}]
\Shell\Auto\command - sal.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e426fd0d-b126-11dc-96ab-00e04d40d6fc}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Setup.pif

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-19 06:45:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MsServer = msfir80.exe???.

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-19 6:46:10
ComboFix-quarantined-files.txt 2008-01-18 21:46:02
ComboFix2.txt 2008-01-13 12:31:08
ComboFix3.txt 2008-01-13 11:23:26
ComboFix4.txt 2008-01-13 02:43:44
.
2008-01-12 11:35:45 --- E O F ---

Budfred
01-18-2008, 11:55 PM
Still showing signs of infection... Please go to this site and run the scan, then post the log:

http://www.kaspersky.com/virusscanner

If they are still there, please submit these to Jotti:

C:\WINDOWS\system32\initdebug.nfo
C:\WINDOWS\000001_.tmp
C:\WINDOWS\system32\dpcdll.dll.wga
C:\WINDOWS\system32\EULA.TXT.wga
C:\WINDOWS\system32\pidgen.dll.wga

Please go to Jotti's malware scan at http://virusscan.jotti.org/ and upload the files for scanning and post the results here.

kaosjin
01-19-2008, 03:00 AM
Scan taken on 19 Jan 2008 07:35:18 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

kaosjin
01-19-2008, 03:03 AM
I tried Kaspersky and it shut down my computer at about 80% complete. Now I am doing Jotti's.

kaosjin
01-19-2008, 03:19 AM
File: 000001_.tmp
Status:
OK
MD5: dc801056c6eb1fe72dfdaa96fbabaf13
Packers detected:
-
Bit9 reports: No threat detected

File: dpcdll.dll.wga
Status:
OK
MD5: f7fc12edd4f0c19490d37af9570c50f8
Packers detected:
-
Bit9 reports: No threat detected

File: EULA.TXT.wga
Status:
OK
MD5: 36716cfe138fb09e0ad03ff3b9387589
Packers detected:
-
Bit9 reports: Not analyzed yet

File: pidgen.dll
Status:
OK
MD5: 16c8c00746b6189059e032a176a8eccf
Packers detected:
-
Bit9 reports: No threat detected

Budfred
01-19-2008, 06:37 PM
I suggest trying Kaspersky again and make sure you don't run anything else while it is running so it is less likely to crash... If it doesn't work, do this:

Try running an MWavScan... It will produce a log in the lower window that has the bad list and you will need to use Ctrl-C to copy it and then paste it here for review.... If the list is extremely long, you can just paste the lines that begin with the word "File" since those are the ones we need to be most concerned about...
DO NOT post the upper window which contains everything that was scanned...

http://www.mwti.net/products/mwav/mwav.asp

It will suggest that you buy the product to fix what it finds, but that is not necessary... Just post the bad part of the scan and we will deal with it...

kaosjin
01-20-2008, 02:47 AM
Thank you for your effort. I tried Kaspersky again and it once more shut my computer down. I then ran MWavScan and yes, there is a long list in the lower box. 17 start with Object and the other 300 or so start with Entry. I think you want the following; if not, let me know.

Object "funwebproducts Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "grokster Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "grokster Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "trojan-downloader.bat.ftp.ab Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Object "trojan-downloader.bat.ftp.ab Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Object "trojan-downloader.bat.ftp.ab Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Object "xtractor plus Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "trojan-downloader.bat.ftp.ab Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Object "trojan-downloader.bat.ftp.ab Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Object "zillabar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "savenow Adware" found in File System! Action Taken: No Action Taken.
Object "regsort Corrupted Adware/Spyware" found in File System! Action Taken: No Action Taken.
Object "backdoor (ircbot) trojans Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Possible Fujacks-type Worm" found in File System! Action Taken: No Action Taken.
Object "Possible Fujacks-type Worm" found in File System! Action Taken: No Action Taken.
Object "Possible Fujacks-type Worm" found in File System! Action Taken: No Action Taken.
Object "Possible Fujacks-type Worm" found in File System! Action Taken: No Action Taken.

Budfred
01-20-2008, 01:34 PM
Did you not have any that began with "File"??

The fact that you are unable to complete those scans is worrisome, but the ComboFix results are unclear... Rather than doing another ComboFix scan which is providing ambiguous results, try this one and we can see if that narrows the suspects down...

Please download SilentRunners from here:
http://www.silentrunners.org/Silent%20Runners.zip
Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, it will create a logfile on the desktop. Please post the entire contents of this logfile for me to see.

kaosjin
01-20-2008, 05:25 PM
Thank you, Budfred, here is the logfile.

"Silent Runners.vbs", revision 55, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [file not found]
"LGMobileSyncLauncher" = "C:\Program Files\CYON MobileSync\MobileSync\LG_MobileSync_Launcher_Setup.exe" [file not found]
"Router" = "C:\Program Files\Router\Router.exe" [file not found]
"MsServer" = "msfir80.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"RTHDCPL" = "-RTHDCPL.EXE" [file not found]
"SkyTel" = "-SkyTel.EXE" [file not found]
"SoundMan" = "-SOUNDMAN.EXE" [file not found]
"AlcWzrd" = "-ALCWZRD.EXE" [file not found]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"BigDogPath" = "C:\WINDOWS\VM_STI.EXE KOCOM KMC-90 Web Camera" ["VM."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"au" = "C:\Program Files\Dealio\DealioAU.exe" [file not found]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["GRISOFT s.r.o."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{6A87B991-A31F-4130-AE72-6D0C294BF082}\(Default) = (no title provided)
-> {HKLM...CLSID} = "DealioBHO Class"
\InProcServer32\(Default) = "C:\Program Files\Dealio\kb124\Dealio.dll" [file not found]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
-> {HKLM...CLSID} = "History Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}" = "{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
-> {HKLM...CLSID} = "ImageExtractorShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL" [null data]
"{D66DC78C-4F61-447F-942B-3FB6980118CF}" = "{D66DC78C-4F61-447F-942B-3FB6980118CF}"
-> {HKLM...CLSID} = "CInfoTipShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["GRISOFT s.r.o."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\wpdshserviceobj.dll" [MS]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
-> {HKLM...CLSID} = "MShellExtMenu Class"
\InProcServer32\(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

kaosjin
01-20-2008, 05:26 PM
HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
-> {HKLM...CLSID} = "MShellExtMenu Class"
\InProcServer32\(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
-> {HKLM...CLSID} = "MShellExtMenu Class"
\InProcServer32\(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper2.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\dan.HOME-2A93A0681B\Local Settings\Application Data\Microsoft\Wallpaper2.bmp"


Startup items in "dan" & "All Users" startup folders:
-----------------------------------------------------

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup
"Microsoft Office OneNote 2003 Quick Launch" -> shortcut to: "C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE /tsr" [MS]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F}"
-> {HKLM...CLSID} = "Dealio"
\InProcServer32\(Default) = "C:\Program Files\Dealio\kb124\Dealio.dll" [file not found]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F}" = (no title provided)
-> {HKLM...CLSID} = "Dealio"
\InProcServer32\(Default) = "C:\Program Files\Dealio\kb124\Dealio.dll" [file not found]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{5C4C24D0-28B6-4B6B-B70F-E09848367F10}\(Default) = "Dealio"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Dealio\kb124\Dealio.dll" [file not found]

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_03"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_03"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{E908B145-C847-4E85-B315-07E2E70DECF8}\
"ButtonText" = "Dealio"
"MenuText" = "Dealio"
"CLSIDExtension" = "{9F038672-0425-4792-BC9C-36DE3308E8AA}"
-> {HKLM...CLSID} = "DealioToolbarHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Dealio\kb124\Dealio.dll" [file not found]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["GRISOFT s.r.o."]
AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVG7\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"C:\WINDOWS\System32\WUDFSvc.dll" [MS]}


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


---------- (launch time: 2008-01-21 07:19:40)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 35 seconds, including 18 seconds for message boxes)

Budfred
01-20-2008, 07:13 PM
That identifies a couple of things that were a problem, but it looks like they are already dead... Do this anyway to see if it can clean things up a bit more:

Open Notepad and copy/paste the text in the quotebox below into it:

File::
msfir80.exe
C:\WINDOWS\system32\ALCMTR.EXE

Folder::
C:\Program Files\Dealio
C:\Program Files\NewDotNet

Registry::
"MsServer" = "msfir80.exe" = -



Save this as CFScript.txt


http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Post the log in your next response...

Open a HJT scan and put checks by any of these that are still there:

O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb124\Dealio.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb124\Dealio.dll (file missing)
O4 - HKLM\..\Run: [Alcmtr] -ALCMTR.EXE
O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe
O4 - HKCU\..\Run: [MsServer] msfir80.exe
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb124\Dealio.dll (file missing)
O9 - Extra 'Tools' menuitem: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb124\Dealio.dll (file missing)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab
O23 - Service: NNServ - Unknown owner - C:\Program Files\NewDotNet\nnrun.exe (file missing)

Close all open windows except HJT and press Fix checked...

Reboot and post a fresh HJT log along with the ComboFix log... Let me know how your computer is running...
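
The fix list above is assembled by hand from two kinds of entries in the earlier logs: autostart values whose target the loaders could not find on disk (the `[ ]` / `[file not found]` entries such as MsServer and the Dealio items), and the mountpoints2 `Shell\Auto\command` and `Shell\AutoRun\command` handlers that ComboFix printed, which are what an autorun.inf on a removable drive leaves behind in the current user's hive. As an added example, not part of this thread and not code from ComboFix, SilentRunners or HijackThis, here is a small Python triage script that applies those same checks to ComboFix-style "Reg Loading Points" text. The sample log embedded in it is constructed to mirror the entries quoted in the thread rather than copied from the poster's log, and the regexes, finding labels and function names are my own choices.

```python
import re

# Constructed sample modelled on the ComboFix "Reg Loading Points" section
# quoted in this thread; it is not a copy of the poster's log.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:56 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"MsServer"="msfir80.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-13 14:05 579072]
"au"="C:\Program Files\Dealio\DealioAU.exe" [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79dcc9bc-b789-11dc-96b6-00e04d40d6fc}]
\Shell\Auto\command - E:\sal.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e426fd0d-b126-11dc-96ab-00e04d40d6fc}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Setup.pif
'''

# Line shapes in the log: a [registry key] header, a "name"="value" [info]
# Run entry, and a \Shell\<verb>\command line under a mountpoints2 key.
KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"\s*\[(?P<info>[^\]]*)\]$')
MOUNT_RE = re.compile(r'^\\Shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<cmd>.+)$')
ABS_PATH_RE = re.compile(r'^[A-Za-z]:\\')
EXEC_EXTS = ('exe', 'com', 'pif', 'scr', 'bat', 'cmd')


def parse_loading_points(text):
    """Split ComboFix-style text into Run-key entries and mountpoints2 handlers."""
    run_entries, mount_entries = [], []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = RUN_RE.match(line)
        if m and key:
            run_entries.append({'key': key, 'name': m.group('name'),
                                'value': m.group('value'),
                                'info': m.group('info').strip()})
            continue
        m = MOUNT_RE.match(line)
        if m and key and 'mountpoints2' in key.lower():
            mount_entries.append({'key': key, 'verb': m.group('verb'),
                                  'command': m.group('cmd')})
    return run_entries, mount_entries


def triage(run_entries, mount_entries):
    """Return the entries a helper would list for removal, each with its reasons."""
    findings = []
    for e in run_entries:
        reasons = []
        if not e['info']:
            # ComboFix prints [ ] or [] when it cannot find the target on disk:
            # an orphaned autostart that is still attempted at every logon.
            reasons.append('loader found no file on disk (orphaned autostart)')
        if not ABS_PATH_RE.match(e['value']):
            # A bare file name is resolved through the search path at logon,
            # so whatever first matches that name is what gets executed.
            reasons.append('target is not an absolute path')
        if reasons:
            findings.append({'key': e['key'], 'item': e['name'],
                             'target': e['value'], 'reasons': reasons})
    for e in mount_entries:
        # ShellExec_RunDLL launches its last argument; a direct command line
        # is the target itself, so the last token is the launched file.
        target = e['command'].split()[-1]
        base = target.rsplit('\\', 1)[-1]
        parts = base.lower().split('.')
        reasons = ['per-volume Shell\\%s handler (left by autorun.inf on a removable drive)' % e['verb']]
        if len(parts) > 2 and parts[-1] in EXEC_EXTS:
            reasons.append('double extension mimics a document: ' + base)
        if parts[-1] == 'pif':
            reasons.append('.pif runs as a program despite its shortcut-style extension')
        findings.append({'key': e['key'], 'item': 'Shell\\%s\\command' % e['verb'],
                         'target': target, 'reasons': reasons})
    return findings


def triage_text(text):
    """Parse and triage in one call."""
    return triage(*parse_loading_points(text))


if __name__ == '__main__':
    for f in triage_text(SAMPLE_LOG):
        print('%s -> %s' % (f['item'], f['target']))
        for r in f['reasons']:
            print('    ' + r)
```

On the sample the script reports the three orphaned Run values (MsnMsgr, MsServer with the extra "not an absolute path" reason, and au) and the three mountpoints2 handlers, noting the document-lookalike double extension on sal.xls.exe and the .pif target. Lines that do not match one of the three shapes are skipped silently, which is deliberate: forum-wrapped lines and the unrelated sections of a real log then fall through instead of producing false findings, and any entry that matters can be checked by eye against the log the way Budfred does above.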

kaosjin
01-20-2008, 07:42 PM
Thank you for all the help. Your help is greatly appreciated.
ComboFix log
ComboFix 08-01-13.1 - dan 2008-01-21 9:18:01.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1590 [GMT 9:00]
Running from: C:\Documents and Settings\dan.HOME-2A93A0681B\Desktop\ComboFix(2).exe
Command switches used :: C:\Documents and Settings\dan.HOME-2A93A0681B\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\ALCMTR.EXE
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\regedit.com
C:\WINDOWS\system32\taskmgr.com

.
((((((((((((((((((((((((( Files Created from 2007-12-21 to 2008-01-21 )))))))))))))))))))))))))))))))
.

2008-01-20 15:59 . 2008-01-20 15:59 <DIR> d-a------ C:\WINDOWS\zts2.exe
2008-01-20 15:59 . 2008-01-20 15:59 <DIR> d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2008-01-20 15:59 . 2008-01-20 15:59 <DIR> d-a------ C:\WINDOWS\system32\iifgfgf.dll
2008-01-20 15:59 . 2008-01-20 15:59 <DIR> d-a------ C:\WINDOWS\rundll16.exe
2008-01-20 15:59 . 2008-01-20 15:59 <DIR> d-a------ C:\WINDOWS\rundl132.dll
2008-01-20 15:59 . 2008-01-20 15:59 <DIR> d-a------ C:\WINDOWS\logo1_.exe
2008-01-20 13:07 . 2004-08-04 10:56 146,432 --a------ C:\WINDOWS\R.COM
2008-01-20 13:07 . 2004-08-04 10:56 135,680 --a------ C:\WINDOWS\system32\T.COM
2008-01-20 13:07 . 2008-01-21 07:10 26 --a------ C:\WINDOWS\Lic.xxx
2008-01-19 15:49 . 2008-01-19 15:49 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-19 15:49 . 2008-01-19 15:49 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-01-17 22:16 . 2008-01-17 22:16 <DIR> d-------- C:\Program Files\AVCT
2008-01-17 19:53 . 2008-01-17 20:55 <DIR> d-------- C:\Program Files\WinXMedia
2008-01-17 19:48 . 2008-01-17 19:48 <DIR> d-------- C:\OutputFolder
2008-01-16 18:14 . 2008-01-16 18:14 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\ESET
2008-01-16 17:16 . 2008-01-16 17:16 <DIR> d-------- C:\Documents and Settings\dan\DoctorWeb
2008-01-16 16:21 . 2008-01-16 16:21 <DIR> d-------- C:\Documents and Settings\dan\Application Data\Grisoft
2008-01-16 15:59 . 2008-01-16 16:02 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-01-16 15:48 . 2008-01-16 15:48 <DIR> d-------- C:\Documents and Settings\dan.HOME-2A93A0681B\DoctorWeb
2008-01-16 13:20 . 2008-01-16 13:20 <DIR> d-------- C:\Documents and Settings\dan.HOME-2A93A0681B\Application Data\Grisoft
2008-01-16 13:20 . 2007-05-30 21:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-16 10:58 . 2008-01-16 10:58 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-13 12:19 . 2008-01-13 12:19 45 --a------ C:\WINDOWS\system32\initdebug.nfo
2008-01-13 11:57 . 2008-01-13 11:59 <DIR> d-------- C:\Documents and Settings\dan.HOME-2A93A0681B\Application Data\LimeWire
2008-01-13 11:35 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-13 11:17 . 2008-01-13 11:18 <DIR> d-------- C:\Program Files\Exact Audio Copy
2008-01-13 07:57 . 2008-01-13 07:59 <DIR> d-------- C:\Program Files\Add Remove Pro
2008-01-12 21:48 . 2008-01-12 21:48 <DIR> d-------- C:\Program Files\eRightSoft
2008-01-12 20:33 . 2008-01-12 20:33 13,696 --a------ C:\WINDOWS\system32\wpa.bak
2008-01-12 20:31 . 2004-08-04 10:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-12 20:17 . 2008-01-12 20:17 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-01-12 20:16 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\000001_.tmp
2008-01-12 19:19 . 2004-08-04 10:56 96,768 --a------ C:\WINDOWS\system32\dpcdll.dll.wga
2008-01-12 19:19 . 2001-08-23 23:00 29,338 --a------ C:\WINDOWS\system32\EULA.TXT.wga
2008-01-12 19:19 . 2004-08-04 10:56 24,064 --a------ C:\WINDOWS\system32\pidgen.dll.wga
2008-01-12 16:38 . 2008-01-13 08:17 45,056 --a------ C:\WINDOWS\VM_STI.EXE
2008-01-12 15:52 . 2008-01-12 15:52 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-01-11 18:18 . 2008-01-11 18:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-10 18:20 . 2008-01-10 19:00 <DIR> d-------- C:\Documents and Settings\dan.HOME-2A93A0681B\.housecall6.6
2008-01-10 15:33 . 2008-01-10 16:09 <DIR> d-------- C:\Program Files\Consumer Update Firmware
2008-01-10 10:51 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-01-10 10:18 . 2008-01-13 13:59 <DIR> d-a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-01-10 08:52 . 2002-01-05 14:40 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2008-01-10 08:52 . 2002-01-05 15:37 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-01-10 08:52 . 2003-08-07 15:01 237,568 --a------ C:\WINDOWS\system32\lame_enc.dll
2008-01-10 08:50 . 2005-11-21 14:48 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2008-01-10 08:50 . 2005-11-21 14:48 16,512 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2008-01-04 13:42 . 2008-01-04 13:42 <DIR> d-------- C:\Program Files\iMesh Applications
2008-01-04 13:42 . 2006-11-12 11:39 483,328 --a------ C:\WINDOWS\system32\actskn45.ocx
2008-01-03 08:55 . 2008-01-03 09:03 <DIR> d-------- C:\Program Files\Ares Ultra
2007-12-23 10:16 . 2007-12-23 10:16 <DIR> d-------- C:\Documents and Settings\dan.HOME-2A93A0681B\Application Data\Media Player Classic

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-20 22:05 --------- d-----w C:\Documents and Settings\dan.HOME-2A93A0681B\Application Data\uTorrent
2008-01-20 10:58 --------- d-----w C:\Documents and Settings\dan.HOME-2A93A0681B\Application Data\AVG7
2008-01-16 04:20 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2008-01-15 09:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-15 09:10 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-13 05:03 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Avg7
2008-01-12 08:36 --------- d-----w C:\Program Files\MSN Messenger
2008-01-05 12:11 --------- d-----w C:\Documents and Settings\dan.HOME-2A93A0681B\Application Data\dvdcss
2007-12-22 22:15 --------- d-----w C:\Program Files\STOPzilla!
2007-12-22 22:15 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\ZILLAbar
2007-12-16 07:49 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-16 07:48 --------- d-----w C:\Program Files\Microsoft.NET
2007-12-12 07:38 --------- d-----w C:\Program Files\WordBiz
2007-12-09 10:45 --------- d-----w C:\Program Files\Winamp
2007-12-09 10:32 --------- d-----w C:\Program Files\MagicISO
2007-12-09 00:21 --------- d-----w C:\Program Files\ABC
2007-12-09 00:18 --------- d-----w C:\Program Files\uTorrent
2007-12-09 00:11 --------- d-----w C:\Program Files\Realtek
2007-12-09 00:11 --------- d-----w C:\Program Files\MSXML 6.0
2007-12-09 00:10 --------- d-----w C:\Program Files\MSXML 4.0
2007-12-08 23:48 --------- d-----w C:\Program Files\VideoLAN
2007-12-08 13:52 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\STOPzilla!
2007-12-08 13:49 --------- d-----w C:\Documents and Settings\dan.HOME-2A93A0681B\Application Data\STOPzilla!
2007-12-08 12:26 --------- d-----w C:\Program Files\SuperAdBlocker.com
2007-12-08 12:24 --------- d-----w C:\Documents and Settings\dan.HOME-2A93A0681B\Application Data\SuperAdBlocker.com
2007-11-25 21:29 --------- d-----w C:\Documents and Settings\dan\Application Data\Dealio
2007-11-22 21:30 --------- d-----w C:\Program Files\Java
2007-11-22 21:29 --------- d-----w C:\Program Files\Common Files\Java
2007-11-12 12:01 8,464 ----a-w C:\WINDOWS\system32\sporder.dll
2007-11-07 09:50 727,040 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 22:54 24,112 ----a-w C:\Documents and Settings\dan.HOME-2A93A0681B\Application Data\GDIPFONTCACHEV1.DAT
2007-10-27 08:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
.
<pre>
----a-w 5,674,352 2008-01-12 08:36:53 C:\Program Files\MSN Messenger\MsnMsgr .Exe
</pre>


((((((((((((((((((((((((((((( snapshot@2008-01-13_11.43.34.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-05-07 07:38:46 500,120 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2007-05-07 07:39:00 192,920 ----a-w C:\WINDOWS\Downloaded Program Files\fsauc.dll
+ 2007-05-07 07:39:24 254,360 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll
- 2008-01-13 02:36:12 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT

kaosjin
01-20-2008, 07:43 PM
+ 2008-01-21 00:17:48 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-13 02:36:12 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-21 00:17:48 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-13 02:36:12 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-21 00:17:48 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-13 02:36:12 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-21 00:17:49 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-13 02:36:12 3,985,408 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-21 00:17:49 3,985,408 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-13 02:36:12 163,840 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-21 00:17:49 163,840 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-15 09:29:08 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-01-16 02:54:59 3,985,408 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-01-16 02:54:59 163,840 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-01-15 09:29:08 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-01-16 01:58:27 3,985,408 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-01-16 01:58:27 163,840 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2007-11-12 10:14:10 3,968 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
+ 2008-01-13 05:05:01 10,760 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
- 2007-11-12 10:14:10 19,904 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2008-01-13 05:04:58 26,952 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2008-01-13 05:03:53 4,960 ----a-w C:\WINDOWS\system32\drivers\avgtdi.sys
+ 1996-04-03 19:33:26 5,248 ----a-w C:\WINDOWS\system32\giveio.sys
+ 2005-05-24 03:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 06:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 06:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-07-27 06:49:02 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll
+ 2007-07-27 06:49:02 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
+ 2005-12-05 11:25:22 139,264 ----a-w C:\WINDOWS\system32\lnod32umc.dll
+ 2005-12-05 04:37:10 106,496 ----a-w C:\WINDOWS\system32\lnod32upd.dll
+ 2007-08-02 09:11:28 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
+ 2007-08-02 09:11:14 241,664 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
+ 2007-08-08 07:30:12 19,456 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
+ 2007-06-13 02:10:34 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
+ 2005-06-15 14:55:53 4,096 ----a-w C:\WINDOWS\system32\speedfan.sys
+ 2004-12-07 02:11:34 258,352 ----a-w C:\WINDOWS\system32\unicows.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:56 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"LGMobileSyncLauncher"="C:\Program Files\CYON MobileSync\MobileSync\LG_MobileSync_Launcher_Setup.exe" [ ]
"Router"="C:\Program Files\Router\Router.exe" [ ]
"MsServer"="msfir80.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="-RTHDCPL.EXE" []
"SkyTel"="-SkyTel.EXE" []
"SoundMan"="-SOUNDMAN.EXE" []
"AlcWzrd"="-ALCWZRD.EXE" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-13 08:17 39792]
"BigDogPath"="C:\WINDOWS\VM_STI.exe" [2008-01-13 08:17 45056]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-13 00:44 8429568]
"nwiz"="nwiz.exe" [2007-04-13 00:44 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-13 00:44 81920]
"au"="C:\Program Files\Dealio\DealioAU.exe" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-13 14:05 579072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-01-13 08:17 132496]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 18:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-12 19:14 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="regsvr32 /s /n /i:u shell32" []

C:\Documents and Settings\dan\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-09-19 19:53:11]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-04-19 13:49:52]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

R1 BIOS;BIOS;C:\WINDOWS\system32\drivers\BIOS.sys [2005-03-16 15:23]
S1 SABKUTIL;SABKUTIL;C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys []
S3 rockusb;Driver for rockusb Device;C:\WINDOWS\system32\DRIVERS\rockusb.sys [2006-03-22 19:57]
S3 SKTBus;SK Telecom USB Composite device driver;C:\WINDOWS\system32\DRIVERS\SKTBus.sys [2007-05-30 16:29]
S3 SKTMdm;SK Telecom USB Modem;C:\WINDOWS\system32\DRIVERS\SKTMdm.sys [2007-05-30 16:29]
S3 SKTOBEX;SK Telecom USB OBEX Device Driver;C:\WINDOWS\system32\DRIVERS\SKTOBEX.sys [2007-05-30 16:30]
S3 SKTVsp;SK Telecom USB Virtual Serial Port Driver;C:\WINDOWS\system32\DRIVERS\SKTVsp.sys [2007-05-30 16:30]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79dcc9bc-b789-11dc-96b6-00e04d40d6fc}]
\Shell\Auto\command - E:\sal.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94e7974a-bef0-11dc-96bb-00e04d40d6fc}]
\Shell\Auto\command - sal.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94e7974b-bef0-11dc-96bb-00e04d40d6fc}]
\Shell\Auto\command - sal.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e426fd0d-b126-11dc-96ab-00e04d40d6fc}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Setup.pif

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-21 09:18:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MsServer = msfir80.exe???.

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-21 9:19:19
ComboFix-quarantined-files.txt 2008-01-21 00:19:12
ComboFix2.txt 2008-01-18 21:46:10
ComboFix3.txt 2008-01-13 12:31:08
ComboFix4.txt 2008-01-13 11:23:26
ComboFix5.txt 2008-01-13 02:43:44
.
2008-01-12 11:35:45 --- E O F ---
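The MountPoints2 entries and the Run-key values in the ComboFix log above are the items a reviewer picks out by eye: companion .com files named after system tools (regedit.com, taskmgr.com, which cmd.exe's default PATHEXT order tries before the .exe), Run values whose target ComboFix could not find (printed as "[ ]"), and per-drive autorun commands that launch sal.xls.exe or Setup.pif from the root of an inserted drive. As an added example, not part of this thread and not ComboFix's own code, the Python below applies those three checks to a constructed excerpt modelled on the log. The excerpt, the list of tool names treated as shadowed, and the reading of empty brackets as a missing target are the example's assumptions.

```python
"""Triage heuristics for ComboFix-style log text.

Added example, not part of the original thread or of ComboFix itself.
It re-implements three checks a reviewer applies by eye to such a log:
  1. companion .COM files named after system tools (regedit.com, taskmgr.com);
  2. Run-key entries whose target could not be found ("[ ]" / "[]");
  3. MountPoints2 Shell\\Auto(Run)\\command values, i.e. autorun hijacks
     planted by a removable-drive worm.
"""
from __future__ import annotations

import re

# Constructed excerpt modelled on the log in this thread (not the full log).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\regedit.com
C:\WINDOWS\system32\taskmgr.com

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:56 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"MsServer"="msfir80.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79dcc9bc-b789-11dc-96b6-00e04d40d6fc}]
\Shell\Auto\command - E:\sal.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e426fd0d-b126-11dc-96ab-00e04d40d6fc}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Setup.pif
"""

# Tools a user launches by bare name; cmd.exe's default PATHEXT tries .COM before
# .EXE, so a same-named .com on the search path wins. The list is an assumption.
SHADOWED_TOOLS = {"regedit", "taskmgr", "cmd", "msconfig", "explorer"}

COM_RE = re.compile(r"^[A-Za-z]:\\.*\\([^\\]+)\.com$", re.IGNORECASE)
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[\s*\]$')
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$", re.IGNORECASE)
MP_CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+)$", re.IGNORECASE)
# Payload name after "RunDLL32 ... ShellExec_RunDLL"; otherwise the command itself.
SHELLEXEC_RE = re.compile(r"ShellExec_RunDLL\s+(.+)$", re.IGNORECASE)


def companion_com_files(log: str) -> list[str]:
    """Paths ending in <tool>.com where <tool> is a system utility name."""
    hits = []
    for line in log.splitlines():
        m = COM_RE.match(line.strip())
        if m and m.group(1).lower() in SHADOWED_TOOLS:
            hits.append(line.strip())
    return hits


def missing_run_targets(log: str) -> list[tuple[str, str]]:
    """Run-key values whose file info is empty: target not found or a bare name."""
    found = []
    in_run_key = False
    for line in log.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            in_run_key = key.group(1).lower().endswith("\\run")
            continue
        if in_run_key:
            m = RUN_VALUE_RE.match(line)
            if m:
                found.append((m.group(1), m.group(2)))
    return found


def mountpoints_autorun(log: str) -> dict[str, list[tuple[str, str]]]:
    """Device GUID -> [(verb, launched file)] for every MountPoints2 command."""
    result: dict[str, list[tuple[str, str]]] = {}
    guid = None
    for line in log.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            k = key.group(1)
            guid = k.rsplit("\\", 1)[1] if "mountpoints2\\" in k.lower() else None
            continue
        if guid is None:
            continue
        m = MP_CMD_RE.match(line)
        if m:
            verb, cmd = m.group(1), m.group(2)
            se = SHELLEXEC_RE.search(cmd)
            launched = se.group(1).strip() if se else cmd
            result.setdefault(guid, []).append((verb, launched))
    return result


def autorun_payloads(log: str) -> set[str]:
    """Distinct file names an inserted drive would launch; what to hunt for."""
    names = set()
    for entries in mountpoints_autorun(log).values():
        for _verb, launched in entries:
            names.add(launched.rsplit("\\", 1)[-1].lower())
    return names


if __name__ == "__main__":
    print("companion .com files:", companion_com_files(SAMPLE_LOG))
    print("run entries with missing target:", missing_run_targets(SAMPLE_LOG))
    for g, e in mountpoints_autorun(SAMPLE_LOG).items():
        print(g, e)
    print("autorun payloads to hunt:", sorted(autorun_payloads(SAMPLE_LOG)))
```

Run stand-alone it prints the two deleted .com companions, the two Run values with no file details, and a per-GUID list of what an inserted drive would launch. autorun_payloads() collapses that to the file names (sal.xls.exe, Setup.pif) worth looking for on the removable drives that were plugged in; the first GUID's Auto verb points at E:\, not at the system drive.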

kaosjin
01-20-2008, 07:43 PM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:08 AM, on 1/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20696)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\VM_STI.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\dan.HOME-2A93A0681B\Desktop\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RTHDCPL] -RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] -SkyTel.EXE
O4 - HKLM\..\Run: [SoundMan] -SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] -ALCWZRD.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE KOCOM KMC-90 Web Camera
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LGMobileSyncLauncher] C:\Program Files\CYON MobileSync\MobileSync\LG_MobileSync_Launcher_Setup.exe
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - -"C:\Program Files\Windows Media Player\WMPNetwk.exe" (file missing)

--
End of file - 6307 bytes

kaosjin
01-20-2008, 08:49 PM
Hi Budfred,
I want to thank you for all your help and now I can play a DVD without my computer crashing. That is very nice. When I try to convert shows to play on my MP4, it converts one, and on the second one my computer shuts down. I will have my XP CD here in two weeks and hopefully then we can fix that problem. Once more thank you.
Dan

Budfred
01-20-2008, 10:58 PM
I am afraid you have picked up at least one more trojan recently... McAfee has apparently identified this one, so use their online scan... I am not sure how much cleaning or what logs it will give you, but copy whatever info isn't available by log...

http://us.mcafee.com/root/mfs/default.asp

Also, please check this folder to see if there is anything there...

C:\WINDOWS\zts2.exe

Check these files at Jotti:

C:\WINDOWS\Lic.xxx
C:\WINDOWS\system32\lnod32apiW.dll

Use Windows Search to find and submit this file:

sal.xls.exe

Please go to Jotti's malware scan at http://virusscan.jotti.org/ and upload the file for scanning and post the results here.

I don't know for sure when these appeared, but most of this wasn't in earlier scans, so it looks like it is recent... Please avoid the web as much as possible until this is all cleaned up... It is likely your passwords and other personal data are already compromised, but other problems may multiply as you pick up infections... It also appears that you are not running a firewall or antivirus and that is probably a big part of the reason you are getting infected... They can infect you quicker than I can help you clean it up...

kaosjin
01-21-2008, 06:03 PM
C:\WINDOWS\zts2.exe is empty
I do have windows firewall on and I run avg and avg antispyware

File: lnod32apiW.dll Status:
OK
MD5: d4d79b74e4ee5a01073ced642a82aa1f Packers detected:
-
Bit9 reports: No threat detected

Status:
OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 02d7dfffcc69bb011f46bb817509187a Packers detected:
-
Bit9 reports: File not found

sal.xls.exe: the search says this is located in combo fix 08, and when I open it I cannot locate it.
I ran McAfee and it shut down my computer.
I hope these results help.
Thank you

Budfred
01-21-2008, 09:29 PM
C:\WINDOWS\zts2.exe is empty
I do have windows firewall on and I run avg and avg antispyware

File: lnod32apiW.dll Status:
OK
MD5: d4d79b74e4ee5a01073ced642a82aa1f Packers detected:
-
Bit9 reports: No threat detected

Status:
OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 02d7dfffcc69bb011f46bb817509187a Packers detected:
-
Bit9 reports: File not found

sal.xls.exe: the search says this is located in combo fix 08, and when I open it I cannot locate it.
I ran McAfee and it shut down my computer.
I hope these results help.
Thank you
Well, not enough...

I missed that you are running AVG Antivirus... However, the Windows Firewall will only protect against incoming threats (and probably not well)... The trojans you have are sending out messages and it won't block those at all...

I don't know what you are saying about this file:

sal.xls.exe

I don't know what "combo fix 08" is...

Did you scan Lic.xxx??

I am not sure you are ever going to get ahead of these infections if you can't complete those online scans...

Try this... Reboot to Safe Mode with Networking (but not connected to the internet)... Turn on your antivirus and firewall manually, then connect to the internet and try to run the online scans... Attempt each one I have suggested until you either get them all done or they all fail or some combination... Post the logs... Start with the last one...

kaosjin
01-22-2008, 11:12 PM
I thank you for all your help, but it looks like I will have to wait until I get my XP CD in order to continue. I downloaded Comodo firewall as a second firewall.
When I do a search for sal.xls.exe it comes up in combo fix 8. I believe it is one of the combofix text files. I tried to run another online scan in safe mode as requested and my computer shut down as soon as I started. Now when I play music with Winamp it plays for about 10 minutes and my computer shuts down. I think it is best to wait for the CD and then try what you recommended in your earlier post. I think I just want to uninstall the Windows XP I have now and reinstall the new one once my disc arrives. Once more, thank you for all your help Budfred.
Dan

Budfred
01-22-2008, 11:46 PM
What is the path for the file that you say is in combo fix 08?? It should have a path, not the name of a file...

Also, if you run Comodo, make sure that Windows firewall is turned off... Running 2 firewalls at the same time is likely to make them both ineffective...

If you are going to wipe/reinstall, still it is a good idea to stay offline as much as possible and definitely avoid any financial transactions online... As soon as you get set up again, change passwords to forums like this and anything else you access online...