Resolved Connection Issues Malware Trojan

DDS.txt

DDS (Ver_10-12-12.02) - NTFSx86
Run by James Connelly at 12:32:39.10 on 26/02/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2046.1455 [GMT 0:00]

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\James Connelly\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Mobile Partner] c:\program files\t-mobile\web'n'walk usb manager\web'n'walk USB manager.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\documents and settings\james connelly\desktop\PartyPoker.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1282821866160
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1283207610406
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jamesc~1\applic~1\mozilla\firefox\profiles\0fl13izb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\internet stuff\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Update Service: updater@foxstart.com - c:\internet stuff\mozilla firefox\extensions\updater@foxstart.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\internet stuff\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\internet stuff\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
FF - Ext: AVG Security Toolbar em:version=6.011.025.001 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\avg\avg10\toolbar\firefox\avg@igeared
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-12-10 64288]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 299984]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-2-25 532224]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-3 136176]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2010-10-15 517448]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2011-02-26 11:19:31 88960 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2011-02-26 11:19:31 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2011-02-26 11:19:22 -------- d-----w- c:\program files\T-Mobile
2011-02-26 00:15:29 -------- d-----w- c:\program files\CCleaner
2011-02-25 23:39:57 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2011-02-25 23:39:57 -------- d-----w- c:\windows\system32\ZoneLabs
2011-02-25 23:39:54 -------- d-----w- c:\program files\Zone Labs
2011-02-25 23:39:11 -------- d-----w- c:\windows\Internet Logs
2011-02-25 23:36:39 -------- d-----w- c:\docume~1\alluse~1\applic~1\ZA_PreservedFiles
2011-02-25 09:11:00 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-02-25 09:11:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-02-25 09:06:04 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-25 04:57:14 -------- d-----w- C:\GMER
2011-02-24 18:01:27 -------- d-----w- c:\docume~1\jamesc~1\applic~1\SUPERAntiSpyware.com
2011-02-24 18:01:27 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-02-24 18:01:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-02-24 14:46:50 -------- d-----w- c:\windows\pss
2011-02-24 02:14:19 44 ---h--w- c:\program files\ee3aca9b.tmp
2011-02-20 22:21:31 -------- d-----w- c:\documents and settings\james connelly\WINDOWS
2011-02-20 22:21:24 8192 ----a-w- c:\temp\gtainstaller\_ISDEL.EXE
2011-02-20 22:21:24 59904 ----a-w- c:\temp\gtainstaller\SETUP.EXE
2011-02-20 22:21:24 11264 ----a-w- c:\temp\gtainstaller\_setup.dll
2011-02-20 22:20:52 -------- d-----w- C:\TEMP
2011-02-14 14:23:47 -------- d-----w- c:\docume~1\jamesc~1\applic~1\Mozilla-Cache

==================== Find3M ====================

2011-02-25 09:05:49 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-20 06:35:07 252256 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-02-20 06:35:07 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-02-20 06:35:02 252256 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-08 03:27:00 941160 ----a-w- c:\windows\system32\nvdispco322090.dll
2011-01-08 03:27:00 837736 ----a-w- c:\windows\system32\nvgenco322040.dll
2011-01-08 03:27:00 6397824 ----a-w- c:\windows\system32\nv4_disp.dll
2011-01-08 03:27:00 61440 ----a-w- c:\windows\system32\OpenCL.dll
2011-01-08 03:27:00 4980736 ----a-w- c:\windows\system32\nvcuda.dll
2011-01-08 03:27:00 2916968 ----a-w- c:\windows\system32\nvcuvid.dll
2011-01-08 03:27:00 2292678 ----a-w- c:\windows\system32\nvdata.bin
2011-01-08 03:27:00 2251368 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-01-08 03:27:00 1958400 ----a-w- c:\windows\system32\nvapi.dll
2011-01-08 03:27:00 14671872 ----a-w- c:\windows\system32\nvoglnt.dll
2011-01-08 03:27:00 13004800 ----a-w- c:\windows\system32\nvcompiler.dll
2011-01-07 19:56:54 81920 ----a-w- c:\windows\system32\nvwddi.dll
2011-01-07 19:56:50 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll
2011-01-07 19:56:48 277608 ----a-w- c:\windows\system32\nvmccs.dll
2011-01-07 19:56:48 156776 ----a-w- c:\windows\system32\nvsvc32.exe
2011-01-07 19:56:48 145000 ----a-w- c:\windows\system32\nvcolor.exe
2011-01-07 19:56:48 13880424 ----a-w- c:\windows\system32\nvcpl.dll
2011-01-07 19:56:48 111208 ----a-w- c:\windows\system32\nvmctray.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2011-01-07 06:14:45 57344 ----a-w- C:\clipstreamsa.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-25 13:21:23 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:07 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-11-29 17:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 17:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

============= FINISH: 12:33:40.34 ===============

Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 26/08/2010 02:14:27
System Uptime: 26/02/2011 12:26:00 (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | P5N-D
Processor: Intel(R) Pentium(R) D CPU 3.20GHz | Socket 775 | 3200/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 373 GiB total, 178.221 GiB free.
D: is CDROM (UDF)
E: is CDROM (UDF)
F: is Removable
G: is Removable
H: is Removable
I: is Removable
J: is CDROM (CDFS)

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\D573FD1E8C00
Manufacturer: Microsoft
Name: 1394 Net Adapter #2
PNP Device ID: V1394\NIC1394\D573FD1E8C00
Service: NIC1394

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: NVIDIA nForce Networking Controller
Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0269\4&10B48CE1&0&00
Manufacturer: NVIDIA
Name: NVIDIA nForce 10/100/1000 Mbps Ethernet
PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0269\4&10B48CE1&0&00
Service: NVENETFD

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Adobe Flash Player 10 Plugin
AfterWorld Alpha
Age of Empires III
Audacity 1.2.6
AVG 2011
Battlefield Vietnam(TM)
Blue Byte Game Channel
Call of Duty(R) 4 - Modern Warfare(TM)
Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch
Call of Duty: Modern Warfare 2 - Multiplayer
CCleaner
Command & Conquer 3
Counter-Strike: Source
Dungeon Siege
EVE Online (remove only)
FEAR
GameSpy Arcade
Garry's Mod
Google Earth
Google Update Helper
Grand Theft Auto
Grand Theft Auto IV
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Java Auto Updater
Java(TM) 6 Update 24
Junk Mail filter update
LAME v3.98.2 for Audacity
LightScribe 1.4.124.1
Logitech Webcam Software
LSI PCI-SV92PP Soft Modem
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.13)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NVIDIA Control Panel 266.58
NVIDIA Drivers
NVIDIA Graphics Driver 266.58
NVIDIA Install Application
NVIDIA nView 135.50
NVIDIA nView Desktop Manager
OpenOffice.org 3.2
PartyPoker
PKR
PunkBuster for Battlefield Vietnam
QuickTime
Realtek High Definition Audio Driver
RuneScape Launcher 1.0.4
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile Composite Device Software
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio 3
Samsung PC Studio 3 USB Driver Installer
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB923789)
Segoe UI
Skype™ 5.0
Spybot - Search & Destroy
Steam
Stronghold 2 Deluxe
SUPERAntiSpyware
System Requirements Lab
Team Fortress Classic
The Settlers IV
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB982664)
Update for Windows XP (KB971029)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 1.1.5
web'n'walk USB manager
WebFldrs XP
Winamp
Winamp Detector Plug-in
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Mail
Windows Live Messenger
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR archiver
WinUAE 2.3.0
Xfire (remove only)
ZoneAlarm

==== Event Viewer Messages From Past Week ========

25/02/2011 23:39:31, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Avgldx86 Avgmfx86 Avgtdix Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL StarOpen Tcpip
25/02/2011 23:38:53, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
25/02/2011 23:19:54, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
25/02/2011 23:19:09, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
25/02/2011 23:19:08, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
25/02/2011 23:18:31, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Avgldx86 Avgmfx86 Avgtdix Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL StarOpen Tcpip vsdatant
25/02/2011 23:18:31, error: Service Control Manager [7001] - The TrueVector Internet Monitor service depends on the vsdatant service which failed to start because of the following error: A device attached to the system is not functioning.
25/02/2011 23:18:31, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
25/02/2011 23:18:31, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
25/02/2011 23:18:31, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
25/02/2011 23:18:31, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
25/02/2011 04:34:07, error: ipnathlp [31012] - The DNS proxy agent encountered an error while obtaining the local list of name-resolution servers. Some DNS or WINS servers may be inaccessible to clients on the local network. The data is the error code.
25/02/2011 04:23:49, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
24/02/2011 19:05:32, error: ipnathlp [31008] - The DNS proxy agent was unable to read the local list of name-resolution servers from the registry. The data is the error code.
24/02/2011 17:44:28, error: Service Control Manager [7034] - The Process Monitor service terminated unexpectedly. It has done this 1 time(s).
24/02/2011 17:44:28, error: Service Control Manager [7034] - The LightScribeService Direct Disc Labeling Service service terminated unexpectedly. It has done this 1 time(s).
24/02/2011 17:44:28, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
24/02/2011 17:44:28, error: Service Control Manager [7034] - The Agere Modem Call Progress Audio service terminated unexpectedly. It has done this 1 time(s).
24/02/2011 17:44:28, error: Service Control Manager [7031] - The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
24/02/2011 17:44:28, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
24/02/2011 17:44:17, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
24/02/2011 17:23:16, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.

==== End Of File ===========================

Welcome to TechSpot! I'll be glad to check the logs. But you should understand that a dropped connection may have nothing to do with malware.

It does appear that you have a torrent download running from the temp folder. Please uninstall/delete that process. Cleaning a system with file sharing in the background is not effective:
2011-02-20 22:21:24 8192 ----a-w- c:\temp\gtainstaller\_ISDEL.EXE
2011-02-20 22:21:24 59904 ----a-w- c:\temp\gtainstaller\SETUP.EXE
2011-02-20 22:21:24 11264 ----a-w- c:\temp\gtainstaller\_setup.dll
==========================================
Please run the following: Run Eset NOD32 Online AntiVirus scan HEREhttp://www.eset.eu/online-scanner

1. Tick the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the Active X control to install
4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
5. Click Start
6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
7. Click Scan
8. Wait for the scan to finish
9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
10. Click anywhere in the post where you want the logs to go, the do Ctrl V. The log will be sent from the clipboard and pasted in the post.
11. Re-enable your Antivirus software.
    NOTE: If you forget to copy to the cli[board, you can find the log here:
    C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

======================================
NOTE: Combofix will not run with AVG installed. You can remove it with the following, then reinstall it after we are through:
Download AppRemover and save to the desktop]

1. Double click the setup on the desktop> click Next
2. Select “Remove Security Application”
3. Let scan finish to determine security apps
4. A screen like below will appear:
   https://www.techspot.com/downloads/5514-appremover.htmlabout/chooseuninstall.gif/image_preview[/img[*] Click on [b]Next[/b] after choice has been made
   [*] Check the AVG program you want to uninstall
   [*] After uninstall shows complete, follow online prompts to Exit the program.[/list]
   ==========================================
   ==========================================
   [b]Download Combofix to your desktop from one of these locations:[/b][b]
   [url=http://www.bleepingcomputer.com/download/anti-virus/combofix]Link 1[/url]
   [url=http://www.forospyware.com/sUBs/ComboFix.exe]Link 2[/b][/url][list]
   [*]Double click combofix.exe & follow the prompts.
   [*]As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
   [*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
   [*][B]Query- Recovery Console image[/B]
   [img]http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
   

   WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

   Click to expand...

5. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
   
   
6. .Click on Yes, to continue scanning for malware
7. .If Combofix asks you to update the program, allow
8. .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
9. .Close any open browsers.
10. .Double click combofix.exe
    
    & follow the prompts to run.
11. When the scan completes it will open a text window. Please paste that log in your next reply.

Re-enable your Antivirus software.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

before i do anything. i arnt intentionally running that, didnt know i was. can i just delete the folder or shall i do all your steps and that will delete it?

also thanks very much for helping me.
ill try and get through this quickly

Esets

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=2ca49f8c575d0b4b95c04a690929654e
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-02-26 05:44:44
# local_time=2011-02-26 05:44:44 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1032 16777189 100 95 31832 42028008 0 0
# compatibility_mode=8192 67108863 100 0 3994 3994 0 0
# compatibility_mode=9217 16777214 75 70 63952 8813256 0 0
# scanned=99897
# found=0
# cleaned=0
# scan_time=4669

combofix

it wont let me post the combofix log here by pasting it. says im trying to attach 16 images :S
I have added it as an attachment. hope thats ok.

Sorry, it is too time consuming for me to work from an attachment. But I did open the log and see no reason why you can't paste it.

Be sure you followed the instruction for saving, copying and pasting the log.

The following errors occurred with your submission:

1. You have included 16 images in your message. You are limited to using 6 images so please go back and correct the problem and then continue again.

Images include use of smilies, the BB code tag and HTML <img> tags. The use of these is all subject to them being enabled by the administrator.


thats what it says when i try to copy the text into a reply. ill try and find a solution

You saved to the wrong place. Follow this:

First: Uninstall ComboFix and all Backups of the files it deleted

• Click START> then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Second, go back for new download and follow this:

1. Download Combofix again.
2. When this screen comes up> Click on Save
   
   
3. When screen comes up with Location> Where is says Save In> Use the down arrow point on the right and set to Desktop
   
   
4. When you double-click on combofix.exe on the dekstop, you will get this:
   
   
5. Click on Run
6. When ComboFix has finished,it will then display the log file automatically for you as shown below.
   
   
7. You should now post this log in a reply:
   [o]In Notepad> click on Edit> Select All> Edit> Copy
   [o]Click anywhere in the empty Reply box where you will paste it> then use right mouse button> Paste

All screen shots Courtesy BleepingComputer

ok i re did everything you said installed it to the desktop. tried to copy the log straight from the scan over to here and it is still telling me i am trying to put too many images or somthing. strange. this is a picture of what it is telling me.

oh dear lol

ok ive been looking around and ive found some bad things.

There is a folder in the C:\ drive that is hidden. it is running things from there. not sure what. its also infected AVG (which i reinstalled after the last combofix scan)
the hidden folder in C:\ is:- C:\32788R22FWJFW there are various programs in there that i can see in zone alarms program list.
i cant acces that or see it in the C:\ even when hidden folders are shown.

according to zone alarm in my AVG folder there is somthing called 'Xobni. Love email again.' Crogram FilesAVG\AVG10\Notification\XobniMiniAVGSetup.exe

also on the program lists ive got
Freeware implementation of REG.EXE 3 times located in C:\Documents and Settings\James Connelly\Local Settings\temp
which i also cant see..

and got Freeware implementation of SC.EXE and Freeware implementation of XCACLS both of them are in C:\32788R22FWJFW


ive tried searching quick on google but it seems really bad. im disconnecting from the internet though and only periodically checking back to read here. i need to post that log from combofix. would a log from hijackthis help at all if i can get it posted? will check back in 15 minutes for a reply. bet you regret trying to help me now lol.

im physically disconnecting the modem from the computer for piece of mind lol. please try and help .
just tell me what i need to do.
thanks and sorry lol.

ComboFix 11-02-25.02 - James Connelly 27/02/2011 5:47.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2046.1484 [GMT 0:00]
Running from: c:\documents and settings\James Connelly\Desktop\ComboFix.exe
FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2011-01-27 to 2011-02-27 )))))))))))))))))))))))))))))))
.

2011-02-26 11:19 . 2007-03-05 07:55 88960 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2011-02-26 11:19 . 2007-03-05 07:55 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2011-02-26 11:19 . 2011-02-26 11:19 -------- d-----w- c:\program files\T-Mobile
2011-02-26 00:15 . 2011-02-26 00:15 -------- d-----w- c:\program files\CCleaner
2011-02-25 23:40 . 2010-11-16 17:45 69120 ----a-w- c:\windows\system32\zlcomm.dll
2011-02-25 23:40 . 2010-11-16 17:45 104448 ----a-w- c:\windows\system32\zlcommdb.dll
2011-02-25 23:39 . 2011-02-25 23:40 -------- d-----w- c:\windows\system32\ZoneLabs
2011-02-25 23:39 . 2010-11-16 17:45 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2011-02-25 23:39 . 2011-02-25 23:39 -------- d-----w- c:\program files\Zone Labs
2011-02-25 23:39 . 2011-02-27 05:32 -------- d-----w- c:\windows\Internet Logs
2011-02-25 23:36 . 2011-02-25 23:36 -------- d-----w- c:\documents and settings\All Users\Application Data\ZA_PreservedFiles
2011-02-25 23:19 . 2011-02-25 23:19 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-02-25 09:11 . 2011-02-26 05:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-02-25 09:11 . 2011-02-25 09:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-02-25 09:06 . 2011-02-25 09:06 -------- d-----w- c:\program files\Common Files\Java
2011-02-25 09:06 . 2011-02-25 09:05 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-25 09:05 . 2011-02-25 09:05 -------- d-----w- c:\program files\Java
2011-02-25 04:57 . 2011-02-25 04:57 -------- d-----w- C:\GMER
2011-02-24 18:01 . 2011-02-24 18:01 -------- d-----w- c:\documents and settings\James Connelly\Application Data\SUPERAntiSpyware.com
2011-02-24 18:01 . 2011-02-24 18:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-02-24 18:01 . 2011-02-24 18:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-02-24 02:14 . 2011-02-22 14:14 44 ---h--w- c:\program files\ee3aca9b.tmp
2011-02-20 22:21 . 2011-02-20 22:21 -------- d-----w- c:\documents and settings\James Connelly\WINDOWS
2011-02-14 15:10 . 2011-02-14 15:10 -------- d-----w- c:\documents and settings\Adam Capewell
2011-02-14 14:23 . 2011-02-14 14:24 -------- d-----w- c:\documents and settings\James Connelly\Application Data\Mozilla-Cache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-25 09:05 . 2010-08-26 16:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-21 14:44 . 2008-04-14 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-08 03:27 . 2011-01-24 21:50 837736 ----a-w- c:\windows\system32\nvgenco322040.dll
2011-01-08 03:27 . 2011-01-24 21:50 941160 ----a-w- c:\windows\system32\nvdispco322090.dll
2011-01-08 03:27 . 2010-08-29 16:46 61440 ----a-w- c:\windows\system32\OpenCL.dll
2011-01-08 03:27 . 2010-08-29 16:46 2916968 ----a-w- c:\windows\system32\nvcuvid.dll
2011-01-08 03:27 . 2010-08-29 16:46 2251368 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-01-08 03:27 . 2010-08-29 16:45 13004800 ----a-w- c:\windows\system32\nvcompiler.dll
2011-01-08 03:27 . 2008-10-09 09:26 14671872 ----a-w- c:\windows\system32\nvoglnt.dll
2011-01-08 03:27 . 2008-10-09 09:23 4980736 ----a-w- c:\windows\system32\nvcuda.dll
2011-01-08 03:27 . 2008-10-09 09:21 9888672 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2011-01-08 03:27 . 2008-10-09 09:21 1958400 ----a-w- c:\windows\system32\nvapi.dll
2011-01-08 03:27 . 2008-10-09 09:20 6397824 ----a-w- c:\windows\system32\nv4_disp.dll
2011-01-07 19:56 . 2011-01-07 19:56 81920 ----a-w- c:\windows\system32\nvwddi.dll
2011-01-07 19:56 . 2011-01-07 19:56 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll
2011-01-07 19:56 . 2011-01-07 19:56 277608 ----a-w- c:\windows\system32\nvmccs.dll
2011-01-07 19:56 . 2011-01-07 19:56 156776 ----a-w- c:\windows\system32\nvsvc32.exe
2011-01-07 19:56 . 2011-01-07 19:56 145000 ----a-w- c:\windows\system32\nvcolor.exe
2011-01-07 19:56 . 2011-01-07 19:56 13880424 ----a-w- c:\windows\system32\nvcpl.dll
2011-01-07 19:56 . 2011-01-07 19:56 111208 ----a-w- c:\windows\system32\nvmctray.dll
2011-01-07 14:09 . 2008-04-14 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2011-01-07 06:14 . 2011-01-07 04:12 57344 ----a-w- C:\clipstreamsa.dll
2010-12-31 13:10 . 2008-04-14 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-26 18:43 . 2009-08-18 11:30 564632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\wlidui.dll
2010-12-26 18:42 . 2009-08-18 11:24 17816 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2010-12-25 13:21 . 2010-11-19 22:03 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-12-22 12:34 . 2008-04-14 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 18:09 . 2010-08-26 11:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 18:08 . 2010-08-26 11:23 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 17:26 . 2008-04-14 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-12-10 02:35 . 2010-12-10 02:35 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-12-09 15:15 . 2008-04-14 12:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2008-04-14 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2008-04-14 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2008-04-14 00:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-12-03 09:05 . 2010-12-10 02:35 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-11-29 17:38 . 2010-11-29 17:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 17:38 . 2010-11-29 17:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
"Mobile Partner"="c:\program files\T-Mobile\web'n'walk USB manager\web'n'walk USB manager.exe" [2007-03-21 90112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 14854144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-07 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-07 13880424]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1753192]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Mobile Partner"=c:\program files\T-Mobile\web'n'walk USB manager\web'n'walk USB manager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" /hide

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Internet Stuff\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Games\\Firefly Studios\\Stronghold 2\\Stronghold2.exe"=
"c:\\Internet Stuff\\Xfire\\Xfire.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Internet Stuff\\Entropia Universe\\bin32\\Entropia.exe"=
"c:\\Internet Stuff\\Steam\\Steam.exe"=
"c:\\Internet Stuff\\Steam\\SteamApps\\conners1010@hotmail.com\\team fortress classic\\hl.exe"=
"c:\\Internet Stuff\\Entropia Universe\\bin32\\ClientLoader.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Internet Stuff\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Internet Stuff\\AfterWorld DG\\AfterWorld\\AW_Launcher.exe"=
"c:\\Internet Stuff\\AfterWorld DG\\AfterWorld\\AfterWorld.exe"=
"c:\\Games\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Games\\Microsoft Games\\Age Of Empires 2\\empires2.EXE"=
"c:\\Downloads\\AnarchyOnline_18.1.1-Large.exe"=
"c:\\Games\\BlueByte\\BBGC\\BBGChan.exe"=
"c:\\Games\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Internet Stuff\\Steam\\SteamApps\\common\\call of duty modern warfare 2\\iw4mp.exe"=
"c:\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"=
"c:\\Games\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.9\\cnc3game.dat"=
"c:\\Games\\Microsoft Games\\Dungeon Siege\\DungeonSiege.exe"=
"c:\\Games\\Sierra\\FEAR\\FEAR.exe"=
"c:\\Games\\Sierra\\FEAR\\FEARMP.exe"=
"c:\\Internet Stuff\\GameSpy Arcade\\Aphex.exe"=
"c:\\Games\\Rockstar Games\\Grand Theft Auto\\WINO\\Grand Theft Auto.exe"=
"c:\\Games\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Games\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1200:UDP"= 1200:UDP:*isabled:cs1
"27000:UDP"= 27000:UDP:*isabled:cs2
"27015:UDP"= 27015:UDP:*isabled:cs3
"27030:TCP"= 27030:TCP:*isabled:cs4
"27039:TCP"= 27039:TCP:*isabled:cs5
"20:TCP"= 20:TCP:Entropia1
"30584:UDP"= 30584:UDP:Entropia3
"30583:TCP"= 30583:TCP:Entropia4
"554:TCP"= 554:TCP:Entropia5
"80:UDP"= 80:UDP:Entropia6
"88:UDP"= 88:UDP:*isabled:GTA4 2
"3074:UDP"= 3074:UDP:*isabled:GTA4 3
"3074:TCP"= 3074:TCP:*isabled:GTA4 4
"53:UDP"= 53:UDP:*isabled:GTA4 5
"53:TCP"= 53:TCP:*isabled:GTA4 6
"28000:UDP"= 28000:UDP:*isabled:AW1
"28100:UDP"= 28100:UDP:*isabled:AW2
"50000:UDP"= 50000:UDP:*isabled:AWVC1
"51000:UDP"= 51000:UDP:*isabled:AWVC2
"5800:TCP"= 5800:TCP:*isabled:AWVC3
"5900:TCP"= 5900:TCP:*isabled:AWVC4

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/12/2010 02:35 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 18:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 18:41 67656]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 12:16 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [03/09/2010 04:57 136176]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 12:16 753504]
.
Contents of the 'Scheduled Tasks' folder

2011-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-03 04:57]

2011-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-03 04:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\James Connelly\Application Data\Mozilla\Firefox\Profiles\0fl13izb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.type - 0
FF - Ext: Update Service: updater@foxstart.com - c:\internet stuff\Mozilla Firefox\extensions\updater@foxstart.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\internet stuff\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\internet stuff\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-27 05:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-57989841-1844823847-515967899-1005\Software\SecuROM\License information*]
"datasecu"=hex:94,f3,eb,ad,cb,83,9e,53,c4,bf,a8,ba,6b,63,dc,c0,0d,6f,4b,a5,09,
93,fc,31,bc,1e,b9,1a,5f,a4,80,79,ac,3c,b8,c1,10,93,01,ef,4d,48,fd,21,0b,b9,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3212)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-02-27 05:59:11
ComboFix-quarantined-files.txt 2011-02-27 05:59

Pre-Run: 194,588,082,176 bytes free
Post-Run: 194,573,717,504 bytes free

- - End Of File - - 1D43C31521AFADF384DA5DC9B84DD475

managed to post the combofix log. i had to disable smileys in the post!!! haha.

So that where all the 'images' were! Be sure not to add anything to the logs.


Please run this Custom CFScript:

• 
  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:Be sure to scroll down to include ALL lines.

Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
Please take a look at this section in the Combofix log:
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Glob allyOpenPorts\List]
Many ports have been disabled or set. I need to know if you have set these.

hi mate. very sorry but i got desperate and i formatted my disk, like a nob, thinking it should sort the problem out. ive managed to get up to service pack 3 on it again and now have avira, zone alarm, and spybot.
i didnt open them ports you were referring to and even though ive formatted (3 or 4 times) i still have issues. something is very hidden and using my download bandwidth everytime i connect still.
i think i have a root kit and i think my usb modem could also have some files on it to keep it comnig back, maybe in the bios too.
should i start a new thread or are you willing to help me more?

I will continue to help but I'd like you to start a new thread. Make Subject Attn: Bobbye Persistent Infection. Please include this URL in the new tread https://www.techspot.com/vb/topic161743.html#post1012256 so I can come back more easily to check it needed.

First thing to do is disinfect the flash drive:
These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.
[*] Please download Flash_Disinfector.exe by sUBs and save it to your desktop.

1. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
   Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings
2. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
3. Wait until it has finished scanning and then exit the program.
4. Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

This is very likely why the infection has persisted. Please put all logs and info on new thread. I am going to close this one.
Since you have reformatted, I need a new set of logs, so repeat this on the new thread: Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply .
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
==========================================