Wireless disabled due to Virus

ok, i have restored the computer to normal operation. is there certain programs that i can disable in safe mode to stop ws2_32.dll from running, while i transfer the file?

I have a new plan.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

File::
c:\windows\system32\dllcache\ws2_32.dll

FCOPY::
c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll | c:\windows\system32\ws2_32.dll
c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll | c:\windows\system32\dllcache\ws2_32.dll

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

ComboFix 09-06-11.05 - david 06/13/2009 10:39.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.490 [GMT -4:00]
Running from: G:\ComboFix.exe
Command switches used :: G:\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\windows\system32\dllcache\ws2_32.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dllcache\ws2_32.dll

.
--------------- FCopy ---------------

c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll --> c:\windows\system32\ws2_32.dll
c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll --> c:\windows\system32\dllcache\ws2_32.dll
.
((((((((((((((((((((((((( Files Created from 2009-05-13 to 2009-06-13 )))))))))))))))))))))))))))))))
.

2009-06-11 19:42 . 2004-08-10 15:00 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-06-11 19:42 . 2004-08-10 15:00 39424 ----a-w- c:\windows\system32\dllcache\grpconv.exe
2009-06-10 16:25 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-06-10 16:25 . 2009-03-24 20:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-06-10 16:25 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-06-10 16:25 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-06-10 16:25 . 2009-06-10 16:25 -------- d-----w- c:\program files\Avira
2009-06-10 16:25 . 2009-06-10 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-06-09 17:19 . 2009-06-09 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-09 17:19 . 2009-06-09 17:19 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-09 17:19 . 2009-06-09 17:19 -------- d-----w- c:\documents and settings\david\Application Data\Sonic
2009-06-09 17:19 . 2009-06-09 17:19 -------- d-----w- c:\documents and settings\david\Application Data\PC Tools
2009-06-09 17:18 . 2009-06-09 17:18 -------- d-----w- c:\program files\Common Files\BitDefender
2009-06-09 17:18 . 2009-06-09 17:18 -------- d-----w- C:\4304f949750ce894fde4cc20
2009-06-08 17:11 . 2004-08-10 15:00 4096 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\USMT\iconlib.dll
2009-06-08 13:46 . 2009-06-08 13:46 -------- d-----w- c:\documents and settings\david\Application Data\Malwarebytes
2009-06-08 13:46 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-08 13:46 . 2009-06-08 13:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-08 13:46 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-08 13:46 . 2009-06-09 17:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-08 12:53 . 2009-06-13 14:44 117760 ----a-w- c:\documents and settings\david\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-08 12:52 . 2009-06-09 17:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-08 12:52 . 2009-06-08 12:52 -------- d-----w- c:\documents and settings\david\Application Data\SUPERAntiSpyware.com
2009-06-08 12:51 . 2009-06-08 12:51 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2009-06-05 13:43 . 2009-06-05 13:43 -------- d-----w- c:\documents and settings\david\Application Data\MSNInstaller
2009-06-05 00:21 . 2009-06-05 00:21 -------- d-----w- c:\documents and settings\david\Application Data\Leadertech
2009-06-04 23:31 . 2008-06-11 01:22 81288 ----a-w- c:\windows\system32\drivers\iksyssec.sys
2009-06-04 23:31 . 2008-06-02 19:19 29576 ----a-w- c:\windows\system32\drivers\kcom.sys
2009-06-04 23:31 . 2008-06-02 19:19 42376 ----a-w- c:\windows\system32\drivers\ikfilesec.sys
2009-06-04 23:31 . 2008-06-02 19:19 66952 ----a-w- c:\windows\system32\drivers\iksysflt.sys
2009-06-04 23:30 . 2009-06-09 17:19 -------- d-----w- c:\program files\Spyware Doctor
2009-06-04 14:01 . 2004-05-11 13:56 423784 ----a-w- c:\windows\system32\XceedBkp.dll
2009-06-04 14:01 . 2003-11-19 17:59 512688 ----a-w- c:\windows\system32\XceedCry.dll
2009-06-04 14:01 . 2000-07-15 09:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2009-06-03 14:03 . 2009-06-09 17:18 -------- d-----w- C:\AV-CLS
2009-06-03 13:45 . 2009-06-13 14:44 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-03 13:22 . 2009-06-03 13:22 -------- d-----w- c:\program files\Enigma Software Group

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-11 19:37 . 2006-08-29 08:20 -------- d-----w- c:\documents and settings\david\Application Data\U3
2009-06-10 15:56 . 2006-04-13 13:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-09 17:18 . 2006-09-23 02:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2009-06-09 17:18 . 2006-09-23 02:08 -------- d-----w- c:\program files\NVIDIA Corporation
2009-06-09 17:18 . 2006-09-20 02:40 -------- d-----w- c:\documents and settings\david\Application Data\Aim
2009-06-09 17:18 . 2006-09-20 02:38 -------- d-----w- c:\program files\AIM
2009-06-09 17:18 . 2006-10-28 02:45 -------- d-----w- c:\program files\DivX
2009-06-09 17:18 . 2007-08-15 03:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-04 18:53 . 2006-04-13 13:56 110416 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-04 15:35 . 2006-04-13 13:44 -------- d-----w- c:\program files\Quickensetup
2009-06-04 15:35 . 2006-04-13 13:17 -------- d-----w- c:\program files\Microsoft Works
2009-06-04 14:29 . 2008-11-04 16:19 -------- d-----w- c:\documents and settings\david\Application Data\GetRightToGo
2009-06-04 13:48 . 2006-04-13 12:47 -------- d-----w- c:\program files\HPQ
2009-06-04 11:42 . 2007-08-15 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-02 21:52 . 2006-10-27 02:30 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-31 01:41 . 2008-09-29 01:16 -------- d-----w- c:\documents and settings\amanda\Application Data\U3
2006-10-28 03:10 . 2006-10-28 03:10 56 --sh--r- c:\windows\system32\260588ACD5.sys
2006-10-28 03:10 . 2006-10-28 03:10 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-04 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-03-14 257088]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-07-16 1166216]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-04 68856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/10/2009 12:25 PM 108289]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 6:29 AM 29178224]
R2 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [6/4/2009 7:30 PM 356920]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 5:06 AM 231424]
R3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_06\bin\jusched.exe
HKLM-Run-QPService - c:\program files\HP\QuickPlay\QPService.exe
HKLM-Run-eabconfg.cpl - c:\program files\HPQ\Quick Launch Buttons\EabServr.exe
HKLM-Run-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = yahoo.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-13 10:44
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe??????????L????|?????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
@DACL=(02 0000)
@="Wireless"
"ProcessGroupPolicy"="ProcessWIRELESSPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@DACL=(02 0000)
@="Folder Redirection"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"DllName"=expand:"fdeploy.dll"
"NoMachinePolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"NoGPOListChanges"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=multi:"(Folder Redirection,Application)\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=expand:"dskquota.dll"
"ProcessGroupPolicy"="ProcessGroupPolicy"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@DACL=(02 0000)
@="QoS Packet Scheduler"
"ProcessGroupPolicy"="ProcessPSCHEDPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
@DACL=(02 0000)
@="Scripts"
"ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
"ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"
"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
"DllName"=expand:"gptext.dll"
"NoSlowLink"=dword:00000001
"NoGPOListChanges"=dword:00000001
"NotifyLinkTransition"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@DACL=(02 0000)
@="Internet Explorer Zonemapping"
"DllName"=expand:"iedkcs32.dll"
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
"DisplayName"=expand:"@iedkcs32.dll,-3051"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=expand:"scecli.dll"
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
@DACL=(02 0000)
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="iedkcs32.dll"
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
"DisplayName"=expand:"@iedkcs32.dll,-3014"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=expand:"scecli.dll"
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@DACL=(02 0000)
@="Microsoft Offline Files"
"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
"EnableAsynchronousProcessing"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@DACL=(02 0000)
@="Software Installation"
"DllName"=expand:"appmgmts.dll"
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
@DACL=(02 0000)
@="IP Security"
"ProcessGroupPolicy"="ProcessIPSECPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!saswinlogon]
@DACL=(02 0000)
"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"
"Logon"="SABWINLOLogon"
"Logoff"="SABWINLOLogoff"
"Startup"="SABWINLOStartup"
"Shutdown"="SABWINLOShutdown"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
@DACL=(02 0000)
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"cryptnet.dll"
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
@DACL=(02 0000)
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
@DACL=(02 0000)
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=expand:"sclgntfy.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
@DACL=(02 0000)
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
@DACL=(02 0000)
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
"ASPNET"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\dllhost.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\ehome\ehmsas.exe
c:\progra~1\HPQ\shared\HPQTOA~1.EXE
.
**************************************************************************
.
Completion time: 2009-06-13 10:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-13 14:47
ComboFix2.txt 2009-06-12 20:46
ComboFix3.txt 2009-06-11 21:59
ComboFix4.txt 2009-06-11 19:49

Pre-Run: 36,355,858,432 bytes free
Post-Run: 36,334,059,520 bytes free

430 --- E O F --- 2009-06-04 13:06

Okay, re-run the SystemLook script, the dllcache copy of it is gone, but then replaced again.
Lets see if that helped any.

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 15:50 on 13/06/2009 by david (Administrator - Elevation successful)

========== filefind ==========

Searching for "ws2_32.dll"
C:\Documents and Settings\david\Desktop\ws2_32.dll --a--- 82432 bytes [00:10 13/06/2009] [00:12 14/04/2008] 2CCC474EB85CEAA3E1FA1726580A3E5A
C:\Qoobox\Quarantine\C\WINDOWS\system32\dllcache\ws2_32.dll --a--- 82432 bytes [00:05 13/06/2009] [00:12 14/04/2008] 2CCC474EB85CEAA3E1FA1726580A3E5A
C:\Qoobox\Quarantine\C\WINDOWS\system32\ws2_32.dll --a--- 82432 bytes [00:05 13/06/2009] [00:12 14/04/2008] 2CCC474EB85CEAA3E1FA1726580A3E5A
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll ------ 82432 bytes [17:55 21/09/2008] [00:12 14/04/2008] 2CCC474EB85CEAA3E1FA1726580A3E5A
C:\WINDOWS\system32\ws2_32.dll --a--- 82944 bytes [15:00 10/08/2004] [07:00 10/08/2004] 2ED0B7F12A60F90092081C50FA0EC2B2

-=End Of File=-

Download the GMER rootkit scan from here: GMER

1. Unzip it and start GMER.
   
2. Click the >>> tab and then click the Scan button.
   
3. Once done, click the Copy button.
   
4. This will copy the results to your clipboard.
   
5. Paste the results in your next reply.
   

Note:
If you're having problems with running GMER.exe, try it in safe mode. This tools works in safe mode.
You can also try renaming it since some malware blocks GMER.

The log will be quite big, so I need you to upload it to rapidshare.com please.

http://rapidshare.com/files/244283049/gmer.txt.html
MD5: 42356A9CF49AD7FDA68128ECC9082CDE

Hi,
Is there any scan tool that i can download, i do not have internet access to use an online scan tool?

Can you zip a copy of the file and transfer it to another machine with working internet? then unzip it and run the online scan?

Could also try Winsock XP Fix, download and run:
http://www.snapfiles.com/get/winsockxpfix.html

Press fix, then reboot.

Jotti's Malware Scanner found no infections.
Winsock XP Fix did not fix the problem. However,

Back to Performing a a new ws2_32.dll manually i had some success. I am able to move the clean file to system32 successfully in safe mode.


SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 09:48 on 15/06/2009 by david (Administrator - Elevation successful)

========== filefind ==========

Searching for "ws2_32.dll"
C:\I386\SYSTEM32\ws2_32.dll --a--- 82432 bytes [05:09 15/06/2009] [00:12 14/04/2008] 2CCC474EB85CEAA3E1FA1726580A3E5A
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll ------ 82432 bytes [17:55 21/09/2008] [00:12 14/04/2008] 2CCC474EB85CEAA3E1FA1726580A3E5A
C:\WINDOWS\system32\ws2_32.dll --a--- 82432 bytes [13:22 15/06/2009] [00:12 14/04/2008] 2CCC474EB85CEAA3E1FA1726580A3E5A

-=End Of File=-

Well done. The patched file is gone, and there's another backup appeared.
Did you run Winsock XP Fix AFTER replacing the bad file? or BEFORE?

thank you. Ran Winsock XP Fix Before fixing file. Should I run it again?

Could never have done it without your help.

Yes, because the new file is replaced, so the Winsock will need fixing again.
Run it again, then reboot to make sure it's done it's job.

Tried Winsock again but did not give me internet access all network drives still show code 39

Okay, I may need to pass this onto Doc and he'll help you troubleshoot it.
Is it wireless problems?

Yes, i can not access the internet through landline or wireless.
Thank you so much for all your help. It is greatly appreciated!

Hello,
Any New Ideas?

Nope, I'll ask Doc now though.

Hello Doc
Do you have any ideas troubleshooting this?

Hello,

Nothing I can think of. Can you try resetting your router or modem and see if it works?

I have tried that and had no luck. The network card is still showing code error 39.

Have you updated to the latest drivers?