Trojan Zlob.G/ TR/Spy.gen trojan

No idea what it is

I was getting Trojan Zlob.G pop up thing..about 30 mins ago..its stopped (i downloaded AntiVir)

Its now saying this:
https://2img.net/h/oi33.tinypic.com/121copy.jpg

Hello.
Please read here and post a Hijack This log.

http://www.geekpolice.net/malware-removal-support-hijackthis-logs-f11/read-this-before-posting-t3821.htm

Ok, sorry. Is this correct? (Also im getting that AntiVir thing a lot now..and 3 at a time)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:21:39, on 11/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\System Control Manager\MSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\System Control Manager\MGSysCtrl.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\NudgeMania\NudgeMania.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\DOCUME~1\San\LOCALS~1\Temp\nsn3.tmp\NM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avscan.exe
C:\Documents and Settings\San\Desktop\Hijack(GP)This.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avwsc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thetechguys.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.thetechguys.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files\System Control Manager\MGSysCtrl.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [NudgeMania] C:\Program Files\NudgeMania\NudgeMania.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.thetechguys.com
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1225035119865
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Micro Star SCM - Unknown owner - C:\Program Files\System Control Manager\MSIService.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 6429 bytes

• Open HijackThis
  
• Choose "Do a system scan only"
  
• Check the boxes in front of these lines:
  
  
  F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
  
  
  
• Press "Fix Checked"
  
• Close Hijack This.
  

Delete this file in bold:
C:\WINDOWS\system32\ntos.exe

• Download combofix from here, use the top links - combofix.exe
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  
  
  
• The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  
  
  
  
• Allow ComboFix to download the Recovery Console.
  
• Accept the End-User License Agreement.
  
• The Recovery Console will be installed.
  
• You will this next prompt that asks if you want to continue the malware scan, select yes
  
  
  
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  

I have a file called 'ntoskrnl.exe' not 'ntso.exe' though
I also have 'NTOS.EXE-1A2A349A.pf'

Don't delete ntoskrnl.exe, that's a legit file.
Skip it and goi on with combofix.

Think this is it?

ComboFix 08-12-11.01 - San 2008-12-11 21:26:03.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.483 [GMT 0:00]
Running from: c:\documents and settings\San\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\mrxdavv.sys
c:\windows\system32\kwave.sys
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\anyone\Application Data\wsnpoem
c:\documents and settings\anyone\Application Data\wsnpoem\audio.dll
c:\documents and settings\anyone\Application Data\wsnpoem\video.dll
c:\documents and settings\LocalService\Application Data\wsnpoem
c:\documents and settings\LocalService\Application Data\wsnpoem\audio.dll
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\system32\~.exe
c:\windows\system32\a.exe
c:\windows\system32\k86.bin
c:\windows\system32\ntos.exe
c:\windows\system32\wsnpoem
c:\windows\system32\wsnpoem\audio.dll
c:\windows\system32\wsnpoem\video.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-11 to 2008-12-11 )))))))))))))))))))))))))))))))
.

2008-12-11 19:54 . 2008-12-11 19:54 d-------- c:\program files\Avira
2008-12-11 19:54 . 2008-12-11 19:54 d-------- c:\documents and settings\LocalService\Application Data\Xfire
2008-12-11 19:54 . 2008-12-11 19:54 d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-11 19:45 . 2008-12-11 19:45 d-------- C:\_OTMoveIt
2008-12-11 17:36 . 2008-12-11 17:38 d-------- c:\program files\SUPERAntiSpyware
2008-12-11 17:36 . 2008-12-11 17:36 d-------- c:\documents and settings\San\Application Data\SUPERAntiSpyware.com
2008-12-11 17:36 . 2008-12-11 17:36 d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-11 15:59 . 2008-12-11 15:59 d-------- c:\documents and settings\San\Application Data\DivX
2008-12-10 08:22 . 2008-12-11 00:36 d-------- c:\program files\Phantasy Star Online Blue Burst
2008-12-09 23:08 . 2008-12-09 23:08 d-------- c:\program files\FLV Player
2008-12-09 00:02 . 2008-12-09 00:02 d-------- c:\windows\ShellNew
2008-12-09 00:02 . 2008-12-09 00:02 d-------- c:\program files\AutoIt3
2008-12-07 13:49 . 2008-12-07 13:49 d-------- c:\program files\DivX
2008-12-05 21:11 . 2008-12-11 19:59 7 --a------ c:\windows\system32\tmcontrol.bin
2008-12-05 20:39 . 2008-12-05 20:39 8,544 --a------ c:\windows\system32\mmctl.sys
2008-12-01 20:46 . 2008-12-01 20:46 d--h----- c:\documents and settings\All Users\Application Data\{AFD61B9C-946C-4129-B53C-E1C5D51A536D}
2008-12-01 20:45 . 2008-12-01 20:45 d-------- c:\program files\Transparent
2008-12-01 20:45 . 2008-12-01 20:45 d-------- c:\documents and settings\All Users\Application Data\Transparent
2008-11-27 18:20 . 2008-11-27 18:21 d-------- c:\program files\SystemRequirementsLab
2008-11-27 18:20 . 2008-11-27 18:20 d-------- c:\documents and settings\San\Application Data\SystemRequirementsLab
2008-11-27 08:43 . 2008-11-27 15:55 139,264 --a------ c:\windows\War3Unin.exe
2008-11-27 08:43 . 2008-11-27 15:59 76,256 --a------ c:\windows\War3Unin.dat
2008-11-27 08:43 . 2008-11-27 15:55 2,829 --a------ c:\windows\War3Unin.pif
2008-11-27 08:41 . 2008-12-03 21:52 d-------- c:\program files\Warcraft III
2008-11-25 19:46 . 2008-11-25 19:46 d-------- c:\documents and settings\All Users\Application Data\PMB Files
2008-11-25 19:44 . 2008-11-25 19:44 d-------- c:\program files\Pando Networks
2008-11-25 18:15 . 2005-05-08 17:56 55,808 --a------ c:\windows\system32\zlib1.dll
2008-11-21 21:47 . 2008-11-21 21:47 3,596,288 --a------ c:\windows\system32\qt-dx331.dll
2008-11-21 21:47 . 2008-11-21 21:47 524,288 --a------ c:\windows\system32\DivXsm.exe
2008-11-21 21:47 . 2008-11-21 21:47 4,816 --a------ c:\windows\system32\divxsm.tlb
2008-11-21 21:46 . 2008-11-21 21:46 1,044,480 --a------ c:\windows\system32\libdivx.dll
2008-11-21 21:46 . 2008-11-21 21:46 200,704 --a------ c:\windows\system32\ssldivx.dll
2008-11-21 21:44 . 2008-11-21 21:44 161,096 --a------ c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 21:44 . 2008-11-21 21:44 12,288 --a------ c:\windows\system32\DivXWMPExtType.dll
2008-11-20 20:44 . 2008-11-20 20:44 42,320 --a------ c:\windows\system32\xfcodec.dll
2008-11-20 16:09 . 2008-11-20 16:09 d-------- c:\documents and settings\All Users\Application Data\Launcher
2008-11-20 14:55 . 2008-11-20 14:55 d-------- c:\documents and settings\San\Application Data\vlc
2008-11-20 14:39 . 2008-11-20 14:43 d-------- c:\documents and settings\San\Application Data\MozillaControl
2008-11-20 14:39 . 2008-11-20 14:39 d-------- c:\documents and settings\All Users\Application Data\Graboid Inc
2008-11-20 13:56 . 2008-11-20 13:56 d-------- c:\program files\Mozilla ActiveX Control v1.7.12
2008-11-20 13:55 . 2008-11-20 13:55 d-------- c:\program files\VideoLAN
2008-11-20 13:55 . 2008-11-20 14:39 d-------- c:\program files\Graboid
2008-11-20 10:45 . 2008-11-20 10:45 d-------- c:\program files\MindArk
2008-11-19 19:59 . 2008-11-19 19:59 d-------- c:\documents and settings\San\Application Data\GarageGames
2008-11-14 23:58 . 2008-05-30 15:24 d-------- c:\documents and settings\anyone\Application Data\InstallShield
2008-11-14 23:58 . 2008-11-14 23:58 d-------- c:\documents and settings\anyone
2008-11-12 16:43 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-11 21:32 --------- d-----w c:\program files\DNA
2008-12-11 21:32 --------- d-----w c:\documents and settings\San\Application Data\LimeWire
2008-12-11 21:32 --------- d-----w c:\documents and settings\San\Application Data\DNA
2008-12-11 20:11 --------- d-----w c:\documents and settings\San\Application Data\Xfire
2008-12-11 19:21 --------- d-----w c:\program files\LimeWire
2008-12-11 17:35 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-10 17:00 31 ----a-w c:\documents and settings\San\jagex_runescape_preferences.dat
2008-12-08 23:13 --------- d-----w c:\program files\Xfire
2008-11-21 21:47 9,464 ------w c:\windows\system32\drivers\cdralw2k.sys
2008-11-21 21:47 9,336 ------w c:\windows\system32\drivers\cdr4_xp.sys
2008-11-21 21:47 43,528 ------w c:\windows\system32\drivers\PxHelp20.sys
2008-11-21 21:47 129,784 ------w c:\windows\system32\pxafs.dll
2008-11-21 21:47 120,056 ------w c:\windows\system32\pxcpyi64.exe
2008-11-21 21:47 118,520 ------w c:\windows\system32\pxinsi64.exe
2008-11-09 16:32 --------- d-----w c:\documents and settings\San\Application Data\Ventrilo
2008-11-09 16:31 --------- d-----w c:\program files\Ventrilo
2008-11-09 15:13 --------- d-----w c:\program files\Windows Journal Viewer
2008-11-09 10:21 --------- d-----w c:\documents and settings\San\Application Data\Thinstall
2008-11-08 19:39 --------- d-----w c:\program files\iTunes
2008-11-08 19:39 --------- d-----w c:\documents and settings\San\Application Data\Apple Computer
2008-11-08 19:39 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-08 19:38 --------- d-----w c:\program files\QuickTime
2008-11-08 19:38 --------- d-----w c:\program files\iPod
2008-11-08 19:38 --------- d-----w c:\program files\Bonjour
2008-11-08 19:37 --------- d-----w c:\program files\Common Files\Apple
2008-11-08 19:37 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-08 19:36 --------- d-----w c:\program files\Apple Software Update
2008-11-08 19:35 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-11-05 19:03 --------- d-----w c:\program files\NudgeMania
2008-11-01 15:14 --------- d-----w c:\program files\Common Files\DirectX
2008-10-31 23:28 --------- d-----w c:\documents and settings\San\Application Data\BitTorrent
2008-10-31 22:10 --------- d-----w c:\documents and settings\All Users\Application Data\InstallShield
2008-10-31 22:03 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-31 22:03 --------- d-----w c:\program files\Gravity
2008-10-31 22:03 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-31 17:53 --------- d-----w c:\program files\eFusion
2008-10-31 17:52 --------- d-----w c:\program files\SD EnterNET
2008-10-30 00:51 --------- d-----w c:\program files\BitTorrent
2008-10-29 23:17 --------- d-----w c:\documents and settings\San\Application Data\MSNInstaller
2008-10-27 20:08 --------- d-----w c:\documents and settings\San\Application Data\Gadu-Gadu
2008-10-27 20:05 --------- d-----w c:\program files\Gadu-Gadu
2008-10-27 18:33 410,976 ----a-w c:\windows\system32\deploytk.dll
2008-10-27 18:33 --------- d-----w c:\program files\Java
2008-10-26 21:16 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2008-10-26 15:50 --------- d-----w c:\program files\Windows Live
2008-10-26 15:49 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2008-10-26 15:43 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-04-14 12:00 717,312 ----a-r c:\documents and settings\anyone\Application Data\ntos.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2008-03-20 2127296]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-11-12 342336]
"NudgeMania"="c:\program files\NudgeMania\NudgeMania.exe" [2007-02-25 65821]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-04 1809648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-11 1028096]
"MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2008-04-23 778240]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-09-13 222504]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-27 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-07 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\San\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-09-18 147456]
Xfire.lnk - c:\program files\Xfire\xfire.exe [2008-11-20 2986320]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mmctl.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56762:TCP"= 56762:TCP:Pando Media Booster
"56762:UDP"= 56762:UDP:Pando Media Booster

R1 mmctl;DRAM Cash Driver;c:\windows\system32\mmctl.sys [2008-12-05 8544]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
R2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [2008-05-30 159744]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTS5121.sys [2008-05-30 153600]
R3 rtl8187Se;Realtek RTL8187SE Wireless LAN PCIE Network Adapter;c:\windows\system32\DRIVERS\rtl8187Se.sys [2008-05-30 263680]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
.
Contents of the 'Scheduled Tasks' folder

2008-11-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

Notify-ctlsys - ctlsys.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.thetechguys.com
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\San\Application Data\Mozilla\Firefox\Profiles\92yo5lqw.default\
FF - plugin: c:\documents and settings\San\Application Data\Mozilla\Firefox\Profiles\92yo5lqw.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
FF - plugin: c:\program files\DNA\plugins\npbtdna.dll
FF - plugin: c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-11 21:31:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(956)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\docume~1\San\LOCALS~1\temp\nse4.tmp\NM.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-12-11 21:34:50 - machine was rebooted [San]
ComboFix-quarantined-files.txt 2008-12-11 21:34:45

Pre-Run: 44,425,789,440 bytes free
Post-Run: 44,399,394,816 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

272 --- E O F --- 2008-11-13 19:48:02

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
mmctl

File::
c:\windows\system32\mmctl.sys

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mmctl.sys]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to it's terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.

ComboFix 08-12-11.01 - San 2008-12-11 22:21:08.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.273 [GMT 0:00]
Running from: c:\documents and settings\San\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\San\Desktop\CFscript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\mrxdavv.sys
c:\windows\system32\kwave.sys

.
((((((((((((((((((((((((( Files Created from 2008-11-11 to 2008-12-11 )))))))))))))))))))))))))))))))
.

2008-12-11 19:54 . 2008-12-11 19:54 d-------- c:\program files\Avira
2008-12-11 19:54 . 2008-12-11 19:54 d-------- c:\documents and settings\LocalService\Application Data\Xfire
2008-12-11 19:54 . 2008-12-11 19:54 d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-11 19:45 . 2008-12-11 19:45 d-------- C:\_OTMoveIt
2008-12-11 17:36 . 2008-12-11 17:38 d-------- c:\program files\SUPERAntiSpyware
2008-12-11 17:36 . 2008-12-11 17:36 d-------- c:\documents and settings\San\Application Data\SUPERAntiSpyware.com
2008-12-11 17:36 . 2008-12-11 17:36 d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-11 15:59 . 2008-12-11 15:59 d-------- c:\documents and settings\San\Application Data\DivX
2008-12-10 08:22 . 2008-12-11 00:36 d-------- c:\program files\Phantasy Star Online Blue Burst
2008-12-09 23:08 . 2008-12-09 23:08 d-------- c:\program files\FLV Player
2008-12-09 00:02 . 2008-12-09 00:02 d-------- c:\windows\ShellNew
2008-12-09 00:02 . 2008-12-09 00:02 d-------- c:\program files\AutoIt3
2008-12-07 13:49 . 2008-12-07 13:49 d-------- c:\program files\DivX
2008-12-05 21:11 . 2008-12-11 19:59 7 --a------ c:\windows\system32\tmcontrol.bin
2008-12-05 20:39 . 2008-12-05 20:39 8,544 --a------ c:\windows\system32\mmctl.sys
2008-12-01 20:46 . 2008-12-01 20:46 d--h----- c:\documents and settings\All Users\Application Data\{AFD61B9C-946C-4129-B53C-E1C5D51A536D}
2008-12-01 20:45 . 2008-12-01 20:45 d-------- c:\program files\Transparent
2008-12-01 20:45 . 2008-12-01 20:45 d-------- c:\documents and settings\All Users\Application Data\Transparent
2008-11-27 18:20 . 2008-11-27 18:21 d-------- c:\program files\SystemRequirementsLab
2008-11-27 18:20 . 2008-11-27 18:20 d-------- c:\documents and settings\San\Application Data\SystemRequirementsLab
2008-11-27 08:43 . 2008-11-27 15:55 139,264 --a------ c:\windows\War3Unin.exe
2008-11-27 08:43 . 2008-11-27 15:59 76,256 --a------ c:\windows\War3Unin.dat
2008-11-27 08:43 . 2008-11-27 15:55 2,829 --a------ c:\windows\War3Unin.pif
2008-11-27 08:41 . 2008-12-03 21:52 d-------- c:\program files\Warcraft III
2008-11-25 19:46 . 2008-11-25 19:46 d-------- c:\documents and settings\All Users\Application Data\PMB Files
2008-11-25 19:44 . 2008-11-25 19:44 d-------- c:\program files\Pando Networks
2008-11-25 18:15 . 2005-05-08 17:56 55,808 --a------ c:\windows\system32\zlib1.dll
2008-11-21 21:47 . 2008-11-21 21:47 3,596,288 --a------ c:\windows\system32\qt-dx331.dll
2008-11-21 21:47 . 2008-11-21 21:47 524,288 --a------ c:\windows\system32\DivXsm.exe
2008-11-21 21:47 . 2008-11-21 21:47 4,816 --a------ c:\windows\system32\divxsm.tlb
2008-11-21 21:46 . 2008-11-21 21:46 1,044,480 --a------ c:\windows\system32\libdivx.dll
2008-11-21 21:46 . 2008-11-21 21:46 200,704 --a------ c:\windows\system32\ssldivx.dll
2008-11-21 21:44 . 2008-11-21 21:44 161,096 --a------ c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 21:44 . 2008-11-21 21:44 12,288 --a------ c:\windows\system32\DivXWMPExtType.dll
2008-11-20 20:44 . 2008-11-20 20:44 42,320 --a------ c:\windows\system32\xfcodec.dll
2008-11-20 16:09 . 2008-11-20 16:09 d-------- c:\documents and settings\All Users\Application Data\Launcher
2008-11-20 14:55 . 2008-11-20 14:55 d-------- c:\documents and settings\San\Application Data\vlc
2008-11-20 14:39 . 2008-11-20 14:43 d-------- c:\documents and settings\San\Application Data\MozillaControl
2008-11-20 14:39 . 2008-11-20 14:39 d-------- c:\documents and settings\All Users\Application Data\Graboid Inc
2008-11-20 13:56 . 2008-11-20 13:56 d-------- c:\program files\Mozilla ActiveX Control v1.7.12
2008-11-20 13:55 . 2008-11-20 13:55 d-------- c:\program files\VideoLAN
2008-11-20 13:55 . 2008-11-20 14:39 d-------- c:\program files\Graboid
2008-11-20 10:45 . 2008-11-20 10:45 d-------- c:\program files\MindArk
2008-11-19 19:59 . 2008-11-19 19:59 d-------- c:\documents and settings\San\Application Data\GarageGames
2008-11-14 23:58 . 2008-05-30 15:24 d-------- c:\documents and settings\anyone\Application Data\InstallShield
2008-11-14 23:58 . 2008-11-14 23:58 d-------- c:\documents and settings\anyone
2008-11-12 16:43 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-11 22:27 --------- d-----w c:\documents and settings\San\Application Data\LimeWire
2008-12-11 22:26 --------- d-----w c:\program files\DNA
2008-12-11 22:26 --------- d-----w c:\documents and settings\San\Application Data\DNA
2008-12-11 20:11 --------- d-----w c:\documents and settings\San\Application Data\Xfire
2008-12-11 19:21 --------- d-----w c:\program files\LimeWire
2008-12-11 17:35 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-10 17:00 31 ----a-w c:\documents and settings\San\jagex_runescape_preferences.dat
2008-12-08 23:13 --------- d-----w c:\program files\Xfire
2008-11-21 21:47 9,464 ------w c:\windows\system32\drivers\cdralw2k.sys
2008-11-21 21:47 9,336 ------w c:\windows\system32\drivers\cdr4_xp.sys
2008-11-21 21:47 43,528 ------w c:\windows\system32\drivers\PxHelp20.sys
2008-11-21 21:47 129,784 ------w c:\windows\system32\pxafs.dll
2008-11-21 21:47 120,056 ------w c:\windows\system32\pxcpyi64.exe
2008-11-21 21:47 118,520 ------w c:\windows\system32\pxinsi64.exe
2008-11-09 16:32 --------- d-----w c:\documents and settings\San\Application Data\Ventrilo
2008-11-09 16:31 --------- d-----w c:\program files\Ventrilo
2008-11-09 15:13 --------- d-----w c:\program files\Windows Journal Viewer
2008-11-09 10:21 --------- d-----w c:\documents and settings\San\Application Data\Thinstall
2008-11-08 19:39 --------- d-----w c:\program files\iTunes
2008-11-08 19:39 --------- d-----w c:\documents and settings\San\Application Data\Apple Computer
2008-11-08 19:39 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-08 19:38 --------- d-----w c:\program files\QuickTime
2008-11-08 19:38 --------- d-----w c:\program files\iPod
2008-11-08 19:38 --------- d-----w c:\program files\Bonjour
2008-11-08 19:37 --------- d-----w c:\program files\Common Files\Apple
2008-11-08 19:37 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-08 19:36 --------- d-----w c:\program files\Apple Software Update
2008-11-08 19:35 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-11-05 19:03 --------- d-----w c:\program files\NudgeMania
2008-11-01 15:14 --------- d-----w c:\program files\Common Files\DirectX
2008-10-31 23:28 --------- d-----w c:\documents and settings\San\Application Data\BitTorrent
2008-10-31 22:10 --------- d-----w c:\documents and settings\All Users\Application Data\InstallShield
2008-10-31 22:03 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-31 22:03 --------- d-----w c:\program files\Gravity
2008-10-31 22:03 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-31 17:53 --------- d-----w c:\program files\eFusion
2008-10-31 17:52 --------- d-----w c:\program files\SD EnterNET
2008-10-30 00:51 --------- d-----w c:\program files\BitTorrent
2008-10-29 23:17 --------- d-----w c:\documents and settings\San\Application Data\MSNInstaller
2008-10-27 20:08 --------- d-----w c:\documents and settings\San\Application Data\Gadu-Gadu
2008-10-27 20:05 --------- d-----w c:\program files\Gadu-Gadu
2008-10-27 18:33 410,976 ----a-w c:\windows\system32\deploytk.dll
2008-10-27 18:33 --------- d-----w c:\program files\Java
2008-10-26 21:16 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2008-10-26 15:50 --------- d-----w c:\program files\Windows Live
2008-10-26 15:49 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2008-10-26 15:43 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-04-14 12:00 717,312 ----a-r c:\documents and settings\anyone\Application Data\ntos.exe
.

((((((((((((((((((((((((((((( snapshot@2008-12-11_21.33.53.78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-11 22:25:06 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7f4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2008-03-20 2127296]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-11-12 342336]
"NudgeMania"="c:\program files\NudgeMania\NudgeMania.exe" [2007-02-25 65821]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-04 1809648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-11 1028096]
"MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2008-04-23 778240]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-09-13 222504]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-27 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-07 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\San\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-09-18 147456]
Xfire.lnk - c:\program files\Xfire\xfire.exe [2008-11-20 2986320]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mmctl.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56762:TCP"= 56762:TCP:Pando Media Booster
"56762:UDP"= 56762:UDP:Pando Media Booster

R1 mmctl;DRAM Cash Driver;c:\windows\system32\mmctl.sys [2008-12-05 8544]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
R2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [2008-05-30 159744]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTS5121.sys [2008-05-30 153600]
R3 rtl8187Se;Realtek RTL8187SE Wireless LAN PCIE Network Adapter;c:\windows\system32\DRIVERS\rtl8187Se.sys [2008-05-30 263680]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
.
Contents of the 'Scheduled Tasks' folder

2008-11-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.thetechguys.com
uInternet Settings,ProxyOverride = *.local
TCP: {B39B491E-699B-4580-A854-FC0B264408E6} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\San\Application Data\Mozilla\Firefox\Profiles\92yo5lqw.default\
FF - plugin: c:\documents and settings\San\Application Data\Mozilla\Firefox\Profiles\92yo5lqw.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
FF - plugin: c:\program files\DNA\plugins\npbtdna.dll
FF - plugin: c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-11 22:25:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(956)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\docume~1\San\LOCALS~1\temp\nst4.tmp\NM.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-12-11 22:29:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-11 22:29:21
ComboFix2.txt 2008-12-11 21:34:51

Pre-Run: 44,316,610,560 bytes free
Post-Run: 44,302,966,784 bytes free

250 --- E O F --- 2008-11-13 19:48:02

That didn't work.

Please download the OTMoveIt3 by OldTimer.

• Save it to your desktop.
  
• Please double-click OTMoveIt3.exe to run it.
  
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  
  :processes
  explorer.exe
  
  :services
  mmctl
  
  :files
  c:\windows\system32\mmctl.sys
  
  :reg
  [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mmctl.sys]
  
  :commands
  [purity]
  [emptytemp]
  [start explorer]
  [reboot]
  
  
  
  
• Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  
• Click the red Moveit! button.
  
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  
• Close OTMoveIt3
  

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
Unable to stop service mmctl .
========== FILES ==========
File move failed. c:\windows\system32\mmctl.sys scheduled to be moved on reboot.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mmctl.sys\\ deleted successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\San\LOCALS~1\Temp\nst4.tmp\NM.exe scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\San\LOCALS~1\Temp\nst4.tmp\NotifyIcon.dll scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\San\LOCALS~1\Temp\nst4.tmp\ShutdownAllow.dll scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\San\LOCALS~1\Temp\hsperfdata_San\108 scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\San\LOCALS~1\Temp\etilqs_CLUblYxYBledM8iwTcOx scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\San\LOCALS~1\Temp\nsj3.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\San\LOCALS~1\Temp\~DFC1D3.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7f4.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\San\Local Settings\Application Data\Mozilla\Firefox\Profiles\92yo5lqw.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\San\Local Settings\Application Data\Mozilla\Firefox\Profiles\92yo5lqw.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\San\Local Settings\Application Data\Mozilla\Firefox\Profiles\92yo5lqw.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\San\Local Settings\Application Data\Mozilla\Firefox\Profiles\92yo5lqw.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\San\Local Settings\Application Data\Mozilla\Firefox\Profiles\92yo5lqw.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\San\Local Settings\Application Data\Mozilla\Firefox\Profiles\92yo5lqw.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12112008_225558

Files moved on Reboot...
File c:\windows\system32\mmctl.sys not found!
C:\DOCUME~1\San\LOCALS~1\Temp\nst4.tmp\NM.exe moved successfully.
DllUnregisterServer procedure not found in C:\DOCUME~1\San\LOCALS~1\Temp\nst4.tmp\NotifyIcon.dll
C:\DOCUME~1\San\LOCALS~1\Temp\nst4.tmp\NotifyIcon.dll NOT unregistered.
C:\DOCUME~1\San\LOCALS~1\Temp\nst4.tmp\NotifyIcon.dll moved successfully.
DllUnregisterServer procedure not found in C:\DOCUME~1\San\LOCALS~1\Temp\nst4.tmp\ShutdownAllow.dll
C:\DOCUME~1\San\LOCALS~1\Temp\nst4.tmp\ShutdownAllow.dll NOT unregistered.
C:\DOCUME~1\San\LOCALS~1\Temp\nst4.tmp\ShutdownAllow.dll moved successfully.
File C:\DOCUME~1\San\LOCALS~1\Temp\hsperfdata_San\108 not found!
File C:\DOCUME~1\San\LOCALS~1\Temp\etilqs_CLUblYxYBledM8iwTcOx not found!
File C:\DOCUME~1\San\LOCALS~1\Temp\nsj3.tmp not found!
C:\DOCUME~1\San\LOCALS~1\Temp\~DFC1D3.tmp moved successfully.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_7f4.dat not found!
C:\Documents and Settings\San\Local Settings\Application Data\Mozilla\Firefox\Profiles\92yo5lqw.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\San\Local Settings\Application Data\Mozilla\Firefox\Profiles\92yo5lqw.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\San\Local Settings\Application Data\Mozilla\Firefox\Profiles\92yo5lqw.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\San\Local Settings\Application Data\Mozilla\Firefox\Profiles\92yo5lqw.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\San\Local Settings\Application Data\Mozilla\Firefox\Profiles\92yo5lqw.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\San\Local Settings\Application Data\Mozilla\Firefox\Profiles\92yo5lqw.default\XUL.mfl moved successfully.

Hmmm.

What problems remain?

None. The pop ups have stop i can get on MSN now and other chat programs.

Its all good ;D:thx:

could my internet speed be effected by any of the tests? seems to be slower XD Dont know if its just it being annoying though ;P

Delete these two folders:
C:\_OTMoveIt
C:\Qoobox

Internet speed could be effected by stuff accessing in the internet like the Java quick starter.
We can disable a few items though and see if there's any changes, your call though. If you want to, post a new Hijack This log.

Thanks again

Also i deleted them folders and its good again. I don't think i need to post another right now. Wouldn't know where to start anyway.

Okay.

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to the turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Hopefully this should take care of your problems! Good luck.

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.