Can't run any spyware or virus remover programs and Windows

This is my first post. I know I am dealing with spyware and a virus. Problem is I can't run any program in regular or safe mode that they (spyware and virus) won't let me download or if I download the program I'm blocked from running it or I get an error message saying it can't run. I also discovered that Windows update is disabled, I turn the service on but it goes back to disabled.

Please download the current version of HijackThis from HERE

• Double click and run the installer.
  
• It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  
• After installing, you should get the user agreement, press accept and Hijack This will run.
  
• Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.
  

Here is my HJT Scan


Scan saved at 4:33:28 PM, on 1/17/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: Time Matters - {00F17ECE-12DA-46A0-B541-BDE4EB7DF027} - C:\TMW2009\TMIETB.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Time Matters - {00F17ECE-12DA-46A0-B541-BDE4EB7DF027} - C:\TMW2009\TMIETB.DLL
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmflp03\BrStDvPt.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [QuickBooksDB17] C:\Program Files\Intuit\QuickBooks 2007\QBDBMgrN.exe -n QB_DAYLENE_17 -qs -gd ALL -gk all -gp 4096 -gu all -ch 64M -c 32M -x tcpip(BroadcastListener=NO;port=10172) -ti 0 -ec simple -ct- -qi -qw -tl 120 -oe C:\DOCUME~1\SUPERV~1\LOCALS~1\APPLIC~1\Intuit\QUICKB~1\Log\DBSTAR~1.LOG -y
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [madoboros] Rundll32.exe "c:\windows\system32\zuziberi.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.westlaw.com
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203913440765
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c1/v21.101/qboax10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4467DD2F-5713-437D-8E6C-F8886FF5A3A3}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{4467DD2F-5713-437D-8E6C-F8886FF5A3A3}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS3\Services\Tcpip\..\{4467DD2F-5713-437D-8E6C-F8886FF5A3A3}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
O20 - AppInit_DLLs: c:\windows\system32\fifugiku.dll c:\windows\system32\zuziberi.dll,tidadegi.dll
O21 - SSODL: wavunezoy - {88b9dfb1-4e12-462f-89a0-3c2ea5d68809} - c:\windows\system32\zuziberi.dll
O21 - SSODL: detafemoy - {97f09718-5dce-4791-ab67-30747b9c7c36} - c:\windows\system32\zuziberi.dll
O21 - SSODL: nolazorir - {ec0933ef-fdc8-46b5-a69e-78bcc5205a83} - c:\windows\system32\zuziberi.dll
O21 - SSODL: wisizihim - {ba5b202f-197e-4bbd-9c8e-79087c63b0e5} - c:\windows\system32\zuziberi.dll
O21 - SSODL: yinuzevoz - {4ce38ed1-4ac3-4b2f-9f16-f8138a7cfa85} - c:\windows\system32\zuziberi.dll
O21 - SSODL: nenudusus - {8a455b91-4e86-4687-a915-05d91556f59d} - c:\windows\system32\zuziberi.dll
O21 - SSODL: hezuminet - {cf71b090-2329-422b-8589-5bed68ba07b6} - c:\windows\system32\zuziberi.dll
O21 - SSODL: fitaronok - {0885b5c6-4ec2-4e7d-9fd4-ed741c235f31} - c:\windows\system32\zuziberi.dll
O21 - SSODL: nivemajoz - {5344aa5b-aeec-4c56-ab70-425bf978844a} - c:\windows\system32\zuziberi.dll
O21 - SSODL: wogunawap - {56b52858-64af-466d-be96-1104a94e7a22} - c:\windows\system32\zuziberi.dll
O21 - SSODL: mayigejol - {e8280449-2c6e-49e8-8f39-72383735fa4c} - c:\windows\system32\zuziberi.dll
O21 - SSODL: pivujobef - {2a4f58cb-9495-4646-8617-bf94b754234d} - c:\windows\system32\zuziberi.dll
O21 - SSODL: yulubufil - {b2d656f3-8bff-49e1-a45d-4bf0d40de2a6} - c:\windows\system32\fifugiku.dll
O22 - SharedTaskScheduler: tokatiluy - {88b9dfb1-4e12-462f-89a0-3c2ea5d68809} - c:\windows\system32\zuziberi.dll
O22 - SharedTaskScheduler: mujuzedij - {97f09718-5dce-4791-ab67-30747b9c7c36} - c:\windows\system32\zuziberi.dll
O22 - SharedTaskScheduler: jugezatag - {ec0933ef-fdc8-46b5-a69e-78bcc5205a83} - c:\windows\system32\zuziberi.dll
O22 - SharedTaskScheduler: gahurihor - {ba5b202f-197e-4bbd-9c8e-79087c63b0e5} - c:\windows\system32\zuziberi.dll
O22 - SharedTaskScheduler: gahurihor - {4ce38ed1-4ac3-4b2f-9f16-f8138a7cfa85} - c:\windows\system32\zuziberi.dll
O22 - SharedTaskScheduler: mujuzedij - {8a455b91-4e86-4687-a915-05d91556f59d} - c:\windows\system32\zuziberi.dll
O22 - SharedTaskScheduler: mujuzedij - {cf71b090-2329-422b-8589-5bed68ba07b6} - c:\windows\system32\zuziberi.dll
O22 - SharedTaskScheduler: gahurihor - {0885b5c6-4ec2-4e7d-9fd4-ed741c235f31} - c:\windows\system32\zuziberi.dll
O22 - SharedTaskScheduler: gahurihor - {5344aa5b-aeec-4c56-ab70-425bf978844a} - c:\windows\system32\zuziberi.dll
O22 - SharedTaskScheduler: jugezatag - {56b52858-64af-466d-be96-1104a94e7a22} - c:\windows\system32\zuziberi.dll
O22 - SharedTaskScheduler: tokatiluy - {e8280449-2c6e-49e8-8f39-72383735fa4c} - c:\windows\system32\zuziberi.dll
O22 - SharedTaskScheduler: gahurihor - {2a4f58cb-9495-4646-8617-bf94b754234d} - c:\windows\system32\zuziberi.dll
O22 - SharedTaskScheduler: kupuhivus - {b2d656f3-8bff-49e1-a45d-4bf0d40de2a6} - c:\windows\system32\fifugiku.dll
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\SYSTEM32\Brmfrmps.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

Hello.

• Download combofix from here
  Link 1
  Link 2
  
  1. If you are using Firefox, make sure that your download settings are as follows:
  
  * Tools->Options->Main tab
  * Set to "Always ask me where to Save the files".
  
  2. During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
  
• We need to disable your local AV (Anti-virus) before running Combofix.
  
• See HERE for how to disable your AV.
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  
  
  
• The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  
  
  
  
• Allow ComboFix to download the Recovery Console.
  
• Accept the End-User License Agreement.
  
• The Recovery Console will be installed.
  
• You will then get this next prompt that asks if you want to continue the malware scan, select yes
  
  
  
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  

The sypware won't let me go to the sites, I ~[Filtered JS Events]~ the file and transfer by usb drive??

Got ComboFix to run after many attempts:

ComboFix 10-01-16.01 - Supervisor 01/17/2010 17:57:59.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1669 [GMT -8:00]
Running from: C:\Documents and Settings\Supervisor\Desktop\Combo-Fix.exe
FW: PC Tools Firewall Plus *enabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
.
The following files were disabled during the run:
C:\WINDOWS\system32\2629NTFS.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\SUPERV~1\LOCALS~1\Temp\winlogon.exe
C:\Documents and Settings\Supervisor\Application Data\.#
C:\Documents and Settings\Supervisor\Application Data\.#\MBX@B10@DA3708.###
C:\Documents and Settings\Supervisor\Application Data\.#\MBX@B80@18E3708.###
C:\Documents and Settings\Supervisor\Application Data\AntiVirus Plus
C:\Documents and Settings\Supervisor\Application Data\AntiVirus Plus\AntiVirus Plus.70700.dll
C:\eddc.exe
C:\ifbsexlt.exe
C:\jsykm.exe
C:\jvbfrms.exe
C:\p2hhr.bat
C:\WINDOWS\msa.exe
C:\WINDOWS\msb.exe
C:\WINDOWS\run.log
C:\WINDOWS\system32\buvoyaki.dll
C:\WINDOWS\system32\bvj2fcv.dll
C:\WINDOWS\system32\comrepl.exe
C:\WINDOWS\system32\drivers\H8SRTgaatufnwtk.sys
C:\WINDOWS\system32\flags.ini
C:\WINDOWS\system32\fuweyuni.dll
C:\WINDOWS\system32\gujayiwo.dll
C:\WINDOWS\system32\H8SRTemtinqnnxi.dll
C:\WINDOWS\system32\H8SRTfrnpbevyod.dll
C:\WINDOWS\system32\h8srtkrl32mainweq.dll
C:\WINDOWS\system32\H8SRTlxeufdsldb.dll
C:\WINDOWS\system32\H8SRTolaokfcxsm.dat
C:\WINDOWS\system32\H8SRTrdxltcmscd.dll
C:\WINDOWS\system32\h8srtshsyst.dll
C:\WINDOWS\system32\helper32.dll
C:\WINDOWS\system32\Iasv32.dll
C:\WINDOWS\system32\IS15.exe
C:\WINDOWS\system32\kbdsock.dll
C:\WINDOWS\system32\kugakedu.dll
C:\WINDOWS\system32\mshlps.dll
C:\WINDOWS\system32\pewodaju.dll
C:\WINDOWS\system32\pofusido.dll
C:\WINDOWS\system32\smss32.exe
C:\WINDOWS\system32\sshnas21.dll
C:\WINDOWS\system32\uses32.dat
C:\WINDOWS\system32\warning.html
C:\WINDOWS\system32\winlogon32.exe
C:\WINDOWS\system32\xa.tmp
c:\windows\system32\zuziberi.dll
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
C:\WINDOWS\Tasks\gijqcqga.job
C:\wkomr.exe

Infected copy of C:\WINDOWS\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys
-------\Legacy_IAS
-------\Legacy_IPRIP
-------\Legacy_SSHNAS
-------\Service_Ias
-------\Service_Iprip
-------\Service_SSHNAS


((((((((((((((((((((((((( Files Created from 2009-12-18 to 2010-01-18 )))))))))))))))))))))))))))))))
.


.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\WINDOWS\system32\mswsock.dll ... is infected !!



((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.


--- Other Services/Drivers In Memory ---


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
.
.
------- Supplementary Scan -------
.
.

**************************************************************************
scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...



scan completed successfully
hȋdden files:

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74a0852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Intel(R) PRO/1000 GT Desktop Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf7438bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7445a21
SendHandler -> NDIS.sys @ 0xf742387b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
------------------------ Other Running Processes ------------------------
.
.
**************************************************************************
.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Hello.
This machine is badly infected, I'm not sure it can be saved, but I can try.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
  
• Copy the content of the following codebox into the main textfield:
  

  Code:

  
:filefind
mswsock.dll

  
  
  
• Click the Look button to start the scan.
  
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  

Note: The log can also be found on your Desktop entitled SystemLook.txt

Results of the scan:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 15:33 on 18/01/2010 by Supervisor (Administrator - Elevation successful)

========== filefind ==========

Searching for "mswsock.dll"
C:\I386\MSWSOCK.DLL --a--c 228352 bytes [23:43 25/06/2004] [10:00 29/08/2002] 18A8BE5A66B93F9C9615F7D4C148EDE2
C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\mswsock.dll --a--c 245248 bytes [17:36 20/06/2008] [17:36 20/06/2008] 1DFCA7713EA5A70D5D93B436AEA0317A
C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\mswsock.dll --a--c 245248 bytes [17:46 20/06/2008] [17:46 20/06/2008] 832E4DD8964AB7ACC880B2837CB1ED20
C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\mswsock.dll --a--c 245248 bytes [17:43 20/06/2008] [17:43 20/06/2008] FCEE5FCB99F7C724593365C706D28388
C:\WINDOWS\$NtServicePackUninstall$\mswsock.dll -----c 245248 bytes [15:05 13/11/2008] [17:41 20/06/2008] 097722F235A1FB698BF9234E01B52637
C:\WINDOWS\ServicePackFiles\i386\mswsock.dll -----c 245248 bytes [07:56 04/08/2004] [00:12 14/04/2008] B4138E99236F0F57D4CF49BAE98A0746
C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll -----c 245248 bytes [17:46 20/06/2008] [17:46 20/06/2008] 832E4DD8964AB7ACC880B2837CB1ED20
C:\WINDOWS\SYSTEM32\mswsock.dll --a--- 245248 bytes [10:00 29/08/2002] [17:46 20/06/2008] 832E4DD8964AB7ACC880B2837CB1ED20

-=End Of File=-

Hello.

1. Close any open browsers.
   
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   
3. Open notepad and copy/paste the text in the quotebox below into it:
   

   
   FCopy::
   C:\WINDOWS\$NtServicePackUninstall$\mswsock.dll | C:\WINDOWS\SYSTEM32\mswsock.dll
   

   
   
4. Save this as CFScript.txt, in the same location as ComboFix.exe
   
   
   
   
5. Referring to the picture above, drag CFScript into ComboFix.exe
   
6. When finished, it shall produce a log for you at C:\ComboFix.txt
   
7. Please post the contents of the log in your next reply.
   

Scan Results

ComboFix 10-01-19.02 - Supervisor 01/19/2010 17:06:46.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1653 [GMT -8:00]
Running from: c:\documents and settings\Supervisor\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Supervisor\Desktop\CFScript.txt
FW: PC Tools Firewall Plus *disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ndisdrv.sys

.
--------------- FCopy ---------------

c:\windows\$NtServicePackUninstall$\mswsock.dll --> c:\windows\SYSTEM32\mswsock.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ndisdrv
-------\Service_ndisdrv


((((((((((((((((((((((((( Files Created from 2009-12-20 to 2010-01-20 )))))))))))))))))))))))))))))))
.

2010-01-20 01:12 . 2010-01-20 01:15 -------- d-----w- c:\windows\LastGood
2010-01-18 01:05 . 2010-01-20 01:15 756736 ----a-w- c:\windows\system32\drivers\aec.sys
2010-01-18 01:05 . 2010-01-18 01:05 22016 ----a-w- C:\sbjolvsw.exe
2010-01-16 05:13 . 2010-01-16 05:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-16 05:13 . 2010-01-16 05:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-16 05:11 . 2010-01-16 05:11 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-16 03:31 . 2010-01-16 03:31 -------- d-----w- C:\EmergencyUtils
2010-01-16 03:29 . 2010-01-16 03:29 -------- d-----w- C:\Downloads
2010-01-16 00:33 . 2010-01-16 02:34 -------- d-----w- c:\program files\Windows Live Safety Center
2010-01-15 21:04 . 2010-01-15 21:04 -------- d-----w- c:\documents and settings\Supervisor\Application Data\PCToolsFirewallPlus
2010-01-15 20:56 . 2009-11-23 21:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-01-15 20:56 . 2009-11-09 19:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-01-15 20:56 . 2010-01-18 02:16 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-01-15 20:56 . 2010-01-18 02:16 58816 ----a-w- c:\windows\system32\drivers\pctNdis.sys
2010-01-15 20:56 . 2010-01-18 02:16 70664 ----a-w- c:\windows\system32\drivers\pctNdis-PacketFilter.sys
2010-01-15 20:56 . 2010-01-18 02:16 32680 ----a-w- c:\windows\system32\drivers\pctNdis-DNS.sys
2010-01-15 20:56 . 2010-01-15 20:56 -------- d-----w- c:\program files\Common Files\PC Tools
2010-01-15 20:56 . 2010-01-18 02:16 115216 ----a-w- c:\windows\system32\drivers\pctplfw.sys
2010-01-15 20:55 . 2010-01-18 02:17 -------- d-----w- c:\program files\PC Tools Firewall Plus
2010-01-15 19:58 . 2010-01-15 19:59 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-01-15 06:19 . 2009-06-17 19:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-15 06:19 . 2010-01-15 15:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-15 06:19 . 2009-06-17 19:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-14 23:53 . 2010-01-14 23:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-01-14 23:44 . 2010-01-14 23:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\SealedMedia
2010-01-14 06:03 . 2010-01-14 06:03 -------- d-----w- c:\program files\WinPcap
2010-01-14 04:49 . 2010-01-14 05:38 -------- d-----w- c:\program files\Wise Registry Cleaner
2010-01-11 18:57 . 2010-01-11 18:57 -------- d-----w- c:\program files\Alwil Software
2010-01-11 18:35 . 2010-01-11 18:35 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE
2010-01-07 21:42 . 2010-01-07 21:42 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-01-07 21:42 . 2010-01-15 20:07 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-24 02:56 . 2010-01-12 16:43 -------- d-----w- c:\program files\CCleaner
2009-12-22 17:33 . 2009-12-22 17:33 -------- d--h--w- c:\windows\PIF
2009-12-21 21:28 . 2009-12-21 21:28 -------- d-----w- c:\program files\Trend Micro
2009-12-21 21:15 . 2009-12-21 21:15 -------- d-----w- c:\documents and settings\Supervisor\Application Data\Malwarebytes
2009-12-21 21:15 . 2009-12-21 21:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-20 01:14 . 2009-12-11 22:42 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-20 00:28 . 2008-06-21 23:07 -------- d-----w- c:\program files\LogMeIn
2010-01-18 01:05 . 2010-01-18 01:05 40960 ----a-w- c:\windows\system32\info.tmp
2010-01-16 02:55 . 2009-12-02 08:23 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-01-08 08:01 . 1980-01-01 05:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-01-07 17:12 . 2008-03-06 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2010-01-06 07:24 . 2009-12-11 22:09 -------- d-----w- c:\program files\MyDefrag v4.2.6
2010-01-04 19:52 . 2008-03-03 23:43 30706 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\qbbackup.sys
2009-12-31 18:10 . 2009-07-08 05:19 15232 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys
2009-12-29 17:16 . 2009-12-29 17:16 211720 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
2009-12-29 17:16 . 2009-12-29 17:16 2151728 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\iAnywhere.Data.SQLAnywhere.dll
2009-12-29 17:16 . 2009-12-29 17:16 850736 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\dblgen11.dll
2009-12-29 17:16 . 2009-12-29 17:16 1092872 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManager.exe
2009-12-24 18:10 . 2008-02-25 06:48 84488 -c--a-w- c:\documents and settings\Supervisor\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-21 17:59 . 2008-04-06 21:48 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-12-18 21:28 . 2009-07-16 18:33 869664 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\DownloadQB19\Patch\qbpatch.exe
2009-12-11 22:05 . 2008-03-04 23:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-12-11 22:05 . 2008-03-04 23:56 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-10 17:44 . 2009-12-10 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-12-10 06:34 . 2009-12-10 06:34 -------- d-----w- c:\program files\Microsoft.NET
2009-12-09 23:51 . 2009-12-09 23:51 -------- d-----w- c:\program files\Windows Media Connect 2
2009-12-02 07:46 . 2009-03-03 23:45 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-30 20:28 . 2009-03-04 16:05 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-11-21 15:51 . 2002-08-29 10:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-09 14:45 . 2009-11-09 14:45 152576 ----a-w- c:\documents and settings\Supervisor\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-09 14:41 . 2009-11-09 14:41 79488 ----a-w- c:\documents and settings\Supervisor\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-06 15:57 . 2009-08-12 15:59 570672 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlhttps10.dll
2009-11-06 15:57 . 2009-08-12 15:59 496944 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlrsa10.dll
2009-11-06 15:57 . 2009-08-12 15:59 296240 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlsock10.dll
2009-11-06 15:57 . 2009-08-12 15:59 263472 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlcrsa10.dll
2009-11-06 15:57 . 2009-08-12 15:59 787760 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dblgen10.dll
2009-11-06 15:57 . 2009-08-12 15:59 763184 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dblib10.dll
2009-11-06 15:57 . 2009-08-12 15:59 423216 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbmlsync.exe
2009-11-06 15:57 . 2009-08-12 15:59 398640 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbcon10.dll
2009-11-06 15:57 . 2009-08-12 15:59 1152304 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbtool10.dll
2009-10-29 07:46 . 2006-06-23 18:33 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-04 07:56 78336 ------w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2002-08-29 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
2005-12-05 16:15 . 2008-03-03 15:23 19025408 -c--a-w- c:\program files\Common Files\TaxWise Workstation.msi
2005-04-25 22:41 . 2008-03-03 15:36 18448384 -c--a-w- c:\program files\Common Files\TaxWise Workstation Setup.msi
2009-01-20 17:03 . 2009-12-11 16:19 16384 ----a-w- c:\program files\mozilla firefox\components\TMFFTB.dll
1601-01-01 00:03 . 1601-01-01 00:03 61440 --sha-w- c:\windows\SYSTEM32\bafuvisi.dll
1601-01-01 00:03 . 1601-01-01 00:03 61440 --sha-w- c:\windows\SYSTEM32\fifiteko.dll
1601-01-01 00:03 . 1601-01-01 00:03 91648 --sha-w- c:\windows\SYSTEM32\fifugiku.dll
1601-01-01 00:03 . 1601-01-01 00:03 93184 --sha-w- c:\windows\SYSTEM32\papuwiyi.dll
1601-01-01 00:03 . 1601-01-01 00:03 91136 --sha-w- c:\windows\SYSTEM32\vojedayu.dll
1601-01-01 00:03 . 1601-01-01 00:03 92672 --sha-w- c:\windows\SYSTEM32\wopohaba.dll
.

------- Sigcheck -------

[-] 2010-01-20 01:18 . !HASH: COULD NOT OPEN FILE !!!!! . 756736 . . [------] . . c:\windows\SYSTEM32\DRIVERS\aec.sys
[-] 2008-04-13 16:39 . !HASH: COULD NOT OPEN FILE !!!!! . 142592 . . [------] . . c:\windows\ServicePackFiles\i386\aec.sys
[-] 2006-02-15 00:30 . !HASH: COULD NOT OPEN FILE !!!!! . 142464 . . [------] . . c:\windows\$hf_mig$\KB900485\SP2QFE\aec.sys
[-] 2006-02-15 00:22 . !HASH: COULD NOT OPEN FILE !!!!! . 142464 . . [------] . . c:\windows\$NtServicePackUninstall$\aec.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2009-12-21 1803064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefPrt"="c:\program files\Brother\Brmflp03\BrStDvPt.exe" [2003-03-29 45056]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-02-28 63048]
"QuickBooksDB17"="c:\program files\Intuit\QuickBooks 2007\QBDBMgrN.exe" [2006-09-13 128536]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2010-01-18 3168216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-12-10 984352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-01 16:16 87352 ----a-w- c:\windows\SYSTEM32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2004-04-14 23:04 40960 ----a-w- c:\program files\Scansoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2004-04-14 22:46 57393 ----a-w- c:\program files\Scansoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\USMT\\migwiz.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\WINDOWS\\SYSTEM32\\dfrgntfs.exe"=
"c:\\Program Files\\Adobe\\Acrobat 8.0\\Acrobat\\Acrodist.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 pctgntdi;pctgntdi;c:\windows\SYSTEM32\DRIVERS\pctgntdi.sys [1/15/2010 12:56 PM 233136]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\SYSTEM32\DRIVERS\LMIRfsDriver.sys [2/29/2008 4:34 PM 47640]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\SYSTEM32\DRIVERS\PCTAppEvent.sys [1/15/2010 12:56 PM 88040]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\SYSTEM32\DRIVERS\pctNdis-PacketFilter.sys [1/15/2010 12:56 PM 70664]
R3 pctNDIS;PC Tools Driver;c:\windows\SYSTEM32\DRIVERS\pctNdis.sys [1/15/2010 12:56 PM 58816]
S1 dvkifzvm;dvkifzvm;\??\c:\windows\system32\drivers\dvkifzvm.sys --> c:\windows\system32\drivers\dvkifzvm.sys [?]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2/28/2008 3:31 PM 12856]
S3 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]
S3 brfilt;Brother MFC Filter Driver;c:\windows\SYSTEM32\DRIVERS\BrFilt.sys [2/29/2008 2:40 PM 2944]
S3 BrSerWDM;Brother WDM Serial driver;c:\windows\SYSTEM32\DRIVERS\BrSerWdm.sys [2/29/2008 2:39 PM 61952]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\SYSTEM32\DRIVERS\BrUsbMdm.sys [2/29/2008 2:40 PM 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\SYSTEM32\DRIVERS\BrUsbScn.sys [2/29/2008 2:40 PM 10368]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\SYSTEM32\DRIVERS\npf.sys [11/6/2007 12:22 PM 34064]
S3 PCTFW-DNS;PCTools Firewall - DNS driver;c:\windows\SYSTEM32\DRIVERS\pctNdis-DNS.sys [1/15/2010 12:56 PM 32680]
S3 pctplfw;pctplfw;c:\windows\SYSTEM32\DRIVERS\pctplfw.sys [1/15/2010 12:56 PM 115216]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 QuickBooksDB17;QuickBooksDB17;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB17 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB17 [?]
S4 QuickBooksDB19;QuickBooksDB19;c:\progra~1\Intuit\QUICKB~3\QBDBMgrN.exe -hvQuickBooksDB19 --> c:\progra~1\Intuit\QUICKB~3\QBDBMgrN.exe -hvQuickBooksDB19 [?]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\www.update
Trusted Zone: westlaw.com
TCP: {4467DD2F-5713-437D-8E6C-F8886FF5A3A3} = 208.67.222.222,208.67.220.220
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
FF - ProfilePath - c:\documents and settings\Supervisor\Application Data\Mozilla\Firefox\Profiles\1iw8kveg.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.paycycle.com/in/todo/default.jsp
FF - component: c:\program files\Mozilla Firefox\components\TMFFTB.dll
FF - hȋdden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-19 17:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aec]
"ImagePath"="system32\drivers\aec.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1184)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(2928)
c:\windows\system32\WININET.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\Brmfrmps.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\tcpsvcs.exe
c:\windows\System32\snmp.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-19 17:19:34 - machine was rebooted


ComboFix-quarantined-files.txt 2010-01-20 01:19
ComboFix2.txt 2010-01-20 00:45

Pre-Run: 22,064,885,760 bytes free
Post-Run: 22,024,716,288 bytes free

Current=1 Default=1 Failed=4 LastKnownGood=3 Sets=1,2,3,4
- - End Of File - - 12453EC484EF7802CE8CB9B78C74C3CC

Hello.

• Double-click SystemLook.exe to run it again.
  
• Copy the content of the following codebox into the main textfield:
  

  Code:

  
:filefind
aec.sys

  
  
  
• Click the Look button to start the scan.
  
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  

Note: The log can also be found on your Desktop entitled SystemLook.txt

Scan Results:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 16:32 on 20/01/2010 by Supervisor (Administrator - Elevation successful)

========== filefind ==========

Searching for "aec.sys"
C:\I386\aec.sys --a--c 142208 bytes [23:40 25/06/2004] [04:16 29/08/2002] (Unable to calculate MD5)
C:\WINDOWS\$hf_mig$\KB900485\SP2QFE\aec.sys --a--c 142464 bytes [00:30 15/02/2006] [00:30 15/02/2006] (Unable to calculate MD5)
C:\WINDOWS\$NtServicePackUninstall$\aec.sys -----c 142464 bytes [15:05 13/11/2008] [00:22 15/02/2006] (Unable to calculate MD5)
C:\WINDOWS\ServicePackFiles\i386\aec.sys -----c 142592 bytes [05:39 04/08/2004] [16:39 13/04/2008] (Unable to calculate MD5)
C:\WINDOWS\SYSTEM32\DRIVERS\aec.sys --a--- 756736 bytes [01:05 18/01/2010] [00:33 21/01/2010] (Unable to calculate MD5)

-=End Of File=-

I found the file but, the scanner says the file is empty and it won't upload it.

Hello.

Please download the OTMoveIt by OldTimer.

• Save it to your desktop.
  
• Please double-click OTM.exe to run it.
  
• Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  
  :files
  C:\sbjolvsw.exe
  c:\windows\SYSTEM32\bafuvisi.dll
  c:\windows\SYSTEM32\fifiteko.dll
  c:\windows\SYSTEM32\fifugiku.dll
  c:\windows\SYSTEM32\papuwiyi.dll
  c:\windows\SYSTEM32\vojedayu.dll
  c:\windows\SYSTEM32\wopohaba.dll
  
  
  
  
• Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  
• Click the red Moveit! button.
  
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  
• Close OTMoveIt
  

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

Scan Results

========== FILES ==========
C:\sbjolvsw.exe moved successfully.
DllUnregisterServer procedure not found in c:\windows\SYSTEM32\bafuvisi.dll
c:\windows\SYSTEM32\bafuvisi.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\SYSTEM32\fifiteko.dll
c:\windows\SYSTEM32\fifiteko.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\SYSTEM32\fifugiku.dll
c:\windows\SYSTEM32\fifugiku.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\SYSTEM32\papuwiyi.dll
c:\windows\SYSTEM32\papuwiyi.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\SYSTEM32\vojedayu.dll
c:\windows\SYSTEM32\vojedayu.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\SYSTEM32\wopohaba.dll
c:\windows\SYSTEM32\wopohaba.dll moved successfully.

OTM by OldTimer - Version 3.1.6.0 log created on 01212010_154335

We can remove OTMoveIt now.

• Please double-click OTM.exe to run it again.
  
• Press the green CleanUp! button.
  
• Press Yes cleanup process prompt, do the same for the reboot prompt.
  

How is the machine running now?

The machine appears to be running well, the windows update sheild even popped up. how do I remove systemlook and what is a good antivirus program to run?? Thank you for your help

You can just right click > Delete for SystemLook.

Please install Avira antivirus otherwise you won't be protected.

1) Antivir PersonalEditionClassic
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

After I install the anti virus program, can I go ahead and do the windows updates? Thanks again for your help.

Yep, you can. ^^

I'm Doing the windows updates now.

Okay, let me know how it goes.

The updates went well, no problems, computer seems to be running well.

Okay, this should be fine now.

Thank you again for your help