
Infected With "Spy-Net RAT"



LearnToLive
2009-10-18, 21:49
Currently my computer has been acting up, such as slowing down to a dreadful speed, random resets, typing lag, and also when I log in something about Preferences pops up, saying loading C:\windows\system32\winlogo\SPY_NET_RAT.exe. Luckily I knew what a RAT is and I read a few posts and downloaded Spybot, but still nothing happened; when I use another anti-malware such as Malwarebytes or RootAnalyzer (I believe that's the name) it either ends or it doesn't delete the infection.

Also, I'm running Spybot as I type this... it's on "Silent Guard".
I'm running Windows XP, and also every 6 mins give or take a pop-up from Spybot says

Category: System Startup global entry
Change: Value Added
_________
Entry: SpybotDeletingC6259
_________
Old Data:
New data: cmd.exe /c del "C:\WINDOWS\Prefetch\SPY..."


Thanks, any help would be most appreciated
- LiveToLearn

Oh Sorry, Here is my HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:52:44 PM, on 10/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hotspot Shield\bin\openvpntray.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Susan\Desktop\Anti Virus\RootAlyzer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Runescape Membership PIN Generator.exe] C:\Windows\
O4 - HKLM\..\Run: [SPY_NET_RAT] C:\WINDOWS\system32\winlogo\SPY_NET_RAT.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [SpybotDeletingA9575] command.com /c del "C:\WINDOWS\Prefetch\SPY_NET_RAT.EXE-044EFF70.pf"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6259] cmd.exe /c del "C:\WINDOWS\Prefetch\SPY_NET_RAT.EXE-044EFF70.pf"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SPY_NET_RAT] C:\WINDOWS\system32\winlogo\SPY_NET_RAT.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB3284] command.com /c del "C:\WINDOWS\Prefetch\SPY_NET_RAT.EXE-044EFF70.pf"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5889] cmd.exe /c del "C:\WINDOWS\Prefetch\SPY_NET_RAT.EXE-044EFF70.pf"
O4 - HKLM\..\Policies\Explorer\Run: [Policies] C:\WINDOWS\system32\winlogo\SPY_NET_RAT.exe
O4 - HKCU\..\Policies\Explorer\Run: [Policies] C:\WINDOWS\system32\winlogo\SPY_NET_RAT.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1801674531-484763869-2147110713-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Owner')
O4 - HKUS\S-1-5-21-1801674531-484763869-2147110713-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Caitlyn')
O4 - HKUS\S-1-5-21-1801674531-484763869-2147110713-1005\..\Policies\Explorer\Run: [Policies] C:\WINDOWS\system32\winlogo\SPY_NET_RAT.exe (User 'Caitlyn')
O4 - HKUS\S-1-5-21-1801674531-484763869-2147110713-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'CJ')
O4 - HKUS\S-1-5-21-1801674531-484763869-2147110713-1006\..\Policies\Explorer\Run: [Policies] C:\WINDOWS\system32\winlogo\SPY_NET_RAT.exe (User 'CJ')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - S-1-5-21-1801674531-484763869-2147110713-1005 Startup: FrostWire On Startup.lnk = C:\Program Files\FrostWire\FrostWire.exe (User 'Caitlyn')
O4 - S-1-5-21-1801674531-484763869-2147110713-1005 User Startup: FrostWire On Startup.lnk = C:\Program Files\FrostWire\FrostWire.exe (User 'Caitlyn')
O4 - S-1-5-21-1801674531-484763869-2147110713-1006 Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe (User 'CJ')
O4 - S-1-5-21-1801674531-484763869-2147110713-1006 User Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe (User 'CJ')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: Hotspot Shield Routing Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 8991 bytes

shelf life
2009-10-19, 23:51
Hi,

Did you install this packet capture library? Sometimes networking tools can install it, but I don't see any of that in your log:

C:\Program Files\WinPcap

I will guess no, so you can remove it via the Add/Remove Programs panel.
Reboot machine after the uninstall.

To show all files do this:
For XP: on the desktop double-click My Computer, go to Tools > Folder Options > View, then select "Show hidden files and folders", then UNcheck "Hide protected operating system files", also UNcheck "Hide extensions for known file types", click Apply to All Folders, Apply, then OK.

Next, using Explorer navigate to:
C:\windows\system32

See if you can spot a folder called: winlogo
Inside the folder may be the SPY_NET_RAT.exe.

If it's there I would like a copy of it to play with:
You can click the link below, browse for the file again on your computer, then click the send file button to upload it to the website.

http://www.bleepingcomputer.com/submit-malware.php?channel=67

Once it's uploaded to the website you can delete the entire winlogo folder.

If you can't find the folder/file or the .exe isn't in the folder then don't worry about it.

LAST: First disable Spybot's TeaTimer so it doesn't interfere with HJT:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

NEXT:

Start HJT, click the "Scan" button, check the items below, close any open windows, then click "Fix checked":

O4 - HKLM\..\Run: [SPY_NET_RAT] C:\WINDOWS\system32\winlogo\SPY_NET_RAT.exe

O4 - HKLM\..\Policies\Explorer\Run: [Policies] C:\WINDOWS\system32\winlogo\SPY_NET_RAT.exe

O4 - HKCU\..\Policies\Explorer\Run: [Policies] C:\WINDOWS\system32\winlogo\SPY_NET_RAT.exe

O4 - HKUS\S-1-5-21-1801674531-484763869-2147110713-1005\..\Policies\Explorer\Run: [Policies] C:\WINDOWS\system32\winlogo\SPY_NET_RAT.exe (User 'Caitlyn')

O4 - HKUS\S-1-5-21-1801674531-484763869-2147110713-1006\..\Policies\Explorer\Run: [Policies] C:\WINDOWS\system32\winlogo\SPY_NET_RAT.exe (User 'CJ')

Reboot one final time, rescan and post a new HJT log.
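The five entries the helper asks to fix are the O4 (autostart) lines from the log in the first post that launch the binary in the winlogo folder. As an added example, not part of the thread and not a HijackThis or Spybot tool, the Python below parses O4 lines of both shapes HijackThis prints (registry Run/RunOnce/Policies\Explorer\Run values and Startup-folder shortcuts), expands the `\..\` shorthand to the full `Software\Microsoft\Windows\CurrentVersion` path, flags every entry whose executable is the suspect file, and emits the `reg delete` commands that would remove those values. The sample lines are copied from the posted log and embedded as a constructed sample; the suspect file name is the one from the thread.

```python
"""Parse HijackThis O4 (autostart) lines, flag the ones that launch a suspect
binary, and turn them into reg.exe cleanup commands.  Added example; the
sample lines below are copied from the log posted in this thread."""
import re

# Registry-backed O4 entries.  HJT abbreviates
# Software\Microsoft\Windows\CurrentVersion as "..".
REG_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>[^:]+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# Startup-folder O4 entries (Global Startup, per-user Startup / User Startup).
STARTUP_RE = re.compile(
    r"^O4 - (?P<where>Global Startup|S-[\d-]+ (?:User )?Startup): "
    r"(?P<name>.+?) = (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)

# Constructed sample: O4 lines taken from the HJT log in the first post.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SPY_NET_RAT] C:\WINDOWS\system32\winlogo\SPY_NET_RAT.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingC6259] cmd.exe /c del "C:\WINDOWS\Prefetch\SPY_NET_RAT.EXE-044EFF70.pf"
O4 - HKCU\..\Run: [SPY_NET_RAT] C:\WINDOWS\system32\winlogo\SPY_NET_RAT.exe
O4 - HKLM\..\Policies\Explorer\Run: [Policies] C:\WINDOWS\system32\winlogo\SPY_NET_RAT.exe
O4 - HKCU\..\Policies\Explorer\Run: [Policies] C:\WINDOWS\system32\winlogo\SPY_NET_RAT.exe
O4 - HKUS\S-1-5-21-1801674531-484763869-2147110713-1005\..\Policies\Explorer\Run: [Policies] C:\WINDOWS\system32\winlogo\SPY_NET_RAT.exe (User 'Caitlyn')
O4 - HKUS\S-1-5-21-1801674531-484763869-2147110713-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'CJ')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""


def parse_o4(line):
    """Return a dict describing one O4 line, or None if the line is not O4."""
    m = REG_RE.match(line)
    if m:
        full_key = (f"{m.group('hive')}\\Software\\Microsoft\\Windows"
                    f"\\CurrentVersion\\{m.group('key')}")
        return {"kind": "registry", "location": full_key,
                "name": m.group("name"), "cmd": m.group("cmd"),
                "user": m.group("user")}
    m = STARTUP_RE.match(line)
    if m:
        return {"kind": "startup-folder", "location": m.group("where"),
                "name": m.group("name"), "cmd": m.group("cmd"),
                "user": m.group("user")}
    return None


def binary_path(cmd):
    """Executable part of an autorun command line: the quoted token if the
    command starts with a quote, otherwise the first whitespace-delimited token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def flag_entries(log_text, suspect, match_whole_command=False):
    """O4 entries whose executable (or, optionally, whole command line)
    contains `suspect`, case-insensitively.  Matching on the executable keeps
    Spybot's own 'cmd.exe /c del ...SPY_NET_RAT.EXE...pf' RunOnce entries out."""
    suspect = suspect.lower()
    hits = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        haystack = entry["cmd"] if match_whole_command else binary_path(entry["cmd"])
        if suspect in haystack.lower():
            hits.append(entry)
    return hits


def fix_commands(entries):
    """reg.exe commands that delete the flagged autorun values.  reg.exe
    spells HKEY_USERS as HKU, whereas HijackThis prints HKUS."""
    cmds = []
    for e in entries:
        if e["kind"] == "registry":
            key = e["location"].replace("HKUS\\", "HKU\\", 1)
            cmds.append(f'reg delete "{key}" /v "{e["name"]}" /f')
        else:
            cmds.append(f'rem remove shortcut "{e["name"]}" from the {e["location"]} folder')
    return cmds


if __name__ == "__main__":
    hits = flag_entries(SAMPLE_LOG, "spy_net_rat.exe")
    for e in hits:
        print(f"{e['location']}  [{e['name']}]  user={e['user'] or 'n/a'}")
    print("\n".join(fix_commands(hits)))
```

Run against the sample it reports exactly the five registry values the helper lists (HKLM and HKCU Run, and Policies\Explorer\Run under HKLM, HKCU and the two per-user hives that appear in the log) and none of Spybot's RunOnce cleanup entries; passing `match_whole_command=True` shows the false positive a naive substring search over the whole line would produce. Deleting the values only removes the persistence, not the file, which is why the helper separately asks for the winlogo folder to be removed after the sample is uploaded.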