smitfraud-c, coolWWWsearch.smartsearch, nordsys.exe and others



Shadowex3
2006-12-02, 22:16
Note: I've got the Dec1-2006 update in spybot 1.4, yaye for updating.

Smitfraud-c shows up in every spybot scan but can't be fixed, even by using secure shredder to shred every file listed in its tree. Same for coolWWWsearch.smartsearch, nothing seems to get rid of it (even cwshredder). Spybot suggests the problem might be the programs are still in memory. Spysheriff gets fixed but nonetheless shows up again the next time, like win32.lager.aq and tibs.vq.

Aside from those I also have a lot of Task Manager processes that don't show up connected to anything in spybot: nordsys.exe, se.exe.exe, w.exe.exe, google.png.exe, and one or two others composed of random strings of letters and numbers. Nordsys seems to be a smart little bastard too since it keeps closing the Task Manager whenever it's open and Firefox whenever I try to go to this forum or any webpage that mentions fixing malware.

List of herculean struggles so far: many many safe mode scan-fix-reboot cycles, deleting files by shredder since by hand is undoable, crawling through the registry.


And now logs:

CoolWWWSearch.SmartSearch: Executable (File, nothing done)
C:\WINDOWS\notepad32.exe

SpySheriff: Text file (File, nothing done)
C:\WINDOWS\system32\svcp.csv

Smitfraud-C.: Executable (File, nothing done)
C:\WINDOWS\system32\taskdir.exe

Smitfraud-C.: Library (File, nothing done)
C:\WINDOWS\system32\zlbw.dll

Smitfraud-C.: Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-507921405-1972579041-725345543-1003\WindowsSubVersion

Smitfraud-C.: Web page (File, nothing done)
C:\WINDOWS\system32\winsub.xml

Tibs.vq: Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-507921405-1972579041-725345543-1003\ColorTable19

Tibs.vq: Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-507921405-1972579041-725345543-1003\ColorTable20

Smitfraud-C.: Executable (File, nothing done)
C:\WINDOWS\users32.exe

Smitfraud-C.: Executable (File, nothing done)
C:\WINDOWS\winmgnt.exe

Smitfraud-C.: Executable (File, nothing done)
C:\WINDOWS\window.exe

Smitfraud-C.: Executable (File, nothing done)
C:\WINDOWS\systemcritical.exe

Smitfraud-C.: Executable (File, nothing done)
C:\WINDOWS\time.exe

Smitfraud-C.: Executable (File, nothing done)
C:\WINDOWS\clrssn.exe

Smitfraud-C.: Executable (File, nothing done)
C:\WINDOWS\systeem.exe

Smitfraud-C.: Executable (File, nothing done)
C:\WINDOWS\wininet32.exe

Smitfraud-C.: Executable (File, nothing done)
C:\WINDOWS\dialup.exe

Smitfraud-C.: Executable (File, nothing done)
C:\WINDOWS\waol.exe

Smitfraud-C.: Executable (File, nothing done)
C:\WINDOWS\y.exe

Smitfraud-C.: Executable (File, nothing done)
C:\WINDOWS\x.exe

Smitfraud-C.: Executable (File, nothing done)
C:\WINDOWS\accesss.exe

Smitfraud-C.: Executable (File, nothing done)
C:\WINDOWS\olehelp.exe

Smitfraud-C.: Executable (File, nothing done)
C:\WINDOWS\win32e.exe

Smitfraud-C.: Executable (File, nothing done)
C:\WINDOWS\win64.exe

Smitfraud-C.: Executable (File, nothing done)
C:\WINDOWS\runwin32.exe

Win32.Lager.aq: Executable (File, nothing done)
C:\WINDOWS\system32\se.exe.exe

Win32.Lager.aq: Executable (File, nothing done)
C:\WINDOWS\system32\ss.exe.exe

Win32.Lager.aq: Executable (File, nothing done)
C:\WINDOWS\system32\w.exe.exe


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-03-19 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-12-01 Includes\Cookies.sbi (*)
2006-10-13 Includes\Dialer.sbi (*)
2006-12-01 Includes\DialerC.sbi (*)
2006-11-24 Includes\Hijackers.sbi (*)
2006-12-01 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2006-12-01 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-10-13 Includes\Malware.sbi (*)
2006-12-01 Includes\MalwareC.sbi (*)
2006-10-20 Includes\PUPS.sbi (*)
2006-12-01 Includes\PUPSC.sbi (*)
2006-12-01 Includes\Revision.sbi (*)
2006-10-13 Includes\Security.sbi (*)
2006-12-01 Includes\SecurityC.sbi (*)
2006-10-13 Includes\Spybots.sbi (*)
2006-12-01 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-12-01 Includes\Trojans.sbi (*)
2006-12-01 Includes\TrojansC.sbi (*)




Logfile of HijackThis v1.99.1
Scan saved at 3:14:14 PM, on 12/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Shadowe\Desktop\SmitfraudFix\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Burn4Free Toolbar Helper - {F8E5CA21-C27B-43e7-B2BE-4CA93C9F9A1F} - C:\Program Files\Burn4Free Toolbar\v2.0.0.5\Burn4Free_Toolbar.dll
O3 - Toolbar: Burn4Free Toolbar - {70DE7956-479D-4eb7-8641-2B45774C350E} - C:\Program Files\Burn4Free Toolbar\v2.0.0.5\Burn4Free_Toolbar.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] C:\Program Files\Creative\SBAudigy2\Program\Startup Menu\ChkColor.EXE
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.3.102.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/chuzzle/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B86E68D-997D-4743-808A-3CACCE8B5FBB}: NameServer = 195.140.140.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC09A116-8857-4AF0-9544-48D73B66ACC5}: NameServer = 195.140.140.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1C54CF6-934B-4465-A427-19BA99F0C79E}: NameServer = 195.140.140.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3EB4098-4A64-4DA3-8DF7-457D7FAE9033}: NameServer = 195.140.140.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1C583AC-5F8E-42DB-8240-3661EEAF9889}: NameServer = 195.140.140.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
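As an added example (not part of the thread, and not a Spybot or HijackThis tool), the script below runs a few reviewer-style checks over HijackThis log lines of the kind posted above: an O4 Run entry that launches straight out of the Windows or system32 directory and is not on an allowlist, the same Run entry registered under both HKLM and HKCU (as [Nord] nordsys.exe is in this log), every adapter's O17 NameServer set to the same public address (something to confirm against the ISP's DNS, not a verdict by itself), and an O23 service whose binary is reported missing. The sample lines are copied from the first log in this thread; the allowlist is a constructed two-entry placeholder, and the thresholds are illustrative.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the HijackThis log in the first post.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B86E68D-997D-4743-808A-3CACCE8B5FBB}: NameServer = 195.140.140.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC09A116-8857-4AF0-9544-48D73B66ACC5}: NameServer = 195.140.140.1
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
"""

# Line shapes used by HijackThis v1.99 for the sections checked here.
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*: NameServer = (?P<servers>[\d., ]+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.*?) - .*$")
# First drive-letter path ending in an executable-ish extension, quoted or not.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|cpl))', re.IGNORECASE)

# Directories where a bare autorun binary deserves a second look (lower-cased).
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}
# Illustrative allowlist (constructed for this example; a real analyst's list is far
# larger) of files in the posted log that belong to known vendor software.
ALLOWLIST = {"nvcpl.dll", "nvmctray.dll"}


def target_of(cmd):
    """Return the first full path in a Run command, or None if it only names a bare file."""
    m = PATH_RE.search(cmd)
    return m.group(1) if m else None


def split_path(path):
    """Split a Windows path into (directory, filename), both lower-cased."""
    directory, _, filename = path.rpartition("\\")
    return directory.lower(), filename.lower()


def analyze(log_text):
    """Return a list of (section, reason, detail) findings for review."""
    findings = []
    run_entries = defaultdict(set)   # (name, cmd) -> hives it is registered under
    nameservers = []                 # one NameServer value per adapter
    for line in log_text.strip().splitlines():
        m = O4_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            run_entries[(name, cmd)].add(m.group("hive"))
            target = target_of(cmd)
            if target:
                directory, filename = split_path(target)
                if directory in WINDOWS_DIRS and filename not in ALLOWLIST:
                    findings.append(("O4", "autorun from Windows directory, not on allowlist", target))
            continue
        m = O17_RE.match(line)
        if m:
            nameservers.append(m.group("servers").strip())
            continue
        m = O23_RE.match(line)
        if m and "(file missing)" in line:
            findings.append(("O23", "service registered but binary missing", m.group("svc")))
    # Persistence registered twice: the same entry under the machine and the user hive.
    for (name, cmd), hives in run_entries.items():
        if {"HKLM", "HKCU"} <= hives:
            findings.append(("O4", "same Run entry under HKLM and HKCU", f"[{name}] {cmd}"))
    # Identical public DNS server on every adapter: verify it is the ISP's resolver.
    if len(nameservers) > 1 and len(set(nameservers)) == 1:
        ip = ipaddress.ip_address(nameservers[0])
        if ip.is_global:
            findings.append(("O17", "every adapter uses the same public DNS server; confirm it is the ISP's", str(ip)))
    return findings


if __name__ == "__main__":
    for section, reason, detail in analyze(SAMPLE_LOG):
        print(f"{section}: {reason}: {detail}")
```

The checks are deliberately conservative: they produce items to review, and the allowlist is what keeps legitimate vendor entries such as the NVIDIA rundll32 lines out of the output. Anything flagged still needs the usual confirmation (file origin, signature, what the ISP actually hands out as DNS) before acting on it.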

Shadowex3
2006-12-03, 01:50
Thanks, I'll try those as well as Kaspersky's free version (AOL activeshield), if nothing else I can keep it under control long enough to backup my important files.

I normally wouldn't care but I just defragged >P

tashi
2006-12-03, 02:17
acevid's post removed, he is not authorized to analyse logs and offer advice in this forum.

Please see:

"BEFORE you POST" -Preliminary Steps and scanning with SPYBOT-S&D (http://forums.spybot.info/showthread.php?t=288)

Shadowex3
2006-12-03, 06:38
Please see:
"BEFORE you POST" -Preliminary Steps and scanning with SPYBOT-S&D (http://forums.spybot.info/showthread.php?t=288)


Read that before I posted.

LonnyRJones
2006-12-03, 08:14
Are there bunches of randomly named ???????.t files all over the place?
It appears you don't have an antivirus?

Run HijackThis, click >"config" then "misc tools" >"delete file on reboot"
(exact spelling counts!!! so don't browse to the files)
Copy/paste the bolded line below into the File name box, then click Open:
C:\WINDOWS\system32\nordsys.exe
Answer yes to the prompt to reboot the PC

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look whether you can click the next icon next to the files found: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif
This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (This is in case we need samples.)
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.


Run SpyBot check for and fix any problems found.

Post another new HijackThis log.

Shadowex3
2006-12-03, 19:45
CureIt didn't find anything so the option to save a log wasn't active; it seems that the Kaspersky engine is the first antivirus program that does more than just tell me I have a virus but it can't do anything.


Logfile of HijackThis v1.99.1
Scan saved at 12:42:03 PM, on 12/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Gaim\gaim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Shadowe\Desktop\SmitfraudFix\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Burn4Free Toolbar Helper - {F8E5CA21-C27B-43e7-B2BE-4CA93C9F9A1F} - C:\Program Files\Burn4Free Toolbar\v2.0.0.5\Burn4Free_Toolbar.dll
O3 - Toolbar: Burn4Free Toolbar - {70DE7956-479D-4eb7-8641-2B45774C350E} - C:\Program Files\Burn4Free Toolbar\v2.0.0.5\Burn4Free_Toolbar.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] C:\Program Files\Creative\SBAudigy2\Program\Startup Menu\ChkColor.EXE
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.3.102.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/chuzzle/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B86E68D-997D-4743-808A-3CACCE8B5FBB}: NameServer = 195.140.140.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC09A116-8857-4AF0-9544-48D73B66ACC5}: NameServer = 195.140.140.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1C54CF6-934B-4465-A427-19BA99F0C79E}: NameServer = 195.140.140.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3EB4098-4A64-4DA3-8DF7-457D7FAE9033}: NameServer = 195.140.140.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1C583AC-5F8E-42DB-8240-3661EEAF9889}: NameServer = 195.140.140.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)

LonnyRJones
2006-12-04, 01:24
Are there bunches of randomly named ???????.t files all over the place?

Might help if you answer?

it seems that the kaspersky engine is the first antivirus program that does more than just tell me I have a virus but it can't do anything.
Explain please? File names and locations.

You've been using msconfig; why was this disabled in your first logs??
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
and what else do you have disabled ?

Check for and fix any problems found with SpyBot Twice then save a results list and post it back here

Shadowex3
2006-12-07, 04:50
Apologies for taking so long to respond but I've had to reformat anyway after (stupidly) deleting half my windows folder by accident.

Lesson: Disable the #&%@ing windows hotkeys except for copy and paste.

LonnyRJones
2006-12-07, 10:01
Thanks for letting us know.

Think Prevention: Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that process about once or twice a month.

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279
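As an added example, not part of the thread and not the MVPS project's own code, the script below audits a hosts file of the kind recommended above. A blocklist-style hosts file should map every entry to 0.0.0.0 or the loopback address; an entry that sends a real hostname to some other address is the opposite pattern (a redirect) and is worth checking, since a hosts file is also a common place for a hijack to hide. The sample file content is constructed, using reserved example names and a documentation-range address.

```python
import ipaddress

# Constructed sample hosts file: the default loopback line, two MVPS-style block
# entries, and one entry that sends a hostname to a public address (the redirect pattern).
SAMPLE_HOSTS = """\
# Constructed sample, not the real MVPS file
127.0.0.1 localhost
0.0.0.0 ad.example-tracker.test
0.0.0.0 banner.example-ads.test # [trailing comment]
198.51.100.7 www.update.example
"""

# Addresses that mean "block" in a blocklist-style hosts file.
BLOCK_TARGETS = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text):
    """Return (address, hostname) pairs, ignoring comments, blank and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing or full-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        addr, *names = parts
        try:
            ipaddress.ip_address(addr)        # skip lines whose first field is not an IP
        except ValueError:
            continue
        for name in names:
            entries.append((addr, name.lower()))
    return entries


def audit_hosts(text):
    """Summarise a hosts file: how many block entries, and which entries redirect instead."""
    entries = parse_hosts(text)
    blocked = [h for a, h in entries if a in BLOCK_TARGETS and h != "localhost"]
    redirected = [(a, h) for a, h in entries if a not in BLOCK_TARGETS]
    return {"entries": len(entries), "blocked": len(blocked), "redirected": redirected}


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"{report['entries']} entries, {report['blocked']} blocked")
    for addr, host in report["redirected"]:
        print(f"review: {host} -> {addr}")
```

On a Windows machine the file to read is %SystemRoot%\system32\drivers\etc\hosts; after installing the MVPS file the "redirected" list should be empty, and a non-empty one after a fresh install is a sign that something other than you edited the file.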