I did a few things today. I downloaded a squared as suggested and scanned. Very interestingly, it identified the following:

C:\GameXP\GameXP.exe\[UPX] -> Win32:DyfucDldr-AC [Trj]
and traces of Kazaa

Game XP I have been using for a long time from www.theorica.net, but I never ever downloaded Kazaa. I do a Google on DyfucDldr-AC and find nothing, so I remove AC and find not much, and finally Dyfuc comes up blank. What is this thing?

Thanks SirDice, a few of those I was able to account for, such as PcPitstop, a site I use for checking my system status. But others I could not, so I just removed them, thanks.

When I had the malware infection a few days ago, I suspected it was Win32:Small-FB, since the file in startup, dmefq.exe, scanned with http://virusscan.jotti.org showed up as Small-FB. I was never able to find a remover, so I performed manual cleaning. The problem with DNS redirecting me to search sites vanished.

When I attempted safe mode, a message was displayed to press Esc to cancel loading of SPTD.sys, then the Welcome screen appears, I attempt to type my password and the computer reboots. Cannot get into safe mode. I'll have more work to do.

So I go to Norton's online virus scan, and it comes up empty, no viruses found, and the security check came up with no problems. For RootKitRevealer, dalek kindly identified 3 of the entries, indeed I had Alcohol, but I only drink cola... So the other entries were:

HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\s0 12/14/2005 5:28 PM 4 bytes Hidden from Windows API.

And there I see it, SPTD, the same name that cropped up in safe mode. It appears to be SCSI Pass Through Detect, that the darn Daemon Tools left behind. So I find an uninstaller for SPTD and remove it.

Much better, my latest scan on RootKitRevealer:

HKLM\S-1-5-21-73586283-1935655697-839522115-1003\Software\BufferZone\Virtual\Untrusted\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\fcbfrf\Zl Qbphzragf\Qb 2/20/2006 12:32 PM 16 bytes Hidden from Windows API.

HKLM\S-1-5-21-73586283-1935655697-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\fcbfrf\Zl Qbphzragf\Qbjaybnqf\(cp tnzr) Lrgvfcbeg Cneg 1-6 B 2/20/2006 7:18 PM 16 bytes Hidden from Windows API.

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 2/20/2006 7:18 PM 80 bytes Data mismatch between Windows API and raw hive data.

So the first two are my new security program BufferZone (sandbox) and the last one:

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed

Suspicious, is it a Random Number Generator seed value of some sort?

Everything else appears clean now.

One more question: I was hesitant on installing SP2 because of the reported problems with programs, games and port blocking. Are there known workarounds for these problems, or have they already been solved?
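
Added example, not part of the original post: the value names under UserAssist\{GUID}\Count in the RootKitRevealer output above look scrambled because Windows Explorer stores them ROT13-encoded. The Python below parses such report lines and decodes those names; the function names and regular expressions are assumptions of this example, and the sample lines are the post's own entries joined back onto one line each.

```python
import codecs
import re

# RootkitRevealer registry line: <path> <M/D/YYYY h:mm AM|PM> <N> bytes <description>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<size>\d+) bytes\s+(?P<desc>.+)$"
)
# Explorer stores value names under UserAssist\{GUID}\Count ROT13-encoded.
USERASSIST_RE = re.compile(r"\\UserAssist\\\{[0-9A-Fa-f-]+\}\\Count\\(?P<name>.+)$")

# Entries from the post, each joined back onto a single line.
SAMPLE = [
    r"HKLM\S-1-5-21-73586283-1935655697-839522115-1003\Software\BufferZone\Virtual"
    r"\Untrusted\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
    r"\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq "
    r"Frggvatf\fcbfrf\Zl Qbphzragf\Qb 2/20/2006 12:32 PM 16 bytes Hidden from Windows API.",
    r"HKLM\S-1-5-21-73586283-1935655697-839522115-1003\Software\Microsoft\Windows"
    r"\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count"
    r"\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\fcbfrf\Zl Qbphzragf\Qbjaybnqf\(cp tnzr) "
    r"Lrgvfcbeg Cneg 1-6 B 2/20/2006 7:18 PM 16 bytes Hidden from Windows API.",
    r"HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 2/20/2006 7:18 PM 80 bytes "
    r"Data mismatch between Windows API and raw hive data.",
]

def parse_line(line):
    """Split one report line into fields; decode a UserAssist value name if present."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None  # blank line or free text, not a registry discrepancy
    entry = m.groupdict()
    entry["size"] = int(entry["size"])
    ua = USERASSIST_RE.search(entry["path"])
    # ROT13 only rotates A-Z/a-z; digits, ':' and '\' pass through unchanged.
    entry["decoded"] = codecs.decode(ua.group("name"), "rot13") if ua else None
    return entry

def decode_report(lines):
    """Parse every recognisable line, skipping anything that is not an entry."""
    return [e for e in map(parse_line, lines) if e is not None]

if __name__ == "__main__":
    for e in decode_report(SAMPLE):
        print(e["when"], e["size"], "bytes:", e["desc"])
        print("   ", e["decoded"] or e["path"])
```
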