Hi Steve_c
Going on the most recent OTL scan (12-7-2010), the system has been, and likely still is, heavily infested / infected.
If the filename (oflpydin) is still accessible, and you can do so, then you should upload it to VirusTotal http://www.virustotal.com/
C:\DOCUME~1\user\LOCALS~1\Temp\oflpydin.sys
- please reply and post the results here with a link to the site analysis
The infection may be sourced to WPA KILL EXE CRYPT DLL
- one of the biggest torrent indexers with more than 900000 torrents listed.
This is made apparent by the following entry
O4 - HKLM…\Run: C:\DOCUME~1\user\LOCALS~1\Temp\tmp0a014ee3\crypt_KillEXE.exe File not found
The filename in this case is [nonep] - here are some links
http://www.systemlookup.com/Startup/21910-anr1_exe.html
http://www.threatexpert.com/report.aspx?md5=062edb027adecf8f7b6f36ab083b54a8
here is a rundown of some of the extent of the infection
C:\WINDOWS{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini (file created in system known alias)
http://www.threatexpert.com/report.aspx?md5=46b485f61396f2dcfa0e65821ad3a3a8
[2010/06/25 11:31:57 | 1901,940,360 | -HS- | M] () – C:\WINDOWS\System32\aaaamonm.sys (known alias)
http://www.prevx.com/filenames/3227458260899559805-X1/ADMPARSEJ.EXE.html
further
[2009/01/27 17:57:00 | 000,002,098 | -HS- | C] () – C:\WINDOWS\System32\zogadeli.dll
[2009/01/27 17:57:00 | 000,002,098 | -HS- | C] () – C:\WINDOWS\System32\wisahiri.dll
etc…down to…
[2009/01/15 17:50:01 | 000,002,098 | -HS- | C] () – C:\WINDOWS\System32\lavusita.dll
and
[2009/01/14 17:52:57 | 000,002,098 | -HS- | C] () – C:\WINDOWS\System32\yirumuno.dll
[2009/01/14 17:52:57 | 000,002,098 | -HS- | C] () – C:\WINDOWS\System32\ruhefife.dll
etc…down to…
[2009/01/12 18:09:53 | 000,002,098 | -HS- | C] () – C:\WINDOWS\System32\hofonike.dll
this is also horrible in the systemdrive - < %SYSTEMDRIVE%*.* >
[2010/07/11 11:38:31 | 000,003,476 | -H-- | M] () – C:\aaw7boot.cmd
I post the instances only in case they might provide some clue to the best method of removal.
But to my thinking the only thing to do here is to run ComboFix or something similar.
So if I were you I would sit tight and wait for essexboy; I very much doubt if the infection can be removed manually.
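An added example, not part of the original post: a small triage helper that parses OTL file-listing lines in the shape quoted above and groups hidden+system files that share a directory and an identical size. The function names, the threshold and the sample lines are constructed for illustration, and the parenthesised field is assumed to be the file's company name.

```python
import re
from collections import defaultdict

# Line shape as quoted in the post; the separator before the path is
# accepted as either "--" or the en dash that appears on this page.
LINE_RE = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>[\d:]{8}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] \((?P<company>.*?)\) (?:--|–) (?P<path>.+)$"
)

def parse_line(line):
    """Return a dict for one listing line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"].replace(",", ""))
    return rec

def suspicious_clusters(lines, min_count=3):
    """Group hidden+system files with an empty company field by (dir, size).

    Returns {(directory, size): [file names]} for groups that reach
    min_count (a hypothetical threshold chosen for this example).
    """
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if not rec or "H" not in rec["attrs"] or "S" not in rec["attrs"]:
            continue
        if rec["company"]:
            continue
        directory, _, name = rec["path"].rpartition("\\")
        groups[(directory.lower(), rec["size"])].append(name)
    return {k: v for k, v in groups.items() if len(v) >= min_count}

# Constructed sample lines (file names are made up for this example).
SAMPLE = [
    r"[2009/01/27 17:57:00 | 000,002,098 | -HS- | C] () – C:\WINDOWS\System32\aaaaaaaa.dll",
    r"[2009/01/27 17:57:00 | 000,002,098 | -HS- | C] () – C:\WINDOWS\System32\bbbbbbbb.dll",
    r"[2009/01/15 17:50:01 | 000,002,098 | -HS- | C] () -- C:\WINDOWS\System32\cccccccc.dll",
    r"[2010/07/11 11:38:31 | 000,003,476 | -H-- | M] () – C:\example.cmd",
    r"[2008/04/14 00:12:00 | 000,100,352 | ---- | C] (Example Vendor) – C:\WINDOWS\System32\example.dll",
    r"O4 - HKLM..\Run: C:\example\example.exe File not found",
]

if __name__ == "__main__":
    for (directory, size), names in suspicious_clusters(SAMPLE).items():
        print(f"{len(names)} hidden+system files of {size} bytes in {directory}: {names}")
```

A cluster reported here is only a lead for the removal helper to review, since size and attributes alone do not identify a file.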