PDA

View Full Version : Pop-up nightmare



tcgrmt
2007-12-11, 16:20
Completed steps 1-3 of "before you post".

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:16:12 AM, on 12/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\otqmxkqb.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us
O3 - Toolbar: (no name) - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - (no file)
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [40f193b1] rundll32.exe "C:\WINDOWS\system32\fpfkiurt.dll",b
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\otqmxkqb.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 5737 bytes

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, December 10, 2007 5:28:59 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/12/2007
Kaspersky Anti-Virus database records: 479322
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\

Scan Statistics:
Total number of scanned objects: 50588
Number of viruses found: 7
Number of infected objects: 8
Number of suspicious objects: 0
Duration of the scan process: 00:36:03

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Rob Cabrera\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\Rob Cabrera\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped
C:\Documents and Settings\Rob Cabrera\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skipped
C:\Documents and Settings\Rob Cabrera\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped
C:\Documents and Settings\Rob Cabrera\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Rob Cabrera\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Rob Cabrera\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Rob Cabrera\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Rob Cabrera\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Rob Cabrera\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Rob Cabrera\Local Settings\History\History.IE5\MSHist012007121020071211\index.dat Object is locked skipped
C:\Documents and Settings\Rob Cabrera\Local Settings\Temp\~DF361F.tmp Object is locked skipped
C:\Documents and Settings\Rob Cabrera\Local Settings\Temp\~DFD040.tmp Object is locked skipped
C:\Documents and Settings\Rob Cabrera\Local Settings\Temp\~DFFA8F.tmp Object is locked skipped
C:\Documents and Settings\Rob Cabrera\Local Settings\Temp\~DFFA9F.tmp Object is locked skipped
C:\Documents and Settings\Rob Cabrera\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Rob Cabrera\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Rob Cabrera\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\Windows NT\rtejehdahdec.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP190\A0021708.exe Infected: not-a-virus:AdWare.Win32.Agent.co skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP190\A0021862.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP190\A0023268.dll Infected: not-a-virus:AdWare.Win32.Agent.wx skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP191\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{C44ADD0D-6A17-4612-8528-1F10F78E720A}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\core.cache.dsk Object is locked skipped
C:\WINDOWS\system32\drivers\core.sys Object is locked skipped
C:\WINDOWS\system32\fccaaww.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjr skipped
C:\WINDOWS\system32\fpfkiurt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\uskwooxj.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_5c0.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

steamwiz
2007-12-11, 21:44
Hi

Download Superantispyware.

http://www.superantispyware.com/

Once downloaded and installed update the definitions
and then run a full system scan quarantine what it finds!

* Double-click SUPERAntiSypware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)

http://www.superantispyware.com/definitions.html

* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.

THEN ...

Please download Combofix: http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
and save to the desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.

Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

Please remember to post :-

1. SUPERAntiSpyware Scan Log
2. C:\ComboFix.txt
3. a new hijackthis log.( run after everything else)

steam

tcgrmt
2007-12-13, 13:46
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/12/2007 at 10:04 AM

Application Version : 3.9.1008

Core Rules Database Version : 3359
Trace Rules Database Version: 1358

Scan type : Complete Scan
Total Scan Time : 00:50:53

Memory items scanned : 387
Memory threats detected : 0
Registry items scanned : 5932
Registry threats detected : 1
File items scanned : 51126
File threats detected : 7

Unclassified.Unknown Origin
HKU\S-1-5-21-216143887-1857994863-4077827341-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{11A69AE4-FBED-4832-A2BF-45AF82825583}

Adware.Tracking Cookie
C:\Documents and Settings\Rob Cabrera\Cookies\rob_cabrera@msnportal.112.2o7[1].txt
C:\Documents and Settings\Rob Cabrera\Cookies\rob_cabrera@specificclick[1].txt
C:\Documents and Settings\Rob Cabrera\Cookies\rob_cabrera@doubleclick[1].txt

Trojan.Downloader-Gen/DDC
C:\DOCUMENTS AND SETTINGS\ROB CABRERA\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\TQTUYFL4\GAMADRIL20071203[1]

Adware.k8l
C:\PROGRAM FILES\WINDOWS NT\RTEJEHDAHDEC.HTML

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP194\A0023586.DLL

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\MCRH.TMP
_________________________________________________

ComboFix 07-12-12.3 - Rob Cabrera 2007-12-12 17:03:56.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.632 [GMT -6:00]
Running from: C:\Documents and Settings\Rob Cabrera\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Rob Cabrera\Favorites\Online Security Guide.lnk
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\bkR11
C:\Temp\bkR11\ftCa.log
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qkhkptko.dllbox

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-11-12 to 2007-12-12 )))))))))))))))))))))))))))))))
.

2007-12-11 15:33 . 2007-12-12 09:11 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-11 15:33 . 2007-12-11 15:33 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-11 15:33 . 2007-12-11 15:33 <DIR> d-------- C:\Documents and Settings\Rob Cabrera\Application Data\SUPERAntiSpyware.com
2007-12-11 15:33 . 2007-12-11 15:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-11 09:16 . 2007-12-11 15:32 989,562 ---hs---- C:\WINDOWS\system32\jumiedtc.ini
2007-12-11 09:15 . 2007-12-11 09:15 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-10 16:36 . 2007-12-10 16:36 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-10 16:36 . 2007-12-10 16:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-10 16:23 . 2007-12-11 07:36 2,786 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-10 16:14 . 2007-12-12 07:06 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-10 13:04 . 2007-12-10 13:05 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-10 13:00 . 2007-12-10 14:44 <DIR> d-------- C:\Program Files\SpywareGuard
2007-12-10 10:17 . 2007-12-04 08:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-10 10:17 . 2007-12-04 08:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-10 10:17 . 2007-12-04 08:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-10 10:16 . 2007-12-10 10:16 <DIR> d-------- C:\Program Files\Alwil Software
2007-12-10 10:16 . 2007-12-04 07:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-12-10 10:16 . 2004-01-09 03:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2007-12-10 10:16 . 2007-12-04 06:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-12-10 10:16 . 2007-12-04 08:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-10 10:16 . 2007-12-04 08:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-10 09:57 . 2007-12-10 10:38 <DIR> dr-hs---- C:\Program Files\Helper
2007-12-10 08:21 . 2007-12-11 09:10 859,484 ---hs---- C:\WINDOWS\system32\truikfpf.ini
2007-12-08 15:28 . 2007-12-10 08:15 851,244 ---hs---- C:\WINDOWS\system32\tcidymca.ini
2007-12-07 15:14 . 2007-12-12 08:21 438,218 --ahs---- C:\WINDOWS\system32\nqstv.ini2
2007-12-07 15:10 . 2007-12-10 10:48 <DIR> d-------- C:\WINDOWS\system32\ripd1
2007-12-07 15:10 . 2007-12-08 09:45 <DIR> d-------- C:\WINDOWS\system32\rex2
2007-12-07 15:10 . 2007-12-10 14:05 <DIR> d-------- C:\WINDOWS\system32\doc4
2007-12-07 15:10 . 2007-12-12 06:25 <DIR> d-------- C:\WINDOWS\system32\bbc5
2007-12-07 15:10 . 2007-12-08 08:13 <DIR> d-------- C:\WINDOWS\system32\ashell3
2007-12-07 15:09 . 2007-12-07 15:09 <DIR> d-------- C:\WINDOWS\system32\daSgo01

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-10 16:12 --------- d-----w C:\Program Files\Google
2007-12-10 15:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-12-08 15:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 16:07 --------- d-----w C:\Documents and Settings\Rob Cabrera\Application Data\AdobeUM
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-04-21 17:46 722,176 ----a-w C:\Documents and Settings\Rob Cabrera\gotomypc_428.exe
2006-09-19 18:08 88 --sh--r C:\WINDOWS\system32\FC4C914ECF.sys
2006-09-19 18:08 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AutoCAD Digital Signatures Icon Overlay Handler]
@={36A21736-36C2-4C11-8ACB-D4136F2B57BD}

[HKEY_CLASSES_ROOT\CLSID\{36A21736-36C2-4C11-8ACB-D4136F2B57BD}]
2005-03-05 06:18 136312 --a------ C:\WINDOWS\system32\AcSignIcon.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" []
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 17:17 C:\WINDOWS\stsystra.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 20:05]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 02:12]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 09:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 09:44]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 04:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-27 16:31]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 15:16]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 07:00]
"40f193b1"="C:\WINDOWS\system32\ctdeimuj.dll" []

C:\Documents and Settings\Rob Cabrera\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 07:18:22]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-08-27 16:28:03]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qkhkptko]
qkhkptko.dll


.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-12 17:07:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-12 17:07:59 - machine was rebooted
.
2007-12-12 13:08:36 --- E O F --
________________________________________________

Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [40f193b1] rundll32.exe "C:\WINDOWS\system32\ctdeimuj.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: qkhkptko - qkhkptko.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 5903 bytes

steamwiz
2007-12-13, 21:36
Hi

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)


File::
C:\Program Files\Windows NT\rtejehdahdec.html
C:\WINDOWS\system32\fccaaww.dll
C:\WINDOWS\system32\fpfkiurt.dll
C:\WINDOWS\system32\uskwooxj.dll
C:\WINDOWS\system32\jumiedtc.ini
C:\WINDOWS\system32\truikfpf.ini
C:\WINDOWS\system32\tcidymca.ini
C:\WINDOWS\system32\nqstv.ini2
C:\WINDOWS\system32\otqmxkqb.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"40f193b1"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qkhkptko]

DirLook::
C:\WINDOWS\system32\ripd1
C:\WINDOWS\system32\rex2
C:\WINDOWS\system32\doc4
C:\WINDOWS\system32\bbc5
C:\WINDOWS\system32\ashell3
C:\WINDOWS\system32\daSgo01

Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

steam

tcgrmt
2007-12-13, 22:48
ComboFix 07-12-12.3 - admin 2007-12-13 14:09:50.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.689 [GMT -6:00]
Running from: C:\Documents and Settings\Rob Cabrera\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\admin\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Program Files\Windows NT\rtejehdahdec.html
C:\WINDOWS\system32\fccaaww.dll
C:\WINDOWS\system32\fpfkiurt.dll
C:\WINDOWS\system32\jumiedtc.ini
C:\WINDOWS\system32\nqstv.ini2
C:\WINDOWS\system32\otqmxkqb.exe
C:\WINDOWS\system32\tcidymca.ini
C:\WINDOWS\system32\truikfpf.ini
C:\WINDOWS\system32\uskwooxj.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\jumiedtc.ini
C:\WINDOWS\system32\nqstv.ini2
C:\WINDOWS\system32\tcidymca.ini
C:\WINDOWS\system32\truikfpf.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-13 to 2007-12-13 )))))))))))))))))))))))))))))))
.

2007-12-13 07:01 . 2007-12-13 07:01 <DIR> d--h----- C:\Documents and Settings\admin\Application Data\GTek
2007-12-11 15:33 . 2007-12-13 05:47 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-11 15:33 . 2007-12-11 15:33 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-11 15:33 . 2007-12-11 15:33 <DIR> d-------- C:\Documents and Settings\Rob Cabrera\Application Data\SUPERAntiSpyware.com
2007-12-11 15:33 . 2007-12-11 15:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-11 09:15 . 2007-12-11 09:15 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-10 16:36 . 2007-12-10 16:36 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-10 16:36 . 2007-12-10 16:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-10 16:23 . 2007-12-11 07:36 2,786 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-10 16:14 . 2007-12-12 07:06 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-10 13:04 . 2007-12-10 13:05 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-10 13:00 . 2007-12-10 14:44 <DIR> d-------- C:\Program Files\SpywareGuard
2007-12-10 10:17 . 2007-12-04 08:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-10 10:17 . 2007-12-04 08:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-10 10:17 . 2007-12-04 08:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-10 10:16 . 2007-12-10 10:16 <DIR> d-------- C:\Program Files\Alwil Software
2007-12-10 10:16 . 2007-12-04 07:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-12-10 10:16 . 2004-01-09 03:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2007-12-10 10:16 . 2007-12-04 06:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-12-10 10:16 . 2007-12-04 08:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-10 10:16 . 2007-12-04 08:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-10 09:57 . 2007-12-10 10:38 <DIR> dr-hs---- C:\Program Files\Helper
2007-12-07 15:10 . 2007-12-10 10:48 <DIR> d-------- C:\WINDOWS\system32\ripd1
2007-12-07 15:10 . 2007-12-08 09:45 <DIR> d-------- C:\WINDOWS\system32\rex2
2007-12-07 15:10 . 2007-12-10 14:05 <DIR> d-------- C:\WINDOWS\system32\doc4
2007-12-07 15:10 . 2007-12-12 06:25 <DIR> d-------- C:\WINDOWS\system32\bbc5
2007-12-07 15:10 . 2007-12-08 08:13 <DIR> d-------- C:\WINDOWS\system32\ashell3
2007-12-07 15:09 . 2007-12-07 15:09 <DIR> d-------- C:\WINDOWS\system32\daSgo01

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-10 16:12 --------- d-----w C:\Program Files\Google
2007-12-10 15:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-12-08 15:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 16:07 --------- d-----w C:\Documents and Settings\Rob Cabrera\Application Data\AdobeUM
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 23:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 23:40 227,328 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 23:55 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:55 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-04-21 17:46 722,176 ----a-w C:\Documents and Settings\Rob Cabrera\gotomypc_428.exe
2006-09-19 18:08 88 --sh--r C:\WINDOWS\system32\FC4C914ECF.sys
2006-09-19 18:08 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\system32\ashell3 ----


---- Directory of C:\WINDOWS\system32\bbc5 ----


---- Directory of C:\WINDOWS\system32\daSgo01 ----

2007-11-25 22:32 32768 --a------ C:\WINDOWS\system32\daSgo01\daSgo011065.exe

---- Directory of C:\WINDOWS\system32\doc4 ----


---- Directory of C:\WINDOWS\system32\rex2 ----


---- Directory of C:\WINDOWS\system32\ripd1 ----



((((((((((((((((((((((((((((( snapshot@2007-12-12_17.07.31.90 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-13 13:19:52 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_524.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AutoCAD Digital Signatures Icon Overlay Handler]
@={36A21736-36C2-4C11-8ACB-D4136F2B57BD}

[HKEY_CLASSES_ROOT\CLSID\{36A21736-36C2-4C11-8ACB-D4136F2B57BD}]
2005-03-05 06:18 136312 --a------ C:\WINDOWS\system32\AcSignIcon.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 17:17 C:\WINDOWS\stsystra.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 20:05]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 02:12]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 09:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 09:44]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 04:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-27 16:31]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 15:16]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 07:00]

C:\Documents and Settings\Rob Cabrera\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 07:18:22]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-08-27 16:28:03]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll


.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-13 14:10:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-13 14:11:01
C:\ComboFix2.txt ... 2007-12-13 13:57
C:\ComboFix3.txt ... 2007-12-12 17:07
.
2007-12-12 13:08:36 --- E O F ---

_____________________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:46:15 PM, on 12/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-21-216143887-1857994863-4077827341-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'admin')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 5918 bytes

tcgrmt
2007-12-13, 22:49
Thanks for your help Stemwiz!!

tcgrmt
2007-12-14, 00:38
Sorry missed an "a" in there. Can't edit the damn post.

Thanks Steamwiz!!

steamwiz
2007-12-14, 19:21
HI

You're welcome ...

Please run this on-line scan :-

http://www.bitdefender.com/scan8/ie.html

Scan the whole computer & let it Disinfect/delete all it finds ...

copy & paste here its report here please.

It will remove a Trojan Downloader which showed up in your last log ...

steam

tcgrmt
2007-12-17, 21:08
Sorry I saved it to a .txt file but it's in HTML code and I can turn it on.

<HTML>
<HEAD>
<TITLE>BitDefender Online Scanner -Scan Report</TITLE>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<meta name="generator" content="Namo WebEditor v5.0(Trial)">
</HEAD>
<BODY BGCOLOR=#FFFFFF leftmargin="10" marginwidth="0" topmargin="20" marginheight="0" >


<table align="center" border="0" cellpadding="0" cellspacing="0" width="90%">
<tr>
<td width="458">
<p><font face="Arial" color=red><span style="font-size:14pt;"><b>BitDefender
Online Scanner</b></span></font></p>
</td>
<td width="40%">
<p>&nbsp;</p>
</td>
<td width="10%">
<p>&nbsp;</p>
</td>
</tr>
<tr>
<td colspan="3" width="912">
<p><font face="Arial"><span style="font-size:11pt;"><B>Scan report generated
at: Mon, Dec 17, 2007 - 12:47:43</b></span></font></p>
</td>
</tr>

<tr>
<td width="458">
<p><font face="Arial"><span style="font-size:11pt;"><B>&nbsp;</b></span></font></p>
</td>
<td width="40%">
<p>&nbsp;</p>
</td>
<td width="10%">
<p>&nbsp;</p>
</td>
</tr>

<tr>
<td width="458">
<p><font face="Arial"><span style="font-size:11pt;"><B>Scan
path: </b></span><span style="font-size:10pt;">C:\;D:\;</span></font></p>
</td>
<td width="40%">
<p>&nbsp;</p>
</td>
<td width="10%">
<p>&nbsp;</p>
</td>
</tr>

<tr>
<td width="458">
<p><font face="Arial"><span style="font-size:11pt;"><B>&nbsp;</b></span></font></p>
</td>
<td width="40%">
<p>&nbsp;</p>
</td>
<td width="10%">
<p>&nbsp;</p>
</td>
</tr>

<tr>
<td width="458">
<table border="1" cellspacing="0" bordercolordark="white" bordercolorlight="black" width="100%">
<tr>
<td width="451" colspan="2" bgcolor="#CCCCCC">
<p><font face="Arial" size="2"><B>Statistics</b></font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Time</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">00:24:13</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Files</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">144723</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Folders</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">4006</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Boot Sectors</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">4</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Archives</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">3016</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Packed Files</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">7591</font></p>
</td>
</tr>
</table>
</td>
<td width="40%">
<p>&nbsp;</p>
</td>
<td width="10%">
<p>&nbsp;</p>
</td>
</tr>



<tr>
<td width="458">
<table border="1" cellspacing="0" bordercolordark="white" bordercolorlight="black" width="100%">
<tr>
<td width="451" colspan="2" bgcolor="#CCCCCC">
<p><font face="Arial" size="2"><B>Results</b></font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Identified Viruses </font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">2</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Infected Files </font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">2</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Suspect&nbsp;Files </font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">0</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Warnings</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">0</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Disinfected</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">0</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Deleted Files</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">2</font></p>
</td>
</tr>
</table>
</td>
<td width="40%">
<p>&nbsp;</p>
</td>
<td width="10%">
<p>&nbsp;</p>
</td>
</tr>

<tr>
<td width="458">
<table border="1" cellspacing="0" bordercolordark="white" bordercolorlight="black" width="100%">
<tr>
<td width="451" colspan="2" bgcolor="#CCCCCC">
<p><font face="Arial" size="2"><B>Engines Info</b></font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Virus Definitions</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">882598</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Engine build</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Scan plugins</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">14</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Archive plugins</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">38</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Unpack plugins</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">7</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">E-mail plugins</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">6</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">System&nbsp;plugins</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">1</font></p>
</td>
</tr>
</table>
</td>
<td width="40%">
<p>&nbsp;</p>
</td>
<td width="10%">
<p>&nbsp;</p>
</td>
</tr>

<tr>
<td width="458">
<table border="1" cellspacing="0" bordercolordark="white" bordercolorlight="black" width="100%">
<tr>
<td width="451" colspan="2" bgcolor="#CCCCCC">
<p><font face="Arial" size="2"><B>Scan Settings</b></font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">First Action</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">Disinfect</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Second Action</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">Delete</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Heuristics</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">Yes</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Enable Warnings</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">Yes</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Scanned Extensions</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">*;</font></p>
</td>
</tr>

<tr>
<td width="57%">
<p><font face="Arial" size="2">Exclude Extensions</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">&nbsp;</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Scan Emails</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">Yes</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Scan Archives</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">Yes</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Scan Packed</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">Yes</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Scan Files</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">Yes</font></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">Scan Boot</font></p>
</td>
<td width="43%" align="right">
<p><font face="Arial" size="2">Yes</font></p>
</td>
</tr>
</table>
</td>
<td width="40%">
<p>&nbsp;</p>
</td>
<td width="10%">
<p>&nbsp;</p>
</td>
</tr>

<tr>
<td colspan=2> &nbsp;
<table border="1" cellspacing="0" bordercolordark="white" bordercolorlight="black" width="100%">
<tr>
<td width="252" bgcolor="#CCCCCC">
<p><font face="Arial" size="2"><B>Scanned File</b></font></p>
</td>
<td width="195" bgcolor="#CCCCCC" align="right">
<p align="left"><b><font size="2" face="Arial">&nbsp;Status</font></b></p>
</td>
</tr>
<tr>
<td width="57%">
<p><font face="Arial" size="2">C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP191\A0023408.sys</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Infected with: Trojan.Downloader.Obfuscated.CF</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP191\A0023408.sys</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Disinfection failed</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP191\A0023408.sys</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Deleted</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\WINDOWS\system32\daSgo01\daSgo011065.exe</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Infected with: Trojan.Downloader.VB.VKO</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\WINDOWS\system32\daSgo01\daSgo011065.exe</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Disinfection failed</font></p>
</td>
</tr><tr>
<td width="57%">
<p><font face="Arial" size="2">C:\WINDOWS\system32\daSgo01\daSgo011065.exe</font></p>
</td>
<td width="43%" align="left">
<p><font face="Arial" size="2">Deleted</font></p>
</td>
</tr>
</table>
</td>

<td width="10%">
<p>&nbsp;</p>
</td>
</tr>

<tr>
<td width="458">
<p><font face="Arial"><span style="font-size:11pt;"><B>&nbsp;</b></span></font></p>
</td>
<td width="40%">
<p>&nbsp;</p>
</td>
<td width="10%">
<p>&nbsp;</p>
</td>
</tr>

<tr>
<td width="458">
<p><font face="Arial"><span style="font-size:11pt;"><B>&nbsp;</b></span></font></p>
</td>
<td width="40%">
<p>&nbsp;</p>
</td>
<td width="10%">
<p>&nbsp;</p>
</td>
</tr>

</table>
<p>&nbsp;</p>

</body>
</html>

tcgrmt
2007-12-17, 21:23
BitDefender Online Scanner
Scan report generated at: Mon, Dec 17, 2007 - 12:47:43
Scan path: C:\;D:\;
Statistics
Time 00:24:13
Files 144723
Folders 4006
Boot Sectors 4
Archives 3016
Packed Files 7591
Results
Identified Viruses 2
Infected Files 2
Suspect Files 0
Warnings 0
Disinfected 0
Deleted Files 2
Engines Info
Virus Definitions 882598
Engine build AVCORE v1.0 (build 2422)
(i386) (Sep 25 2007 08:26:36)
Scan plugins 14
Archive plugins 38
Unpack plugins 7
E-mail plugins 6
System plugins 1
Scan Settings
First Action Disinfect
Second Action Delete
Heuristics Yes
Enable Warnings Yes
Scanned Extensions *;
Exclude Extensions
Scan Emails Yes
Scan Archives Yes
Scan Packed Yes
Scan Files Yes
Scan Boot Yes
Scanned File Status
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-
051D24DDBF8F}\RP191\A0023408.sys Infected with: Trojan.Downloader.Obfuscated.CF
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-
051D24DDBF8F}\RP191\A0023408.sys Disinfection failed
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-
051D24DDBF8F}\RP191\A0023408.sys Deleted
C:\WINDOWS\system32\daSgo01\daSgo011065.exe Infected with: Trojan.Downloader.VB.VKO
C:\WINDOWS\system32\daSgo01\daSgo011065.exe Disinfection failed
C:\WINDOWS\system32\daSgo01\daSgo011065.exe Deleted
Page 1 of 1
12/17/2007 about:blank

steamwiz
2007-12-18, 19:56
Hi

That's the one ...

C:\WINDOWS\system32\daSgo01\daSgo011065.exe Infected with: Trojan.Downloader.VB.VKO
C:\WINDOWS\system32\daSgo01\daSgo011065.exe Disinfection failed
C:\WINDOWS\system32\daSgo01\daSgo011065.exe Deleted

Here it is in Combofix :-

---- Directory of C:\WINDOWS\system32\daSgo01 ----

2007-11-25 22:32 32768 --a------ C:\WINDOWS\system32\daSgo01\daSgo011065.exe

I didn't just want to delete it in case there was more with it ... that's why I had you use BitDefender

---
Now do this please ...

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)


Folder::
C:\WINDOWS\system32\ripd1
C:\WINDOWS\system32\rex2
C:\WINDOWS\system32\doc4
C:\WINDOWS\system32\bbc5
C:\WINDOWS\system32\ashell3
C:\WINDOWS\system32\daSgo01



Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

steam

tcgrmt
2007-12-20, 16:54
ComboFix 07-12-12.3 - Rob Cabrera 2007-12-20 9:37:56.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.633 [GMT -6:00]
Running from: C:\Documents and Settings\Rob Cabrera\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Rob Cabrera\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ashell3
C:\WINDOWS\system32\bbc5
C:\WINDOWS\system32\daSgo01
C:\WINDOWS\system32\doc4
C:\WINDOWS\system32\rex2
C:\WINDOWS\system32\ripd1

.
((((((((((((((((((((((((( Files Created from 2007-11-20 to 2007-12-20 )))))))))))))))))))))))))))))))
.

2007-12-17 12:20 . 2007-12-17 12:20 <DIR> d-------- C:\WINDOWS\LastGood
2007-12-17 12:20 . 2007-12-17 12:47 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-12-13 07:01 . 2007-12-13 07:01 <DIR> d--h----- C:\Documents and Settings\admin\Application Data\GTek
2007-12-11 15:33 . 2007-12-13 05:47 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-11 15:33 . 2007-12-11 15:33 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-11 15:33 . 2007-12-11 15:33 <DIR> d-------- C:\Documents and Settings\Rob Cabrera\Application Data\SUPERAntiSpyware.com
2007-12-11 15:33 . 2007-12-11 15:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-11 09:15 . 2007-12-11 09:15 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-10 16:36 . 2007-12-10 16:36 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-10 16:36 . 2007-12-10 16:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-10 16:23 . 2007-12-11 07:36 2,786 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-10 16:14 . 2007-12-12 07:06 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-10 13:04 . 2007-12-10 13:05 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-10 13:00 . 2007-12-10 14:44 <DIR> d-------- C:\Program Files\SpywareGuard
2007-12-10 10:17 . 2007-12-04 08:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-10 10:17 . 2007-12-04 08:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-10 10:17 . 2007-12-04 08:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-10 10:16 . 2007-12-10 10:16 <DIR> d-------- C:\Program Files\Alwil Software
2007-12-10 10:16 . 2007-12-04 07:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-12-10 10:16 . 2004-01-09 03:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2007-12-10 10:16 . 2007-12-04 06:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-12-10 10:16 . 2007-12-04 08:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-10 10:16 . 2007-12-04 08:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-10 09:57 . 2007-12-10 10:38 <DIR> dr-hs---- C:\Program Files\Helper

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-10 16:12 --------- d-----w C:\Program Files\Google
2007-12-10 15:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-12-08 15:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 16:07 --------- d-----w C:\Documents and Settings\Rob Cabrera\Application Data\AdobeUM
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 23:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 23:40 227,328 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-25 16:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 23:55 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:55 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-04-21 17:46 722,176 ----a-w C:\Documents and Settings\Rob Cabrera\gotomypc_428.exe
2006-09-19 18:08 88 --sh--r C:\WINDOWS\system32\FC4C914ECF.sys
2006-09-19 18:08 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2007-12-12_17.07.31.90 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-17 18:21:33 45,056 ----a-w C:\WINDOWS\BDOSCAN8\avxdisk.dll
+ 2007-12-17 18:21:33 10,240 ----a-w C:\WINDOWS\BDOSCAN8\avxs.dll
+ 2007-12-17 18:21:34 27,136 ----a-w C:\WINDOWS\BDOSCAN8\avxt.dll
+ 2007-12-17 18:21:38 181,760 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
+ 2007-10-25 16:26:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll
+ 2007-10-25 16:26:48 53,248 ----a-w C:\WINDOWS\BDOSCAN8\ipsupd.dll
+ 2007-12-17 18:21:39 142,848 ----a-w C:\WINDOWS\BDOSCAN8\libfn.dll
+ 2007-12-17 18:21:35 86,016 ----a-w C:\WINDOWS\BDOSCAN8\librtvr.dll
+ 2007-10-25 16:26:48 118,784 ----a-w C:\WINDOWS\Downloaded Program Files\bdupd.dll
+ 2007-10-25 16:26:48 53,248 ----a-w C:\WINDOWS\Downloaded Program Files\ipsupd.dll
+ 2007-12-17 18:13:37 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_520.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AutoCAD Digital Signatures Icon Overlay Handler]
@={36A21736-36C2-4C11-8ACB-D4136F2B57BD}

[HKEY_CLASSES_ROOT\CLSID\{36A21736-36C2-4C11-8ACB-D4136F2B57BD}]
2005-03-05 06:18 136312 --a------ C:\WINDOWS\system32\AcSignIcon.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" []
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 17:17 C:\WINDOWS\stsystra.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 20:05]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 02:12]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 09:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 09:44]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 04:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-27 16:31]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 15:16]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 07:00]

C:\Documents and Settings\Rob Cabrera\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 07:18:22]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-08-27 16:28:03]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll


.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-20 09:39:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-20 9:39:44
C:\ComboFix2.txt ... 2007-12-13 14:11
C:\ComboFix3.txt ... 2007-12-13 13:57
.
2007-12-12 13:08:36 --- E O F ---
___________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:52:36 AM, on 12/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SpywareGuard\sgmain.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 6004 bytes

steamwiz
2007-12-20, 17:29
Hi

Those logs are clean now ... :)

I now want you to purge system restore and run a new KASPERSKY ONLINE SCAN ...

This will clear all your infected restore points...

Turn off (Disable) System Restore in XP :-

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.

Then...

Turn on (enable) System Restore :-

Follow the same procedure, but this time uncheck Turn off System Restore

if you have any problem with this... here's a link to instructions :-


Disabling or enabling Windows XP System Restore >

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam

THEN ... run a new KASPERSKY ONLINE SCAN & post the log please ...

steam

tcgrmt
2007-12-20, 21:02
Cleared the system restore points and turned system restore back on.


KASPERSKY ONLINE SCANNER REPORT
Thursday, December 20, 2007 1:57:25 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/12/2007
Kaspersky Anti-Virus database records: 490570
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
T:\

Scan Statistics:
Total number of scanned objects: 88550
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 01:26:19

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\admin\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\admin\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\admin\Local Settings\History\History.IE5\MSHist012007121020071217\index.dat Object is locked skipped
C:\Documents and Settings\admin\Local Settings\History\History.IE5\MSHist012007122020071221\index.dat Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\admin\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\admin\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Rob Cabrera\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\Rob Cabrera\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped
C:\Documents and Settings\Rob Cabrera\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skipped
C:\Documents and Settings\Rob Cabrera\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped
C:\Documents and Settings\Rob Cabrera\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Rob Cabrera\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Rob Cabrera\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Rob Cabrera\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Rob Cabrera\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Rob Cabrera\Local Settings\History\History.IE5\MSHist012007122020071221\index.dat Object is locked skipped
C:\Documents and Settings\Rob Cabrera\Local Settings\temp\~DF14D4.tmp Object is locked skipped
C:\Documents and Settings\Rob Cabrera\Local Settings\temp\~DF14E2.tmp Object is locked skipped
C:\Documents and Settings\Rob Cabrera\Local Settings\temp\~DFCE7B.tmp Object is locked skipped
C:\Documents and Settings\Rob Cabrera\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Rob Cabrera\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Rob Cabrera\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_528.dat Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Thanks for all your help Steam!!

steamwiz
2007-12-21, 22:10
HI

That's what I like to see ... :bigthumb:

KASPERSKY ONLINE SCANNER REPORT

Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0

If all your problems are resolved ...

Happy surfing ... & a Merry christmas & a Happy new year

steam

tcgrmt
2007-12-28, 22:26
Thanks again Steam!!

Happy New Year.

steamwiz
2008-01-03, 19:51
You're very welcome :)

Happy New Year to you as well ...

Locking resolved thread ...

steam