[DesperateDan]

hi, I keep getting viruses or trojans I move them to the chest but when I restart my computer I get them back again, my automatic updates keeps getting disabled, I have avast anti virus I never had a problem before I've done a boot scan it found a win32 virus I move it to the chest but as I say they keep coming back. would you please have a look and see if you see if I have any thing bad. here is the Hijackthis log


Logfile of HijackThis v1.99.1
Scan saved at 3:07:27 PM, on 11/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Common Files\AOL\1186954596\ee\AOLSoftware.exe
C:\WINDOWS\system32\winsock32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\common files\aol\1186954596\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
c:\program files\common files\aol\1186954596\ee\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\DANSAN~1\LOCALS~1\Temp\Rar$EX00.250\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/intl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://a.tribalfusion.com/p.media/aT...01716/pop.html
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1186954596\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [] winsock32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [] winsock32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-GB\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D1D98C0F-A339-42AB-BD5F-EA0FF5D0E65F} (RockYou Image Uploader Control) - http://www.rockyou.com/RockYouImageUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{96501477-46A7-4C7F-81AE-388209F962FD}: NameServer = 205.188.146.145
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP4a\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP4a\RpcSandraSrv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
__________________

[Cheeseball81]

Download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
• ...

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.

• When finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

[DesperateDan]

Tjhanks for youe help here is the Combofix log and hijackthis log

ComboFix 07-11-05.2 - Dan Sanderson 2007-11-06 9:03:03.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1541 [GMT 0:00]
Running from: C:\Documents and Settings\Dan Sanderson\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\WinAble

.
((((((((((((((((((((((((( Files Created from 2007-10-06 to 2007-11-06

)))))))))))))))))))))))))))))))
.

2007-11-06 09:02 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-06 07:41 <DIR> d-------- C:\Program Files\Uniblue
2007-11-06 07:41 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Application Data\Uniblue
2007-11-05 21:11 30,770 --a------ C:\WINDOWS\system32\ertws.exe
2007-11-05 19:28 35,840 --a------ C:\WINDOWS\mrofinu173.exe
2007-11-05 19:27 9,806 --a------ C:\WINDOWS\sadasd.exe
2007-11-05 18:31 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Application Data\Grisoft
2007-11-05 18:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-05 18:31 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-05 08:48 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-05 08:20 <DIR> d-------- C:\Program Files\iTunes
2007-11-05 08:20 <DIR> d-------- C:\Program Files\iPod
2007-11-05 08:20 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Application Data\Apple Computer
2007-11-05 08:19 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-11-05 08:14 <DIR> d-------- C:\Program Files\Apple Software Update
2007-11-05 08:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-11-04 11:25 <DIR> d-------- C:\Program Files\QuickTime
2007-11-04 11:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-04 10:01 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\DoctorWeb
2007-11-03 13:39 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Application Data\Vso
2007-11-03 13:39 81,920 --a------ C:\Documents and Settings\Dan Sanderson\Application Data\ezpinst.exe
2007-11-03 13:39 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-11-03 13:39 47,360 --a------ C:\Documents and Settings\Dan Sanderson\Application Data\pcouffin.sys
2007-11-03 13:13 33,824 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2007-11-02 17:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SlySoft
2007-11-02 17:05 <DIR> d-------- C:\Program Files\SlySoft
2007-11-02 08:04 <DIR> d-------- C:\Program Files\MagicDisc
2007-11-02 08:04 92,544 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2007-11-02 06:49 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-11-01 10:37 <DIR> d-------- C:\Program Files\Real Alternative
2007-10-30 17:52 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Application Data\Publish Providers
2007-10-30 17:50 33,340 --------- C:\WINDOWS\system32\dbmsqlgc.dll
2007-10-30 17:50 24,576 --------- C:\WINDOWS\system32\dbmsgnet.dll
2007-10-30 17:49 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2007-10-30 17:49 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Application Data\Sony
2007-10-30 17:48 <DIR> d-------- C:\Program Files\Vstplugins
2007-10-30 17:48 <DIR> d-------- C:\Program Files\Sony
2007-10-30 17:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony
2007-10-30 17:39 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Application Data\Sony Setup
2007-10-30 17:38 <DIR> d-------- C:\Program Files\Sony Setup
2007-10-30 16:47 <DIR> d-------- C:\Program Files\WinAce
2007-10-30 15:28 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-29 14:20 <DIR> d-------- C:\Program Files\Common Files\DeskShare Shared
2007-10-29 14:20 356,352 --a------ C:\WINDOWS\eSellerateEngine.dll
2007-10-29 13:14 <DIR> d-------- C:\Program Files\Deskshare
2007-10-28 17:16 96,832 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-10-27 14:30 <DIR> d-------- C:\Program Files\XP Codec Pack
2007-10-26 12:37 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-26 12:37 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-10-26 11:56 <DIR> d-------- C:\Program Files\Real
2007-10-26 11:56 <DIR> d-------- C:\Program Files\Common Files\Real
2007-10-26 11:54 <DIR> d-------- C:\My Downloads
2007-10-26 11:35 45,056 --a------ C:\WINDOWS\system32\wnaspi32.dll
2007-10-26 11:35 25,244 --a------ C:\WINDOWS\system32\drivers\aspi32.sys
2007-10-26 11:35 5,600 --a------ C:\WINDOWS\system\winaspi.dll
2007-10-26 11:35 4,672 --a------ C:\WINDOWS\system\wowpost.exe
2007-10-26 08:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-10-25 12:33 <DIR> d-------- C:\Program Files\Audacity
2007-10-25 10:04 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2007-10-25 10:04 <DIR> d-------- C:\Program Files\Windows Live Favorites
2007-10-25 10:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2007-10-25 10:03 <DIR> d-------- C:\Program Files\MSN Messenger
2007-10-23 16:23 <DIR> d-------- C:\Program Files\NCH Swift Sound
2007-10-23 16:23 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Application Data\NCH Swift Sound
2007-10-23 16:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-10-22 20:06 <DIR> d-------- C:\Program Files\RadioXpi
2007-10-22 17:18 <DIR> d-------- C:\WINDOWS\Freecorder Toolbar
2007-10-22 17:18 <DIR> d-------- C:\Program Files\Freecorder Toolbar
2007-10-22 17:18 <DIR> d-------- C:\Program Files\Freecorder
2007-10-22 17:07 <DIR> d-------- C:\Program Files\RipCast 1.9
2007-10-19 08:48 <DIR> d-------- C:\Program Files\CrossLoop
2007-10-15 12:32 61,056 --a------ C:\WINDOWS\system32\drivers\ohci1394.sys
2007-10-15 12:32 61,056 --a--c--- C:\WINDOWS\system32\dllcache\ohci1394.sys
2007-10-15 12:32 53,248 --a------ C:\WINDOWS\system32\drivers\1394bus.sys
2007-10-15 12:32 53,248 --a--c--- C:\WINDOWS\system32\dllcache\1394bus.sys
2007-10-15 12:32 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2007-10-15 12:32 6,400 --a--c--- C:\WINDOWS\system32\dllcache\enum1394.sys
2007-10-14 15:22 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Contacts
2007-10-14 13:51 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Application Data\MSNInstaller
2007-10-10 17:13 <DIR> d-------- C:\Program Files\AskTBar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-05 06:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-04 11:11 --------- d-----w C:\Program Files\Java
2007-11-04 10:48 --------- d-----w C:\Program Files\Common Files\FTL Shared
2007-11-03 09:47 --------- d-----w C:\Program Files\AOL 9.0
2007-11-03 09:13 --------- d-----w C:\Documents and Settings\Dan Sanderson\Application Data\LimeWire
2007-11-02 10:03 --------- d-----w C:\Program Files\DivX
2007-10-27 08:37 --------- d-----w C:\Program Files\LimeWire
2007-10-26 08:05 --------- d-----w C:\Program Files\AOL Toolbar
2007-10-25 08:22 --------- d-----w C:\Program Files\Dell AIO Printer A920
2007-10-01 17:56 --------- d-----w C:\Documents and Settings\Dan Sanderson\Application Data\Joost
2007-09-29 10:24 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-09-20 10:38 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-16 09:02 --------- d-----w C:\Documents and Settings\Dan Sanderson\Application Data\dvdcss
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05 92,848 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-09-06 10:00 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-21 11:35 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-08-21 11:35 249,856 ------w C:\WINDOWS\Setup1.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-14 21:39 81,920 ------r C:\WINDOWS\bwUnin-6.1.4.36-8876480L.exe
2007-08-10 19:56 93,128 ----a-w C:\WINDOWS\system32\ElbyCDIO.dll
2006-08-09 17:42 3,198,976 ----a-w C:\Program Files\ViewSonicregistration.exe
2007-06-13 10:23:07 1,561,600 --sh--r C:\WINDOWS\system32\winsock32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GSICONEXE"="gsicon.exe" [2003-05-14 19:26 C:\WINDOWS\system32\gsicon.exe]
"DSLAGENTEXE"="dslagent.exe" [2003-04-25 09:22 C:\WINDOWS\system32\dslagent.exe]
"HostManager"="C:\Program Files\Common Files\AOL\1186954596\ee\AOLSoftware.exe" [2006-11-17 13:21]
"36X Raid Configurer"="C:\WINDOWS\system32\JMRaidSetup.exe" [2006-11-16 17:05]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 10:06]
"@"="winsock32.exe" [2007-06-13 10:23 C:\WINDOWS\system32\winsock32.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 12:00]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-10-22 10:12]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"<NO NAME>"=winsock32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\AOL 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=C:\WINDOWS\pss\AOL Companion.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dan Sanderson^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\Dan Sanderson\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dan Sanderson^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\Dan Sanderson\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup
winsock32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\%FP%Friendly fts.exe]
"C:\Program Files\VoyagerTest\fts.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccleaner]
"C:\Program Files\CCleaner\ccleaner.exe" /AUTO

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
"C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1186954596\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
C:\WINDOWS\JM\JMInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3Trayp]
S3trayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WheelMouse]
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys
R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R3 glausb;GlobeSpan USB ADSL LAN Modem;C:\WINDOWS\system32\DRIVERS\glausb.sys
R3 PPPoEWin;PPPoEWin Miniport;C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS
R3 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-11-05 08:14:45 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-06 08:58:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-11-06 06:59:24 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-06 09:03:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-06 9:04:22
.
--- E O F ---

Hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 9:14:03 AM, on 11/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Common Files\AOL\1186954596\ee\AOLSoftware.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\winsock32.exe
c:\program files\common files\aol\1186954596\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
c:\program files\common files\aol\1186954596\ee\aolsoftware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\DANSAN~1\LOCALS~1\Temp\Rar$EX00.657\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/intl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://a.tribalfusion.com/p.media/aT...01716/pop.html
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1186954596\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [] winsock32.exe
O4 - HKLM\..\RunServices: [] winsock32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-GB\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D1D98C0F-A339-42AB-BD5F-EA0FF5D0E65F} (RockYou Image Uploader Control) - http://www.rockyou.com/RockYouImageUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{96501477-46A7-4C7F-81AE-388209F962FD}: NameServer = 205.188.146.145
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP4a\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP4a\RpcSandraSrv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

[Cheeseball81]

Download the Trial version of Superantispyware Pro (SAS):
http://www.superantispyware.com/supe....html?rid=3132


Install it and double-click the icon on your desktop to run it.
· It will ask if you want to update the program definitions, click Yes.
· Under Configuration and Preferences, click the Preferences button.
· Click the Scanning Control tab.
· Under Scanner Options make sure the following are checked:
o Close browsers before scanning
o Scan for tracking cookies
o Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
· On the main screen, under Scan for Harmful Software click Scan your computer.
· On the left check C:\Fixed Drive.
· On the right, under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan. Please be patient while it scans your computer.
· After the scan is complete a summary box will appear. Click OK.
· Make sure everything in the white box has a check next to it, then click Next.
· It will quarantine what it found and if it asks if you want to reboot, click Yes.
· To retrieve the removal information for me please do the following:
o After reboot, double-click the SUPERAntispyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the notepad, then right-click and choose copy.
· Click close and close again to exit the program.
· Please paste that information here for me with a new Hijack This log.

[DesperateDan]

Thanks Cheeseball81, after running the program it rebooted but when I got to my desktop The same virus was detected by avast, here is the log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/07/2007 at 06:53 AM

Application Version : 3.9.1008

Core Rules Database Version : 3339
Trace Rules Database Version: 1340

Scan type : Complete Scan
Total Scan Time : 00:18:00

Memory items scanned : 426
Memory threats detected : 0
Registry items scanned : 5538
Registry threats detected : 26
File items scanned : 26768
File threats detected : 19

Unclassified.Oreans32
HKLM\System\ControlSet001\Services\oreans32
C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS
HKLM\System\ControlSet002\Services\oreans32
HKLM\System\CurrentControlSet\Services\oreans32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#Active Service
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#NextInstance

Adware.Tracking Cookie
C:\Documents and Settings\Dan Sanderson\Cookies\dan_sanderson@aoluk.122.2o7[1].txt
C:\Documents and Settings\Dan Sanderson\Cookies\dan_sanderson@statcounter[1].txt
C:\Documents and Settings\Dan Sanderson\Cookies\dan_sanderson@doubleclick[2].txt
C:\Documents and Settings\Dan Sanderson\Cookies\dan_sanderson@ads.techguy[2].txt
C:\Documents and Settings\Dan Sanderson\Cookies\dan_sanderson@toplist[1].txt
C:\Documents and Settings\Dan Sanderson\Cookies\dan_sanderson@ads.aol.co[1].txt
C:\Documents and Settings\Dan Sanderson\Cookies\dan_sanderson@media.adrevolver[2].txt
C:\Documents and Settings\Dan Sanderson\Cookies\dan_sanderson@mediaplex[1].txt
C:\Documents and Settings\Dan Sanderson\Cookies\dan_sanderson@adrevolver[1].txt
C:\Documents and Settings\Dan Sanderson\Cookies\dan_sanderson@media.adrevolver[3].txt
C:\Documents and Settings\Dan Sanderson\Cookies\dan_sanderson@ad.uk.tangozebra[1].txt
C:\Documents and Settings\Dan Sanderson\Cookies\dan_sanderson@advertising[2].txt
C:\Documents and Settings\Dan Sanderson\Cookies\dan_sanderson@aoleusearch.122.2o7[1].txt
C:\Documents and Settings\Dan Sanderson\Cookies\dan_sanderson@linksynergy[1].txt
C:\Documents and Settings\Dan Sanderson\Cookies\dan_sanderson@tradedoubler[1].txt
C:\Documents and Settings\Dan Sanderson\Cookies\dan_sanderson@atdmt[2].txt

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4473571C-5010-468B-B028-4C36014D560D}\RP137\A0022633.EXE

Trojan.Downloader-Gen/Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4473571C-5010-468B-B028-4C36014D560D}\RP137\A0022634.EXE


Logfile of HijackThis v1.99.1
Scan saved at 7:14:13 AM, on 11/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Common Files\AOL\1186954596\ee\AOLSoftware.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\winsock32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\common files\aol\1186954596\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
c:\program files\common files\aol\1186954596\ee\aolsoftware.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\DANSAN~1\LOCALS~1\Temp\Rar$EX00.672\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/intl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://a.tribalfusion.com/p.media/aT...01716/pop.html
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1186954596\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [] winsock32.exe
O4 - HKLM\..\RunServices: [] winsock32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-GB\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D1D98C0F-A339-42AB-BD5F-EA0FF5D0E65F} (RockYou Image Uploader Control) - http://www.rockyou.com/RockYouImageUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{96501477-46A7-4C7F-81AE-388209F962FD}: NameServer = 205.188.146.145
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP4a\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP4a\RpcSandraSrv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

[Cheeseball81]

I know, you're very infected so we still have plenty more to do.
Please rerun Combofix and post those results.

[DesperateDan]

thanks for your help

ComboFix 07-11-05.2 - Dan Sanderson 2007-11-07 21:28:13.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1590 [GMT 0:00]
Running from: C:\Documents and Settings\Dan Sanderson\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-07 to 2007-11-07 )))))))))))))))))))))))))))))))
.

2007-11-07 21:21 33,824 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2007-11-07 06:24 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-07 06:24 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Application Data\SUPERAntiSpyware.com
2007-11-07 06:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-06 09:56 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\.housecall6.6
2007-11-06 09:02 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-06 07:41 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Application Data\Uniblue
2007-11-05 18:31 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Application Data\Grisoft
2007-11-05 18:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-05 18:31 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-05 08:48 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-05 08:20 <DIR> d-------- C:\Program Files\iTunes
2007-11-05 08:20 <DIR> d-------- C:\Program Files\iPod
2007-11-05 08:20 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Application Data\Apple Computer
2007-11-05 08:19 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-11-05 08:14 <DIR> d-------- C:\Program Files\Apple Software Update
2007-11-05 08:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-11-04 11:25 <DIR> d-------- C:\Program Files\QuickTime
2007-11-04 11:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-04 10:01 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\DoctorWeb
2007-11-03 13:39 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Application Data\Vso
2007-11-03 13:39 81,920 --a------ C:\Documents and Settings\Dan Sanderson\Application Data\ezpinst.exe
2007-11-03 13:39 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-11-03 13:39 47,360 --a------ C:\Documents and Settings\Dan Sanderson\Application Data\pcouffin.sys
2007-11-02 17:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SlySoft
2007-11-02 17:05 <DIR> d-------- C:\Program Files\SlySoft
2007-11-02 08:04 <DIR> d-------- C:\Program Files\MagicDisc
2007-11-02 08:04 92,544 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2007-11-02 06:49 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-11-01 10:37 <DIR> d-------- C:\Program Files\Real Alternative
2007-10-30 17:52 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Application Data\Publish Providers
2007-10-30 17:50 33,340 --------- C:\WINDOWS\system32\dbmsqlgc.dll
2007-10-30 17:50 24,576 --------- C:\WINDOWS\system32\dbmsgnet.dll
2007-10-30 17:49 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2007-10-30 17:49 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Application Data\Sony
2007-10-30 17:48 <DIR> d-------- C:\Program Files\Vstplugins
2007-10-30 17:48 <DIR> d-------- C:\Program Files\Sony
2007-10-30 17:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony
2007-10-30 17:39 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Application Data\Sony Setup
2007-10-30 17:38 <DIR> d-------- C:\Program Files\Sony Setup
2007-10-30 16:47 <DIR> d-------- C:\Program Files\WinAce
2007-10-30 15:28 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-29 14:20 <DIR> d-------- C:\Program Files\Common Files\DeskShare Shared
2007-10-29 14:20 356,352 --a------ C:\WINDOWS\eSellerateEngine.dll
2007-10-29 13:14 <DIR> d-------- C:\Program Files\Deskshare
2007-10-28 17:16 96,832 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-10-27 14:30 <DIR> d-------- C:\Program Files\XP Codec Pack
2007-10-26 12:37 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-26 12:37 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-10-26 11:56 <DIR> d-------- C:\Program Files\Real
2007-10-26 11:56 <DIR> d-------- C:\Program Files\Common Files\Real
2007-10-26 11:54 <DIR> d-------- C:\My Downloads
2007-10-26 11:35 45,056 --a------ C:\WINDOWS\system32\wnaspi32.dll
2007-10-26 11:35 25,244 --a------ C:\WINDOWS\system32\drivers\aspi32.sys
2007-10-26 11:35 5,600 --a------ C:\WINDOWS\system\winaspi.dll
2007-10-26 11:35 4,672 --a------ C:\WINDOWS\system\wowpost.exe
2007-10-26 08:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-10-25 12:33 <DIR> d-------- C:\Program Files\Audacity
2007-10-25 10:04 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2007-10-25 10:04 <DIR> d-------- C:\Program Files\Windows Live Favorites
2007-10-25 10:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2007-10-25 10:03 <DIR> d-------- C:\Program Files\MSN Messenger
2007-10-23 16:23 <DIR> d-------- C:\Program Files\NCH Swift Sound
2007-10-23 16:23 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Application Data\NCH Swift Sound
2007-10-23 16:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-10-22 20:06 <DIR> d-------- C:\Program Files\RadioXpi
2007-10-22 17:18 <DIR> d-------- C:\WINDOWS\Freecorder Toolbar
2007-10-22 17:18 <DIR> d-------- C:\Program Files\Freecorder Toolbar
2007-10-22 17:18 <DIR> d-------- C:\Program Files\Freecorder
2007-10-22 17:07 <DIR> d-------- C:\Program Files\RipCast 1.9
2007-10-19 08:48 <DIR> d-------- C:\Program Files\CrossLoop
2007-10-15 12:32 61,056 --a------ C:\WINDOWS\system32\drivers\ohci1394.sys
2007-10-15 12:32 61,056 --a--c--- C:\WINDOWS\system32\dllcache\ohci1394.sys
2007-10-15 12:32 53,248 --a------ C:\WINDOWS\system32\drivers\1394bus.sys
2007-10-15 12:32 53,248 --a--c--- C:\WINDOWS\system32\dllcache\1394bus.sys
2007-10-15 12:32 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2007-10-15 12:32 6,400 --a--c--- C:\WINDOWS\system32\dllcache\enum1394.sys
2007-10-14 15:22 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Contacts
2007-10-14 13:51 <DIR> d-------- C:\Documents and Settings\Dan Sanderson\Application Data\MSNInstaller
2007-10-10 17:13 <DIR> d-------- C:\Program Files\AskTBar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-07 08:22 --------- d-----w C:\Documents and Settings\Dan Sanderson\Application Data\Ahead
2007-11-07 06:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-06 13:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-04 11:11 --------- d-----w C:\Program Files\Java
2007-11-04 10:48 --------- d-----w C:\Program Files\Common Files\FTL Shared
2007-11-03 09:47 --------- d-----w C:\Program Files\AOL 9.0
2007-11-03 09:13 --------- d-----w C:\Documents and Settings\Dan Sanderson\Application Data\LimeWire
2007-11-02 10:03 --------- d-----w C:\Program Files\DivX
2007-10-27 08:37 --------- d-----w C:\Program Files\LimeWire
2007-10-26 08:05 --------- d-----w C:\Program Files\AOL Toolbar
2007-10-25 08:22 --------- d-----w C:\Program Files\Dell AIO Printer A920
2007-10-01 17:56 --------- d-----w C:\Documents and Settings\Dan Sanderson\Application Data\Joost
2007-09-29 10:24 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-09-20 10:38 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-16 09:02 --------- d-----w C:\Documents and Settings\Dan Sanderson\Application Data\dvdcss
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-08-21 11:35 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-08-21 11:35 249,856 ------w C:\WINDOWS\Setup1.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-14 21:39 81,920 ------r C:\WINDOWS\bwUnin-6.1.4.36-8876480L.exe
2007-08-10 19:56 93,128 ----a-w C:\WINDOWS\system32\ElbyCDIO.dll
2006-08-09 17:42 3,198,976 ----a-w C:\Program Files\ViewSonicregistration.exe
2007-06-13 10:23:07 1,561,600 --sh--r C:\WINDOWS\system32\winsock32.exe
.

((((((((((((((((((((((((((((( snapshot@2007-11-06_ 9.04.01.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-09-21 15:53:44 385,536 ----a-w C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
+ 2007-11-07 06:24:25 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-11-07 06:24:25 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-11-07 06:24:25 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2007-11-07 21:21:39 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_730.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GSICONEXE"="gsicon.exe" [2003-05-14 19:26 C:\WINDOWS\system32\gsicon.exe]
"DSLAGENTEXE"="dslagent.exe" [2003-04-25 09:22 C:\WINDOWS\system32\dslagent.exe]
"HostManager"="C:\Program Files\Common Files\AOL\1186954596\ee\AOLSoftware.exe" [2006-11-17 13:21]
"36X Raid Configurer"="C:\WINDOWS\system32\JMRaidSetup.exe" [2006-11-16 17:05]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 10:06]
"@"="winsock32.exe" [2007-06-13 10:23 C:\WINDOWS\system32\winsock32.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 12:00]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2006-09-15 14:27]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"<NO NAME>"=winsock32.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell ExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\AOL 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=C:\WINDOWS\pss\AOL Companion.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dan Sanderson^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\Dan Sanderson\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dan Sanderson^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\Dan Sanderson\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup
winsock32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\%FP%Friendly fts.exe]
"C:\Program Files\VoyagerTest\fts.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccleaner]
"C:\Program Files\CCleaner\ccleaner.exe" /AUTO

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
"C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1186954596\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
C:\WINDOWS\JM\JMInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3Trayp]
S3trayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WheelMouse]
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys
R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R3 glausb;GlobeSpan USB ADSL LAN Modem;C:\WINDOWS\system32\DRIVERS\glausb.sys
R3 PPPoEWin;PPPoEWin Miniport;C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS
R3 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys

*Newly Created Service* - OREANS32
.
Contents of the 'Scheduled Tasks' folder
"2007-11-05 08:14:45 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-07 09:58:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-11-07 21:24:44 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-07 21:29:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-07 21:29:39
C:\ComboFix2.txt ... 2007-11-06 09:04
.
--- E O F ---

[ralucagymnast]

Hi I am new here, and go easy on me, because I am a beginner!!! I have the dreaded virtumonde trojan, I have Avastantivirus, but it hasnt got rid of it. I have spywaredoctor, and that also hasnt gotten rid. I need to get rid of it, but havent a clue about manually removing it. Could someone give me a real dummies guide to removing it??I mean, real Janet and John stuff!!! I am a beginner, in the true sense of the word!! Help!!
Cheers!

[blues_harp28]

Hi and welcome to TSG.
Best to start your own thread as you can see this one belongs to DesperateDan.
Go to the Malware removal and Hijack this log Forum and post a Hijack this log there.

http://www.thespykiller.co.uk/files/HJTsetup.exe
Link not working..try.
http://tomcoyote.com/hjt

Save HJTsetup.exe to your desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.

Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click Edit > Select All> Edit > Copy to copy the entire contents of the log.
Paste the log in your next reply.

DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

[Cheeseball81]

1. Please download The Avenger by Swandog46 to your Desktop.

• Click on Avenger.zip to open the file
• Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Quote:

Files to delete:
C:\WINDOWS\system32\winsock32.exe
C:\WINDOWS\system32\ertws.exe
C:\WINDOWS\mrofinu173.exe
C:\WINDOWS\sadasd.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

• Under "Script file to execute" choose "Input Script Manually".
• Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
• Paste the text copied to clipboard into this window by pressing (Ctrl+V).
• Click Done
• Now click on the Green Light to begin execution of the script
• Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

• It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
• On reboot, it will briefly open a black command window on your desktop, this is normal.
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply.

Rescan with Hijack This, close all browser windows except Hijack This, put a checkmark beside these entries and click fix checked.

O4 - HKLM\..\Run: [] winsock32.exe

O4 - HKLM\..\RunServices: [] winsock32.exe

Reboot and post another Hijack This log please.

[DesperateDan]

I followed your instructions I get as far as the traffic lights, when I clicked on the traffic lights I get dailog box saying, are you sure you want to execute the commands in the selected script?, when I click yes I get an error saying, error selected file does not appear to be a valid script, I don't know it I'm copying the selected fies to the clip board the right way, I high light the files then I keep my finger down on the ctrl key and press the C key am I doing it right? sorry to sound like a dummy but i'm not used to to keyboard commands

[ralucagymnast]

are these instructions for me to follow? I wasnt sure whether they are for DesparateDan???I am having no luck with vundofix or symantec's virtumonde fixer or any of those things. My desktop screen is still black, and I am running very very slowly, still getting random popups. As I said, I am an absolute beginner, so be gentle with me!

[blues_harp28]

Hi ralucagymnast.
You need to start your own thread.
In the General Security Forum..
Click on the red box at the top title New Thread.
Click on it and post your problem and a Hijack this log.

http://tomcoyote.com/hjt
Go to the link above..click Download Hjt log.

Save HJTsetup.exe to your desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.

Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click Edit > Select All> Edit > Copy to copy the entire contents of the log.
Paste the log in your next reply.

DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required

[Cheeseball81]

These instructions are for Dan.

Make sure you are including the words "Files to delete"

[DesperateDan]

Its still the same I get the same error, error selected file does not appear to be a valid script.