07-19-2007, 12:09 PM   #1
exploreman
Registered User
 
Join Date: Sep 2006
Posts: 8
OS: xp


Sophos would not remove all malware

I have been trying to get rid of malware and a Trojan downloader from a Windows XP Pro workstation. I have just done 3 scans with AVG and it says that the computer is clean. Before this, every time the computer was reconnected to the network (and through the network to the internet) and a user logged on, the pop-ups and files would appear. Can someone look at my attached logs and let me know if it is clean? I have attached logs from before the AVG scans and from after the AVG scans and deletions.
Thanks,
Exploreman


Deckard's System Scanner v20070711.54
Run by Administrator on 2007-07-19 at 13:52:54
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 1:53:05 PM, on 7/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\virus tools\Deckards System Scan\dss.exe
C:\hjt\ADMINI~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5BEA9DF5-6868-4FB4-9EC3-704DE9703FBE} - C:\Program Files\NetMeeting\hokenowa.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://cefaluserver/connectcomputer/nshelp.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Cefalu.local
O17 - HKLM\Software\..\Telephony: DomainName = Cefalu.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Cefalu.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Cefalu.local
O20 - AppInit_DLLs:
O20 - Winlogon Notify: geebx - C:\WINDOWS\system32\geebx.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: qommmlj - qommmlj.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos Agent - Unknown owner - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe" -service -name Agent (file missing)
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Unknown owner - C:\Program Files\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194 (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


-- Files created between 2007-06-19 and 2007-07-19 -----------------------------

2007-07-19 11:26:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-07-19 11:26:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-07-19 09:20:16 0 d-------- C:\hjt
2007-07-18 16:21:49 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2007-07-18 15:22:34 0 d-------- C:\Documents and Settings\Bernie\Application Data\Macromedia
2007-07-13 09:40:15 1956109 ---hs---- C:\WINDOWS\system32\cbadd.bak2
2007-07-11 15:24:27 0 d-------- C:\Documents and Settings\Maria\Application Data\Help
2007-07-10 18:10:24 0 d---s---- C:\Documents and Settings\Maria\UserData
2007-07-09 22:45:26 12578 --a------ C:\scanlog070907
2007-07-09 06:51:47 1843028 ---hs---- C:\WINDOWS\system32\cbadd.bak1
2007-07-06 21:33:02 0 d-------- C:\Documents and Settings\Maria\Application Data\Adobe
2007-07-02 23:56:24 0 d-------- C:\virus tools
2007-07-02 16:10:49 0 d-------- C:\VundoFix Backups
2007-06-26 14:33:33 0 d-------- C:\Documents and Settings\Maria\Application Data\Macromedia
2007-06-22 04:07:01 0 d---s---- C:\Documents and Settings\KellyB\UserData
2007-06-21 23:47:07 0 d-------- C:\Documents and Settings\KellyB\Application Data\Help
2007-06-21 23:02:33 0 d-------- C:\Documents and Settings\KellyB\Application Data\Adobe
2007-06-21 02:00:17 0 d--h----- C:\Documents and Settings\Maria\Templates
2007-06-21 02:00:17 0 dr------- C:\Documents and Settings\Maria\Start Menu
2007-06-21 02:00:17 0 dr-h----- C:\Documents and Settings\Maria\SendTo
2007-06-21 02:00:17 0 dr-h----- C:\Documents and Settings\Maria\Recent
2007-06-21 02:00:17 0 d--h----- C:\Documents and Settings\Maria\PrintHood
2007-06-21 02:00:17 1048576 --ah----- C:\Documents and Settings\Maria\NTUSER.DAT
2007-06-21 02:00:17 0 d--h----- C:\Documents and Settings\Maria\NetHood
2007-06-21 02:00:17 0 dr------- C:\Documents and Settings\Maria\My Documents
2007-06-21 02:00:17 0 d--h----- C:\Documents and Settings\Maria\Local Settings
2007-06-21 02:00:17 0 dr------- C:\Documents and Settings\Maria\Favorites
2007-06-21 02:00:17 0 d-------- C:\Documents and Settings\Maria\Desktop
2007-06-21 02:00:17 0 d---s---- C:\Documents and Settings\Maria\Cookies
2007-06-21 02:00:17 0 dr-h----- C:\Documents and Settings\Maria\Application Data
2007-06-21 02:00:17 0 d-------- C:\Documents and Settings\Maria\Application Data\Symantec
2007-06-21 02:00:17 0 d-------- C:\Documents and Settings\Maria\Application Data\Sun
2007-06-21 02:00:17 0 d-------- C:\Documents and Settings\Maria\Application Data\Sonic
2007-06-21 02:00:17 0 d---s---- C:\Documents and Settings\Maria\Application Data\Microsoft
2007-06-21 02:00:17 0 d-------- C:\Documents and Settings\Maria\Application Data\Jasc Software Inc
2007-06-21 02:00:17 0 d-------- C:\Documents and Settings\Maria\Application Data\Identities
2007-06-21 01:49:15 0 d-------- C:\Documents and Settings\KellyB\Application Data\Macromedia
2007-06-21 01:46:45 0 d--h----- C:\Documents and Settings\KellyB\Templates
2007-06-21 01:46:45 0 dr------- C:\Documents and Settings\KellyB\Start Menu
2007-06-21 01:46:45 0 dr-h----- C:\Documents and Settings\KellyB\SendTo
2007-06-21 01:46:45 0 dr-h----- C:\Documents and Settings\KellyB\Recent
2007-06-21 01:46:45 0 d--h----- C:\Documents and Settings\KellyB\PrintHood
2007-06-21 01:46:45 1835008 --ah----- C:\Documents and Settings\KellyB\NTUSER.DAT
2007-06-21 01:46:45 0 d--h----- C:\Documents and Settings\KellyB\NetHood
2007-06-21 01:46:45 0 dr------- C:\Documents and Settings\KellyB\My Documents
2007-06-21 01:46:45 0 d--h----- C:\Documents and Settings\KellyB\Local Settings
2007-06-21 01:46:45 0 dr------- C:\Documents and Settings\KellyB\Favorites
2007-06-21 01:46:45 0 d-------- C:\Documents and Settings\KellyB\Desktop
2007-06-21 01:46:45 0 d---s---- C:\Documents and Settings\KellyB\Cookies
2007-06-21 01:46:45 0 dr-h----- C:\Documents and Settings\KellyB\Application Data
2007-06-21 01:46:45 0 d-------- C:\Documents and Settings\KellyB\Application Data\Symantec
2007-06-21 01:46:45 0 d-------- C:\Documents and Settings\KellyB\Application Data\Sun
2007-06-21 01:46:45 0 d-------- C:\Documents and Settings\KellyB\Application Data\Sonic
2007-06-21 01:46:45 0 d---s---- C:\Documents and Settings\KellyB\Application Data\Microsoft
2007-06-21 01:46:45 0 d-------- C:\Documents and Settings\KellyB\Application Data\Jasc Software Inc
2007-06-21 01:46:45 0 d-------- C:\Documents and Settings\KellyB\Application Data\Identities
2007-06-21 00:50:02 0 dr-h----- C:\Documents and Settings\LocalService\Recent
2007-06-21 00:50:00 0 d-------- C:\Documents and Settings\LocalService\Desktop
2007-06-19 08:01:02 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2007-06-19 06:51:19 0 d-------- C:\Program Files\Common Files\kqzk
2007-06-19 06:51:18 0 d-------- C:\WINDOWS\kqzk
2007-06-19 06:46:36 0 dr------- C:\Documents and Settings\LocalService\Favorites


-- Find3M Report ---------------------------------------------------------------

2007-07-17 23:29:43 0 d-------- C:\Program Files\Sophos
2007-06-20 06:59:51 1847125 ---hs---- C:\WINDOWS\system32\xbeeg.bak2
2007-06-16 06:59:17 1821760 ---hs---- C:\WINDOWS\system32\xbeeg.bak1
2007-06-07 03:42:27 0 d-------- C:\Program Files\QCmax
2007-06-07 03:42:27 0 d-------- C:\Program Files\OST10
2007-06-07 03:42:26 0 d-------- C:\Program Files\Modem Helper
2007-06-07 03:42:19 0 d-------- C:\Program Files\Common Files\aolshare
2007-06-07 03:42:19 0 d-------- C:\Program Files\America Online 9.0
2007-06-06 15:27:47 1808553 ---hs---- C:\WINDOWS\system32\opqss.bak1
2007-06-04 00:36:09 1583854 ---hs---- C:\WINDOWS\system32\qqtss.bak1


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{5BEA9DF5-6868-4FB4-9EC3-704DE9703FBE} C:\Program Files\NetMeeting\hokenowa.dll [x]
{5CA3D70E-1895-11CF-8E15-001234567890} C:\WINDOWS\system32\dla\tfswshx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"StorageGuard"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"DwlClient"="C:\\Program Files\\Common Files\\Dell\\EUSW\\Support.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geebx
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qommmlj

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\SAVService

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



-- End of Deckard's System Scanner: finished at 2007-07-19 at 13:53:23 ---------



---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:02:08 PM 7/19/2007

+ Scan result:



C:\Documents and Settings\theresa.CEFALU\Application Data\Τаsks\lοgonui.exe -> Adware.PurityScan : No action taken.
C:\Program Files\NetMeeting\hokenowa.dll -> Adware.TTC : No action taken.
C:\WINDOWS\SYSTEM32\T3\am67.exe -> Adware.ZQuest : No action taken.
C:\Program Files\Common Files\kqzk\kqzkd\vocabulary -> Downloader.TSUpdate.j : No action taken.
C:\WINDOWS\SYSTEM32\T9QaSQ\T9QaSQ1099.exe -> Downloader.VB.awj : No action taken.
C:\WINDOWS\SYSTEM32\o02PrEz\o02PrEz1065.exe -> Downloader.VB.awj : No action taken.
C:\WINDOWS\Downloaded Program Files\CONFLICT.10\AUTO_2N.exe -> Trojan.Agent : No action taken.
C:\WINDOWS\Downloaded Program Files\CONFLICT.11\AUTO_2N.exe -> Trojan.Agent : No action taken.
C:\WINDOWS\Downloaded Program Files\CONFLICT.12\AUTO_2N.exe -> Trojan.Agent : No action taken.
C:\WINDOWS\Downloaded Program Files\CONFLICT.13\AUTO_2N.exe -> Trojan.Agent : No action taken.
C:\WINDOWS\Downloaded Program Files\CONFLICT.14\AUTO_2N.exe -> Trojan.Agent : No action taken.
C:\WINDOWS\Downloaded Program Files\CONFLICT.15\AUTO_2N.exe -> Trojan.Agent : No action taken.
C:\WINDOWS\Downloaded Program Files\CONFLICT.16\AUTO_2N.exe -> Trojan.Agent : No action taken.
C:\WINDOWS\Downloaded Program Files\CONFLICT.17\AUTO_2N.exe -> Trojan.Agent : No action taken.
C:\WINDOWS\Downloaded Program Files\CONFLICT.18\AUTO_2N.exe -> Trojan.Agent : No action taken.
C:\WINDOWS\Downloaded Program Files\CONFLICT.19\AUTO_2N.exe -> Trojan.Agent : No action taken.
C:\WINDOWS\Downloaded Program Files\CONFLICT.20\AUTO_2N.exe -> Trojan.Agent : No action taken.
C:\WINDOWS\Downloaded Program Files\CONFLICT.21\AUTO_2N.exe -> Trojan.Agent : No action taken.
C:\WINDOWS\Downloaded Program Files\CONFLICT.22\AUTO_2N.exe -> Trojan.Agent : No action taken.
C:\WINDOWS\Downloaded Program Files\CONFLICT.23\AUTO_2N.exe -> Trojan.Agent : No action taken.
C:\WINDOWS\Downloaded Program Files\CONFLICT.24\AUTO_2N.exe -> Trojan.Agent : No action taken.
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\AUTO_2N.exe -> Trojan.Agent : No action taken.
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\AUTO_2N.exe -> Trojan.Agent : No action taken.
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\AUTO_2N.exe -> Trojan.Agent : No action taken.
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\AUTO_2N.exe -> Trojan.Agent : No action taken.
C:\WINDOWS\Downloaded Program Files\CONFLICT.8\AUTO_2N.exe -> Trojan.Agent : No action taken.
C:\WINDOWS\Downloaded Program Files\CONFLICT.9\AUTO_2N.exe -> Trojan.Agent : No action taken.
C:\WINDOWS\Downloaded Program Files\rnd_soft.php -> Trojan.Dialer.og : No action taken.


::Report end

Last edited by Vikesrock8411; 07-24-2007 at 10:25 PM.