Problems with Trojans.

[Shandy]

Hi, I've recently been having problems with some Trojans that Spybot Search and Destroy detected (All other scanners I used failed to find the problem). They were called Win32.delf and hipoug18 or something. I also found a file at C:\yt8a.exe and C:\windows\system32\yt8a.exe (which labeled it self as a system file) this was closing down my browser every time I opened a page containing "yt8a.exe".
I managed to remove yt8a.exe from startup and have run many scans including the ones recommended by the sticky post at the top of the forum here. Although none of the programs reported that they had detected or removed win32.delf or the other they are no longer being detected by my spybot S&D scans.
My computer does seem to be running better however I can no longer enable the showing of hidden files and folders and I cannot boot windows in safe mode (gets so far when booting files and stops) also Hijackthis.exe won't run with that name, which it should if I was completely clean.
Also I have checked for the existence of TDSServ.sys but I don't have it.

I will attach logs I have created although one or two may be from before changes were made/files removed by other scanners.

While I await a reply I will create a combofix log, Can't seem to find the last one I created, also please let me know of any other reports you may need and I shall gather them.

Thank you very much for your help, Shandy

[attachment deleted by admin]

[Shandy]

Unfortunately only the one log seemed to become attached, Here are the rest.

[attachment deleted by admin]

[Shandy]

Here is the combofix log.
Thanks guys.

[attachment deleted by admin]

[CBMatt]

Is AT&T your internet service provider?

I don't really see much in your logs.  Are you still experiencing problems?

[Shandy]

Actually seems to be running fine now, and Hijackthis.exe will run under that name, I haven't tried a safe boot, I'll check that later. Thanks for your time
And no btw, AT&T isn't my isp but it may have been previously, this is an old machine from work that was setup for domain use, it's given me nothing but trouble since I've removed it from the domain. Anyway I'm all good now, thanks again

[CBMatt]

I don't know if it's related or not, but you had these entries in your HJT log...

O17 - HKLM\System\CCS\Services\Tcpip\..\{6A16CDF6-7E37-4793-84D9-096B3DA653D2}: Domain = EMEA.ATT.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = EMEA.ATT.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = EMEA.ATT.COM
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = EMEA.ATT.COM

These could possibly be causing issues.  As a test, you may want to try removing these entries with HijackThis.  Simply place checkmarks next to them, close all other windows, and click on Fix Checked.  NOTE: there is a possibility that this may break your internet connection.  If that happens, run HijackThis again and choose the Backups option.  Find the above O17 entries, place checkmarks next to them, and have HJT restore them.

[Shandy]

Thats the old domain the laptop used to be on it shouldn't affect my connection, I will remove them now. This laptop was given to my dad by a company he had a contract with, after the contract finished he kept the laptop since it was built only for his use. It's been giving me problems actually I removed the machine from the domain (guessing the admin's password) but after that I could not get past the username/password on windows log in since the account my dad used was no longer accessible. I had to download a boot disc to remove all account passwords so I could log in then I had to take permission of every file with CACLS. Everything seems to be alright now except a tonne of redundant files but I don't know if any are essential or not.
Jeez I'm rambling... Thanks for the help Chris! you rule

[CBMatt]

Heh, well, I'm glad things seem to be running a bit better now.  As for duplicate files, you may want to look into this program...
http://www.snapfiles.com/get/fastdupfinder.html