Browsers Hijacking and Popups log is here



Carsynn
2007-05-23, 17:20
I did follow all of the steps in "Steps before you post".

Here is the log.

Logfile of HijackThis v1.99.1
Scan saved at 8:14:47 AM, on 5/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\WINDOWS\retadpu1000106.exe
C:\Program Files\Online Backup for QuickBooks\OnlineBackup.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [mav_startupmon] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\hdlchsny.dll",realset
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\swinprdv.exe CHD003
O4 - HKCU\..\Run: [@BackupScheduler] C:\Program Files\Online Backup for QuickBooks\OnlineBackup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [zwok] C:\Program Files\InetGet2\stub_109_4_0_4_0.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\qodsregj.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\swinprdv.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C44E963-FB5B-4D45-80FB-1C430D31C5CA}: NameServer = 68.94.156.1 68.94.157.1
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Sorry, here is the info.

From: eTrust Antivirus Web Scanner
No infections / Scan completed /16434 files scanned / no infections found

From: Spybot
Congratulations, no immediate threats were found.


I had scanned with Spybot 2 days earlier, before I read this forum. It found 63 items and they were deleted.

Thank you,

Carsynn

miekiemoes
2007-05-25, 13:01
Hello,

Please perform my next steps in the right order...

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [mav_startupmon] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\hdlchsny.dll",realset
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\swinprdv.exe CHD003
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [zwok] C:\Program Files\InetGet2\stub_109_4_0_4_0.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\qodsregj.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\swinprdv.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Download Combofix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your desktop.
Double-click combofix.exe.
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Carsynn
2007-05-25, 15:48
Thank you, I will do those and report back. I thought you should know that I ran Spybot this morning and it came back with:
Smitfraud-c. Toolbarr888
ZenoSearch

carsynn

miekiemoes
2007-05-25, 16:11
Ok, I'll read your logs afterwards. :)

Carsynn
2007-05-25, 23:16
After I ran HijackThis and before I could click Fix Checked, an error message came up.

It said:
HijackThis has encountered a problem and needs to close. We are sorry for the inconvenience. If you were in the middle of something, the info you were working on might be lost.
Please tell Microsoft ..................................

(the choice of buttons was)
Debug Send error report Don't Send


Should I run HijackThis in safe mode? Bear in mind that until 3 days ago I did not even know a safe mode existed, let alone use it.

thanks,

carsynn

miekiemoes
2007-05-25, 23:26
Hi,

No, running HijackThis in safe mode won't make a difference. Can you rename HijackThis.exe to Analyse.exe?
Then scan with Analyse.exe and fix the entries I asked you to fix in it.
If that doesn't work, just proceed with my next steps (Combofix).

Carsynn
2007-05-26, 00:01
I ran it again and it worked.

Here are the logs. 1st, ComboFix:
"Carsynn" - 2007-05-25 14:40:58 Service Pack 2
ComboFix 07-05.26.V - Running from: "C:\Documents and Settings\Carsynn\Desktop\"
(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\awtsr.dll
C:\WINDOWS\system32\awvtu.dll
C:\WINDOWS\system32\fxmmtdyy.dll
C:\WINDOWS\system32\geeba.dll
C:\WINDOWS\system32\hdlchsny.dll
C:\WINDOWS\system32\iriaadpr.dll
C:\WINDOWS\system32\ddcyayx.dll
C:\WINDOWS\system32\fccdbcy.dll
C:\WINDOWS\system32\jkkhfeb.dll
C:\WINDOWS\system32\ssqropn.dll
C:\WINDOWS\system32\rstwa.ini
C:\WINDOWS\system32\utvwa.ini
C:\WINDOWS\system32\wyadd.bak1
C:\WINDOWS\system32\wyadd.bak2
C:\WINDOWS\system32\wyadd.ini
C:\WINDOWS\system32\abeeg.ini
C:\WINDOWS\system32\ynshcldh.ini
C:\WINDOWS\system32\wyadd.bak1
C:\WINDOWS\system32\wyadd.bak2
C:\WINDOWS\system32\wyadd.ini
C:\WINDOWS\system32\ddayw.dll
C:\WINDOWS\system32\jkkkifg.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
"C:\Program Files\Common Files\Yazzle1122OinAdmin.exe"
"C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe"
"C:\WINDOWS\system32\smpi1\lb2.exe"
"C:\WINDOWS\system32\smpi1\lb66.exe"
"C:\WINDOWS\system32\smpi1\lib06.exe"
"C:\WINDOWS\system32\smpi1\lib67.exe"
"C:\Temp\17O7\tmpTF.log"
"C:\WINDOWS\system32\bszip.dll"
"C:\WINDOWS\b136.exe"
"C:\WINDOWS\system32\smpi1"
"C:\Temp\17O7"

2nd, the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:57:26 PM, on 5/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\Program Files\Online Backup for QuickBooks\OnlineBackup.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {18E8F12C-72CA-439D-C48A-31D300A42B3E} - C:\Program Files\Windows Media Player\qujaxiqi.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKCU\..\Run: [@BackupScheduler] C:\Program Files\Online Backup for QuickBooks\OnlineBackup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

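As an added illustration for this thread (not HijackThis's or the helper's own code): a small Python script that compares the first log with the new one, so a helper can confirm the checked entries are really gone and spot anything that appeared in between, such as the BHO above. The sample logs are constructed subsets of the ones posted in this thread; the function and class names are mine.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Entry lines look like "O4 - HKLM\..\Run: [name] path" or
# "O2 - BHO: name - {CLSID} - path". Header and process-list lines
# do not match this pattern and are skipped.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")


@dataclass(frozen=True)
class HjtEntry:
    code: str  # section code: O4 = autostart, O2 = BHO, O9 = IE button, ...
    body: str  # everything after the "O4 - " prefix

    @property
    def line(self) -> str:
        return f"{self.code} - {self.body}"

    def is_orphan(self) -> bool:
        """True when HijackThis reports the target file as gone: a registry
        entry that outlived its file, as with the '(file missing)' lines."""
        return self.body.endswith(("(file missing)", "(no file)"))


def parse_hjt(log: str) -> list[HjtEntry]:
    """Extract the R/F/N/O entry lines from a HijackThis log."""
    entries = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(HjtEntry(m.group("code"), m.group("body")))
    return entries


def diff_logs(before: str, after: str) -> tuple[list[HjtEntry], list[HjtEntry]]:
    """Return (removed, added): entries only in the old log, only in the new."""
    old, new = set(parse_hjt(before)), set(parse_hjt(after))
    removed = sorted(old - new, key=lambda e: e.line)
    added = sorted(new - old, key=lambda e: e.line)
    return removed, added


def verify_fix(before: str, after: str, requested: list[str]) -> dict[str, list[str]]:
    """Check one 'Fix Checked' round: which requested lines are gone, which
    survived, which never matched either log, and what appeared meanwhile."""
    removed, added = diff_logs(before, after)
    gone = {e.line for e in removed}
    present = {e.line for e in parse_hjt(after)}
    wanted = [w.strip() for w in requested]
    return {
        "fixed": [w for w in wanted if w in gone],
        "still_present": [w for w in wanted if w in present],
        "unmatched": [w for w in wanted if w not in gone and w not in present],
        "new": [e.line for e in added],
        "new_orphans": [e.line for e in added if e.is_orphan()],
    }


# Constructed 'before' sample: a small subset of the first log in this thread.
BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\retadpu1000106.exe

O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [mav_startupmon] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\hdlchsny.dll",realset
O4 - HKCU\..\Run: [zwok] C:\Program Files\InetGet2\stub_109_4_0_4_0.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
"""

# Constructed 'after' sample: the [zwok] entry is deliberately left in place
# to exercise the still_present branch (in the real thread it was removed),
# and the BHO that surfaced in the second log of the thread is included.
AFTER = r"""Logfile of HijackThis v1.99.1
Running processes:

O2 - BHO: 0 - {18E8F12C-72CA-439D-C48A-31D300A42B3E} - C:\Program Files\Windows Media Player\qujaxiqi.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKCU\..\Run: [zwok] C:\Program Files\InetGet2\stub_109_4_0_4_0.exe
"""

# The lines the helper asked to have checked, as pasted in the thread. The
# last one carries the forum-shortened URL, so it cannot match either log.
REQUESTED = [
    r'O4 - HKLM\..\Run: [mav_startupmon] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"',
    r'O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\hdlchsny.dll",realset',
    r"O4 - HKCU\..\Run: [zwok] C:\Program Files\InetGet2\stub_109_4_0_4_0.exe",
    r"O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)",
    r"O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab",
]

if __name__ == "__main__":
    for key, lines in verify_fix(BEFORE, AFTER, REQUESTED).items():
        print(f"{key}: {len(lines)}")
        for line in lines:
            print("   ", line)
```

Matching is by exact line, which is why the shortened O16 URL lands in "unmatched"; a helper pasting entries should copy them from the full log, not from a forum post that abbreviates URLs.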
miekiemoes
2007-05-26, 00:09
Hi,

Your log from Combofix is incomplete. So open C:\Combofix.txt and copy and paste the entire contents in your next reply. :)

Carsynn
2007-05-26, 00:42
Sorry about that.

Here it is.

"Carsynn" - 2007-05-25 15:22:39 Service Pack 2
ComboFix 07-05.26.V - Running from: "C:\Documents and Settings\Carsynn\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-25 ))))))))))))))))))))))))))))))))))


2007-05-25 14:50 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-23 08:00 <DIR> d-------- C:\HiJackThis
2007-05-23 07:34 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-23 07:34 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-05-23 07:34 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Jasc Software Inc
2007-05-20 13:58 932 --a------ C:\WINDOWS\system32\winpfz32.sys
2007-05-20 13:58 184,430 --a------ C:\WINDOWS\system32\swinprdv.exe
2007-05-20 11:53 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-05-20 11:53 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-05-20 11:53 <DIR> d--hs---- C:\UWA7P
2007-05-20 11:53 <DIR> d-------- C:\Program Files\Common Files\WinAntiVirus Pro 2007
2007-05-20 11:53 <DIR> d-------- C:\DOCUME~1\Scott\APPLIC~1\WinAntiVirus Pro 2007
2007-05-20 11:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
2007-05-20 11:43 <DIR> d-------- C:\WINDOWS\system32\SBO
2007-05-10 03:05 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-25 21:00:11 -------- d-----w C:\Program Files\Dl_cats
2007-05-25 09:30:13 -------- d-----w C:\DOCUME~1\Carsynn\APPLIC~1\Online Backup
2007-05-23 13:00:36 -------- d--h--w C:\DOCUME~1\Carsynn\APPLIC~1\Move Networks
2007-05-20 13:22:48 -------- d-----w C:\Program Files\QB Programs
2007-05-09 18:21:55 -------- d-----w C:\Program Files\Windows Live Toolbar
2007-05-02 13:32:15 630,464 ----a-w C:\WINDOWS\system32\drivers\VetEFile.sys
2007-05-02 13:32:15 108,656 ----a-w C:\WINDOWS\system32\drivers\VetEBoot.sys
2007-04-22 17:41:07 -------- d-----w C:\Program Files\MSN Games
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-14 03:07:17 -------- d-----w C:\Program Files\Yahoo! Games
2007-04-09 13:29:55 -------- d--h--w C:\DOCUME~1\Carsynn\APPLIC~1\Gtek
2007-04-09 13:18:47 -------- d-----w C:\Program Files\DellSupport
2007-03-27 10:03:06 -------- d-----w C:\Program Files\Microsoft Works
2007-03-23 01:08:43 -------- d-----w C:\DOCUME~1\Carsynn\APPLIC~1\AdobeUM
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-15 15:43:01 -------- d-----w C:\Program Files\TrustSoft AntiSpyware
2007-03-15 13:18:26 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-03-14 20:10:55 26,787 ----a-w C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-03-14 20:10:32 74,864 ----a-w C:\WINDOWS\system32\VetRedir.dll
2007-03-14 20:10:32 115,824 ----a-w C:\WINDOWS\UnVet32.exe
2007-03-14 20:10:32 111,728 ----a-w C:\WINDOWS\AVShlExt.dll
2007-03-14 20:10:31 21,031 ----a-w C:\WINDOWS\system32\drivers\Vet-Filt.sys
2007-03-14 20:10:31 15,735 ----a-w C:\WINDOWS\system32\drivers\VetFDDNT.sys
2007-03-14 20:10:31 15,478 ----a-w C:\WINDOWS\system32\drivers\Vet-Rec.sys
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-19 11:01:20 252,356 ----a-w C:\WINDOWS\b128.exe
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2006-10-26 11:28]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 01:56]
{18E8F12C-72CA-439D-C48A-31D300A42B3E}=C:\Program Files\Windows Media Player\qujaxiqi.dll []
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 16:29]
{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\system32\dla\tfswshx.dll [2004-12-05 23:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 17:42]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 15:48]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 18:12]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-08-04 12:52]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-05 23:05]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 14:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 14:50]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-26 23:02]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 12:36]
"DLBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 14:41]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 11:38]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 14:19]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 13:03]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2006-07-21 10:43]
"CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2007-03-14 13:10]
"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2007-03-14 13:10]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@BackupScheduler"="C:\Program Files\Online Backup for QuickBooks\OnlineBackup.exe" [2006-10-02 12:20]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []


Contents of the 'Scheduled Tasks' folder
2006-06-25 22:39:47 C:\WINDOWS\tasks\Disk Cleanup.job
2007-05-25 22:25:00 C:\WINDOWS\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-25 15:24:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-25 15:25:57
C:\ComboFix-quarantined-files.txt ... 2007-05-25 15:25
C:\ComboFix2.txt ... 2007-05-25 14:50

--- E O F ---

miekiemoes
2007-05-26, 00:59
No problem.

Do the next steps, please.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against next entry:

O2 - BHO: 0 - {18E8F12C-72CA-439D-C48A-31D300A42B3E} - C:\Program Files\Windows Media Player\qujaxiqi.dll (file missing)

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then,

Open Notepad and copy/paste the text in the quotebox below into it:


File::
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\swinprdv.exe
C:\WINDOWS\b128.exe

Folder::
C:\UWA7P
C:\Program Files\Common Files\WinAntiVirus Pro 2007
C:\DOCUME~1\Scott\APPLIC~1\WinAntiVirus Pro 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
C:\WINDOWS\system32\SBO

Save this as ComboFix-Do.txt

Then drag the ComboFix-Do.txt into ComboFix.exe as you will see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/Combo-Do.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Carsynn
2007-05-26, 01:27
I did it!

"Carsynn" - 2007-05-25 16:22:41 Service Pack 2
ComboFix 07-05.26.V - Running from: "C:\Documents and Settings\Carsynn\"
Command switches used :: ""C:\Documents and Settings\Carsynn\Desktop\ComboFix-Do.txt""


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\DOCUME~1\Scott\APPLIC~1\WinAntiVirus Pro 2007\avtasks.dat"
"C:\DOCUME~1\Scott\APPLIC~1\WinAntiVirus Pro 2007\CookieList.dat"
"C:\DOCUME~1\Scott\APPLIC~1\WinAntiVirus Pro 2007\history.db"
"C:\DOCUME~1\Scott\APPLIC~1\WinAntiVirus Pro 2007\PGE.dat"
"C:\DOCUME~1\Scott\APPLIC~1\WinAntiVirus Pro 2007\Logs\wa7Support.log"
"C:\DOCUME~1\Scott\APPLIC~1\WinAntiVirus Pro 2007\Logs\winav.log"
"C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\Abbr"
"C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\ActivationCode"
"C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\ProductCode"
"C:\WINDOWS\system32\SBO\SB1065.exe"
"C:\WINDOWS\system32\winpfz32.sys"
"C:\WINDOWS\system32\swinprdv.exe"
"C:\WINDOWS\b128.exe"
"C:\UWA7P"
"C:\Program Files\Common Files\WinAntiVirus Pro 2007"
"C:\DOCUME~1\Scott\APPLIC~1\WinAntiVirus Pro 2007"
"C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007"
"C:\WINDOWS\system32\SBO"


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-25 ))))))))))))))))))))))))))))))))))


2007-05-25 14:50 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-23 08:00 <DIR> d-------- C:\HiJackThis
2007-05-23 07:34 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-23 07:34 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-05-23 07:34 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Jasc Software Inc
2007-05-20 11:53 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-05-20 11:53 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-05-10 03:05 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-25 23:02:13 -------- d-----w C:\Program Files\Dl_cats
2007-05-25 09:30:13 -------- d-----w C:\DOCUME~1\Carsynn\APPLIC~1\Online Backup
2007-05-23 13:00:36 -------- d--h--w C:\DOCUME~1\Carsynn\APPLIC~1\Move Networks
2007-05-20 13:22:48 -------- d-----w C:\Program Files\QB Programs
2007-05-09 18:21:55 -------- d-----w C:\Program Files\Windows Live Toolbar
2007-05-02 13:32:15 630,464 ----a-w C:\WINDOWS\system32\drivers\VetEFile.sys
2007-05-02 13:32:15 108,656 ----a-w C:\WINDOWS\system32\drivers\VetEBoot.sys
2007-04-22 17:41:07 -------- d-----w C:\Program Files\MSN Games
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-14 03:07:17 -------- d-----w C:\Program Files\Yahoo! Games
2007-04-09 13:29:55 -------- d--h--w C:\DOCUME~1\Carsynn\APPLIC~1\Gtek
2007-04-09 13:18:47 -------- d-----w C:\Program Files\DellSupport
2007-03-27 10:03:06 -------- d-----w C:\Program Files\Microsoft Works
2007-03-23 01:08:43 -------- d-----w C:\DOCUME~1\Carsynn\APPLIC~1\AdobeUM
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-15 15:43:01 -------- d-----w C:\Program Files\TrustSoft AntiSpyware
2007-03-15 13:18:26 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-03-14 20:10:55 26,787 ----a-w C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-03-14 20:10:32 74,864 ----a-w C:\WINDOWS\system32\VetRedir.dll
2007-03-14 20:10:32 115,824 ----a-w C:\WINDOWS\UnVet32.exe
2007-03-14 20:10:32 111,728 ----a-w C:\WINDOWS\AVShlExt.dll
2007-03-14 20:10:31 21,031 ----a-w C:\WINDOWS\system32\drivers\Vet-Filt.sys
2007-03-14 20:10:31 15,735 ----a-w C:\WINDOWS\system32\drivers\VetFDDNT.sys
2007-03-14 20:10:31 15,478 ----a-w C:\WINDOWS\system32\drivers\Vet-Rec.sys
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2006-10-26 11:28]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 01:56]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 16:29]
{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\system32\dla\tfswshx.dll [2004-12-05 23:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 17:42]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 15:48]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 18:12]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-08-04 12:52]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-05 23:05]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 14:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 14:50]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-26 23:02]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 12:36]
"DLBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 14:41]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 11:38]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 14:19]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 13:03]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2006-07-21 10:43]
"CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2007-03-14 13:10]
"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2007-03-14 13:10]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@BackupScheduler"="C:\Program Files\Online Backup for QuickBooks\OnlineBackup.exe" [2006-10-02 12:20]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []


Contents of the 'Scheduled Tasks' folder
2006-06-25 22:39:47 C:\WINDOWS\tasks\Disk Cleanup.job
2007-05-25 23:20:00 C:\WINDOWS\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-25 16:23:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-25 16:25:01
C:\ComboFix-quarantined-files.txt ... 2007-05-25 16:24
C:\ComboFix2.txt ... 2007-05-25 15:25
C:\ComboFix3.txt ... 2007-05-25 14:50

--- E O F ---

miekiemoes
2007-05-26, 01:35
Great! :)

That's now fixed as well. Just one more important thing to do..

Delete the C:\Qoobox - folder.

Then,

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java: Download the latest version of Java Runtime Environment (JRE) 6u1 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "Java Runtime Environment (JRE) 6u1".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
- Examples of older versions in Add or Remove Programs: Java 2 Runtime Environment, SE v1.4.2
J2SE Runtime Environment 5.0
J2SE Runtime Environment 5.0 Update 6
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Let me know in your next reply how things are now.

Carsynn
2007-05-26, 02:13
It is installed and running great. Thank you so so much for helping me. This is a whole new world and I know now where it came from. My husband told me he downloaded some gaming stuff. Anyway,
Before I posted this, I ran spybot and it came up with this.

Avenue A inc
Doubleclick
Zedo
Hitbox
Hitbox
MediaPlex

It said they were all tracking cookies. Should I worry?

If not, should I now, follow the steps posted under So How Did I get Infected In the First Place?

Thank you again,

carsynn

miekiemoes
2007-05-26, 07:09
Hi,

Please don't worry about cookies. You'll always get them and they will always return. This just depends what sites you visit.
Everyone has them. They are even present on the MSN startpage, Yahoo startpage...
You may also want to read next:
http://www.spywareinfo.com/articles/cookies/
http://www.mvps.org/winhelp2002/cookies.htm

If you want to manage your cookies you can use next programs:

For Internet explorer: CookieWall (http://www.analogx.com/contents/download/network/cookie.htm)

For Firefox: CookieSafe (https://addons.mozilla.org/en-US/firefox/addon/2497)

Keep in mind that you're not supposed to block every cookie, because some cookies are required.
Most people don't use an additional cookie manager, because it may be annoying in some cases to manually filter all cookies in the beginning, so they clean their cookies once in a while via the "clean cookies" option in their browser settings.

Glad I could help. :)

Please read my Prevention page (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html).

Happy Surfing again!

Carsynn
2007-05-26, 15:31
Thank you again. I will leave the cookies.

In following the list to protect my computer, I had downloaded ZoneAlarm from Checkpoint Software Technologies Ltd (from the Spybot list) to my desktop. When I tried to run it, it says: Installation Conflict. Computer Associates AntiVirus was detected on this computer and may cause conflict with ZoneAlarm. Please uninstall it before installing ZoneAlarm.

I cannot find this program on my install/uninstall list. Should I delete ZoneAlarm from my desktop and install Comodo, Jetico or Kerio?

I promise to be out of your hair soon.

Carsynn

miekiemoes
2007-05-26, 19:23
Hi,

The Computer Associates Antivirus seems to be related to your Yahoo Antivirus, as I see from your log:


O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe

So ZoneAlarm is actually detecting your Yahoo Antivirus.

Actually, imho, Yahoo Antivirus isn't that great either; it lacks in detection and removal, as you have noticed previously. ZoneAlarm is a good firewall, but it may cause a huge slowdown on some systems. Also, on some systems, ZoneAlarm may cause a lot of problems due to incompatibility with other software and hardware, and from what I've heard, the latest version is quite buggy. That's why I don't have ZoneAlarm in the "Software" list of the ones I recommend, because I've seen too many problems with it.

Comodo, Kerio or Jetico are good firewalls. So, the choice is yours here. You can also uninstall your Yahoo Antivirus and install another antivirus instead. My personal favorite is Avira, which is great in detection and removal.

Carsynn
2007-05-26, 21:59
Thank you.

I am going to uninstall Yahoo Online Protection and install your recommended antivirus and firewall. I saw that ZoneAlarm was not on your list a bit too late. Yikes!

Also, this morning I ran Spybot and it popped up with the smitfraud toolbar. I deleted it. I have not had any browser hijacking though. Should I worry?

BTW, I am incredibly grateful for your help and guidance.

carsynn

miekiemoes
2007-05-26, 22:13
Hi,

Yes, it's possible that Spybot still found some leftovers from smitfraud, but this time Spybot should be able to delete these leftovers without any problem.
So, don't worry here. When the infection was still active, you would notice this - popups popups popups :laugh:

And you're most welcome :)

Carsynn
2007-05-27, 01:24
Hi, I am protected now. I have installed

Spybot Search and Destroy
Spyware Blaster
HijackThis
Avira
Comodo.
If it makes any difference they are all sitting on my desktop.

But now IE runs so slow. Any ideas? It took 25 minutes to download Avira and the same amount of time for Comodo. And an absurd amount of time to move from page to page on this site.

Carsynn

miekiemoes
2007-05-27, 10:26
Hi,

Concerning the slow download of Avira and Comodo, this is indeed a fact. I had the same yesterday when I wanted to download both for my other computer. Guess since both are really popular nowadays (and for free), that many try to download it at the same time.

The slow browsing may be because you have cleared your cache previously, so when you browse to a page, it is a bit slower than usual, but that will improve again.
Also check your Cache size in Internet Explorer to see if it has the recommended size. If the Cache size is set too low or too high, it can cause slower performance. You can check the Cache Size under Tools > Internet Options > General Tab > Temporary Internet Files > Settings (button) > "Amount of disk space to use". Ideal would be between 50MB - 100MB.

I use Firefox as my browser, which is a little bit faster and more secure than Internet Explorer.
I only use Internet Explorer to visit Windows Update and other pages that Firefox won't load properly.
The only disadvantage with Firefox is that the first time you launch it, it's quite slow, but once loaded, it goes pretty fast.

Carsynn
2007-05-27, 21:34
Thank you.

Here is an interesting twist. I am the administrator on this computer. When my family logs on and go to IE they whiz around with no trouble. Only when I log on and try to send email or use internet explorer is the time so sloooooow.

carsynn

miekiemoes
2007-05-27, 23:58
Aah, you're having the same with email. This could be because of the latest Windows update. Many people are complaining about this.
You may take a look at this thread here:
http://forums.spybot.info/showthread.php?t=11047
Solution is already posted in the first post though, but it is an interesting thread. :)

Carsynn
2007-05-28, 05:17
yes, that is me. The same problems. I saw that thread and thought it sounded just like what was happening to me.
I was hoping not.

Thanks anyway and thank you again for helping get rid of all that %^&&**!

carsynn

miekiemoes
2007-05-28, 09:43
You're welcome carsynn :)