Help with W32 worm and Virtumonde

J

jbclimber

New member
Hi, I have been trying for over a week to remove several viruses, including Virtumonde and others, one which starts with W32.

The computer is very slow, and whenever I remove the viruses with Mcafee, Spybot, and Malwarebytes anit-malware, I restart the computer and the problems start again.

Here is the hijack log (I hope I got the right format):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:33:36 PM, on 1/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SPAMfighter\sfus.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Susan Micheletti\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2b458fc4-b3b5-4f49-8a34-77fa5a6f3ed3} - (no file)
O2 - BHO: (no name) - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: Kodak software updater.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111fd.bay111.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) -
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://us.bookmarks.yahoo.com/YbConvFav.CAB
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.2) -
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: c:\windows\system32\parodupa.dll C:\WINDOWS\system32\vetaweyo.dll c:\windows\system32\wiyoyova.dll
O20 - Winlogon Notify: acebbbaac - C:\WINDOWS\system32\acebbbaac.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Ipx/ip Service (ipxlaunch) - Unknown owner - c:\temp\svchost.exe (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O24 - Desktop Component 0: (no name) - http://img.photobucket.com/albums/v452/rsxgirl2002/11_7_104v.gif

--
End of file - 10593 bytes


Any advice is appreciated! Thanks,
 
Hi

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
 
Blade81, thank you for responding.

Below is the Combofix log and new Hijackthis log. After this logs were generated, Mcafee still reports a W32 Autorun worm. Please let me know what to do next. Thanks again!



ComboFix 09-01-16.03 - Susan Micheletti 2009-01-17 6:27:56.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.48 [GMT -8:00]
Running from: c:\documents and settings\Susan Micheletti\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\acebbbaac.dll
c:\windows\system32\firugoti.dll
c:\windows\system32\tb.dr
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSpqxt.dat
c:\windows\wiaserviv.log
.
---- Previous Run -------
.
C:\Autorun.inf
c:\docume~1\SUSANM~1\LOCALS~1\Temp\LOOPARK.dat
c:\docume~1\SUSANM~1\LOCALS~1\Temp\LPK.dll
c:\docume~1\SUSANM~1\LOCALS~1\Temp\Wowfont.dat
c:\docume~1\SUSANM~1\LOCALS~1\Temp\WowInitcode.dll
c:\documents and settings\All Users\documents\setup.exe
c:\documents and settings\Brittney Micheletti\Application Data\Starware
c:\documents and settings\Brittney Micheletti\Application Data\Starware\BrowserSearch\BrowserSearch.xml
c:\documents and settings\Brittney Micheletti\Application Data\Starware\BrowserSearch\BrowserSearch.xml.backup
c:\documents and settings\Brittney Micheletti\Application Data\Starware\ErrorSearch\ErrorSearchOptions.xml
c:\documents and settings\Brittney Micheletti\Application Data\Starware\ErrorSearch\ErrorSearchOptions.xml.backup
c:\documents and settings\Brittney Micheletti\Application Data\Starware\Layouts\PreferencesLayout.xml
c:\documents and settings\Brittney Micheletti\Application Data\Starware\Layouts\PreferencesLayout.xml.backup
c:\documents and settings\Brittney Micheletti\Application Data\Starware\Layouts\ToolbarLayout.xml
c:\documents and settings\Brittney Micheletti\Application Data\Starware\Layouts\ToolbarLayout.xml.backup
c:\documents and settings\Brittney Micheletti\Application Data\Starware\Manager\ManagerOptions.xml
c:\documents and settings\Brittney Micheletti\Application Data\Starware\Manager\ManagerOptions.xml.backup
c:\documents and settings\Brittney Micheletti\Application Data\Starware\PopupBlocker\PopupBlockerOptions.xml
c:\documents and settings\Brittney Micheletti\Application Data\Starware\PopupBlocker\PopupBlockerOptions.xml.backup
c:\documents and settings\Brittney Micheletti\Application Data\Starware\Reference\ReferenceOptions.xml
c:\documents and settings\Brittney Micheletti\Application Data\Starware\Reference\ReferenceOptions.xml.backup
c:\documents and settings\Brittney Micheletti\Application Data\Starware\RelatedSearch\RelatedSearchOptions.xml
c:\documents and settings\Brittney Micheletti\Application Data\Starware\RelatedSearch\RelatedSearchOptions.xml.backup
c:\documents and settings\Brittney Micheletti\Application Data\Starware\SearchMatch\SearchMatchOptions.xml
c:\documents and settings\Brittney Micheletti\Application Data\Starware\SearchMatch\SearchMatchOptions.xml.backup
c:\documents and settings\Brittney Micheletti\Application Data\Starware\SmileyTown\SmileyTownOptions.xml
c:\documents and settings\Brittney Micheletti\Application Data\Starware\SmileyTown\SmileyTownOptions.xml.backup
c:\documents and settings\Brittney Micheletti\Application Data\Starware\Toolbar\TBProductsOptions.xml
c:\documents and settings\Brittney Micheletti\Application Data\Starware\Toolbar\TBProductsOptions.xml.backup
c:\documents and settings\Brittney Micheletti\Application Data\Starware\ToolbarLogo\ToolbarLogoOptions.xml
c:\documents and settings\Brittney Micheletti\Application Data\Starware\ToolbarLogo\ToolbarLogoOptions.xml.backup
c:\documents and settings\Brittney Micheletti\Application Data\Starware\ToolbarSearch\ToolbarSearchOptions.xml
c:\documents and settings\Brittney Micheletti\Application Data\Starware\ToolbarSearch\ToolbarSearchOptions.xml.backup
c:\documents and settings\Brittney Micheletti\Application Data\Starware\TravelSearch\TravelSearchOptions.xml
c:\documents and settings\Brittney Micheletti\Application Data\Starware\TravelSearch\TravelSearchOptions.xml.backup
c:\documents and settings\Brittney Micheletti\Application Data\Starware\Weather\WeatherOptions.xml
c:\documents and settings\Brittney Micheletti\Application Data\Starware\Weather\WeatherOptions.xml.backup
c:\documents and settings\Kellie Micheletti\Application Data\Starware
c:\documents and settings\Kellie Micheletti\Application Data\Starware\BrowserSearch\BrowserSearch.xml
c:\documents and settings\Kellie Micheletti\Application Data\Starware\BrowserSearch\BrowserSearch.xml.backup
c:\documents and settings\Kellie Micheletti\Application Data\Starware\ErrorSearch\ErrorSearchOptions.xml
c:\documents and settings\Kellie Micheletti\Application Data\Starware\ErrorSearch\ErrorSearchOptions.xml.backup
c:\documents and settings\Kellie Micheletti\Application Data\Starware\Layouts\PreferencesLayout.xml
c:\documents and settings\Kellie Micheletti\Application Data\Starware\Layouts\PreferencesLayout.xml.backup
c:\documents and settings\Kellie Micheletti\Application Data\Starware\Layouts\ToolbarLayout.xml
c:\documents and settings\Kellie Micheletti\Application Data\Starware\Layouts\ToolbarLayout.xml.backup
c:\documents and settings\Kellie Micheletti\Application Data\Starware\Manager\ManagerOptions.xml
c:\documents and settings\Kellie Micheletti\Application Data\Starware\Manager\ManagerOptions.xml.backup
c:\documents and settings\Kellie Micheletti\Application Data\Starware\PopupBlocker\PopupBlockerOptions.xml
c:\documents and settings\Kellie Micheletti\Application Data\Starware\PopupBlocker\PopupBlockerOptions.xml.backup
c:\documents and settings\Kellie Micheletti\Application Data\Starware\Reference\ReferenceOptions.xml
c:\documents and settings\Kellie Micheletti\Application Data\Starware\Reference\ReferenceOptions.xml.backup
c:\documents and settings\Kellie Micheletti\Application Data\Starware\RelatedSearch\RelatedSearchOptions.xml
c:\documents and settings\Kellie Micheletti\Application Data\Starware\RelatedSearch\RelatedSearchOptions.xml.backup
c:\documents and settings\Kellie Micheletti\Application Data\Starware\SearchMatch\SearchMatchOptions.xml
c:\documents and settings\Kellie Micheletti\Application Data\Starware\SearchMatch\SearchMatchOptions.xml.backup
c:\documents and settings\Kellie Micheletti\Application Data\Starware\SmileyTown\SmileyTownOptions.xml
c:\documents and settings\Kellie Micheletti\Application Data\Starware\SmileyTown\SmileyTownOptions.xml.backup
c:\documents and settings\Kellie Micheletti\Application Data\Starware\Toolbar\TBProductsOptions.xml
c:\documents and settings\Kellie Micheletti\Application Data\Starware\Toolbar\TBProductsOptions.xml.backup
c:\documents and settings\Kellie Micheletti\Application Data\Starware\ToolbarLogo\ToolbarLogoOptions.xml
c:\documents and settings\Kellie Micheletti\Application Data\Starware\ToolbarLogo\ToolbarLogoOptions.xml.backup
c:\documents and settings\Kellie Micheletti\Application Data\Starware\ToolbarSearch\ToolbarSearchOptions.xml
c:\documents and settings\Kellie Micheletti\Application Data\Starware\ToolbarSearch\ToolbarSearchOptions.xml.backup
c:\documents and settings\Kellie Micheletti\Application Data\Starware\TravelSearch\TravelSearchOptions.xml
c:\documents and settings\Kellie Micheletti\Application Data\Starware\TravelSearch\TravelSearchOptions.xml.backup
c:\documents and settings\Kellie Micheletti\Application Data\Starware\Weather\WeatherOptions.xml
c:\documents and settings\Kellie Micheletti\Application Data\Starware\Weather\WeatherOptions.xml.backup
c:\documents and settings\Susan Micheletti\Application Data\FunWebProducts
c:\documents and settings\Susan Micheletti\Application Data\FunWebProducts\Data\Susan Micheletti\avatar.dat
c:\documents and settings\Susan Micheletti\Application Data\FunWebProducts\Data\Susan Micheletti\register.dat
c:\documents and settings\Susan Micheletti\Start Menu\Antivirus 2009
c:\documents and settings\Susan Micheletti\Start Menu\Antivirus 2009\Antivirus 2009.lnk
c:\documents and settings\Susan Micheletti\Start Menu\Antivirus 2009\Uninstall Antivirus 2009.lnk
c:\documents and settings\Tony Micheletti\Application Data\Starware
c:\documents and settings\Tony Micheletti\Application Data\Starware\BrowserSearch\BrowserSearch.xml
c:\documents and settings\Tony Micheletti\Application Data\Starware\BrowserSearch\BrowserSearch.xml.backup
c:\documents and settings\Tony Micheletti\Application Data\Starware\ErrorSearch\ErrorSearchOptions.xml
c:\documents and settings\Tony Micheletti\Application Data\Starware\ErrorSearch\ErrorSearchOptions.xml.backup
c:\documents and settings\Tony Micheletti\Application Data\Starware\Layouts\PreferencesLayout.xml
c:\documents and settings\Tony Micheletti\Application Data\Starware\Layouts\PreferencesLayout.xml.backup
c:\documents and settings\Tony Micheletti\Application Data\Starware\Layouts\ToolbarLayout.xml
c:\documents and settings\Tony Micheletti\Application Data\Starware\Layouts\ToolbarLayout.xml.backup
c:\documents and settings\Tony Micheletti\Application Data\Starware\Manager\ManagerOptions.xml
c:\documents and settings\Tony Micheletti\Application Data\Starware\Manager\ManagerOptions.xml.backup
c:\documents and settings\Tony Micheletti\Application Data\Starware\PopupBlocker\PopupBlockerOptions.xml
c:\documents and settings\Tony Micheletti\Application Data\Starware\PopupBlocker\PopupBlockerOptions.xml.backup
c:\documents and settings\Tony Micheletti\Application Data\Starware\Reference\ReferenceOptions.xml
c:\documents and settings\Tony Micheletti\Application Data\Starware\Reference\ReferenceOptions.xml.backup
c:\documents and settings\Tony Micheletti\Application Data\Starware\RelatedSearch\RelatedSearchOptions.xml
c:\documents and settings\Tony Micheletti\Application Data\Starware\RelatedSearch\RelatedSearchOptions.xml.backup
c:\documents and settings\Tony Micheletti\Application Data\Starware\SearchMatch\SearchMatchOptions.xml
c:\documents and settings\Tony Micheletti\Application Data\Starware\SearchMatch\SearchMatchOptions.xml.backup
c:\documents and settings\Tony Micheletti\Application Data\Starware\SmileyTown\SmileyTownOptions.xml
c:\documents and settings\Tony Micheletti\Application Data\Starware\SmileyTown\SmileyTownOptions.xml.backup
c:\documents and settings\Tony Micheletti\Application Data\Starware\Toolbar\TBProductsOptions.xml
c:\documents and settings\Tony Micheletti\Application Data\Starware\Toolbar\TBProductsOptions.xml.backup
c:\documents and settings\Tony Micheletti\Application Data\Starware\ToolbarLogo\ToolbarLogoOptions.xml
c:\documents and settings\Tony Micheletti\Application Data\Starware\ToolbarLogo\ToolbarLogoOptions.xml.backup
c:\documents and settings\Tony Micheletti\Application Data\Starware\ToolbarSearch\ToolbarSearchOptions.xml
c:\documents and settings\Tony Micheletti\Application Data\Starware\ToolbarSearch\ToolbarSearchOptions.xml.backup
c:\documents and settings\Tony Micheletti\Application Data\Starware\TravelSearch\TravelSearchOptions.xml
c:\documents and settings\Tony Micheletti\Application Data\Starware\TravelSearch\TravelSearchOptions.xml.backup
c:\documents and settings\Tony Micheletti\Application Data\Starware\Weather\WeatherOptions.xml
c:\documents and settings\Tony Micheletti\Application Data\Starware\Weather\WeatherOptions.xml.backup
C:\moffice.lnk
c:\program files\Antivirus 2009
c:\program files\Antivirus 2009\av2009.exe
c:\program files\comet systems
c:\program files\comet systems\DM\activeJobs.xml
c:\program files\comet systems\DM\bin\dmfilemap.xml
c:\program files\comet systems\DM\bin\dmserver.exe
c:\program files\comet systems\DM\bin\publicKey.pbk
c:\program files\comet systems\DM\completedJobs.xml
c:\program files\comet systems\DM\jobIndex.xml
c:\program files\comet systems\DM\pendingJobs.xml
c:\program files\comet systems\DM\productInfo.xml
c:\program files\comet systems\DM\request.xml
c:\program files\comet systems\DM\response.xml
c:\program files\comet systems\Wallpaper\swpstart.exe
c:\program files\comet
c:\program files\comet\Bin\csinstall.exe
c:\program files\comet\Bin\unins.ico
c:\program files\comet\Data\csres.dat
c:\program files\comet\Products\adzap\1b.gif
c:\program files\comet\Products\adzap\1bl.gif
c:\program files\comet\Products\adzap\1br.gif
c:\program files\comet\Products\adzap\1l.gif
c:\program files\comet\Products\adzap\1r.gif
c:\program files\comet\Products\adzap\1t.gif
c:\program files\comet\Products\adzap\1tl.gif
c:\program files\comet\Products\adzap\1tr.gif
c:\program files\comet\Products\adzap\adzap.html
c:\program files\comet\Products\adzap\adzap.js
c:\program files\comet\Products\adzap\adzap.wav
c:\program files\comet\Products\adzap\adzap_tb.js
c:\program files\comet\Products\adzap\azunins.js
c:\program files\comet\Products\adzap\cap1a.gif
c:\program files\comet\Products\adzap\cap1b.gif
c:\program files\comet\Products\adzap\cap2a.gif
c:\program files\comet\Products\adzap\cap2b.gif
c:\program files\comet\Products\adzap\cap3a.gif
c:\program files\comet\Products\adzap\cap3b.gif
c:\program files\comet\Products\adzap\except.xml
c:\program files\comet\Products\adzap\header.gif
c:\program files\comet\Products\adzap\pubutton.bmp
c:\program files\comet\Products\adzap\pubutton_alert.bmp
c:\program files\comet\Products\adzap\pubutton_off.bmp
c:\program files\comet\Products\adzap\scr_adzap.js
c:\program files\comet\Products\adzap\sump.gif
c:\program files\comet\Products\adzap\sys_except.xml
c:\program files\comet\Products\adzap\zapometer.gif
c:\program files\comet\Products\FunButton\funbutton.bmp
c:\program files\comet\Products\RefButton\refbutton.bmp
c:\program files\comet\Products\RefButton\refbutton.js
c:\program files\comet\Products\RelatedSearch\related.xml
c:\program files\comet\Products\RelatedSearch\related.xsl
c:\program files\comet\Products\Screensaver\screensaver.bmp
c:\program files\comet\Products\Shared\autosrch.js
c:\program files\comet\Products\Shared\related.js
c:\program files\comet\Products\Shared\tbproducts.js
c:\program files\comet\Products\Smileytown\smileytown.bmp
c:\program files\comet\Products\Smileytown\smileytown.js
c:\program files\comet\Products\Smileytown\smileytown.xml
c:\program files\comet\Products\Travel\cars.xsl
c:\program files\comet\Products\Travel\flights.xsl
c:\program files\comet\Products\Travel\hotels.xsl
c:\program files\comet\Products\Travel\travel.js
c:\program files\comet\Products\Travel\travel_context.xml
c:\program files\comet\Products\WebButton\webbutton.bmp
c:\program files\comet\Services\AddRemove\addremove.htm
c:\program files\comet\Services\AddRemove\addremove.js
c:\program files\comet\Services\AddRemove\addremove_cc.js
c:\program files\comet\Services\AddRemove\armask.gif
c:\program files\comet\Services\AddRemove\arskin.gif
c:\program files\comet\Services\AddRemove\cc3.ico
c:\program files\comet\Services\AddRemove\strip.gif
c:\program files\comet\Services\AddRemove\stripend.gif
c:\program files\comet\Services\AddRemove\title_arui.gif
c:\program files\comet\Services\AddRemove\titlelabel_ar.gif
c:\program files\comet\Services\band.js
c:\program files\comet\Services\cnfmgr.js
c:\program files\comet\Services\context.js
c:\program files\comet\Services\controlpanel.js
c:\program files\comet\Services\license.js
c:\program files\comet\Services\License\adzap.lic
c:\program files\comet\Services\logging.js
c:\program files\comet\Services\LogQueue\p00000057_o01D9A350_logging_1104008507796_2.xml
c:\program files\comet\Services\LogQueue\p0000005A_o017DFD78_logging_1107400372792_1.xml
c:\program files\comet\Services\LogQueue\p00000158_o00EB5E00_logging_1096175392937_1.xml
c:\program files\comet\Services\LogQueue\p0000028C_o02188EE0_logging_1109732677237_1.xml
c:\program files\comet\Services\LogQueue\p000002BF_o01E73B00_logging_1109982847802_4.xml
c:\program files\comet\Services\LogQueue\p0000089E_o01D9C430_logging_1104979158510_3.xml
c:\program files\comet\Services\masterconfig.xml
c:\program files\comet\Services\Messaging\Base\1line_left.gif
c:\program files\comet\Services\Messaging\Base\1line_left_mask.gif
c:\program files\comet\Services\Messaging\Base\1line_left_small.gif
c:\program files\comet\Services\Messaging\Base\1line_left_small_mask.gif
c:\program files\comet\Services\Messaging\Base\1line_right.gif
c:\program files\comet\Services\Messaging\Base\1line_right_mask.gif
c:\program files\comet\Services\Messaging\Base\1line_right_small.gif
c:\program files\comet\Services\Messaging\Base\1line_right_small_mask.gif
c:\program files\comet\Services\Messaging\Base\2line_left.gif
c:\program files\comet\Services\Messaging\Base\2line_left_mask.gif
c:\program files\comet\Services\Messaging\Base\2line_left_small.gif
c:\program files\comet\Services\Messaging\Base\2line_left_small_mask.gif
c:\program files\comet\Services\Messaging\Base\2line_right.gif
c:\program files\comet\Services\Messaging\Base\2line_right_mask.gif
c:\program files\comet\Services\Messaging\Base\2line_right_small.gif
c:\program files\comet\Services\Messaging\Base\2line_right_small_mask.gif
c:\program files\comet\Services\Messaging\Base\3line_left.gif
c:\program files\comet\Services\Messaging\Base\3line_left_mask.gif
c:\program files\comet\Services\Messaging\Base\3line_left_small.gif
c:\program files\comet\Services\Messaging\Base\3line_left_small_mask.gif
c:\program files\comet\Services\Messaging\Base\3line_right.gif
c:\program files\comet\Services\Messaging\Base\3line_right_mask.gif
c:\program files\comet\Services\Messaging\Base\3line_right_small.gif
c:\program files\comet\Services\Messaging\Base\3line_right_small_mask.gif
c:\program files\comet\Services\Messaging\Base\defaultbuttonmessage.xml
c:\program files\comet\Services\Messaging\Base\message.js
c:\program files\comet\Services\Messaging\Campaigns\AdZap\band_bubble.gif
c:\program files\comet\Services\Messaging\Campaigns\AdZap\band_bubble_mask.gif
c:\program files\comet\Services\Messaging\Campaigns\AdZap\bandmessage.xml
c:\program files\comet\Services\Messaging\Campaigns\AdZap\buttonmessage.xml
c:\program files\comet\Services\Messaging\Listeners\adzap_0001.js
c:\program files\comet\Services\Messaging\Listeners\travel_0001.js
c:\program files\comet\Services\Messaging\messaging.js
c:\program files\comet\Services\Messaging\settings.xml
c:\program files\comet\Services\tbmgr.js
c:\program files\comet\Services\toolbar.js
c:\program files\comet\Services\update.js
c:\program files\comet\Services\utillauncher.js
c:\program files\comet\Services\winutil.js
c:\program files\comet\Temp\9F4_1.htm
c:\program files\comet\Temp\intro.js
c:\program files\comet\Temp\p000001BA_o03576368_related.htm
c:\program files\comet\Uninstall\un_adzap.xml
c:\program files\comet\Uninstall\un_autosearch.xml
c:\program files\comet\Uninstall\un_errorsearch.xml
c:\program files\comet\Uninstall\un_funbutton.xml
c:\program files\comet\Uninstall\un_platform.xml
c:\program files\comet\Uninstall\un_refbutton.xml
c:\program files\comet\Uninstall\un_relatedsearch.xml
c:\program files\comet\Uninstall\un_screensaver.xml
c:\program files\comet\Uninstall\un_searchassist.xml
c:\program files\comet\Uninstall\un_smileytown.xml
c:\program files\comet\Uninstall\un_travel.xml
c:\program files\comet\Uninstall\un_webbutton.xml
c:\program files\comet\Update\travelbutton.bmp
c:\program files\comet\Update\un_travelbutton.xml
c:\program files\FunWebProducts
c:\program files\FunWebProducts\ScreenSaver\Images\0554404A.urr
c:\program files\FunWebProducts\ScreenSaver\Images\0D30E8F3.urr
c:\program files\FunWebProducts\Shared\03653601.dat
c:\program files\FunWebProducts\Shared\0A1E465A.dat
c:\program files\FunWebProducts\Shared\Cache\AvatarSmallBtn-new.html
c:\program files\FunWebProducts\Shared\Cache\AvatarSmallBtn.html
c:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
c:\program files\FunWebProducts\Shared\Cache\FunBuddyIconBtn.html
c:\program files\FunWebProducts\Shared\Cache\MailStampBtn.html
c:\program files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn-new.html
c:\program files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
c:\program files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\2.bin\F3HTMLMU.DLL
c:\program files\MyWebSearch\bar\2.bin\F3REPROX.DLL
c:\program files\MyWebSearch\bar\2.bin\MWSBAR.DLL
c:\program files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\2.bin\MWSOEPLG.DLL
c:\program files\MyWebSearch\bar\2.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\3.bin\F3BKGERR.JPG
c:\program files\MyWebSearch\bar\3.bin\F3BROVLY.DLL
c:\program files\MyWebSearch\bar\3.bin\F3CJPEG.DLL
c:\program files\MyWebSearch\bar\3.bin\F3DTACTL.DLL
c:\program files\MyWebSearch\bar\3.bin\F3HISTSW.DLL
c:\program files\MyWebSearch\bar\3.bin\F3HTMLMU.DLL
c:\program files\MyWebSearch\bar\3.bin\F3HTTPCT.DLL
c:\program files\MyWebSearch\bar\3.bin\F3IMSTUB.DLL
c:\program files\MyWebSearch\bar\3.bin\F3POPSWT.DLL
c:\program files\MyWebSearch\bar\3.bin\F3PSSAVR.SCR
c:\program files\MyWebSearch\bar\3.bin\F3REPROX.DLL
c:\program files\MyWebSearch\bar\3.bin\F3RESTUB.DLL
c:\program files\MyWebSearch\bar\3.bin\F3SCHMON.EXE
c:\program files\MyWebSearch\bar\3.bin\F3SCRCTR.DLL
c:\program files\MyWebSearch\bar\3.bin\F3SHLLVW.DLL
c:\program files\MyWebSearch\bar\3.bin\F3SPACER.WMV
c:\program files\MyWebSearch\bar\3.bin\F3WALLPP.DAT
c:\program files\MyWebSearch\bar\3.bin\F3WPHOOK.DLL
c:\program files\MyWebSearch\bar\3.bin\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\3.bin\M3FFXTBR.MANIFEST
c:\program files\MyWebSearch\bar\3.bin\M3HTML.DLL
c:\program files\MyWebSearch\bar\3.bin\M3IDLE.DLL
c:\program files\MyWebSearch\bar\3.bin\M3IMPIPE.EXE
c:\program files\MyWebSearch\bar\3.bin\M3MSG.DLL
c:\program files\MyWebSearch\bar\3.bin\M3NTSTBR.JAR
c:\program files\MyWebSearch\bar\3.bin\M3NTSTBR.MANIFEST
c:\program files\MyWebSearch\bar\3.bin\M3OUTLCN.DLL
c:\program files\MyWebSearch\bar\3.bin\M3PLUGIN.DLL
c:\program files\MyWebSearch\bar\3.bin\M3SKIN.DLL
c:\program files\MyWebSearch\bar\3.bin\M3SKPLAY.EXE
c:\program files\MyWebSearch\bar\3.bin\MWSBAR.DLL
c:\program files\MyWebSearch\bar\3.bin\mwsoemon.exe
c:\program files\MyWebSearch\bar\3.bin\MWSOEPLG.DLL
c:\program files\MyWebSearch\bar\3.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\3.bin\NPMYWEBS.DLL
c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
c:\program files\MyWebSearch\bar\Avatar\COMMON\avatar.htm
c:\program files\MyWebSearch\bar\Avatar\COMMON\bgfadel.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\bgfader.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\close.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\common-x.css
c:\program files\MyWebSearch\bar\Avatar\COMMON\common.css
c:\program files\MyWebSearch\bar\Avatar\COMMON\cornerbl.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\cornerbr.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\htmlctrl.js
c:\program files\MyWebSearch\bar\Avatar\COMMON\include.js
c:\program files\MyWebSearch\bar\Avatar\COMMON\index.htm
c:\program files\MyWebSearch\bar\Avatar\COMMON\loading.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\login.htm
c:\program files\MyWebSearch\bar\Avatar\COMMON\logo.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\max.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\min.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\noflash.htm
c:\program files\MyWebSearch\bar\Avatar\COMMON\spacer.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\spacer.swf
c:\program files\MyWebSearch\bar\Avatar\COMMON\unmax.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\wardrobe.htm
c:\program files\MyWebSearch\bar\Avatar\COMMON\window.ico
c:\program files\MyWebSearch\bar\Cache\00AAED43.bin
c:\program files\MyWebSearch\bar\Cache\00AAEE9B.bin
c:\program files\MyWebSearch\bar\Cache\00C62F1B.bin
c:\program files\MyWebSearch\bar\Cache\00D72351
c:\program files\MyWebSearch\bar\Cache\01C1451F
c:\program files\MyWebSearch\bar\Cache\01DB21AA
c:\program files\MyWebSearch\bar\Cache\0348BDAC.bin
c:\program files\MyWebSearch\bar\Cache\0348BF81.bin
c:\program files\MyWebSearch\bar\Cache\0348C117.bin
c:\program files\MyWebSearch\bar\Cache\0485229F.bin
c:\program files\MyWebSearch\bar\Cache\048523C8.bin
c:\program files\MyWebSearch\bar\Cache\048524D2.bin
c:\program files\MyWebSearch\bar\Cache\08B2BF9B
c:\program files\MyWebSearch\bar\Cache\0954958A.RPUUA
c:\program files\MyWebSearch\bar\Cache\095499A0
c:\program files\MyWebSearch\bar\Cache\09549B27.bin
c:\program files\MyWebSearch\bar\Cache\09549C8E.bin
c:\program files\MyWebSearch\bar\Cache\09549E15.bin
c:\program files\MyWebSearch\bar\Cache\0954A067.bin
c:\program files\MyWebSearch\bar\Cache\0A18DC3E
c:\program files\MyWebSearch\bar\Cache\0A18E093
c:\program files\MyWebSearch\bar\Cache\0A18E323.bin
c:\program files\MyWebSearch\bar\Cache\0A18E45C.bin
c:\program files\MyWebSearch\bar\Cache\0A18E5D3.bin
c:\program files\MyWebSearch\bar\Cache\0A18E779.bin
c:\program files\MyWebSearch\bar\Cache\0A28483D
c:\program files\MyWebSearch\bar\Cache\0F1D2D95
c:\program files\MyWebSearch\bar\Cache\152FA53F.bin
c:\program files\MyWebSearch\bar\Cache\1630B26C.bin
c:\program files\MyWebSearch\bar\Cache\1C5CAE50
c:\program files\MyWebSearch\bar\Cache\1F6CFB80.bin
c:\program files\MyWebSearch\bar\Cache\1F6CFDE2.bin
c:\program files\MyWebSearch\bar\Cache\1F6CFF39.bin
c:\program files\MyWebSearch\bar\Cache\1F86A35F
c:\program files\MyWebSearch\bar\Cache\3D3D449D
c:\program files\MyWebSearch\bar\Cache\44EE7336.bin
c:\program files\MyWebSearch\bar\Cache\44EE8AD4.bin
c:\program files\MyWebSearch\bar\Cache\44EE8C1D.bin
c:\program files\MyWebSearch\bar\Cache\44EE8DB3.bin
c:\program files\MyWebSearch\bar\Cache\44EE8F1A.bin
c:\program files\MyWebSearch\bar\Cache\44EE9072
c:\program files\MyWebSearch\bar\Cache\793FA450
c:\program files\MyWebSearch\bar\Cache\files.ini
c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
c:\program files\MyWebSearch\bar\Game\CHESS.F3S
c:\program files\MyWebSearch\bar\Game\REVERSI.F3S
c:\program files\MyWebSearch\bar\History\search
c:\program files\MyWebSearch\bar\History\search2
c:\program files\MyWebSearch\bar\Settings\prevcfg.htm
c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\MyWebSearch\bar\Settings\setting2.htm
c:\program files\MyWebSearch\bar\Settings\settings.dat
c:\program files\MyWebSearch\bar\Settings\settings.dat.bak
c:\program files\MyWebSearch\bar\Settings\settings.htm
c:\program files\MyWebSearch\bar\Settings\settings.htm.bak
c:\program files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
c:\program files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
c:\program files\screensavers.com
c:\program files\screensavers.com\Installer\bin\ScreensaversInst.dll
c:\program files\screensavers.com\Installer\bin\siuninst.exe
c:\program files\screensavers.com\Wallpaper\swpstart.exe
c:\temp\svchost.exe
c:\windows\dcbdcatys32_080816a.dll
c:\windows\dcbdcatys32_081012a.dll
c:\windows\dcbdcatys32_081027a.dll
c:\windows\IE4 Error Log.txt
c:\windows\inf\cc_43.inf
c:\windows\Install.txt
c:\windows\MSSqlServer.dll
c:\windows\smss.exe
c:\windows\svchost.exe
c:\windows\system\proxy.exe
c:\windows\system\sgcxcxxaspf081012.exe
c:\windows\system\sgcxcxxaspf081027.exe
c:\windows\system32\_proxy.dll
c:\windows\system32\_reproxy.dll
c:\windows\SYSTEM32\1.exe
c:\windows\system32\afinding.exe
c:\windows\system32\afisicx.exe
c:\windows\system32\atsxyzd.sys
c:\windows\system32\comsa32.sys
c:\windows\system32\dbi102.dll
c:\windows\system32\drivers\secdrv.sys
c:\windows\system32\drivers\svchost.exe
c:\windows\system32\f3PSSavr.scr
c:\windows\system32\fhattach.dll
c:\windows\system32\fhpatch.dll
c:\windows\system32\ieupdates.exe
c:\windows\system32\inf\scsys16_081012.dll
c:\windows\system32\inf\scsys16_081027.dll
c:\windows\system32\inf\sppdcrs081012.scr
c:\windows\system32\inf\sppdcrs081027.scr
c:\windows\system32\inf\svchoct.exe
c:\windows\system32\inf\svchosd.exe
c:\windows\system32\IPHACTION.dll
c:\windows\system32\IPHOST.dll
c:\windows\system32\iphy.dll
c:\windows\system32\Karna1Drv.dll
c:\windows\system32\KarnaDrv.dll
c:\windows\system32\KBPK080812.log
c:\windows\system32\mabidwe.exe
c:\windows\system32\macidwe.exe
c:\windows\system32\mmchost.dll
c:\windows\system32\mywfhit.ini
c:\windows\system32\mywfhit.ini.tmp
c:\windows\system32\Nobicyt.exe
c:\windows\system32\noxtcyr.exe
c:\windows\system32\noytcyr.exe
c:\windows\system32\oduxftw.sys
c:\windows\system32\routing.exe
c:\windows\system32\roxtctm.exe
c:\windows\system32\roytctm.exe
c:\windows\system32\scui.cpl
c:\windows\system32\service.exe
c:\windows\system32\sobicyt.exe
c:\windows\system32\sotpeca.exe
c:\windows\system32\soxpeca.exe
c:\windows\system32\syspilog.pil
c:\windows\system32\tdxdowkc.exe
c:\windows\system32\tdydowkc.exe
c:\windows\system32\tmp0_392987775629.bk
c:\windows\system32\tmp0_580321142130.bk
c:\windows\system32\tmp1_229194140413.bk
c:\windows\system32\tmp1_584339346774.bk
c:\windows\system32\tmpacj0.exe
c:\windows\system32\tpszxyd.sys
c:\windows\system32\WServing.exe
c:\windows\system32\wsldoekd.exe
c:\windows\tawisys.ini
c:\windows\wftadfi16_080828a.dll
c:\windows\wftadfi16_081012a.dll
c:\windows\wftadfi16_081027a.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_6TO4
-------\Legacy_AFINDING
-------\Legacy_AFISICX
-------\Legacy_INTERNET_SERVICE
-------\Legacy_MABIDWE
-------\Legacy_MACIDWE
-------\Legacy_MESSAGER
-------\Legacy_MSSERVICE
-------\Legacy_NOBICYT
-------\Legacy_NOXTCYR
-------\Legacy_NOYTCYR
-------\Legacy_PANDRV
-------\Legacy_PERFS
-------\Legacy_ROUTING
-------\Legacy_ROXTCTM
-------\Legacy_ROYTCTM
-------\Legacy_SEIUCTOL
-------\Legacy_SOBICYT
-------\Legacy_SOTPECA
-------\Legacy_SOXPECA
-------\Legacy_tdssserv.sys
-------\Legacy_TDXDOWKC
-------\Legacy_TDYDOWKC
-------\Legacy_WSERVING
-------\Legacy_WSLDOEKD
-------\Service_6to4
-------\Service_afisicx
-------\Service_mabidwe
-------\Service_noxtcyr
-------\Service_noytcyr
-------\Service_roxtctm
-------\Service_roytctm
-------\Service_seiuctol
-------\Service_sotpeca
-------\Service_soxpeca
-------\Service_tdssserv.sys
-------\Service_tdydowkc
-------\Service_wsldoekd


((((((((((((((((((((((((( Files Created from 2008-12-17 to 2009-01-17 )))))))))))))))))))))))))))))))
.

2009-01-17 06:41 . 2009-01-17 06:41 185,360 --a------ c:\windows\309EE93D301B9F087FF9FF1DFD758D.exe
2009-01-12 18:38 . 2009-01-12 18:38 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-10 12:37 . 2009-01-10 12:37 <DIR> d-------- c:\windows\SYSTEM32\LogFiles
2009-01-09 22:36 . 2009-01-09 22:36 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Lavasoft
2009-01-09 22:25 . 2009-01-09 22:25 <DIR> d-------- C:\VundoFix Backups
2009-01-09 16:32 . 2009-01-09 16:32 <DIR> d-------- c:\program files\Lavasoft
2009-01-09 16:32 . 2009-01-09 16:32 <DIR> d-------- c:\documents and settings\Susan Micheletti\Application Data\Lavasoft
2009-01-09 04:08 . 2009-01-09 04:08 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-09 04:08 . 2009-01-04 18:38 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-01-09 04:08 . 2009-01-04 18:38 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-01-08 18:27 . 2009-01-12 21:29 <DIR> d-------- C:\quarantine
2009-01-08 18:15 . 2009-01-08 19:02 512 --a------ c:\windows\randseed.rnd
2009-01-08 05:47 . 2009-01-08 17:55 <DIR> d-------- c:\program files\Network Associates
2009-01-08 05:47 . 2009-01-08 05:47 <DIR> d-------- c:\program files\Common Files\Network Associates
2009-01-08 05:47 . 2009-01-08 17:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Network Associates
2008-12-24 09:00 . 2008-12-24 09:00 46 --a------ c:\windows\p2hhr.bat
2008-12-24 08:58 . 2008-12-24 08:58 2 --a------ C:\77892091
2008-12-24 08:58 . 2008-12-25 22:48 0 --a------ c:\windows\SYSTEM32\DRIVERS\85bf4cca.sys
2008-12-23 14:25 . 2008-12-23 14:25 1 --a------ c:\windows\SYSTEM32\za.dat
2008-12-19 22:42 . 2008-12-19 22:42 <DIR> d-------- c:\documents and settings\Susan Micheletti\Application Data\acccore
2008-12-19 22:39 . 2008-12-19 22:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-12-19 22:36 . 2009-01-10 12:20 <DIR> d-------- c:\program files\AIM6
2008-12-18 14:06 . 2009-01-07 21:54 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-18 14:06 . 2008-12-18 18:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-17 14:49 --------- d-----w c:\program files\SPAMfighter
2009-01-09 11:42 --------- d-----w c:\program files\MSN Messenger
2009-01-09 02:45 --------- d-----w c:\program files\Dell AIO Printer A940
2009-01-09 02:44 --------- d-----w c:\program files\IrfanView
2008-12-20 06:38 --------- d-----w c:\program files\Common Files\AOL
2008-12-20 06:38 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-12-18 23:35 --------- d-----w c:\program files\Jasc Software Inc
2008-12-18 23:30 28,352 ----a-w c:\windows\system32\drivers\MxlW2k.sys
2008-12-08 02:14 --------- d-----w c:\documents and settings\Susan Micheletti\Application Data\ICAClient
2008-12-02 21:56 --------- d-----w c:\program files\iTunes
2008-12-02 21:56 --------- d-----w c:\program files\iPod
2008-12-02 21:56 --------- d-----w c:\program files\Common Files\Apple
2008-12-02 21:56 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-02 21:52 --------- d-----w c:\program files\QuickTime
2008-11-26 00:21 --------- d-----w c:\program files\Citrix
2008-11-12 23:30 26,860 ----a-w c:\windows\SYSTEM32\vssrvc.exe
2008-10-24 11:21 455,296 ------w c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys
2008-06-11 03:10 0 ----a-w c:\program files\temp01
2006-05-19 15:17 9,583,368 ----a-w c:\documents and settings\Susan Micheletti\DesktopDoctor1.5.1.exe
2008-02-08 05:46 13,624 ----a-w c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-02-08 05:46 87,360 ----a-w c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-02-08 05:46 91,448 ----a-w c:\program files\mozilla firefox\plugins\confmgr.dll
2008-02-08 05:46 21,824 ----a-w c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-02-08 05:46 206,136 ----a-w c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-02-08 05:46 31,544 ----a-w c:\program files\mozilla firefox\plugins\icafile.dll
2008-02-08 05:46 40,248 ----a-w c:\program files\mozilla firefox\plugins\icalogon.dll
2007-03-17 01:27 479,232 ----a-w c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-03-17 01:27 548,864 ----a-w c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-17 01:27 626,688 ----a-w c:\program files\mozilla firefox\plugins\msvcr80.dll
2007-07-20 20:47 981,170 ----a-w c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-08 05:46 24,384 ----a-w c:\program files\mozilla firefox\plugins\TcpPServ.dll
2009-01-10 06:30 66,576 ----a-w c:\program files\mozilla firefox\components\dedecbcccafdbcb.dll
2007-02-14 17:05 848 --sha-w c:\windows\SYSTEM32\KGyGaAvL.sys
2008-09-27 20:28 6,144 --sha-w c:\windows\SYSTEM32\saduyaya.dll
2008-08-22 16:46 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008082220080823\index.dat
.

-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2502BBD0-D73B-11DD-B4EC-CEBF56D89593}]
2002-09-13 17:17 199696 --a------ c:\windows\system32\vumer.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-08-06 155648]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2003-09-29 81990]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2003-09-10 135251]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9e.exe" [2007-11-20 218496]
"SWHelper"="c:\windows\system32\Macromed\Shockwave 8\PostUpdate.exe" [2008-12-09 53248]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-07-08 24576]
Kodak EasyShare software.lnk.disabled [2005-09-17 1807]
Kodak software updater.lnk.disabled [2005-09-17 1954]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acebbbaac]
2002-09-13 17:17 313871 c:\windows\SYSTEM32\acebbbaac.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SymWSC"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SBService"=2 (0x2)
"SAVScan"=3 (0x3)
"navapsvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"wsldoekd"=2 (0x2)
"wserving"=2 (0x2)
"tdydowkc"=2 (0x2)
"tdxdowkc"=2 (0x2)
"soxpeca"=2 (0x2)
"sotpeca"=2 (0x2)
"sobicyt"=2 (0x2)
"roytctm"=2 (0x2)
"roxtctm"=2 (0x2)
"routing"=2 (0x2)
"perfs"=2 (0x2)
"noytcyr"=2 (0x2)
"noxtcyr"=2 (0x2)
"nobicyt"=2 (0x2)
"macidwe"=2 (0x2)
"mabidwe"=2 (0x2)
"afisicx"=2 (0x2)
"afinding"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
"Aim6"="c:\program files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
"xsjfn83jkemfofght"=c:\docume~1\SUSANM~1\LOCALS~1\Temp\winlogin.exe
"jsf8j34rgfght"=c:\docume~1\SUSANM~1\LOCALS~1\Temp\winloggn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"04a48954"=rundll32.exe "c:\windows\system32\tehisuvo.dll",b
"Kzoxijegohewa"=rundll32.exe "c:\windows\ekekibeh.dll",e
"Xsipofi"=rundll32.exe "c:\windows\Svifun.dll",e

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R1 85bf4cca;85bf4cca;c:\windows\System32\drivers\85bf4cca.sys [2008-12-25 0]
R2 ipxlaunch;Ipx/ip Service; [x]
R3 nidsdrv;nidsdrv;c:\windows\system32\nidsdrv.sys [2008-04-13 2176]
S1 ATMhelpr;ATMhelpr; [x]
S2 SPAMfighter Update Service;SPAMfighter Update Service;c:\program files\SPAMfighter\sfus.exe [2008-07-14 184968]


--- Other Services/Drivers In Memory ---

*Deregistered* - ALG
*Deregistered* - Apple Mobile Device
*Deregistered* - AudioSrv
*Deregistered* - BITS
*Deregistered* - Browser
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - drvnddm
*Deregistered* - DSproct
*Deregistered* - dsunidrv
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - Fax
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - HTTP
*Deregistered* - i2omgmt
*Deregistered* - IpNat
*Deregistered* - iPod Service
*Deregistered* - IPSec
*Deregistered* - KodakCCS
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - McAfeeFramework
*Deregistered* - McShield
*Deregistered* - McTaskManager
*Deregistered* - mdmxsdk
*Deregistered* - Messenger
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NaiAvFilter1
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - omci
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - ROOTMODEM
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - SPAMfighter Update Service
*Deregistered* - Spooler
*Deregistered* - sprtsvc_dellsupportcenter
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - ssrtln
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - tfsnboio
*Deregistered* - tfsncofs
*Deregistered* - tfsndrct
*Deregistered* - tfsndres
*Deregistered* - tfsnifs
*Deregistered* - tfsnopio
*Deregistered* - tfsnpool
*Deregistered* - tfsnudf
*Deregistered* - tfsnudfa
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Udfs
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - w32time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - WS2IFSL
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\yt8a.exe
\Shell\Explore\Command - C:\yt8a.exe
\Shell\Open\Command - C:\yt8a.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\WalgreensPhotoShowExpressCD.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23119181-60f3-11dd-a2c6-000cf1fb3933}]
\Shell\AutoRun\command - F:\yt8a.exe
\Shell\Explore\Command - F:\yt8a.exe
\Shell\Open\Command - F:\yt8a.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2004-07-15 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2008-04-13 16:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{2b458fc4-b3b5-4f49-8a34-77fa5a6f3ed3} - (no file)
HKLM-Run-Symantec NetDriver Monitor - c:\progra~1\SYMNET~1\SNDMon.exe
HKLM-Run-igfxtray - c:\windows\system32\igfxtray.exe
HKLM-Run-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
HKLM-Run-dla - c:\windows\system32\dla\tfswctrl.exe
HKU-Default-Run-Symantec NetDriver Warning - c:\progra~1\SYMNET~1\SNDWarn.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: {{d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-17 06:40:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\309EE93D301B9F087FF9FF1DFD758D.exe 185360 bytes executable
c:\windows\system32\_65ed8bfded701f338a8cbda365777db6.sys_.vir 39936 bytes executable
c:\windows\system32\65ed8bfded701f338a8cbda365777db6.sys 39936 bytes executable
c:\windows\system32\acebbbaac.dll 313871 bytes executable

scan completed successfully
hidden files: 4

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\65ed8bfded701f338a8cbda365777db6]
"ImagePath"="system32\65ed8bfded701f338a8cbda365777db6.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(636)
c:\windows\system32\acebbbaac.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\SYSTEM32\DRIVERS\KodakCCS.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\mcshield.exe
c:\program files\Network Associates\VirusScan\vstskmgr.exe
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\SYSTEM32\6a4a439638f047775946f173873bbfb2.exe
.
**************************************************************************
.
Completion time: 2009-01-17 7:34:44 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-17 15:33:13

Pre-Run: 3,132,719,104 bytes free
Post-Run: 2,875,727,872 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

872 --- E O F --- 2008-11-13 11:06:22



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:40:51 AM, on 1/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SPAMfighter\sfus.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Susan Micheletti\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DDSMEkl - {2502BBD0-D73B-11DD-B4EC-CEBF56D89593} - C:\WINDOWS\system32\vumer.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 8\PostUpdate.exe" 1014021 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: Kodak software updater.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111fd.bay111.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) -
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://us.bookmarks.yahoo.com/YbConvFav.CAB
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.2) -
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Ipx/ip Service (ipxlaunch) - Unknown owner - c:\temp\svchost.exe (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O24 - Desktop Component 0: (no name) - http://img.photobucket.com/albums/v452/rsxgirl2002/11_7_104v.gif

--
End of file - 9404 bytes
 
Hi again,

Looks like quite a big bunch of crap was removed. However, there's still bad stuff left.


Start hjt, do a system scan, check (if found):
O2 - BHO: (no name) - rsion - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.2) -

Close browsers and fix checked.


Open notepad and copy/paste the text in the quotebox below into it:

Code: 
Driver::
ipxlaunch
65ed8bfded701f338a8cbda365777db6

File::
c:\windows\309EE93D301B9F087FF9FF1DFD758D.exe
c:\windows\p2hhr.bat
C:\77892091
c:\program files\temp01
c:\windows\SYSTEM32\saduyaya.dll
c:\windows\system32\vumer.dll
c:\windows\SYSTEM32\acebbbaac.dll
c:\docume~1\SUSANM~1\LOCALS~1\Temp\winlogin.exe
c:\docume~1\SUSANM~1\LOCALS~1\Temp\winloggn.exe
c:\windows\system32\65ed8bfded701f338a8cbda365777db6.sys
C:\yt8a.exe
F:\yt8a.exe
c:\windows\system32\_65ed8bfded701f338a8cbda365777db6.sys_.vir

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2502BBD0-D73B-11DD-B4EC-CEBF56D89593}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acebbbaac]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wsldoekd"=-
"wserving"=-
"tdydowkc"=-
"tdxdowkc"=-
"soxpeca"=-
"sotpeca"=-
"sobicyt"=-
"roytctm"=-
"roxtctm"=-
"routing"=-
"perfs"=-
"noytcyr"=-
"noxtcyr"=-
"nobicyt"=-
"macidwe"=-
"mabidwe"=-
"afisicx"=-
"afinding"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"xsjfn83jkemfofght"=-
"jsf8j34rgfght"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"04a48954"=-
"Kzoxijegohewa"=-
"Xsipofi"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23119181-60f3-11dd-a2c6-000cf1fb3933}]


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

CFScriptB-4.gif


Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Uninstall old Adobe Reader versions and get the latest one here or get Foxit Reader here. Make sure you don't install toolbar if choose Foxit Reader!


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 11.
  • Click the
    Download
    button to the right.
  • Select Windows on platform combobox and check the box that says:
    Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here. If you get a message that latest Java must be installed "enable" the Java add-ons in IE7. Do that using "manage add-ons" from the IE7 toolbar.


Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.
 
Okay, I did what you requested. Thanks for your help.

Please note that Combofix crashed as it was writing the log file, and I got the blue screen of death. The computer was locked so I had to turn it off then back on.

Also, the Kaspersky Online Scanner stopped at least three times, but I finally got it to finish.

Here is the Combofix log, the K. log, and the HJT log.

ComboFix 09-01-16.03 - Susan Micheletti 2009-01-18 3:28:58.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.71 [GMT -8:00]
Running from: C:\Documents and Settings\Susan Micheletti\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Susan Micheletti\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\77892091
c:\docume~1\SUSANM~1\LOCALS~1\Temp\winloggn.exe
c:\docume~1\SUSANM~1\LOCALS~1\Temp\winlogin.exe
c:\program files\temp01
c:\windows\309EE93D301B9F087FF9FF1DFD758D.exe
c:\windows\p2hhr.bat
c:\windows\system32\_65ed8bfded701f338a8cbda365777db6.sys_.vir
c:\windows\system32\65ed8bfded701f338a8cbda365777db6.sys
c:\windows\SYSTEM32\acebbbaac.dll
c:\windows\SYSTEM32\saduyaya.dll
c:\windows\system32\vumer.dll
C:\yt8a.exe
F:\yt8a.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\77892091
c:\program files\temp01
c:\windows\309EE93D301B9F087FF9FF1DFD758D.exe
c:\windows\p2hhr.bat
c:\windows\SYSTEM32\acebbbaac.dll
c:\windows\SYSTEM32\saduyaya.dll
c:\windows\system32\vumer.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPXLAUNCH
-------\Service_ipxlaunch


((((((((((((((((((((((((( Files Created from 2008-12-18 to 2009-01-18 )))))))))))))))))))))))))))))))
.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, January 18, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, January 18, 2009 19:11:15
Records in database: 1643385
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 92433
Threat name: 15
Infected objects: 32
Suspicious objects: 0
Duration of the scan: 02:43:41


File name / Threat name / Threats count
C:\WINDOWS\system32\acebbbaac.dll/C:\WINDOWS\system32\acebbbaac.dll Infected: Worm.Win32.AutoRun.raz 1
C:\Documents and Settings\Susan Micheletti\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-77d2cd4a Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Susan Micheletti\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-5f674187 Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Susan Micheletti\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-376d89e1 Infected: Exploit.Java.Gimsh.b 1
C:\Program Files\AWS\WeatherBug\Install\WxBugSetup60b6.04.0.9b.EXE Infected: not-a-virus:AdWare.Win32.MyWay.j 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\F3HTMLMU.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\F3REPROX.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.v 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.p 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\MWSOEPLG.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ab 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\F3BROVLY.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.at 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\F3HTMLMU.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\F3POPSWT.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.an 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\F3REPROX.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.v 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\M3SKIN.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ad 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\MWSOEPLG.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ab 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\MWSOESTB.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\NPMYWEBS.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.i 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.l 1
C:\Qoobox\Quarantine\C\WINDOWS\309EE93D301B9F087FF9FF1DFD758D.exe.vir Infected: Trojan.Win32.Qhost.kng 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\firugoti.dll.vir Infected: Trojan.Win32.Agent.bfdf 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\_acebbbaac_.dll.zip Infected: Worm.Win32.AutoRun.raz 2
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000019.dll Infected: Trojan.Win32.Agent.bfdf 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0000227.exe Infected: Trojan.Win32.Qhost.kng 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0001416.dll Infected: Worm.Win32.AutoRun.raz 1
C:\WINDOWS\3D11E3335BA8ABD36615B65CBC2B2AA2.exe Infected: Trojan.Win32.Qhost.kng 1
C:\WINDOWS\88413568FA13974472E821E48E2C5FE.exe Infected: Trojan.Win32.Qhost.kng 1
C:\WINDOWS\90D52C3D0B558103B80578F3186F8E2.exe Infected: Trojan.Win32.Qhost.kng 1
C:\WINDOWS\F248E17E4589E15C646C2CCC52154FE5.exe Infected: Trojan.Win32.Qhost.kng 1
C:\WINDOWS\SYSTEM32\acebbbaac.dll Infected: Worm.Win32.AutoRun.raz 1
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0XRM558A\u521[1].exe Infected: not-a-virus:AdWare.Win32.BHO.fav 1
C:\WINDOWS\SYSTEM32\logoff.log Infected: Worm.Win32.AutoRun.raz 1

The selected area was scanned.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:01, on 2009-01-18
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SPAMfighter\sfus.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Susan Micheletti\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DDSMEkl - {2502BBD0-D73B-11DD-B4EC-CEBF56D89593} - C:\WINDOWS\system32\vumer.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 8\PostUpdate.exe" 1014021 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: Kodak software updater.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111fd.bay111.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) -
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://us.bookmarks.yahoo.com/YbConvFav.CAB
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: acebbbaac - C:\WINDOWS\system32\acebbbaac.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O24 - Desktop Component 0: (no name) - http://img.photobucket.com/albums/v452/rsxgirl2002/11_7_104v.gif

--
End of file - 9455 bytes
 
Hi

Start hjt, do a system scan, check (if found):
O2 - BHO: DDSMEkl - {2502BBD0-D73B-11DD-B4EC-CEBF56D89593} - C:\WINDOWS\system32\vumer.dll
O20 - Winlogon Notify: acebbbaac - C:\WINDOWS\system32\acebbbaac.dll

Close browsers and fix checked.

Open notepad and copy/paste the text in the quotebox below into it:

Code: 
File::
C:\Documents and Settings\Susan Micheletti\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-77d2cd4a
C:\Documents and Settings\Susan Micheletti\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-5f674187
C:\Documents and Settings\Susan Micheletti\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-376d89e1
C:\Program Files\AWS\WeatherBug\Install\WxBugSetup60b6.04.0.9b.EXE
C:\WINDOWS\3D11E3335BA8ABD36615B65CBC2B2AA2.exe
C:\WINDOWS\88413568FA13974472E821E48E2C5FE.exe
C:\WINDOWS\90D52C3D0B558103B80578F3186F8E2.exe
C:\WINDOWS\F248E17E4589E15C646C2CCC52154FE5.exe
C:\WINDOWS\SYSTEM32\acebbbaac.dll
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0XRM558A\u521[1].exe
C:\WINDOWS\SYSTEM32\logoff.log


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

CFScriptB-4.gif


Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & a fresh hjt log. How's the system running?


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
 
Hi, thanks again for your help. It is appreciated.

I think the computer is still affected after doing your latest suggestions, since Mcafee still reports the W32 Autorun worm.

Also, when Combofix was trying to store a log file, it got stuck for 15 minutes. I had do use the task manager to stop the following processes:

catchme.tmp

620c4f5c1fc4d746700af6bc3651fcd6.exe (SYSTEM)

I did not see any findstr, find, sed or swreg, but I did also see (but didn't stop) a few others which I have not clue as to what they are:

fi.cfexe
cf31904.exe

Here is the Combofix log and new HJT log:

ComboFix 09-01-16.03 - Susan Micheletti 2009-01-19 7:45:10.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.54 [GMT -8:00]
Running from: C:\Documents and Settings\Susan Micheletti\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Susan Micheletti\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\Susan Micheletti\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-77d2cd4a
C:\Documents and Settings\Susan Micheletti\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-5f674187
C:\Documents and Settings\Susan Micheletti\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-376d89e1
C:\Program Files\AWS\WeatherBug\Install\WxBugSetup60b6.04.0.9b.EXE
C:\WINDOWS\3D11E3335BA8ABD36615B65CBC2B2AA2.exe
C:\WINDOWS\88413568FA13974472E821E48E2C5FE.exe
C:\WINDOWS\90D52C3D0B558103B80578F3186F8E2.exe
C:\WINDOWS\F248E17E4589E15C646C2CCC52154FE5.exe
C:\WINDOWS\SYSTEM32\acebbbaac.dll
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0XRM558A\u521[1].exe
C:\WINDOWS\SYSTEM32\logoff.log
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Susan Micheletti\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-77d2cd4a
C:\Documents and Settings\Susan Micheletti\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-5f674187
C:\Documents and Settings\Susan Micheletti\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-376d89e1
C:\Program Files\AWS\WeatherBug\Install\WxBugSetup60b6.04.0.9b.EXE
C:\WINDOWS\3D11E3335BA8ABD36615B65CBC2B2AA2.exe
C:\WINDOWS\88413568FA13974472E821E48E2C5FE.exe
C:\WINDOWS\90D52C3D0B558103B80578F3186F8E2.exe
C:\WINDOWS\F248E17E4589E15C646C2CCC52154FE5.exe
C:\WINDOWS\SYSTEM32\acebbbaac.dll
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0XRM558A\u521[1].exe
C:\WINDOWS\SYSTEM32\logoff.log
.
---- Previous Run -------
.
C:\77892091
c:\program files\temp01
c:\windows\309EE93D301B9F087FF9FF1DFD758D.exe
c:\windows\p2hhr.bat
c:\windows\SYSTEM32\acebbbaac.dll
c:\windows\SYSTEM32\saduyaya.dll
c:\windows\system32\vumer.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPXLAUNCH
-------\Service_ipxlaunch


((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))
.

2009-01-19 07:28 . 2009-01-19 07:28 185,360 --a------ C:\WINDOWS\B46011541A2D74E299A534CC107CE2CF.exe
2009-01-18 05:10 . 2009-01-18 05:08 410,984 --a------ C:\WINDOWS\SYSTEM32\deploytk.dll
2009-01-18 05:10 . 2009-01-18 05:09 73,728 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2009-01-12 18:38 . 2009-01-12 18:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2009-01-10 12:37 . 2009-01-10 12:37 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2009-01-09 22:36 . 2009-01-09 22:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2009-01-09 22:25 . 2009-01-09 22:25 <DIR> d-------- C:\VundoFix Backups
2009-01-09 16:32 . 2009-01-09 16:32 <DIR> d-------- C:\Program Files\Lavasoft
2009-01-09 16:32 . 2009-01-09 16:32 <DIR> d-------- C:\Documents and Settings\Susan Micheletti\Application Data\Lavasoft
2009-01-09 04:08 . 2009-01-09 04:08 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2009-01-09 04:08 . 2009-01-04 18:38 38,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-01-09 04:08 . 2009-01-04 18:38 15,504 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2009-01-08 18:27 . 2009-01-19 07:35 <DIR> d-------- C:\quarantine
2009-01-08 18:15 . 2009-01-08 19:02 512 --a------ C:\WINDOWS\randseed.rnd
2009-01-08 05:47 . 2009-01-08 17:55 <DIR> d-------- C:\Program Files\Network Associates
2009-01-08 05:47 . 2009-01-08 05:47 <DIR> d-------- C:\Program Files\Common Files\Network Associates
2009-01-08 05:47 . 2009-01-08 17:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Network Associates
2008-12-24 08:58 . 2008-12-25 22:48 0 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\85bf4cca.sys
2008-12-23 14:25 . 2008-12-23 14:25 1 --a------ C:\WINDOWS\SYSTEM32\za.dat
2008-12-19 22:42 . 2008-12-19 22:42 <DIR> d-------- C:\Documents and Settings\Susan Micheletti\Application Data\acccore
2008-12-19 22:39 . 2008-12-19 22:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\acccore
2008-12-19 22:36 . 2009-01-10 12:20 <DIR> d-------- C:\Program Files\AIM6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-19 15:34 --------- d-----w C:\Program Files\SPAMfighter
2009-01-18 13:08 --------- d-----w C:\Program Files\Java
2009-01-18 12:39 --------- d-----w C:\Program Files\Common Files\Adobe
2009-01-09 11:42 --------- d-----w C:\Program Files\MSN Messenger
2009-01-09 02:45 --------- d-----w C:\Program Files\Dell AIO Printer A940
2009-01-09 02:44 --------- d-----w C:\Program Files\IrfanView
2009-01-08 05:54 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-12-20 06:38 --------- d-----w C:\Program Files\Common Files\AOL
2008-12-20 06:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-12-19 02:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-18 23:35 --------- d-----w C:\Program Files\Jasc Software Inc
2008-12-18 23:30 28,352 ----a-w C:\WINDOWS\system32\drivers\MxlW2k.sys
2008-12-13 06:40 3,593,216 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-12-11 10:57 333,952 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\srv.sys
2008-12-08 02:14 --------- d-----w C:\Documents and Settings\Susan Micheletti\Application Data\ICAClient
2008-12-02 21:56 --------- d-----w C:\Program Files\iTunes
2008-12-02 21:56 --------- d-----w C:\Program Files\iPod
2008-12-02 21:56 --------- d-----w C:\Program Files\Common Files\Apple
2008-12-02 21:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-02 21:52 --------- d-----w C:\Program Files\QuickTime
2008-11-26 00:21 --------- d-----w C:\Program Files\Citrix
2008-11-12 23:30 26,860 ----a-w C:\WINDOWS\SYSTEM32\vssrvc.exe
2008-11-08 00:45 2,174,976 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\WMVCore.dll
2008-10-24 11:21 455,296 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-10-23 12:36 286,720 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
2006-05-19 15:17 9,583,368 ----a-w C:\Documents and Settings\Susan Micheletti\DesktopDoctor1.5.1.exe
2008-02-08 05:46 13,624 ----a-w C:\Program Files\mozilla firefox\plugins\cgpcfg.dll
2008-02-08 05:46 87,360 ----a-w C:\Program Files\mozilla firefox\plugins\CgpCore.dll
2008-02-08 05:46 91,448 ----a-w C:\Program Files\mozilla firefox\plugins\confmgr.dll
2008-02-08 05:46 21,824 ----a-w C:\Program Files\mozilla firefox\plugins\ctxlogging.dll
2008-02-08 05:46 206,136 ----a-w C:\Program Files\mozilla firefox\plugins\ctxmui.dll
2008-02-08 05:46 31,544 ----a-w C:\Program Files\mozilla firefox\plugins\icafile.dll
2008-02-08 05:46 40,248 ----a-w C:\Program Files\mozilla firefox\plugins\icalogon.dll
2007-03-17 01:27 479,232 ----a-w C:\Program Files\mozilla firefox\plugins\msvcm80.dll
2007-03-17 01:27 548,864 ----a-w C:\Program Files\mozilla firefox\plugins\msvcp80.dll
2007-03-17 01:27 626,688 ----a-w C:\Program Files\mozilla firefox\plugins\msvcr80.dll
2007-07-20 20:47 981,170 ----a-w C:\Program Files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-08 05:46 24,384 ----a-w C:\Program Files\mozilla firefox\plugins\TcpPServ.dll
2009-01-18 13:37 66,576 ----a-w C:\Program Files\mozilla firefox\components\dedecbcccafdbcb.dll
2007-02-14 17:05 848 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
2008-08-22 16:46 32,768 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008082220080823\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2502BBD0-D73B-11DD-B4EC-CEBF56D89593}]
2007-04-15 17:19 199696 --a------ C:\WINDOWS\system32\vumer.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 16:12 15360]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 09:23 202544]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-10-21 09:09 50472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 09:23 202544]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 09:24 16384]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-11-04 10:30 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-11-20 13:20 290088]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 17:15 290816]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-08-06 10:03 155648]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2003-09-29 07:10 81990]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2003-09-10 03:11 135251]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 02:38 34672]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2009-01-18 05:09 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe" [2007-11-20 16:04 218496]
"SWHelper"="C:\WINDOWS\system32\Macromed\Shockwave 8\PostUpdate.exe" [2008-12-09 02:16 53248]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-07-08 23:11:34 24576]
Kodak EasyShare software.lnk.disabled [2005-09-17 10:47:22 1807]
Kodak software updater.lnk.disabled [2005-09-17 10:49:29 1954]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acebbbaac]
2007-04-14 17:19 313871 C:\WINDOWS\SYSTEM32\acebbbaac.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SymWSC"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SBService"=2 (0x2)
"SAVScan"=3 (0x3)
"navapsvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
"Aim6"="C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R1 85bf4cca;85bf4cca;C:\WINDOWS\System32\drivers\85bf4cca.sys [2008-12-25 22:48 0]
R3 nidsdrv;nidsdrv;C:\WINDOWS\system32\nidsdrv.sys [2008-04-13 16:11 2176]
S1 ATMhelpr;ATMhelpr; [x]
S2 SPAMfighter Update Service;SPAMfighter Update Service;C:\Program Files\SPAMfighter\sfus.exe [2008-07-14 17:39 184968]


--- Other Services/Drivers In Memory ---

*Deregistered* - AFD
*Deregistered* - agp440
*Deregistered* - ALG
*Deregistered* - Apple Mobile Device
*Deregistered* - ASCTRM
*Deregistered* - ATMhelpr
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - BITS
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - drvnddm
*Deregistered* - DSproct
*Deregistered* - dsunidrv
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - Fax
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - HTTP
*Deregistered* - i2omgmt
*Deregistered* - IpNat
*Deregistered* - iPod Service
*Deregistered* - IPSec
*Deregistered* - JavaQuickStarterService
*Deregistered* - KodakCCS
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - McAfeeFramework
*Deregistered* - McShield
*Deregistered* - McTaskManager
*Deregistered* - mdmxsdk
*Deregistered* - Messenger
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NaiAvFilter1
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - omci
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - ROOTMODEM
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - SPAMfighter Update Service
*Deregistered* - Spooler
*Deregistered* - sprtsvc_dellsupportcenter
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - ssrtln
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - tfsnboio
*Deregistered* - tfsncofs
*Deregistered* - tfsndrct
*Deregistered* - tfsndres
*Deregistered* - tfsnifs
*Deregistered* - tfsnopio
*Deregistered* - tfsnpool
*Deregistered* - tfsnudf
*Deregistered* - tfsnudfa
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Udfs
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - w32time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - WS2IFSL
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\WalgreensPhotoShowExpressCD.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55234f62-dd19-11dd-a32b-000cf1fb3933}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\m.exe /s
.
Contents of the 'Scheduled Tasks' folder

2009-01-09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2004-07-15 C:\WINDOWS\Tasks\ISP signup reminder 1.job
- C:\WINDOWS\System32\OOBE\OOBEBALN.EXE [2008-04-13 16:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: &Search
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: {{d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
FF - ProfilePath -
.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:27, on 2009-01-19
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SPAMfighter\sfus.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Susan Micheletti\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DDSMEkl - {2502BBD0-D73B-11DD-B4EC-CEBF56D89593} - C:\WINDOWS\system32\vumer.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 8\PostUpdate.exe" 1014021 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: Kodak software updater.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111fd.bay111.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) -
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://us.bookmarks.yahoo.com/YbConvFav.CAB
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: acebbbaac - C:\WINDOWS\system32\acebbbaac.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O24 - Desktop Component 0: (no name) - http://img.photobucket.com/albums/v452/rsxgirl2002/11_7_104v.gif

--
End of file - 9455 bytes
 
Hi

Where does McAfee see the infected items in?

Let's run ComboFix with following CFScript in safe mode.


Open notepad and copy/paste the text in the quotebox below into it:

Code: 
File::
C:\WINDOWS\B46011541A2D74E299A534CC107CE2CF.exe
C:\WINDOWS\system32\vumer.dll
C:\WINDOWS\SYSTEM32\acebbbaac.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2502BBD0-D73B-11DD-B4EC-CEBF56D89593}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acebbbaac]


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

CFScriptB-4.gif


Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log (after rebooting back into normal mode).


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
 
Hi, I did what you suggested. Thanks again for your help.

Combofix again crashed as it was writing the logfile (after re-booting normally). I was trying to use task manager to close two instances of process E33BACF5D7F5484293F87E124060FE70.exe.

I have attached the Mcafee log to show you were it says the worm and trojan are. I am also attaching what Combofix log file, which I think may be incomplete, and a new HJT log. Thanks again.

2009-01-19 11:31 Move failed (Clean failed) MICHELETTI\Susan Micheletti C:\WINDOWS\E33BACF5D7F5484239F87E124060FE70.exe Generic Qhost
2009-01-19 11:31 Not scanned (scan timed out) NT AUTHORITY\LOCAL SERVICE C:\Documents and Settings\All Users\Application Data\SupportSoft\DellSupportCenter\SYSTEM\data\manifest.xml
2009-01-19 11:32 Not scanned (scan timed out) MICHELETTI\Susan Micheletti C:\Documents and Settings\Susan Micheletti\Local Settings\Application Data\SupportSoft\DellSupportCenter\Susan Micheletti\data\manifest.xml
2009-01-19 11:33 Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\SYSTEM32\8d0800b02a9dc89d8dff773da7360a2c.TMP W32/AutoRun.worm.gen
2009-01-19 11:43 Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\SYSTEM32\13028c86c3c812faab6fec047eb4e554.TMP W32/AutoRun.worm.gen
2009-01-19 11:43 No Action Taken (Clean failed) NT AUTHORITY\SYSTEM C:\WINDOWS\SYSTEM32\acebbbaac.dll W32/AutoRun.worm.gen


ComboFix 09-01-19.01 - Administrator 2009-01-19 11:14:58.5 - NTFSx86 NETWORK
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

FILE ::
C:\WINDOWS\B46011541A2D74E299A534CC107CE2CF.exe
C:\WINDOWS\SYSTEM32\acebbbaac.dll
C:\WINDOWS\system32\vumer.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\B46011541A2D74E299A534CC107CE2CF.exe
C:\WINDOWS\SYSTEM32\acebbbaac.dll
C:\WINDOWS\system32\vumer.dll
.
---- Previous Run -------
.
C:\77892091
C:\Documents and Settings\Susan Micheletti\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-77d2cd4a
C:\Documents and Settings\Susan Micheletti\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-5f674187
C:\Documents and Settings\Susan Micheletti\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-376d89e1
C:\Program Files\AWS\WeatherBug\Install\WxBugSetup60b6.04.0.9b.EXE
c:\program files\temp01
c:\windows\309EE93D301B9F087FF9FF1DFD758D.exe
C:\WINDOWS\3D11E3335BA8ABD36615B65CBC2B2AA2.exe
C:\WINDOWS\88413568FA13974472E821E48E2C5FE.exe
C:\WINDOWS\90D52C3D0B558103B80578F3186F8E2.exe
C:\WINDOWS\F248E17E4589E15C646C2CCC52154FE5.exe
c:\windows\p2hhr.bat
c:\windows\SYSTEM32\acebbbaac.dll
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0XRM558A\u521[1].exe
C:\WINDOWS\SYSTEM32\logoff.log
c:\windows\SYSTEM32\saduyaya.dll
c:\windows\system32\vumer.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPXLAUNCH
-------\Service_ipxlaunch


((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))
.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47, on 2009-01-19
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SPAMfighter\sfus.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Susan Micheletti\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 8\PostUpdate.exe" 1014021 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: Kodak software updater.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111fd.bay111.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) -
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://us.bookmarks.yahoo.com/YbConvFav.CAB
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: acebbbaac - C:\WINDOWS\system32\acebbbaac.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O24 - Desktop Component 0: (no name) - http://img.photobucket.com/albums/v452/rsxgirl2002/11_7_104v.gif

--
End of file - 9363 bytes
 
Hi

Let's try a bit different way of approach.

We need to execute an OTMoveIt3 script
  1. Please download OTMoveIt3 by OldTimer and save it to your desktop.
  2. Double click theOTMoveIt3 icon on your desktop.
  3. Paste the following code under the Paste Fix Here area. Do not include the word
    Code
    .
    Code: 
    :Files
C:\WINDOWS\E33BACF5D7F5484239F87E124060FE70.exe
C:\WINDOWS\SYSTEM32\acebbbaac.dll

:reg
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acebbbaac]
  4. Push the large MoveIt button.
  5. OTMI3 may ask to reboot the machine. Please do so if asked.
  6. Copy/Paste the contents under the Results line here in your next reply with a fresh hjt log.
  7. If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Re-run Kaspersky online scanner and post back its report too.
 
Hi, here are the OTMI3, KASPERSKY, and HJT logs files. Thanks again for your help.

========== FILES ==========
File move failed. C:\WINDOWS\E33BACF5D7F5484239F87E124060FE70.exe scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\SYSTEM32\acebbbaac.dll
C:\WINDOWS\SYSTEM32\acebbbaac.dll NOT unregistered.
File move failed. C:\WINDOWS\SYSTEM32\acebbbaac.dll scheduled to be moved on reboot.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acebbbaac\\ deleted successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01202009_043811

Files moved on Reboot...
File C:\WINDOWS\E33BACF5D7F5484239F87E124060FE70.exe not found!
LoadLibrary failed for C:\WINDOWS\SYSTEM32\acebbbaac.dll
C:\WINDOWS\SYSTEM32\acebbbaac.dll NOT unregistered.
File move failed. C:\WINDOWS\SYSTEM32\acebbbaac.dll scheduled to be moved on reboot.


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, January 20, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, January 21, 2009 01:01:14
Records in database: 1656517
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 92651
Threat name: 15
Infected objects: 29
Suspicious objects: 0
Duration of the scan: 02:29:24


File name / Threat name / Threats count
C:\Documents and Settings\Susan Micheletti\Local Settings\Temporary Internet Files\Content.IE5\IOE1EFNQ\u740[1].msg Infected: not-a-virus:AdWare.Win32.BHO.fav 1
C:\Qoobox\Quarantine\C\Documents and Settings\Susan Micheletti\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-77d2cd4a.vir Infected: Exploit.Java.Gimsh.b 1
C:\Qoobox\Quarantine\C\Documents and Settings\Susan Micheletti\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-5f674187.vir Infected: Exploit.Java.Gimsh.b 1
C:\Qoobox\Quarantine\C\Documents and Settings\Susan Micheletti\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-376d89e1.vir Infected: Exploit.Java.Gimsh.b 1
C:\Qoobox\Quarantine\C\Program Files\AWS\WeatherBug\Install\WxBugSetup60b6.04.0.9b.EXE.vir Infected: not-a-virus:AdWare.Win32.MyWay.j 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\F3HTMLMU.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\F3REPROX.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.v 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.p 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\MWSOEPLG.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ab 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\F3BROVLY.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.at 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\F3HTMLMU.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\F3POPSWT.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.an 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\F3REPROX.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.v 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\M3SKIN.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ad 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\MWSOEPLG.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ab 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\MWSOESTB.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\NPMYWEBS.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.i 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.l 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0XRM558A\u521[1].exe.vir Infected: not-a-virus:AdWare.Win32.BHO.fav 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\firugoti.dll.vir Infected: Trojan.Win32.Agent.bfdf 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\_acebbbaac_.dll.zip Infected: Worm.Win32.AutoRun.raz 3
C:\quarantine\acebbbaac.dll Infected: Worm.Win32.AutoRun.raz 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP10\A0001787.EXE Infected: not-a-virus:AdWare.Win32.MyWay.j 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP11\A0003926.exe Infected: Trojan.Win32.Qhost.kng 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP11\A0003927.exe Infected: Trojan.Win32.Qhost.kng 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP11\A0003928.exe Infected: Trojan.Win32.Qhost.kng 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000019.dll Infected: Trojan.Win32.Agent.bfdf 1

The selected area was scanned.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:41, on 2009-01-20
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SPAMfighter\sfus.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Susan Micheletti\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DDSMEkl - {2502BBD0-D73B-11DD-B4EC-CEBF56D89593} - C:\WINDOWS\system32\vumer.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 8\PostUpdate.exe" 1014021 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: Kodak software updater.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111fd.bay111.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) -
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://us.bookmarks.yahoo.com/YbConvFav.CAB
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: acebbbaac - C:\WINDOWS\system32\acebbbaac.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O24 - Desktop Component 0: (no name) - http://img.photobucket.com/albums/v452/rsxgirl2002/11_7_104v.gif

--
End of file - 9609 bytes
 
Hi


We need to execute an OTMoveIt3 script
  1. Please download OTMoveIt3 by OldTimer and save it to your desktop.
  2. Double click theOTMoveIt3 icon on your desktop.
  3. Paste the following code under the Paste Fix Here area. Do not include the word
    Code
    .
    Code: 
    :Files
C:\Documents and Settings\Susan Micheletti\Local Settings\Temporary Internet Files\Content.IE5\IOE1EFNQ\u740[1].msg
C:\quarantine\acebbbaac.dll
C:\WINDOWS\system32\vumer.dll

:reg
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2502BBD0-D73B-11DD-B4EC-CEBF56D89593}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acebbbaac]
  4. Push the large MoveIt button.
  5. OTMI3 may ask to reboot the machine. Please do so if asked.
  6. Copy/Paste the contents under the Results line here in your next reply with a fresh hjt log.
  7. If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Also, please run a full scan with Malwarebytes' Anti-Malware and remove its findings. Post back the report.
 
Hi, I think that we are getting closer, but problems still remain. I did as you suggested. I did NOT remove the stuff that Malwarebytes detected, since you didn't tell me to. Here are the logs, thanks again for your help.

========== FILES ==========
File/Folder C:\Documents and Settings\Susan Micheletti\Local Settings\Temporary Internet Files\Content.IE5\IOE1EFNQ\u740[1].msg not found.
LoadLibrary failed for C:\quarantine\acebbbaac.dll
C:\quarantine\acebbbaac.dll NOT unregistered.
File move failed. C:\quarantine\acebbbaac.dll scheduled to be moved on reboot.
C:\WINDOWS\system32\vumer.dll unregistered successfully.
C:\WINDOWS\system32\vumer.dll moved successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2502BBD0-D73B-11DD-B4EC-CEBF56D89593}\\ not found.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acebbbaac\\ deleted successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01212009_172927

Files moved on Reboot...
File C:\quarantine\acebbbaac.dll not found!


Malwarebytes' Anti-Malware 1.32
Database version: 1616
Windows 5.1.2600 Service Pack 3

2009-01-21 18:48:21
mbam-log-2009-01-21 (18-48-12).txt

Scan type: Full Scan (C:\|)
Objects scanned: 154428
Time elapsed: 1 hour(s), 3 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Susan Micheletti\Local Settings\Temporary Internet Files\Content.IE5\LSSWTE78\g979[1].msg (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Susan Micheletti\Local Settings\Temporary Internet Files\Content.IE5\TIGO36S7\u186[1].msg (Trojan.Agent) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0XRM558A\u521[1].exe.vir (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP11\A0004983.dll (Worm.AutoRun) -> No action taken.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0000194.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP9\A0001688.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\SYSTEM32\acebbbaac.dll (Worm.AutoRun) -> No action taken.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:51, on 2009-01-21
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SPAMfighter\sfus.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Susan Micheletti\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 8\PostUpdate.exe" 1014021 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: Kodak software updater.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111fd.bay111.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) -
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://us.bookmarks.yahoo.com/YbConvFav.CAB
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O24 - Desktop Component 0: (no name) - http://img.photobucket.com/albums/v452/rsxgirl2002/11_7_104v.gif

--
End of file - 9483 bytes
 
Blade81, I realize I misread your post. I will re-run Malwarebytes and remove the viruses that were listed in the log posted above. I will run a new HJT log and also post that. So I will be posting another message later. Thanks again.
 
Ok. Shall wait for fresh reports with description of remaining problems :)
 
Blade81, thanks again for all of your help. Here are the log files.

The system seems to be running faster. Please let me know what to do next.

========== FILES ==========
File/Folder C:\Documents and Settings\Susan Micheletti\Local Settings\Temporary Internet Files\Content.IE5\IOE1EFNQ\u740[1].msg not found.
LoadLibrary failed for C:\quarantine\acebbbaac.dll
C:\quarantine\acebbbaac.dll NOT unregistered.
File move failed. C:\quarantine\acebbbaac.dll scheduled to be moved on reboot.
C:\WINDOWS\system32\vumer.dll unregistered successfully.
C:\WINDOWS\system32\vumer.dll moved successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2502BBD0-D73B-11DD-B4EC-CEBF56D89593}\\ not found.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acebbbaac\\ deleted successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01212009_172927

Files moved on Reboot...
File C:\quarantine\acebbbaac.dll not found!


Database version: 1616
Windows 5.1.2600 Service Pack 3

2009-01-22 18:43:58
mbam-log-2009-01-22 (18-43-58).txt

Scan type: Full Scan (C:\|)
Objects scanned: 154513
Time elapsed: 53 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Susan Micheletti\Local Settings\Temporary Internet Files\Content.IE5\LSSWTE78\g979[1].msg (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Susan Micheletti\Local Settings\Temporary Internet Files\Content.IE5\TIGO36S7\u186[1].msg (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0XRM558A\u521[1].exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP11\A0004983.dll (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0005017.dll (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0000194.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP9\A0001688.exe (Trojan.Agent) -> Quarantined and deleted successfully.


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 8\PostUpdate.exe" 1014021 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: Kodak software updater.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111fd.bay111.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) -
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://us.bookmarks.yahoo.com/YbConvFav.CAB
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: acebbbaac - C:\WINDOWS\system32\acebbbaac.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O24 - Desktop Component 0: (no name) - http://img.photobucket.com/albums/v452/rsxgirl2002/11_7_104v.gif

--
End of file - 9438 bytes
 
Hi, I forgot to mention, that whenver I plug a usb drive into the computer, the files autorun.inf and m.exe appear. I suspect it is some type of trojan. When I delete the files they reappear.

But the system is running much better now. I think we are almost done.

Thanks again.
 
I forgot to mention, that whenver I plug a usb drive into the computer, the files autorun.inf and m.exe appear. I suspect it is some type of trojan. When I delete the files they reappear.
Click to expand...
Hi

That's the problem here. You have to plug the infected usb drive (or drives if you have used more than one during the infection) in so that it will be cleaned.

Then run ComboFix and after that Kaspersky online scanner with full scan. Post back reports of both and also a fresh hjt log.
 
Thanks Blade81. I did what you said. I left the USB drive (F) installed. Here are the log files. Let me know how to proceed. Thanks again for your help.

ComboFix 09-01-19.01 - Administrator 2009-01-19 11:14:58.5 - NTFSx86 NETWORK
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

FILE ::
C:\WINDOWS\B46011541A2D74E299A534CC107CE2CF.exe
C:\WINDOWS\SYSTEM32\acebbbaac.dll
C:\WINDOWS\system32\vumer.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\B46011541A2D74E299A534CC107CE2CF.exe
C:\WINDOWS\SYSTEM32\acebbbaac.dll
C:\WINDOWS\system32\vumer.dll
.
---- Previous Run -------
.
C:\77892091
C:\Documents and Settings\Susan Micheletti\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-77d2cd4a
C:\Documents and Settings\Susan Micheletti\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-5f674187
C:\Documents and Settings\Susan Micheletti\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-376d89e1
C:\Program Files\AWS\WeatherBug\Install\WxBugSetup60b6.04.0.9b.EXE
c:\program files\temp01
c:\windows\309EE93D301B9F087FF9FF1DFD758D.exe
C:\WINDOWS\3D11E3335BA8ABD36615B65CBC2B2AA2.exe
C:\WINDOWS\88413568FA13974472E821E48E2C5FE.exe
C:\WINDOWS\90D52C3D0B558103B80578F3186F8E2.exe
C:\WINDOWS\F248E17E4589E15C646C2CCC52154FE5.exe
c:\windows\p2hhr.bat
c:\windows\SYSTEM32\acebbbaac.dll
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0XRM558A\u521[1].exe
C:\WINDOWS\SYSTEM32\logoff.log
c:\windows\SYSTEM32\saduyaya.dll
c:\windows\system32\vumer.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPXLAUNCH
-------\Service_ipxlaunch


((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))
.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, January 23, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, January 23, 2009 17:01:56
Records in database: 1675780
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 93097
Threat name: 15
Infected objects: 35
Suspicious objects: 0
Duration of the scan: 02:21:12


File name / Threat name / Threats count
C:\WINDOWS\system32\acebbbaac.dll/C:\WINDOWS\system32\acebbbaac.dll Infected: Worm.Win32.AutoRun.raz 1
C:\Documents and Settings\Susan Micheletti\Local Settings\Temporary Internet Files\Content.IE5\LSSWTE78\u796[1].msg Infected: not-a-virus:AdWare.Win32.BHO.fav 1
C:\Qoobox\Quarantine\C\Documents and Settings\Susan Micheletti\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-77d2cd4a.vir Infected: Exploit.Java.Gimsh.b 1
C:\Qoobox\Quarantine\C\Documents and Settings\Susan Micheletti\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-5f674187.vir Infected: Exploit.Java.Gimsh.b 1
C:\Qoobox\Quarantine\C\Documents and Settings\Susan Micheletti\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-376d89e1.vir Infected: Exploit.Java.Gimsh.b 1
C:\Qoobox\Quarantine\C\Program Files\AWS\WeatherBug\Install\WxBugSetup60b6.04.0.9b.EXE.vir Infected: not-a-virus:AdWare.Win32.MyWay.j 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\F3HTMLMU.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\F3REPROX.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.v 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.p 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\MWSOEPLG.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ab 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\F3BROVLY.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.at 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\F3HTMLMU.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\F3POPSWT.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.an 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\F3REPROX.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.v 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\M3SKIN.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ad 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\MWSOEPLG.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ab 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\MWSOESTB.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\NPMYWEBS.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.i 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.l 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\firugoti.dll.vir Infected: Trojan.Win32.Agent.bfdf 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\_acebbbaac_.dll.zip Infected: Worm.Win32.AutoRun.raz 4
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP10\A0001787.EXE Infected: not-a-virus:AdWare.Win32.MyWay.j 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP11\A0003926.exe Infected: Trojan.Win32.Qhost.kng 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP11\A0003927.exe Infected: Trojan.Win32.Qhost.kng 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP11\A0003928.exe Infected: Trojan.Win32.Qhost.kng 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000019.dll Infected: Trojan.Win32.Agent.bfdf 1
C:\WINDOWS\2F56C3F3887B328B4F93612A415B1B76.exe Infected: Trojan.Win32.Qhost.kng 1
C:\WINDOWS\66F6A99C53F9DD7B9C4713E342F59F8.exe Infected: Trojan.Win32.Qhost.kng 1
C:\WINDOWS\DF6C421352B418204735FB373A7CF33E.exe Infected: Trojan.Win32.Qhost.kng 1
C:\WINDOWS\F39FBF4334456C87AFDD5A8F34B73475.exe Infected: Trojan.Win32.Qhost.kng 1
C:\WINDOWS\SYSTEM32\acebbbaac.dll Infected: Worm.Win32.AutoRun.raz 1
F:\m.exe Infected: Trojan.Win32.Qhost.kng 1

The selected area was scanned.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50, on 2009-01-23
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SPAMfighter\sfus.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Susan Micheletti\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DDSMEkl - {2502BBD0-D73B-11DD-B4EC-CEBF56D89593} - C:\WINDOWS\system32\vumer.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 8\PostUpdate.exe" 1014021 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: Kodak software updater.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111fd.bay111.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) -
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://us.bookmarks.yahoo.com/YbConvFav.CAB
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: acebbbaac - C:\WINDOWS\system32\acebbbaac.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O24 - Desktop Component 0: (no name) - http://img.photobucket.com/albums/v452/rsxgirl2002/11_7_104v.gif

--
End of file - 9455 bytes
 
Hopefully this will nail the pest for good.

  • Double click theOTMoveIt3 icon on your desktop.
  • Paste the following code under the Paste Fix Here area. Do not include the word
    Code
    .
    Code: 
    :Files
C:\WINDOWS\system32\acebbbaac.dll
C:\Documents and Settings\Susan Micheletti\Local Settings\Temporary Internet Files\Content.IE5\LSSWTE78\u796[1].msg
C:\WINDOWS\2F56C3F3887B328B4F93612A415B1B76.exe
C:\WINDOWS\66F6A99C53F9DD7B9C4713E342F59F8.exe
C:\WINDOWS\DF6C421352B418204735FB373A7CF33E.exe
C:\WINDOWS\F39FBF4334456C87AFDD5A8F34B73475.exe
F:\m.exe
C:\WINDOWS\system32\vumer.dll

:reg
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2502BBD0-D73B-11DD-B4EC-CEBF56D89593}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acebbbaac]
  • Push the large MoveIt button.
  • OTMI3 may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Results line here in your next reply with a fresh hjt log.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Re-run Kaspersky online scanner and post back its report too.
 
You must log in or register to reply here.
Back
Top