Computer viruses and spyware forum topic: bigtime virus/trojan/downloader problem
Richter915 (Topic Starter) « on: May 22, 2008, 10:31:44 AM »

So last night I tried installing a "safe" program and I ended up with some big problems, I'll run you guys through all the details and I'll put up a HijackThis Log at the end...any help is appreciated.

I opened up the install for my program and before it even finished installing, I had tons of messages coming up from my Symantec AntiVirus. All the messages were along the lines of "cannot send email to...for reason..."...I literally got hundreds of these popups in a matter of one minute. The antivirus also found and cleared four risks, all of them are W32.Mandaph. The files corrupted were nnjamld.exe in my C drive and the other two were luzznrima.htm in my temporary internet files. It then found and cleared by deletion a downloader located in my windows folder in system32. The filename was jfiehayd.dll. The last thing it found and cleared by deletion was about 20 minutes later. It was Trojan.Zlob in the same location as the downloader but in the folder 158117 and the filename was 158117.htm. Also, soon after all this started, my machine randomly started playing some weird audio on repeat...it only stopped after I ctrl+alt+del and shutdown iexplorer. I have also noticed that when I only have one IE open, my task manager will say that I have 2 open.

Alright, so it found those few things and cleared them all supposedly but I kept getting those Symantec popups. I then tried going on IE 7.0 and on my home page, no images appeared but I was able to get to my homepage. The same was true for any other website I went to. Firefox, on the other hand, loaded all pics without any problem. Then I tried downloading a file on both IE and Firefox and I got error messages. I then re-installed IE...immediately after rebooting my comp was flooded with those Symantec pop ups. It also told me that my automatic updates was off...and it still is. After reinstalling IE, I still had the problem with the images so I went to internet options and restored everything to the default and suddenly I could see the images on the sites. I went and set my usual homepage, etc etc. When I reopened IE, I was taken to some "thanks for installing IE" page as expected except now I'm taken there EVERY TIME I OPEN IE. It also asks me if it's ok to run javascripts each time I open IE (that little window with the lock on it). I still cannot download anything off of IE but I can download from Mozilla. I also can't access certain webpages from either browser. If I try going to the windows update page on IE, it doesn't work...If I try going to Symantec's help pages, doesn't work. Even techguys.com will not load on either browser. I also can't do LiveUpdate through Symantec.

I also found that when I Google a site, the link from Google to the site will redirect me to some spam advertisement page. Same is true when I search on Yahoo.

For example, when I open a link from Google...the site always has at the beginning and it redirects me somewhere else: <<Dangerous link removed>>

I don't know if you want to click that, but it looks like something is wrong.

Furthermore, I find that IE opens much slower. When I bootup, my comp makes noise for longer. When I load some pages (like yahoo.com and computerhope.com), it immediately takes me to the bottom of the page, then I scroll up. I did do a scan of my windows folder and nothing was found. I went through my windows folder and deleted some files that were modified around the time that these problems began. I also cleared out some things from my HijackThis log that I could not recognize. Since then, the number of Symantec pop ups has gone down and I can access the internet somewhat easier. I still can't download through IE but downloading most things through Firefox works. My automatic update thing remains off when I bootup. It doesn't even turn on when I try to turn it on.

I've attached my most recent HJT log (btw, when trying to get the log with my old HJT, I couldn't do it so I had to go and install the most recent version...found that majorgeeks.com does not go either).

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50:45 PM, on 5/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\ScsiAcc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Program Files\Trend Micro\HijackThis\Sniper.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.verizon.net/newsroom/portals/newsroom.portal
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://dslstart.verizon.net/vzn.dsl/welcome.htm?ver=30382&
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://resnet.stonybrook.edu/wpad.dat
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 216.133.248.230:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39a4a522-0da1-4e30-a925-ea1243f8afff} - C:\WINDOWS\system32\cbXOIyXq.dll
O2 - BHO: (no name) - {663656df-6bae-460c-a612-8133df519346} - C:\WINDOWS\system32\wvUmKaYP.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with &ZipScan - C:\PROGRA~1\ZIPSCA~1\zs_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [international] International*
O12 - Plugin for .thp: C:\Program Files\Internet Explorer\Plugins\NPLM32.DLL
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/26.30/uploader2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - https://register.resnet.stonybrook.edu/CAT/CNICAT.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://pdc.resnet.stonybrook.edu/webinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj02.custhelp.com/7560-b440h/rnl/java/RntX.cab
O20 - Winlogon Notify: wvUmKaYP - C:\WINDOWS\SYSTEM32\wvUmKaYP.dll
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAcc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 10358 bytes

any help would really really be appreciated, thanks.
« Last Edit: May 22, 2008, 09:14:13 PM by evilfantasy »
evilfantasy (Malware Removal Specialist, Moderator) « Reply #1 on: May 22, 2008, 10:39:26 AM »

We need the rest of the information from here > http://www.computerhope.com/forum/index.php/topic,46313.0.html

Richter915 (Topic Starter) « Reply #2 on: May 22, 2008, 02:12:43 PM »

OK, I'm running the SUPERAntiSpyware scan as we speak. I've found that a lot of spam pop ups are appearing if I use IE. Also, I can't install the malware program.
evilfantasy (Malware Removal Specialist, Moderator) « Reply #3 on: May 22, 2008, 02:19:44 PM »

Let SAS finish and then post a Hijackthis log.

Try to install Malwarebytes after SAS is done. It may install then.

Richter915 (Topic Starter) « Reply #4 on: May 22, 2008, 09:07:09 PM »

MBAM still won't install, but here are the SAS and HJT logs:

Scan type       : Complete Scan
Total Scan Time : 02:56:23

Memory items scanned      : 447
Memory threats detected   : 1
Registry items scanned    : 6938
Registry threats detected : 0
File items scanned        : 130530
File threats detected     : 9

Adware.Vundo Variant/Resident
   C:\WINDOWS\SYSTEM32\CBXOIYXQ.DLL
   C:\WINDOWS\SYSTEM32\CBXOIYXQ.DLL

Adware.Tracking Cookie
   C:\Documents and Settings\Owner\Cookies\owner@media6degrees[1].txt
   C:\Documents and Settings\Owner\Cookies\owner@trafficmp[1].txt
   C:\Documents and Settings\Owner\Cookies\owner@cache.trafficmp[2].txt
   C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt
   C:\Documents and Settings\LocalService\Cookies\owner@advertising[1].txt
   C:\Documents and Settings\LocalService\Cookies\owner@mediaplex[1].txt

Adware.E404 Helper/Variant-A
   C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\I1Y14NMB\MYWEHFOTO[1].HTM

Trojan.Winreg
   C:\WINDOWS\SYSTEM\WINREG.EXE


hjt - 05-22-08 11:03PM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:04:08 PM, on 5/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\ScsiAcc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\Sniper.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.verizon.net/newsroom/portals/newsroom.portal
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://dslstart.verizon.net/vzn.dsl/welcome.htm?ver=30382&
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://resnet.stonybrook.edu/wpad.dat
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 216.133.248.230:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: (no name) - {39a4a522-0da1-4e30-a925-ea1243f8afff} - C:\WINDOWS\system32\cbXOIyXq.dll (file missing)
O2 - BHO: (no name) - {663656df-6bae-460c-a612-8133df519346} - C:\WINDOWS\system32\wvUmKaYP.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: {55c1dc25-0a4a-5f88-9164-0c098979b9d9} - {9d9b9798-90c0-4619-88f5-a4a052cd1c55} - C:\WINDOWS\system32\dyqpspox.dll
O2 - BHO: (no name) - {ae926bd9-bb58-4bdf-bf18-824f858342e8} - C:\WINDOWS\system32\geBuRLFu.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [BM076f9d11] Rundll32.exe "C:\WINDOWS\system32\fmgvdpqx.dll",s
O4 - HKLM\..\Run: [045cae8d] rundll32.exe "C:\WINDOWS\system32\updwcpnv.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with &ZipScan - C:\PROGRA~1\ZIPSCA~1\zs_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [international] International*
O12 - Plugin for .thp: C:\Program Files\Internet Explorer\Plugins\NPLM32.DLL
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/26.30/uploader2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - https://register.resnet.stonybrook.edu/CAT/CNICAT.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://pdc.resnet.stonybrook.edu/webinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj02.custhelp.com/7560-b440h/rnl/java/RntX.cab
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: wvUmKaYP - C:\WINDOWS\SYSTEM32\wvUmKaYP.dll
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAcc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 10684 bytes


The HJT log was done after SAS.
evilfantasy (Malware Removal Specialist, Moderator) « Reply #5 on: May 22, 2008, 09:21:22 PM »

These scans will complete much faster than SAS.

Download NoLop to your desktop from one of the links below...
  • Close any programs you have running since a reboot is required
  • Double click NoLop.exe to run it
  • Next, click the button labeled: Search and Destroy
    • Your computer will now be scanned for infected files
  • When the scan finishes, if infected, you are prompted to reboot
  • Click OK
  • Now click: REBOOT
  • A message should pop up from NoLop. If not, double click the program again and it will finish.
  • Post the contents of C:\NoLop.log in the next reply.
Note: If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program.

----------

Download Vundofix.exe to your desktop.

  • Double-click VundoFix.exe to run it.
  • When VundoFix opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

Please let Vundo finish; sometimes it can take multiple passes.

----------

Now run a new Hijackthis scan and post that log also.

It "might" take two posts to get all of the logs in, so that is OK as long as they are all posted.
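As an added example (not code from this thread, nor from HijackThis, NoLop or VundoFix), a small Python triage script that parses HijackThis entry lines like those posted above and flags the pattern the VundoFix step is aimed at: unnamed BHOs, rundll32 Run entries and Winlogon Notify handlers that load 8-random-letter DLLs from system32. The sample lines are constructed from the logs posted in this thread; the 8-letter heuristic and the small allow-list are assumptions tuned to this infection, not a general rule.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines taken from the HijackThis logs posted
# in this thread, mixing known-good entries with the suspicious ones.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39a4a522-0da1-4e30-a925-ea1243f8afff} - C:\WINDOWS\system32\cbXOIyXq.dll (file missing)
O2 - BHO: (no name) - {663656df-6bae-460c-a612-8133df519346} - C:\WINDOWS\system32\wvUmKaYP.dll
O2 - BHO: {55c1dc25-0a4a-5f88-9164-0c098979b9d9} - {9d9b9798-90c0-4619-88f5-a4a052cd1c55} - C:\WINDOWS\system32\dyqpspox.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [BM076f9d11] Rundll32.exe "C:\WINDOWS\system32\fmgvdpqx.dll",s
O4 - HKLM\..\Run: [045cae8d] rundll32.exe "C:\WINDOWS\system32\updwcpnv.dll",b
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: wvUmKaYP - C:\WINDOWS\SYSTEM32\wvUmKaYP.dll
"""

# Entry lines look like "O2 - BHO: ..." or "R1 - HKCU\..."; the process list and
# the header lines of a HijackThis log do not match and are skipped.
HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# First drive-letter path in the entry that ends in .dll/.exe (spaces allowed).
WIN_PATH = re.compile(r'([A-Za-z]:\\[^",]+?\.(?:dll|exe))', re.IGNORECASE)
# Heuristic (assumption): the droppers in this thread use 8 random letters
# (cbXOIyXq, wvUmKaYP, dyqpspox, fmgvdpqx, updwcpnv).
RANDOM_STEM = re.compile(r"^[A-Za-z]{8}$")
SYSTEM32_DIRS = ("\\windows\\system32\\", "\\winnt\\system32\\")
# Legitimate 8-letter system32 names that would otherwise trip the heuristic.
KNOWN_SYSTEM32 = {"winlogon", "services", "userinit", "explorer"}


@dataclass
class Finding:
    kind: str
    path: str
    reason: str


def looks_random_system32(path: str) -> bool:
    """True for an 8-letter, non-allow-listed file name living in system32."""
    lower = path.lower()
    if not any(d in lower for d in SYSTEM32_DIRS):
        return False
    stem = lower.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return bool(RANDOM_STEM.match(stem)) and stem not in KNOWN_SYSTEM32


def bho_unnamed(body: str) -> bool:
    """BHOs registered without a display name, or with a bare GUID as the name."""
    name = body.removeprefix("BHO: ").split(" - ", 1)[0]
    return name == "(no name)" or name.startswith("{")


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and collect the entries worth a second look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        pm = WIN_PATH.search(body)
        path = pm.group(1) if pm else ""
        if kind == "O2" and bho_unnamed(body) and looks_random_system32(path):
            findings.append(Finding(kind, path, "unnamed BHO loads random-letter DLL from system32"))
        elif kind == "O4" and "rundll32" in body.lower() and looks_random_system32(path):
            findings.append(Finding(kind, path, "Run key starts rundll32 with random-letter DLL from system32"))
        elif kind == "O20" and looks_random_system32(path):
            findings.append(Finding(kind, path, "Winlogon Notify handler is a random-letter DLL (Vundo-style persistence)"))
        # Registered but already removed from disk: the registry entry still needs cleaning.
        if path and "(file missing)" in body:
            findings.append(Finding(kind, path, "stale entry: registered but file no longer on disk"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4} {f.path}  <- {f.reason}")
```

Run against a full log the script ignores the process list and the R-lines, so the campus proxy and wpad.dat entries in the posted logs are left for a human to judge.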

Richter915 (Topic Starter) « Reply #6 on: May 23, 2008, 05:57:36 PM »

I ran both of the scans and both found no infections, then ran an HJT afterwards...here's the log. Just noting a couple of things...when I try to "save as.." in a text file, the file automatically closes itself. Both IE and Firefox lag. When new tabs are opened in either, pop-ups appear and messages asking if I want to get new antispyware software (to which I cancel/click no). Last night I would frequently get error boxes saying message error or something along those lines. In my task manager it says that explorer.exe is taking up a large amount of computer energy but after I ended that program and restarted it, things were ok. Some websites will still not open and the same problems happen from sites searched on Google and Yahoo. I cannot upload files into emails in IE. Whenever I open IE, it takes me to http://runonce.msn.com/runonce2.aspx every time even though I set the homepage to a different one.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:51:15 PM, on 5/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\ScsiAcc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Last.fm\LastFM.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\Sniper.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.verizon.net/newsroom/portals/newsroom.portal
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://dslstart.verizon.net/vzn.dsl/welcome.htm?ver=30382&
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://resnet.stonybrook.edu/wpad.dat
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 216.133.248.230:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: (no name) - {39a4a522-0da1-4e30-a925-ea1243f8afff} - C:\WINDOWS\system32\cbXOIyXq.dll (file missing)
O2 - BHO: (no name) - {663656df-6bae-460c-a612-8133df519346} - C:\WINDOWS\system32\wvUmKaYP.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: {55c1dc25-0a4a-5f88-9164-0c098979b9d9} - {9d9b9798-90c0-4619-88f5-a4a052cd1c55} - C:\WINDOWS\system32\dyqpspox.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {dc611d53-f5bd-4a4c-abcc-39a867d2a959} - C:\WINDOWS\system32\geBuRLFu.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [045cae8d] rundll32.exe "C:\WINDOWS\system32\updwcpnv.dll",b
O4 - HKLM\..\Run: [BM076f9d11] Rundll32.exe "C:\WINDOWS\system32\fmgvdpqx.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with &ZipScan - C:\PROGRA~1\ZIPSCA~1\zs_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [international] International*
O12 - Plugin for .thp: C:\Program Files\Internet Explorer\Plugins\NPLM32.DLL
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/26.30/uploader2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - https://register.resnet.stonybrook.edu/CAT/CNICAT.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://pdc.resnet.stonybrook.edu/webinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj02.custhelp.com/7560-b440h/rnl/java/RntX.cab
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: wvUmKaYP - C:\WINDOWS\SYSTEM32\wvUmKaYP.dll
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAcc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 10566 bytes
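An added example, not part of any post in this thread and not a HijackThis or ComboFix feature: a Python triage pass over an HJT log like the one above. It parses the R1/O2/O4/O20/O23 lines, flags the patterns a helper looks at first (a BHO with no product name or whose file is gone, a random-looking DLL name under system32, a Run value named like a hex token that loads a DLL through rundll32, a Winlogon Notify DLL outside a vendor folder, a service with no vendor string, and any proxy or WPAD setting that should be confirmed), and drafts a File::/Registry:: block in the shape of the script posted in Reply #13 for a person to review. The sample log is a constructed subset of the log above; the name-randomness heuristic, the hex-token pattern and the severity labels are assumptions, not signatures.

```python
"""Heuristic triage of a HijackThis log (added example; not a HijackThis or
ComboFix feature). Every rule here is an assumption: hits are candidates for
a human reviewer, not verdicts."""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the HJT log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://resnet.stonybrook.edu/wpad.dat
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 216.133.248.230:80
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: (no name) - {39a4a522-0da1-4e30-a925-ea1243f8afff} - C:\WINDOWS\system32\cbXOIyXq.dll (file missing)
O2 - BHO: (no name) - {663656df-6bae-460c-a612-8133df519346} - C:\WINDOWS\system32\wvUmKaYP.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: {55c1dc25-0a4a-5f88-9164-0c098979b9d9} - {9d9b9798-90c0-4619-88f5-a4a052cd1c55} - C:\WINDOWS\system32\dyqpspox.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [045cae8d] rundll32.exe "C:\WINDOWS\system32\updwcpnv.dll",b
O4 - HKLM\..\Run: [BM076f9d11] Rundll32.exe "C:\WINDOWS\system32\fmgvdpqx.dll",s
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: wvUmKaYP - C:\WINDOWS\SYSTEM32\wvUmKaYP.dll
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAcc.exe
"""

PATH_RE = re.compile(r'[A-Za-z]:\\[^",]+?\.(?:dll|exe)\b', re.I)
HEX_NAME_RE = re.compile(r"^(BM)?[0-9a-f]{8}$")   # assumed: 045cae8d / BM076f9d11 style
CHECKED = ("O2", "O4", "O20", "O23")              # sections where the file path matters

@dataclass
class Finding:
    section: str
    line: str
    path: str = ""
    key: str = ""                 # CLSID for O2, Run value name for O4
    severity: str = "review"      # "review" or "high"
    reasons: list = field(default_factory=list)

def in_system32(path):
    return "\\system32\\" in path.lower()

def stem_of(path):
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]

def looks_random(stem):
    """Assumed heuristic: a letters-only name with a long consonant run
    (dyqpspox) or heavy case flipping (wvUmKaYP). Abbreviation-style vendor
    names such as igfxsrvc also trip it, which is why hits get human review."""
    if len(stem) < 6 or not stem.isalpha():
        return False
    longest_run = max((len(r) for r in re.findall(r"[^aeiouAEIOU]+", stem)), default=0)
    flips = sum(a.islower() != b.islower() for a, b in zip(stem, stem[1:]))
    return longest_run >= 5 or flips >= 4

def triage(log):
    """Return one Finding per suspicious line, in log order."""
    findings = []
    for line in log.strip().splitlines():
        tag = line.split(" - ", 1)[0]
        m = PATH_RE.search(line)
        f = Finding(tag, line, path=m.group(0) if m else "")
        if tag == "O2":
            m2 = re.match(r"O2 - BHO: (.*?) - (\S+) - ", line)
            name, f.key = m2.groups() if m2 else ("", "")
            if name == "(no name)" or name.startswith("{"):
                f.reasons.append("BHO with no product name")
            if "(no file)" in line or "(file missing)" in line:
                f.reasons.append("BHO whose file is gone (orphan)")
        elif tag == "O4":
            m4 = re.match(r"O4 - .*?\[(.*?)\] ", line)
            f.key = m4.group(1) if m4 else ""
            if HEX_NAME_RE.match(f.key):
                f.reasons.append("Run value named like a hex token")
                f.severity = "high"
            if "rundll32" in line.lower() and in_system32(f.path):
                f.reasons.append("rundll32 loading a DLL from system32")
        elif tag == "O23" and "Unknown owner" in line and in_system32(f.path):
            f.reasons.append("service with no vendor string, running from system32")
        elif tag == "R1" and ("ProxyServer" in line or "AutoConfigURL" in line):
            f.reasons.append("proxy/WPAD set: confirm it is the network's, not a hijack")
        if tag in CHECKED and in_system32(f.path) and looks_random(stem_of(f.path)):
            f.reasons.append("random-looking file name in system32")
            f.severity = "high"
        if f.reasons:
            findings.append(f)
    return findings

def draft_cfscript(findings):
    """Draft a File::/Registry:: block from the high-severity hits, in the
    shape of the script posted later in this thread. Assumed to be read and
    edited by a person before anything runs it."""
    files, keys, values = [], [], []
    for f in findings:
        if f.severity != "high":
            continue
        if f.path and "(file missing)" not in f.line and f.path.lower() not in [p.lower() for p in files]:
            files.append(f.path)
        if f.section == "O2":
            keys.append(f"[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{f.key}]")
        elif f.section == "O4" and "HKLM" in f.line:
            values.append(f'"{f.key}"=-')   # .reg syntax: delete this value
    run_key = "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]"
    registry = keys + ([run_key] + values if values else [])
    return "File::\n" + "\n".join(files) + "\n\nRegistry::\n" + "\n".join(registry) + "\n"

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"{h.severity:6} {h.section:4} {h.key or h.path}: {'; '.join(h.reasons)}")
    print(draft_cfscript(hits))
```

On the sample it reports ten lines, six of them high: the three system32 BHOs, both hex-named Run values and the wvUmKaYP Winlogon Notify entry, which are the same DLLs, CLSID and Run values the helper's script in Reply #13 lists. The ProxyServer and AutoConfigURL lines are reported for review only, because a campus WPAD file is a normal thing to see on a university network and a hijacked proxy looks exactly the same in the log; the ScsiAcc.exe service is listed for the same reason. Treat the "random-looking name" rule as a prompt to look the file up, not as proof: it also fires on abbreviation-style vendor names such as igfxsrvc.dll from the second log in this thread.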
Richter915 (Topic Starter)
« Reply #7 on: May 23, 2008, 06:30:51 PM »

I downloaded and ran Spyware Terminator and this is the log that came up. I have yet to clear out the found malware (I'll wait for the response from here) but here it is:
Logfile of Spyware Terminator v2.2.1.433 (db:1.000.000.000)
Scan Time: 5/23/2008 8:19:32 PM  length: 269 s
Platform: WXP (5.1.0.2600)
User: Admin
Boot Mode: Normal
Scan type: Fast_Spyware_Scan
Scanned Objects: 26258 (Critical:62)
Filter: No System items, No Safe items, No Invalid items

Running Processes
ccSetMgr.exe [Symantec Corporation] : C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
SUPERAntiSpyware.exe [SUPERAntiSpyware.com] : C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
SetPoint.exe [Logitech Inc.] : C:\Program Files\Logitech\SetPoint\SetPoint.exe
KHALMNPR.EXE [Logitech Inc.] : C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
DefWatch.exe [Symantec Corporation] : C:\Program Files\Symantec AntiVirus\DefWatch.exe
ScsiAcc.exe : C:\WINDOWS\system32\ScsiAcc.exe
Rtvscan.exe [Symantec Corporation] : C:\Program Files\Symantec AntiVirus\Rtvscan.exe
LastFM.exe [Last.fm] : C:\Program Files\Last.fm\LastFM.exe

Internet Settings
R - HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R - HKLM\Software\Microsoft\Internet Explorer\Main, Start Page = http://www.yahoo.com
R - HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R - HKLM\Software\Microsoft\Internet Explorer\Search, CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, ProxyOverride = 127.0.0.1;<local>
R - HKLM\System\CurrentControlSet\Services\Tcpip\Parameters, Domain =
R - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony, DomainName =

BHO
02 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} -  [Yahoo! Inc.] : C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
02 - BHO:  - {663656df-6bae-460c-a612-8133df519346} -  : C:\WINDOWS\system32\wvUmKaYP.dll
02 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -  [Sun Microsystems, Inc.] : C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
02 - BHO:  - {9d9b9798-90c0-4619-88f5-a4a052cd1c55} -  : C:\WINDOWS\system32\dyqpspox.dll
02 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} -  [Microsoft Corporation] : C:\Program Files\Windows Live Toolbar\msntb.dll
02 - BHO:  - {dc611d53-f5bd-4a4c-abcc-39a867d2a959} -  : C:\WINDOWS\system32\geBuRLFu.dll
02 - BHO: Adobe PDF - {182EC0BE-5110-49C8-A062-BEB1D02A220B} -  [Adobe Systems Incorporated] : C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

Toolbars
03 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} -  [Hewlett-Packard Company] : C:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
03 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -  [Yahoo! Inc.] : C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
03 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} -  [Microsoft Corporation] : C:\Program Files\Windows Live Toolbar\msntb.dll
03 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  [Adobe Systems Incorporated] : C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

StartUps
04 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, SUPERAntiSpyware :  [SUPERAntiSpyware.com] : C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
04 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Symantec NetDriver Monitor :  [Symantec Corporation] : C:\Program Files\SymNetDrv\SNDMon.exe
04 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, 045cae8d :  : C:\WINDOWS\system32\updwcpnv.dll
04 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, BM076f9d11 :  : C:\WINDOWS\system32\fmgvdpqx.dll
04 - Startup: %STARTUPALL%\Logitech SetPoint.lnk [Logitech Inc.] : C:\Program Files\Logitech\SetPoint\SetPoint.exe

Explorer Bars
Adobe PDF - {182EC0BE-5110-49C8-A062-BEB1D02A220B} -  [Adobe Systems Incorporated] : C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

Shell Extensions
RealOne Player Context Menu Class - {F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} -  [RealNetworks, Inc.] : C:\Program Files\Real\RealOne Player\rpshell.dll
SampleView - {7F67036B-66F1-411A-AD85-759FB9C5B0DB} -  [XSS] : C:\WINDOWS\system32\ShellvRTF.dll
RecordNow! SendToExt - {DEE12703-6333-4D4E-8F34-738C4DCC2E04} -  : C:\Program Files\RecordNow!\shlext.dll
WinZip - {E0D79304-84BE-11CE-9641-444553540000} -  [WinZip Computing, Inc.] : C:\Program Files\WinZip\WZSHLSTB.DLL
WinZip - {E0D79305-84BE-11CE-9641-444553540000} -  [WinZip Computing, Inc.] : C:\Program Files\WinZip\WZSHLSTB.DLL
WinZip - {E0D79306-84BE-11CE-9641-444553540000} -  [WinZip Computing, Inc.] : C:\Program Files\WinZip\WZSHLSTB.DLL
WinZip - {E0D79307-84BE-11CE-9641-444553540000} -  [WinZip Computing, Inc.] : C:\Program Files\WinZip\WZSHLSTB.DLL
YMailShellExt Class - {5464D816-CF16-4784-B9F3-75C0DB52B499} -  [Yahoo! Inc.] : C:\Program Files\Yahoo!\Common\ymmapi.dll
 - {1E392640-6E11-11d0-9097-00608C86B89C} -  [triton Interactive] : C:\WINDOWS\system32\BQShell.dll
7-Zip Shell Extension - {23170F69-40C1-278A-1000-000100020000} -  [Igor Pavlov] : C:\Program Files\7-Zip\7-zip.dll
GMail Drive - {2B3453E4-49DF-11D3-8229-0080BE509050} -  [Bjarke Viksoe] : C:\WINDOWS\system32\ShellExt\GMailFS.dll
GMailFS Property Sheet - {2B3453E4-49DF-11D3-8229-0080BE509052} -  [Bjarke Viksoe] : C:\WINDOWS\system32\ShellExt\GMailFS.dll
GMailFS Drop Handler - {2B3453E4-49DF-11D3-8229-0080BE509054} -  [Bjarke Viksoe] : C:\WINDOWS\system32\ShellExt\GMailFS.dll
GMailFS Context Menu - {2B3453E4-49DF-11D3-8229-0080BE509056} -  [Bjarke Viksoe] : C:\WINDOWS\system32\ShellExt\GMailFS.dll
Acrobat Elements Context Menu - {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} -  [Adobe Systems Inc.] : C:\Program Files\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll
VpshellEx Class - {BDA77241-42F6-11d0-85E2-00AA001FE28C} -  [Symantec Corporation] : C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
KbLogiExt Class - {DC70C4A5-2044-4c59-B806-DEFB9AE0DF7C} -  [Logitech Inc.] : C:\Program Files\Logitech\SetPoint\kbcplext.dll
LogiExt Class - {B9B9F083-2B04-452A-8691-83694AC1037B} -  [Logitech Inc.] : C:\Program Files\Logitech\SetPoint\mcplext.dll
AcSignIcon - {36A21736-36C2-4C11-8ACB-D4136F2B57BD} -  [Autodesk] : C:\WINDOWS\system32\AcSignIcon.dll
ACTHUMBNAIL - {AC1DB655-4F9A-4c39-8AD2-A65324A4C446} -  [Autodesk] : C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll
ACDWFTHMBPRXY - {6DEA92E9-8682-4b6a-97DE-354772FE5727} -  [Autodesk] : C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll
Outlook File Icon Extension - {0006F045-0000-0000-C000-000000000046} -  [Microsoft Corporation] : C:\Program Files\Microsoft Office\OFFICE11\OLKFSTUB.DLL
Microsoft Office Outlook - {00020D75-0000-0000-C000-000000000046} -  [Microsoft Corporation] : C:\Program Files\Microsoft Office\OFFICE11\MLSHEXT.DLL

Shell Extecute Hooks
 - {{663656DF-6BAE-460C-A612-8133DF519346}} -  : C:\WINDOWS\system32\wvUmKaYP.dll
SABShellExecuteHook Class - {{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}} -  [SuperAdBlocker.com] : C:\Program Files\SUPERAntiSpyware\SASSEH.DLL

Protocol Handler
CZipHandler Object - {CF184AD3-CDCB-4168-A3F7-8E447D129300} -  [Hewlett-Packard Company] : C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

Services
23 - [Agere Systems] : C:\WINDOWS\system32\DRIVERS\AGRSM.sys
23 - [Realtek Semiconductor Corp.] : C:\WINDOWS\system32\drivers\ALCXWDM.SYS
23 - [Symantec Corporation] : C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
23 - : C:\WINDOWS\system32\DRIVERS\d347bus.sys
23 - : C:\WINDOWS\system32\Drivers\d347prt.sys
23 - [Symantec Corporation] : C:\Program Files\Symantec AntiVirus\DefWatch.exe
23 - [Symantec Corporation] : C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
23 - [Symantec Corporation] : C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
23 - [Promise Technology, Inc.] : C:\WINDOWS\system32\DRIVERS\fasttx2k.sys
23 - [VIA Technologies, Inc.] : C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys
23 - [InterVideo, Inc.] : C:\WINDOWS\system32\drivers\iviaspi.sys
23 - [Logitech Inc.] : C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys
23 - [Logitech, Inc.] : C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
23 - [Logitech, Inc.] : C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
23 - [Logitech, Inc.] : C:\WINDOWS\system32\Drivers\LUsbFilt.Sys
23 - [Symantec Corporation] : C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080516.019\NAVENG.SYS
23 - [Symantec Corporation] : C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080516.019\NAVEX15.SYS
23 - : C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
23 - [SuperAdBlocker, Inc.] : C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
23 - : C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
23 - [Symantec Corporation] : C:\Program Files\Symantec AntiVirus\savrt.sys
23 - [Symantec Corporation] : C:\Program Files\Symantec AntiVirus\Savrtpel.sys
23 - : C:\WINDOWS\system32\ScsiAcc.exe
23 - [Silicon Integrated Systems Corporation] : C:\WINDOWS\system32\DRIVERS\SISAGPX.sys
23 - [Silicon Integrated Systems Corporation] : C:\WINDOWS\system32\DRIVERS\srvkp.sys
23 - [Symantec Corporation] : C:\Program Files\Symantec AntiVirus\Rtvscan.exe
23 - [Symantec Corporation] : C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
23 - [Symantec Corporation] : C:\WINDOWS\system32\Drivers\SYMTDI.SYS
23 - [Copyright (C) VIA/S3 Graphics Co, Ltd.] : C:\WINDOWS\system32\DRIVERS\vtmini.sys
23 - [Logitech Inc.] : C:\WINDOWS\system32\drivers\WmBEnum.sys
23 - [Logitech Inc.] : C:\WINDOWS\system32\drivers\WmXlCore.sys
Richter915 (Topic Starter)
« Reply #8 on: May 23, 2008, 06:31:53 PM »

here's more of the log:

Winlogon Notify
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!saswinlogon, DLLName :  [SUPERAntiSpyware.com] : C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui, DLLName :  [Intel Corporation] : C:\WINDOWS\system32\igfxsrvc.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon, DLLName :  [Symantec Corporation] : C:\WINDOWS\system32\NavLogon.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wvUmKaYP, DLLName :  : C:\WINDOWS\system32\wvUmKaYP.dll

IE URL Search Hooks
Yahoo! Toolbar - {{EF99BD32-C1FB-11D2-892F-0090271D4F88}} -  [Yahoo! Inc.] : C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll

System Policies
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions :  :

Threat Files
<Client-IRC.mIRC.616> : C:\Documents and Settings\Owner\Desktop\Installers\mirc616.exe
<IEPlugin> [Pacific Gold Coast Corp.] : C:\WINDOWS\systb.exe
<ViewPoint Toolbar> [Viewpoint Corporation] : C:\Program Files\VIEWPOINT\VIEWPOINT TOOLBAR\VIEWBARBHO.DLL
<ViewPoint Toolbar> : C:\Program Files\VIEWPOINT\VIEWPOINT TOOLBAR\ViewBarInstaller.exe
<ViewPoint Toolbar> : C:\Program Files\VIEWPOINT\VIEWPOINT TOOLBAR\images\anti_spyware.gif
<ViewPoint Toolbar> : C:\Program Files\VIEWPOINT\VIEWPOINT TOOLBAR\images\blue.gif
<ViewPoint Toolbar> : C:\Program Files\VIEWPOINT\VIEWPOINT TOOLBAR\images\bottom_left.gif
<ViewPoint Toolbar> : C:\Program Files\VIEWPOINT\VIEWPOINT TOOLBAR\images\bottom_right.gif
<ViewPoint Toolbar> : C:\Program Files\VIEWPOINT\VIEWPOINT TOOLBAR\images\congratulations.gif
<ViewPoint Toolbar> : C:\Program Files\VIEWPOINT\VIEWPOINT TOOLBAR\images\download_skins.gif
<ViewPoint Toolbar> : C:\Program Files\VIEWPOINT\VIEWPOINT TOOLBAR\images\howtouse.gif
<ViewPoint Toolbar> : C:\Program Files\VIEWPOINT\VIEWPOINT TOOLBAR\images\liberty.jpg
<ViewPoint Toolbar> : C:\Program Files\VIEWPOINT\VIEWPOINT TOOLBAR\images\no_spyware.gif
<ViewPoint Toolbar> : C:\Program Files\VIEWPOINT\VIEWPOINT TOOLBAR\images\s.gif
<ViewPoint Toolbar> : C:\Program Files\VIEWPOINT\VIEWPOINT TOOLBAR\images\skins.jpg
<ViewPoint Toolbar> : C:\Program Files\VIEWPOINT\VIEWPOINT TOOLBAR\images\takeamoment.gif
<ViewPoint Toolbar> : C:\Program Files\VIEWPOINT\VIEWPOINT TOOLBAR\images\Thumbs.db
<ViewPoint Toolbar> : C:\Program Files\VIEWPOINT\VIEWPOINT TOOLBAR\images\top_left.gif
<ViewPoint Toolbar> : C:\Program Files\VIEWPOINT\VIEWPOINT TOOLBAR\images\top_right.gif
<ViewPoint Toolbar> : C:\Program Files\VIEWPOINT\VIEWPOINT TOOLBAR\images\vwpt_logo.gif
<ViewPoint Toolbar> : C:\Program Files\VIEWPOINT\VIEWPOINT TOOLBAR\stylesheets\style.css
<Trojan.IRC.Flood.SME> : C:\WINDOWS\system\Drivers\sysmake.vxd
<BitTorrent Smart> : C:\Documents and Settings\Owner\Application Data\.bittorrent\data\ui_config
<BitTorrent Smart> : C:\Documents and Settings\Owner\Application Data\.bittorrent\data\ui_state
<BitTorrent Smart> : C:\Documents and Settings\Owner\Application Data\.bittorrent\data\routing_table
<BitTorrent Smart> : C:\Documents and Settings\Owner\Application Data\.bittorrent\data\torrent_config
<BitTorrent Smart> : C:\Documents and Settings\Owner\Application Data\.bittorrent\data\metainfo\28abbdc5a111a3f900dc0489b85176db0a8e2d72
<BitTorrent Smart> : C:\Documents and Settings\Owner\Application Data\.bittorrent\data\metainfo\30559ccec017208153e3b8ee78039daefd70a9f6
<BitTorrent Smart> : C:\Documents and Settings\Owner\Application Data\.bittorrent\data\metainfo\3ee0bb302937f0134f6916a61133cfdd141591fe
<BitTorrent Smart> : C:\Documents and Settings\Owner\Application Data\.bittorrent\data\metainfo\4a65d1c1dae1307af095191bb14f2a4948e0d5f8
<BitTorrent Smart> : C:\Documents and Settings\Owner\Application Data\.bittorrent\data\metainfo\6c7436fd37e9e9c5e7d850abb135dbfcf704c3f5
<BitTorrent Smart> : C:\Documents and Settings\Owner\Application Data\.bittorrent\data\metainfo\6ff6d6797c008edd12cd059ee4ab85f38c8cb2d3
<BitTorrent Smart> : C:\Documents and Settings\Owner\Application Data\.bittorrent\data\metainfo\81c98c66c071bdfefda5df532ce6848205420116
<BitTorrent Smart> : C:\Documents and Settings\Owner\Application Data\.bittorrent\data\metainfo\8c52667508b40872d2f1a11f6c8048724ff0d9be
<BitTorrent Smart> : C:\Documents and Settings\Owner\Application Data\.bittorrent\data\metainfo\aed5e80318888a6ca7acd2f6e396f9ec6e4213ed
<BitTorrent Smart> : C:\Documents and Settings\Owner\Application Data\.bittorrent\data\metainfo\bedf1f32f51ec8a871c8257123438b9e230198ea
<BitTorrent Smart> : C:\Documents and Settings\Owner\Application Data\.bittorrent\data\metainfo\c79b8cfee8aa6d167eecec4e095eda6139a76038
<BitTorrent Smart> : C:\Documents and Settings\Owner\Application Data\.bittorrent\data\metainfo\cd27df9935b637654355401a25155684fa6d16d1
<BitTorrent Smart> : C:\Documents and Settings\Owner\Application Data\.bittorrent\data\metainfo\d859f96764e4eab82f1975a22267890f515c8e7a
<BitTorrent Smart> : C:\Documents and Settings\Owner\Application Data\.bittorrent\data\metainfo\e971071f2b122c4fd72bbdfa1e1470a501d542c6
<BitTorrent Smart> : C:\Documents and Settings\Owner\Application Data\.bittorrent\data\metainfo\f8eb3fe59cf0333609fdc19dcd8bbd6b1804149e
<BitTorrent Smart> : C:\Documents and Settings\Owner\Application Data\.bittorrent\data\resume\28abbdc5a111a3f900dc0489b85176db0a8e2d72
<BitTorrent Smart> : C:\Documents and Settings\Owner\Application Data\.bittorrent\data\resume\30559ccec017208153e3b8ee78039daefd70a9f6
<BitTorrent Smart> : C:\Documents and Settings\Owner\Application Data\.bittorrent\data\resume\3ee0bb302937f0134f6916a61133cfdd141591fe
<BitTorrent Smart> : C:\Documents and Settings\Owner\Application Data\.bittorrent\data\resume\4a65d1c1dae1307af095191bb14f2a4948e0d5f8
<BitTorrent Smart> : C:\Documents and Settings\Owner\Application Data\.bittorrent\data\resume\6c7436fd37e9e9c5e7d850abb135dbfcf704c3f5
<BitTorrent Smart> : C:\Documents and Settings\Owner\Application Data\.bittorrent\data\resume\6ff6d6797c008edd12cd059ee4ab85f38c8cb2d3
<BitTorrent Smart> : C:\Documents and Settings\Owner\Application Data\.bittorrent\data\resume\81c98c66c071bdfefda5df532ce6848205420116
<BitTorrent Smart> : C:\Documents and Settings\Owner\Application Data\.bittorrent\data\resume\8c52667508b40872d2f1a11f6c8048724ff0d9be
<BitTorrent Smart> : C:\Documents and Settings\Owner\Application Data\.bittorrent\data\resume\aed5e80318888a6ca7acd2f6e396f9ec6e4213ed
<BitTorrent Smart> : C:\Documents and Settings\Owner\Application Data\.bittorrent\data\resume\bedf1f32f51ec8a871c8257123438b9e230198ea
<BitTorrent Smart> : C:\Documents and Settings\Owner\Application Data\.bittorrent\data\resume\c79b8cfee8aa6d167eecec4e095eda6139a76038
<BitTorrent Smart> : C:\Documents and Settings\Owner\Application Data\.bittorrent\data\resume\cd27df9935b637654355401a25155684fa6d16d1
<BitTorrent Smart> : C:\Documents and Settings\Owner\Application Data\.bittorrent\data\resume\d859f96764e4eab82f1975a22267890f515c8e7a
<BitTorrent Smart> : C:\Documents and Settings\Owner\Application Data\.bittorrent\data\resume\e971071f2b122c4fd72bbdfa1e1470a501d542c6
<BitTorrent Smart> : C:\Documents and Settings\Owner\Application Data\.bittorrent\data\resume\f8eb3fe59cf0333609fdc19dcd8bbd6b1804149e
<IcooLoader> : C:\Program Files\icoo loader\filequeue.xml
<IcooLoader> : C:\Program Files\icoo loader\finf_tmp.html
<IcooLoader> : C:\Program Files\icoo loader\logs\log.txt
evilfantasy (Malware Removal Specialist, Moderator)
« Reply #9 on: May 23, 2008, 06:34:26 PM »

Download Combofix by sUBs from one of the below links.
(Try all three if necessary.) Important! Combofix.exe MUST be saved to and run from the Desktop.
  • Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
  • Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
    • Click this link to see a list of security programs that should be disabled and how to disable them.
    • If yours is not listed and you don't know how to disable it, please ask.
  • Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
  • Double click combofix.exe & follow the prompts.
    • Choose Yes to accept the Disclaimers.
    • When finished, it will produce a log for you.
    • Post that log in your next reply.
    Warning: Do not mouseclick combofix's window while it is running. That may cause it to stall
    • If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
    • Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.
    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    If needed, see this Combofix tutorial with screenshots that will detail the downloading and running of combofix more thoroughly.
Richter915 (Topic Starter)
« Reply #10 on: May 23, 2008, 10:45:39 PM »

I've downloaded Combofix to the desktop but it will not run. Not sure why, I closed out all windows and disconnected from the net, it still will not run.
evilfantasy (Malware Removal Specialist, Moderator)
« Reply #11 on: May 23, 2008, 10:54:09 PM »

Let's try running Combofix in a different way.
• Make sure combofix is located on your desktop.
• Now STOP all your monitoring programs
• Click this link to see a list of security programs that should be disabled and how to disable them.
• Click on your START button and choose Run.  Then copy/paste the entire content of the following Codebox (Including the "" marks and the Symbols) into the run box.

Code:
"%userprofile%\desktop\ComboFix.exe" /KillAll

• Click OK and this will start combofix in a special way.
• When finished, it will produce a log.
• Please save that log to a Notepad File and include it in your next reply.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

* ComboFix will automatically Restart your machine when the KillAll switch is used.

Combofix (CF) disconnects your machine from the internet. The connection is automatically restored before CF completes its run.
If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Richter915 (Topic Starter)
« Reply #12 on: May 24, 2008, 01:59:04 PM »

Been a while since my last post but BIG changes. So the instructions you gave for Combofix, although good, did not work. BUT, I accidentally changed the file name of Combofix to fix and it worked! I ran it and it went through everything, I rebooted and my machine is running somewhat better. Only problem was after that scan, I couldn't access this forum. Yet, I was now able to access other sites that I couldn't before (majorgeeks) but this forum (as well as Google and Yahoo) were no longer working for me. So with the idea of changing the filename fresh in my mind, I went to my mbam-setup file and changed it to mam-setup and there you go, it installed and I just finished the quick scan. I rebooted and now things seem to be running smoother (I can come back on this forum, I can search Google and Yahoo) but my homepage is still set to that runonce site and I do still get popups on IE. My logs are attached

[recovering space - attachment deleted by admin]
evilfantasy (Malware Removal Specialist, Moderator)
    « Reply #13 on: May 24, 2008, 02:58:28 PM »

    Disable Spybot's TeaTimer

    While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent our tools from fixing certain things.
    Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your logs are clean.

    First:

    • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
    • Choose Exit Spybot S&D Resident
    Second:
    • Open Spybot S&D
    • Click Mode, check Advanced Mode
    • Go To Left Panel, Click Tools, then also in left panel, click Resident
    • If your firewall raises a question, say OK
    • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
    • Use File, Exit to terminate Spybot
    • Reboot your machine for the changes to take effect.
    ----------

    Delete these files/folders, as follows:

    1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
    It must be Notepad, not Wordpad.
    • Click Start , then Run
    • Type notepad.exe in the Run Box.
    2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

    Code:
    KillAll::

    File::
    C:\WINDOWS\system32\hhmxfdyb.exe
    C:\WINDOWS\system32\ftembefa.dll
    C:\WINDOWS\system32\gbnvcblt.dll
    C:\WINDOWS\system32\qpvqsufn.dll
    C:\WINDOWS\system32\jfpkfirk.exe
    C:\WINDOWS\system32\dyqpspox.dll
    C:\WINDOWS\system32\updwcpnv.dll
    C:\WINDOWS\system32\fmgvdpqx.dll
    C:\WINDOWS\system32\jpcbhawv.exe
    C:\WINDOWS\system32\cnhamnbe.dll
    C:\WINDOWS\system32\ihstwpkj.dll
    C:\WINDOWS\BM076f9d11.xml
    C:\WINDOWS\system32\gsbgqpwwfw.sys
    C:\WINDOWS\system32\gh.l
    C:\WINDOWS\system32\yl.po
    C:\WINDOWS\system32\mn.n
    C:\WINDOWS\system32\ccs.so
    C:\WINDOWS\system32\bmf.cs
    C:\WINDOWS\system32\wvUmKaYP.dll.vir

    Registry::
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{012f0183-f42f-4734-8d18-22b7b412a571}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39a4a522-0da1-4e30-a925-ea1243f8afff}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ff3085b5-b331-4cfc-b758-87b8e0458a8f}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "045cae8d"=-
    "BM076f9d11"=-

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\045cae8d]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jdgf894jrghoiiskd]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jnskdfmf9eldfd]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\plyrihnpsoi]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rdpdd]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sais]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebRebates0]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wintelupdate]

    3. Go to the Notepad window and click Edit > Paste
    4. Then click File > Save
    5. Name the file CFScript.txt - Save the file to your Desktop
    6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



    ComboFix will begin to execute, just follow the prompts.
    After reboot (in case it asks to reboot), it will produce a log for you.
    Post that log (Combofix.txt) in your next reply.

    Note: Do not mouseclick combofix's window while it is running. That may cause your system to freeze

    ----------

    Download ATF Cleaner by Atribune and save it to your Desktop
    Follow the instructions for the browser you use.
    Read the instructions about the cookies. Delete what you do not need.

    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:
    • Windows Temp
    • Current User Temp
    • All Users Temp
    • Temporary Internet Files
    • Java Cache
    The rest are optional - if you want to remove everything, check Select All
    Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
    If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.
    When you have finished, click on the Exit button in the Main menu.

    ----------

    Create An Uninstall List
    • Start HijackThis
    • Click on the Open the Misc Tools section
    • Click on the Open Uninstall Manager button.
    • Click on the Save list button and specify where you would like to save this file and click Save.
      • When you press Save button a notepad will open with the contents of that file.
    • Copy and paste that list in your reply.
    ----------

    Next post add
    New Combofix log
    Uninstall list

    Let me know how things are now

    Richter915
    Topic Starter
    « Reply #14 on: May 24, 2008, 05:12:02 PM »

    The two lists you requested are attached. Things are running much, much smoother (especially after that MBAM scan). As of yet, no pop-ups, but I'll wait a bit before I celebrate. All sites are working OK and I can download on Firefox as well as IE. Thank you for the instructions on disabling TeaTimer, I was looking for that. Thanks again in general, you've been an extreme help on this entire issue. Only two things have been a nuisance lately... I've been trying to run Ad-Aware 2008 and my comp reboots mid-scan... and boot-up times are much, much longer than before, but that's expected with the increase in the number of startup programs.

    [recovering space - attachment deleted by admin]
    evilfantasy
    Malware Removal Specialist
    « Reply #15 on: May 24, 2008, 05:51:18 PM »

    Some stubborn ones to get rid of.

    Now download The Avenger by Swandog46 and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Code box below, and paste it into the Input script here window:
    Code:
    Comment:

    Registry values to delete:

    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jdgf894jrghoiiskd

    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jnskdfmf9eldfd

    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\plyrihnpsoi

    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rdpdd

    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webrebates0

    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA

    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wintelupdate


    Note: the above instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system


    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    • Add the Avenger log in your next post.
    ----------

    Your Java is out of date.
    Older versions of Java have vulnerabilities that malware can use to infect your system.
    Please follow these steps to remove older version(s) of Java components and update.
     
    Step 1 - Get the new version
    • Go to the Sun Java Download Page
    • On the Sun Java page scroll to the 5th download. Java Runtime Environment (JRE) 6 Update 6
    • Click the button and choose the options.
      • Platform Windows
      • Language English
      • Next place a check mark in the box to agree to the License Agreement.
    • "I agree to the Java SE Runtime Environment 6 License Agreement"
    • Click Continue
    • Click on the link to download Windows Offline Installation and save to your desktop.
    • Then from your desktop double-click on jre-6u6-windowsi586-p.exe to install the newest version.
    • Follow the prompts to complete the installation.
    Step 2 - Remove old version(s)
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel > Add/Remove programs and remove all older versions of Java.
    • Do not remove Java 6 Update 6
      • Uninstall all of these.
      • J2SE Runtime Environment 5.0 Update 10
      • J2SE Runtime Environment 5.0 Update 2
      • J2SE Runtime Environment 5.0 Update 4
      • J2SE Runtime Environment 5.0 Update 7
      • J2SE Runtime Environment 5.0 Update 8
      • J2SE Runtime Environment 5.0 Update 9
      • Java 2 Runtime Environment, SE v1.4.2_03
      • Java 2 Runtime Environment, SE v1.4.2_05
      • Java 2 Runtime Environment, SE v1.4.2_06
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each old Java version.
    • Restart your computer once all Java components are removed.
    Step 3 - Remove old folder(s)
    • Double click My Computer on the desktop and locate this folder: C:\Program Files\Java
    • Open the Java folder and delete any subfolders except the jre1.6.0_06 folder which was just created by the newest Java installation.
    ----------

    Also uninstall Viewpoint Media Player

    See Viewpoint to Plunge Into Adware

    ----------

    Next post add
    Avenger log


    Hopefully the boot times will start to improve.

    Let me know how everything is now.

    Richter915
    Topic Starter
    « Reply #16 on: May 24, 2008, 11:24:04 PM »

    Boot time was a little improved, but I think a scan is running every time I boot up. In the task manager it's called DoScan? After running Avenger, on the reboot several pop-up errors with the title "no disk" kept appearing, which was very odd. Here's the log...

    //////////////////////////////////////////
      Avenger Pre-Processor log
    //////////////////////////////////////////

    Platform: Windows XP (build 2600, Service Pack 2)
    Sun May 25 01:12:33 2008

    01:12:10: Error: Invalid syntax in command:
    "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jdgf894jrghoiiskd"
    Skipping line.  (Registry value deletion mode) 
    01:12:12: Error: Invalid syntax in command:
    "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jnskdfmf9eldfd"
    Skipping line.  (Registry value deletion mode) 
    01:12:13: Error: Invalid syntax in command:
    "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\plyrihnpsoi"
    Skipping line.  (Registry value deletion mode) 
    01:12:21: Error: Invalid syntax in command:
    "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rdpdd"
    Skipping line.  (Registry value deletion mode) 
    01:12:22: Error: Invalid syntax in command:
    "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webrebates0"
    Skipping line.  (Registry value deletion mode) 
    01:12:24: Error: Invalid syntax in command:
    "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA"
    Skipping line.  (Registry value deletion mode) 
    01:12:25: Error: Invalid syntax in command:
    "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wintelupdate"
    Skipping line.  (Registry value deletion mode) 


    //////////////////////////////////////////


    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform:  Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!


    Completed script processing.

    *******************

    Finished!  Terminate.


    [recovering space - attachment deleted by admin]
    evilfantasy
    Malware Removal Specialist
    « Reply #17 on: May 24, 2008, 11:38:41 PM »

    Look here for information on the DoScan.

    For some reason the reg values aren't going away with any of the tools used....yet!

    ----------

    Open Hijackthis and select Do a system scan only.

    Place a check mark next to the following entries: (if there)

    - C:\WINDOWS\system32\ScsiAcc.exe
    - R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 216.133.248.230:80 <<--Unless you did this yourself
    - O2 - BHO: (no name) - SOFTWARE - (no file)
    - O8 - Extra context menu item: Open with &ZipScan - C:\PROGRA~1\ZIPSCA~1\zs_ie.htm
    - O9 - Extra button: (no name) - cmdmapping - (no file) (HKCU)
    - O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAcc.exe


    Important: Close all windows except for Hijackthis and then click Fix checked.

    Exit Hijackthis.

    ----------

    Download OTMoveIt2 by OldTimer
    • Save it to your desktop.
    • Double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      C:\WINDOWS\system32\ScsiAcc.exe
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jdgf894jrghoiiskd
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jnskdfmf9eldfd
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\plyrihnpsoi
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rdpdd
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webrebates0
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wintelupdate
    • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the Yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the Green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt2
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

    ----------

    Next post add
    OTMoveIt log



    Richter915
    Topic Starter
    « Reply #18 on: May 25, 2008, 11:14:16 AM »

    Here's the log:

    C:\WINDOWS\system32\ScsiAcc.exe moved successfully.
    < HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jdgf894jrghoiiskd >
    Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jdgf894jrghoiiskd\\ deleted successfully.
    < HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jnskdfmf9eldfd >
    Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jnskdfmf9eldfd\\ deleted successfully.
    < HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\plyrihnpsoi >
    Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\plyrihnpsoi\\ not found.
    < HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rdpdd >
    Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rdpdd\\ not found.
    < HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webrebates0 >
    Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webrebates0\\ deleted successfully.
    < HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA >
    Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA\\ deleted successfully.
    < HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wintelupdate  >
    Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wintelupdate \\ not found.
     
    OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05252008_131353
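As an added example (not part of this thread, and not code from OTMoveIt2 or Avenger), here is a small Python reconciliation of the list pasted into OTMoveIt2 against its result log, plus a parser for the Avenger pre-processor errors from Reply #16, which shows that every command in that run was skipped as invalid syntax in registry value deletion mode, so Avenger deleted nothing. The line formats are assumed from the excerpts quoted in this thread; the sample logs below are constructed and shortened.

```python
"""Added example (not the tools' own code): check a cleanup log against what was requested."""
import re

# Constructed: the list pasted into OTMoveIt2, one item per line.
REQUESTED = r"""
C:\WINDOWS\system32\ScsiAcc.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jdgf894jrghoiiskd
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wintelupdate
"""

# Constructed OTMoveIt2 result lines in the shape of the log posted above, including
# the doubled backslash it appends to a key and the stray space after "wintelupdate".
OTMOVEIT_LOG = r"""
C:\WINDOWS\system32\ScsiAcc.exe moved successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jdgf894jrghoiiskd >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jdgf894jrghoiiskd\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wintelupdate  >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wintelupdate \\ not found.
"""

# Constructed Avenger pre-processor errors in the shape of the log in Reply #16.
AVENGER_LOG = r"""
01:12:10: Error: Invalid syntax in command:
"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jdgf894jrghoiiskd"
Skipping line.  (Registry value deletion mode)
01:12:12: Error: Invalid syntax in command:
"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wintelupdate"
Skipping line.  (Registry value deletion mode)
"""

FILE_RE = re.compile(r"^(?P<name>.+?) (?P<status>moved successfully|not found)\.$")
KEY_RE = re.compile(r"^Registry key (?P<name>.+?)\s*\\\\ (?P<status>deleted successfully|not found)\.$")
AVENGER_ERR_RE = re.compile(r"^\d\d:\d\d:\d\d: Error: Invalid syntax in command:$")

def norm(item):
    return item.strip().lower()  # Windows paths and registry keys are case-insensitive

def parse_otmoveit(log):
    """Map each item OTMoveIt2 reported on to the outcome it logged; '< ... >' lines are skipped."""
    outcomes = {}
    for line in log.splitlines():
        m = KEY_RE.match(line.strip()) or FILE_RE.match(line.strip())
        if m:
            outcomes[norm(m.group("name"))] = m.group("status")
    return outcomes

def reconcile(requested, log):
    """Outcome for every requested item, including ones the log never mentions."""
    outcomes = parse_otmoveit(log)
    return {item.strip(): outcomes.get(norm(item), "no result logged")
            for item in requested.splitlines() if item.strip()}

def still_open(requested, log):
    """Requested items that were not removed: absent on the box, or never reported."""
    done = ("moved successfully", "deleted successfully")
    return [i for i, o in reconcile(requested, log).items() if o not in done]

def avenger_skipped(log):
    """(command, mode) for each line the Avenger pre-processor refused to run."""
    lines = [l.strip() for l in log.splitlines()]
    skipped = []
    for i, line in enumerate(lines):
        if AVENGER_ERR_RE.match(line) and i + 2 < len(lines):
            mode = re.search(r"\((.+?)\)", lines[i + 2])
            skipped.append((lines[i + 1].strip('"'), mode.group(1) if mode else "unknown"))
    return skipped
```

A "not found" entry means the key was already gone (or the name differs from what is on the box), while "no result logged" means the tool never reported on it at all; both deserve a second look before declaring the entry cleared.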
    evilfantasy
    Malware Removal Specialist
    « Reply #19 on: May 25, 2008, 12:01:13 PM »

    Let's clear out the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if launched accidentally. These steps will also help secure the work you have done.

    • Click START then RUN
    • Now type Combofix /u in the runbox
    • Make sure there's a space between Combofix and /u
    • Then hit Enter.

    The above procedure will:
    • Delete:
      • ComboFix and its associated files and folders.
      • VundoFix backups, if present
      • The C:\Deckard folder, if present
      • The C:\_OTMoveIt folder, if present
      • Reset the clock settings.
      • Hide file extensions, if required.
      • Hide System/Hidden files, if required.
      • Set a new, clean Restore Point.

    1. Double click OTMoveIt2.exe to launch it.
    Vista users right click and choose Run As Administrator
    2. Click on the CleanUp! button.
    3. OTMoveIt2 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
    4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
    5. Once complete, exit out of OTMoveIt2

    Set a New Restore Point to prevent possible reinfection from an old one
    Setting a new restore point AFTER cleaning your system will enable your computer to roll back to a clean working state if needed.
    • Go to Start > Programs > Accessories > System Tools and click System Restore
    • Choose the radio button marked Create a Restore Point on the first screen, then click Next. Give the Restore Point a name, then click Create.
    • The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Next go to Start > Run and type Cleanmgr
    • Click OK
    • Click the More Options Tab.
    • Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.

    Use the Secunia Software Inspector to check for out of date software.
    • Click Start Now
    • Check the box next to Enable thorough system inspection.
    • Click Start
    • Allow the scan to finish and scroll down to see if any updates are needed.
    • Update anything listed.

    How is everything now?
      Copyright © 2010 Computer Hope ® All rights reserved.