Tech Support Forum > Security Center > HijackThis Log Help
12-29-2007, 02:58 PM   #1
Registered User
 
Join Date: Dec 2007
Posts: 88
OS: Windows XP


Computer infected, please help!

Hello,

I am hoping that someone can help me! My computer is infected with spyware and I can't get rid of the pop ups!

My computer runs very slow and it's hard to do anything! I've run the Super AntiSpyware and got rid of a lot of stuff plus a couple of trojans. But I am still having lots of trouble and don't know what else to do!

Can someone help me?

Thanks,
Caryn


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:57:17 PM, on 12/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\usbplay.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Washer\washer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\4209D\svchost.exe
C:\WINDOWS\system32\4209D\ctfmon.exe
C:\WINDOWS\system32\4209D\ctfmon.exe
C:\WINDOWS\system32\4209D\ctfmon.exe
C:\WINDOWS\system32\4209D\ctfmon.exe
C:\WINDOWS\system32\4209D\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\4209D\ctfmon.exe
C:\WINDOWS\system32\4209D\ctfmon.exe
C:\WINDOWS\system32\4209D\ctfmon.exe
C:\WINDOWS\system32\4209D\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\4209D\ctfmon.exe
C:\WINDOWS\system32\4209D\ctfmon.exe
C:\WINDOWS\system32\4209D\ctfmon.exe
C:\WINDOWS\system32\4209D\ctfmon.exe
C:\WINDOWS\system32\4209D\ctfmon.exe
C:\WINDOWS\system32\4209D\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\8f3b1.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\3511\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = actsvr.comcastonline.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe usbhelp.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AdPopup - {11F09AFD-75AD-4E51-AB43-E09E9351CE16} - C:\Program Files\Common Files\CPUSH\cpush0.dll
O2 - BHO: Invoke Class - {5FB8C5D4-929F-4870-89E2-7E3EE26EE701} - C:\WINDOWS\system32\28f1.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8F776B2A-72DF-40C1-BD69-EDB642A706D7} - C:\WINDOWS\system32\bho.dll
O2 - BHO: (no name) - {9963387B-212E-4643-B207-82DAEA0E713D} - C:\Program Files\Internet Explorer\PLUGINS\Wn_Sys8x.Sys
O2 - BHO: (no name) - {A45B2C37-01D0-4D3E-BE5E-CC119B17BE9E} - C:\Program Files\Internet Explorer\IEXPLORE32.win
O2 - BHO: (no name) - {C5E87A05-F463-4841-B19E-DD3EC3862368} - C:\Program Files\Internet Explorer\IEXPLORE32.Sys
O2 - BHO: (no name) - {EE12D60D-AD9A-4095-B839-3BE6862679FD} - C:\Program Files\Internet Explorer\IEXPLORE32.Dat
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\Owner\LOCALS~1\Temp\20075149618_mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Owner\LOCALS~1\Temp\20075149613_mcinfo.exe /insfin
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe -1 --delay 15
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [NVDispDrv] C:\WINDOWS\iqcppq.exe
O4 - HKLM\..\Run: [MsPrint32D] C:\WINDOWS\ijezwn.exe
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Owner"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - HKCU\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /M "Stylus CX4800" /EF "HKCU"
O4 - HKCU\..\Run: [EPSON Stylus CX5000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVA.EXE /FU "C:\WINDOWS\TEMP\E_SE2C.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDEG32] LYLoader.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDWG32] LYLoadbr.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDCG32 ] LYLeador.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDOG32] LYLoador.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDSG32] LYLoadar.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDMG32] LYLoadmr.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDHG32] LYLoadhr.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDQG32] LYLoadqr.exe
O4 - HKLM\..\Policies\Explorer\Run: [hh9] rundll32 "C:\WINDOWS\Downlo~1\hh9.dll",start
O4 - HKLM\..\Policies\Explorer\Run: [num3rm0b] rundll32 "C:\WINDOWS\Downlo~1\num3rm0b.dll",Run
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-48.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1193059601484
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1193059577453
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_inst...syInstallX.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ServicevcHelp (Serviceusbhelp) - Unknown owner - C:\WINDOWS\system32\usbplay.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Yahoo Service (YahooSvr) - Unknown owner - C:\WINDOWS\system32\4209D\svchost.exe

--
End of file - 13466 bytes
carynm is offline  
12-29-2007, 05:50 PM   #2
Analyst, Security Team
 
Join Date: Nov 2007
Location: Manchester, UK
Posts: 630
OS: W2K SP4 + XP SP2 + Vista


Re: Computer infected, please help!

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

I'm afraid I have unpleasant news for you. You have evidence of a Very Dangerous infection on this machine.
Your machine is heavily infected, and more than one of the infections is a Password Stealer.

It allows outsiders COMPLETE access to every keystroke, account, and password you use while on this machine.

If the Computer has been used for any important data, you are strongly advised to do the following, immediately:
  • Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
  • Back up all important data on the machine. Do not back up any Applications (programs). Those should be re-installed from the original source CDs or websites.
  • If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
    Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
  • Take any other steps you think appropriate for an attempted identity theft.
I am sorry to be the bearer of bad news, but it is best that you know the full impact of this infection :(



Download and Run ComboFix
  • Download ComboFix from one of the links below:

    ComboFix.exe 1
    ComboFix.exe 2
    ComboFix.exe 3
  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
ComboFix SHOULD NOT be used unless requested by a forum helper
Katana is offline  
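The kind of triage Katana did by eye on the HijackThis log above, written out as an added example (not the forum's or the analyst's own tooling): a small Python checker for HijackThis 2.0 lines that flags well-known system-binary names running from the wrong directory, a modified Shell= value, Policies\Explorer\Run and Temp-directory autostarts, unnamed BHOs whose file is not a DLL, and unknown-owner services backed by such a misplaced binary. The sample log is a constructed excerpt of the first post's log; the rule set is my assumption and not anything HijackThis itself does.

```python
import re
from typing import Dict, List, Optional

# Binaries that Windows XP runs only from these directories. A copy with the same
# name elsewhere (the log's system32\4209D\svchost.exe) is a look-alike.
SYSTEM_BINARIES = {
    "smss.exe": "c:\\windows\\system32",
    "csrss.exe": "c:\\windows\\system32",
    "winlogon.exe": "c:\\windows\\system32",
    "services.exe": "c:\\windows\\system32",
    "lsass.exe": "c:\\windows\\system32",
    "svchost.exe": "c:\\windows\\system32",
    "ctfmon.exe": "c:\\windows\\system32",
    "explorer.exe": "c:\\windows",
}

# Constructed excerpt: lines taken from the HijackThis log in the first post,
# with a few benign lines kept so the rules are seen to leave them alone.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\4209D\svchost.exe
C:\WINDOWS\system32\4209D\ctfmon.exe
C:\WINDOWS\system32\wbem\3511\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
F2 - REG:system.ini: Shell=Explorer.exe usbhelp.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A45B2C37-01D0-4D3E-BE5E-CC119B17BE9E} - C:\Program Files\Internet Explorer\IEXPLORE32.win
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\Owner\LOCALS~1\Temp\20075149618_mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Policies\Explorer\Run: [MSDEG32] LYLoader.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Yahoo Service (YahooSvr) - Unknown owner - C:\WINDOWS\system32\4209D\svchost.exe
"""


def _split_path(path: str):
    """Return (directory, filename), lower-cased, with surrounding quotes removed."""
    directory, _, name = path.strip().strip('"').lower().rpartition("\\")
    return directory, name


def check_process(path: str) -> Optional[str]:
    """Flag a well-known system binary name running from the wrong directory."""
    directory, name = _split_path(path)
    expected = SYSTEM_BINARIES.get(name)
    if expected and directory != expected:
        return f"'{name}' running outside {expected}: {path}"
    return None


def check_entry(line: str) -> Optional[str]:
    """Apply one rule per HijackThis section to a single R/F/O line."""
    kind, _, rest = line.partition(" - ")
    target = rest.rsplit(" - ", 1)[-1]          # last field is usually the file
    if kind == "F2":
        m = re.search(r"Shell=(.*)$", rest)
        if m and m.group(1).strip().lower() != "explorer.exe":
            return f"Shell= altered, extra program started with the desktop: {m.group(1).strip()}"
    elif kind == "O2":
        if "(no name)" in rest and not target.lower().endswith(".dll"):
            return f"unnamed BHO whose file is not a DLL: {target}"
    elif kind == "O4":
        if "\\Policies\\Explorer\\Run" in rest:
            return f"autostart via Policies\\Explorer\\Run, rarely used legitimately: {rest}"
        if "\\temp\\" in rest.lower():
            return f"autostart launched from a Temp directory: {rest}"
    elif kind == "O23":
        if "Unknown owner" in rest and check_process(target):
            return f"service of unknown owner backed by a misplaced system binary: {target}"
    return None


def triage(log: str) -> Dict[str, List[str]]:
    """Walk a HijackThis log and collect findings per section."""
    findings: Dict[str, List[str]] = {"processes": [], "entries": []}
    section = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            section = "processes"
            continue
        if re.match(r"^[A-Z]\d+ - ", line):    # R0, F2, O2, O23 ... entry lines
            section = "entries"
        if section == "processes":
            hit = check_process(line)
            if hit:
                findings["processes"].append(hit)
        elif section == "entries":
            hit = check_entry(line)
            if hit:
                findings["entries"].append(hit)
    return findings
```

Run `triage(SAMPLE_LOG)` to get three flagged processes and five flagged entries from the excerpt; the hits are pointers for a human review, not a verdict, since legitimate installers do occasionally start from Temp.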
12-29-2007, 08:05 PM   #3
Registered User
 
Join Date: Dec 2007
Posts: 88
OS: Windows XP


Re: Computer infected, please help!

Hi Katana,

Thank you so much for helping me! OMG! I didn't realize it was this bad! I will definitely change all my passwords!!

I was wondering if you know how long the combofix will run. I opened it and typed "1" to continue and then realized I still had the window to the forum opened. I exited out but I don't know if that messed up the combofix. It doesn't look like it's doing anything. I'm on my mom's computer right now! Did I mess it up? Sorry!

Caryn
carynm is offline  
12-29-2007, 08:52 PM   #4
Registered User
 
Join Date: Dec 2007
Posts: 88
OS: Windows XP


Re: Computer infected, please help!

Hi Katana,

By running the combofix, will I lose everything on the hard drive? I have programs that I don't have cds for and don't want to lose them, like Photoshop cs!! Is there any way to get around that? Do you think I will be able to copy the program onto a cd and reinstall later? I don't have the program keys. My friend downloaded his cd onto our computer for my husband and he uses it for work. We moved and don't have access to the cd anymore so this is a concern as we don't have the money right now to purchase the program! Please tell me there is another way!!

I will wait for your reply before running the combofix. Thank you!

Caryn
carynm is offline  
12-30-2007, 04:23 AM   #5
Analyst, Security Team
 
Join Date: Nov 2007
Location: Manchester, UK
Posts: 630
OS: W2K SP4 + XP SP2 + Vista


Re: Computer infected, please help!

ComboFix won't remove any legitimate programs if they are not infected.
Double click ComboFix, type "1" and press enter.
Katana is offline  
12-30-2007, 10:32 AM   #6
Registered User
 
Join Date: Dec 2007
Posts: 88
OS: Windows XP


Re: Computer infected, please help!

Here are the logs you asked for. Thank you!


ComboFix 07-12-28.1 - Owner 2005-12-30 13:12:04.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.158 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\microsoft\office\system\AvWoJ3QuZh_3103
C:\Documents and Settings\All Users\Application Data.\microsoft\office\system\finder.dll
C:\Documents and Settings\All Users\Application Data.\microsoft\office\system\sysloader.exe
C:\Documents and Settings\All Users\Application Data.\microsoft\office\userdata
C:\Documents and Settings\All Users\Application Data.\microsoft\office\userdata\webbrowser_3103.dll
C:\Documents and Settings\All Users\Application Data.\microsoft\pctools
C:\Documents and Settings\All Users\Application Data.\microsoft\pctools\pctools.dll
C:\Documents and Settings\All Users\Application Data.\t
C:\Documents and Settings\All Users\Application Data\Microsoft\Office\SYSTEM\sysloader.exe
C:\Documents and Settings\All Users\Application Data\microsoft\pctools\pctools.dll
C:\Documents and Settings\Owner\Desktop\4bb6~1.lnk
C:\Documents and Settings\Owner\Favorites\4bb6~1.lnk
C:\Documents and Settings\Owner\Favorites\7BFA~1.URL
C:\privilege.dat
C:\Program Files\ad4all
C:\Program Files\ad4all\Install.exe
C:\Program Files\ad4all\install.ini
C:\Program Files\ad4all\link1\eachlink.htm
C:\Program Files\ad4all\link1\eachlink.ico
C:\Program Files\ad4all\link1\ebaylink.ico
C:\Program Files\ad4all\link1\install.ini
C:\Program Files\ad4all\link1\Thumbs.db
C:\Program Files\Common Files\cpush
C:\Program Files\Common Files\cpush\cpush0.dll
C:\Program Files\Common Files\cpush\Uninst.exe
C:\Program Files\Incesoft\XiaoiAlerts
C:\Program Files\Incesoft\XiaoiAlerts\Capture.dll
C:\Program Files\Incesoft\XiaoiAlerts\config.dat
C:\Program Files\Incesoft\XiaoiAlerts\MSNMessengerLib.dll
C:\Program Files\Incesoft\XiaoiAlerts\MSNPlugin.dll
C:\Program Files\Incesoft\XiaoiAlerts\resource.dll
C:\Program Files\Incesoft\XiaoiAlerts\Uninstall.exe
C:\Program Files\Incesoft\XiaoiAlerts\XiaoiAlerts.exe
C:\Program Files\Internet Explorer\IEXPLORE32.jmp
C:\Program Files\Internet Explorer\PLUGINS\Sy_Win7k.Jmp
C:\Program Files\internet explorer\plugins\wn_sys8x.sys
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\qdrloader.exe
C:\WINDOWS\2a1.bmp
C:\WINDOWS\Fonts\ardaase.fon
C:\WINDOWS\Fonts\ardasase.fon
C:\WINDOWS\Fonts\armease.fon
C:\WINDOWS\Fonts\chreaur.fon
C:\WINDOWS\Fonts\chtiaur.fon
C:\WINDOWS\Fonts\enhuafx.fon
C:\WINDOWS\Fonts\enweafx.fon
C:\WINDOWS\Fonts\gezeand.fon
C:\WINDOWS\Fonts\gjcuaxw.fon
C:\WINDOWS\Fonts\gjfeaxw.fon
C:\WINDOWS\Fonts\gjtoaxw.fon
C:\WINDOWS\Fonts\jshuaxw.fon
C:\WINDOWS\Fonts\msguasd.fon
C:\WINDOWS\Fonts\mswuasd.fon
C:\WINDOWS\Fonts\mszhasd.fon
C:\WINDOWS\Fonts\wireafw.fon
C:\WINDOWS\Fonts\wymoafz.fon
C:\WINDOWS\KB611311.log
C:\WINDOWS\system32\a21.dll
C:\WINDOWS\system32\avzxlmn.dll
C:\WINDOWS\system32\avzxlst.exe
C:\WINDOWS\system32\cmdbcs.dll
C:\WINDOWS\system32\d3d1caps.srg
C:\WINDOWS\system32\DbgHlp32.dll
C:\WINDOWS\system32\dodolook591.exe
C:\WINDOWS\system32\drivers\acpidisk.sys
C:\WINDOWS\system32\drivers\mxdispdr.sys
C:\WINDOWS\system32\gddji32.dll
C:\WINDOWS\system32\lyloader.exe
C:\WINDOWS\system32\lyloadmr.exe
C:\WINDOWS\system32\lymangr.dll
C:\WINDOWS\system32\mhsha1.dat
C:\WINDOWS\system32\mprmsgse.axz
C:\WINDOWS\system32\mscpx32r.det
C:\WINDOWS\system32\msdeg32.dll
C:\WINDOWS\system32\MsPrint32D.dll
C:\WINDOWS\system32\nvdispdrv.dll
C:\WINDOWS\system32\rarjetl.exe
C:\WINDOWS\system32\rsztnpm.dll
C:\WINDOWS\system32\SHQ.DLL
C:\WINDOWS\system32\SHQMANGR.DLL
C:\WINDOWS\system32\svchost.dat
C:\WINDOWS\system32\svchost.dll
C:\WINDOWS\TEMP.\~my1.tmp
C:\WINDOWS\tempaq

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_ACPIDISK
-------\LEGACY_MS_2FAX
-------\LEGACY_MXDISPDR
-------\LEGACY_SVCHOST
-------\LEGACY_SYSLOADER
-------\acpidisk
-------\ms_2fax
-------\mxdispdr
-------\svchost
-------\sysloader


((((((((((((((((((((((((( Files Created from 2005-11-28 to 2005-12-28 )))))))))))))))))))))))))))))))
.

2005-12-30 02:24 . 2005-12-30 13:09 68 --a------ C:\WINDOWS\system32\eee4d7ff00.dll
2005-12-29 20:30 . 2005-12-29 20:30 <DIR> d-------- C:\Program Files\Thunder Network
2005-12-29 14:08 . 2005-12-29 14:08 79 --a------ C:\WINDOWS\system32\mstacim.sig
2005-12-29 12:57 . 2005-12-29 12:57 68 --a------ C:\WINDOWS\system32\d49
2005-12-29 12:27 . 2005-12-29 12:27 68 --a------ C:\WINDOWS\system32\9127
2005-12-29 11:57 . 2005-12-29 11:57 68 --a------ C:\WINDOWS\system32\672
2005-12-29 11:27 . 2005-12-29 11:27 68 --a------ C:\WINDOWS\system32\63e6
2005-12-29 10:56 . 2005-12-29 10:56 68 --a------ C:\WINDOWS\system32\610b
2005-12-29 10:26 . 2005-12-29 10:26 68 --a------ C:\WINDOWS\system32\53da
2005-12-29 09:56 . 2005-12-29 09:56 68 --a------ C:\WINDOWS\system32\3e610
2005-12-29 09:26 . 2005-12-29 09:26 68 --a------ C:\WINDOWS\system32\363
2005-12-29 08:56 . 2005-12-29 08:56 68 --a------ C:\WINDOWS\system32\127a10
2005-12-29 08:47 . 2005-12-29 08:47 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Yahoo!
2005-12-29 08:31 . 2005-12-29 08:31 0 --a------ C:\WINDOWS\system32\d1c0a932
2005-12-29 08:30 . 2005-12-30 05:30 72 --a------ C:\WINDOWS\system32\cflInfo.nt
2005-12-29 08:30 . 2005-12-28 13:17 49 --a------ C:\WINDOWS\system32\adurl.ini
2005-12-29 08:26 . 2005-12-28 13:26 180 --a------ C:\WINDOWS\system32\key.~tmp
2005-12-29 08:26 . 2005-12-29 08:26 68 --a------ C:\WINDOWS\system32\10b
2005-12-29 08:26 . 2005-12-30 11:54 29 --a------ C:\WINDOWS\system32\11-64-8750
2005-12-29 08:26 . 2005-12-29 08:26 8 --a------ C:\WINDOWS\system32\-5-64-8750
2005-12-29 08:25 . 2005-12-29 08:26 208,896 ---hs---- C:\WINDOWS\system32\bho.dll
2005-12-29 08:24 . 2005-12-29 08:27 <DIR> d-------- C:\WINDOWS\system32\4209D
2005-12-29 08:24 . 2005-12-28 13:26 694 --a------ C:\WINDOWS\system32\ini.~tmp
2005-12-29 08:24 . 2005-12-28 13:26 508 --a------ C:\WINDOWS\system32\setyahoo.ini
2005-12-28 21:36 . 2005-12-30 12:57 40 --a------ C:\WINDOWS\system32\WCIPYELRYFLS.DLL
2005-12-28 21:32 . 2005-12-28 13:14 1,822 --a------ C:\WINDOWS\system32\JQWEMTA.LDO
2005-12-28 21:30 . 2005-12-28 21:30 2,289,152 --a------ C:\WINDOWS\system32\usbshow.dll
2005-12-28 21:30 . 2005-12-28 21:30 2,289,152 --a------ C:\WINDOWS\system32\drivers\usbshow.sys
2005-12-28 21:30 . 2005-12-28 21:30 417,792 --a------ C:\WINDOWS\system32\usbplay.exe
2005-12-28 21:30 . 2005-12-28 21:30 417,792 --a------ C:\WINDOWS\system32\drivers\usbplay.sys
2005-12-28 21:30 . 2005-12-28 21:30 377,856 --a------ C:\WINDOWS\system32\usbhelp.exe
2005-12-28 21:30 . 2005-12-28 21:30 377,856 --a------ C:\WINDOWS\system32\drivers\usbhelp.sys
2005-12-28 21:30 . 2005-12-28 13:12 1,297 --a------ C:\WINDOWS\system32\mu17kg0g.dll
2005-12-28 21:30 . 2005-12-28 13:14 67 --a------ C:\WINDOWS\system32\TZFNVBIPVCI.DLL
2005-12-28 21:29 . 2005-12-28 13:17 382 --a------ C:\WINDOWS\system32\e8ae8279a2.dll
2005-12-28 21:29 . 2005-12-29 08:24 61 --a------ C:\WINDOWS\system32\7967556C.dat
2005-12-28 21:29 . 2005-12-28 21:29 12 --a------ C:\WINDOWS\0494ac5aa2.dll
2005-12-28 21:29 . 2005-12-30 13:10 0 --a------ C:\WINDOWS\system32\dnabeser.dat
2005-12-28 12:19 . 2005-12-28 13:26 49,152 --a------ C:\WINDOWS\system32\9E827BA2.DLL
2005-12-28 12:19 . 2005-12-28 12:19 14,504 --a------ C:\WINDOWS\system32\26F21CF4.EXE
2005-12-27 02:02 . 2005-12-27 02:02 <DIR> d-------- C:\Program Files\Washer
2005-12-27 02:02 . 2001-05-01 22:01 384,000 --a------ C:\WINDOWS\unwash.exe
2005-12-07 17:43 . 2005-12-07 17:43 565,170 --a------ C:\WINDOWS\system32\large.bnk
2005-12-07 17:43 . 2005-12-07 17:43 278,528 --a------ C:\WINDOWS\system32\livesnth.dll
2005-12-07 17:43 . 2005-12-07 17:43 44 --a------ C:\WINDOWS\liveup.ini
2005-12-07 13:58 . 2005-12-07 23:25 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2005-12-07 13:57 . 2007-05-14 11:10 <DIR> d-------- C:\Program Files\QuickTime
2005-12-07 13:52 . 2005-12-07 13:52 <DIR> d-------- C:\Program Files\iTunes
2005-12-07 13:52 . 2005-12-07 13:52 <DIR> d-------- C:\Program Files\iPod
2005-12-07 13:51 . 2005-12-07 13:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2005-12-07 13:47 . 2005-12-07 13:47 34,412,848 --a------ C:\Program Files\iTunesSetup.exe
2005-12-07 13:04 . 2006-12-11 20:48 1,038 --a------ C:\net_save.dna
2005-12-07 13:03 . 2007-05-14 11:10 <DIR> d-------- C:\Program Files\support.com
2005-12-07 13:03 . 2005-12-07 13:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Support.com
2005-12-05 19:30 . 2005-12-05 19:30 10,920 --a------ C:\aolconnfix.exe
2005-12-01 01:11 . 2005-12-01 01:11 <DIR> d-------- C:\Program Files\Common Files\aolback
2005-12-01 01:11 . 2007-05-14 11:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AOL
2005-12-01 01:11 . 2006-09-28 05:55 715 --a------ C:\WINDOWS\aolback.exe.lnk
2005-12-01 01:10 . 2005-12-01 01:10 <DIR> d-------- C:\Program Files\Pure Networks
2005-12-01 01:10 . 2006-09-28 05:57 <DIR> d-------- C:\Program Files\AOL Companion
2005-12-01 01:10 . 2005-12-01 01:10 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\You've Got Pictures Screensaver
2005-12-01 01:10 . 2005-12-01 01:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Pure Networks
2005-12-01 01:10 . 1998-06-26 03:00 644,400 --a------ C:\WINDOWS\system32\MSComCt2.ocx
2005-12-01 01:10 . 1998-04-24 02:00 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2005-12-01 01:10 . 2000-05-22 03:00 203,976 --a------ C:\WINDOWS\system32\RichTx32.ocx
2005-12-01 01:10 . 2001-03-13 16:49 140,288 --a------ C:\WINDOWS\system32\COMDLG32.OCX
2005-12-01 01:10 . 1998-06-24 03:00 115,016 --a------ C:\WINDOWS\system32\MSInet.ocx
2005-12-01 01:10 . 2001-11-21 13:15 102,400 --a------ C:\WINDOWS\system32\SimpleRegistry.dll
2005-12-01 01:10 . 1999-04-17 04:06 10,752 --a------ C:\WINDOWS\system32\aamd532.dll
2005-12-01 01:08 . 2007-05-14 11:10 <DIR> d-------- C:\Program Files\Common Files\aolshare
2005-12-01 01:08 . 2004-05-07 18:54 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2005-12-01 01:08 . 2003-09-16 13:07 499,712 --------- C:\WINDOWS\system32\msvcp71.dll
2005-12-01 01:08 . 2003-09-09 17:06 348,160 --------- C:\WINDOWS\system32\msvcr71.dll
2005-12-01 01:08 . 2004-05-07 18:54 153,088 --a------ C:\WINDOWS\system32\jgdwmie.dll
2005-12-01 01:08 . 2003-01-10 19:13 33,588 --a------ C:\WINDOWS\system32\drivers\wanatw4.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-28 15:59 --------- d-----w C:\Program Files\Windows Live
2007-12-28 15:59 --------- d-----w C:\Program Files\MSN Messenger
2007-12-28 15:51 --------- d-----w C:\Program Files\LimeWire
2007-12-28 15:51 --------- d-----w C:\Program Files\iWin.com
2007-12-28 15:46 109 ----a-w C:\WINDOWS\Fonts\kawdicsb.dll
2007-12-28 15:45 47 ----a-w C:\WINDOWS\Fonts\avwghinb.dll
2007-12-28 15:45 25 ----a-w C:\WINDOWS\Fonts\hookhelp.ini
2007-12-28 15:45 108 ----a-w C:\WINDOWS\Fonts\kvdxlcf.dll
2007-12-28 15:44 48 ----a-w C:\WINDOWS\Fonts\rarjenia.dll
2007-12-28 15:43 77 ----a-w C:\WINDOWS\Fonts\kvdxslcf.dll
2007-12-28 15:42 61 ----a-w C:\WINDOWS\Fonts\okmhccs.dll
2007-12-28 15:42 50 ----a-w C:\WINDOWS\Fonts\avzxlinb.dll
2007-12-28 15:41 56 ----a-w C:\WINDOWS\Fonts\ratbrnib.dll
2007-12-28 01:09 34,428 ----a-w C:\Program Files\csrss0.exe
2007-12-27 19:19 --------- d-----w C:\Program Files\Evrsoft First Page 2006
2007-12-26 01:48 --------- d-----w C:\Documents and Settings\Owner\Application Data\CoreFTP
2007-11-13 16:55 --------- d-----w C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2007-11-13 16:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-13 16:54 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-13 03:10 --------- d-----w C:\Program Files\Trend Micro
2007-11-12 13:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-11-11 13:50 --------- d-----w C:\Program Files\Java
2007-10-22 14:21 --------- d--h--r C:\Documents and Settings\All Users\Application Data\yahoo!
2007-10-22 14:21 --------- d-----w C:\Program Files\Yahoo!
2007-10-22 14:21 --------- d-----w C:\Documents and Settings\Owner\Application Data\Yahoo!
2007-10-22 14:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-10-22 13:38 --------- d-----w C:\Program Files\MSXML 6.0
2007-10-17 20:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\Move Networks
2007-09-18 05:29 65,936 ----a-w C:\WINDOWS\system32\drivers\tmtdi.sys
2007-09-18 05:29 52,496 ----a-w C:\WINDOWS\system32\drivers\tmactmon.sys
2007-09-18 05:29 52,368 ----a-w C:\WINDOWS\system32\drivers\tmevtmgr.sys
2007-09-18 05:29 36,112 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-09-18 05:29 333,328 ----a-w C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-09-18 05:29 203,024 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-09-18 05:29 138,512 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2007-09-18 05:29 1,126,328 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2007-08-26 21:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
2007-08-24 17:19 --------- d-----w C:\Program Files\GameTop.com
2007-08-22 00:37 --------- d-----w C:\Program Files\iWin.com Games
2007-07-15 04:47 --------- d-----w C:\Program Files\Common Files\Adobe
2007-06-22 23:42 12,296 ----a-w C:\WINDOWS\system32\drivers\tmfilter.cat
2007-06-12 23:01 3,418 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.inf
2007-06-12 23:01 2,557 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.inf
2007-06-12 23:00 263,392 ----a-w C:\WINDOWS\system32\drivers\Tmfilter.sys
2007-06-12 22:52 2,518 ----a-w C:\WINDOWS\system32\drivers\vsapint.inf
2007-06-09 03:34 --------- d-----w C:\Documents and Settings\Owner\Application Data\InstallShield
2007-06-09 03:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\EPSON
2007-06-09 03:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-09 03:32 --------- d-----w C:\Program Files\EPSON
2007-05-14 16:55 --------- d-----w C:\Program Files\Common Files\AOL
2007-05-14 16:10 --------- d-----w C:\Program Files\Smart Panel
2007-05-14 16:10 --------- d-----w C:\Program Files\CompuServe 7.0
2007-05-14 16:10 --------- d-----w C:\Program Files\Common Files\csshare
2007-05-14 16:10 --------- d-----w C:\Program Files\America Online 9.0a
2007-05-14 16:10 --------- d-----w C:\Program Files\America Online 9.0
2007-05-14 16:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-05-14 16:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-05-14 16:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-04-27 01:23 --------- d-----w C:\Program Files\McAfee.com
2007-04-23 10:14 364,160 ----a-w C:\WINDOWS\system32\drivers\update.sys
2007-04-16 02:23 --------- d-----w C:\Program Files\activePDF
2007-04-04 18:55 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-03-20 05:33 --------- d-----w C:\Program Files\Reference Assemblies
2007-03-20 05:33 --------- d-----w C:\Program Files\MSBuild
2007-03-03 10:25 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ambient Design
2007-03-03 10:18 --------- d-----w C:\Program Files\Ambient Design
2007-02-27 07:01 --------- d-----w C:\Program Files\Corel
2007-02-27 06:44 --------- d-----w C:\Program Files\Tablet
2007-02-09 11:10 574,464 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2007-02-06 21:01 6,252,136 ----a-w C:\Program Files\winzip100.exe
2007-01-30 07:37 10,612 ----a-w C:\WINDOWS\system32\drivers\tmcomm.cat
2007-01-24 08:45 2,454 ----a-w C:\WINDOWS\system32\drivers\tmcomm.inf
2007-01-23 03:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\Snapfish
2007-01-22 20:22 --------- d-----w C:\Documents and Settings\Owner\Application Data\Viewpoint
2007-01-22 20:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-01-02 05:24 --------- d-----w C:\Program Files\MTV Networks
2007-01-02 05:20 --------- d-----w C:\Program Files\Windows Media Connect 2
2006-12-14 10:57 --------- d-----w C:\Program Files\Lavasoft
2006-12-14 10:57 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2006-12-14 08:38 --------- d-----w C:\Program Files\GameHouse
2006-12-12 06:51 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ahead
2006-10-19 04:00 38,528 ----a-w C:\WINDOWS\system32\drivers\wpdusb.sys
2006-09-29 03:00 82,944 ------w C:\WINDOWS\system32\drivers\WudfRd.sys
2006-09-29 02:55 77,568 ------w C:\WINDOWS\system32\drivers\WudfPf.sys
2006-09-22 15:18 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2006-09-18 05:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2006-08-21 09:14 128,896 ------w C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-16 09:37 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2006-08-14 10:34 332,928 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2006-07-30 19:11 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2006-07-30 19:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Macrovision
2006-07-13 08:48 202,240 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2006-07-06 02:43 --------- d-----w C:\Program Files\CoreFTP
2006-06-14 09:00 82,944 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2006-06-14 08:47 6,400 ----a-w C:\WINDOWS\system32\drivers\splitter.sys
2006-06-14 08:47 172,416 ----a-w C:\WINDOWS\system32\drivers\kmixer.sys
2006-05-31 23:53 32,328 ----a-w C:\WINDOWS\system32\drivers\atwpkt264.sys
2006-05-31 23:53 25,160 ----a-w C:\WINDOWS\system32\drivers\atwpkt2.sys
2006-05-05 09:47 174,592 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2004-08-04 01:11 2,118,073 --sh--w C:\WINDOWS\system32\jsqxayc.dll
2004-08-04 15:41 402 --sh--w C:\WINDOWS\system32\ratbrpi.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}]
2007-12-29 09:12 53248 -r------- C:\WINDOWS\system32\28f1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8F776B2A-72DF-40C1-BD69-EDB642A706D7}]
2005-12-29 08:26 208896 ---hs---- C:\WINDOWS\system32\bho.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A45B2C37-01D0-4D3E-BE5E-CC119B17BE9E}]
2005-12-29 08:35 29818 --ahs---- C:\Program Files\Internet Explorer\IEXPLORE32.win

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5E87A05-F463-4841-B19E-DD3EC3862368}]
2005-12-29 08:35 30348 --ahs---- C:\Program Files\Internet Explorer\IEXPLORE32.Sys

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE12D60D-AD9A-4095-B839-3BE6862679FD}]
2005-12-29 08:34 35997 --ahs---- C:\Program Files\Internet Explorer\IEXPLORE32.Dat

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"Washer"="C:\Program Files\Washer\washer.exe" [2001-06-22 15:29]
"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 22:00]
"EPSON Stylus CX5000 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVA.exe" [2006-10-18 06:01]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CHotkey"="zHotkey.exe" [2003-06-03 13:01 C:\WINDOWS\zHotkey.exe]
"SunKistEM"="C:\Program Files\eMachines Bay Reader\shwiconem.exe" [2004-03-11 17:18]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 13:50]
"EPSON Stylus CX5400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.exe" []
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 03:50]
"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 22:00]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-11-22 16:29]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 14:58]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-07 13:57]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-05-07 18:54]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"Trend Micro AntiVirus 2007"="C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" []
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2007-09-18 00:29]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"washindex"="C:\Program Files\Washer\washidx.exe" [2001-04-02 21:32]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-07-30 14:11:05]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2006-09-28 05:52:35]
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2007-02-27 01:44:01]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-06-22 23:20:09]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"hh9"= rundll32 "C:\WINDOWS\Downlo~1\hh9.dll",start
"num3rm0b"= rundll32 "C:\WINDOWS\Downlo~1\num3rm0b.dll",Run

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{E34345F1-DACF-3452-CB7D-4620F34A153E}"= C:\WINDOWS\system32\rsztnpm.dll [ ]
"{8960356A-458E-DE24-BD50-268F589A56A8}"= C:\WINDOWS\system32\avwlhmn.dll [2004-08-03 20:09 25055]
"{C859245F-345D-BC13-AC4F-145D47DA34FC}"= C:\WINDOWS\system32\avzxlmn.dll [ ]
"{8A1247C1-53DA-FF43-ABD3-345F323A48D8}"= C:\WINDOWS\system32\avwghmn.dll [2004-08-03 20:10 24497]
"{C7D81718-1314-5200-2597-58790101807C}"= C:\WINDOWS\system32\kaqhlzy.dll [2004-08-03 20:10 2120534]
"{1D098345-9012-8750-8910-9128098134D1}"= C:\WINDOWS\system32\jsqxayc.dll [2004-08-03 20:11 2118073]
"{C5E87A05-F463-4841-B19E-DD3EC3862368}"= C:\Program Files\Internet Explorer\IEXPLORE32.Sys [2005-12-29 08:35 30348]
"{EE12D60D-AD9A-4095-B839-3BE6862679FD}"= C:\Program Files\Internet Explorer\IEXPLORE32.Dat [2005-12-29 08:34 35997]
"{A45B2C37-01D0-4D3E-BE5E-CC119B17BE9E}"= C:\Program Files\Internet Explorer\IEXPLORE32.win [2005-12-29 08:35 29818]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe usbhelp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R0 5ylbkzwq;5ylbkzw;C:\WINDOWS\system32\DRIVERS\5ylbkzwq.sys [2004-08-04 02:56]
R2 lr5lof8;lr5lof8;C:\WINDOWS\system32\drivers\lr5lof8.sys [2004-08-04 02:56]
R2 ms_2fax;ms_2fax;C:\WINDOWS\system32\8f3b1.exe [2007-12-28 20:10]
R2 Serviceusbhelp;ServicevcHelp;C:\WINDOWS\system32\usbplay.exe [2005-12-28 21:30]
R2 YahooSvr;Yahoo Service;C:\WINDOWS\system32\4209D\svchost.exe [2005-12-29 08:24]
S2 7967556C;7967556C;C:\WINDOWS\system32\26F21CF4.EXE [2005-12-28 12:19]
S3 FontCache6.0.5070.0;WinFX Font Cache 6.0.5070.0;C:\WINDOWS\Microsoft.NET\Windows\v6.0.5070\PresentationFontCache.exe [2005-11-07 01:29]
S3 PciHardDisk;PciHardDisk;C:\WINDOWS\system32\fat32.sys []
S4 itcppss;Indigo Tcp Port Sharing Service;C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\IndigoListener.exe [2006-01-13 02:37]

*Newly Created Service* - MS_2FAX
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2005-12-28 13:26:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2005-12-28 13:29:38 - machine was rebooted [Owner]
.
2007-12-28 05:59:31 --- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:32:24 PM, on 12/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\usbplay.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\4209D\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\8f3b1.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Washer\washer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\4209D\ctfmon.exe
C:\WINDOWS\system32\4209D\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = actsvr.comcastonline.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe usbhelp.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Invoke Class - {5FB8C5D4-929F-4870-89E2-7E3EE26EE701} - C:\WINDOWS\system32\28f1.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8F776B2A-72DF-40C1-BD69-EDB642A706D7} - C:\WINDOWS\system32\bho.dll
O2 - BHO: (no name) - {A45B2C37-01D0-4D3E-BE5E-CC119B17BE9E} - C:\Program Files\Internet Explorer\IEXPLORE32.win
O2 - BHO: (no name) - {C5E87A05-F463-4841-B19E-DD3EC3862368} - C:\Program Files\Internet Explorer\IEXPLORE32.Sys
O2 - BHO: (no name) - {EE12D60D-AD9A-4095-B839-3BE6862679FD} - C:\Program Files\Internet Explorer\IEXPLORE32.Dat
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe -1 --delay 15
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Owner"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - HKCU\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /M "Stylus CX4800" /EF "HKCU"
O4 - HKCU\..\Run: [EPSON Stylus CX5000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVA.EXE /FU "C:\WINDOWS\TEMP\E_SE2C.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [hh9] rundll32 "C:\WINDOWS\Downlo~1\hh9.dll",start
O4 - HKLM\..\Policies\Explorer\Run: [num3rm0b] rundll32 "C:\WINDOWS\Downlo~1\num3rm0b.dll",Run
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-48.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1193059601484
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1193059577453
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_inst...syInstallX.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
O20 - AppInit_DLLs: kaqhlzy.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ServicevcHelp (Serviceusbhelp) - Unknown owner - C:\WINDOWS\system32\usbplay.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Yahoo Service (YahooSvr) - Unknown owner - C:\WINDOWS\system32\4209D\svchost.exe

--
End of file - 11663 bytes
carynm is offline  
Old 12-30-2007, 05:02 PM   #7 (permalink)
Analyst, Security Team
 
 
Join Date: Nov 2007
Location: Manchester, UK
Posts: 630
OS: W2K SP4 + XP SP2 + Vista


Re: Computer infected, please help!

Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    DirLook::
    C:\WINDOWS\system32\d49
    C:\WINDOWS\system32\9127
    C:\WINDOWS\system32\672
    C:\WINDOWS\system32\63e6
    C:\WINDOWS\system32\610b
    C:\WINDOWS\system32\53da
    C:\WINDOWS\system32\3e610
    C:\WINDOWS\system32\363
    C:\WINDOWS\system32\127a10
    C:\WINDOWS\system32\d1c0a932
    C:\WINDOWS\system32\10b
    C:\WINDOWS\system32\11-64-8750
    C:\WINDOWS\system32\-5-64-8750
    
    File::
    C:\WINDOWS\system32\eee4d7ff00.dll
    C:\WINDOWS\system32\mstacim.sig
    C:\WINDOWS\system32\cflInfo.nt
    C:\WINDOWS\system32\adurl.ini
    C:\WINDOWS\system32\key.~tmp
    C:\WINDOWS\system32\bho.dll
    C:\WINDOWS\system32\ini.~tmp
    C:\WINDOWS\system32\setyahoo.ini
    C:\WINDOWS\system32\WCIPYELRYFLS.DLL
    C:\WINDOWS\system32\JQWEMTA.LDO
    C:\WINDOWS\system32\mu17kg0g.dll
    C:\WINDOWS\system32\TZFNVBIPVCI.DLL
    C:\WINDOWS\system32\e8ae8279a2.dll
    C:\WINDOWS\system32\7967556C.dat
    C:\WINDOWS\0494ac5aa2.dll
    C:\WINDOWS\system32\dnabeser.dat
    C:\WINDOWS\system32\9E827BA2.DLL
    C:\WINDOWS\system32\26F21CF4.EXE
    C:\WINDOWS\system32\aamd532.dll
    C:\WINDOWS\Fonts\kawdicsb.dll
    C:\WINDOWS\Fonts\avwghinb.dll
    C:\WINDOWS\Fonts\hookhelp.ini
    C:\WINDOWS\Fonts\kvdxlcf.dll
    C:\WINDOWS\Fonts\rarjenia.dll
    C:\WINDOWS\Fonts\kvdxslcf.dll
    C:\WINDOWS\Fonts\okmhccs.dll
    C:\WINDOWS\Fonts\avzxlinb.dll
    C:\WINDOWS\Fonts\ratbrnib.dll
    C:\Program Files\csrss0.exe
    C:\WINDOWS\system32\jsqxayc.dll
    C:\WINDOWS\system32\ratbrpi.dll
    Folder::
    C:\WINDOWS\system32\4209D
    Driver::
    7967556C
    Yahoo Service
    ServicevcHelp
    ms_2fax
    lr5lof8
    5ylbkzw
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8F776B2A-72DF-40C1-BD69-EDB642A706D7}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A45B2C37-01D0-4D3E-BE5E-CC119B17BE9E}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5E87A05-F463-4841-B19E-DD3EC3862368}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE12D60D-AD9A-4095-B839-3BE6862679FD}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D098345-9012-8750-8910-9128098134D1}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7D81718-1314-5200-2597-58790101807C}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A1247C1-53DA-FF43-ABD3-345F323A48D8}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C859245F-345D-BC13-AC4F-145D47DA34FC}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8960356A-458E-DE24-BD50-268F589A56A8}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E34345F1-DACF-3452-CB7D-4620F34A153E}]
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
    "hh9"=-
    "num3rm0b"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Shell"="Explorer.exe"
    
    File::
    C:\WINDOWS\system32\usbshow.dll
    C:\WINDOWS\system32\drivers\usbshow.sys
    C:\WINDOWS\system32\usbplay.exe
    C:\WINDOWS\system32\drivers\usbplay.sys
    C:\WINDOWS\system32\usbhelp.exe
    C:\WINDOWS\system32\drivers\usbhelp.sys
    C:\WINDOWS\system32\28f1.dll
    C:\Program Files\Internet Explorer\IEXPLORE32.win
    C:\Program Files\Internet Explorer\IEXPLORE32.Sys
    C:\Program Files\Internet Explorer\IEXPLORE32.Dat
    C:\WINDOWS\Downlo~1\num3rm0b.dll
    C:\WINDOWS\Downlo~1\hh9.dll
    C:\WINDOWS\system32\rsztnpm.dll
    C:\WINDOWS\system32\avwlhmn.dll
    C:\WINDOWS\system32\avzxlmn.dll
    C:\WINDOWS\system32\avwghmn.dll
    C:\WINDOWS\system32\kaqhlzy.dll
    C:\WINDOWS\system32\jsqxayc.dll
    C:\WINDOWS\system32\DRIVERS\5ylbkzwq.sys
    C:\WINDOWS\system32\drivers\lr5lof8.sys
    C:\WINDOWS\system32\8f3b1.exe
    C:\WINDOWS\system32\26F21CF4.EXE
  • Save this as CFScript.txt and place it on your desktop.




  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Katana is offline  
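As an added illustration (not part of the thread, of HijackThis or of ComboFix), a small Python triage script that parses HijackThis 2.0.2 log lines of the kind posted above and flags the same indicators Katana's CFScript targets: the extra Winlogon shell process, unnamed BHOs, Policies\Explorer\Run loaders, the AppInit_DLLs entry and an svchost.exe outside system32. The sample lines are copied from the posted log; the flagging rules are this example's own heuristics, not HijackThis's.

```python
"""Heuristic triage of HijackThis 2.0.2 log lines (added example, not part of
the thread, of HijackThis or of ComboFix). Sample lines are copied from the log
posted above; the flagging rules are this example's own reading of the CFScript."""
import re
from dataclasses import dataclass

# Constructed sample: nine lines taken verbatim from the posted log.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe usbhelp.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A45B2C37-01D0-4D3E-BE5E-CC119B17BE9E} - C:\Program Files\Internet Explorer\IEXPLORE32.win
O2 - BHO: (no name) - {8F776B2A-72DF-40C1-BD69-EDB642A706D7} - C:\WINDOWS\system32\bho.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Policies\Explorer\Run: [hh9] rundll32 "C:\WINDOWS\Downlo~1\hh9.dll",start
O20 - AppInit_DLLs: kaqhlzy.dll
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Yahoo Service (YahooSvr) - Unknown owner - C:\WINDOWS\system32\4209D\svchost.exe
"""

@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O23"
    reason: str   # why the line deserves a closer look
    line: str     # the original log line

# A binary sitting directly in %SystemRoot%\system32 (no sub-folder).
SYSTEM32_ROOT = re.compile(r"^[A-Z]:\\WINDOWS\\system32\\[^\\]+$", re.IGNORECASE)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]

def check_f2_shell(body: str):
    """F2: the Winlogon Shell value should be exactly Explorer.exe."""
    m = re.search(r"Shell=(.*)$", body)
    extra = [p for p in m.group(1).split() if p.lower() != "explorer.exe"] if m else []
    return f"Winlogon Shell also starts: {', '.join(extra)}" if extra else None

def check_o2_bho(body: str):
    """O2: unnamed BHOs, and above all non-DLL ones, merit review."""
    m = re.match(r"BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$", body)
    if not m or m.group(1) != "(no name)":
        return None
    ext = basename(m.group(2)).rsplit(".", 1)[-1].lower()
    return "unnamed BHO" + ("" if ext == "dll" else f" (non-DLL extension .{ext})")

def check_o4_run(body: str):
    """O4: Policies\\Explorer\\Run is a Group Policy key; entries there on a home PC deserve a look."""
    return "autostart via Policies\\Explorer\\Run" if "Policies\\Explorer\\Run" in body else None

def check_o20_appinit(body: str):
    """O20: an AppInit_DLLs entry is loaded into every process that uses user32.dll."""
    m = re.match(r"AppInit_DLLs: (.+)$", body)
    return f"AppInit_DLLs loads {m.group(1).strip()} into GUI processes" if m else None

def check_o23_service(body: str):
    """O23: an svchost.exe anywhere but system32 itself is a classic masquerade."""
    m = re.match(r"Service: (.*?) - (.*?) - (.*)$", body)
    if not m:
        return None
    path = m.group(3).replace(" (file missing)", "")
    if basename(path).lower() == "svchost.exe" and not SYSTEM32_ROOT.match(path):
        return f"svchost.exe outside system32: {path}"
    return None

CHECKS = {"F2": check_f2_shell, "O2": check_o2_bho, "O4": check_o4_run,
          "O20": check_o20_appinit, "O23": check_o23_service}

def triage(log_text: str) -> list:
    """Run the section-specific check over every line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        m = re.match(r"^([A-Z]\d+) - (.*)$", line.strip())
        if not m:
            continue
        section, body = m.groups()
        reason = CHECKS[section](body) if section in CHECKS else None
        if reason:
            findings.append(Finding(section, reason, line))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Running it on the full posted log flags the same entries the CFScript removes while leaving the Adobe, IntelliPoint and iPod lines alone; the heuristics are a starting point for review, not a verdict.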
Old 12-30-2007, 06:59 PM   #8 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 88
OS: Windows XP


Re: