Major Trojan Problem!!!!!!!!!!!!!!

I'm having a serious Trojan virus problem. I've run several programs to scan for them but haven't been able to eliminate them all. The system starts very slow and won't allow me to do an online virus scan. I've run Ewido, Trojan Hunter, Spybot, McAfee VirusScan, CounterSpy, VundoFix, and several other programs and still haven't been successful. I need someone's help bad! Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:26:23 PM, on 2/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ajhsd.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,kfovndj.exe
O1 - Hosts: 202.67.220.239 win.mail.ru
O1 - Hosts: 170.139.138.250 viruslist.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {14601842-B47E-B25E-2DA9-0318D36F716A} - C:\WINDOWS\system32\menlyin.dll (file missing)
O2 - BHO: (no name) - {1D1C48FE-DC67-87B7-1C63-888DCA2A84CA} - C:\WINDOWS\system32\gez.dll (file missing)
O2 - BHO: (no name) - {22F32AA1-7340-E752-8895-08EECFCBC5E2} - C:\WINDOWS\system32\nwfesdi.dll (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: slbrcchp - {53E6CF72-CFEC-9F4C-0FC8-C31191C869DD} - C:\WINDOWS\system32\slbrcchp.dll (file missing)
O2 - BHO: (no name) - {7B962435-D633-42E9-BEF5-47AE28285D02} - C:\WINDOWS\system32\ahdc.dll (file missing)
O2 - BHO: (no name) - {7C096487-A029-4CC5-B459-4B9DFBE8345A} - C:\WINDOWS\system32\ssqpo.dll (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: (no name) - {7EE322EA-6807-4654-B23C-D692DCB96A9a} - C:\WINDOWS\system32\cvaxoacw.dll (file missing)
O2 - BHO: 0 - {938CA351-ACB9-4024-9C94-E767BBF92C0C} - C:\Program Files\Messenger\quba943.dll (file missing)
O2 - BHO: (no name) - {A0121B96-5D64-42C0-BECC-6202BF22B0Ca} - C:\WINDOWS\system32\cvaxoacw.dll (file missing)
O2 - BHO: (no name) - {B48C5B4A-B590-4BF6-8A7F-5806FABA3B8d} - C:\WINDOWS\system32\cvaxoacw.dll (file missing)
O2 - BHO: (no name) - {CFD3A312-C912-4DBF-8B54-A82E64537993} - C:\WINDOWS\system32\cvaxoacw.dll (file missing)
O2 - BHO: (no name) - {E190F8AB-2942-4B52-8791-2173138DC3D6} - C:\WINDOWS\system32\cvaxoacw.dll (file missing)
O2 - BHO: (no name) - {E3705568-53AF-4012-BF3B-379075232486} - C:\WINDOWS\system32\cvaxoacw.dll (file missing)
O2 - BHO: (no name) - {E911E363-B148-4640-A0DB-7D567F863206} - C:\WINDOWS\system32\cvaxoacw.dll (file missing)
O2 - BHO: (no name) - {ED6276D5-B70D-4D1B-B4FB-4631B3B2BAEa} - C:\WINDOWS\system32\cvaxoacw.dll (file missing)
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-ABCD-7DD20B862223} - C:\Program Files\Helper\1202416995.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Owner\LOCALS~1\Temp\200512813115_mcinfo.exe /insfin
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [foche] C:\WINDOWS\system32\jaqodw.exe reg_run (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [foche] C:\WINDOWS\system32\jaqodw.exe reg_run (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [foche] C:\WINDOWS\system32\jaqodw.exe reg_run (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [foche] C:\WINDOWS\system32\jaqodw.exe reg_run (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://locator1.cdn.imagesrvr.com
O15 - Trusted IP range: http://66.230.*.*
O15 - Trusted IP range: http://66.235.*.*
O15 - Trusted IP range: http://69.31.*.*
O15 - Trusted IP range: http://69.50.*.*
O15 - Trusted IP range: http://205.177.*.*
O16 - DPF: {103C6415-B5ED-6186-F775-02604646843B} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {1A28E79F-8C2A-4561-69A2-58EE6D5A5E05} - http://85.255.115.229/1/gdnUS210.exe
O16 - DPF: {223BC6E3-CFDC-456F-33B1-2E1423E9B244} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {2B890B4D-10EC-11B5-D610-416131C5CA60} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {30EADC7E-2604-7F87-2C45-3C0D293F1571} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {343CE214-9998-4B21-A151-FFE970167297} (WebInstall Class) - http://xscanner.spyshredderscanner.com/setup/mae/webinst.cab
O16 - DPF: {3B2571A9-2E7B-744C-7EE7-73880E623EDF} - http://85.255.115.229/1/gdnUS210.exe
O16 - DPF: {42F6AB2D-2995-2597-61F6-2DBE023F9227} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104845217375
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2006FreeInstall.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/sysprotect.com/scanner/pages/scanner/SysProtectScannerInstall.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\slbrcchp.dll
O20 - Winlogon Notify: winypt32 - winypt32.dll (file missing)
O21 - SSODL: RamPrx - {cf58a131-3203-404b-b665-9a0147578aac} - C:\WINDOWS\Installer\{cf58a131-3203-404b-b665-9a0147578aac}\RamPrx.dll
O21 - SSODL: ComponentAlrt - {c9e76493-b4bd-439e-bd7f-7337f6b122af} - C:\WINDOWS\Installer\{c9e76493-b4bd-439e-bd7f-7337f6b122af}\ComponentAlrt.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: winsock32 (winsock32.exe) - Unknown owner - C:\WINDOWS\winsock32.exe (file missing)
O24 - Desktop Component 0: (no name) - http://emailaccount.mail.everyone.net/email/scripts/attach.pl/uid=5541105055&pn=1&noInline=0&folder=INBOX/Unnamed

--
End of file - 12479 bytes
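
The entries a log helper reads as red flags in a HijackThis log like the one above are the ones that change what runs at logon or in every process: the F2 Shell/UserInit values with an extra executable appended, O1 hosts entries that redirect a security vendor's site, O4 Run entries under the SYSTEM/LOCAL SERVICE/NETWORK SERVICE hives, O15 trusted zones, O16 ActiveX downloads from a bare IP address, O20 AppInit_DLLs, orphaned O2/O20 registrations and an O23 service with an unknown owner. The script below is an added example, not part of this thread or of the HijackThis tool: it applies those rules to HJT-style lines and lists what deserves review. The rule set (`triage_line`, `triage_log`) is an assumed triage heuristic, not a verdict engine, and `SAMPLE_LOG` is a constructed subset of lines copied from the posted log.

```python
"""Triage helper for HijackThis (HJT) log lines (added example, not HJT's own code).

Flags autostart/hijack indicators that a log reader looks for first. The rules
are an assumed heuristic; anything flagged still needs a human decision.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Run entries under these hives execute for service accounts, i.e. without a
# user logging in; legitimate software rarely registers itself there.
SERVICE_HIVES = ("HKUS\\S-1-5-18\\", "HKUS\\S-1-5-19\\", "HKUS\\S-1-5-20\\", "HKUS\\.DEFAULT\\")

# Constructed sample: a subset of lines copied from the log posted above.
SAMPLE_LOG = [
    "R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = 127.0.0.1",
    "F2 - REG:system.ini: Shell=Explorer.exe, C:\\WINDOWS\\system32\\ajhsd.exe",
    "F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,kfovndj.exe",
    "O1 - Hosts: 170.139.138.250 viruslist.com",
    "O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll",
    "O2 - BHO: (no name) - {1D1C48FE-DC67-87B7-1C63-888DCA2A84CA} - C:\\WINDOWS\\system32\\gez.dll (file missing)",
    "O4 - HKLM\\..\\Run: [THGuard] \"C:\\Program Files\\TrojanHunter 5.0\\THGuard.exe\"",
    "O4 - HKUS\\S-1-5-18\\..\\Run: [foche] C:\\WINDOWS\\system32\\jaqodw.exe reg_run (User 'SYSTEM')",
    "O4 - HKUS\\S-1-5-18\\..\\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')",
    "O15 - Trusted IP range: http://66.230.*.*",
    "O16 - DPF: {103C6415-B5ED-6186-F775-02604646843B} - http://85.255.115.229/1/gdnUS1402.exe",
    "O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104845217375",
    "O20 - AppInit_DLLs: C:\\WINDOWS\\system32\\slbrcchp.dll",
    "O23 - Service: winsock32 (winsock32.exe) - Unknown owner - C:\\WINDOWS\\winsock32.exe (file missing)",
]


def _host_is_ip(url):
    """True when the URL's host is a bare IP address rather than a DNS name."""
    host = urlparse(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_line(line):
    """Return a reason string if the HJT line deserves attention, else None."""
    line = line.strip()
    m = re.match(r"^(R\d|F\d|O\d+)\s+-\s+(.*)$", line)
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    low = body.lower()

    if section == "F2" and "shell=" in low:
        # Shell= should be exactly Explorer.exe; anything appended also runs at logon.
        value = re.split(r"shell=", body, flags=re.I)[1]
        if value.strip().lower() != "explorer.exe":
            return "Shell hijack: extra executable after Explorer.exe"
    if section == "F2" and "userinit=" in low:
        # A clean value is userinit.exe alone (HJT shows a trailing comma).
        value = re.split(r"userinit=", body, flags=re.I)[1]
        parts = [p.strip() for p in value.split(",") if p.strip()]
        if len(parts) > 1 or not parts[0].lower().endswith("\\userinit.exe"):
            return "UserInit hijack: extra executable chained after userinit.exe"
    if section == "O1":
        # A hosts entry that maps a name anywhere but loopback is a redirect.
        ip = body.split("Hosts:", 1)[1].split()[0]
        if ip not in ("127.0.0.1", "::1"):
            return "Hosts file redirect"
    if section == "O2" and "(file missing)" in low:
        return "Orphaned BHO registration (file missing)"
    if section == "O4" and any(body.startswith(h) for h in SERVICE_HIVES) and "system32" in low:
        return "Run entry under a service account pointing into system32"
    if section == "O15":
        return "Trusted zone / trusted IP range entry"
    if section == "O16":
        url = body.rsplit(" - ", 1)[-1]
        if _host_is_ip(url):
            return "ActiveX download from a raw IP address"
    if section == "O20" and "appinit_dlls" in low:
        return "AppInit_DLLs: library injected into every user-mode process"
    if section == "O20" and "winlogon notify" in low and "(file missing)" in low:
        return "Orphaned Winlogon Notify package"
    if section == "O21":
        return "ShellServiceObjectDelayLoad entry (loaded by Explorer)"
    if section == "O23" and ("unknown owner" in low or "(file missing)" in low):
        return "Service with unknown owner or missing binary"
    return None


def triage_log(lines):
    """Return [(section, reason, line)] for every flagged line, in log order."""
    findings = []
    for line in lines:
        reason = triage_line(line)
        if reason:
            findings.append((line.strip().split(" - ", 1)[0], reason, line.strip()))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run against the sample, the script flags nine of the fourteen lines and leaves the Spybot BHO, the TrojanHunter Run entry, the Narrator RunOnce and the Windows Update DPF alone. The heuristics are deliberately conservative: a security-product BHO with a present file and a service-account RunOnce without a system32 path are not called out, so a clean log from this era produces little noise, while every entry it does flag corresponds to something the helper in this thread would ask to have fixed.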

Comments

  • VekaVeka Finland
    edited February 2008
    Hi gotdatya.

    I'll be handling your log to help you get cleaned up. Please give me some time to look it over.
  • VekaVeka Finland
    edited February 2008
    You're heavily infected! :-/

    I'd recommend reinstallation. It is the best way to make sure your computer will be safe and secure again.


    Please make sure you read the instructions carefully and follow them exactly. That way you speed up the cleaning process and ensure that everything is going right. If you find anything strange or you have questions, please let me know.

    You may want to print out these instructions or save them as a text file with Notepad to your desktop because we will be restarting into Safe Mode later on in the fix.

    Step 1:

    Please download to your Desktop

    SDfix from here
    ComboFix from here or here

    Step 2:

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
    • Instead of Windows loading as normal, the Advanced Options Menu should appear.
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum)
    Step 3:

    Once in normal mode, run ComboFix.

    Very Important!
    Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.

    Please paste the contents of Report.txt (SDFix log) and ComboFix.txt (ComboFix log), along with a new HijackThis.
  • edited February 2008
    It's already showing signs of improvement!


    ComboFix 08-02-18.1 - Taneshia Ezeb 2008-02-18 19:49:28.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.67 [GMT -5:00]
    Running from: C:\Documents and Settings\Taneshia Ezeb\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Taneshia Ezeb\Application Data\ASKS~1
    C:\Documents and Settings\Taneshia Ezeb\Application Data\CURITY~1
    C:\Documents and Settings\Taneshia Ezeb\Application Data\FNTS~1
    C:\Documents and Settings\Taneshia Ezeb\Application Data\PPATCH~1
    C:\Documents and Settings\Taneshia Ezeb\Application Data\WNSXS~1
    C:\Documents and Settings\Taneshia Ezeb\Application Data\YSTEM~1
    C:\Documents and Settings\Taneshia Ezeb\My Documents\CROSOF~1
    C:\Documents and Settings\Taneshia Ezeb\My Documents\CROSOF~1\CROSOF~1\ctxad-538.0000
    C:\Documents and Settings\Taneshia Ezeb\My Documents\CROSOF~1\CROSOF~1\ctxad-538.0001
    C:\Documents and Settings\Taneshia Ezeb\My Documents\CROSOF~1\CROSOF~1\ctxad-538.0002
    C:\Documents and Settings\Taneshia Ezeb\My Documents\CROSOF~1\CROSOF~1\ctxad-538.0003
    C:\Documents and Settings\Taneshia Ezeb\My Documents\CROSOF~1\CROSOF~1\ctxad-538.0004
    C:\Documents and Settings\Taneshia Ezeb\My Documents\CROSOF~1\CROSOF~1\ctxad-538.0005
    C:\Documents and Settings\Taneshia Ezeb\My Documents\CROSOF~1\CROSOF~1\ctxad-538.0006
    C:\Documents and Settings\Taneshia Ezeb\My Documents\CROSOF~1\CROSOF~1\ctxad-554.0000
    C:\Documents and Settings\Taneshia Ezeb\My Documents\CROSOF~1\CROSOF~1\ctxad-554.0001
    C:\Documents and Settings\Taneshia Ezeb\My Documents\CROSOF~1\CROSOF~1\ctxad-554.0002
    C:\Documents and Settings\Taneshia Ezeb\My Documents\CROSOF~1\CROSOF~1\ctxad-554.0003
    C:\Documents and Settings\Taneshia Ezeb\My Documents\CROSOF~1\CROSOF~1\ctxad-554.0004
    C:\Documents and Settings\Taneshia Ezeb\My Documents\CROSOF~1\CROSOF~1\ctxad-556.0000
    C:\Documents and Settings\Taneshia Ezeb\My Documents\CROSOF~1\CROSOF~1\ctxad-556.0001
    C:\Documents and Settings\Taneshia Ezeb\My Documents\CROSOF~1\CROSOF~1\ctxad-556.0002
    C:\Documents and Settings\Taneshia Ezeb\My Documents\CROSOF~1\CROSOF~1\ctxad-556.0003
    C:\Documents and Settings\Taneshia Ezeb\My Documents\CROSOF~1\CROSOF~1\ctxad-556.0004
    C:\Documents and Settings\Taneshia Ezeb\My Documents\CROSOF~1\CROSOF~1\ctxad-556.0005
    C:\Documents and Settings\Taneshia Ezeb\My Documents\CROSOF~1\CROSOF~1\ctxad-556.0006
    C:\Documents and Settings\Taneshia Ezeb\My Documents\CROSOF~1\CROSOF~1\ctxad-559.0000
    C:\Documents and Settings\Taneshia Ezeb\My Documents\CROSOF~1\CROSOF~1\ctxad-561.0000
    C:\Documents and Settings\Taneshia Ezeb\My Documents\CROSOF~1\CROSOF~1\ctxad-561.0001
    C:\Documents and Settings\Taneshia Ezeb\My Documents\CROSOF~1\CROSOF~1\ctxad-561.0002
    C:\Documents and Settings\Taneshia Ezeb\My Documents\DOBE~1
    C:\Documents and Settings\Taneshia Ezeb\My Documents\ECURIT~1
    C:\Documents and Settings\Taneshia Ezeb\My Documents\ICROSO~1
    C:\Documents and Settings\Taneshia Ezeb\My Documents\PPATCH~1
    C:\Documents and Settings\Taneshia Ezeb\My Documents\SMBOLS~1
    C:\Documents and Settings\Taneshia Ezeb\My Documents\SSEMBL~1
    C:\Program Files\Common Files\{31FE5~1
    C:\Program Files\Common Files\{41FE5~1
    C:\Program Files\Common Files\{41FE5~2
    C:\Program Files\Common Files\curity~1
    C:\Program Files\Common Files\dobe~1
    C:\Program Files\Common Files\fnts~1
    C:\Program Files\Common Files\racle~1
    C:\Program Files\Common Files\ymante~1
    C:\Program Files\ecurit~1
    C:\Program Files\icroso~1.net
    C:\Program Files\racle~1
    C:\Program Files\smante~1
    C:\Program Files\sstem~1
    C:\Program Files\sstem3~1
    C:\WINDOWS\crosof~1.net
    C:\WINDOWS\dobe~1
    C:\WINDOWS\dobe~2
    C:\WINDOWS\racle~1
    C:\WINDOWS\scurit~1
    C:\WINDOWS\stat
    C:\WINDOWS\system32\bund1
    C:\WINDOWS\system32\bund1\temp.txt
    C:\WINDOWS\system32\components
    C:\WINDOWS\system32\components\flx0.dll
    C:\WINDOWS\system32\components\flx10.dll
    C:\WINDOWS\system32\components\flx100.dll
    C:\WINDOWS\system32\components\flx101.dll
    C:\WINDOWS\system32\components\flx102.dll
    C:\WINDOWS\system32\components\flx103.dll
    C:\WINDOWS\system32\components\flx104.dll
    C:\WINDOWS\system32\components\flx105.dll
    C:\WINDOWS\system32\components\flx106.dll
    C:\WINDOWS\system32\components\flx107.dll
    C:\WINDOWS\system32\components\flx108.dll
    C:\WINDOWS\system32\components\flx109.dll
    C:\WINDOWS\system32\components\flx11.dll
    C:\WINDOWS\system32\components\flx110.dll
    C:\WINDOWS\system32\components\flx111.dll
    C:\WINDOWS\system32\components\flx112.dll
    C:\WINDOWS\system32\components\flx113.dll
    C:\WINDOWS\system32\components\flx114.dll
    C:\WINDOWS\system32\components\flx115.dll
    C:\WINDOWS\system32\components\flx116.dll
    C:\WINDOWS\system32\components\flx117.dll
    C:\WINDOWS\system32\components\flx118.dll
    C:\WINDOWS\system32\components\flx119.dll
    C:\WINDOWS\system32\components\flx12.dll
    C:\WINDOWS\system32\components\flx120.dll
    C:\WINDOWS\system32\components\flx121.dll
    C:\WINDOWS\system32\components\flx122.dll
    C:\WINDOWS\system32\components\flx123.dll
    C:\WINDOWS\system32\components\flx124.dll
    C:\WINDOWS\system32\components\flx125.dll
    C:\WINDOWS\system32\components\flx126.dll
    C:\WINDOWS\system32\components\flx127.dll
    C:\WINDOWS\system32\components\flx128.dll
    C:\WINDOWS\system32\components\flx129.dll
    C:\WINDOWS\system32\components\flx13.dll
    C:\WINDOWS\system32\components\flx130.dll
    C:\WINDOWS\system32\components\flx131.dll
    C:\WINDOWS\system32\components\flx132.dll
    C:\WINDOWS\system32\components\flx133.dll
    C:\WINDOWS\system32\components\flx134.dll
    C:\WINDOWS\system32\components\flx135.dll
    C:\WINDOWS\system32\components\flx136.dll
    C:\WINDOWS\system32\components\flx137.dll
    C:\WINDOWS\system32\components\flx138.dll
    C:\WINDOWS\system32\components\flx139.dll
    C:\WINDOWS\system32\components\flx14.dll
    C:\WINDOWS\system32\components\flx140.dll
    C:\WINDOWS\system32\components\flx141.dll
    C:\WINDOWS\system32\components\flx142.dll
    C:\WINDOWS\system32\components\flx143.dll
    C:\WINDOWS\system32\components\flx144.dll
    C:\WINDOWS\system32\components\flx145.dll
    C:\WINDOWS\system32\components\flx146.dll
    C:\WINDOWS\system32\components\flx147.dll
    C:\WINDOWS\system32\components\flx148.dll
    C:\WINDOWS\system32\components\flx149.dll
    C:\WINDOWS\system32\components\flx15.dll
    C:\WINDOWS\system32\components\flx150.dll
    C:\WINDOWS\system32\components\flx151.dll
    C:\WINDOWS\system32\components\flx152.dll
    C:\WINDOWS\system32\components\flx153.dll
    C:\WINDOWS\system32\components\flx154.dll
    C:\WINDOWS\system32\components\flx155.dll
    C:\WINDOWS\system32\components\flx156.dll
    C:\WINDOWS\system32\components\flx157.dll
    C:\WINDOWS\system32\components\flx158.dll
    C:\WINDOWS\system32\components\flx159.dll
    C:\WINDOWS\system32\components\flx16.dll
    C:\WINDOWS\system32\components\flx160.dll
    C:\WINDOWS\system32\components\flx161.dll
    C:\WINDOWS\system32\components\flx162.dll
    C:\WINDOWS\system32\components\flx163.dll
    C:\WINDOWS\system32\components\flx164.dll
    C:\WINDOWS\system32\components\flx165.dll
    C:\WINDOWS\system32\components\flx166.dll
    C:\WINDOWS\system32\components\flx167.dll
    C:\WINDOWS\system32\components\flx168.dll
    C:\WINDOWS\system32\components\flx169.dll
    C:\WINDOWS\system32\components\flx17.dll
    C:\WINDOWS\system32\components\flx170.dll
    C:\WINDOWS\system32\components\flx171.dll
    C:\WINDOWS\system32\components\flx172.dll
    C:\WINDOWS\system32\components\flx173.dll
    C:\WINDOWS\system32\components\flx174.dll
    C:\WINDOWS\system32\components\flx175.dll
    C:\WINDOWS\system32\components\flx176.dll
    C:\WINDOWS\system32\components\flx177.dll
    C:\WINDOWS\system32\components\flx178.dll
    C:\WINDOWS\system32\components\flx179.dll
    C:\WINDOWS\system32\components\flx18.dll
    C:\WINDOWS\system32\components\flx180.dll
    C:\WINDOWS\system32\components\flx181.dll
    C:\WINDOWS\system32\components\flx182.dll
    C:\WINDOWS\system32\components\flx183.dll
    C:\WINDOWS\system32\components\flx184.dll
    C:\WINDOWS\system32\components\flx185.dll
    C:\WINDOWS\system32\components\flx186.dll
    C:\WINDOWS\system32\components\flx187.dll
    C:\WINDOWS\system32\components\flx188.dll
    C:\WINDOWS\system32\components\flx189.dll
    C:\WINDOWS\system32\components\flx19.dll
    C:\WINDOWS\system32\components\flx190.dll
    C:\WINDOWS\system32\components\flx191.dll
    C:\WINDOWS\system32\components\flx192.dll
    C:\WINDOWS\system32\components\flx193.dll
    C:\WINDOWS\system32\components\flx194.dll
    C:\WINDOWS\system32\components\flx195.dll
    C:\WINDOWS\system32\components\flx196.dll
    C:\WINDOWS\system32\components\flx197.dll
    C:\WINDOWS\system32\components\flx198.dll
    C:\WINDOWS\system32\components\flx199.dll
    C:\WINDOWS\system32\components\flx20.dll
    C:\WINDOWS\system32\components\flx200.dll
    C:\WINDOWS\system32\components\flx201.dll
    C:\WINDOWS\system32\components\flx202.dll
    C:\WINDOWS\system32\components\flx203.dll
    C:\WINDOWS\system32\components\flx204.dll
    C:\WINDOWS\system32\components\flx205.dll
    C:\WINDOWS\system32\components\flx206.dll
    C:\WINDOWS\system32\components\flx207.dll
    C:\WINDOWS\system32\components\flx208.dll
    C:\WINDOWS\system32\components\flx209.dll
    C:\WINDOWS\system32\components\flx21.dll
    C:\WINDOWS\system32\components\flx210.dll
    C:\WINDOWS\system32\components\flx211.dll
    C:\WINDOWS\system32\components\flx212.dll
    C:\WINDOWS\system32\components\flx213.dll
    C:\WINDOWS\system32\components\flx214.dll
    C:\WINDOWS\system32\components\flx215.dll
    C:\WINDOWS\system32\components\flx216.dll
    C:\WINDOWS\system32\components\flx217.dll
    C:\WINDOWS\system32\components\flx218.dll
    C:\WINDOWS\system32\components\flx219.dll
    C:\WINDOWS\system32\components\flx22.dll
    C:\WINDOWS\system32\components\flx220.dll
    C:\WINDOWS\system32\components\flx221.dll
    C:\WINDOWS\system32\components\flx222.dll
    C:\WINDOWS\system32\components\flx223.dll
    C:\WINDOWS\system32\components\flx224.dll
    C:\WINDOWS\system32\components\flx225.dll
    C:\WINDOWS\system32\components\flx226.dll
    C:\WINDOWS\system32\components\flx227.dll
    C:\WINDOWS\system32\components\flx228.dll
    C:\WINDOWS\system32\components\flx229.dll
    C:\WINDOWS\system32\components\flx23.dll
    C:\WINDOWS\system32\components\flx230.dll
    C:\WINDOWS\system32\components\flx231.dll
    C:\WINDOWS\system32\components\flx232.dll
    C:\WINDOWS\system32\components\flx233.dll
    C:\WINDOWS\system32\components\flx234.dll
    C:\WINDOWS\system32\components\flx235.dll
    C:\WINDOWS\system32\components\flx236.dll
    C:\WINDOWS\system32\components\flx237.dll
    C:\WINDOWS\system32\components\flx238.dll
    C:\WINDOWS\system32\components\flx239.dll
    C:\WINDOWS\system32\components\flx24.dll
    C:\WINDOWS\system32\components\flx240.dll
    C:\WINDOWS\system32\components\flx241.dll
    C:\WINDOWS\system32\components\flx242.dll
    C:\WINDOWS\system32\components\flx243.dll
    C:\WINDOWS\system32\components\flx244.dll
    C:\WINDOWS\system32\components\flx245.dll
    C:\WINDOWS\system32\components\flx246.dll
    C:\WINDOWS\system32\components\flx247.dll
    C:\WINDOWS\system32\components\flx248.dll
    C:\WINDOWS\system32\components\flx249.dll
    C:\WINDOWS\system32\components\flx25.dll
    C:\WINDOWS\system32\components\flx250.dll
    C:\WINDOWS\system32\components\flx251.dll
    C:\WINDOWS\system32\components\flx252.dll
    C:\WINDOWS\system32\components\flx253.dll
    C:\WINDOWS\system32\components\flx254.dll
    C:\WINDOWS\system32\components\flx255.dll
    C:\WINDOWS\system32\components\flx256.dll
    C:\WINDOWS\system32\components\flx257.dll
    C:\WINDOWS\system32\components\flx258.dll
    C:\WINDOWS\system32\components\flx259.dll
    C:\WINDOWS\system32\components\flx26.dll
    C:\WINDOWS\system32\components\flx260.dll
    C:\WINDOWS\system32\components\flx261.dll
    C:\WINDOWS\system32\components\flx262.dll
    C:\WINDOWS\system32\components\flx263.dll
    C:\WINDOWS\system32\components\flx264.dll
    C:\WINDOWS\system32\components\flx265.dll
    C:\WINDOWS\system32\components\flx266.dll
    C:\WINDOWS\system32\components\flx267.dll
    C:\WINDOWS\system32\components\flx268.dll
    C:\WINDOWS\system32\components\flx269.dll
    C:\WINDOWS\system32\components\flx27.dll
    C:\WINDOWS\system32\components\flx270.dll
    C:\WINDOWS\system32\components\flx271.dll
    C:\WINDOWS\system32\components\flx272.dll
    C:\WINDOWS\system32\components\flx273.dll
    C:\WINDOWS\system32\components\flx274.dll
    C:\WINDOWS\system32\components\flx275.dll
    C:\WINDOWS\system32\components\flx276.dll
    C:\WINDOWS\system32\components\flx277.dll
    C:\WINDOWS\system32\components\flx278.dll
    C:\WINDOWS\system32\components\flx279.dll
    C:\WINDOWS\system32\components\flx28.dll
    C:\WINDOWS\system32\components\flx280.dll
    C:\WINDOWS\system32\components\flx281.dll
    C:\WINDOWS\system32\components\flx282.dll
    C:\WINDOWS\system32\components\flx283.dll
    C:\WINDOWS\system32\components\flx284.dll
    C:\WINDOWS\system32\components\flx285.dll
    C:\WINDOWS\system32\components\flx286.dll
    C:\WINDOWS\system32\components\flx29.dll
    C:\WINDOWS\system32\components\flx30.dll
    C:\WINDOWS\system32\components\flx31.dll
    C:\WINDOWS\system32\components\flx32.dll
    C:\WINDOWS\system32\components\flx33.dll
    C:\WINDOWS\system32\components\flx34.dll
    C:\WINDOWS\system32\components\flx35.dll
    C:\WINDOWS\system32\components\flx36.dll
    C:\WINDOWS\system32\components\flx37.dll
    C:\WINDOWS\system32\components\flx38.dll
    C:\WINDOWS\system32\components\flx39.dll
    C:\WINDOWS\system32\components\flx40.dll
    C:\WINDOWS\system32\components\flx41.dll
    C:\WINDOWS\system32\components\flx42.dll
    C:\WINDOWS\system32\components\flx43.dll
    C:\WINDOWS\system32\components\flx44.dll
    C:\WINDOWS\system32\components\flx45.dll
    C:\WINDOWS\system32\components\flx46.dll
    C:\WINDOWS\system32\components\flx47.dll
    C:\WINDOWS\system32\components\flx48.dll
    C:\WINDOWS\system32\components\flx49.dll
    C:\WINDOWS\system32\components\flx50.dll
    C:\WINDOWS\system32\components\flx51.dll
    C:\WINDOWS\system32\components\flx52.dll
    C:\WINDOWS\system32\components\flx53.dll
    C:\WINDOWS\system32\components\flx54.dll
    C:\WINDOWS\system32\components\flx55.dll
    C:\WINDOWS\system32\components\flx56.dll
    C:\WINDOWS\system32\components\flx57.dll
    C:\WINDOWS\system32\components\flx58.dll
    C:\WINDOWS\system32\components\flx59.dll
    C:\WINDOWS\system32\components\flx60.dll
    C:\WINDOWS\system32\components\flx61.dll
    C:\WINDOWS\system32\components\flx62.dll
    C:\WINDOWS\system32\components\flx63.dll
    C:\WINDOWS\system32\components\flx64.dll
    C:\WINDOWS\system32\components\flx65.dll
    C:\WINDOWS\system32\components\flx66.dll
    C:\WINDOWS\system32\components\flx67.dll
    C:\WINDOWS\system32\components\flx68.dll
    C:\WINDOWS\system32\components\flx69.dll
    C:\WINDOWS\system32\components\flx70.dll
    C:\WINDOWS\system32\components\flx71.dll
    C:\WINDOWS\system32\components\flx72.dll
    C:\WINDOWS\system32\components\flx73.dll
    C:\WINDOWS\system32\components\flx74.dll
    C:\WINDOWS\system32\components\flx75.dll
    C:\WINDOWS\system32\components\flx76.dll
    C:\WINDOWS\system32\components\flx77.dll
    C:\WINDOWS\system32\components\flx78.dll
    C:\WINDOWS\system32\components\flx79.dll
    C:\WINDOWS\system32\components\flx80.dll
    C:\WINDOWS\system32\components\flx81.dll
    C:\WINDOWS\system32\components\flx82.dll
    C:\WINDOWS\system32\components\flx83.dll
    C:\WINDOWS\system32\components\flx84.dll
    C:\WINDOWS\system32\components\flx85.dll
    C:\WINDOWS\system32\components\flx86.dll
    C:\WINDOWS\system32\components\flx87.dll
    C:\WINDOWS\system32\components\flx88.dll
    C:\WINDOWS\system32\components\flx89.dll
    C:\WINDOWS\system32\components\flx90.dll
    C:\WINDOWS\system32\components\flx91.dll
    C:\WINDOWS\system32\components\flx92.dll
    C:\WINDOWS\system32\components\flx93.dll
    C:\WINDOWS\system32\components\flx94.dll
    C:\WINDOWS\system32\components\flx95.dll
    C:\WINDOWS\system32\components\flx96.dll
    C:\WINDOWS\system32\components\flx97.dll
    C:\WINDOWS\system32\components\flx98.dll
    C:\WINDOWS\system32\components\flx99.dll
    C:\WINDOWS\system32\drvhobr.dll
    C:\WINDOWS\system32\fnts~1
    C:\WINDOWS\system32\fontqxet.dll
    C:\WINDOWS\system32\jirqfaha.ini
    C:\WINDOWS\system32\ljjijif.dll
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\mit.bat
    C:\WINDOWS\system32\opqss.bak2
    C:\WINDOWS\system32\racle~1
    C:\WINDOWS\system32\sks~1
    C:\WINDOWS\system32\stfv.bin
    C:\WINDOWS\system32\tngidgbj.dll
    C:\WINDOWS\system32\winsys64.exe
    C:\WINDOWS\system32\ymbols~1

    .
    ((((((((((((((((((((((((( Files Created from 2008-01-19 to 2008-02-19 )))))))))))))))))))))))))))))))
    .

    2008-02-18 19:06 . 2008-02-18 19:07 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-02-18 18:55 . 2008-02-18 19:33 <DIR> d-------- C:\SDFix
    2008-02-17 21:11 . 2008-02-17 21:11 <DIR> d-------- C:\Program Files\Lavasoft
    2008-02-17 20:51 . 2005-02-24 22:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2008-02-17 20:51 . 2008-02-17 20:51 1,374 --a------ C:\WINDOWS\imsins.BAK
    2008-02-17 20:24 . 2008-02-17 20:24 <DIR> d-------- C:\Program Files\Trend Micro
    2008-02-17 20:23 . 2007-10-28 10:19 812,344 --a------ C:\HJTInstall.exe
    2008-02-17 20:06 . 2008-02-17 20:06 354 --a------ C:\WINDOWS\wininit.ini
    2008-02-17 18:51 . 2008-02-18 19:02 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-02-17 18:51 . 2008-02-18 18:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-17 17:27 . 2008-02-17 17:29 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
    2008-02-17 17:26 . 2008-02-17 17:27 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
    2008-02-17 17:26 . 2008-02-17 17:26 <DIR> d-------- C:\Program Files\Zone Labs
    2008-02-17 17:26 . 2008-02-18 19:38 31,767 --ah----- C:\WINDOWS\system32\vsconfig.xml
    2008-02-17 17:23 . 2008-02-18 19:39 <DIR> d-------- C:\WINDOWS\Internet Logs
    2008-02-17 17:13 . 2008-02-17 17:13 <DIR> d-------- C:\Documents and Settings\Taneshia Ezeb\Application Data\Grisoft
    2008-02-17 15:54 . 2008-02-17 15:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
    2008-02-17 15:53 . 2008-02-17 15:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-02-17 15:53 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2008-02-17 15:50 . 2008-02-17 15:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\URSoft
    2008-02-17 15:33 . 2008-02-17 15:33 45,438 --a------ C:\winbtea.exe
    2008-02-17 15:32 . 2008-02-17 15:32 29,184 --a------ C:\winkkqp.exe
    2008-02-17 15:29 . 2008-02-17 15:29 41,771 --a------ C:\winghlw.exe
    2008-02-17 15:00 . 2006-12-22 16:02 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
    2008-02-17 15:00 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
    2008-02-17 15:00 . 2006-12-22 16:02 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
    2008-02-17 15:00 . 2006-12-22 16:02 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
    2008-02-17 15:00 . 2006-12-22 16:02 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
    2008-02-17 15:00 . 2006-12-22 16:02 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
    2008-02-17 14:58 . 2008-02-17 14:59 <DIR> d-------- C:\Program Files\McAfee.com
    2008-02-17 14:58 . 2008-02-17 17:12 <DIR> d-------- C:\Program Files\McAfee
    2008-02-17 14:58 . 2008-02-17 15:00 <DIR> d-------- C:\Program Files\Common Files\McAfee
    2008-02-17 14:26 . 2008-02-17 21:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-02-17 14:23 . 2008-02-17 14:23 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-02-17 11:15 . 2008-02-17 11:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sunbelt Software
    2008-02-17 10:19 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
    2008-02-17 10:19 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\dllcache\mouhid.sys
    2008-02-17 10:15 . 2008-02-17 10:15 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
    2008-02-15 14:21 . 2008-02-15 14:21 0 --a------ C:\WINDOWS\system32\SBRC.dat
    2008-02-15 14:21 . 2008-02-15 14:21 0 --a------ C:\WINDOWS\system32\SBFC.dat
    2008-02-15 14:20 . 2008-02-15 14:20 <DIR> d-------- C:\Documents and Settings\Taneshia Ezeb\Application Data\Sunbelt Software
    2008-02-15 14:19 . 2008-02-15 14:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    2008-02-15 14:15 . 2008-02-15 14:15 <DIR> d-------- C:\Program Files\Sunbelt Software
    2008-02-15 14:08 . 2008-02-15 14:11 <DIR> d-------- C:\Program Files\Your Uninstaller 2008
    2008-02-15 14:08 . 2008-02-15 14:08 <DIR> d-------- C:\Documents and Settings\Taneshia Ezeb\Application Data\URSoft
    2008-02-15 14:08 . 2008-02-18 18:45 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-02-15 14:06 . 2008-02-15 14:06 <DIR> d-------- C:\Documents and Settings\Taneshia Ezeb\Application Data\Leadertech
    2008-02-15 14:04 . 2008-02-15 14:05 <DIR> d-------- C:\Program Files\Executive Software
    2008-02-15 14:03 . 2008-02-15 14:03 <DIR> d-------- C:\VundoFix Backups
    2008-02-15 14:00 . 2008-02-15 14:00 <DIR> d-------- C:\Documents and Settings\Taneshia Ezeb\Application Data\TrojanHunter
    2008-02-12 20:58 . 2008-02-17 21:12 <DIR> d-------- C:\Program Files\SpywareGuard
    2008-02-12 20:57 . 2008-02-12 20:57 <DIR> d-------- C:\Program Files\SpywareBlaster
    2008-02-12 20:03 . 2008-02-12 20:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TrojanHunter
    2008-02-12 19:22 . 2008-02-17 15:55 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
    2008-02-12 19:19 . 2008-02-12 19:19 <DIR> d-------- C:\Program Files\CCleaner
    2008-02-12 19:04 . 2008-02-12 19:04 <DIR> d-------- C:\Program Files\microsoft frontpage
    2008-02-12 19:02 . 2008-02-12 19:05 3 --a------ C:\WINDOWS\unq32.dat
    2008-02-12 18:41 . 2005-01-04 08:26 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
    2008-02-12 18:41 . 2005-01-04 09:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
    2008-02-12 18:41 . 2008-02-12 18:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\GTek
    2008-02-12 18:41 . 2005-01-24 16:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
    2008-02-10 12:27 . 2008-02-10 12:27 <DIR> dr------- C:\Documents and Settings\All Users\Documents
    2008-02-09 21:55 . 2008-02-09 21:57 <DIR> d-------- C:\Program Files\SiteAdvisor
    2008-02-09 21:55 . 2008-02-09 21:55 <DIR> d-------- C:\Documents and Settings\Taneshia Ezeb\Application Data\SiteAdvisor
    2008-02-09 21:55 . 2008-02-09 21:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2008-02-09 20:26 . 2008-02-17 17:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
    2008-02-04 22:37 . 2008-02-04 22:37 1,040 --a------ C:\net_save.dna
    2008-02-04 22:35 . 2008-02-12 18:53 <DIR> d-------- C:\Program Files\support.com
    2008-02-04 22:35 . 2008-02-04 22:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Support.com

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-19 00:00 44,544 ----a-w C:\WINDOWS\Internet Logs\xDB1D.tmp
    2008-02-15 20:38 --------- d-----w C:\Program Files\Pure Networks
    2008-02-15 20:38 --------- d-----w C:\Program Files\Common Files\AOL
    2008-02-15 17:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
    2008-02-15 17:27 --------- d-----w C:\Documents and Settings\Taneshia Ezeb\Application Data\AOL Office
    2008-02-15 17:02 --------- d-----w C:\Program Files\Yahoo!
    2008-02-15 17:01 --------- d-----w C:\Program Files\SBC Self Support Tool
    2008-02-12 23:55 --------- d-----w C:\Documents and Settings\Taneshia Ezeb\Application Data\AOL
    2008-02-12 23:53 --------- d-----w C:\Program Files\QuickTime
    2008-02-10 04:02 --------- d-----w C:\Program Files\iTunes
    2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2006-10-25 20:51 2,407 ----a-w C:\Documents and Settings\Taneshia Ezeb\cvxecsmk.exe
    2006-11-29 03:42 303 --sh--w C:\WINDOWS\Cursors\mocsm.ini2
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14601842-B47E-B25E-2DA9-0318D36F716A}]
    C:\WINDOWS\system32\menlyin.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D1C48FE-DC67-87B7-1C63-888DCA2A84CA}]
    C:\WINDOWS\system32\gez.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22F32AA1-7340-E752-8895-08EECFCBC5E2}]
    C:\WINDOWS\system32\nwfesdi.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53E6CF72-CFEC-9F4C-0FC8-C31191C869DD}]
    C:\WINDOWS\system32\slbrcchp.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B962435-D633-42E9-BEF5-47AE28285D02}]
    C:\WINDOWS\system32\ahdc.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C096487-A029-4CC5-B459-4B9DFBE8345A}]
    C:\WINDOWS\system32\ssqpo.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7EE322EA-6807-4654-B23C-D692DCB96A9a}]
    C:\WINDOWS\system32\cvaxoacw.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{938CA351-ACB9-4024-9C94-E767BBF92C0C}]
    C:\Program Files\Messenger\quba943.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A0121B96-5D64-42C0-BECC-6202BF22B0Ca}]
    C:\WINDOWS\system32\cvaxoacw.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B48C5B4A-B590-4BF6-8A7F-5806FABA3B8d}]
    C:\WINDOWS\system32\cvaxoacw.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E190F8AB-2942-4B52-8791-2173138DC3D6}]
    C:\WINDOWS\system32\cvaxoacw.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E3705568-53AF-4012-BF3B-379075232486}]
    C:\WINDOWS\system32\cvaxoacw.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E911E363-B148-4640-A0DB-7D567F863206}]
    C:\WINDOWS\system32\cvaxoacw.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED6276D5-B70D-4D1B-B4FB-4631B3B2BAEa}]
    C:\WINDOWS\system32\cvaxoacw.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\slbrcchp]
    @={53E6CF72-CFEC-9F4C-0FC8-C31191C869DD}

    [HKEY_CLASSES_ROOT\CLSID\{53E6CF72-CFEC-9F4C-0FC8-C31191C869DD}]
    C:\WINDOWS\system32\slbrcchp.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2004-02-26 03:53 65024 C:\WINDOWS\SOUNDMAN.EXE]
    "msci"="C:\DOCUME~1\Owner\LOCALS~1\Temp\200512813115_mcinfo.exe" [ ]
    "SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-06-15 15:17 699120]
    "THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2007-09-09 09:31 1046688]
    "Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2005-08-29 19:09 980736]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "foche"="C:\WINDOWS\system32\jaqodw.exe" [ ]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2004-08-04 05:00 53760 C:\WINDOWS\system32\narrator.exe]

    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
    SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "RamPrx"= {cf58a131-3203-404b-b665-9a0147578aac} - C:\WINDOWS\Installer\{cf58a131-3203-404b-b665-9a0147578aac}\RamPrx.dll [2008-02-07 18:45 14374]
    "ComponentAlrt"= {c9e76493-b4bd-439e-bd7f-7337f6b122af} - C:\WINDOWS\Installer\{c9e76493-b4bd-439e-bd7f-7337f6b122af}\ComponentAlrt.dll [2008-02-09 00:33 14374]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winypt32]
    winypt32.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=C:\WINDOWS\system32\slbrcchp.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    DNSQueryTimeouts REG_MULTI_SZ 1 2 2 4 8 0

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
    backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL OOBE Updater.exe]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL OOBE Updater.exe
    backup=C:\WINDOWS\pss\AOL OOBE Updater.exeCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Taneshia Ezeb^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    path=C:\Documents and Settings\Taneshia Ezeb\Start Menu\Programs\Startup\LimeWire On Startup.lnk
    backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AolDesktopRmvMsg]
    C:\PROGRA~1\AOLDES~2\RmvMsg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
    C:\WINDOWS\avp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bsu4805e]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ChkDisk]
    C:\WINDOWS\system32\chk_disk.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ErrorGuard]
    C:\Program Files\ErrorGuard\ErrorGuard.Exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\foche]
    C:\WINDOWS\system32\jaqodw.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iut75]
    c:\windows\system32\drivers\uzcx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\links]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSDrive]
    C:\WINDOWS\system32\drvhob.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwfesdi.dll]
    C:\WINDOWS\system32\nwfesdi.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyShredder]
    C:\Program Files\SpyShredder\SpyShredder.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysProtect Free]
    C:\Program Files\SysProtect Free\USYP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uoei]
    C:\DOCUME~1\TANESH~1\MYDOCU~1\CROSOF~1\spool32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
    C:\WINDOWS\system32\dumprep 0 -u

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VaCtrls]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vkhnyckr]
    C:\Documents and Settings\Taneshia Ezeb\My Documents\??pPatch\n?tdde.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\win32099110718786]
    C:\WINDOWS\win32099110718786.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ydonefup.exe]
    C:\Documents and Settings\All Users\Application Data\ydonefup.exe

    R0 Pnp680r;Silicon Image SiI 0680 Medley Raid Controller;C:\WINDOWS\system32\DRIVERS\pnp680r.sys [2002-09-03 07:50]
    R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-02-17 10:15]
    R3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9a354d6-3790-11da-9572-00038a000015}]
    \Shell\AutoRun\command - F:\GETMYPIX.EXE

    *Newly Created Service* - SBAPIFS
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-17 19:59:52 C:\WINDOWS\Tasks\McDefragTask.job"
    - c:\program files\mcafee\mqc\QcConsol.exe'
    "2008-02-17 19:59:50 C:\WINDOWS\Tasks\McQcTask.job"
    - c:\program files\mcafee\mqc\QcConsol.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-18 19:59:07
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    msci = C:\DOCUME~1\Owner\LOCALS~1\Temp\200512813115_mcinfo.exe /insfin?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????h????????(B???D?h??????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-02-18 20:01:06
    ComboFix-quarantined-files.txt 2008-02-19 01:00:52
    .
    2008-02-18 01:54:13 --- E O F ---


    SDFix: Version 1.143

    Run by Administrator on Mon 02/18/2008 at 07:09 PM

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix

    Checking Services:

    Name:
    DP1112
    winsock32.exe

    Path:
    \??\C:\WINDOWS\system32\Drivers\DP.sys
    "C:\WINDOWS\winsock32.exe"

    DP1112 - Deleted
    winsock32.exe - Deleted



    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Checking Files:

    Trojan Files Found:

    C:\WINDOWS\SYSTEM32\COMCBX2.DLL - Deleted
    C:\WINDOWS\SYSTEM32\WINIVFOP.DLL - Deleted
    C:\WINDOWS\SYSTEM32\WINUPDAT.DLL - Deleted
    C:\1D1.TMP - Deleted
    C:\WINDOWS\system32\srvswc2.dll - Deleted
    C:\WINDOWS\system32\srvswc3.dll - Deleted
    C:\wsusupd.exe - Deleted
    C:\WINDOWS\system32\comcbx2.dll - Deleted
    C:\WINDOWS\system32\commnet8.dll - Deleted
    C:\WINDOWS\system32\comsatac.dll - Deleted
    C:\WINDOWS\system32\defrasw.dll - Deleted
    C:\WINDOWS\system32\delFSF.bat - Deleted
    C:\WINDOWS\system32\drivers\smss.exe - Deleted
    C:\WINDOWS\system32\hnetviw.dll - Deleted
    C:\WINDOWS\system32\ldinfo.ldr - Deleted
    C:\WINDOWS\system32\msratnit.dll - Deleted
    C:\WINDOWS\system32\qviexio3.dat - Deleted
    C:\WINDOWS\system32\rasqervy.dll - Deleted
    C:\WINDOWS\system32\sdfinacs.dll - Deleted
    C:\WINDOWS\system32\wuasirvy.dll - Deleted





    Removing Temp Files...

    ADS Check:



    Final Check:

    catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-18 19:28:06
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services:



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
    "C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
    "C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
    "C:\\Program Files\\Common Files\\AOL\\1104850099\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1104850099\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
    "C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
    "C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
    "C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
    "C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
    "C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
    "C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Disabled:LEXPPS.EXE"
    "C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
    "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
    "C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
    "C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPager.exe"="C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPager.exe:*:Enabled:Yahoo! Messenger"
    "C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"="C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe:*:Enabled:Yahoo! FT Server"
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe:*:Enabled:AOL"
    "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
    "C:\\WINDOWS\\TEMP\\win71E.tmp.exe"="C:\\WINDOWS\\TEMP\\win71E.tmp.exe:*:Enabled:win71E.tmp"
    "C:\\Program Files\\Common Files\\Aol\\aoltpspd.exe"="C:\\Program Files\\Common Files\\Aol\\aoltpspd.exe:*:Enabled:aoltpspd.exe"
    "C:\\Program Files\\America Online 9.0a\\waol.exe"="C:\\Program Files\\America Online 9.0a\\waol.exe:*:Enabled:America Online 9.0a"
    "C:\\WINDOWS\\SOUNDMAN.EXE"="C:\\WINDOWS\\SOUNDMAN.EXE:*:Enabled:SOUNDMAN.EXE"
    "C:\\winstall.exe"="C:\\winstall.exe:*:Enabled:winstall.exe"
    "C:\\WINDOWS\\system32\\wscntfy.exe"="C:\\WINDOWS\\system32\\wscntfy.exe:*:Enabled:wscntfy.exe"
    "C:\\WINDOWS\\winsock32.exe"="C:\\WINDOWS\\winsock32.exe:*:Enabled:winsock32"
    "C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:iexplore.exe"
    "C:\\WINDOWS\\TEMP\\win4816.tmp.exe"="C:\\WINDOWS\\TEMP\\win4816.tmp.exe:*:Enabled:win4816.tmp"
    "C:\\WINDOWS\\TEMP\\win62FA.tmp.exe"="C:\\WINDOWS\\TEMP\\win62FA.tmp.exe:*:Enabled:win62FA.tmp"
    "C:\\WINDOWS\\TEMP\\win77D1.tmp.exe"="C:\\WINDOWS\\TEMP\\win77D1.tmp.exe:*:Enabled:win77D1.tmp"
    "C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
    "C:\\Program Files\\America Online 9.0a\\waol.exe"="C:\\Program Files\\America Online 9.0a\\waol.exe:*:Enabled:America Online 9.0a"
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe:*:Enabled:AOL"

    Remaining Files:


    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes:

    Wed 4 Aug 2004 1,667,584 A.SH. --- "C:\Program Files\Messenger\msmsgs.exe"
    Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
    Thu 8 Jun 2006 122 A.SH. --- "C:\WINDOWS\Cursors\mocsm.tmp"
    Sat 9 Feb 2008 154,993 A.SH. --- "C:\WINDOWS\system32\opqss.bak2"
    Wed 6 Jul 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Wed 6 Jul 2005 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv11.bak"
    Thu 7 Feb 2008 39,462 ..SHR --- "C:\WINDOWS\Installer\{7e1d042e-c4ad-407a-9d48-dbeae95ad2e6}\zip.dll"
    Sat 9 Feb 2008 14,374 ..SHR --- "C:\WINDOWS\Installer\{c9e76493-b4bd-439e-bd7f-7337f6b122af}\ComponentAlrt.dll"
    Thu 7 Feb 2008 14,374 ..SHR --- "C:\WINDOWS\Installer\{cf58a131-3203-404b-b665-9a0147578aac}\RamPrx.dll"
    Tue 16 Jan 2007 2,634 ..SH. --- "C:\WINDOWS\msagent\chars\svssdo.tmp"
    Sat 12 Aug 2006 71,700 ..SH. --- "C:\Documents and Settings\Taneshia Ezeb\Local Settings\Temp\owccrlnd.dll"
    Wed 6 Jul 2005 4,348 ...H. --- "C:\Documents and Settings\Taneshia Ezeb\My Documents\My Music\License Backup\drmv1key.bak"
    Wed 6 Jul 2005 401 A..H. --- "C:\Documents and Settings\Taneshia Ezeb\My Documents\My Music\License Backup\drmv1lic.bak"
    Wed 6 Jul 2005 312 ...H. --- "C:\Documents and Settings\Taneshia Ezeb\My Documents\My Music\License Backup\drmv2key.bak"
    Wed 6 Jul 2005 1,536 A..H. --- "C:\Documents and Settings\Taneshia Ezeb\My Documents\My Music\License Backup\drmv2lic.bak"

    Finished!
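Added example, not part of the poster's logs or of HijackThis, ComboFix or SDFix themselves: a small Python triage script that applies, over log entries of the kinds shown in this thread, the checks a helper would otherwise run by eye. The rules are my own heuristics, not any tool's logic. It flags BHOs whose DLL is already gone but whose CLSID is still registered, O4 autoruns that launch from a Temp directory or live in a service-account/.DEFAULT hive, O15 wildcard IP ranges in the IE Trusted zone, O16 ActiveX downloads from a raw IP or pointing straight at an .exe, a populated AppInit_DLLs value, and Windows Firewall exceptions granted to executables in a Temp directory. The sample lines are copied from the HijackThis log, the ComboFix Reg Loading Points and the SDFix firewall export above, with one benign line of each kind kept as a control.

```python
import re
from ipaddress import ip_address

# Lines copied from the logs posted above (one benign line of each kind kept
# as a control); the triage rules below are my own heuristics, not tool logic.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {14601842-B47E-B25E-2DA9-0318D36F716A} - C:\WINDOWS\system32\menlyin.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Owner\LOCALS~1\Temp\200512813115_mcinfo.exe /insfin
O4 - HKUS\S-1-5-18\..\Run: [foche] C:\WINDOWS\system32\jaqodw.exe reg_run (User 'SYSTEM')
O15 - Trusted IP range: http://66.230.*.*
O16 - DPF: {103C6415-B5ED-6186-F775-02604646843B} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
"AppInit_DLLs"=C:\WINDOWS\system32\slbrcchp.dll
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\TEMP\\win71E.tmp.exe"="C:\\WINDOWS\\TEMP\\win71E.tmp.exe:*:Enabled:win71E.tmp"
"""

TEMP_DIR = re.compile(r"\\temp\\", re.I)
# S-1-5-18/19/20 and .DEFAULT: SYSTEM, LOCAL SERVICE, NETWORK SERVICE and the pre-logon hive
SERVICE_HIVE = re.compile(r"HKUS\\(S-1-5-(?:18|19|20)|\.DEFAULT)\\", re.I)
DPF_URL = re.compile(r"^O16 - DPF: \{[0-9A-F-]+\}(?: \([^)]*\))? - (\S+)", re.I)
# Windows Firewall AuthorizedApplications value: "path"="path:scope:Enabled|Disabled:name"
FW_RULE = re.compile(r'^"([^"]+)"="[^"]*:\*:(Enabled|Disabled):', re.I)


def _raw_ip_host(url):
    """True when the URL's host is an IP literal rather than a DNS name."""
    host = re.sub(r"^https?://", "", url, flags=re.I).split("/", 1)[0]
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def classify(line):
    """Return a short reason when the entry deserves a closer look, else None."""
    if line.startswith("O2 - BHO:") and "(file missing)" in line:
        return "orphaned BHO: DLL already deleted, CLSID registration still present"
    if line.startswith("O4 - "):
        if TEMP_DIR.search(line):
            return "autorun launched from a temp directory"
        if SERVICE_HIVE.search(line):
            return "autorun in a service-account or .DEFAULT hive (runs before any user logs on)"
        return None
    if line.startswith("O15 - Trusted IP range:"):
        return "wildcard IP range added to the IE Trusted zone"
    m = DPF_URL.match(line)
    if m:
        url = m.group(1)
        if _raw_ip_host(url) or url.lower().endswith(".exe"):
            return "ActiveX download (O16) from a raw IP address or pointing at an .exe"
        return None
    if line.startswith('"AppInit_DLLs"=') and line.split("=", 1)[1].strip():
        return "AppInit_DLLs set: the DLL is loaded into every process that maps user32.dll"
    m = FW_RULE.match(line)
    if m:
        # Registry export doubles the backslashes; undo that before matching paths.
        path, state = m.group(1).replace("\\\\", "\\"), m.group(2)
        if state.lower() == "enabled" and TEMP_DIR.search(path):
            return "Windows Firewall exception for an executable in a temp directory"
        return None
    return None


def triage(log_text):
    """Return [(reason, line), ...] for every flagged entry, in log order."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            reason = classify(line)
            if reason:
                hits.append((reason, line))
    return hits


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

Run it as-is to see the seven flagged entries from the sample, or replace SAMPLE_LOG with a full pasted log. A hit is a prompt to look, not a verdict: the Adobe and AOL control lines pass because a signed vendor DLL or a .cab from a vendor host is normal, while an O4 entry under the SYSTEM hive pointing into system32 is worth checking even when the file name looks plausible.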
  • edited February 2008
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:03:05 PM, on 2/18/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\SOUNDMAN.EXE
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    c:\program files\mcafee\msc\mcuimgr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {14601842-B47E-B25E-2DA9-0318D36F716A} - C:\WINDOWS\system32\menlyin.dll (file missing)
    O2 - BHO: (no name) - {1D1C48FE-DC67-87B7-1C63-888DCA2A84CA} - C:\WINDOWS\system32\gez.dll (file missing)
    O2 - BHO: (no name) - {22F32AA1-7340-E752-8895-08EECFCBC5E2} - C:\WINDOWS\system32\nwfesdi.dll (file missing)
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: slbrcchp - {53E6CF72-CFEC-9F4C-0FC8-C31191C869DD} - C:\WINDOWS\system32\slbrcchp.dll (file missing)
    O2 - BHO: (no name) - {7B962435-D633-42E9-BEF5-47AE28285D02} - C:\WINDOWS\system32\ahdc.dll (file missing)
    O2 - BHO: (no name) - {7C096487-A029-4CC5-B459-4B9DFBE8345A} - C:\WINDOWS\system32\ssqpo.dll (file missing)
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
    O2 - BHO: (no name) - {7EE322EA-6807-4654-B23C-D692DCB96A9a} - C:\WINDOWS\system32\cvaxoacw.dll (file missing)
    O2 - BHO: 0 - {938CA351-ACB9-4024-9C94-E767BBF92C0C} - C:\Program Files\Messenger\quba943.dll (file missing)
    O2 - BHO: (no name) - {A0121B96-5D64-42C0-BECC-6202BF22B0Ca} - C:\WINDOWS\system32\cvaxoacw.dll (file missing)
    O2 - BHO: (no name) - {B48C5B4A-B590-4BF6-8A7F-5806FABA3B8d} - C:\WINDOWS\system32\cvaxoacw.dll (file missing)
    O2 - BHO: (no name) - {E190F8AB-2942-4B52-8791-2173138DC3D6} - C:\WINDOWS\system32\cvaxoacw.dll (file missing)
    O2 - BHO: (no name) - {E3705568-53AF-4012-BF3B-379075232486} - C:\WINDOWS\system32\cvaxoacw.dll (file missing)
    O2 - BHO: (no name) - {E911E363-B148-4640-A0DB-7D567F863206} - C:\WINDOWS\system32\cvaxoacw.dll (file missing)
    O2 - BHO: (no name) - {ED6276D5-B70D-4D1B-B4FB-4631B3B2BAEa} - C:\WINDOWS\system32\cvaxoacw.dll (file missing)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Owner\LOCALS~1\Temp\200512813115_mcinfo.exe /insfin
    O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKUS\S-1-5-19\..\Run: [foche] C:\WINDOWS\system32\jaqodw.exe reg_run (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [foche] C:\WINDOWS\system32\jaqodw.exe reg_run (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [foche] C:\WINDOWS\system32\jaqodw.exe reg_run (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [foche] C:\WINDOWS\system32\jaqodw.exe reg_run (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://locator1.cdn.imagesrvr.com
    O15 - Trusted IP range: http://66.230.*.*
    O15 - Trusted IP range: http://66.235.*.*
    O15 - Trusted IP range: http://69.31.*.*
    O15 - Trusted IP range: http://69.50.*.*
    O15 - Trusted IP range: http://205.177.*.*
    O16 - DPF: {103C6415-B5ED-6186-F775-02604646843B} - http://85.255.115.229/1/gdnUS1402.exe
    O16 - DPF: {1A28E79F-8C2A-4561-69A2-58EE6D5A5E05} - http://85.255.115.229/1/gdnUS210.exe
    O16 - DPF: {223BC6E3-CFDC-456F-33B1-2E1423E9B244} - http://85.255.115.229/1/gdnUS1402.exe
    O16 - DPF: {2B890B4D-10EC-11B5-D610-416131C5CA60} - http://85.255.115.229/1/gdnUS1402.exe
    O16 - DPF: {30EADC7E-2604-7F87-2C45-3C0D293F1571} - http://85.255.115.229/1/gdnUS1402.exe
    O16 - DPF: {343CE214-9998-4B21-A151-FFE970167297} (WebInstall Class) - http://xscanner.spyshredderscanner.com/setup/mae/webinst.cab
    O16 - DPF: {3B2571A9-2E7B-744C-7EE7-73880E623EDF} - http://85.255.115.229/1/gdnUS210.exe
    O16 - DPF: {42F6AB2D-2995-2597-61F6-2DBE023F9227} - http://85.255.115.229/1/gdnUS1402.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104845217375
    O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2006FreeInstall.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/sysprotect.com/scanner/pages/scanner/SysProtectScannerInstall.cab
    O20 - AppInit_DLLs: C:\WINDOWS\system32\slbrcchp.dll
    O20 - Winlogon Notify: winypt32 - winypt32.dll (file missing)
    O21 - SSODL: RamPrx - {cf58a131-3203-404b-b665-9a0147578aac} - C:\WINDOWS\Installer\{cf58a131-3203-404b-b665-9a0147578aac}\RamPrx.dll
    O21 - SSODL: ComponentAlrt - {c9e76493-b4bd-439e-bd7f-7337f6b122af} - C:\WINDOWS\Installer\{c9e76493-b4bd-439e-bd7f-7337f6b122af}\ComponentAlrt.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O24 - Desktop Component 0: (no name) - http://emailaccount.mail.everyone.net/email/scripts/attach.pl/uid=5541105055&pn=1&noInline=0&folder=INBOX/Unnamed

    --
    End of file - 10975 bytes
  • VekaVeka Finland
    edited February 2008
    Good to hear!

    Btw, do you use P2P software, cracks, and that kind of stuff?


    Please do the following...
    • Go to VirusTotal
    • Copy and paste the following file path into the Search Box in the middle of the page:

      C:\WINDOWS\Installer\{cf58a131-3203-404b-b665-9a0147578aac}\RamPrx.dll

    • Now, click on the Send File button
    • Save a copy of the Anti-Virus results. Post the results in your next reply.
    • Copy and paste the following file path into the Search Box in the middle of the page:

      C:\WINDOWS\Installer\{c9e76493-b4bd-439e-bd7f-7337f6b122af}\ComponentAlrt.dll

    • Now, click on the Send File button
    • Save a copy of the Anti-Virus results. Post the results in your next reply.
  • edited February 2008
    I cannot find the files which you named on the computer! I did a search online for the "Ramprx" dll file and it shows up as being a virus. Can I just go ahead and eliminate them?
  • VekaVeka Finland
    edited February 2008
    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.
    2. Now copy/paste the entire content of the codebox below into the Notepad window:
    File:: 
    C:\winbtea.exe 
    C:\winkkqp.exe 
    C:\winghlw.exe 
    C:\WINDOWS\unq32.dat 
    C:\Documents and Settings\Taneshia Ezeb\cvxecsmk.exe 
    C:\WINDOWS\system32\menlyin.dll 
    C:\WINDOWS\system32\gez.dll 
    C:\WINDOWS\system32\nwfesdi.dll 
    C:\WINDOWS\system32\slbrcchp.dll 
    C:\WINDOWS\system32\ahdc.dll 
    C:\WINDOWS\system32\ssqpo.dll 
    C:\WINDOWS\system32\cvaxoacw.dll 
    C:\Program Files\Messenger\quba943.dll 
    C:\Program Files\Helper\1202416995.dll 
    C:\WINDOWS\system32\chk_disk.exe 
    C:\Program Files\ErrorGuard\ErrorGuard.Exe 
    C:\WINDOWS\system32\jaqodw.exe 
    c:\windows\system32\drivers\uzcx.exe 
    C:\WINDOWS\system32\drvhob.dll 
    C:\WINDOWS\system32\nwfesdi.dll 
    C:\WINDOWS\win32099110718786.exe 
    C:\Documents and Settings\All Users\Application Data\ydonefup.exe 
    C:\Documents and Settings\Owner\Local Settings\Temp\200512813115_mcinfo.exe 
    C:\WINDOWS\Installer\{cf58a131-3203-404b-b665-9a0147578aac}\RamPrx.dll
    C:\WINDOWS\Installer\{c9e76493-b4bd-439e-bd7f-7337f6b122af}\ComponentAlrt.dll
    C:\WINDOWS\Cursors\mocsm.ini2 
     
    Folder:: 
    C:\DOCUME~1\TANESH~1\MYDOCU~1\CROSOF~1 
    C:\Documents and Settings\Taneshia Ezeb\My Documents\??pPatch 
    C:\Program Files\Helper 
    C:\Program Files\ErrorGuard 
     
    Registry:: 
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14601842-B47E-B25E-2DA9-0318D36F716A}] 
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D1C48FE-DC67-87B7-1C63-888DCA2A84CA}] 
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22F32AA1-7340-E752-8895-08EECFCBC5E2}] 
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53E6CF72-CFEC-9F4C-0FC8-C31191C869DD}] 
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B962435-D633-42E9-BEF5-47AE28285D02}] 
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C096487-A029-4CC5-B459-4B9DFBE8345A}] 
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7EE322EA-6807-4654-B23C-D692DCB96A9a}] 
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{938CA351-ACB9-4024-9C94-E767BBF92C0C}] 
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A0121B96-5D64-42C0-BECC-6202BF22B0Ca}] 
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B48C5B4A-B590-4BF6-8A7F-5806FABA3B8d}] 
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E190F8AB-2942-4B52-8791-2173138DC3D6}] 
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E3705568-53AF-4012-BF3B-379075232486}] 
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E911E363-B148-4640-A0DB-7D567F863206}] 
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED6276D5-B70D-4D1B-B4FB-4631B3B2BAEa}]
    [-HKEY_CLASSES_ROOT\CLSID\{14601842-B47E-B25E-2DA9-0318D36F716A}]
    [-HKEY_CLASSES_ROOT\CLSID\{1D1C48FE-DC67-87B7-1C63-888DCA2A84CA}]
    [-HKEY_CLASSES_ROOT\CLSID\{22F32AA1-7340-E752-8895-08EECFCBC5E2}]
    [-HKEY_CLASSES_ROOT\CLSID\{53E6CF72-CFEC-9F4C-0FC8-C31191C869DD}]
    [-HKEY_CLASSES_ROOT\CLSID\{7B962435-D633-42E9-BEF5-47AE28285D02}]
    [-HKEY_CLASSES_ROOT\CLSID\{7C096487-A029-4CC5-B459-4B9DFBE8345A}]
    [-HKEY_CLASSES_ROOT\CLSID\{7EE322EA-6807-4654-B23C-D692DCB96A9a}]
    [-HKEY_CLASSES_ROOT\CLSID\{938CA351-ACB9-4024-9C94-E767BBF92C0C}]
    [-HKEY_CLASSES_ROOT\CLSID\{A0121B96-5D64-42C0-BECC-6202BF22B0Ca}]
    [-HKEY_CLASSES_ROOT\CLSID\{B48C5B4A-B590-4BF6-8A7F-5806FABA3B8d}]
    [-HKEY_CLASSES_ROOT\CLSID\{E190F8AB-2942-4B52-8791-2173138DC3D6}]
    [-HKEY_CLASSES_ROOT\CLSID\{E3705568-53AF-4012-BF3B-379075232486}]
    [-HKEY_CLASSES_ROOT\CLSID\{E911E363-B148-4640-A0DB-7D567F863206}]
    [-HKEY_CLASSES_ROOT\CLSID\{ED6276D5-B70D-4D1B-B4FB-4631B3B2BAEa}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers] 
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] 
    "foche"=- 
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winypt32] 
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\foche] 
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iut75] 
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSDrive] 
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwfesdi.dll] 
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uoei] 
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VaCtrls] 
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vkhnyckr] 
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\win32099110718786] 
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ydonefup.exe] 
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] 
    "AppInit_DLLs"=- 
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] 
    "RamPrx"=- 
    "ComponentAlrt"=- 
    
    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    CFScript.gif


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
  • edited February 2008
    Here's the latest results:

    ComboFix 08-02-18.1 - Taneshia Ezeb 2008-02-21 18:04:42.2 - NTFSx86
    Running from: C:\Documents and Settings\Taneshia Ezeb\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Taneshia Ezeb\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\Documents and Settings\All Users\Application Data\ydonefup.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\200512813115_mcinfo.exe
    C:\Documents and Settings\Taneshia Ezeb\cvxecsmk.exe
    C:\Program Files\ErrorGuard\ErrorGuard.Exe
    C:\Program Files\Helper\1202416995.dll
    C:\Program Files\Messenger\quba943.dll
    C:\winbtea.exe
    C:\WINDOWS\Cursors\mocsm.ini2
    C:\WINDOWS\Installer\{c9e76493-b4bd-439e-bd7f-7337f6b122af}\ComponentAlrt.dll
    C:\WINDOWS\Installer\{cf58a131-3203-404b-b665-9a0147578aac}\RamPrx.dll
    C:\WINDOWS\system32\ahdc.dll
    C:\WINDOWS\system32\chk_disk.exe
    C:\WINDOWS\system32\cvaxoacw.dll
    c:\windows\system32\drivers\uzcx.exe
    C:\WINDOWS\system32\drvhob.dll
    C:\WINDOWS\system32\gez.dll
    C:\WINDOWS\system32\jaqodw.exe
    C:\WINDOWS\system32\menlyin.dll
    C:\WINDOWS\system32\nwfesdi.dll
    C:\WINDOWS\system32\slbrcchp.dll
    C:\WINDOWS\system32\ssqpo.dll
    C:\WINDOWS\unq32.dat
    C:\WINDOWS\win32099110718786.exe
    C:\winghlw.exe
    C:\winkkqp.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Taneshia Ezeb\cvxecsmk.exe
    C:\winbtea.exe
    C:\WINDOWS\Cursors\mocsm.ini2
    C:\WINDOWS\Installer\{c9e76493-b4bd-439e-bd7f-7337f6b122af}\ComponentAlrt.dll
    C:\WINDOWS\Installer\{cf58a131-3203-404b-b665-9a0147578aac}\RamPrx.dll
    C:\WINDOWS\unq32.dat
    C:\winghlw.exe
    C:\winkkqp.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-01-21 to 2008-02-21 )))))))))))))))))))))))))))))))
    .

    2008-02-21 17:52 . 2008-02-21 17:52 <DIR> d C:\WINDOWS\LastGood
    2008-02-18 19:06 . 2008-02-18 19:07 <DIR> d C:\WINDOWS\ERUNT
    2008-02-18 18:55 . 2008-02-18 19:33 <DIR> d C:\SDFix
    2008-02-17 21:11 . 2008-02-17 21:11 <DIR> d C:\Program Files\Lavasoft
    2008-02-17 20:51 . 2005-02-24 22:35 22,752 --a C:\WINDOWS\system32\spupdsvc.exe
    2008-02-17 20:51 . 2008-02-17 20:51 1,374 --a C:\WINDOWS\imsins.BAK
    2008-02-17 20:24 . 2008-02-17 20:24 <DIR> d C:\Program Files\Trend Micro
    2008-02-17 20:23 . 2007-10-28 10:19 812,344 --a C:\HJTInstall.exe
    2008-02-17 20:06 . 2008-02-17 20:06 354 --a C:\WINDOWS\wininit.ini
    2008-02-17 18:51 . 2008-02-18 19:02 <DIR> d C:\Program Files\Spybot - Search & Destroy
    2008-02-17 18:51 . 2008-02-18 18:50 <DIR> d C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-17 17:27 . 2008-02-17 17:29 4,212 ---h C:\WINDOWS\system32\zllictbl.dat
    2008-02-17 17:26 . 2008-02-17 17:27 <DIR> d C:\WINDOWS\system32\ZoneLabs
    2008-02-17 17:26 . 2008-02-17 17:26 <DIR> d C:\Program Files\Zone Labs
    2008-02-17 17:26 . 2008-02-21 17:47 31,767 --ah C:\WINDOWS\system32\vsconfig.xml
    2008-02-17 17:23 . 2008-02-21 17:47 <DIR> d C:\WINDOWS\Internet Logs
    2008-02-17 17:13 . 2008-02-17 17:13 <DIR> d C:\Documents and Settings\Taneshia Ezeb\Application Data\Grisoft
    2008-02-17 15:54 . 2008-02-17 15:54 <DIR> d C:\Documents and Settings\Administrator\Application Data\Grisoft
    2008-02-17 15:53 . 2008-02-17 15:53 <DIR> d C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-02-17 15:53 . 2007-05-30 07:10 10,872 --a C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2008-02-17 15:50 . 2008-02-17 15:50 <DIR> d C:\Documents and Settings\Administrator\Application Data\URSoft
    2008-02-17 15:00 . 2006-12-22 16:02 170,408 --a C:\WINDOWS\system32\drivers\mfehidk.sys
    2008-02-17 15:00 . 2007-03-02 14:16 109,608 --a C:\WINDOWS\system32\drivers\Mpfp.sys
    2008-02-17 15:00 . 2006-12-22 16:02 71,496 --a C:\WINDOWS\system32\drivers\mfeavfk.sys
    2008-02-17 15:00 . 2006-12-22 16:02 37,480 --a C:\WINDOWS\system32\drivers\mfesmfk.sys
    2008-02-17 15:00 . 2006-12-22 16:02 34,184 --a C:\WINDOWS\system32\drivers\mfebopk.sys
    2008-02-17 15:00 . 2006-12-22 16:02 32,008 --a C:\WINDOWS\system32\drivers\mferkdk.sys
    2008-02-17 14:58 . 2008-02-17 14:59 <DIR> d C:\Program Files\McAfee.com
    2008-02-17 14:58 . 2008-02-17 17:12 <DIR> d C:\Program Files\McAfee
    2008-02-17 14:58 . 2008-02-17 15:00 <DIR> d C:\Program Files\Common Files\McAfee
    2008-02-17 14:26 . 2008-02-17 21:11 <DIR> d C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-02-17 14:23 . 2008-02-17 14:23 <DIR> d C:\Program Files\Common Files\Wise Installation Wizard
    2008-02-17 11:15 . 2008-02-17 11:15 <DIR> d C:\Documents and Settings\Administrator\Application Data\Sunbelt Software
    2008-02-17 10:19 . 2001-08-17 13:48 12,160 --a C:\WINDOWS\system32\drivers\mouhid.sys
    2008-02-17 10:19 . 2001-08-17 13:48 12,160 --a C:\WINDOWS\system32\dllcache\mouhid.sys
    2008-02-17 10:15 . 2008-02-17 10:15 15,544 --a C:\WINDOWS\system32\drivers\sbhr.sys
    2008-02-15 14:21 . 2008-02-15 14:21 0 --a C:\WINDOWS\system32\SBRC.dat
    2008-02-15 14:21 . 2008-02-15 14:21 0 --a C:\WINDOWS\system32\SBFC.dat
    2008-02-15 14:20 . 2008-02-15 14:20 <DIR> d C:\Documents and Settings\Taneshia Ezeb\Application Data\Sunbelt Software
    2008-02-15 14:19 . 2008-02-15 14:19 <DIR> d C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    2008-02-15 14:15 . 2008-02-15 14:15 <DIR> d C:\Program Files\Sunbelt Software
    2008-02-15 14:08 . 2008-02-15 14:11 <DIR> d C:\Program Files\Your Uninstaller 2008
    2008-02-15 14:08 . 2008-02-15 14:08 <DIR> d C:\Documents and Settings\Taneshia Ezeb\Application Data\URSoft
    2008-02-15 14:08 . 2008-02-18 18:45 <DIR> d-a C:\Documents and Settings\All Users\Application Data\TEMP
    2008-02-15 14:06 . 2008-02-15 14:06 <DIR> d C:\Documents and Settings\Taneshia Ezeb\Application Data\Leadertech
    2008-02-15 14:04 . 2008-02-15 14:05 <DIR> d C:\Program Files\Executive Software
    2008-02-15 14:03 . 2008-02-15 14:03 <DIR> d C:\VundoFix Backups
    2008-02-15 14:00 . 2008-02-15 14:00 <DIR> d C:\Documents and Settings\Taneshia Ezeb\Application Data\TrojanHunter
    2008-02-12 20:58 . 2008-02-17 21:12 <DIR> d C:\Program Files\SpywareGuard
    2008-02-12 20:57 . 2008-02-12 20:57 <DIR> d C:\Program Files\SpywareBlaster
    2008-02-12 20:03 . 2008-02-12 20:03 <DIR> d C:\Documents and Settings\Administrator\Application Data\TrojanHunter
    2008-02-12 19:22 . 2008-02-17 15:55 <DIR> d C:\Program Files\TrojanHunter 5.0
    2008-02-12 19:19 . 2008-02-12 19:19 <DIR> d C:\Program Files\CCleaner
    2008-02-12 19:04 . 2008-02-12 19:04 <DIR> d C:\Program Files\microsoft frontpage
    2008-02-12 18:41 . 2005-01-04 08:26 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
    2008-02-12 18:41 . 2005-01-04 09:50 <DIR> d C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
    2008-02-12 18:41 . 2008-02-12 18:53 <DIR> d C:\Documents and Settings\Administrator\Application Data\GTek
    2008-02-12 18:41 . 2005-01-24 16:10 <DIR> d C:\Documents and Settings\Administrator\Application Data\AOL
    2008-02-10 12:27 . 2008-02-10 12:27 <DIR> dr C:\Documents and Settings\All Users\Documents
    2008-02-09 21:55 . 2008-02-09 21:57 <DIR> d C:\Program Files\SiteAdvisor
    2008-02-09 21:55 . 2008-02-09 21:55 <DIR> d C:\Documents and Settings\Taneshia Ezeb\Application Data\SiteAdvisor
    2008-02-09 21:55 . 2008-02-09 21:55 <DIR> d C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2008-02-09 20:26 . 2008-02-17 17:12 <DIR> d C:\Documents and Settings\All Users\Application Data\McAfee
    2008-02-04 22:37 . 2008-02-04 22:37 1,040 --a C:\net_save.dna
    2008-02-04 22:35 . 2008-02-12 18:53 <DIR> d C:\Program Files\support.com
    2008-02-04 22:35 . 2008-02-04 22:35 <DIR> d C:\Documents and Settings\All Users\Application Data\Support.com

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-19 11:06 26,624 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
    2008-02-19 00:00 44,544 ----a-w C:\WINDOWS\Internet Logs\xDB1D.tmp
    2008-02-15 20:38 d w C:\Program Files\Pure Networks
    2008-02-15 20:38 d w C:\Program Files\Common Files\AOL
    2008-02-15 17:34 d w C:\Documents and Settings\All Users\Application Data\AOL
    2008-02-15 17:27 d w C:\Documents and Settings\Taneshia Ezeb\Application Data\AOL Office
    2008-02-15 17:02 d w C:\Program Files\Yahoo!
    2008-02-15 17:01 d w C:\Program Files\SBC Self Support Tool
    2008-02-12 23:55 d w C:\Documents and Settings\Taneshia Ezeb\Application Data\AOL
    2008-02-12 23:53 d w C:\Program Files\QuickTime
    2008-02-10 04:02 d w C:\Program Files\iTunes
    2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2004-02-26 03:53 65024 C:\WINDOWS\SOUNDMAN.EXE]
    "msci"="C:\DOCUME~1\Owner\LOCALS~1\Temp\200512813115_mcinfo.exe" [ ]
    "SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-06-15 15:17 699120]
    "THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2007-09-09 09:31 1046688]
    "Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2005-08-29 19:09 980736]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2004-08-04 05:00 53760 C:\WINDOWS\system32\narrator.exe]

    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
    SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "RamPrx"= {cf58a131-3203-404b-b665-9a0147578aac} - C:\WINDOWS\Installer\{cf58a131-3203-404b-b665-9a0147578aac}\RamPrx.dll [ ]
    "ComponentAlrt"= {c9e76493-b4bd-439e-bd7f-7337f6b122af} - C:\WINDOWS\Installer\{c9e76493-b4bd-439e-bd7f-7337f6b122af}\ComponentAlrt.dll [ ]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    DNSQueryTimeouts REG_MULTI_SZ 1 2 2 4 8 0

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
    backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL OOBE Updater.exe]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL OOBE Updater.exe
    backup=C:\WINDOWS\pss\AOL OOBE Updater.exeCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Taneshia Ezeb^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    path=C:\Documents and Settings\Taneshia Ezeb\Start Menu\Programs\Startup\LimeWire On Startup.lnk
    backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AolDesktopRmvMsg]
    C:\PROGRA~1\AOLDES~2\RmvMsg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
    C:\WINDOWS\avp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bsu4805e]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ChkDisk]
    C:\WINDOWS\system32\chk_disk.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ErrorGuard]
    C:\Program Files\ErrorGuard\ErrorGuard.Exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\links]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyShredder]
    C:\Program Files\SpyShredder\SpyShredder.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysProtect Free]
    C:\Program Files\SysProtect Free\USYP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
    C:\WINDOWS\system32\dumprep 0 -u

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]


    R0 Pnp680r;Silicon Image SiI 0680 Medley Raid Controller;C:\WINDOWS\system32\DRIVERS\pnp680r.sys [2002-09-03 07:50]
    R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-02-17 10:15]
    R3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9a354d6-3790-11da-9572-00038a000015}]
    \Shell\AutoRun\command - F:\GETMYPIX.EXE

    *Newly Created Service* - SBAPIFS
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-17 19:59:52 C:\WINDOWS\Tasks\McDefragTask.job"
    - c:\program files\mcafee\mqc\QcConsol.exe'
    "2008-02-17 19:59:50 C:\WINDOWS\Tasks\McQcTask.job"
    - c:\program files\mcafee\mqc\QcConsol.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-21 18:09:39
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    msci = C:\DOCUME~1\Owner\LOCALS~1\Temp\200512813115_mcinfo.exe /insfin?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????h????????(B???D?h??????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-02-21 18:12:05
    ComboFix-quarantined-files.txt 2008-02-21 23:11:38
    ComboFix2.txt 2008-02-19 01:01:08
    .
    2008-02-18 01:54:13 --- E O F ---


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:13:43 PM, on 2/21/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\WINDOWS\system32\svchost.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    c:\program files\mcafee\msc\mcupdui.exe
    C:\WINDOWS\system32\wscntfy.exe
    c:\program files\mcafee\msc\mcuimgr.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Owner\LOCALS~1\Temp\200512813115_mcinfo.exe /insfin
    O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKUS\S-1-5-19\..\Run: [foche] C:\WINDOWS\system32\jaqodw.exe reg_run (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [foche] C:\WINDOWS\system32\jaqodw.exe reg_run (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://locator1.cdn.imagesrvr.com
    O15 - Trusted IP range: http://66.230.*.*
    O15 - Trusted IP range: http://66.235.*.*
    O15 - Trusted IP range: http://69.31.*.*
    O15 - Trusted IP range: http://69.50.*.*
    O15 - Trusted IP range: http://205.177.*.*
    O16 - DPF: {103C6415-B5ED-6186-F775-02604646843B} - http://85.255.115.229/1/gdnUS1402.exe
    O16 - DPF: {1A28E79F-8C2A-4561-69A2-58EE6D5A5E05} - http://85.255.115.229/1/gdnUS210.exe
    O16 - DPF: {223BC6E3-CFDC-456F-33B1-2E1423E9B244} - http://85.255.115.229/1/gdnUS1402.exe
    O16 - DPF: {2B890B4D-10EC-11B5-D610-416131C5CA60} - http://85.255.115.229/1/gdnUS1402.exe
    O16 - DPF: {30EADC7E-2604-7F87-2C45-3C0D293F1571} - http://85.255.115.229/1/gdnUS1402.exe
    O16 - DPF: {343CE214-9998-4B21-A151-FFE970167297} (WebInstall Class) - http://xscanner.spyshredderscanner.com/setup/mae/webinst.cab
    O16 - DPF: {3B2571A9-2E7B-744C-7EE7-73880E623EDF} - http://85.255.115.229/1/gdnUS210.exe
    O16 - DPF: {42F6AB2D-2995-2597-61F6-2DBE023F9227} - http://85.255.115.229/1/gdnUS1402.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104845217375
    O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2006FreeInstall.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/sysprotect.com/scanner/pages/scanner/SysProtectScannerInstall.cab
    O21 - SSODL: RamPrx - {cf58a131-3203-404b-b665-9a0147578aac} - C:\WINDOWS\Installer\{cf58a131-3203-404b-b665-9a0147578aac}\RamPrx.dll (file missing)
    O21 - SSODL: ComponentAlrt - {c9e76493-b4bd-439e-bd7f-7337f6b122af} - C:\WINDOWS\Installer\{c9e76493-b4bd-439e-bd7f-7337f6b122af}\ComponentAlrt.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O24 - Desktop Component 0: (no name) - http://emailaccount.mail.everyone.net/email/scripts/attach.pl/uid=5541105055&pn=1&noInline=0&folder=INBOX/Unnamed

    --
    End of file - 9370 bytes
  • VekaVeka Finland
    edited February 2008
    You may want to print out these instructions or save them as a text file with Notepad to your desktop

    Step 1:


    Please do a system scan with HijackThis

    Check the boxes next to all the entries listed below

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKUS\S-1-5-19\..\Run: [foche] C:\WINDOWS\system32\jaqodw.exe reg_run (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [foche] C:\WINDOWS\system32\jaqodw.exe reg_run (User 'NETWORK SERVICE')
    O15 - Trusted Zone: http://locator1.cdn.imagesrvr.com
    O15 - Trusted IP range: http://66.230.*.*
    O15 - Trusted IP range: http://66.235.*.*
    O15 - Trusted IP range: http://69.31.*.*
    O15 - Trusted IP range: http://69.50.*.*
    O15 - Trusted IP range: http://205.177.*.*
    O16 - DPF: {103C6415-B5ED-6186-F775-02604646843B} - http://85.255.115.229/1/gdnUS1402.exe
    O16 - DPF: {1A28E79F-8C2A-4561-69A2-58EE6D5A5E05} - http://85.255.115.229/1/gdnUS210.exe
    O16 - DPF: {223BC6E3-CFDC-456F-33B1-2E1423E9B244} - http://85.255.115.229/1/gdnUS1402.exe
    O16 - DPF: {2B890B4D-10EC-11B5-D610-416131C5CA60} - http://85.255.115.229/1/gdnUS1402.exe
    O16 - DPF: {30EADC7E-2604-7F87-2C45-3C0D293F1571} - http://85.255.115.229/1/gdnUS1402.exe
    O16 - DPF: {343CE214-9998-4B21-A151-FFE970167297} (WebInstall Class) - http://xscanner.spyshredderscanner.c...ae/webinst.cab
    O16 - DPF: {3B2571A9-2E7B-744C-7EE7-73880E623EDF} - http://85.255.115.229/1/gdnUS210.exe
    O16 - DPF: {42F6AB2D-2995-2597-61F6-2DBE023F9227} - http://85.255.115.229/1/gdnUS1402.exe
    O16 - DPF: {343CE214-9998-4B21-A151-FFE970167297} (WebInstall Class) - http://xscanner.spyshredderscanner.c...ae/webinst.cab
    O16 - DPF: {3B2571A9-2E7B-744C-7EE7-73880E623EDF} - http://85.255.115.229/1/gdnUS210.exe
    O16 - DPF: {42F6AB2D-2995-2597-61F6-2DBE023F9227} - http://85.255.115.229/1/gdnUS1402.exe
    O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/...reeInstall.cab
    O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/si...nerInstall.cab
    O21 - SSODL: RamPrx - {cf58a131-3203-404b-b665-9a0147578aac} - C:\WINDOWS\Installer\{cf58a131-3203-404b-b665-9a0147578aac}\RamPrx.dll (file missing)
    O21 - SSODL: ComponentAlrt - {c9e76493-b4bd-439e-bd7f-7337f6b122af} - C:\WINDOWS\Installer\{c9e76493-b4bd-439e-bd7f-7337f6b122af}\ComponentAlrt.dll (file missing)


    Now close all windows/programs other than HiJackThis (including web browsers). Click Fix Checked.


    After that we need to run CFScript again.

    Step 2:

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.
    2. Now copy/paste the entire content of the codebox below into the Notepad window:
    File::
    C:\WINDOWS\system32\jaqodw.exe
    C:\WINDOWS\system32\chk_disk.exe
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "RamPrx"=-
    "ComponentAlrt"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bsu4805e]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ChkDisk]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ErrorGuard]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\links]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyShredder]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysProtect Free]
    
    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    CFScript.gif


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
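The "check these boxes" list in Step 1 above is a set of recurring judgements about HijackThis entry classes. As an added example (not code from the thread, HijackThis or ComboFix), the Python below encodes those judgements as a small scorer; the sample log lines are constructed from the log posted above, and the Temp-folder rule for O4 entries goes one step beyond what the helper listed.

```python
"""Triage a HijackThis v2 log for the entry classes a malware-removal helper
would single out.  Added example, not code from the thread, HijackThis or
ComboFix.  The rules mirror the entries the helper asked to have fixed:

  * O4 Run entries under the service hives S-1-5-19 / S-1-5-20
  * O15 trusted-zone sites and trusted IP ranges (every one is reviewed)
  * O16 DPF (ActiveX) installs fetched from a bare IP address
  * O21 SSODL entries whose DLL is "(file missing)"
  * O3 toolbar CLSIDs with "(no file)"

One rule goes beyond the helper's list: O4 entries launching from a Temp
folder are flagged for review.  R-entries (hijacked search URLs) need a
human judgement about the domain and are left alone here.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

SERVICE_SIDS = ("S-1-5-19", "S-1-5-20")      # LOCAL SERVICE, NETWORK SERVICE
_LINE = re.compile(r"^([OR]\d+) - (.*)$")     # "O16 - DPF: ..." -> ("O16", "DPF: ...")
_TRAILING_URL = re.compile(r" - (https?://\S+)$")
_TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O16"
    reason: str    # why a helper would look at it
    line: str      # the log line itself


def is_bare_ip_host(url: str) -> bool:
    """True when the URL's host is a literal IPv4/IPv6 address, not a name."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious HijackThis line, else None."""
    line = line.strip()
    m = _LINE.match(line)
    if not m:
        return None
    section, body = m.groups()
    if section == "O4":
        if any(sid in body for sid in SERVICE_SIDS):
            return Finding(section, "Run entry under a service-account hive", line)
        if _TEMP_DIR.search(body):
            return Finding(section, "Run entry launching from a Temp folder", line)
    elif section == "O15":
        return Finding(section, "IE Trusted Zone site or trusted IP range", line)
    elif section == "O16":
        u = _TRAILING_URL.search(body)
        if u and is_bare_ip_host(u.group(1)):
            return Finding(section, "ActiveX install fetched from a bare IP", line)
    elif section == "O21" and body.endswith("(file missing)"):
        return Finding(section, "SSODL entry pointing at a missing DLL", line)
    elif section == "O3" and body.endswith("(no file)"):
        return Finding(section, "Toolbar CLSID with no backing file", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run classify() over every line of a log and keep the hits, in order."""
    return [f for f in map(classify, log_text.splitlines()) if f is not None]


def count_by_section(findings: List[Finding]) -> dict:
    """Summary {section: hit count} for the 'check these boxes' reply."""
    counts: dict = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


# Constructed sample: a handful of lines taken from the log posted above.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Owner\LOCALS~1\Temp\200512813115_mcinfo.exe /insfin
O4 - HKUS\S-1-5-19\..\Run: [foche] C:\WINDOWS\system32\jaqodw.exe reg_run (User 'LOCAL SERVICE')
O15 - Trusted IP range: http://66.230.*.*
O16 - DPF: {103C6415-B5ED-6186-F775-02604646843B} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104845217375
O21 - SSODL: RamPrx - {cf58a131-3203-404b-b665-9a0147578aac} - C:\WINDOWS\Installer\{cf58a131-3203-404b-b665-9a0147578aac}\RamPrx.dll (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
"""

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
    print(count_by_section(hits))
```

Entries the scorer does not flag (the O23 services, the Zone Labs O4 line) still need a human look; the point is to surface the classes a helper reliably acts on first.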
  • edited February 2008
    ComboFix 08-02-18.1 - Taneshia Ezeb 2008-02-23 11:47:53.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.49 [GMT -5:00]
    Running from: C:\Documents and Settings\Taneshia Ezeb\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Taneshia Ezeb\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\system32\chk_disk.exe
    C:\WINDOWS\system32\jaqodw.exe
    .

    ((((((((((((((((((((((((( Files Created from 2008-01-23 to 2008-02-23 )))))))))))))))))))))))))))))))
    .

    2008-02-23 11:36 . 2008-02-23 11:36 <DIR> d C:\WINDOWS\LastGood
    2008-02-23 11:24 . 2008-02-23 11:24 34,360 --a C:\WINDOWS\system32\drivers\sbapifs.sys
    2008-02-18 19:06 . 2008-02-18 19:07 <DIR> d C:\WINDOWS\ERUNT
    2008-02-18 18:55 . 2008-02-18 19:33 <DIR> d C:\SDFix
    2008-02-17 21:11 . 2008-02-17 21:11 <DIR> d C:\Program Files\Lavasoft
    2008-02-17 20:51 . 2005-02-24 22:35 22,752 --a C:\WINDOWS\system32\spupdsvc.exe
    2008-02-17 20:51 . 2008-02-17 20:54 1,374 --a C:\WINDOWS\imsins.BAK
    2008-02-17 20:24 . 2008-02-17 20:24 <DIR> d C:\Program Files\Trend Micro
    2008-02-17 20:23 . 2007-10-28 10:19 812,344 --a C:\HJTInstall.exe
    2008-02-17 20:06 . 2008-02-17 20:06 354 --a C:\WINDOWS\wininit.ini
    2008-02-17 18:51 . 2008-02-18 19:02 <DIR> d C:\Program Files\Spybot - Search & Destroy
    2008-02-17 18:51 . 2008-02-18 18:50 <DIR> d C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-17 17:27 . 2008-02-17 17:29 4,212 ---h C:\WINDOWS\system32\zllictbl.dat
    2008-02-17 17:26 . 2008-02-17 17:27 <DIR> d C:\WINDOWS\system32\ZoneLabs
    2008-02-17 17:26 . 2008-02-17 17:26 <DIR> d C:\Program Files\Zone Labs
    2008-02-17 17:26 . 2008-02-23 11:30 31,767 --ah C:\WINDOWS\system32\vsconfig.xml
    2008-02-17 17:23 . 2008-02-23 11:30 <DIR> d C:\WINDOWS\Internet Logs
    2008-02-17 17:13 . 2008-02-17 17:13 <DIR> d C:\Documents and Settings\Taneshia Ezeb\Application Data\Grisoft
    2008-02-17 15:54 . 2008-02-17 15:54 <DIR> d C:\Documents and Settings\Administrator\Application Data\Grisoft
    2008-02-17 15:53 . 2008-02-17 15:53 <DIR> d C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-02-17 15:53 . 2007-05-30 07:10 10,872 --a C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2008-02-17 15:50 . 2008-02-17 15:50 <DIR> d C:\Documents and Settings\Administrator\Application Data\URSoft
    2008-02-17 15:00 . 2006-12-22 16:02 170,408 --a C:\WINDOWS\system32\drivers\mfehidk.sys
    2008-02-17 15:00 . 2007-03-02 14:16 109,608 --a C:\WINDOWS\system32\drivers\Mpfp.sys
    2008-02-17 15:00 . 2006-12-22 16:02 71,496 --a C:\WINDOWS\system32\drivers\mfeavfk.sys
    2008-02-17 15:00 . 2006-12-22 16:02 37,480 --a C:\WINDOWS\system32\drivers\mfesmfk.sys
    2008-02-17 15:00 . 2006-12-22 16:02 34,184 --a C:\WINDOWS\system32\drivers\mfebopk.sys
    2008-02-17 15:00 . 2006-12-22 16:02 32,008 --a C:\WINDOWS\system32\drivers\mferkdk.sys
    2008-02-17 14:58 . 2008-02-17 14:59 <DIR> d C:\Program Files\McAfee.com
    2008-02-17 14:58 . 2008-02-17 17:12 <DIR> d C:\Program Files\McAfee
    2008-02-17 14:58 . 2008-02-17 15:00 <DIR> d C:\Program Files\Common Files\McAfee
    2008-02-17 14:26 . 2008-02-17 21:11 <DIR> d C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-02-17 14:23 . 2008-02-17 14:23 <DIR> d C:\Program Files\Common Files\Wise Installation Wizard
    2008-02-17 11:15 . 2008-02-17 11:15 <DIR> d C:\Documents and Settings\Administrator\Application Data\Sunbelt Software
    2008-02-17 10:19 . 2001-08-17 13:48 12,160 --a C:\WINDOWS\system32\drivers\mouhid.sys
    2008-02-17 10:19 . 2001-08-17 13:48 12,160 --a C:\WINDOWS\system32\dllcache\mouhid.sys
    2008-02-17 10:15 . 2008-02-17 10:15 15,544 --a C:\WINDOWS\system32\drivers\sbhr.sys
    2008-02-15 14:21 . 2008-02-15 14:21 0 --a C:\WINDOWS\system32\SBRC.dat
    2008-02-15 14:21 . 2008-02-15 14:21 0 --a C:\WINDOWS\system32\SBFC.dat
    2008-02-15 14:20 . 2008-02-15 14:20 <DIR> d C:\Documents and Settings\Taneshia Ezeb\Application Data\Sunbelt Software
    2008-02-15 14:19 . 2008-02-15 14:19 <DIR> d C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    2008-02-15 14:15 . 2008-02-15 14:15 <DIR> d C:\Program Files\Sunbelt Software
    2008-02-15 14:08 . 2008-02-15 14:11 <DIR> d C:\Program Files\Your Uninstaller 2008
    2008-02-15 14:08 . 2008-02-15 14:08 <DIR> d C:\Documents and Settings\Taneshia Ezeb\Application Data\URSoft
    2008-02-15 14:08 . 2008-02-18 18:45 <DIR> d-a C:\Documents and Settings\All Users\Application Data\TEMP
    2008-02-15 14:06 . 2008-02-15 14:06 <DIR> d C:\Documents and Settings\Taneshia Ezeb\Application Data\Leadertech
    2008-02-15 14:04 . 2008-02-15 14:05 <DIR> d C:\Program Files\Executive Software
    2008-02-15 14:03 . 2008-02-15 14:03 <DIR> d C:\VundoFix Backups
    2008-02-15 14:00 . 2008-02-15 14:00 <DIR> d C:\Documents and Settings\Taneshia Ezeb\Application Data\TrojanHunter
    2008-02-12 20:58 . 2008-02-17 21:12 <DIR> d C:\Program Files\SpywareGuard
    2008-02-12 20:57 . 2008-02-12 20:57 <DIR> d C:\Program Files\SpywareBlaster
    2008-02-12 20:03 . 2008-02-12 20:03 <DIR> d C:\Documents and Settings\Administrator\Application Data\TrojanHunter
    2008-02-12 19:22 . 2008-02-17 15:55 <DIR> d C:\Program Files\TrojanHunter 5.0
    2008-02-12 19:19 . 2008-02-12 19:19 <DIR> d C:\Program Files\CCleaner
    2008-02-12 19:04 . 2008-02-12 19:04 <DIR> d C:\Program Files\microsoft frontpage
    2008-02-12 18:41 . 2005-01-04 08:26 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
    2008-02-12 18:41 . 2005-01-04 09:50 <DIR> d C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
    2008-02-12 18:41 . 2008-02-12 18:53 <DIR> d C:\Documents and Settings\Administrator\Application Data\GTek
    2008-02-12 18:41 . 2005-01-24 16:10 <DIR> d C:\Documents and Settings\Administrator\Application Data\AOL
    2008-02-10 12:27 . 2008-02-10 12:27 <DIR> dr C:\Documents and Settings\All Users\Documents
    2008-02-09 21:55 . 2008-02-09 21:57 <DIR> d C:\Program Files\SiteAdvisor
    2008-02-09 21:55 . 2008-02-09 21:55 <DIR> d C:\Documents and Settings\Taneshia Ezeb\Application Data\SiteAdvisor
    2008-02-09 21:55 . 2008-02-09 21:55 <DIR> d C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2008-02-09 20:26 . 2008-02-17 17:12 <DIR> d C:\Documents and Settings\All Users\Application Data\McAfee
    2008-02-04 22:37 . 2008-02-04 22:37 1,040 --a C:\net_save.dna
    2008-02-04 22:35 . 2008-02-12 18:53 <DIR> d C:\Program Files\support.com
    2008-02-04 22:35 . 2008-02-04 22:35 <DIR> d C:\Documents and Settings\All Users\Application Data\Support.com

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-19 11:06 26,624 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
    2008-02-19 00:00 44,544 ----a-w C:\WINDOWS\Internet Logs\xDB1D.tmp
    2008-02-15 20:38 d w C:\Program Files\Pure Networks
    2008-02-15 20:38 d w C:\Program Files\Common Files\AOL
    2008-02-15 17:34 d w C:\Documents and Settings\All Users\Application Data\AOL
    2008-02-15 17:27 d w C:\Documents and Settings\Taneshia Ezeb\Application Data\AOL Office
    2008-02-15 17:02 d w C:\Program Files\Yahoo!
    2008-02-15 17:01 d w C:\Program Files\SBC Self Support Tool
    2008-02-12 23:55 d w C:\Documents and Settings\Taneshia Ezeb\Application Data\AOL
    2008-02-12 23:53 d w C:\Program Files\QuickTime
    2008-02-10 04:02 d w C:\Program Files\iTunes
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2004-02-26 03:53 65024 C:\WINDOWS\SOUNDMAN.EXE]
    "msci"="C:\DOCUME~1\Owner\LOCALS~1\Temp\200512813115_mcinfo.exe" [ ]
    "SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-06-15 15:17 699120]
    "THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2007-09-09 09:31 1046688]
    "Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2005-08-29 19:09 980736]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2004-08-04 05:00 53760 C:\WINDOWS\system32\narrator.exe]

    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
    SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    DNSQueryTimeouts REG_MULTI_SZ 1 2 2 4 8 0

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
    backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL OOBE Updater.exe]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL OOBE Updater.exe
    backup=C:\WINDOWS\pss\AOL OOBE Updater.exeCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Taneshia Ezeb^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    path=C:\Documents and Settings\Taneshia Ezeb\Start Menu\Programs\Startup\LimeWire On Startup.lnk
    backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AolDesktopRmvMsg]
    C:\PROGRA~1\AOLDES~2\RmvMsg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
    C:\WINDOWS\system32\dumprep 0 -u

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]


    R0 Pnp680r;Silicon Image SiI 0680 Medley Raid Controller;C:\WINDOWS\system32\DRIVERS\pnp680r.sys [2002-09-03 07:50]
    R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-02-17 10:15]
    S3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys [2008-02-23 11:24]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9a354d6-3790-11da-9572-00038a000015}]
    \Shell\AutoRun\command - F:\GETMYPIX.EXE

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-17 19:59:52 C:\WINDOWS\Tasks\McDefragTask.job"
    - c:\program files\mcafee\mqc\QcConsol.exe'
    "2008-02-17 19:59:50 C:\WINDOWS\Tasks\McQcTask.job"
    - c:\program files\mcafee\mqc\QcConsol.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-23 11:52:42
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    msci = C:\DOCUME~1\Owner\LOCALS~1\Temp\200512813115_mcinfo.exe /insfin?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????h????????(B???D?h??????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-02-23 11:55:44
    ComboFix-quarantined-files.txt 2008-02-23 16:55:33
    ComboFix2.txt 2008-02-21 23:12:07
    ComboFix3.txt 2008-02-19 01:01:08
    .
    2008-02-21 23:20:02 --- E O F ---


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:00:42 PM, on 2/23/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\WINDOWS\system32\svchost.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Owner\LOCALS~1\Temp\200512813115_mcinfo.exe /insfin
    O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://locator1.cdn.imagesrvr.com
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104845217375
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O24 - Desktop Component 0: (no name) - http://emailaccount.mail.everyone.net/email/scripts/attach.pl/uid=5541105055&pn=1&noInline=0&folder=INBOX/Unnamed

    --
    End of file - 7029 bytes
  • VekaVeka Finland
    edited February 2008
    You may want to print out these instructions or save them as a text file with Notepad to your desktop because we will be restarting into Safe Mode later on in the fix.

    Step 1:


    Do a system scan with HijackThis, and check the boxes next to all the entries listed below

    O15 - Trusted Zone: http://locator1.cdn.imagesrvr.com

    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

    Step 2:

    Please download to your Desktop

    ATF Cleaner
    AVG Anti-Spyware


    Step 3:

    Run ATF Cleaner
    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    Step 4:

    Install and update AVG Anti-Spyware

    After the installation, a free 30-day trial version containing all the extensions of the full version will be activated. At the end of the trial, these extensions will be deactivated and the program will turn into a feature-limited freeware version.
    • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
    • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
    • On the main screen select the icon "Update" then select the "Update now" link.
      • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    • Under "Reports"
      • Select "Do not automatically generate report"
      • Un-Select "Only if threats were found"
    Close AVG Anti-Spyware. Do not run a scan just yet; we will shortly.

    Step 5:

    Next, please reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    Step 6:

    Important: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process.
    • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
    • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
    • AVG Anti-Spyware will now begin the scanning process; be patient, this may take a little time.

      Once the scan is complete do the following:
    • If you have any infections you will be prompted, then select "Apply all actions"
    • Next select the "Reports" icon at the top.
    • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan, along with a new HijackThis.

    Let me know also how your computer is running. :)
  • edited February 2008
    I forgot to scan in safe mode first. Here is the log that was generated during normal mode. During the safe mode scan nothing was found. The system starts up slow. I've removed several of the spyware programs that start during startup. It says that no action was taken but I selected quarantine. Also on the desktop there is a real small window with a red "x" in it. Maybe that's the program that's causing the system to run slow.

    AVG Anti-Spyware - Scan Report

    + Created at: 6:05:24 PM 2/23/2008

    + Scan result:



    C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP1\A0000003.exe -> Downloader.Alphabet : No action taken.
    C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP1\A0000004.exe -> Downloader.Alphabet : No action taken.
    C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP1\A0000005.exe -> Downloader.Alphabet : No action taken.
    C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP1\A0000006.exe -> Downloader.Alphabet : No action taken.
    C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP1\A0000007.exe -> Downloader.Alphabet : No action taken.
    C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP1\A0000008.exe -> Downloader.Alphabet : No action taken.
    C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP1\A0000009.exe -> Downloader.Alphabet : No action taken.
    C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP1\A0000010.exe -> Downloader.Alphabet : No action taken.
    C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP1\A0000011.exe -> Downloader.Alphabet : No action taken.
    C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP1\A0000012.exe -> Downloader.Alphabet : No action taken.
    C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP1\A0000013.exe -> Downloader.Alphabet : No action taken.
    C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP1\A0000014.dll -> Trojan.Dialer.yz : No action taken.


    ::Report end

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:08:23 PM, on 2/23/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\WINDOWS\system32\svchost.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\McAfee\MSC\mcregist.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Owner\LOCALS~1\Temp\200512813115_mcinfo.exe /insfin
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104845217375
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O24 - Desktop Component 0: (no name) - http://emailaccount.mail.everyone.net/email/scripts/attach.pl/uid=5541105055&pn=1&noInline=0&folder=INBOX/Unnamed

    --
    End of file - 6492 bytes
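    As an added example (not part of the original thread, and not code from HijackThis or AVG), here is a small Python triage script that parses the two log formats posted above: the `O4` autorun lines of a HijackThis log and the `path -> threat : action` lines of an AVG Anti-Spyware report. It applies two heuristics a log helper uses when reading them: an autorun launched from a Temp directory is worth a closer look, and detections whose path sits under `System Volume Information\_restore{...}` live inside System Restore snapshots, which is why the usual follow-up is to disable and re-enable System Restore rather than to treat the machine as still infected. The sample lines are constructed from the shapes of the logs in this thread; a hit from the Temp heuristic is a prompt to investigate, not a verdict, and the helper in the thread judged this log clean.

```python
"""Triage helper for HijackThis (HJT) logs and AVG Anti-Spyware scan reports.

Added example for this thread; the heuristics are the editor's, not the tools'.
"""
import re
from dataclasses import dataclass

# Constructed sample lines in the same format as the log posted in the thread.
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Owner\LOCALS~1\Temp\200512813115_mcinfo.exe /insfin
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Constructed sample report: two restore-point hits from the thread plus one
# made-up detection outside a restore point, to show the distinction.
SAMPLE_AVG_REPORT = r"""
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP1\A0000003.exe -> Downloader.Alphabet : No action taken.
C:\System Volume Information\_restore{94249F6F-DC54-49CD-9348-3D9C85437377}\RP1\A0000014.dll -> Trojan.Dialer.yz : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\sample.exe -> Constructed.Sample : No action taken.
"""


@dataclass(frozen=True)
class Autorun:
    hive: str      # e.g. HKLM, HKCU, HKUS\S-1-5-18
    key: str       # Run, RunOnce, ...
    name: str      # registry value name HJT shows in [brackets]
    command: str   # command line as HJT printed it


@dataclass(frozen=True)
class Detection:
    path: str
    threat: str
    action: str


# HJT autorun line:   O4 - HKLM\..\Run: [Name] C:\path\prog.exe /args
_O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
# AVG report line:    C:\path\file.exe -> Threat.Name : Action taken.
_AVG_RE = re.compile(r"^(?P<path>.+?) -> (?P<threat>.+?) : (?P<action>.+?)\.?$")


def parse_autoruns(log_text):
    """Return every O4 autorun entry found in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = _O4_RE.match(line.strip())
        if m:
            entries.append(Autorun(m["hive"], m["key"], m["name"], m["command"]))
    return entries


def is_temp_path(command):
    """True if the program is launched from a Temp directory (long or 8.3 form)."""
    exe = command.lower().split(" /")[0]   # drop trailing switches such as /insfin
    return "\\temp\\" in exe or exe.startswith("%temp%")


def suspicious_autoruns(log_text):
    """Autoruns whose target lives in Temp: worth reviewing, not automatically bad."""
    return [a for a in parse_autoruns(log_text) if is_temp_path(a.command)]


def parse_scan_report(report_text):
    """Return every detection line of an AVG Anti-Spyware report."""
    hits = []
    for line in report_text.splitlines():
        m = _AVG_RE.match(line.strip())
        if m:
            hits.append(Detection(m["path"], m["threat"], m["action"]))
    return hits


def in_restore_point(path):
    """True if the file sits inside a System Restore snapshot directory."""
    return "\\system volume information\\_restore{" in path.lower()


def triage(log_text, report_text):
    """Summarise what a log helper would say about the two logs."""
    temp_autoruns = suspicious_autoruns(log_text)
    hits = parse_scan_report(report_text)
    restore_hits = [h for h in hits if in_restore_point(h.path)]
    live_hits = [h for h in hits if not in_restore_point(h.path)]
    advice = []
    if temp_autoruns:
        advice.append("review autoruns launched from Temp: "
                      + ", ".join(a.name for a in temp_autoruns))
    if live_hits:
        advice.append("detections outside restore points: keep cleaning")
    if restore_hits:
        advice.append("detections inside System Restore snapshots: "
                      "disable and re-enable System Restore to purge them")
    return {"temp_autoruns": temp_autoruns,
            "restore_point_hits": len(restore_hits),
            "live_hits": len(live_hits),
            "advice": advice}


if __name__ == "__main__":
    for line in triage(SAMPLE_HJT_LOG, SAMPLE_AVG_REPORT)["advice"]:
        print("-", line)
```

    Run it as-is to triage the constructed samples, or replace the two sample strings with a pasted log and report. The restore-point check is the reason the cleanup advice later in this thread includes disabling and re-enabling System Restore: a scanner cannot clean files inside those snapshots, so they keep showing up as "No action taken" until the snapshots are discarded.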
  • VekaVeka Finland
    edited February 2008
    Your logs looks clean now.

    Any idea how you got infected?


    Please do an online scan with Kaspersky Online Scanner (to make sure)

    Click on Accept

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
        Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.
    • Copy and paste that information in your next post.
  • edited February 2008
    The scan turned up nothing! It appears the speed issue had to do with all of the anti-spyware programs that were loading at startup. I removed about 80% of them and now the system is running like a well oiled machine! Thanks for all of your help!
  • VekaVeka Finland
    edited February 2008
    That's good. But I need to see the log, please. Can you post it? :)
  • VekaVeka Finland
    edited February 2008
    Are you there, gotdatya. :)
  • edited February 2008
    I'm sorry! I haven't checked the site since my last post. I didn't save the post since it didn't find anything. Sorry!
  • VekaVeka Finland
    edited March 2008
    Instead of running away, please let us know if you don't need any more assistance. :)
  • VekaVeka Finland
    edited March 2008
    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

    For the cookies issue, see here

    Next we remove all used tools.

    Please download OTMoveIt2 and save it to desktop.
    • Double-click OTMoveIt2.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes; if not, delete it yourself.
    Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt2 attempting to contact the internet, please allow it to do so.
    • Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

      You can find instructions on how to enable and re-enable system restore here:

      Windows XP System Restore Guide
    Re-enable system restore with instructions from the tutorial above
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
    • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
    • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
    • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:

      Using SpywareBlaster to protect your computer from Spyware and Malware

    • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.

    Here are some additional utilities that will enhance your safety
    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites, etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    • Comodo BOCLEAN <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
    • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:

      Using Winpatrol to protect your computer from malicious software
    Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

    The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

    Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

    Happy surfing and stay clean!