
I can't use any Antivirus!

Discussion in 'Malware and Virus Removal Archive' started by snow rose, 2008/06/12.

  1. 2008/06/12
    snow rose (Thread Starter)
    Hi everyone,

    I have a virus in my computer.
    When I install any antivirus, I can't use the computer,
    but when I uninstall the antivirus I can use it.

    Please help!

    And this is the report:
    ------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 02:32:41 م, on 12/06/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\igfxpers.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R3 - URLSearchHook: Yahoo! ¤u¨م¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: swsxachu.dll - {13FD5987-65D2-C58D-D87E-987451F12531} - C:\WINDOWS\System32\swsxachu.dll
    O2 - BHO: opshbbty.dll - {22596546-2036-9451-6058-658402589722} - C:\WINDOWS\System32\opshbbty.dll
    O2 - BHO: rijxbkin.dll - {25FD6584-698F-BCD2-602C-698745210352} - C:\WINDOWS\System32\rijxbkin.dll
    O2 - BHO: lassaplo.dll - {2B69874A-C58C-458D-69F0-698F874E41B2} - C:\WINDOWS\System32\lassaplo.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: skqncbib.dll - {32023698-6984-8541-9654-698745012523} - C:\WINDOWS\System32\skqncbib.dll
    O2 - BHO: yxcschlp.dll - {35671234-7890-ABCD-CDEF-567801237653} - C:\WINDOWS\System32\yxcschlp.dll
    O2 - BHO: nhmxcjkl.dll - {37AC9076-C898-B098-D098-A18319080973} - C:\WINDOWS\System32\nhmxcjkl.dll
    O2 - BHO: lijzclit.dll - {3C954872-1230-6541-9548-6541025884C3} - C:\WINDOWS\System32\lijzclit.dll
    O2 - BHO: oswxdttb.dll - {43512378-9874-5641-1025-985420368734} - C:\WINDOWS\System32\oswxdttb.dll
    O2 - BHO: mpwddapi.dll - {45694105-5108-9405-3695-954187462154} - C:\WINDOWS\System32\mpwddapi.dll
    O2 - BHO: mpmydapi.dll - {4629FF4F-ACDB-5C90-A098-FACB3456A264} - C:\WINDOWS\System32\mpmydapi.dll
    O2 - BHO: apsgdjba.dll - {4FD45A54-9875-698F-E56E-65102358FDF4} - C:\WINDOWS\System32\apsgdjba.dll (file missing)
    O2 - BHO: zptlcsys.dll - {50940F85-F015-14F1-A05F-F69858AC6D05} - C:\WINDOWS\System32\zptlcsys.dll
    O2 - BHO: ptjhehlp.dll - {528DF602-9541-A985-210A-984A698C6F25} - C:\WINDOWS\System32\ptjhehlp.dll
    O2 - BHO: pjjxedwd.dll - {54FAE856-AD58-20CB-A025-CD4895FA6E45} - C:\WINDOWS\System32\pjjxedwd.dll
    O2 - BHO: ozfyebyt.dll - {5A069845-2036-6084-9054-6087502480A5} - C:\WINDOWS\System32\ozfyebyt.dll
    O2 - BHO: apsgejba.dll - {5FD45A54-9875-698F-E56E-65102358FDF5} - C:\WINDOWS\System32\apsgejba.dll
    O2 - BHO: zywmfime.dll - {6319A1F1-9410-9654-3201-345FFA349136} - C:\WINDOWS\System32\zywmfime.dll (file missing)
    O2 - BHO: zywmgime.dll - {7319A1F1-9410-9654-3201-345FFA349137} - C:\WINDOWS\System32\zywmgime.dll
    O2 - BHO: mnmhgsrv.dll - {7C8D1401-A58D-A81C-CD24-A5915C4517C7} - C:\WINDOWS\System32\mnmhgsrv.dll
    O2 - BHO: ypdjfbmp.dll - {81954FAC-1023-154F-895A-1458258AD818} - C:\WINDOWS\System32\ypdjfbmp.dll (file missing)
    O2 - BHO: yxfhcjpg.dll - {83BA45AF-FAAA-CDDD-BEEE-BCDE1234AB38} - C:\WINDOWS\System32\yxfhcjpg.dll
    O2 - BHO: zxptejpg.dll - {91698482-6555-3666-1222-954784129019} - C:\WINDOWS\System32\zxptejpg.dll (file missing)
    O2 - BHO: ypdjgbmp.dll - {91954FAC-1023-154F-895A-1458258AD819} - C:\WINDOWS\System32\ypdjgbmp.dll
    O2 - BHO: yzztimsn.dll - {9490415F-65F8-B5C5-D8BA-9405FB120549} - C:\WINDOWS\System32\yzztimsn.dll
    O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! ¤u¨م¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O17 - HKLM\System\CCS\Services\Tcpip\..\{45E890EC-2E69-4BB8-9096-657E7C13A6B2}: NameServer = 66.11.234.90,66.11.234.91
    O20 - AppInit_DLLs: hjk.dll,gjbhr.dll,ilkyu.dll,yukevg.dll,sergy.dll,ergfwe.dll,hffgth.dll,tyjert.dll,rthkyuk.dll,jkjkll.dll,ghjyer.dll,kergt.dll,fgthde.dll,losdf.dll,gfcfg.dll,reger.dll,hrergh.dll,frntrn.dll,qrhhb.dll,drghszd.dll,fngn.dll,gnfctt.dll,xgnfn.dll,xfgnhcgfm.dll,serger.dll,bnxnb.dll,fxgnfx.dll,jzijj.dll,xfgnfx.dll,serghjm.dll,thsddh.dll,xbcvxb.dll,zfdzb.dll,xdndn.dll,xdfntt.dll,hgfhk.dll,dnteh.dll,xfng.dll,njritc.dll,chmfcmh.dll,jwlah.dll,gmnait.dll,hfjg.dll,thurh.dll,mgmgmm.dll,oqrthc.dll,wergjuk.dll,jyjlt.dll,ijatnaw.dll,sehhter.dll,fhjfg.dll,zdbdb.dll,ydgn.dll,dbfb.dll,fjnbv.dll,grgrjj.dll,setrhes.dll,cdxbfxdb.dll,xfgnxfn.dll,gjkhj.dll,xdhdg.dll,rhs.dll,mrjhtjd.dll,zdbfbd.dll,fjyjy.dll,fxnfnh.dll,bjrvm.dll,ektvm.dll,ghthhh.dll,yjrfe.dll,dscef.dll,crugd.dll,lariytrz.dll,hjaiq.dll,kduy.dll,hkfgh.dll,awef.dll,dfhsh.dll,ethsh.dll,stehs.dll,sthth.dll,wfhyt.dll,rgghjj.dll,ghjkdr.dll,hfther.dll,
    O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
    O21 - SSODL: JavaView - {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    --
    End of file - 7711 bytes


    --------------------------------
     
  2. 2008/06/12
    Geri
    Hi snow rose
    Wow :eek:

    You have a password stealer. see here.
    http://www.castlecops.com/CLSID.html

    I would suggest you change all passwords using a Non-infected computer (Not this one) and refrain from any credit card or financial dealings until clean. If you do any financial dealings with this computer Contact any credit card or banks for possible fraud on your account.

    Please do the following in the order given.

    Now download Malwarebytes' Anti-Malware (MBAM) from here or here and save the file to your desktop.

    Double click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select 'Perform Quick Scan', then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note below)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Post the entire report in your next reply along with a fresh HijackThis log.

    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    Now this.

    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

    Please post the MBAM log and the Combofix log.

    Thanks
    Geri
     
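    The indicators Geri read off the log by eye can be checked mechanically. The script below is an added example for this thread, not HijackThis, Malwarebytes or ComboFix code: it parses the O2, O17, O20 and O21 lines of a HijackThis 2.0 log, flags BHOs that carry no product name (only their own DLL name) or point at a missing file, any non-empty AppInit_DLLs value (those DLLs are mapped into every process that loads user32.dll, including winlogon.exe and lsass.exe, which is exactly where the ComboFix log later in the thread finds tuker.dll), SSODL entries, and explicitly configured DNS servers. The input is a constructed excerpt shortened from the first post's log; the DLL-name regex and the "needs review" rules are assumptions, not a signature database.

```python
"""Triage a HijackThis 2.0 log for the persistence indicators discussed above.
Added example for this thread; not HijackThis, Malwarebytes or ComboFix code.
The heuristics and the DLL-name regex are assumptions, not a signature database."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt, shortened from the HijackThis log in the first post.
SAMPLE_LOG = r"""
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: swsxachu.dll - {13FD5987-65D2-C58D-D87E-987451F12531} - C:\WINDOWS\System32\swsxachu.dll
O2 - BHO: apsgdjba.dll - {4FD45A54-9875-698F-E56E-65102358FDF4} - C:\WINDOWS\System32\apsgdjba.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{45E890EC-2E69-4BB8-9096-657E7C13A6B2}: NameServer = 66.11.234.90,66.11.234.91
O20 - AppInit_DLLs: hjk.dll,gjbhr.dll,ilkyu.dll,yukevg.dll,sergy.dll,ergfwe.dll
O21 - SSODL: JavaView - {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
"""

HJT_LINE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.*)$")
BHO_BODY = re.compile(
    r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# Assumed shape of the dropper's file names in this log: 5-8 lowercase letters.
RANDOM_DLL = re.compile(r"^[a-z]{5,8}\.dll$")


@dataclass
class Finding:
    code: str        # HijackThis section, e.g. "O2"
    reasons: list    # why the line was flagged
    detail: str      # the entry itself


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def check_bho(body):
    """O2: Browser Helper Objects are DLLs loaded into every Internet Explorer process."""
    m = BHO_BODY.match(body)
    if not m:
        return None
    name, path, base = m["name"], m["path"], _basename(m["path"])
    reasons = []
    if name.lower() == base.lower():
        reasons.append("BHO carries no product name, only its own DLL name")
    if "\\system32\\" in path.lower() and RANDOM_DLL.match(base.lower()):
        reasons.append("random-looking DLL dropped in System32")
    if m["missing"]:
        reasons.append("registration points at a file that no longer exists")
    return Finding("O2", reasons, f"{name} -> {path}") if reasons else None


def check_appinit(body):
    """O20: every DLL in AppInit_DLLs is mapped into every process that loads user32.dll,
    including winlogon.exe and lsass.exe, so any non-empty value on a home PC needs review."""
    if not body.startswith("AppInit_DLLs:"):
        return None
    dlls = [d.strip() for d in body.split(":", 1)[1].split(",") if d.strip()]
    if not dlls:
        return None
    return Finding("O20", [f"{len(dlls)} DLL(s) injected into every user32 process"], ",".join(dlls))


def check_ssodl(body):
    """O21: ShellServiceObjectDelayLoad objects are loaded by explorer.exe at logon."""
    if not body.startswith("SSODL:"):
        return None
    return Finding("O21", ["shell service object loaded into explorer.exe at logon"],
                   body.split(":", 1)[1].strip())


def check_nameserver(body):
    """O17: explicit DNS servers; a hijacked resolver redirects every site the user visits."""
    m = re.search(r"NameServer = (?P<servers>[\d.,]+)", body)
    if not m:
        return None
    return Finding("O17", ["DNS servers set explicitly; confirm they belong to the ISP"], m["servers"])


CHECKS = {"O2": check_bho, "O17": check_nameserver, "O20": check_appinit, "O21": check_ssodl}


def triage(log_text):
    """Return one Finding per flagged log line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m and m["code"] in CHECKS:
            finding = CHECKS[m["code"]](m["body"])
            if finding:
                findings.append(finding)
    return findings


def summarize(findings):
    """Count of flagged lines per HijackThis section."""
    return Counter(f.code for f in findings)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.code}] {f.detail}")
        for r in f.reasons:
            print(f"      - {r}")
    print(dict(summarize(hits)))
```

    On the excerpt this flags two of the four BHOs (the Yahoo and Google helpers pass because they carry a product name and live under Program Files), the AppInit_DLLs list, the SSODL entry and the DNS line, and leaves the O23 Avira service alone. It is a triage aid, not a verdict: a flagged O17 or O21 entry still has to be checked against what the ISP and the installed software actually put there.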


  3. 2008/06/13
    snow rose (Thread Starter)
    Thanks for your help :)

    And these are the reports:
    ------------------------------------

    mbam
    Malwarebytes' Anti-Malware 1.17
    Database version: 852
    06:45:53 م 13/06/2008
    mbam-log-6-13-2008 (18-45-53).txt
    Scan type: Quick Scan
    Objects scanned: 40856
    Time elapsed: 3 minute(s), 2 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 3
    Registry Keys Infected: 2
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 26
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    C:\WINDOWS\system32\zxmscwin.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    C:\WINDOWS\system32\hjmh.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    C:\WINDOWS\system32\ukrth.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{6a041f13-a111-12a3-b0cf-f99818aa68a6} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6a041f13-a111-12a3-b0cf-f99818aa68a6} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6a041f13-a111-12a3-b0cf-f99818aa68a6} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    C:\WINDOWS\system32\zxmscwin.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\Documents and Settings\ali\Local Settings\Temporary Internet Files\Content.IE5\0LU34XUV\22[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\Documents and Settings\ali\Local Settings\Temporary Internet Files\Content.IE5\0LU34XUV\26[2].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\Documents and Settings\ali\Local Settings\Temporary Internet Files\Content.IE5\0LU34XUV\36[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\Documents and Settings\ali\Local Settings\Temporary Internet Files\Content.IE5\0LU34XUV\3[2].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\Documents and Settings\ali\Local Settings\Temporary Internet Files\Content.IE5\0LU34XUV\40[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\Documents and Settings\ali\Local Settings\Temporary Internet Files\Content.IE5\0LU34XUV\4[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\Documents and Settings\ali\Local Settings\Temporary Internet Files\Content.IE5\8127CXA3\24[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\Documents and Settings\ali\Local Settings\Temporary Internet Files\Content.IE5\8127CXA3\2[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\Documents and Settings\ali\Local Settings\Temporary Internet Files\Content.IE5\8127CXA3\32[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\Documents and Settings\ali\Local Settings\Temporary Internet Files\Content.IE5\8127CXA3\37[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\Documents and Settings\ali\Local Settings\Temporary Internet Files\Content.IE5\89E78DIJ\20[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\Documents and Settings\ali\Local Settings\Temporary Internet Files\Content.IE5\89E78DIJ\29[3].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\Documents and Settings\ali\Local Settings\Temporary Internet Files\Content.IE5\89E78DIJ\34[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\Documents and Settings\ali\Local Settings\Temporary Internet Files\Content.IE5\89E78DIJ\38[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\Documents and Settings\ali\Local Settings\Temporary Internet Files\Content.IE5\89E78DIJ\41[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\Documents and Settings\ali\Local Settings\Temporary Internet Files\Content.IE5\CPQRSTIJ\25[2].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\Documents and Settings\ali\Local Settings\Temporary Internet Files\Content.IE5\CPQRSTIJ\27[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\Documents and Settings\ali\Local Settings\Temporary Internet Files\Content.IE5\CPQRSTIJ\33[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\Documents and Settings\ali\Local Settings\Temporary Internet Files\Content.IE5\CPQRSTIJ\35[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\Documents and Settings\ali\Local Settings\Temporary Internet Files\Content.IE5\CPQRSTIJ\39[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\Documents and Settings\ali\Local Settings\Temporary Internet Files\Content.IE5\CPQRSTIJ\5[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\axmsawin.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\MicroSoft.pif (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\hjmh.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\WINDOWS\system32\ukrth.dll (Spyware.OnlineGames) -> Delete on reboot

    --------------------------------------------------------------

    ComboFix 08-06-11.7 - ali 06/13/2008 19:35:08.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.1.1256.1.1033.18.216 [GMT 3:00]
    Running from: C:\Documents and Settings\ali\Desktop\ComboFix.exe
    * Created a new restore point
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    C:\WINDOWS\AppPatch\AcXtrnel.dll
    C:\WINDOWS\AppPatch\Jview.dll
    C:\WINDOWS\system32\crugd.cfg
    C:\WINDOWS\system32\ddserh.dll
    C:\WINDOWS\system32\ergfwe.dll
    C:\WINDOWS\system32\fassaplo.sys
    C:\WINDOWS\system32\fsrgeb.dll
    C:\WINDOWS\system32\fstlbsys.sys
    C:\WINDOWS\system32\fxwmbime.sys
    C:\WINDOWS\system32\fzmsbwin.sys
    C:\WINDOWS\system32\fzptbjpg.sys
    C:\WINDOWS\system32\gajzalit.sys
    C:\WINDOWS\system32\ghjyer.dll
    C:\WINDOWS\system32\gjbhr.dll
    C:\WINDOWS\system32\gpsgajba.sys
    C:\WINDOWS\system32\hgfhk.cfg
    C:\WINDOWS\system32\hgfhk.dll
    C:\WINDOWS\system32\hhrdxd.dll
    C:\WINDOWS\system32\hjk.dll
    C:\WINDOWS\system32\hjmh.dll
    C:\WINDOWS\system32\ijsgajba.sys
    C:\WINDOWS\system32\jashbbty.sys
    C:\WINDOWS\system32\jkjkll.dll
    C:\WINDOWS\system32\jyjlt.cfg
    C:\WINDOWS\system32\jyjlt.dll
    C:\WINDOWS\system32\kduy.cfg
    C:\WINDOWS\system32\kduy.dll
    C:\WINDOWS\system32\lariytrz.cfg
    C:\WINDOWS\system32\lariytrz.dll
    C:\WINDOWS\system32\lassaplo.dll
    C:\WINDOWS\system32\lijzclit.dll
    C:\WINDOWS\system32\mnmhgsrv.dll
    C:\WINDOWS\system32\newxbttb.sys
    C:\WINDOWS\system32\njritc.cfg
    C:\WINDOWS\system32\njritc.dll
    C:\WINDOWS\system32\oqrthc.cfg
    C:\WINDOWS\system32\oqrthc.dll
    C:\WINDOWS\system32\oswxdttb.dll
    C:\WINDOWS\system32\ozfyebyt.dll
    C:\WINDOWS\system32\pmjhbhlp.sys
    C:\WINDOWS\system32\pzwmaime.sys
    C:\WINDOWS\system32\rgghjj.cfg
    C:\WINDOWS\system32\rgghjj.dll
    C:\WINDOWS\system32\sergy.dll
    C:\WINDOWS\system32\smmhbsrv.sys
    C:\WINDOWS\system32\spmybapi.sys
    C:\WINDOWS\system32\spwdbapi.sys
    C:\WINDOWS\system32\SysCbCDK.dll
    C:\WINDOWS\system32\tdggrz.dll
    C:\WINDOWS\system32\tfsdmz.dll
    C:\WINDOWS\system32\tiwxattb.sys
    C:\WINDOWS\system32\toqnabib.sys
    C:\WINDOWS\system32\tyjert.cfg
    C:\WINDOWS\system32\tyjert.dll
    C:\WINDOWS\system32\ujkwet.dll
    C:\WINDOWS\system32\ukrth.dll
    C:\WINDOWS\system32\wymxajkl.sys
    C:\WINDOWS\system32\wyrsdj.dll
    C:\WINDOWS\system32\xdfntt.cfg
    C:\WINDOWS\system32\xdfntt.dll
    C:\WINDOWS\system32\xdhdg.dll
    C:\WINDOWS\system32\xfgnfx.cfg
    C:\WINDOWS\system32\xfgnfx.dll
    C:\WINDOWS\system32\xfztbmsn.sys
    C:\WINDOWS\system32\xzcsbhlp.sys
    C:\WINDOWS\system32\xzfhbjpg.sys
    C:\WINDOWS\system32\ydgn.cfg
    C:\WINDOWS\system32\ydgn.dll
    C:\WINDOWS\system32\ysjxbdwd.sys
    C:\WINDOWS\system32\zaztamsn.exe
    C:\WINDOWS\system32\zdbdb.cfg
    C:\WINDOWS\system32\zdbdb.dll
    C:\WINDOWS\system32\zxfhajpg.exe
    .
    ((((((((((((((((((((((((( Files Created from 2008-05-13 to 2008-06-13 )))))))))))))))))))))))))))))))
    .
    No new files created in this timespan
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-13 16:09 304 ----a-w C:\MicroSoft.pif
    2008-06-13 16:09 30 ----a-w C:\MicroSoft.bat
    2008-06-13 16:09 186 ----a-w C:\MicroSoft.vbs
    2008-06-13 15:17 225,792 ---ha-w C:\WINDOWS\system32\pedadt.dll
    2008-06-13 15:10 9,728 ----a-w C:\WINDOWS\AppPatch\AcSpecf.dll
    2008-06-13 15:10 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
    2008-06-13 15:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-06-13 15:10 --------- d-----w C:\Documents and Settings\ali\Application Data\Malwarebytes
    2008-06-12 22:46 --------- d-----w C:\Documents and Settings\ali\Application Data\Talkback
    2008-06-12 21:58 --------- d-----w C:\Documents and Settings\jana\Application Data\Media Player Classic
    2008-06-12 18:09 --------- d-----w C:\Program Files\Yahoo! Games
    2008-06-12 18:09 --------- d-----w C:\Program Files\TryMedia
    2008-06-12 17:42 --------- d-----w C:\Program Files\K-Lite Codec Pack
    2008-06-12 17:01 1,606 ----a-w C:\WINDOWS\system32\PerfStringBackup.TMP
    2008-06-12 11:36 18,048 ----a-w C:\WINDOWS\system32\drivers\eth8023.sys
    2008-06-12 11:32 --------- d-----w C:\Program Files\Trend Micro
    2008-06-11 16:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-06-10 16:02 34,296 ----a-w C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-06-10 16:02 15,864 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
    2008-06-09 21:59 --------- d-----w C:\Program Files\Kaspersky Lab
    2008-06-09 14:36 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-06-09 14:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2008-06-09 09:03 --------- d-----w C:\Program Files\Common Files\xing shared
    2008-06-09 09:03 --------- d-----w C:\Program Files\Common Files\Real
    2008-06-09 09:02 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
    2008-06-09 09:02 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
    2008-06-09 09:01 27,136 ----a-w C:\WINDOWS\AppPatch\AcPlugin.dll
    2008-06-08 20:23 218,624 ---ha-w C:\WINDOWS\system32\jggtsr.dll
    2008-06-08 20:13 --------- d-----w C:\Documents and Settings\ali\Application Data\Yahoo!
    2008-06-08 19:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
    2008-06-07 16:11 --------- d-----w C:\Program Files\Real
    2008-06-07 16:11 --------- d-----w C:\Program Files\Google
    2008-06-07 15:30 --------- d-----w C:\Program Files\Avira
    2008-06-07 15:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
    2008-06-07 14:09 --------- d-----w C:\Program Files\Winamp
    2008-06-07 14:08 --------- d-----w C:\Documents and Settings\jana\Application Data\Winamp
    2008-06-06 22:58 --------- d-----w C:\Documents and Settings\jana\Application Data\Yahoo!
    2008-06-06 22:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
    2008-06-06 22:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
    2008-06-06 21:07 --------- d-----w C:\Program Files\Yahoo!
    2008-06-06 20:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-06-06 20:47 --------- d-----w C:\Program Files\Realtek
    2008-06-06 20:46 315,392 ----a-w C:\WINDOWS\HideWin.exe
    2008-06-06 20:46 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-06-06 20:46 --------- d-----w C:\Documents and Settings\jana\Application Data\InstallShield
    2008-06-06 20:45 4,716 ----a-w C:\WINDOWS\gdrv.sys
    2008-06-06 20:42 --------- d-----w C:\Program Files\Intel
    2008-06-06 20:07 --------- d-----w C:\Program Files\microsoft frontpage
    2008-06-06 20:06 558,142 ----a-w C:\WINDOWS\java\Packages\PRTNZB3B.ZIP
    2008-06-06 20:06 155,995 ----a-w C:\WINDOWS\java\Packages\IVR9F7XZ.ZIP
    2004-08-08 15:17 520 --sh--w C:\WINDOWS\system32\aoqnabib.sys
    2004-08-08 20:51 536,584 --sh--w C:\WINDOWS\system32\apsgejba.dll
    2004-08-08 15:12 4,680 --sh--w C:\WINDOWS\system32\bcsxachu.sys
    2004-08-08 15:17 15,309 --sh--w C:\WINDOWS\system32\dfqnabib.exe
    2004-08-08 16:12 3,640 --sh--w C:\WINDOWS\system32\erjxakin.sys
    2004-08-08 15:16 15,656 --sh--w C:\WINDOWS\system32\lpmxajkl.exe
    2004-08-08 20:26 535,560 --sh--w C:\WINDOWS\system32\nhmxcjkl.dll
    2004-08-08 08:52 536,072 --sh--w C:\WINDOWS\system32\rijxbkin.dll
    2004-08-08 15:16 520 --sh--w C:\WINDOWS\system32\rnmxajkl.sys
    2004-08-08 15:15 520 --sh--w C:\WINDOWS\system32\snfybbyt.sys
    2004-08-08 16:12 16,602 --sh--w C:\WINDOWS\system32\stjxakin.exe
    2002-08-29 12:00 9,216 --sha-w C:\WINDOWS\system32\tuker.dll
    2004-08-08 15:16 4,160 --sh--w C:\WINDOWS\system32\xsdjbbmp.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25FD6584-698F-BCD2-602C-698745210352}]
    08/08/2004 11:52 AM 536072 ---hs---- C:\WINDOWS\System32\rijxbkin.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37AC9076-C898-B098-D098-A18319080973}]
    08/08/2004 11:26 PM 535560 ---hs---- C:\WINDOWS\System32\nhmxcjkl.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5FD45A54-9875-698F-E56E-65102358FDF5}]
    08/08/2004 11:51 PM 536584 ---hs---- C:\WINDOWS\System32\apsgejba.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{97421D0D-E07F-40DF-8F07-99597B9585AD}]
    06/13/2008 06:24 PM 45056 --a------ C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager"= "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 05:43 PM 4670704]
    "ctfmon.exe"= "C:\WINDOWS\System32\ctfmon.exe" [08/29/2002 03:00 PM 13312]
    "swg"= "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [06/07/2008 07:11 PM 171448]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TkBellExe"= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [06/09/2008 12:02 PM 185896]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{CAED0F3B-DF8B-4DBF-BB20-8DFBC3199068}"= C:\WINDOWS\System32\jggtsr.dll [06/08/2008 11:23 PM 218624]
    "{37AC9076-C898-B098-D098-A18319080973}"= C:\WINDOWS\System32\nhmxcjkl.dll [08/08/2004 11:26 PM 535560]
    "{1E51C0FD-EE36-434B-AD2A-FD1FF3731C38}"= C:\WINDOWS\System32\wyrsdj.dll [ ]
    "{A9895933-6636-4281-BC58-EE6DE2AF96E3}"= C:\WINDOWS\System32\ddserh.dll [ ]
    "{EA5D4B0E-B8CE-4761-8C7E-5D26369F0EC6}"= C:\WINDOWS\System32\fsrgeb.dll [ ]
    "{25FD6584-698F-BCD2-602C-698745210352}"= C:\WINDOWS\System32\rijxbkin.dll [08/08/2004 11:52 AM 536072]
    "{5E907A48-400E-4EA8-9792-FFAE052D59E9}"= C:\WINDOWS\System32\pedadt.dll [06/13/2008 06:17 PM 225792]
    "{5FD45A54-9875-698F-E56E-65102358FDF5}"= C:\WINDOWS\System32\apsgejba.dll [08/08/2004 11:51 PM 536584]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "JavaView"= {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll [ ]
    "ThunderAdvise"= {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll [06/13/2008 06:24 PM 45056]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=tuker.dll,ujkwet.dll,asefry.dll,sdvj.dll,asfhjy.dll,hjukrt.dll,dhdhvv.dll,asfjthj.dll,hmsdvf.dll,jrhhh.dll,sdrfh.dll,vhsdfg.dll,dger.dll,hjdrg.dll,kergt.dll,gfcfg.dll,reger.dll,hrergh.dll,frntrn.dll,qrhhb.dll,drghszd.dll,fngn.dll,gnfctt.dll,xgnfn.dll,xfgnhcgfm.dll,serger.dll,bnxnb.dll,fxgnfx.dll,jzijj.dll,xfgnfx.dll,serghjm.dll,thsddh.dll,xbcvxb.dll,zfdzb.dll,xdndn.dll,xdfntt.dll,hgfhk.dll,dnteh.dll,xfng.dll,njritc.dll,chmfcmh.dll,jwlah.dll,gmnait.dll,hfjg.dll,thurh.dll,mgmgmm.dll,oqrthc.dll,ghkrg.dll,jyjlt.dll,ijatnaw.dll,sehhter.dll,fhjfg.dll,zdbdb.dll,ydgn.dll,dbfb.dll,fjnbv.dll,yukevg.dll,setrhes.dll,cdxbfxdb.dll,xfgnxfn.dll,gjkhj.dll,xdhdg.dll,rhs.dll,mrjhtjd.dll,zdbfbd.dll,fjyjy.dll,fxnfnh.dll,bjrvm.dll,ektvm.dll,ghthhh.dll,yjrfe.dll,dscef.dll,crugd.dll,lariytrz.dll,hjaiq.dll,kduy.dll,hkfgh.dll,awef.dll,dfhsh.dll,ethsh.dll,stehs.dll,sthth.dll,wfhyt.dll,rgghjj.dll,ghjkdr.dll,hfther.dll,,nhmxcjkl.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.YV12"= yv12vfw.dll
    R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys [07/18/2007 02:22 PM]
    R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys [08/09/2007 01:04 PM]
    R2 NwSapAgent;SAP Agent;C:\WINDOWS\System32\svchost.exe [08/29/2002 03:00 PM]
    S2 cdralw;NVIDIA Compatible Windows Miniport Driver;C:\WINDOWS\System32\DRIVERS\nvmini.sys []
    S3 eth8023;eth8023;C:\WINDOWS\System32\drivers\eth8023.sys [06/12/2008 02:36 PM]
    S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [06/06/2008 11:45 PM]
    S3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\System32\DRIVERS\loop.sys [08/17/2001 01:53 PM]
    .
    **************************************************************************
    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-13 19:38:08
    Windows 5.1.2600 Service Pack 1 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\System32\tuker.dll
    PROCESS: C:\WINDOWS\system32\lsass.exe
    -> C:\WINDOWS\system32\tuker.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
    .
    **************************************************************************
    .
    Completion time: 06/13/2008 19:39:49 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-06-13 16:39:46
    Pre-Run: 11,205,746,688 bytes free
    Post-Run: 11,475,513,344 bytes free
    222
    -------------------------------------------------------------------------

    And this is the HijackThis report:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 07:59:57 م, on 13/06/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
    R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: opshbbty.dll - {22596546-2036-9451-6058-658402589722} - C:\WINDOWS\System32\opshbbty.dll
    O2 - BHO: rijxbkin.dll - {25FD6584-698F-BCD2-602C-698745210352} - C:\WINDOWS\System32\rijxbkin.dll
    O2 - BHO: nhmxcjkl.dll - {37AC9076-C898-B098-D098-A18319080973} - C:\WINDOWS\System32\nhmxcjkl.dll
    O2 - BHO: zptlcsys.dll - {50940F85-F015-14F1-A05F-F69858AC6D05} - C:\WINDOWS\System32\zptlcsys.dll
    O2 - BHO: ozfyebyt.dll - {5A069845-2036-6084-9054-6087502480A5} - C:\WINDOWS\System32\ozfyebyt.dll
    O2 - BHO: apsgejba.dll - {5FD45A54-9875-698F-E56E-65102358FDF5} - C:\WINDOWS\System32\apsgejba.dll
    O2 - BHO: mnmhgsrv.dll - {7C8D1401-A58D-A81C-CD24-A5915C4517C7} - C:\WINDOWS\System32\mnmhgsrv.dll
    O2 - BHO: yxfhcjpg.dll - {83BA45AF-FAAA-CDDD-BEEE-BCDE1234AB38} - C:\WINDOWS\System32\yxfhcjpg.dll
    O2 - BHO: ypdjgbmp.dll - {91954FAC-1023-154F-895A-1458258AD819} - C:\WINDOWS\System32\ypdjgbmp.dll
    O2 - BHO: yzztimsn.dll - {9490415F-65F8-B5C5-D8BA-9405FB120549} - C:\WINDOWS\System32\yzztimsn.dll
    O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{45E890EC-2E69-4BB8-9096-657E7C13A6B2}: NameServer = 66.11.234.90,66.11.234.91
    O20 - AppInit_DLLs: tuker.dll,ujkwet.dll,asefry.dll,sdvj.dll,asfhjy.dll,hjukrt.dll,dhdhvv.dll,asfjthj.dll,hmsdvf.dll,jrhhh.dll,sdrfh.dll,vhsdfg.dll,dger.dll,hjdrg.dll,kergt.dll,gfcfg.dll,reger.dll,hrergh.dll,frntrn.dll,qrhhb.dll,drghszd.dll,fngn.dll,gnfctt.dll,xgnfn.dll,xfgnhcgfm.dll,serger.dll,bnxnb.dll,fxgnfx.dll,jzijj.dll,xfgnfx.dll,serghjm.dll,thsddh.dll,xbcvxb.dll,zfdzb.dll,xdndn.dll,xdfntt.dll,hgfhk.dll,dnteh.dll,xfng.dll,njritc.dll,chmfcmh.dll,jwlah.dll,gmnait.dll,hfjg.dll,thurh.dll,mgmgmm.dll,oqrthc.dll,ghkrg.dll,jyjlt.dll,ijatnaw.dll,sehhter.dll,fhjfg.dll,zdbdb.dll,ydgn.dll,dbfb.dll,fjnbv.dll,yukevg.dll,setrhes.dll,cdxbfxdb.dll,xfgnxfn.dll,gjkhj.dll,xdhdg.dll,rhs.dll,mrjhtjd.dll,zdbfbd.dll,fjyjy.dll,fxnfnh.dll,bjrvm.dll,ektvm.dll,ghthhh.dll,yjrfe.dll,dscef.dll,crugd.dll,lariytrz.dll,hjaiq.dll,kduy.dll,hkfgh.dll,awef.dll,dfhsh.dll,ethsh.dll,stehs.dll,sthth.dll,wfhyt.dll,rgghjj.dll,ghjkdr.dll,hfther.dll,,yzztimsn.dll,nhmxcjkl.dll
    O21 - SSODL: JavaView - {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll
    O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    --
    End of file - 5122 bytes
    --------------------------------

    I'm waiting for your reply
     
    Last edited: 2008/06/13
  5. 2008/06/13
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Please be patient, I'm going through your log and coming up with a fix.

    Thanks
    Geri
     
    Geri,
    #4
  6. 2008/06/13
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi snow rose

    I need a couple files scanned.


    Jotti File Submission:
    • Please go to Jotti's malware scan
    • Copy and paste the following file paths into the "File to upload & scan" box at the top of the page, one at a time:

      • C:\WINDOWS\AppPatch\AcSpecf.dll
      • C:\WINDOWS\AppPatch\AcPlugin.dll
      • C:\WINDOWS\system32\drivers\eth8023.sys

    • Click on the submit button
    • Please post the results in your next reply.


    Thanks
    Geri
     
    Geri,
    #5
  7. 2008/06/16
    snow rose

    snow rose Inactive Thread Starter

    Joined:
    2008/03/12
    Messages:
    33
    Likes Received:
    0
    Hi again

    Sorry for being late.

    This is the result for all file paths:


    The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

    ------------------------

    And this is the HJT log again:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:50:18, on 16/06/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.masrawy.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
    O2 - BHO: swsxachu.dll - {13FD5987-65D2-C58D-D87E-987451F12531} - (no file)
    O2 - BHO: tisqatyu.dll - {18093456-9012-4568-9076-908765467181} - C:\WINDOWS\System32\tisqatyu.dll
    O2 - BHO: opshbbty.dll - {22596546-2036-9451-6058-658402589722} - C:\WINDOWS\System32\opshbbty.dll
    O2 - BHO: rijxbkin.dll - {25FD6584-698F-BCD2-602C-698745210352} - C:\WINDOWS\System32\rijxbkin.dll
    O2 - BHO: lassaplo.dll - {2B69874A-C58C-458D-69F0-698F874E41B2} - C:\WINDOWS\System32\lassaplo.dll
    O2 - BHO: skqncbib.dll - {32023698-6984-8541-9654-698745012523} - C:\WINDOWS\System32\skqncbib.dll
    O2 - BHO: yxcschlp.dll - {35671234-7890-ABCD-CDEF-567801237653} - C:\WINDOWS\System32\yxcschlp.dll
    O2 - BHO: nhmxcjkl.dll - {37AC9076-C898-B098-D098-A18319080973} - C:\WINDOWS\System32\nhmxcjkl.dll
    O2 - BHO: lijzclit.dll - {3C954872-1230-6541-9548-6541025884C3} - C:\WINDOWS\System32\lijzclit.dll
    O2 - BHO: oswxdttb.dll - {43512378-9874-5641-1025-985420368734} - C:\WINDOWS\System32\oswxdttb.dll
    O2 - BHO: mpwddapi.dll - {45694105-5108-9405-3695-954187462154} - C:\WINDOWS\System32\mpwddapi.dll
    O2 - BHO: mpmydapi.dll - {4629FF4F-ACDB-5C90-A098-FACB3456A264} - (no file)
    O2 - BHO: arjrbler.dll - {4C69034A-F45F-D34D-A33A-C33C4D324FC4} - C:\WINDOWS\System32\arjrbler.dll
    O2 - BHO: zptlcsys.dll - {50940F85-F015-14F1-A05F-F69858AC6D05} - C:\WINDOWS\System32\zptlcsys.dll
    O2 - BHO: ptjhehlp.dll - {528DF602-9541-A985-210A-984A698C6F25} - C:\WINDOWS\System32\ptjhehlp.dll
    O2 - BHO: pjjxedwd.dll - {54FAE856-AD58-20CB-A025-CD4895FA6E45} - C:\WINDOWS\System32\pjjxedwd.dll
    O2 - BHO: ozfyebyt.dll - {5A069845-2036-6084-9054-6087502480A5} - C:\WINDOWS\System32\ozfyebyt.dll
    O2 - BHO: mpmyfapi.dll - {6629FF4F-ACDB-5C90-A098-FACB3456A266} - C:\WINDOWS\System32\mpmyfapi.dll
    O2 - BHO: zxmscwin.dll - {6A041F13-A111-12A3-B0CF-F99818AA68A6} - C:\WINDOWS\System32\zxmscwin.dll
    O2 - BHO: mndhfdwd.dll - {6C648541-1025-9650-9057-6541258720C6} - C:\WINDOWS\System32\mndhfdwd.dll
    O2 - BHO: apsgfjba.dll - {6FD45A54-9875-698F-E56E-65102358FDF6} - C:\WINDOWS\System32\apsgfjba.dll
    O2 - BHO: mndsgsrv.dll - {77FD640A-158F-48AC-FD14-1597F14A9777} - C:\WINDOWS\System32\mndsgsrv.dll
    O2 - BHO: mnmhgsrv.dll - {7C8D1401-A58D-A81C-CD24-A5915C4517C7} - C:\WINDOWS\System32\mnmhgsrv.dll
    O2 - BHO: yxfhcjpg.dll - {83BA45AF-FAAA-CDDD-BEEE-BCDE1234AB38} - C:\WINDOWS\System32\yxfhcjpg.dll
    O2 - BHO: ypdjgbmp.dll - {91954FAC-1023-154F-895A-1458258AD819} - C:\WINDOWS\System32\ypdjgbmp.dll
    O2 - BHO: yzztimsn.dll - {9490415F-65F8-B5C5-D8BA-9405FB120549} - C:\WINDOWS\System32\yzztimsn.dll
    O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - (no file)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{45E890EC-2E69-4BB8-9096-657E7C13A6B2}: NameServer = 66.11.234.90,66.11.234.91
    O20 - AppInit_DLLs: sergy.dll,ergfwe.dll,ilkyu.dll,yukevg.dll,ghkrg.dll,tuker.dll,ujkwet.dll,asfjthj.dll,rthkyuk.dll,jkjkll.dll,ghjyer.dll,kergt.dll,fgthde.dll,losdf.dll,gfcfg.dll,reger.dll,hrergh.dll,frntrn.dll,qrhhb.dll,drghszd.dll,fngn.dll,gnfctt.dll,xgnfn.dll,xfgnhcgfm.dll,serger.dll,bnxnb.dll,fxgnfx.dll,jzijj.dll,xfgnfx.dll,serghjm.dll,thsddh.dll,xbcvxb.dll,zfdzb.dll,xdndn.dll,xdfntt.dll,hgfhk.dll,dnteh.dll,xfng.dll,njritc.dll,chmfcmh.dll,jwlah.dll,gmnait.dll,hfjg.dll,thurh.dll,mgmgmm.dll,oqrthc.dll,tyjert.dll,jyjlt.dll,ijatnaw.dll,sehhter.dll,fhjfg.dll,zdbdb.dll,ydgn.dll,dbfb.dll,fjnbv.dll,hffgth.dll,setrhes.dll,cdxbfxdb.dll,xfgnxfn.dll,gjkhj.dll,xdhdg.dll,rhs.dll,mrjhtjd.dll,zdbfbd.dll,fjyjy.dll,fxnfnh.dll,bjrvm.dll,ektvm.dll,ghthhh.dll,yjrfe.dll,dscef.dll,crugd.dll,lariytrz.dll,hjaiq.dll,kduy.dll,hkfgh.dll,awef.dll,dfhsh.dll,ethsh.dll,stehs.dll,sthth.dll,wfhyt.dll,rgghjj.dll,ghjkdr.dll,hfther.dll,,arjrbler.dll,tisqatyu.dll,nhmxcjkl.dll,yzztimsn.dll,skqncbib.dll
    O21 - SSODL: JavaView - {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    --
    End of file - 5783 bytes
     
  8. 2008/06/16
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi snow rose
    OK, we seem to be losing ground here.

    Please do this in the order given.


    Please backup your registry using ERUNT before proceeding to any of the steps.

    Download ERUNT from Derfisch or Aumha and save it to your desktop.

    Use the setup program to install ERUNT on your computer
    Click ERUNT.Setup.exe to install ERUNT and backup your registry.
    Uncheck the "Create NTREGOPT desktop icon" box.
    In the window that comes up to Create an ERUNT entry to the Start up folder select No.

    By Default the backup location is C:\windows\erunt\ (current date)
    Click OK to continue with the registry backup.
    If the folder does not exist then let ERUNT create the folder for you by clicking Yes
    You should see a progress bar when ERUNT is backing up the Windows Registry.
    After ERUNT has completed the Windows Registry backup, click OK to exit ERUNT.


    Open "Notepad" and copy the contents of the code box below into the blank Notepad window.
    Click "File" > "Save As"
    In the "Save In" box at the top click the down arrow and select Desktop

    In the "File name" box type in: fix.reg
    In the "Save As Type" box select: All Files
    Once saved, go to your desktop, double-click the "fix.reg" file and let it merge with the registry.
    Code:
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    Now do this.

    1. Please download VundoFix.exe by Atribune from Atribune and save it to your desktop.
    2. Double click VundoFix.exe to run it.
    3. Click the Scan for Vundo button.
    4. Once it's done scanning, click the Fix Vundo button.
    5. You will receive a prompt asking if you want to remove the files, click YES
    6. Once you click yes, your desktop will go blank as it starts removing Vundo.
    7. When completed, it will prompt that it will reboot your computer, click OK.
    8. Please post the contents of C:\vundofix.txt.

    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    If you receive this error - "Run-time error '339': Component 'comdlg32.ocx' or one of its dependencies not correctly registered: a file is missing or invalid", please download this file and save it to your desktop.

    • Right click on Comdlg32.zip and select Extract All....
    • Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
    • On the text box above the Browse button, copy and paste in C:\Windows\system32.
    • Click OK.
    • Uncheck (untick) the Show extracted files box and click Finish.
    • Click on Start > Run and copy and paste in the following into the Run box:

      REGSVR32 C:\Windows\system32\comdlg32.ocx
    • Press Enter.
    • You should receive this message - "DllRegisterServer in C:\Windows\system32\comdlg32.ocx succeeded."
    • Click OK and restart your computer. Then try running VundoFix again.


    Now run MBAM again.

    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select 'Perform Quick Scan', then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note below)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Post the entire report in your next reply

    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    Now run Combofix again.

    It's best to disable real-time protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Please post the Vundo log, MBAM log and the Combofix log.

    Thanks
    Geri
     
    Geri,
    #7
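    A small triage helper for the kind of HijackThis O2 (BHO) and O20 (AppInit_DLLs) lines posted in this thread, together with the AppInit_DLLs-clearing fix.reg Geri gives above. This is an added example, not code from the thread, from HijackThis or from any of the tools mentioned; the sample log lines are constructed and the function names are my own.

```python
"""Triage of HijackThis O2 (BHO) and O20 (AppInit_DLLs) lines, plus the
AppInit_DLLs-clearing .reg file from the thread.  Added example; not code
from the thread, from HijackThis or from any of the tools it mentions."""
import re
from dataclasses import dataclass

# Constructed sample lines, modelled on the logs posted in the thread: one
# BHO whose file also sits in AppInit_DLLs, one orphaned BHO, a benign O4
# entry and the O20 line with its empty ",," slot.
SAMPLE_LOG = """\
O2 - BHO: opshbbty.dll - {22596546-2036-9451-6058-658402589722} - C:\\WINDOWS\\System32\\opshbbty.dll
O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - (no file)
O4 - HKLM\\..\\Run: [TkBellExe] "C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe" -osboot
O20 - AppInit_DLLs: tuker.dll,ujkwet.dll,opshbbty.dll,,yzztimsn.dll
O21 - SSODL: JavaView - {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\\WINDOWS\\AppPatch\\Jview.dll
"""

BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.*)$")


@dataclass
class Bho:
    name: str
    clsid: str
    path: str

    @property
    def orphaned(self) -> bool:
        # HijackThis prints "(no file)" when the registered DLL is gone.
        return self.path.strip() == "(no file)"

    @property
    def filename(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_bho(line: str):
    m = BHO_RE.match(line.strip())
    return Bho(m["name"], m["clsid"], m["path"]) if m else None


def parse_appinit(line: str):
    """Split the O20 value the way Windows reads AppInit_DLLs: comma or
    space separated, empty slots (the ",," seen in the thread) ignored."""
    m = APPINIT_RE.match(line.strip())
    if m is None:
        return None
    return [d.lower() for d in re.split(r"[,\s]+", m["value"]) if d]


def triage(log_text: str) -> dict:
    bhos, appinit = [], []
    for line in log_text.splitlines():
        bho = parse_bho(line)
        if bho is not None:
            bhos.append(bho)
            continue
        dlls = parse_appinit(line)
        if dlls is not None:
            appinit.extend(dlls)
    bho_files = {b.filename for b in bhos if not b.orphaned}
    return {
        "bho_count": len(bhos),
        "orphaned_bhos": [b.name for b in bhos if b.orphaned],
        "appinit_dlls": appinit,
        # A DLL registered as a BHO *and* listed in AppInit_DLLs is loaded
        # into IE and into every process that loads user32.dll; that is the
        # pattern behind tuker.dll sitting inside winlogon.exe and lsass.exe.
        "in_both": sorted(bho_files & set(appinit)),
    }


def appinit_clear_reg() -> str:
    """The fix.reg from the thread with the quoting the forum mangled
    restored: an empty string value, written as "AppInit_DLLs"=""."""
    return (
        "REGEDIT4\r\n"
        "\r\n"
        "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows]\r\n"
        "\"AppInit_DLLs\"=\"\"\r\n"
    )


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
    print(appinit_clear_reg())
```

    Run it against a saved HijackThis log instead of SAMPLE_LOG to get the same cross-reference; an empty AppInit_DLLs value is the normal state on a clean XP machine.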
  9. 2008/06/16
    snow rose

    snow rose Inactive Thread Starter

    Joined:
    2008/03/12
    Messages:
    33
    Likes Received:
    0
    Thanks for your help

    But I tried to download ERUNT from these two links and they are not working :(

    Could you upload this file to www.zshare.net?

    I'm sorry for bothering you

    Waiting for your reply

    snow rose
     
  10. 2008/06/16
    snow rose

    snow rose Inactive Thread Starter

    Joined:
    2008/03/12
    Messages:
    33
    Likes Received:
    0
    I don't understand this step:

    Did you mean by "merge" that it will merge automatically by only double-clicking the "fix.reg" file, or should I merge it manually by some steps??

     
  11. 2008/06/16
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    "Did you mean by merge that it will merge automatically by only double-clicking the fix.reg file"

    Yes, follow the steps and by double-clicking on it, it will merge with the registry automatically.

    Geri
     
  12. 2008/06/16
    snow rose

    snow rose Inactive Thread Starter

    Joined:
    2008/03/12
    Messages:
    33
    Likes Received:
    0
    Thanks for the reply

    But what about this file??

     
  13. 2008/06/16
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    I'm sorry that link was broken.

    Here is a good one.

    Download ERUNT from Derfisch or Aumha and save it to your desktop.

    Geri
     
  14. 2008/06/18
    snow rose

    snow rose Inactive Thread Starter

    Joined:
    2008/03/12
    Messages:
    33
    Likes Received:
    0
    Hi Geri

    First, about ERUNT: I tried to do fix.reg, but when I click on it, it shows "are you sure you want to add the information in c/dosumedesktop fix.reg to the registry"

    and when I choose "Yes" it refused, I don't know why!!

    -----------------------------------

    And about VundoFix.exe: I did all the steps, but I didn't find this file vundofix.txt, and it took me to this website: http://www.besttechie.net/tools

    ---------------------------------

    And this is MBAM Report:

    Malwarebytes' Anti-Malware 1.17
    Database version: 867
    03:29:16 م 18/06/2008
    mbam-log-6-18-2008 (15-29-16).txt
    Scan type: Quick Scan
    Objects scanned: 38287
    Time elapsed: 5 minute(s), 52 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 35
    Registry Keys Infected: 66
    Registry Values Infected: 34
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 70
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    C:\WINDOWS\system32\ergfwe.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    C:\WINDOWS\system32\sergy.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    C:\WINDOWS\system32\cedafb.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    C:\WINDOWS\system32\hhrdxd.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    C:\WINDOWS\system32\tfsdmz.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    C:\WINDOWS\system32\fsrgeb.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    C:\WINDOWS\system32\wyrsdj.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    C:\WINDOWS\system32\pedadt.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    C:\WINDOWS\system32\zdesfx.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    C:\WINDOWS\system32\tdggrz.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    C:\WINDOWS\system32\nhmxcjkl.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    C:\WINDOWS\system32\skqncbib.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    C:\WINDOWS\system32\tisqatyu.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    C:\WINDOWS\system32\opshbbty.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    C:\WINDOWS\system32\zptlcsys.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    C:\WINDOWS\system32\rijxbkin.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    C:\WINDOWS\system32\ozfyebyt.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    C:\WINDOWS\system32\apsgfjba.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    C:\WINDOWS\system32\ypdjgbmp.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    C:\WINDOWS\system32\yxfhcjpg.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    C:\WINDOWS\system32\mndhfdwd.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    C:\WINDOWS\system32\ptjhehlp.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    C:\WINDOWS\system32\mndsgsrv.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    C:\WINDOWS\system32\lassaplo.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    C:\WINDOWS\system32\pjjxedwd.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    C:\WINDOWS\system32\lijzclit.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    C:\WINDOWS\system32\mpwddapi.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    C:\WINDOWS\system32\yxcschlp.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    C:\WINDOWS\system32\zxmscwin.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    C:\WINDOWS\system32\oswxdttb.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    C:\WINDOWS\system32\mnmhgsrv.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    C:\WINDOWS\system32\yzztjmsn.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    C:\WINDOWS\system32\arjrcler.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    C:\WINDOWS\system32\mpmyhapi.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    C:\WINDOWS\system32\akjsckaq.dll (Spyware.OnlineGames) -> Unloaded module successfully.
    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{84143967-b645-4bff-b873-da1dc886e9a7} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{17dfd111-bf3a-4cb4-adb0-88fcbfe69821} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{875e07b1-0614-43d9-a76e-d76a28ab3d7b} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{ea5d4b0e-b8ce-4761-8c7e-5d26369f0ec6} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{1e51c0fd-ee36-434b-ad2a-fd1ff3731c38} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{5e907a48-400e-4ea8-9792-ffae052d59e9} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{45aadfaa-dd36-42ab-83ad-0521bbf58c24} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{4d165a2a-4bc1-4ca8-8299-08e05aaab5a4} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{37ac9076-c898-b098-d098-a18319080973} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{37ac9076-c898-b098-d098-a18319080973} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{32023698-6984-8541-9654-698745012523} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{32023698-6984-8541-9654-698745012523} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{18093456-9012-4568-9076-908765467181} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18093456-9012-4568-9076-908765467181} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{22596546-2036-9451-6058-658402589722} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22596546-2036-9451-6058-658402589722} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{50940f85-f015-14f1-a05f-f69858ac6d05} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{50940f85-f015-14f1-a05f-f69858ac6d05} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{25fd6584-698f-bcd2-602c-698745210352} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{25fd6584-698f-bcd2-602c-698745210352} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{5a069845-2036-6084-9054-6087502480a5} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5a069845-2036-6084-9054-6087502480a5} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{6fd45a54-9875-698f-e56e-65102358fdf6} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6fd45a54-9875-698f-e56e-65102358fdf6} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{91954fac-1023-154f-895a-1458258ad819} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{91954fac-1023-154f-895a-1458258ad819} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{83ba45af-faaa-cddd-beee-bcde1234ab38} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83ba45af-faaa-cddd-beee-bcde1234ab38} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{6c648541-1025-9650-9057-6541258720c6} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6c648541-1025-9650-9057-6541258720c6} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{528df602-9541-a985-210a-984a698c6f25} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{528df602-9541-a985-210a-984a698c6f25} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{77fd640a-158f-48ac-fd14-1597f14a9777} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77fd640a-158f-48ac-fd14-1597f14a9777} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{2b69874a-c58c-458d-69f0-698f874e41b2} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2b69874a-c58c-458d-69f0-698f874e41b2} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{54fae856-ad58-20cb-a025-cd4895fa6e45} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{54fae856-ad58-20cb-a025-cd4895fa6e45} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{3c954872-1230-6541-9548-6541025884c3} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3c954872-1230-6541-9548-6541025884c3} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{45694105-5108-9405-3695-954187462154} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{45694105-5108-9405-3695-954187462154} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{35671234-7890-abcd-cdef-567801237653} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35671234-7890-abcd-cdef-567801237653} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{6a041f13-a111-12a3-b0cf-f99818aa68a6} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6a041f13-a111-12a3-b0cf-f99818aa68a6} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{43512378-9874-5641-1025-985420368734} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{43512378-9874-5641-1025-985420368734} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{7c8d1401-a58d-a81c-cd24-a5915c4517c7} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7c8d1401-a58d-a81c-cd24-a5915c4517c7} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{a490415f-65f8-b5c5-d8ba-9405fb12054a} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a490415f-65f8-b5c5-d8ba-9405fb12054a} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{5c69034a-f45f-d34d-a33a-c33c4d324fc5} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5c69034a-f45f-d34d-a33a-c33c4d324fc5} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{8629ff4f-acdb-5c90-a098-facb3456a268} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8629ff4f-acdb-5c90-a098-facb3456a268} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{3a908760-8000-4000-a000-9000322145a3} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3a908760-8000-4000-a000-9000322145a3} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{13fd5987-65d2-c58d-d87e-987451f12531} (Spyware.Passwords) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13fd5987-65d2-c58d-d87e-987451f12531} (Spyware.Passwords) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{5fd45a54-9875-698f-e56e-65102358fdf5} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{9490415f-65f8-b5c5-d8ba-9405fb120549} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9490415f-65f8-b5c5-d8ba-9405fb120549} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{caed0f3b-df8b-4dbf-bb20-8dfbc3199068} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{4629ff4f-acdb-5c90-a098-facb3456a264} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4629ff4f-acdb-5c90-a098-facb3456a264} (Trojan.BHO) -> Quarantined and deleted successfully.
    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{84143967-b645-4bff-b873-da1dc886e9a7} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{17dfd111-bf3a-4cb4-adb0-88fcbfe69821} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{875e07b1-0614-43d9-a76e-d76a28ab3d7b} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{ea5d4b0e-b8ce-4761-8c7e-5d26369f0ec6} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{1e51c0fd-ee36-434b-ad2a-fd1ff3731c38} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{5e907a48-400e-4ea8-9792-ffae052d59e9} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{45aadfaa-dd36-42ab-83ad-0521bbf58c24} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{4d165a2a-4bc1-4ca8-8299-08e05aaab5a4} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{37ac9076-c898-b098-d098-a18319080973} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{32023698-6984-8541-9654-698745012523} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{18093456-9012-4568-9076-908765467181} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{22596546-2036-9451-6058-658402589722} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{50940f85-f015-14f1-a05f-f69858ac6d05} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{25fd6584-698f-bcd2-602c-698745210352} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{5a069845-2036-6084-9054-6087502480a5} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6fd45a54-9875-698f-e56e-65102358fdf6} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{91954fac-1023-154f-895a-1458258ad819} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{83ba45af-faaa-cddd-beee-bcde1234ab38} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6c648541-1025-9650-9057-6541258720c6} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{528df602-9541-a985-210a-984a698c6f25} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{77fd640a-158f-48ac-fd14-1597f14a9777} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{2b69874a-c58c-458d-69f0-698f874e41b2} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{54fae856-ad58-20cb-a025-cd4895fa6e45} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{3c954872-1230-6541-9548-6541025884c3} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{45694105-5108-9405-3695-954187462154} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{35671234-7890-abcd-cdef-567801237653} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6a041f13-a111-12a3-b0cf-f99818aa68a6} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{43512378-9874-5641-1025-985420368734} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{7c8d1401-a58d-a81c-cd24-a5915c4517c7} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{a490415f-65f8-b5c5-d8ba-9405fb12054a} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{5c69034a-f45f-d34d-a33a-c33c4d324fc5} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{8629ff4f-acdb-5c90-a098-facb3456a268} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{3a908760-8000-4000-a000-9000322145a3} (Spyware.OnlineGames) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{9490415f-65f8-b5c5-d8ba-9405fb120549} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    C:\WINDOWS\system32\ergfwe.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\WINDOWS\system32\sergy.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\WINDOWS\system32\cedafb.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\WINDOWS\system32\hhrdxd.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\WINDOWS\system32\tfsdmz.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\WINDOWS\system32\fsrgeb.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\WINDOWS\system32\wyrsdj.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\WINDOWS\system32\pedadt.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\WINDOWS\system32\zdesfx.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\WINDOWS\system32\tdggrz.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\WINDOWS\system32\nhmxcjkl.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\WINDOWS\system32\skqncbib.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\WINDOWS\system32\tisqatyu.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\WINDOWS\system32\opshbbty.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\WINDOWS\system32\zptlcsys.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\WINDOWS\system32\rijxbkin.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\WINDOWS\system32\ozfyebyt.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\WINDOWS\system32\apsgfjba.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\WINDOWS\system32\ypdjgbmp.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\WINDOWS\system32\yxfhcjpg.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\WINDOWS\system32\mndhfdwd.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\WINDOWS\system32\ptjhehlp.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\WINDOWS\system32\mndsgsrv.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\WINDOWS\system32\lassaplo.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\WINDOWS\system32\pjjxedwd.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\WINDOWS\system32\lijzclit.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\WINDOWS\system32\mpwddapi.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\WINDOWS\system32\yxcschlp.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\WINDOWS\system32\zxmscwin.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\WINDOWS\system32\oswxdttb.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\WINDOWS\system32\mnmhgsrv.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\WINDOWS\system32\yzztjmsn.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\WINDOWS\system32\arjrcler.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\WINDOWS\system32\mpmyhapi.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\WINDOWS\system32\akjsckaq.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\Documents and Settings\ali\Local Settings\Temp\~f10.tmp (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\Documents and Settings\ali\Local Settings\Temp\~f11.tmp (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\Documents and Settings\ali\Local Settings\Temp\~f13.tmp (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\Documents and Settings\ali\Local Settings\Temp\~f7.tmp (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\Documents and Settings\ali\Local Settings\Temp\~f9.tmp (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\Documents and Settings\ali\Local Settings\Temp\~fB.tmp (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\aitlasys.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\axmsawin.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\dfqnabib.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\etshabty.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ghwxattb.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\isdsasrv.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ismhasrv.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\lkssaplo.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\lojxadwd.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\lpmxajkl.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\lpsgajba.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\mkjraler.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\mkjsakaq.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\onjzalit.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\pldhadwd.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\posqatyu.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\simyaapi.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\siwdaapi.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\spjhahlp.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\stjxakin.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\tjfyabyt.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\zaztamsn.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\zgrjdx.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\zsdjabmp.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\zxcsahlp.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\zxfhajpg.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\cdralw.sys (Trojan.Alman) -> Quarantined and deleted successfully.
    C:\WINDOWS\linkinfo.dll (Trojan.Downloader) -> Delete on reboot.
    C:\MicroSoft.pif (Trojan.Agent) -> Quarantined and deleted successfully.
    -----------------------------------------------------------------------------------------------------------------------------------
     
  15. 2008/06/18
    snow rose

    snow rose Inactive Thread Starter

    Joined:
    2008/03/12
    Messages:
    33
    Likes Received:
    0
    And ComboFix report:

    ComboFix 08-06-16.5 - ali 06/18/2008 15:54:51.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.1.1256.1.1033.18.276 [GMT 3:00]
    Running from: C:\Documents and Settings\ali\Desktop\ComboFix.exe
    * Created a new restore point
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    C:\WINDOWS\AppPatch\AcXtrnel.dll
    C:\WINDOWS\AppPatch\Jview.dll
    C:\WINDOWS\system32\asfjthj.dll
    C:\WINDOWS\system32\ergfwe.dll
    C:\WINDOWS\system32\fassaplo.sys
    C:\WINDOWS\system32\fstlbsys.sys
    C:\WINDOWS\system32\fzmsbwin.sys
    C:\WINDOWS\system32\gajzalit.sys
    C:\WINDOWS\system32\ghjyer.dll
    C:\WINDOWS\system32\gjbhr.dll
    C:\WINDOWS\system32\gpsgajba.sys
    C:\WINDOWS\system32\gsdhadwd.sys
    C:\WINDOWS\system32\hgfhk.cfg
    C:\WINDOWS\system32\hgfhk.dll
    C:\WINDOWS\system32\hjk.dll
    C:\WINDOWS\system32\ijsgajba.sys
    C:\WINDOWS\system32\jashbbty.sys
    C:\WINDOWS\system32\jkjkll.dll
    C:\WINDOWS\system32\kduy.cfg
    C:\WINDOWS\system32\kduy.dll
    C:\WINDOWS\system32\lariytrz.cfg
    C:\WINDOWS\system32\lariytrz.dll
    C:\WINDOWS\system32\newxbttb.sys
    C:\WINDOWS\system32\njritc.cfg
    C:\WINDOWS\system32\njritc.dll
    C:\WINDOWS\system32\oqrthc.cfg
    C:\WINDOWS\system32\oqrthc.dll
    C:\WINDOWS\system32\pmjhbhlp.sys
    C:\WINDOWS\system32\sdjsakaq.sys
    C:\WINDOWS\system32\sergy.dll
    C:\WINDOWS\system32\smmhbsrv.sys
    C:\WINDOWS\system32\spmybapi.sys
    C:\WINDOWS\system32\spwdbapi.sys
    C:\WINDOWS\system32\sqjsakaq.sys
    C:\WINDOWS\system32\tiwxattb.sys
    C:\WINDOWS\system32\toqnabib.sys
    C:\WINDOWS\system32\ujkwet.dll
    C:\WINDOWS\system32\wymxajkl.sys
    C:\WINDOWS\system32\xdfntt.cfg
    C:\WINDOWS\system32\xfgnfx.cfg
    C:\WINDOWS\system32\xfgnfx.dll
    C:\WINDOWS\system32\xfgnxfn.cfg
    C:\WINDOWS\system32\xfgnxfn.dll
    C:\WINDOWS\system32\xfztbmsn.sys
    C:\WINDOWS\system32\xzcsbhlp.sys
    C:\WINDOWS\system32\xzfhbjpg.sys
    C:\WINDOWS\system32\ysjxbdwd.sys
    C:\WINDOWS\system32\zdbdb.cfg
    C:\WINDOWS\system32\zdbdb.dll
    .
    ((((((((((((((((((((((((( Files Created from 2008-05-18 to 2008-06-18 )))))))))))))))))))))))))))))))
    .
    No new files created in this timespan
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-18 12:20 18,048 ----a-w C:\WINDOWS\system32\drivers\eth8023.sys
    2008-06-18 12:15 9,728 ----a-w C:\WINDOWS\AppPatch\AcSpecf.dll
    2008-06-18 11:36 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
    2008-06-18 11:15 27,136 ----a-w C:\WINDOWS\AppPatch\AcPlugin.dll
    2008-06-18 11:11 30 ----a-w C:\MicroSoft.bat
    2008-06-18 11:11 186 ----a-w C:\MicroSoft.vbs
    2008-06-16 19:28 --------- d-----w C:\Program Files\ERUNT
    2008-06-16 08:54 --------- d-----w C:\Documents and Settings\ali\Application Data\Media Player Classic
    2008-06-14 21:45 --------- d-----w C:\Documents and Settings\ali\Application Data\DivX
    2008-06-13 19:58 --------- d-----w C:\Program Files\Google
    2008-06-13 18:10 --------- d-----w C:\Program Files\Yahoo!
    2008-06-13 15:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-06-13 15:10 --------- d-----w C:\Documents and Settings\ali\Application Data\Malwarebytes
    2008-06-12 22:46 --------- d-----w C:\Documents and Settings\ali\Application Data\Talkback
    2008-06-12 21:58 --------- d-----w C:\Documents and Settings\jana\Application Data\Media Player Classic
    2008-06-12 18:09 --------- d-----w C:\Program Files\Yahoo! Games
    2008-06-12 18:09 --------- d-----w C:\Program Files\TryMedia
    2008-06-12 17:42 --------- d-----w C:\Program Files\K-Lite Codec Pack
    2008-06-12 17:01 1,606 ----a-w C:\WINDOWS\system32\PerfStringBackup.TMP
    2008-06-12 11:32 --------- d-----w C:\Program Files\Trend Micro
    2008-06-10 16:02 34,296 ----a-w C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-06-10 16:02 15,864 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
    2008-06-09 14:36 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-06-09 14:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2008-06-09 09:03 --------- d-----w C:\Program Files\Common Files\xing shared
    2008-06-09 09:03 --------- d-----w C:\Program Files\Common Files\Real
    2008-06-09 09:02 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
    2008-06-09 09:02 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
    2008-06-08 20:13 --------- d-----w C:\Documents and Settings\ali\Application Data\Yahoo!
    2008-06-08 19:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
    2008-06-07 16:11 --------- d-----w C:\Program Files\Real
    2008-06-07 15:30 --------- d-----w C:\Program Files\Avira
    2008-06-07 15:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
    2008-06-07 14:09 --------- d-----w C:\Program Files\Winamp
    2008-06-07 14:08 --------- d-----w C:\Documents and Settings\jana\Application Data\Winamp
    2008-06-06 22:58 --------- d-----w C:\Documents and Settings\jana\Application Data\Yahoo!
    2008-06-06 22:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
    2008-06-06 20:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-06-06 20:47 --------- d-----w C:\Program Files\Realtek
    2008-06-06 20:46 315,392 ----a-w C:\WINDOWS\HideWin.exe
    2008-06-06 20:46 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-06-06 20:46 --------- d-----w C:\Documents and Settings\jana\Application Data\InstallShield
    2008-06-06 20:45 4,716 ----a-w C:\WINDOWS\gdrv.sys
    2008-06-06 20:42 --------- d-----w C:\Program Files\Intel
    2008-06-06 20:07 --------- d-----w C:\Program Files\microsoft frontpage
    2008-06-06 20:06 558,142 ----a-w C:\WINDOWS\java\Packages\PRTNZB3B.ZIP
    2008-06-06 20:06 155,995 ----a-w C:\WINDOWS\java\Packages\IVR9F7XZ.ZIP
    2008-05-29 06:35 86,528 ----a-w C:\WINDOWS\system32\VACFix.exe
    2008-05-18 18:40 82,944 ----a-w C:\WINDOWS\system32\IEDFix.exe
    2008-05-18 18:40 82,944 ----a-w C:\WINDOWS\system32\404Fix.exe
    2004-08-08 21:03 1,040 --sh--w C:\WINDOWS\system32\aoqnabib.sys
    2004-08-08 17:46 5,200 --sh--w C:\WINDOWS\system32\bcsxachu.sys
    2004-08-08 21:01 520 --sh--w C:\WINDOWS\system32\cgsqatyu.sys
    2004-08-08 21:02 5,200 --sh--w C:\WINDOWS\system32\erjxakin.sys
    2002-08-29 12:00 8,704 --sha-w C:\WINDOWS\system32\hmsdvf.dll
    2004-08-08 21:02 1,040 --sh--w C:\WINDOWS\system32\iujraler.sys
    2004-08-08 21:03 1,040 --sh--w C:\WINDOWS\system32\rnmxajkl.sys
    2004-08-08 21:05 520 --sh--w C:\WINDOWS\system32\smdsbsrv.sys
    2004-08-08 21:02 520 --sh--w C:\WINDOWS\system32\snfybbyt.sys
    2002-08-29 12:00 9,216 --sha-w C:\WINDOWS\system32\tuker.dll
    2004-08-08 21:03 5,720 --sh--w C:\WINDOWS\system32\xsdjbbmp.sys
    .
    ((((((((((((((((((((((((((((( snapshot@Fri 06-13-2008_19.39.33.76 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2005-02-25 03:35:05 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB898461\spmsg.dll
    + 2005-02-25 03:35:05 209,632 ----a-w C:\WINDOWS\$hf_mig$\KB898461\spuninst.exe
    + 2005-02-25 03:35:05 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB898461\spupdsvc.exe
    + 2005-02-25 03:35:05 22,240 ----a-w C:\WINDOWS\$hf_mig$\KB898461\update\spcustom.dll
    + 2005-02-25 03:35:05 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB898461\update\update.exe
    + 2005-02-25 03:35:06 371,936 ----a-w C:\WINDOWS\$hf_mig$\KB898461\update\updspapi.dll
    + 2005-03-21 12:00:20 2,890,240 -c----w C:\WINDOWS\$MSI31Uninstall_KB893803v2$\msi.dll
    + 2005-05-04 11:45:26 209,632 -c----w C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe
    + 2005-05-04 11:45:28 371,936 -c----w C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\updspapi.dll
    + 2002-08-29 12:00:00 221,696 -c----w C:\WINDOWS\$NtUninstallKB842773$\qmgr.dll
    + 2002-08-29 12:00:00 17,408 -c----w C:\WINDOWS\$NtUninstallKB842773$\qmgrprxy.dll
    + 2004-05-17 22:38:24 158,208 -c----w C:\WINDOWS\$NtUninstallKB842773$\spuninst\spuninst.exe
    + 2002-08-29 12:00:00 310,272 -c----w C:\WINDOWS\$NtUninstallKB842773$\winhttp.dll
    + 2005-02-25 03:35:05 209,632 -c----w C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe
    + 2005-02-25 03:35:06 371,936 -c----w C:\WINDOWS\$NtUninstallKB898461$\spuninst\updspapi.dll
    - 2008-06-13 16:37:48 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-18 12:57:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    - 2008-06-13 15:24:06 45,056 ----a-w C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
    + 2008-06-17 21:07:32 45,056 ----a-w C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
    + 2005-10-20 09:02:28 163,328 ----a-w C:\WINDOWS\erdnt\16-06-2008\ERDNT.EXE
    + 2008-06-16 20:03:04 1,929,216 ----a-w C:\WINDOWS\erdnt\16-06-2008\Users\00000001\NTUSER.DAT
    + 2008-06-16 20:03:04 32,768 ----a-w C:\WINDOWS\erdnt\16-06-2008\Users\00000002\UsrClass.dat
    + 2005-10-20 09:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\17-06-2008\ERDNT.EXE
    + 2008-06-17 20:59:46 1,929,216 ----a-w C:\WINDOWS\erdnt\AutoBackup\17-06-2008\Users\00000001\NTUSER.DAT
    + 2008-06-17 20:59:46 32,768 ----a-w C:\WINDOWS\erdnt\AutoBackup\17-06-2008\Users\00000002\UsrClass.dat
    + 2005-10-20 09:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\18-06-2008\ERDNT.EXE
    + 2008-06-18 08:08:15 1,949,696 ----a-w C:\WINDOWS\erdnt\AutoBackup\18-06-2008\Users\00000001\NTUSER.DAT
    + 2008-06-18 08:08:16 32,768 ----a-w C:\WINDOWS\erdnt\AutoBackup\18-06-2008\Users\00000002\UsrClass.dat
    + 2005-10-20 17:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
    + 2004-07-01 22:08:18 361,984 ------w C:\WINDOWS\system32\bits\qmgr.dll
    + 2004-07-01 22:08:18 7,680 ------w C:\WINDOWS\system32\bitsprx2.dll
    + 2004-07-01 22:08:18 7,168 ------w C:\WINDOWS\system32\bitsprx3.dll
    - 2008-06-13 16:05:38 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2008-06-18 12:39:41 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2008-06-13 16:05:38 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-06-18 12:39:41 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2008-06-13 16:05:38 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-06-18 12:39:41 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2004-07-01 22:08:18 7,680 -c----w C:\WINDOWS\system32\dllcache\bitsprx2.dll
    + 2004-07-01 22:08:18 7,168 -c----w C:\WINDOWS\system32\dllcache\bitsprx3.dll
    - 2005-03-21 12:00:20 2,890,240 -c--a-w C:\WINDOWS\system32\dllcache\msi.dll
    + 2005-05-04 11:45:32 2,890,240 -c--a-w C:\WINDOWS\system32\dllcache\msi.dll
    - 2002-08-29 12:00:00 221,696 -c--a-w C:\WINDOWS\system32\dllcache\qmgr.dll
    + 2004-07-01 22:08:18 361,984 -c--a-w C:\WINDOWS\system32\dllcache\qmgr.dll
    - 2002-08-29 12:00:00 17,408 -c--a-w C:\WINDOWS\system32\dllcache\qmgrprxy.dll
    + 2004-07-01 22:08:18 17,408 -c--a-w C:\WINDOWS\system32\dllcache\qmgrprxy.dll
    - 2002-08-29 12:00:00 310,272 -c--a-w C:\WINDOWS\system32\dllcache\winhttp.dll
    + 2004-07-01 22:08:18 331,776 -c--a-w C:\WINDOWS\system32\dllcache\winhttp.dll
    + 2004-07-31 15:50:36 51,200 ----a-w C:\WINDOWS\system32\dumphive.exe
    - 2005-03-21 12:00:20 2,890,240 ----a-w C:\WINDOWS\system32\msi.dll
    + 2005-05-04 11:45:32 2,890,240 ----a-w C:\WINDOWS\system32\msi.dll
    + 2003-06-05 18:13:00 53,248 ----a-w C:\WINDOWS\system32\Process.exe
    - 2002-08-29 12:00:00 221,696 ----a-w C:\WINDOWS\system32\qmgr.dll
    + 2004-07-01 22:08:18 361,984 ----a-w C:\WINDOWS\system32\qmgr.dll
    - 2002-08-29 12:00:00 17,408 ----a-w C:\WINDOWS\system32\qmgrprxy.dll
    + 2004-07-01 22:08:18 17,408 ----a-w C:\WINDOWS\system32\qmgrprxy.dll
    - 2005-03-21 12:00:08 13,536 ------w C:\WINDOWS\system32\spmsg.dll
    + 2005-05-04 11:45:26 13,536 ------w C:\WINDOWS\system32\spmsg.dll
    - 2004-11-18 07:42:52 22,752 ----a-w C:\WINDOWS\system32\spupdsvc.exe
    + 2005-02-25 03:35:05 22,752 ----a-w C:\WINDOWS\system32\spupdsvc.exe
    + 2006-04-27 14:49:30 288,417 ----a-w C:\WINDOWS\system32\SrchSTS.exe
    + 2007-09-05 21:22:23 289,144 ----a-w C:\WINDOWS\system32\VCCLSID.exe
    - 2002-08-29 12:00:00 310,272 ----a-w C:\WINDOWS\system32\winhttp.dll
    + 2004-07-01 22:08:18 331,776 ----a-w C:\WINDOWS\system32\winhttp.dll
    + 2007-10-03 21:36:46 25,600 ----a-w C:\WINDOWS\system32\WS2Fix.exe
    + 2004-06-30 23:59:25 158,720 ------w C:\WINDOWS\system32\xpob2res.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4C69034A-F45F-D34D-A33A-C33C4D324FC4}]
    C:\WINDOWS\System32\arjrbler.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6629FF4F-ACDB-5C90-A098-FACB3456A266}]
    C:\WINDOWS\System32\mpmyfapi.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{97421D0D-E07F-40DF-8F07-99597B9585AD}]
    06/18/2008 12:07 AM 45056 --a------ C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager"= "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [08/30/2007 05:43 PM 4670704]
    "ctfmon.exe"= "C:\WINDOWS\System32\ctfmon.exe" [08/29/2002 03:00 PM 13312]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TkBellExe"= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [06/09/2008 12:02 PM 185896]
    C:\Documents and Settings\ali\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{A9895933-6636-4281-BC58-EE6DE2AF96E3}"= C:\WINDOWS\System32\ddserh.dll [ ]
    "{4C69034A-F45F-D34D-A33A-C33C4D324FC4}"= C:\WINDOWS\System32\arjrbler.dll [ ]
    "{6629FF4F-ACDB-5C90-A098-FACB3456A266}"= C:\WINDOWS\System32\mpmyfapi.dll [ ]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "JavaView"= {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll [ ]
    "ThunderAdvise"= {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll [06/18/2008 12:07 AM 45056]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.YV12"= yv12vfw.dll
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
    R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys [07/18/2007 02:22 PM]
    R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys [08/09/2007 01:04 PM]
    R2 NwSapAgent;SAP Agent;C:\WINDOWS\System32\svchost.exe [08/29/2002 03:00 PM]
    S2 cdralw;NVIDIA Compatible Windows Miniport Driver;C:\WINDOWS\System32\DRIVERS\nvmini.sys []
    S3 eth8023;eth8023;C:\WINDOWS\System32\drivers\eth8023.sys [06/18/2008 03:20 PM]
    S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [06/06/2008 11:45 PM]
    S3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\System32\DRIVERS\loop.sys [08/17/2001 01:53 PM]
    .
    **************************************************************************
    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-18 15:57:24
    Windows 5.1.2600 Service Pack 1 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
    .
    **************************************************************************
    .
    Completion time: 06/18/2008 15:59:23 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-06-18 12:59:20
    ComboFix2.txt 2008-06-13 16:39:50
    Pre-Run: 10,674,933,760 bytes free
    Post-Run: 10,675,908,608 bytes free
    256 --- E O F --- 2008-06-16 16:58:27

    ------------------------------------------------------

    and HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:54:11, on 18/06/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.masrawy.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
    O2 - BHO: arjrbler.dll - {4C69034A-F45F-D34D-A33A-C33C4D324FC4} - C:\WINDOWS\System32\arjrbler.dll (file missing)
    O2 - BHO: mpmyfapi.dll - {6629FF4F-ACDB-5C90-A098-FACB3456A266} - C:\WINDOWS\System32\mpmyfapi.dll (file missing)
    O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{45E890EC-2E69-4BB8-9096-657E7C13A6B2}: NameServer = 66.11.234.90,66.11.234.91
    O21 - SSODL: JavaView - {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll
    O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    --
    End of file - 2864 bytes

    -----------------------------------

    And sorry for being late, but the computer is so slow.
     
  16. 2008/06/18
    Geri (Inactive Alumni, Lifetime Subscription)
    Hi snow rose

    • Please go to Jotti's malware scan.
    • Copy and paste each of the following file paths, one at a time, into the "File to upload & scan" box at the top of the page:
      • C:\MicroSoft.bat
      • C:\MicroSoft.vbs
    • Click on the Submit button.
    • Please post the results in your next reply.

    Now do this Please.

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    File::
    C:\WINDOWS\system32\drivers\eth8023.sys
    C:\WINDOWS\AppPatch\AcSpecf.dll
    C:\WINDOWS\AppPatch\AcPlugin.dll
    C:\WINDOWS\java\Packages\PRTNZB3B.ZIP
    C:\WINDOWS\java\Packages\IVR9F7XZ.ZIP
    C:\WINDOWS\system32\404Fix.exe
    C:\WINDOWS\system32\aoqnabib.sys
    C:\WINDOWS\system32\bcsxachu.sys
    C:\WINDOWS\system32\cgsqatyu.sys
    C:\WINDOWS\system32\erjxakin.sys
    C:\WINDOWS\system32\hmsdvf.dll
    C:\WINDOWS\system32\iujraler.sys
    C:\WINDOWS\system32\rnmxajkl.sys
    C:\WINDOWS\system32\smdsbsrv.sys
    C:\WINDOWS\system32\snfybbyt.sys
    C:\WINDOWS\system32\tuker.dll
    C:\WINDOWS\system32\xsdjbbmp.sys
    C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4C69034A-F45F-D34D-A33A-C33C4D324FC4}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6629FF4F-ACDB-5C90-A098-FACB3456A266}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{97421D0D-E07F-40DF-8F07-99597B9585AD}]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{A9895933-6636-4281-BC58-EE6DE2AF96E3}"=-
    "{4C69034A-F45F-D34D-A33A-C33C4D324FC4}"=-
    "{6629FF4F-ACDB-5C90-A098-FACB3456A266}"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "JavaView"=-
    "ThunderAdvise"=-
    Please post the combofix log and the Jotti results.

    Thanks
    Geri
     
  17. 2008/06/20
    snow rose (Inactive, Thread Starter)
    Hi Geri

    These are the results of Jotti's malware scan:

    Norman Virus Control: found bat:autorun b.b

    Norman Virus Control: found vb5:autorun.z

    and the others found nothing.
    -------------------------------------

    ComboFix 08-06-16.5 - ali 06/20/2008 12:52:52.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.1.1256.1.1033.18.238 [GMT 3:00]
    Running from: C:\Documents and Settings\ali\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\ali\Desktop\CFScript.txt
    * Created a new restore point
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    FILE ::
    C:\WINDOWS\AppPatch\AcPlugin.dll
    C:\WINDOWS\AppPatch\AcSpecf.dll
    C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
    C:\WINDOWS\java\Packages\IVR9F7XZ.ZIP
    C:\WINDOWS\java\Packages\PRTNZB3B.ZIP
    C:\WINDOWS\system32\404Fix.exe
    C:\WINDOWS\system32\aoqnabib.sys
    C:\WINDOWS\system32\bcsxachu.sys
    C:\WINDOWS\system32\cgsqatyu.sys
    C:\WINDOWS\system32\drivers\eth8023.sys
    C:\WINDOWS\system32\erjxakin.sys
    C:\WINDOWS\system32\hmsdvf.dll
    C:\WINDOWS\system32\iujraler.sys
    C:\WINDOWS\system32\rnmxajkl.sys
    C:\WINDOWS\system32\smdsbsrv.sys
    C:\WINDOWS\system32\snfybbyt.sys
    C:\WINDOWS\system32\tuker.dll
    C:\WINDOWS\system32\xsdjbbmp.sys
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    C:\WINDOWS\AppPatch\AcPlugin.dll
    C:\WINDOWS\AppPatch\AcSpecf.dll
    C:\WINDOWS\AppPatch\AcXtrnel.dll
    C:\WINDOWS\AppPatch\Jview.dll
    C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
    C:\WINDOWS\java\Packages\IVR9F7XZ.ZIP
    C:\WINDOWS\java\Packages\PRTNZB3B.ZIP
    C:\WINDOWS\linkinfo.dll
    C:\WINDOWS\system32\404Fix.exe
    C:\WINDOWS\system32\aitlasys.exe
    C:\WINDOWS\system32\akjsckaq.dll
    C:\WINDOWS\system32\aoqnabib.sys
    C:\WINDOWS\system32\asfjthj.dll
    C:\WINDOWS\system32\axmsawin.exe
    C:\WINDOWS\system32\bcsxachu.sys
    C:\WINDOWS\system32\cedafb.dll
    C:\WINDOWS\system32\cgsqatyu.sys
    C:\WINDOWS\system32\ddserh.dll
    C:\WINDOWS\system32\drivers\cdralw.sys
    C:\WINDOWS\system32\drivers\eth8023.sys
    C:\WINDOWS\system32\ergfwe.dll
    C:\WINDOWS\system32\erjxakin.sys
    C:\WINDOWS\system32\etshabty.exe
    C:\WINDOWS\system32\fassaplo.sys
    C:\WINDOWS\system32\fsrgeb.dll
    C:\WINDOWS\system32\fstlbsys.sys
    C:\WINDOWS\system32\fzmsbwin.sys
    C:\WINDOWS\system32\gajzalit.sys
    C:\WINDOWS\system32\ghjyer.dll
    C:\WINDOWS\system32\ghwxattb.exe
    C:\WINDOWS\system32\gjbhr.dll
    C:\WINDOWS\system32\gpsgajba.sys
    C:\WINDOWS\system32\hgfhk.cfg
    C:\WINDOWS\system32\hgfhk.dll
    C:\WINDOWS\system32\hhrdxd.dll
    C:\WINDOWS\system32\hjk.dll
    C:\WINDOWS\system32\hmsdvf.dll
    C:\WINDOWS\system32\ijsgajba.sys
    C:\WINDOWS\system32\isdsasrv.exe
    C:\WINDOWS\system32\ismhasrv.exe
    C:\WINDOWS\system32\iujraler.sys
    C:\WINDOWS\system32\jashbbty.sys
    C:\WINDOWS\system32\jkjkll.dll
    C:\WINDOWS\system32\lariytrz.cfg
    C:\WINDOWS\system32\lariytrz.dll
    C:\WINDOWS\system32\lassaplo.dll
    C:\WINDOWS\system32\lijzclit.dll
    C:\WINDOWS\system32\lkssaplo.exe
    C:\WINDOWS\system32\lojxadwd.exe
    C:\WINDOWS\system32\lpsgajba.exe
    C:\WINDOWS\system32\mkjsakaq.exe
    C:\WINDOWS\system32\mnmhgsrv.dll
    C:\WINDOWS\system32\mpwddapi.dll
    C:\WINDOWS\system32\newxbttb.sys
    C:\WINDOWS\system32\njritc.cfg
    C:\WINDOWS\system32\njritc.dll
    C:\WINDOWS\system32\onjzalit.exe
    C:\WINDOWS\system32\opshbbty.dll
    C:\WINDOWS\system32\oqrthc.cfg
    C:\WINDOWS\system32\oqrthc.dll
    C:\WINDOWS\system32\oswxdttb.dll
    C:\WINDOWS\system32\ozfyebyt.dll
    C:\WINDOWS\system32\pjjxedwd.dll
    C:\WINDOWS\system32\pmjhbhlp.sys
    C:\WINDOWS\system32\ptjhehlp.dll
    C:\WINDOWS\system32\rnmxajkl.sys
    C:\WINDOWS\system32\sdjsakaq.sys
    C:\WINDOWS\system32\sergy.dll
    C:\WINDOWS\system32\simyaapi.exe
    C:\WINDOWS\system32\siwdaapi.exe
    C:\WINDOWS\system32\skqncbib.dll
    C:\WINDOWS\system32\smdsbsrv.sys
    C:\WINDOWS\system32\smmhbsrv.sys
    C:\WINDOWS\system32\snfybbyt.sys
    C:\WINDOWS\system32\spjhahlp.exe
    C:\WINDOWS\system32\spmybapi.sys
    C:\WINDOWS\system32\spwdbapi.sys
    C:\WINDOWS\system32\sqjsakaq.sys
    C:\WINDOWS\system32\tdggrz.dll
    C:\WINDOWS\system32\tfsdmz.dll
    C:\WINDOWS\system32\tisqatyu.dll
    C:\WINDOWS\system32\tiwxattb.sys
    C:\WINDOWS\system32\toqnabib.sys
    C:\WINDOWS\system32\tuker.dll
    C:\WINDOWS\system32\ujkwet.dll
    C:\WINDOWS\system32\wyrsdj.dll
    C:\WINDOWS\system32\xfztbmsn.sys
    C:\WINDOWS\system32\xsdjbbmp.sys
    C:\WINDOWS\system32\xzcsbhlp.sys
    C:\WINDOWS\system32\xzfhbjpg.sys
    C:\WINDOWS\system32\ysjxbdwd.sys
    C:\WINDOWS\system32\yxcschlp.dll
    C:\WINDOWS\system32\yxfhcjpg.dll
    C:\WINDOWS\system32\zaztamsn.exe
    C:\WINDOWS\system32\zdbdb.cfg
    C:\WINDOWS\system32\zdbdb.dll
    C:\WINDOWS\system32\zptlcsys.dll
    C:\WINDOWS\system32\zxcsahlp.exe
    C:\WINDOWS\system32\zxfhajpg.exe
    C:\WINDOWS\system32\zxmscwin.dll
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    -------\Legacy_CDRALW
    -------\Service_cdralw

    ((((((((((((((((((((((((( Files Created from 2008-05-20 to 2008-06-20 )))))))))))))))))))))))))))))))
    .
    No new files created in this timespan
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-19 20:57 30 ----a-w C:\MicroSoft.bat
    2008-06-19 20:57 186 ----a-w C:\MicroSoft.vbs
    2008-06-19 20:57 1,308 ----a-w C:\MicroSoft.pif
    2008-06-19 20:46 --------- d-----w C:\Documents and Settings\ali\Application Data\cleaner
    2008-06-18 16:22 --------- d-----w C:\Documents and Settings\ali\Application Data\CyberScrub
    2008-06-18 11:36 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
    2008-06-16 19:28 --------- d-----w C:\Program Files\ERUNT
    2008-06-16 08:54 --------- d-----w C:\Documents and Settings\ali\Application Data\Media Player Classic
    2008-06-14 21:45 --------- d-----w C:\Documents and Settings\ali\Application Data\DivX
    2008-06-13 19:58 --------- d-----w C:\Program Files\Google
    2008-06-13 18:10 --------- d-----w C:\Program Files\Yahoo!
    2008-06-13 15:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-06-13 15:10 --------- d-----w C:\Documents and Settings\ali\Application Data\Malwarebytes
    2008-06-12 22:46 --------- d-----w C:\Documents and Settings\ali\Application Data\Talkback
    2008-06-12 21:58 --------- d-----w C:\Documents and Settings\jana\Application Data\Media Player Classic
    2008-06-12 18:09 --------- d-----w C:\Program Files\Yahoo! Games
    2008-06-12 18:09 --------- d-----w C:\Program Files\TryMedia
    2008-06-12 17:42 --------- d-----w C:\Program Files\K-Lite Codec Pack
    2008-06-12 11:32 --------- d-----w C:\Program Files\Trend Micro
    2008-06-10 16:02 34,296 ----a-w C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-06-10 16:02 15,864 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
    2008-06-09 14:36 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-06-09 14:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2008-06-09 09:03 --------- d-----w C:\Program Files\Common Files\xing shared
    2008-06-09 09:03 --------- d-----w C:\Program Files\Common Files\Real
    2008-06-08 20:13 --------- d-----w C:\Documents and Settings\ali\Application Data\Yahoo!
    2008-06-08 19:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
    2008-06-07 16:11 --------- d-----w C:\Program Files\Real
    2008-06-07 15:30 --------- d-----w C:\Program Files\Avira
    2008-06-07 15:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
    2008-06-07 14:09 --------- d-----w C:\Program Files\Winamp
    2008-06-07 14:08 --------- d-----w C:\Documents and Settings\jana\Application Data\Winamp
    2008-06-06 22:58 --------- d-----w C:\Documents and Settings\jana\Application Data\Yahoo!
    2008-06-06 22:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
    2008-06-06 20:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-06-06 20:47 --------- d-----w C:\Program Files\Realtek
    2008-06-06 20:46 315,392 ----a-w C:\WINDOWS\HideWin.exe
    2008-06-06 20:46 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-06-06 20:46 --------- d-----w C:\Documents and Settings\jana\Application Data\InstallShield
    2008-06-06 20:45 4,716 ----a-w C:\WINDOWS\gdrv.sys
    2008-06-06 20:42 --------- d-----w C:\Program Files\Intel
    2008-06-06 20:07 --------- d-----w C:\Program Files\microsoft frontpage
    2004-08-08 07:17 16,734 --sh--w C:\WINDOWS\system32\agxyaloe.exe
    2004-08-08 20:49 537,608 --sh--w C:\WINDOWS\system32\apsgfjba.dll
    2004-08-08 20:49 535,560 --sh--w C:\WINDOWS\system32\arjrdler.dll
    2004-08-08 07:15 16,497 --sh--w C:\WINDOWS\system32\dazfajke.exe
    2004-08-08 07:15 15,873 --sh--w C:\WINDOWS\system32\dfqnabib.exe
    2004-08-08 07:15 1,040 --sh--w C:\WINDOWS\system32\dtzfajke.sys
    2004-08-08 07:17 536,584 --sh--w C:\WINDOWS\system32\erxybloe.dll
    2004-08-08 07:17 520 --sh--w C:\WINDOWS\system32\igxyaloe.sys
    2004-08-08 20:51 538,632 --sh--w C:\WINDOWS\system32\jke34kl32.dll
    2004-08-08 07:15 16,520 --sh--w C:\WINDOWS\system32\mkjraler.exe
    2004-08-08 20:51 534,024 --sh--w C:\WINDOWS\system32\mndsgsrv.dll
    2004-08-08 07:15 14,831 --sh--w C:\WINDOWS\system32\posqatyu.exe
    2004-08-08 20:49 536,072 --sh--w C:\WINDOWS\system32\pqzfajke.dll
    2004-08-08 20:48 536,584 --sh--w C:\WINDOWS\system32\rijxbkin.dll
    2004-08-08 07:15 16,602 --sh--w C:\WINDOWS\system32\stjxakin.exe
    2004-08-08 07:15 15,044 --sh--w C:\WINDOWS\system32\tjfyabyt.exe
    2004-08-08 20:48 536,072 --sh--w C:\WINDOWS\system32\yzztjmsn.dll
    .
    ((((((((((((((((((((((((((((( snapshot_Wed 06-18-2008_15.59.13.03 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-06-18 12:57:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-20 09:55:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2005-10-20 09:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\19-06-2008\ERDNT.EXE
    + 2008-06-19 20:46:13 2,195,456 ----a-w C:\WINDOWS\erdnt\AutoBackup\19-06-2008\Users\00000001\NTUSER.DAT
    + 2008-06-19 20:46:13 32,768 ----a-w C:\WINDOWS\erdnt\AutoBackup\19-06-2008\Users\00000002\UsrClass.dat
    + 2005-10-20 09:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\20-06-2008\ERDNT.EXE
    + 2008-06-20 07:14:05 2,195,456 ----a-w C:\WINDOWS\erdnt\AutoBackup\20-06-2008\Users\00000001\NTUSER.DAT
    + 2008-06-20 07:14:05 32,768 ----a-w C:\WINDOWS\erdnt\AutoBackup\20-06-2008\Users\00000002\UsrClass.dat
    + 2005-10-20 09:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\2008-06-18\ERDNT.EXE
    + 2008-06-18 12:58:20 1,929,216 ----a-w C:\WINDOWS\erdnt\AutoBackup\2008-06-18\Users\00000001\NTUSER.DAT
    + 2008-06-18 12:58:20 32,768 ----a-w C:\WINDOWS\erdnt\AutoBackup\2008-06-18\Users\00000002\UsrClass.dat
    + 2005-10-20 09:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\2008-06-20\ERDNT.EXE
    + 2008-06-20 09:55:52 2,195,456 ----a-w C:\WINDOWS\erdnt\AutoBackup\2008-06-20\Users\00000001\NTUSER.DAT
    + 2008-06-20 09:55:52 32,768 ----a-w C:\WINDOWS\erdnt\AutoBackup\2008-06-20\Users\00000002\UsrClass.dat
    - 2008-06-18 12:39:41 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2008-06-20 09:55:39 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2008-06-18 12:39:41 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-06-20 09:55:39 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2008-06-18 12:39:41 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-06-20 09:55:39 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2001-06-19 20:48:45 1,067,808 ----a-w C:\WINDOWS\system32\midimapyt2.dll
    + 2008-06-20 0753 229,376 ---ha-w C:\WINDOWS\system32\pedadt.dll
    + 2008-06-20 0740 218,624 ---ha-w C:\WINDOWS\system32\zdesfx.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20909876-4567-3908-4056-909834565102}]
    08/08/2004 10:17 AM 536584 ---hs---- C:\WINDOWS\System32\erxybloe.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25FD6584-698F-BCD2-602C-698745210352}]
    08/08/2004 11:48 PM 536584 ---hs---- C:\WINDOWS\System32\rijxbkin.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60A345CD-ABCD-EFAB-CDEF-ABCD01020306}]
    08/08/2004 11:49 PM 536072 ---hs---- C:\WINDOWS\System32\pqzfajke.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C69034A-F45F-D34D-A33A-C33C4D324FC6}]
    08/08/2004 11:49 PM 535560 ---hs---- C:\WINDOWS\System32\arjrdler.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6FD45A54-9875-698F-E56E-65102358FDF6}]
    08/08/2004 11:49 PM 537608 ---hs---- C:\WINDOWS\System32\apsgfjba.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77FD640A-158F-48AC-FD14-1597F14A9777}]
    08/08/2004 11:51 PM 534024 ---hs---- C:\WINDOWS\System32\mndsgsrv.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9629FF4F-ACDB-5C90-A098-FACB3456A269}]
    08/08/2004 11:51 PM 538632 ---hs---- C:\WINDOWS\System32\jke34kl32.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A490415F-65F8-B5C5-D8BA-9405FB12054A}]
    08/08/2004 11:48 PM 536072 ---hs---- C:\WINDOWS\System32\yzztjmsn.dll
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [08/30/2007 05:43 PM 4670704]
    "ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [08/29/2002 03:00 PM 13312]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [06/09/2008 12:02 PM 185896]
    C:\Documents and Settings\ali\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{A9895933-6636-4281-BC58-EE6DE2AF96E3}"= C:\WINDOWS\System32\ddserh.dll [ ]
    "{A490415F-65F8-B5C5-D8BA-9405FB12054A}"= C:\WINDOWS\System32\yzztjmsn.dll [08/08/2004 11:48 PM 536072]
    "{25FD6584-698F-BCD2-602C-698745210352}"= C:\WINDOWS\System32\rijxbkin.dll [08/08/2004 11:48 PM 536584]
    "{4F4F0064-71E0-4f0d-0028-708476C7815F}"= C:\WINDOWS\System32\midimapyt2.dll [06/19/2001 11:48 PM 1067808]
    "{45AADFAA-DD36-42AB-83AD-0521BBF58C24}"= C:\WINDOWS\System32\zdesfx.dll [06/20/2008 10:15 AM 218624]
    "{6C69034A-F45F-D34D-A33A-C33C4D324FC6}"= C:\WINDOWS\System32\arjrdler.dll [08/08/2004 11:49 PM 535560]
    "{6FD45A54-9875-698F-E56E-65102358FDF6}"= C:\WINDOWS\System32\apsgfjba.dll [08/08/2004 11:49 PM 537608]
    "{60A345CD-ABCD-EFAB-CDEF-ABCD01020306}"= C:\WINDOWS\System32\pqzfajke.dll [08/08/2004 11:49 PM 536072]
    "{5E907A48-400E-4EA8-9792-FFAE052D59E9}"= C:\WINDOWS\System32\pedadt.dll [06/20/2008 10:15 AM 229376]
    "{1E51C0FD-EE36-434B-AD2A-FD1FF3731C38}"= C:\WINDOWS\System32\wyrsdj.dll [ ]
    "{9629FF4F-ACDB-5C90-A098-FACB3456A269}"= C:\WINDOWS\System32\jke34kl32.dll [08/08/2004 11:51 PM 538632]
    "{77FD640A-158F-48AC-FD14-1597F14A9777}"= C:\WINDOWS\System32\mndsgsrv.dll [08/08/2004 11:51 PM 534024]
    "{20909876-4567-3908-4056-909834565102}"= C:\WINDOWS\System32\erxybloe.dll [08/08/2004 10:17 AM 536584]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "midimapyt2"= {4F4F0064-71E0-4f0d-0028-708476C7815F} - C:\WINDOWS\System32\midimapyt2.dll [06/19/2001 11:48 PM 1067808]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.YV12"= yv12vfw.dll
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
    R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys [07/18/2007 02:22 PM]
    R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys [08/09/2007 01:04 PM]
    R2 NwSapAgent;SAP Agent;C:\WINDOWS\System32\svchost.exe [08/29/2002 03:00 PM]
    S3 eth8023;eth8023;C:\WINDOWS\System32\drivers\eth8023.sys []
    S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [06/06/2008 11:45 PM]
    S3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\System32\DRIVERS\loop.sys [08/17/2001 01:53 PM]
    .
    **************************************************************************
    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-20 12:56:01
    Windows 5.1.2600 Service Pack 1 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
    .
    **************************************************************************
    .
    Completion time: 06/20/2008 12:58:04 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-06-20 09:58:01
    ComboFix2.txt 2008-06-18 12:59:24
    ComboFix3.txt 2008-06-13 16:39:50
    Pre-Run: 10,075,398,144 bytes free
    Post-Run: 10,045,870,080 bytes free
    303 --- E O F --- 2008-06-16 16:58:27
     
  18. 2008/06/20
    snow rose (Inactive, Thread Starter)
    And the HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:05:50, on 20/06/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.masrawy.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
    O2 - BHO: erxybloe.dll - {20909876-4567-3908-4056-909834565102} - C:\WINDOWS\System32\erxybloe.dll
    O2 - BHO: rijxbkin.dll - {25FD6584-698F-BCD2-602C-698745210352} - C:\WINDOWS\System32\rijxbkin.dll
    O2 - BHO: pqzfajke.dll - {60A345CD-ABCD-EFAB-CDEF-ABCD01020306} - C:\WINDOWS\System32\pqzfajke.dll
    O2 - BHO: arjrdler.dll - {6C69034A-F45F-D34D-A33A-C33C4D324FC6} - C:\WINDOWS\System32\arjrdler.dll
    O2 - BHO: apsgfjba.dll - {6FD45A54-9875-698F-E56E-65102358FDF6} - C:\WINDOWS\System32\apsgfjba.dll
    O2 - BHO: mndsgsrv.dll - {77FD640A-158F-48AC-FD14-1597F14A9777} - C:\WINDOWS\System32\mndsgsrv.dll
    O2 - BHO: jke34kl32.dll - {9629FF4F-ACDB-5C90-A098-FACB3456A269} - C:\WINDOWS\System32\jke34kl32.dll
    O2 - BHO: yzztjmsn.dll - {A490415F-65F8-B5C5-D8BA-9405FB12054A} - C:\WINDOWS\System32\yzztjmsn.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{45E890EC-2E69-4BB8-9096-657E7C13A6B2}: NameServer = 66.11.234.90,66.11.234.91
    O20 - AppInit_DLLs: arjrdler.dll,yzztjmsn.dll
    O21 - SSODL: midimapyt2 - {4F4F0064-71E0-4f0d-0028-708476C7815F} - C:\WINDOWS\System32\midimapyt2.dll
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    --
    End of file - 3327 bytes



    ---------------------------------------------------
    And by the way, there is a message that always appears:

    "16 bit MS-DOS Subsystem
    C:\WINDOWS\system32\cmd.exe
    The NTVDM CPU has encountered an illegal instruction. CS:0543 IP:012 OP:63 72 69 70 74. Choose 'Close' to terminate the application."

    ----------------------------------------------------------

    What should I do????
     
  19. 2008/06/20
    Geri (Inactive Alumni, Lifetime Subscription)
    Hi snow rose
    I believe that message is related to this infection and should stop if we can get rid of it. :(

    OK Please do this.

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    File::
    C:\WINDOWS\system32\agxyaloe.exe
    C:\WINDOWS\system32\apsgfjba.dll
    C:\WINDOWS\system32\arjrdler.dll
    C:\WINDOWS\system32\dazfajke.exe
    C:\WINDOWS\system32\dfqnabib.exe
    C:\WINDOWS\system32\dtzfajke.sys
    C:\WINDOWS\system32\erxybloe.dll
    C:\WINDOWS\system32\igxyaloe.sys
    C:\WINDOWS\system32\jke34kl32.dll
    C:\WINDOWS\system32\mkjraler.exe
    C:\WINDOWS\system32\mndsgsrv.dll
    C:\WINDOWS\system32\posqatyu.exe
    C:\WINDOWS\system32\pqzfajke.dll
    C:\WINDOWS\system32\rijxbkin.dll
    C:\WINDOWS\system32\stjxakin.exe
    C:\WINDOWS\system32\tjfyabyt.exe
    C:\WINDOWS\system32\yzztjmsn.dll
    C:\WINDOWS\system32\midimapyt2.dll
    C:\WINDOWS\system32\pedadt.dll
    C:\WINDOWS\system32\zdesfx.dll
    C:\WINDOWS\System32\drivers\eth8023.sys
    C:\MicroSoft.bat
    C:\MicroSoft.vbs
    C:\MicroSoft.pif
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20909876-4567-3908-4056-909834565102}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25FD6584-698F-BCD2-602C-698745210352}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60A345CD-ABCD-EFAB-CDEF-ABCD01020306}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C69034A-F45F-D34D-A33A-C33C4D324FC6}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6FD45A54-9875-698F-E56E-65102358FDF6}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77FD640A-158F-48AC-FD14-1597F14A9777}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9629FF4F-ACDB-5C90-A098-FACB3456A269}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A490415F-65F8-B5C5-D8BA-9405FB12054A}]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{A9895933-6636-4281-BC58-EE6DE2AF96E3}"=-
    "{A490415F-65F8-B5C5-D8BA-9405FB12054A}"=-
    "{25FD6584-698F-BCD2-602C-698745210352}"=-
    "{4F4F0064-71E0-4f0d-0028-708476C7815F}"=-
    "{45AADFAA-DD36-42AB-83AD-0521BBF58C24}"=-
    "{6C69034A-F45F-D34D-A33A-C33C4D324FC6}"=-
    "{6FD45A54-9875-698F-E56E-65102358FDF6}"=-
    "{60A345CD-ABCD-EFAB-CDEF-ABCD01020306}"=-
    "{5E907A48-400E-4EA8-9792-FFAE052D59E9}"=-
    "{1E51C0FD-EE36-434B-AD2A-FD1FF3731C38}"=-
    "{9629FF4F-ACDB-5C90-A098-FACB3456A269}"=-
    "{77FD640A-158F-48AC-FD14-1597F14A9777}"=-
    "{20909876-4567-3908-4056-909834565102}"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "midimapyt2"=-
    Driver::
    eth8023
    Please post the combofix log and a new HJT log.

    Thanks
    Geri
     
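    In the two posts above the helper reads the HijackThis log by eye and hand-writes the CFScript from it. As an added example (not code from this thread, from HijackThis or from ComboFix), the Python below applies the same rules mechanically: an O2 BHO whose display name is just its DLL filename and whose DLL sits directly in System32 has no registered friendly name, which is exactly how erxybloe.dll, jke34kl32.dll and the others appear in the 20/06/2008 log; an O2 entry marked "(file missing)" is an orphaned CLSID that needs only the registry key removed; an O21 SSODL name outside the XP defaults is suspect; every DLL in O20 AppInit_DLLs is listed for removal; and an O17 NameServer not on a trusted list is flagged for review only, because the log alone cannot say whether a resolver is hostile. The hits are rendered in the File::/Registry:: layout Geri uses above. The sample log is constructed from lines in this thread plus one made-up benign BHO; the known-good SSODL names and the trusted resolver set are abbreviated assumptions, and bare AppInit DLL names are resolved to System32 by assumption.

```python
"""Triage HijackThis (HJT) log lines and draft a ComboFix CFScript from the hits.

Added example for this thread, not code from the posts above, from HijackThis
or from ComboFix. The heuristics mirror what the helper applies by eye; the
known-good and trusted lists are abbreviated assumptions, not authoritative.
"""
import re
from collections import defaultdict

# Constructed sample: O2/O17/O20/O21 lines taken from the HJT logs in this
# thread, plus one made-up, descriptively named BHO that the filter should keep.
SAMPLE_HJT_LOG = r"""
O2 - BHO: erxybloe.dll - {20909876-4567-3908-4056-909834565102} - C:\WINDOWS\System32\erxybloe.dll
O2 - BHO: jke34kl32.dll - {9629FF4F-ACDB-5C90-A098-FACB3456A269} - C:\WINDOWS\System32\jke34kl32.dll
O2 - BHO: arjrbler.dll - {4C69034A-F45F-D34D-A33A-C33C4D324FC4} - C:\WINDOWS\System32\arjrbler.dll (file missing)
O2 - BHO: Example Toolbar Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{45E890EC-2E69-4BB8-9096-657E7C13A6B2}: NameServer = 66.11.234.90,66.11.234.91
O20 - AppInit_DLLs: arjrdler.dll,yzztjmsn.dll
O21 - SSODL: midimapyt2 - {4F4F0064-71E0-4f0d-0028-708476C7815F} - C:\WINDOWS\System32\midimapyt2.dll
"""

CLSID = r"\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - " + CLSID + r" - (?P<path>.+?)(?P<missing> \(file missing\))?$")
SSODL_RE = re.compile(r"^O21 - SSODL: (?P<name>.*?) - " + CLSID + r" - (?P<path>.+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
DNS_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
SYSTEM32 = re.compile(r"^C:\\WINDOWS\\System32\\[^\\]+$", re.IGNORECASE)

# Assumption: abbreviated list of the SSODL names present on a stock Windows XP.
KNOWN_SSODL = {"webcheck", "postbootreminder", "cdburn", "systray"}
# Constructed: the resolvers this machine is expected to use (ISP or router).
TRUSTED_DNS = {"192.168.1.1"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def triage(log_text, trusted_dns=TRUSTED_DNS):
    """Return {'bho': [(clsid, path_or_None, reason)], 'ssodl': [(name, path)],
    'appinit': [path], 'dns_review': [ip]} for the suspicious lines only."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            if m["missing"]:
                # The registration survives without its DLL: delete the CLSID key only.
                hits["bho"].append((m["clsid"], None, "orphaned CLSID, file already gone"))
            elif m["name"].lower() == basename(m["path"]).lower() and SYSTEM32.match(m["path"]):
                # HJT prints the filename as the name when no friendly name is registered;
                # a nameless BHO dropped straight into System32 is the pattern in this thread.
                hits["bho"].append((m["clsid"], m["path"], "no friendly name, loaded from System32"))
            continue
        m = SSODL_RE.match(line)
        if m:
            if m["name"].lower() not in KNOWN_SSODL:
                hits["ssodl"].append((m["name"], m["path"]))
            continue
        m = APPINIT_RE.match(line)
        if m:
            for dll in filter(None, (d.strip() for d in m["dlls"].split(","))):
                # Bare names in AppInit_DLLs load from System32 (assumption: no explicit path given).
                hits["appinit"].append(dll if "\\" in dll else "C:\\WINDOWS\\System32\\" + dll)
            continue
        m = DNS_RE.match(line)
        if m:
            # A resolver the log cannot vouch for is a review item, not a deletion.
            hits["dns_review"].extend(ip.strip() for ip in m["servers"].split(",")
                                      if ip.strip() not in trusted_dns)
    return dict(hits)


def build_cfscript(hits):
    """Render the hits in the File::/Registry:: layout used by the CFScripts above."""
    files = [p for _, p, _ in hits.get("bho", []) if p]
    files += [p for _, p in hits.get("ssodl", [])]
    files += hits.get("appinit", [])
    reg = ["[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{%s}]" % clsid
           for clsid, _, _ in hits.get("bho", [])]
    if hits.get("ssodl"):
        reg.append("[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad]")
        reg.extend('"%s"=-' % name for name, _ in hits["ssodl"])
    out = []
    if files:
        out += ["File::"] + sorted(set(files), key=str.lower)
    if reg:
        out += ["Registry::"] + reg
    return "\n".join(out) + ("\n" if out else "")


if __name__ == "__main__":
    found = triage(SAMPLE_HJT_LOG)
    for ip in found.get("dns_review", []):
        print("review only: NameServer", ip)
    print(build_cfscript(found))
```

    Two caveats this thread itself illustrates. A CFScript removes only what it names: in the ComboFix run posted after this, C:\MicroSoft.bat and C:\MicroSoft.vbs reappear in the Find3M report with a 2008-06-20 15:07 timestamp although the script above listed them, and the 2004-dated System32 files it listed are still present, which is what a live component re-dropping its files looks like. The generator also leaves the AppInit_DLLs registry value itself untouched and only lists the DLLs under File::. On the NTVDM error quoted in post 18: the OP bytes 63 72 69 70 74 are the ASCII text "cript", so the emulated CPU was executing text rather than code, worth keeping in mind with C:\MicroSoft.pif sitting next to the .bat and .vbs.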
  20. 2008/06/21
    snow rose (Inactive, Thread Starter)
    Hi Geri

    Here are the reports again:
    ---------------------------------------
    ComboFix 08-06-16.5 - ali 06/20/2008 21:54:00.4 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.1.1256.1.1033.18.281 [GMT 3:00]
    Running from: C:\Documents and Settings\ali\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\ali\Desktop\CFScript.txt
     * Created a new restore point
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    C:\WINDOWS\AppPatch\AcXtrnel.dll
    C:\WINDOWS\AppPatch\Jview.dll
    C:\WINDOWS\system32\ijsgajba.sys
    C:\WINDOWS\system32\ismhasrv.exe
    C:\WINDOWS\system32\mnmhgsrv.dll
    C:\WINDOWS\system32\smmhbsrv.sys
    .
    (((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    -------\Legacy_ETH8023
    -------\Service_eth8023

    ((((((((((((((((((((((((( Files Created from 2008-05-20 to 2008-06-20 )))))))))))))))))))))))))))))))
    .
    No new files created in this timespan
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-20 15:07 30 ----a-w C:\MicroSoft.bat
    2008-06-20 15:07 186 ----a-w C:\MicroSoft.vbs
    2008-06-19 20:46 --------- d-----w C:\Documents and Settings\ali\Application Data\cleaner
    2008-06-18 16:22 --------- d-----w C:\Documents and Settings\ali\Application Data\CyberScrub
    2008-06-18 11:36 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
    2008-06-16 19:28 --------- d-----w C:\Program Files\ERUNT
    2008-06-16 08:54 --------- d-----w C:\Documents and Settings\ali\Application Data\Media Player Classic
    2008-06-14 21:45 --------- d-----w C:\Documents and Settings\ali\Application Data\DivX
    2008-06-13 19:58 --------- d-----w C:\Program Files\Google
    2008-06-13 18:10 --------- d-----w C:\Program Files\Yahoo!
    2008-06-13 15:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-06-13 15:10 --------- d-----w C:\Documents and Settings\ali\Application Data\Malwarebytes
    2008-06-12 22:46 --------- d-----w C:\Documents and Settings\ali\Application Data\Talkback
    2008-06-12 21:58 --------- d-----w C:\Documents and Settings\jana\Application Data\Media Player Classic
    2008-06-12 18:09 --------- d-----w C:\Program Files\Yahoo! Games
    2008-06-12 18:09 --------- d-----w C:\Program Files\TryMedia
    2008-06-12 17:42 --------- d-----w C:\Program Files\K-Lite Codec Pack
    2008-06-12 11:32 --------- d-----w C:\Program Files\Trend Micro
    2008-06-10 16:02 34,296 ----a-w C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-06-10 16:02 15,864 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
    2008-06-09 14:36 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-06-09 14:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2008-06-09 09:03 --------- d-----w C:\Program Files\Common Files\xing shared
    2008-06-09 09:03 --------- d-----w C:\Program Files\Common Files\Real
    2008-06-08 20:13 --------- d-----w C:\Documents and Settings\ali\Application Data\Yahoo!
    2008-06-08 19:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
    2008-06-07 16:11 --------- d-----w C:\Program Files\Real
    2008-06-07 15:30 --------- d-----w C:\Program Files\Avira
    2008-06-07 15:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
    2008-06-07 14:09 --------- d-----w C:\Program Files\Winamp
    2008-06-07 14:08 --------- d-----w C:\Documents and Settings\jana\Application Data\Winamp
    2008-06-06 22:58 --------- d-----w C:\Documents and Settings\jana\Application Data\Yahoo!
    2008-06-06 22:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
    2008-06-06 20:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-06-06 20:47 --------- d-----w C:\Program Files\Realtek
    2008-06-06 20:46 315,392 ----a-w C:\WINDOWS\HideWin.exe
    2008-06-06 20:46 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-06-06 20:46 --------- d-----w C:\Documents and Settings\jana\Application Data\InstallShield
    2008-06-06 20:45 4,716 ----a-w C:\WINDOWS\gdrv.sys
    2008-06-06 20:42 --------- d-----w C:\Program Files\Intel
    2008-06-06 20:07 --------- d-----w C:\Program Files\microsoft frontpage
    2004-08-08 07:17 16,734 --sh--w C:\WINDOWS\system32\agxyaloe.exe
    2004-08-08 20:49 537,608 --sh--w C:\WINDOWS\system32\apsgfjba.dll
    2004-08-08 20:49 535,560 --sh--w C:\WINDOWS\system32\arjrdler.dll
    2004-08-08 07:15 16,497 --sh--w C:\WINDOWS\system32\dazfajke.exe
    2004-08-08 07:15 15,873 --sh--w C:\WINDOWS\system32\dfqnabib.exe
    2004-08-08 07:15 1,040 --sh--w C:\WINDOWS\system32\dtzfajke.sys
    2004-08-08 07:17 536,584 --sh--w C:\WINDOWS\system32\erxybloe.dll
    2004-08-08 07:17 520 --sh--w C:\WINDOWS\system32\igxyaloe.sys
    2004-08-08 20:51 538,632 --sh--w C:\WINDOWS\system32\jke34kl32.dll
    2004-08-08 07:15 16,520 --sh--w C:\WINDOWS\system32\mkjraler.exe
    2004-08-08 20:51 534,024 --sh--w C:\WINDOWS\system32\mndsgsrv.dll
    2004-08-08 07:15 14,831 --sh--w C:\WINDOWS\system32\posqatyu.exe
    2004-08-08 20:49 536,072 --sh--w C:\WINDOWS\system32\pqzfajke.dll
    2004-08-08 20:48 536,584 --sh--w C:\WINDOWS\system32\rijxbkin.dll
    2004-08-08 07:15 16,602 --sh--w C:\WINDOWS\system32\stjxakin.exe
    2004-08-08 07:15 15,044 --sh--w C:\WINDOWS\system32\tjfyabyt.exe
    2004-08-08 18:46 520 --sh--w C:\WINDOWS\system32\xsdjbbmp.sys
    2004-08-08 18:46 537,608 --sh--w C:\WINDOWS\system32\ypdjgbmp.dll
    2004-08-08 20:48 536,072 --sh--w C:\WINDOWS\system32\yzztjmsn.dll
    2004-08-08 18:46 16,667 --sh--w C:\WINDOWS\system32\zsdjabmp.exe
    .
    ((((((((((((((((((((((((((((( snapshot_Wed 06-18-2008_15.59.13.03 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-06-18 12:57:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-20 18:55:50 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2005-10-20 09:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\19-06-2008\ERDNT.EXE
    + 2008-06-19 20:46:13 2,195,456 ----a-w C:\WINDOWS\erdnt\AutoBackup\19-06-2008\Users\00000001\NTUSER.DAT
    + 2008-06-19 20:46:13 32,768 ----a-w C:\WINDOWS\erdnt\AutoBackup\19-06-2008\Users\00000002\UsrClass.dat
    + 2005-10-20 09:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\20-06-2008\ERDNT.EXE
    + 2008-06-20 07:14:05 2,195,456 ----a-w C:\WINDOWS\erdnt\AutoBackup\20-06-2008\Users\00000001\NTUSER.DAT
    + 2008-06-20 07:14:05 32,768 ----a-w C:\WINDOWS\erdnt\AutoBackup\20-06-2008\Users\00000002\UsrClass.dat
    + 2005-10-20 09:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\2008-06-18\ERDNT.EXE
    + 2008-06-18 12:58:20 1,929,216 ----a-w C:\WINDOWS\erdnt\AutoBackup\2008-06-18\Users\00000001\NTUSER.DAT
    + 2008-06-18 12:58:20 32,768 ----a-w C:\WINDOWS\erdnt\AutoBackup\2008-06-18\Users\00000002\UsrClass.dat
    + 2005-10-20 09:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\2008-06-20\ERDNT.EXE
    + 2008-06-20 09:55:52 2,195,456 ----a-w C:\WINDOWS\erdnt\AutoBackup\2008-06-20\Users\00000001\NTUSER.DAT
    + 2008-06-20 09:55:52 32,768 ----a-w C:\WINDOWS\erdnt\AutoBackup\2008-06-20\Users\00000002\UsrClass.dat
    - 2008-06-18 12:39:41 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2008-06-20 18:55:50 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2008-06-18 12:39:41 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-06-20 18:55:50 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2008-06-18 12:39:41 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-06-20 18:55:50 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2001-06-19 20:48:45 1,067,808 ----a-w C:\WINDOWS\system32\midimapyt2.dll
    + 2008-06-20 0753 229,376 ---ha-w C:\WINDOWS\system32\pedadt.dll
    + 2008-06-20 0740 218,624 ---ha-w C:\WINDOWS\system32\zdesfx.dll
    + 2008-06-20 11:34:43 218,624 ---ha-w C:\WINDOWS\system32\zgrjdx.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91954FAC-1023-154F-895A-1458258AD819}]
    08/08/2004 09:46 PM 537608 ---hs---- C:\WINDOWS\System32\ypdjgbmp.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [08/30/2007 05:43 PM 4670704]
    "ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [08/29/2002 03:00 PM 13312]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [06/09/2008 12:02 PM 185896]

    C:\Documents and Settings\ali\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{91954FAC-1023-154F-895A-1458258AD819}"= C:\WINDOWS\System32\ypdjgbmp.dll [08/08/2004 09:46 PM 537608]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "JavaView"= {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=arjrdler.dll,yzztjmsn.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.YV12"= yv12vfw.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

    R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys [07/18/2007 02:22 PM]
    R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys [08/09/2007 01:04 PM]
    R2 NwSapAgent;SAP Agent;C:\WINDOWS\System32\svchost.exe [08/29/2002 03:00 PM]
    S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [06/06/2008 11:45 PM]
    S3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\System32\DRIVERS\loop.sys [08/17/2001 01:53 PM]
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-20 21:57:06
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
    .
    **************************************************************************
    .
    Completion time: 06/20/2008 21:59:08 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-06-20 18:59:05
    ComboFix2.txt 2008-06-20 09:58:04
    ComboFix3.txt 2008-06-18 12:59:24
    ComboFix4.txt 2008-06-13 16:39:50

    Pre-Run: 9,992,818,688 bytes free
    Post-Run: 10,006,487,040 bytes free

    169 --- E O F --- 2008-06-16 16:58:27

    ------------------------------------------------


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:04:40, on 20/06/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\wbem\wmiprvse.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.masrawy.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
    O2 - BHO: arjrdler.dll - {6C69034A-F45F-D34D-A33A-C33C4D324FC6} - C:\WINDOWS\System32\arjrdler.dll
    O2 - BHO: ypdjgbmp.dll - {91954FAC-1023-154F-895A-1458258AD819} - C:\WINDOWS\System32\ypdjgbmp.dll
    O2 - BHO: yzztjmsn.dll - {A490415F-65F8-B5C5-D8BA-9405FB12054A} - C:\WINDOWS\System32\yzztjmsn.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{45E890EC-2E69-4BB8-9096-657E7C13A6B2}: NameServer = 66.11.234.90,66.11.234.91
    O20 - AppInit_DLLs: arjrdler.dll,yzztjmsn.dll
    O21 - SSODL: JavaView - {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll (file missing)
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    --
    End of file - 2767 bytes

    --------------------------------------

    I hope to fix it as soon as we can!

    And thanks a lot for your help :)
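    Reading the two logs above means joining them by file name: HijackThis shows what loads at startup, while ComboFix's Find3M list shows each file's date and attribute flags. The Python below is an added example, not code from either poster and not part of HijackThis or ComboFix. It parses O2/O4/O20/O21 lines and Find3M lines (the embedded log lines are constructed samples modelled on the posted logs) and flags load points whose image carries hidden+system attributes or no longer exists. The class names, the attribute-field positions and the regular expressions are the example's own assumptions about the two log formats.

```python
# Added example for this thread: join HijackThis autostart lines with ComboFix
# Find3M lines by file name; names and regexes are the example's own assumptions.
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed HijackThis excerpt (same line shapes as the posted log).
HJT_SAMPLE = r"""
O2 - BHO: arjrdler.dll - {6C69034A-F45F-D34D-A33A-C33C4D324FC6} - C:\WINDOWS\System32\arjrdler.dll
O2 - BHO: ypdjgbmp.dll - {91954FAC-1023-154F-895A-1458258AD819} - C:\WINDOWS\System32\ypdjgbmp.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O20 - AppInit_DLLs: arjrdler.dll,yzztjmsn.dll
O21 - SSODL: JavaView - {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll (file missing)
"""

# Constructed ComboFix Find3M excerpt: date, time, size, 7-char attribute flags, path.
CF_SAMPLE = r"""
2008-06-06 20:46  315,392  ----a-w  C:\WINDOWS\HideWin.exe
2004-08-08 20:49  535,560  --sh--w  C:\WINDOWS\system32\arjrdler.dll
2004-08-08 18:46  537,608  --sh--w  C:\WINDOWS\system32\ypdjgbmp.dll
2004-08-08 20:48  536,072  --sh--w  C:\WINDOWS\system32\yzztjmsn.dll
"""

RE_O2 = re.compile(r"^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$")
RE_O4 = re.compile(r"^O4 - \S+: \[([^\]]+)\] (.*)$")
RE_O20 = re.compile(r"^O20 - AppInit_DLLs: (.*)$")
RE_O21 = re.compile(r"^O21 - SSODL: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$")
RE_FIND3M = re.compile(r"^\d{4}-\d{2}-\d{2}\s+\S+\s+\S+\s+([-a-z]{7})\s+(.*)$")
MISSING = " (file missing)"


def basename(path: str) -> str:
    # Lower-cased so System32/system32 spellings in the two logs compare equal.
    return path.rsplit("\\", 1)[-1].lower()


@dataclass(frozen=True)
class Autostart:
    kind: str      # O2 = BHO, O4 = Run key, O20 = AppInit_DLLs, O21 = SSODL
    label: str     # value or BHO name; the DLL itself for AppInit_DLLs
    path: str      # full path when the log gives one, else the bare file name
    missing: bool  # HijackThis appended "(file missing)"


@dataclass(frozen=True)
class FileRecord:
    path: str
    attrs: str  # ComboFix flags such as "--sh--w": index 2 = system, index 3 = hidden

    @property
    def hidden_system(self) -> bool:
        return self.attrs[2] == "s" and self.attrs[3] == "h"


def _image_path(cmd: str) -> str:
    """Executable path from a Run-key command line, quoted or bare."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.*?\.(?:exe|dll|sys|bat|vbs|pif|cmd))\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def parse_hjt(text: str) -> list[Autostart]:
    """Parse the O2/O4/O20/O21 lines of a HijackThis log."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        missing = line.endswith(MISSING)
        if missing:
            line = line[: -len(MISSING)]
        if m := RE_O2.match(line):
            entries.append(Autostart("O2", m.group(1), m.group(2), missing))
        elif m := RE_O4.match(line):
            entries.append(Autostart("O4", m.group(1), _image_path(m.group(2)), missing))
        elif m := RE_O20.match(line):
            # AppInit_DLLs is a comma-separated list; one record per DLL.
            for dll in filter(None, (d.strip() for d in m.group(1).split(","))):
                entries.append(Autostart("O20", dll, dll, False))
        elif m := RE_O21.match(line):
            entries.append(Autostart("O21", m.group(1), m.group(2), missing))
    return entries


def parse_find3m(text: str) -> dict[str, FileRecord]:
    """Index ComboFix Find3M lines by file name."""
    files = {}
    for raw in text.splitlines():
        if m := RE_FIND3M.match(raw.strip()):
            files[basename(m.group(2))] = FileRecord(m.group(2), m.group(1))
    return files


def triage(entries: list[Autostart], files: dict[str, FileRecord]) -> list[tuple[Autostart, str]]:
    """Flag load points whose image is gone or carries hidden+system attributes."""
    findings = []
    for e in entries:
        rec = files.get(basename(e.path))
        if e.missing:
            findings.append((e, "load point references a file that no longer exists"))
        elif rec is not None and rec.hidden_system:
            findings.append((e, f"image is hidden+system ({rec.attrs})"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(parse_hjt(HJT_SAMPLE), parse_find3m(CF_SAMPLE)):
        print(f"{entry.kind:<4} {basename(entry.path):<14} {reason}")
```

    Run as a script it prints one line per flagged entry: the hidden+system test picks out the `--sh--w` DLLs behind the O2 and O20 entries while leaving realsched.exe and ctfmon.exe alone, and the O21 entry is flagged for the opposite reason, a load point with nothing behind it. Neither signal proves anything on its own; they are the two cheap checks a helper makes before deciding which files and registry keys go into a fix script.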
     
  21. 2008/06/21
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK, let's try this again.

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    File::
    C:\WINDOWS\system32\agxyaloe.exe
    C:\WINDOWS\system32\apsgfjba.dll
    C:\WINDOWS\system32\arjrdler.dll
    C:\WINDOWS\system32\dazfajke.exe
    C:\WINDOWS\system32\dfqnabib.exe
    C:\WINDOWS\system32\dtzfajke.sys
    C:\WINDOWS\system32\erxybloe.dll
    C:\WINDOWS\system32\igxyaloe.sys
    C:\WINDOWS\system32\jke34kl32.dll
    C:\WINDOWS\system32\mkjraler.exe
    C:\WINDOWS\system32\mndsgsrv.dll
    C:\WINDOWS\system32\posqatyu.exe
    C:\WINDOWS\system32\pqzfajke.dll
    C:\WINDOWS\system32\rijxbkin.dll
    C:\WINDOWS\system32\stjxakin.exe
    C:\WINDOWS\system32\tjfyabyt.exe
    C:\WINDOWS\system32\yzztjmsn.dll
    C:\WINDOWS\system32\midimapyt2.dll
    C:\WINDOWS\system32\pedadt.dll
    C:\WINDOWS\system32\zdesfx.dll
    C:\WINDOWS\System32\drivers\eth8023.sys
    C:\WINDOWS\System32\ypdjgbmp.dll
    C:\MicroSoft.bat
    C:\MicroSoft.vbs
    C:\MicroSoft.pif
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20909876-4567-3908-4056-909834565102}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25FD6584-698F-BCD2-602C-698745210352}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60A345CD-ABCD-EFAB-CDEF-ABCD01020306}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C69034A-F45F-D34D-A33A-C33C4D324FC6}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6FD45A54-9875-698F-E56E-65102358FDF6}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77FD640A-158F-48AC-FD14-1597F14A9777}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9629FF4F-ACDB-5C90-A098-FACB3456A269}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A490415F-65F8-B5C5-D8BA-9405FB12054A}]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{A9895933-6636-4281-BC58-EE6DE2AF96E3}"=-
    "{A490415F-65F8-B5C5-D8BA-9405FB12054A}"=-
    "{25FD6584-698F-BCD2-602C-698745210352}"=-
    "{4F4F0064-71E0-4f0d-0028-708476C7815F}"=-
    "{45AADFAA-DD36-42AB-83AD-0521BBF58C24}"=-
    "{6C69034A-F45F-D34D-A33A-C33C4D324FC6}"=-
    "{6FD45A54-9875-698F-E56E-65102358FDF6}"=-
    "{60A345CD-ABCD-EFAB-CDEF-ABCD01020306}"=-
    "{5E907A48-400E-4EA8-9792-FFAE052D59E9}"=-
    "{1E51C0FD-EE36-434B-AD2A-FD1FF3731C38}"=-
    "{9629FF4F-ACDB-5C90-A098-FACB3456A269}"=-
    "{77FD640A-158F-48AC-FD14-1597F14A9777}"=-
    "{20909876-4567-3908-4056-909834565102}"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "midimapyt2"=-
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91954FAC-1023-154F-895A-1458258AD819}]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    
    Driver::
    eth8023
    Please post the CF log. Also, please make sure Word Wrap is unchecked in Notepad; it is under the Format tab.

    Thanks
    Geri
     
