
I can't use any Antivirus!

Discussion in 'Malware and Virus Removal Archive' started by snow rose, 2008/06/12.

  1. 2008/06/21
    snow rose

    snow rose Inactive Thread Starter

    Joined:
    2008/03/12
    Messages:
    33
    Likes Received:
    0
    Sorry Geri

    I don't understand what you meant about

    And I have a question: what should I choose for "Encoding" in Notepad when I save "CFScript.txt"?
     
  2. 2008/06/22
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    If you open Notepad and click on Format at the top, and Word Wrap has a check next to it, click on Word Wrap to uncheck it.
    When I open mine, ANSI is what is listed there; I believe this may be the default entry.

    It was very hard to try and read the last combofix log. :p

    Thanks
    Geri
     


  4. 2008/06/24
    snow rose

    snow rose Inactive Thread Starter

    Joined:
    2008/03/12
    Messages:
    33
    Likes Received:
    0
    This is the report "Sorry for the last one"

    ComboFix 08-06-16.5 - ali 06/24/2008 12:00:46.7 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.1.1256.1.1033.18.274 [GMT 3:00]
    Running from: C:\Documents and Settings\ali\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\ali\Desktop\CFScript.txt
    * Created a new restore point
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    FILE ::
    C:\MicroSoft.bat
    C:\MicroSoft.pif
    C:\MicroSoft.vbs
    C:\WINDOWS\system32\agxyaloe.exe
    C:\WINDOWS\system32\apsgfjba.dll
    C:\WINDOWS\system32\arjrdler.dll
    C:\WINDOWS\system32\dazfajke.exe
    C:\WINDOWS\system32\dfqnabib.exe
    C:\WINDOWS\System32\drivers\eth8023.sys
    C:\WINDOWS\system32\dtzfajke.sys
    C:\WINDOWS\system32\erxybloe.dll
    C:\WINDOWS\system32\igxyaloe.sys
    C:\WINDOWS\system32\jke34kl32.dll
    C:\WINDOWS\system32\midimapyt2.dll
    C:\WINDOWS\system32\mkjraler.exe
    C:\WINDOWS\system32\mndsgsrv.dll
    C:\WINDOWS\system32\pedadt.dll
    C:\WINDOWS\system32\posqatyu.exe
    C:\WINDOWS\system32\pqzfajke.dll
    C:\WINDOWS\system32\rijxbkin.dll
    C:\WINDOWS\system32\stjxakin.exe
    C:\WINDOWS\system32\tjfyabyt.exe
    C:\WINDOWS\System32\ypdjgbmp.dll
    C:\WINDOWS\system32\yzztjmsn.dll
    C:\WINDOWS\system32\zdesfx.dll
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    C:\WINDOWS\AppPatch\AcXtrnel.dll
    C:\WINDOWS\AppPatch\Jview.dll
    C:\WINDOWS\system32\ismhasrv.exe
    C:\WINDOWS\system32\mnmhgsrv.dll
    C:\WINDOWS\system32\smmhbsrv.sys
    .
    ((((((((((((((((((((((((( Files Created from 2008-05-24 to 2008-06-24 )))))))))))))))))))))))))))))))
    .
    No new files created in this timespan
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-23 20:48 9,728 ----a-w C:\WINDOWS\AppPatch\AcSpecf.dll
    2008-06-23 20:44 18,048 ----a-w C:\WINDOWS\system32\drivers\eth8023.sys
    2008-06-21 12:22 27,136 ----a-w C:\WINDOWS\AppPatch\AcPlugin.dll
    2008-06-19 20:46 --------- d-----w C:\Documents and Settings\ali\Application Data\cleaner
    2008-06-18 16:22 --------- d-----w C:\Documents and Settings\ali\Application Data\CyberScrub
    2008-06-18 11:36 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
    2008-06-16 19:28 --------- d-----w C:\Program Files\ERUNT
    2008-06-16 08:54 --------- d-----w C:\Documents and Settings\ali\Application Data\Media Player Classic
    2008-06-14 21:45 --------- d-----w C:\Documents and Settings\ali\Application Data\DivX
    2008-06-13 19:58 --------- d-----w C:\Program Files\Google
    2008-06-13 18:10 --------- d-----w C:\Program Files\Yahoo!
    2008-06-13 15:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-06-13 15:10 --------- d-----w C:\Documents and Settings\ali\Application Data\Malwarebytes
    2008-06-12 22:46 --------- d-----w C:\Documents and Settings\ali\Application Data\Talkback
    2008-06-12 21:58 --------- d-----w C:\Documents and Settings\jana\Application Data\Media Player Classic
    2008-06-12 18:09 --------- d-----w C:\Program Files\Yahoo! Games
    2008-06-12 18:09 --------- d-----w C:\Program Files\TryMedia
    2008-06-12 17:42 --------- d-----w C:\Program Files\K-Lite Codec Pack
    2008-06-12 11:32 --------- d-----w C:\Program Files\Trend Micro
    2008-06-10 16:02 34,296 ----a-w C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-06-10 16:02 15,864 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
    2008-06-09 14:36 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-06-09 14:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2008-06-09 09:03 --------- d-----w C:\Program Files\Common Files\xing shared
    2008-06-09 09:03 --------- d-----w C:\Program Files\Common Files\Real
    2008-06-08 20:13 --------- d-----w C:\Documents and Settings\ali\Application Data\Yahoo!
    2008-06-08 19:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
    2008-06-07 16:11 --------- d-----w C:\Program Files\Real
    2008-06-07 15:30 --------- d-----w C:\Program Files\Avira
    2008-06-07 15:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
    2008-06-07 14:09 --------- d-----w C:\Program Files\Winamp
    2008-06-07 14:08 --------- d-----w C:\Documents and Settings\jana\Application Data\Winamp
    2008-06-06 22:58 --------- d-----w C:\Documents and Settings\jana\Application Data\Yahoo!
    2008-06-06 22:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
    2008-06-06 20:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-06-06 20:47 --------- d-----w C:\Program Files\Realtek
    2008-06-06 20:46 315,392 ----a-w C:\WINDOWS\HideWin.exe
    2008-06-06 20:46 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-06-06 20:46 --------- d-----w C:\Documents and Settings\jana\Application Data\InstallShield
    2008-06-06 20:45 4,716 ----a-w C:\WINDOWS\gdrv.sys
    2008-06-06 20:42 --------- d-----w C:\Program Files\Intel
    2008-06-06 20:07 --------- d-----w C:\Program Files\microsoft frontpage
    2004-08-08 19:34 535,560 --sh--w C:\WINDOWS\system32\arjreler.dll
    2004-08-08 19:32 1,040 --sh--w C:\WINDOWS\system32\cgsqatyu.sys
    2004-08-08 19:33 16,582 --sh--w C:\WINDOWS\system32\dsdyapaw.exe
    2004-08-08 19:33 536,584 --sh--w C:\WINDOWS\system32\ijdyapaw.dll
    2004-08-08 19:34 1,040 --sh--w C:\WINDOWS\system32\iujraler.sys
    2004-08-08 19:35 16,317 --sh--w C:\WINDOWS\system32\lpmxajkl.exe
    2004-08-08 13:17 536,072 --sh--w C:\WINDOWS\system32\nhmxcjkl.dll
    2004-08-08 19:33 16,421 --sh--w C:\WINDOWS\system32\pusqakol.exe
    2004-08-08 19:33 520 --sh--w C:\WINDOWS\system32\pzdyapaw.sys
    2004-08-08 19:35 520 --sh--w C:\WINDOWS\system32\rnmxajkl.sys
    2004-08-08 07:25 538,632 --sh--w C:\WINDOWS\system32\s2da2f323.dll
    2004-08-08 19:33 520 --sh--w C:\WINDOWS\system32\sbsqakol.sys
    2004-08-08 19:36 520 --sh--w C:\WINDOWS\system32\smdsbsrv.sys
    2004-08-08 19:34 520 --sh--w C:\WINDOWS\system32\snfybbyt.sys
    2004-08-08 19:33 535,560 --sh--w C:\WINDOWS\system32\tysqbkol.dll
    2004-08-08 07:24 1,040 --sh--w C:\WINDOWS\system32\xsdjbbmp.sys
    2004-08-08 21:25 536,584 --sh--w C:\WINDOWS\system32\yzztkmsn.dll
    2004-08-08 07:24 16,667 --sh--w C:\WINDOWS\system32\zsdjabmp.exe
    .
    ((((((((((((((((((((((((((((( snapshot_Mon 06-23-2008_23.54.04.34 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-06-23 20:51:18 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-24 09:02:22 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2005-10-20 09:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\2008-06-24\ERDNT.EXE
    + 2008-06-24 08:18:21 2,195,456 ----a-w C:\WINDOWS\erdnt\AutoBackup\2008-06-24\Users\00000001\NTUSER.DAT
    + 2008-06-24 08:18:21 32,768 ----a-w C:\WINDOWS\erdnt\AutoBackup\2008-06-24\Users\00000002\UsrClass.dat
    + 2005-10-20 09:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\24-06-2008\ERDNT.EXE
    + 2008-06-24 08:12:49 2,195,456 ----a-w C:\WINDOWS\erdnt\AutoBackup\24-06-2008\Users\00000001\NTUSER.DAT
    + 2008-06-24 08:12:50 32,768 ----a-w C:\WINDOWS\erdnt\AutoBackup\24-06-2008\Users\00000002\UsrClass.dat
    - 2008-06-23 20:51:20 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2008-06-24 09:02:23 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2008-06-23 20:51:20 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-06-24 09:02:23 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2008-06-23 20:51:20 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-06-24 09:02:23 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-06-24 08:14:07 28,672 ----a-w C:\WINDOWS\system32\wpuplder.dll
    + 2008-06-24 08:14:07 11,776 ----a-w C:\WINDOWS\system32\wpuplderk.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1A698452-C5D8-C584-C256-C264C987C5A1}]
    08/08/2004 10:33 PM 536584 ---hs---- C:\WINDOWS\System32\ijdyapaw.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D098345-6785-1098-5413-678067AE03D5}]
    08/08/2004 10:33 PM 535560 ---hs---- C:\WINDOWS\System32\tysqbkol.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C69034A-F45F-D34D-A33A-C33C4D324FC7}]
    08/08/2004 10:34 PM 535560 ---hs---- C:\WINDOWS\System32\arjreler.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{97421D0D-E07F-40DF-8F07-99597B9585AD}]
    06/21/2008 10:27 AM 45056 --a------ C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A629FF4F-ACDB-5C90-A098-FACB3456A26A}]
    08/08/2004 10:25 AM 538632 ---hs---- C:\WINDOWS\System32\s2da2f323.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B490415F-65F8-B5C5-D8BA-9405FB12054B}]
    08/09/2004 12:25 AM 536584 ---hs---- C:\WINDOWS\System32\yzztkmsn.dll
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 05:43 PM 4670704]
    "ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [08/29/2002 03:00 PM 13312]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [06/09/2008 12:02 PM 185896]
    C:\Documents and Settings\ali\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{B490415F-65F8-B5C5-D8BA-9405FB12054B}"= C:\WINDOWS\System32\yzztkmsn.dll [08/09/2004 12:25 AM 536584]
    "{81AF1CF6-D1C9-4C6A-AC01-EDE54E71945B}"= C:\WINDOWS\System32\jfdses.dll [06/23/2008 10:33 PM 218624]
    "{A629FF4F-ACDB-5C90-A098-FACB3456A26A}"= C:\WINDOWS\System32\s2da2f323.dll [08/08/2004 10:25 AM 538632]
    "{1A698452-C5D8-C584-C256-C264C987C5A1}"= C:\WINDOWS\System32\ijdyapaw.dll [08/08/2004 10:33 PM 536584]
    "{5D098345-6785-1098-5413-678067AE03D5}"= C:\WINDOWS\System32\tysqbkol.dll [08/08/2004 10:33 PM 535560]
    "{7C69034A-F45F-D34D-A33A-C33C4D324FC7}"= C:\WINDOWS\System32\arjreler.dll [08/08/2004 10:34 PM 535560]
    "{00180018-0018-0018-0018-00180018BB15}"= C:\WINDOWS\System32\mstimewd.dll [06/23/2001 10:36 PM 1059476]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "JavaView"= {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll [ ]
    "ThunderAdvise"= {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll [06/21/2008 10:27 AM 45056]
    "mstimewd"= {00180018-0018-0018-0018-00180018BB15} - C:\WINDOWS\System32\mstimewd.dll [06/23/2001 10:36 PM 1059476]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.YV12"= yv12vfw.dll
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
    R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys [07/18/2007 02:22 PM]
    R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys [08/09/2007 01:04 PM]
    R2 NwSapAgent;SAP Agent;C:\WINDOWS\System32\svchost.exe [08/29/2002 03:00 PM]
    S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [06/06/2008 11:45 PM]
    S3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\System32\DRIVERS\loop.sys [08/17/2001 01:53 PM]
    .
    **************************************************************************
    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-24 12:02:47
    Windows 5.1.2600 Service Pack 1 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...

    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP.NEW 516 bytes
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP.NEW 2552 bytes
    scan completed successfully
    hidden files: 2
    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\WgaTray.exe
    C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
    .
    **************************************************************************
    .
    Completion time: 06/24/2008 12:05:08 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-06-24 09:05:05
    ComboFix2.txt 2008-06-24 08:20:49
    ComboFix3.txt 2008-06-23 20:54:16
    ComboFix4.txt 2008-06-20 18:59:09
    ComboFix5.txt 2008-06-20 09:58:04
    Pre-Run: 8,779,104,256 bytes free
    Post-Run: 8,773,029,888 bytes free
    201 --- E O F --- 2008-06-16 16:58:27
     
  5. 2008/06/24
    snow rose

    snow rose Inactive Thread Starter

    Joined:
    2008/03/12
    Messages:
    33
    Likes Received:
    0
    And this is the HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:11:35, on 24/06/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\WgaTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.masrawy.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
    O2 - BHO: ijdyapaw.dll - {1A698452-C5D8-C584-C256-C264C987C5A1} - C:\WINDOWS\System32\ijdyapaw.dll
    O2 - BHO: tysqbkol.dll - {5D098345-6785-1098-5413-678067AE03D5} - C:\WINDOWS\System32\tysqbkol.dll
    O2 - BHO: arjreler.dll - {7C69034A-F45F-D34D-A33A-C33C4D324FC7} - C:\WINDOWS\System32\arjreler.dll
    O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
    O2 - BHO: s2da2f323.dll - {A629FF4F-ACDB-5C90-A098-FACB3456A26A} - C:\WINDOWS\System32\s2da2f323.dll
    O2 - BHO: yzztkmsn.dll - {B490415F-65F8-B5C5-D8BA-9405FB12054B} - C:\WINDOWS\System32\yzztkmsn.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{45E890EC-2E69-4BB8-9096-657E7C13A6B2}: NameServer = 66.11.234.90,66.11.234.91
    O20 - AppInit_DLLs: yzztkmsn.dll,arjreler.dll
    O21 - SSODL: JavaView - {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll (file missing)
    O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
    O21 - SSODL: mstimewd - {00180018-0018-0018-0018-00180018BB15} - C:\WINDOWS\System32\mstimewd.dll
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    --
    End of file - 3615 bytes
     
  6. 2008/06/24
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi snow rose
    This just does not want to be killed. :(

    I see there are 2 user accounts on the machine. Can you tell me which one you are logging into, and who the other user is?
    ali
    jana

    Let's try this again.


    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    File::
    C:\WINDOWS\AppPatch\AcSpecf.dll
    C:\WINDOWS\system32\drivers\eth8023.sys
    C:\WINDOWS\AppPatch\AcPlugin.dll
    C:\WINDOWS\system32\arjreler.dll
    C:\WINDOWS\system32\cgsqatyu.sys
    C:\WINDOWS\system32\dsdyapaw.exe
    C:\WINDOWS\system32\ijdyapaw.dll
    C:\WINDOWS\system32\iujraler.sys
    C:\WINDOWS\system32\lpmxajkl.exe
    C:\WINDOWS\system32\nhmxcjkl.dll
    C:\WINDOWS\system32\pusqakol.exe
    C:\WINDOWS\system32\pzdyapaw.sys
    C:\WINDOWS\system32\rnmxajkl.sys
    C:\WINDOWS\system32\s2da2f323.dll
    C:\WINDOWS\system32\sbsqakol.sys
    C:\WINDOWS\system32\smdsbsrv.sys
    C:\WINDOWS\system32\snfybbyt.sys
    C:\WINDOWS\system32\tysqbkol.dll
    C:\WINDOWS\system32\xsdjbbmp.sys
    C:\WINDOWS\system32\yzztkmsn.dll
    C:\WINDOWS\system32\zsdjabmp.exe
    C:\WINDOWS\system32\wpuplder.dll
    C:\WINDOWS\system32\wpuplderk.exe
    C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
    C:\WINDOWS\System32\mstimewd.dll
    
    Folder::
    C:\Program Files\TryMedia
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1A698452-C5D8-C584-C256-C264C987C5A1}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D098345-6785-1098-5413-678067AE03D5}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C69034A-F45F-D34D-A33A-C33C4D324FC7}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{97421D0D-E07F-40DF-8F07-99597B9585AD}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A629FF4F-ACDB-5C90-A098-FACB3456A26A}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B490415F-65F8-B5C5-D8BA-9405FB12054B}]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{B490415F-65F8-B5C5-D8BA-9405FB12054B}"=-
    "{81AF1CF6-D1C9-4C6A-AC01-EDE54E71945B}"=-
    "{A629FF4F-ACDB-5C90-A098-FACB3456A26A}"=-
    "{1A698452-C5D8-C584-C256-C264C987C5A1}"=-
    "{5D098345-6785-1098-5413-678067AE03D5}"=-
    "{7C69034A-F45F-D34D-A33A-C33C4D324FC7}"=-
    "{00180018-0018-0018-0018-00180018BB15}"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "JavaView"=-
    "ThunderAdvise"=-
    "mstimewd"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""

    Please post the CF log and an uninstall list; here's how.

    To get an Uninstall List from HijackThis:
    • Open HijackThis, click Config, click Misc Tools
    • Click "Open Uninstall Manager"
    • Click "Save List" (generates uninstall_list.txt)
    • Click Save, copy and paste the results in your next post.

    Thanks
    Geri
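Added example, written for this thread and not code from any poster, from ComboFix or from HijackThis: it shows the cross-referencing Geri did by hand to build the CFScript above, and the Notepad "ANSI" encoding question from earlier in the thread. It parses ComboFix Find3M lines and HijackThis O2/O20/O21 lines (the sample input is constructed from the logs posted above), flags executables under system32 whose attribute field carries both the system and hidden flags, keeps only the autostart registrations that load those files, drafts the File:: and Registry:: sections in the same shape as Geri's script, and encodes the result as Notepad's ANSI option would (system code page, CRLF, no BOM). The hidden+system heuristic, the function names and the cp1252 default are my assumptions, not anything the thread states.

```python
"""Added triage helper for this thread (not ComboFix, HijackThis or any poster's
code): cross-reference a ComboFix Find3M listing with HijackThis autostart lines
and draft the File:: / Registry:: sections of a CFScript.txt."""
import re

# Constructed sample input: lines copied from the ComboFix Find3M report above.
FIND3M_SAMPLE = r"""
2008-06-23 20:48 9,728 ----a-w C:\WINDOWS\AppPatch\AcSpecf.dll
2008-06-10 16:02 15,864 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-06-06 20:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2004-08-08 19:34 535,560 --sh--w C:\WINDOWS\system32\arjreler.dll
2004-08-08 19:33 536,584 --sh--w C:\WINDOWS\system32\ijdyapaw.dll
2004-08-08 19:34 1,040 --sh--w C:\WINDOWS\system32\iujraler.sys
2004-08-08 21:25 536,584 --sh--w C:\WINDOWS\system32\yzztkmsn.dll
"""

# Constructed sample input: lines copied from the HijackThis log above.
HJT_SAMPLE = r"""
O2 - BHO: ijdyapaw.dll - {1A698452-C5D8-C584-C256-C264C987C5A1} - C:\WINDOWS\System32\ijdyapaw.dll
O2 - BHO: arjreler.dll - {7C69034A-F45F-D34D-A33A-C33C4D324FC7} - C:\WINDOWS\System32\arjreler.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O20 - AppInit_DLLs: yzztkmsn.dll,arjreler.dll
O21 - SSODL: mstimewd - {00180018-0018-0018-0018-00180018BB15} - C:\WINDOWS\System32\mstimewd.dll
"""

# Find3M row: date time size attrs path; directories show "---------" as the size.
FIND3M_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\S+) (\S{7}) (.+)$")
# O2 (BHO) and O21 (SSODL) rows carry a CLSID and the DLL path.
HJT_CLSID_RE = re.compile(r"^(O2|O21) - (?:BHO|SSODL): (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
HJT_APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (.+)$")

# Registry key shapes exactly as used in the CFScript posted in this thread.
BHO_KEY = r"[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\%s]"
SSODL_KEY = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]"
APPINIT_KEY = r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]"


def basename(path):
    """Lower-cased file name of a Windows path; HijackThis' '(file missing)' suffix is dropped."""
    return path.replace(" (file missing)", "").rsplit("\\", 1)[-1].strip().lower()


def parse_find3m(text):
    """Return [(path, size_or_None, attrs)] for each Find3M line."""
    rows = []
    for line in text.strip().splitlines():
        m = FIND3M_RE.match(line.strip())
        if m:
            size = None if m.group(3).startswith("-") else int(m.group(3).replace(",", ""))
            rows.append((m.group(5), size, m.group(4)))
    return rows


def suspicious_files(rows):
    """Heuristic (an assumption of this example, not a ComboFix rule): executables
    under system32 whose attribute field carries both 's' (system) and 'h' (hidden)."""
    hits = []
    for path, size, attrs in rows:
        if size is None or not path.lower().endswith((".dll", ".exe", ".sys")):
            continue  # directories and non-executables are not candidates
        if "\\system32\\" in path.lower() and "s" in attrs and "h" in attrs:
            hits.append(path)
    return hits


def parse_hjt(text):
    """Return the registrations that load a DLL: O2 BHOs, O20 AppInit_DLLs, O21 SSODL."""
    entries = []
    for line in text.strip().splitlines():
        line = line.strip()
        m = HJT_CLSID_RE.match(line)
        if m:
            kind, name, clsid, path = m.groups()
            entries.append({"kind": kind, "name": name, "clsid": clsid, "dll": basename(path)})
            continue
        m = HJT_APPINIT_RE.match(line)
        if m:
            for dll in m.group(1).split(","):
                entries.append({"kind": "O20", "name": "AppInit_DLLs", "clsid": None, "dll": dll.strip().lower()})
    return entries


def build_cfscript(find3m_text, hjt_text):
    """Draft a CFScript: the flagged files plus only the registrations that load them."""
    files = suspicious_files(parse_find3m(find3m_text))
    names = {basename(p) for p in files}
    entries = parse_hjt(hjt_text)
    lines = ["File::"] + files + ["", "Registry::"]
    for e in entries:
        if e["kind"] == "O2" and e["dll"] in names:
            lines.append(BHO_KEY % e["clsid"])
    ssodl = [e for e in entries if e["kind"] == "O21" and e["dll"] in names]
    if ssodl:
        lines.append(SSODL_KEY)
        lines += ['"%s"=-' % e["name"] for e in ssodl]
    appinit = [e["dll"] for e in entries if e["kind"] == "O20"]
    if any(d in names for d in appinit):
        # Rewrite AppInit_DLLs keeping any entry that was not flagged, instead of blanking it.
        lines.append(APPINIT_KEY)
        lines.append('"AppInit_DLLs"="%s"' % ",".join(d for d in appinit if d not in names))
    return "\n".join(lines) + "\n"


def cfscript_bytes(text, codepage="cp1252"):
    """Bytes as Notepad's 'ANSI' choice writes them: system code page, CRLF, no BOM.
    cp1252 is an assumption; pass the machine's own ANSI code page if it differs."""
    return text.replace("\r\n", "\n").replace("\n", "\r\n").encode(codepage)


if __name__ == "__main__":
    print(build_cfscript(FIND3M_SAMPLE, HJT_SAMPLE))
```

On the sample, the draft lists the four hidden+system files, the two BHO keys whose DLLs are among them, and an emptied AppInit_DLLs value (both names in it were flagged; an unflagged name would have been kept). It does not produce the SSODL or ThunderAdvise entries that Geri's script removes, because the Find3M sample carries no attribute evidence for mstimewd.dll or ThunderAdvise.dll; those came from the analyst reading the rest of the log, which is why a draft like this is reviewed against the full ComboFix and HijackThis output before it is saved as CFScript.txt. On the encoding question: "ANSI" in Notepad means the system code page, and the ComboFix header above records 1256 (the Arabic Windows code page) for this machine; for a script containing only ASCII paths and CLSIDs the bytes are identical under cp1252 and cp1256, and what matters is that no UTF-8 or UTF-16 byte-order mark is written ahead of "File::".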
     
