Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Crazy Chinese Virus Won't Die [CLOSED]


  • This topic is locked This topic is locked

#1
marksmith

marksmith

    New Member

  • Member
  • Pip
  • 2 posts
I need help getting rid of a virus on my cousin's computer. I read another thread on this board while researching the problem, but I am completely unfamiliar with HiJack This and the other tools you guys use. Personally, I don't go onto questionable websites and don't use P2P software, so for me a "thorough" cleaning just involves booting into safemode and running a virus scan/spy sweeper. I did this multiple times and this "Cinmus" virus just absolutely will not go away.

If you guys could, I would appreciate walking me through the steps to removal of this.

Currently, the computer is usable thanks to my cleaning, but over and over again AVG's shield and Spyware Terminator tell me that services.exe is trying to register msacpe.sys and msaclue.sys and it lets me "heal" it or "move it to the vault", but then it just pops back up every few seconds.

Any help would be greatly(!) appreciated.

Thanks
  • 0

Advertisements


#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#3
marksmith

marksmith

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
++++++++++++++++++++++++++++++++++++++++++++++ComboFix 08-02.01.6 - Owner 2008-02-01 13:03:14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.450 [GMT -6:00]Running from: c:\documents and settings\owner\desktop\combofix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
The following files were disabled during the run:
C:\WINDOWS\System32\uohsom.dll
C:\WINDOWS\System32\ijougiemnaw.dll
C:\WINDOWS\System32\niluw.dll
C:\WINDOWS\System32\naixuhz.dll
C:\WINDOWS\System32\iqnauhc.dll
C:\WINDOWS\System32\xhqq.dll
C:\WINDOWS\System32\hjxr.dll
C:\WINDOWS\System32\gnaixnauhqq.dll
C:\WINDOWS\System32\naijihzeuyouhz.dll
C:\WINDOWS\System32\msfdfr.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\kzabqk41.sys
C:\Documents and Settings\All Users\Application Data\microsoft\office\system
C:\Documents and Settings\All Users\Application Data\microsoft\office\userdata
C:\Documents and Settings\All Users\Application Data\microsoft\pctools
C:\Documents and Settings\Owner\Favorites\4bb6~1.lnk
C:\Documents and Settings\Owner\Favorites\7BFA~1.URL
C:\Program Files\ad4all
C:\Program Files\ad4all\Install.exe
C:\Program Files\ad4all\install.ini
C:\Program Files\ad4all\link1\eachlink.htm
C:\Program Files\ad4all\link1\eachlink.ico
C:\Program Files\ad4all\link1\ebaylink.ico
C:\Program Files\ad4all\link1\install.ini
C:\Program Files\ad4all\link1\Thumbs.db
C:\Program Files\Internet Explorer\IEXPLORE32.jmp
C:\Program Files\Internet Explorer\IEXPLORE32.Sys
C:\Program Files\Internet Explorer\PLUGINS\Sy_Win7k.Jmp
C:\Program Files\internet explorer\plugins\wn_sys8x.sys
C:\Program Files\winantispyware 2006 scanner
C:\RECYCLER\hpothb07.dat
C:\WINDOWS\14410a2d39.dll
C:\WINDOWS\40087.exe
C:\WINDOWS\4a1.bmp
C:\WINDOWS\ABNQDLKTRIGS.DLL
C:\WINDOWS\alexaie.dll
C:\WINDOWS\alxie328.dll
C:\WINDOWS\alxtb1.dll
C:\WINDOWS\arun.reg
C:\WINDOWS\AZBUD.DLL
C:\WINDOWS\banbwvok.dll
C:\WINDOWS\Downloaded Program Files.\ieodob.dll
C:\WINDOWS\Downloaded Program Files.\mszilgb2.dll
C:\WINDOWS\Downloaded Program Files\UWAS6_0001_N68M2301NetInstaller.exe
C:\WINDOWS\FLHKOUO.DLL
C:\WINDOWS\fn00321.log
C:\WINDOWS\Fonts\avwghina.dll
C:\WINDOWS\Fonts\avzxlin.dll
C:\WINDOWS\Fonts\enhuafx.fon
C:\WINDOWS\Fonts\enweafx.fon
C:\WINDOWS\Fonts\gjcscssb.dll
C:\WINDOWS\Fonts\gjcsdss.dll
C:\WINDOWS\Fonts\gjcuaxw.fon
C:\WINDOWS\Fonts\gjcubxw.fon
C:\WINDOWS\Fonts\gjfeaxw.fon
C:\WINDOWS\Fonts\gjfhass.dll
C:\WINDOWS\Fonts\kaqhlcsa.dll
C:\WINDOWS\Fonts\kawdicsb.dll
C:\WINDOWS\Fonts\msguasd.fon
C:\WINDOWS\Fonts\mszhasd.fon
C:\WINDOWS\Fonts\swrcfcs.dll
C:\WINDOWS\Fonts\wireafw.fon
C:\WINDOWS\NHZLMNBCNK.DLL
C:\WINDOWS\rising131.exe
C:\WINDOWS\rising146.exe
C:\WINDOWS\rising892.exe
C:\WINDOWS\susp.exe
C:\WINDOWS\system\dvl
C:\WINDOWS\system\lvl
C:\WINDOWS\system32\0_exception.nls
C:\WINDOWS\system32\034.exe
C:\WINDOWS\system32\40d7a5b538.dll
C:\WINDOWS\system32\aad1.dlltmp
C:\WINDOWS\system32\adurl.ini
C:\WINDOWS\system32\bho.dll
C:\WINDOWS\system32\BTFMH.DLL
C:\WINDOWS\system32\d3d1caps.srg
C:\WINDOWS\system32\DAA_DAA_1030.dll
C:\WINDOWS\system32\dailytoolbar.dll
C:\WINDOWS\system32\dnabeser.dat
C:\WINDOWS\system32\dodolook591.exe
C:\WINDOWS\system32\drivers\kzabqk41.sys
C:\WINDOWS\system32\drivers\usbhelp.sys
C:\WINDOWS\system32\drivers\usbshow.sys
C:\WINDOWS\system32\hjiq.dll
C:\WINDOWS\system32\IGB_CQSJ_1024.dll
C:\WINDOWS\system32\inf\svch0st.exe
C:\WINDOWS\system32\inf\svchost.exe
C:\WINDOWS\system32\ini.~tmp
C:\WINDOWS\system32\jao.dll
C:\WINDOWS\system32\key.~tmp
C:\WINDOWS\system32\kr_done1
C:\WINDOWS\system32\kzabqk41.dllmmc.pkm
C:\WINDOWS\system32\mprmsgse.axz
C:\WINDOWS\system32\mscpx32r.det
C:\WINDOWS\system32\mshtmll.dll
C:\WINDOWS\system32\questmod.dll
C:\WINDOWS\system32\setyahoo.ini
C:\WINDOWS\system32\SHAProc.dll
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\thlwin32.dll
C:\WINDOWS\system32\TXZUKRZDYCTALZ.DLL
C:\WINDOWS\system32\usbhelp.exe
C:\WINDOWS\system32\usbshow.dll
C:\WINDOWS\system32\vx.tll
C:\WINDOWS\system32\VXYVGOTNEEK.EXE
C:\WINDOWS\system32\VXYVGOTNEEK.EXE.tmp
C:\WINDOWS\system32\wbem\RGZQQ.MDA
C:\WINDOWS\system32\winsub.xml
C:\windows\system32\YAKXACJWARCBXBA.EXE
C:\WINDOWS\ukfaanrg.dll
C:\WINDOWS\vviepsjc.dll
C:\WINDOWS\wr.txt
D:\Autorun.inf
E:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_KZABQK41
-------\LEGACY_NDISWON
-------\LEGACY_PCIHARDDISK
-------\LEGACY_SYSLOADER
-------\LEGACY_WAMER
-------\LEGACY_YAHOOSVR
-------\kzabqk41
-------\NdisWon
-------\PciHardDisk
-------\sysloader
-------\wamer
-------\YahooSvr


((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.

2008-02-01 13:11 . 2008-02-01 13:11 12,032 --a------ C:\WINDOWS\system32\drivers\msaclue.sys
2008-02-01 12:52 . 2008-02-01 12:52 13,053 --a------ C:\WINDOWS\system32\naijihzeuyouhz.dll.vir
2008-02-01 12:52 . 2008-02-01 12:52 144 ---hs---- C:\WINDOWS\system32\naijihzeuyouhz.cfg
2008-02-01 12:50 . 2008-02-01 12:50 144 ---hs---- C:\WINDOWS\system32\hjiq.cfg
2008-02-01 12:49 . 2008-02-01 12:49 14,720 --a------ C:\WINDOWS\system32\iqnauhc.dll.vir
2008-02-01 12:49 . 2008-02-01 12:49 14,445 --a------ C:\WINDOWS\system32\xhqq.dll.vir
2008-02-01 12:49 . 2008-02-01 12:49 280 ---hs---- C:\WINDOWS\system32\xhqq.cfg
2008-02-01 12:49 . 2008-02-01 12:49 280 ---hs---- C:\WINDOWS\system32\iqnauhc.cfg
2008-02-01 12:48 . 2008-02-01 12:48 19,716 --a------ C:\WINDOWS\system32\hjxr.dll.vir
2008-02-01 12:48 . 2008-02-01 12:48 15,250 --a------ C:\WINDOWS\system32\naixuhz.dll.vir
2008-02-01 12:48 . 2008-02-01 12:48 12,210 --a------ C:\WINDOWS\system32\DAA_DAA_1030.exe
2008-02-01 12:48 . 2008-02-01 12:48 11,828 --a------ C:\WINDOWS\system32\IGB_CQSJ_1024.exe
2008-02-01 12:48 . 2008-02-01 12:52 9,344 --a------ C:\WINDOWS\system32\msepion.sys
2008-02-01 12:48 . 2008-02-01 12:48 144 ---hs---- C:\WINDOWS\system32\naixuhz.cfg
2008-02-01 12:48 . 2008-02-01 12:48 144 ---hs---- C:\WINDOWS\system32\hjxr.cfg
2008-02-01 12:46 . 2008-02-01 12:46 198 --a------ C:\WINDOWS\MicroSoft.vbs
2008-02-01 12:45 . 2008-02-01 12:45 0 --a------ C:\WINDOWS\WCFNWJXACTAHTW.DAT.tmp
2008-02-01 12:21 . 2008-02-01 12:21 31,232 --a------ C:\WINDOWS\system32\dsxwgp.dll
2008-02-01 12:21 . 2008-01-25 13:05 18,274 --a------ C:\WINDOWS\qjgvmc.exe
2008-01-28 14:19 . 2008-01-28 14:19 17,657 --a------ C:\WINDOWS\system32\drivers\92.exe
2008-01-28 14:09 . 2008-01-28 14:09 31,232 --a------ C:\WINDOWS\system32\iktnmy.dll
2008-01-28 14:08 . 2008-01-28 14:08 36,864 --a------ C:\WINDOWS\system32\boanlo.dll
2008-01-28 13:52 . 2008-01-28 13:52 18,272 --a------ C:\WINDOWS\fzsxaw.exe
2008-01-28 13:50 . 2008-01-28 13:50 21,784 --a------ C:\WINDOWS\mfzlgr.exe
2008-01-28 13:49 . 2008-01-28 13:49 34,433 --a------ C:\WINDOWS\system32\drivers\0.exe
2008-01-28 13:48 . 2008-01-28 13:48 13,336 --a------ C:\WINDOWS\system32\drivers\xx.exe
2008-01-28 13:30 . 2008-01-28 13:30 31,232 --a------ C:\WINDOWS\system32\ibehye.dll
2008-01-26 00:49 . 2008-01-25 23:18 20,793 --a------ C:\WINDOWS\yrscaz.exe
2008-01-25 23:19 . 2008-01-25 23:18 20,793 --a------ C:\WINDOWS\ozpxdh.exe
2008-01-25 23:18 . 2008-01-25 23:18 31,232 --a------ C:\WINDOWS\system32\lpolhf.dll
2008-01-25 23:18 . 2008-01-25 23:20 49 --a------ C:\zycj.bat
2008-01-25 23:16 . 2008-01-25 13:10 16,541 --a------ C:\WINDOWS\system32\ijougiemnaw.dll.vir
2008-01-25 23:16 . 2008-01-25 13:10 280 ---hs---- C:\WINDOWS\system32\ijougiemnaw.cfg
2008-01-25 23:15 . 2008-01-25 13:05 9,694 ---hs---- C:\WINDOWS\zfyvoacsv.exe
2008-01-25 23:15 . 2008-01-25 13:05 9,694 ---hs---- C:\WINDOWS\vesclzsl.exe
2008-01-25 23:15 . 2008-02-01 12:20 8,192 --ahs---- C:\WINDOWS\zfyvoacsv.exe.hiv
2008-01-25 23:15 . 2008-02-01 12:20 768 --a------ C:\WINDOWS\szitqell.dat
2008-01-25 23:15 . 2008-01-25 13:04 512 --a------ C:\WINDOWS\nqqleamr.dat
2008-01-25 23:15 . 2008-02-01 12:20 76 --a------ C:\WINDOWS\yeosvhae.dat
2008-01-25 23:14 . 2008-02-01 12:49 14,890 --a------ C:\WINDOWS\system32\niluw.dll.vir
2008-01-25 23:14 . 2008-02-01 12:49 416 ---hs---- C:\WINDOWS\system32\niluw.cfg
2008-01-25 23:13 . 2008-02-01 12:52 17,589 --a------ C:\WINDOWS\system32\uohsom.dll.vir
2008-01-25 23:12 . 2008-02-01 12:52 552 ---hs---- C:\WINDOWS\system32\uohsom.cfg
2008-01-25 15:57 . 2008-01-25 15:57 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-01-25 13:09 . 2008-01-25 13:09 14,384 --a------ C:\WINDOWS\system32\gnaixnauhqq.dll.vir
2008-01-25 13:08 . 2008-01-25 13:08 144 ---hs---- C:\WINDOWS\system32\gnaixnauhqq.cfg
2008-01-25 13:05 . 2008-01-25 13:05 32,653 --a------ C:\WINDOWS\system32\NBNCompress.dll
2008-01-10 00:02 . 2008-02-01 12:45 2,870 --a------ C:\WINDOWS\WCFNWJXACTAHTW.DAT
2008-01-09 23:59 . 2008-02-01 12:48 89 --a------ C:\WINDOWS\system32\YIQGYM.OKC
2008-01-09 23:57 . 2003-04-26 00:37 <DIR> d-------- C:\Documents and Settings\ALL\WINDOWS
2008-01-09 23:57 . 2003-04-28 20:30 <DIR> d-------- C:\Documents and Settings\ALL\Application Data\Symantec
2008-01-09 23:57 . 2003-04-26 01:01 <DIR> d-------- C:\Documents and Settings\ALL\Application Data\SampleView
2008-01-09 23:57 . 2003-04-26 00:32 <DIR> d-------- C:\Documents and Settings\ALL\Application Data\InterTrust
2008-01-09 17:28 . 2008-01-09 17:28 <DIR> d-------- C:\WINDOWS\system32\8427E
2008-01-09 16:42 . 2008-01-25 23:41 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-01-09 16:41 . 2008-01-09 16:41 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-09 16:41 . 2008-01-09 16:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-09 16:41 . 2008-02-01 11:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-08 17:18 . 2008-01-08 17:18 <DIR> d-------- C:\Program Files\Crawler
2008-01-08 17:18 . 2008-02-01 11:50 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Spyware Terminator
2008-01-08 17:18 . 2008-02-01 12:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-01-08 17:18 . 2008-01-08 17:18 8 --a------ C:\WINDOWS\system32\-58-10458-61
2008-01-08 17:17 . 2008-02-01 12:21 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-01-08 17:17 . 2008-01-08 17:17 1,839,104 --a------ C:\WINDOWS\system32\servershow.dll
2008-01-08 17:17 . 2008-01-08 17:17 1,839,104 --a------ C:\WINDOWS\system32\drivers\servershow.sys
2008-01-08 17:17 . 2008-01-08 17:17 374,784 --a------ C:\WINDOWS\system32\serverhelp.exe
2008-01-08 17:17 . 2008-01-08 17:17 374,784 --a------ C:\WINDOWS\system32\drivers\serverhelp.sys
2008-01-08 17:17 . 2008-01-08 17:17 27,136 -r-hs---- C:\WINDOWS\system32\wincheck080121.dll
2008-01-08 17:16 . 2008-01-08 17:16 78 --a------ C:\WINDOWS\system32\zuoyue32.ini
2008-01-08 17:15 . 2008-01-11 15:51 201,216 --a------ C:\WINDOWS\system32\mwiszyys32_080121.dll
2008-01-08 17:15 . 2008-01-08 17:15 25,600 --a------ C:\WINDOWS\system32\lwizysys16_080121.dll
2008-01-08 17:15 . 2008-01-11 15:51 536 --a------ C:\WINDOWS\zuoyue16.ini
2008-01-08 17:03 . 2003-04-26 00:37 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-B79WZ4ROSE.000\WINDOWS
2008-01-08 17:03 . 2003-04-28 20:30 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-B79WZ4ROSE.000\Application Data\Symantec
2008-01-08 17:03 . 2003-04-26 01:01 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-B79WZ4ROSE.000\Application Data\SampleView
2008-01-08 17:03 . 2003-04-26 00:32 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-B79WZ4ROSE.000\Application Data\InterTrust
2008-01-08 16:58 . 2003-04-26 00:37 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-B79WZ4ROSE\WINDOWS
2008-01-01 10:13 . 2003-09-04 18:19 2,360,374 --a------ C:\WINDOWS\Wallpaper_Tutu.bmp
2008-01-01 03:29 . 2008-01-01 03:29 16,384 --a------ C:\WINDOWS\system32\admin1_ver1231.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 18:52 3 ----a-w C:\WINDOWS\system32\drivers\zy.txt
2008-02-01 18:52 3 ----a-w C:\WINDOWS\system32\drivers\wow6.txt
2008-02-01 18:50 3 ----a-w C:\WINDOWS\system32\drivers\qj.txt
2008-02-01 18:49 3 ----a-w C:\WINDOWS\system32\drivers\wl.txt
2008-02-01 18:49 3 ----a-w C:\WINDOWS\system32\drivers\cq.txt
2008-02-01 18:48 3 ----a-w C:\WINDOWS\system32\drivers\zx.txt
2008-02-01 18:48 3 ----a-w C:\WINDOWS\system32\drivers\wm.txt
2008-02-01 18:48 3 ----a-w C:\WINDOWS\system32\drivers\jh.txt
2008-02-01 18:48 3 ----a-w C:\WINDOWS\system32\drivers\hx.txt
2008-02-01 18:48 3 ----a-w C:\WINDOWS\system32\drivers\cs.txt
2008-02-01 18:47 3 ----a-w C:\WINDOWS\system32\drivers\wd.txt
2008-02-01 18:47 3 ----a-w C:\WINDOWS\system32\drivers\tl.txt
2008-02-01 18:47 3 ----a-w C:\WINDOWS\system32\drivers\1.txt
2008-02-01 18:21 21,900 ----a-w C:\WINDOWS\system32\drivers\NYJEKHJXRJ.DAT
2008-01-28 19:52 3 ----a-w C:\WINDOWS\system32\drivers\91.txt
2008-01-28 19:51 3 ----a-w C:\WINDOWS\system32\drivers\8.txt
2008-01-28 19:50 3 ----a-w C:\WINDOWS\system32\drivers\4.txt
2008-01-28 19:49 3 ----a-w C:\WINDOWS\system32\drivers\0.txt
2008-01-28 19:48 3 ----a-w C:\WINDOWS\system32\drivers\xx.txt
2008-01-26 06:39 43,520 ----a-w C:\WINDOWS\RunSetup.exe
2008-01-22 15:31 53,248 ------w C:\WINDOWS\a311.exe
2008-01-08 22:44 0 ----a-w C:\WINDOWS\Fonts\cuy.dl
2008-01-08 22:18 --------- d-----w C:\Program Files\lg_fwupdate
2008-01-01 18:04 --------- d-----w C:\Program Files\Common Files\Real
2008-01-01 18:03 --------- d-----w C:\Program Files\MSN Messenger
2008-01-01 17:55 --------- d-----w C:\Program Files\StormII
2008-01-01 10:58 --------- d-----w C:\Program Files\tublog
2008-01-01 08:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Storm
2007-12-31 22:57 --------- d-----w C:\Documents and Settings\Owner\Application Data\Application Data
2007-12-31 22:46 21,900 ----a-w C:\WINDOWS\system32\drivers\KDZWISUUSMOFXR.DAT
2007-12-31 22:43 21,900 ----a-w C:\WINDOWS\system32\drivers\YSZHFK.DAT
2007-12-31 22:41 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Yahoo!
2007-12-31 22:30 --------- d-----w C:\Program Files\Windows Live
2004-10-01 21:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2004-07-08 16:48 38,447 ----a-w C:\Program Files\ladiesispimpstoo.htm
2003-11-08 22:57 203,061 ----a-w C:\Program Files\AIM+Setup.exe
2003-09-26 21:08 490,608 ----a-w C:\Program Files\ie6setup.exe
2003-09-17 18:27 267,472 ----a-w C:\Program Files\NSSetup.exe
2003-09-14 18:11 488,032 ----a-w C:\Program Files\PopUpStopperFree.exe
2004-06-06 20:13 140,800 --sh--r C:\WINDOWS\system32\msfxdf.exe
2004-06-06 20:13 221,184 --sh--r C:\WINDOWS\system32\msyetr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 18:11 114688]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-09 17:26 579072]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [1987-01-08 17:25 2834432]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-09 16:41 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"zfyvoacsv"= zfyvoacsv.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"mscheck"= rundll32.exe C:\WINDOWS\System32\wincheck080121.dll mymain

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 15:51 192512]
"{98907901-1416-3389-9981-372178569989}"= C:\WINDOWS\System32\kawdizy.dll [ ]
"{1D908534-AD45-920F-AC89-4024FA9D26D1}"= C:\WINDOWS\System32\gjfhayc.dll [ ]
"{3FA10261-B890-F432-A453-69F1023513F3}"= C:\WINDOWS\System32\gjcscyc.dll [ ]
"{778A7521-FA87-34AB-34C2-4893F3AD34C7}"= C:\WINDOWS\System32\swrcfzc.dll [ ]
"{1AD50A6B-2E1B-417F-A1EB-BB539E9EA06E}"= C:\WINDOWS\TEMP\tmp1Bhr.dll [ ]
"{4FA10261-B890-F432-A453-69F1023513F4}"= C:\WINDOWS\Fonts\gjcsdyc.dll [ ]
"{00E8090E-E519-4187-ADF4-B4E313A99947}"= [ ]
"{00B486C4-9758-4887-9755-C8761F5FDE61}"= [ ]
"{a572576d-320f-46a8-9d3c-98d96b319d64}"= C:\WINDOWS\System32\IGB_CQSJ_1024.dll [ ]
"{e000c9e2-1517-4970-be28-e103bda7d3dd}"= C:\WINDOWS\System32\DAA_DAA_1030.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=utgnehz.dll,nauhgnem.dll,auhad.dll,nuygnef.dll,uohsom.dll,uyom.dll,gnolnai
t.dll,ijiq.dll,ijougiemnaw.dll,iemnaw.dll,niluw.dll,naixuhz.dll,xhtd.dll,oadgnohi
ac.dll,iqnauhc.dll,nahzij.dll,gnefnaib.dll,gsqq.dll,3auhad.dll,naijoad.dll,aixauh
.dll,xhqq.dll,QQ.dll,hjxr.dll,zqhs.dll,oadnew.dll,dgzg.dll,hz.dll,2ty.dll,jsfg.dl
l,rj.dll,fmxh.dll,jmx.dll,wtwx.dll,ddtj.dll,fz.dll,gnaixnauhuoyizqq.dll,gnaixnauh
qq.dll,2nauygniqaixnaij.dll,naijihzeuyouhz.dll,uyomielnux.dll,vlihzouhgnfe.dll,sf
hx.dll,eve.dll,jsqc.dll,wtiemnaw.dll,dqncj.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator.YOUR-B79WZ4ROSE.000^Start Menu^Programs^Startup^mod_sm.lnk]
path=C:\Documents and Settings\Administrator.YOUR-B79WZ4ROSE.000\Start Menu\Programs\Startup\mod_sm.lnk
backup=C:\WINDOWS\pss\mod_sm.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2004-04-27 16:18 61440 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2003-04-03 21:35 50176 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DbgHlp32]
C:\WINDOWS\DbgHlp32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-04-08 12:45 212992 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
-ra------ 2002-12-17 11:40 49152 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2003-05-06 23:56 188416 C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
-ra------ 2003-05-22 06:55 483328 C:\WINDOWS\System32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
-ra------ 2003-05-22 07:03 49152 C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 17:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--------- 2005-07-08 08:25 1397760 C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 09:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU]
--a------ 2005-04-12 10:11 229376 C:\Program Files\lg_fwupdate\fwupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2002-08-20 23:08 1511453 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsPrint32D]
C:\WINDOWS\bzceje.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVDispDrv]
C:\WINDOWS\NVDispDRV.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 18:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2002-09-13 22:42 212992 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray]
--a------ 2007-09-20 08:23 132624 C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSLDyn]
C:\WINDOWS\SSLDyn.exE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-04-13 03:48 36975 C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TUTU]
--a------ 2007-10-22 22:29 503880 C:\Program Files\tublog\tublog.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMedia32]
--a------ 2007-01-08 17:19 29180 C:\WINDOWS\system32\wmedia32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

R0 i7lj79;i7lj7;C:\WINDOWS\System32\DRIVERS\i7lj79.sys [2002-08-29 06:00]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\System32\drivers\sp_rsdrv2.sys [2008-01-25 15:57]
R2 bdod4zr;bdod4zr;C:\WINDOWS\System32\drivers\bdod4zr.sys [2002-08-29 06:00]
R2 msfdef;IE Security Service;C:\WINDOWS\System32\msfxdf.exe [2004-06-06 14:13]
R2 msskye;msskye;C:\WINDOWS\System32\DRIVERS\msaclue.sys [2008-02-01 13:11]
R2 VLRGLUFCWO;WLZZZEKZGQJ;C:\WINDOWS\system32\svchost.exe [2002-08-29 06:00]
S2 B3A08860;B3A08860;C:\WINDOWS\System32\EDE3F2F0.EXE []
S2 LFXLBLWSSLZSJRD;LESCZFLVZZDT;C:\WINDOWS\system32\svchost.exe [2002-08-29 06:00]
S2 mseqsy;mseqsy;C:\WINDOWS\System32\DRIVERS\msacpe.sys []
S2 Serviceserverhelp;Serviceserverhelp;C:\WINDOWS\System32\serverplay.exe []
S3 DJ;DJ;C:\DOCUME~1\Owner\LOCALS~1\Temp\tmp263A.tmp []
S3 HnXa;HnXa;C:\WINDOWS\TEMP\tmp2F.tmp []
S3 WL;WL;C:\WINDOWS\TEMP\tmp20.tmp []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
SBYZZTEHNDHFBIL REG_MULTI_SZ LFXLBLWSSLZSJRD
FCLLTHECHMRUHKE REG_MULTI_SZ VLRGLUFCWO

.
Contents of the 'Scheduled Tasks' folder
"2007-12-25 23:31:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2006-08-21 02:52:57 C:\WINDOWS\Tasks\easy Internet sign-up.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
"2007-12-20 23:36:00 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#7600#MY355122XD7I.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe$/#Hewlett-Packard#7600#MY355122XD7I
"2008-02-01 19:14:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-01 13:12:10
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\vviepsjc.dll 6269 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\uohsom.dll
-> C:\WINDOWS\System32\ijougiemnaw.dll
-> C:\WINDOWS\System32\niluw.dll
-> C:\WINDOWS\System32\naixuhz.dll
-> C:\WINDOWS\System32\iqnauhc.dll
-> C:\WINDOWS\System32\xhqq.dll
-> C:\WINDOWS\System32\hjxr.dll
-> C:\WINDOWS\System32\gnaixnauhqq.dll
-> C:\WINDOWS\System32\naijihzeuyouhz.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.1106]
-> C:\WINDOWS\system32\uohsom.dll
-> C:\WINDOWS\system32\ijougiemnaw.dll
-> C:\WINDOWS\system32\niluw.dll
-> C:\WINDOWS\system32\naixuhz.dll
-> C:\WINDOWS\system32\iqnauhc.dll
-> C:\WINDOWS\system32\xhqq.dll
-> C:\WINDOWS\system32\hjxr.dll
-> C:\WINDOWS\system32\gnaixnauhqq.dll
-> C:\WINDOWS\system32\naijihzeuyouhz.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2800.1106]
-> C:\WINDOWS\System32\uohsom.dll
-> C:\WINDOWS\System32\ijougiemnaw.dll
-> C:\WINDOWS\System32\niluw.dll
-> C:\WINDOWS\System32\naixuhz.dll
-> C:\WINDOWS\System32\iqnauhc.dll
-> C:\WINDOWS\System32\xhqq.dll
-> C:\WINDOWS\System32\hjxr.dll
-> C:\WINDOWS\System32\gnaixnauhqq.dll
-> C:\WINDOWS\System32\naijihzeuyouhz.dll
-> C:\WINDOWS\system32\53age0l.dll
-> C:\WINDOWS\vviepsjc.dll
-> C:\WINDOWS\banbwvok.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\msfxdf.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-02-01 13:17:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-01 19:16:50


----------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:22:28 PM, on 2/1/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\msfxdf.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8.hpwis.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll (file missing)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Policies\Explorer\Run: [zfyvoacsv] zfyvoacsv.exe
O4 - HKCU\..\Policies\Explorer\Run: [mscheck] rundll32.exe C:\WINDOWS\System32\wincheck080121.dll mymain
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {56A7DC70-E102-4408-A34A-AE06FEF01586} - http://iebar.t2t2.com/iebar.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp...oads/msxml4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{45F790B3-2226-440E-9ED9-B6DCB6888BDF}: NameServer = 68.94.156.1 68.94.157.1
O20 - AppInit_DLLs: utgnehz.dll,nauhgnem.dll,auhad.dll,nuygnef.dll,uohsom.dll,uyom.dll,gnolnait.dll,
ijiq.dll,ijougiemnaw.dll,iemnaw.dll,niluw.dll,naixuhz.dll,xhtd.dll,oadgnohiac.dll
,iqnauhc.dll,nahzij.dll,gnefnaib.dll,gsqq.dll,3auhad.dll,naijoad.dll,aixauh.dll,x
hqq.dll,QQ.dll,hjxr.dll,zqhs.dll,oadnew.dll,dgzg.dll,hz.dll,2ty.dll,jsfg.dll,rj.d
ll,fmxh.dll,jmx.dll,wtwx.dll,ddtj.dll,fz.dll,gnaixnauhuoyizqq.dll,gnaixnauhqq.dll
,2nauygniqaixnaij.dll,naijihzeuyouhz.dll,uyomielnux.dll,vlihzouhgnfe.dll,sfhx.dll
,eve.dll,jsqc.dll,wtiemnaw.dll,dqncj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: B3A08860 - Unknown owner - C:\WINDOWS\System32\EDE3F2F0.EXE (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: IE Security Service (msfdef) - Unknown owner - C:\WINDOWS\System32\msfxdf.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Serviceserverhelp - Unknown owner - C:\WINDOWS\System32\serverplay.exe (file missing)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 6727 bytes
  • 0

#4
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\WINDOWS\system32\drivers\msaclue.sys
C:\WINDOWS\system32\naijihzeuyouhz.dll.vir
C:\WINDOWS\system32\naijihzeuyouhz.cfg
C:\WINDOWS\system32\hjiq.cfg
C:\WINDOWS\system32\iqnauhc.dll.vir
C:\WINDOWS\system32\xhqq.dll.vir
C:\WINDOWS\system32\xhqq.cfg
C:\WINDOWS\system32\iqnauhc.cfg
C:\WINDOWS\system32\hjxr.dll.vir
C:\WINDOWS\system32\naixuhz.dll.vir
C:\WINDOWS\system32\DAA_DAA_1030.exe
C:\WINDOWS\system32\IGB_CQSJ_1024.exe
C:\WINDOWS\system32\msepion.sys
C:\WINDOWS\system32\naixuhz.cfg
C:\WINDOWS\system32\hjxr.cfg
C:\WINDOWS\MicroSoft.vbs
C:\WINDOWS\WCFNWJXACTAHTW.DAT.tmp
C:\WINDOWS\system32\dsxwgp.dll
C:\WINDOWS\qjgvmc.exe
C:\WINDOWS\system32\drivers\92.exe
C:\WINDOWS\system32\iktnmy.dll
C:\WINDOWS\system32\boanlo.dll
C:\WINDOWS\fzsxaw.exe
C:\WINDOWS\mfzlgr.exe
C:\WINDOWS\system32\drivers\0.exe
C:\WINDOWS\system32\drivers\xx.exe
C:\WINDOWS\system32\ibehye.dll
C:\WINDOWS\yrscaz.exe
C:\WINDOWS\ozpxdh.exe
C:\WINDOWS\system32\lpolhf.dll
C:\zycj.bat
C:\WINDOWS\system32\ijougiemnaw.dll.vir
C:\WINDOWS\system32\ijougiemnaw.cfg
C:\WINDOWS\zfyvoacsv.exe
C:\WINDOWS\vesclzsl.exe
C:\WINDOWS\zfyvoacsv.exe.hiv
C:\WINDOWS\szitqell.dat
C:\WINDOWS\nqqleamr.dat
C:\WINDOWS\yeosvhae.dat
C:\WINDOWS\system32\niluw.dll.vir
C:\WINDOWS\system32\niluw.cfg
C:\WINDOWS\system32\uohsom.dll.vir
C:\WINDOWS\system32\uohsom.cfg
C:\WINDOWS\system32\gnaixnauhqq.dll.vir
C:\WINDOWS\system32\gnaixnauhqq.cfg
C:\WINDOWS\system32\NBNCompress.dll
C:\WINDOWS\WCFNWJXACTAHTW.DAT
C:\WINDOWS\system32\YIQGYM.OKC
C:\WINDOWS\system32\servershow.dll
C:\WINDOWS\system32\drivers\servershow.sys
C:\WINDOWS\system32\serverhelp.exe
C:\WINDOWS\system32\drivers\serverhelp.sys
C:\WINDOWS\system32\wincheck080121.dll
C:\WINDOWS\system32\zuoyue32.ini
C:\WINDOWS\system32\mwiszyys32_080121.dll
C:\WINDOWS\system32\lwizysys16_080121.dll
C:\WINDOWS\zuoyue16.ini
C:\WINDOWS\system32\-58-10458-61
C:\WINDOWS\system32\admin1_ver1231.exe
C:\WINDOWS\system32\drivers\zy.txt
C:\WINDOWS\system32\drivers\wow6.txt
C:\WINDOWS\system32\drivers\qj.txt
C:\WINDOWS\system32\drivers\wl.txt
C:\WINDOWS\system32\drivers\cq.txt
C:\WINDOWS\system32\drivers\zx.txt
C:\WINDOWS\system32\drivers\wm.txt
C:\WINDOWS\system32\drivers\jh.txt
C:\WINDOWS\system32\drivers\hx.txt
C:\WINDOWS\system32\drivers\cs.txt
C:\WINDOWS\system32\drivers\wd.txt
C:\WINDOWS\system32\drivers\tl.txt
C:\WINDOWS\system32\drivers\1.txt
C:\WINDOWS\system32\drivers\NYJEKHJXRJ.DAT
C:\WINDOWS\system32\drivers\91.txt
C:\WINDOWS\system32\drivers\8.txt
C:\WINDOWS\system32\drivers\4.txt
C:\WINDOWS\system32\drivers\0.txt
C:\WINDOWS\system32\drivers\xx.txt
C:\WINDOWS\RunSetup.exe
C:\WINDOWS\a311.exe
C:\WINDOWS\system32\drivers\KDZWISUUSMOFXR.DAT
C:\WINDOWS\system32\drivers\YSZHFK.DAT
C:\WINDOWS\system32\msfxdf.exe
C:\WINDOWS\system32\msyetr.dll
C:\WINDOWS\System32\wincheck080121.dll
C:\WINDOWS\DbgHlp32.exe
C:\WINDOWS\bzceje.exe
C:\WINDOWS\SSLDyn.exE
C:\WINDOWS\system32\wmedia32.exe
C:\WINDOWS\System32\DRIVERS\i7lj79.sys
C:\WINDOWS\System32\drivers\bdod4zr.sys
C:\WINDOWS\System32\msfxdf.exe
C:\WINDOWS\System32\DRIVERS\msaclue.sys

Dirlook::
C:\WINDOWS\system32\8427E

Driver::
i7lj79
bdod4zr
msfdef
msskye
B3A08860
mseqsy
Serviceserverhelp
DJ
HnXa
WL


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

  • 0

#5
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP