Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Computer is very slow. [CLOSED]

Started by nurdin , Jun 23 2008 02:24 PM

  • This topic is locked This topic is locked

#1
nurdin
Posted 23 June 2008 - 02:24 PM

nurdin

    New Member

  • Member
  • Pip
  • 6 posts
My computer has been functioning very weird these past few months. My wallpaper image has been changed an blue color with the text "warning! spyware detected on your computer install an antivirus or spyware remover to clean your computer". Please help! my firefox has been freezing as of late and extra IEXPLORER.exe's have been opening by themselves causing my internet to freeze as well.

log is right here:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:17:48 PM, on 6/23/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.soomaalinews.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7603F10D-A48F-4CD7-8BB4-C466BCDD877f} - C:\WINDOWS\System32\rrjlhlpq.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: RHSI Toolbar - {4DF5B116-4FD9-4039-B377-1130953A980F} - C:\Program Files\Rogers Hi-Speed Internet\RHSI Toolbar\ToolBand.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\System32\ctfmona.exe
O4 - HKLM\..\Run: [AXPDefender] C:\Program Files\AXPDefender\AXPDefender.exe
O4 - HKLM\..\Run: [SMshc73lj0e79p] C:\Program Files\shc73lj0e79p\shc73lj0e79p.exe
O4 - HKLM\..\Run: [Coal Burn Mpeg Inter] C:\Documents and Settings\All Users\Application Data\Second Keep Coal Burn\settings long.exe
O4 - HKLM\..\Run: [SMrhc53lj0e79p] C:\Program Files\rhc53lj0e79p\rhc53lj0e79p.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [wipeboob] C:\DOCUME~1\User\APPLIC~1\SKIPLI~1\VC CORN TRANS.exe
O4 - HKCU\..\Run: [Shell] "C:\WINDOWS\System32\Rundll32.exe" "C:\WINDOWS\System32\shell32.dll",Control_RunDLL "C:\DOCUME~1\User\LOCALS~1\Temp\dat1C5.tmp"
O4 - HKUS\S-1-5-19\..\RunOnce: [*dsdmw] rundll32.exe C:\WINDOWS\System32\dsdmw.dll,init (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [*dsdmw] rundll32.exe C:\WINDOWS\System32\dsdmw.dll,init (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Wini] "C:\WINDOWS\System32\YSTEM3~1\explorer.exe" -vt ndrv (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Wini] "C:\WINDOWS\System32\YSTEM3~1\explorer.exe" -vt ndrv (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://crystal.atkin...orku.ca/qp2.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1151686142609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1175633051015
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\dsdmw.dll
O20 - Winlogon Notify: mcdw - C:\WINDOWS\AppPatch\mcdw.dll (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe

--
End of file - 6270 bytes
  • 0

Advertisements

#2
nurdin
Posted 31 July 2008 - 10:07 PM

nurdin

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
err.. I still need help!

sorry for the bump, but its been a month and some odd days now :)
  • 0

#3
Octagonal
Posted 01 August 2008 - 12:40 AM

Octagonal

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,528 posts
Your topic appears to have slipped through the cracks for some reason.

Please read this thread which will give further instructions for help.
  • 0

#4
sage5
Posted 12 August 2008 - 04:54 AM

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi nurdin,

Welcome to Geeks To Go,

I'm sorry that we haven't got to you until now, but the forum can get hectic at times.

I am sage5 and I will be helping you with this problem.

First I need you to download the following tools & save them to your Desktop.
ComboFix
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.

Now, go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.

Posted Image

Download the Recovery Console setup package & save it as originally named, next to ComboFix.exe.

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Now, drag the Recovery Console setup package onto ComboFix.exe and drop it.
  • When finished, it will produce a report for you.
  • Please post the text from C:\ComboFix.txt along with a new HijackThis log for further review.
** Note: Do not mouseclick combofix's window while it's running. That may cause it to stall **
  • 0

#5
nurdin
Posted 14 August 2008 - 09:06 AM

nurdin

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
sorry about the late reply, here is the combofix log:

ComboFix 08-08-13.05 - User 2008-08-14 10:24:57.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.274 [GMT -4:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\User\Application Data\macromedia\Flash Player\#SharedObjects\4WSB2C2H\interclick.com
C:\Documents and Settings\User\Application Data\macromedia\Flash Player\#SharedObjects\4WSB2C2H\interclick.com\ud.sol
C:\Documents and Settings\User\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\User\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\User\Cookies.\user@~~local~~[2].txt
C:\Documents and Settings\User\Cookies.\[email protected][1].txt
C:\Documents and Settings\User\Cookies.\[email protected][2].txt
C:\Documents and Settings\User\Cookies.\[email protected][4].txt
C:\Documents and Settings\User\Cookies.\[email protected][6].txt
C:\Documents and Settings\User\Cookies.\user@2o7[1].txt
C:\Documents and Settings\User\Cookies.\user@2o7[3].txt
C:\Documents and Settings\User\Cookies.\[email protected][10].txt
C:\Documents and Settings\User\Cookies.\[email protected][2].txt
C:\Documents and Settings\User\Cookies.\[email protected][3].txt
C:\Documents and Settings\User\Cookies.\[email protected][4].txt
C:\Documents and Settings\User\Cookies.\[email protected][5].txt
C:\Documents and Settings\User\Cookies.\[email protected][6].txt
C:\Documents and Settings\User\Cookies.\[email protected][7].txt
C:\Documents and Settings\User\Cookies.\[email protected][8].txt
C:\Documents and Settings\User\Cookies.\[email protected][6].txt
C:\Documents and Settings\User\Cookies.\[email protected][7].txt
C:\Documents and Settings\User\Cookies.\[email protected][3].txt
C:\Documents and Settings\User\Cookies.\[email protected][1].txt
C:\Documents and Settings\User\Cookies.\[email protected][10].txt
C:\Documents and Settings\User\Cookies.\[email protected][11].txt
C:\Documents and Settings\User\Cookies.\[email protected][2].txt
C:\Documents and Settings\User\Cookies.\[email protected][4].txt
C:\Documents and Settings\User\Cookies.\[email protected][5].txt
C:\Documents and Settings\User\Cookies.\[email protected][6].txt
C:\Documents and Settings\User\Cookies.\[email protected][7].txt
C:\Documents and Settings\User\Cookies.\[email protected][8].txt
C:\Documents and Settings\User\Cookies.\[email protected][1].txt
C:\Documents and Settings\User\Cookies.\[email protected][10].txt
C:\Documents and Settings\User\Cookies.\[email protected][11].txt
C:\Documents and Settings\User\Cookies.\[email protected][12].txt
C:\Documents and Settings\User\Cookies.\[email protected][13].txt
C:\Documents and Settings\User\Cookies.\[email protected][14].txt
C:\Documents and Settings\User\Cookies.\[email protected][15].txt
C:\Documents and Settings\User\Cookies.\[email protected][16].txt
C:\Documents and Settings\User\Cookies.\[email protected][17].txt
C:\Documents and Settings\User\Cookies.\[email protected][18].txt
C:\Documents and Settings\User\Cookies.\[email protected][19].txt
C:\Documents and Settings\User\Cookies.\[email protected][2].txt
C:\Documents and Settings\User\Cookies.\[email protected][20].txt
C:\Documents and Settings\User\Cookies.\[email protected][21].txt
C:\Documents and Settings\User\Cookies.\[email protected][22].txt
C:\Documents and Settings\User\Cookies.\[email protected][23].txt
C:\Documents and Settings\User\Cookies.\[email protected][3].txt
C:\Documents and Settings\User\Cookies.\[email protected][4].txt
C:\Documents and Settings\User\Cookies.\[email protected][5].txt
C:\Documents and Settings\User\Cookies.\[email protected][6].txt
C:\Documents and Settings\User\Cookies.\[email protected][7].txt
C:\Documents and Settings\User\Cookies.\[email protected][8].txt
C:\Documents and Settings\User\Cookies.\[email protected][9].txt
C:\Documents and Settings\User\Cookies.\user@adserver[1].txt
C:\Documents and Settings\User\Cookies.\user@adtrgt[2].txt
C:\Documents and Settings\User\Cookies.\user@adtrgt[3].txt
C:\Documents and Settings\User\Cookies.\user@advancedcleaner[1].txt
C:\Documents and Settings\User\Cookies.\user@antispywaremaster[2].txt
C:\Documents and Settings\User\Cookies.\user@cubics[2].txt
C:\Documents and Settings\User\Cookies.\[email protected][1].txt
C:\Documents and Settings\User\Cookies.\[email protected][2].txt
C:\Documents and Settings\User\Cookies.\user@experts-exchange[2].txt
C:\Documents and Settings\User\Cookies.\user@facebook[2].txt
C:\Documents and Settings\User\Cookies.\user@incentaclick[1].txt
C:\Documents and Settings\User\Cookies.\user@mygeek[1].txt
C:\Documents and Settings\User\Cookies.\[email protected][1].txt
C:\Documents and Settings\User\Cookies.\[email protected][10].txt
C:\Documents and Settings\User\Cookies.\[email protected][11].txt
C:\Documents and Settings\User\Cookies.\[email protected][12].txt
C:\Documents and Settings\User\Cookies.\[email protected][13].txt
C:\Documents and Settings\User\Cookies.\[email protected][14].txt
C:\Documents and Settings\User\Cookies.\[email protected][15].txt
C:\Documents and Settings\User\Cookies.\[email protected][16].txt
C:\Documents and Settings\User\Cookies.\[email protected][17].txt
C:\Documents and Settings\User\Cookies.\[email protected][2].txt
C:\Documents and Settings\User\Cookies.\[email protected][3].txt
C:\Documents and Settings\User\Cookies.\[email protected][4].txt
C:\Documents and Settings\User\Cookies.\[email protected][5].txt
C:\Documents and Settings\User\Cookies.\[email protected][6].txt
C:\Documents and Settings\User\Cookies.\[email protected][7].txt
C:\Documents and Settings\User\Cookies.\[email protected][8].txt
C:\Documents and Settings\User\Cookies.\[email protected][9].txt
C:\Documents and Settings\User\Cookies.\user@revsci[1].txt
C:\Documents and Settings\User\Cookies.\user@safepctool[2].txt
C:\Documents and Settings\User\Cookies.\user@shareasale[1].txt
C:\Documents and Settings\User\Cookies.\[email protected][2].txt
C:\Documents and Settings\User\Cookies.\user@trafficmp[1].txt
C:\Documents and Settings\User\Cookies.\user@trafficmp[2].txt
C:\Documents and Settings\User\Cookies.\user@trafficmp[3].txt
C:\Documents and Settings\User\Cookies.\user@trafficmp[4].txt
C:\Documents and Settings\User\Cookies.\user@trafficmp[5].txt
C:\Documents and Settings\User\Cookies.\user@trafficmp[6].txt
C:\Documents and Settings\User\Cookies.\user@tribalfusion[2].txt
C:\Documents and Settings\User\Cookies.\user@trustedantivirus[1].txt
C:\Documents and Settings\User\Cookies.\user@vimby[1].txt
C:\Documents and Settings\User\Cookies.\user@winanonymous[1].txt
C:\Documents and Settings\User\Cookies.\[email protected][1].txt
C:\WINDOWS\BMf3b05b12.txt
C:\WINDOWS\BMf3b05b12.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aemxqmjt.dll
C:\WINDOWS\system32\aymdxhyh.dll
C:\WINDOWS\system32\bidfoigd.dll
C:\WINDOWS\system32\ctmjkopt.dll
C:\WINDOWS\system32\dgdevo.dll
C:\WINDOWS\system32\dgiofdib.ini
C:\WINDOWS\system32\gdqffujb.dll
C:\WINDOWS\system32\ianbyytn.dll
C:\WINDOWS\system32\iawicevg.dll
C:\WINDOWS\system32\jlUvxyay.ini
C:\WINDOWS\system32\jlUvxyay.ini2
C:\WINDOWS\system32\kcagdvkw.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mqcpxw.dll
C:\WINDOWS\system32\ntyybnai.ini
C:\WINDOWS\system32\tpokjmtc.ini
C:\WINDOWS\system32\wvcmmfwq.dll
C:\WINDOWS\system32\xmkgey.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-14 to 2008-08-14 )))))))))))))))))))))))))))))))
.

2008-08-14 10:04 . 2008-08-14 10:04 2,048 --a------ C:\WINDOWS\system32\sdagbmwn.exe
2008-08-14 09:16 . 2008-08-14 09:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-14 09:16 . 2008-08-14 09:16 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-13 10:04 . 2008-08-13 10:04 2,048 --a------ C:\WINDOWS\system32\wsarwwls.exe
2008-08-12 10:01 . 2008-08-12 10:01 2,048 --a------ C:\WINDOWS\system32\tlnkfeyv.exe
2008-08-12 09:46 . 2008-08-12 09:46 <DIR> d-------- C:\Program Files\skip list road
2008-08-12 09:42 . 2008-08-12 09:42 312,320 --a------ C:\WINDOWS\system32\yayxvUlj.dll
2008-08-12 08:51 . 2008-08-14 03:25 542 --a------ C:\WINDOWS\system32\srclihnt.dat
2008-08-12 08:51 . 2008-08-14 03:25 488 --a------ C:\WINDOWS\system32\wshnxtbs.dat
2008-08-12 08:51 . 2008-08-14 03:25 0 --a------ C:\WINDOWS\system32\sbeoea.dat
2008-08-11 21:34 . 2008-08-14 10:35 9,227 --a------ C:\WINDOWS\system32\msreor40.dat
2008-08-11 21:34 . 2008-08-14 10:35 2,048 --a------ C:\WINDOWS\system32\perfntty.dat
2008-08-11 21:34 . 2008-08-14 10:18 392 --a------ C:\WINDOWS\system32\laprmyd.dat
2008-08-11 21:34 . 2008-08-14 10:34 0 --a------ C:\WINDOWS\system32\kbdplv.dat
2008-08-11 09:38 . 2008-08-11 09:38 2,048 --a------ C:\WINDOWS\system32\humkliuq.exe
2008-08-11 09:23 . 2008-08-11 09:23 <DIR> d-------- C:\Documents and Settings\User\Application Data\True Sword
2008-08-11 09:22 . 2008-08-11 13:12 <DIR> d-------- C:\Program Files\True Sword 5
2008-08-11 09:06 . 2008-08-11 09:06 <DIR> d-------- C:\Program Files\Panda Security
2008-08-10 10:13 . 2008-08-10 10:13 2,048 --a------ C:\WINDOWS\system32\hpafhyuh.exe
2008-08-09 05:37 . 2008-08-09 05:37 2,048 --a------ C:\WINDOWS\system32\sbeiwsmk.exe
2008-08-09 00:46 . 2008-08-09 00:46 <DIR> d-------- C:\Program Files\Ventrilo
2008-08-09 00:44 . 2008-08-09 00:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-08 16:06 . 2008-08-08 16:06 2,048 --a------ C:\WINDOWS\system32\peoxgclg.exe
2008-08-07 16:51 . 2008-08-07 16:51 2,048 --a------ C:\WINDOWS\system32\yanlpotf.exe
2008-08-07 13:01 . 2008-08-07 13:01 2,048 --a------ C:\WINDOWS\system32\gxvljewr.exe
2008-08-06 06:13 . 2008-08-06 06:13 2,048 --a------ C:\WINDOWS\system32\orvrfwsh.exe
2008-08-05 12:42 . 2008-08-05 12:42 2,048 --a------ C:\WINDOWS\system32\nllxjakj.exe
2008-08-04 12:18 . 2008-08-04 12:18 2,048 --a------ C:\WINDOWS\system32\jyphanrm.exe
2008-08-04 12:16 . 2008-08-04 12:16 91,648 --a------ C:\WINDOWS\system32\behveprv.dll
2008-08-03 00:46 . 2008-08-03 15:41 <DIR> d-------- C:\Documents and Settings\User\Application Data\OSI
2008-07-27 23:50 . 2008-07-28 09:00 <DIR> d-------- C:\WINDOWS\SxsCaPendDel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 22:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-08-13 07:02 --------- d-----w C:\Program Files\Steam
2008-08-12 13:49 --------- d-----w C:\Documents and Settings\User\Application Data\skip list road
2008-08-12 13:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Second Keep Coal Burn
2008-08-11 18:12 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-11 17:16 --------- d-----w C:\Program Files\Google
2008-08-11 17:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-06 03:15 --------- d-----w C:\Program Files\MSN Messenger
2007-08-31 05:39 17,824 ----a-w C:\Documents and Settings\User\Application Data\GDIPFONTCACHEV1.DAT
2007-01-25 22:44 151,320 ----a-w C:\Documents and Settings\User\Application Data\pcturboproinstallerfree[1].exe
2007-07-11 00:20 1,330,312 --sh--w C:\WINDOWS\AppPatch\wdcm.bak1
2007-07-11 04:53 1,329,838 --sh--w C:\WINDOWS\AppPatch\wdcm.bak2
2007-07-11 08:20 1,334,804 --sh--w C:\WINDOWS\AppPatch\wdcm.ini2
.

((((((((((((((((((((((((((((( snapshot@2008-08-12_10.02.07.92 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-11 16:10:28 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-13 17:43:14 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-08-11 16:10:28 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-13 17:43:14 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0BA59DA5-C438-4C84-8867-C64EEFB22AE4}]
2008-08-14 10:40 312320 --a------ C:\WINDOWS\System32\wvUnoLEw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A6F7AC9-6AD9-4C97-9AC0-23C866E07208}]
2008-08-12 09:42 312320 --a------ C:\WINDOWS\System32\yayxvUlj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C514A4E5-E889-4CA8-BE28-CAC7E19F25FE}]
2008-08-03 00:51 274432 --a------ C:\Documents and Settings\User\Application Data\OSI\dlls\EFOToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA93D885-6248-4A14-8C49-6BAF5E4CA44C}]
2008-07-03 12:08 25840 --a------ C:\WINDOWS\system32\mlJYsssQ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e1ca5296-423a-421a-93a2-3703e6aaf67f}]
2008-08-14 10:53 107008 --a------ C:\WINDOWS\System32\jyppoz.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{AB26BF6C-BB04-4F00-8F98-BDE786CDE97D}"= "C:\Documents and Settings\User\Application Data\OSI\dlls\EFOToolbar.dll" [2008-08-03 00:51 274432]

[HKEY_CLASSES_ROOT\clsid\{ab26bf6c-bb04-4f00-8f98-bde786cde97d}]
[HKEY_CLASSES_ROOT\EFOToolbar.EFOObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{668611E3-7EC2-44EF-BF11-2D814E19FAA3}]
[HKEY_CLASSES_ROOT\EFOToolbar.EFOObj]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\laprmyd]
@="{DE1B9245-99F1-786C-6C83-8449D888F3EF}"
[HKEY_CLASSES_ROOT\CLSID\{DE1B9245-99F1-786C-6C83-8449D888F3EF}]
2004-09-22 18:45 82944 --a------ C:\WINDOWS\System32\laprmyd.dIl

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wipeboob"="C:\DOCUME~1\User\APPLIC~1\SKIPLI~1\VC CORN TRANS.exe" [2008-08-12 09:45 503296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Coal Burn Mpeg Inter"="C:\Documents and Settings\All Users\Application Data\Second Keep Coal Burn\1 STYLE.exe" [2008-08-14 10:37 2015744]
"f083688e"="C:\WINDOWS\System32\xtrlungt.dll" [2008-08-14 10:47 82432]
"BMf3b05b12"="C:\WINDOWS\System32\wkslagix.dll" [2008-08-14 10:47 89088]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{DA93D885-6248-4A14-8C49-6BAF5E4CA44C}"= "C:\WINDOWS\system32\mlJYsssQ.dll" [2008-07-03 12:08 25840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJYsssQ]
2008-07-03 12:08 25840 C:\WINDOWS\system32\mlJYsssQ.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\System32\wvUnoLEw

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^palstart.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\palstart.exe
backup=C:\WINDOWS\pss\palstart.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalStart.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PalStart.lnk.disabled
backup=C:\WINDOWS\pss\PalStart.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PalTalk.lnk
backup=C:\WINDOWS\pss\PalTalk.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jrjy]
C:\Documents and Settings\User\Application Data\??pPatch\w?nword.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wqzlz]
C:\WINDOWS\system32\F?nts\i?xplore.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wxfxz]
C:\Documents and Settings\User\Application Data\?dobe\w?nspool.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Athan]
--a------ 2006-05-23 07:32 974848 C:\Program Files\Athan\Athan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2002-10-15 23:05 114688 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 08:38 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2003-12-05 15:41 49152 C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
--a------ 2004-02-02 04:41 495616 C:\WINDOWS\system32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
--a------ 2003-11-12 09:23 49152 C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2002-10-15 23:18 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-26 14:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau]
--a------ 2004-07-22 21:53 86016 C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2005-03-29 18:28 6815744 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
--a------ 2002-10-23 10:15 86016 c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 07:24 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Quran_AR]
--a------ 2005-10-13 13:59 290816 C:\Program Files\Quran_AR\Quran_AR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RHSI SHS]
--a------ 2003-06-03 14:34 1036288 C:\Program Files\Rogers Hi-Speed Internet\RHSI SelfHealing\SHS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shell]
--a------ 2006-07-13 09:46 8353280 C:\WINDOWS\system32\shell32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-06-24 01:10 1271032 c:\Program Files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-07-08 21:07 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Wini"="C:\PROGRA~1\SEMBLY~1\notepad.exe" -vt ndrv
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"Steam"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IpWins"=C:\Program Files\ipwins\ipwins.exe
"Quran_AR"=C:\Program Files\Quran_AR\Quran_AR.exe

S3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\System32\DRIVERS\RimSerial.sys [2005-08-16 13:02]
.
Contents of the 'Scheduled Tasks' folder

2008-08-14 C:\WINDOWS\Tasks\A7C8E6BC918F6190.job
- c:\docume~1\user\applic~1\skipli~1\bird defy browse.exe [2008-08-12 09:49]

2008-08-14 C:\WINDOWS\Tasks\Norton Security Scan.job
- C:\Program Files\Norton Security Scan\Nss.exe [2008-01-09 04:08]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\9jv9gb7n.default\
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPAdbESD.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPAskSBr.dll
FF -: plugin - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-14 10:36:57
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\wvUnoLEw.dll 312320 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\mlJYsssQ.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
**************************************************************************
.
Completion time: 2008-08-14 11:02:25 - machine was rebooted [User]
ComboFix-quarantined-files.txt 2008-08-14 15:01:48
ComboFix2.txt 2008-08-12 14:05:14

Pre-Run: 3,479,498,752 bytes free
Post-Run: 3,714,895,872 bytes free

343 --- E O F --- 2008-07-03 15:06:59
  • 0

#6
nurdin
Posted 14 August 2008 - 09:07 AM

nurdin

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
here is the hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:06:48 AM, on 8/14/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchsave.co...dex.php?sm=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {5A6F7AC9-6AD9-4C97-9AC0-23C866E07208} - C:\WINDOWS\System32\yayxvUlj.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: BrowserHelperEFO Class - {C514A4E5-E889-4CA8-BE28-CAC7E19F25FE} - C:\Documents and Settings\User\Application Data\OSI\dlls\EFOToolbar.dll
O2 - BHO: (no name) - {DA93D885-6248-4A14-8C49-6BAF5E4CA44C} - C:\WINDOWS\system32\mlJYsssQ.dll
O2 - BHO: {f76faa6e-3073-2a39-a124-a3246925ac1e} - {e1ca5296-423a-421a-93a2-3703e6aaf67f} - C:\WINDOWS\System32\jyppoz.dll
O3 - Toolbar: RHSI Toolbar - {4DF5B116-4FD9-4039-B377-1130953A980F} - C:\Program Files\Rogers Hi-Speed Internet\RHSI Toolbar\ToolBand.dll
O4 - HKLM\..\Run: [Coal Burn Mpeg Inter] C:\Documents and Settings\All Users\Application Data\Second Keep Coal Burn\1 STYLE.exe
O4 - HKLM\..\Run: [f083688e] rundll32.exe "C:\WINDOWS\System32\xtrlungt.dll",b
O4 - HKLM\..\Run: [BMf3b05b12] Rundll32.exe "C:\WINDOWS\System32\wkslagix.dll",s
O4 - HKCU\..\Run: [wipeboob] C:\DOCUME~1\User\APPLIC~1\SKIPLI~1\VC CORN TRANS.exe
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://crystal.atkin...orku.ca/qp2.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1151686142609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1175633051015
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O20 - Winlogon Notify: mlJYsssQ - C:\WINDOWS\SYSTEM32\mlJYsssQ.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe

--
End of file - 3824 bytes
  • 0

#7
sage5
Posted 14 August 2008 - 05:15 PM

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
You seem to have had a problem with the installation of the Recovery Console. This needs to be in place before we continue with the fix.
Did you follow the instructions?
Did the download fail?
Did you get any error messages?
  • 0

#8
nurdin
Posted 15 August 2008 - 12:28 AM

nurdin

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Im sorry, I seem to have not dragged the recovery console icon onto combofix.. sorry :)

ComboFix 08-08-13.05 - User 2008-08-15 1:48:44.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.316 [GMT -4:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMf3b05b12.txt
C:\WINDOWS\BMf3b05b12.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\hykvhnwj.dll
C:\WINDOWS\system32\jwnhvkyh.ini
C:\WINDOWS\system32\jyppoz.dll
C:\WINDOWS\system32\lsfamumr.dll
C:\WINDOWS\system32\qigsiu.dll
C:\WINDOWS\system32\swjyisol.dll
C:\WINDOWS\system32\tgnulrtx.ini
C:\WINDOWS\system32\UCehPqru.ini
C:\WINDOWS\system32\UCehPqru.ini2
C:\WINDOWS\system32\wELonUvw.ini
C:\WINDOWS\system32\wELonUvw.ini2
C:\WINDOWS\system32\wkslagix.dll
C:\WINDOWS\system32\xtrlungt.dll
C:\WINDOWS\system32\yncrukga.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-15 to 2008-08-15 )))))))))))))))))))))))))))))))
.

2008-08-14 11:16 . 2008-08-14 11:16 2,048 --a------ C:\WINDOWS\system32\pukbuvsw.exe
2008-08-14 11:08 . 2008-08-14 11:08 312,320 --a------ C:\WINDOWS\system32\urqPheCU.dll
2008-08-14 10:50 . 2008-08-14 10:50 2,048 --a------ C:\WINDOWS\system32\kasixpht.exe
2008-08-14 10:40 . 2008-08-14 10:40 312,320 --a------ C:\WINDOWS\system32\wvUnoLEw.dll
2008-08-14 10:04 . 2008-08-14 10:04 2,048 --a------ C:\WINDOWS\system32\sdagbmwn.exe
2008-08-14 09:16 . 2008-08-14 09:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-14 09:16 . 2008-08-14 09:16 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-13 10:04 . 2008-08-13 10:04 2,048 --a------ C:\WINDOWS\system32\wsarwwls.exe
2008-08-12 10:01 . 2008-08-12 10:01 2,048 --a------ C:\WINDOWS\system32\tlnkfeyv.exe
2008-08-12 09:46 . 2008-08-12 09:46 <DIR> d-------- C:\Program Files\skip list road
2008-08-12 09:42 . 2008-08-12 09:42 312,320 --a------ C:\WINDOWS\system32\yayxvUlj.dll
2008-08-12 08:51 . 2008-08-15 01:41 829 --a------ C:\WINDOWS\system32\srclihnt.dat
2008-08-12 08:51 . 2008-08-14 20:13 544 --a------ C:\WINDOWS\system32\wshnxtbs.dat
2008-08-12 08:51 . 2008-08-14 20:11 0 --a------ C:\WINDOWS\system32\sbeoea.dat
2008-08-11 21:34 . 2008-08-15 01:57 9,876 --a------ C:\WINDOWS\system32\msreor40.dat
2008-08-11 21:34 . 2008-08-15 01:57 2,392 --a------ C:\WINDOWS\system32\perfntty.dat
2008-08-11 21:34 . 2008-08-14 15:10 392 --a------ C:\WINDOWS\system32\laprmyd.dat
2008-08-11 21:34 . 2008-08-15 01:56 0 --a------ C:\WINDOWS\system32\kbdplv.dat
2008-08-11 09:38 . 2008-08-11 09:38 2,048 --a------ C:\WINDOWS\system32\humkliuq.exe
2008-08-11 09:23 . 2008-08-11 09:23 <DIR> d-------- C:\Documents and Settings\User\Application Data\True Sword
2008-08-11 09:22 . 2008-08-11 13:12 <DIR> d-------- C:\Program Files\True Sword 5
2008-08-11 09:06 . 2008-08-11 09:06 <DIR> d-------- C:\Program Files\Panda Security
2008-08-10 10:13 . 2008-08-10 10:13 2,048 --a------ C:\WINDOWS\system32\hpafhyuh.exe
2008-08-09 05:37 . 2008-08-09 05:37 2,048 --a------ C:\WINDOWS\system32\sbeiwsmk.exe
2008-08-09 00:46 . 2008-08-09 00:46 <DIR> d-------- C:\Program Files\Ventrilo
2008-08-09 00:44 . 2008-08-09 00:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-08 16:06 . 2008-08-08 16:06 2,048 --a------ C:\WINDOWS\system32\peoxgclg.exe
2008-08-07 16:51 . 2008-08-07 16:51 2,048 --a------ C:\WINDOWS\system32\yanlpotf.exe
2008-08-07 13:01 . 2008-08-07 13:01 2,048 --a------ C:\WINDOWS\system32\gxvljewr.exe
2008-08-06 06:13 . 2008-08-06 06:13 2,048 --a------ C:\WINDOWS\system32\orvrfwsh.exe
2008-08-05 12:42 . 2008-08-05 12:42 2,048 --a------ C:\WINDOWS\system32\nllxjakj.exe
2008-08-04 12:18 . 2008-08-04 12:18 2,048 --a------ C:\WINDOWS\system32\jyphanrm.exe
2008-08-04 12:16 . 2008-08-04 12:16 91,648 --a------ C:\WINDOWS\system32\behveprv.dll
2008-08-03 00:46 . 2008-08-03 15:41 <DIR> d-------- C:\Documents and Settings\User\Application Data\OSI
2008-07-27 23:50 . 2008-07-28 09:00 <DIR> d-------- C:\WINDOWS\SxsCaPendDel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 22:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-08-13 07:02 --------- d-----w C:\Program Files\Steam
2008-08-12 13:49 --------- d-----w C:\Documents and Settings\User\Application Data\skip list road
2008-08-12 13:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Second Keep Coal Burn
2008-08-11 18:12 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-11 17:16 --------- d-----w C:\Program Files\Google
2008-08-11 17:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-06 03:15 --------- d-----w C:\Program Files\MSN Messenger
2008-07-05 04:17 109,056 ----a-w C:\WINDOWS\system32\kjdwhami.exe
2008-07-03 16:08 25,840 ----a-w C:\WINDOWS\system32\mlJYsssQ.dll
2008-06-23 18:25 94,208 ----a-w C:\WINDOWS\system32\72.tmp
2007-08-31 05:39 17,824 ----a-w C:\Documents and Settings\User\Application Data\GDIPFONTCACHEV1.DAT
2007-01-25 22:44 151,320 ----a-w C:\Documents and Settings\User\Application Data\pcturboproinstallerfree[1].exe
2007-07-11 00:20 1,330,312 --sh--w C:\WINDOWS\AppPatch\wdcm.bak1
2007-07-11 04:53 1,329,838 --sh--w C:\WINDOWS\AppPatch\wdcm.bak2
2007-07-11 08:20 1,334,804 --sh--w C:\WINDOWS\AppPatch\wdcm.ini2
.

((((((((((((((((((((((((((((( snapshot@2008-08-12_10.02.07.92 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-11 16:10:28 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-13 17:43:14 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-08-11 16:10:28 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-13 17:43:14 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1EBC11E1-1E7F-41ED-AF11-3F883D19B0BF}]
2008-08-14 11:08 312320 --a------ C:\WINDOWS\System32\urqPheCU.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A6F7AC9-6AD9-4C97-9AC0-23C866E07208}]
2008-08-12 09:42 312320 --a------ C:\WINDOWS\System32\yayxvUlj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a66976a9-1de0-4427-a0fa-d1e8fcd7ae28}]
2008-08-15 02:18 107008 --a------ C:\WINDOWS\System32\npitbt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C514A4E5-E889-4CA8-BE28-CAC7E19F25FE}]
2008-08-03 00:51 274432 --a------ C:\Documents and Settings\User\Application Data\OSI\dlls\EFOToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA93D885-6248-4A14-8C49-6BAF5E4CA44C}]
2008-07-03 12:08 25840 --a------ C:\WINDOWS\system32\mlJYsssQ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E771EF9A-D86C-4CB4-9146-6CE9BA03C10C}]
2008-08-15 02:02 312320 --a------ C:\WINDOWS\System32\ljJBQJyW.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{AB26BF6C-BB04-4F00-8F98-BDE786CDE97D}"= "C:\Documents and Settings\User\Application Data\OSI\dlls\EFOToolbar.dll" [2008-08-03 00:51 274432]

[HKEY_CLASSES_ROOT\clsid\{ab26bf6c-bb04-4f00-8f98-bde786cde97d}]
[HKEY_CLASSES_ROOT\EFOToolbar.EFOObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{668611E3-7EC2-44EF-BF11-2D814E19FAA3}]
[HKEY_CLASSES_ROOT\EFOToolbar.EFOObj]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\laprmyd]
@="{DE1B9245-99F1-786C-6C83-8449D888F3EF}"
[HKEY_CLASSES_ROOT\CLSID\{DE1B9245-99F1-786C-6C83-8449D888F3EF}]
2004-09-22 18:45 82944 --a------ C:\WINDOWS\System32\laprmyd.dIl

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wipeboob"="C:\DOCUME~1\User\APPLIC~1\SKIPLI~1\VC CORN TRANS.exe" [2008-08-12 09:45 503296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Coal Burn Mpeg Inter"="C:\Documents and Settings\All Users\Application Data\Second Keep Coal Burn\1 STYLE.exe" [2008-08-15 01:59 2169856]
"f083688e"="C:\WINDOWS\System32\epqqpqty.dll" [2008-08-15 02:15 82432]
"BMf3b05b12"="C:\WINDOWS\System32\qexyxthk.dll" [2008-08-15 02:09 89088]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{DA93D885-6248-4A14-8C49-6BAF5E4CA44C}"= "C:\WINDOWS\system32\mlJYsssQ.dll" [2008-07-03 12:08 25840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJYsssQ]
2008-07-03 12:08 25840 C:\WINDOWS\system32\mlJYsssQ.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\System32\ljJBQJyW

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^palstart.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\palstart.exe
backup=C:\WINDOWS\pss\palstart.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalStart.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PalStart.lnk.disabled
backup=C:\WINDOWS\pss\PalStart.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PalTalk.lnk
backup=C:\WINDOWS\pss\PalTalk.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jrjy]
C:\Documents and Settings\User\Application Data\??pPatch\w?nword.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wqzlz]
C:\WINDOWS\system32\F?nts\i?xplore.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wxfxz]
C:\Documents and Settings\User\Application Data\?dobe\w?nspool.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Athan]
--a------ 2006-05-23 07:32 974848 C:\Program Files\Athan\Athan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2002-10-15 23:05 114688 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 08:38 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2003-12-05 15:41 49152 C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
--a------ 2004-02-02 04:41 495616 C:\WINDOWS\system32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
--a------ 2003-11-12 09:23 49152 C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2002-10-15 23:18 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-26 14:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau]
--a------ 2004-07-22 21:53 86016 C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2005-03-29 18:28 6815744 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
--a------ 2002-10-23 10:15 86016 c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 07:24 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Quran_AR]
--a------ 2005-10-13 13:59 290816 C:\Program Files\Quran_AR\Quran_AR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RHSI SHS]
--a------ 2003-06-03 14:34 1036288 C:\Program Files\Rogers Hi-Speed Internet\RHSI SelfHealing\SHS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shell]
--a------ 2006-07-13 09:46 8353280 C:\WINDOWS\system32\shell32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-06-24 01:10 1271032 c:\Program Files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-07-08 21:07 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Wini"="C:\PROGRA~1\SEMBLY~1\notepad.exe" -vt ndrv
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"Steam"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IpWins"=C:\Program Files\ipwins\ipwins.exe
"Quran_AR"=C:\Program Files\Quran_AR\Quran_AR.exe

S3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\System32\DRIVERS\RimSerial.sys [2005-08-16 13:02]
.
Contents of the 'Scheduled Tasks' folder

2008-08-15 C:\WINDOWS\Tasks\A7C8E6BC918F6190.job
- c:\docume~1\user\applic~1\skipli~1\bird defy browse.exe [2008-08-12 09:49]

2008-08-14 C:\WINDOWS\Tasks\Norton Security Scan.job
- C:\Program Files\Norton Security Scan\Nss.exe [2008-01-09 04:08]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\9jv9gb7n.default\
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPAdbESD.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPAskSBr.dll
FF -: plugin - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-15 01:58:26
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\ljJBQJyW.dll 312320 bytes executable
C:\WINDOWS\system32\WyJQBJjl.ini 347 bytes
C:\WINDOWS\system32\WyJQBJjl.ini2 347 bytes

scan completed successfully
hidden files: 3

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\mlJYsssQ.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\System32\epqqpqty.dll
-> C:\WINDOWS\System32\qexyxthk.dll
-> C:\WINDOWS\System32\ljJBQJyW.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-08-15 2:23:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-15 06:22:31
ComboFix2.txt 2008-08-14 15:02:26
ComboFix3.txt 2008-08-12 14:05:14

Pre-Run: 3,679,186,944 bytes free
Post-Run: 3,693,477,888 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

268 --- E O F --- 2008-07-03 15:06:59

____________________________________

Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:27:39 AM, on 8/15/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchsave.co...dex.php?sm=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: RHSI Toolbar - {4DF5B116-4FD9-4039-B377-1130953A980F} - C:\Program Files\Rogers Hi-Speed Internet\RHSI Toolbar\ToolBand.dll
O4 - HKLM\..\Run: [Coal Burn Mpeg Inter] C:\Documents and Settings\All Users\Application Data\Second Keep Coal Burn\1 STYLE.exe
O4 - HKLM\..\Run: [f083688e] rundll32.exe "C:\WINDOWS\System32\epqqpqty.dll",b
O4 - HKLM\..\Run: [BMf3b05b12] Rundll32.exe "C:\WINDOWS\System32\qexyxthk.dll",s
O4 - HKCU\..\Run: [wipeboob] C:\DOCUME~1\User\APPLIC~1\SKIPLI~1\VC CORN TRANS.exe
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://crystal.atkin...orku.ca/qp2.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1151686142609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1175633051015
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe

--
End of file - 3076 bytes
  • 0

#9
sage5
Posted 15 August 2008 - 01:40 AM

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi nurdin,


Clean up Registry with a Reg file:
  • Please open a new Notepad file by clicking Start\All Programs\Accessories\Notepad
  • Copy the text from the following Code box, by highlighting all the text and right click, Select Copy. (or use the Ctrl+C keyboard shortcut)
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00
  • Paste it into Notepad. Right click in the window and select Paste. (or use Ctrl+V)
  • Save the file to the Desktop, make sure Type is All Files, and name it Fixreg.reg
  • Double click on the file created and click Yes when asked to merge the information into the Registry


Run HijackThis.
  • Click the Do a system scan only button.
  • Check the boxes for the all the entries listed below:
O4 - HKLM\..\Run: [Coal Burn Mpeg Inter] C:\Documents and Settings\All Users\Application Data\Second Keep Coal Burn\1 STYLE.exe
O4 - HKLM\..\Run: [f083688e] rundll32.exe "C:\WINDOWS\System32\epqqpqty.dll",b
O4 - HKLM\..\Run: [BMf3b05b12] Rundll32.exe "C:\WINDOWS\System32\qexyxthk.dll",s
O4 - HKCU\..\Run: [wipeboob] C:\DOCUME~1\User\APPLIC~1\SKIPLI~1\VC CORN TRANS.exe
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://crystal.atkin...orku.ca/qp2.cab
  • Now close all windows other than HijackThis and click Fix Checked.
  • Close HijackThis.


Your log shows you are not running Anti-virus or Firewall software.
These are essential items and need to be loaded before we can continue fixing your PC.

I have listed a couple of free versions of both. Please download and install 1 Anti-virus and 1 Firewall.

Firewalls: Please install one only.
Comodo Firewall Pro or Sunbelt Personal Firewall

Anti-virus: Please install one only:
Avast! Free Edition or AntiVir PersonalEdition Classic

Anti-Virus Tutorials/Manuals:
Avast Tutorial
Avast Manual
Antivir Manual

Please allow the new Anti-virus to run a full System scan, and at the end of the process you should be able to save a scan log.
If the scan report window does not have a "Save as Report" button (or similar), please highlight the text in the window & copy & paste it to a new Notepad file.
Save it as C:\avscan.txt if you can.

I need you to post me a fresh HijackThis log to confirm correct installation of the Anti-virus and Firewall programs.

Run HijackThis:
  • Select the Run a system scan and save a logfile option. The logfile opens in Notepad.
  • Start your Web Browser and navigate back to this thread.
  • Click the Add Reply button
  • Copy and Paste the text into the Reply window.
  • Also paste me the text from C:\avscan.txt

Cheers,

sage5

Edited by sage5, 15 August 2008 - 01:44 AM.

  • 0

#10
sage5
Posted 26 August 2008 - 01:34 AM

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP