A machine with over 400 virus and trojans

force123

New Member
Hey guys

My friend brought me his PC, which he said has various problems that he can't name all, like it restarts by itself while he is working and shows various errors...

I checked it (Windows XP) and first ran Spybot Search and Destroy.

It found over 400 problems. After "fixing" those, I ran ComboFix and it took more time than I expected.

After that I ran HijackThis and saved a log.

Can someone help me with these logs to see if everything is fine now? Or should I do something else?

Thanks in advance

ComboFix

HijackThis
 

cohen

New Member
Was the HijackThis log before or after the ComboFix?

Please post the logs in a reply, the HijackThis log especially; the ComboFix log won't fit, I understand.
 

force123

New Member
The HijackThis log is after ComboFix.

The forum didn't let me upload the ComboFix log, because it said the size of the file (35k) is more than the amount defined for that extension, and it didn't let me copy and paste it either, as it exceeds 30000 characters. So I uploaded it to a server.

But here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:17:17 ?.?, on 2008/07/23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Intense Language Office\COMMON\Offman.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [BM0b6ee4c9] Rundll32.exe "C:\WINDOWS\system32\jnqihrlu.dll",s
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ILO_Office_Manager] IntEdReg.exe /OFFMAN
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - AppInit_DLLs:
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O24 - Desktop Component 0: (no name) - http://us.js1.yimg.com/us.yimg.com/lib/pim/r/medici/10_8/mail/mailcommonlib.js

--
End of file - 6452 bytes
 

ceewi1

VIP Member
I'm afraid there's more work to do. Your logfile shows a flash drive infection. Any portable drives or memory sticks that have been plugged into this computer since contracting the infection are likely infected, as may be any computers that these drives have been connected to. I recommend you run scans on any computers that have shared portable drives or memory sticks with this one, and post logfiles if necessary. This infection is designed to steal passwords to an instant messaging program called QQ; if you use that program, I recommend changing your password immediately.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure Advanced Mode is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck Resident TeaTimer and OK any prompts
You can reenable TeaTimer once your system is clean.

  • Open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    H:\sxs.exe
    H:\4sv.exe
    C:\WINDOWS\system32\winmds.exe
    C:\WINDOWS\system32\Y8MThmov.exe
    C:\WINDOWS\system32\svvci32.exe
    C:\WINDOWS\Tasks\AT1.job
    C:\WINDOWS\Tasks\AT2.job
    C:\WINDOWS\Tasks\AT3.job
    C:\WINDOWS\Tasks\AT4.job
    C:\WINDOWS\Tasks\AT5.job
    C:\WINDOWS\Tasks\AT6.job
    C:\WINDOWS\Tasks\AT7.job
    C:\WINDOWS\Tasks\AT8.job
    C:\WINDOWS\Tasks\AT9.job
    C:\WINDOWS\Tasks\AT10.job
    C:\WINDOWS\Tasks\AT11.job
    C:\WINDOWS\Tasks\AT12.job
    C:\WINDOWS\Tasks\AT13.job
    C:\WINDOWS\Tasks\AT14.job
    C:\WINDOWS\Tasks\AT15.job
    C:\WINDOWS\Tasks\AT16.job
    C:\WINDOWS\Tasks\AT17.job
    C:\WINDOWS\Tasks\AT18.job
    C:\WINDOWS\Tasks\AT19.job
    C:\WINDOWS\Tasks\AT20.job
    C:\WINDOWS\Tasks\AT21.job
    C:\WINDOWS\Tasks\AT22.job
    C:\WINDOWS\Tasks\AT23.job
    C:\WINDOWS\Tasks\AT24.job
    C:\WINDOWS\Tasks\AT25.job
    C:\WINDOWS\Tasks\AT26.job
    C:\WINDOWS\Tasks\AT27.job
    C:\WINDOWS\Tasks\AT28.job
    C:\WINDOWS\Tasks\AT29.job
    C:\WINDOWS\Tasks\AT30.job
    C:\WINDOWS\Tasks\AT31.job
    C:\WINDOWS\Tasks\AT32.job
    C:\WINDOWS\Tasks\AT33.job
    C:\WINDOWS\Tasks\AT34.job
    C:\WINDOWS\Tasks\AT35.job
    C:\WINDOWS\Tasks\AT36.job
    C:\WINDOWS\Tasks\AT37.job
    C:\WINDOWS\Tasks\AT38.job
    C:\WINDOWS\Tasks\AT39.job
    C:\WINDOWS\Tasks\AT40.job
    C:\WINDOWS\Tasks\AT41.job
    C:\WINDOWS\Tasks\AT42.job
    C:\WINDOWS\Tasks\AT43.job
    C:\WINDOWS\Tasks\AT44.job
    C:\WINDOWS\Tasks\AT45.job
    C:\WINDOWS\Tasks\AT46.job
    C:\WINDOWS\Tasks\AT47.job
    C:\WINDOWS\Tasks\AT48.job
    C:\WINDOWS\Tasks\AT49.job
    C:\WINDOWS\Tasks\AT50.job
    C:\WINDOWS\Tasks\AT51.job
    C:\WINDOWS\Tasks\AT52.job
    C:\WINDOWS\Tasks\AT53.job
    C:\WINDOWS\Tasks\AT54.job
    C:\WINDOWS\Tasks\AT55.job
    C:\WINDOWS\Tasks\AT56.job
    C:\WINDOWS\Tasks\AT57.job
    C:\WINDOWS\Tasks\AT58.job
    C:\WINDOWS\Tasks\AT59.job
    C:\WINDOWS\Tasks\AT60.job
    C:\WINDOWS\Tasks\AT61.job
    C:\WINDOWS\Tasks\AT62.job
    C:\WINDOWS\Tasks\AT63.job
    C:\WINDOWS\Tasks\AT64.job
    C:\WINDOWS\Tasks\AT65.job
    C:\WINDOWS\Tasks\AT66.job
    C:\WINDOWS\Tasks\AT67.job
    C:\WINDOWS\Tasks\AT68.job
    C:\WINDOWS\Tasks\AT69.job
    C:\WINDOWS\Tasks\AT70.job
    C:\WINDOWS\Tasks\AT71.job
    C:\WINDOWS\Tasks\AT72.job
    C:\WINDOWS\Tasks\AT73.job
    C:\WINDOWS\Tasks\AT74.job
    C:\WINDOWS\Tasks\AT75.job
    C:\WINDOWS\Tasks\AT76.job
    C:\WINDOWS\Tasks\AT77.job
    C:\WINDOWS\Tasks\AT78.job
    C:\WINDOWS\Tasks\AT79.job
    C:\WINDOWS\Tasks\AT80.job
    C:\WINDOWS\Tasks\AT81.job
    C:\WINDOWS\Tasks\AT82.job
    C:\WINDOWS\Tasks\AT83.job
    C:\WINDOWS\Tasks\AT84.job
    C:\WINDOWS\Tasks\AT85.job
    C:\WINDOWS\Tasks\AT86.job
    C:\WINDOWS\Tasks\AT87.job
    C:\WINDOWS\Tasks\AT88.job
    C:\WINDOWS\Tasks\AT89.job
    C:\WINDOWS\Tasks\AT90.job
    C:\WINDOWS\Tasks\AT91.job
    C:\WINDOWS\Tasks\AT92.job
    C:\WINDOWS\Tasks\AT93.job
    C:\WINDOWS\Tasks\AT94.job
    C:\WINDOWS\Tasks\AT95.job
    C:\WINDOWS\Tasks\AT96.job
    C:\WINDOWS\Tasks\AT97.job
    C:\WINDOWS\Tasks\AT98.job
    C:\WINDOWS\Tasks\AT99.job
    C:\WINDOWS\Tasks\AT100.job
    C:\WINDOWS\Tasks\AT101.job
    C:\WINDOWS\Tasks\AT102.job
    C:\WINDOWS\Tasks\AT103.job
    C:\WINDOWS\Tasks\AT104.job
    C:\WINDOWS\Tasks\AT105.job
    C:\WINDOWS\Tasks\AT106.job
    C:\WINDOWS\Tasks\AT107.job
    C:\WINDOWS\Tasks\AT108.job
    C:\WINDOWS\Tasks\AT109.job
    C:\WINDOWS\Tasks\AT110.job
    C:\WINDOWS\Tasks\AT111.job
    C:\WINDOWS\Tasks\AT112.job
    C:\WINDOWS\Tasks\AT113.job
    C:\WINDOWS\Tasks\AT114.job
    C:\WINDOWS\Tasks\AT115.job
    C:\WINDOWS\Tasks\AT116.job
    C:\WINDOWS\Tasks\AT117.job
    C:\WINDOWS\Tasks\AT118.job
    C:\WINDOWS\Tasks\AT119.job
    C:\WINDOWS\Tasks\AT120.job
    C:\WINDOWS\Tasks\AT121.job
    C:\WINDOWS\Tasks\AT122.job
    C:\WINDOWS\Tasks\AT123.job
    C:\WINDOWS\Tasks\AT124.job
    C:\WINDOWS\Tasks\AT125.job
    C:\WINDOWS\Tasks\AT126.job
    C:\WINDOWS\Tasks\AT127.job
    C:\WINDOWS\Tasks\AT128.job
    C:\WINDOWS\Tasks\AT129.job
    C:\WINDOWS\Tasks\AT130.job
    C:\WINDOWS\Tasks\AT131.job
    C:\WINDOWS\Tasks\AT132.job
    C:\WINDOWS\Tasks\AT133.job
    C:\WINDOWS\Tasks\AT134.job
    C:\WINDOWS\Tasks\AT135.job
    C:\WINDOWS\Tasks\AT136.job
    C:\WINDOWS\Tasks\AT137.job
    C:\WINDOWS\Tasks\AT138.job
    C:\WINDOWS\Tasks\AT139.job
    C:\WINDOWS\Tasks\AT140.job
    C:\WINDOWS\Tasks\AT141.job
    C:\WINDOWS\Tasks\AT142.job
    C:\WINDOWS\Tasks\AT143.job
    C:\WINDOWS\Tasks\AT144.job
    C:\WINDOWS\Tasks\AT145.job
    C:\WINDOWS\Tasks\AT146.job
    C:\WINDOWS\Tasks\AT147.job
    C:\WINDOWS\Tasks\AT148.job
    C:\WINDOWS\Tasks\AT149.job
    C:\WINDOWS\Tasks\AT150.job
    C:\WINDOWS\Tasks\AT151.job
    C:\WINDOWS\Tasks\AT152.job
    C:\WINDOWS\Tasks\AT153.job
    C:\WINDOWS\Tasks\AT154.job
    C:\WINDOWS\Tasks\AT155.job
    C:\WINDOWS\Tasks\AT156.job
    C:\WINDOWS\Tasks\AT157.job
    C:\WINDOWS\Tasks\AT158.job
    C:\WINDOWS\Tasks\AT159.job
    C:\WINDOWS\Tasks\AT160.job
    C:\WINDOWS\Tasks\AT161.job
    C:\WINDOWS\Tasks\AT162.job
    C:\WINDOWS\Tasks\AT163.job
    C:\WINDOWS\Tasks\AT164.job
    C:\WINDOWS\Tasks\AT165.job
    C:\WINDOWS\Tasks\AT166.job
    C:\WINDOWS\Tasks\AT167.job
    C:\WINDOWS\Tasks\AT168.job
    C:\WINDOWS\Tasks\AT169.job
    C:\WINDOWS\Tasks\AT170.job
    C:\WINDOWS\Tasks\AT171.job
    C:\WINDOWS\Tasks\AT172.job
    C:\WINDOWS\Tasks\AT173.job
    C:\WINDOWS\Tasks\AT174.job
    C:\WINDOWS\Tasks\AT175.job
    C:\WINDOWS\Tasks\AT176.job
    C:\WINDOWS\Tasks\AT177.job
    C:\WINDOWS\Tasks\AT178.job
    C:\WINDOWS\Tasks\AT179.job
    C:\WINDOWS\Tasks\AT180.job
    C:\WINDOWS\Tasks\AT181.job
    C:\WINDOWS\Tasks\AT182.job
    C:\WINDOWS\Tasks\AT183.job
    C:\WINDOWS\Tasks\AT184.job
    C:\WINDOWS\Tasks\AT185.job
    C:\WINDOWS\Tasks\AT186.job
    C:\WINDOWS\Tasks\AT187.job
    C:\WINDOWS\Tasks\AT188.job
    C:\WINDOWS\Tasks\AT189.job
    C:\WINDOWS\Tasks\AT190.job
    C:\WINDOWS\Tasks\AT191.job
    C:\WINDOWS\Tasks\AT192.job
    C:\WINDOWS\Tasks\AT193.job
    C:\WINDOWS\Tasks\AT194.job
    C:\WINDOWS\Tasks\AT195.job
    C:\WINDOWS\Tasks\AT196.job
    C:\WINDOWS\Tasks\AT197.job
    C:\WINDOWS\Tasks\AT198.job
    C:\WINDOWS\Tasks\AT199.job
    C:\WINDOWS\Tasks\AT200.job
    C:\WINDOWS\Tasks\AT201.job
    C:\WINDOWS\Tasks\AT202.job
    C:\WINDOWS\Tasks\AT203.job
    C:\WINDOWS\Tasks\AT204.job
    C:\WINDOWS\Tasks\AT205.job
    C:\WINDOWS\Tasks\AT206.job
    C:\WINDOWS\Tasks\AT207.job
    C:\WINDOWS\Tasks\AT208.job
    C:\WINDOWS\Tasks\AT209.job
    C:\WINDOWS\Tasks\AT210.job
    C:\WINDOWS\Tasks\AT211.job
    C:\WINDOWS\Tasks\AT212.job
    C:\WINDOWS\Tasks\AT213.job
    C:\WINDOWS\Tasks\AT214.job
    C:\WINDOWS\Tasks\AT215.job
    C:\WINDOWS\Tasks\AT216.job
    
    AWF::
    C:\Program Files\Netropa\Multimedia Keyboard\bak\MMKeybd.exe
    C:\WINDOWS\system32\bak\ezSP_Px.exe
    C:\WINDOWS\system32\bak\hphmon05.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb09.exe
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BM0b6ee4c9"=-
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0d0dee6-3941-11dc-bb78-f1ee2ad8c829}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9d777e6-17fb-11dc-bb52-bb844cdcb42a}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0b214d0-42d4-11dd-ac64-ac81ca50547e}]
  • Save this as CFScript.txt and change the Save as type to All Files and place it on your desktop.


    CFScript.gif



  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION:
Do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do NOT adjust your time format while ComboFix is running.

Please download Flash Disinfector and save it to your Desktop.

Please connect any flash drives that have been used in this PC.

Double click on Flash Disinfector and follow the prompts.

Please do a scan with Kaspersky Online Scanner

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labelled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Please post
  • The ComboFix log
  • The Kaspersky report
  • A new HijackThis log
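
As an added example (not code from this thread, from HijackThis or from ComboFix), here is a small Python triage script for the O4 autostart lines of a HijackThis log in the format posted above; it picks out the [BM0b6ee4c9] rundll32 entry loading jnqihrlu.dll that the CFScript removes, alongside entries whose binary cannot be verified from the log. The name patterns (8 lowercase letters for a random DLL, a 2-letter prefix plus 8 hex digits for a generated value name) are my own heuristics, not documented HijackThis or ComboFix logic.

```python
"""Triage of HijackThis O4 (autostart) entries; added example, not code from the thread,
HijackThis or ComboFix. The name patterns below are my own heuristics, not documented ones."""
import re
from dataclasses import dataclass, field

# "O4 - HKLM\..\Run: [name] command (User 'X')", the User suffix being optional
REG_O4 = re.compile(r"^O4 - (?P<hive>HK\S*?\\\.\.\\Run(?:Once)?): \[(?P<name>[^\]]*)\] "
                    r"(?P<cmd>.*?)(?:\s+\(User '[^']*'\))?$")
# "O4 - Startup: name.lnk = target"  (HijackThis prints "?" when it cannot resolve the shortcut)
LNK_O4 = re.compile(r"^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.+?\.lnk) = (?P<cmd>.*)$")
RANDOM_DLL = re.compile(r"^[a-z]{8}\.dll$")                 # assumed pattern, e.g. jnqihrlu.dll
GENERATED_NAME = re.compile(r"^[A-Za-z]{1,2}[0-9a-f]{8}$")  # assumed pattern, e.g. BM0b6ee4c9

@dataclass
class Entry:
    hive: str
    name: str
    command: str
    target: str                     # file really loaded: the exe, or the DLL for rundll32
    reasons: list = field(default_factory=list)

def _first_token(cmd):
    """Split off the first argument, honouring double quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")

def resolve_target(cmd):
    """Return the file an autostart command really loads."""
    exe, rest = _first_token(cmd)
    if exe.lower().endswith("rundll32.exe") and rest:
        return _first_token(rest.split(",", 1)[0])[0]   # rundll32 "x.dll",Export -> x.dll
    return exe

def parse_o4(line):
    """Parse one HijackThis line; returns None for anything that is not an O4 entry."""
    m = REG_O4.match(line) or LNK_O4.match(line)
    if not m:
        return None
    return Entry(m["hive"], m["name"], m["cmd"], resolve_target(m["cmd"]))

def assess(entry):
    """Attach review reasons; an empty list means nothing stood out."""
    base = entry.target.rsplit("\\", 1)[-1]
    if entry.target == "?":
        entry.reasons.append("shortcut target not resolved by HijackThis")
    elif "\\" not in entry.target:
        entry.reasons.append("unqualified path: binary located via search order, not verifiable from the log")
    if RANDOM_DLL.match(base) and "system32" in entry.target.lower():
        entry.reasons.append("randomly named DLL in system32")
    if GENERATED_NAME.match(entry.name):
        entry.reasons.append("autostart value name looks machine-generated")
    return entry

def triage(log_text):
    """Return the O4 entries of a HijackThis log that deserve a second look, in log order."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is not None and assess(entry).reasons:
            flagged.append(entry)
    return flagged

# Sample input: O4 lines copied from the log posted in this thread, plus one R1 line to ignore.
SAMPLE_LOG = r"""R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [BM0b6ee4c9] Rundll32.exe "C:\WINDOWS\system32\jnqihrlu.dll",s
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - Global Startup: NaturalColorLoad.lnk = ?"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.hive} [{e.name}] -> {e.target}: " + "; ".join(e.reasons))
```

Entries that pass the heuristics are not thereby clean; the script only orders what a reviewer looks at first, and the rundll32 handling matters because the interesting file is the DLL argument, not rundll32 itself.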
 

cohen

New Member
This one is big, I'll leave it to the higher guys, like ceewi1.

Force123, you will be well looked after by ceewi1.
 

ceewi1

VIP Member
My apologies for the delay, there is still more to do.

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\WINDOWS\Tasks\*.job
    C:\WINDOWS\system32\apliolmb.dll
    C:\WINDOWS\system32\ezSP_Px.ex_
    C:\WINDOWS\system32\iafnpjny.dll
    C:\WINDOWS\system32\lsasss.ex_
    C:\WINDOWS\system32\msguoiet.dll
    C:\WINDOWS\system32\NeroCheck.exe
    C:\WINDOWS\system32\pfravfoq.dll
    C:\WINDOWS\system32\ptmtrnss.dll
    C:\WINDOWS\system32\qcyY3hA3.dll
    C:\WINDOWS\system32\tolaqwor.dll
    C:\WINDOWS\system32\vdwyfrhc.dll
    C:\WINDOWS\system32\xbsnkwwg.dll
  • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply. These results are also located at C:\_OTMoveIt\MovedFiles\Date_Time.log, where Date_Time is the date and time you ran OTMoveIt.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please download FindAWF

Save the file to the Desktop
Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.

When done, a text file, the FindAWF report, is produced.
Please provide the FindAWF report in your reply.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Please post
  • The OTMoveIt2 report
  • The FindAWF report
  • The DSS logs
 

force123

New Member
Perfect :)

After ComboFix it got way better. But now it is running so much faster and loads quickly on startup.

I really really don't know how to thank you, I have nothing to say. Thanks A TON man.

Just one last thing:
How can I learn what you did?
Is it pure experience?
Is there somewhere I can read about it?

For example, how did you know that you must put these addresses?
C:\WINDOWS\Tasks\*.job
C:\WINDOWS\system32\apliolmb.dll
C:\WINDOWS\system32\ezSP_Px.ex_
C:\WINDOWS\system32\iafnpjny.dll
C:\WINDOWS\system32\lsasss.ex_
C:\WINDOWS\system32\msguoiet.dll
C:\WINDOWS\system32\NeroCheck.exe
C:\WINDOWS\system32\pfravfoq.dll
C:\WINDOWS\system32\ptmtrnss.dll
C:\WINDOWS\system32\qcyY3hA3.dll
C:\WINDOWS\system32\tolaqwor.dll
C:\WINDOWS\system32\vdwyfrhc.dll
C:\WINDOWS\system32\xbsnkwwg.dll
 

ceewi1

VIP Member
Good to hear. Learning to do this is a matter of both training and experience. There are a number of online sites that provide training in this area, and I've listed a number of them here. All these courses require significant time and effort to complete, but it is rewarding.

Please click on Start -> Run. Type ComboFix /u and click OK.
Note the space between the ComboFix and the /u
This will remove the backups that ComboFix has created as well as the program itself.

I notice that you do not seem to be running antivirus software. This is somewhat suicidal in today's digital world, and makes it almost inevitable that you will be reinfected. AVG makes an excellent free antivirus client, as do AntiVir or avast!.

I strongly suggest you download and install one of these free programs, allow it to do a full scan and remove anything it finds.

You can safely re-enable TeaTimer now by opening up Spybot S&D, clicking on Tools -> Resident and checking Resident TeaTimer

Below I have included some other ideas on how to prevent future infections.

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

Please navigate to http://windowsupdate.microsoft.com and download all the Critical Updates for Windows. These will patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.

Some good free firewalls are ZoneAlarm, Kerio, or Outpost. All of these will provide a far greater level of protection than the firewall built into Windows.
A tutorial on understanding and using firewalls may be found here.

I notice you are running Spybot, which is good. You might want to consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

If you use Internet Explorer, it is a good idea to use IE-Spyad which provides protections against malicious websites.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster and IE-Spyad can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money, and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure or are looking for anti-spyware programs, you can find out if one is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker, and add-ons like NoScript can make it even more secure. Opera is another good option.
If you are interested, Firefox may be downloaded from here.
Opera is available here: http://www.opera.com/download/

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. :)
 

force123

New Member
Again thanks for the big help, I'll just bookmark this thread for later reviews.

Personally I use Firefox, I can't stand IE, as I've faced much trouble coding HTML with it.
This PC was my friend's. I'll just start reading and learning about the whole process.

Glad to meet you man :)
 