QQ chinese pop up virus??

  1. Please download the latest copy of HijackThis from Trend Micro and save it to your desktop.
  2. Double click on HJTInstall.exe to install it. Click on Install. By default, it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Read through the License Agreement presented to you on the next screen and click on I Accept.
  4. Once installed, HijackThis will start automatically. If it doesn't, please go to your desktop and rename the HijackThis shortcut created there to "clean.exe" and then double click on it.
  5. Select Do a system scan and save a logfile.
  6. Close HijackThis.

Please post the contents of the post here for the experts to review and help you with the removal.
Note: Do not click on the AnalyzeThis button.

Do not fix any lines you see in HijackThis as most entries are harmless and needed for the normal functioning of Windows.

P.S :Please note that I will not be participating in your fix because I'm still under training. This is just to help the experts here and to save time.
 
Last edited:
xxarlokxx said:
Everytime i turn on my comp, it has a pop=up saying QQ and then i cant close it or move it...So i was asked to post a hijackthis log,but then i cant even launch that .exe file. So what can i do?? Please help...:confused:

i got this off some other guy in this forum who has the same problem.
http://img46.imageshack.us/my.php?image=qqtw5.jpg
Click to expand...

Out of curiosity did you use some Chinese software? Such as a messenger or antivirus from China?

Try this first, download combofix and post the log back here. Make sure you have your antivirus and firewall disabled. You can download it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You could try to download McAfee Stinger and see if that helps. If it does not run try it in safe mode.

Here's the link:

http://vil.nai.com/vil/stinger/
 
Last edited:
Hello:

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
 
combo fix stalled and i end process vfind.exe

ComboFix 08-06-20.4 - Steven C 2008-06-28 2:34:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.176 [GMT -4:00]Running from: C:\Documents and Settings\Steven C\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\microsoft\office\system
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\ntptdb.sys
C:\Documents and Settings\All Users\Application Data\microsoft\office\userdata
C:\Documents and Settings\All Users\Application Data\microsoft\office\userdata\_keepfile
C:\Documents and Settings\All Users\Application Data\microsoft\office\userdata\GcO7m7nTPh.dll
C:\Documents and Settings\All Users\Application Data\microsoft\pctools
C:\Documents and Settings\All Users\Application Data\microsoft\pctools\pctools.dll
C:\Documents and Settings\Steven C\Favorites\ÕÒµ½123ÍøÖ·µ¼º½.url
C:\Documents and Settings\Steven C\Favorites\Ò»ÆðÀ´ÒôÀÖÉçÇø.url
C:\Documents and Settings\Steven C\Local Settings\Temporary Internet Files\__fdkfjfjgjitijk
C:\Documents and Settings\Steven C\Local Settings\Temporary Internet Files\_inifid
C:\Documents and Settings\Steven C\Local Settings\Temporary Internet Files\_inifiletime3
C:\Documents and Settings\Steven C\Local Settings\Temporary Internet Files\_inimac
C:\Documents and Settings\Steven C\Local Settings\Temporary Internet Files\_kdacoptfg
C:\Documents and Settings\Steven C\Local Settings\Temporary Internet Files\_loaderfiletime2
C:\Program Files\Internet Explorer\PLUGINS\UnixSys32.Jmp
C:\Program Files\Microsoft Office\SYSTEM\apcdli.sys
C:\WINDOWS\Fonts\system
C:\WINDOWS\KB611311.log
C:\WINDOWS\system32\12143287191.exe
C:\WINDOWS\system32\12143363291.exe
C:\WINDOWS\system32\12143399311.exe
C:\WINDOWS\system32\12143435321.exe
C:\WINDOWS\system32\12144095141.exe
C:\WINDOWS\system32\12144131261.exe
C:\WINDOWS\system32\12144167341.exe
C:\WINDOWS\system32\12145453241.exe
C:\WINDOWS\system32\aitlasys.exe
C:\WINDOWS\system32\axmsawin.exe
C:\WINDOWS\system32\azzxaime.exe
C:\WINDOWS\system32\cgsqatyu.sys
C:\WINDOWS\system32\d3d1caps.srg
C:\WINDOWS\system32\drivers\acpidisk.sys
C:\WINDOWS\system32\F411997C.EXE
C:\WINDOWS\system32\fstlbsys.sys
C:\WINDOWS\system32\fxzxbime.sys
C:\WINDOWS\system32\fzmsbwin.sys
C:\WINDOWS\system32\ghwxattb.exe
C:\WINDOWS\system32\gpsgajba.sys
C:\WINDOWS\system32\gsdhadwd.sys
C:\WINDOWS\system32\ijsgajba.sys
C:\WINDOWS\system32\isdsasrv.exe
C:\WINDOWS\system32\ismhasrv.exe
C:\WINDOWS\system32\jbhxabyt.exe
C:\WINDOWS\system32\jkhxaklo.dll
C:\WINDOWS\system32\lofsdjbo.dll
C:\WINDOWS\system32\lojxadwd.exe
C:\WINDOWS\system32\lpsgajba.exe
C:\WINDOWS\system32\mnmhgsrv.dll
C:\WINDOWS\system32\mprmsgse.axz
C:\WINDOWS\system32\mscpx32r.det
C:\WINDOWS\system32\newxbttb.sys
C:\WINDOWS\system32\oohxdbyt.dll
C:\WINDOWS\system32\oswxdttb.dll
C:\WINDOWS\system32\ozfyebyt.dll
C:\WINDOWS\system32\pjjxedwd.dll
C:\WINDOWS\system32\pldhadwd.exe
C:\WINDOWS\system32\pmjhbhlp.sys
C:\WINDOWS\system32\posqatyu.exe
C:\WINDOWS\system32\ptjhehlp.dll
C:\WINDOWS\system32\s2da2f323.dll
C:\WINDOWS\system32\simyaapi.exe
C:\WINDOWS\system32\smhxbbyt.sys
C:\WINDOWS\system32\smmhbsrv.sys
C:\WINDOWS\system32\spjhahlp.exe
C:\WINDOWS\system32\spmybapi.sys
C:\WINDOWS\system32\tisqatyu.dll
C:\WINDOWS\system32\tiwxattb.sys
C:\WINDOWS\system32\wymxajkl.sys
C:\WINDOWS\system32\xfztbmsn.sys
C:\WINDOWS\system32\xzcsbhlp.sys
C:\WINDOWS\system32\ysjxbdwd.sys
C:\WINDOWS\system32\yxcschlp.dll
C:\WINDOWS\system32\zaztamsn.exe
C:\WINDOWS\system32\zptlcsys.dll
C:\WINDOWS\system32\zxcsahlp.exe
C:\WINDOWS\system32\zycbdime.dll
C:\WINDOWS\system32\zyzxjime.dll
C:\WINDOWS\tempaq

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ACPIDISK
-------\Legacy_APCDLI
-------\Legacy_NTPTDB
-------\Service_acpidisk
-------\Service_apcdli
-------\Service_F411997C
-------\Service_ntptdb
-------\Legacy_A3EE8B5E
-------\Service_A3EE8B5E


((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-28 )))))))))))))))))))))))))))))))
.

2008-06-28 02:21 . 2008-06-28 02:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-28 01:51 . 2008-06-28 01:51 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-06-27 00:32 . 2008-06-28 01:39 189,440 --a------ C:\WINDOWS\system32\syswindrv.dll
2008-06-26 12:48 . 2008-06-27 00:44 31,200 --a------ C:\Documents and Settings\Steven C\setupj.exe
2008-06-25 14:56 . 2008-06-25 14:56 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-06-25 14:49 . 2008-06-25 14:49 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-06-25 06:11 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-25 04:38 . 2007-07-09 09:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-06-25 03:59 . 2008-06-25 03:59 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-25 03:59 . 2008-06-25 05:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-25 03:33 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-06-25 02:09 . 2008-06-25 13:31 30,968 --a------ C:\Documents and Settings\Steven C\setupg.exe
2008-06-24 12:46 . 2008-01-05 16:53 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-24 09:49 . 2008-06-26 08:38 183,296 --a------ C:\WINDOWS\system32\systemdrv.dll
2008-06-24 08:14 . 2008-06-24 00:10 31,048 --------- C:\Documents and Settings\Steven C\setupd.exe
2008-06-24 06:47 . 2008-06-24 06:47 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-06-24 06:04 . 2008-06-28 01:39 49,152 --a------ C:\WINDOWS\system32\5A634FAC.DLL
2008-06-24 06:04 . 2008-06-24 06:04 30,840 --a------ C:\WINDOWS\mplayer1925.mp4
2008-06-24 06:04 . 2008-06-24 06:04 24,576 --a------ C:\WINDOWS\system32\quaryfy.dll
2008-06-24 06:04 . 2008-06-24 06:04 24,576 --a------ C:\WINDOWS\system32\padlod.dll
2008-06-24 06:04 . 2008-06-24 06:04 24,576 --a------ C:\WINDOWS\system32\jordspa.dll
2008-06-24 06:03 . 2008-06-24 06:03 28,672 --a------ C:\WINDOWS\system32\verptw.dll
2008-06-24 06:03 . 2008-06-24 06:03 24,576 --a------ C:\WINDOWS\system32\termilly.dll
2008-06-24 06:03 . 2008-06-24 06:03 24,576 --a------ C:\WINDOWS\system32\msbod.dll
2008-06-24 06:03 . 2008-06-28 01:38 24 --a------ C:\WINDOWS\system32\qbhxaklo.sys
2008-06-24 06:03 . 2008-06-28 02:46 24 --a------ C:\WINDOWS\system32\ijzhatde.sys
2008-06-24 06:02 . 2008-06-24 06:02 25,788 --a------ C:\WINDOWS\mplayer7947.mp4
2008-06-24 06:01 . 2008-06-24 06:01 24,576 --a------ C:\WINDOWS\system32\welldon.dll
2008-06-24 06:01 . 2008-06-24 06:01 11,264 --a------ C:\WINDOWS\system32\welldonk.exe
2008-06-24 06:00 . 2008-06-24 06:04 6,483 --a------ C:\WINDOWS\system32\atielf.dat
2008-06-24 01:15 . 2008-06-24 01:16 <DIR> d-------- C:\Program Files\QuickTime
2008-06-24 01:13 . 2008-06-24 01:13 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-06-22 04:15 . 2008-06-22 04:15 <DIR> d-------- C:\Downloads
2008-06-22 04:15 . 2008-06-22 04:15 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2008-06-22 04:14 . 2008-06-22 04:20 <DIR> d-------- C:\Program Files\BitComet
2008-06-06 02:05 . 2008-06-06 02:05 <DIR> d-------- C:\WINDOWS\system32\NtmsData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-25 09:51 --------- d-----w C:\Program Files\Steam
2008-06-24 15:52 --------- d-----w C:\Program Files\Warcraft III
2008-06-24 05:18 --------- d-----w C:\Documents and Settings\Steven C\Application Data\Apple Computer
2008-06-24 05:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-22 08:02 --------- d-----w C:\Documents and Settings\Steven C\Application Data\uTorrent
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-21 16:47 --------- d-----w C:\Documents and Settings\Steven C\Application Data\Samsung
2008-05-21 16:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-21 06:11 --------- d-----w C:\Program Files\Samsung
2008-05-18 09:46 --------- d-----w C:\Program Files\Tales of Pirates Online
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 03:02 --------- d-----w C:\Program Files\SopCast
2008-05-06 04:16 --------- d-----w C:\Documents and Settings\Steven C\Application Data\vlc
2008-05-06 04:15 --------- d-----w C:\Program Files\VideoLAN
2008-04-30 14:36 --------- d-----w C:\Program Files\NETVIGATOR
2008-02-01 02:35 28,080 ----a-w C:\Documents and Settings\Steven C\Application Data\GDIPFONTCACHEV1.DAT
2004-08-08 10:02 537,608 --sh--w C:\WINDOWS\system32\apsggjba.dll
2004-08-08 10:03 538,120 --sh--w C:\WINDOWS\system32\apzhctde.dll
2004-08-08 10:04 535,560 --sh--w C:\WINDOWS\system32\arjreler.dll
2004-08-08 10:02 16,613 --sh--w C:\WINDOWS\system32\azcbaime.exe
2004-08-08 10:03 16,255 --sh--w C:\WINDOWS\system32\dehxaklo.exe
2004-08-08 10:04 16,582 --sh--w C:\WINDOWS\system32\dsdyapaw.exe
2004-08-08 10:04 541,192 --sh--w C:\WINDOWS\system32\fgfsbkuy.dll
2004-08-08 10:02 520 --sh--w C:\WINDOWS\system32\fxcbbime.sys
2004-08-08 10:03 520 --sh--w C:\WINDOWS\system32\gpzhatde.sys
2004-08-08 10:04 533,000 --sh--w C:\WINDOWS\system32\ietzbpaq.dll
2004-08-08 10:04 536,584 --sh--w C:\WINDOWS\system32\ijdyapaw.dll
2004-08-08 10:04 520 --sh--w C:\WINDOWS\system32\iujraler.sys
2004-08-08 10:02 16,289 --sh--w C:\WINDOWS\system32\lpmxajkl.exe
2004-08-08 10:03 17,228 --sh--w C:\WINDOWS\system32\lpzhatde.exe
2004-08-08 10:04 16,530 --sh--w C:\WINDOWS\system32\mkjraler.exe
2004-08-08 10:02 536,072 --sh--w C:\WINDOWS\system32\mndhfdwd.dll
2004-08-08 10:02 534,024 --sh--w C:\WINDOWS\system32\mndsgsrv.dll
2004-08-08 10:02 536,072 --sh--w C:\WINDOWS\system32\nhmxcjkl.dll
2004-08-08 10:04 520 --sh--w C:\WINDOWS\system32\nttzapaq.sys
2004-08-08 10:04 15,154 --sh--w C:\WINDOWS\system32\oltzapaq.exe
2004-08-08 10:04 520 --sh--w C:\WINDOWS\system32\pgfsakuy.sys
2004-08-08 10:04 520 --sh--w C:\WINDOWS\system32\pzdyapaw.sys
2004-08-08 10:02 520 --sh--w C:\WINDOWS\system32\rnmxajkl.sys
2004-08-08 10:02 520 --sh--w C:\WINDOWS\system32\smdsbsrv.sys
2004-08-08 10:04 520 --sh--w C:\WINDOWS\system32\snfybbyt.sys
2004-08-08 10:04 15,129 --sh--w C:\WINDOWS\system32\tjfyabyt.exe
2004-08-08 10:04 15,629 --sh--w C:\WINDOWS\system32\tpfsajbo.exe
2004-08-08 10:03 520 --sh--w C:\WINDOWS\system32\vlhxaklo.sys
2004-08-08 10:04 520 --sh--w C:\WINDOWS\system32\xbfsbjbo.sys
2004-08-08 10:03 520 --sh--w C:\WINDOWS\system32\xscqbhlp.sys
2004-08-08 10:03 539,144 --sh--w C:\WINDOWS\system32\ypcqghlp.dll
2004-08-08 10:04 19,684 --sh--w C:\WINDOWS\system32\yufsakuy.exe
2004-08-08 10:02 536,584 --sh--w C:\WINDOWS\system32\yzztkmsn.dll
2004-08-08 10:03 19,297 --sh--w C:\WINDOWS\system32\zscqahlp.exe
2004-08-08 10:02 537,608 --sh--w C:\WINDOWS\system32\zxmsdwin.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14698742-2059-3025-9058-954023874141}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18093456-9012-4568-9076-908765467181}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1A698452-C5D8-C584-C256-C264C987C5A1}]
2004-08-08 06:04 536584 ---hs---- C:\WINDOWS\system32\ijdyapaw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29109876-7619-9101-7012-901938475192}]
2004-08-08 06:04 533000 ---hs---- C:\WINDOWS\system32\ietzbpaq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{35671234-7890-ABCD-CDEF-567801237653}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37AC9076-C898-B098-D098-A18319080973}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{385AB8C6-FB22-4D17-8834-064E2BA0A6F0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3D698451-2015-6358-9871-2015987452D3}]
2004-08-08 06:03 538120 ---hs---- C:\WINDOWS\system32\apzhctde.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{43512378-9874-5641-1025-985420368734}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{470165F1-9F65-569F-F895-F14F58F41074}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A698102-5904-AFD0-20DF-CD1A65829CA4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{50940F85-F015-14F1-A05F-F69858AC6D05}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{528DF602-9541-A985-210A-984A698C6F25}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54FAE856-AD58-20CB-A025-CD4895FA6E45}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A069845-2036-6084-9054-6087502480A5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5B1AEF69-DDAE-FDAD-DCAB-698F026ABDB5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C648541-1025-9650-9057-6541258720C6}]
2004-08-08 06:02 536072 ---hs---- C:\WINDOWS\system32\mndhfdwd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6E091341-6715-2098-51F0-178367AE53E6}]
2004-08-08 06:04 541192 ---hs---- C:\WINDOWS\system32\fgfsbkuy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74381DEC-D78B-43E4-BA5D-5244F669EBE4}]
2008-06-24 06:04 44664 --ahs---- C:\Program Files\Internet Explorer\PLUGINS\UnixSys08.Sys

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77FD640A-158F-48AC-FD14-1597F14A9777}]
2004-08-08 06:02 534024 ---hs---- C:\WINDOWS\system32\mndsgsrv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7A041F13-A111-12A3-B0CF-F99818AA68A7}]
2004-08-08 06:02 537608 ---hs---- C:\WINDOWS\system32\zxmsdwin.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C69034A-F45F-D34D-A33A-C33C4D324FC7}]
2004-08-08 06:04 535560 ---hs---- C:\WINDOWS\system32\arjreler.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C8D1401-A58D-A81C-CD24-A5915C4517C7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7FD45A54-9875-698F-E56E-65102358FDF7}]
2004-08-08 06:02 537608 ---hs---- C:\WINDOWS\system32\apsggjba.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{80AF1289-F140-A140-D012-C1458759FC08}]
2004-08-08 06:03 539144 ---hs---- C:\WINDOWS\system32\ypcqghlp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{986488AF-13D5-9DDF-4FEF-9FB88698CFC1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A629FF4F-ACDB-5C90-A098-FACB3456A26A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA59145F-315D-BC23-AC1F-145DF81A34AA}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B490415F-65F8-B5C5-D8BA-9405FB12054B}]
2004-08-08 06:02 536584 ---hs---- C:\WINDOWS\system32\yzztkmsn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"Sticker"="C:\Program Files\MoRUN.net\Sticker\sticker.exe" [ ]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 20:04 139264]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 13:54 5674352]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 23:32 208952]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 17:39 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 17:39 455168]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 13:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 15:01 88209 C:\WINDOWS\AGRSMMSG.exe]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 18:49 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 04:23 75520]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-04 22:24 185896]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 06:48 157592]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"EPSON Stylus CX1500 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE" [2004-03-22 13:00 99840]
"EPSON Stylus CX1500 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE" [2004-03-22 13:00 99840]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 01:56 15360]

C:\Documents and Settings\Steven C\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B490415F-65F8-B5C5-D8BA-9405FB12054B}"= C:\WINDOWS\system32\yzztkmsn.dll [2004-08-08 06:02 536584]
"{7A041F13-A111-12A3-B0CF-F99818AA68A7}"= C:\WINDOWS\system32\zxmsdwin.dll [2004-08-08 06:02 537608]
"{7FD45A54-9875-698F-E56E-65102358FDF7}"= C:\WINDOWS\system32\apsggjba.dll [2004-08-08 06:02 537608]
"{6C648541-1025-9650-9057-6541258720C6}"= C:\WINDOWS\system32\mndhfdwd.dll [2004-08-08 06:02 536072]
"{77FD640A-158F-48AC-FD14-1597F14A9777}"= C:\WINDOWS\system32\mndsgsrv.dll [2004-08-08 06:02 534024]
"{80AF1289-F140-A140-D012-C1458759FC08}"= C:\WINDOWS\system32\ypcqghlp.dll [2004-08-08 06:03 539144]
"{3D698451-2015-6358-9871-2015987452D3}"= C:\WINDOWS\system32\apzhctde.dll [2004-08-08 06:03 538120]
"{6E091341-6715-2098-51F0-178367AE53E6}"= C:\WINDOWS\system32\fgfsbkuy.dll [2004-08-08 06:04 541192]
"{7C69034A-F45F-D34D-A33A-C33C4D324FC7}"= C:\WINDOWS\system32\arjreler.dll [2004-08-08 06:04 535560]
"{29109876-7619-9101-7012-901938475192}"= C:\WINDOWS\system32\ietzbpaq.dll [2004-08-08 06:04 533000]
"{1A698452-C5D8-C584-C256-C264C987C5A1}"= C:\WINDOWS\system32\ijdyapaw.dll [2004-08-08 06:04 536584]
"{74381DEC-D78B-43E4-BA5D-5244F669EBE4}"= C:\Program Files\Internet Explorer\PLUGINS\UnixSys08.Sys [2008-06-24 06:04 44664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=welldon.dll,nhmxcjkl.dll,yzztkmsn.dll msbod.dll,tisqatyu.dll termilly.dll verptw.dll quaryfy.dll padlod.dll,arjreler.dll,ietzbpaq.dll jordspa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options]
Debugger=C:\WINDOWS\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ati2evxx.exe]
Debugger=C:\WINDOWS\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\egui.exe]
Debugger=C:\WINDOWS\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\idag.exe]
Debugger=C:\WINDOWS\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kaccore.exe]
Debugger=C:\WINDOWS\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\OllyDBG.EXE]
Debugger=C:\WINDOWS\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\OllyICE.EXE]
Debugger=C:\WINDOWS\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\procexp.exe]
Debugger=C:\WINDOWS\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ravtool.exe]
Debugger=C:\WINDOWS\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\regtool.exe]
Debugger=C:\WINDOWS\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwproxy.exeFYFireWall.exe]
Debugger=C:\WINDOWS\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\safebank.exe]
Debugger=C:\WINDOWS\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\WinDbg.exe]
Debugger=C:\WINDOWS\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-03-31 01:42 1271032 C:\Program Files\Steam\Steam.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Starcraft\\StarCraft.exe"=
"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaws.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\Steam\\steamapps\\[email protected]\\counter-strike\\hl.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Steam\\steamapps\\[email protected]\\day of defeat\\hl.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1700:TCP"= 1700:TCP:Utor1
"1720:TCP"= 1720:TCP:utorrent
"1720:UDP"= 1720:UDP:utorrent1
"12535:TCP"= 12535:TCP:BitComet 12535 TCP
"12535:UDP"= 12535:UDP:BitComet 12535 UDP

S0 hjjku3xohj;hjjku3xohj;C:\WINDOWS\system32\drivers\hjjku3xohj.sys [2004-08-04 01:56]
S0 tfj4g0kc8q;tfj4g0kc8;C:\WINDOWS\system32\DRIVERS\tfj4g0kc8q.sys [2004-08-04 01:56]
S3 epflt15;epflt15;C:\WINDOWS\system32\DRIVERS\epflt15.SYS [2004-10-09 16:10]
S3 esflt15;esflt15;C:\WINDOWS\system32\DRIVERS\esflt15.SYS [2004-11-16 19:52]
S3 sssdbus;SAMSUNG WMC Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sssdbus.sys [2007-07-05 12:37]
S3 sssdmdfl;SAMSUNG Modem Filter;C:\WINDOWS\system32\DRIVERS\sssdmdfl.sys [2007-07-05 12:37]
S3 sssdmdm;SAMSUNG Modem Driver;C:\WINDOWS\system32\DRIVERS\sssdmdm.sys [2007-07-05 12:37]
S3 sssdmgmt;SAMSUNG AT command Port Drivers (WDM);C:\WINDOWS\system32\DRIVERS\sssdmgmt.sys [2007-07-05 12:37]
S3 sssdobex;SAMSUNG OBEX Port Drivers (WDM);C:\WINDOWS\system32\DRIVERS\sssdobex.sys [2007-07-05 12:37]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-28 02:46:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
**************************************************************************
.
Completion time: 2008-06-28 2:53:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-28 06:52:48

Pre-Run: 29,551,484,928 bytes free
Post-Run: 32,333,004,800 bytes free

377 --- E O F --- 2008-06-28 05:53:03


Respital said:
Hello:

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Click to expand...
 
sorry for double post...
To the other person question about using china's program.
Nah, i use english messenger, i was on some chinese forum thought. Somehow i started getting this pop-up
 
Thanks for the process information.
This looks like a heavy infection. Among these files to delete, more than 30 were some Chinese origin random files.
Download Avenger, and unzip it to your desktop or somewhere you can find it. (Do not run it yet).

Note: This program is for use on Windows XP 32 bit systems only, and must be run from an Administrator account.

  • Open a Notepad file by clicking Start > Run and typing Notepad.exe in the box, click OK.
  • Click Format, and ensure Word Wrap is unchecked.
  • Copy and Paste the text in the box below into Notepad.
  • Now save the file as RemoveFiles.txt in a location where you can find it.

Files to delete:
C:\WINDOWS\system32\syswindrv.dll
C:\Documents and Settings\Steven C\setupj.exe
C:\WINDOWS\system32\systemdrv.dll
C:\WINDOWS\mplayer1925.mp4
C:\WINDOWS\system32\quaryfy.dll
C:\WINDOWS\system32\padlod.dll
C:\WINDOWS\system32\jordspa.dll
C:\WINDOWS\system32\verptw.dll
C:\WINDOWS\system32\termilly.dll
C:\WINDOWS\system32\msbod.dll
C:\WINDOWS\system32\qbhxaklo.sys
C:\WINDOWS\system32\ijzhatde.sys
C:\WINDOWS\mplayer7947.mp4
C:\WINDOWS\system32\welldon.dll
C:\WINDOWS\system32\welldonk.exe
C:\WINDOWS\system32\atielf.dat
C:\WINDOWS\system32\apsggjba.dll
C:\WINDOWS\system32\apzhctde.dll
C:\WINDOWS\system32\arjreler.dll
C:\WINDOWS\system32\azcbaime.exe
C:\WINDOWS\system32\dehxaklo.exe
C:\WINDOWS\system32\dsdyapaw.exe
C:\WINDOWS\system32\fgfsbkuy.dll
C:\WINDOWS\system32\fxcbbime.sys
C:\WINDOWS\system32\gpzhatde.sys
C:\WINDOWS\system32\ietzbpaq.dll
C:\WINDOWS\system32\ijdyapaw.dll
C:\WINDOWS\system32\iujraler.sys
C:\WINDOWS\system32\lpmxajkl.exe
C:\WINDOWS\system32\lpzhatde.exe
C:\WINDOWS\system32\mkjraler.exe
C:\WINDOWS\system32\mndhfdwd.dll
C:\WINDOWS\system32\mndsgsrv.dll
C:\WINDOWS\system32\nhmxcjkl.dll
C:\WINDOWS\system32\nttzapaq.sys
C:\WINDOWS\system32\oltzapaq.exe
C:\WINDOWS\system32\pgfsakuy.sys
C:\WINDOWS\system32\pzdyapaw.sys
C:\WINDOWS\system32\rnmxajkl.sys
C:\WINDOWS\system32\smdsbsrv.sys
C:\WINDOWS\system32\snfybbyt.sys
C:\WINDOWS\system32\tjfyabyt.exe
C:\WINDOWS\system32\tpfsajbo.exe
C:\WINDOWS\system32\vlhxaklo.sys
C:\WINDOWS\system32\xbfsbjbo.sys
C:\WINDOWS\system32\xscqbhlp.sys
C:\WINDOWS\system32\ypcqghlp.dll
C:\WINDOWS\system32\yufsakuy.exe
C:\WINDOWS\system32\yzztkmsn.dll
C:\WINDOWS\system32\zscqahlp.exe
C:\WINDOWS\system32\zxmsdwin.dll
Drivers to unload:
C:\WINDOWS\system32\qbhxaklo.sys
C:\WINDOWS\system32\ijzhatde.sys
C:\WINDOWS\system32\fxcbbime.sys
C:\WINDOWS\system32\gpzhatde.sys
C:\WINDOWS\system32\nttzapaq.sys
C:\WINDOWS\system32\pgfsakuy.sys
C:\WINDOWS\system32\pzdyapaw.sys
C:\WINDOWS\system32\rnmxajkl.sys
C:\WINDOWS\system32\smdsbsrv.sys
C:\WINDOWS\system32\snfybbyt.sys
C:\WINDOWS\system32\vlhxaklo.sys
C:\WINDOWS\system32\xbfsbjbo.sys
C:\WINDOWS\system32\xscqbhlp.sys
Click to expand...
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Start Avenger by double clicking on Avenger.exe.
  • Check Load script from file:
  • Click on the folder symbol below and to the right, and browse to RemoveFiles.txt.
  • Double click it to enter it into Avenger.
  • Click the green traffic light symbol.
  • You will be asked if you want to execute the script, answer Yes.
  • At this point you may get prompts from your protection systems, allow them please.
  • Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
  • Answer Yes, and allow your computer to re-boot.
  • Upon re-boot a command window will briefly appear on screen (this is normal).
  • A Notepad text file will be created C:\avenger.txt.
  • Copy and Paste it into your next post please.

Please post a HijackThis log in the next post, with the Avenger.txt.
To post a HijackThis log:
Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
  • Click Save to save the log file and then the log will open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
 
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\syswindrv.dll" deleted successfully.
File "C:\Documents and Settings\Steven C\setupj.exe" deleted successfully.
File "C:\WINDOWS\system32\systemdrv.dll" deleted successfully.
File "C:\WINDOWS\mplayer1925.mp4" deleted successfully.
File "C:\WINDOWS\system32\quaryfy.dll" deleted successfully.
File "C:\WINDOWS\system32\padlod.dll" deleted successfully.
File "C:\WINDOWS\system32\jordspa.dll" deleted successfully.
File "C:\WINDOWS\system32\verptw.dll" deleted successfully.
File "C:\WINDOWS\system32\termilly.dll" deleted successfully.
File "C:\WINDOWS\system32\msbod.dll" deleted successfully.
File "C:\WINDOWS\system32\qbhxaklo.sys" deleted successfully.
File "C:\WINDOWS\system32\ijzhatde.sys" deleted successfully.
File "C:\WINDOWS\mplayer7947.mp4" deleted successfully.
File "C:\WINDOWS\system32\welldon.dll" deleted successfully.
File "C:\WINDOWS\system32\welldonk.exe" deleted successfully.
File "C:\WINDOWS\system32\atielf.dat" deleted successfully.
File "C:\WINDOWS\system32\apsggjba.dll" deleted successfully.
File "C:\WINDOWS\system32\apzhctde.dll" deleted successfully.
File "C:\WINDOWS\system32\arjreler.dll" deleted successfully.
File "C:\WINDOWS\system32\azcbaime.exe" deleted successfully.
File "C:\WINDOWS\system32\dehxaklo.exe" deleted successfully.
File "C:\WINDOWS\system32\dsdyapaw.exe" deleted successfully.
File "C:\WINDOWS\system32\fgfsbkuy.dll" deleted successfully.
File "C:\WINDOWS\system32\fxcbbime.sys" deleted successfully.
File "C:\WINDOWS\system32\gpzhatde.sys" deleted successfully.
File "C:\WINDOWS\system32\ietzbpaq.dll" deleted successfully.
File "C:\WINDOWS\system32\ijdyapaw.dll" deleted successfully.
File "C:\WINDOWS\system32\iujraler.sys" deleted successfully.
File "C:\WINDOWS\system32\lpmxajkl.exe" deleted successfully.
File "C:\WINDOWS\system32\lpzhatde.exe" deleted successfully.
File "C:\WINDOWS\system32\mkjraler.exe" deleted successfully.
File "C:\WINDOWS\system32\mndhfdwd.dll" deleted successfully.
File "C:\WINDOWS\system32\mndsgsrv.dll" deleted successfully.
File "C:\WINDOWS\system32\nhmxcjkl.dll" deleted successfully.
File "C:\WINDOWS\system32\nttzapaq.sys" deleted successfully.
File "C:\WINDOWS\system32\oltzapaq.exe" deleted successfully.
File "C:\WINDOWS\system32\pgfsakuy.sys" deleted successfully.
File "C:\WINDOWS\system32\pzdyapaw.sys" deleted successfully.
File "C:\WINDOWS\system32\rnmxajkl.sys" deleted successfully.
File "C:\WINDOWS\system32\smdsbsrv.sys" deleted successfully.
File "C:\WINDOWS\system32\snfybbyt.sys" deleted successfully.
File "C:\WINDOWS\system32\tjfyabyt.exe" deleted successfully.
File "C:\WINDOWS\system32\tpfsajbo.exe" deleted successfully.
File "C:\WINDOWS\system32\vlhxaklo.sys" deleted successfully.
File "C:\WINDOWS\system32\xbfsbjbo.sys" deleted successfully.
File "C:\WINDOWS\system32\xscqbhlp.sys" deleted successfully.
File "C:\WINDOWS\system32\ypcqghlp.dll" deleted successfully.
File "C:\WINDOWS\system32\yufsakuy.exe" deleted successfully.
File "C:\WINDOWS\system32\yzztkmsn.dll" deleted successfully.
File "C:\WINDOWS\system32\zscqahlp.exe" deleted successfully.
File "C:\WINDOWS\system32\zxmsdwin.dll" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\C:\WINDOWS\system32\qbhxaklo.sys" not found!
Deletion of driver "C:\WINDOWS\system32\qbhxaklo.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\C:\WINDOWS\system32\ijzhatde.sys" not found!
Deletion of driver "C:\WINDOWS\system32\ijzhatde.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\C:\WINDOWS\system32\fxcbbime.sys" not found!
Deletion of driver "C:\WINDOWS\system32\fxcbbime.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\C:\WINDOWS\system32\gpzhatde.sys" not found!
Deletion of driver "C:\WINDOWS\system32\gpzhatde.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\C:\WINDOWS\system32\nttzapaq.sys" not found!
Deletion of driver "C:\WINDOWS\system32\nttzapaq.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\C:\WINDOWS\system32\pgfsakuy.sys" not found!
Deletion of driver "C:\WINDOWS\system32\pgfsakuy.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\C:\WINDOWS\system32\pzdyapaw.sys" not found!
Deletion of driver "C:\WINDOWS\system32\pzdyapaw.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\C:\WINDOWS\system32\rnmxajkl.sys" not found!
Deletion of driver "C:\WINDOWS\system32\rnmxajkl.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\C:\WINDOWS\system32\smdsbsrv.sys" not found!
Deletion of driver "C:\WINDOWS\system32\smdsbsrv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\C:\WINDOWS\system32\snfybbyt.sys" not found!
Deletion of driver "C:\WINDOWS\system32\snfybbyt.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\C:\WINDOWS\system32\vlhxaklo.sys" not found!
Deletion of driver "C:\WINDOWS\system32\vlhxaklo.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\C:\WINDOWS\system32\xbfsbjbo.sys" not found!
Deletion of driver "C:\WINDOWS\system32\xbfsbjbo.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\C:\WINDOWS\system32\xscqbhlp.sys" not found!
Deletion of driver "C:\WINDOWS\system32\xscqbhlp.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.
 
This is the hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:15:10 AM, on 6/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: ijdyapaw.dll - {1A698452-C5D8-C584-C256-C264C987C5A1} - C:\WINDOWS\system32\ijdyapaw.dll (file missing)
O2 - BHO: ietzbpaq.dll - {29109876-7619-9101-7012-901938475192} - C:\WINDOWS\system32\ietzbpaq.dll (file missing)
O2 - BHO: nhmxcjkl.dll - {37AC9076-C898-B098-D098-A18319080973} - C:\WINDOWS\system32\nhmxcjkl.dll (file missing)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: apzhctde.dll - {3D698451-2015-6358-9871-2015987452D3} - C:\WINDOWS\system32\apzhctde.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: mndhfdwd.dll - {6C648541-1025-9650-9057-6541258720C6} - C:\WINDOWS\system32\mndhfdwd.dll (file missing)
O2 - BHO: fgfsbkuy.dll - {6E091341-6715-2098-51F0-178367AE53E6} - C:\WINDOWS\system32\fgfsbkuy.dll (file missing)
O2 - BHO: (no name) - {74381DEC-D78B-43E4-BA5D-5244F669EBE4} - C:\Program Files\Internet Explorer\PLUGINS\UnixSys08.Sys
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: mndsgsrv.dll - {77FD640A-158F-48AC-FD14-1597F14A9777} - C:\WINDOWS\system32\mndsgsrv.dll (file missing)
O2 - BHO: zxmsdwin.dll - {7A041F13-A111-12A3-B0CF-F99818AA68A7} - C:\WINDOWS\system32\zxmsdwin.dll (file missing)
O2 - BHO: arjreler.dll - {7C69034A-F45F-D34D-A33A-C33C4D324FC7} - C:\WINDOWS\system32\arjreler.dll (file missing)
O2 - BHO: apsggjba.dll - {7FD45A54-9875-698F-E56E-65102358FDF7} - C:\WINDOWS\system32\apsggjba.dll (file missing)
O2 - BHO: ypcqghlp.dll - {80AF1289-F140-A140-D012-C1458759FC08} - C:\WINDOWS\system32\ypcqghlp.dll (file missing)
O2 - BHO: yzztkmsn.dll - {B490415F-65F8-B5C5-D8BA-9405FB12054B} - C:\WINDOWS\system32\yzztkmsn.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P26 "EPSON Stylus CX1500 Series" /O5 "LPT1:" /M "Stylus CX1500"
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P35 "EPSON Stylus CX1500 Series (Copy 1)" /O6 "USB001" /M "Stylus CX1500"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sticker] C:\Program Files\MoRUN.net\Sticker\sticker.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://stevenching28.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1214379191747
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162425286125
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{45ABDAA6-9586-4E5E-A01E-2E395570E348}: NameServer = 203.198.23.208 205.252.144.126
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: welldon.dll,nhmxcjkl.dll,yzztkmsn.dll msbod.dll,tisqatyu.dll termilly.dll verptw.dll quaryfy.dll padlod.dll,arjreler.dll,ietzbpaq.dll jordspa.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 10200 bytes
 
Surely your system is now running much better! Am I right?

Open HijackThis and choose Do a system scan only.
Place a check next to these entries if found:
  • O2 - BHO: ijdyapaw.dll - {1A698452-C5D8-C584-C256-C264C987C5A1} - C:\WINDOWS\system32\ijdyapaw.dll (file missing)
  • O2 - BHO: ietzbpaq.dll - {29109876-7619-9101-7012-901938475192} - C:\WINDOWS\system32\ietzbpaq.dll (file missing)
  • O2 - BHO: nhmxcjkl.dll - {37AC9076-C898-B098-D098-A18319080973} - C:\WINDOWS\system32\nhmxcjkl.dll (file missing)
  • O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
  • O2 - BHO: apzhctde.dll - {3D698451-2015-6358-9871-2015987452D3} - C:\WINDOWS\system32\apzhctde.dll (file missing)
  • O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
  • O2 - BHO: mndhfdwd.dll - {6C648541-1025-9650-9057-6541258720C6} - C:\WINDOWS\system32\mndhfdwd.dll (file missing)
  • O2 - BHO: fgfsbkuy.dll - {6E091341-6715-2098-51F0-178367AE53E6} - C:\WINDOWS\system32\fgfsbkuy.dll (file missing)
  • O2 - BHO: (no name) - {74381DEC-D78B-43E4-BA5D-5244F669EBE4} - C:\Program Files\Internet Explorer\PLUGINS\UnixSys08.Sys
  • O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
  • O2 - BHO: mndsgsrv.dll - {77FD640A-158F-48AC-FD14-1597F14A9777} - C:\WINDOWS\system32\mndsgsrv.dll (file missing)
  • O2 - BHO: zxmsdwin.dll - {7A041F13-A111-12A3-B0CF-F99818AA68A7} - C:\WINDOWS\system32\zxmsdwin.dll (file missing)
  • O2 - BHO: arjreler.dll - {7C69034A-F45F-D34D-A33A-C33C4D324FC7} - C:\WINDOWS\system32\arjreler.dll (file missing)
  • O2 - BHO: apsggjba.dll - {7FD45A54-9875-698F-E56E-65102358FDF7} - C:\WINDOWS\system32\apsggjba.dll (file missing)
  • O2 - BHO: ypcqghlp.dll - {80AF1289-F140-A140-D012-C1458759FC08} - C:\WINDOWS\system32\ypcqghlp.dll (file missing)
  • O2 - BHO: yzztkmsn.dll - {B490415F-65F8-B5C5-D8BA-9405FB12054B} - C:\WINDOWS\system32\yzztkmsn.dll (file missing)
  • O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

Close all open windows except for HijackThis and click Fix checked. Reboot your computer.

How is your system running now? Any problems?
 
You must log in or register to reply here.
Back
Top