help please!!! no explorer.exe



playerzhao
2008-05-01, 13:25
Hi everybody, starting two days ago my PC has no explorer.exe; every time I start the computer there's only my wallpaper showing and I have to use the Task Manager to do everything. Please help!! Thanks.
Here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:27:46 AM, on 5/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1060915
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/learnmore/learnmore.asp?close=true&lcode=en-us
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AddTask Class - {24F06550-65E3-4D1C-8CFE-839C296B5530} - C:\Program Files\eREAD\IEeREAD.dll
O2 - BHO: 892267 helper - {25E0128D-AAFC-49FF-AB11-1F12C2FCC391} - C:\WINDOWS\system32\892267\892267.dll
O2 - BHO: (no name) - {398C9B84-4EF7-47B5-9862-DE29543B3C42} - C:\Program Files\Internet Explorer\PLUGINS\Nt_Sys32.Sys
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - C:\Program Files\NetProject\sbmdl.dll (file missing)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [WSockDrv32] C:\WINDOWS\WSockDrv32.exe
O4 - HKLM\..\Run: [TBMonEx] C:\WINDOWS\Fonts\syn00-15-C5-6E-7D-09\system\smss.exe
O4 - HKLM\..\Run: [inudhya] C:\WINDOWS\Fonts\syn00-15-C5-6E-7D-09\system\1a.exe
O4 - HKLM\..\Run: [fiosectc] C:\WINDOWS\fiosectc.exe
O4 - HKLM\..\Run: [mfchlp64] C:\WINDOWS\mfchlp64.exe
O4 - HKLM\..\Run: [bincdwsa] C:\WINDOWS\bincdwsa.exe
O4 - HKLM\..\Run: [fmsjhif] C:\WINDOWS\fmsjhif.exe
O4 - HKLM\..\Run: [dbhlp32] C:\WINDOWS\dbhlp32.exe
O4 - HKLM\..\Run: [dionpis] C:\WINDOWS\dionpis.exe
O4 - HKLM\..\Run: [LotusHlp] C:\WINDOWS\LotusHlp.exe
O4 - HKLM\..\Run: [fmsbbqi] C:\WINDOWS\fmsbbqi.exe
O4 - HKLM\..\RunOnce: [*Restore] C:\WINDOWS\system32\restore\rstrui.exe -i
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [foxy] "C:\Program Files\Foxy\Foxy.exe" -tray
O4 - HKLM\..\Policies\Explorer\Run: [DXDLG32] DXDLG.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDWG32] LYLoadbr.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDCG32 ] LYLeador.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDOG32] LYLoador.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDSG32] LYLoadar.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDMG32] LYLoadmr.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDHG32] LYLoadhr.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDQG32] LYLoadqr.exe
O4 - HKUS\S-1-5-21-3502331526-2687567259-3609013378-500\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe (User 'Administrator')
O4 - HKUS\S-1-5-21-3502331526-2687567259-3609013378-500\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'Administrator')
O4 - Startup: ÌÚѶQQ.lnk = C:\Program Files\Tencent\QQ\QQ.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Add to QQ Customized Emoticons - C:\PROGRAM FILES\TENCENT\QQ\AddEmotion.htm
O8 - Extra context menu item: Add to QQ Customized Panel - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: Add to QQ Emotions - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Foxy ?? - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Send picture by MMS - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: Send Picture with QQ MMS - C:\PROGRAM FILES\TENCENT\QQ\SendMMS.htm
O8 - Extra context menu item: Upload to QQ Network Hard Disk - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: Ìí¼Óµ½QQ±íÇé - C:\Program Files\Tencent\QQ\AddEmotion.htm
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.gateietool.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.gateietool.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O20 - AppInit_DLLs: wfhyt.dll,kghk.dll,ethsh.dll,stehs.dll,sthth.dll,frntrn.dll,qrhhb.dll,drghszd.dll,fngn.dll,gjjte.dll,xgnfn.dll,xfgnhcgfm.dll,serger.dll,bnxnb.dll,fxgnfx.dll,jzijj.dll,xfgnfx.dll,serghjm.dll,thsddh.dll,xbcvxb.dll,zfdzb.dll,xdndn.dll,xdfntt.dll,hgfhk.dll,dnteh.dll,xfng.dll,njritc.dll,chmfcmh.dll,jwlah.dll,gmnait.dll,hfjg.dll,thurh.dll,mgmgmm.dll,oqrthc.dll,fehom.dll,jyjlt.dll,ijatnaw.dll,sehhter.dll,fhjfg.dll,zdbdb.dll,ydgn.dll,dbfb.dll,fjnbv.dll,wmsat.dll,setrhes.dll,cdxbfxdb.dll,xfgnxfn.dll,gjkhj.dll,xdhdg.dll,rhs.dll,mrjhtjd.dll,zdbfbd.dll,fjyjy.dll,fxnfnh.dll,bjrvm.dll,ektvm.dll,rdthr.dll,rgfjj.dll,dscef.dll,crugd.dll,lariytrz.dll,hjaiq.dll,kduy.dll,hkfgh.dll,awef.dll,dfhsh.dll,msepbe.dll,
O22 - SharedTaskScheduler: exegeses - {db763ed8-100a-481b-8913-50a2f41dcdc3} - (no file)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9801 bytes
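The log above is a good specimen for showing what a first triage pass looks for before a helper asks for ComboFix. The following Python script is an added example for this thread, not code from HijackThis, ComboFix or any poster; the heuristics (executables launched from the Fonts or Temp directories, core-process names such as smss.exe or explorer.exe loading from the wrong directory, Policies\Explorer\Run autostarts, orphaned entries, and a populated AppInit_DLLs list) are assumptions drawn from the entries visible in this log, and the sample lines are copied from it. It reports entries worth a closer look; it does not decide what is malware.

```python
"""Triage a HijackThis log for autostart entries that merit a closer look.

Added example for this thread; not part of HijackThis or any post here.
The heuristics are assumptions based on what stands out in the log above.
"""
import re
from typing import Dict, List

# Directories where core Windows XP processes are expected to live. A binary
# carrying one of these names that loads from anywhere else is a masquerade.
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Directories from which legitimate autostart executables rarely run.
UNUSUAL_DIRS = ("\\fonts\\", "\\temp\\", "\\recycler\\")

O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
# First module path in a command line, quoted or not, with or without arguments.
EXE_RE = re.compile(r'"?(?P<path>.+?\.(?:exe|dll|sys|com|scr|bat|cmd))', re.I)

# Sample lines copied from the HijackThis log posted above (constructed subset).
SAMPLE = [
    r"O2 - BHO: (no name) - {398C9B84-4EF7-47B5-9862-DE29543B3C42} - C:\Program Files\Internet Explorer\PLUGINS\Nt_Sys32.Sys",
    r"O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - C:\Program Files\NetProject\sbmdl.dll (file missing)",
    r"O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe",
    r"O4 - HKLM\..\Run: [TBMonEx] C:\WINDOWS\Fonts\syn00-15-C5-6E-7D-09\system\smss.exe",
    r"O4 - HKLM\..\Policies\Explorer\Run: [MSDWG32] LYLoadbr.exe",
    r"O20 - AppInit_DLLs: wfhyt.dll,kghk.dll,ethsh.dll,",
    r"O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe",
]


def _split(path: str):
    """Return (directory, filename), both lower-cased; directory may be empty."""
    low = path.lower()
    i = low.rfind("\\")
    return (low[:i], low[i + 1:]) if i >= 0 else ("", low)


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious log line to the list of reasons it was flagged."""
    findings: Dict[str, List[str]] = {}

    def flag(line: str, reason: str) -> None:
        findings.setdefault(line, []).append(reason)

    for line in lines:
        line = line.rstrip()
        if "(file missing)" in line or "(no file)" in line:
            flag(line, "orphaned entry: the referenced file is gone")
        m = O20_RE.match(line)
        if m:
            dlls = [d for d in m.group("dlls").split(",") if d.strip()]
            if dlls:
                flag(line, f"AppInit_DLLs loads {len(dlls)} DLL(s) into every process that links user32.dll")
            continue
        m = O2_RE.match(line) or O4_RE.match(line)
        if not m:
            continue
        groups = m.groupdict()
        cmd = groups.get("path") or groups.get("cmd") or ""
        em = EXE_RE.match(cmd)
        if not em:
            continue
        directory, fname = _split(em.group("path"))
        if any(u in directory + "\\" for u in UNUSUAL_DIRS):
            flag(line, f"{fname} runs from an unusual directory ({directory})")
        expected = EXPECTED_DIR.get(fname)
        if expected and directory != expected:
            flag(line, f"{fname} masquerades as a system process outside {expected}")
        if "key" in groups and "policies\\explorer\\run" in groups["key"].lower():
            flag(line, "Policies\\Explorer\\Run autostart, rarely used by legitimate software")
        if line.startswith("O2") and groups.get("name") == "(no name)":
            flag(line, "BHO with no name")
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE).items():
        print(entry)
        for r in reasons:
            print("   ->", r)
```

Run it against a saved log with `triage(open("hijackthis.log").read().splitlines())`; the igfxtray and Intel service lines in the sample come back clean, while the smss.exe copy under Fonts is flagged twice (unusual directory and system-process masquerade), which is exactly the kind of entry a helper asks about first.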

Rorschach112
2008-05-01, 15:10
Hello

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

playerzhao
2008-05-02, 11:52
Hi, I tried to use ComboFix but my computer will reboot before I get to the log (it will reboot itself after completing stage 43). Is there any other way to get the info needed to fix my computer? And can you see anything wrong from the HijackThis log? Thanks!!

Rorschach112
2008-05-02, 14:19
Can you see if the log is in C:\ComboFix?

If not do this

Please download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) and save it to your Desktop.
Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

playerzhao
2008-05-02, 21:31
Hi, I finally got the ComboFix log along with the new HijackThis log.

Combofix:

ComboFix 08-05-01.1 - zhao zheng 2008-05-02 1:39:42.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.720 [GMT -7:00]
Running from: C:\Documents and Settings\zhao zheng\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\msosmsfpfis64.sys
C:\WINDOWS\system32\sperls.dll
.
---- Previous Run -------
.
C:\Autorun.inf
C:\Documents and Settings\zhao zheng\Application Data\macromedia\Flash Player\#SharedObjects\4K6Z7Z2L\www.broadcaster.com
C:\Documents and Settings\zhao zheng\Application Data\macromedia\Flash Player\#SharedObjects\4K6Z7Z2L\www.inter-focus.cn
C:\Documents and Settings\zhao zheng\Application Data\macromedia\Flash Player\#SharedObjects\4K6Z7Z2L\www.inter-focus.cn\IFFLASHAD_PLAYER.sol
C:\Documents and Settings\zhao zheng\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\zhao zheng\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\zhao zheng\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn
C:\Documents and Settings\zhao zheng\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn\settings.sol
C:\Program Files\Internet Explorer\PLUGINS\Nt_Win32.Jmp
C:\WINDOWS\bincdwsa.exe
C:\WINDOWS\dbhlp32.exe
C:\WINDOWS\dionpis.exe
C:\WINDOWS\dxtmechk
C:\WINDOWS\fiosectc.exe
C:\WINDOWS\fmsbbqi.exe
C:\WINDOWS\Fonts\syn00-15-C5-6E-7D-09\system
C:\WINDOWS\Fonts\syn00-15-C5-6E-7D-09\system\16a.exe
C:\WINDOWS\Fonts\syn00-15-C5-6E-7D-09\system\1a.exe
C:\WINDOWS\Fonts\syn00-15-C5-6E-7D-09\system\inudhya.dll
C:\WINDOWS\Fonts\syn00-15-C5-6E-7D-09\system\smss.exe
C:\WINDOWS\Fonts\syn00-15-C5-6E-7D-09\system\SYSTEM128.vxd
C:\WINDOWS\Fonts\syn00-16-6F-B0-A5-E5\system
C:\WINDOWS\hbyzkfaa.dll
C:\WINDOWS\kezjuaoa.dll
C:\WINDOWS\LotusHlp.exe
C:\WINDOWS\mfchlp64.exe
C:\WINDOWS\SHAProc.exe
C:\WINDOWS\system32\13.exe
C:\WINDOWS\system32\18.exe
C:\WINDOWS\system32\20.exe
C:\WINDOWS\system32\22.exe
C:\WINDOWS\system32\23.exe
C:\WINDOWS\system32\24.exe
C:\WINDOWS\system32\892267\892267.dll
C:\WINDOWS\system32\bincdwsa.dll
C:\WINDOWS\system32\bjrvm.cfg
C:\WINDOWS\system32\bjrvm.dll
C:\WINDOWS\system32\crugd.cfg
C:\WINDOWS\system32\crugd.dll
C:\WINDOWS\system32\D3D9_32.DLL
C:\WINDOWS\system32\D3D9_64.DLL
C:\WINDOWS\system32\dbhlp32.dlL
C:\WINDOWS\system32\dionpis.dll
C:\WINDOWS\system32\dqDXYDXY1009.dll
C:\WINDOWS\system32\dqHADHAD1066.dll
C:\WINDOWS\system32\dqKAFKAF1066.dll
C:\WINDOWS\system32\dqMYSMYS1045.dll
C:\WINDOWS\system32\dqMYSMYS1049.dll
C:\WINDOWS\system32\dqQACQAC1041.dll
C:\WINDOWS\system32\dqSADSAD1040.dll
C:\WINDOWS\system32\drivers\msyecp.sys
C:\WINDOWS\system32\DXDLG.EXE
C:\WINDOWS\system32\ektvm.cfg
C:\WINDOWS\system32\ektvm.dll
C:\WINDOWS\system32\explorer.exe
C:\WINDOWS\system32\fiosectc.dll
C:\WINDOWS\system32\fmsbbqi.dll
C:\WINDOWS\system32\fmsjhif.dll
C:\WINDOWS\system32\frntrn.dll
C:\WINDOWS\system32\gmsajpwzx.dll
C:\WINDOWS\system32\gnolnait.cfg
C:\WINDOWS\system32\gnolnait.dll
C:\WINDOWS\system32\hfjg.cfg
C:\WINDOWS\system32\hfjg.dll
C:\WINDOWS\system32\hfrdzx.dll
C:\WINDOWS\system32\ijatnaw.cfg
C:\WINDOWS\system32\ijatnaw.dll
C:\WINDOWS\system32\JADJAD1038.dll
C:\WINDOWS\system32\kiluw.cfg
C:\WINDOWS\system32\kiluw.dll
C:\WINDOWS\system32\lariytrz.cfg
C:\WINDOWS\system32\lariytrz.dll
C:\WINDOWS\system32\LotusHlp.dll
C:\WINDOWS\system32\lyloader.exe
C:\WINDOWS\system32\lymangr.dll
C:\WINDOWS\system32\mfchlp64.dll
C:\WINDOWS\system32\msdeg32.dll
C:\WINDOWS\system32\mseion.sys
C:\WINDOWS\system32\msepbe.dll
C:\WINDOWS\system32\msosmnsf.dat
C:\WINDOWS\system32\msosmnsf00.dll
C:\WINDOWS\system32\NNNNNN1026.dll
C:\WINDOWS\system32\oqrthc.cfg
C:\WINDOWS\system32\oqrthc.dll
C:\WINDOWS\system32\QABQAB1013.dll
C:\WINDOWS\system32\qqxyd.dll
C:\WINDOWS\system32\qqxyd.exe
C:\WINDOWS\system32\REGKEY.hiv
C:\WINDOWS\system32\rhs.cfg
C:\WINDOWS\system32\rhs.dll
C:\WINDOWS\system32\sperls.dll
C:\WINDOWS\system32\tahowcjwow.dll
C:\WINDOWS\system32\uagnwcjdj.dll
C:\WINDOWS\system32\WSockDrv32.dll
C:\WINDOWS\system32\xgnfn.cfg
C:\WINDOWS\system32\xgnfn.dll
C:\WINDOWS\system32\yflrahnwm.dll
C:\WINDOWS\system32\ytf.dll
C:\WINDOWS\system32\zjydcx.dll
C:\WINDOWS\WSockDrv32.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_IPRIP
-------\Legacy_MSERTK
-------\Legacy_MSFPFIS64
-------\Service_6to4
-------\Service_Iprip
-------\Service_mnsf
-------\Service_msertk
-------\Service_msfpfis64


((((((((((((((((((((((((( Files Created from 2008-04-02 to 2008-05-02 )))))))))))))))))))))))))))))))
.

2008-05-01 03:01 . 2008-05-01 03:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-30 00:01 . 2008-04-30 00:01 19,019 --a------ C:\WINDOWS\system32\dqMYSMYS1049.exe
2008-04-28 23:32 . 2008-04-30 00:01 17,757 --a------ C:\WINDOWS\system32\dqDXYDXY1009.exe
2008-04-28 17:17 . 2008-04-28 17:17 11,008 --a------ C:\WINDOWS\system32\drivers\obj2.sys
2008-04-28 05:17 . 2008-04-28 23:32 2,816 --a------ C:\WINDOWS\system32\drivers\ReloadAnti.sys
2008-04-28 05:13 . 2008-04-28 23:32 19,062 --a------ C:\WINDOWS\system32\dqMYSMYS1045.exe
2008-04-28 05:13 . 2008-04-30 00:01 18,339 --a------ C:\WINDOWS\system32\dqSADSAD1040.exe
2008-04-28 05:13 . 2008-04-30 00:01 17,836 --a------ C:\WINDOWS\system32\dqKAFKAF1066.exe
2008-04-28 05:13 . 2008-04-30 00:01 17,797 --a------ C:\WINDOWS\system32\dqHADHAD1066.exe
2008-04-28 05:13 . 2008-04-30 00:01 17,735 --a------ C:\WINDOWS\system32\dqQACQAC1041.exe
2008-04-28 05:13 . 2008-04-28 05:13 8,704 --a------ C:\WINDOWS\system32\espter.sys
2008-04-28 05:13 . 2008-04-30 00:01 2,816 --a------ C:\WINDOWS\system32\drivers\RESS.sys
2008-04-28 05:13 . 2008-04-30 00:01 2,688 --a------ C:\WINDOWS\system32\drivers\XNGAnti.sys
2008-04-28 05:12 . 2008-04-30 00:01 19,625 --a------ C:\WINDOWS\fmsjhif.exe
2008-04-28 05:12 . 2004-08-04 03:00 18,481 ---hs---- C:\ntldr.exe
2008-04-28 05:12 . 2008-04-30 00:01 824 ---hs---- C:\WINDOWS\system32\fjyjy.cfg
2008-04-27 03:45 . 2008-04-30 23:30 <DIR> d-------- C:\Program Files\eREAD
2008-04-21 00:57 . 2008-04-21 00:57 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-04-21 00:57 . 2008-04-21 00:57 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-04-20 11:57 . 2008-04-20 12:37 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-20 11:56 . 2008-05-01 22:45 <DIR> d-------- C:\WINDOWS\system32\892267
2008-04-14 22:36 . 2008-04-20 02:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NJStar
2008-04-14 22:08 . 2008-04-14 23:02 <DIR> d-------- C:\Documents and Settings\zhao zheng\Application Data\Tencent
2008-04-14 22:07 . 2008-04-14 22:51 <DIR> d-------- C:\WINDOWS\system32\qqedit
2008-04-14 22:07 . 2008-04-21 00:27 <DIR> d-------- C:\Documents and Settings\zhao zheng\Application Data\QQ

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-01 06:30 --------- d-----w C:\Program Files\Microsoft Works
2008-04-26 19:09 3,156 -c--a-w C:\Documents and Settings\zhao zheng\Application Data\wklnhst.dat
2008-04-15 18:42 --------- d-----w C:\Program Files\Google
2008-03-13 06:59 --------- d-----w C:\Program Files\BitComet
2008-02-22 18:19 9,739 --sh--w C:\WINDOWS\bzfarhli.exe
2008-02-22 18:19 9,739 --sh--w C:\WINDOWS\aycpoejoa.exe
2007-04-16 15:52 24,856 --sh--w C:\WINDOWS\system32\fjyjy.dll
.

------- Sigcheck -------

2006-04-20 05:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 09:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-04 03:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 04:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2007-10-30 10:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 10:20 360064 ed06c31200714e734118f9a47f5df5ce C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24F06550-65E3-4D1C-8CFE-839C296B5530}]
2007-06-28 17:25 57344 --a------ C:\Program Files\eREAD\IEeREAD.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{398C9B84-4EF7-47B5-9862-DE29543B3C42}]
2008-04-30 00:01 44658 --ahs---- C:\Program Files\Internet Explorer\PLUGINS\Nt_Sys32.Sys

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]
"foxy"="C:\Program Files\Foxy\Foxy.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 18:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 18:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 18:50 114688]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 12:59 385024]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 21:30 282624 C:\WINDOWS\stsystra.exe]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 14:19 53248]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 08:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 08:44 81920]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-20 12:49 185784]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 03:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 03:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 03:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 03:00 455168]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 06:33 122941]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [ ]
"fmsjhif"="C:\WINDOWS\fmsjhif.exe" [2008-04-30 00:01 19625]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 20:05:26 29696]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 20:07:32 81920]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{45AADFAA-DD36-42AB-83AD-0521BBF58C24}"= C:\WINDOWS\system32\zjydcx.dll [ ]
"{1E51C0FD-EE36-434B-AD2A-FD1FF3731C38}"= C:\WINDOWS\system32\wyrsdj.dll [2008-02-22 11:19 158961]
"{5aca2e15-0790-4170-812a-890df2fb6144}"= C:\WINDOWS\system32\QABQAB1013.dll [ ]
"{548ecd3f-89c5-4cfa-ad72-73f41a403932}"= C:\WINDOWS\system32\NNNNNN1026.dll [ ]
"{1DB3C525-5271-46F7-887A-D4E1ADAA7632}"= C:\WINDOWS\system32\hfrdzx.dll [ ]
"{d21ac220-ebb3-4110-9817-37aa0cce636b}"= C:\WINDOWS\system32\dqSADSAD1040.dll [ ]
"{5f24d354-e8fd-410e-8f85-35351ccc9eda}"= C:\WINDOWS\system32\dqHADHAD1066.dll [ ]
"{398C9B84-4EF7-47B5-9862-DE29543B3C42}"= C:\Program Files\Internet Explorer\PLUGINS\Nt_Sys32.Sys [2008-04-30 00:01 44658]
"{0ec6c922-a3a0-4130-bd14-c0e716b16c54}"= C:\WINDOWS\system32\dqKAFKAF1066.dll [ ]
"{633fb0d7-0f9c-4590-bf6b-2d952a1e9ab1}"= C:\WINDOWS\system32\dqMYSMYS1045.dll [ ]
"{1f102fa9-e182-41f3-937b-b5418bfc43e4}"= C:\WINDOWS\system32\dqQACQAC1041.dll [ ]
"{917238cc-685a-4bed-b840-8185e894ad0c}"= C:\WINDOWS\system32\dqDXYDXY1009.dll [ ]
"{c5c2054b-fca9-4968-b457-baf9499a5beb}"= dqMYSMYS1049.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 14:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ÐÞ¸´¹¤¾ß.exe]
Debugger=net

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\BitComet\\BitComet.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10044:TCP"= 10044:TCP:BitComet 10044 TCP
"10044:UDP"= 10044:UDP:BitComet 10044 UDP
"13542:TCP"= 13542:TCP:BitComet 13542 TCP
"13542:UDP"= 13542:UDP:BitComet 13542 UDP
"18207:TCP"= 18207:TCP:BitComet 18207 TCP
"18207:UDP"= 18207:UDP:BitComet 18207 UDP
"10725:TCP"= 10725:TCP:BitComet 10725 TCP
"10725:UDP"= 10725:UDP:BitComet 10725 UDP
"3587:TCP"= 3587:TCP:*:Disabled:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"18180:TCP"= 18180:TCP:*:Disabled:Foxy (192.168.1.101:18180) 18180 TCP
"18180:UDP"= 18180:UDP:*:Disabled:Foxy (192.168.1.101:18180) 18180 UDP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

S3 npkycryp;npkycryp;C:\WINDOWS\system32\npkycryp.sys []
S3 obj2;obj2;C:\WINDOWS\system32\DRIVERS\obj2.sys [2008-04-28 17:17]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 03:00]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 03:00]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 03:00]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 03:00]
S3 sys_flt;sys_flt;C:\DOCUME~1\ZHAOZH~1\LOCALS~1\Temp\~09.tmp []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a2f8498-f141-11dc-bd8a-0015c56e7d09}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe
\Shell\´ò¿ª(&O)\command - setup.exe

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-02 11:19:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\sys_flt]
"ImagePath"="\??\C:\DOCUME~1\ZHAOZH~1\LOCALS~1\Temp\~09.tmp"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\WINDOWS\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2008-05-02 11:22:55 - machine was rebooted [zhao zheng]
ComboFix-quarantined-files.txt 2008-05-02 18:22:52

Pre-Run: 4,050,735,104 bytes free
Post-Run: 4,012,748,800 bytes free

288 --- E O F --- 2008-05-02 18:07:07



HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:13 AM, on 5/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1060915
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/learnmore/learnmore.asp?close=true&lcode=en-us
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AddTask Class - {24F06550-65E3-4D1C-8CFE-839C296B5530} - C:\Program Files\eREAD\IEeREAD.dll
O2 - BHO: (no name) - {398C9B84-4EF7-47B5-9862-DE29543B3C42} - C:\Program Files\Internet Explorer\PLUGINS\Nt_Sys32.Sys
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [fmsjhif] C:\WINDOWS\fmsjhif.exe
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [foxy] "C:\Program Files\Foxy\Foxy.exe" -tray
O4 - Startup: 腾讯QQ.lnk = C:\Program Files\Tencent\QQ\QQ.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Add to QQ Customized Emoticons - C:\PROGRAM FILES\TENCENT\QQ\AddEmotion.htm
O8 - Extra context menu item: Add to QQ Customized Panel - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: Add to QQ Emotions - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Foxy ?? - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Send picture by MMS - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: Send Picture with QQ MMS - C:\PROGRAM FILES\TENCENT\QQ\SendMMS.htm
O8 - Extra context menu item: Upload to QQ Network Hard Disk - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O22 - SharedTaskScheduler: exegeses - {db763ed8-100a-481b-8913-50a2f41dcdc3} - (no file)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7512 bytes
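The log above is what a helper reads by hand: every entry is "O<n> - <type>: <name> - {CLSID} - <file>" or, for O4 Run keys, "[name] command". The script below is an added example for this thread, not part of HijackThis, SDFix or ComboFix and not the helper's method; it parses a handful of lines quoted from the log and applies a few review heuristics of its own (orphaned entries, unnamed BHOs, BHOs loading a non-DLL file, binaries dropped straight into the Windows directory). The rules, the small list of binaries XP legitimately keeps in %WINDIR%, and the thresholds are this example's assumptions; a hit means "look at this", not "this is malware".

```python
"""Heuristic triage of HijackThis log entries.

Added example for this thread; it is not part of HijackThis, SDFix or
ComboFix. The sample lines are quoted from the log above; every rule and
constant below is this example's own assumption and only flags entries for
an analyst's review.
"""
import ntpath
import re

VOID_TARGETS = {"(no file)", "(file missing)"}          # HijackThis markers
BHO_EXTENSIONS = {".dll", ".ocx"}                        # what a BHO should be
WINDOWS_ROOTS = {"c:\\windows", "c:\\winnt"}
# Binaries Windows XP legitimately keeps directly in %WINDIR% (assumed, partial).
KNOWN_ROOT_BINARIES = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "winhlp32.exe"}

LINE_RE = re.compile(r"^(?P<kind>[OR]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r".*?\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
PATH_RE = re.compile(r'"?(?P<path>[^"]+?\.(?:exe|dll|ocx|sys|scr|cpl|bat|cmd))\b', re.I)

# Constructed sample: a few lines quoted from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {398C9B84-4EF7-47B5-9862-DE29543B3C42} - C:\Program Files\Internet Explorer\PLUGINS\Nt_Sys32.Sys
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [fmsjhif] C:\WINDOWS\fmsjhif.exe
O4 - HKCU\..\Run: [foxy] "C:\Program Files\Foxy\Foxy.exe" -tray
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O22 - SharedTaskScheduler: exegeses - {db763ed8-100a-481b-8913-50a2f41dcdc3} - (no file)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
"""


def parse_entry(line):
    """Split one HijackThis line into (kind, name, target); None for non-entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind == "O4":
        m4 = RUN_RE.match(body)
        if m4:  # O4 - HKLM\..\Run: [name] command
            return kind, m4.group("name"), m4.group("cmd")
        if " = " in body:  # O4 - Startup: name.lnk = target
            name, cmd = body.split(": ", 1)[-1].split(" = ", 1)
            return kind, name, cmd
        return None
    parts = body.split(" - ")  # "<type>: <name> - {CLSID} - <file>"
    return kind, parts[0].split(": ", 1)[-1], parts[-1]


def module_path(target):
    """Extract the loaded file from a command line ('"C:\\x y.exe" -flag') or bare path."""
    m = PATH_RE.match(target.strip())
    return m.group("path") if m else target.strip()


def suspicious_reasons(kind, name, target):
    """Return the review reasons for one entry (empty list = nothing noted)."""
    reasons = []
    if any(marker in target for marker in VOID_TARGETS):
        reasons.append("points at a file that is no longer present")
        return reasons
    path = module_path(target)
    base = ntpath.basename(path).lower()
    ext = ntpath.splitext(base)[1]
    parent = ntpath.dirname(path).lower()
    if kind == "O2":
        if name == "(no name)":
            reasons.append("BHO registered without a display name")
        if ext not in BHO_EXTENSIONS:
            reasons.append(f"BHO loads a non-DLL file ({ext or 'no extension'})")
    if parent in WINDOWS_ROOTS and base not in KNOWN_ROOT_BINARIES:
        reasons.append("binary sits directly in the Windows directory")
    return reasons


def triage(log_text):
    """Parse a HijackThis log and return the entries that need an analyst's eye."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        kind, name, target = entry
        reasons = suspicious_reasons(kind, name, target)
        if reasons:
            findings.append({"kind": kind, "name": name, "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:4} {f['name']:<12} {f['target']}")
        for r in f["reasons"]:
            print(f"       - {r}")
```

On the sample, the entries that come back are the unnamed BHO loading Nt_Sys32.Sys (two reasons), the fmsjhif Run key, and the two dangling Messenger and exegeses entries; igfxtray, Foxy, the SQL Service Manager shortcut and the Intel service pass. Orphaned entries are usually leftovers rather than active threats, and a binary in %WINDIR% is only a location signal, so the next step for any hit is still to check the file itself (hash, signer, timestamps) rather than to act on the name.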

Rorschach112
2008-05-03, 02:27
Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum.

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\dqMYSMYS1049.exe
C:\WINDOWS\system32\dqDXYDXY1009.exe
C:\WINDOWS\system32\drivers\obj2.sys
C:\WINDOWS\system32\drivers\ReloadAnti.sys
C:\WINDOWS\system32\dqMYSMYS1045.exe
C:\WINDOWS\system32\dqSADSAD1040.exe
C:\WINDOWS\system32\dqKAFKAF1066.exe
C:\WINDOWS\system32\dqHADHAD1066.exe
C:\WINDOWS\system32\dqQACQAC1041.exe
C:\WINDOWS\system32\espter.sys
C:\WINDOWS\system32\drivers\RESS.sys
C:\WINDOWS\system32\drivers\XNGAnti.sys
C:\WINDOWS\fmsjhif.exe
C:\ntldr.exe
C:\WINDOWS\system32\fjyjy.cfg
C:\WINDOWS\bzfarhli.exe
C:\WINDOWS\aycpoejoa.exe
C:\WINDOWS\system32\fjyjy.dll

DirLook::
C:\WINDOWS\system32\892267
C:\WINDOWS\system32\qqedit

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\修复工具.exe]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a2f8498-f141-11dc-bd8a-0015c56e7d09}]

Driver::
obj2
sys_flt


Save this as CFScript.txt, in the same location as ComboFix.exe

http://i266.photobucket.com/albums/ii277/sUBs_/Combo-Do.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


Reboot and post a new HijackThis log

Rorschach112
2008-05-08, 04:02
Due to inactivity, this thread will now be closed.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.