edmandoo

My Hijackthis Log (please Help!)

Logfile of HijackThis v1.99.1

Scan saved at 8:23:13 AM, on 6/4/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\nvdualhd.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\asrotray.exe

C:\Program Files\MSN Messenger\Device Manager\Loc\3099\msnmsgr.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\ktf\svchost.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Edmundo Unit\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: linkprohelper - {11E78485-C932-4944-BDCD-3B57CD676E5C} - (no file)

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: NetCtrl Class - {68FACDB7-76C2-481F-BED0-5176BFC06F40} - C:\WINDOWS\system32\jng.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: chkprc Class - {7DA7BE7D-A382-4AA7-A125-CA55A2070125} - C:\WINDOWS\system32\onpcs.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: ApoUp Class - {DA96C092-D3A6-4772-AB95-21523D152BEA} - C:\WINDOWS\system32\apo.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [asro] C:\WINDOWS\asrotray.exe

O4 - HKLM\..\Run: [NateOnMain] C:\Program Files\NATEON\Addin\B926D852-194B-4c62-9C73-3F0ECA8950EA\NateOnMain.exe

O4 - HKLM\..\Run: [MSNMessenger] "C:\Program Files\MSN Messenger\Device Manager\Loc\3099\msnmsgr.exe"

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Xweb] "C:\Program Files\SoftForum\XecureWeb\ActiveX\Xecureweb.exe"

O4 - HKLM\..\Run: [sdae] "C:\ktf\svchost.exe"

O4 - HKLM\..\Run: [ccman] C:\WINDOWS\system32\ccman.exe

O4 - HKLM\..\Run: [carion] C:\WINDOWS\system32\carion.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [rundl64] C:\WINDOWS\rundl64.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [exfine] C:\Program Files\Common Files\System\exfine.exe

O4 - HKCU\..\Run: [asro] C:\WINDOWS\asrotray.exe

O4 - HKCU\..\Run: [MSNMessenger] "C:\Program Files\MSN Messenger\Device Manager\Loc\3099\msnmsgr.exe"

O4 - HKCU\..\Run: [NateOnMain] C:\Program Files\NATEON\Addin\B926D852-194B-4c62-9C73-3F0ECA8950EA\NateOnMain.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Xweb] "C:\Program Files\SoftForum\XecureWeb\ActiveX\Xecureweb.exe"

O4 - HKCU\..\Run: [mswasie.exe] C:\WINDOWS\system32\mswasie.exe

O4 - HKCU\..\Run: [uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe

O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204

O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB

O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab

O16 - DPF: {7606693A-C18D-4567-AF85-6194FF70761E} (GomWeb Control) - http://app.ipop.co.kr/gom/GomWeb.cab

O16 - DPF: {BCEF5CDE-BAD4-4532-A30B-9D16D502DE69} (BugsInstallEx Control) - http://install.bugs.co.kr/install/BugsInstallerEx.cab

O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Error Event Log (ereventlog) - Unknown owner - C:\WINDOWS\system32\drivers\erelog.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PCI lagacy (PCIlagacy) - Unknown owner - C:\WINDOWS\nerochk.exe

O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Well, you have got a couple of different infections...some Korean trojans, probably an IRC bot or two...but you have a couple of unknowns also. So as a first step I'd like to do a little file collecting.

First (and this is VERY important)...delete HijackThis from your desktop.

Click here to download HJTsetup.exe

  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • You can leave it open; you'll need it in a minute.

Now go to Start > Run, type in cmd and hit Enter.

Copy the following 2 lines, one at a time, into the command prompt that opens, then hit Enter after each one.

sc stop ereventlog

sc stop PCIlagacy

Close the command window now.

Please download Suspicious File Packer from HERE, then unzip it to your desktop.

Run SFP.exe.

Please copy the following lines by highlighting them all, then right-click and choose Copy:

C:\WINDOWS\asrotray.exe

C:\ktf\

C:\WINDOWS\system32\onpcs.dll

C:\WINDOWS\system32\apo.dll

C:\WINDOWS\asrotray.exe

C:\Program Files\MSN Messenger\Device Manager\Loc\3099\

C:\WINDOWS\system32\ccman.exe

C:\WINDOWS\system32\carion.exe

C:\WINDOWS\rundl64.exe

C:\WINDOWS\system32\mswasie.exe

C:\WINDOWS\system32\drivers\erelog.exe

C:\WINDOWS\nerochk.exe

and paste those into the box in SFP, then click "Continue".

It will create a file called RequestedFile[some numbers].cab on your desktop.

Please go here to upload a suspicious file for analysis.

  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Browse to your desktop for the filename: RequestedFile[some numbers].cab
  • In the comments, please mention that I asked you to upload this file
  • Click on Send File

THANK YOU!!

You need to print this out or save a copy to Notepad for reading because you can NOT have IE/FF or any browser open while doing the fix.

Open HijackThis (unless it's still open from the previous step) and click on Do a system scan only. Place a check mark next to the following:

O2 - BHO: linkprohelper - {11E78485-C932-4944-BDCD-3B57CD676E5C} - (no file)

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: NetCtrl Class - {68FACDB7-76C2-481F-BED0-5176BFC06F40} - C:\WINDOWS\system32\jng.dll (file missing)

O2 - BHO: chkprc Class - {7DA7BE7D-A382-4AA7-A125-CA55A2070125} - C:\WINDOWS\system32\onpcs.dll

O2 - BHO: ApoUp Class - {DA96C092-D3A6-4772-AB95-21523D152BEA} - C:\WINDOWS\system32\apo.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [asro] C:\WINDOWS\asrotray.exe

O4 - HKLM\..\Run: [MSNMessenger] "C:\Program Files\MSN Messenger\Device Manager\Loc\3099\msnmsgr.exe"

O4 - HKLM\..\Run: [Xweb] "C:\Program Files\SoftForum\XecureWeb\ActiveX\Xecureweb.exe"

O4 - HKLM\..\Run: [sdae] "C:\ktf\svchost.exe"

O4 - HKLM\..\Run: [ccman] C:\WINDOWS\system32\ccman.exe

O4 - HKLM\..\Run: [carion] C:\WINDOWS\system32\carion.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [rundl64] C:\WINDOWS\rundl64.exe

O4 - HKLM\..\Run: [exfine] C:\Program Files\Common Files\System\exfine.exe

O4 - HKCU\..\Run: [asro] C:\WINDOWS\asrotray.exe

O4 - HKCU\..\Run: [MSNMessenger] "C:\Program Files\MSN Messenger\Device Manager\Loc\3099\msnmsgr.exe"

O4 - HKCU\..\Run: [Xweb] "C:\Program Files\SoftForum\XecureWeb\ActiveX\Xecureweb.exe"

O4 - HKCU\..\Run: [mswasie.exe] C:\WINDOWS\system32\mswasie.exe

Close ALL other open windows and programs (even this one) and click Fix checked.

Download Combofix to your desktop.

Doubleclick combofix.exe

Follow the prompts.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

Post this log in your next reply together with a new HijackThis log.

Whew!!!! Pretty good start.

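A log triage helper for the kind of HijackThis 1.99 log posted above, added here as an editor's example (it is not code from this thread or from the HijackThis project): it parses the Running processes list and the R/O entries and flags the three things the fix list above keys on, namely entries whose target is "(no file)" or "(file missing)", O23 services with an Unknown owner, and core Windows binary names such as svchost.exe running from outside system32 (the C:\ktf\svchost.exe case). The sample log is constructed from lines quoted in this thread; the flag labels and the set of system-only binary names are my own assumptions.

```python
import re
from dataclasses import dataclass

# Flag labels returned by triage(); constants so callers can match on them (assumed names).
ORPHAN = "orphaned entry: target file absent"
NO_PUBLISHER = "service with no publisher (Unknown owner)"
MASQUERADE = "core Windows binary name outside system32"

# Core binaries that, on Windows XP, legitimately run only from %SystemRoot%\system32.
# Malware reuses these names elsewhere to blend into a process list (assumed set).
SYSTEM_ONLY_NAMES = {"svchost.exe", "lsass.exe", "services.exe",
                     "winlogon.exe", "smss.exe", "csrss.exe"}
SYSTEM32_DIR = r"c:\windows\system32"

# HijackThis entry lines look like "O4 - HKLM\..\Run: [name] "path"" or "R1 - ...".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
QUOTED_PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"')
BARE_PATH_RE = re.compile(r'([A-Za-z]:\\[^\s"]+\.(?:exe|dll|sys))', re.IGNORECASE)

# Constructed sample in the shape HijackThis 1.99.1 writes, mirroring entries quoted
# in this thread (the paths are the ones the helper asked to be fixed or collected).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\ktf\svchost.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: linkprohelper - {11E78485-C932-4944-BDCD-3B57CD676E5C} - (no file)
O2 - BHO: NetCtrl Class - {68FACDB7-76C2-481F-BED0-5176BFC06F40} - C:\WINDOWS\system32\jng.dll (file missing)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [sdae] "C:\ktf\svchost.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Error Event Log (ereventlog) - Unknown owner - C:\WINDOWS\system32\drivers\erelog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass(frozen=True)
class Finding:
    kind: str   # "process" for the process list, else the HJT section code (O2, O4, O23, ...)
    flag: str   # one of ORPHAN, NO_PUBLISHER, MASQUERADE
    line: str   # the log line that triggered the flag


def first_path(body):
    """Return the first Windows path in an entry body, preferring a quoted one."""
    m = QUOTED_PATH_RE.search(body) or BARE_PATH_RE.search(body)
    return m.group(1) if m else None


def is_masquerading(path):
    """True when a core Windows binary name runs from anywhere other than system32."""
    folder, _, name = path.lower().rpartition("\\")
    return name in SYSTEM_ONLY_NAMES and folder != SYSTEM32_DIR


def triage(log_text):
    """Walk a HijackThis log and return the lines a reviewer would look at first."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        entry = ENTRY_RE.match(line)
        if entry is None:
            # Still inside the process list: the only thing to check is the path itself.
            if in_processes and is_masquerading(line):
                findings.append(Finding("process", MASQUERADE, line))
            continue
        in_processes = False  # the first R/O entry ends the process list
        kind, body = entry.group("kind"), entry.group("body")
        if "(no file)" in body or "(file missing)" in body:
            findings.append(Finding(kind, ORPHAN, line))
        if kind == "O23" and "- Unknown owner -" in body:
            findings.append(Finding(kind, NO_PUBLISHER, line))
        path = first_path(body)
        if path and is_masquerading(path):
            findings.append(Finding(kind, MASQUERADE, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.flag}\n    {f.line}")
```

The flags are a first-pass filter only: a legitimate vendor file can be "Unknown owner" and an orphaned entry is harmless by itself, so each hit still needs the file collection and lookup the helper describes.
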
Wow, so pro.

So yeah, if I do that, will the errors or Korean trojans or whatever be deleted/fixed?

Because you say this is a good start....? :wacko:

And after your message there is a line

------------

Then it says things like you need

and things like you want...do I have to download that, or do you just put that in every message you post?

Thanks!

I'm at a community college right now waiting for my sister to finish signing up for some summer college classes, and I'm typing this message to you.

Thanks for helping again!

I'm going to go home and fix this right away!

The line and all below it are just my 'signature'. They are in every post I make.

I said a good start because there WILL be more to do, although what I posted will go a long way toward stopping a lot of your problems. You have SEVERAL MAJOR infections.....we will NOT fix them all in one step, no matter how long and detailed it is.

Well, thank you song~

Here is the ComboFix log file (weirdly, it didn't ask me to reboot the computer).

Combofix log file

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]

"Uniblue RegistryBooster2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

"SystemManager"=C:\WINDOWS\system32\a3p.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]

C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

Usnsvc usnsvc

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

Contents of the 'Scheduled Tasks' folder

2007-06-04 14:53:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

2007-06-02 04:27:01 C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Edmundo Unit.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-04 14:52:02

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Completion time: 2007-06-04 14:52:38

C:\ComboFix-quarantined-files.txt ... 2007-06-04 14:52

--- E O F ---

Here is my new HijackThis log.

Logfile of HijackThis v1.99.1

Scan saved at 2:56:12 PM, on 6/4/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\nvdualhd.exe

C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\explorer.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)

O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [NateOnMain] C:\Program Files\NATEON\Addin\B926D852-194B-4c62-9C73-3F0ECA8950EA\NateOnMain.exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKCU\..\Run: [NateOnMain] C:\Program Files\NATEON\Addin\B926D852-194B-4c62-9C73-3F0ECA8950EA\NateOnMain.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe

O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204

O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB

O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab

O16 - DPF: {7606693A-C18D-4567-AF85-6194FF70761E} (GomWeb Control) - http://app.ipop.co.kr/gom/GomWeb.cab

O16 - DPF: {BCEF5CDE-BAD4-4532-A30B-9D16D502DE69} (BugsInstallEx Control) - http://install.bugs.co.kr/install/BugsInstallerEx.cab

O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Error Event Log (ereventlog) - Unknown owner - C:\WINDOWS\system32\drivers\erelog.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PCI lagacy (PCIlagacy) - Unknown owner - C:\WINDOWS\nerochk.exe

O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

THANK YOU SO MUCH! PLEASE REPLY BACK WITH MORE DETAILS!

peace

P.S. ComboFix created a quarantine folder...what should I do with it?

That's only like 1/4 of what should be in the ComboFix log...will you try and run it again, plz? Don't worry about the quarantine folder just yet...we'll deal with it in time.

If you still haven't rebooted since it ran...manually reboot and run it again, plz.

Edited by jwbirdsong

Yeah, sorry, I carelessly forgot to paste the rest of it in. Stupid me.

Oh, and a quick question before I post.

I remember I was in the regedit place...and I think I accidentally deleted one of my Realtek functions, which automatically detects a headphone/microphone in the beginning, because now I have to constantly go back to the Realtek folder in Program Files and run the audio wizard whenever I want to use my headset.

How can I make it so it functions again whenever I start the computer?

Oh, and the virus doesn't install anymore, woot!

But I know there's still more to do.

"Edmundo Unit" - 2007-06-04 14:48:12 Service Pack 2 NTFS

ComboFix 07-06-3 - Running from: "C:\Documents and Settings\Edmundo Unit\Desktop\"

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\winupdate

C:\WINDOWS\system32\msmon.sys

((((((((((((((((((((((((( Files Created from 2007-05-04 to 2007-06-04 )))))))))))))))))))))))))))))))

2007-06-04 07:51 <DIR> d-------- C:\WINDOWS\1088

2007-06-03 20:52 <DIR> d-------- C:\Program Files\uhelp

2007-06-03 07:58 <DIR> d-------- C:\NVSTEREO.LOG

2007-06-03 07:33 53,248 --a------ C:\WINDOWS\system32\mswasie.exe

2007-06-03 07:33 221,184 --a------ C:\WINDOWS\system32\install.exe

2007-06-01 08:19 222,568 --a------ C:\WINDOWS\system32\carion.exe

2007-05-31 17:16 221,643 --a------ C:\WINDOWS\system32\ccman.exe

2007-05-31 16:34 421 --a------ C:\WINDOWS\system32\ccman.sys

2007-05-31 16:34 218,624 --a------ C:\WINDOWS\system32\ccmansetup.exe

2007-05-31 16:34 <DIR> d-------- C:\ktf

2007-05-31 00:48 69,632 --a------ C:\WINDOWS\rundl64.exe

2007-05-30 12:50 188,416 --a------ C:\WINDOWS\system32\apo.dll

2007-05-30 12:50 <DIR> d-------- C:\WINDOWS\1059

2007-05-30 12:50 <DIR> d-------- C:\WINDOWS\1057

2007-05-29 09:06 347 --a------ C:\WINDOWS\system32\takeup.sys

2007-05-29 09:06 226,304 --a------ C:\WINDOWS\system32\takeup.exe

2007-05-29 09:06 208,896 --a------ C:\WINDOWS\msconfig_uninstaller.exe

2007-05-29 09:06 <DIR> d-------- C:\WINDOWS\system32\nwproc

2007-05-29 09:06 <DIR> d-------- C:\WINDOWS\1045

2007-05-29 09:06 <DIR> d-------- C:\Program Files\nwproc

2007-05-28 15:36 <DIR> d-------- C:\DOCUME~1\Glara\APPLIC~1\Viewpoint

2007-05-28 08:25 <DIR> d-------- C:\WINDOWS\1051

2007-05-26 18:39 204,800 --a------ C:\WINDOWS\system32\urluninstaller.exe

2007-05-24 17:21 1,718 --a------ C:\WINDOWS\system32\exchange.sys

2007-05-22 19:45 458,752 --a------ C:\WINDOWS\LinkProSetupAx_8.exe

2007-05-22 19:45 15,872 --a------ C:\WINDOWS\system32\linkpro.exe

2007-05-20 17:37 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment

2007-05-19 21:29 <DIR> d-------- C:\DOCUME~1\EDMUND~1\APPLIC~1\dvdcss

2007-05-18 22:54 <DIR> d--h----- C:\WINDOWS\HUL

2007-05-15 15:26 <DIR> d-------- C:\WINDOWS\1365

2007-05-14 01:35 246,784 --a------ C:\WINDOWS\dlwl.exe

2007-05-11 16:53 57,344 --a------ C:\WINDOWS\melonsrv.dll

2007-05-11 16:53 40,960 --a------ C:\WINDOWS\nerochk.exe

2007-05-11 16:53 35,840 --a------ C:\WINDOWS\nvdualhd.exe

2007-05-10 21:48 1,543 --a------ C:\WINDOWS\system32\fine.sys

2007-05-10 21:48 1,486 --a------ C:\WINDOWS\uninstall_all.sys

2007-05-10 21:47 <DIR> d-------- C:\WINDOWS\1369

2007-05-10 16:51 <DIR> d-------- C:\WINDOWS\1358

2007-05-08 21:17 345,600 --a------ C:\WINDOWS\system32\super.exe

2007-05-08 21:02 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-03 15:12:13 -------- d-----w C:\DOCUME~1\EDMUND~1\APPLIC~1\Uniblue

2007-06-03 15:05:16 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-06-03 15:05:15 -------- d-----w C:\Program Files\Netmarble

2007-06-03 03:01:18 -------- d-----w C:\Program Files\Windows Media Connect 2

2007-06-02 00:12:06 -------- d-----w C:\Program Files\Common Files\Symantec Shared

2007-05-30 19:52:31 -------- d-----w C:\DOCUME~1\EDMUND~1\APPLIC~1\Lavasoft

2007-05-29 20:38:15 -------- d-----w C:\Program Files\Steam

2007-05-26 04:51:56 -------- d-----w C:\DOCUME~1\EDMUND~1\APPLIC~1\Azureus

2007-05-01 23:49:17 94,208 ----a-w C:\WINDOWS\system32\~res0003.exe

2007-04-29 15:31:55 204,800 ----a-w C:\WINDOWS\system32viuninstaller.exe

2007-04-29 15:31:32 53,248 ----a-w C:\WINDOWS\system32\spintmp.exe

2007-04-26 01:58:32 200,704 ----a-w C:\WINDOWS\system32\pcsafe_uninstaller.exe

2007-04-25 22:58:38 242,688 ----a-w C:\WINDOWS\system32\uninst_vcpr.exe

2007-04-22 00:41:02 204,800 ----a-w C:\WINDOWS\system32\rsq.exe

2007-04-19 03:29:57 -------- d-----w C:\Program Files\Winamp

2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-15 16:45:35 -------- d-----w C:\Program Files\Norton AntiVirus

2007-04-15 16:42:30 -------- d-----w C:\Program Files\Symantec

2007-04-15 16:42:28 48,776 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL

2007-04-15 16:42:28 115,000 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS

2007-04-14 04:40:48 204,800 ----a-w C:\WINDOWS\system32\viuninstaller.exe

2007-04-14 04:34:02 242,176 ----a-w C:\WINDOWS\system32\uninst_zerov.exe

2007-04-11 22:49:17 94,309 ----a-w C:\WINDOWS\Nate_Setup19.exe

2007-04-10 01:59:44 200,704 ----a-w C:\WINDOWS\system32\vacprouninstaller.exe

2007-04-08 03:56:02 -------- d-----w C:\Program Files\iTunes

2007-04-08 03:55:53 -------- d-----w C:\Program Files\iPod

2007-04-08 03:55:26 -------- d-----w C:\Program Files\QuickTime

2007-04-08 03:53:15 -------- d-----w C:\Program Files\Apple Software Update

2007-03-29 20:51:46 300,784 ----a-w C:\WINDOWS\system32\Bugsctrl.dll

2007-03-29 01:51:54 538,256 ----a-w C:\WINDOWS\system32\SymNeti.dll

2007-03-29 01:51:52 161,424 ----a-w C:\WINDOWS\system32\SymRedir.dll

2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll

2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll

2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll

2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll

2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys

2007-03-08 03:02:36 6,420,160 ----a-w C:\WINDOWS\system32\FoxSetup_Monkey3.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 02:56]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-04-17 13:32]

{A8F38D8D-E480-4D52-B7A2-731BB6995FDD}=C:\Program Files\Norton AntiVirus\NavShExt.dll [2007-04-02 19:19]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"@"="" []

"NateOnMain"="C:\Program Files\NATEON\Addin\B926D852-194B-4c62-9C73-3F0ECA8950EA\NateOnMain.exe" []

"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 23:19]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-03 17:33]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NateOnMain"="C:\Program Files\NATEON\Addin\B926D852-194B-4c62-9C73-3F0ECA8950EA\NateOnMain.exe" []

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]

"Uniblue RegistryBooster2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

"SystemManager"=C:\WINDOWS\system32\a3p.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]

C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

Usnsvc usnsvc

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

Contents of the 'Scheduled Tasks' folder

2007-06-04 14:53:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

2007-06-02 04:27:01 C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Edmundo Unit.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-04 14:52:02

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Completion time: 2007-06-04 14:52:38

C:\ComboFix-quarantined-files.txt ... 2007-06-04 14:52

--- E O F ---


Please download OTMoveIt by OldTimer:

  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose "Copy"):
    C:\WINDOWS\asrotray.exe
    C:\ktf\
    C:\WINDOWS\system32\onpcs.dll
    C:\WINDOWS\system32\apo.dll
    C:\WINDOWS\system32\a3p.exe
    C:\WINDOWS\asrotray.exe
    C:\WINDOWS\system32\ccman.exe
    C:\WINDOWS\system32\carion.exe
    C:\WINDOWS\rundl64.exe
    C:\WINDOWS\system32\mswasie.exe
    C:\WINDOWS\system32\drivers\erelog.exe
    C:\WINDOWS\nerochk.exe

  • Return to OTMoveIt, right-click on the "Paste List of Files/Folders to be Moved" window and choose "Paste".
  • Click the red "MoveIt!" button.
  • Close OTMoveIt.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".

Copy the following RED lines to Notepad and save it on your desktop as "fix.reg". When you are naming the file to save on the desktop, make sure you use the quotes just like I did, else the file won't run right.

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

"SystemManager"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"appinit_dlls"=-

If you saved it right it will have an icon like reg.jpg

Right-click on the fix.reg file and choose Merge. Answer YES when asked if you are sure you want to merge. Close the window.

Clean your Cache and Cookies in IE:

Go to Control Panel > Internet Options > General tab.

Click the "Delete Cookies" button and then the "Delete Files" button next to it.

When prompted, place a check in: "Delete all offline content".

(You will have to re-enter passwords at websites that require them.)

Click OK

Clean other Temporary files + Recycle bin:

Go to start > run and type: cleanmgr and click ok.

Let it scan your system for files to remove.

Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.

Press OK to remove them.

Please go HERE to run Panda's ActiveScan

  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Please post the log from OTMoveIt, located here:

C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

where mmddyyyy_hhmmss is the date of the tool run, along with a fresh HijackThis log.

Edited by jwbirdsong
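As an added illustration, not part of this thread or of ComboFix, OTMoveIt or HijackThis, this Python parses the "Reg Loading Points" section in the ComboFix log format shown above and writes a REGEDIT4 deletion file of the same shape as the helper's fix.reg. The sample log is constructed from entries quoted in this thread, and the review heuristics are my own.

```python
"""Parse the "Reg Loading Points" section of a ComboFix log (format shown in this
thread) and emit a REGEDIT4 file that deletes chosen values via "name"=-."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, assembled from entries quoted earlier in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"NateOnMain"="C:\Program Files\NATEON\Addin\B926D852-194B-4c62-9C73-3F0ECA8950EA\NateOnMain.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 23:19]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"SystemManager"=C:\WINDOWS\system32\a3p.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll
"""

@dataclass
class LoadPoint:
    key: str              # registry key the entry lives under
    name: Optional[str]   # value name; None for bare lines such as Winlogon\Notify DLLs
    data: str             # image path or DLL name exactly as logged
    args: str             # trailing arguments, e.g. "/background"
    stamp: Optional[str]  # file timestamp ComboFix printed in [...]; None if no brackets

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<rest>.*)$')
STAMP_RE = re.compile(r"\s*\[(?P<stamp>[^\]]*)\]\s*$")

def parse_loading_points(text: str) -> List[LoadPoint]:
    """Turn the log section into one LoadPoint per autostart entry."""
    points: List[LoadPoint] = []
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*Note*"):
            continue
        km = KEY_RE.match(line)
        if km:
            key = km["key"]
            continue
        if key is None:
            continue  # banner text before the first key header
        stamp = None
        sm = STAMP_RE.search(line)
        if sm:  # trailing [date time], or an empty [] when no file date was logged
            stamp, line = sm["stamp"], line[: sm.start()]
        vm = VALUE_RE.match(line)
        if not vm:
            points.append(LoadPoint(key, None, line, "", stamp))
            continue
        rest = vm["rest"]
        if rest.startswith('"'):  # quoted path, possibly followed by arguments
            end = rest.find('"', 1)
            data, args = rest[1:end], rest[end + 1:].strip()
        else:                     # unquoted REG_SZ, as in the policies\explorer\Run line
            data, args = rest.strip(), ""
        points.append(LoadPoint(key, vm["name"], data, args, stamp))
    return points

# Locations the helper's fix.reg touched: the policy Run key is rare in consumer software,
# AppInit_DLLs injects into every user32-linked process. Heuristics here are my own.
REVIEW_KEYS = (r"\currentversion\policies\explorer\run",
               r"\windows nt\currentversion\windows", r"\currentversion\winlogon\notify")

def review_candidates(points: List[LoadPoint]) -> List[Tuple[LoadPoint, str]]:
    """Return entries worth a closer look, each paired with the reason."""
    flagged = []
    for p in points:
        if not p.data:
            continue  # "@"="" placeholders launch nothing
        if any(k in p.key.lower() for k in REVIEW_KEYS):
            flagged.append((p, "sensitive autostart location"))
        elif p.stamp == "":
            flagged.append((p, "no file timestamp in log"))
    return flagged

def build_reg_delete(points: List[LoadPoint]) -> str:
    """Emit a REGEDIT4 file removing the given values ("name"=- deletes a value, [-KEY]
    a whole key). regedit wants CRLF endings, a closing blank line and ANSI encoding."""
    groups = {}
    for p in points:
        if p.name is not None:  # bare lines carry no value name to delete
            groups.setdefault(p.key, []).append(p.name)
    lines = ["REGEDIT4", ""]
    for key, names in groups.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
        lines.append("")
    return "\r\n".join(lines) + "\r\n"

if __name__ == "__main__":
    pts = parse_loading_points(SAMPLE_LOG)
    for p, why in review_candidates(pts):
        print(f"{why:30} {p.name!r:16} -> {p.data}")
    # Reproduce the helper's fix.reg: drop exactly the two values they removed.
    print(build_reg_delete([p for p in pts if p.name in ("SystemManager", "appinit_dlls")]))
```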


Before I post I think I need to tell you why Panda detected so much spyware.

My sister and my dad have accounts on this computer also..and I don't think they deleted the temporary internet files WHICH I WILL DO and WHICH I APOLOGIZE FOR NOT TELLING BEFOREHAND (if there are any mistakes I have made -__-)

So yea and the weird thing is..when Panda was scanning...AVG detected (maybe it is just infected) a backup file in the HijackThis backups folder stated as a threat because the description stated some Trojan horse Generic4.SQG and the dll name was backup-20070604-144722-876.dll

It indeed was a backup copy and infected. (I double checked)

I'm just going to leave it in the Virus Vault for now.

So yea tomorrow I'll delete every temporary internet file from my sister's and dad's accounts.

Here is the OTMoveIt log:

C:\WINDOWS\asrotray.exe moved successfully.

Folder C:\ktf\ not found.

File/Folder C:\WINDOWS\system32\onpcs.dll not found.

File/Folder C:\WINDOWS\system32\apo.dll not found.

C:\WINDOWS\system32\a3p.exe moved successfully.

File/Folder C:\WINDOWS\asrotray.exe not found.

C:\WINDOWS\system32\ccman.exe moved successfully.

C:\WINDOWS\system32\carion.exe moved successfully.

C:\WINDOWS\rundl64.exe moved successfully.

C:\WINDOWS\system32\mswasie.exe moved successfully.

C:\WINDOWS\system32\drivers\erelog.exe moved successfully.

C:\WINDOWS\nerochk.exe moved successfully.

Created on 06/05/2007 21:52:35

Here is the Panda Scan log

(wow a lot of spyware..probably because of the other accounts mentioned above)

Incident Status Location

Virus:Trj/Agent.FHL Disinfected Operating system

Virus:Trj/Agent.FHL Disinfected Operating system

Adware:adware/statblaster Not disinfected Windows Registry

Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.statcounter.com/]

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.doubleclick.net/]

Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.trafficmp.com/]

Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.fastclick.net/]

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[ad.yieldmanager.com/]

Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.fastclick.net/]

Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.trafficmp.com/]

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[ad.yieldmanager.com/]

Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.trafficmp.com/]

Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.fastclick.net/]

Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.trafficmp.com/]

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.atdmt.com/]

Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.casalemedia.com/]

Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.advertising.com/]

Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.tribalfusion.com/]

Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.ads.pointroll.com/]

Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.mediaplex.com/]

Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[searchportal.information.com/]

Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.revenue.net/]

Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.questionmarket.com/]

Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.adrevolver.com/]

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.com.com/]

Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.zedo.com/]

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.atwola.com/]

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.2o7.net/]

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Edmundo Unit\Desktop\ComboFix.exe[ComboFixT\nircmd.exe]

Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.advertising.com/]

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.doubleclick.net/]

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.2o7.net/]

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.atwola.com/]

Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.tribalfusion.com/]

Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.adrevolver.com/]

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.atdmt.com/]

Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.realmedia.com/]

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[ad.yieldmanager.com/]

Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[server.iad.liveperson.net/hc/LPpacificsunwear]

Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[server.iad.liveperson.net/]

Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[server.iad.liveperson.net/hc/LPpacificsunwear]

Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.overture.com/]

Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.perf.overture.com/]

Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.casalemedia.com/]

Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.trafficmp.com/]

Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.zedo.com/]

Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.ads.pointroll.com/]

Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.fastclick.net/]

Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[counter.hitslink.com/]

Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.mediaplex.com/]

Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.bluestreak.com/]

Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.questionmarket.com/]

Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.statcounter.com/]

Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.burstnet.com/]

Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.serving-sys.com/]

Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.hitbox.com/]

Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.ehg-dig.hitbox.com/]

Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.tradedoubler.com/]

Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[searchportal.information.com/]

Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[statse.webtrendslive.com/S148222]

Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[statse.webtrendslive.com/]

Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[statse.webtrendslive.com/S148222]

Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.247realmedia.com/]

Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.entrepreneur.com/]

Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][2].txt

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][2].txt

Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt

Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt

Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][2].txt

Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][2].txt

Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][2].txt

Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][2].txt

Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][2].txt

Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][2].txt

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][2].txt

Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt

Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt

Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt

Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt

Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt

Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][2].txt

Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt

Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][2].txt

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt

Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt

Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][2].txt

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt

Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt

Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt

Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][2].txt

Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][2].txt

Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][2].txt

Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][3].txt

Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt

Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][2].txt

Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][2].txt

Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt

Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][2].txt

Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt

Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected]dia[2].txt

Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt

Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][2].txt

Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][5].txt

Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt

Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt

Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][2].txt

Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][2].txt

Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][2].txt

Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt

Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt

Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Glara\Cookies\glara[email protected][1].txt

Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][2].txt

Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][2].txt

Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt

Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt

Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt

Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt

Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt

Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt

Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Glara\Local Settings\Temp\Cookies\[email protected][1].txt

Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Glara\Local Settings\Temp\Cookies\[email protected][2].txt

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Glara\Local Settings\Temp\Cookies\[email protected][2].txt

Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Glara\Local Settings\Temp\Cookies\[email protected][1].txt

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Glara\Local Settings\Temp\Cookies\[email protected][1].txt

Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Glara\Local Settings\Temp\Cookies\[email protected][2].txt

Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Glara\Local Settings\Temp\Cookies\[email protected][1].txt

Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Glara\Local Settings\Temp\Cookies\[email protected][1].txt

Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Glara\Local Settings\Temp\Cookies\[email protected][2].txt

Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Glara\Local Settings\Temp\Cookies\[email protected][1].txt

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rjjdmvmu.default\cookies.txt[.doubleclick.net/]

Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rjjdmvmu.default\cookies.txt[.fastclick.net/]

Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rjjdmvmu.default\cookies.txt[.tribalfusion.com/]

Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rjjdmvmu.default\cookies.txt[.questionmarket.com/]

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rjjdmvmu.default\cookies.txt[.atdmt.com/]

Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rjjdmvmu.default\cookies.txt[.realmedia.com/]

Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rjjdmvmu.default\cookies.txt[.mediaplex.com/]

Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rjjdmvmu.default\cookies.txt[.advertising.com/]

Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rjjdmvmu.default\cookies.txt[.casalemedia.com/]

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rjjdmvmu.default\cookies.txt[.ad.yieldmanager.com/]

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rjjdmvmu.default\cookies.txt[ad.yieldmanager.com/]

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rjjdmvmu.default\cookies.txt[.ad.yieldmanager.com/]

Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rjjdmvmu.default\cookies.txt[.ads.pointroll.com/]

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rjjdmvmu.default\cookies.txt[.microsofteup.112.2o7.net/]

Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rjjdmvmu.default\cookies.txt[.go.com/]

Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rjjdmvmu.default\cookies.txt[.statse.webtrendslive.com/S134168]

Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rjjdmvmu.default\cookies.txt[.statse.webtrendslive.com/S0014-01-3-13-180631-60051]

Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][3].txt

Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Virus:Bck/Agent.FKJ Disinfected C:\WINDOWS\1045\JJG_setup.exe

Virus:Trj/Agent.FHL Disinfected C:\WINDOWS\melonsrv.dll

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe

Virus:Trj/Agent.FHL Disinfected C:\WINDOWS\system32\~res0003.exe

Virus:Trj/Agent.FHL Disinfected C:\_OTMoveIt\MovedFiles\WINDOWS\nerochk.exe

Virus:Trj/Agent.FHL Disinfected C:\_OTMoveIt\MovedFiles\WINDOWS\system32\drivers\erelog.exe

THIS IS THE FRESH (after scanning with panda and "moving it") HIJACKTHIS log

Logfile of HijackThis v1.99.1

Scan saved at 11:17:55 PM, on 6/5/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\ALCWZRD.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)

O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [NateOnMain] C:\Program Files\NATEON\Addin\B926D852-194B-4c62-9C73-3F0ECA8950EA\NateOnMain.exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [MSNMessenger] "C:\Program Files\MSN Messenger\Device Manager\Loc\3099\msnmsgr.exe"

O4 - HKLM\..\Run: [asro] C:\WINDOWS\asrotray.exe

O4 - HKCU\..\Run: [NateOnMain] C:\Program Files\NATEON\Addin\B926D852-194B-4c62-9C73-3F0ECA8950EA\NateOnMain.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe

O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204

O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB

O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab

O16 - DPF: {7606693A-C18D-4567-AF85-6194FF70761E} (GomWeb Control) - http://app.ipop.co.kr/gom/GomWeb.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {BCEF5CDE-BAD4-4532-A30B-9D16D502DE69} (BugsInstallEx Control) - http://install.bugs.co.kr/install/BugsInstallerEx.cab

O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Error Event Log (ereventlog) - Unknown owner - C:\WINDOWS\system32\drivers\erelog.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PCI lagacy (PCIlagacy) - Unknown owner - C:\WINDOWS\nerochk.exe (file missing)

O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

P.S. thank you for helping me so much. I have never felt luckier.

THANK YOU SERIOUSLY! :thumbsup:


Open HijackThis and check the following

O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)

O4 - HKLM\..\Run: [asro] C:\WINDOWS\asrotray.exe

Close ALL other windows and programs (even this one) and click Fix checked.

Yeah, just do the clear cache and cookies step that I posted for EVERY profile the computer has.

How is everything running now?

PS: AVG popped up like that because an infected file was being "read or written to", i.e. read by Panda...

It's normal.


Everything worked fine after the first post you made (and you're a mother freakin' genius).

Thank you for everything. And yeah, I removed the last two.

Thanks for being there for me so quick.

Matt told me that you techies had like finals and stuff to study for (our high school, being charter, got out a month earlier than all of you guys, yet we start a month earlier T_T).

So yeah, and are you Korean? Because your name is birdsong and I have a friend named Daniel Song and I call him songbird.

lol, that was random, but yeah, everything works fine. THANKS MAN!

Hope to encounter you again haha


NOT ONLY THAT,

but what should I do with the quarantined files in the OTMoveIt folder and the Qoobox folder?

Shouldn't I delete those files?

Not only that, but what should I do with the "fix.reg" file? Just leave it on my desktop?

And that DLL that was infected... what should I do with that (the one AVG detected as infected)? Should I just leave it as is or delete it?

Thanks


Well, it's true what Matt said about finals etc., but I've been out of college for 35 years or so, so it didn't really pertain to me... lol

No, I live in the US.

Post me one final(?) HijackThis log please.


Hey, you still didn't tell me what to do with the moved files. Should I delete them?

Not only that... but today I turned on my computer... and this bmpatch.exe installed itself on my computer.

What is that?

I searched it on Google and it showed up on like Chinese sites..?

Should I delete it or what?

Oh, btw, here's a new HijackThis log.

Please tell me what to do with the quarantined and moved files...

And why did this bmpatch.exe install itself on my computer?

Is it a program extension?

It's on my C drive in Program Files in a folder called "pcmedic".

And the files inside include bmpatch.exe, pcmedic.dll2, and pcmedic.exe2.

PLEASE HELP!

This is my HijackThis log:

Logfile of HijackThis v1.99.1

Scan saved at 9:02:18 PM, on 6/9/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\MSN Messenger\Device Manager\Loc\3099\msnmsgr.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\Program Files\AIM\aim.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\pcmedic\bmpatch.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Norton AntiVirus\NAVW32.EXE

C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [NateOnMain] C:\Program Files\NATEON\Addin\B926D852-194B-4c62-9C73-3F0ECA8950EA\NateOnMain.exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [MSNMessenger] "C:\Program Files\MSN Messenger\Device Manager\Loc\3099\msnmsgr.exe"

O4 - HKLM\..\Run: [pcmedic] C:\Program Files\pcmedic\pcmedic.exe Icon <---- what is that?

O4 - HKCU\..\Run: [NateOnMain] C:\Program Files\NATEON\Addin\B926D852-194B-4c62-9C73-3F0ECA8950EA\NateOnMain.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

O4 - HKCU\..\Run: [MSNMessenger] "C:\Program Files\MSN Messenger\Device Manager\Loc\3099\msnmsgr.exe"

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe

O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204

O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB

O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab

O16 - DPF: {7606693A-C18D-4567-AF85-6194FF70761E} (GomWeb Control) - http://app.ipop.co.kr/gom/GomWeb.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {BCEF5CDE-BAD4-4532-A30B-9D16D502DE69} (BugsInstallEx Control) - http://install.bugs.co.kr/install/BugsInstallerEx.cab

O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Error Event Log (ereventlog) - Unknown owner - C:\WINDOWS\system32\drivers\erelog.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PCI lagacy (PCIlagacy) - Unknown owner - C:\WINDOWS\nerochk.exe (file missing)

O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


The ones in the moved files. I deleted them... because every one I searched on Google dealt with Korean sites and viruses etc.

So please help!

Should I delete the msmon.sys.vir file also? In the Qoobox folder, from ComboFix I believe.


As far as deleting the 'moved' files... we'll remove them once you are ALL clean; there is not much sense in deleting a folder if we may just recreate it later... the files that are in those folders are safe for now...

Go to Start > Run > type in cmd, hit Enter.

Enter the following lines, one at a time, with Enter after each one.

sc stop ereventlog

sc delete ereventlog

Close the command window now.

Open HijackThis and put a check next to

O4 - HKLM\..\Run: [pcmedic] C:\Program Files\pcmedic\pcmedic.exe Icon

Close ALL windows and click fix checked.

Now DELETE the Combofix you have on your Desktop.

Download the version from HERE

and run it.

NOTE: it is VERY important NOT to click or do anything else while ComboFix is running... it may seem like it has stalled out at times, so just be patient.

Post the latest ComboFix log.

Edited by jwbirdsong

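The two fix posts above (the O2/O4 entries to check in HijackThis, and the sc stop / sc delete pair for the orphaned ereventlog service) are the helper reading the log by eye. The block below is an added example, not code from the thread or from HijackThis, ComboFix or OTMoveIt: a Python triage script that applies the same checks to HijackThis log text and emits the sc.exe commands for every O23 service reported with "(file missing)". The sample input is a handful of lines copied from the logs posted in this thread; the Windows root path and the heuristics (binary launched from the C:\WINDOWS root, unquoted path with spaces, "Unknown owner") are my assumptions and produce leads to review, not verdicts. The sc commands it prints still have to be run from an administrator cmd prompt on the affected machine.

```python
"""Triage a HijackThis v1.99 log the way the helper in this thread does by hand:
flag BHO/button entries with no backing file, Run keys that launch from odd
places, and services whose binary is missing, then build the sc.exe commands
that remove the orphaned services.  Added example; not part of the forum
thread and not code from HijackThis, ComboFix or OTMoveIt."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Constructed sample input: a few lines excerpted from the logs posted above.
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [asro] C:\WINDOWS\asrotray.exe
O4 - HKLM\..\Run: [pcmedic] C:\Program Files\pcmedic\pcmedic.exe Icon
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: Error Event Log (ereventlog) - Unknown owner - C:\WINDOWS\system32\drivers\erelog.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PCI lagacy (PCIlagacy) - Unknown owner - C:\WINDOWS\nerochk.exe (file missing)
"""

WINDIR = r"C:\WINDOWS"  # assumption: default XP system root, as in the posted logs

RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - (?P<owner>.+?) - (?P<path>.+)$"
)
# First executable-looking token of a Run command, quoted or not.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.(?:exe|dll|scr|bat|cmd))"?', re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section tag, e.g. "O23"
    subject: str  # Run value name, CLSID or service short name
    reason: str
    line: str


def _run_findings(m: re.Match, line: str) -> list[Finding]:
    cmd = m["cmd"]
    exe = EXE_RE.match(cmd)
    if not exe:
        return [Finding("O4", m["name"], "no recognisable executable in command", line)]
    path = exe["exe"]
    out = []
    # Binaries dropped straight into the Windows root (not system32) are a classic
    # malware location; asrotray.exe and nerochk.exe in this thread both live there.
    if ntpath.dirname(path).lower() == WINDIR.lower():
        out.append(Finding("O4", m["name"], "executable launched from the Windows root", line))
    # An unquoted path containing spaces is worth a look on its own (heuristic).
    if " " in path and not cmd.startswith('"'):
        out.append(Finding("O4", m["name"], "unquoted path with spaces", line))
    return out


def _service_findings(m: re.Match, line: str) -> list[Finding]:
    short = m["short"] or m["display"]  # sc.exe wants the short name when HJT shows one
    if "(file missing)" in m["path"]:
        return [Finding("O23", short, "service binary missing (orphaned service)", line)]
    if m["owner"] == "Unknown owner":
        return [Finding("O23", short, "unknown owner", line)]
    return []


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("O2 - ", "O9 - ")) and line.endswith("(no file)"):
            clsid = CLSID_RE.search(line)
            findings.append(Finding(line[:2], clsid.group(0) if clsid else "?",
                                    "registered COM object with no backing file", line))
        elif (m := RUN_RE.match(line)):
            findings.extend(_run_findings(m, line))
        elif (m := SERVICE_RE.match(line)):
            findings.extend(_service_findings(m, line))
    return findings


def service_removal_commands(findings: list[Finding]) -> list[str]:
    """The 'sc stop X' / 'sc delete X' pairs the helper dictates, one per orphaned service."""
    cmds: list[str] = []
    for f in findings:
        if f.section == "O23" and f.reason.startswith("service binary missing"):
            cmds += [f"sc stop {f.subject}", f"sc delete {f.subject}"]
    return cmds


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.section}] {f.subject}: {f.reason}")
    print("\n".join(service_removal_commands(found)))
```

Run on the sample it reports the orphaned O2 and O9 CLSIDs, the asro and pcmedic Run entries, and the two missing-binary services, and prints sc stop/sc delete for ereventlog and PCIlagacy. Feed it a whole log with `triage(open("hijackthis.log").read())`; anything it flags is a lead to confirm against the file on disk, not a reason to delete on sight.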

ComboFix 07-06-13.3 - C:\Documents and Settings\Edmundo Unit\Desktop\ComboFix.exe

"Edmundo Unit" - 2007-06-12 21:23:58 - Service Pack 2 NTFS

((((((((((((((((((((((((( Files Created from 2007-05-13 to 2007-06-13 )))))))))))))))))))))))))))))))

2007-06-12 21:18 337,920 --a------ C:\WINDOWS\system32\bmdelete.exe

2007-06-05 22:02 <DIR> d-------- C:\WINDOWS\system32\ActiveScan

2007-06-04 14:52 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-06-04 07:51 <DIR> d-------- C:\WINDOWS\1088

2007-06-03 07:58 <DIR> d-------- C:\NVSTEREO.LOG

2007-06-03 07:33 221,184 --a------ C:\WINDOWS\system32\install.exe

2007-05-31 16:34 421 --a------ C:\WINDOWS\system32\ccman.sys

2007-05-31 16:34 218,624 --a------ C:\WINDOWS\system32\ccmansetup.exe

2007-05-30 12:50 <DIR> d-------- C:\WINDOWS\1059

2007-05-30 12:50 <DIR> d-------- C:\WINDOWS\1057

2007-05-29 09:06 347 --a------ C:\WINDOWS\system32\takeup.sys

2007-05-29 09:06 226,304 --a------ C:\WINDOWS\system32\takeup.exe

2007-05-29 09:06 208,896 --a------ C:\WINDOWS\msconfig_uninstaller.exe

2007-05-29 09:06 <DIR> d-------- C:\WINDOWS\system32\nwproc

2007-05-29 09:06 <DIR> d-------- C:\WINDOWS\1045

2007-05-29 09:06 <DIR> d-------- C:\Program Files\nwproc

2007-05-28 15:36 <DIR> d-------- C:\DOCUME~1\Glara\APPLIC~1\Viewpoint

2007-05-28 08:25 <DIR> d-------- C:\WINDOWS\1051

2007-05-26 18:39 204,800 --a------ C:\WINDOWS\system32\urluninstaller.exe

2007-05-24 17:21 1,718 --a------ C:\WINDOWS\system32\exchange.sys

2007-05-22 19:45 458,752 --a------ C:\WINDOWS\LinkProSetupAx_8.exe

2007-05-22 19:45 15,872 --a------ C:\WINDOWS\system32\linkpro.exe

2007-05-20 17:37 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment

2007-05-19 21:29 <DIR> d-------- C:\DOCUME~1\EDMUND~1\APPLIC~1\dvdcss

2007-05-18 22:54 <DIR> d--h----- C:\WINDOWS\HUL

2007-05-15 15:26 <DIR> d-------- C:\WINDOWS\1365

2007-05-14 01:35 246,784 --a------ C:\WINDOWS\dlwl.exe

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-08 03:09:09 -------- d-----w C:\Program Files\Common Files\Symantec Shared

2007-06-06 05:54:29 -------- d-----w C:\Program Files\Symantec

2007-06-06 05:45:57 -------- d-----w C:\Program Files\Messenger

2007-06-06 05:40:04 -------- d-----w C:\Program Files\Easy CD-DA Extractor 10

2007-06-06 05:34:48 -------- d-----w C:\Program Files\AlienGUIse

2007-06-06 05:14:28 -------- d-----w C:\DOCUME~1\EDMUND~1\APPLIC~1\Symantec

2007-06-03 15:12:13 -------- d-----w C:\DOCUME~1\EDMUND~1\APPLIC~1\Uniblue

2007-06-03 15:05:16 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-06-03 15:05:15 -------- d-----w C:\Program Files\Netmarble

2007-06-03 03:01:18 -------- d-----w C:\Program Files\Windows Media Connect 2

2007-05-31 23:34:24 1,486 ----a-w C:\WINDOWS\uninstall_all.sys

2007-05-30 19:52:31 -------- d-----w C:\DOCUME~1\EDMUND~1\APPLIC~1\Lavasoft

2007-05-29 20:38:15 -------- d-----w C:\Program Files\Steam

2007-05-26 04:51:56 -------- d-----w C:\DOCUME~1\EDMUND~1\APPLIC~1\Azureus

2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

2007-05-11 04:48:13 1,543 ----a-w C:\WINDOWS\system32\fine.sys

2007-05-09 04:17:51 345,600 ----a-w C:\WINDOWS\system32\super.exe

2007-05-09 04:02:15 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2

2007-04-29 15:31:55 204,800 ----a-w C:\WINDOWS\system32viuninstaller.exe

2007-04-29 15:31:32 53,248 ----a-w C:\WINDOWS\system32\spintmp.exe

2007-04-26 01:58:32 200,704 ----a-w C:\WINDOWS\system32\pcsafe_uninstaller.exe

2007-04-25 22:58:38 242,688 ----a-w C:\WINDOWS\system32\uninst_vcpr.exe

2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll

2007-04-22 00:41:02 204,800 ----a-w C:\WINDOWS\system32\rsq.exe

2007-04-19 03:29:57 -------- d-----w C:\Program Files\Winamp

2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

2007-04-17 05:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll

2007-04-17 05:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll

2007-04-15 16:45:35 -------- d-----w C:\Program Files\Norton AntiVirus

2007-04-15 16:42:28 48,776 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL

2007-04-15 16:42:28 115,000 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS

2007-04-14 04:40:48 204,800 ----a-w C:\WINDOWS\system32\viuninstaller.exe

2007-04-14 04:34:02 242,176 ----a-w C:\WINDOWS\system32\uninst_zerov.exe

2007-04-11 22:49:17 94,309 ----a-w C:\WINDOWS\Nate_Setup19.exe

2007-04-10 01:59:44 200,704 ----a-w C:\WINDOWS\system32\vacprouninstaller.exe

2007-03-29 20:51:46 300,784 ----a-w C:\WINDOWS\system32\Bugsctrl.dll

2007-03-29 01:51:54 538,256 ----a-w C:\WINDOWS\system32\SymNeti.dll

2007-03-29 01:51:52 161,424 ----a-w C:\WINDOWS\system32\SymRedir.dll

2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 02:56]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-04-17 13:32]

{A8F38D8D-E480-4D52-B7A2-731BB6995FDD}=C:\Program Files\Norton AntiVirus\NavShExt.dll [2007-04-02 19:19]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"@"="" []

"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 23:19]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-03 17:33]

"nwiz"="nwiz.exe" [2006-03-09 15:29 C:\WINDOWS\system32\nwiz.exe]

"MSNMessenger"="C:\Program Files\MSN Messenger\Device Manager\Loc\3099\msnmsgr.exe" [2007-04-07 11:29]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]

"Uniblue RegistryBooster2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

"MSNMessenger"="C:\Program Files\MSN Messenger\Device Manager\Loc\3099\msnmsgr.exe" [2007-04-07 11:29]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

"SystemManager"=C:\WINDOWS\system32\a3p.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]

C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

Usnsvc usnsvc

Contents of the 'Scheduled Tasks' folder

2007-06-04 14:53:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

2007-06-09 03:00:16 C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Edmundo Unit.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-12 21:27:16

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Completion time: 2007-06-12 21:27:52

C:\ComboFix-quarantined-files.txt ... 2007-06-12 21:27

C:\ComboFix2.txt ... 2007-06-04 14:52

--- E O F ---

Yeah, even if I do combofix.exe and HijackThis scans,

I believe I'm still getting signs of this Korean stuff.

Not only that, but I think now it's weekly... instead of daily that these things show up.

I scanned with HijackThis today and it scanned 3 ctfmon.exe, usually only scanning one.

And I found out that two of them were in the WINDOWS folder, so I checked what it was.

And it was in Korean again -_-, and definitely not related to Microsoft Office.

PLEASE HELP!
