edmandoo Posted June 4, 2007

Logfile of HijackThis v1.99.1
Scan saved at 8:23:13 AM, on 6/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\nvdualhd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\asrotray.exe
C:\Program Files\MSN Messenger\Device Manager\Loc\3099\msnmsgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\ktf\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Edmundo Unit\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: linkprohelper - {11E78485-C932-4944-BDCD-3B57CD676E5C} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: NetCtrl Class - {68FACDB7-76C2-481F-BED0-5176BFC06F40} - C:\WINDOWS\system32\jng.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: chkprc Class - {7DA7BE7D-A382-4AA7-A125-CA55A2070125} - C:\WINDOWS\system32\onpcs.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: ApoUp Class - {DA96C092-D3A6-4772-AB95-21523D152BEA} - C:\WINDOWS\system32\apo.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [asro] C:\WINDOWS\asrotray.exe
O4 - HKLM\..\Run: [NateOnMain] C:\Program Files\NATEON\Addin\B926D852-194B-4c62-9C73-3F0ECA8950EA\NateOnMain.exe
O4 - HKLM\..\Run: [MSNMessenger] "C:\Program Files\MSN Messenger\Device Manager\Loc\3099\msnmsgr.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Xweb] "C:\Program Files\SoftForum\XecureWeb\ActiveX\Xecureweb.exe"
O4 - HKLM\..\Run: [sdae] "C:\ktf\svchost.exe"
O4 - HKLM\..\Run: [ccman] C:\WINDOWS\system32\ccman.exe
O4 - HKLM\..\Run: [carion] C:\WINDOWS\system32\carion.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [rundl64] C:\WINDOWS\rundl64.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [exfine] C:\Program Files\Common Files\System\exfine.exe
O4 - HKCU\..\Run: [asro] C:\WINDOWS\asrotray.exe
O4 - HKCU\..\Run: [MSNMessenger] "C:\Program Files\MSN Messenger\Device Manager\Loc\3099\msnmsgr.exe"
O4 - HKCU\..\Run: [NateOnMain] C:\Program Files\NATEON\Addin\B926D852-194B-4c62-9C73-3F0ECA8950EA\NateOnMain.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Xweb] "C:\Program Files\SoftForum\XecureWeb\ActiveX\Xecureweb.exe"
O4 - HKCU\..\Run: [mswasie.exe] C:\WINDOWS\system32\mswasie.exe
O4 - HKCU\..\Run: [uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [iNTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {7606693A-C18D-4567-AF85-6194FF70761E} (GomWeb Control) - http://app.ipop.co.kr/gom/GomWeb.cab
O16 - DPF: {BCEF5CDE-BAD4-4532-A30B-9D16D502DE69} (BugsInstallEx Control) - http://install.bugs.co.kr/install/BugsInstallerEx.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Error Event Log (ereventlog) - Unknown owner - C:\WINDOWS\system32\drivers\erelog.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCI lagacy (PCIlagacy) - Unknown owner - C:\WINDOWS\nerochk.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
jwbirdsong Posted June 4, 2007

Well, you have got a couple of different infections...some Korean trojans, probably an IRC bot or two...but you have a couple of unknowns also. So as a first step I'd like to do a little file collecting.

First (and this is VERY important)..Delete the HijackThis from your desktop.
Click here to download HJTsetup.exe
Save HJTsetup.exe to your desktop.
Doubleclick on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This. You can leave it open, you'll need it in a minute.

Now go to Start>Run> type in cmd hit enter
Copy the following 2 lines, one at a time, into the command prompt that opens then hit enter after each one.
sc stop ereventlog
sc stop PCIlagacy
Close the command window now

Please download Suspicious file Packer from HERE then unzip it to your desktop.
Run SFP.exe.
Please copy the following lines by highlighting them all and then Right click and choose copy
C:\WINDOWS\asrotray.exe
C:\ktf\
C:\WINDOWS\system32\onpcs.dll
C:\WINDOWS\system32\apo.dll
C:\WINDOWS\asrotray.exe
C:\Program Files\MSN Messenger\Device Manager\Loc\3099\
C:\WINDOWS\system32\ccman.exe
C:\WINDOWS\system32\carion.exe
C:\WINDOWS\rundl64.exe
C:\WINDOWS\system32\mswasie.exe
C:\WINDOWS\system32\drivers\erelog.exe
C:\WINDOWS\nerochk.exe
and paste those into the box in SFP, then click "Continue".
It will create a file called RequestedFile[some numbers].cab on your desktop. Please go here to upload a suspicious file for analysis.
Enter your username from this forum
Copy and paste the link to this thread
Browse to your desktop for the filename: RequestedFile[some numbers].cab
In the comments, please mention that I asked you to upload this file
Click on Send File
THANK YOU!!

You need to print this out or save a copy to Notepad for reading because you can NOT have IE/FF or any browser open while doing the fix.

Open HijackThis and click on Do a system scan only (unless it's still open from previous step). Place a check mark next to the following:
O2 - BHO: linkprohelper - {11E78485-C932-4944-BDCD-3B57CD676E5C} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: NetCtrl Class - {68FACDB7-76C2-481F-BED0-5176BFC06F40} - C:\WINDOWS\system32\jng.dll (file missing)
O2 - BHO: chkprc Class - {7DA7BE7D-A382-4AA7-A125-CA55A2070125} - C:\WINDOWS\system32\onpcs.dll
O2 - BHO: ApoUp Class - {DA96C092-D3A6-4772-AB95-21523D152BEA} - C:\WINDOWS\system32\apo.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [asro] C:\WINDOWS\asrotray.exe
O4 - HKLM\..\Run: [MSNMessenger] "C:\Program Files\MSN Messenger\Device Manager\Loc\3099\msnmsgr.exe"
O4 - HKLM\..\Run: [Xweb] "C:\Program Files\SoftForum\XecureWeb\ActiveX\Xecureweb.exe"
O4 - HKLM\..\Run: [sdae] "C:\ktf\svchost.exe"
O4 - HKLM\..\Run: [ccman] C:\WINDOWS\system32\ccman.exe
O4 - HKLM\..\Run: [carion] C:\WINDOWS\system32\carion.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [rundl64] C:\WINDOWS\rundl64.exe
O4 - HKLM\..\Run: [exfine] C:\Program Files\Common Files\System\exfine.exe
O4 - HKCU\..\Run: [asro] C:\WINDOWS\asrotray.exe
O4 - HKCU\..\Run: [MSNMessenger] "C:\Program Files\MSN Messenger\Device Manager\Loc\3099\msnmsgr.exe"
O4 - HKCU\..\Run: [Xweb] "C:\Program Files\SoftForum\XecureWeb\ActiveX\Xecureweb.exe"
O4 - HKCU\..\Run: [mswasie.exe] C:\WINDOWS\system32\mswasie.exe
Close ALL other open windows and programs (even this one) and click Fix checked

Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt. Post this log in your next reply together with a new HijackThis log.

Whew!!!! Pretty good start.
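As an added example (not code from HijackThis, ComboFix, or the helper's post above), here is a small Python triage script that parses the O2/O4/O9/O23 entry formats seen in the logs in this thread and flags the cheap, mechanical signs a helper checks first: dead references, a system-binary name such as svchost.exe started from outside system32, autostarts in ad-hoc root folders, and services with an unknown owner. The rules and the embedded sample log are my own assumptions; the output is a shortlist for a human to review, not a verdict.

```python
"""First-pass triage of a HijackThis v1.99 log (added example for this
thread, not HijackThis code): flags the cheap, explainable items a helper
checks first. A shortlist for a human, not a verdict; rules are my own."""
import re
from typing import Iterable, List, Tuple

ENTRY_RE = re.compile(r"^(?P<kind>[ORFN]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\Run(?:Once)?: \[[^\]]*\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

DEAD_MARKERS = ("(no file)", "(file missing)")  # registry points at nothing
# Core Windows binary names; a copy outside the system directory is the
# classic masquerade (this thread's log has C:\ktf\svchost.exe).
SYSTEM_NAMES = {"svchost.exe", "rundll32.exe", "lsass.exe", "csrss.exe",
                "winlogon.exe", "services.exe", "smss.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# One-level folders under the drive root where autostarts normally live.
EXPECTED_ROOT_DIRS = {"program files", "documents and settings"}


def target_of(cmd: str) -> str:
    """Executable path from an O4 command line: a quoted command ends at
    the closing quote; an unquoted one runs up to the first token ending
    in .exe so that paths containing spaces survive."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1])
    return tokens[0] if tokens else ""


def split_path(path: str) -> Tuple[str, str]:
    """Lower-cased (folder, filename) of a Windows path."""
    folder, _, name = path.rpartition("\\")
    return folder.lower(), name.lower()


def unusual_folder(folder: str) -> bool:
    """Loose executable in the Windows root or in an ad-hoc one-level
    folder (e.g. the ktf folder above); deeper paths are left to a human."""
    parts = folder.split("\\")
    if len(parts) != 2 or not parts[0].endswith(":"):
        return False
    return parts[1] not in EXPECTED_ROOT_DIRS


def triage(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (reason, entry) pairs worth a second look."""
    findings: List[Tuple[str, str]] = []
    for raw in lines:
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list, blank lines
        kind, body, line = m.group("kind"), m.group("body"), m.group(0)
        if body.endswith(DEAD_MARKERS):
            findings.append(("dead reference", line))
        elif kind == "O4" and (m4 := O4_RE.match(body)):
            target = target_of(m4.group("cmd"))
            if "\\" not in target:
                continue  # bare name resolved via PATH (e.g. RUNDLL32.EXE)
            folder, name = split_path(target)
            if name in SYSTEM_NAMES and folder not in SYSTEM_DIRS:
                findings.append(("system binary name outside system32", line))
            elif unusual_folder(folder):
                findings.append(("autostart from unusual folder", line))
        elif kind == "O23":
            m23 = O23_RE.match(body)
            if m23 and m23.group("owner") == "Unknown owner":
                findings.append(("service with unknown owner", line))
    return findings


# Constructed sample: a handful of entries copied from the first log in
# this thread, enough to exercise every rule above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\ktf\svchost.exe
O2 - BHO: NetCtrl Class - {68FACDB7-76C2-481F-BED0-5176BFC06F40} - C:\WINDOWS\system32\jng.dll (file missing)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [asro] C:\WINDOWS\asrotray.exe
O4 - HKLM\..\Run: [sdae] "C:\ktf\svchost.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: PCI lagacy (PCIlagacy) - Unknown owner - C:\WINDOWS\nerochk.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG.splitlines()):
        print(f"[{reason}] {entry}")
```

Entries the rules do not cover (the ccman/carion binaries in system32, the Korean download sites in O16) still need the knowledge the helper applied by hand; the script only narrows the list.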
edmandoo Posted June 4, 2007

wow so pro.
So yea, if I do that will the errors or Korean trojans or whatever be deleted/fixed? Because you say this is a good start....? And after your message there is a line
------------
Then it says things like you need and things like you want... do I have to download that or do you just put that in every message you post?
Thanks!
I'm at a community college right now waiting for my sister to finish signing up for some summer college classes and I'm typing this message to you.
Thanks for helping again!
I'm going to go home and fix this right away!
jwbirdsong Posted June 4, 2007

The line and all below it are just my 'signature'. They are in every post I make.
I said a good start because there WILL be more to do. Although what I posted will go a long way to stopping a lot of your problems. You have SEVERAL, MAJOR infections.....we will NOT fix them all in one step, no matter how long and detailed it is.
edmandoo Posted June 4, 2007

well thank you song~
here is the combofix log file (weirdly it didn't ask me to reboot the computer)

Combofix log file
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"Uniblue RegistryBooster2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"SystemManager"=C:\WINDOWS\system32\a3p.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
Contents of the 'Scheduled Tasks' folder
2007-06-04 14:53:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-02 04:27:01 C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Edmundo Unit.job
**************************************************************************
catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-04 14:52:02
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-04 14:52:38
C:\ComboFix-quarantined-files.txt ... 2007-06-04 14:52
--- E O F ---

Here is my new hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 2:56:12 PM, on 6/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\nvdualhd.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NateOnMain] C:\Program Files\NATEON\Addin\B926D852-194B-4c62-9C73-3F0ECA8950EA\NateOnMain.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [NateOnMain] C:\Program Files\NATEON\Addin\B926D852-194B-4c62-9C73-3F0ECA8950EA\NateOnMain.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [iNTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {7606693A-C18D-4567-AF85-6194FF70761E} (GomWeb Control) - http://app.ipop.co.kr/gom/GomWeb.cab
O16 - DPF: {BCEF5CDE-BAD4-4532-A30B-9D16D502DE69} (BugsInstallEx Control) - http://install.bugs.co.kr/install/BugsInstallerEx.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Error Event Log (ereventlog) - Unknown owner - C:\WINDOWS\system32\drivers\erelog.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCI lagacy (PCIlagacy) - Unknown owner - C:\WINDOWS\nerochk.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

THANK YOU SO MUCH! PLEASE REPLY BACK WITH MORE DETAILS!
peace
p.s. combofix created a quarantine folder...what should I do with it?
jwbirdsong Posted June 5, 2007

That's only like 1/4 of what should be in the combofix log..will you try and run it again plz. Don't worry about the quarantine folder just yet..we'll deal with it in time.
If you still haven't rebooted since it ran..manually reboot and run it again plz.

Edited June 5, 2007 by jwbirdsong
edmandoo Posted June 5, 2007

yea sorry, I carelessly forgot to paste the rest of it in. stupid me.
Oh, and quick question before I post.
I remember I was in the regedit place...and I think I accidentally deleted one of my Realtek functions which automatically detects a headphone/microphone in the beginning. Because now I have to constantly go back to the Realtek folder in Program Files and run the audio wizard whenever I want to use my headset.
How can I make it so it functions again whenever I start the computer?
Oh, and the virus doesn't install anymore woot! but I know there's still more to do

"Edmundo Unit" - 2007-06-04 14:48:12 Service Pack 2 NTFS
ComboFix 07-06-3 - Running from: "C:\Documents and Settings\Edmundo Unit\Desktop\"

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Program Files\winupdate
C:\WINDOWS\system32\msmon.sys

((((((((((((((((((((((((( Files Created from 2007-05-04 to 2007-06-04 )))))))))))))))))))))))))))))))
2007-06-04 07:51 <DIR> d-------- C:\WINDOWS\1088
2007-06-03 20:52 <DIR> d-------- C:\Program Files\uhelp
2007-06-03 07:58 <DIR> d-------- C:\NVSTEREO.LOG
2007-06-03 07:33 53,248 --a------ C:\WINDOWS\system32\mswasie.exe
2007-06-03 07:33 221,184 --a------ C:\WINDOWS\system32\install.exe
2007-06-01 08:19 222,568 --a------ C:\WINDOWS\system32\carion.exe
2007-05-31 17:16 221,643 --a------ C:\WINDOWS\system32\ccman.exe
2007-05-31 16:34 421 --a------ C:\WINDOWS\system32\ccman.sys
2007-05-31 16:34 218,624 --a------ C:\WINDOWS\system32\ccmansetup.exe
2007-05-31 16:34 <DIR> d-------- C:\ktf
2007-05-31 00:48 69,632 --a------ C:\WINDOWS\rundl64.exe
2007-05-30 12:50 188,416 --a------ C:\WINDOWS\system32\apo.dll
2007-05-30 12:50 <DIR> d-------- C:\WINDOWS\1059
2007-05-30 12:50 <DIR> d-------- C:\WINDOWS\1057
2007-05-29 09:06 347 --a------ C:\WINDOWS\system32\takeup.sys
2007-05-29 09:06 226,304 --a------ C:\WINDOWS\system32\takeup.exe
2007-05-29 09:06 208,896 --a------ C:\WINDOWS\msconfig_uninstaller.exe
2007-05-29 09:06 <DIR> d-------- C:\WINDOWS\system32\nwproc
2007-05-29 09:06 <DIR> d-------- C:\WINDOWS\1045
2007-05-29 09:06 <DIR> d-------- C:\Program Files\nwproc
2007-05-28 15:36 <DIR> d-------- C:\DOCUME~1\Glara\APPLIC~1\Viewpoint
2007-05-28 08:25 <DIR> d-------- C:\WINDOWS\1051
2007-05-26 18:39 204,800 --a------ C:\WINDOWS\system32\urluninstaller.exe
2007-05-24 17:21 1,718 --a------ C:\WINDOWS\system32\exchange.sys
2007-05-22 19:45 458,752 --a------ C:\WINDOWS\LinkProSetupAx_8.exe
2007-05-22 19:45 15,872 --a------ C:\WINDOWS\system32\linkpro.exe
2007-05-20 17:37 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-05-19 21:29 <DIR> d-------- C:\DOCUME~1\EDMUND~1\APPLIC~1\dvdcss
2007-05-18 22:54 <DIR> d--h----- C:\WINDOWS\HUL
2007-05-15 15:26 <DIR> d-------- C:\WINDOWS\1365
2007-05-14 01:35 246,784 --a------ C:\WINDOWS\dlwl.exe
2007-05-11 16:53 57,344 --a------ C:\WINDOWS\melonsrv.dll
2007-05-11 16:53 40,960 --a------ C:\WINDOWS\nerochk.exe
2007-05-11 16:53 35,840 --a------ C:\WINDOWS\nvdualhd.exe
2007-05-10 21:48 1,543 --a------ C:\WINDOWS\system32\fine.sys
2007-05-10 21:48 1,486 --a------ C:\WINDOWS\uninstall_all.sys
2007-05-10 21:47 <DIR> d-------- C:\WINDOWS\1369
2007-05-10 16:51 <DIR> d-------- C:\WINDOWS\1358
2007-05-08 21:17 345,600 --a------ C:\WINDOWS\system32\super.exe
2007-05-08 21:02 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-03 15:12:13 -------- d-----w C:\DOCUME~1\EDMUND~1\APPLIC~1\Uniblue
2007-06-03 15:05:16 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-03 15:05:15 -------- d-----w C:\Program Files\Netmarble
2007-06-03 03:01:18 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-06-02 00:12:06 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-05-30 19:52:31 -------- d-----w C:\DOCUME~1\EDMUND~1\APPLIC~1\Lavasoft
2007-05-29 20:38:15 -------- d-----w C:\Program Files\Steam
2007-05-26 04:51:56 -------- d-----w C:\DOCUME~1\EDMUND~1\APPLIC~1\Azureus
2007-05-01 23:49:17 94,208 ----a-w C:\WINDOWS\system32\~res0003.exe
2007-04-29 15:31:55 204,800 ----a-w C:\WINDOWS\system32viuninstaller.exe
2007-04-29 15:31:32 53,248 ----a-w C:\WINDOWS\system32\spintmp.exe
2007-04-26 01:58:32 200,704 ----a-w C:\WINDOWS\system32\pcsafe_uninstaller.exe
2007-04-25 22:58:38 242,688 ----a-w C:\WINDOWS\system32\uninst_vcpr.exe
2007-04-22 00:41:02 204,800 ----a-w C:\WINDOWS\system32\rsq.exe
2007-04-19 03:29:57 -------- d-----w C:\Program Files\Winamp
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-15 16:45:35 -------- d-----w C:\Program Files\Norton AntiVirus
2007-04-15 16:42:30 -------- d-----w C:\Program Files\Symantec
2007-04-15 16:42:28 48,776 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-04-15 16:42:28 115,000 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-04-14 04:40:48 204,800 ----a-w C:\WINDOWS\system32\viuninstaller.exe
2007-04-14 04:34:02 242,176 ----a-w C:\WINDOWS\system32\uninst_zerov.exe
2007-04-11 22:49:17 94,309 ----a-w C:\WINDOWS\Nate_Setup19.exe
2007-04-10 01:59:44 200,704 ----a-w C:\WINDOWS\system32\vacprouninstaller.exe
2007-04-08 03:56:02 -------- d-----w C:\Program Files\iTunes
2007-04-08 03:55:53 -------- d-----w C:\Program Files\iPod
2007-04-08 03:55:26 -------- d-----w C:\Program Files\QuickTime
2007-04-08 03:53:15 -------- d-----w C:\Program Files\Apple Software Update
2007-03-29 20:51:46 300,784 ----a-w C:\WINDOWS\system32\Bugsctrl.dll
2007-03-29 01:51:54 538,256 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-03-29 01:51:52 161,424 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-08 03:02:36 6,420,160 ----a-w C:\WINDOWS\system32\FoxSetup_Monkey3.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 02:56]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-04-17 13:32]
{A8F38D8D-E480-4D52-B7A2-731BB6995FDD}=C:\Program Files\Norton AntiVirus\NavShExt.dll [2007-04-02 19:19]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"NateOnMain"="C:\Program Files\NATEON\Addin\B926D852-194B-4c62-9C73-3F0ECA8950EA\NateOnMain.exe" []
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 23:19]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-03 17:33]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NateOnMain"="C:\Program Files\NATEON\Addin\B926D852-194B-4c62-9C73-3F0ECA8950EA\NateOnMain.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"Uniblue RegistryBooster2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"SystemManager"=C:\WINDOWS\system32\a3p.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

Contents of the 'Scheduled Tasks' folder
2007-06-04 14:53:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-02 04:27:01 C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Edmundo Unit.job

**************************************************************************
catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-04 14:52:02
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-04 14:52:38
C:\ComboFix-quarantined-files.txt ... 2007-06-04 14:52
--- E O F ---
jwbirdsong Posted June 6, 2007 (edited)

Please download OTMoveIt by OldTimer:
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose "Copy"):

C:\WINDOWS\asrotray.exe
C:\ktf\
C:\WINDOWS\system32\onpcs.dll
C:\WINDOWS\system32\apo.dll
C:\WINDOWS\system32\a3p.exe
C:\WINDOWS\asrotray.exe
C:\WINDOWS\system32\ccman.exe
C:\WINDOWS\system32\carion.exe
C:\WINDOWS\rundl64.exe
C:\WINDOWS\system32\mswasie.exe
C:\WINDOWS\system32\drivers\erelog.exe
C:\WINDOWS\nerochk.exe

Return to OTMoveIt, right-click on the "Paste List of Files/Folders to be Moved" window and choose "Paste".
Click the red "MoveIt!" button.
Close OTMoveIt.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose "Yes".

Copy the following RED lines to Notepad and save it on your desktop as "fix.reg". When you are naming the file to save on the desktop, make sure you use the quotes just like I did, else the file won't run right.

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"SystemManager"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=-

If you saved it right it will have an icon like the one shown. Right-click on the fix.reg file and choose Merge. Answer YES when asked if you are sure you want to merge. Close the window.

Clean your Cache and Cookies in IE:
Go to Control Panel > Internet Options > General tab.
Click the "Delete Cookies" button and then the "Delete Files" button next to it.
When prompted, place a check in: "Delete all offline content". (You will have to re-enter passwords at websites that require them.)
Click OK.

Clean other Temporary files + Recycle bin:
Go to Start > Run and type: cleanmgr and click OK.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

Please go HERE to run Panda's ActiveScan.
Once you are on the Panda site, click the Scan your PC button.
A new window will open... click the Check Now button.
Enter your Country.
Enter your State/Province.
Enter your e-mail address and click Send.
Select either Home User or Company.
Click the big Scan Now button.
If it wants to install an ActiveX component, allow it.
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes).
When download is complete, click on My Computer to start the scan.
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the ActiveScan report.
Please post the log from OTMoveIt, located here: C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
And a fresh HijackThis log and a new HijackThis log.

Edited June 6, 2007 by jwbirdsong
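The post above does the cleanup in two halves: OTMoveIt relocates the dropped files, and a REGEDIT4 file removes the autostart values that would otherwise keep pointing at them (the `"name"=-` syntax deletes a single value). The script below is an added example, not part of this thread and not OldTimer's or HijackThis's own code. It reads HijackThis `O2`/`O4` lines (the sample is copied from the logs posted here), flags the kinds of entries a helper would normally remove, and writes the matching REGEDIT4 fix. The heuristics and the `KNOWN_WINDIR_AUTOSTARTS` allowlist are my assumptions for this machine, not a general rule, so every flagged entry still needs a human look before the file is merged.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: entries copied from the HijackThis 1.99.1 logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: NetCtrl Class - {68FACDB7-76C2-481F-BED0-5176BFC06F40} - C:\WINDOWS\system32\jng.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [asro] C:\WINDOWS\asrotray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_BASE = r"Software\Microsoft\Windows\CurrentVersion"
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
# Assumed allowlist: the only autostarts on this box that legitimately live under %WINDIR%.
KNOWN_WINDIR_AUTOSTARTS = {"ctfmon.exe", "msmsgs.exe"}


@dataclass
class Finding:
    kind: str                 # "O2" (BHO) or "O4" (Run key value)
    name: str
    target: str               # DLL or EXE the entry points at
    reason: str
    reg_key: str
    reg_value: Optional[str]  # None: delete the whole key (a BHO CLSID subkey)


def first_path(cmd: str) -> str:
    """Return the executable from an O4 command line; HJT quotes paths with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(log: str) -> List[Finding]:
    """Flag BHOs whose DLL is gone and Run entries that launch an executable
    dropped straight into %WINDIR% (where the malware in this thread lived)."""
    findings: List[Finding] = []
    for line in log.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            path = m["path"]
            if path == "(no file)" or path.endswith("(file missing)"):
                findings.append(Finding("O2", m["name"], path,
                                        "BHO registered but its DLL is absent (orphaned or hidden)",
                                        BHO_KEY + "\\" + m["clsid"], None))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        exe = first_path(m["cmd"])
        base = exe.lower().rsplit("\\", 1)[-1]
        if exe.lower().startswith("c:\\windows\\") and base not in KNOWN_WINDIR_AUTOSTARTS:
            findings.append(Finding("O4", m["name"], exe,
                                    "autostart executable dropped under %WINDIR% instead of Program Files",
                                    HIVES[m["hive"]] + "\\" + RUN_BASE + "\\" + m["key"],
                                    m["name"]))
    return findings


def reg_delete_script(findings: List[Finding]) -> str:
    """Build a REGEDIT4 file in the same form as the fix.reg in the post above:
    "name"=- deletes one value, [-KEY] deletes a whole key."""
    out = ["REGEDIT4", ""]
    for f in findings:
        if f.reg_value is None:
            out.append(f"[-{f.reg_key}]")
        else:
            out.append(f"[{f.reg_key}]")
            out.append(f'"{f.reg_value}"=-')
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"{h.kind} [{h.name}] {h.target}: {h.reason}")
    print(reg_delete_script(hits))
```

When the output is saved for regedit it must use CRLF line endings and, for the REGEDIT4 header, an ANSI (not UTF-8/UTF-16) file. Deleting the CLSID subkey under Browser Helper Objects only stops Internet Explorer from loading the BHO; the CLSID registration itself stays under HKCR\CLSID and the DLL, if it is merely hidden rather than missing, still has to be found and moved separately.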
edmandoo Posted June 6, 2007 (Author)

Before I post, I think I need to tell you why Panda detected so much spyware. My sister and my dad have accounts on this computer also, and I don't think they deleted the temporary internet files, WHICH I WILL DO and WHICH I APOLOGIZE FOR NOT TELLING BEFOREHAND (if there are any mistakes I have made -__-).

So yeah, and the weird thing is, when Panda was scanning, AVG detected (maybe it is just infected) a backup file in the HijackThis backups folder, stated as a threat because the description stated some trojan horse generic4.SQG and the dll name was backup-20070604-144722-876.dll. It indeed was a backup copy and infected (I double checked). I'm just going to leave it in the virus vault for now. So yeah, tomorrow I'll delete every temporary internet file from my sister's and dad's accounts.

Here is the OTMoveIt log:

C:\WINDOWS\asrotray.exe moved successfully.
Folder C:\ktf\ not found.
File/Folder C:\WINDOWS\system32\onpcs.dll not found.
File/Folder C:\WINDOWS\system32\apo.dll not found.
C:\WINDOWS\system32\a3p.exe moved successfully.
File/Folder C:\WINDOWS\asrotray.exe not found.
C:\WINDOWS\system32\ccman.exe moved successfully.
C:\WINDOWS\system32\carion.exe moved successfully.
C:\WINDOWS\rundl64.exe moved successfully.
C:\WINDOWS\system32\mswasie.exe moved successfully.
C:\WINDOWS\system32\drivers\erelog.exe moved successfully.
C:\WINDOWS\nerochk.exe moved successfully.

Created on 06/05/2007 21:52:35

Here is the Panda scan log (wow, a lot of spyware, probably because of the other accounts mentioned above):

Incident Status Location
Virus:Trj/Agent.FHL Disinfected Operating system
Virus:Trj/Agent.FHL Disinfected Operating system
Adware:adware/statblaster Not disinfected Windows Registry
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.revenue.net/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.com.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.atwola.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Edmundo Unit\Application Data\Mozilla\Firefox\Profiles\gtjsf4vz.default\cookies.txt[.2o7.net/]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Edmundo Unit\Desktop\ComboFix.exe[ComboFixT\nircmd.exe]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[server.iad.liveperson.net/hc/LPpacificsunwear]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[server.iad.liveperson.net/hc/LPpacificsunwear]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.overture.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.zedo.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[counter.hitslink.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.ehg-dig.hitbox.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[statse.webtrendslive.com/S148222]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[statse.webtrendslive.com/S148222]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Glara\Application Data\Mozilla\Firefox\Profilesynrkohc.default\cookies.txt[.entrepreneur.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Glara\Cookies\glara@247realmedia[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Glara\Cookies\glara@2o7[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Glara\Cookies\glara@adrevolver[1].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][2].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Glara\Cookies\glara@advertising[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Glara\Cookies\glara@apmebf[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Glara\Cookies\glara@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Glara\Cookies\glara@atwola[2].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Glara\Cookies\glara@banner[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Glara\Cookies\glara@belnk[1].txt
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Glara\Cookies\glara@bfast[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Glara\Cookies\glara@bluestreak[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Glara\Cookies\glara@burstnet[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Glara\Cookies\glara@casalemedia[1].txt
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Glara\Cookies\glara@com[1].txt
Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Glara\Cookies\glara@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Glara\Cookies\glara@fastclick[1].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Glara\Cookies\glara@gostats[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Glara\Cookies\glara@hitbox[2].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Glara\Cookies\glara@maxserving[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][3].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Glara\Cookies\glara@mediaplex[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Glara\Cookies\glara@overture[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Glara\Cookies\glara@qksrv[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Glara\Cookies\glara@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Glara\Cookies\glara@realmedia[2].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Glara\Cookies\glara@revenue[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][5].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Glara\Cookies\glara@serving-sys[1].txt
Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\Glara\Cookies\glara@spylog[1].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Glara\Cookies\glara@statcounter[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][2].txt
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\Glara\Cookies\glara@targetnet[1].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Glara\Cookies\glara@target[1].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Glara\Cookies\glara@tradedoubler[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Glara\Cookies\glara@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Glara\Cookies\glara@tribalfusion[2].txt
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\Glara\Cookies\glara@valueclick[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Glara\Cookies\glara@xiti[1].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Glara\Cookies\[email protected][1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Glara\Cookies\glara@zedo[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Glara\Local Settings\Temp\Cookies\[email protected][1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Glara\Local Settings\Temp\Cookies\glara@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Glara\Local Settings\Temp\Cookies\glara@atdmt[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Glara\Local Settings\Temp\Cookies\glara@casalemedia[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Glara\Local Settings\Temp\Cookies\glara@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Glara\Local Settings\Temp\Cookies\glara@fastclick[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Glara\Local Settings\Temp\Cookies\glara@mediaplex[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Glara\Local Settings\Temp\Cookies\glara@realmedia[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Glara\Local Settings\Temp\Cookies\glara@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Glara\Local Settings\Temp\Cookies\glara@tribalfusion[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rjjdmvmu.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rjjdmvmu.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rjjdmvmu.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rjjdmvmu.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rjjdmvmu.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rjjdmvmu.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rjjdmvmu.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rjjdmvmu.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rjjdmvmu.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rjjdmvmu.default\cookies.txt[.ad.yieldmanager.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rjjdmvmu.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rjjdmvmu.default\cookies.txt[.ad.yieldmanager.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rjjdmvmu.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rjjdmvmu.default\cookies.txt[.microsofteup.112.2o7.net/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rjjdmvmu.default\cookies.txt[.go.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rjjdmvmu.default\cookies.txt[.statse.webtrendslive.com/S134168]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rjjdmvmu.default\cookies.txt[.statse.webtrendslive.com/S0014-01-3-13-180631-60051]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@247realmedia[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@2o7[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Owner\Cookies\owner@adrevolver[1].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\owner@belnk[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Owner\Cookies\owner@bluestreak[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Owner\Cookies\owner@burstnet[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@casalemedia[2].txt
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Owner\Cookies\owner@did-it[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Owner\Cookies\owner@fastclick[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Owner\Cookies\owner@go[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Owner\Cookies\owner@hitbox[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Owner\Cookies\owner@mediaplex[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Owner\Cookies\owner@overture[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Owner\Cookies\owner@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@realmedia[2].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Owner\Cookies\owner@revenue[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Owner\Cookies\owner@serving-sys[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Owner\Cookies\owner@statcounter[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][3].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Owner\Cookies\owner@target[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Owner\Cookies\owner@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Owner\Cookies\owner@xiti[1].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Owner\Cookies\owner@zedo[1].txt
Virus:Bck/Agent.FKJ Disinfected C:\WINDOWS\1045\JJG_setup.exe
Virus:Trj/Agent.FHL Disinfected C:\WINDOWS\melonsrv.dll
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
Virus:Trj/Agent.FHL Disinfected C:\WINDOWS\system32\~res0003.exe
Virus:Trj/Agent.FHL Disinfected C:\_OTMoveIt\MovedFiles\WINDOWS\nerochk.exe
Virus:Trj/Agent.FHL Disinfected C:\_OTMoveIt\MovedFiles\WINDOWS\system32\drivers\erelog.exe

THIS IS THE FRESH (after scanning with Panda and "moving it") HIJACKTHIS log:

Logfile of HijackThis v1.99.1
Scan saved at 11:17:55 PM, on 6/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NateOnMain] C:\Program Files\NATEON\Addin\B926D852-194B-4c62-9C73-3F0ECA8950EA\NateOnMain.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSNMessenger] "C:\Program Files\MSN Messenger\Device Manager\Loc\3099\msnmsgr.exe"
O4 - HKLM\..\Run: [asro] C:\WINDOWS\asrotray.exe
O4 - HKCU\..\Run: [NateOnMain] C:\Program Files\NATEON\Addin\B926D852-194B-4c62-9C73-3F0ECA8950EA\NateOnMain.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item:
E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLLO9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exeO9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO11 - Options group: [iNTERNATIONAL] International*O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.comO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CABO16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cabO16 - DPF: {7606693A-C18D-4567-AF85-6194FF70761E} (GomWeb Control) - http://app.ipop.co.kr/gom/GomWeb.cabO16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cabO16 - DPF: {BCEF5CDE-BAD4-4532-A30B-9D16D502DE69} (BugsInstallEx Control) - 
http://install.bugs.co.kr/install/BugsInstallerEx.cabO16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cabO18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLLO18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLLO20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dllO20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dllO20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dllO21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dllO23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeO23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exeO23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exeO23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeO23 - Service: Error Event Log (ereventlog) - Unknown owner - C:\WINDOWS\system32\drivers\erelog.exe (file missing)O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. 
- C:\WINDOWS\system32\LEXBCES.EXEO23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXEO23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exeO23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exeO23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXEO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: PCI lagacy (PCIlagacy) - Unknown owner - C:\WINDOWS\nerochk.exe (file missing)O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exeO23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeO23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exeO23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeO23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exeP.S. thank you for helping me so much. I have never felt luckier.THANK YOU SERIOUSLY! Quote Link to post Share on other sites
jwbirdsong Posted June 6, 2007

Open HijackThis and check the following:

O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O4 - HKLM\..\Run: [asro] C:\WINDOWS\asrotray.exe

Close ALL other windows and programs (even this one) and click Fix checked.

Yeah, just do the clear cache and cookies that I posted for EVERY profile the computer has.

How is everything running now??

PS AVG popped up like that because an infected file was being "read or written to", i.e. read by Panda... It's normal.
edmandoo Posted June 6, 2007

Everything worked fine after the first post you made (and you're a mother freakin genius). Thank you for everything. And yea, I removed the last two.
Thanks for being there for me so quick.
Matt told me that you techies had like finals and stuff to study for (our high school, being charter, got out a month earlier than all of you guys, yet we start a month earlier T_T).
So yea, and are you Korean? Because your name is birdsong and I have a friend named Daniel Song and I call him songbird. lol that was random, but yea, everything works fine. THANKS MAN!
Hope to encounter you again haha
edmandoo Posted June 7, 2007

NOT ONLY THAT, but what should I do with the quarantined files in the OTMoveIt folder and the Qoobox folder? Shouldn't I delete those files?
Not only that, but what should I do with the "fix.reg" file? Just leave it on my desktop?
And that dll that was infected... what should I do with that (the one AVG detected as infected)? Should I just leave it as is or delete it?
thanks
jwbirdsong Posted June 7, 2007

Well, it's true what Matt said about finals etc., but I've been out of college for 35 years or so, so it didn't really pertain to me.. lol
No, I live in the US.
Post me one final(?) HijackThis log please.
edmandoo Posted June 10, 2007

Hey, you still didn't tell me what to do with the moved files. Should I delete them?
Not only that.. but today I turned on my computer... and this bmpatch.exe installed itself on my computer. What is that? I searched it on Google and it showed up on like Chinese sites..? Should I delete it or what?
Oh btw, here's a new HijackThis log.
Please tell me what to do with the quarantined and moved files...
And why did this bmpatch.exe install itself onto my computer? Is it a program extension? It's in my C drive in Program Files in a folder called "pcmedic", and the files inside include bmpatch.exe, pcmedic.dll2, and pcmedic.exe2.
PLEASE HELP!

This is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:02:18 PM, on 6/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\Device Manager\Loc\3099\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\pcmedic\bmpatch.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Norton AntiVirus\NAVW32.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NateOnMain] C:\Program Files\NATEON\Addin\B926D852-194B-4c62-9C73-3F0ECA8950EA\NateOnMain.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSNMessenger] "C:\Program Files\MSN Messenger\Device Manager\Loc\3099\msnmsgr.exe"
O4 - HKLM\..\Run: [pcmedic] C:\Program Files\pcmedic\pcmedic.exe Icon <---- what is that?
O4 - HKCU\..\Run: [NateOnMain] C:\Program Files\NATEON\Addin\B926D852-194B-4c62-9C73-3F0ECA8950EA\NateOnMain.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [MSNMessenger] "C:\Program Files\MSN Messenger\Device Manager\Loc\3099\msnmsgr.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [iNTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {7606693A-C18D-4567-AF85-6194FF70761E} (GomWeb Control) - http://app.ipop.co.kr/gom/GomWeb.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCEF5CDE-BAD4-4532-A30B-9D16D502DE69} (BugsInstallEx Control) - http://install.bugs.co.kr/install/BugsInstallerEx.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Error Event Log (ereventlog) - Unknown owner - C:\WINDOWS\system32\drivers\erelog.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCI lagacy (PCIlagacy) - Unknown owner - C:\WINDOWS\nerochk.exe (file missing)
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
edmandoo Posted June 10, 2007

Yea, it was another Korean virus scanner thing.... I'm getting scared now.
edmandoo Posted June 10, 2007

The ones in the moved-it files. I deleted them... because everything I searched on Google dealt with Korean sites and viruses etc. So please help!
Should I delete the msmon.sys.vir file also? It's in the Qoobox folder, from ComboFix I believe.
jwbirdsong Posted June 12, 2007 (edited)

As far as deleting the 'moved' files.. we'll remove them once you are ALL clean; there is not much sense in deleting a folder if we may just recreate it later... the files that are in those folders are safe for now...

Go to Start > Run > type in cmd, hit Enter. Enter the following lines, one at a time, with Enter after each one:

sc stop ereventlog
sc delete ereventlog

Close the command window now.

Open HijackThis and put a check next to:

O4 - HKLM\..\Run: [pcmedic] C:\Program Files\pcmedic\pcmedic.exe Icon

Close ALL windows and click Fix checked.

Now DELETE the ComboFix you have on your Desktop. Download the version from HERE and run it. NOTE: it is VERY important NOT to click or do anything else while ComboFix is running.... it may seem like it has stalled out at times, so just be patient.

Post the latest ComboFix log.

Edited June 12, 2007 by jwbirdsong
edmandoo Posted June 13, 2007

ComboFix 07-06-13.3 - C:\Documents and Settings\Edmundo Unit\Desktop\ComboFix.exe
"Edmundo Unit" - 2007-06-12 21:23:58 - Service Pack 2 NTFS

((((((((((((((((((((((((( Files Created from 2007-05-13 to 2007-06-13 )))))))))))))))))))))))))))))))

2007-06-12 21:18 337,920 --a------ C:\WINDOWS\system32\bmdelete.exe
2007-06-05 22:02 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-04 14:52 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-04 07:51 <DIR> d-------- C:\WINDOWS\1088
2007-06-03 07:58 <DIR> d-------- C:\NVSTEREO.LOG
2007-06-03 07:33 221,184 --a------ C:\WINDOWS\system32\install.exe
2007-05-31 16:34 421 --a------ C:\WINDOWS\system32\ccman.sys
2007-05-31 16:34 218,624 --a------ C:\WINDOWS\system32\ccmansetup.exe
2007-05-30 12:50 <DIR> d-------- C:\WINDOWS\1059
2007-05-30 12:50 <DIR> d-------- C:\WINDOWS\1057
2007-05-29 09:06 347 --a------ C:\WINDOWS\system32\takeup.sys
2007-05-29 09:06 226,304 --a------ C:\WINDOWS\system32\takeup.exe
2007-05-29 09:06 208,896 --a------ C:\WINDOWS\msconfig_uninstaller.exe
2007-05-29 09:06 <DIR> d-------- C:\WINDOWS\system32\nwproc
2007-05-29 09:06 <DIR> d-------- C:\WINDOWS\1045
2007-05-29 09:06 <DIR> d-------- C:\Program Files\nwproc
2007-05-28 15:36 <DIR> d-------- C:\DOCUME~1\Glara\APPLIC~1\Viewpoint
2007-05-28 08:25 <DIR> d-------- C:\WINDOWS\1051
2007-05-26 18:39 204,800 --a------ C:\WINDOWS\system32\urluninstaller.exe
2007-05-24 17:21 1,718 --a------ C:\WINDOWS\system32\exchange.sys
2007-05-22 19:45 458,752 --a------ C:\WINDOWS\LinkProSetupAx_8.exe
2007-05-22 19:45 15,872 --a------ C:\WINDOWS\system32\linkpro.exe
2007-05-20 17:37 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-05-19 21:29 <DIR> d-------- C:\DOCUME~1\EDMUND~1\APPLIC~1\dvdcss
2007-05-18 22:54 <DIR> d--h----- C:\WINDOWS\HUL
2007-05-15 15:26 <DIR> d-------- C:\WINDOWS\1365
2007-05-14 01:35 246,784 --a------ C:\WINDOWS\dlwl.exe

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-08 03:09:09 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-06 05:54:29 -------- d-----w C:\Program Files\Symantec
2007-06-06 05:45:57 -------- d-----w C:\Program Files\Messenger
2007-06-06 05:40:04 -------- d-----w C:\Program Files\Easy CD-DA Extractor 10
2007-06-06 05:34:48 -------- d-----w C:\Program Files\AlienGUIse
2007-06-06 05:14:28 -------- d-----w C:\DOCUME~1\EDMUND~1\APPLIC~1\Symantec
2007-06-03 15:12:13 -------- d-----w C:\DOCUME~1\EDMUND~1\APPLIC~1\Uniblue
2007-06-03 15:05:16 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-03 15:05:15 -------- d-----w C:\Program Files\Netmarble
2007-06-03 03:01:18 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-05-31 23:34:24 1,486 ----a-w C:\WINDOWS\uninstall_all.sys
2007-05-30 19:52:31 -------- d-----w C:\DOCUME~1\EDMUND~1\APPLIC~1\Lavasoft
2007-05-29 20:38:15 -------- d-----w C:\Program Files\Steam
2007-05-26 04:51:56 -------- d-----w C:\DOCUME~1\EDMUND~1\APPLIC~1\Azureus
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-11 04:48:13 1,543 ----a-w C:\WINDOWS\system32\fine.sys
2007-05-09 04:17:51 345,600 ----a-w C:\WINDOWS\system32\super.exe
2007-05-09 04:02:15 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-04-29 15:31:55 204,800 ----a-w C:\WINDOWS\system32viuninstaller.exe
2007-04-29 15:31:32 53,248 ----a-w C:\WINDOWS\system32\spintmp.exe
2007-04-26 01:58:32 200,704 ----a-w C:\WINDOWS\system32\pcsafe_uninstaller.exe
2007-04-25 22:58:38 242,688 ----a-w C:\WINDOWS\system32\uninst_vcpr.exe
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-22 00:41:02 204,800 ----a-w C:\WINDOWS\system32\rsq.exe
2007-04-19 03:29:57 -------- d-----w C:\Program Files\Winamp
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 05:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-17 05:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-15 16:45:35 -------- d-----w C:\Program Files\Norton AntiVirus
2007-04-15 16:42:28 48,776 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-04-15 16:42:28 115,000 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-04-14 04:40:48 204,800 ----a-w C:\WINDOWS\system32\viuninstaller.exe
2007-04-14 04:34:02 242,176 ----a-w C:\WINDOWS\system32\uninst_zerov.exe
2007-04-11 22:49:17 94,309 ----a-w C:\WINDOWS\Nate_Setup19.exe
2007-04-10 01:59:44 200,704 ----a-w C:\WINDOWS\system32\vacprouninstaller.exe
2007-03-29 20:51:46 300,784 ----a-w C:\WINDOWS\system32\Bugsctrl.dll
2007-03-29 01:51:54 538,256 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-03-29 01:51:52 161,424 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 02:56]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-04-17 13:32]
{A8F38D8D-E480-4D52-B7A2-731BB6995FDD}=C:\Program Files\Norton AntiVirus\NavShExt.dll [2007-04-02 19:19]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 23:19]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-03 17:33]
"nwiz"="nwiz.exe" [2006-03-09 15:29 C:\WINDOWS\system32\nwiz.exe]
"MSNMessenger"="C:\Program Files\MSN Messenger\Device Manager\Loc\3099\msnmsgr.exe" [2007-04-07 11:29]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"Uniblue RegistryBooster2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
"MSNMessenger"="C:\Program Files\MSN Messenger\Device Manager\Loc\3099\msnmsgr.exe" [2007-04-07 11:29]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"SystemManager"=C:\WINDOWS\system32\a3p.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc

Contents of the 'Scheduled Tasks' folder
2007-06-04 14:53:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-09 03:00:16 C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Edmundo Unit.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-12 21:27:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-12 21:27:52
C:\ComboFix-quarantined-files.txt ... 2007-06-12 21:27
C:\ComboFix2.txt ... 2007-06-04 14:52
--- E O F ---
edmandoo Posted June 23, 2007

Yea, even if I do ComboFix.exe and HijackThis scans, I believe I'm still getting signs of this Korean stuff.
Not only that, but I think now it's weekly... instead of daily that these things show up.
I scanned with HijackThis today and it scanned 3 ctfmon.exe, usually only scanning one. And I found out that two of them were in the WINDOWS folder, so I checked what it was. And it was in Korean again, and definitely not related to Microsoft Office.
PLEASE HELP!