fang56 (posted December 21, 2007)

Hi guys, I am currently connected to the internet via the college network, and for the past few days the network keeps suspending my internet access, citing that I have a worm/trojan virus as indicated by my network activity. I have done a full system scan with Symantec antivirus (up-to-date) and Spybot S&D (up-to-date) but couldn't find the EVIL virus. Thanks a TON in advance for your help!!!

Here's the result of my HijackThis.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:08:17 AM, on 12/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Documents and Settings\David Chang\Desktop\HiJackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [iMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [EfreeSoft Boss Key] C:\Program Files\Mgboss\mgboss.exe -min
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKCU\..\Run: [uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [soft191 Panic Station - Auto start] C:\Program Files\Soft191\Soft191 Panic Station\PS.EXE
O4 - HKCU\..\Run: [ResChanger 2005] C:\Program Files\ResChanger 2005\ResChanger2005.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [jviewer] c:\program files\jviewer\jviewer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.kdb.co.kr
O15 - Trusted Zone: *.nprotect.co.kr
O15 - Trusted Zone: *.nprotect.com
O15 - Trusted Zone: *.nprotect.net
O15 - Trusted Zone: http://*.wedisk.co.kr
O15 - Trusted Zone: http://*.wedisk.net
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/games/hamsterball/...tgameloader.cab
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg8.cyworld.com/ImageUpload/CyIm...pload_10217.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {32E08E96-5B55-47AE-87EC-DE8FDF9266E3} (Jviewer Control) - http://208.70.74.58/Jviewer.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games ?Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {474AD63A-9B7E-40FE-8E4E-7067CC0F8D3D} (IB_OnAir.IBOnAir) - http://ionair.sbs.co.kr/onair/IB_OnAir.CAB
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5C899971-E9D6-4496-8077-98378408E340} (MPControl Control) - http://mplay.sbs.co.kr/players/SBSiMPControl.cab
O16 - DPF: {6368221B-31D9-4BE6-8937-B4F37B3930B8} (NpZoneMgr Control) - http://update.nprotect.net/npzone/kdb_vista/npZoneMgr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1150346317937
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1164140577078
O16 - DPF: {7513B187-5954-4C64-ABF4-E652FE899F24} (Wedisk Control) - http://www.wedisk.co.kr/app/WeDisk.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {8FA141C5-29D7-4408-A57B-619C463ED7BB} (Cychannel_Club1_10.UserControl1) - http://club.cyworld.com/cychannel_club/Cyc...lubmain1_11.CAB
O16 - DPF: {93F79C47-F414-4EEE-95C5-A0F0ACE59A0E} (ALDx Class) - http://www.altools.co.kr/ALDX.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games ?Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {A1832535-5218-42F9-8959-19E2BCABFABF} (INIwallet50 Control) - http://plugin.inicis.com/wallet50/INIwallet50.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworld.nate.com/cymusic/package/skcbgmset.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BCEF5CDE-BAD4-4532-A30B-9D16D502DE69} (BugsInstallEx Control) - http://install.bugs.co.kr/install/BugsInstallerEx.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1010 Class) - http://www.hangame.com/common/HanSetup1010.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://www.cramster.com/DRM/Client/FileOpen.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://update.nprotect.net/nprotect/kdb/npkcx.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://www.shockwave.com/content/cinematyc...inematycoon.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games ?Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DA54C9C1-8109-43C9-9C80-E4210CEDF147} (EzwonSession Control) - http://www.wedisk.co.kr/app/EzwonSessionCtl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled...ploader_v10.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: spxcoins32 - C:\WINDOWS\SYSTEM32\spxcoins32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 13243 bytes
rmurphy (posted December 21, 2007)

Hi fang56, and welcome to BestTechie! I'm Ryan, and I'll be helping you clean your computer.

I would like to see a few more things before we start to do some clean-up.

Open HijackThis, click Config, click Misc Tools.
Click "Open Uninstall Manager".
Click "Save List" (generates uninstall_list.txt).

== Clear Temporary Files ==

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Close all Internet Explorer, Firefox, and Opera windows before continuing.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

== Kaspersky Web Scanner ==

Please do an online scan with Kaspersky WebScanner. You will need to use Internet Explorer to do this.
Click on Kaspersky Online Scanner.
You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then begin downloading the latest definition files.
Once the files have been downloaded, click on NEXT.
Now click on Scan Settings.
In the scan settings make sure that the following are selected:
  Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
  Scan Options: Scan Archives, Scan Mail Bases
Click OK.
Now under "Select a target to scan", select My Computer.
The program will start and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete it will display whether your system has been infected.
Now click on the Save as Text button.
Save the file to your desktop.

== Request Logs ==

Please post the log from the Kaspersky scan and the uninstall list.

-Ryan
fang56 (posted December 21, 2007)

Ryan! Thanks so much for your help! Here are the files requested!

Uninstall List

AC3Filter (remove only)
Adobe Reader 7.0.8
Adobe Shockwave Player
AGEIA PhysX v7.03.21
AIM 6
ALZip
Apple Software Update
BitTorrent 5.0.9
CA eTrust PestPatrol
Creative EAX Console
Creative MediaSource
Creative Speaker Settings
DC++ 0.699
Device Control
eMule
FileOpen Plug-in for Adobe Acrobat® and Adobe Reader®
GOM Player
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB928388)
Hotfix for Windows XP (KB929120)
iTunes
Java 2 Runtime Environment, SE v1.4.2_14
Java 6 Update 3
Kaspersky Online Scanner
LiveUpdate 3.3 (Symantec Corporation)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Web Components
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Accounting 2007
Microsoft Office Accounting 2007
Microsoft Office Accounting ADP Payroll Addin
Microsoft Office Accounting Equifax Addin
Microsoft Office Accounting Fixed Asset Manager
Microsoft Office Accounting PayPal Addin
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business Connectivity Components
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (2.0.0.11)
MPEG2 Codec(libmpeg2/mad)
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
NVIDIA Drivers
NVIDIA nTune
NvMixer
QuickTime
RealPlayer
Realtek AC'97 Audio
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Excel 2007 (KB936509)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Office 2007 (KB934062)
Security Update for Office 2007 (KB936514)
Security Update for Publisher 2007 (KB936646)
Security Update for the 2007 Microsoft Office System (KB936960)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
Snood for Windows version 3.52-W
Sound Blaster Audigy
Speed Up Alarm
Spybot - Search & Destroy 1.4
Stata/SE 8 for Windows
Symantec Endpoint Protection
The Witcher
Update for Office 2007 (KB932080)
Update for Office 2007 (KB934391)
Update for Office 2007 (KB934393)
Update for Outlook 2007 (KB937608)
Update for Outlook 2007 Junk Email Filter (kb943597)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Word 2007 (KB934173)
Windows Communication Foundation
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2

-------------------------------------------------------------------------------
 KASPERSKY ONLINE SCANNER REPORT
 Friday, December 21, 2007 4:15:12 PM
 Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
 Kaspersky Online Scanner version: 5.0.98.0
 Kaspersky Anti-Virus database last update: 21/12/2007
 Kaspersky Anti-Virus database records: 491206
-------------------------------------------------------------------------------

Scan Settings:
 Scan using the following antivirus database: extended
 Scan Archives: true
 Scan Mail Bases: true

Scan Target - My Computer:
 C:\
 D:\
 E:\
 F:\
 G:\

Scan Statistics:
 Total number of scanned objects: 107846
 Number of viruses found: 1
 Number of infected objects: 0
 Number of suspicious objects: 2
 Duration of the scan process: 02:27:51

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SavSubEng\submissions.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\89FEE130.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\B1522C98.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\David Chang\Application Data\Mozilla\Firefox\Profiles\bttb6yqz.default\cert8.db Object is locked skipped
C:\Documents and Settings\David Chang\Application Data\Mozilla\Firefox\Profiles\bttb6yqz.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\David Chang\Application Data\Mozilla\Firefox\Profiles\bttb6yqz.default\history.dat Object is locked skipped
C:\Documents and Settings\David Chang\Application Data\Mozilla\Firefox\Profiles\bttb6yqz.default\key3.db Object is locked skipped
C:\Documents and Settings\David Chang\Application Data\Mozilla\Firefox\Profiles\bttb6yqz.default\parent.lock Object is locked skipped
C:\Documents and Settings\David Chang\Application Data\Mozilla\Firefox\Profiles\bttb6yqz.default\search.sqlite Object is locked skipped
C:\Documents and Settings\David Chang\Application Data\Mozilla\Firefox\Profiles\bttb6yqz.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\David Chang\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\David Chang\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\David Chang\Local Settings\Application Data\AOL OCP\AIM\Storage\data\fang5656\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\David Chang\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\David Chang\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\David Chang\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_86FC_363F_FC36_29B7\dfsr.db Object is locked skipped
C:\Documents and Settings\David Chang\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_86FC_363F_FC36_29B7\fsr.log Object is locked skipped
C:\Documents and Settings\David Chang\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_86FC_363F_FC36_29B7\fsrtmp.log Object is locked skipped
C:\Documents and Settings\David Chang\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_86FC_363F_FC36_29B7\tmp.edb Object is locked skipped
C:\Documents and Settings\David Chang\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\David Chang\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\David Chang\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\real\members.stg Object is locked skipped
C:\Documents and Settings\David Chang\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\shadow\members.stg Object is locked skipped
C:\Documents and Settings\David Chang\Local Settings\Application Data\Mozilla\Firefox\Profiles\bttb6yqz.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\David Chang\Local Settings\Application Data\Mozilla\Firefox\Profiles\bttb6yqz.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\David Chang\Local Settings\Application Data\Mozilla\Firefox\Profiles\bttb6yqz.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\David Chang\Local Settings\Application Data\Mozilla\Firefox\Profiles\bttb6yqz.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\David Chang\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\David Chang\Local Settings\Temp\fla67D.tmp Object is locked skipped
C:\Documents and Settings\David Chang\Local Settings\Temp\hsperfdata_David Chang\5180 Object is locked skipped
C:\Documents and Settings\David Chang\Local Settings\Temp\~DF2404.tmp Object is locked skipped
C:\Documents and Settings\David Chang\Local Settings\Temp\~DF240E.tmp Object is locked skipped
C:\Documents and Settings\David Chang\Local Settings\Temp\~DF61DC.tmp Object is locked skipped
C:\Documents and Settings\David Chang\Local Settings\Temp\~DF8B60.tmp Object is locked skipped
C:\Documents and Settings\David Chang\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\David Chang\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\David Chang\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\David Chang\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_7a4.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_172.trc Object is locked skipped
C:\Program Files\Symantec\Symantec Endpoint Protection\AVMan.log Object is locked skipped
C:\Program Files\Symantec\Symantec Endpoint Protection\GUProxy.log Object is locked skipped
C:\Program Files\Symantec\Symantec Endpoint Protection\LUMan.log Object is locked skipped
C:\Program Files\Symantec\Symantec Endpoint Protection\processlog.log Object is locked skipped
C:\Program Files\Symantec\Symantec Endpoint Protection\rawlog.log Object is locked skipped
C:\Program Files\Symantec\Symantec Endpoint Protection\seclog.log Object is locked skipped
C:\Program Files\Symantec\Symantec Endpoint Protection\syslog.log Object is locked skipped
C:\Program Files\Symantec\Symantec Endpoint Protection\tralog.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object
is locked skippedC:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skippedC:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skippedC:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skippedC:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skippedC:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skippedC:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skippedC:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skippedC:\WINDOWS\Temp\npnuninst.exe.npz/npnuninst.exe Suspicious: Password-protected-EXE skippedC:\WINDOWS\Temp\npnuninst.exe.npz ZIP: suspicious - 1 skippedC:\WINDOWS\Temp\Perflib_Perfdata_488.dat Object is locked skippedC:\WINDOWS\WindowsUpdate.log Object is locked skippedF:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skippedScan process completed.------------------------------------And lastly, new HijackThisLogfile of Trend Micro HijackThis v2.0.2Scan saved at 4:16:45 PM, on 12/21/2007Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16574)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exeC:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\CTsvcCDA.EXEC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\WINDOWS\system32\nvsvc32.exec:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exeC:\WINDOWS\system32\Rundll32.exeC:\WINDOWS\system32\RUNDLL32.EXEC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\Program 
Files\Java\jre1.6.0_03\bin\jusched.exeC:\WINDOWS\SOUNDMAN.EXEC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Microsoft Office\Office12\GrooveMonitor.exeC:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exeC:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exeC:\Program Files\Windows Live\Messenger\MsnMsgr.ExeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Creative\MediaSource\Detector\CTDetect.exeC:\Program Files\AIM6\aim6.exeC:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exeC:\Program Files\Common Files\AOL\Loader\aolload.exeC:\Program Files\iPod\bin\iPodService.exeC:\Program Files\AIM6\aolsoftware.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Windows Live\Messenger\usnsvc.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Documents and Settings\David Chang\Desktop\HiJackThis.exeC:\Program Files\Common Files\Symantec Shared\COH\coh32.exeO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLLO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dllO2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNCO4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMENameO4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17HelperO4 - HKLM\..\Run: [NVIDIA nTune] 
"C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clearO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exeO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXEO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXEO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [iMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 -noiconO4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /rO4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /backgroundO4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /RO4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imAppO4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] 
C:\WINDOWS\system32\ctfmon.exe (User 'Default user')O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXEO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dllO9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLLO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO15 - Trusted Zone: *.kdb.co.krO15 - Trusted Zone: *.nprotect.co.krO15 - Trusted Zone: *.nprotect.comO15 - Trusted Zone: *.nprotect.netO15 - Trusted Zone: http://*.wedisk.co.krO15 - Trusted Zone: http://*.wedisk.netO15 - ESC Trusted Zone: http://*.update.microsoft.comO16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/games/hamsterball/...tgameloader.cabO16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg8.cyworld.com/ImageUpload/CyIm...pload_10217.cabO16 - DPF: 
{05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cabO16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cabO16 - DPF: {32E08E96-5B55-47AE-87EC-DE8FDF9266E3} (Jviewer Control) - http://208.70.74.58/Jviewer.cabO16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games ?Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cabO16 - DPF: {474AD63A-9B7E-40FE-8E4E-7067CC0F8D3D} (IB_OnAir.IBOnAir) - http://ionair.sbs.co.kr/onair/IB_OnAir.CABO16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cabO16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cabO16 - DPF: {5C899971-E9D6-4496-8077-98378408E340} (MPControl Control) - http://mplay.sbs.co.kr/players/SBSiMPControl.cabO16 - DPF: {6368221B-31D9-4BE6-8937-B4F37B3930B8} (NpZoneMgr Control) - http://update.nprotect.net/npzone/kdb_vista/npZoneMgr.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1150346317937O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1164140577078O16 - DPF: {7513B187-5954-4C64-ABF4-E652FE899F24} (Wedisk Control) - http://www.wedisk.co.kr/app/WeDisk.cabO16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cabO16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cabO16 - DPF: {8FA141C5-29D7-4408-A57B-619C463ED7BB} (Cychannel_Club1_10.UserControl1) - http://club.cyworld.com/cychannel_club/Cyc...lubmain1_11.CABO16 - DPF: {93F79C47-F414-4EEE-95C5-A0F0ACE59A0E} (ALDx Class) - 
http://www.altools.co.kr/ALDX.cabO16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games ?Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cabO16 - DPF: {A1832535-5218-42F9-8959-19E2BCABFABF} (INIwallet50 Control) - http://plugin.inicis.com/wallet50/INIwallet50.cabO16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cabO16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworld.nate.com/cymusic/package/skcbgmset.cabO16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cabO16 - DPF: {BCEF5CDE-BAD4-4532-A30B-9D16D502DE69} (BugsInstallEx Control) - http://install.bugs.co.kr/install/BugsInstallerEx.cabO16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1010 Class) - http://www.hangame.com/common/HanSetup1010.cabO16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cabO16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://www.cramster.com/DRM/Client/FileOpen.CABO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cabO16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://update.nprotect.net/nprotect/kdb/npkcx.cabO16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://www.shockwave.com/content/cinematyc...inematycoon.cabO16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games ?Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cabO16 - DPF: {DA54C9C1-8109-43C9-9C80-E4210CEDF147} (EzwonSession Control) - http://www.wedisk.co.kr/app/EzwonSessionCtl.cabO16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled...ploader_v10.cabO16 - DPF: 
{F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: spxcoins32 - C:\WINDOWS\SYSTEM32\spxcoins32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
--
End of file - 12957 bytes
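Reading a HijackThis log by hand comes down to scanning a few O-sections for the entry types that matter most: O20 Winlogon Notify DLLs (winlogon.exe loads them as SYSTEM at every logon, and spxcoins32.dll above is not one of Windows' own), O15 Trusted Zone sites (Internet Explorer relaxes its ActiveX and scripting policy for them), O16 ActiveX downloads pulled from a raw IP address instead of a hostname, O4 Run values that name a bare executable with no path, and O2 BHO entries that point at (no file). The Python script below is an added example, not part of this thread and not a HijackThis feature; it applies those checks to a handful of entries copied from the log above, split one per line as HijackThis actually writes them. The list of Windows XP's own Winlogon Notify packages is an assumption, and the severities are this example's own.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: entries copied from the HijackThis log posted above,
# one per line (HijackThis writes them that way; the forum ran them together).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O15 - Trusted Zone: *.nprotect.co.kr
O15 - Trusted Zone: http://*.wedisk.co.kr
O16 - DPF: {32E08E96-5B55-47AE-87EC-DE8FDF9266E3} (Jviewer Control) - http://208.70.74.58/Jviewer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1150346317937
O20 - Winlogon Notify: spxcoins32 - C:\WINDOWS\SYSTEM32\spxcoins32.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Winlogon Notify packages that ship with Windows XP (assumed list). Anything
# else is a DLL that winlogon.exe loads as SYSTEM at every logon.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


def host_is_raw_ip(url):
    """True when a download URL names a bare IP address instead of a hostname."""
    host = urlparse(url).hostname or ""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def run_command_is_bare(command):
    """True for an O4 command whose first token carries no path, so Windows
    resolves it through the search order at logon. rundll32 itself is normal."""
    command = command.strip()
    if command.startswith('"'):
        first = command[1:].split('"', 1)[0]
    else:
        first = command.split(" ", 1)[0]
    return "\\" not in first and first.lower() not in ("rundll32", "rundll32.exe")


def triage(log_text):
    """Return (severity, section, reason, entry) tuples for lines worth a look,
    highest severity first."""
    findings = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section == "O2" and body.endswith("(no file)"):
            findings.append(("low", section, "orphaned BHO registration", line))
        elif section == "O4":
            command = body.split("] ", 1)[1] if "] " in body else body
            if run_command_is_bare(command):
                findings.append(("medium", section, "Run value without a full path", line))
        elif section == "O15":
            findings.append(("medium", section, "site in IE Trusted Zone (relaxed ActiveX policy)", line))
        elif section == "O16":
            url = body.rsplit(" - ", 1)[-1]
            if host_is_raw_ip(url):
                findings.append(("high", section, "ActiveX download from a raw IP address", line))
        elif section == "O20":
            name = body.split(":", 1)[1].split(" - ", 1)[0].strip().lower()
            if name not in KNOWN_NOTIFY:
                findings.append(("high", section, "non-Windows Winlogon Notify DLL", line))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, section, reason, entry in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {section}: {reason}\n         {entry}")
```

Run as is, it ranks the two O16/O20 items first; pointed at a full log (paste it into SAMPLE_LOG or read it from a file) it gives the short list a helper would ask about before anything is deleted. The rules are deliberately narrow: an entry that is not flagged is not thereby clean, and a flagged O15 or O4 entry may well be legitimate software, as most of the ones above are.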
rmurphy Posted December 21, 2007

Please go to Add/Remove Programs in the Control Panel, and remove the following program: Java 2 Runtime Environment, SE v1.4.2_14

Delete the following file: C:\WINDOWS\Temp\npnuninst.exe.npz

Download ComboFix from one of the locations below, and save it to your Desktop.
Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

-Ryan
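The Kaspersky scan above skipped C:\WINDOWS\Temp\npnuninst.exe.npz as "Password-protected-EXE" and "ZIP: suspicious": the container holds a member the scanner could not decrypt, so it could not inspect it. Before deleting a file like that, a practitioner usually wants to know what is in it without extracting anything. The Python below is an added example, not from this thread and not a ComboFix or Kaspersky function: it reads only the ZIP headers, reports each member's name, size, CRC-32 and whether the encryption flag (general-purpose flag bit 0) is set, and applies the same reasoning the scanner did. Because the original file is not available, the script builds its own fixture, a one-member ZIP whose flag bit is set by hand so any ZIP reader treats the member as password-protected; the member name npnuninst.exe and the stub bytes inside are constructed for the demonstration.

```python
import io
import struct
import sys
import zipfile

ENCRYPTED = 0x0001  # general-purpose flag bit 0: member is password-protected
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".cpl", ".sys")


def inspect_archive(data):
    """List the members of a ZIP held in memory from its central directory:
    name, uncompressed size, CRC-32, encryption flag, executable-looking name.
    Nothing is extracted, decrypted or run."""
    members = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            members.append({
                "name": info.filename,
                "size": info.file_size,
                "crc32": f"{info.CRC:08x}",
                "encrypted": bool(info.flag_bits & ENCRYPTED),
                "executable": info.filename.lower().endswith(EXEC_SUFFIXES),
            })
    return members


def verdict(members):
    """Same reasoning the scanner applied: an encrypted member cannot be scanned,
    and an encrypted executable is the classic way to carry a payload past AV."""
    if any(m["encrypted"] and m["executable"] for m in members):
        return "encrypted executable inside: treat as suspicious, do not extract"
    if any(m["encrypted"] for m in members):
        return "encrypted member(s): scanner cannot inspect"
    return "all members readable"


def build_fixture(encrypted):
    """Constructed test fixture (the real npnuninst.exe.npz is not available):
    a one-member ZIP. With encrypted=True the flag bit is set in both the local
    and the central-directory header, so every ZIP reader treats the member as
    password-protected; the stored bytes are a stub, not real ciphertext."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("npnuninst.exe", b"MZ" + b"\x00" * 62)  # not a real PE
    data = bytearray(buf.getvalue())
    if encrypted:
        # flags sit at offset 6 of the local header, offset 8 of the central one
        for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(signature)
            (flags,) = struct.unpack_from("<H", data, pos + offset)
            struct.pack_into("<H", data, pos + offset, flags | ENCRYPTED)
    return bytes(data)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fixture(True)
    found = inspect_archive(blob)
    for m in found:
        print(f"{m['name']:30} {m['size']:>8} crc={m['crc32']} "
              f"{'ENCRYPTED' if m['encrypted'] else 'plain'}")
    print(verdict(found))
```

Against the real file, pass its path as the argument. The member names, sizes and CRC-32 values are what you would search on or submit to a vendor instead of the payload itself, and the script never opens the member data, so running it on a suspect archive does not execute anything inside it.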
fang56 Posted December 22, 2007

Hi Ryan, I have done what you have asked me to do. First I uninstalled the Java runtime, then deleted the file from the temp folder. Then I downloaded and ran ComboFix. However, at the beginning of the ComboFix run, the computer popped up an error box ["swreg.cfexe" - the instruction at "0x7c9111e0" referenced memory at "0x002000069" The memory could not be "read". Click on OK to terminate the program.] So I clicked OK, but ComboFix kept running and generated this report. Thanks again!!!

ComboFix 07-12-21.4 - David Chang 2007-12-21 22:31:24.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.949.82.1033.18.1503 [GMT -5:00]
Running from: C:\Documents and Settings\David Chang\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-11-22 to 2007-12-22 )))))))))))))))))))))))))))))))
.
2007-12-21 13:06 . 2007-12-21 13:06 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-21 13:06 . 2007-12-21 13:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-21 12:10 . 2007-12-21 12:27 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
2007-12-21 03:39 . 2007-12-21 03:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-12-21 03:31 . 2007-12-21 03:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-21 02:13 . 2007-12-21 02:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-21 01:48 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-21 01:47 . 2007-12-21 01:47 <DIR> d-------- C:\Documents and Settings\David Chang\Application Data\Uniblue
2007-12-20 18:04 . 2007-12-20 18:07 <DIR> d-------- C:\Program Files\Windows Live
2007-12-20 18:04 . 2007-12-20 18:06 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-20 18:04 . 
2007-12-20 18:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller2007-12-17 11:29 . 2007-12-17 11:29 <DIR> d-------- C:\WINDOWS\Soft191 Panic Station2007-12-17 05:28 . 2007-12-17 05:28 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP2007-12-15 16:46 . 2007-12-15 16:46 517,744 --a------ C:\WINDOWS\system32\skcppl.dll2007-12-15 16:46 . 2007-12-15 16:46 67,184 --a------ C:\WINDOWS\system32\CMListControl.dll2007-12-02 19:56 . 2007-12-02 19:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Tages2007-12-02 19:55 . 2007-12-02 19:55 278,984 --a------ C:\WINDOWS\system32\drivers\atksgt.sys2007-12-02 19:55 . 2007-12-02 19:55 25,416 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys2007-12-02 19:30 . 2007-12-02 19:56 <DIR> d-------- C:\Program Files\The Witcher2007-12-02 18:33 . 2007-12-02 18:33 <DIR> d-------- C:\Documents and Settings\David Chang\Application Data\Codemasters2007-12-02 18:25 . 2007-12-02 18:25 <DIR> d-------- C:\WINDOWS\system32\AGEIA2007-12-02 18:25 . 2007-12-02 18:25 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard2007-12-02 18:25 . 2007-12-02 18:25 <DIR> d-------- C:\Program Files\AGEIA Technologies2007-12-02 18:00 . 2007-12-02 18:00 <DIR> d-------- C:\Program Files\Codemasters2007-12-02 14:58 . 2007-12-21 10:37 <DIR> d-------- C:\Program Files\MonopolyHereNowEdition_at2007-11-28 22:47 . 2007-12-02 16:40 <DIR> d-------- C:\Program Files\Stardock2007-11-28 14:17 . 2007-11-28 14:18 <DIR> d-------- C:\Program Files\Snood2007-11-28 13:06 . 2007-11-28 13:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia2007-11-28 11:45 . 2007-11-28 12:37 <DIR> d-------- C:\Program Files\Fish Tycoon2007-11-27 00:01 . 2007-11-27 00:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PopCap2007-11-26 23:38 . 2007-11-26 23:38 <DIR> dr-h----- C:\Documents and Settings\David Chang\Application Data\SecuROM2007-11-26 22:05 . 
2007-11-26 22:05 <DIR> d-------- C:\Documents and Settings\David Chang\Application Data\iWin2007-11-26 14:27 . 2007-11-26 14:27 <DIR> d-------- C:\Program Files\Temp2007-11-26 13:43 . 2007-11-26 13:43 4,096 --a------ C:\WINDOWS\d3dx.dat2007-11-26 13:41 . 2007-11-26 14:25 <DIR> d-------- C:\Program Files\Kinset2007-11-22 17:28 . 2007-11-22 17:28 <DIR> d-------- C:\Documents and Settings\David Chang\Application Data\PlayFirst2007-11-22 17:28 . 2007-11-22 17:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst2007-11-22 17:27 . 2007-11-22 17:27 <DIR> d-------- C:\Program Files\ReflexiveArcade.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2007-12-22 03:24 --------- d-----w C:\Program Files\Java2007-12-21 17:34 --------- d-----w C:\Program Files\DC++2007-12-19 16:52 --------- d-----w C:\Program Files\Unity2007-12-17 17:00 --------- d-----w C:\Program Files\eMule2007-12-15 21:46 468,592 ----a-w C:\WINDOWS\system32\skcbgm.dll2007-12-15 21:46 198,256 ----a-w C:\WINDOWS\system32\skcwmf.dll2007-12-15 21:46 169,584 ----a-w C:\WINDOWS\system32\skcbgm.exe2007-12-15 21:46 145,008 ----a-w C:\WINDOWS\system32\skcbgmf1.dll2007-12-12 08:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help2007-12-03 08:54 --------- d--h--w C:\Program Files\InstallShield Installation Information2007-12-03 02:48 --------- d-----w C:\Documents and Settings\David Chang\Application Data\BitTorrent2007-12-02 19:56 --------- d-----w C:\Program Files\DivX2007-11-28 18:15 --------- d-----w C:\Program Files\Shockwave.com2007-11-27 04:38 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll2007-11-27 03:04 --------- d-----w C:\Program Files\BitTorrent2007-11-21 02:19 --------- d-----w C:\Program Files\Common Files\Symantec Shared2007-11-21 02:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec2007-11-21 02:18 806 ----a-w 
C:\WINDOWS\system32\drivers\SYMEVENT.INF2007-11-21 02:18 60,808 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL2007-11-21 02:18 136,496 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS2007-11-21 02:18 10,652 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT2007-11-21 02:18 --------- d-----w C:\Program Files\Symantec2007-11-21 02:11 --------- d-----w C:\Program Files\AutoMacroRecorder2007-11-21 02:11 --------- d-----w C:\Program Files\AutoHotkey2007-11-21 02:10 --------- d-----w C:\Program Files\MagicISO2007-11-21 02:08 --------- d-----w C:\Program Files\Viewpoint2007-11-21 02:08 --------- d-----w C:\Program Files\Cyworld Music Player2007-11-21 02:08 --------- d-----w C:\Documents and Settings\David Chang\Application Data\Viewpoint2007-11-21 00:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\HipSoft2007-11-20 23:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Shockwave2007-11-15 17:02 --------- d-----w C:\Program Files\Bugs2007-11-13 18:11 --------- d-----w C:\Documents and Settings\David Chang\Application Data\Move Networks2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys2007-11-12 21:58 --------- d-----w C:\Program Files\iTunes2007-11-12 21:58 --------- d-----w C:\Program Files\iPod2007-11-12 21:56 --------- d-----w C:\Program Files\QuickTime2007-10-30 15:58 --------- d-----w C:\Program Files\AIM62007-10-30 15:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint2007-10-30 15:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll2007-10-29 14:17 --------- d-----w C:\Program Files\AC3Filter2007-10-29 14:16 --------- d-----w C:\Program Files\GNU2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll2007-10-18 16:31 51,224 ----a-w C:\WINDOWS\system32\sirenacm.dll2007-10-12 21:49 675,840 ----a-w C:\WINDOWS\system32\INIcrypt32.dll2007-10-12 21:46 995,328 ----a-w 
C:\WINDOWS\system32\INIcd50.dll2007-10-12 21:46 521,726 ----a-w C:\WINDOWS\system32\INIKeyLink50.dll2007-10-11 21:46 708,096 ----a-w C:\WINDOWS\system32\INIcrypto20.dll2007-10-11 21:46 475,136 ----a-w C:\WINDOWS\system32\INITray.exe2007-10-11 21:46 311,296 ----a-w C:\WINDOWS\system32\INInet52.dll2007-10-11 21:46 1,024,000 ----a-w C:\WINDOWS\system32\INImain50.dll2007-10-03 19:30 91,632 ----a-w C:\WINDOWS\system32\nts.dll2007-10-03 19:30 89,088 ----a-w C:\WINDOWS\system32\atl71.dll2007-10-03 19:30 83,440 ----a-w C:\WINDOWS\system32\pds.dll2007-10-03 19:30 83,384 ----a-w C:\WINDOWS\system32\loc32vc0.dll2007-10-03 19:30 48,000 ----a-w C:\WINDOWS\system32\FwsVpn.dll2007-10-03 19:30 46,584 ----a-w C:\WINDOWS\system32\msgsys.dll2007-10-03 19:30 34,288 ----a-w C:\WINDOWS\system32\cba.dll2007-10-03 19:30 107,904 ----a-w C:\WINDOWS\system32\SymVPN.dll2007-08-21 02:29 86,016 ----a-w C:\Documents and Settings\David Chang\IDHWTSS1.dll2007-08-21 02:29 81,920 ----a-w C:\Documents and Settings\David Chang\hobjni.dll2007-06-29 00:43 36,868 ----a-w C:\Documents and Settings\David Chang\PrtDLL.dll2006-11-30 19:12 1,327,055 ----a-w C:\Documents and Settings\David Chang\erpsetup.exe2004-03-16 03:02 538,421 ----a-w C:\Documents and Settings\David Chang\spupalarm.exe.((((((((((((((((((((((((((((( snapshot@2007-12-21_22.22.11.54 ))))))))))))))))))))))))))))))))))))))))).+ 2007-12-22 03:26:18 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_1a4.dat.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34]"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 17:23]"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 
10:20][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 21:32]"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 21:32]"P17Helper"="Rundll32 P17.dll" []"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" [2005-01-18 11:32]"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]"CTXFIREG"="CTxfiReg.exe" []"NvMediaCenter"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-10-03 14:30]"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00]"SoundMan"="SOUNDMAN.EXE" [2006-01-10 18:08 C:\WINDOWS\soundman.exe]"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16]"nwiz"="nwiz.exe" [2007-06-28 23:43 C:\WINDOWS\system32\nwiz.exe]"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 16:12]"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 21:32]"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]"eTrust PestPatrol Active Protection"="C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe" [2004-09-27 06:09]"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 05:48]"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 15:10]"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]C:\Documents and Settings\David Chang\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54][HKEY_LOCAL_MACHINE\software\microsoft\windows 
nt\currentversion\winlogon\notify\spxcoins32]spxcoins32.dll 2004-07-13 20:26 8704 C:\WINDOWS\system32\spxcoins32.dll[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]@="Service"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]@="Service"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]@="Service"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]@="Service"R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ []R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 04:29]R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-03 21:31]R3 P17;SB Live! 24-bit;C:\WINDOWS\system32\drivers\P17.sys [2007-06-15 01:47]R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys [2004-04-14 10:08]R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys [2004-04-14 10:08]S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2007-10-03 14:29]S3 NPFWFLT;NPFWFLT;C:\WINDOWS\system32\NPFWFLT.SYS [2007-07-25 09:39]S3 p17filt;p17filt;C:\WINDOWS\system32\drivers\p17filt.sys [2006-03-20 17:34]S3 SNAC;Symantec Network Access Control;"C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE" [2007-10-03 14:30]S3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys [2004-04-14 10:08]S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys [2004-04-14 10:08].Contents of the 'Scheduled Tasks' folder"2007-12-17 21:48:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"- C:\Program Files\Apple Software Update\SoftwareUpdate.exe.**************************************************************************catchme 0.3.1333 W2K/XP/Vista - 
rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-21 22:35:28
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-21 22:35:58
C:\ComboFix2.txt ... 2007-12-21 22:22
.
2007-12-12 08:03:18 --- E O F ---
--------------------------------------------------------------------------------------------------------------------
HERE'S THE NEW HIJACKTHIS FILE.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:36:13 PM, on 12/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program 
Files\Common Files\AOL\Loader\aolload.exeC:\Program Files\iPod\bin\iPodService.exeC:\WINDOWS\system32\conime.exeC:\WINDOWS\explorer.exeC:\WINDOWS\system32\notepad.exeC:\Documents and Settings\David Chang\Desktop\HiJackThis.exeO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLLO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dllO2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNCO4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMENameO4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17HelperO4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clearO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exeO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXEO4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXEO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [iMJPMIG8.1] 
C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 -noiconO4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /rO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /backgroundO4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /RO4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imAppO4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXEO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dllO9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra 
'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLLO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO15 - Trusted Zone: *.kdb.co.krO15 - Trusted Zone: *.nprotect.co.krO15 - Trusted Zone: *.nprotect.comO15 - Trusted Zone: *.nprotect.netO15 - Trusted Zone: http://*.wedisk.co.krO15 - Trusted Zone: http://*.wedisk.netO15 - ESC Trusted Zone: http://*.update.microsoft.comO16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/games/hamsterball/...tgameloader.cabO16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg8.cyworld.com/ImageUpload/CyIm...pload_10217.cabO16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cabO16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cabO16 - DPF: {32E08E96-5B55-47AE-87EC-DE8FDF9266E3} (Jviewer Control) - http://208.70.74.58/Jviewer.cabO16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games ?Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cabO16 - DPF: {474AD63A-9B7E-40FE-8E4E-7067CC0F8D3D} (IB_OnAir.IBOnAir) - http://ionair.sbs.co.kr/onair/IB_OnAir.CABO16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cabO16 - DPF: 
{5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cabO16 - DPF: {5C899971-E9D6-4496-8077-98378408E340} (MPControl Control) - http://mplay.sbs.co.kr/players/SBSiMPControl.cabO16 - DPF: {6368221B-31D9-4BE6-8937-B4F37B3930B8} (NpZoneMgr Control) - http://update.nprotect.net/npzone/kdb_vista/npZoneMgr.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1150346317937O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1164140577078O16 - DPF: {7513B187-5954-4C64-ABF4-E652FE899F24} (Wedisk Control) - http://www.wedisk.co.kr/app/WeDisk.cabO16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cabO16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cabO16 - DPF: {8FA141C5-29D7-4408-A57B-619C463ED7BB} (Cychannel_Club1_10.UserControl1) - http://club.cyworld.com/cychannel_club/Cyc...lubmain1_11.CABO16 - DPF: {93F79C47-F414-4EEE-95C5-A0F0ACE59A0E} (ALDx Class) - http://www.altools.co.kr/ALDX.cabO16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games ?Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cabO16 - DPF: {A1832535-5218-42F9-8959-19E2BCABFABF} (INIwallet50 Control) - http://plugin.inicis.com/wallet50/INIwallet50.cabO16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cabO16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworld.nate.com/cymusic/package/skcbgmset.cabO16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cabO16 - DPF: {BCEF5CDE-BAD4-4532-A30B-9D16D502DE69} (BugsInstallEx Control) - 
http://install.bugs.co.kr/install/BugsInstallerEx.cabO16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1010 Class) - http://www.hangame.com/common/HanSetup1010.cabO16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cabO16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://www.cramster.com/DRM/Client/FileOpen.CABO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cabO16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://update.nprotect.net/nprotect/kdb/npkcx.cabO16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://www.shockwave.com/content/cinematyc...inematycoon.cabO16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games ?Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cabO16 - DPF: {DA54C9C1-8109-43C9-9C80-E4210CEDF147} (EzwonSession Control) - http://www.wedisk.co.kr/app/EzwonSessionCtl.cabO16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled...ploader_v10.cabO16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cabO18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLLO20 - Winlogon Notify: spxcoins32 - C:\WINDOWS\SYSTEM32\spxcoins32.dllO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXEO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - 
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXEO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exeO23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXEO23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe--End of file - 12580 bytes Link to post Share on other sites
rmurphy Posted December 22, 2007

How's the computer running? Did the help desk give you any information when they said you were infected?

-Ryan
fang56 (Author) Posted December 22, 2007

Ryan, the computer was infected not too long ago, I think about a week or so ago, a week and a half at the max. I don't know how the computer runs, but even when I have all the things that use the internet turned off, I get about 0.5-1% of activity all the time (when I press Ctrl+Alt+Del and check network activity). I think I am still infected. What's the next step?
rmurphy Posted December 23, 2007

Please uninstall any filesharing programs you may have installed on the computer. From the uninstall list, the ones I saw were:

BitTorrent 5.0.9
DC++ 0.699
eMule

Open HiJack This and scan. When it finishes, put an X in the box next to the following item(s):

O15 - Trusted Zone: *.kdb.co.kr
O15 - Trusted Zone: *.nprotect.co.kr
O15 - Trusted Zone: *.nprotect.com
O15 - Trusted Zone: *.nprotect.net
O15 - Trusted Zone: http://*.wedisk.co.kr
O15 - Trusted Zone: http://*.wedisk.net
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/games/hamsterball/...tgameloader.cab
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg8.cyworld.com/ImageUpload/CyIm...pload_10217.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {32E08E96-5B55-47AE-87EC-DE8FDF9266E3} (Jviewer Control) - http://208.70.74.58/Jviewer.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {474AD63A-9B7E-40FE-8E4E-7067CC0F8D3D} (IB_OnAir.IBOnAir) - http://ionair.sbs.co.kr/onair/IB_OnAir.CAB
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5C899971-E9D6-4496-8077-98378408E340} (MPControl Control) - http://mplay.sbs.co.kr/players/SBSiMPControl.cab
O16 - DPF: {6368221B-31D9-4BE6-8937-B4F37B3930B8} (NpZoneMgr Control) - http://update.nprotect.net/npzone/kdb_vista/npZoneMgr.cab
O16 - DPF: {7513B187-5954-4C64-ABF4-E652FE899F24} (Wedisk Control) - http://www.wedisk.co.kr/app/WeDisk.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {8FA141C5-29D7-4408-A57B-619C463ED7BB} (Cychannel_Club1_10.UserControl1) - http://club.cyworld.com/cychannel_club/Cyc...lubmain1_11.CAB
O16 - DPF: {93F79C47-F414-4EEE-95C5-A0F0ACE59A0E} (ALDx Class) - http://www.altools.co.kr/ALDX.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {A1832535-5218-42F9-8959-19E2BCABFABF} (INIwallet50 Control) - http://plugin.inicis.com/wallet50/INIwallet50.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworld.nate.com/cymusic/package/skcbgmset.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BCEF5CDE-BAD4-4532-A30B-9D16D502DE69} (BugsInstallEx Control) - http://install.bugs.co.kr/install/BugsInstallerEx.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1010 Class) - http://www.hangame.com/common/HanSetup1010.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://www.cramster.com/DRM/Client/FileOpen.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://update.nprotect.net/nprotect/kdb/npkcx.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://www.shockwave.com/content/cinematyc...inematycoon.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DA54C9C1-8109-43C9-9C80-E4210CEDF147} (EzwonSession Control) - http://www.wedisk.co.kr/app/EzwonSessionCtl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled...ploader_v10.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O20 - Winlogon Notify: spxcoins32 - C:\WINDOWS\SYSTEM32\spxcoins32.dll

Close all open windows except for HiJack This and click fix checked.

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu). Remove the following files in bold (if found):

C:\WINDOWS\SYSTEM32\spxcoins32.dll

Reboot your computer.

Please go to Microsoft Update and make sure you have all high security and critical updates installed.

Please rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working.

-Ryan
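The triage Ryan does by eye above (pick out the O15 Trusted Zone entries, the O16 Downloaded Program Files ActiveX controls and the O20 Winlogon Notify DLL, then note which file to look for in safe mode) can be scripted. The following is an added example written for this thread; it is not part of the thread, of HijackThis, or of any removal tool. It only reads log text, never touches the registry or the file system, and the sample log is a constructed excerpt of a few lines lifted from the log posted earlier in this topic. The section names and their meanings are taken from the HijackThis log format itself; the function names and the choice to treat O15/O16/O20 as the review set are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines lifted from the HijackThis log posted
# in this thread, plus the log header and trailer, so the parser runs offline.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:36:13 PM, on 12/21/2007
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O15 - Trusted Zone: *.kdb.co.kr
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {32E08E96-5B55-47AE-87EC-DE8FDF9266E3} (Jviewer Control) - http://208.70.74.58/Jviewer.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: spxcoins32 - C:\WINDOWS\SYSTEM32\spxcoins32.dll
--
End of file - 12580 bytes
"""

# Every HijackThis finding is "O<n> - <body>"; header/trailer lines do not match.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")

# Sections the reviewer in this thread put on the "fix checked" list:
#   O15: sites added to Internet Explorer's Trusted Zone (relaxed security settings)
#   O16: Downloaded Program Files, i.e. ActiveX controls fetched from the web
#   O20: Winlogon Notify DLLs, loaded into winlogon.exe at every logon
REVIEW_SECTIONS = {"O15", "O16", "O20"}

# "Winlogon Notify: <name> - <dll path>"
WINLOGON_RE = re.compile(r"^Winlogon Notify: (\S+) - (.+)$")

# Host part of the URL an O16 control was downloaded from.
DPF_URL_RE = re.compile(r"https?://([^/\s]+)")


def parse_entries(log_text):
    """Return (section, body) for every O-numbered line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def fix_list(log_text):
    """Lines a reviewer would tick in HijackThis, grouped by section."""
    grouped = defaultdict(list)
    for section, body in parse_entries(log_text):
        if section in REVIEW_SECTIONS:
            grouped[section].append(f"{section} - {body}")
    return dict(grouped)


def winlogon_notify_dlls(log_text):
    """Map each O20 entry name to its DLL path: the files to look for in safe mode."""
    found = {}
    for section, body in parse_entries(log_text):
        if section == "O20":
            m = WINLOGON_RE.match(body)
            if m:
                found[m.group(1)] = m.group(2)
    return found


def dpf_download_hosts(log_text):
    """Hosts the O16 ActiveX controls were fetched from (a bare IP literal stands out)."""
    hosts = []
    for section, body in parse_entries(log_text):
        if section == "O16":
            m = DPF_URL_RE.search(body)
            hosts.append(m.group(1) if m else None)
    return hosts


if __name__ == "__main__":
    for section, lines in sorted(fix_list(SAMPLE_LOG).items()):
        print(f"{section}: {len(lines)} to review")
        for line in lines:
            print("   ", line)
    print("Winlogon Notify DLLs to check in safe mode:", winlogon_notify_dlls(SAMPLE_LOG))
    print("O16 download hosts:", dpf_download_hosts(SAMPLE_LOG))
```

Point `SAMPLE_LOG` at the contents of a saved hijackthis.log to run it against a real scan. The split into a generic `parse_entries` and small section-specific helpers keeps the review policy (which sections to flag) separate from the parsing, so a different helper's checklist is a one-line change to `REVIEW_SECTIONS`.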