BleepingComputer.com > Need Lots Of Help Please

pcdome

Jul 3 2006, 11:13 PM

Hello,

I'm far from being an expert, and I've tried to ask some of my more knowlegeable friends but I'm not getting anywhere with them. My original problem was that I have a BF Ghost (is that correct) running on my computer called conime.exe. I found a way to get rid of it on this forum once before but stupidly I closed that page without saving it as a favorite.

Anyhow, I'm glad I did lose that page because I have found several other problems thanks to your pinned topic on what I have to do before posting an HJT log. Now, I don't know how to fix those problems either, and I haven't noticed them come up in my HJT log, so I'm going to type those problems in first and then list my HJT log. (I will title each new problem in red and italicized. Please don't think I'm rude, I just thought it easier that way. Okay? Thanks. I'm sorry that this is going to be such a long post.

First Problem:

This is the report from the Trend Micro page, after cleaning:

Detected grayware/spyware

Note: Complete removal of the grayware listed below failed! If you require general hints and tips to solve the problem please click here. (My personal side note: I tried this and was told they have no solution for this problem. Back to Trend Micro report.) Grayware specific information is available from the relevant grayware section.

TSPY_CLICKER.CP 1 infections

There is no more information available for this grayware/spyware...
General information about this type of grayware/spyware.

Some of this grayware/spyware could not be removed automatically! Click here to receive instructions on how to remove this infection manually. (My personal side note: I tried this and received a message box that says: There is currently no information available on how to remove this malware/grayware manually. Please contact HouseCall Support (via the "Support" link) and describe your problem. (My personal side note: I'll do this, if the problem can't be solved here.))

Cleanup Options
(radio button) Clean all detected infections automatically (My personal side note: This doesn't work.)
(radio button) Select an individual action for each detected infection
(Checkbox with no logo above) Checked (Checkbox with broom above) Checking Not Allowed (Checkbox with a red "x"a above) Can be checked (Reason box) The current platform does not support cleanup (Files infected by this grayware/spyware) Files infected by this grayware/spyware

Second Problem:

From Stinger:

Scan initiated on Tue Jul 04 01:33:40 2006
C:\Documents and Settings\Robb\MyDocuments\h0ya\CDmage.exe
Found the W32/Pate.dam virus !!!
C:\Documents and Settings\Robb\MyDocuments\h0ya\CDmage.exe could not be repaired.
Number of Clean Files: 239106
Number of infected Files: 1

Third Problem:

ZoneLabs ZoneAlarm Firewall Download

According to the File Download Box the whole file is finished but the File Download box won't stop downloading and close the dialog box. I have it set to automatically close when finished but it won't close, I only have an option to cancel. I also don't see the file in my save location. Actually, I just recevied a message box that said the operation timed out.

Anyhow, I don't know if this is a problem for this forum or not, but I thought I would tell you, just in case.

Fourth & Last Problem: (at least that I'm aware of

)

This is my original problem conime.exe

Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:10:44 PM, on 7/4/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\SIGMA\TV\sigmatv.exe
C:\Program Files\Sigma\common\SMBM.EXE
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\CFusionMX7\runtime\bin\jrunsvc.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
C:\CFusionMX7\runtime\bin\jrun.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2server.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2index.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\conime.exe
C:\Program Files\HijackThis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ADSpider] C:\Program Files\ADSPider\ADSpider.exe /start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TV_Path] C:\Program Files\SIGMA\TV\sigmatv.exe /t
O4 - HKLM\..\Run: [SMBM] C:\Program Files\Sigma\common\SMBM.EXE /D
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\RunOnce: [NAVNT 2005Seq] C:\DOCUME~1\Robb\LOCALS~1\Temp\LUProdRg.exe /f:C:\DOCUME~1\Robb\LOCALS~1\Temp\2005LU~1.INI /s:SPW_Set_Sequence
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: 799BB2EC-572A-42A9-84AD-112806F4F551 -
O16 - DPF: DCD7F1D9-8E57-45F8-8C0C-4400CD84C8BF -
O16 - DPF: {091CDD73-1401-4643-9B9C-65B091C88685} (MyLinker Control) - http://kherald.contents.mylinker.co.kr/module/MyLinker.cab
O16 - DPF: {18D63578-EA2F-4A59-A49A-7F62E6B3DF3E} (ImP3 Control) - http://activexdown.paran.com/paranactivex/data/ImP3.cab
O16 - DPF: {240F0899-15BB-49AE-B820-62CEB9116C0F} (SkyCom Control) - http://www.skylove.com/connect/skycom.cab
O16 - DPF: {247D3068-ABDA-4A56-A48A-112183AC08B5} (GK_YH_Launcher Control) - http://kr.wbgames.yahoo.com/GK_YH_Launcher.cab
O16 - DPF: {27E4B2A9-D554-40DE-B6CD-F11E9B44FBD0} (SimFileControl Control) - http://simfile.chol.com/down/SimFileControl.cab
O16 - DPF: {286A75C3-11FB-4FB4-AC4A-4DD1B0750050} (INISAFEWeb6 V6 Class) - http://www.hanabank.com/plugin/INIS60.cab
O16 - DPF: {2882C368-D508-11D4-A2AB-000102598CE4} (LProtect Control) - http://www.livecall.co.kr/pds/module/livecall.cab
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
O16 - DPF: {36F46B1E-11B7-4221-B4F7-F1FC9687E7F6} (MBox Control) - http://kr.music.yahoo.com/m_box/component/mbox.cab
O16 - DPF: {3E59D482-6ABF-4560-A0C7-F90ACC0DC6BC} (MOHAAStarterX Control) - http://www.mohonline.co.kr/up/cab/MOHAAStarterX.cab
O16 - DPF: {4A55BA7E-0379-4DB5-BDEF-70454A548AB2} (AgentReal Control) - http://kr.baduk.yahoo.com/cab/YahooBaduk.cab
O16 - DPF: {4B48CEDD-EB09-4FD3-AA22-5BDE98EDEF90} (EZXSActiveX Control) - http://www.buykorea.org/buykorea/front/ezx...ezxsactivex.cab
O16 - DPF: {4BF107D8-CFB8-4BC8-B54D-375CA564A33B} (EAJamDn Control) - http://www.mohonline.co.kr/up/cab/EADownloader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {52A5D8F2-7C23-42AB-B6BF-5E7840CB1F27} (BxPopHandler Control) - http://www.netian.com/lib/BxPopHandler.cab
O16 - DPF: {5CBED04F-42E6-4BEC-A087-C20012B6308B} (SCLiveUp Class) - http://www.metlife.co.kr/cs/scCab/scLiveUp.cab
O16 - DPF: {6359EFB8-A988-4572-976B-3BA42C3A6177} (PMViewerX Control) - http://www.wholsee.com/Web/Scripts/Common/Map/PMapX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1106110171734
O16 - DPF: {6FE760D3-7851-4879-8838-62D9881D7177} (IniMasHandler Class) - http://emailimg.sktelecom.com/inimas/autoc...niMasPlugin.cab
O16 - DPF: {70EE0AA4-5A3A-4052-8FFA-2EEDA43F7942} (Innotive Cibrowser Control 1.1) - http://www.myipq.com/hosting/cibrowser/cib...r_1_1_1_119.cab
O16 - DPF: {799BB2EC-572A-42A9-84AD-112806F4F551} (Imweb Control) - http://activexdown.paran.com/paranactivex/data/imweb.cab
O16 - DPF: {79C871A6-F9C8-44DA-B2C9-CD9438D9642C} (EZXSInstaller Control) - http://www.buykorea.org/buykorea/front/ezx...xsinstaller.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://download.softforum.co.kr/Published/.../xw_install.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.vrboard.co.kr/bin/cortvrml.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9/dmcc2.cab
O16 - DPF: {93F79C47-F414-4EEE-95C5-A0F0ACE59A0E} (ALDx Class) - http://www.altools.co.kr/ALDX.cab
O16 - DPF: {97745861-F1A6-45B2-8AD1-0C17334550E6} (YahooCabinet Control) - http://img.yahoo.co.kr/ycabinet/cab/YahooCabinet.cab
O16 - DPF: {9BDBC41E-C335-4263-83C0-ECE78EE28A33} (SysMonOCX Control) - http://ahnlabdownload.nefficient.co.kr/plu...yfirewall20.cab
O16 - DPF: {9DD4E0E8-2CED-4064-BF11-DDB2196CEC40} (SOLWeB4SIB Class) - http://www.solomonbank.com/cab/SOLWeB4SIB.cab
O16 - DPF: {A099920B-630C-426B-91EC-737685CEEE17} (AxCrossCert Class) - http://www.solomonbank.com/cab/AxCrossCert_2.5.0.1.cab
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworld.nate.com/cymusic/package/skcbgmset.cab
O16 - DPF: {B0A75875-3622-48BA-B5FF-45AD77AC2D0E} (BankPayEFTCtrl Control) - http://download.auction.co.kr/activexpay/BankPayEFT.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://cdn.hangame.com/hangame/hansetup/HanSetup1008.cab
O16 - DPF: {D572CD64-9310-4712-8FFC-A4F9DC9D4AC1} (QbicUpdate Control) - http://qbic.hanafos.com/component/QbicUpdate.CAB
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://update.nprotect.net/nprotect/keb/check_new/npkcx.cab
O16 - DPF: {D95F5F60-5BB7-4655-BACE-FC5371EFC3E0} (Npx2 Control) - http://update.nprotect.net/nprotect/keb/check_new/npx2.cab
O16 - DPF: {D96D2F74-0B74-47D2-964F-B67E9F69F1CD} (CongnamulMap4Asp Control) - http://asp.congnamul.com/AspActiveX/CongnamulMap4Asp_V23.cab
O16 - DPF: {D9701E87-A34D-11D4-BE29-000102598CE4} (VrUpdate Control) - http://download.hauri.net/Kor/online_up/vrupdate.cab
O16 - DPF: {DA76E8AE-2E7F-49A8-B5F2-D1C4FF70ECD5} (SamsungMap Control) - http://mapsvc.samsung.co.kr/ActiveX/SamsungMap_V25.cab
O16 - DPF: {DCD7F1D9-8E57-45F8-8C0C-4400CD84C8BF} (Imhtml Control) - http://activexdown.paran.com/paranactivex/data/imhtml.cab
O16 - DPF: {DDE6FED7-88AB-405B-9D77-FD4CDA8B9EB5} (Qbic Control) - http://qbic.hanafos.com/component/Qbic.CAB
O16 - DPF: {E0BF7A2B-2F7C-497A-B50F-292D3F317965} (CongnamulMap Control) - http://www.congnamul.com/ActiveX/Release/C...amulMap_V17.cab
O16 - DPF: {E40DEFEA-9133-4374-BB1B-E138DEFFF247} (SOLWeBLiveUpdate Class) - http://www.solomonbank.com/cab/SOLWeBLiveUpdate.cab
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - https://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
O16 - DPF: {F1F07506-6CB4-44AC-8615-66D1234EFD05} - http://image.shinhan.com/initech/plugin/ve...NISafeWeb50.cab
O20 - Winlogon Notify: asnt3 - C:\WINDOWS\SYSTEM32\AsntDll.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ColdFusion MX 7 Application Server - Macromedia Inc. - C:\CFusionMX7\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX 7 Search Server - Unknown owner - C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe" -cfg "C:\CFusionMX7\verity\k2\common\verity.cfg" -ntstart 1 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thank you so much for your help.

Whisperer

Jul 9 2006, 02:16 PM

Hi pcdome and welcome to the Bleeping Computer forums. My name is Whisperer and I will be helping you with your problem. Although I am experienced with computers, I am currently a Trainee in Malware removal and, as such, ALL of my replies will be vetted by malware experts.

If you have not done so already, please do the initial cleanup steps in the following instructions and then post a new log: Preparation Guide For Use Before Posting a HijackThis Log

I would like you to produce a list of installed programs to assist me in any cleanup.

To do this open your HijackThis
1. Click on Open the Misc Tools section or Config… button, depending on how you are set up.
2. If you used the Config... option then click the Misc Tools tab
3. Select Open Uninstall Manager , a list of your installed programs will be displayed.
4. Select the Save List… button and save the file to your desktop.
Please post a copy of this list and an up-to-date HijackThis log in your next reply

GT

pcdome

Jul 10 2006, 06:37 PM

Hi Whisperer,

Thanks for your help. Just to let you know I did follow all the steps that I was suppossed to do before posting a HJT log. However, I ran into some problems in the virus scans and firewall download process that I posted in my original topic. (Please see the top of the original topic for details of these problems that could not be solved.)

Anyhow, here is the HJT uninstall_list (below this is a current HJT log):

Ad-Aware SE Personal
Adobe Download Manager 2.0(¼³A¡ A|°A¸¸ CØ´c)
Adobe Flash Player 9 ActiveX
Adobe Illustrator CS
Adobe Photoshop CS
Adobe Reader 7.0.7
Adobe SVG Viewer 3.0
AeCOAUμ|(Unified Codec Pack) 8.0.0.5 ≫eA|
Alcohol 120% (Trial Version)
BitComet 0.56
Canon MP Drivers 7.0
Canon ScanGear Starter
CASHFLOW?202 THE E-GAME
CASHFLOW?THE E-GAME
ccCommon
CN°OAO
CN°OAO AUμ¿ AI½ºAc·?
CN¹æ¿¡~ V2.15
Codec 7.8i
Democracy Player 0.8.4.1
Desktop Weather by The Weather Channel
GOM Player
Google Earth
Google SketchUp
Google Toolbar for Internet Explorer
HijackThis 1.99.1
IKEA Home Planner Kitchen
Internet Explorer Q903235
Internet Worm Protection
iPod for Windows 2005-10-12
iTunes
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
Juice 2.2
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Macromedia ColdFusion MX 7
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Fireworks 8
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia Flash Player 8
Macromedia Flash Player 8 Plugin
Macromedia Shockwave Player
Microsoft .NET Framework 2.0
Microsoft Data Access Components KB870669
Microsoft Office Professional Edition 2003
MSN Messenger 7.5
Nero 6 Ultra Edition
Norton AntiVirus 2005
Norton AntiVirus 2005 (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton WMI Update
nProtect KeyCrypt
nProtect Netizen Ver.3(remove only)
NVIDIA Drivers
PDF reDirect (remove only)
PeerGuardian 2.0
PowerISO
QuickTime
Real Alternative 1.46
Realtek AC'97 Audio
REALTEK Gigabit and Fast Ethernet NIC Driver
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896426)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905495)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Serif DrawPlus 4.0
Slim TV Driver
SnoopFree Privacy Shield
SoftCamp Secure KeyStroke 4.0
SPBBC
Spybot - Search & Destroy 1.4
Symantec
Symantec Script Blocking Installer
SymNet
The Rosetta Stone
TV Card
TV Card Driver
TV Driver
TVAnts 1.0
TVUPlayer 1.5.12
Update for Windows XP (KB835409)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
VideoLAN VLC media player 0.8.4a
VobSub v2.23 (Remove Only)
Weather Services
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Hotfix [See Q828026 for more information]
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB826939
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833407
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB871250
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB883939
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889293
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891711
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892944
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Hotfix - KB896688
Windows XP Hotfix - KB896727
Windows XP Hotfix - KB897715
Windows XP Hotfix - KB905915
Windows XP Hotfix - KB911567
Windows XP Hotfix - KB912812
Windows XP Hotfix - KB916281
Windows XP Hotfix - KB918439
WinISO 5.3
WinRAR archiver
XecureWeb Control
Yahoo! Messenger

Here is the current HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:34:08 AM, on 7/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\SIGMA\TV\sigmatv.exe
C:\Program Files\Sigma\common\SMBM.EXE
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\rundll32.exe
C:\CFusionMX7\runtime\bin\jrunsvc.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\CFusionMX7\runtime\bin\jrun.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2server.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2index.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\conime.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ADSpider] C:\Program Files\ADSPider\ADSpider.exe /start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TV_Path] C:\Program Files\SIGMA\TV\sigmatv.exe /t
O4 - HKLM\..\Run: [SMBM] C:\Program Files\Sigma\common\SMBM.EXE /D
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\RunOnce: [NAVNT 2005Seq] C:\DOCUME~1\Robb\LOCALS~1\Temp\LUProdRg.exe /f:C:\DOCUME~1\Robb\LOCALS~1\Temp\2005LU~1.INI /s:SPW_Set_Sequence
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: 799BB2EC-572A-42A9-84AD-112806F4F551 -
O16 - DPF: DCD7F1D9-8E57-45F8-8C0C-4400CD84C8BF -
O16 - DPF: {091CDD73-1401-4643-9B9C-65B091C88685} (MyLinker Control) - http://kherald.contents.mylinker.co.kr/module/MyLinker.cab
O16 - DPF: {18D63578-EA2F-4A59-A49A-7F62E6B3DF3E} (ImP3 Control) - http://activexdown.paran.com/paranactivex/data/ImP3.cab
O16 - DPF: {240F0899-15BB-49AE-B820-62CEB9116C0F} (SkyCom Control) - http://www.skylove.com/connect/skycom.cab
O16 - DPF: {247D3068-ABDA-4A56-A48A-112183AC08B5} (GK_YH_Launcher Control) - http://kr.wbgames.yahoo.com/GK_YH_Launcher.cab
O16 - DPF: {27E4B2A9-D554-40DE-B6CD-F11E9B44FBD0} (SimFileControl Control) - http://simfile.chol.com/down/SimFileControl.cab
O16 - DPF: {286A75C3-11FB-4FB4-AC4A-4DD1B0750050} (INISAFEWeb6 V6 Class) - http://www.hanabank.com/plugin/INIS60.cab
O16 - DPF: {2882C368-D508-11D4-A2AB-000102598CE4} (LProtect Control) - http://www.livecall.co.kr/pds/module/livecall.cab
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
O16 - DPF: {36F46B1E-11B7-4221-B4F7-F1FC9687E7F6} (MBox Control) - http://kr.music.yahoo.com/m_box/component/mbox.cab
O16 - DPF: {3E59D482-6ABF-4560-A0C7-F90ACC0DC6BC} (MOHAAStarterX Control) - http://www.mohonline.co.kr/up/cab/MOHAAStarterX.cab
O16 - DPF: {4A55BA7E-0379-4DB5-BDEF-70454A548AB2} (AgentReal Control) - http://kr.baduk.yahoo.com/cab/YahooBaduk.cab
O16 - DPF: {4B48CEDD-EB09-4FD3-AA22-5BDE98EDEF90} (EZXSActiveX Control) - http://www.buykorea.org/buykorea/front/ezx...ezxsactivex.cab
O16 - DPF: {4BF107D8-CFB8-4BC8-B54D-375CA564A33B} (EAJamDn Control) - http://www.mohonline.co.kr/up/cab/EADownloader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {52A5D8F2-7C23-42AB-B6BF-5E7840CB1F27} (BxPopHandler Control) - http://www.netian.com/lib/BxPopHandler.cab
O16 - DPF: {5CBED04F-42E6-4BEC-A087-C20012B6308B} (SCLiveUp Class) - http://www.metlife.co.kr/cs/scCab/scLiveUp.cab
O16 - DPF: {6359EFB8-A988-4572-976B-3BA42C3A6177} (PMViewerX Control) - http://www.wholsee.com/Web/Scripts/Common/Map/PMapX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1106110171734
O16 - DPF: {6FE760D3-7851-4879-8838-62D9881D7177} (IniMasHandler Class) - http://emailimg.sktelecom.com/inimas/autoc...niMasPlugin.cab
O16 - DPF: {70EE0AA4-5A3A-4052-8FFA-2EEDA43F7942} (Innotive Cibrowser Control 1.1) - http://www.myipq.com/hosting/cibrowser/cib...r_1_1_1_119.cab
O16 - DPF: {799BB2EC-572A-42A9-84AD-112806F4F551} (Imweb Control) - http://activexdown.paran.com/paranactivex/data/imweb.cab
O16 - DPF: {79C871A6-F9C8-44DA-B2C9-CD9438D9642C} (EZXSInstaller Control) - http://www.buykorea.org/buykorea/front/ezx...xsinstaller.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://download.softforum.co.kr/Published/.../xw_install.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.vrboard.co.kr/bin/cortvrml.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9/dmcc2.cab
O16 - DPF: {93F79C47-F414-4EEE-95C5-A0F0ACE59A0E} (ALDx Class) - http://www.altools.co.kr/ALDX.cab
O16 - DPF: {97745861-F1A6-45B2-8AD1-0C17334550E6} (YahooCabinet Control) - http://img.yahoo.co.kr/ycabinet/cab/YahooCabinet.cab
O16 - DPF: {9BDBC41E-C335-4263-83C0-ECE78EE28A33} (SysMonOCX Control) - http://ahnlabdownload.nefficient.co.kr/plu...yfirewall20.cab
O16 - DPF: {9DD4E0E8-2CED-4064-BF11-DDB2196CEC40} (SOLWeB4SIB Class) - http://www.solomonbank.com/cab/SOLWeB4SIB.cab
O16 - DPF: {A099920B-630C-426B-91EC-737685CEEE17} (AxCrossCert Class) - http://www.solomonbank.com/cab/AxCrossCert_2.5.0.1.cab
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworld.nate.com/cymusic/package/skcbgmset.cab
O16 - DPF: {B0A75875-3622-48BA-B5FF-45AD77AC2D0E} (BankPayEFTCtrl Control) - http://download.auction.co.kr/activexpay/BankPayEFT.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://cdn.hangame.com/hangame/hansetup/HanSetup1008.cab
O16 - DPF: {D572CD64-9310-4712-8FFC-A4F9DC9D4AC1} (QbicUpdate Control) - http://qbic.hanafos.com/component/QbicUpdate.CAB
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://update.nprotect.net/nprotect/keb/check_new/npkcx.cab
O16 - DPF: {D95F5F60-5BB7-4655-BACE-FC5371EFC3E0} (Npx2 Control) - http://update.nprotect.net/nprotect/keb/check_new/npx2.cab
O16 - DPF: {D96D2F74-0B74-47D2-964F-B67E9F69F1CD} (CongnamulMap4Asp Control) - http://asp.congnamul.com/AspActiveX/CongnamulMap4Asp_V23.cab
O16 - DPF: {D9701E87-A34D-11D4-BE29-000102598CE4} (VrUpdate Control) - http://download.hauri.net/Kor/online_up/vrupdate.cab
O16 - DPF: {DA76E8AE-2E7F-49A8-B5F2-D1C4FF70ECD5} (SamsungMap Control) - http://mapsvc.samsung.co.kr/ActiveX/SamsungMap_V25.cab
O16 - DPF: {DCD7F1D9-8E57-45F8-8C0C-4400CD84C8BF} (Imhtml Control) - http://activexdown.paran.com/paranactivex/data/imhtml.cab
O16 - DPF: {DDE6FED7-88AB-405B-9D77-FD4CDA8B9EB5} (Qbic Control) - http://qbic.hanafos.com/component/Qbic.CAB
O16 - DPF: {E0BF7A2B-2F7C-497A-B50F-292D3F317965} (CongnamulMap Control) - http://www.congnamul.com/ActiveX/Release/C...amulMap_V17.cab
O16 - DPF: {E40DEFEA-9133-4374-BB1B-E138DEFFF247} (SOLWeBLiveUpdate Class) - http://www.solomonbank.com/cab/SOLWeBLiveUpdate.cab
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - https://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
O16 - DPF: {F1F07506-6CB4-44AC-8615-66D1234EFD05} - http://image.shinhan.com/initech/plugin/ve...NISafeWeb50.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: asnt3 - C:\WINDOWS\SYSTEM32\AsntDll.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ColdFusion MX 7 Application Server - Macromedia Inc. - C:\CFusionMX7\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX 7 Search Server - Unknown owner - C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe" -cfg "C:\CFusionMX7\verity\k2\common\verity.cfg" -ntstart 1 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thanks again!

pcdome

Whisperer

Jul 11 2006, 05:06 AM

Back again,

I want to classify the conime.exe entry first.
1. Please navigate to the C:\WINDOWS\System32\ directory
2. Locate the conime.exe file.
3. Right-click the file and select Properties
4. Click the Version tab and make a note of the
  - File Version
  - Description
  - Copyright
5. Finally please make a note of the information in Other version information
6. Because it could either be Microsoft's 'console ime' or BFGhost, please upload conime.exe to the following agencies for detailed analysis.
7. First I would like you to upload the file to the Jotti web site.
  - Click on the Browse button and navigate to the C:\WINDOWS\System32\ directory
  - Locate the conime.exe file and click to select
  - Click the Submit button
  - You may have to try more than once if the service load is close to 100% but you will get an online answer
  - Please copy the response and post in your next reply
8. Now repeat the upload to the VirusTotal site.
  - Click the Browse button, navigate to the conime.exe and click to select.
  - Click the Send icon
  - This time you will receive an email response
  - Please copy the contents and place in your next reply
Please forward the information about the file and any other amplifying comments

GT

pcdome

Jul 12 2006, 07:46 AM

Hey Whisperer,

Alright as I said before I don't really know much about things going on in my computer, but the virus scan's look okay.

I'll post all info below, maybe I jumped the gun but all the info I found on conime.exe was that it was a BF Ghost from some Korean software, and I figued I live in Korea & my wife is Korean so I could maybe have easily stumbled across it. Anyhow, from running the previous scans & my HJT log, I think I still have some problems going on, so I look forward to your help.

Property info on Conime.exe:

File Version: 5.1.2600.1106

Description: Console IME

Copyright: Microsoft Corp.

Other Version Information:

Company: Microsoft

File Version: 5.1.2600.1106 (xpsp1.020828-1920)

Internal Name: Console

Language: English (U.S.)

Original File Name: Conime.exe

Product Name: Microsoft Windows Operating System

Product Version: 5.1.2600.1106

Jotti.org Scan Results:

Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1

File to upload & scan:
Service
Service load: 0% 100%

File: conime.exe
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 4ccf9182fe0be9cc2992f8a9e361cc49
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing

VirusTotal Scan Results:

Antivirus Version Update Result
AntiVir 6.35.0.21 07.12.2006 no virus found
Authentium 4.93.8 07.11.2006 no virus found
Avast 4.7.844.0 07.12.2006 no virus found
AVG 386 07.12.2006 no virus found
BitDefender 7.2 07.12.2006 no virus found
CAT-QuickHeal 8.00 07.12.2006 no virus found
ClamAV devel-20060426 07.11.2006 no virus found
DrWeb 4.33 07.12.2006 no virus found
eTrust-InoculateIT 23.72.66 07.11.2006 no virus found
eTrust-Vet 12.6.2295 07.12.2006 no virus found
Ewido 4.0 07.12.2006 no virus found
Fortinet 2.77.0.0 07.12.2006 no virus found
F-Prot 3.16f 07.11.2006 no virus found
F-Prot4 4.2.1.29 07.11.2006 no virus found
Ikarus 0.2.65.0 07.11.2006 no virus found
Kaspersky 4.0.2.24 07.12.2006 no virus found
McAfee 4804 07.11.2006 no virus found
Microsoft 1.1481 07.10.2006 no virus found
NOD32v2 1.1655 07.12.2006 no virus found
Norman 5.90.23 07.12.2006 no virus found
Panda 9.0.0.4 07.12.2006 no virus found
Sophos 4.07.0 07.12.2006 no virus found
Symantec 8.0 07.12.2006 no virus found
TheHacker 5.9.8.173 07.11.2006 no virus found
UNA 1.83 07.11.2006 no virus found
VBA32 3.11.0 07.11.2006 no virus found
VirusBuster 4.3.7:9 07.11.2006 no virus found

Thank you again. I'm really hoping there is nothing majorly bad in here.

PcDome

Whisperer

Jul 12 2006, 03:56 PM

Hi pcdome,

Thanks for the file information, I am pleased to say that your version of conime is indeed the Microsoft Console IME so we can move on to the rest of the log, and there is not much wrong with that, one undesirable program, a couple of resource hogs and an out-of-date Java installation.

Your Java installation is out of date as the current release is Update 7.
- Please go to this link to update your Java.
Next we will remove a couple of old Java installations – not 7!
Click Start and open Control Panel
- Select Add or Remove programs
- Locate each of the following programs in turn, select and then click Remove
  
  J2SE Runtime Environment 5.0 Update 4
  J2SE Runtime Environment 5.0 Update 6
  
  P2P programs are notorious for the malware that can be placed on a computer, mainly in the form of unwanted adverts but occasionally worse. Some of them come complete with Malware on installation but I am pleased to report that your P2P program – BitComet – is a clean one. You are still vulnerable to Malware from the programs that you download with it. If you can live without it then remove this program.
  BitComet 0.56
Now cleaning the HijackThis log
With all other windows closed, start your HijackThis and click on Scan
1. Click in the check-box to the left of each of the following entries, if found
  - O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
2. Select Fix Checked
That should be it so please post
- Comments on how the computer is behaving now

GT

pcdome

Jul 13 2006, 10:03 AM

Alright Whisperer,

I've done everything you said, except get rid of BitComet. (It's something I can't live without, sorry.)

Now, I don't have a report yet on how things are running yet, b/c I've just completed what you told me to do. I do have one item that I found when I came home tonight, and it's a problem I've seen before but I thought it was finally cleaned out when I completed the initial 5 steps before posting my HJT log, b/c I haven't seen this warning since then. Here's the warning:

Norton Anti Virus
High Risk
Norton AntiVirus has detected a virus on your computer.
Object Name: C:\Documents and ...\msc32.exe (Personal Note: The "..." is appears in the warning and I can't find out what the directory actually is.)
Virus Name: W32.HCCW.Gaobot.gen (Personal Note: Sorry I'm very tired and when I hand wrote the warning it was very messy, I didn't realize it at the time, so that could be W32.HLLW.Gaobot.gen or W32.HLCW.Gaobot.gen or W32.HCLW.Gaobot.gen)
Action taken: Unable to repair this file

I then click OK and the same message comes up 3 or 4 more times, and then the last one says in the "Action taken" field: "Access to file was denied."

Please update me if this is something I should be worried about, and if so how can I fix it. Thanks.

When I fixed the HJT problems, I folder was created called backups. I didn't instruct the program to do this it did it automatically. Should I keep or delete this folder? Otherwise all seems good. Here is my most recent HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:50:59 PM, on 7/13/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\SIGMA\TV\sigmatv.exe
C:\Program Files\Sigma\common\SMBM.EXE
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\CFusionMX7\runtime\bin\jrunsvc.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
C:\CFusionMX7\runtime\bin\jrun.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2server.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2index.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TV_Path] C:\Program Files\SIGMA\TV\sigmatv.exe /t
O4 - HKLM\..\Run: [SMBM] C:\Program Files\Sigma\common\SMBM.EXE /D
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ColdFusion MX 7 Application Server - Macromedia Inc. - C:\CFusionMX7\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX 7 Search Server - Unknown owner - C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe" -cfg "C:\CFusionMX7\verity\k2\common\verity.cfg" -ntstart 1 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thanks again your the best!!!

pcdome

Whisperer

Jul 15 2006, 06:53 AM

Hi pcdome,

Norton could be pulling that file from one of the backup files but you did have some peculiar early symptoms that you spelt out, so we will continue on the side of caution. I would like you to download and use a different cleaner and a scanner

Your current log is clean (excepting the P2P lol), but it is possible that something is hiding from HijackThis. To check this I would like you confirm your configuration settings.
- Please click Start and select Run.
- In the run box, type in MsConfig and from the dialogue box, select the General tab
- Select the top radio button labelled Normal Startup – load all device drivers and services
- If this was not already selected, please post a new HijackThis log and then carry on with the remaining cleaning.
Download CCleaner
1. Select the Download Latest Version link (top of green column) and save to your desktop
2. Right-click the ccsetup127.exe file on your desktop and select Open
3. Follow the on-screen instructions through to the Install Options page. I suggest you only retain the following 2 options
  - Add Desktop Shortcut
  - Automatically check for updates etc…
4. Click Install
  To setup CCleaner
5. Click on the CCleaner icon on your desktop.
6. From the menu on the left select Options
7. Now select Advanced. On the right remove the check against Only delete files in Windows Temp folders older than 48 hours.
8. Select Cookies. When CCleaner is run it will remove all of the cookies in the left window; if there are cookies that you wish to retain then select them and transfer them to the right window. Multiple selections can be made by holding down the Ctrl key before selecting.
9. Select Cleaner from the left menu and the Windows tab
  - Under Internet Explorer place ticks in all but the last box
  - Under Windows Explorer tick the last two only
  - Under System tick all boxes
  - There is no need to tick anything under Advanced
10. From the menu on the left click on Analyze
11. When the analysis is complete, click on Run Cleaner and OK at the next screen.
12. Close CCleaner
Download the Ewido security suite here the suite is fully functional on a trial basis
1. Deselect the Run Ewido now option and close the installer
2. Launch ewido, there should be an orange Turks head icon on your desktop or in the Systray, double-click it.
3. Click the Update now button.
4. When the update has completed click on theScanner icon at the top menu
  - Click on Settings tab
  - Confirm that all check boxes are ticked on the left
  - Under Reports , select the first option to Automatically generate report after every scan and remove the check against Only if threats were found
  - Scan every file is selected
5. Exit Ewido for now.
I suggest that you print out the following instructions or highlight the remainder and save to a WordPad file on your desktop as you will no longer have an internet connection until we have finished this phase of the clean up
Physically disconnect your computer from the internet by unplugging the lead.
Reboot the computer into safe mode using a clean boot sequence
1. Select the Start button and Turn Off Computer
2. Select the Turn Off option, when the computer has shut down switch off the power supply.
3. After 10 seconds, restore the power supply and switch on the computer
  - Some computers have a progress bar that refers to the word BIOS. Others may not let you know what is happening.
  - As soon as the BIOS loads, or a single Beep is heard then begin tapping the F8 key on your keyboard. Do so until the Windows Advanced Options menu appears.
  - If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. If this happens, restart the computer and try again.
  - Using the arrow keys on the keyboard, select Safe mode and then press Enter.
4. When in Safe mode you will have your desktop with the word ‘Safe’ in the 4 corners.
To reduce the chance of AntiSpyware interfering with the fixes, please stop all antispyware on your computer. If you right-click on the appropriate icon(s) in the systems tray you will find an option to ‘exit’. When you reboot, this will all return to normal.
I would now like you to run the Ewido program
1. Close all open windows/programs/folders. Have nothing else open while ewido performs its scan!
2. Open the programme by clicking on the orange Turks head
  - Click on the Scanner icon at the top
  - Select the Scan tab and then the Complete system scan option.
  - Let the program scan the machine, the progress is shown and could take a little time.
3. When the scan has finished:
  - Ensure that Set all elements to: is set to Quarantine if not click on the link and choose Quarantine from the popup menu.
  - At the bottom of the window click on the Apply all Actions button.
4. When done, click the Save Scan Report button.
  - Click theSave Report as button.
  - Save the report to your Desktop.
5. Right-click the Ewido Tray Icon and select Exit . Confirm by clicking Yes .
Reboot back to Normal
Please post
- Updated comments on the computers behaviour

GT

pcdome

Jul 17 2006, 06:48 AM

Hi Whisperer,

Okay I'm posting a new HJT log, b/c the radio button labelled Normal Startup was not selected, instead the Selective Startup button was. This HJT log was created before downloading CCcleaner as your posting suggessted. After posting this log I will download CCcleaner.

I hope this helps.

Thanks,

pcDome

Logfile of HijackThis v1.99.1
Scan saved at 8:44:42 PM, on 7/17/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\SIGMA\TV\sigmatv.exe
C:\Program Files\Sigma\common\SMBM.EXE
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\CFusionMX7\runtime\bin\jrunsvc.exe
C:\Program Files\BitComet\BitComet.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
C:\CFusionMX7\runtime\bin\jrun.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2server.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2index.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\WINDOWS\System32\conime.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TV_Path] C:\Program Files\SIGMA\TV\sigmatv.exe /t
O4 - HKLM\..\Run: [SMBM] C:\Program Files\Sigma\common\SMBM.EXE /D
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://id.hangame.com/common/HanSetup1008.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ColdFusion MX 7 Application Server - Macromedia Inc. - C:\CFusionMX7\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX 7 Search Server - Unknown owner - C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe" -cfg "C:\CFusionMX7\verity\k2\common\verity.cfg" -ntstart 1 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Whisperer

Jul 17 2006, 07:54 AM

Thanks for the log, looking a it now. Looking forward to the ewido log etc.

GT

pcdome

Jul 17 2006, 09:11 AM

Hi Whisperer,

It looks like I just missed you.

Okay first is the Ewido log, then the new HJT log, and finally comments on my computer's performance.

Ewido log:

ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:49:51 PM 7/17/2006

+ Scan result:

C:\Documents and Settings\Robb\Local Settings\Application Data\Microsoft\Internet Explorer\V0.26.dat -> Trojan.Dialer.fy : Cleaned with backup (quarantined).

::Report end

Latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:00:36 PM, on 7/17/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\SIGMA\TV\sigmatv.exe
C:\Program Files\Sigma\common\SMBM.EXE
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\CFusionMX7\runtime\bin\jrunsvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
C:\CFusionMX7\runtime\bin\jrun.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Juice\Juice.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2server.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2index.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TV_Path] C:\Program Files\SIGMA\TV\sigmatv.exe /t
O4 - HKLM\..\Run: [SMBM] C:\Program Files\Sigma\common\SMBM.EXE /D
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - Startup: Juice.lnk = C:\Program Files\Juice\Juice.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://id.hangame.com/common/HanSetup1008.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ColdFusion MX 7 Application Server - Macromedia Inc. - C:\CFusionMX7\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX 7 Search Server - Unknown owner - C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe" -cfg "C:\CFusionMX7\verity\k2\common\verity.cfg" -ntstart 1 (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Comments:

Okay since changing the MSConfig Startup (I'm not sure if that's what it was called, I didn't print that part of the post.) Anyhow, the part that I changed to Normal Startup, many programs that I no longer had launching at startup, are now launching at startup. Which in turn, has slowed my computer waaaayyyy down, of course. So any help on this would also be great.

Have a good day, I'm going to bed!

pcDome

Whisperer

Jul 18 2006, 11:41 AM

Hi pcdome

Ewido proved its worth again by finding that one! In this session I want to glean some more information, try and clear up a couple of loose ends and then go through 3 of your 4 points you made earlier as we have resolved conime.

I now need you to ensure that any hidden and system files are visible to the system.
1. Select the Start button and from the available options
2. Right-click the My Computer option.
3. Select Explore from the drop-down menu
4. Select the Tools menu and click Folder Options. from the new window
5. Select the View Tab.
6. Under the Hidden files and folders heading select Show hidden files and folders by clicking in the check-box to its left
7. Remove the check against Hide protected operating system files (recommended) option, again by clicking the check-box to its left.
8. Click Yes to confirm.
9. Click OK.
10. Windows does not search for hidden or system files by default so
  - Click the Start button and select Search choosing For Files or Folders
  - From the dialogue box select All files and folders and at the bottom select More Advanced Options
  - Place selection ticks in the check-boxes for
    - Search system folders
    - Search hidden files and folders
    - Search subfolders
11. Close the search dialogue box
I would like to continue this session with a question. Stinger found an infected file called CDmage in the h0ya directory, what can you tell me about this directory, what it is, number of files and whether it is required for further use by you. The full path was C:\Documents and Settings\Robb\MyDocuments\h0ya . Please post the information when you are able. My expert advisor believes that this could be a false positive that Stinger has found but recommends a removal trial just in case.
- Please download and run this tool to remove the W32/Pate virus
- If you wish to run Stinger again then feel free to do so. I learned that the .dam extension on the file meant that it was damaged and therefore as a virus - dormant
Next the question of a decent firewall. I assume that in the absence of a successful ZoneAlarm installation that you reverted to or retained the Microsoft firewall – half a firewall is better than none. I would like you to try again to install a better firewall.
- It would appear that version 6.5 of ZoneAlarm is a bit buggy therefore we will try 6.1 and, if successful, then refuse any update offers to 6.5 for a while
- Please download ZoneAlarm 6.1 from this link , and save it to your desktop.
- Disconnect physically from the internet whilst we effect the changeover
- Shut down the windows firewall
- Now install the 6.1 version that you downloaded, let me know if you continue to have problems
Your Java installation is out of date as the current release is Update 7.
- Please go to this link to update your Java.
- Click Start and open the Control Panel . Select Add or Remove programs
- From the populated list select the following programs and then Remove
  - J2SE Runtime Environment 5.0 Update 4
  - J2SE Runtime Environment 5.0 Update 6
I can find very little information about the TSPY_CLICKER that was reported by Trend Micro, but all antivirus solutions have different names for different virii – very confusing. Ewido did find a dialler and successfully quarantined it so…
- Open ewido and select the Infections icon
- Click the Select All button and then the Remove finally button
- Now please run the online scanner at Trend Micro again to see whether the file has now gone. If it is still there then take as much detail as you can about its whereabouts on your computer and we will try a different tack.

GT

pcdome

Jul 18 2006, 06:02 PM

Hi Whisperer,

I don't have the time right now to do everything you asked, because I have to get ready to go to work.

But, I wanted to post a comment real quick to your reply, because I think it is strange. You asked me before to install the new java 7 and remove the old java programs, which I did. But now your posting is saying that I still have the out of date java programs, and not the new ones.

Any thoughts on why this happened?

Thanks,

pcDome

pcdome

Jul 18 2006, 08:32 PM

Hello again,

My a.m. classes have been cancelled.

So, now I can finish going through your posting.

I have set the computer to look for all hidden files and folders, etc.

I looked into the CDmage file in h0ya directory. I see no reason why this can't be removed it was something that my "computer expert" friend put on my computer when I first bought this. I never use this program, so I can get rid of it. Please instruct me how to do so.

I tried to run your tool for removing the W32/Pate virus, however, your link did not work.

I installed ZoneAlarm 6.1, no problem. I just would like to know about setting it up in the future. I'm currently using a single pc and have set ZoneAlarm to "Keep in Internet Zone". In October, I will be getting married and at that point I will be setting up a network with my wife's computer & possibly one more we might get as a gift. Wahoo! 3 computers!!!

Anyhow, could you please tell me how I can change ZoneAlarm to operate on the network after I establish one. Thanks.

Regarding Java 7, when I went to the site I accidentally clicked the verify installation link, and it told me that I already have Java 7. I then proceeded to remove the old Java software, and could not find it in the Add/Remove Programs option. So, if it's being reported then I guess this is still a problem that needs to be resolved. Sorry.

Lastly, after removing finally the infection from ewido, I returned to the Trend Micro scanner. While Trend Micro was about 20 minutes into the scan my computer shut down/crashed on it's own and restarted. I don't know if this was because of a conflict or not from Trend Micro, or what happened exactly. I am currently running Trend Micro again. I am posting this reply before Trend Micro finishes just in case the pc crashes again. I will post the results after Trend Micro finishes.

Thanks again.

pcDome

pcdome

Jul 18 2006, 09:24 PM

Good news!

Trend Micro did not find the Tspy_clicker anymore. My computer also did not crash the second time Trend Micro was run.

Look forward to your post.

pcDome

Whisperer

Jul 19 2006, 03:13 AM

Forget the Java, I was working two different logs, my error! Sorreeee!

With regards ZA, just install individual copies on each machine on the network, if you have a hardware firewall built into your router you should retain software firewalls as well.

If you wish to add to your knowledge of firewalls then try here

Catch you later

GT

P.S. You could also try another Stinger run to see if it still finds that same damaged pate virus in the h0ya file or whether it was another example of a different name!

pcdome

Jul 19 2006, 07:30 AM

Hi Whisperer,

Thanks for the firewall info.

Here is the latest from Stinger. The W32/Pate virus is still there.

McAfee AVERT Stinger Version 2.6.0. built on Apr 5 2006

Copyright © 2005 Networks Associates Technology, Inc. All Rights Reserved.

Virus data file v1000 created on Feb 2 2006.

Ready to scan for 55 viruses, trojans and variants.

Scan initiated on Wed Jul 19 19:49:12 2006

C:\Documents and Settings\Robb\My Documents\h0ya\CDmage.exe

Found the W32/Pate.dam virus !!!

C:\Documents and Settings\Robb\My Documents\h0ya\CDmage.exe could not be repaired.

Number of clean files: 198576

Number of infected files: 1

Have a good day!

pcDome

Whisperer

Jul 20 2006, 02:46 AM

Back again,

You are looking good so we will do a bit more of a clean-up, remove 2 known resource hogs (optional) and then you can restore your msconfig as you wish.

Please navigate to the C:\Documents and Settings\Robb\My Documents\h0ya directory
- If there is an Uninstall option there for CDmage then click to run.
- As CDmage does not appear in your uninstall list then I doubt that the first option will work
- In either case go up to the My Documents directory and delete the h0ya directory and all of its contents
- That should take care of the W32/Pate.dam infection at the same time
With all other windows closed, start your HijackThis and click on Scan
1. Click in the check-box to the left of each of the following entries, if found
  - O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
2. Select Fix Checked
Please feel free to restore your MSConfig back to the state that you had before, removing any programs that you do not wish to run automatically.
I would suggest another CCleaner run followed by a Defragmentation of your computer. If you have not done one recently then it could take a fair time, hours as opposed to minutes!
Before I give some final general advice aimed at the clean computer, please post me a new HijackThis log and make any comments that you feel appropriate concerning your computers performance now

GT

pcdome

Jul 24 2006, 07:08 PM

Hi Whisperer,

Sorry for the long delay in replying, I had a busy weekend. (Actually, I had to defrag my own head after the weekend I had.

)

Anyhow, I've done everything you said. The W32/Pate virus is gone, Hooray!!!

I also ran CCleaner again, and defraged my computer, and that all looks good.

However, I tried to reset my MSCONFIG back to what it was, I assumed that I would just have to click the radio button that was originally highlighted. (and I remember my 8th grade teacher saying "Never assume b/c it makes an "ass" out of 'u' and me," and of course it did out of me but not you.) However, changing MSCONFIG back to the original radio button didn't work, when I restarted it my pc still launches a bunch of programs that my friend had previously setup to only launch when I choose not at startup. Could you please help me fix this, b/c it slows my computer way down at startup. Thank you.

Below is my latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:05:18 AM, on 7/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\SIGMA\TV\sigmatv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Sigma\common\SMBM.EXE
C:\CFusionMX7\runtime\bin\jrunsvc.exe
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
C:\CFusionMX7\runtime\bin\jrun.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2server.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2index.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TV_Path] C:\Program Files\SIGMA\TV\sigmatv.exe /t
O4 - HKLM\..\Run: [SMBM] C:\Program Files\Sigma\common\SMBM.EXE /D
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - Startup: Juice.lnk = C:\Program Files\Juice\Juice.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) -
O16 - DPF: {0AE0F5F9-8233-49A4-A3C8-004CE190787B} (BMSpeedCheck Control) -
O16 - DPF: {9BF607E0-4CC1-4099-9A07-362C9E4FB090} (WStarter Control) -
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://id.hangame.com/common/HanSetup1008.cab
O16 - DPF: {E0BF7A2B-2F7C-497A-B50F-292D3F317965} (CongnamulMap Control) - http://www.congnamul.com/ActiveX/Release/C...amulMap_V17.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ColdFusion MX 7 Application Server - Macromedia Inc. - C:\CFusionMX7\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX 7 Search Server - Unknown owner - C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe" -cfg "C:\CFusionMX7\verity\k2\common\verity.cfg" -ntstart 1 (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks so much for all of your help.

Looking forward to your final answer.

Best regards,

pcDome

Whisperer

Jul 28 2006, 03:52 AM

Hi pcdome,

You have a couple of not so nice O16's that need removing so

With all other windows closed, start your HijackThis and click on Scan

Click in the check-box to the left of each of the following entries, if found
- O16 - DPF: {9BF607E0-4CC1-4099-9A07-362C9E4FB090} (WStarter Control) -
Select Fix Checked

Once you have done this you will have a clean log

Clean Log

Well done, your log is clean. Just a tidy up required.

First we make sure that any files in a System Restore point can not reinfect your computer by removing all old system restore points.
1. Select the Start button and from the available options
2. Right-click the My Computer option and select Properties.
3. Click on the System Restore tab.
4. Check the box against Turn off System Restore on all drives. Click OK
5. Click Yes to confirm, then restart the computer
6. After the restart, re-enable System Restore by following steps a-c, but in step c, click to clear the Turn off System Restore on all drives. check box.
Restore your Hidden & System files to their normal state by
1. Select the Start button and from the available options
2. Right-click the My Computer option.
3. Select Explore from the drop-down menu
4. Select the Tools menu and click Folder Options. from the new window
5. Select the View Tab.
6. Under the Hidden files and folders heading remove the tick from Show hidden files and folders by clicking in the check-box to its left
7. Replace the check against Hide protected operating system files (recommended) option, again by clicking the check-box to its left.
8. Click Yes to confirm.
9. Click OK.
Finally, HijackThis makes backups of all corrections made in a sub-folder of your HJT folder called Backups. Please navigate to this Backups folder and delete the contents

Preventative measures

Retain both Spybot and AdAware and run them at regular intervals after updating them. Do the same with CCleaner.
In addition I would suggest that you install the following 3 free programs, keep these updated as they are background tools
1. SpywareBlaster - Excellent prevention tool to keep Malware from installing on your system.
2. SpywareGuard provides a shield against infection
3. IE-SpyAd puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. A tutorial is available here
Windows Updates – Please bring your Windows and Internet Explorer up-to-date with Service Pack 2. It is very important to ensure that Internet Explorer and Windows are kept up to date with the latest critical security patches from Microsoft. Click on the Start button and select Windows Update, follow the online instructions from there.
On a similar vein do ensure that all of your Anti-Virus and Anti-Malware software are also kept up to date.
To find out more information about how you got infected in the first place and some excellent guide lines to follow to prevent future infections you can read this one by Lawrence Abrams

The only advice that I could give you in restoring your computer configuration is the difference between your first HijackThis log and the current one. If you select the following in HijackThis you will be somewhere close to your start position – without the malware!

With all other windows closed, start your HijackThis and click on Scan

Click in the check-box to the left of each of the following entries, if found
- O16 - DPF: {0AE0F5F9-8233-49A4-A3C8-004CE190787B} (BMSpeedCheck Control) -
Select Fix Checked

Best wishes and safe surfing

GT

pcdome

Jul 29 2006, 11:12 PM

Hi Whisperer,

Thanks again for all of your help. Everything seems ok now. I'm crossing my fingers. I only have one more issue and it's related to SpywareGuard. When I try to run SG it goes to a configuring box, during the configure process another window pops up that reads as below:

SpywareRemover

The feature you are trying to use is on a network resource that is unavailable.

Click Ok to try again or enter an alternate path to a folder containing the installation package "SpywareRemover.msi" in the box below.

Use source:

D:\Spyware.Adware.Remover,v7.0&keygen\

When I click "Ok", it gives this response in another window:

The path 'D:\Spyware.Adware.Remover.v7.0&keygen\SpywareRemover.msi' cannot be found. Verify that you have access to the location and try again, or try to find the installation package 'SpywareRemover.msi' in a folder from which you can install the product SpywareRemover.

OK

I don't know what this product is, so I can't find it when use the "Browse..." option. If I click "Cancel" SG tries to configure 3 times, each time coming back to the same point.

Please let me know what I should do.

Thank you.

pcDome

Whisperer

Jul 30 2006, 03:01 AM

Hi Pcdome,

On the face of it, it might be another nasty, so please show the hidden files again and do another look for SpywareRemover.msi. The program SpywareRemover is a rogue but how it got to your computer is unknown. Please do not attempt any self-fixes until my tutor gives you the OK through me.

I would like you to produce an updated list of your installed programs to see if it has crept in there.

To do this open your HijackThis
1. Click on Open the Misc Tools section or Config… button, depending on how you are set up.
2. If you used the Config... option then click the Misc Tools tab
3. Select Open Uninstall Manager , a list of your installed programs will be displayed.
4. Select the Save List… button and save the file to your desktop.
Next I would like you to rename your HijackThis.exe file to HJT.exe and then run a scan using HJT.exe.
Please post a copy of the updated list and an up-to-date HJT log in your next reply

GT

pcdome

Aug 1 2006, 09:09 AM

Hi Whisperer,

Here are the logs you requested. I think I changed the Hijackthis.exe to HJT.exe but I'm not 100% on that.

Uninstall list:

³￢¼¶²￥°O
Ad-Aware SE Personal
Adobe Download Manager 2.0(¼³A¡ A|°A¸¸ CØ´c)
Adobe Flash Player 9 ActiveX
Adobe Illustrator CS
Adobe Photoshop CS
Adobe Reader 7.0.8
Adobe SVG Viewer 3.0
AeCOAUμ|(Unified Codec Pack) 8.0.0.5 ≫eA|
afreeca A|°A
Alcohol 120% (Trial Version)
BitComet 0.56
Canon MP Drivers 7.0
Canon ScanGear Starter
CASHFLOW?202 THE E-GAME
CASHFLOW?THE E-GAME
ccCommon
CCleaner (remove only)
CN°OAO
CN°OAO AUμ¿ AI½ºAc·?
CN¹æ¿¡~ V2.15
Codec 7.8i
Democracy Player 0.8.4.1
Desktop Weather by The Weather Channel
ewido anti-spyware 4.0
GOM Player
Google Earth
Google SketchUp
Google Toolbar for Internet Explorer
HijackThis 1.99.1
IKEA Home Planner Kitchen
Internet Explorer Q903235
Internet Worm Protection
iPod for Windows 2005-10-12
iTunes
J2SE Runtime Environment 5.0 Update 7
Juice 2.2
K-Defense8 Control - A°º¸μa º¸¾E
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Macromedia ColdFusion MX 7
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Fireworks 8
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia Flash Player 8
Macromedia Flash Player 8 Plugin
Macromedia Shockwave Player
Microsoft .NET Framework 2.0
Microsoft Data Access Components KB870669
Microsoft Office Professional Edition 2003
MSN Messenger 7.5
myLinker
Nero 6 Ultra Edition
Norton AntiVirus 2005
Norton AntiVirus 2005 (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton WMI Update
nProtect KeyCrypt
nProtect Netizen Ver.3(remove only)
NVIDIA Drivers
PDF reDirect (remove only)
PeerGuardian 2.0
PowerISO
PPLive 1.2.35
PPStream
QuickTime
Real Alternative 1.46
Realtek AC'97 Audio
REALTEK Gigabit and Fast Ethernet NIC Driver
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896426)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905495)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Serif DrawPlus 4.0
Slim TV Driver
SnoopFree Privacy Shield
SoftCamp Secure KeyStroke 4.0
SopCast 0.9.8
SPBBC
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
SpywareGuard v2.2
Symantec
Symantec Script Blocking Installer
SymNet
The Rosetta Stone
ToToBrowser verion 2
TV Card
TV Card Driver
TV Driver
TVAnts 1.0
TVUPlayer 1.5.12
Update for Windows XP (KB835409)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
VideoLAN VLC media player 0.8.4a
VobSub v2.23 (Remove Only)
Weather Services
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Hotfix [See Q828026 for more information]
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB826939
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833407
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB871250
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB883939
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889293
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891711
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892944
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Hotfix - KB896688
Windows XP Hotfix - KB896727
Windows XP Hotfix - KB897715
Windows XP Hotfix - KB905915
Windows XP Hotfix - KB911567
Windows XP Hotfix - KB912812
Windows XP Hotfix - KB916281
Windows XP Hotfix - KB918439
WinISO 5.3
WinRAR archiver
XecureWeb Control
Yahoo! Messenger
ZeusWEB
ZoneAlarm Pro

HJT.exe log:

Logfile of HijackThis v1.99.1
Scan saved at 11:05:51 PM, on 8/1/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\CFusionMX7\runtime\bin\jrunsvc.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
C:\WINDOWS\System32\rundll32.exe
C:\CFusionMX7\runtime\bin\jrun.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2server.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2index.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\conime.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HJT.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {091CDD73-1401-4643-9B9C-65B091C88685} (MyLinker Control) - http://hmall.contents.mylinker.co.kr/module/MyLinker.cab
O16 - DPF: {3E5BBDC8-18F9-4A70-94B5-DD64929C0AF4} (AniCastH Class) - http://gogo.jaeminara.co.kr/gogo/hansol/na...ol/axacastH.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.spatic.go.kr/www/msxml4.cab
O16 - DPF: {95FAA6CA-9CD5-40A5-B9EA-2ED419D4D9E7} (MapView Class) - http://www.spatic.go.kr/www/ZeusWEB.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - http://kings.nefficient.co.kr/kings/kdfx/k...29/kdfense8.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://id.hangame.com/common/HanSetup1008.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://update.nprotect.net/keycrypt/ntservice/npkcx.cab
O16 - DPF: {E0BF7A2B-2F7C-497A-B50F-292D3F317965} (CongnamulMap Control) - http://www.congnamul.com/ActiveX/Release/C...amulMap_V17.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ColdFusion MX 7 Application Server - Macromedia Inc. - C:\CFusionMX7\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX 7 Search Server - Unknown owner - C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe" -cfg "C:\CFusionMX7\verity\k2\common\verity.cfg" -ntstart 1 (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I will not do any self fixes until you instruct me otherwise.

Once again thank you very much.

pcDome

Whisperer

Aug 2 2006, 05:48 AM

Pcdome,

Your log is effectively clean. There are a couple of bad O16 entries, but most importantly I see you are still using SP1. It is imperative that you get the extra security of SP2 on your system at the earliest opportunity, together with any other security updates and that must be before you go onto any P2P sites or any other site apart from Windows Update and those sites that you are required to download tools from. Please do NOT update to SP2 until you are given the all-clear again, then make it your first priority.

I have checked your uninstall log and will need your help in classifying the following entries as my Korean is non-existent!
- K-Defense8 Control - A°º¸μa º¸¾E
Please use Add or Remove Programs to remove SpywareGuard V2.2 from your computer, it could just be that this is a corrupted download.
Please download WinpFind , we will use this to find hidden files that could be giving you the problem.
- Locate the WinPFind.zip file, right-click and extract it to your C:\ folder.
- This will create a folder called WinPFind in the C:\ folder
I suggest that you print out the following instructions or highlight the remainder and save to a WordPad file on your desktop as you will no longer have an internet connection until we have finished the clean up
Physically disconnect your computer from the internet by unplugging the lead.
Reboot the computer into safe mode using a clean boot sequence
1. Select the Start button and Turn Off Computer
2. Select the Turn Off option, when the computer has shut down switch off the power supply.
3. After 10 seconds, restore the power supply and switch on the computer
  - Some computers have a progress bar that refers to the word BIOS. Others may not let you know what is happening.
  - As soon as the BIOS loads, or a single Beep is heard then begin tapping the F8 key on your keyboard. Do so until the Windows Advanced Options menu appears.
  - If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. If this happens, restart the computer and try again.
  - Using the arrow keys on the keyboard, select Safe mode and then press Enter.
4. When in Safe mode you will have your desktop with the word ‘Safe’ in the 4 corners.
To reduce the chance of AntiSpyware interfering with the fixes, please stop all antispyware on your computer. If you right-click on the icon in the systems tray you will find an option to ‘exit’. When you reboot, this will all return to normal.
Navigate to the C:\WinPFind directory and click the file called WinPFind.exe .to open it
- Once it is open, click on the Start Scan button and wait for it to finish.
  This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.
- When it is done, it will show the results of the scan.
- Click on the Copy to Clipboard button
Please post
- The contents of the log in your clipboard as a reply in your next post.
- A new HJT log
- Any update to your problem that you can, now that we have removed SpywareGuard

GT

Whisperer

Aug 11 2006, 06:22 AM

Hi pcdome,

I have not heard from you for over a week, is all OK?

If I do not hear from you by the 16th I will assume that the topic is now closed.

GT

pcdome

Aug 14 2006, 07:09 PM

Hi Whisperer,

Sorry I've been so busy & tired lately that I haven't been able to keep up. Okay, at this point I only have accomplished a little bit of your last instructions.

To start with I have found out the reason why I have not upgraded to SP2, I know it sounds odd that I had to ask someone but I had to ask my friends here why they keep telling me not to use SP2. The reason for it is that many of the Korean programs won't work on my computer if I upgrade to SP2, since my wife is Korean and will be using this computer along with I use some Korean programs too, I don't think I can upgrade to SP2 at this time. Unless you know of a way I can fix this problem.

In regards to the list of programs I will post the list below and write next to it what I know of the program.

³￢¼¶²￥°O I have no idea what this program is, it's not Korean, Chinese, or Japanese (I have my computer set to read all 3 languages for studying purposes) so it seems kind of fishy. Is there a way I can run this program using the posted characters? I suspect it is one of the TV streaming programs that I have but that should appear in English, Japanese, Chinese, or Korean.
Adobe Download Manager 2.0(¼³A¡ A|°A¸¸ CØ´c) This was downloaded from Adobe before I could update my latest Adobe Acrobat, it seems to be a requirement now. I tried to download Acrobat but this was downloaded when I clicked on the download Acrobat link.
AeCOAUμ|(Unified Codec Pack) 8.0.0.5 ≫eA| I have no idea what this program is, it's not Korean, Chinese, or Japanese (I have my computer set to read all 3 languages for studying purposes) so it seems kind of fishy. Is there a way I can run this program using the posted characters? I suspect it is one of the TV streaming programs that I have but that should appear in English, Japanese, Chinese, or Korean.
afreeca A|°A This is a streaming TV program that I have.
CN°OAOI have no idea what this program is, it's not Korean, Chinese, or Japanese (I have my computer set to read all 3 languages for studying purposes) so it seems kind of fishy. Is there a way I can run this program using the posted characters? I suspect it is one of the TV streaming programs that I have but that should appear in English, Japanese, Chinese, or Korean.
CN°OAO AUμ¿ AI½ºAc??I have no idea what this program is, it's not Korean, Chinese, or Japanese (I have my computer set to read all 3 languages for studying purposes) so it seems kind of fishy. Is there a way I can run this program using the posted characters? I suspect it is one of the TV streaming programs that I have but that should appear in English, Japanese, Chinese, or Korean.
CN¹æ¿¡~ V2.15 I have no idea what this program is, it's not Korean, Chinese, or Japanese (I have my computer set to read all 3 languages for studying purposes) so it seems kind of fishy. Is there a way I can run this program using the posted characters? I suspect it is one of the TV streaming programs that I have but that should appear in English, Japanese, Chinese, or Korean.
K-Defense8 Control - A°º¸μa º¸¾E I have no idea what this is.

Spyware Guard removed and no problem since removal.

WinPFind log is listed below:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

뻣뻣뻣뻣뻣뻣뻣뻣?Windows OS and Versions 뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣?
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

뻣뻣뻣뻣뻣뻣뻣뻣?Checking Selected Standard Folders 뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣

Checking %SystemDrive% folder...
PECompact2 5/7/2005 12:09:12 AM 1011032 C:\WebCleaner.dll
aspack 5/7/2005 12:09:12 AM 1011032 C:\WebCleaner.dll

Checking %ProgramFilesDir% folder...
UPX! 1/12/2006 11:30:34 PM 289183480 C:\Program Files\coldfusion-70-win.exe
PEC2 1/12/2006 11:30:34 PM 289183480 C:\Program Files\coldfusion-70-win.exe

Checking %WinDir% folder...
UPX! 3/15/2004 7:28:50 PM 69120 C:\WINDOWS\daemon.dll
UPX! 8/15/2005 2:03:36 PM 65536 C:\WINDOWS\IFinst27.exe
UPX! 6/10/2002 12:00:00 PM 31426 C:\WINDOWS\VRUNACE.DLL
UPX! 6/10/2002 12:00:00 PM 57598 C:\WINDOWS\VRUNCAB.DLL
UPX! 6/10/2002 12:00:00 PM 44032 C:\WINDOWS\VRUNGZIP.DLL
UPX! 6/10/2002 12:00:00 PM 41589 C:\WINDOWS\VRUNRAR.DLL

Checking %System% folder...
PEC2 8/24/2001 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 2/23/2003 8:24:06 PM 86016 C:\WINDOWS\SYSTEM32\div3ds32.ax
PEC2 1/20/2005 2:40:44 PM 716800 C:\WINDOWS\SYSTEM32\divx.dll
PECompact2 1/20/2005 2:40:44 PM 716800 C:\WINDOWS\SYSTEM32\divx.dll
UPX! 1/19/2005 5:26:32 AM 49019 C:\WINDOWS\SYSTEM32\Dunzip32.dll
aspack 6/30/2005 5:37:06 PM 56320 C:\WINDOWS\SYSTEM32\IdiskLauncherEx.exe
aspack 6/14/2004 11:42:24 AM 109568 C:\WINDOWS\SYSTEM32\IdiskUpdateParan.dll
UPX! 6/8/2005 9:00:00 PM 689152 C:\WINDOWS\SYSTEM32\LIVECALL.DLL
PECompact2 6/9/2006 10:19:50 AM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 6/9/2006 10:19:50 AM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
PEC2 2/3/2003 3:01:02 PM 186368 C:\WINDOWS\SYSTEM32\msaud32_divx.acm
UPX! 3/31/2004 5:55:24 PM 172544 C:\WINDOWS\SYSTEM32\npkcsvc.exe
UPX! 5/9/2005 8:26:00 PM 694784 C:\WINDOWS\SYSTEM32\npscan.dll
Umonitor 8/29/2002 12:41:10 PM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 5/20/2005 4:10:10 PM 1691648 C:\WINDOWS\SYSTEM32\RPRes.dll
UPX! 2/7/2005 6:29:32 PM 170496 C:\WINDOWS\SYSTEM32\upx.exe
qoologic 6/23/2006 8:20:00 PM 2008665 C:\WINDOWS\SYSTEM32\v3warpns.v3d
aspack 5/19/2004 4:55:12 PM 250368 C:\WINDOWS\SYSTEM32\VRAZMAIN.DLL
UPX! 5/3/2005 12:01:00 PM 33792 C:\WINDOWS\SYSTEM32\VRMEM.DLL
UPX! 6/9/2004 2:01:58 PM 52736 C:\WINDOWS\SYSTEM32\vrpacker.dll
winsync 8/24/2001 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 12/18/2005 12:01:00 PM 2304352 C:\WINDOWS\SYSTEM32\drivers\vrcore.sys
ad-beh 12/18/2005 12:01:00 PM 2304352 C:\WINDOWS\SYSTEM32\drivers\vrcore.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
8/3/2006 1:28:56 PM S 2048 C:\WINDOWS\bootstat.dat
8/1/2006 10:50:40 PM H 54156 C:\WINDOWS\QTFont.qfn
7/4/2006 10:54:44 PM RHS 227 C:\WINDOWS\assembly\Desktop.ini
7/4/2006 10:54:44 PM RH 0 C:\WINDOWS\assembly\PublisherPolicy.tme
7/4/2006 10:54:44 PM RH 0 C:\WINDOWS\assembly\pubpol1.dat
7/4/2006 10:59:54 PM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index1b.dat
7/4/2006 10:59:58 PM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index1c.dat
6/4/2006 11:28:06 PM H 10820 C:\WINDOWS\Help\nocontnt.GID
6/26/2006 4:14:20 PM H 459 C:\WINDOWS\system32\200606.npl
8/3/2006 1:26:48 PM H 35981 C:\WINDOWS\system32\vsconfig.xml
7/19/2006 9:18:18 AM H 4212 C:\WINDOWS\system32\zllictbl.dat
6/22/2006 8:18:30 PM S 13309 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911280.cat
8/3/2006 1:29:08 PM H 12288 C:\WINDOWS\system32\config\default.LOG
8/3/2006 1:29:08 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
8/3/2006 1:28:58 PM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
8/3/2006 1:33:28 PM H 102400 C:\WINDOWS\system32\config\software.LOG
8/3/2006 1:29:58 PM H 1273856 C:\WINDOWS\system32\config\system.LOG
6/16/2006 3:04:14 AM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
6/7/2006 8:43:24 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\259ed44a-49ee-4c51-a45c-198ed5d86054
6/7/2006 8:43:24 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
8/3/2006 1:26:56 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
1/20/2005 2:38:54 PM 417792 C:\WINDOWS\SYSTEM32\ac3filter.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 2/9/2004 7:38:24 PM 14225408 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/29/2002 12:41:28 PM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/29/2002 12:41:28 PM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Ahead Software AG 12/23/2003 3:40:52 PM 57344 C:\WINDOWS\SYSTEM32\ImageDrive.cpl
Microsoft Corporation 8/29/2002 12:41:28 PM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/29/2002 12:41:28 PM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/29/2002 12:41:28 PM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 5/3/2006 2:56:54 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 11/15/2004 4:51:00 PM 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 8/29/2002 12:41:28 PM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
The Weather Channel Interactive11/7/2005 3:49:38 PM 2980976 C:\WINDOWS\SYSTEM32\wxfw.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/29/2002 12:41:28 PM 578560 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/29/2002 12:41:28 PM 129024 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/29/2002 12:41:28 PM 292352 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/29/2002 12:41:28 PM 121856 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/29/2002 12:41:28 PM 65536 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/29/2002 12:41:28 PM 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/29/2002 12:41:28 PM 268288 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

뻣뻣뻣뻣뻣뻣뻣뻣?Checking Selected Startup Folders 뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣?

Checking files in %ALLUSERSPROFILE%\Startup folder...
5/29/2006 11:20:44 PM 1926 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
6/28/2005 5:55:08 PM 1765 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
1/18/2005 3:51:58 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
1/18/2005 9:41:10 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
6/30/2006 11:34:58 AM 1390 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
1/18/2005 3:51:58 PM HS 84 C:\Documents and Settings\Robb\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
7/11/2006 8:10:26 PM 1071 C:\Documents and Settings\Robb\Application Data\AdobeDLM.log
1/18/2005 9:41:10 PM HS 62 C:\Documents and Settings\Robb\Application Data\desktop.ini
7/11/2006 8:10:26 PM 0 C:\Documents and Settings\Robb\Application Data\dm.ini

뻣뻣뻣뻣뻣뻣뻣뻣?Checking Selected Registry Keys 뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣?

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ALSee
{2AA489CC-FEDC-4DD5-A693-0B8FED9D8B0D} = C:\PROGRA~1\ESTsoft\ALSee\ASSHLE~1.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\PowerISO
{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} = C:\Program Files\PowerISO\PWRISOSH.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\PowerISO
{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} = C:\Program Files\PowerISO\PWRISOSH.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\PowerISO
{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} = C:\Program Files\PowerISO\PWRISOSH.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Adobe PDF Reader Link Helper = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar2.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
IMJPMIG8.1 "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
PHIME2002ASync C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
SoundMan SOUNDMAN.EXE
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz nwiz.exe /install
NvMediaCenter RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
SnoopFreeUI SnoopFreeUI.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
SSC_UserPrompt C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
!ewido "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
KernelFaultCheck %systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\WINDOWS\System32\ctfmon.exe
BitComet "C:\Program Files\BitComet\BitComet.exe"
updateMgr "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
PeerGuardian C:\Program Files\PeerGuardian2\pg2.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoCDBurning 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
winupx Service winupx.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣 Scan Complete 뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/3/2006 2:28:51 PM

Latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:05:54 AM, on 8/15/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\rundll32.exe
C:\CFusionMX7\runtime\bin\jrunsvc.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
C:\CFusionMX7\runtime\bin\jrun.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2server.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2index.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\YahooWCS.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\WINDOWS\System32\conime.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\HijackThis\HJT.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {091CDD73-1401-4643-9B9C-65B091C88685} (MyLinker Control) - http://hmall.contents.mylinker.co.kr/module/MyLinker.cab
O16 - DPF: {3E5BBDC8-18F9-4A70-94B5-DD64929C0AF4} (AniCastH Class) - http://gogo.jaeminara.co.kr/gogo/hansol/na...ol/axacastH.cab
O16 - DPF: {4E52C32F-C143-4963-A758-2DB07703CB49} (YahooCS Class) - http://kr.memo.yahoo.com/CAB/YahooWCS.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.spatic.go.kr/www/msxml4.cab
O16 - DPF: {95FAA6CA-9CD5-40A5-B9EA-2ED419D4D9E7} (MapView Class) - http://www.spatic.go.kr/www/ZeusWEB.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - http://kings.nefficient.co.kr/kings/kdfx/k...29/kdfense8.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://id.hangame.com/common/HanSetup1008.cab
O16 - DPF: {D2A4C311-F608-4E0E-BBFE-6B25E31AC15B} (Kdfense5 Control) - http://kings.cachenet.com/kdf5106/kdfense5.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://update.nprotect.net/keycrypt/ntservice/npkcx.cab
O16 - DPF: {E0BF7A2B-2F7C-497A-B50F-292D3F317965} (CongnamulMap Control) - http://www.congnamul.com/ActiveX/Release/C...amulMap_V17.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ColdFusion MX 7 Application Server - Macromedia Inc. - C:\CFusionMX7\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX 7 Search Server - Unknown owner - C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe" -cfg "C:\CFusionMX7\verity\k2\common\verity.cfg" -ntstart 1 (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I will try to be faster in my replies.

Sorry,

pcDome

Whisperer

Aug 17 2006, 01:58 PM

Hi pcdome,

Thanks for the response, I will look at the WinPFind log shortly but you have some installed programs that can go, your Java installation is out-of-date again and your HijackThis log has a couple of things that need fixing.

Before we start I would like to pose some more queries.
Q1. Do you use the Inca Internet facility?
Q2. Do you have Novell's Netware installed or in use?
Q3. Do you use hauri virobot, as an antivirus program?[/list]

On to the fixes

We will now remove the unknown programs, the old Java and one adware program.Click Start , select Control Panel and then Add or Remove Programs
- Once the list has populated scroll down to the following entries, click on them and select Remove
  - ³￢¼¶²￥°O
    Adobe Download Manager 2.0(¼³A¡ A|°A¸¸ CØ´c)
    AeCOAUμ|(Unified Codec Pack) 8.0.0.5 ≫eA|
    CN°OAO
    CN°OAO AUμ¿ AI½ºAc•?
    CN¹æ¿¡~ V2.15
    J2SE Runtime Environment 5.0 Update 7
    K-Defense8 Control - A°º¸μa º¸¾E
    myLinker
Replace the Java as the current release is Update 8.
- Use Internet Explorer and go to this link to update your Java.
- Scroll down and select Java Runtime Environment (JRE) 5.0 Update 8
With all other windows closed, start your HijackThis and click on Scan
1. Click in the check-box to the left of each of the following entries, if found
  - O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
2. Select Fix Checked
Until I get back to you with the WinPFind results that will do for now

GT

pcdome

Aug 17 2006, 05:34 PM

Hi Whisperer,

You posted 3 questions in your last reply before we started the clean up. So, I'm getting ready for work right now and can't start the clean up but thought I would quickly reply to the questions, in case they help you/me. The answer is no, I don't use them nor do I know what they are.

I hope that helps. Have a good day.

pcDome

pcdome

Aug 21 2006, 08:11 PM

Hi Whisperer,

I have done as you instructed, however (doesn't seem like there is always a "however?") when I removed the programs the only ones that were listed were as follows:

Adobe Download Manager
K-defense8 Control
myLinker
J2SE 7 Update

Therefore, the other non-readable programs did not appear or at least in their non-readable format. I also found in the Add/Remove programs something called "ZeusWEB". Do you know anything about this program, because I don't.

Thanks,

pcDome

Whisperer

Aug 24 2006, 02:45 AM

Hi pcdome,

Apologies for the delay but you slipped through my net. I will deal with your specific queries as I get to them, no cause for concern.

I have found some evidence of a Qoologic infection in your WinPFind log, we will deal with this next

Please download Qoofix by RubbeR DuckY from here or here . A tutorial is available from here .
1. Unzip all files to a convenient location such as C:\Qoofix.
2. Go to the folder you unzipped all files and run Qoofix.exe.
3. Click Begin Removal and wait for the scan to finish.
4. If an infection has been found, select Yes to restart your computer.
Please carry out a new WinPFind and a HijackThis
Finally post a new HijackThis log, the contents of the Qoofix logfile and the new WinPFind log.

GT

pcdome

Aug 28 2006, 02:53 AM

Hi Whisperer,

Okay Qoofix did not find anything here is the Qoofix Logfile:

Qoofix v1.03 by http://www.malwarebytes.org
Scan started on [8/27/2006] at [2:30:58 PM]
-------------------------------------------------------------
No malicious modules found!
-------------------------------------------------------------
No Qoologic infected files found!
-------------------------------------------------------------
Scan COMPLETED SUCCESSFULLY on [8/27/2006] at [2:32:49 PM]

Note: Some registry keys may have been removed.

Here is the latest WinPFind logfile:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

뻣뻣뻣뻣뻣뻣뻣뻣?Windows OS and Versions 뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣?
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

뻣뻣뻣뻣뻣뻣뻣뻣?Checking Selected Standard Folders 뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣

Checking %SystemDrive% folder...
PECompact2 5/7/2005 12:09:12 AM 1011032 C:\WebCleaner.dll
aspack 5/7/2005 12:09:12 AM 1011032 C:\WebCleaner.dll

Checking %ProgramFilesDir% folder...
UPX! 1/12/2006 11:30:34 PM 289183480 C:\Program Files\coldfusion-70-win.exe
PEC2 1/12/2006 11:30:34 PM 289183480 C:\Program Files\coldfusion-70-win.exe

Checking %WinDir% folder...
UPX! 3/15/2004 7:28:50 PM 69120 C:\WINDOWS\daemon.dll
UPX! 8/15/2005 2:03:36 PM 65536 C:\WINDOWS\IFinst27.exe
UPX! 6/10/2002 12:00:00 PM 31426 C:\WINDOWS\VRUNACE.DLL
UPX! 6/10/2002 12:00:00 PM 57598 C:\WINDOWS\VRUNCAB.DLL
UPX! 6/10/2002 12:00:00 PM 44032 C:\WINDOWS\VRUNGZIP.DLL
UPX! 6/10/2002 12:00:00 PM 41589 C:\WINDOWS\VRUNRAR.DLL

Checking %System% folder...
PEC2 8/24/2001 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 2/23/2003 8:24:06 PM 86016 C:\WINDOWS\SYSTEM32\div3ds32.ax
PEC2 1/20/2005 2:40:44 PM 716800 C:\WINDOWS\SYSTEM32\divx.dll
PECompact2 1/20/2005 2:40:44 PM 716800 C:\WINDOWS\SYSTEM32\divx.dll
UPX! 1/19/2005 5:26:32 AM 49019 C:\WINDOWS\SYSTEM32\Dunzip32.dll
aspack 6/30/2005 5:37:06 PM 56320 C:\WINDOWS\SYSTEM32\IdiskLauncherEx.exe
aspack 6/14/2004 11:42:24 AM 109568 C:\WINDOWS\SYSTEM32\IdiskUpdateParan.dll
UPX! 6/8/2005 9:00:00 PM 689152 C:\WINDOWS\SYSTEM32\LIVECALL.DLL
PECompact2 6/9/2006 10:19:50 AM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 6/9/2006 10:19:50 AM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
PEC2 2/3/2003 3:01:02 PM 186368 C:\WINDOWS\SYSTEM32\msaud32_divx.acm
UPX! 3/31/2004 5:55:24 PM 172544 C:\WINDOWS\SYSTEM32\npkcsvc.exe
UPX! 5/9/2005 8:26:00 PM 694784 C:\WINDOWS\SYSTEM32\npscan.dll
Umonitor 8/29/2002 12:41:10 PM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 5/20/2005 4:10:10 PM 1691648 C:\WINDOWS\SYSTEM32\RPRes.dll
UPX! 2/7/2005 6:29:32 PM 170496 C:\WINDOWS\SYSTEM32\upx.exe
qoologic 6/23/2006 8:20:00 PM 2008665 C:\WINDOWS\SYSTEM32\v3warpns.v3d
aspack 5/19/2004 4:55:12 PM 250368 C:\WINDOWS\SYSTEM32\VRAZMAIN.DLL
UPX! 5/3/2005 12:01:00 PM 33792 C:\WINDOWS\SYSTEM32\VRMEM.DLL
UPX! 6/9/2004 2:01:58 PM 52736 C:\WINDOWS\SYSTEM32\vrpacker.dll
winsync 8/24/2001 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 12/18/2005 12:01:00 PM 2304352 C:\WINDOWS\SYSTEM32\drivers\vrcore.sys
ad-beh 12/18/2005 12:01:00 PM 2304352 C:\WINDOWS\SYSTEM32\drivers\vrcore.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
8/25/2006 9:29:44 PM S 2048 C:\WINDOWS\bootstat.dat
7/4/2006 10:54:44 PM RHS 227 C:\WINDOWS\assembly\Desktop.ini
7/4/2006 10:54:44 PM RH 0 C:\WINDOWS\assembly\PublisherPolicy.tme
7/4/2006 10:54:44 PM RH 0 C:\WINDOWS\assembly\pubpol1.dat
7/4/2006 10:59:54 PM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index1b.dat
7/4/2006 10:59:58 PM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index1c.dat
8/27/2006 8:40:06 AM H 35981 C:\WINDOWS\system32\vsconfig.xml
8/15/2006 8:31:48 AM H 4212 C:\WINDOWS\system32\zllictbl.dat
8/28/2006 10:30:00 AM H 1024 C:\WINDOWS\system32\config\default.LOG
8/25/2006 9:29:50 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
8/25/2006 9:33:00 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
8/28/2006 10:38:22 AM H 20480 C:\WINDOWS\system32\config\software.LOG
8/28/2006 10:16:06 AM H 1024 C:\WINDOWS\system32\config\system.LOG
8/25/2006 9:29:56 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
1/20/2005 2:38:54 PM 417792 C:\WINDOWS\SYSTEM32\ac3filter.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 2/9/2004 7:38:24 PM 14225408 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/29/2002 12:41:28 PM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/29/2002 12:41:28 PM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Ahead Software AG 12/23/2003 3:40:52 PM 57344 C:\WINDOWS\SYSTEM32\ImageDrive.cpl
Microsoft Corporation 8/29/2002 12:41:28 PM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/29/2002 12:41:28 PM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/29/2002 12:41:28 PM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 7/26/2006 3:03:14 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 11/15/2004 4:51:00 PM 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 8/29/2002 12:41:28 PM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
The Weather Channel Interactive11/7/2005 3:49:38 PM 2980976 C:\WINDOWS\SYSTEM32\wxfw.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/29/2002 12:41:28 PM 578560 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/29/2002 12:41:28 PM 129024 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/29/2002 12:41:28 PM 292352 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/29/2002 12:41:28 PM 121856 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/29/2002 12:41:28 PM 65536 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/29/2002 12:41:28 PM 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/29/2002 12:41:28 PM 268288 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

뻣뻣뻣뻣뻣뻣뻣뻣?Checking Selected Startup Folders 뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣?

Checking files in %ALLUSERSPROFILE%\Startup folder...
5/29/2006 11:20:44 PM 1926 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
6/28/2005 5:55:08 PM 1765 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
1/18/2005 3:51:58 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
1/18/2005 9:41:10 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
6/30/2006 11:34:58 AM 1390 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
1/18/2005 3:51:58 PM HS 84 C:\Documents and Settings\Robb\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
1/18/2005 9:41:10 PM HS 62 C:\Documents and Settings\Robb\Application Data\desktop.ini

뻣뻣뻣뻣뻣뻣뻣뻣?Checking Selected Registry Keys 뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣?

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ALSee
{2AA489CC-FEDC-4DD5-A693-0B8FED9D8B0D} = C:\PROGRA~1\ESTsoft\ALSee\ASSHLE~1.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\PowerISO
{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} = C:\Program Files\PowerISO\PWRISOSH.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\PowerISO
{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} = C:\Program Files\PowerISO\PWRISOSH.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\PowerISO
{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} = C:\Program Files\PowerISO\PWRISOSH.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Adobe PDF Reader Link Helper = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar2.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}
ButtonText = Yahoo! Messenger : C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
IMJPMIG8.1 "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
PHIME2002ASync C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
SoundMan SOUNDMAN.EXE
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz nwiz.exe /install
NvMediaCenter RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
SnoopFreeUI SnoopFreeUI.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
SSC_UserPrompt C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
KernelFaultCheck %systemroot%\system32\dumprep 0 -k
BigDogPath C:\WINDOWS\VM_STI.EXE lebeca web camera driver
SunJavaUpdateSched "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\WINDOWS\System32\ctfmon.exe
BitComet "C:\Program Files\BitComet\BitComet.exe"
updateMgr "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
PeerGuardian C:\Program Files\PeerGuardian2\pg2.exe
Yahoo! Pager "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
ypagerps1 cmd.exe /C del "C:\Program Files\Yahoo!\Messenger\ypagerps1.DLL"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoCDBurning 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
winupx Service winupx.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\System32\Userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣 Scan Complete 뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣뻣
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/28/2006 10:38:38 AM

Lastly here is the latest HJT logfile:

Logfile of HijackThis v1.99.1
Scan saved at 2:35:20 PM, on 8/27/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\VM_STI.EXE
C:\CFusionMX7\runtime\bin\jrunsvc.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
C:\Program Files\BitComet\BitComet.exe
C:\CFusionMX7\runtime\bin\jrun.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2server.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2index.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\conime.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\HijackThis\HJT.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE lebeca web camera driver
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\RunOnce: [ypagerps1] cmd.exe /C del "C:\Program Files\Yahoo!\Messenger\ypagerps1.DLL"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {3E5BBDC8-18F9-4A70-94B5-DD64929C0AF4} (AniCastH Class) - http://gogo.jaeminara.co.kr/gogo/hansol/na...ol/axacastH.cab
O16 - DPF: {4E52C32F-C143-4963-A758-2DB07703CB49} (YahooCS Class) - http://kr.memo.yahoo.com/CAB/YahooWCS.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.spatic.go.kr/www/msxml4.cab
O16 - DPF: {95FAA6CA-9CD5-40A5-B9EA-2ED419D4D9E7} (MapView Class) - http://www.spatic.go.kr/www/ZeusWEB.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} - http://kings.nefficient.co.kr/kings/kdfx/k...29/kdfense8.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://id.hangame.com/common/HanSetup1008.cab
O16 - DPF: {D2A4C311-F608-4E0E-BBFE-6B25E31AC15B} (Kdfense5 Control) - http://kings.cachenet.com/kdf5106/kdfense5.cab
O16 - DPF: {E0BF7A2B-2F7C-497A-B50F-292D3F317965} (CongnamulMap Control) - http://www.congnamul.com/ActiveX/Release/C...amulMap_V17.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ColdFusion MX 7 Application Server - Macromedia Inc. - C:\CFusionMX7\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX 7 Search Server - Unknown owner - C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe" -cfg "C:\CFusionMX7\verity\k2\common\verity.cfg" -ntstart 1 (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Hope you are doing well.

pcDome

Whisperer

Aug 29 2006, 02:59 AM

Hi pcdome,

I am well and thank you for the enquiry. Apart from your BitComet (

)your HijackThis log appears clear of malware. I am glad that the Qoologic was also clear, further research shows that the file in question, v3warpns.v3d, is associated with a game, sorry for the error.

I do have more queries that are caused by unknown programs that may be familiar to you or your Wife, so I will start with them.

Q1. Are you happy with the assembly directory here C:\WINDOWS\assembly and what does it do? Which leads to Are you a Programmer?

Q2. What can you tell me about the following files as I can not find any 'English' information about them, I will give the full path of each

C:\WINDOWS\IFinst27.exe
C:\WINDOWS\SYSTEM32\IdiskLauncherEx.exe
C:\WINDOWS\SYSTEM32\IdiskUpdateParan.dll
C:\WINDOWS\SYSTEM32\npkcsvc.exe
C:\WINDOWS\SYSTEM32\RPRes.dll
C:\WINDOWS\SYSTEM32\upx.exe
C:\WINDOWS\SYSTEM32\vrpacker.dll
C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Q3. Do you have an NVIDIA card installed?

Next is to complete the information quest by putting any of the unknown files above through to our friends at Jotti and VirusTotals except QTSBandwidthCache. In this case please give me some idea what is in the folder.

If needed then…

I would like you to upload any remaining unknown files to the Jotti web site.
- Click on the Browse button and navigate to the directory for the file
- Locate the file and click to select
- Click the Submit button
- You may have to try more than once if the service load is close to 100% but you will get an online answer
Now repeat the upload to the VirusTotal site.
- Click the Browse button, navigate to the conime.exe and click to select.
- Click the Send icon
- This time you will receive an email response
- Please copy the contents and place in your next reply
Please forward the information about each of the files and any other amplifying comments

GT

pcdome

Sep 6 2006, 11:26 PM

Hi Whisperer,

I'm sorry for such a long delay in my reply. However, everytime I've gone to use Jotti the server was too busy, I haven't tried to post on VirusTotal yet, simply because I was trying to follow the steps in order, so I forgot about VirusTotal.

Anyhow, to answer some of your questions. No, I am not a programmer, and I don't know what the assembly folder is for. Secondly, I don't know what any of those programs are for so I don't have any further information on them. I will post them to Jotti & VirusTotal as soon as possible, to check them. Lastly, yes, I have a nvidia card installed.

Sincerely,

pcDome

Whisperer

Sep 7 2006, 05:39 AM

Thanks for the update, there is so much unknown malware around nowadays that it is not surprising that Jotti is clogged.
Please push the files to VirusTotal first, it makes no difference, and when you get the reports from them please post their answers.
We may not have to use Jotti, but two engines are better than one!

Whisperer

Sep 17 2006, 09:50 AM

Hi pcdome,

Any progress as yet?

GT

pcdome

Sep 18 2006, 05:36 PM

Sorry I just moved apartments and was without the internet for like a week. I'm going to get back on this today.

pcdome

Sep 20 2006, 08:18 AM

Phew! I'm finally getting to upload these files to Jotti & Virus Total. Actually, I've finished with Jotti, but Virus Total is taking foreeevver. Actually, I think Virus Total has frozen up on me, and I'm very tired, and need to go to bed b/c I have an early morning class tomorrow. However, I figured I could give you the information I have from these virus search programs.

Jotti found nothing on the files but put up a cautionary statement on every file except the final one. Please see the results post below. All the programs on Virus Total found nothing except for one on each file from different virus search programs. Please see this posting below too. Note, that the Virus Total posting is not complete, I hope to continue tomorrow morning.

Jotti Post:

File: IFinst27.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.) (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)

File: IdiskLauncherEx.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)

File: IdiskUpdateParan.dll
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)

File: npkcsvc.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)

File: Rpres.dll
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)

File: upx.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.) (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)

File: vrpacker.dll
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)

File: QTSBandwidthCache
Status: OK

Partial Virus Total Post:

STATUS: FINISHEDComplete scanning result of "IFinst27.exe", received in VirusTotal at 09.20.2006, 13:58:11 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.16 09.20.2006 no virus found
Authentium 4.93.8 09.19.2006 no virus found
Avast 4.7.844.0 09.19.2006 no virus found
AVG 386 09.19.2006 no virus found
BitDefender 7.2 09.20.2006 no virus found
CAT-QuickHeal 8.00 09.20.2006 no virus found
ClamAV devel-20060426 09.20.2006 no virus found
DrWeb 4.33 09.20.2006 no virus found
eTrust-InoculateIT 23.73.0 09.20.2006 no virus found
eTrust-Vet 30.3.3088 09.20.2006 no virus found
Ewido 4.0 09.20.2006 no virus found
Fortinet 2.82.0.0 09.20.2006 suspicious
F-Prot 3.16f 09.19.2006 no virus found
F-Prot4 4.2.1.29 09.19.2006 no virus found
Ikarus 0.2.65.0 09.20.2006 no virus found
Kaspersky 4.0.2.24 09.20.2006 no virus found
McAfee 4855 09.19.2006 no virus found
Microsoft 1.1560 09.19.2006 no virus found
NOD32v2 1.1763 09.19.2006 no virus found
Norman 5.90.23 09.19.2006 no virus found
Panda 9.0.0.4 09.19.2006 no virus found
Sophos 4.09.0 09.20.2006 no virus found
Symantec 8.0 09.20.2006 no virus found
TheHacker 6.0.1.074 09.20.2006 no virus found
UNA 1.83 09.20.2006 no virus found
VBA32 3.11.1 09.19.2006 no virus found
VirusBuster 4.3.7:9 09.19.2006 no virus found

STATUS: FINISHEDComplete scanning result of "IdiskLauncherEx.exe", received in VirusTotal at 09.20.2006, 14:09:50 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.16 09.20.2006 no virus found
Authentium 4.93.8 09.19.2006 no virus found
Avast 4.7.844.0 09.19.2006 no virus found
AVG 386 09.19.2006 no virus found
BitDefender 7.2 09.20.2006 no virus found
CAT-QuickHeal 8.00 09.20.2006 no virus found
ClamAV devel-20060426 09.20.2006 no virus found
eTrust-InoculateIT 23.73.0 09.20.2006 no virus found
eTrust-Vet 30.3.3088 09.20.2006 no virus found
DrWeb 4.33 09.20.2006 no virus found
Ewido 4.0 09.20.2006 no virus found
Fortinet 2.82.0.0 09.20.2006 suspicious
F-Prot 3.16f 09.19.2006 no virus found
F-Prot4 4.2.1.29 09.19.2006 no virus found
Ikarus 0.2.65.0 09.20.2006 no virus found
Kaspersky 4.0.2.24 09.20.2006 no virus found
McAfee 4855 09.19.2006 no virus found
Microsoft 1.1560 09.19.2006 no virus found
NOD32v2 1.1763 09.19.2006 no virus found
Norman 5.80.02 09.19.2006 no virus found
Panda 9.0.0.4 09.19.2006 no virus found
Sophos 4.09.0 09.20.2006 no virus found
Symantec 8.0 09.20.2006 no virus found
TheHacker 6.0.1.074 09.20.2006 no virus found
UNA 1.83 09.20.2006 no virus found
VBA32 3.11.1 09.19.2006 no virus found
VirusBuster 4.3.7:9 09.19.2006 no virus found

STATUS: FINISHEDComplete scanning result of "IdiskUpdateParan.dll", received in VirusTotal at 09.20.2006, 14:20:51 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.16 09.20.2006 no virus found
Authentium 4.93.8 09.19.2006 no virus found
Avast 4.7.844.0 09.19.2006 no virus found
AVG 386 09.19.2006 no virus found
BitDefender 7.2 09.20.2006 no virus found
CAT-QuickHeal 8.00 09.20.2006 no virus found
ClamAV devel-20060426 09.20.2006 no virus found
eTrust-InoculateIT 23.73.0 09.20.2006 no virus found
eTrust-Vet 30.3.3088 09.20.2006 no virus found
DrWeb 4.33 09.20.2006 no virus found
Ewido 4.0 09.20.2006 no virus found
Fortinet 2.82.0.0 09.20.2006 suspicious
F-Prot 3.16f 09.19.2006 no virus found
F-Prot4 4.2.1.29 09.19.2006 no virus found
Ikarus 0.2.65.0 09.20.2006 no virus found
Kaspersky 4.0.2.24 09.20.2006 no virus found
McAfee 4855 09.19.2006 no virus found
Microsoft 1.1560 09.19.2006 no virus found
NOD32v2 1.1763 09.19.2006 no virus found
Norman 5.80.02 09.19.2006 no virus found
Panda 9.0.0.4 09.19.2006 no virus found
Sophos 4.09.0 09.20.2006 no virus found
Symantec 8.0 09.20.2006 no virus found
TheHacker 6.0.1.074 09.20.2006 no virus found
UNA 1.83 09.20.2006 no virus found
VBA32 3.11.1 09.19.2006 no virus found
VirusBuster 4.3.7:9 09.19.2006 no virus found

STATUS: FINISHEDComplete scanning result of "npkcsvc.exe", received in VirusTotal at 09.20.2006, 14:36:53 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.16 09.20.2006 no virus found
Authentium 4.93.8 09.19.2006 no virus found
Avast 4.7.844.0 09.19.2006 no virus found
AVG 386 09.19.2006 no virus found
BitDefender 7.2 09.20.2006 no virus found
CAT-QuickHeal 8.00 09.20.2006 no virus found
ClamAV devel-20060426 09.20.2006 no virus found
eTrust-InoculateIT 23.73.0 09.20.2006 no virus found
eTrust-Vet 30.3.3088 09.20.2006 no virus found
DrWeb 4.33 09.20.2006 no virus found
Ewido 4.0 09.20.2006 no virus found
Fortinet 2.82.0.0 09.20.2006 suspicious
F-Prot 3.16f 09.20.2006 no virus found
F-Prot4 4.2.1.29 09.19.2006 no virus found
Ikarus 0.2.65.0 09.20.2006 no virus found
Kaspersky 4.0.2.24 09.20.2006 no virus found
McAfee 4855 09.19.2006 no virus found
Microsoft 1.1560 09.19.2006 no virus found
NOD32v2 1.1764 09.20.2006 no virus found
Norman 5.80.02 09.19.2006 no virus found
Panda 9.0.0.4 09.19.2006 no virus found
Sophos 4.09.0 09.20.2006 no virus found
Symantec 8.0 09.20.2006 no virus found
TheHacker 6.0.1.074 09.20.2006 no virus found
UNA 1.83 09.20.2006 no virus found
VBA32 3.11.1 09.19.2006 no virus found
VirusBuster 4.3.7:9 09.19.2006 no virus found

Thank you again for everything and putting up with my lengthy delays lately.

pcDome

pcdome

Sep 20 2006, 09:06 AM

Hi Whisperer,

It looks like we are both on at the same time. It's too bad we can't chat and do this live, but I gotta go to bed as I said in previous post. I'm only still up because I got VirusTotal back up & running, and decided to take advantage of it. BTW sorry that I ran the Jotti Scan on the Docs & Settings file, I missed that part of the post when scanning tonight.

Here are the rest of the VirusTotal scans:

STATUS: FINISHEDComplete scanning result of "RPRes.dll_", received in VirusTotal at 09.20.2006, 15:35:14 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.16 09.20.2006 no virus found
Authentium 4.93.8 09.20.2006 no virus found
Avast 4.7.844.0 09.19.2006 no virus found
AVG 386 09.19.2006 no virus found
BitDefender 7.2 09.20.2006 no virus found
CAT-QuickHeal 8.00 09.20.2006 no virus found
ClamAV devel-20060426 09.20.2006 no virus found
eTrust-InoculateIT 23.73.0 09.20.2006 no virus found
eTrust-Vet 30.3.3088 09.20.2006 no virus found
DrWeb 4.33 09.20.2006 no virus found
Ewido 4.0 09.20.2006 no virus found
Fortinet 2.82.0.0 09.20.2006 no virus found
F-Prot 3.16f 09.20.2006 no virus found
F-Prot4 4.2.1.29 09.19.2006 no virus found
Ikarus 0.2.65.0 09.20.2006 no virus found
Kaspersky 4.0.2.24 09.20.2006 no virus found
McAfee 4855 09.19.2006 no virus found
Microsoft 1.1560 09.19.2006 no virus found
NOD32v2 1.1764 09.20.2006 no virus found
Norman 5.80.02 09.19.2006 no virus found
Panda 9.0.0.4 09.20.2006 no virus found
Sophos 4.09.0 09.20.2006 no virus found
Symantec 8.0 09.20.2006 no virus found
TheHacker 6.0.1.074 09.20.2006 no virus found
UNA 1.83 09.20.2006 no virus found
VBA32 3.11.1 09.19.2006 no virus found
VirusBuster 4.3.7:9 09.19.2006 no virus found

STATUS: FINISHEDComplete scanning result of "upx.exe", received in VirusTotal at 09.20.2006 15:43:03 (CET)

Antivirus Version Update Result
AntiVir 7.2.0.16 09.20.2006 no virus found
Authentium 4.93.8 09.20.2006 no virus found
Avast 4.7.844.0 09.19.2006 no virus found
AVG 386 09.19.2006 no virus found
BitDefender 7.2 09.20.2006 no virus found
CAT-QuickHeal 8.00 09.20.2006 no virus found
ClamAV devel-20060426 09.20.2006 no virus found
DrWeb 4.33 09.20.2006 no virus found
eTrust-InoculateIT 23.73.0 09.20.2006 no virus found
eTrust-Vet 30.3.3088 09.20.2006 no virus found
Ewido 4.0 09.20.2006 no virus found
Fortinet 2.82.0.0 09.20.2006 no virus found
F-Prot 3.16f 09.20.2006 no virus found
F-Prot4 4.2.1.29 09.20.2006 no virus found
Ikarus 0.2.65.0 09.20.2006 no virus found
Kaspersky 4.0.2.24 09.20.2006 no virus found
McAfee 4855 09.19.2006 no virus found
Microsoft 1.1560 09.19.2006 no virus found
NOD32v2 1.1764 09.20.2006 no virus found
Norman 5.90.23 09.19.2006 no virus found
Panda 9.0.0.4 09.20.2006 no virus found
Sophos 4.09.0 09.20.2006 no virus found
Symantec 8.0 09.20.2006 no virus found
TheHacker 6.0.1.074 09.20.2006 no virus found
UNA 1.83 09.20.2006 no virus found
VBA32 3.11.1 09.19.2006 no virus found
VirusBuster 4.3.7:9 09.20.2006 no virus found

STATUS: FINISHEDComplete scanning result of "vrpacker.dll", received in VirusTotal at 09.20.2006, 15:52:14 (CET)

Antivirus Version Update Result
AntiVir 7.2.0.16 09.20.2006 no virus found
Authentium 4.93.8 09.20.2006 no virus found
Avast 4.7.844.0 09.19.2006 no virus found
AVG 386 09.19.2006 no virus found
BitDefender 7.2 09.20.2006 no virus found
CAT-QuickHeal 8.00 09.20.2006 no virus found
ClamAV devel-20060426 09.20.2006 no virus found
DrWeb 4.33 09.20.2006 no virus found
eTrust-InoculateIT 23.73.0 09.20.2006 no virus found
eTrust-Vet 30.3.3088 09.20.2006 no virus found
Ewido 4.0 09.20.2006 no virus found
Fortinet 2.82.0.0 09.20.2006 no virus found
F-Prot 3.16f 09.20.2006 no virus found
F-Prot4 4.2.1.29 09.20.2006 no virus found
Ikarus 0.2.65.0 09.20.2006 no virus found
Kaspersky 4.0.2.24 09.20.2006 no virus found
McAfee 4855 09.19.2006 no virus found
Microsoft 1.1560 09.19.2006 no virus found
NOD32v2 1.1764 09.20.2006 no virus found
Norman 5.90.23 09.19.2006 no virus found
Panda 9.0.0.4 09.20.2006 no virus found
Sophos 4.09.0 09.20.2006 no virus found
Symantec 8.0 09.20.2006 no virus found
TheHacker 6.0.1.074 09.20.2006 no virus found
UNA 1.83 09.20.2006 no virus found
VBA32 3.11.1 09.19.2006 no virus found
VirusBuster 4.3.7:9 09.20.2006 no virus found

Thanks again!

Whisperer

Sep 21 2006, 11:46 AM

Hi pcdome,

Thanks for all of the information, there is nothing there to give cause for concern so I would like you to reboot your computer, take and post a new HijackThis log together with any comments on the behaviour of the computer now.

GT

pcdome

Sep 23 2006, 07:00 PM

Okay Whisperer,

I'm hoping that my computer is almost clean, because you've been a great help, and I hate taking so much of your time. I am posting my HJT log, but I also wanted to ask you a couple of questions. I was trying to remove some programs in the Add/Remove program feature in the Control Panel (A/R C.P.) but I can't find the programs there, or any names that I think they are associated with. However, while looking I did find some strange program names that I didn't install, and I don't think are with the programs that I'm trying to get rid of. So my questions are first, do you know of another way I can uninstall these programs other than via A/R C.P.? Secondly, can you look into these programs and let me know if they are malware, or what they might be because I'm not sure. I know that some of them seem okay, and some are from Korea, but I didn't install them (maybe my wife did, argh. BTW asking her if they are legit is useless, because she will say any Korean company is legit, if you remember I had myLinker on my computer b4, something I didn't put on and told her not to put on, but she did anyhow, b/c she is Korean and it's a Korean company. Basically it's a cultural thing that I'm sure you don't want me to get into.) And I know that Korean companies often install stuff without people's knowledge and do watch you, but they may look legit too, like one called nProtect KeyCrypt. It looks legit, but I'm not sure it is. Anyhow, here are the programs I need your expertise in please:

nProtect KeyCrypt
nProtect Netizen
Slim TVDriver
SoftCamp Secure KeyStroke 4.0
Spyware Remover (by the way when I click on this it doesn't give me the option to remove it, and it looks like an install program, not a program itself)
TV Card
TV Card Driver
TV Driver
XecureWeb Control

(Note I had a TV card once before, but it was a Sigma TV card, and when I removed the card I removed the program too, so I don't know what these other TV Cards are. I also can't recall if they were here or not the last time you instructed me to remove a program.)

Here's my latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:35:59 AM, on 9/24/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SnoopFreeUI.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\CFusionMX7\runtime\bin\jrunsvc.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
C:\CFusionMX7\runtime\bin\jrun.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2server.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2index.exe
C:\WINDOWS\ksvhtcgidsler.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\conime.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\HijackThis\HJT.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE lebeca web camera driver
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\SymProbe.exe -r "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [hsvgtckidsler] hsvgtckidsler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {3D51DCE5-683F-422E-AB48-9D21E6DD5808} (cRsiteup.acRsiteup) - http://www.hebogo.com/ActiveX/cRsiteup.cab
O16 - DPF: {3E5BBDC8-18F9-4A70-94B5-DD64929C0AF4} (AniCastH Class) - http://gogo.jaeminara.co.kr/gogo/hansol/na...ol/axacastH.cab
O16 - DPF: {4E52C32F-C143-4963-A758-2DB07703CB49} (YahooCS Class) - http://kr.memo.yahoo.com/CAB/YahooWCS.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.spatic.go.kr/www/msxml4.cab
O16 - DPF: {95FAA6CA-9CD5-40A5-B9EA-2ED419D4D9E7} - http://www.spatic.go.kr/www/ZeusWEB.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} - http://kings.nefficient.co.kr/kings/kdfx/k...29/kdfense8.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://id.hangame.com/common/HanSetup1008.cab
O16 - DPF: {D2A4C311-F608-4E0E-BBFE-6B25E31AC15B} (Kdfense5 Control) - http://kings.cachenet.com/kdf5106/kdfense5.cab
O16 - DPF: {E0BF7A2B-2F7C-497A-B50F-292D3F317965} (CongnamulMap Control) - http://www.congnamul.com/ActiveX/Release/C...amulMap_V17.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/eng/billard8_2_0_0_28.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ColdFusion MX 7 Application Server - Macromedia Inc. - C:\CFusionMX7\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX 7 Search Server - Unknown owner - C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe" -cfg "C:\CFusionMX7\verity\k2\common\verity.cfg" -ntstart 1 (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks again for your help!

pcDome

Whisperer

Sep 24 2006, 03:23 PM

Hi pcdome,

Worry not; time at my age is unimportant! Please post more information about the files that you are trying to remove and I guess it is time to update me on what is in your Uninstall list

Please do a search for hsvgtckidsler.exe, you may not find it but it is highly suspicious because there is a running process with a very similar name, the difference being that the 1st, 4th and 7th characters have been rotated forward such that hsvgtckidsler.exe becomes ksvhtcgidsler.exe!!!! If you find the original then make a note of its path for submission to the 2 analysis sites. If you are unable to find it then do a search for *idsler.exe , exactly as shown in bold.
Please submit C:\WINDOWS\ksvhtcgidsler.exe followed by hsvgtckidsler.exe (if you have found a path for it) to Jotti and VirusTotal in whichever order.
Go to the Jotti web site.
- Click on the Browse button and navigate to the directory for the file
- Locate the file and click to select
- Click the Submit button
- You may have to try more than once if the service load is close to 100% but you will get an online answer
Now repeat the upload to the VirusTotal site.
- Click the Browse button, navigate to the file's location and click to select.
- Click the Send icon
- This time you will receive an email response
- Please copy the contents and place in your next reply
Finally please submit both files to our analysis cell
Update your Uninstall list by opening your HijackThis
1. Click on Open the Misc Tools section or Config… button, depending on how you are set up.
2. If you used the Config... option then click the Misc Tools tab
3. Select Open Uninstall Manager , a list of your installed programs will be displayed.
4. Select the Save List… button and save the file to your desktop.
That will do for this one, please post
- The results of the two scans and the submission when available
- More information about the files that you are trying to remove
- A new Uninstall list
- A new HijackThis log

GT

pcdome

Sep 29 2006, 02:52 AM

Hi Whisperer,

The files ksvhtcgidsler.exe & hsvgtccidsker.exe were both something that I was going to look up on Jotti & VirusTotal because one of my security programs had posted a warning but never tried to delete or fix it. Anyhow, I have the results from Jotti & VirusTotal that I'm posting here. I will also post them to the analysis cell. I will have to post the uninstall stuff later, because I'm getting ready for work, but I thought this info would be helpful.

By the way when browsing I found two other files that looked kind of strange to me so I uploaded those files to Jotti & VirusTotal too and have posted those results here as well. Also when I searched for the ksvhtcgidsler.exe & hsvgtccidsker.exe files I couldn't find them. I then proceeded to search for the other file you mentioned *idsaer.exe or something like that I don't remember the file name now, I just copied & pasted it into the search function. Nothing was found though. Strangely, though one of the files that I found prior to searching that I thought was strange contained a similar ending, so you'll find that posted here.

I don't know if this is related to this malware/virus or not, but my internet has been extremely slow, since my security programs first discovered these files.

One more thing, I'm going to try and get this stuff taken care of this weekend, but there is a huge almost weeklong holiday next week here, in which I have to travel to my in-laws home for the week and won't be here to work on this, so if you don't hear from me you know why.

Thanks,

pcDome

Jotti:

C:\WINDOWS\ksvhtcgidsler.exe

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

C:\WINDOWS\hsvgtccidsker.exe

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

Here are some additional files that I have found that looked suspicous so I ran tests, and here are the results:
C:\WINDOWS\vsv\tchidsver.exe

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

C:\WINDOWS\lsvktcvidsaer.exe

File: lsvktcvidsaer.exe
Status: POSSIBLY INFECTED/MALWARE (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)
MD5 5e1932c09dcf598ce4aa32d506a26a28
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Virus Total:

STATUS: FINISHEDComplete scanning result of "ksvhtcgidsler.exe", received in VirusTotal at 09.29.2006, 06:58:05 (CET).

Antivirus Version Update Result
AntiVir n - no virus found
Authentium n - no virus found
Avast n - no virus found
AVG n - no virus found
BitDefender n - no virus found
CAT-QuickHeal n - no virus found
ClamAV n - no virus found
DrWeb n - no virus found
eTrust-InoculateIT n - no virus found
eTrust-Vet n - no virus found
Ewido n - no virus found
Fortinet n - no virus found
F-Prot n - no virus found
F-Prot4 n - no virus found
Ikarus n - no virus found
Kaspersky n - no virus found
McAfee n - no virus found
Microsoft n - no virus found
NOD32v2 n - no virus found
Norman n - no virus found
Panda n - no virus found
Sophos n - no virus found
Symantec n - no virus found
TheHacker n - no virus found
UNA n - no virus found
VBA32 n - no virus found
VirusBuster n - no virus found

Aditional Information
File size: 0 bytes
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
packers: base64

STATUS: FINISHEDComplete scanning result of "hsvgtccidsker.exe", received in VirusTotal at 09.29.2006, 07:15:51 (CET).

Antivirus Version Update Result
AntiVir n - no virus found
Authentium n - no virus found
Avast n - no virus found
AVG n - no virus found
BitDefender n - no virus found
CAT-QuickHeal n - no virus found
ClamAV n - no virus found
DrWeb n - no virus found
eTrust-InoculateIT n - no virus found
eTrust-Vet n - no virus found
Ewido n - no virus found
Fortinet n - no virus found
F-Prot n - no virus found
F-Prot4 n - no virus found
Ikarus n - no virus found
Kaspersky n - no virus found
McAfee n - no virus found
Microsoft n - no virus found
NOD32v2 n - no virus found
Norman n - no virus found
Panda n - no virus found
Sophos n - no virus found
Symantec n - no virus found
TheHacker n - no virus found
UNA n - no virus found
VBA32 n - no virus found
VirusBuster n - no virus found

Aditional Information
File size: 0 bytes
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709

STATUS: FINISHEDComplete scanning result of "tchidsver.exe", received in VirusTotal at 09.29.2006, 07:38:28 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.18 09.28.2006 no virus found
Authentium 4.93.8 09.28.2006 no virus found
Avast 4.7.892.0 09.27.2006 no virus found
AVG 386 09.27.2006 no virus found
BitDefender 7.2 09.29.2006 no virus found
CAT-QuickHeal 8.00 09.28.2006 no virus found
ClamAV devel-20060426 09.28.2006 no virus found
eTrust-InoculateIT 23.73.8 09.29.2006 no virus found
eTrust-Vet 30.3.3104 09.28.2006 no virus found
DrWeb 4.33 09.28.2006 no virus found
Ewido 4.0 09.28.2006 no virus found
Fortinet 2.82.0.0 09.29.2006 no virus found
F-Prot 3.16f 09.28.2006 no virus found
F-Prot4 4.2.1.29 09.28.2006 no virus found
Ikarus 0.2.65.0 09.28.2006 no virus found
Kaspersky 4.0.2.24 09.29.2006 no virus found
McAfee 4862 09.28.2006 no virus found
Microsoft 1.1603 09.29.2006 no virus found
NOD32v2 1.1782 09.29.2006 no virus found
Norman 5.80.02 09.28.2006 no virus found
Panda 9.0.0.4 09.28.2006 no virus found
Sophos 4.10.0 09.29.2006 no virus found
Symantec 8.0 09.29.2006 no virus found
TheHacker 6.0.1.086 09.29.2006 no virus found
UNA 1.83 09.28.2006 no virus found
VBA32 3.11.1 09.28.2006 no virus found
VirusBuster 4.3.7:9 09.28.2006 no virus found

Aditional Information
File size: 0 bytes
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709

STATUS: FINISHEDComplete scanning result of "lsvktcvidsaer.exe", received in VirusTotal at 09.29.2006, 08:01:50 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.18 09.28.2006 no virus found
Authentium 4.93.8 09.28.2006 no virus found
Avast 4.7.892.0 09.27.2006 no virus found
AVG 386 09.27.2006 no virus found
BitDefender 7.2 09.29.2006 no virus found
CAT-QuickHeal 8.00 09.28.2006 no virus found
ClamAV devel-20060426 09.28.2006 no virus found
DrWeb 4.33 09.28.2006 no virus found
eTrust-InoculateIT 23.73.8 09.29.2006 no virus found
eTrust-Vet 30.3.3104 09.28.2006 no virus found
Ewido 4.0 09.28.2006 no virus found
Fortinet 2.82.0.0 09.29.2006 no virus found
F-Prot 3.16f 09.28.2006 no virus found
F-Prot4 4.2.1.29 09.28.2006 no virus found
Ikarus 0.2.65.0 09.28.2006 no virus found
Kaspersky 4.0.2.24 09.29.2006 no virus found
McAfee 4862 09.28.2006 no virus found
Microsoft 1.1603 09.29.2006 no virus found
NOD32v2 1.1782 09.28.2006 probably unknown NewHeur_PE virus
Norman 5.90.23 09.28.2006 no virus found
Panda 9.0.0.4 09.28.2006 no virus found
Sophos 4.10.0 09.29.2006 no virus found
Symantec 8.0 09.29.2006 no virus found
TheHacker 6.0.1.086 09.29.2006 no virus found
UNA 1.83 09.28.2006 no virus found
VBA32 3.11.1 09.28.2006 no virus found
VirusBuster 4.3.7:9 09.28.2006 no virus found

Aditional Information
File size: 57344 bytes
MD5: 5e1932c09dcf598ce4aa32d506a26a28
SHA1: 44fd1460edb0d1e54cc06bbc15925bc94732faf5

Whisperer

Sep 29 2006, 04:31 AM

Thanks a lot for the latest,

If you could not find the files in a search how did you manage to upload them to Jotti and VirusTotal?

Please try a search on your computer for files containing the following ?sv?tc?ids?er.exe including the question marks - make sure that hidden files are still showing.

I would also like to know where and how you found those additional files, did they show up in HijackThis or just your own investigative browsing, either way well done for pushing upwards.

Be back later

GT

Whisperer

Sep 29 2006, 02:15 PM

Hi pcdome,

Please post the answers to the above when available and continue with what follows as you can.

Download Silentrunners.zip from here and save it to your Desktop.
1. First you will need to extract the file(s).
  - Right click on the zipped folder and from the new menu click on Extract All
  - In the 'Extraction Wizard' window that opens, click on Next
  - Click on Next again.
  - In the final window, click on Finish
  - You should now see the contents of the Silent Runners folder - Silent Runnners.vbs.
2. Double click Silent Runners.vbs to run it.
  IMPORTANT
  Some real-time protection programs may warn you of a possibly malicious script being detected when you run Silent Runnners.vbs, allow it to run. Alternatively, disable any script blocking software you have running before you start.
3. You will receive a prompt: Do you want to skip supplementary searches? - click NO
4. Once the All Done! prompt flashes up, open the Startup Program text file that has appeared in the folder and copy & paste it into your next reply.
Open your HijackThis
1. Click on Open the Misc Tools section or Config… button, depending on how you are set up.
2. If you used the Config... option then click the Misc Tools tab
3. Next to Generate StartupList log place a check next to List also minor sections (full) and List empty sections (complete). then click Generate StartupList log
4. Click Yes
5. A list of your startup programs will be displayed in the file startuplist.txt .
Download Gmer to your Desktop and unzip it to your Desktop.
- Disconnect from internet and close running programs.
  There is a small chance this application may crash your computer so save any work you have open.
- Double click gmer.exe and let the gmer.sys driver load if asked.
  If it gives you a warning at program start about rootkit activity and asks if you want to run scan ...say Ok.
- If no warning Click the Rootkit tab and click Scan .
- Wait for scan to finish.
- Once done click the Copy button.
- Open Notepad and hit Ctrl+V to paste the log. Save it to your Desktop as Gmer1 please.
  Next…
- Click the Autostart tab then the Scan button. Once its done click the Copy button and paste it into a new notepad document. Save that document as Gmer2 to your desktop please.
- Close gmer. Reconnect to the internet.
  If for any reason Gmer fails to run in Normal mode then reboot to Safe mode as this tool will work well in either. Then run the two Gmer scans
Please post
- An up-to-date HijackThis log in your next reply

GT

pcdome

Sep 29 2006, 06:38 PM

Hi Whisperer,

Here are the files that I found using the "?" mark file you told me to search for. They are all in the C:\WINDOWS folder

asvvtccidsger
csvatcgidsher
gsvctcaidsger

To answer your questions I copied and posted the files and directories into the Jotti & VirusTotal site, but I could never find them searching on my own. However, they are definetly somewhere because everytime I turn my computer on SnoopFree tells me that one of the files is trying to log my keystrokes, so I always deny access to the program. SnoopFree always reports that their in C:\WINDOWS\filename but I can't find them.

The new files were found while looking for the other files, I just thought they were strange names, with similar names to the files I was searching for, and were rather lengthy file names. All of these things set of alarms in my head that there is something wrong, so I figured it wouldn't be a bad thing to have them looked at by Jotti & VirusTotal.

Okay, I have a few minutes so I'm going to upload the files to the analysis cell now. I didn't have the time yesterday.

Talk to you later,

pcDome

pcdome

Sep 30 2006, 07:08 PM

Hi Whisperer,

I'm going to post up my HJT Uninstall list. I'm sorry that I'm not doing it all in one posting, but my internet is acting so slowly these days (I suspect it's these malware problems that your helping me with) that I can only do what item from the list at a time. So, I want to post them when I finish just in case I can't get through the next step before I have to go somewhere.

Here's the list, I'm writing in red next to the files either "Don't Know" for the files that I don't know what they are. These are files that I can't seem to uninstall through the control panel or don't appear on the control panel's list. If you see anything on here that I should remove and I don't mark it please let me know.

Below the uninstall list is a new HJT posting. I'm a little concerned with a file on there called VM_STI.exe I've recently seen it running in my task manager. I've tried to search for the file on the internet but can't find any info about it. So I'm a little worried b/c as far as I can tell it's new on my computer and not something I installed, also there is no info so that worries me. Usually, if a program is safe it can be found when searching for the programs name. The last reason I'm concerned about it is because of it's locations the following are the 3 locations I found it in:

C:\WINDOWS\VM_STI
C:\WINDOWS\LastGood\VM_STI (the file path LastGood, I have no idea what that is from)
C:\WINDOWS\Programfiles\Vimicro\VM301B\Driver Autoinstall\Driver Files (spaces are included in the directory)

I'm not trying to step on your toes, because I'm by no means the professional you are, but having been working on these problems with you for so long, I'm starting to notice odd things and learn a little bit about this stuff. So, I'm posting this info only to try and help make your life easier, if I notice something funny.

Thanks a million times over.

pcDome

Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Illustrator CS
Adobe Photoshop CS
Adobe Reader 7.0.8
Adobe SVG Viewer 3.0
AeCOAUμ|(Unified Codec Pack) 8.0.0.5 ≫eA|
Alcohol 120% (Trial Version)
BitComet 0.56
Canon MP Drivers 7.0
Canon ScanGear Starter
CASHFLOW?202 THE E-GAME
CASHFLOW?THE E-GAME
ccCommon Don't Know
CCleaner (remove only)
CN°OAO Don't Know
CN°OAO AUμ¿ AI½ºAc·? Don't Know
CN°OAO º¸¾EÆÐA¡ Don't Know
CN¹æ¿¡~ V2.15 Don't Know
Codec 7.8i
Desktop Weather by The Weather Channel
ewido anti-spyware 4.0
GOM Player
Google Earth
Google SketchUp
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Internet Explorer Q903235
Internet Worm Protection Don't Know
iPod for Windows 2005-10-12
iTunes
J2SE Runtime Environment 5.0 Update 8
Juice 2.2
LiveUpdate 3.0 (Symantec Corporation)
Macromedia ColdFusion MX 7
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Fireworks 8
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia Flash Player 8
Macromedia Flash Player 8 Plugin
Macromedia Shockwave Player
Microsoft .NET Framework 2.0
Microsoft Data Access Components KB870669
Microsoft Office Professional Edition 2003
MSN Messenger 7.5
NAVShortcut
Nero 6 Ultra Edition
Norton AntiVirus 2006
Norton AntiVirus 2006 (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton Protection Center
Norton WMI Update
nProtect KeyCrypt Don't Know
nProtect Netizen Ver.3(remove only) Don't Know
NVIDIA Drivers
PDF reDirect (remove only)
PeerGuardian 2.0
PowerISO
QuickTime
Real Alternative 1.46
Realtek AC'97 Audio
REALTEK Gigabit and Fast Ethernet NIC Driver
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896426)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905495)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Serif DrawPlus 4.0
Slim TV Driver Don't Know
SnoopFree Privacy Shield
SoftCamp Secure KeyStroke 4.0 Don't Know
SPBBC Don't Know
Spybot - Search & Destroy 1.4
Symantec
The Rosetta Stone
ToToBrowser verion 2
TV Card Don't Know
TV Card Driver Don't Know
TV Driver Don't Know
TVUPlayer 2.2.0
Update for Windows XP (KB835409)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
VideoLAN VLC media player 0.8.4a
VobSub v2.23 (Remove Only)
Weather Services
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Hotfix [See Q828026 for more information]
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB826939
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833407
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB871250
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB883939
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889293
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891711
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892944
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Hotfix - KB896688
Windows XP Hotfix - KB896727
Windows XP Hotfix - KB897715
Windows XP Hotfix - KB905915
Windows XP Hotfix - KB911567
Windows XP Hotfix - KB912812
Windows XP Hotfix - KB916281
Windows XP Hotfix - KB918439
Windows XP Hotfix - KB918899
Windows XP Hotfix - KB925486
WinISO 5.3
WinRAR archiver
XecureWeb Control Don't Know
Yahoo! Messenger
ZoneAlarm Pro

HJT Log
Logfile of HijackThis v1.99.1
Scan saved at 9:09:24 AM, on 10/1/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SnoopFreeUI.exe
C:\WINDOWS\VM_STI.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\CFusionMX7\runtime\bin\jrunsvc.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
C:\CFusionMX7\runtime\bin\jrun.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2server.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2index.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HJT.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE lebeca web camera driver
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\SymProbe.exe -r "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ksvhtclidsver] ksvhtclidsver.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {3D51DCE5-683F-422E-AB48-9D21E6DD5808} (cRsiteup.acRsiteup) - http://www.hebogo.com/ActiveX/cRsiteup.cab
O16 - DPF: {3E5BBDC8-18F9-4A70-94B5-DD64929C0AF4} (AniCastH Class) - http://gogo.jaeminara.co.kr/gogo/hansol/na...ol/axacastH.cab
O16 - DPF: {4E52C32F-C143-4963-A758-2DB07703CB49} (YahooCS Class) - http://kr.memo.yahoo.com/CAB/YahooWCS.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.spatic.go.kr/www/msxml4.cab
O16 - DPF: {95FAA6CA-9CD5-40A5-B9EA-2ED419D4D9E7} - http://www.spatic.go.kr/www/ZeusWEB.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} - http://kings.nefficient.co.kr/kings/kdfx/k...29/kdfense8.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://id.hangame.com/common/HanSetup1008.cab
O16 - DPF: {D2A4C311-F608-4E0E-BBFE-6B25E31AC15B} (Kdfense5 Control) - http://kings.cachenet.com/kdf5106/kdfense5.cab
O16 - DPF: {E0BF7A2B-2F7C-497A-B50F-292D3F317965} (CongnamulMap Control) - http://www.congnamul.com/ActiveX/Release/C...amulMap_V17.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/eng/billard8_2_0_0_28.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ColdFusion MX 7 Application Server - Macromedia Inc. - C:\CFusionMX7\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX 7 Search Server - Unknown owner - C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe" -cfg "C:\CFusionMX7\verity\k2\common\verity.cfg" -ntstart 1 (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

pcdome

Sep 30 2006, 08:43 PM

Alrighty, I've finished the scans. Only one note when I started SilentRunners it tried to install that SpywareRemover Program that we removed a while ago, the install could never find the program, but I still had to hit cancel 3 or 4 times in order for SilentRunners to start. Also, the SilentRunners program never said "All Done" but it did automatically save the list to the desktop.

Once again, I just want to remind you that for most of this coming week I won't be at my computer. I'll be gone from your Monday night until your Friday morning. So if you post during this time please understand that I won't be able to work on your instructions.

Have a great weekend!

pcDome

SilentRunners:

"Silent Runners.vbs", revision 48, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"BitComet" = ""C:\Program Files\BitComet\BitComet.exe"" ["www.BitComet.com"]
"updateMgr" = ""C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1" ["Adobe Systems Incorporated"]
"PeerGuardian" = "C:\Program Files\PeerGuardian2\pg2.exe" ["Methlabs"]
"Yahoo! Pager" = ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet" ["Yahoo! Inc."]
"ksvhtclidsver" = "ksvhtclidsver.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"winupx Service" = "winupx.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"IMJPMIG8.1" = ""C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS]
"PHIME2002ASync" = "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]
"PHIME2002A" = "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]
"SnoopFreeUI" = "SnoopFreeUI.exe" ["SnoopFree Software"]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]
"BigDogPath" = "C:\WINDOWS\VM_STI.EXE lebeca web camera driver" ["VM."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"SSC_UserPrompt" = ""C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"" ["Symantec Corporation"]
"NAV CfgWiz" = "C:\Program Files\Common Files\Symantec Shared\SymProbe.exe -r "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll" ["Sun Microsystems, Inc."]
{A8F38D8D-E480-4D52-B7A2-731BB6995FDD}\(Default) = "NAV Helper"
-> {HKLM...CLSID} = "CNavExtBho Class"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{2AA489CC-FEDC-4DD5-A693-0B8FED9D8B0D}" = "ALSee 1.0 Context Menu Shell Extension"
-> {HKLM...CLSID} = "ALSee 1.0 Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\ESTsoft\ALSee\ASSHLE~1.DLL" [file not found]
"{170C6CC2-9FB2-42e1-9184-5336C51EBE6D}" = "ViRobot Expert Ver 4.0"
-> {HKLM...CLSID} = "ViRobot Expert Ver 4.0"
\InProcServer32\(Default) = "C:\Program Files\ViRobotXP\VShExt.dll" [file not found]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
-> {HKLM...CLSID} = "ShellLink for Application References"
\InProcServer32\(Default) = "C:\WINDOWS\System32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
-> {HKLM...CLSID} = "Shell Icon Handler for Application References"
\InProcServer32\(Default) = "C:\WINDOWS\System32\dfshim.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ALSee\(Default) = "{2AA489CC-FEDC-4DD5-A693-0B8FED9D8B0D}"
-> {HKLM...CLSID} = "ALSee 1.0 Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\ESTsoft\ALSee\ASSHLE~1.DLL" [file not found]
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Bliss.bmp"

Startup items in "Robb" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Run Full System Scan - Robb" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /TASK:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 22
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
"{C4069E3A-68F1-403E-B40E-20066696354B}"
-> {HKLM...CLSID} = "Norton AntiVirus"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
"{C4069E3A-68F1-403E-B40E-20066696354B}" = "Norton AntiVirus"
-> {HKLM...CLSID} = "Norton AntiVirus"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\
"ButtonText" = "Yahoo! Messenger"
"MenuText" = "Yahoo! Messenger"
"Exec" = "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" ["Yahoo! Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Automatic LiveUpdate Scheduler, Automatic LiveUpdate Scheduler, ""C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"" ["Symantec Corporation"]
ColdFusion MX 7 Application Server, ColdFusion MX 7 Application Server, ""C:\CFusionMX7\runtime\bin\jrunsvc.exe"" ["Macromedia Inc."]
ColdFusion MX 7 Search Server, ColdFusion MX 7 Search Server, ""C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe" -cfg "C:\CFusionMX7\verity\k2\common\verity.cfg" -ntstart 1" ["Verity, Inc."]
ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "C:\Program Files\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]
Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton AntiVirus Firewall Monitor Service, NPFMntor, ""C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe"" ["Symantec Corporation"]
Norton Protection Center Service, NSCService, ""C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE"" ["Symantec Corporation"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Snoop Free Service, SnoopFreeSvc, "System32\SnoopFreeSvc.exe" [null data]
SPBBCSvc, SPBBCSvc, ""C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, ""C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Canon BJ Language Monitor MP110\Driver = "CNMLM6f.DLL" ["CANON INC."]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
PDF reDirect Monitor\Driver = "PDFreDirectMonNT.dll" [null data]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 198 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 261 seconds.
---------- (total run time: 1331 seconds)

HJT Startup List:

StartupList report, 10/1/2006, 9:36:17 AM
StartupList version: 1.52.2
Started from : C:\Program Files\HijackThis\HJT.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SnoopFreeUI.exe
C:\WINDOWS\VM_STI.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\CFusionMX7\runtime\bin\jrunsvc.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
C:\CFusionMX7\runtime\bin\jrun.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2server.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2index.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\WScript.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\HijackThis\HJT.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\System32\Userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IMJPMIG8.1 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
PHIME2002ASync = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
SoundMan = SOUNDMAN.EXE
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
SnoopFreeUI = SnoopFreeUI.exe
BigDogPath = C:\WINDOWS\VM_STI.EXE lebeca web camera driver
SunJavaUpdateSched = "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
SSC_UserPrompt = "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
NAV CfgWiz = C:\Program Files\Common Files\Symantec Shared\SymProbe.exe -r "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\WINDOWS\System32\ctfmon.exe
BitComet = "C:\Program Files\BitComet\BitComet.exe"
updateMgr = "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
PeerGuardian = C:\Program Files\PeerGuardian2\pg2.exe
Yahoo! Pager = "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
ksvhtclidsver = ksvhtclidsver.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD}
(no name) - c:\program files\google\googletoolbar2.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Run Full System Scan - Robb.job

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://fpdownload.macromedia.com/get/shock...director/sw.cab

[cRsiteup.acRsiteup]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\cRsiteup.ocx
CODEBASE = http://www.hebogo.com/ActiveX/cRsiteup.cab

[AniCastH Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\axACastH.dll
CODEBASE = http://gogo.jaeminara.co.kr/gogo/hansol/na...ol/axacastH.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc3.cab

[Malicious Software Removal Tool]
InProcServer32 = C:\WebCleaner.dll
CODEBASE = http://download.microsoft.com/download/b/d.../WebCleaner.cab

[YahooCS Class]
CODEBASE = http://kr.memo.yahoo.com/CAB/YahooWCS.cab

[XML DOM Document 4.0]
InProcServer32 = %SystemRoot%\System32\msxml4.dll
CODEBASE = http://www.spatic.go.kr/www/msxml4.cab

[{95FAA6CA-9CD5-40A5-B9EA-2ED419D4D9E7}]
CODEBASE = http://www.spatic.go.kr/www/ZeusWEB.cab

[{A4508A45-F1C4-40F3-99B4-0CA08AC77E3B}]
CODEBASE = http://kings.nefficient.co.kr/kings/kdfx/k...29/kdfense8.cab

[HanSetupCtrl1008 Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\HanSetup1008.dll
CODEBASE = http://id.hangame.com/common/HanSetup1008.cab

[{D27CDB6E-AE6D-11CF-96B8-444553530000}]
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash9.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

[Kdfense5 Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\kdfense5.ocx
CODEBASE = http://kings.cachenet.com/kdf5106/kdfense5.cab

[CongnamulMap Control]
InProcServer32 = C:\WINDOWS\System32\CONGNA~1.OCX
CODEBASE = http://www.congnamul.com/ActiveX/Release/C...amulMap_V17.cab

[GameDesire Pool 8]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Billard8.dll
CODEBASE = http://67.15.101.3/g_bin/eng/billard8_2_0_0_28.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

winupx Service = winupx.exe

--------------------------------------------------

End of report, 9,138 bytes
Report generated in 1.063 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

pcdome

Sep 30 2006, 08:50 PM

Sorry I ran out of space for posting so I had to split the Gmer1 scan here and Gmer2 scans.
Gmer1:

GMER 1.0.11.11390 - http://www.gmer.net
Rootkit 2006-10-01 10:19:32
Windows 5.1.2600 Service Pack 1

---- System - GMER 1.0.11 ----

SSDT 81FC1410 ZwAlertResumeThread
SSDT 81FE8C20 ZwAlertThread
SSDT 820BC160 ZwAllocateVirtualMemory
SSDT d346bus.sys ZwClose
SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwCreateKey
SSDT 81FF8A60 ZwCreateMutant
SSDT d346bus.sys ZwCreatePagingFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT 820C6158 ZwCreateThread
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwDeleteKey
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT d346bus.sys ZwEnumerateKey
SSDT d346bus.sys ZwEnumerateValueKey
SSDT 820B4C60 ZwFreeVirtualMemory
SSDT 82016BE0 ZwImpersonateAnonymousToken
SSDT 82017478 ZwImpersonateThread
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadDriver
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwMapViewOfSection
SSDT 81FCD410 ZwOpenEvent
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT d346bus.sys ZwOpenKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT 820BD1A8 ZwOpenProcessToken
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT 82042268 ZwOpenThreadToken
SSDT d346bus.sys ZwQueryKey
SSDT 8202AEA0 ZwQueryValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT 821896D8 ZwResumeThread
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT 82081238 ZwSetContextThread
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT 8202C1C8 ZwSetInformationProcess
SSDT 81FC7D18 ZwSetInformationThread
SSDT \SystemRoot\System32\vsdatant.sys ZwSetSystemInformation
SSDT d346bus.sys ZwSetSystemPowerState
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwSetValueKey
SSDT 8202AB18 ZwSuspendProcess
SSDT 81FDEEB0 ZwSuspendThread
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess
SSDT 82037A48 ZwTerminateThread
SSDT \SystemRoot\System32\vsdatant.sys ZwUnloadDriver
SSDT 82039168 ZwUnmapViewOfSection
SSDT 820B9DC8 ZwWriteVirtualMemory

---- Devices - GMER 1.0.11 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 82365BB0
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F6B40230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F6B40230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F6B40230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F6B40230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F6B40230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F6B40230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F6B40230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F6B40230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F6B40230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F6B40230] vsdatant.sys
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 8208F280
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_NAMED_PIPE 8208F280
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 8208F280
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 8208F280
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 8208F280
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_INFORMATION 8208F280
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_INFORMATION 8208F280
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_EA 8208F280
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_EA 8208F280
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 8208F280
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_VOLUME_INFORMATION 8208F280
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_VOLUME_INFORMATION 8208F280
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DIRECTORY_CONTROL 8208F280
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FILE_SYSTEM_CONTROL 8208F280
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 8208F280
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 8208F280
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 8208F280
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_LOCK_CONTROL 8208F280
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLEANUP 8208F280
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_MAILSLOT 8208F280
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_SECURITY 8208F280
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_SECURITY 8208F280
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 8208F280
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 8208F280
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CHANGE 8208F280
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_QUOTA 8208F280
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_QUOTA 8208F280
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 8208F280
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 82018C00
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 8208F280
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_NAMED_PIPE 8208F280
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 8208F280
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 8208F280
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 8208F280
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_INFORMATION 8208F280
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_INFORMATION 8208F280
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_EA 8208F280
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_EA 8208F280
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 8208F280
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_VOLUME_INFORMATION 8208F280
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_VOLUME_INFORMATION 8208F280
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DIRECTORY_CONTROL 8208F280
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FILE_SYSTEM_CONTROL 8208F280
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 8208F280
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 8208F280
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 8208F280
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_LOCK_CONTROL 8208F280
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLEANUP 8208F280
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_MAILSLOT 8208F280
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_SECURITY 8208F280
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_SECURITY 8208F280
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 8208F280
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 8208F280
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CHANGE 8208F280
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_QUOTA 8208F280
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_QUOTA 8208F280
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 8208F280
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE 820F2E40
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE_NAMED_PIPE 820F2E40
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CLOSE 820F2E40
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_READ 820F2E40
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_WRITE 820F2E40
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_INFORMATION 820F2E40
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_INFORMATION 820F2E40
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_EA 820F2E40
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_EA 820F2E40
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_FLUSH_BUFFERS 820F2E40
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_VOLUME_INFORMATION 820F2E40
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_VOLUME_INFORMATION 820F2E40
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DIRECTORY_CONTROL 820F2E40
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_FILE_SYSTEM_CONTROL 820F2E40
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DEVICE_CONTROL 820F2E40
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_INTERNAL_DEVICE_CONTROL 820F2E40
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SHUTDOWN

pcdome

Sep 30 2006, 08:52 PM

Gmer1 Cont'd:

820F2E40
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_VOLUME_INFORMATION 820F2E40
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_VOLUME_INFORMATION 820F2E40
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DIRECTORY_CONTROL 820F2E40
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FILE_SYSTEM_CONTROL 820F2E40
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CONTROL 820F2E40
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL 820F2E40
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SHUTDOWN 820F2E40
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_LOCK_CONTROL 820F2E40
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLEANUP 820F2E40
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_MAILSLOT 820F2E40
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_SECURITY 820F2E40
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_SECURITY 820F2E40
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_POWER 820F2E40
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SYSTEM_CONTROL 820F2E40
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CHANGE 820F2E40
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_QUOTA 820F2E40
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_QUOTA 820F2E40
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_PNP 820F2E40
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_CREATE 820F2E40
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_CREATE_NAMED_PIPE 820F2E40
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_CLOSE 820F2E40
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_READ 820F2E40
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_WRITE 820F2E40
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_QUERY_INFORMATION 820F2E40
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_SET_INFORMATION 820F2E40
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_QUERY_EA 820F2E40
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_SET_EA 820F2E40
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_FLUSH_BUFFERS 820F2E40
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_QUERY_VOLUME_INFORMATION 820F2E40
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_SET_VOLUME_INFORMATION 820F2E40
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_DIRECTORY_CONTROL 820F2E40
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_FILE_SYSTEM_CONTROL 820F2E40
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_DEVICE_CONTROL 820F2E40
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_INTERNAL_DEVICE_CONTROL 820F2E40
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_SHUTDOWN 820F2E40
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_LOCK_CONTROL 820F2E40
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_CLEANUP 820F2E40
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_CREATE_MAILSLOT 820F2E40
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_QUERY_SECURITY 820F2E40
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_SET_SECURITY 820F2E40
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_POWER 820F2E40
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_SYSTEM_CONTROL 820F2E40
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_DEVICE_CHANGE 820F2E40
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_QUERY_QUOTA 820F2E40
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_SET_QUOTA 820F2E40
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_PNP 820F2E40
Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_CREATE 820F2E40
Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_CREATE_NAMED_PIPE 820F2E40
Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_CLOSE 820F2E40
Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_READ 820F2E40
Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_WRITE 820F2E40
Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_QUERY_INFORMATION 820F2E40
Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_SET_INFORMATION 820F2E40
Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_QUERY_EA 820F2E40
Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_SET_EA 820F2E40
Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_FLUSH_BUFFERS 820F2E40
Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_QUERY_VOLUME_INFORMATION 820F2E40
Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_SET_VOLUME_INFORMATION 820F2E40
Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_DIRECTORY_CONTROL 820F2E40
Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_FILE_SYSTEM_CONTROL 820F2E40
Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_DEVICE_CONTROL 820F2E40
Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_INTERNAL_DEVICE_CONTROL 820F2E40
Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_SHUTDOWN 820F2E40
Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_LOCK_CONTROL 820F2E40
Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_CLEANUP 820F2E40
Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_CREATE_MAILSLOT 820F2E40
Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_QUERY_SECURITY 820F2E40
Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_SET_SECURITY 820F2E40
Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_POWER 820F2E40
Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_SYSTEM_CONTROL 820F2E40
Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_DEVICE_CHANGE 820F2E40
Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_QUERY_QUOTA 820F2E40
Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_SET_QUOTA 820F2E40
Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_PNP 820F2E40
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-12 IRP_MJ_CREATE 820F2E40
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-12 IRP_MJ_CREATE_NAMED_PIPE 820F2E40
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-12 IRP_MJ_CLOSE 820F2E40
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-12 IRP_MJ_READ 820F2E40
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-12 IRP_MJ_WRITE 820F2E40
Device \Driver\atapi \Device\Ide\IdeDevi