> Need Lots Of Help Please
pcdome
post Aug 28 2006, 02:53 AM
Post #31
Hi Whisperer,

Okay, Qoofix did not find anything; here is the Qoofix logfile:

Qoofix v1.03 by http://www.malwarebytes.org
Scan started on [8/27/2006] at [2:30:58 PM]
-------------------------------------------------------------
No malicious modules found!
-------------------------------------------------------------
No Qoologic infected files found!
-------------------------------------------------------------
Scan COMPLETED SUCCESSFULLY on [8/27/2006] at [2:32:49 PM]

Note: Some registry keys may have been removed.


Here is the latest WinPFind logfile:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
PECompact2 5/7/2005 12:09:12 AM 1011032 C:\WebCleaner.dll
aspack 5/7/2005 12:09:12 AM 1011032 C:\WebCleaner.dll

Checking %ProgramFilesDir% folder...
UPX! 1/12/2006 11:30:34 PM 289183480 C:\Program Files\coldfusion-70-win.exe
PEC2 1/12/2006 11:30:34 PM 289183480 C:\Program Files\coldfusion-70-win.exe

Checking %WinDir% folder...
UPX! 3/15/2004 7:28:50 PM 69120 C:\WINDOWS\daemon.dll
UPX! 8/15/2005 2:03:36 PM 65536 C:\WINDOWS\IFinst27.exe
UPX! 6/10/2002 12:00:00 PM 31426 C:\WINDOWS\VRUNACE.DLL
UPX! 6/10/2002 12:00:00 PM 57598 C:\WINDOWS\VRUNCAB.DLL
UPX! 6/10/2002 12:00:00 PM 44032 C:\WINDOWS\VRUNGZIP.DLL
UPX! 6/10/2002 12:00:00 PM 41589 C:\WINDOWS\VRUNRAR.DLL

Checking %System% folder...
PEC2 8/24/2001 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 2/23/2003 8:24:06 PM 86016 C:\WINDOWS\SYSTEM32\div3ds32.ax
PEC2 1/20/2005 2:40:44 PM 716800 C:\WINDOWS\SYSTEM32\divx.dll
PECompact2 1/20/2005 2:40:44 PM 716800 C:\WINDOWS\SYSTEM32\divx.dll
UPX! 1/19/2005 5:26:32 AM 49019 C:\WINDOWS\SYSTEM32\Dunzip32.dll
aspack 6/30/2005 5:37:06 PM 56320 C:\WINDOWS\SYSTEM32\IdiskLauncherEx.exe
aspack 6/14/2004 11:42:24 AM 109568 C:\WINDOWS\SYSTEM32\IdiskUpdateParan.dll
UPX! 6/8/2005 9:00:00 PM 689152 C:\WINDOWS\SYSTEM32\LIVECALL.DLL
PECompact2 6/9/2006 10:19:50 AM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 6/9/2006 10:19:50 AM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
PEC2 2/3/2003 3:01:02 PM 186368 C:\WINDOWS\SYSTEM32\msaud32_divx.acm
UPX! 3/31/2004 5:55:24 PM 172544 C:\WINDOWS\SYSTEM32\npkcsvc.exe
UPX! 5/9/2005 8:26:00 PM 694784 C:\WINDOWS\SYSTEM32\npscan.dll
Umonitor 8/29/2002 12:41:10 PM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 5/20/2005 4:10:10 PM 1691648 C:\WINDOWS\SYSTEM32\RPRes.dll
UPX! 2/7/2005 6:29:32 PM 170496 C:\WINDOWS\SYSTEM32\upx.exe
qoologic 6/23/2006 8:20:00 PM 2008665 C:\WINDOWS\SYSTEM32\v3warpns.v3d
aspack 5/19/2004 4:55:12 PM 250368 C:\WINDOWS\SYSTEM32\VRAZMAIN.DLL
UPX! 5/3/2005 12:01:00 PM 33792 C:\WINDOWS\SYSTEM32\VRMEM.DLL
UPX! 6/9/2004 2:01:58 PM 52736 C:\WINDOWS\SYSTEM32\vrpacker.dll
winsync 8/24/2001 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 12/18/2005 12:01:00 PM 2304352 C:\WINDOWS\SYSTEM32\drivers\vrcore.sys
ad-beh 12/18/2005 12:01:00 PM 2304352 C:\WINDOWS\SYSTEM32\drivers\vrcore.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
8/25/2006 9:29:44 PM S 2048 C:\WINDOWS\bootstat.dat
7/4/2006 10:54:44 PM RHS 227 C:\WINDOWS\assembly\Desktop.ini
7/4/2006 10:54:44 PM RH 0 C:\WINDOWS\assembly\PublisherPolicy.tme
7/4/2006 10:54:44 PM RH 0 C:\WINDOWS\assembly\pubpol1.dat
7/4/2006 10:59:54 PM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index1b.dat
7/4/2006 10:59:58 PM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index1c.dat
8/27/2006 8:40:06 AM H 35981 C:\WINDOWS\system32\vsconfig.xml
8/15/2006 8:31:48 AM H 4212 C:\WINDOWS\system32\zllictbl.dat
8/28/2006 10:30:00 AM H 1024 C:\WINDOWS\system32\config\default.LOG
8/25/2006 9:29:50 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
8/25/2006 9:33:00 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
8/28/2006 10:38:22 AM H 20480 C:\WINDOWS\system32\config\software.LOG
8/28/2006 10:16:06 AM H 1024 C:\WINDOWS\system32\config\system.LOG
8/25/2006 9:29:56 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
1/20/2005 2:38:54 PM 417792 C:\WINDOWS\SYSTEM32\ac3filter.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 2/9/2004 7:38:24 PM 14225408 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/29/2002 12:41:28 PM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/29/2002 12:41:28 PM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Ahead Software AG 12/23/2003 3:40:52 PM 57344 C:\WINDOWS\SYSTEM32\ImageDrive.cpl
Microsoft Corporation 8/29/2002 12:41:28 PM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/29/2002 12:41:28 PM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/29/2002 12:41:28 PM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 7/26/2006 3:03:14 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 11/15/2004 4:51:00 PM 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 8/29/2002 12:41:28 PM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
The Weather Channel Interactive11/7/2005 3:49:38 PM 2980976 C:\WINDOWS\SYSTEM32\wxfw.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/29/2002 12:41:28 PM 578560 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/29/2002 12:41:28 PM 129024 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/29/2002 12:41:28 PM 292352 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/29/2002 12:41:28 PM 121856 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/29/2002 12:41:28 PM 65536 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/29/2002 12:41:28 PM 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/29/2002 12:41:28 PM 268288 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/24/2001 6:00:00 AM 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
5/29/2006 11:20:44 PM 1926 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
6/28/2005 5:55:08 PM 1765 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
1/18/2005 3:51:58 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
1/18/2005 9:41:10 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
6/30/2006 11:34:58 AM 1390 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
1/18/2005 3:51:58 PM HS 84 C:\Documents and Settings\Robb\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
1/18/2005 9:41:10 PM HS 62 C:\Documents and Settings\Robb\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ALSee
{2AA489CC-FEDC-4DD5-A693-0B8FED9D8B0D} = C:\PROGRA~1\ESTsoft\ALSee\ASSHLE~1.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\PowerISO
{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} = C:\Program Files\PowerISO\PWRISOSH.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\PowerISO
{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} = C:\Program Files\PowerISO\PWRISOSH.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\PowerISO
{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} = C:\Program Files\PowerISO\PWRISOSH.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Adobe PDF Reader Link Helper = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar2.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}
ButtonText = Yahoo! Messenger : C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
IMJPMIG8.1 "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
PHIME2002ASync C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
SoundMan SOUNDMAN.EXE
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz nwiz.exe /install
NvMediaCenter RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
SnoopFreeUI SnoopFreeUI.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
SSC_UserPrompt C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
KernelFaultCheck %systemroot%\system32\dumprep 0 -k
BigDogPath C:\WINDOWS\VM_STI.EXE lebeca web camera driver
SunJavaUpdateSched "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\WINDOWS\System32\ctfmon.exe
BitComet "C:\Program Files\BitComet\BitComet.exe"
updateMgr "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
PeerGuardian C:\Program Files\PeerGuardian2\pg2.exe
Yahoo! Pager "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
ypagerps1 cmd.exe /C del "C:\Program Files\Yahoo!\Messenger\ypagerps1.DLL"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoCDBurning 0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
winupx Service winupx.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\System32\Userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/28/2006 10:38:38 AM

Lastly here is the latest HJT logfile:

Logfile of HijackThis v1.99.1
Scan saved at 2:35:20 PM, on 8/27/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\VM_STI.EXE
C:\CFusionMX7\runtime\bin\jrunsvc.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
C:\Program Files\BitComet\BitComet.exe
C:\CFusionMX7\runtime\bin\jrun.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2server.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2index.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\conime.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\HijackThis\HJT.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE lebeca web camera driver
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\RunOnce: [ypagerps1] cmd.exe /C del "C:\Program Files\Yahoo!\Messenger\ypagerps1.DLL"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {3E5BBDC8-18F9-4A70-94B5-DD64929C0AF4} (AniCastH Class) - http://gogo.jaeminara.co.kr/gogo/hansol/na...ol/axacastH.cab
O16 - DPF: {4E52C32F-C143-4963-A758-2DB07703CB49} (YahooCS Class) - http://kr.memo.yahoo.com/CAB/YahooWCS.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.spatic.go.kr/www/msxml4.cab
O16 - DPF: {95FAA6CA-9CD5-40A5-B9EA-2ED419D4D9E7} (MapView Class) - http://www.spatic.go.kr/www/ZeusWEB.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} - http://kings.nefficient.co.kr/kings/kdfx/k...29/kdfense8.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://id.hangame.com/common/HanSetup1008.cab
O16 - DPF: {D2A4C311-F608-4E0E-BBFE-6B25E31AC15B} (Kdfense5 Control) - http://kings.cachenet.com/kdf5106/kdfense5.cab
O16 - DPF: {E0BF7A2B-2F7C-497A-B50F-292D3F317965} (CongnamulMap Control) - http://www.congnamul.com/ActiveX/Release/C...amulMap_V17.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ColdFusion MX 7 Application Server - Macromedia Inc. - C:\CFusionMX7\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX 7 Search Server - Unknown owner - C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe" -cfg "C:\CFusionMX7\verity\k2\common\verity.cfg" -ntstart 1 (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Hope you are doing well.

pcDome
Whisperer
post Aug 29 2006, 02:59 AM
Post #32


Senior Member
****

Group: Members
Posts: 405
Joined: 29-May 05
Member No.: 21,742



Hi pcdome,

I am well, and thank you for the enquiry. Apart from your BitComet, your HijackThis log appears clear of malware. I am glad that the Qoologic was also clear; further research shows that the file in question, v3warpns.v3d, is associated with a game, sorry for the error.

I do have more queries that are caused by unknown programs that may be familiar to you or your wife, so I will start with them.

Q1. Are you happy with the assembly directory here, C:\WINDOWS\assembly, and what does it do? Which leads to: are you a programmer?

Q2. What can you tell me about the following files, as I cannot find any 'English' information about them? I will give the full path of each:
  • C:\WINDOWS\IFinst27.exe
  • C:\WINDOWS\SYSTEM32\IdiskLauncherEx.exe
  • C:\WINDOWS\SYSTEM32\IdiskUpdateParan.dll
  • C:\WINDOWS\SYSTEM32\npkcsvc.exe
  • C:\WINDOWS\SYSTEM32\RPRes.dll
  • C:\WINDOWS\SYSTEM32\upx.exe
  • C:\WINDOWS\SYSTEM32\vrpacker.dll
  • C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
Q3. Do you have an NVIDIA card installed?

Next is to complete the information quest by putting any of the unknown files above through to our friends at Jotti and VirusTotal, except QTSBandwidthCache. In this case please give me some idea of what is in the folder.

If needed then…
  1. I would like you to upload any remaining unknown files to the Jotti web site.
    • Click on the Browse button and navigate to the directory for the file
    • Locate the file and click to select
    • Click the Submit button
    • You may have to try more than once if the service load is close to 100% but you will get an online answer
  2. Now repeat the upload to the VirusTotal site.
    • Click the Browse button, navigate to the conime.exe and click to select.
    • Click the Send icon
    • This time you will receive an email response
    • Please copy the contents and place in your next reply
  3. Please forward the information about each of the files and any other amplifying comments
GT
pcdome
post Sep 6 2006, 11:26 PM
Post #33


Member
**

Group: Members
Posts: 39
Joined: 3-July 06
Member No.: 74,474



Hi Whisperer,

I'm sorry for such a long delay in my reply. However, every time I've gone to use Jotti the server was too busy. I haven't tried to post on VirusTotal yet, simply because I was trying to follow the steps in order, so I forgot about VirusTotal.

Anyhow, to answer some of your questions: no, I am not a programmer, and I don't know what the assembly folder is for. Secondly, I don't know what any of those programs are for, so I don't have any further information on them. I will post them to Jotti & VirusTotal as soon as possible to check them. Lastly, yes, I have an NVIDIA card installed.

Sincerely,

pcDome
Whisperer
post Sep 7 2006, 05:39 AM
Post #34


Senior Member
****

Group: Members
Posts: 405
Joined: 29-May 05
Member No.: 21,742



Thanks for the update, there is so much unknown malware around nowadays that it is not surprising that Jotti is clogged.
Please push the files to VirusTotal first, it makes no difference, and when you get the reports from them please post their answers.
We may not have to use Jotti, but two engines are better than one!
Whisperer
post Sep 17 2006, 09:50 AM
Post #35


Senior Member
****

Group: Members
Posts: 405
Joined: 29-May 05
Member No.: 21,742



Hi pcdome,

Any progress as yet?

GT
pcdome
post Sep 18 2006, 05:36 PM
Post #36


Member
**

Group: Members
Posts: 39
Joined: 3-July 06
Member No.: 74,474



Sorry I just moved apartments and was without the internet for like a week. I'm going to get back on this today.
pcdome
post Sep 20 2006, 08:18 AM
Post #37


Member
**

Group: Members
Posts: 39
Joined: 3-July 06
Member No.: 74,474



Phew! I'm finally getting to upload these files to Jotti & Virus Total. Actually, I've finished with Jotti, but Virus Total is taking foreeevver. Actually, I think Virus Total has frozen up on me, and I'm very tired, and need to go to bed b/c I have an early morning class tomorrow. However, I figured I could give you the information I have from these virus search programs.

Jotti found nothing on the files but put up a cautionary statement on every file except the final one. Please see the results post below. All the programs on Virus Total found nothing except for one on each file from different virus search programs. Please see this posting below too. Note, that the Virus Total posting is not complete, I hope to continue tomorrow morning.

Jotti Post:

File: IFinst27.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.) (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)

File: IdiskLauncherEx.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)

File: IdiskUpdateParan.dll
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)

File: npkcsvc.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)

File: Rpres.dll
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)

File: upx.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.) (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)

File: vrpacker.dll
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)

File: QTSBandwidthCache
Status: OK


Partial Virus Total Post:

STATUS: FINISHED
Complete scanning result of "IFinst27.exe", received in VirusTotal at 09.20.2006, 13:58:11 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.16 09.20.2006 no virus found
Authentium 4.93.8 09.19.2006 no virus found
Avast 4.7.844.0 09.19.2006 no virus found
AVG 386 09.19.2006 no virus found
BitDefender 7.2 09.20.2006 no virus found
CAT-QuickHeal 8.00 09.20.2006 no virus found
ClamAV devel-20060426 09.20.2006 no virus found
DrWeb 4.33 09.20.2006 no virus found
eTrust-InoculateIT 23.73.0 09.20.2006 no virus found
eTrust-Vet 30.3.3088 09.20.2006 no virus found
Ewido 4.0 09.20.2006 no virus found
Fortinet 2.82.0.0 09.20.2006 suspicious
F-Prot 3.16f 09.19.2006 no virus found
F-Prot4 4.2.1.29 09.19.2006 no virus found
Ikarus 0.2.65.0 09.20.2006 no virus found
Kaspersky 4.0.2.24 09.20.2006 no virus found
McAfee 4855 09.19.2006 no virus found
Microsoft 1.1560 09.19.2006 no virus found
NOD32v2 1.1763 09.19.2006 no virus found
Norman 5.90.23 09.19.2006 no virus found
Panda 9.0.0.4 09.19.2006 no virus found
Sophos 4.09.0 09.20.2006 no virus found
Symantec 8.0 09.20.2006 no virus found
TheHacker 6.0.1.074 09.20.2006 no virus found
UNA 1.83 09.20.2006 no virus found
VBA32 3.11.1 09.19.2006 no virus found
VirusBuster 4.3.7:9 09.19.2006 no virus found


STATUS: FINISHED
Complete scanning result of "IdiskLauncherEx.exe", received in VirusTotal at 09.20.2006, 14:09:50 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.16 09.20.2006 no virus found
Authentium 4.93.8 09.19.2006 no virus found
Avast 4.7.844.0 09.19.2006 no virus found
AVG 386 09.19.2006 no virus found
BitDefender 7.2 09.20.2006 no virus found
CAT-QuickHeal 8.00 09.20.2006 no virus found
ClamAV devel-20060426 09.20.2006 no virus found
eTrust-InoculateIT 23.73.0 09.20.2006 no virus found
eTrust-Vet 30.3.3088 09.20.2006 no virus found
DrWeb 4.33 09.20.2006 no virus found
Ewido 4.0 09.20.2006 no virus found
Fortinet 2.82.0.0 09.20.2006 suspicious
F-Prot 3.16f 09.19.2006 no virus found
F-Prot4 4.2.1.29 09.19.2006 no virus found
Ikarus 0.2.65.0 09.20.2006 no virus found
Kaspersky 4.0.2.24 09.20.2006 no virus found
McAfee 4855 09.19.2006 no virus found
Microsoft 1.1560 09.19.2006 no virus found
NOD32v2 1.1763 09.19.2006 no virus found
Norman 5.80.02 09.19.2006 no virus found
Panda 9.0.0.4 09.19.2006 no virus found
Sophos 4.09.0 09.20.2006 no virus found
Symantec 8.0 09.20.2006 no virus found
TheHacker 6.0.1.074 09.20.2006 no virus found
UNA 1.83 09.20.2006 no virus found
VBA32 3.11.1 09.19.2006 no virus found
VirusBuster 4.3.7:9 09.19.2006 no virus found


STATUS: FINISHED
Complete scanning result of "IdiskUpdateParan.dll", received in VirusTotal at 09.20.2006, 14:20:51 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.16 09.20.2006 no virus found
Authentium 4.93.8 09.19.2006 no virus found
Avast 4.7.844.0 09.19.2006 no virus found
AVG 386 09.19.2006 no virus found
BitDefender 7.2 09.20.2006 no virus found
CAT-QuickHeal 8.00 09.20.2006 no virus found
ClamAV devel-20060426 09.20.2006 no virus found
eTrust-InoculateIT 23.73.0 09.20.2006 no virus found
eTrust-Vet 30.3.3088 09.20.2006 no virus found
DrWeb 4.33 09.20.2006 no virus found
Ewido 4.0 09.20.2006 no virus found
Fortinet 2.82.0.0 09.20.2006 suspicious
F-Prot 3.16f 09.19.2006 no virus found
F-Prot4 4.2.1.29 09.19.2006 no virus found
Ikarus 0.2.65.0 09.20.2006 no virus found
Kaspersky 4.0.2.24 09.20.2006 no virus found
McAfee 4855 09.19.2006 no virus found
Microsoft 1.1560 09.19.2006 no virus found
NOD32v2 1.1763 09.19.2006 no virus found
Norman 5.80.02 09.19.2006 no virus found
Panda 9.0.0.4 09.19.2006 no virus found
Sophos 4.09.0 09.20.2006 no virus found
Symantec 8.0 09.20.2006 no virus found
TheHacker 6.0.1.074 09.20.2006 no virus found
UNA 1.83 09.20.2006 no virus found
VBA32 3.11.1 09.19.2006 no virus found
VirusBuster 4.3.7:9 09.19.2006 no virus found


STATUS: FINISHED
Complete scanning result of "npkcsvc.exe", received in VirusTotal at 09.20.2006, 14:36:53 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.16 09.20.2006 no virus found
Authentium 4.93.8 09.19.2006 no virus found
Avast 4.7.844.0 09.19.2006 no virus found
AVG 386 09.19.2006 no virus found
BitDefender 7.2 09.20.2006 no virus found
CAT-QuickHeal 8.00 09.20.2006 no virus found
ClamAV devel-20060426 09.20.2006 no virus found
eTrust-InoculateIT 23.73.0 09.20.2006 no virus found
eTrust-Vet 30.3.3088 09.20.2006 no virus found
DrWeb 4.33 09.20.2006 no virus found
Ewido 4.0 09.20.2006 no virus found
Fortinet 2.82.0.0 09.20.2006 suspicious
F-Prot 3.16f 09.20.2006 no virus found
F-Prot4 4.2.1.29 09.19.2006 no virus found
Ikarus 0.2.65.0 09.20.2006 no virus found
Kaspersky 4.0.2.24 09.20.2006 no virus found
McAfee 4855 09.19.2006 no virus found
Microsoft 1.1560 09.19.2006 no virus found
NOD32v2 1.1764 09.20.2006 no virus found
Norman 5.80.02 09.19.2006 no virus found
Panda 9.0.0.4 09.19.2006 no virus found
Sophos 4.09.0 09.20.2006 no virus found
Symantec 8.0 09.20.2006 no virus found
TheHacker 6.0.1.074 09.20.2006 no virus found
UNA 1.83 09.20.2006 no virus found
VBA32 3.11.1 09.19.2006 no virus found
VirusBuster 4.3.7:9 09.19.2006 no virus found


Thank you again for everything and putting up with my lengthy delays lately.

pcDome
pcdome
post Sep 20 2006, 09:06 AM
Post #38


Member
**

Group: Members
Posts: 39
Joined: 3-July 06
Member No.: 74,474



Hi Whisperer,

It looks like we are both on at the same time. It's too bad we can't chat and do this live, but I gotta go to bed, as I said in my previous post. I'm only still up because I got VirusTotal back up & running, and decided to take advantage of it. BTW, sorry that I ran the Jotti scan on the Docs & Settings file; I missed that part of the post when scanning tonight.

Here are the rest of the VirusTotal scans:

STATUS: FINISHED
Complete scanning result of "RPRes.dll_", received in VirusTotal at 09.20.2006, 15:35:14 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.16 09.20.2006 no virus found
Authentium 4.93.8 09.20.2006 no virus found
Avast 4.7.844.0 09.19.2006 no virus found
AVG 386 09.19.2006 no virus found
BitDefender 7.2 09.20.2006 no virus found
CAT-QuickHeal 8.00 09.20.2006 no virus found
ClamAV devel-20060426 09.20.2006 no virus found
eTrust-InoculateIT 23.73.0 09.20.2006 no virus found
eTrust-Vet 30.3.3088 09.20.2006 no virus found
DrWeb 4.33 09.20.2006 no virus found
Ewido 4.0 09.20.2006 no virus found
Fortinet 2.82.0.0 09.20.2006 no virus found
F-Prot 3.16f 09.20.2006 no virus found
F-Prot4 4.2.1.29 09.19.2006 no virus found
Ikarus 0.2.65.0 09.20.2006 no virus found
Kaspersky 4.0.2.24 09.20.2006 no virus found
McAfee 4855 09.19.2006 no virus found
Microsoft 1.1560 09.19.2006 no virus found
NOD32v2 1.1764 09.20.2006 no virus found
Norman 5.80.02 09.19.2006 no virus found
Panda 9.0.0.4 09.20.2006 no virus found
Sophos 4.09.0 09.20.2006 no virus found
Symantec 8.0 09.20.2006 no virus found
TheHacker 6.0.1.074 09.20.2006 no virus found
UNA 1.83 09.20.2006 no virus found
VBA32 3.11.1 09.19.2006 no virus found
VirusBuster 4.3.7:9 09.19.2006 no virus found

STATUS: FINISHED
Complete scanning result of "upx.exe", received in VirusTotal at 09.20.2006 15:43:03 (CET)

Antivirus Version Update Result
AntiVir 7.2.0.16 09.20.2006 no virus found
Authentium 4.93.8 09.20.2006 no virus found
Avast 4.7.844.0 09.19.2006 no virus found
AVG 386 09.19.2006 no virus found
BitDefender 7.2 09.20.2006 no virus found
CAT-QuickHeal 8.00 09.20.2006 no virus found
ClamAV devel-20060426 09.20.2006 no virus found
DrWeb 4.33 09.20.2006 no virus found
eTrust-InoculateIT 23.73.0 09.20.2006 no virus found
eTrust-Vet 30.3.3088 09.20.2006 no virus found
Ewido 4.0 09.20.2006 no virus found
Fortinet 2.82.0.0 09.20.2006 no virus found
F-Prot 3.16f 09.20.2006 no virus found
F-Prot4 4.2.1.29 09.20.2006 no virus found
Ikarus 0.2.65.0 09.20.2006 no virus found
Kaspersky 4.0.2.24 09.20.2006 no virus found
McAfee 4855 09.19.2006 no virus found
Microsoft 1.1560 09.19.2006 no virus found
NOD32v2 1.1764 09.20.2006 no virus found
Norman 5.90.23 09.19.2006 no virus found
Panda 9.0.0.4 09.20.2006 no virus found
Sophos 4.09.0 09.20.2006 no virus found
Symantec 8.0 09.20.2006 no virus found
TheHacker 6.0.1.074 09.20.2006 no virus found
UNA 1.83 09.20.2006 no virus found
VBA32 3.11.1 09.19.2006 no virus found
VirusBuster 4.3.7:9 09.20.2006 no virus found

STATUS: FINISHED
Complete scanning result of "vrpacker.dll", received in VirusTotal at 09.20.2006, 15:52:14 (CET)

Antivirus Version Update Result
AntiVir 7.2.0.16 09.20.2006 no virus found
Authentium 4.93.8 09.20.2006 no virus found
Avast 4.7.844.0 09.19.2006 no virus found
AVG 386 09.19.2006 no virus found
BitDefender 7.2 09.20.2006 no virus found
CAT-QuickHeal 8.00 09.20.2006 no virus found
ClamAV devel-20060426 09.20.2006 no virus found
DrWeb 4.33 09.20.2006 no virus found
eTrust-InoculateIT 23.73.0 09.20.2006 no virus found
eTrust-Vet 30.3.3088 09.20.2006 no virus found
Ewido 4.0 09.20.2006 no virus found
Fortinet 2.82.0.0 09.20.2006 no virus found
F-Prot 3.16f 09.20.2006 no virus found
F-Prot4 4.2.1.29 09.20.2006 no virus found
Ikarus 0.2.65.0 09.20.2006 no virus found
Kaspersky 4.0.2.24 09.20.2006 no virus found
McAfee 4855 09.19.2006 no virus found
Microsoft 1.1560 09.19.2006 no virus found
NOD32v2 1.1764 09.20.2006 no virus found
Norman 5.90.23 09.19.2006 no virus found
Panda 9.0.0.4 09.20.2006 no virus found
Sophos 4.09.0 09.20.2006 no virus found
Symantec 8.0 09.20.2006 no virus found
TheHacker 6.0.1.074 09.20.2006 no virus found
UNA 1.83 09.20.2006 no virus found
VBA32 3.11.1 09.19.2006 no virus found
VirusBuster 4.3.7:9 09.20.2006 no virus found

Thanks again!
Whisperer
post Sep 21 2006, 11:46 AM
Post #39


Senior Member
****

Group: Members
Posts: 405
Joined: 29-May 05
Member No.: 21,742



Hi pcdome,

Thanks for all of the information, there is nothing there to give cause for concern so I would like you to reboot your computer, take and post a new HijackThis log together with any comments on the behaviour of the computer now.

GT
pcdome
post Sep 23 2006, 07:00 PM
Post #40


Member
**

Group: Members
Posts: 39
Joined: 3-July 06
Member No.: 74,474



Okay Whisperer,

I'm hoping that my computer is almost clean, because you've been a great help, and I hate taking so much of your time. I am posting my HJT log, but I also wanted to ask you a couple of questions. I was trying to remove some programs in the Add/Remove program feature in the Control Panel (A/R C.P.) but I can't find the programs there, or any names that I think they are associated with. However, while looking I did find some strange program names that I didn't install, and I don't think are with the programs that I'm trying to get rid of. So my questions are first, do you know of another way I can uninstall these programs other than via A/R C.P.? Secondly, can you look into these programs and let me know if they are malware, or what they might be because I'm not sure. I know that some of them seem okay, and some are from Korea, but I didn't install them (maybe my wife did, argh. BTW asking her if they are legit is useless, because she will say any Korean company is legit, if you remember I had myLinker on my computer b4, something I didn't put on and told her not to put on, but she did anyhow, b/c she is Korean and it's a Korean company. Basically it's a cultural thing that I'm sure you don't want me to get into.) And I know that Korean companies often install stuff without people's knowledge and do watch you, but they may look legit too, like one called nProtect KeyCrypt. It looks legit, but I'm not sure it is. Anyhow, here are the programs I need your expertise in please:

nProtect KeyCrypt
nProtect Netizen
Slim TVDriver
SoftCamp Secure KeyStroke 4.0
Spyware Remover (by the way when I click on this it doesn't give me the option to remove it, and it looks like an install program, not a program itself)
TV Card
TV Card Driver
TV Driver
XecureWeb Control

(Note I had a TV card once before, but it was a Sigma TV card, and when I removed the card I removed the program too, so I don't know what these other TV Cards are. I also can't recall if they were here or not the last time you instructed me to remove a program.)

Here's my latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:35:59 AM, on 9/24/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SnoopFreeUI.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\CFusionMX7\runtime\bin\jrunsvc.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
C:\CFusionMX7\runtime\bin\jrun.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2server.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2index.exe
C:\WINDOWS\ksvhtcgidsler.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\conime.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\HijackThis\HJT.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE lebeca web camera driver
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\SymProbe.exe -r "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [hsvgtckidsler] hsvgtckidsler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {3D51DCE5-683F-422E-AB48-9D21E6DD5808} (cRsiteup.acRsiteup) - http://www.hebogo.com/ActiveX/cRsiteup.cab
O16 - DPF: {3E5BBDC8-18F9-4A70-94B5-DD64929C0AF4} (AniCastH Class) - http://gogo.jaeminara.co.kr/gogo/hansol/na...ol/axacastH.cab
O16 - DPF: {4E52C32F-C143-4963-A758-2DB07703CB49} (YahooCS Class) - http://kr.memo.yahoo.com/CAB/YahooWCS.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.spatic.go.kr/www/msxml4.cab
O16 - DPF: {95FAA6CA-9CD5-40A5-B9EA-2ED419D4D9E7} - http://www.spatic.go.kr/www/ZeusWEB.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} - http://kings.nefficient.co.kr/kings/kdfx/k...29/kdfense8.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://id.hangame.com/common/HanSetup1008.cab
O16 - DPF: {D2A4C311-F608-4E0E-BBFE-6B25E31AC15B} (Kdfense5 Control) - http://kings.cachenet.com/kdf5106/kdfense5.cab
O16 - DPF: {E0BF7A2B-2F7C-497A-B50F-292D3F317965} (CongnamulMap Control) - http://www.congnamul.com/ActiveX/Release/C...amulMap_V17.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/eng/billard8_2_0_0_28.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ColdFusion MX 7 Application Server - Macromedia Inc. - C:\CFusionMX7\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX 7 Search Server - Unknown owner - C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe" -cfg "C:\CFusionMX7\verity\k2\common\verity.cfg" -ntstart 1 (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks again for your help!

pcDome
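As an added illustration (not part of the thread, and not code from HijackThis itself): the log above lists a Run entry, `[hsvgtckidsler] hsvgtckidsler.exe`, that launches a bare filename, while the running-process list contains `C:\WINDOWS\ksvhtcgidsler.exe`, a name of the same length that differs in only a few characters. The Python script below parses a log in the format posted here, cross-checks each O4 Run entry against the running-process list, and reports an entry whose executable is not running but has a near-twin among the running processes (or that is given with no path at all). The embedded sample log is a constructed, trimmed subset of the entries in this post, and all function names are my own.

```python
import ntpath
import re

# Constructed sample: a trimmed subset of the HijackThis log format seen in this
# thread (only the running-process list and a handful of O4 Run entries).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 8:35:59 AM, on 9/24/2006

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ksvhtcgidsler.exe
C:\WINDOWS\explorer.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [hsvgtckidsler] hsvgtckidsler.exe
"""

# O4 lines look like:  O4 - HKLM\..\Run: [Label] command line
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
# First .exe token in a command line, quoted or not (case-insensitive).
EXE_RE = re.compile(r'"?([^"]*?\.exe)"?', re.IGNORECASE)


def parse_log(text):
    """Return (running_process_paths, [(hive, label, command), ...]) from a HijackThis log."""
    running, run_entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:            # a blank line ends the process list
                in_procs = False
            else:
                running.append(line)
            continue
        m = O4_RE.match(line)
        if m:
            run_entries.append(m.groups())
    return running, run_entries


def executable_of(command):
    """Pull the launched .exe (path or bare name) out of an O4 command; None if there is none."""
    m = EXE_RE.search(command)
    return m.group(1) if m else None


def differing_positions(a, b):
    """1-based positions at which two equal-length names differ (case-insensitive); None if lengths differ."""
    a, b = a.lower(), b.lower()
    if len(a) != len(b):
        return None
    return [i + 1 for i, (x, y) in enumerate(zip(a, b)) if x != y]


def find_lookalike(name, running_names, max_diff=3):
    """First running-process basename equal to `name` except for at most `max_diff` characters."""
    for candidate in running_names:
        pos = differing_positions(name, candidate)
        if pos is not None and 0 < len(pos) <= max_diff:
            return candidate, pos
    return None, None


def analyze_log(text):
    """Cross-check every O4 Run entry against the running-process list; one finding per entry."""
    running, run_entries = parse_log(text)
    running_names = [ntpath.basename(p) for p in running]
    running_lower = {n.lower() for n in running_names}
    findings = []
    for hive, label, command in run_entries:
        path = executable_of(command)
        if path is None:
            continue                # entries that launch no .exe (e.g. dumprep) are out of scope here
        exe = ntpath.basename(path)
        is_running = exe.lower() in running_lower
        lookalike, positions = (None, None)
        if not is_running:
            lookalike, positions = find_lookalike(exe, running_names)
        findings.append({
            "hive": hive, "label": label, "exe": exe,
            "bare_name": path == exe,   # no directory: resolved via the search path at logon
            "running": is_running,
            "lookalike": lookalike, "positions": positions,
        })
    return findings


def summarize(findings):
    """Readable lines, most suspicious first: an entry that is not running but has a near-twin that is."""
    lines = []
    for f in sorted(findings, key=lambda f: (f["lookalike"] is None, f["running"])):
        tag = f"{f['hive']} [{f['label']}] {f['exe']}"
        if f["lookalike"]:
            lines.append(f"SUSPICIOUS {tag}: not running, but {f['lookalike']} is, "
                         f"differing only at positions {f['positions']}")
        elif not f["running"]:
            lines.append(f"CHECK      {tag}: not in the running-process list")
        else:
            lines.append(f"ok         {tag}" + (" (bare filename, no path)" if f["bare_name"] else ""))
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(analyze_log(SAMPLE_LOG))))
```

The near-twin check is deliberately narrow (same length, at most three differing characters) so that ordinary names such as SOUNDMAN.EXE and SnoopFreeUI.exe are not paired with each other; a bare filename that is also running is reported only as a note, since legitimate vendors use that form too.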
Whisperer
post Sep 24 2006, 03:23 PM
Post #41


Senior Member
****

Group: Members
Posts: 405
Joined: 29-May 05
Member No.: 21,742



Hi pcdome,

Worry not; time at my age is unimportant! Please post more information about the files that you are trying to remove, and I guess it is time to update me on what is in your Uninstall list.
  1. Please do a search for hsvgtckidsler.exe, you may not find it but it is highly suspicious because there is a running process with a very similar name, the difference being that the 1st, 4th and 7th characters have been rotated forward such that hsvgtckidsler.exe becomes ksvhtcgidsler.exe!!!! If you find the original then make a note of its path for submission to the 2 analysis sites. If you are unable to find it then do a search for *idsler.exe, exactly as shown.
  2. Please submit C:\WINDOWS\ksvhtcgidsler.exe followed by hsvgtckidsler.exe (if you have found a path for it) to Jotti and VirusTotal in whichever order.
  3. Go to the Jotti web site.
    • Click on the Browse button and navigate to the directory for the file
    • Locate the file and click to select
    • Click the Submit button
    • You may have to try more than once if the service load is close to 100% but you will get an online answer
  4. Now repeat the upload to the VirusTotal site.
    • Click the Browse button, navigate to the file's location and click to select.
    • Click the Send icon
    • This time you will receive an email response
    • Please copy the contents and place in your next reply
  5. Finally please submit both files to our analysis cell
  6. Update your Uninstall list by opening your HijackThis
    1. Click on Open the Misc Tools section or Config… button, depending on how you are set up.
    2. If you used the Config... option then click the Misc Tools tab
    3. Select Open Uninstall Manager, a list of your installed programs will be displayed.
    4. Select the Save List… button and save the file to your desktop.
  7. That will do for this one, please post
    • The results of the two scans and the submission when available
    • More information about the files that you are trying to remove
    • A new Uninstall list
    • A new HijackThis log
GT
pcdome
post Sep 29 2006, 02:52 AM
Post #42


Member

Group: Members
Posts: 39
Joined: 3-July 06
Member No.: 74,474



Hi Whisperer,

The files ksvhtcgidsler.exe & hsvgtccidsker.exe were both something that I was going to look up on Jotti & VirusTotal because one of my security programs had posted a warning but never tried to delete or fix it. Anyhow, I have the results from Jotti & VirusTotal that I'm posting here. I will also post them to the analysis cell. I will have to post the uninstall stuff later, because I'm getting ready for work, but I thought this info would be helpful.

By the way, when browsing I found two other files that looked kind of strange to me, so I uploaded those files to Jotti & VirusTotal too and have posted those results here as well. Also, when I searched for the ksvhtcgidsler.exe & hsvgtccidsker.exe files I couldn't find them. I then proceeded to search for the other file you mentioned, *idsaer.exe or something like that; I don't remember the file name now, I just copied & pasted it into the search function. Nothing was found though. Strangely, though, one of the files that I found prior to searching that I thought was strange contained a similar ending, so you'll find that posted here.

I don't know if this is related to this malware/virus or not, but my internet has been extremely slow since my security programs first discovered these files.

One more thing: I'm going to try and get this stuff taken care of this weekend, but there is a huge, almost week-long holiday next week here, during which I have to travel to my in-laws' home for the week and won't be here to work on this, so if you don't hear from me you know why.

Thanks,

pcDome

Jotti:

C:\WINDOWS\ksvhtcgidsler.exe

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

C:\WINDOWS\hsvgtccidsker.exe

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

Here are some additional files that I have found that looked suspicious, so I ran tests, and here are the results:
C:\WINDOWS\vsv\tchidsver.exe

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

C:\WINDOWS\lsvktcvidsaer.exe

File: lsvktcvidsaer.exe
Status: POSSIBLY INFECTED/MALWARE (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)
MD5 5e1932c09dcf598ce4aa32d506a26a28
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Virus Total:


STATUS: FINISHED
Complete scanning result of "ksvhtcgidsler.exe", received in VirusTotal at 09.29.2006, 06:58:05 (CET).

Antivirus Version Update Result
AntiVir n - no virus found
Authentium n - no virus found
Avast n - no virus found
AVG n - no virus found
BitDefender n - no virus found
CAT-QuickHeal n - no virus found
ClamAV n - no virus found
DrWeb n - no virus found
eTrust-InoculateIT n - no virus found
eTrust-Vet n - no virus found
Ewido n - no virus found
Fortinet n - no virus found
F-Prot n - no virus found
F-Prot4 n - no virus found
Ikarus n - no virus found
Kaspersky n - no virus found
McAfee n - no virus found
Microsoft n - no virus found
NOD32v2 n - no virus found
Norman n - no virus found
Panda n - no virus found
Sophos n - no virus found
Symantec n - no virus found
TheHacker n - no virus found
UNA n - no virus found
VBA32 n - no virus found
VirusBuster n - no virus found


Aditional Information
File size: 0 bytes
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
packers: base64


STATUS: FINISHED
Complete scanning result of "hsvgtccidsker.exe", received in VirusTotal at 09.29.2006, 07:15:51 (CET).

Antivirus Version Update Result
AntiVir n - no virus found
Authentium n - no virus found
Avast n - no virus found
AVG n - no virus found
BitDefender n - no virus found
CAT-QuickHeal n - no virus found
ClamAV n - no virus found
DrWeb n - no virus found
eTrust-InoculateIT n - no virus found
eTrust-Vet n - no virus found
Ewido n - no virus found
Fortinet n - no virus found
F-Prot n - no virus found
F-Prot4 n - no virus found
Ikarus n - no virus found
Kaspersky n - no virus found
McAfee n - no virus found
Microsoft n - no virus found
NOD32v2 n - no virus found
Norman n - no virus found
Panda n - no virus found
Sophos n - no virus found
Symantec n - no virus found
TheHacker n - no virus found
UNA n - no virus found
VBA32 n - no virus found
VirusBuster n - no virus found


Aditional Information
File size: 0 bytes
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709

STATUS: FINISHED
Complete scanning result of "tchidsver.exe", received in VirusTotal at 09.29.2006, 07:38:28 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.18 09.28.2006 no virus found
Authentium 4.93.8 09.28.2006 no virus found
Avast 4.7.892.0 09.27.2006 no virus found
AVG 386 09.27.2006 no virus found
BitDefender 7.2 09.29.2006 no virus found
CAT-QuickHeal 8.00 09.28.2006 no virus found
ClamAV devel-20060426 09.28.2006 no virus found
eTrust-InoculateIT 23.73.8 09.29.2006 no virus found
eTrust-Vet 30.3.3104 09.28.2006 no virus found
DrWeb 4.33 09.28.2006 no virus found
Ewido 4.0 09.28.2006 no virus found
Fortinet 2.82.0.0 09.29.2006 no virus found
F-Prot 3.16f 09.28.2006 no virus found
F-Prot4 4.2.1.29 09.28.2006 no virus found
Ikarus 0.2.65.0 09.28.2006 no virus found
Kaspersky 4.0.2.24 09.29.2006 no virus found
McAfee 4862 09.28.2006 no virus found
Microsoft 1.1603 09.29.2006 no virus found
NOD32v2 1.1782 09.29.2006 no virus found
Norman 5.80.02 09.28.2006 no virus found
Panda 9.0.0.4 09.28.2006 no virus found
Sophos 4.10.0 09.29.2006 no virus found
Symantec 8.0 09.29.2006 no virus found
TheHacker 6.0.1.086 09.29.2006 no virus found
UNA 1.83 09.28.2006 no virus found
VBA32 3.11.1 09.28.2006 no virus found
VirusBuster 4.3.7:9 09.28.2006 no virus found


Aditional Information
File size: 0 bytes
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709

STATUS: FINISHED
Complete scanning result of "lsvktcvidsaer.exe", received in VirusTotal at 09.29.2006, 08:01:50 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.18 09.28.2006 no virus found
Authentium 4.93.8 09.28.2006 no virus found
Avast 4.7.892.0 09.27.2006 no virus found
AVG 386 09.27.2006 no virus found
BitDefender 7.2 09.29.2006 no virus found
CAT-QuickHeal 8.00 09.28.2006 no virus found
ClamAV devel-20060426 09.28.2006 no virus found
DrWeb 4.33 09.28.2006 no virus found
eTrust-InoculateIT 23.73.8 09.29.2006 no virus found
eTrust-Vet 30.3.3104 09.28.2006 no virus found
Ewido 4.0 09.28.2006 no virus found
Fortinet 2.82.0.0 09.29.2006 no virus found
F-Prot 3.16f 09.28.2006 no virus found
F-Prot4 4.2.1.29 09.28.2006 no virus found
Ikarus 0.2.65.0 09.28.2006 no virus found
Kaspersky 4.0.2.24 09.29.2006 no virus found
McAfee 4862 09.28.2006 no virus found
Microsoft 1.1603 09.29.2006 no virus found
NOD32v2 1.1782 09.28.2006 probably unknown NewHeur_PE virus
Norman 5.90.23 09.28.2006 no virus found
Panda 9.0.0.4 09.28.2006 no virus found
Sophos 4.10.0 09.29.2006 no virus found
Symantec 8.0 09.29.2006 no virus found
TheHacker 6.0.1.086 09.29.2006 no virus found
UNA 1.83 09.28.2006 no virus found
VBA32 3.11.1 09.28.2006 no virus found
VirusBuster 4.3.7:9 09.28.2006 no virus found


Aditional Information
File size: 57344 bytes
MD5: 5e1932c09dcf598ce4aa32d506a26a28
SHA1: 44fd1460edb0d1e54cc06bbc15925bc94732faf5
Whisperer
post Sep 29 2006, 04:31 AM
Post #43


Senior Member

Group: Members
Posts: 405
Joined: 29-May 05
Member No.: 21,742



Thanks a lot for the latest,

If you could not find the files in a search how did you manage to upload them to Jotti and VirusTotal?

Please try a search on your computer for files containing the following: ?sv?tc?ids?er.exe (including the question marks). Make sure that hidden files are still showing.

I would also like to know where and how you found those additional files. Did they show up in HijackThis or just your own investigative browsing? Either way, well done for pushing upwards.

Be back later


GT

This post has been edited by Whisperer: Sep 29 2006, 04:52 AM
Whisperer
post Sep 29 2006, 02:15 PM
Post #44


Senior Member

Group: Members
Posts: 405
Joined: 29-May 05
Member No.: 21,742



Hi pcdome,

Please post the answers to the above when available and continue with what follows as you can.
  1. Download Silentrunners.zip from here and save it to your Desktop.
    1. First you will need to extract the file(s).
      • Right click on the zipped folder and from the new menu click on Extract All
      • In the 'Extraction Wizard' window that opens, click on Next
      • Click on Next again.
      • In the final window, click on Finish
      • You should now see the contents of the Silent Runners folder - Silent Runners.vbs.
    2. Double click Silent Runners.vbs to run it.
      IMPORTANT
      Some real-time protection programs may warn you of a possibly malicious script being detected when you run Silent Runners.vbs; allow it to run. Alternatively, disable any script blocking software you have running before you start.
    3. You will receive a prompt: Do you want to skip supplementary searches? - click NO
    4. Once the All Done! prompt flashes up, open the Startup Program text file that has appeared in the folder and copy & paste it into your next reply.
  2. Open your HijackThis
    1. Click on Open the Misc Tools section or Config… button, depending on how you are set up.
    2. If you used the Config... option then click the Misc Tools tab
    3. Next to Generate StartupList log place a check next to List also minor sections (full) and List empty sections (complete), then click Generate StartupList log
    4. Click Yes
    5. A list of your startup programs will be displayed in the file startuplist.txt.
  3. Download Gmer to your Desktop and unzip it to your Desktop.
    • Disconnect from internet and close running programs.
      There is a small chance this application may crash your computer so save any work you have open.
    • Double click gmer.exe and let the gmer.sys driver load if asked.
      If it gives you a warning at program start about rootkit activity and asks if you want to run scan ...say Ok.
    • If no warning Click the Rootkit tab and click Scan .
    • Wait for scan to finish.
    • Once done click the Copy button.
    • Open Notepad and hit Ctrl+V to paste the log. Save it to your Desktop as Gmer1 please.
      Next…
    • Click the Autostart tab then the Scan button. Once it's done click the Copy button and paste it into a new notepad document. Save that document as Gmer2 to your desktop please.
    • Close gmer. Reconnect to the internet.
      If for any reason Gmer fails to run in Normal mode then reboot to Safe mode, as this tool will work well in either. Then run the two Gmer scans.
  4. Please post
    • A copy of 'startuplist.txt'
    • The SilentRunners file
    • The two Gmer logs
    • An up-to-date HijackThis log in your next reply
GT
pcdome
post Sep 29 2006, 06:38 PM
Post #45


Member

Group: Members
Posts: 39
Joined: 3-July 06
Member No.: 74,474



Hi Whisperer,

Here are the files that I found using the "?" mark file you told me to search for. They are all in the C:\WINDOWS folder.

asvvtccidsger
csvatcgidsher
gsvctcaidsger

To answer your questions, I copied and pasted the files and directories into the Jotti & VirusTotal site, but I could never find them searching on my own. However, they are definitely somewhere, because every time I turn my computer on SnoopFree tells me that one of the files is trying to log my keystrokes, so I always deny access to the program. SnoopFree always reports that they're in C:\WINDOWS\filename but I can't find them.

The new files were found while looking for the other files. I just thought they were strange names, with similar names to the files I was searching for, and were rather lengthy file names. All of these things set off alarms in my head that there is something wrong, so I figured it wouldn't be a bad thing to have them looked at by Jotti & VirusTotal.

Okay, I have a few minutes so I'm going to upload the files to the analysis cell now. I didn't have the time yesterday.

Talk to you later,

pcDome
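The wildcard search Whisperer asked for (?sv?tc?ids?er.exe), the character rotation described in post #41 (1st, 4th and 7th characters moved forward, hsvgtckidsler.exe becoming ksvhtcgidsler.exe) and the 0-byte scanner results in post #42 can all be checked mechanically. The Python below is an added example written for this thread; it is not code from the thread or from Jotti, VirusTotal, HijackThis or any other tool named here. It builds a throw-away folder from names quoted in the thread (with .exe appended to the three extension-less names from post #45, which is an assumption) and gives one file a made-up body so the empty-file check has something to contrast with. The MD5 d41d8cd98f00b204e9800998ecf8427e and SHA-1 da39a3ee5e6b4b0d3255bfef95601890afd80709 reported for three of the uploads above are the digests of zero-length input, so a report carrying them says the scanner received nothing, not that the file on disk is clean.

```python
import fnmatch
import hashlib
import os
import tempfile

# Wildcard from post #43; '?' matches exactly one character.
SUSPECT_GLOB = "?sv?tc?ids?er.exe"

# Digests of zero-length input. A scanner report showing these means the
# upload was empty, not that the file was scanned and found clean.
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"
EMPTY_SHA1 = "da39a3ee5e6b4b0d3255bfef95601890afd80709"


def matches_pattern(name, pattern=SUSPECT_GLOB):
    """Case-insensitive match of a bare file name against the wildcard."""
    return fnmatch.fnmatch(name.lower(), pattern.lower())


def rotate_forward(name, positions=(0, 3, 6)):
    """Move the characters at the given 0-based positions one step forward
    around the cycle (the relation described in post #41): the character
    at positions[i] ends up at positions[i + 1], the last wraps to the first."""
    chars = list(name)
    saved = [chars[p] for p in positions]
    for i, p in enumerate(positions):
        chars[p] = saved[(i - 1) % len(positions)]
    return "".join(chars)


def hash_file(path):
    """Return (md5_hex, sha1_hex) of a file, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def is_empty_upload(md5_hex, sha1_hex=None):
    """True when a scanner report's digests are those of an empty file."""
    if md5_hex.lower() != EMPTY_MD5:
        return False
    return sha1_hex is None or sha1_hex.lower() == EMPTY_SHA1


def find_suspects(directory, pattern=SUSPECT_GLOB):
    """Return {name: (size_bytes, md5_hex)} for regular files in `directory`
    whose name fits the wildcard. os.scandir lists entries regardless of the
    hidden/system attributes, which is why the thread insists on hidden files
    being visible in a manual search."""
    found = {}
    with os.scandir(directory) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False):
                continue
            if matches_pattern(entry.name, pattern):
                md5, _ = hash_file(entry.path)
                found[entry.name] = (entry.stat().st_size, md5)
    return found


def demo():
    """Constructed sample data: the names quoted in the thread, created in a
    temporary folder (not the poster's disk). One file gets a made-up body so
    that the zero-byte files stand out against it."""
    names = ["ksvhtcgidsler.exe", "hsvgtccidsker.exe", "lsvktcvidsaer.exe",
             "tchidsver.exe", "asvvtccidsger.exe", "csvatcgidsher.exe",
             "gsvctcaidsger.exe", "notepad.exe"]
    with tempfile.TemporaryDirectory() as folder:
        for name in names:
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(b"MZ-sample" if name == "lsvktcvidsaer.exe" else b"")
        return find_suspects(folder)


if __name__ == "__main__":
    for name, (size, md5) in sorted(demo().items()):
        tag = "EMPTY (scanner saw nothing)" if is_empty_upload(md5) else "has content"
        print(f"{name:20} {size:6d} bytes  {md5}  {tag}")
    print(rotate_forward("hsvgtckidsler.exe"))
```

Pointed at a real folder (for the thread, find_suspects(r"C:\WINDOWS")), the function reports the size and MD5 of every name fitting the glob; a size of 0 together with the empty-file MD5 is exactly what the three 0-byte Jotti and VirusTotal reports above look like, and a non-zero size with a different digest (57344 bytes and 5e1932c0... for lsvktcvidsaer.exe) is a file that actually reached the scanners. The rotation helper is only a way to test whether two names on a list are related in the manner post #41 describes; it does not identify what the files are.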

© 2003-2009 All Rights Reserved Bleeping Computer LLC.