Massive Lag And Korean Hijacker Programs



#1 Khevinet

  • Members
  • 57 posts
  • Gender:Male
  • Location:Korea

Posted 30 November 2007 - 08:54 PM

I've recently begun to experience a lot of lag doing the simplest things on my system. Additionally, the same Korean language programs are being installed every time I restart my computer. Could somebody please take a look at this and tell me what's gone wrong?

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\devdrv\drv\40\devdrv16v4.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Adaptec\bin\v14\cdrv14.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\Program Files\Codec Pack\v14\codecsnd.exe
c:\Program Files\Adaptec\bin\v14\cdrv14.exe
c:\Program Files\Adaptec\bin\v14\cdrv14.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\ModulerSvc.exe
C:\WINDOWS\system32\srvany.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\James Leborgne\Desktop\HiJackThis.exe

O2 - BHO: V2WinSP - {85F3E26A-AF03-4ED0-896C-650AD2951434} - C:\Program Files\SPack\SPack1213.dll (file missing)
O2 - BHO: (no name) - {CAD2484D-6D58-858D-F48A-CABAC5757DCA_} - (no file)
O3 - Toolbar: easykey - {CAD2484D-6D58-858D-F48A-CABAC5757DCA} - c:\program files\easykey\easykey.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [netsvrs32.exe] "C:\Program Files\Internet Explorer\Connection Wizard\netsvrs32.exe" svr01
O4 - HKLM\..\Run: [devdrv16v4] c:\Program Files\devdrv\drv\40\devdrv16v4.exe
O4 - HKLM\..\Run: [processcore4] c:\Program Files\Common Files\devdrv\Drive\40\processcore.exe
O4 - HKLM\..\Run: [cdrv14] c:\Program Files\Adaptec\bin\v14\cdrv14.exe
O4 - HKLM\..\Run: [hpctl14] c:\Program Files\Common Files\LGT\Engine\v14\hpctl14.exe
O4 - HKLM\..\Run: [Korean IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEKR\IMKRMIG.EXE
O4 - HKLM\..\Run: [twbfilosva1] C:\WINDOWS\system32\twbfilosva1.exe
O4 - HKLM\..\Run: [GDIPlus] C:\Windows\AppPatch\GDIPlus.exe
O4 - HKLM\..\Run: [dgup.exe] C:\Program Files\dweb\dgup.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Mnsets] C:\Program Files\Internet Explorer\Connection Wizard\Mnsets.exe
O4 - HKLM\..\Run: [Sense] c:\windows\Sense.exe
O4 - HKLM\..\Run: [qjjsx8qt] C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\slqsxonj\qjjsx8qt.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [netsvrs32.exe] "C:\Program Files\Internet Explorer\Connection Wizard\netsvrs32.exe" svr01
O4 - HKCU\..\Run: [twbfilosva] C:\WINDOWS\system32\twbfilosva.exe
O4 - HKCU\..\Run: [twbfilosva1] C:\WINDOWS\system32\twbfilosva1.exe
O4 - HKCU\..\Run: [RUNON] C:\Program Files\Internet Explorer\Custom\RUNON.exe
O4 - HKCU\..\Run: [fnf] "C:\WINDOWS\Config\bp.exe"
O4 - HKCU\..\Run: [intr] "C:\WINDOWS\Config\bp.exe"
O4 - HKCU\..\Run: [qmat] "C:\WINDOWS\Config\bp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: directkey - {3548DCFA-FE35-435D-34DA-B175FAEF1685} - c:\PROGRA~1\DIRECT~1\DIRECT~1.DLL
O9 - Extra 'Tools' menuitem: directkey - {3548DCFA-FE35-435D-34DA-B175FAEF1685} - c:\PROGRA~1\DIRECT~1\DIRECT~1.DLL
O9 - Extra button: AIƮA?E - {37785D32-1604-410b-BF6E-82E65C67DB6C} - C:\Program Files\pointurl\pointurl.dll (file missing)
O9 - Extra 'Tools' menuitem: AIƮA?E - {37785D32-1604-410b-BF6E-82E65C67DB6C} - C:\Program Files\pointurl\pointurl.dll (file missing)
O9 - Extra button: CashOn - {731B4EB2-B447-4108-86EB-6F9B6A46E576} - C:\PROGRA~1\CashOn\bin\NCBUTT~1.DLL
O9 - Extra button: easykey - {ED157DAB-B415-DF48-48DA-4A8D5F48DABC} - c:\program files\easykey\easykey.dll
O9 - Extra 'Tools' menuitem: easykey - {ED157DAB-B415-DF48-48DA-4A8D5F48DABC} - c:\program files\easykey\easykey.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg5.cyworld.nate.com/ImageUpload...mageUpload2.cab
O16 - DPF: {0E96B258-D5FA-405E-A540-DB53E03376BD} (OrangeFileBox Control) - http://www.orangefile.com/ActiveX/OrangeFileBox.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {18D63578-EA2F-4A59-A49A-7F62E6B3DF3E} (ImP3 Control) - http://activexdown.paran.com/paranactivex/data/ImP3.cab
O16 - DPF: {1ABB898B-8A1A-40CB-8DE7-DAF5E560E814} (DSubActX Control) - http://cab1.diskster.com/recab/DSubActX.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {31FA72F5-BE46-4D6D-A10D-857C8D6F4BFA} (OrangeFileSearch Control) - http://www.orangefile.com/ActiveX/OrangeFileSearch.cab
O16 - DPF: {32D94A9F-9A18-4E12-863D-8AABA8CBDA78} (NateOnMMSAtx3 Class) - http://sms.nate.com/NateOnMMS_AX3.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5CA5E00D-80A8-475A-BF08-816FD56DBC38} (KTCtrl Class) - http://support.kornet.net/sw5/order/Speed/...peedNewCtrl.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownlo...Plugin11USA.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {788649EC-2622-4EE8-84A3-F49F6AA8399C} (QuizHelperCtrl Class) - http://www.activetutor.net/pub/cabs/quizhe.../QuizHelper.cab
O16 - DPF: {7C09DD8F-D1C6-4315-AE96-AC328FDF734B} (KTActiveX Control) - http://support.kornet.net/sw5/order/Speed/cab/KTActiveX.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://xecure.kbstar.com/xecure/xw_install_v7202.cab
O16 - DPF: {882A7CC6-0163-4BC1-8BC1-505E36C9FFA2} (MaxHelper Control) - http://www.maxmp3.co.kr/Ver2/App/totalApp/...r/maxhelper.cab
O16 - DPF: {8D88D553-E13C-492E-BC64-2DAF12782A81} (AClientChecker.AxAClientChecker) - http://image.cdi.co.kr/ibtprep/install/web...ientChecker.CAB
O16 - DPF: {913BF18F-672D-4676-9855-F9A192A88886} (IMBCContents Control) - http://touch.imbc.com/ocx/Online.cab
O16 - DPF: {99C709C7-4F58-46C1-855B-90213C760395} (v3d Class) - https://secure.kcp.co.kr/webpay/v3d/file/kcp_ansimclick.cab
O16 - DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} (MagicLockOCX Control) - http://www.cinewel.com/down/MagicLockOCX.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/mv/XTools.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} - http://k-defence.kbstar.com/kings/kdfx/kdfx238/kdfense8.cab
O16 - DPF: {A977FF0C-8757-4E76-8533-482F91946233} (Neowiz Login Control) - http://dl.sayclub.com/sayclub/sayctl/sayax.cab
O16 - DPF: {AF11AA64-87A5-4146-AF3B-A7BD0F278485} (SBStarter Control) - http://download.soribada.com/down/Soribada...206/SBStart.CAB
O16 - DPF: {AF60D574-F249-4243-8040-5521AAA5BB5E} (PandoraTVSet Class) - http://imgcdn.pandora.tv/pan_img/p3player/...ge/pdrtvset.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B45E969D-924F-4C83-ACF3-38CDD115AA2C} (MpiPlugin Class) - https://www.isaackorea.net/update/ilkactx.cab
O16 - DPF: {B8ECD16B-EC0C-407E-AF2D-7B4A6B6F8DCB} (AllatPayXATL Class) - https://tx.allatpay.com/component/AllatPayX.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CEAF43B1-E8C1-426D-A63C-92C71212E6E5} (PlayerCue Control) - http://touch.imbc.com/ActiveX/iMBCOnlineService.cab
O16 - DPF: {CF362BDB-4EA2-11D5-AB47-000102913414} (SetGlb Control) - http://touch.imbc.com/ocx/SetGlb.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://n-protect.kbstar.com/nprotect/module/npx.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://vbv.samsungcard.co.kr/keycrypt/npkcx.cab
O16 - DPF: {E3EAC26D-891F-499A-9C38-D8F165DE02B8} (SsoAccess Class) - http://www.daegu.go.kr/SSODemo/ssoObject/SsoAccess.cab
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - https://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
O16 - DPF: {F36C3235-C4AF-409F-B6A1-4F96BB1B533E} (CyGlobalCtl Class) - http://fs1.us.cyworld.com/common/activex/CyGlobal.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: bcsdlsvcs - Unknown owner - C:\WINDOWS\system32\bcsdlsvcs.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: codecsnd14 - Unknown owner - c:\Program Files\Codec Pack\v14\codecsnd.exe
O23 - Service: COM Interface Service (comifsrv) - Unknown owner - C:\WINDOWS\system32\comifs.exe (file missing)
O23 - Service: CSUpdateSvc - ANIJCORP - C:\WINDOWS\CSUpdateSvc.exe
O23 - Service: enginev14 - Unknown owner - c:\Program Files\Intel\v14\engine.exe (file missing)
O23 - Service: Help Manager Log (hlpmnglog) - Unknown owner - C:\WINDOWS\media\neternel.exe (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Local Control lagacy (LClagacy) - Unknown owner - C:\WINDOWS\npkscvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MudulerSvc - ANIJCORP - C:\WINDOWS\system32\ModulerSvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: PCI Adapter (PCIDown) - Unknown owner - C:\WINDOWS\alg.exe (file missing)
O23 - Service: servcproc - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: Network Connect Valid Control (Sndsvmc) - Unknown owner - C:\WINDOWS\system32\sndsvmc.exe (file missing)


#2 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 01 December 2007 - 10:08 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, Khevinet.
My name is Richie and I'll be helping you to fix your problems.

Please rescan with HijackThis and post the entire log, which includes all the info at the top of the log, similar to the example below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:21:07 PM, on 11/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

#3 Khevinet

  • Topic Starter
  • Members
  • 57 posts
  • Gender:Male
  • Location:Korea

Posted 01 December 2007 - 11:52 AM

Sorry, I kinda thought that was extraneous information. Here's the full post:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:50:08 AM, on 02/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\devdrv\drv\40\devdrv16v4.exe
C:\Program Files\Adaptec\bin\v14\cdrv14.exe
c:\Program Files\Codec Pack\v14\codecsnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
c:\Program Files\Adaptec\bin\v14\cdrv14.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Adaptec\bin\v14\cdrv14.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\ModulerSvc.exe
C:\WINDOWS\system32\srvany.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\James Leborgne\Desktop\HiJackThis.exe

O2 - BHO: V2WinSP - {85F3E26A-AF03-4ED0-896C-650AD2951434} - C:\Program Files\SPack\SPack1213.dll (file missing)
O2 - BHO: (no name) - {CAD2484D-6D58-858D-F48A-CABAC5757DCA_} - (no file)
O3 - Toolbar: easykey - {CAD2484D-6D58-858D-F48A-CABAC5757DCA} - c:\program files\easykey\easykey.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [netsvrs32.exe] "C:\Program Files\Internet Explorer\Connection Wizard\netsvrs32.exe" svr01
O4 - HKLM\..\Run: [devdrv16v4] c:\Program Files\devdrv\drv\40\devdrv16v4.exe
O4 - HKLM\..\Run: [processcore4] c:\Program Files\Common Files\devdrv\Drive\40\processcore.exe
O4 - HKLM\..\Run: [cdrv14] c:\Program Files\Adaptec\bin\v14\cdrv14.exe
O4 - HKLM\..\Run: [hpctl14] c:\Program Files\Common Files\LGT\Engine\v14\hpctl14.exe
O4 - HKLM\..\Run: [Korean IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEKR\IMKRMIG.EXE
O4 - HKLM\..\Run: [twbfilosva1] C:\WINDOWS\system32\twbfilosva1.exe
O4 - HKLM\..\Run: [GDIPlus] C:\Windows\AppPatch\GDIPlus.exe
O4 - HKLM\..\Run: [dgup.exe] C:\Program Files\dweb\dgup.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Mnsets] C:\Program Files\Internet Explorer\Connection Wizard\Mnsets.exe
O4 - HKLM\..\Run: [Sense] c:\windows\Sense.exe
O4 - HKLM\..\Run: [jjjoxljt] C:\WINDOWS\system32\ias\nnjxnlx8\jjjoxljt.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [netsvrs32.exe] "C:\Program Files\Internet Explorer\Connection Wizard\netsvrs32.exe" svr01
O4 - HKCU\..\Run: [twbfilosva] C:\WINDOWS\system32\twbfilosva.exe
O4 - HKCU\..\Run: [twbfilosva1] C:\WINDOWS\system32\twbfilosva1.exe
O4 - HKCU\..\Run: [RUNON] C:\Program Files\Internet Explorer\Custom\RUNON.exe
O4 - HKCU\..\Run: [fnf] "C:\WINDOWS\Config\bp.exe"
O4 - HKCU\..\Run: [intr] "C:\WINDOWS\Config\bp.exe"
O4 - HKCU\..\Run: [qmat] "C:\WINDOWS\Config\bp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: directkey - {3548DCFA-FE35-435D-34DA-B175FAEF1685} - c:\PROGRA~1\DIRECT~1\DIRECT~1.DLL
O9 - Extra 'Tools' menuitem: directkey - {3548DCFA-FE35-435D-34DA-B175FAEF1685} - c:\PROGRA~1\DIRECT~1\DIRECT~1.DLL
O9 - Extra button: AIƮA?E - {37785D32-1604-410b-BF6E-82E65C67DB6C} - C:\Program Files\pointurl\pointurl.dll (file missing)
O9 - Extra 'Tools' menuitem: AIƮA?E - {37785D32-1604-410b-BF6E-82E65C67DB6C} - C:\Program Files\pointurl\pointurl.dll (file missing)
O9 - Extra button: CashOn - {731B4EB2-B447-4108-86EB-6F9B6A46E576} - C:\PROGRA~1\CashOn\bin\NCBUTT~1.DLL
O9 - Extra button: easykey - {ED157DAB-B415-DF48-48DA-4A8D5F48DABC} - c:\program files\easykey\easykey.dll
O9 - Extra 'Tools' menuitem: easykey - {ED157DAB-B415-DF48-48DA-4A8D5F48DABC} - c:\program files\easykey\easykey.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg5.cyworld.nate.com/ImageUpload...mageUpload2.cab
O16 - DPF: {0E96B258-D5FA-405E-A540-DB53E03376BD} (OrangeFileBox Control) - http://www.orangefile.com/ActiveX/OrangeFileBox.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {18D63578-EA2F-4A59-A49A-7F62E6B3DF3E} (ImP3 Control) - http://activexdown.paran.com/paranactivex/data/ImP3.cab
O16 - DPF: {1ABB898B-8A1A-40CB-8DE7-DAF5E560E814} (DSubActX Control) - http://cab1.diskster.com/recab/DSubActX.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {31FA72F5-BE46-4D6D-A10D-857C8D6F4BFA} (OrangeFileSearch Control) - http://www.orangefile.com/ActiveX/OrangeFileSearch.cab
O16 - DPF: {32D94A9F-9A18-4E12-863D-8AABA8CBDA78} (NateOnMMSAtx3 Class) - http://sms.nate.com/NateOnMMS_AX3.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5CA5E00D-80A8-475A-BF08-816FD56DBC38} (KTCtrl Class) - http://support.kornet.net/sw5/order/Speed/...peedNewCtrl.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownlo...Plugin11USA.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {788649EC-2622-4EE8-84A3-F49F6AA8399C} (QuizHelperCtrl Class) - http://www.activetutor.net/pub/cabs/quizhe.../QuizHelper.cab
O16 - DPF: {7C09DD8F-D1C6-4315-AE96-AC328FDF734B} (KTActiveX Control) - http://support.kornet.net/sw5/order/Speed/cab/KTActiveX.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://xecure.kbstar.com/xecure/xw_install_v7202.cab
O16 - DPF: {882A7CC6-0163-4BC1-8BC1-505E36C9FFA2} (MaxHelper Control) - http://www.maxmp3.co.kr/Ver2/App/totalApp/...r/maxhelper.cab
O16 - DPF: {8D88D553-E13C-492E-BC64-2DAF12782A81} (AClientChecker.AxAClientChecker) - http://image.cdi.co.kr/ibtprep/install/web...ientChecker.CAB
O16 - DPF: {913BF18F-672D-4676-9855-F9A192A88886} (IMBCContents Control) - http://touch.imbc.com/ocx/Online.cab
O16 - DPF: {99C709C7-4F58-46C1-855B-90213C760395} (v3d Class) - https://secure.kcp.co.kr/webpay/v3d/file/kcp_ansimclick.cab
O16 - DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} (MagicLockOCX Control) - http://www.cinewel.com/down/MagicLockOCX.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/mv/XTools.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} - http://k-defence.kbstar.com/kings/kdfx/kdfx238/kdfense8.cab
O16 - DPF: {A977FF0C-8757-4E76-8533-482F91946233} (Neowiz Login Control) - http://dl.sayclub.com/sayclub/sayctl/sayax.cab
O16 - DPF: {AF11AA64-87A5-4146-AF3B-A7BD0F278485} (SBStarter Control) - http://download.soribada.com/down/Soribada...206/SBStart.CAB
O16 - DPF: {AF60D574-F249-4243-8040-5521AAA5BB5E} (PandoraTVSet Class) - http://imgcdn.pandora.tv/pan_img/p3player/...ge/pdrtvset.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B45E969D-924F-4C83-ACF3-38CDD115AA2C} (MpiPlugin Class) - https://www.isaackorea.net/update/ilkactx.cab
O16 - DPF: {B8ECD16B-EC0C-407E-AF2D-7B4A6B6F8DCB} (AllatPayXATL Class) - https://tx.allatpay.com/component/AllatPayX.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CEAF43B1-E8C1-426D-A63C-92C71212E6E5} (PlayerCue Control) - http://touch.imbc.com/ActiveX/iMBCOnlineService.cab
O16 - DPF: {CF362BDB-4EA2-11D5-AB47-000102913414} (SetGlb Control) - http://touch.imbc.com/ocx/SetGlb.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://n-protect.kbstar.com/nprotect/module/npx.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://vbv.samsungcard.co.kr/keycrypt/npkcx.cab
O16 - DPF: {E3EAC26D-891F-499A-9C38-D8F165DE02B8} (SsoAccess Class) - http://www.daegu.go.kr/SSODemo/ssoObject/SsoAccess.cab
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - https://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
O16 - DPF: {F36C3235-C4AF-409F-B6A1-4F96BB1B533E} (CyGlobalCtl Class) - http://fs1.us.cyworld.com/common/activex/CyGlobal.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: bcsdlsvcs - Unknown owner - C:\WINDOWS\system32\bcsdlsvcs.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: codecsnd14 - Unknown owner - c:\Program Files\Codec Pack\v14\codecsnd.exe
O23 - Service: COM Interface Service (comifsrv) - Unknown owner - C:\WINDOWS\system32\comifs.exe (file missing)
O23 - Service: CSUpdateSvc - ANIJCORP - C:\WINDOWS\CSUpdateSvc.exe
O23 - Service: enginev14 - Unknown owner - c:\Program Files\Intel\v14\engine.exe (file missing)
O23 - Service: Help Manager Log (hlpmnglog) - Unknown owner - C:\WINDOWS\media\neternel.exe (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Local Control lagacy (LClagacy) - Unknown owner - C:\WINDOWS\npkscvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MudulerSvc - ANIJCORP - C:\WINDOWS\system32\ModulerSvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: PCI Adapter (PCIDown) - Unknown owner - C:\WINDOWS\alg.exe (file missing)
O23 - Service: servcproc - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: Network Connect Valid Control (Sndsvmc) - Unknown owner - C:\WINDOWS\system32\sndsvmc.exe (file missing)

--
End of file - 14095 bytes

___________________________________________________________________________________________________________________________________

I think this might be due to my girlfriend looking around on Korean sites. I've heard that they're notorious for malware.
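As an added triage helper (not part of this thread and not a HijackThis feature), the script below parses O2, O4 and O23 lines in the format shown in the log above and flags the entries a helper usually asks about first: services and BHOs whose file is missing, autostarts launched from Windows folders that hold no programs, one executable registered under several Run value names, and srvany.exe wrappers. The sample lines are copied from the log posted in this thread; the flag rules are this example's own heuristics, not verdicts from the thread.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted in this thread,
# plus vendor entries (Synaptics, HP, AVG) that should pass clean.
SAMPLE_LOG = r"""
O2 - BHO: V2WinSP - {85F3E26A-AF03-4ED0-896C-650AD2951434} - C:\Program Files\SPack\SPack1213.dll (file missing)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [GDIPlus] C:\Windows\AppPatch\GDIPlus.exe
O4 - HKLM\..\Run: [Sense] c:\windows\Sense.exe
O4 - HKCU\..\Run: [fnf] "C:\WINDOWS\Config\bp.exe"
O4 - HKCU\..\Run: [intr] "C:\WINDOWS\Config\bp.exe"
O4 - HKCU\..\Run: [qmat] "C:\WINDOWS\Config\bp.exe"
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: PCI Adapter (PCIDown) - Unknown owner - C:\WINDOWS\alg.exe (file missing)
O23 - Service: servcproc - Unknown owner - C:\WINDOWS\system32\srvany.exe
"""

# Line shapes as HijackThis 2.0 prints them.
RUN_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
SERVICE_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - '
                        r'(?P<path>.+?)(?P<missing> \(file missing\))?$')
BHO_RE = re.compile(r'^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[^}]*\}) - (?P<path>.*)$')
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)', re.IGNORECASE)

# Heuristic (this example's assumption): Windows folders that hold no legitimate
# autostart programs on an XP box, so a Run value pointing there deserves a look.
ODD_AUTOSTART_DIRS = {r"c:\windows", r"c:\windows\config", r"c:\windows\apppatch"}


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag: O2, O4 or O23
    name: str      # Run value name, service name or BHO name
    path: str      # executable or DLL the entry points at
    reason: str    # why a helper would want this entry explained


def exe_from_command(cmd: str) -> str:
    """Heuristic: the executable is everything up to the first '.exe', quotes stripped."""
    m = EXE_RE.match(cmd.strip())
    return m["path"] if m else cmd.strip()


def triage(log_text: str) -> list[Finding]:
    """Walk a HijackThis log and return the entries worth a second look."""
    findings: list[Finding] = []
    run_names: dict[str, list[str]] = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := RUN_RE.match(line):
            exe = exe_from_command(m["cmd"])
            run_names[exe.lower()].append(m["name"])
            folder = exe.rsplit("\\", 1)[0].lower()
            if folder in ODD_AUTOSTART_DIRS:
                findings.append(Finding("O4", m["name"], exe,
                                        "autostart from a Windows folder that normally holds no programs"))
        elif m := SERVICE_RE.match(line):
            if m["missing"]:
                findings.append(Finding("O23", m["name"], m["path"],
                                        "service registered for a file that no longer exists"))
            elif m["owner"] == "Unknown owner" and m["path"].lower().endswith("\\srvany.exe"):
                # srvany.exe runs an arbitrary program as a service; the real target
                # lives in the service's Parameters key, not in this log line.
                findings.append(Finding("O23", m["name"], m["path"],
                                        "srvany.exe wrapper: check which program the service launches"))
        elif m := BHO_RE.match(line):
            if m["path"].endswith("(file missing)") or m["path"] == "(no file)":
                findings.append(Finding("O2", m["name"], m["path"],
                                        "browser helper object with no DLL behind it"))
    # Several Run values launching one executable (fnf, intr, qmat -> bp.exe above)
    # is a persistence pattern, not something an installer does by accident.
    for exe, names in run_names.items():
        if len(names) > 1:
            findings.append(Finding("O4", ", ".join(names), exe,
                                    "one executable registered under several Run value names"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.name}: {f.path}\n      -> {f.reason}")
```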

#4 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 01 December 2007 - 12:05 PM

First enable the viewing of hidden files and folders:
http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

Now please go here and submit the following file for analysis, thanks:
c:\program files\easykey\easykey.dll
http://www.bleepingcomputer.com/submit-mal....php?channel=13

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 3'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.


Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.


If you have previously downloaded ComboFix, please delete that version now.

*Warning*
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.
Using this tool incorrectly could lead to your system becoming unusable.

Now download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Disconnect from the Internet.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
*Note*
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.
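
The ComboFix log requested above ends with a "Reg Loading Points" section listing the Run keys that start programs at logon, and that section is where a helper usually looks first for the re-installing programs the topic starter describes. The following Python script is an added illustration (mine, not ComboFix's, SDFix's or BleepingComputer's code) of how that section can be triaged automatically. It parses the Run-key lines and flags three things a defender wants to see: values whose trailing bracket is empty (assumed here to mean ComboFix found no file at that path when it ran; that reading of the format is my assumption), values that launch from directories legitimate autostart software rarely uses (the ODD_LOCATIONS list is a home-grown heuristic, not anything ComboFix documents), and several values starting the same binary. The sample log is constructed to mirror the format of the Run-key lines in this thread.

```python
"""Triage the Run-key lines of a ComboFix-style "Reg Loading Points" section.

Added illustration, not ComboFix's own code.  Assumptions (mine, not the
log's documentation): an empty "[]" after a path means no file was found at
that path when the scan ran, and ODD_LOCATIONS is a heuristic list of
directories that legitimate autostart programs rarely launch from.
"""
import re
from collections import defaultdict

# "[HKEY_...\Run]" header lines and '"name"="path" [stamp]' value lines.
HIVE_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
ENTRY_RE = re.compile(r'^"([^"]+)"="([^"]+)" \[([^\]]*)\]$')

# Heuristic (assumed) path fragments, compared case-insensitively.
ODD_LOCATIONS = (
    "\\windows\\config\\",
    "\\system32\\preinstall\\",
    "\\connection wizard\\",
    "\\temp\\",
    "\\temporary internet files\\",
    "\\apppatch\\",
)

# Constructed sample modelled on the Run-key lines of this thread's log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"netsvrs32.exe"="C:\Program Files\Internet Explorer\Connection Wizard\netsvrs32.exe" []
"fnf"="C:\WINDOWS\Config\bp.exe" []
"intr"="C:\WINDOWS\Config\bp.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 21:11]
"netsvrs32.exe"="C:\Program Files\Internet Explorer\Connection Wizard\netsvrs32.exe" []
"8lnonsnt"="C:\WINDOWS\system32\PreInstall\WinSE\qnjsx8jt\8lnonsnt.exe" [2007-11-21 22:21]
"""


def parse_run_entries(text):
    """Return [(hive, value_name, path, stamp)] for every value line under a hive header."""
    hive = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = HIVE_RE.match(line)
        if m:
            hive = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and hive:
            name, path, stamp = m.groups()
            entries.append((hive, name, path, stamp.strip()))
    return entries


def triage(text):
    """Return {(hive, value_name): sorted reasons} for the entries worth a closer look."""
    entries = parse_run_entries(text)
    launched_by = defaultdict(set)  # lower-cased path -> (hive, name) pairs that start it
    for hive, name, path, _ in entries:
        launched_by[path.lower()].add((hive, name))

    findings = {}
    for hive, name, path, stamp in entries:
        reasons = []
        if stamp == "":
            reasons.append("missing_file")  # assumption: "[]" == no file at scan time
        if any(frag in path.lower() for frag in ODD_LOCATIONS):
            reasons.append("odd_location")
        if len(launched_by[path.lower()]) > 1:
            reasons.append("shared_target")  # same binary started by several Run values
        if reasons:
            findings[(hive, name)] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for (hive, name), reasons in triage(SAMPLE_LOG).items():
        print(f"{hive.split(chr(92))[0]}  {name:15} {', '.join(reasons)}")
```

Run it as-is to see the constructed sample triaged, or replace SAMPLE_LOG with the text of a real ComboFix.txt. Entries such as the vendor-installed touchpad helper and ctfmon.exe produce no finding; the three checks are deliberately conservative so that what they do flag is the short list a helper reads first, not a verdict.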

#5 Khevinet

Khevinet
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Korea
  • Local time:09:17 AM

Posted 01 December 2007 - 11:05 PM

This is the SDFix log:


SDFix: Version 1.116

Run by Administrator on 02/12/2007 at 11:20 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
NetMap

Path:

NetMap - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\DOCUME~1\JAMESL~1\LOCALS~1\Temp\hd625.tmp - Deleted
C:\WINDOWS\system32\spoolsvc.exe - Deleted




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-02 11:36:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\\xc865\xc865\f?\xb7ed]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,00,a0,5d,00,00,00,00,00,64,2a,3c,61,32,..
"Changed"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\xc865\xc865\f?\xb7ed]
"Inno Setup: Setup Version"="5.0.7"
"Inno Setup: App Path"="C:\Program Files\ToToBrowser"
"InstallLocation"="C:\Program Files\ToToBrowser\"
"Inno Setup: Icon Group"="\xd1a0\xd1a0\xbe0c\xb77c\xc6b0\xc800"
"Inno Setup: User"="James Leborgne"
"DisplayName"="ToToBrowser verion 2"
"DisplayIcon"="C:\Program Files\ToToBrowser\ToToBrowser.exe"
"UninstallString"=""C:\Program Files\ToToBrowser\unins000.exe""
"QuietUninstallString"=""C:\Program Files\ToToBrowser\unins000.exe" /SILENT"
"NoModify"=dword:00000001
"NoRepair"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000092
"TracesSuccessful"=dword:00000004
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\\xb124\xc774\xd2b8\xc628]
"Order"=hex:08,00,00,00,02,00,00,00,06,01,00,00,01,00,00,00,02,00,00,00,78,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\xb124\xc774\xd2b8\xc628]
"Order"=hex:08,00,00,00,02,00,00,00,06,01,00,00,01,00,00,00,02,00,00,00,78,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\xd074\xb7fd\xbc15\xc2a4]
"Order"=hex:08,00,00,00,02,00,00,00,00,01,00,00,01,00,00,00,02,00,00,00,78,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\xf9760?\xc1b0]
"Order"=hex:08,00,00,00,02,00,00,00,f8,00,00,00,01,00,00,00,02,00,00,00,76,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\24\xd3a4\xd5e4\xb7a0?]
"Order"=hex:08,00,00,00,02,00,00,00,fa,01,00,00,01,00,00,00,04,00,00,00,76,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\24\xd3a4\xd5e4\xb7a0??]
"Order"=hex:08,00,00,00,02,00,00,00,0a,01,00,00,01,00,00,00,02,00,00,00,7c,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\24\xd3a4\xd5e4\xb7a0\xca08?]
"Order"=hex:08,00,00,00,02,00,00,00,0a,01,00,00,01,00,00,00,02,00,00,00,7c,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\1\xc1b0\xd623?\x8fa3\xf94e\xd2c8?]
"Order"=hex:08,00,00,00,02,00,00,00,0e,02,00,00,01,00,00,00,04,00,00,00,76,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\1\xc1b0\xc9da???]
"Order"=hex:08,00,00,00,02,00,00,00,06,02,00,00,01,00,00,00,04,00,00,00,76,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\34\xd586\x52fe]
"Order"=hex:08,00,00,00,02,00,00,00,fe,00,00,00,01,00,00,00,02,00,00,00,7c,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\34\xd586\x4e45]
"Order"=hex:08,00,00,00,02,00,00,00,fe,00,00,00,01,00,00,00,02,00,00,00,7c,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\H\xd1f4\xf93c\xd15d]
"Order"=hex:08,00,00,00,02,00,00,00,ec,01,00,00,01,00,00,00,04,00,00,00,76,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\ ?\x916a\xd531\xd4d4?\x7d93]
"Order"=hex:08,00,00,00,02,00,00,00,8a,00,00,00,01,00,00,00,01,00,00,00,7e,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\x???]
"Order"=hex:08,00,00,00,02,00,00,00,94,02,00,00,01,00,00,00,05,00,00,00,80,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\t\x9035?]
"Order"=hex:08,00,00,00,02,00,00,00,fe,01,00,00,01,00,00,00,04,00,00,00,76,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\xc865\xc865\f?\xb7ed]
"Order"=hex:08,00,00,00,02,00,00,00,0a,01,00,00,01,00,00,00,02,00,00,00,7c,..

scanning hidden files ...

C:\Documents and Settings\James Leborgne\Local Settings\Application Data\Microsoft\Messenger\thaneg45@hotmail.com\SharingMetadata\aweebitscrewy@hotmail.com\DFSR\Staging\CS{8BDA4B38-EC1B-79B4-9A30-42B1B216760A}\01\11-{8BDA4B38-EC1B-79B4-9A30-42B1B216760A}-v1-{8905571A-236E-496D-97E2-25B4358F98D6}-v11-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API
C:\Documents and Settings\James Leborgne\Local Settings\Application Data\Microsoft\Messenger\thaneg45@hotmail.com\SharingMetadata\aweebitscrewy@hotmail.com\DFSR\Staging\CS{8BDA4B38-EC1B-79B4-9A30-42B1B216760A}\15\115-{17D2DDF7-87E2-4353-9106-FDA580CF03D7}-v115-{17D2DDF7-87E2-4353-9106-FDA580CF03D7}-v115-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 3440 bytes hidden from API
C:\Documents and Settings\James Leborgne\Local Settings\Application Data\Microsoft\Messenger\thaneg45@hotmail.com\SharingMetadata\ciao9@hotmail.com\DFSR\Staging\CS{A77F0376-651C-2B80-6EA8-EE214D922557}\01\10-{A77F0376-651C-2B80-6EA8-EE214D922557}-v1-{8905571A-236E-496D-97E2-25B4358F98D6}-v10-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 3


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Messenger"
"C:\\Program Files\\NATEON\\BIN\\NateOnMain.exe"="C:\\Program Files\\NATEON\\BIN\\NateOnMain.exe:*:Enabled:NATE ON"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\dkeyup.exe"="C:\\WINDOWS\\system32\\dkeyup.exe:*:Disabled:dkeyup"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\WINDOWS\\system32\\skcbgm.exe"="C:\\WINDOWS\\system32\\skcbgm.exe:*:Enabled:SK Communications Cyworld BGM Player"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\system32\\dirkeyup.exe"="C:\\WINDOWS\\system32\\dirkeyup.exe:*:Enabled:DeskUpdata"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\WINDOWS\\system32\\complex.exe"="C:\\WINDOWS\\system32\\complex.exe:*:Enabled:DeskUpdata"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\system32\\dum.exe"="C:\\WINDOWS\\system32\\dum.exe:*:Enabled:DeskUpdata"
"C:\\WINDOWS\\system32\\eyk.exe"="C:\\WINDOWS\\system32\\eyk.exe:*:Enabled:eyk"
"C:\\Program Files\\Valve\\Steam\\Steam.exe"="C:\\Program Files\\Valve\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Enabled:Veoh Client"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sat 8 Sep 2007 578 ...H. --- "C:\Documents and Settings\James Leborgne\peogtb.sys"
Mon 29 Oct 2007 351 ...H. --- "C:\Documents and Settings\James Leborgne\regbs.tmp"
Fri 17 Aug 2007 625,152 A.SH. --- "C:\Program Files\Internet Explorer\iexplore.exe"
Thu 14 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Thu 6 Apr 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 29 Aug 2005 34,304 ...H. --- "C:\Documents and Settings\James Leborgne\My Documents\~WRL0001.tmp"
Thu 19 Apr 2007 22,528 ...H. --- "C:\Documents and Settings\James Leborgne\My Documents\~WRL0002.tmp"
Mon 17 Sep 2007 139,264 ...H. --- "C:\Program Files\Internet Explorer\Connection Wizard\hsheo.dll"
Sat 20 Jan 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Wed 21 Nov 2007 929,792 A..H. --- "C:\Documents and Settings\James Leborgne\Local Settings\Temporary Internet Files\ijjistarter2.exe"
Sat 16 Sep 2006 22,016 ...H. --- "C:\Documents and Settings\James Leborgne\My Documents\Native\~WRL0003.tmp"
Sat 16 Jul 2005 26,624 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\Portfolio\~WRL0003.tmp"
Thu 12 Jul 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d3226ed0a8904ae940c1794b1cd8b325\BIT1.tmp"
Thu 4 Oct 2007 21,504 ...H. --- "C:\Documents and Settings\James Leborgne\Application Data\Microsoft\Word\~WRL0378.tmp"
Wed 15 Sep 2004 4,348 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\My Music\License Backup\drmv1key.bak"
Wed 15 Sep 2004 20 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\My Music\License Backup\drmv1lic.bak"
Wed 15 Sep 2004 400 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\My Music\License Backup\drmv2key.bak"
Wed 15 Sep 2004 1,536 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\My Music\License Backup\drmv2lic.bak"
Wed 7 Nov 2007 29,184 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\1B\Nov-03\~WRL3092.tmp"
Sat 27 Oct 2007 24,064 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\~WRL0047.tmp"
Sat 27 Oct 2007 25,088 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\~WRL2326.tmp"
Sat 27 Oct 2007 24,064 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\~WRL2471.tmp"
Sat 27 Oct 2007 24,576 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\~WRL3087.tmp"
Sat 27 Oct 2007 25,088 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\~WRL3832.tmp"
Sat 27 Oct 2007 25,088 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\~WRL4053.tmp"
Sat 27 Oct 2007 24,064 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL0007.tmp"
Sat 27 Oct 2007 25,600 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL0106.tmp"
Sat 27 Oct 2007 25,600 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL0220.tmp"
Sat 27 Oct 2007 26,112 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL0337.tmp"
Sat 27 Oct 2007 26,624 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL0497.tmp"
Sat 27 Oct 2007 26,624 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL0849.tmp"
Sat 27 Oct 2007 26,624 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL0875.tmp"
Sat 27 Oct 2007 24,064 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL0945.tmp"
Sat 27 Oct 2007 25,088 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL1316.tmp"
Sat 27 Oct 2007 24,576 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL1438.tmp"
Sat 27 Oct 2007 24,064 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL1538.tmp"
Sat 27 Oct 2007 25,088 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL1987.tmp"
Sat 27 Oct 2007 25,600 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL2380.tmp"
Sat 27 Oct 2007 24,064 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL2669.tmp"
Sat 27 Oct 2007 25,600 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL3103.tmp"
Sat 27 Oct 2007 25,088 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL3180.tmp"
Sat 27 Oct 2007 25,600 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL3250.tmp"
Sat 27 Oct 2007 24,064 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL3455.tmp"
Sat 27 Oct 2007 24,064 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL3487.tmp"
Sat 27 Oct 2007 26,112 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL3672.tmp"
Sat 27 Oct 2007 26,112 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL3969.tmp"
Sat 27 Oct 2007 26,624 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL3990.tmp"
Sat 27 Oct 2007 24,064 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL4081.tmp"

Finished!

_______________________________________________________________________________________________________________________________


And the ComboFix log :

ComboFix 07-12-02.1 - James Leborgne 2007-12-02 11:49:31.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.949.82.1033.18.775 [GMT 9:00]
Running from: C:\Documents and Settings\James Leborgne\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Documents\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\My Playlists\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\Sample Music\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\000B6C12\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\0013AF10\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Pictures\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Videos\_desktop.ini
C:\Documents and Settings\James Leborgne\Application Data\macromedia\Flash Player\#SharedObjects\PCHZX6CJ\www.broadcaster.com
C:\Documents and Settings\James Leborgne\Application Data\macromedia\Flash Player\#SharedObjects\PCHZX6CJ\www.broadcaster.com\played_list.sol
C:\Documents and Settings\James Leborgne\Application Data\macromedia\Flash Player\#SharedObjects\PCHZX6CJ\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\James Leborgne\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\James Leborgne\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\LocalService\Application Data\b3.exe
C:\WINDOWS\Downloaded Program Files\SW
C:\WINDOWS\Downloaded Program Files\SW\ProtHK.dll
C:\WINDOWS\Downloaded Program Files\SW\ProtMng.exe
C:\WINDOWS\system32\app.exe
C:\WINDOWS\system32\instsrv.exe
C:\WINDOWS\system32\uninstall.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-02 to 2007-12-02 )))))))))))))))))))))))))))))))
.

2007-12-02 03:02 . 2007-12-02 03:02 <DIR> d-------- C:\WINDOWS\SDFIX
2007-12-02 02:55 . 2007-12-02 02:55 <DIR> d-------- C:\Program Files\Sun
2007-12-02 02:55 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-02 02:36 . 2007-12-02 02:37 <DIR> d-------- C:\Documents and Settings\James Leborgne\.SunDownloadManager
2007-11-30 22:14 . 2007-11-25 21:04 14,848 --a------ C:\WINDOWS\uninstall_Neo.exe
2007-11-30 22:13 . 2007-11-30 22:13 <DIR> d-------- C:\Program Files\InstallProc
2007-11-30 22:13 . 2007-11-30 22:13 <DIR> d-------- C:\Program Files\IEBSiteSetup
2007-11-30 22:13 . 2007-11-30 22:13 81,920 --a------ C:\WINDOWS\system32\CleanSearch.dll
2007-11-30 22:13 . 2007-11-30 22:13 67,637 --a------ C:\WINDOWS\UninstallCleanSearch.zip
2007-11-30 22:13 . 2007-11-30 22:13 40,960 --a------ C:\WINDOWS\CSUpdateSvc.exe
2007-11-30 22:13 . 2007-12-02 11:08 36,864 --a------ C:\WINDOWS\snssn.exe
2007-11-30 22:13 . 2007-11-30 22:13 244 --a------ C:\WINDOWS\ResetCSSvc.ini
2007-11-30 22:08 . 2007-11-30 22:08 20,480 --a------ C:\WINDOWS\system32\WinSp3Drv.exe
2007-11-30 22:08 . 2007-11-30 22:08 2 --a------ C:\WINDOWS\prta0.ini
2007-11-30 22:07 . 2007-11-30 22:14 <DIR> d-------- C:\Program Files\SearchSpy
2007-11-30 22:06 . 2007-11-30 22:14 <DIR> d-------- C:\Program Files\SPack
2007-11-30 22:05 . 2007-11-30 22:14 <DIR> d-------- C:\Program Files\SearchURL
2007-11-30 22:05 . 2007-11-30 22:05 220,672 --a------ C:\WINDOWS\SearchPackAppInstaller.exe
2007-11-30 22:05 . 2007-11-30 22:05 32,768 --a------ C:\WINDOWS\system32\SearchPackAppInstaller_apart.exe
2007-11-30 22:03 . 2007-11-30 22:03 28,672 --a------ C:\WINDOWS\system32\ModulerSvc.exe
2007-11-30 22:03 . 2007-11-30 22:03 28,672 --a------ C:\Documents and Settings\James Leborgne\ModulerSvc.exe
2007-11-30 22:03 . 2007-11-30 22:03 3,072 --a------ C:\WINDOWS\system32\userGC.dll
2007-11-29 02:11 . 2007-11-29 02:11 194,048 --a------ C:\WINDOWS\dkservices.exe
2007-11-28 08:47 . 2007-11-28 08:47 363 --a------ C:\WINDOWS\system32\servcproc.exe
2007-11-28 00:20 . 2007-11-28 00:20 8 --a------ C:\WINDOWS\wininit8.ini
2007-11-27 09:51 . 2007-11-27 09:51 <DIR> d-------- C:\Program Files\oyeaouo
2007-11-27 09:51 . 2007-11-27 09:51 700,928 --a------ C:\WINDOWS\system32\oyeaouo.EXE
2007-11-26 08:40 . 2007-11-28 13:17 <DIR> d-------- C:\Program Files\SolutionKSG
2007-11-26 08:39 . 2007-11-26 08:39 598 --a------ C:\WINDOWS\Demeter.sys
2007-11-25 21:04 . 2007-11-25 21:05 312,944 --a------ C:\WINDOWS\system32\sayax0.dll
2007-11-25 08:32 . 2007-11-25 08:32 700,928 --a------ C:\gcashback.exe
2007-11-24 09:07 . 2007-11-24 09:07 333,312 --a------ C:\c4.exe
2007-11-17 09:32 . 2007-11-25 01:29 <DIR> d-------- C:\Program Files\kpang
2007-11-16 09:48 . 2007-11-28 13:17 <DIR> d-------- C:\WINDOWS\system32\lbhjngbfggg
2007-11-13 22:36 . 2007-11-24 09:06 <DIR> d-------- C:\Program Files\isearch
2007-11-13 22:36 . 2007-11-13 22:36 <DIR> d-------- C:\Program Files\CashOn
2007-11-13 22:35 . 2007-11-13 22:35 332,288 --a------ C:\c2.exe
2007-11-12 12:34 . 2007-11-24 13:12 8 --a------ C:\WINDOWS\system32\afx.dat
2007-11-12 08:51 . 2007-11-13 09:50 <DIR> d-------- C:\Program Files\sync
2007-11-10 21:14 . 2007-11-10 21:15 <DIR> d-------- C:\Program Files\lbhjngbfggg
2007-11-10 10:27 . 2007-11-10 10:27 281,600 --a------ C:\WINDOWS\system32\instdq.exe
2007-11-08 23:40 . 2007-11-25 01:29 <DIR> d-------- C:\Program Files\PointUrl
2007-11-08 10:40 . 2007-11-28 10:23 <DIR> d-------- C:\Program Files\Common Files\ksv
2007-11-08 10:40 . 2007-11-08 10:40 235,008 --a------ C:\WINDOWS\netmap.exe
2007-11-07 22:50 . 2007-11-09 09:47 <DIR> d-------- C:\Program Files\dweb
2007-11-07 22:50 . 2007-11-07 22:50 235,008 --a------ C:\WINDOWS\system32\netmap.exe
2007-11-07 22:50 . 2007-11-07 22:50 8,192 --a------ C:\WINDOWS\system32\srvany.exe
2007-11-06 10:52 . 2007-11-06 22:40 <DIR> d-------- C:\WINDOWS\kdefense
2007-11-06 10:40 . 2007-11-06 10:40 361,712 --a------ C:\WINDOWS\system32\HCR.exe
2007-11-06 10:40 . 2004-08-04 22:00 15,360 --a------ C:\WINDOWS\system32\dllcache\ctfmon.exe
2007-11-06 10:40 . 2004-08-04 22:00 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2007-11-06 10:39 . 2007-11-06 10:49 <DIR> d-------- C:\Program Files\vaccine2008
2007-11-05 09:32 . 2007-11-05 09:32 <DIR> d-------- C:\Program Files\cash-backmoll
2007-11-05 09:32 . 2007-11-05 09:32 87,040 --a------ C:\WINDOWS\system32\DelZip179.dll
2007-11-02 18:24 . 2007-11-02 18:24 2,238 --a------ C:\WINDOWS\system32\32_32_08.ico

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-02 02:13 --------- d-----w C:\Documents and Settings\James Leborgne\Application Data\Skype
2007-12-01 17:55 --------- d-----w C:\Program Files\Java
2007-12-01 01:44 --------- d-----w C:\Documents and Settings\James Leborgne\Application Data\AVG7
2007-11-30 13:06 --------- d-----w C:\Program Files\Temp
2007-11-27 15:52 --------- d-----w C:\Documents and Settings\James Leborgne\Application Data\Azureus
2007-11-23 07:16 --------- d-----w C:\Documents and Settings\James Leborgne\Application Data\U3
2007-11-07 02:00 --------- d-----w C:\Program Files\EGSearch
2007-11-06 01:49 --------- d-----w C:\Program Files\mstobe
2007-11-06 01:49 --------- d-----w C:\Program Files\ktbr
2007-10-31 05:43 --------- d-----w C:\Program Files\coolcode
2007-10-31 03:48 --------- d-----w C:\Program Files\keywordsearch
2007-10-31 03:48 --------- d-----w C:\Program Files\centrim
2007-10-31 00:23 --------- d-----w C:\Program Files\webprotect
2007-10-31 00:23 --------- d-----w C:\Documents and Settings\James Leborgne\Application Data\Temp
2007-10-30 14:02 87,040 ----a-w C:\DelZip179.dll
2007-10-30 14:02 6,668 ----a-w C:\WINDOWS\setup_count003.zip
2007-10-30 14:02 264,518 ----a-w C:\WINDOWS\srrun_coolcode.zip
2007-10-30 14:02 227,328 ----a-w C:\installok.exe
2007-10-30 14:02 --------- d-----w C:\Program Files\webprotect2
2007-10-30 14:02 --------- d-----w C:\Program Files\okcashreturn
2007-10-29 07:33 6,669 ----a-w C:\WINDOWS\setup_count001.zip
2007-10-29 03:31 --------- d-----w C:\Program Files\fanmae
2007-10-28 08:05 28,672 ----a-w C:\WINDOWS\setup_count003.exe
2007-10-28 08:04 28,672 ----a-w C:\WINDOWS\setup_count001.exe
2007-10-25 14:40 46,080 ----a-w C:\WINDOWS\pickdisk_clean.exe
2007-10-25 14:36 44,032 ----a-w C:\WINDOWS\vmmregs32.exe
2007-10-21 13:07 --------- d-----w C:\Program Files\SEOSTECH
2007-10-21 13:07 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-21 00:49 --------- d-----w C:\Program Files\Common Files\Skype
2007-10-21 00:05 141,200 ----a-w C:\WINDOWS\cliati.exe
2007-10-20 01:45 153,031 ----a-w C:\conedit.exe
2007-10-19 16:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-19 16:22 --------- d-----w C:\Program Files\MSBuild
2007-10-19 16:22 --------- d-----w C:\Program Files\Microsoft Works
2007-10-19 16:19 --------- d-----w C:\Program Files\Microsoft.NET
2007-10-19 16:15 --------- d-----w C:\Program Files\LG Electronics
2007-10-19 16:15 --------- d-----w C:\Program Files\kcsrsc
2007-10-19 16:15 --------- d-----w C:\Program Files\grapati
2007-10-19 16:15 --------- d-----w C:\Program Files\DacomAdapte
2007-10-19 16:15 --------- d-----w C:\Program Files\Common Files\sec
2007-10-19 16:15 --------- d-----w C:\Program Files\CodecPack
2007-10-19 16:14 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-10-19 16:12 490,496 ----a-w C:\WINDOWS\cdrv14.exe
2007-10-19 16:12 --------- d-----w C:\Program Files\Common Files\LGT
2007-10-19 16:12 --------- d-----w C:\Program Files\Codec Pack
2007-10-19 16:12 --------- d-----w C:\Program Files\Adaptec
2007-10-19 16:10 --------- d-----w C:\Program Files\nsidebar
2007-10-19 16:10 --------- d-----w C:\Program Files\nreward
2007-10-19 16:09 --------- d-----w C:\Program Files\Intel
2007-10-19 16:09 --------- d-----w C:\Program Files\DirectX
2007-10-19 16:09 --------- d-----w C:\Program Files\Common Files\GRETECH
2007-10-19 16:06 --------- d-----w C:\Program Files\MediaPack
2007-10-19 16:06 --------- d-----w C:\Program Files\devdrv
2007-10-19 16:06 --------- d-----w C:\Program Files\Common Files\devdrv
2007-10-19 07:44 3 ----a-w C:\pmng.dat
2007-10-18 17:12 --------- d-----w C:\Program Files\doublepoint
2007-10-18 17:11 321,100 ----a-w C:\WINDOWS\srrun_doublepoint.zip
2007-10-16 23:33 18,944 ----a-w C:\WINDOWS\npkscvc.exe
2007-10-16 16:40 3,532 ----a-w C:\drmHeader.bin
2007-10-16 09:42 532,480 ----a-w C:\WINDOWS\srrun_coolcode.exe
2007-10-15 00:02 8,052 ----a-w C:\WINDOWS\setup_xfile0u_ektl.zip
2007-10-13 02:41 659,456 ----a-w C:\WINDOWS\srrun_doublepoint.exe
2007-10-12 10:08 28,672 ----a-w C:\WINDOWS\setup_xfile0u_ektl.exe
2007-10-10 16:16 --------- d-----w C:\Program Files\Daum
2007-10-10 03:17 --------- d-----w C:\Documents and Settings\James Leborgne\Application Data\ZoomBrowser EX
2007-10-10 03:12 --------- d-----w C:\Program Files\Canon
2007-10-10 03:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2007-10-10 03:09 --------- d-----w C:\Program Files\Common Files\Canon
2007-10-09 01:18 --------- d-----w C:\Documents and Settings\James Leborgne\Application Data\InstallShield
2007-10-07 06:26 7,680 ----a-w C:\katewins.exe
2007-10-06 17:31 --------- d--h--r C:\Documents and Settings\James Leborgne\Application Data\yahoo!
2007-10-06 17:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-10-05 12:37 --------- d-----w C:\Program Files\easykey
2007-10-05 12:36 149,665 ----a-w C:\callname.exe
2007-10-05 02:42 --------- d-----w C:\Program Files\iemx
2007-10-05 01:28 155,648 ----a-w C:\WINDOWS\poseidon_poseidon01.exe
2007-09-14 19:25 240,799 ----a-w C:\cpx.exe
2007-09-11 01:16 139,264 ---h--w C:\Program Files\ntfs
2007-09-07 18:02 578 ---h--w C:\Documents and Settings\James Leborgne\peogtb.sys
2007-09-07 13:24 67,544 ----a-w C:\to-sh.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85F3E26A-AF03-4ED0-896C-650AD2951434}]
C:\Program Files\SPack\SPack1213.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CAD2484D-6D58-858D-F48A-CABAC5757DCA_}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CAD2484D-6D58-858D-F48A-CABAC5757DCA}"= c:\program files\easykey\easykey.dll [2007-10-05 09:49 106496]

[HKEY_CLASSES_ROOT\clsid\{cad2484d-6d58-858d-f48a-cabac5757dca}]
[HKEY_CLASSES_ROOT\easykey.StockBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{27486DAB-BA57-58D4-C521-197ADFBACDAB}]
[HKEY_CLASSES_ROOT\easykey.StockBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"netsvrs32.exe"="C:\Program Files\Internet Explorer\Connection Wizard\netsvrs32.exe" []
"twbfilosva"="C:\WINDOWS\system32\twbfilosva.exe" [2007-10-20 03:04]
"twbfilosva1"="C:\WINDOWS\system32\twbfilosva1.exe" [2007-10-20 03:04]
"RUNON"="C:\Program Files\Internet Explorer\Custom\RUNON.exe" []
"fnf"="C:\WINDOWS\Config\bp.exe" []
"intr"="C:\WINDOWS\Config\bp.exe" []
"qmat"="C:\WINDOWS\Config\bp.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 21:12]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 21:11]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-22 21:05]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-02-17 14:01]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 13:24]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]
"netsvrs32.exe"="C:\Program Files\Internet Explorer\Connection Wizard\netsvrs32.exe" []
"devdrv16v4"="c:\Program Files\devdrv\drv\40\devdrv16v4.exe" [2007-10-20 01:06]
"processcore4"="c:\Program Files\Common Files\devdrv\Drive\40\processcore.exe" [2007-10-20 01:06]
"cdrv14"="c:\Program Files\Adaptec\bin\v14\cdrv14.exe" [2007-10-20 01:12]
"hpctl14"="c:\Program Files\Common Files\LGT\Engine\v14\hpctl14.exe" [2007-10-20 01:12]
"Korean IME Migration"="C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEKR\IMKRMIG.EXE" [2006-10-26 14:53]
"twbfilosva1"="C:\WINDOWS\system32\twbfilosva1.exe" [2007-10-20 03:04]
"GDIPlus"="C:\Windows\AppPatch\GDIPlus.exe" []
"dgup.exe"="C:\Program Files\dweb\dgup.exe" [2007-11-09 09:47]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-12-27 22:57]
"Mnsets"="C:\Program Files\Internet Explorer\Connection Wizard\Mnsets.exe" []
"Sense"="c:\windows\Sense.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"8lnonsnt"="C:\WINDOWS\system32\PreInstall\WinSE\qnjsx8jt\8lnonsnt.exe" [2007-11-21 22:21]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-04 17:00]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-31 12:46]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=C:\WINDOWS\pss\DVD Check.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AROReminder]
C:\Program Files\Advanced Registry Optimizer\aro.exe -rem

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-03-22 21:05 339968 --a------ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
2005-02-17 14:01 233534 --a------ C:\Program Files\HPQ\Default Settings\cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-16 23:11 49152 --a------ C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2005-04-12 07:21 794624 --a------ C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-09-26 14:42 267064 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2007-02-23 12:30 67128 --a------ C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
Logi_MwX.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
2004-10-15 05:54 253952 --a------ c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
2002-12-10 17:54 127022 --a------ C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
2005-07-05 05:47 184320 --a------ C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMSRC]
C:\Program Files\Windows Media Player\siratic.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
2003-12-02 00:38 892928 --a------ C:\Program Files\Logitech\iTouch\iTouch.exe

R2 codecsnd14;codecsnd14;c:\Program Files\Codec Pack\v14\codecsnd.exe
R2 CSUpdateSvc;CSUpdateSvc;C:\WINDOWS\CSUpdateSvc.exe
R2 MudulerSvc;MudulerSvc;C:\WINDOWS\system32\ModulerSvc.exe
R2 servcproc;servcproc;C:\WINDOWS\system32\srvany.exe
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys
R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys
S2 bcsdlsvcs;bcsdlsvcs;C:\WINDOWS\system32\bcsdlsvcs.exe
S2 comifsrv;COM Interface Service;C:\WINDOWS\system32\comifs.exe
S2 enginev14;enginev14;c:\Program Files\Intel\v14\engine.exe
S2 hlpmnglog;Help Manager Log;C:\WINDOWS\media\neternel.exe
S2 LClagacy;Local Control lagacy;C:\WINDOWS\npkscvc.exe
S2 PCIDown;PCI Adapter;C:\WINDOWS\alg.exe
S2 Sndsvmc;Network Connect Valid Control;C:\WINDOWS\system32\sndsvmc.exe
S3 kpang;kpang;\??\C:\WINDOWS\system32\drivers\kpang.sys
S4 lesstheme1;lesstheme1;c:\Program Files\MediaPack\40\lesstheme.exe
S4 systemcache4;systemcache4;c:\Program Files\CodecPack\40\systemcache.exe
S4 videoctls;videoctls;c:\Program Files\LG Electronics\drv\videoctl.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-16 05:07:30 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-02 11:53:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe???????9?7?4?1?????? ??B?????????????hLC? ?????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-02 11:55:57 - machine was rebooted
.
--- E O F ---

_____________________________________________________________________________________________________________________________

And the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:01:41 PM, on 02/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
c:\Program Files\Codec Pack\v14\codecsnd.exe
c:\Program Files\Adaptec\bin\v14\cdrv14.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\ModulerSvc.exe
C:\WINDOWS\system32\srvany.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\devdrv\drv\40\devdrv16v4.exe
C:\Program Files\Adaptec\bin\v14\cdrv14.exe
c:\Program Files\Adaptec\bin\v14\cdrv14.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\iTunes\iTunes.exe
C:\Documents and Settings\James Leborgne\Desktop\HiJackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: V2WinSP - {85F3E26A-AF03-4ED0-896C-650AD2951434} - C:\Program Files\SPack\SPack1213.dll (file missing)
O2 - BHO: (no name) - {CAD2484D-6D58-858D-F48A-CABAC5757DCA_} - (no file)
O3 - Toolbar: easykey - {CAD2484D-6D58-858D-F48A-CABAC5757DCA} - c:\program files\easykey\easykey.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [netsvrs32.exe] "C:\Program Files\Internet Explorer\Connection Wizard\netsvrs32.exe" svr01
O4 - HKLM\..\Run: [devdrv16v4] c:\Program Files\devdrv\drv\40\devdrv16v4.exe
O4 - HKLM\..\Run: [processcore4] c:\Program Files\Common Files\devdrv\Drive\40\processcore.exe
O4 - HKLM\..\Run: [cdrv14] c:\Program Files\Adaptec\bin\v14\cdrv14.exe
O4 - HKLM\..\Run: [hpctl14] c:\Program Files\Common Files\LGT\Engine\v14\hpctl14.exe
O4 - HKLM\..\Run: [Korean IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEKR\IMKRMIG.EXE
O4 - HKLM\..\Run: [twbfilosva1] C:\WINDOWS\system32\twbfilosva1.exe
O4 - HKLM\..\Run: [GDIPlus] C:\Windows\AppPatch\GDIPlus.exe
O4 - HKLM\..\Run: [dgup.exe] C:\Program Files\dweb\dgup.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Mnsets] C:\Program Files\Internet Explorer\Connection Wizard\Mnsets.exe
O4 - HKLM\..\Run: [Sense] c:\windows\Sense.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [8jqxtojj] C:\WINDOWS\system32\mui\0409\sqqjnsxx\8jqxtojj.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [netsvrs32.exe] "C:\Program Files\Internet Explorer\Connection Wizard\netsvrs32.exe" svr01
O4 - HKCU\..\Run: [twbfilosva] C:\WINDOWS\system32\twbfilosva.exe
O4 - HKCU\..\Run: [twbfilosva1] C:\WINDOWS\system32\twbfilosva1.exe
O4 - HKCU\..\Run: [RUNON] C:\Program Files\Internet Explorer\Custom\RUNON.exe
O4 - HKCU\..\Run: [fnf] "C:\WINDOWS\Config\bp.exe"
O4 - HKCU\..\Run: [intr] "C:\WINDOWS\Config\bp.exe"
O4 - HKCU\..\Run: [qmat] "C:\WINDOWS\Config\bp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: directkey - {3548DCFA-FE35-435D-34DA-B175FAEF1685} - c:\PROGRA~1\DIRECT~1\DIRECT~1.DLL
O9 - Extra 'Tools' menuitem: directkey - {3548DCFA-FE35-435D-34DA-B175FAEF1685} - c:\PROGRA~1\DIRECT~1\DIRECT~1.DLL
O9 - Extra button: AIƮA?E - {37785D32-1604-410b-BF6E-82E65C67DB6C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AIƮA?E - {37785D32-1604-410b-BF6E-82E65C67DB6C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: CashOn - {731B4EB2-B447-4108-86EB-6F9B6A46E576} - C:\PROGRA~1\CashOn\bin\NCBUTT~1.DLL
O9 - Extra button: easykey - {ED157DAB-B415-DF48-48DA-4A8D5F48DABC} - c:\program files\easykey\easykey.dll
O9 - Extra 'Tools' menuitem: easykey - {ED157DAB-B415-DF48-48DA-4A8D5F48DABC} - c:\program files\easykey\easykey.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg5.cyworld.nate.com/ImageUpload...mageUpload2.cab
O16 - DPF: {0E96B258-D5FA-405E-A540-DB53E03376BD} (OrangeFileBox Control) - http://www.orangefile.com/ActiveX/OrangeFileBox.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {18D63578-EA2F-4A59-A49A-7F62E6B3DF3E} (ImP3 Control) - http://activexdown.paran.com/paranactivex/data/ImP3.cab
O16 - DPF: {1ABB898B-8A1A-40CB-8DE7-DAF5E560E814} (DSubActX Control) - http://cab1.diskster.com/recab/DSubActX.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {31FA72F5-BE46-4D6D-A10D-857C8D6F4BFA} (OrangeFileSearch Control) - http://www.orangefile.com/ActiveX/OrangeFileSearch.cab
O16 - DPF: {32D94A9F-9A18-4E12-863D-8AABA8CBDA78} (NateOnMMSAtx3 Class) - http://sms.nate.com/NateOnMMS_AX3.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5CA5E00D-80A8-475A-BF08-816FD56DBC38} (KTCtrl Class) - http://support.kornet.net/sw5/order/Speed/...peedNewCtrl.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownlo...Plugin11USA.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {788649EC-2622-4EE8-84A3-F49F6AA8399C} (QuizHelperCtrl Class) - http://www.activetutor.net/pub/cabs/quizhe.../QuizHelper.cab
O16 - DPF: {7C09DD8F-D1C6-4315-AE96-AC328FDF734B} (KTActiveX Control) - http://support.kornet.net/sw5/order/Speed/cab/KTActiveX.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://xecure.kbstar.com/xecure/xw_install_v7202.cab
O16 - DPF: {882A7CC6-0163-4BC1-8BC1-505E36C9FFA2} (MaxHelper Control) - http://www.maxmp3.co.kr/Ver2/App/totalApp/...r/maxhelper.cab
O16 - DPF: {8D88D553-E13C-492E-BC64-2DAF12782A81} (AClientChecker.AxAClientChecker) - http://image.cdi.co.kr/ibtprep/install/web...ientChecker.CAB
O16 - DPF: {913BF18F-672D-4676-9855-F9A192A88886} (IMBCContents Control) - http://touch.imbc.com/ocx/Online.cab
O16 - DPF: {99C709C7-4F58-46C1-855B-90213C760395} (v3d Class) - https://secure.kcp.co.kr/webpay/v3d/file/kcp_ansimclick.cab
O16 - DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} (MagicLockOCX Control) - http://www.cinewel.com/down/MagicLockOCX.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/mv/XTools.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} - http://k-defence.kbstar.com/kings/kdfx/kdfx238/kdfense8.cab
O16 - DPF: {A977FF0C-8757-4E76-8533-482F91946233} (Neowiz Login Control) - http://dl.sayclub.com/sayclub/sayctl/sayax.cab
O16 - DPF: {AF11AA64-87A5-4146-AF3B-A7BD0F278485} (SBStarter Control) - http://download.soribada.com/down/Soribada...206/SBStart.CAB
O16 - DPF: {AF60D574-F249-4243-8040-5521AAA5BB5E} (PandoraTVSet Class) - http://imgcdn.pandora.tv/pan_img/p3player/...ge/pdrtvset.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B45E969D-924F-4C83-ACF3-38CDD115AA2C} (MpiPlugin Class) - https://www.isaackorea.net/update/ilkactx.cab
O16 - DPF: {B8ECD16B-EC0C-407E-AF2D-7B4A6B6F8DCB} (AllatPayXATL Class) - https://tx.allatpay.com/component/AllatPayX.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CEAF43B1-E8C1-426D-A63C-92C71212E6E5} (PlayerCue Control) - http://touch.imbc.com/ActiveX/iMBCOnlineService.cab
O16 - DPF: {CF362BDB-4EA2-11D5-AB47-000102913414} (SetGlb Control) - http://touch.imbc.com/ocx/SetGlb.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://n-protect.kbstar.com/nprotect/module/npx.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://vbv.samsungcard.co.kr/keycrypt/npkcx.cab
O16 - DPF: {E3EAC26D-891F-499A-9C38-D8F165DE02B8} (SsoAccess Class) - http://www.daegu.go.kr/SSODemo/ssoObject/SsoAccess.cab
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - https://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
O16 - DPF: {F36C3235-C4AF-409F-B6A1-4F96BB1B533E} (CyGlobalCtl Class) - http://fs1.us.cyworld.com/common/activex/CyGlobal.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: bcsdlsvcs - Unknown owner - C:\WINDOWS\system32\bcsdlsvcs.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: codecsnd14 - Unknown owner - c:\Program Files\Codec Pack\v14\codecsnd.exe
O23 - Service: COM Interface Service (comifsrv) - Unknown owner - C:\WINDOWS\system32\comifs.exe (file missing)
O23 - Service: CSUpdateSvc - ANIJCORP - C:\WINDOWS\CSUpdateSvc.exe
O23 - Service: enginev14 - Unknown owner - c:\Program Files\Intel\v14\engine.exe (file missing)
O23 - Service: Help Manager Log (hlpmnglog) - Unknown owner - C:\WINDOWS\media\neternel.exe (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Local Control lagacy (LClagacy) - Unknown owner - C:\WINDOWS\npkscvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MudulerSvc - ANIJCORP - C:\WINDOWS\system32\ModulerSvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: PCI Adapter (PCIDown) - Unknown owner - C:\WINDOWS\alg.exe (file missing)
O23 - Service: servcproc - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: Network Connect Valid Control (Sndsvmc) - Unknown owner - C:\WINDOWS\system32\sndsvmc.exe (file missing)

--
End of file - 14428 bytes
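The Run-key and service lines in the two logs above are what the responders scan by eye for the usual tells: a service whose binary no longer exists, a service with no publisher string, an executable parked in the Windows root or in a data folder such as Config or AppPatch, and the same program registered under both HKLM and HKCU Run. The script below is an added illustration of those checks; it was not posted in this thread and is not part of HijackThis or ComboFix. It parses O4 and O23 lines and runs the checks over ten lines copied from the log above. The folder list, the system32 rule and the wording of the reasons are this example's own assumptions, chosen to rank what to look at first, not to decide what is malware.

```python
"""Heuristic triage of HijackThis v2 O4 (Run keys) and O23 (services) lines.

Added example for this thread, not a tool anyone in it used. The directory
lists and the rules below are this example's own assumptions: they encode the
checks a log reader applies by eye, not a definitive allow/deny list.
"""
import re
from collections import defaultdict

# Ten lines copied from the HijackThis log posted above (not constructed).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [netsvrs32.exe] "C:\Program Files\Internet Explorer\Connection Wizard\netsvrs32.exe" svr01
O4 - HKLM\..\Run: [GDIPlus] C:\Windows\AppPatch\GDIPlus.exe
O4 - HKLM\..\Run: [8jqxtojj] C:\WINDOWS\system32\mui\0409\sqqjnsxx\8jqxtojj.exe
O4 - HKCU\..\Run: [netsvrs32.exe] "C:\Program Files\Internet Explorer\Connection Wizard\netsvrs32.exe" svr01
O4 - HKCU\..\Run: [fnf] "C:\WINDOWS\Config\bp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PCI Adapter (PCIDown) - Unknown owner - C:\WINDOWS\alg.exe (file missing)
O23 - Service: CSUpdateSvc - ANIJCORP - C:\WINDOWS\CSUpdateSvc.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# First quoted or unquoted drive-letter path that ends in an executable extension.
EXE_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll|cpl|scr))"?', re.IGNORECASE)

# Assumption: an autostart executable sitting directly in one of these folders,
# or nested below system32 anywhere except drivers\, is unusual enough to check.
ODD_PARENTS = {r"c:\windows", r"c:\windows\config", r"c:\windows\media", r"c:\windows\apppatch"}
SYS32_PREFIX = r"c:\windows\system32" + "\\"
MISSING = " (file missing)"


def executable_path(cmd):
    """Pull the executable out of a Run value such as '"C:\\x y\\a.exe" -flag'."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else None


def odd_location(path):
    """Return a reason string if the executable's folder looks out of place, else None."""
    parent, _, _ = path.lower().rpartition("\\")
    if parent in ODD_PARENTS:
        return f"executable in unusual autostart location {parent}"
    if parent.startswith(SYS32_PREFIX) and not parent.startswith(SYS32_PREFIX + "drivers"):
        return f"executable nested below system32 at {parent}"
    return None


def triage(log_text):
    """Map each suspicious log line to the list of heuristics it tripped."""
    findings = defaultdict(list)
    runs = []  # (line, hive, lower-cased path) for every parsed O4 entry

    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            path = executable_path(m.group("cmd"))
            if path is None:
                findings[line].append("could not parse an executable path")
            else:
                runs.append((line, m.group("hive"), path.lower()))
        elif m := O23_RE.match(line):
            svc_path = m.group("path")
            if MISSING in svc_path:
                findings[line].append("service binary is missing (stale or half-removed entry)")
                svc_path = svc_path.replace(MISSING, "")
            if m.group("owner") == "Unknown owner":
                findings[line].append("no publisher string; verify the binary by hand")
            if reason := odd_location(svc_path.strip()):
                findings[line].append(reason)

    # The same path registered under more than one hive (HKLM and HKCU) is a
    # common persistence pattern; legitimate installers normally pick one.
    hives = defaultdict(set)
    for _, hive, path in runs:
        hives[path].add(hive)
    for line, _, path in runs:
        if reason := odd_location(path):
            findings[line].append(reason)
        if len(hives[path]) > 1:
            findings[line].append("same executable registered under " + ", ".join(sorted(hives[path])))
    return dict(findings)


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

Run as-is it prints the flagged sample lines with their reasons; for a real log use `triage(open("hijackthis.log").read())`. Entries that trip no rule (SynTPEnh, ctfmon.exe, the Lexmark service) are left out of the result, but a clean heuristic result is not a clean machine: the rules only order the manual review that the responders in this thread do by hand.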

#6 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 02 December 2007 - 05:57 AM

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1
Do not run it just yet.

Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.
Do not run it just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and, after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Now double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Now Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.


Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and, after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", click "OK" to start. This is a short scan that will scan the files currently running in memory; when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)


Double-click on Combofix.exe again and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Also post a new HijackThis log, please.