Korean Spyware Lag Returns


  • This topic is locked
32 replies to this topic

#1 Khevinet

  • Members
  • 57 posts
  • Gender:Male
  • Location:Korea

Posted 17 December 2007 - 09:15 AM

I had posted about a month ago when I had serious lag problems. They were fixed then, but now they have suddenly reappeared.

I have my HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:56:05 PM, on 17/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
c:\Program Files\Codec Pack\v14\codecsnd.exe
C:\Program Files\Samsung\AnyPC\APSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\ModulerSvc.exe
C:\WINDOWS\system32\srvany.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\James Leborgne\Desktop\HiJackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: V2WinSP - {85F3E26A-AF03-4ED0-896C-650AD2951434} - C:\Program Files\SPack\SPack1213.dll (file missing)
O2 - BHO: (no name) - {CAD2484D-6D58-858D-F48A-CABAC5757DCA_} - (no file)
O3 - Toolbar: easykey - {CAD2484D-6D58-858D-F48A-CABAC5757DCA} - c:\program files\easykey\easykey.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [netsvrs32.exe] "C:\Program Files\Internet Explorer\Connection Wizard\netsvrs32.exe" svr01
O4 - HKLM\..\Run: [Korean IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEKR\IMKRMIG.EXE
O4 - HKLM\..\Run: [GDIPlus] C:\Windows\AppPatch\GDIPlus.exe
O4 - HKLM\..\Run: [dgup.exe] C:\Program Files\dweb\dgup.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Mnsets] C:\Program Files\Internet Explorer\Connection Wizard\Mnsets.exe
O4 - HKLM\..\Run: [Sense] c:\windows\Sense.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [fimpsvbehk] C:\WINDOWS\system32\fimpsvbehk.exe
O4 - HKLM\..\Run: [bfilosvadh] C:\WINDOWS\system32\bfilosvadh.exe
O4 - HKLM\..\Run: [swbehlorua] C:\WINDOWS\system32\swbehlorua.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Getta] c:\windows\system32\Getta.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [netsvrs32.exe] "C:\Program Files\Internet Explorer\Connection Wizard\netsvrs32.exe" svr01
O4 - HKCU\..\Run: [RUNON] C:\Program Files\Internet Explorer\Custom\RUNON.exe
O4 - HKCU\..\Run: [fnf] "C:\WINDOWS\Config\bp.exe"
O4 - HKCU\..\Run: [intr] "C:\WINDOWS\Config\bp.exe"
O4 - HKCU\..\Run: [qmat] "C:\WINDOWS\Config\bp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [bfilosvadh] C:\WINDOWS\system32\bfilosvadh.exe
O4 - HKCU\..\Run: [MyComGoPlus] "C:\Program Files\MyComGoPlus\MGUpdate.exe" boot
O4 - HKCU\..\Run: [swbehlorua] C:\WINDOWS\system32\swbehlorua.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: directkey - {3548DCFA-FE35-435D-34DA-B175FAEF1685} - c:\PROGRA~1\DIRECT~1\DIRECT~1.DLL
O9 - Extra 'Tools' menuitem: directkey - {3548DCFA-FE35-435D-34DA-B175FAEF1685} - c:\PROGRA~1\DIRECT~1\DIRECT~1.DLL
O9 - Extra button: AIƮA?E - {37785D32-1604-410b-BF6E-82E65C67DB6C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AIƮA?E - {37785D32-1604-410b-BF6E-82E65C67DB6C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: CashOn - {731B4EB2-B447-4108-86EB-6F9B6A46E576} - C:\PROGRA~1\CashOn\bin\NCBUTT~1.DLL
O9 - Extra button: easykey - {ED157DAB-B415-DF48-48DA-4A8D5F48DABC} - c:\program files\easykey\easykey.dll
O9 - Extra 'Tools' menuitem: easykey - {ED157DAB-B415-DF48-48DA-4A8D5F48DABC} - c:\program files\easykey\easykey.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg5.cyworld.nate.com/ImageUpload...mageUpload2.cab
O16 - DPF: {0E96B258-D5FA-405E-A540-DB53E03376BD} (OrangeFileBox Control) - http://www.orangefile.com/ActiveX/OrangeFileBox.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {18D63578-EA2F-4A59-A49A-7F62E6B3DF3E} (ImP3 Control) - http://activexdown.paran.com/paranactivex/data/ImP3.cab
O16 - DPF: {1ABB898B-8A1A-40CB-8DE7-DAF5E560E814} (DSubActX Control) - http://cab1.diskster.com/recab/DSubActX.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {31FA72F5-BE46-4D6D-A10D-857C8D6F4BFA} (OrangeFileSearch Control) - http://www.orangefile.com/ActiveX/OrangeFileSearch.cab
O16 - DPF: {32D94A9F-9A18-4E12-863D-8AABA8CBDA78} (NateOnMMSAtx3 Class) - http://sms.nate.com/NateOnMMS_AX3.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5CA5E00D-80A8-475A-BF08-816FD56DBC38} (KTCtrl Class) - http://support.kornet.net/sw5/order/Speed/...peedNewCtrl.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownlo...Plugin11USA.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {788649EC-2622-4EE8-84A3-F49F6AA8399C} (QuizHelperCtrl Class) - http://www.activetutor.net/pub/cabs/quizhe.../QuizHelper.cab
O16 - DPF: {7C09DD8F-D1C6-4315-AE96-AC328FDF734B} (KTActiveX Control) - http://support.kornet.net/sw5/order/Speed/cab/KTActiveX.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://xecure.kbstar.com/xecure/xw_install_v7202.cab
O16 - DPF: {8D88D553-E13C-492E-BC64-2DAF12782A81} (AClientChecker.AxAClientChecker) - http://image.cdi.co.kr/ibtprep/install/web...ientChecker.CAB
O16 - DPF: {913BF18F-672D-4676-9855-F9A192A88886} (IMBCContents Control) - http://touch.imbc.com/ocx/Online.cab
O16 - DPF: {91A6D076-F1AA-44DC-9825-9F7DE41E2398} (WooricyMap Control) - http://traffic.local.naver.com/Traffic_bro...p(1,0,0,23).cab
O16 - DPF: {99C709C7-4F58-46C1-855B-90213C760395} (v3d Class) - https://secure.kcp.co.kr/webpay/v3d/file/kcp_ansimclick.cab
O16 - DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} (MagicLockOCX Control) - http://www.cinewel.com/down/MagicLockOCX.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/mv/XTools.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} - http://k-defence.kbstar.com/kings/kdfx/kdfx238/kdfense8.cab
O16 - DPF: {A977FF0C-8757-4E76-8533-482F91946233} (Neowiz Login Control) - http://dl.sayclub.com/sayclub/sayctl/sayax.cab
O16 - DPF: {AF11AA64-87A5-4146-AF3B-A7BD0F278485} (SBStarter Control) - http://download.soribada.com/down/Soribada...206/SBStart.CAB
O16 - DPF: {AF60D574-F249-4243-8040-5521AAA5BB5E} (PandoraTVSet Class) - http://imgcdn.pandora.tv/pan_img/p3player/...ge/pdrtvset.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B45E969D-924F-4C83-ACF3-38CDD115AA2C} (MpiPlugin Class) - https://www.isaackorea.net/update/ilkactx.cab
O16 - DPF: {B8ECD16B-EC0C-407E-AF2D-7B4A6B6F8DCB} (AllatPayXATL Class) - https://tx.allatpay.com/component/AllatPayX.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CEAF43B1-E8C1-426D-A63C-92C71212E6E5} (PlayerCue Control) - http://touch.imbc.com/ActiveX/iMBCOnlineService.cab
O16 - DPF: {CF362BDB-4EA2-11D5-AB47-000102913414} (SetGlb Control) - http://touch.imbc.com/ocx/SetGlb.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://n-protect.kbstar.com/nprotect/module/npx.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://vbv.samsungcard.co.kr/keycrypt/npkcx.cab
O16 - DPF: {E3EAC26D-891F-499A-9C38-D8F165DE02B8} (SsoAccess Class) - http://www.daegu.go.kr/SSODemo/ssoObject/SsoAccess.cab
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - https://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
O16 - DPF: {F1149E8A-79EB-4859-835E-95432B72FEA2} (AnycallLAND_DownCheck Control) - http://img.anycall.com/anycall/support/act...nCheckProj1.cab
O16 - DPF: {F36C3235-C4AF-409F-B6A1-4F96BB1B533E} (CyGlobalCtl Class) - http://fs1.us.cyworld.com/common/activex/CyGlobal.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: bcsdlsvcs - Unknown owner - C:\WINDOWS\system32\bcsdlsvcs.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: codecsnd14 - Unknown owner - c:\Program Files\Codec Pack\v14\codecsnd.exe
O23 - Service: COM Interface Service (comifsrv) - Unknown owner - C:\WINDOWS\system32\comifs.exe (file missing)
O23 - Service: CoolGate Helper - DoctorSoft - C:\Program Files\Samsung\AnyPC\APSvc.exe
O23 - Service: enginev14 - Unknown owner - c:\Program Files\Intel\v14\engine.exe (file missing)
O23 - Service: Help Manager Log (hlpmnglog) - Unknown owner - C:\WINDOWS\media\neternel.exe (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MudulerSvc - ANIJCORP - C:\WINDOWS\system32\ModulerSvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: PCI Adapter (PCIDown) - Unknown owner - C:\WINDOWS\alg.exe (file missing)
O23 - Service: servcproc - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: Network Connect Valid Control (Sndsvmc) - Unknown owner - C:\WINDOWS\system32\sndsvmc.exe (file missing)

--
End of file - 14435 bytes
________________________________________________________________________________________________________________________________

Additionally, I ran ComboFix and SDFix.

Here is SDFix

SDFix: Version 1.116

Run by James Leborgne on 2007-12-17 at 14:10

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found





Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-17 14:27:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

IPC error: 2 The system cannot find the file specified.
scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\\xc865\xc865\f?\xb7ed]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,00,a0,5d,00,00,00,00,00,64,2a,3c,61,32,..
"Changed"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\xc865\xc865\f?\xb7ed]
"Inno Setup: Setup Version"="5.0.7"
"Inno Setup: App Path"="C:\Program Files\ToToBrowser"
"InstallLocation"="C:\Program Files\ToToBrowser\"
"Inno Setup: Icon Group"="\xd1a0\xd1a0\xbe0c\xb77c\xc6b0\xc800"
"Inno Setup: User"="James Leborgne"
"DisplayName"="ToToBrowser verion 2"
"DisplayIcon"="C:\Program Files\ToToBrowser\ToToBrowser.exe"
"UninstallString"=""C:\Program Files\ToToBrowser\unins000.exe""
"QuietUninstallString"=""C:\Program Files\ToToBrowser\unins000.exe" /SILENT"
"NoModify"=dword:00000001
"NoRepair"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\\xb124\xc774\xd2b8\xc628]
"Order"=hex:08,00,00,00,02,00,00,00,06,01,00,00,01,00,00,00,02,00,00,00,78,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\xb124\xc774\xd2b8\xc628]
"Order"=hex:08,00,00,00,02,00,00,00,06,01,00,00,01,00,00,00,02,00,00,00,78,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\xd074\xb7fd\xbc15\xc2a4]
"Order"=hex:08,00,00,00,02,00,00,00,00,01,00,00,01,00,00,00,02,00,00,00,78,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\xf9760?\xc1b0]
"Order"=hex:08,00,00,00,02,00,00,00,f8,00,00,00,01,00,00,00,02,00,00,00,76,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\24\xd3a4\xd5e4\xb7a0?]
"Order"=hex:08,00,00,00,02,00,00,00,fa,01,00,00,01,00,00,00,04,00,00,00,76,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\24\xd3a4\xd5e4\xb7a0??]
"Order"=hex:08,00,00,00,02,00,00,00,0a,01,00,00,01,00,00,00,02,00,00,00,7c,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\24\xd3a4\xd5e4\xb7a0\xca08?]
"Order"=hex:08,00,00,00,02,00,00,00,0a,01,00,00,01,00,00,00,02,00,00,00,7c,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\1\xc1b0\xd623?\x8fa3\xf94e\xd2c8?]
"Order"=hex:08,00,00,00,02,00,00,00,0e,02,00,00,01,00,00,00,04,00,00,00,76,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\1\xc1b0\xc9da???]
"Order"=hex:08,00,00,00,02,00,00,00,06,02,00,00,01,00,00,00,04,00,00,00,76,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\34\xd586\x52fe]
"Order"=hex:08,00,00,00,02,00,00,00,fe,00,00,00,01,00,00,00,02,00,00,00,7c,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\34\xd586\x4e45]
"Order"=hex:08,00,00,00,02,00,00,00,fe,00,00,00,01,00,00,00,02,00,00,00,7c,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\H\xd1f4\xf93c\xd15d]
"Order"=hex:08,00,00,00,02,00,00,00,ec,01,00,00,01,00,00,00,04,00,00,00,76,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\ ?\x916a\xd531\xd4d4?\x7d93]
"Order"=hex:08,00,00,00,02,00,00,00,8a,00,00,00,01,00,00,00,01,00,00,00,7e,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\x???]
"Order"=hex:08,00,00,00,02,00,00,00,94,02,00,00,01,00,00,00,05,00,00,00,80,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\t\x9035?]
"Order"=hex:08,00,00,00,02,00,00,00,fe,01,00,00,01,00,00,00,04,00,00,00,76,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\xc865\xc865\f?\xb7ed]
"Order"=hex:08,00,00,00,02,00,00,00,0a,01,00,00,01,00,00,00,02,00,00,00,7c,..

scanning hidden files ...

C:\Documents and Settings\James Leborgne\Local Settings\Application Data\Microsoft\Messenger\thaneg45@hotmail.com\SharingMetadata\aweebitscrewy@hotmail.com\DFSR\Staging\CS{8BDA4B38-EC1B-79B4-9A30-42B1B216760A}\01\11-{8BDA4B38-EC1B-79B4-9A30-42B1B216760A}-v1-{8905571A-236E-496D-97E2-25B4358F98D6}-v11-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API
C:\Documents and Settings\James Leborgne\Local Settings\Application Data\Microsoft\Messenger\thaneg45@hotmail.com\SharingMetadata\aweebitscrewy@hotmail.com\DFSR\Staging\CS{8BDA4B38-EC1B-79B4-9A30-42B1B216760A}\15\115-{17D2DDF7-87E2-4353-9106-FDA580CF03D7}-v115-{17D2DDF7-87E2-4353-9106-FDA580CF03D7}-v115-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 3440 bytes hidden from API
C:\Documents and Settings\James Leborgne\Local Settings\Application Data\Microsoft\Messenger\thaneg45@hotmail.com\SharingMetadata\ciao9@hotmail.com\DFSR\Staging\CS{A77F0376-651C-2B80-6EA8-EE214D922557}\01\10-{A77F0376-651C-2B80-6EA8-EE214D922557}-v1-{8905571A-236E-496D-97E2-25B4358F98D6}-v10-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 3


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:

Sat 8 Sep 2007 578 ...H. --- "C:\Documents and Settings\James Leborgne\peogtb.sys"
Mon 29 Oct 2007 351 ...H. --- "C:\Documents and Settings\James Leborgne\regbs.tmp"
Wed 10 Oct 2007 625,152 A.SH. --- "C:\Program Files\Internet Explorer\iexplore.exe"
Thu 14 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Thu 6 Apr 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 29 Aug 2005 34,304 ...H. --- "C:\Documents and Settings\James Leborgne\My Documents\~WRL0001.tmp"
Thu 19 Apr 2007 22,528 ...H. --- "C:\Documents and Settings\James Leborgne\My Documents\~WRL0002.tmp"
Mon 17 Sep 2007 139,264 ...H. --- "C:\Program Files\Internet Explorer\Connection Wizard\hsheo.dll"
Mon 3 Dec 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 21 Nov 2007 929,792 A..H. --- "C:\Documents and Settings\James Leborgne\Local Settings\Temporary Internet Files\ijjistarter2.exe"
Sat 16 Sep 2006 22,016 ...H. --- "C:\Documents and Settings\James Leborgne\My Documents\Native\~WRL0003.tmp"
Sat 16 Jul 2005 26,624 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\Portfolio\~WRL0003.tmp"
Thu 12 Jul 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d3226ed0a8904ae940c1794b1cd8b325\BIT1.tmp"
Thu 4 Oct 2007 21,504 ...H. --- "C:\Documents and Settings\James Leborgne\Application Data\Microsoft\Word\~WRL0378.tmp"
Wed 15 Sep 2004 4,348 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\My Music\License Backup\drmv1key.bak"
Wed 15 Sep 2004 20 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\My Music\License Backup\drmv1lic.bak"
Wed 15 Sep 2004 400 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\My Music\License Backup\drmv2key.bak"
Wed 15 Sep 2004 1,536 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\My Music\License Backup\drmv2lic.bak"
Wed 7 Nov 2007 29,184 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\1B\Nov-03\~WRL3092.tmp"
Sat 27 Oct 2007 24,064 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\~WRL0047.tmp"
Sat 27 Oct 2007 25,088 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\~WRL2326.tmp"
Sat 27 Oct 2007 24,064 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\~WRL2471.tmp"
Sat 27 Oct 2007 24,576 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\~WRL3087.tmp"
Sat 27 Oct 2007 25,088 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\~WRL3832.tmp"
Sat 27 Oct 2007 25,088 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\~WRL4053.tmp"
Sat 27 Oct 2007 24,064 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL0007.tmp"
Sat 27 Oct 2007 25,600 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL0106.tmp"
Sat 27 Oct 2007 25,600 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL0220.tmp"
Sat 27 Oct 2007 26,112 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL0337.tmp"
Sat 27 Oct 2007 26,624 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL0497.tmp"
Sat 27 Oct 2007 26,624 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL0849.tmp"
Sat 27 Oct 2007 26,624 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL0875.tmp"
Sat 27 Oct 2007 24,064 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL0945.tmp"
Sat 27 Oct 2007 25,088 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL1316.tmp"
Sat 27 Oct 2007 24,576 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL1438.tmp"
Sat 27 Oct 2007 24,064 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL1538.tmp"
Sat 27 Oct 2007 25,088 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL1987.tmp"
Sat 27 Oct 2007 25,600 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL2380.tmp"
Sat 27 Oct 2007 24,064 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL2669.tmp"
Sat 27 Oct 2007 25,600 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL3103.tmp"
Sat 27 Oct 2007 25,088 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL3180.tmp"
Sat 27 Oct 2007 25,600 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL3250.tmp"
Sat 27 Oct 2007 24,064 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL3455.tmp"
Sat 27 Oct 2007 24,064 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL3487.tmp"
Sat 27 Oct 2007 26,112 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL3672.tmp"
Sat 27 Oct 2007 26,112 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL3969.tmp"
Sat 27 Oct 2007 26,624 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL3990.tmp"
Sat 27 Oct 2007 24,064 A..H. --- "C:\Documents and Settings\James Leborgne\My Documents\IBT writing\2A\Oct-27\Oct-27\~WRL4081.tmp"

Finished!
______________________________________________________________________

and ComboFix:

ComboFix 07-12-16.4 - James Leborgne 2007-12-17 15:05:11.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.949.82.1033.18.756 [GMT 9:00]
Running from: C:\Documents and Settings\James Leborgne\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-17 to 2007-12-17 )))))))))))))))))))))))))))))))
.

2007-12-17 13:53 . 2007-12-17 13:53 <DIR> d-a------ C:\_systemcom.go
2007-12-17 12:26 . 2007-12-17 12:26 <DIR> d-------- C:\Documents and Settings\James Leborgne\DoctorWeb
2007-12-13 13:44 . 2007-12-13 13:44 49,152 --a------ C:\WINDOWS\system32\swbehlorua.exe
2007-12-11 10:57 . 2007-12-11 10:57 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-11 10:57 . 2007-12-11 10:57 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-12-11 00:43 . 2007-12-11 00:43 <DIR> d-------- C:\Documents and Settings\James Leborgne\WooricyMap
2007-12-09 23:53 . 2007-12-09 23:53 <DIR> d-------- C:\Program Files\Samsung
2007-12-09 23:53 . 2007-04-24 21:24 12,248 --a------ C:\WINDOWS\system32\cgdrvnt3.dll
2007-12-09 23:53 . 2007-04-24 21:24 2,688 --a------ C:\WINDOWS\system32\drivers\cgdrvnt3.sys
2007-12-07 10:01 . 2007-12-07 10:01 <DIR> d-------- C:\Program Files\ANIJ
2007-12-06 03:16 . 2007-12-06 03:16 <DIR> d-------- C:\HNC
2007-12-04 14:13 . 2007-12-06 10:57 45,056 --a------ C:\WINDOWS\system32\ResetCSSvc.exe
2007-12-04 11:59 . 2007-12-04 12:00 <DIR> d-------- C:\WINDOWS\system32\drivers\_systemcom.go
2007-12-04 11:59 . 2007-12-04 11:59 <DIR> d-------- C:\Program Files\MyComGoPlus
2007-12-04 11:56 . 2007-12-04 11:56 363,008 --a------ C:\WINDOWS\mycomgo_mgpt.exe
2007-12-04 10:33 . 2007-12-04 10:33 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-12-04 10:33 . 2007-12-04 10:33 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-12-04 10:33 . 2007-12-04 10:33 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-12-04 10:33 . 2007-12-04 10:33 682,496 --a------ C:\WINDOWS\system32\DivX.dll
2007-12-03 19:38 . 2007-12-03 19:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-12-03 19:19 . 2007-12-03 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-03 19:18 . 2007-12-17 13:30 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-03 19:18 . 2007-12-03 19:18 <DIR> d-------- C:\Documents and Settings\James Leborgne\Application Data\SUPERAntiSpyware.com
2007-12-03 19:07 . 2007-12-03 19:07 220,672 --a------ C:\WINDOWS\kpu3_200701129.exe
2007-12-02 03:02 . 2007-12-02 03:02 <DIR> d-------- C:\WINDOWS\SDFIX
2007-12-02 02:55 . 2007-12-02 02:55 <DIR> d-------- C:\Program Files\Sun
2007-12-02 02:55 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-02 02:36 . 2007-12-02 02:37 <DIR> d-------- C:\Documents and Settings\James Leborgne\.SunDownloadManager
2007-11-30 22:14 . 2007-11-25 21:04 14,848 --a------ C:\WINDOWS\uninstall_Neo.exe
2007-11-30 22:13 . 2007-12-07 00:45 <DIR> d-------- C:\Program Files\InstallProc
2007-11-30 22:13 . 2007-11-30 22:13 <DIR> d-------- C:\Program Files\IEBSiteSetup
2007-11-30 22:13 . 2007-11-30 22:13 81,920 --a------ C:\WINDOWS\system32\CleanSearch.dll
2007-11-30 22:13 . 2007-11-30 22:13 67,637 --a------ C:\WINDOWS\UninstallCleanSearch.zip
2007-11-30 22:13 . 2007-12-06 08:50 36,864 --a------ C:\WINDOWS\snssn.exe
2007-11-30 22:13 . 2007-11-30 22:13 244 --a------ C:\WINDOWS\ResetCSSvc.ini
2007-11-30 22:08 . 2007-11-30 22:08 20,480 --a------ C:\WINDOWS\system32\WinSp3Drv.exe
2007-11-30 22:08 . 2007-11-30 22:08 2 --a------ C:\WINDOWS\prta0.ini
2007-11-30 22:07 . 2007-11-30 22:14 <DIR> d-------- C:\Program Files\SearchSpy
2007-11-30 22:06 . 2007-11-30 22:14 <DIR> d-------- C:\Program Files\SPack
2007-11-30 22:05 . 2007-11-30 22:14 <DIR> d-------- C:\Program Files\SearchURL
2007-11-30 22:05 . 2007-11-30 22:05 220,672 --a------ C:\WINDOWS\SearchPackAppInstaller.exe
2007-11-30 22:05 . 2007-11-30 22:05 32,768 --a------ C:\WINDOWS\system32\SearchPackAppInstaller_apart.exe
2007-11-30 22:03 . 2007-11-30 22:03 28,672 --a------ C:\WINDOWS\system32\ModulerSvc.exe
2007-11-30 22:03 . 2007-11-30 22:03 28,672 --a------ C:\Documents and Settings\James Leborgne\ModulerSvc.exe
2007-11-30 22:03 . 2007-11-30 22:03 3,072 --a------ C:\WINDOWS\system32\userGC.dll
2007-11-30 07:30 . 2007-11-30 07:30 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-11-30 07:30 . 2007-11-30 07:30 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-11-30 07:30 . 2007-11-30 07:30 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2007-11-30 07:28 . 2007-11-30 07:28 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-11-30 07:28 . 2007-11-30 07:28 81,920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-11-30 07:28 . 2007-11-30 07:28 416 --a------ C:\WINDOWS\system32\dtu100.dll.manifest
2007-11-30 07:28 . 2007-11-30 07:28 416 --a------ C:\WINDOWS\system32\dpl100.dll.manifest
2007-11-29 16:15 . 2007-11-29 16:15 32,768 --a------ C:\WINDOWS\system32\fimpsvbehk.exe
2007-11-29 16:15 . 2007-11-29 16:15 32,768 --a------ C:\WINDOWS\system32\bfilosvadh.exe
2007-11-29 06:55 . 2007-11-29 06:55 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-11-29 06:53 . 2007-11-29 06:53 593,920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-11-29 06:53 . 2007-11-29 06:53 344,064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-11-29 06:53 . 2007-11-29 06:53 294,912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-11-29 06:53 . 2007-11-29 06:53 294,912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-11-29 06:53 . 2007-11-29 06:53 57,344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-11-29 06:53 . 2007-11-29 06:53 53,248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-11-29 06:52 . 2007-11-29 06:52 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-11-29 02:11 . 2007-11-29 02:11 194,048 --a------ C:\WINDOWS\dkservices.exe
2007-11-28 08:47 . 2007-11-28 08:47 363 --a------ C:\WINDOWS\system32\servcproc.exe
2007-11-28 00:20 . 2007-11-28 00:20 8 --a------ C:\WINDOWS\wininit8.ini
2007-11-27 09:51 . 2007-11-27 09:51 <DIR> d-------- C:\Program Files\oyeaouo
2007-11-27 09:51 . 2007-11-27 09:51 700,928 --a------ C:\WINDOWS\system32\oyeaouo.EXE
2007-11-26 08:40 . 2007-11-28 13:17 <DIR> d-------- C:\Program Files\SolutionKSG
2007-11-26 08:39 . 2007-11-26 08:39 598 --a------ C:\WINDOWS\Demeter.sys
2007-11-25 21:04 . 2007-11-25 21:05 312,944 --a------ C:\WINDOWS\system32\sayax0.dll
2007-11-24 09:07 . 2007-11-24 09:07 333,312 --a------ C:\c4.exe
2007-11-17 09:32 . 2007-11-25 01:29 <DIR> d-------- C:\Program Files\kpang

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-16 22:22 --------- d-----w C:\Documents and Settings\James Leborgne\Application Data\AVG7
2007-12-16 17:23 --------- d-----w C:\Documents and Settings\James Leborgne\Application Data\Skype
2007-12-16 15:29 --------- d-----w C:\Program Files\iTunes
2007-12-16 15:28 --------- d-----w C:\Program Files\iPod
2007-12-16 15:27 --------- d-----w C:\Program Files\QuickTime
2007-12-14 17:52 --------- d-----w C:\Program Files\Temp
2007-12-09 14:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-07 08:11 --------- d-----w C:\Documents and Settings\James Leborgne\Application Data\Azureus
2007-12-07 07:58 --------- d-----w C:\Program Files\DivX
2007-12-03 10:18 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-01 17:55 --------- d-----w C:\Program Files\Java
2007-11-28 01:23 --------- d-----w C:\Program Files\Common Files\ksv
2007-11-24 16:29 --------- d-----w C:\Program Files\PointUrl
2007-11-24 00:06 --------- d-----w C:\Program Files\isearch
2007-11-23 07:16 --------- d-----w C:\Documents and Settings\James Leborgne\Application Data\U3
2007-11-13 13:36 --------- d-----w C:\Program Files\CashOn
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-13 00:50 --------- d-----w C:\Program Files\sync
2007-11-10 12:15 --------- d-----w C:\Program Files\lbhjngbfggg
2007-11-09 00:47 --------- d-----w C:\Program Files\dweb
2007-11-08 01:40 235,008 ----a-w C:\WINDOWS\netmap.exe
2007-11-07 02:22 389,120 ----a-w C:\WINDOWS\WooricyCtrl.dll
2007-11-07 02:00 --------- d-----w C:\Program Files\EGSearch
2007-11-06 01:49 --------- d-----w C:\Program Files\vaccine2008
2007-11-06 01:49 --------- d-----w C:\Program Files\mstobe
2007-11-06 01:49 --------- d-----w C:\Program Files\ktbr
2007-11-05 07:01 65,536 ----a-w C:\WINDOWS\ODsay_SundoKT.dll
2007-11-05 00:32 --------- d-----w C:\Program Files\cash-backmoll
2007-10-31 05:43 --------- d-----w C:\Program Files\coolcode
2007-10-31 03:48 --------- d-----w C:\Program Files\keywordsearch
2007-10-31 03:48 --------- d-----w C:\Program Files\centrim
2007-10-31 00:23 --------- d-----w C:\Program Files\webprotect
2007-10-31 00:23 --------- d-----w C:\Documents and Settings\James Leborgne\Application Data\Temp
2007-10-30 14:02 87,040 ----a-w C:\DelZip179.dll
2007-10-30 14:02 6,668 ----a-w C:\WINDOWS\setup_count003.zip
2007-10-30 14:02 264,518 ----a-w C:\WINDOWS\srrun_coolcode.zip
2007-10-30 14:02 --------- d-----w C:\Program Files\webprotect2
2007-10-30 14:02 --------- d-----w C:\Program Files\okcashreturn
2007-10-29 07:33 6,669 ----a-w C:\WINDOWS\setup_count001.zip
2007-10-29 03:31 --------- d-----w C:\Program Files\fanmae
2007-10-28 08:05 28,672 ----a-w C:\WINDOWS\setup_count003.exe
2007-10-28 08:04 28,672 ----a-w C:\WINDOWS\setup_count001.exe
2007-10-25 14:40 46,080 ----a-w C:\WINDOWS\pickdisk_clean.exe
2007-10-25 14:36 44,032 ----a-w C:\WINDOWS\vmmregs32.exe
2007-10-21 13:07 --------- d-----w C:\Program Files\SEOSTECH
2007-10-21 00:49 --------- d-----w C:\Program Files\Common Files\Skype
2007-10-21 00:05 141,200 ----a-w C:\WINDOWS\cliati.exe
2007-10-20 01:45 153,031 ----a-w C:\conedit.exe
2007-10-19 16:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-19 16:22 --------- d-----w C:\Program Files\MSBuild
2007-10-19 16:22 --------- d-----w C:\Program Files\Microsoft Works
2007-10-19 16:19 --------- d-----w C:\Program Files\Microsoft.NET
2007-10-19 16:15 --------- d-----w C:\Program Files\LG Electronics
2007-10-19 16:15 --------- d-----w C:\Program Files\kcsrsc
2007-10-19 16:15 --------- d-----w C:\Program Files\grapati
2007-10-19 16:15 --------- d-----w C:\Program Files\DacomAdapte
2007-10-19 16:15 --------- d-----w C:\Program Files\Common Files\sec
2007-10-19 16:15 --------- d-----w C:\Program Files\CodecPack
2007-10-19 16:14 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-10-19 16:12 490,496 ----a-w C:\WINDOWS\cdrv14.exe
2007-10-19 16:12 --------- d-----w C:\Program Files\Common Files\LGT
2007-10-19 16:12 --------- d-----w C:\Program Files\Codec Pack
2007-10-19 16:12 --------- d-----w C:\Program Files\Adaptec
2007-10-19 16:10 --------- d-----w C:\Program Files\nsidebar
2007-10-19 16:10 --------- d-----w C:\Program Files\nreward
2007-10-19 16:09 --------- d-----w C:\Program Files\Intel
2007-10-19 16:09 --------- d-----w C:\Program Files\DirectX
2007-10-19 16:09 --------- d-----w C:\Program Files\Common Files\GRETECH
2007-10-19 16:06 --------- d-----w C:\Program Files\MediaPack
2007-10-19 16:06 --------- d-----w C:\Program Files\devdrv
2007-10-19 16:06 --------- d-----w C:\Program Files\Common Files\devdrv
2007-10-19 07:44 3 ----a-w C:\pmng.dat
2007-10-18 17:12 --------- d-----w C:\Program Files\doublepoint
2007-10-18 17:11 321,100 ----a-w C:\WINDOWS\srrun_doublepoint.zip
2007-10-16 16:40 3,532 ----a-w C:\drmHeader.bin
2007-10-16 09:42 532,480 ----a-w C:\WINDOWS\srrun_coolcode.exe
2007-10-15 00:02 8,052 ----a-w C:\WINDOWS\setup_xfile0u_ektl.zip
2007-10-13 02:41 659,456 ----a-w C:\WINDOWS\srrun_doublepoint.exe
2007-10-12 10:08 28,672 ----a-w C:\WINDOWS\setup_xfile0u_ektl.exe
2007-10-07 06:26 7,680 ----a-w C:\katewins.exe
2007-10-05 12:36 149,665 ----a-w C:\callname.exe
2007-10-05 01:28 155,648 ----a-w C:\WINDOWS\poseidon_poseidon01.exe
2007-09-11 01:16 139,264 ---h--w C:\Program Files\ntfs
2007-09-07 18:02 578 ---h--w C:\Documents and Settings\James Leborgne\peogtb.sys
.

((((((((((((((((((((((((((((( snapshot@2007-12-17_13.24.40.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-21 06:12:10 153,714 ----a-w C:\WINDOWS\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
+ 2007-11-21 06:12:10 153,714 ----a-w C:\WINDOWS\pchealth\helpctr\Config\Cache\Personal_32_1033.dat.bak
- 2007-12-17 02:23:59 5,472,256 ----a-w C:\WINDOWS\SDFIX\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2007-12-17 05:09:52 5,500,928 ----a-w C:\WINDOWS\SDFIX\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2007-12-17 02:23:59 307,200 ----a-w C:\WINDOWS\SDFIX\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-17 05:09:52 307,200 ----a-w C:\WINDOWS\SDFIX\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2007-07-11 13:57:55 6,137,328 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2007-12-17 04:54:03 285,112 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85F3E26A-AF03-4ED0-896C-650AD2951434}]
C:\Program Files\SPack\SPack1213.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CAD2484D-6D58-858D-F48A-CABAC5757DCA_}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{CAD2484D-6D58-858D-F48A-CABAC5757DCA}

[HKEY_CLASSES_ROOT\clsid\{cad2484d-6d58-858d-f48a-cabac5757dca}]
[HKEY_CLASSES_ROOT\easykey.StockBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{27486DAB-BA57-58D4-C521-197ADFBACDAB}]
[HKEY_CLASSES_ROOT\easykey.StockBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"netsvrs32.exe"="C:\Program Files\Internet Explorer\Connection Wizard\netsvrs32.exe" []
"RUNON"="C:\Program Files\Internet Explorer\Custom\RUNON.exe" []
"fnf"="C:\WINDOWS\Config\bp.exe" []
"intr"="C:\WINDOWS\Config\bp.exe" []
"qmat"="C:\WINDOWS\Config\bp.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00]
"bfilosvadh"="C:\WINDOWS\system32\bfilosvadh.exe" [2007-11-29 16:15]
"MyComGoPlus"="C:\Program Files\MyComGoPlus\MGUpdate.exe" [2007-10-29 17:50]
"swbehlorua"="C:\WINDOWS\system32\swbehlorua.exe" [2007-12-13 13:44]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 21:12]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 21:11]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-22 21:05]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-02-17 14:01]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 13:24]
"netsvrs32.exe"="C:\Program Files\Internet Explorer\Connection Wizard\netsvrs32.exe" []
"Korean IME Migration"="C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEKR\IMKRMIG.EXE" [2006-10-26 14:53]
"GDIPlus"="C:\Windows\AppPatch\GDIPlus.exe" []
"dgup.exe"="C:\Program Files\dweb\dgup.exe" [2007-11-09 09:47]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-12-27 22:57]
"Mnsets"="C:\Program Files\Internet Explorer\Connection Wizard\Mnsets.exe" []
"Sense"="c:\windows\Sense.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"fimpsvbehk"="C:\WINDOWS\system32\fimpsvbehk.exe" [2007-11-29 16:15]
"bfilosvadh"="C:\WINDOWS\system32\bfilosvadh.exe" [2007-11-29 16:15]
"swbehlorua"="C:\WINDOWS\system32\swbehlorua.exe" [2007-12-13 13:44]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10]
"Getta"="c:\windows\system32\Getta.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-31 12:46]
"fimpsvbehk"="C:\WINDOWS\system32\fimpsvbehk.exe" [2007-11-29 16:15]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=C:\WINDOWS\pss\DVD Check.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AROReminder]
C:\Program Files\Advanced Registry Optimizer\aro.exe -rem

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-03-22 21:05 339968 --a------ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
2005-02-17 14:01 233534 --a------ C:\Program Files\HPQ\Default Settings\cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-16 23:11 49152 --a------ C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2005-04-12 07:21 794624 --a------ C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-12-11 12:10 267048 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2007-02-23 12:30 67128 --a------ C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
Logi_MwX.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
2004-10-15 05:54 253952 --a------ c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
2002-12-10 17:54 127022 --a------ C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
2005-07-05 05:47 184320 --a------ C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMSRC]
C:\Program Files\Windows Media Player\siratic.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
2003-12-02 00:38 892928 --a------ C:\Program Files\Logitech\iTouch\iTouch.exe

R1 cgdrvnt3;cgdrvnt3;C:\WINDOWS\system32\DRIVERS\cgdrvnt3.sys
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys
R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys
S2 systemmycom;systemmycom;\??\C:\WINDOWS\system32\drivers\_systemcom.go\systemmycom.sys
S3 kpang;kpang;\??\C:\WINDOWS\system32\drivers\kpang.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1143f1f-cea8-11db-8c66-00904bf74095}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-09-16 05:07:30 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-17 15:25:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe???????9?7?4?1?????? ??B?????????????hLC? ?????

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-17 15:37:03
C:\ComboFix2.txt ... 2007-12-02 11:55
.
2007-12-13 00:37:11 --- E O F ---

Any help, as well as preventative advice, would be really helpful.


#2 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  • Local time:09:03 PM

Posted 24 December 2007 - 11:36 AM

khevinet

Wow, that's quite an infection you have there. Since much of it consists of "new" or "unknown" variants, it will take a few runs at this to remove it, so please be patient.

1. Open Notepad (not WordPad). Copy and paste the following into Notepad (not the word "code"):
File::
C:\WINDOWS\system32\bfilosvadh.exe
C:\WINDOWS\system32\swbehlorua.exe
C:\WINDOWS\system32\fimpsvbehk.exe

Driver::
kpang

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"netsvrs32.exe"=-
"RUNON"=-
"fnf"=-
"intr"=-
"qmat"=-
"bfilosvadh"=-
"swbehlorua"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"netsvrs32.exe"=-
"GDIPlus"=-
"Sense"=-
"fimpsvbehk"=-
"bfilosvadh"=-
"swbehlorua"=-
"Getta"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"fimpsvbehk"=-
Save the file as CFScript (exactly as shown, no spaces) ->> Save it to your Desktop

Using the Image as a reference, drag CFScript into ComboFix.exe

You will be prompted to run ComboFix again. Do so, following the same rules as indicated in my first post, then post the contents of the C:\ComboFix.txt log in your reply.

Microsoft MVP - Windows Security
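The triage bamajim did by hand above (reading the "Reg Loading Points" section of the ComboFix log, picking out the Run values whose target file has no date or whose name is a random ten-letter string, and writing them into the Registry:: block of a CFScript) can be scripted for a log of any size. The following is an added example, not code from this thread, from ComboFix or from the helper; it parses the REGEDIT4-style Run sections of a ComboFix log and emits the `"name"=-` deletion lines in the layout shown in the post above. It assumes that an empty `[]` after a path means ComboFix found no dated file there, and it uses a constructed, abbreviated log fragment modelled on the one posted; the `looks_random` rule is a heuristic for a human reviewer, not a verdict.

```python
import re
from collections import OrderedDict

# Constructed sample: a short fragment in the layout of ComboFix's
# "Reg Loading Points" section, modelled on the log posted in this thread.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"netsvrs32.exe"="C:\Program Files\Internet Explorer\Connection Wizard\netsvrs32.exe" []
"fnf"="C:\WINDOWS\Config\bp.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00]
"bfilosvadh"="C:\WINDOWS\system32\bfilosvadh.exe" [2007-11-29 16:15]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 21:12]
"GDIPlus"="C:\Windows\AppPatch\GDIPlus.exe" []
"fimpsvbehk"="C:\WINDOWS\system32\fimpsvbehk.exe" [2007-11-29 16:15]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56]
"Getta"="c:\windows\system32\Getta.exe" []
"""

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]\s*$')


def parse_run_entries(log_text):
    """Return (key, value_name, path, timestamp) for every
    "name"="path" [timestamp] line found under a [HKEY_...] header."""
    entries = []
    current_key = None
    for line in log_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            name, path, stamp = m.groups()
            entries.append((current_key, name, path, stamp.strip()))
    return entries


def looks_random(name):
    """Heuristic (assumption, for review only): a long, all-lowercase,
    letters-only value name with few vowels, like the ten-letter names
    in this thread, is treated as machine-generated."""
    if not (len(name) >= 10 and name.isalpha() and name.islower()):
        return False
    vowels = sum(c in "aeiou" for c in name)
    return vowels / len(name) <= 0.4


def flag_suspicious(entries):
    """Apply two review rules and return matching entries with a reason:
    rule 1, an empty [] (assumed: no dated file found at that path);
    rule 2, a random-looking value name."""
    flagged = []
    for key, name, path, stamp in entries:
        if stamp == "":
            flagged.append((key, name, path, "no file/timestamp at path"))
        elif looks_random(name):
            flagged.append((key, name, path, "random-looking name"))
    return flagged


def build_cfscript(flagged):
    """Emit a Registry:: block in the layout used in the CFScript above:
    a key header followed by "name"=- lines, one per value to delete."""
    by_key = OrderedDict()
    for key, name, _path, _reason in flagged:
        by_key.setdefault(key, []).append(name)
    lines = ["Registry::"]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
    return "\n".join(lines)


if __name__ == "__main__":
    found = flag_suspicious(parse_run_entries(SAMPLE_LOG))
    for key, name, path, reason in found:
        print(f"{reason:28} {name!r} -> {path}")
    print()
    print(build_cfscript(found))
```

Run against a real log, the output is a starting point for the helper to review, not a script to drop into ComboFix unread: an empty `[]` also appears for legitimate entries whose file ComboFix could not stat, and the name heuristic will catch some legitimate nine-or-ten-letter product names.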

#3 Khevinet

Khevinet
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  • Gender:Male
  • Location:Korea
  • Local time:09:03 PM

Posted 24 December 2007 - 01:23 PM

Thanks for the reply. I think I did this correctly.

ComboFix 07-12-25.2 - James Leborgne 2007-12-25 3:01:52.4 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.949.82.1033.18.972 [GMT 9:00]
Running from: C:\Documents and Settings\James Leborgne\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\James Leborgne\Desktop\CFScript.txt

FILE
C:\WINDOWS\system32\bfilosvadh.exe
C:\WINDOWS\system32\fimpsvbehk.exe
C:\WINDOWS\system32\swbehlorua.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\swbehlorua.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_KPANG
-------\kpang


((((((((((((((((((((((((( Files Created from 2007-11-24 to 2007-12-24 )))))))))))))))))))))))))))))))
.

2007-12-21 10:57 . 2007-12-21 11:06 <DIR> d-------- C:\Documents and Settings\James Leborgne\Application Data\AVG7
2007-12-21 10:56 . 2007-12-21 10:56 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-21 10:56 . 2007-12-21 10:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-21 10:53 . 2007-12-21 10:59 <DIR> d-------- C:\Program Files\cashbagmoll
2007-12-21 10:53 . 2007-12-21 10:53 189,952 --a------ C:\WINDOWS\setsam1220.exe
2007-12-21 10:53 . 2007-12-21 10:53 189,952 --a------ C:\WINDOWS\Getoas.exe
2007-12-21 10:53 . 2007-12-21 10:53 1,683 --a------ C:\WINDOWS\system32\Getta.sys
2007-12-21 10:47 . 2007-12-21 11:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-18 01:28 . 2007-12-18 01:28 <DIR> d--h----- C:\WINDOWS\PIF
2007-12-17 13:53 . 2007-12-17 13:53 <DIR> d-a------ C:\_systemcom.go
2007-12-17 12:26 . 2007-12-17 12:26 <DIR> d-------- C:\Documents and Settings\James Leborgne\DoctorWeb
2007-12-11 10:57 . 2007-12-11 10:57 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-11 10:57 . 2007-12-11 10:57 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-12-11 00:43 . 2007-12-11 00:43 <DIR> d-------- C:\Documents and Settings\James Leborgne\WooricyMap
2007-12-10 17:43 . 2007-12-10 17:43 49,152 --a------ C:\WINDOWS\system32\nruxdgjmqt.exe
2007-12-09 23:53 . 2007-12-09 23:53 <DIR> d-------- C:\Program Files\Samsung
2007-12-09 23:53 . 2007-04-24 21:24 12,248 --a------ C:\WINDOWS\system32\cgdrvnt3.dll
2007-12-09 23:53 . 2007-04-24 21:24 2,688 --a------ C:\WINDOWS\system32\drivers\cgdrvnt3.sys
2007-12-07 10:01 . 2007-12-07 10:01 <DIR> d-------- C:\Program Files\ANIJ
2007-12-06 03:16 . 2007-12-06 03:16 <DIR> d-------- C:\HNC
2007-12-04 14:13 . 2007-12-06 10:57 45,056 --a------ C:\WINDOWS\system32\ResetCSSvc.exe
2007-12-04 11:59 . 2007-12-04 12:00 <DIR> d-------- C:\WINDOWS\system32\drivers\_systemcom.go
2007-12-04 11:56 . 2007-12-04 11:56 363,008 --a------ C:\WINDOWS\mycomgo_mgpt.exe
2007-12-04 10:33 . 2007-12-04 10:33 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-12-04 10:33 . 2007-12-04 10:33 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-12-04 10:33 . 2007-12-04 10:33 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-12-04 10:33 . 2007-12-04 10:33 682,496 --a------ C:\WINDOWS\system32\DivX.dll
2007-12-03 19:38 . 2007-12-03 19:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-12-03 19:19 . 2007-12-03 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-03 19:18 . 2007-12-17 16:54 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-03 19:18 . 2007-12-03 19:18 <DIR> d-------- C:\Documents and Settings\James Leborgne\Application Data\SUPERAntiSpyware.com
2007-12-02 03:02 . 2007-12-02 03:02 <DIR> d-------- C:\WINDOWS\SDFIX
2007-12-02 02:55 . 2007-12-02 02:55 <DIR> d-------- C:\Program Files\Sun
2007-12-02 02:55 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-02 02:36 . 2007-12-02 02:37 <DIR> d-------- C:\Documents and Settings\James Leborgne\.SunDownloadManager
2007-11-30 22:14 . 2007-11-25 21:04 14,848 --a------ C:\WINDOWS\uninstall_Neo.exe
2007-11-30 22:13 . 2007-12-07 00:45 <DIR> d-------- C:\Program Files\InstallProc
2007-11-30 22:13 . 2007-12-20 02:07 <DIR> d-------- C:\Program Files\IEBSiteSetup
2007-11-30 22:13 . 2007-11-30 22:13 81,920 --a------ C:\WINDOWS\system32\CleanSearch.dll
2007-11-30 22:13 . 2007-11-30 22:13 67,637 --a------ C:\WINDOWS\UninstallCleanSearch.zip
2007-11-30 22:13 . 2007-11-30 22:13 244 --a------ C:\WINDOWS\ResetCSSvc.ini
2007-11-30 22:08 . 2007-11-30 22:08 2 --a------ C:\WINDOWS\prta0.ini
2007-11-30 22:07 . 2007-11-30 22:14 <DIR> d-------- C:\Program Files\SearchSpy
2007-11-30 22:06 . 2007-12-18 14:19 <DIR> d-------- C:\Program Files\SPack
2007-11-30 22:05 . 2007-11-30 22:14 <DIR> d-------- C:\Program Files\SearchURL
2007-11-30 22:05 . 2007-11-30 22:05 220,672 --a------ C:\WINDOWS\SearchPackAppInstaller.exe
2007-11-30 22:03 . 2007-11-30 22:03 28,672 --a------ C:\WINDOWS\system32\ModulerSvc.exe
2007-11-30 22:03 . 2007-11-30 22:03 28,672 --a------ C:\Documents and Settings\James Leborgne\ModulerSvc.exe
2007-11-30 22:03 . 2007-11-30 22:03 3,072 --a------ C:\WINDOWS\system32\userGC.dll
2007-11-30 07:30 . 2007-11-30 07:30 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-11-30 07:30 . 2007-11-30 07:30 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-11-30 07:30 . 2007-11-30 07:30 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2007-11-30 07:28 . 2007-11-30 07:28 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-11-30 07:28 . 2007-11-30 07:28 81,920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-11-30 07:28 . 2007-11-30 07:28 416 --a------ C:\WINDOWS\system32\dtu100.dll.manifest
2007-11-30 07:28 . 2007-11-30 07:28 416 --a------ C:\WINDOWS\system32\dpl100.dll.manifest
2007-11-29 06:55 . 2007-11-29 06:55 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-11-29 06:53 . 2007-11-29 06:53 593,920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-11-29 06:53 . 2007-11-29 06:53 344,064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-11-29 06:53 . 2007-11-29 06:53 294,912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-11-29 06:53 . 2007-11-29 06:53 294,912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-11-29 06:53 . 2007-11-29 06:53 57,344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-11-29 06:53 . 2007-11-29 06:53 53,248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-11-29 06:52 . 2007-11-29 06:52 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-11-28 08:47 . 2007-11-28 08:47 363 --a------ C:\WINDOWS\system32\servcproc.exe
2007-11-28 00:20 . 2007-11-28 00:20 8 --a------ C:\WINDOWS\wininit8.ini
2007-11-27 09:51 . 2007-12-20 02:07 <DIR> d-------- C:\Program Files\oyeaouo
2007-11-26 08:39 . 2007-11-26 08:39 598 --a------ C:\WINDOWS\Demeter.sys
2007-11-25 21:04 . 2007-11-25 21:05 312,944 --a------ C:\WINDOWS\system32\sayax0.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-22 12:10 --------- d-----w C:\Documents and Settings\James Leborgne\Application Data\Skype
2007-12-19 17:07 --------- d-----w C:\Program Files\sync
2007-12-19 17:07 --------- d-----w C:\Program Files\lbhjngbfggg
2007-12-18 06:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2007-12-18 05:55 --------- d-----w C:\Documents and Settings\James Leborgne\Application Data\ZoomBrowser EX
2007-12-18 05:16 --------- d-----w C:\Program Files\coolcode
2007-12-16 15:29 --------- d-----w C:\Program Files\iTunes
2007-12-16 15:28 --------- d-----w C:\Program Files\iPod
2007-12-16 15:27 --------- d-----w C:\Program Files\QuickTime
2007-12-14 17:52 --------- d-----w C:\Program Files\Temp
2007-12-09 14:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-07 08:11 --------- d-----w C:\Documents and Settings\James Leborgne\Application Data\Azureus
2007-12-07 07:58 --------- d-----w C:\Program Files\DivX
2007-12-03 10:18 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-01 17:55 --------- d-----w C:\Program Files\Java
2007-11-28 01:23 --------- d-----w C:\Program Files\Common Files\ksv
2007-11-24 16:29 --------- d-----w C:\Program Files\PointUrl
2007-11-24 00:06 --------- d-----w C:\Program Files\isearch
2007-11-23 07:16 --------- d-----w C:\Documents and Settings\James Leborgne\Application Data\U3
2007-11-13 13:36 --------- d-----w C:\Program Files\CashOn
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-09 00:47 --------- d-----w C:\Program Files\dweb
2007-11-08 01:40 235,008 ----a-w C:\WINDOWS\netmap.exe
2007-11-07 02:22 389,120 ----a-w C:\WINDOWS\WooricyCtrl.dll
2007-11-07 02:00 --------- d-----w C:\Program Files\EGSearch
2007-11-06 01:49 --------- d-----w C:\Program Files\vaccine2008
2007-11-06 01:49 --------- d-----w C:\Program Files\mstobe
2007-11-06 01:49 --------- d-----w C:\Program Files\ktbr
2007-11-05 07:01 65,536 ----a-w C:\WINDOWS\ODsay_SundoKT.dll
2007-11-05 00:32 --------- d-----w C:\Program Files\cash-backmoll
2007-10-31 03:48 --------- d-----w C:\Program Files\keywordsearch
2007-10-31 03:48 --------- d-----w C:\Program Files\centrim
2007-10-31 00:23 --------- d-----w C:\Program Files\webprotect
2007-10-31 00:23 --------- d-----w C:\Documents and Settings\James Leborgne\Application Data\Temp
2007-10-30 14:02 87,040 ----a-w C:\DelZip179.dll
2007-10-30 14:02 6,668 ----a-w C:\WINDOWS\setup_count003.zip
2007-10-30 14:02 264,518 ----a-w C:\WINDOWS\srrun_coolcode.zip
2007-10-30 14:02 --------- d-----w C:\Program Files\webprotect2
2007-10-30 14:02 --------- d-----w C:\Program Files\okcashreturn
2007-10-29 07:33 6,669 ----a-w C:\WINDOWS\setup_count001.zip
2007-10-29 03:31 --------- d-----w C:\Program Files\fanmae
2007-10-28 08:05 28,672 ----a-w C:\WINDOWS\setup_count003.exe
2007-10-28 08:04 28,672 ----a-w C:\WINDOWS\setup_count001.exe
2007-10-25 14:36 44,032 ----a-w C:\WINDOWS\vmmregs32.exe
2007-10-21 00:05 141,200 ----a-w C:\WINDOWS\cliati.exe
2007-10-20 01:45 153,031 ----a-w C:\conedit.exe
2007-10-19 07:44 3 ----a-w C:\pmng.dat
2007-10-18 17:11 321,100 ----a-w C:\WINDOWS\srrun_doublepoint.zip
2007-10-16 16:40 3,532 ----a-w C:\drmHeader.bin
2007-10-16 09:42 532,480 ----a-w C:\WINDOWS\srrun_coolcode.exe
2007-10-15 00:02 8,052 ----a-w C:\WINDOWS\setup_xfile0u_ektl.zip
2007-10-13 02:41 659,456 ----a-w C:\WINDOWS\srrun_doublepoint.exe
2007-10-12 10:08 28,672 ----a-w C:\WINDOWS\setup_xfile0u_ektl.exe
2007-10-07 06:26 7,680 ----a-w C:\katewins.exe
2007-10-05 12:36 149,665 ----a-w C:\callname.exe
2007-10-05 01:28 155,648 ----a-w C:\WINDOWS\poseidon_poseidon01.exe
2007-09-11 01:16 139,264 ---h--w C:\Program Files\ntfs
2007-09-07 18:02 578 ---h--w C:\Documents and Settings\James Leborgne\peogtb.sys
.

((((((((((((((((((((((((((((( snapshot@2007-12-17_13.24.40.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-21 01:53:44 189,952 ----a-w C:\WINDOWS\AppPatch\Alinics.exe
+ 2007-12-21 01:53:34 195,072 ----a-w C:\WINDOWS\Config\KTech.exe
- 2007-03-13 01:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2000-08-30 23:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2007-11-21 06:12:10 153,714 ----a-w C:\WINDOWS\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
+ 2007-11-21 06:12:10 153,714 ----a-w C:\WINDOWS\pchealth\helpctr\Config\Cache\Personal_32_1033.dat.bak
- 2007-12-17 02:23:59 5,472,256 ----a-w C:\WINDOWS\SDFIX\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2007-12-17 05:09:52 5,500,928 ----a-w C:\WINDOWS\SDFIX\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2007-12-17 02:23:59 307,200 ----a-w C:\WINDOWS\SDFIX\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-17 05:09:52 307,200 ----a-w C:\WINDOWS\SDFIX\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2007-04-16 14:25:18 3,968 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
+ 2007-12-21 02:01:21 10,760 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
- 2007-06-26 00:19:12 19,904 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2007-12-21 02:01:00 26,952 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2007-12-21 01:53:39 9,216 ----a-w C:\WINDOWS\system32\lbhjngbfggg\lbhjngbfgggba.dll
- 2007-07-11 13:57:55 6,137,328 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2007-12-17 04:54:03 285,112 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
- 2007-12-13 12:26:50 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2000-08-30 23:00:00 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{412A7265-DBFE-4761-ACEA-7C054A5F657D}]
2007-12-21 10:53 244224 --a------ C:\PROGRA~1\CASHBA~1\CASHBA~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85F3E26A-AF03-4ED0-896C-650AD2951434}]
C:\Program Files\SPack\SPack1213.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CAD2484D-6D58-858D-F48A-CABAC5757DCA_}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{CAD2484D-6D58-858D-F48A-CABAC5757DCA}

[HKEY_CLASSES_ROOT\clsid\{cad2484d-6d58-858d-f48a-cabac5757dca}]
[HKEY_CLASSES_ROOT\easykey.StockBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{27486DAB-BA57-58D4-C521-197ADFBACDAB}]
[HKEY_CLASSES_ROOT\easykey.StockBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00]
"MyComGoPlus"="C:\Program Files\MyComGoPlus\MGUpdate.exe" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]
"nruxdgjmqt"="C:\WINDOWS\system32\nruxdgjmqt.exe" [2007-12-10 17:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 21:12]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 21:11]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-22 21:05]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-02-17 14:01]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 13:24]
"Korean IME Migration"="C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEKR\IMKRMIG.EXE" [2006-10-26 14:53]
"dgup.exe"="C:\Program Files\dweb\dgup.exe" [2007-11-09 09:47]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-12-27 22:57]
"Mnsets"="C:\Program Files\Internet Explorer\Connection Wizard\Mnsets.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10]
"nruxdgjmqt"="C:\WINDOWS\system32\nruxdgjmqt.exe" [2007-12-10 17:43]
"Samtek"="C:\Program Files\Internet Explorer\MUI\Samtek.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 11:01]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"KTech"="C:\Windows\Config\KTech.exe" [2007-12-21 10:53]
"Getoas"="c:\windows\Getoas.exe" [2007-12-21 10:53]
"Alinics"="C:\Windows\AppPatch\Alinics.exe" [2007-12-21 10:53]
"Wizards"="C:\Program Files\Internet Explorer\Connection Wizard\Wizards.exe" [2007-12-21 10:53]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-21 10:56]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"lbhjngbfgggaa.exe"="C:\WINDOWS\system32\lbhjngbfggg\lbhjngbfgggaa.exe" []
"cashbagmoll.exe"="C:\Program Files\cashbagmoll\cashbagmoll.exe" [2007-12-06 18:18]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=C:\WINDOWS\pss\DVD Check.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AROReminder]
C:\Program Files\Advanced Registry Optimizer\aro.exe -rem

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-03-22 21:05 339968 --a------ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
2005-02-17 14:01 233534 --a------ C:\Program Files\HPQ\Default Settings\cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-16 23:11 49152 --a------ C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2005-04-12 07:21 794624 --a------ C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-12-11 12:10 267048 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2007-02-23 12:30 67128 --a------ C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
Logi_MwX.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
2004-10-15 05:54 253952 --a------ c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
2002-12-10 17:54 127022 --a------ C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
2005-07-05 05:47 184320 --a------ C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMSRC]
C:\Program Files\Windows Media Player\siratic.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
2003-12-02 00:38 892928 --a------ C:\Program Files\Logitech\iTouch\iTouch.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-09-16 05:07:30 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-25 03:08:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe???????9?7?4?1??p??? ??B?????????????hLC? ?????

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-25 3:16:07 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-17 15:37
C:\ComboFix3.txt ... 2007-12-02 11:55
.
2007-12-13 00:37:11 --- E O F ---

See if you can make heads or tails of it :thumbsup:

#4 bamajim

bamajim

  • Members
  • 894 posts

Posted 26 December 2007 - 09:23 AM

khevinet

You did well. You may want to print out these instructions for reference.

1. Right-click and delete the CFScript file we made earlier; we are going to make another.

2. We need to make sure we can see hidden files and folders

To enable the viewing of hidden and system files, follow these steps:
Right-click on Start and select Explore.
Select the Tools menu and click Folder Options.
After the new window appears, select the View tab.
Put a checkmark in the checkbox labeled Display the contents of system folders.
Under the Hidden files and folders section, select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
Click Yes to confirm.
Press the Apply button and then the OK button.

3. You have some suspicious files I would like to have a look at.

Please go HERE

Put Your Name, and Bleeping Computer HJT forum

In the "File to submit" box, click Browse. Using Windows Explorer (right-click on "Start", select "Explore", and you will see the "tree" of file folders in the left side of the window; click on the "+" next to any folder name to expand its contents), locate the files (placing one in each box):
C:\Program Files\Internet Explorer\Connection Wizard\Wizards.exe
C:\Program Files\dweb\dgup.exe
C:\WINDOWS\system32\servcproc.exe
C:\WINDOWS\wininit8.ini
C:\katewins.exe
C:\callname.exe

In the comments tell them that I asked you to upload the file
Then Select Send Files.

4. Open Notepad (not WordPad). Copy and paste the following into Notepad:

File::
C:\Program Files\cashbagmoll\cashbagmoll.exe
C:\Windows\AppPatch\Alinics.exe 
c:\windows\Getoas.exe
C:\Windows\Config\KTech.exe
C:\WINDOWS\system32\nruxdgjmqt.exe
C:\WINDOWS\setsam1220.exe
C:\WINDOWS\system32\Getta.sys
C:\WINDOWS\setup_count003.zip
C:\WINDOWS\srrun_coolcode.zip
C:\WINDOWS\setup_count001.zip
C:\WINDOWS\setup_count003.exe
C:\WINDOWS\setup_count001.exe
C:\WINDOWS\vmmregs32.exe
C:\WINDOWS\cliati.exe
C:\WINDOWS\srrun_doublepoint.zip
C:\WINDOWS\srrun_coolcode.exe

Folder::
C:\Program Files\cashbagmoll
C:\Program Files\lbhjngbfggg
C:\Program Files\coolcode
C:\Program Files\CashOn
C:\Program Files\cash-backmoll
C:\Program Files\webprotect
C:\Program Files\webprotect2
C:\Program Files\okcashreturn

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nruxdgjmqt"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mnsets"=-
"nruxdgjmqt"=-
"Samtek"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"KTech"=-
"Getoas"=-
"Alinics"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"lbhjngbfgggaa.exe"=-
"cashbagmoll.exe"=-
Save the file as CFScript (exactly as shown, no spaces) and save it to your Desktop.

Using the Image as a reference, drag CFScript into ComboFix.exe

You will be prompted to run ComboFix again. Do so, following the same rules as indicated in my first post.
Then post the contents of the C:\ComboFix.txt log in your reply.

Microsoft MVP - Windows Security
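A worked example, added here and not code from this thread or from ComboFix: a small Python triage script that parses the Run/RunOnce values in a ComboFix "Reg Loading Points" section, flags entries on the same kinds of cues bamajim acted on (an empty `[]` where the file timestamp should be, a random-looking value name such as nruxdgjmqt, an executable living in a directory that should not host autostarts), and writes a CFScript fragment in the File::/Registry:: format used in the post above. The sample lines are a constructed subset copied from the log in this thread. The vowel-ratio threshold, the list of suspicious directories (ODD_DIRS) and the reading of `[]` as "ComboFix found no file to timestamp" are assumptions chosen for illustration, not ComboFix rules; every flagged file still has to be checked by hand before it goes into a real script.

```python
"""
Autostart triage for the "Reg Loading Points" section of a ComboFix log.

Added example, not code from the thread or from ComboFix. Parses Run/RunOnce
values of the form  "name"="<path to file.exe>" [YYYY-MM-DD HH:MM], flags
entries on three heuristics and emits a CFScript fragment (File:: and
Registry:: blocks; "name"=- removes a registry value) for the flagged ones.
Thresholds and the suspicious-directory list are illustrative assumptions.
"""
import re

# Constructed sample: a subset of the Run/RunOnce lines posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00]
"nruxdgjmqt"="C:\WINDOWS\system32\nruxdgjmqt.exe" [2007-12-10 17:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 21:12]
"Mnsets"="C:\Program Files\Internet Explorer\Connection Wizard\Mnsets.exe" []
"nruxdgjmqt"="C:\WINDOWS\system32\nruxdgjmqt.exe" [2007-12-10 17:43]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 11:01]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"KTech"="C:\Windows\Config\KTech.exe" [2007-12-21 10:53]
"Alinics"="C:\Windows\AppPatch\Alinics.exe" [2007-12-21 10:53]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"lbhjngbfgggaa.exe"="C:\WINDOWS\system32\lbhjngbfggg\lbhjngbfgggaa.exe" []
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
ENTRY_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]$')
# Assumption: directories that hold no legitimate autostart executables on
# this XP box. Extend or replace the set for other systems.
ODD_DIRS = {
    r"c:\windows\config",
    r"c:\windows\apppatch",
    r"c:\program files\internet explorer\connection wizard",
    r"c:\program files\internet explorer\mui",
}

def parse_autostarts(text):
    """Return [(key, value_name, path, timestamp)] for every Run/RunOnce value."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif key and (m := ENTRY_RE.match(line)):
            name, path, stamp = m.groups()
            entries.append((key, name, path, stamp.strip()))
    return entries

def looks_random(name):
    """Long, all-lowercase, vowel-poor names such as 'nruxdgjmqt' (threshold is an assumption)."""
    stem = re.sub(r"\.exe$", "", name, flags=re.IGNORECASE)
    if not re.fullmatch(r"[a-z]{8,}", stem):
        return False
    return sum(c in "aeiou" for c in stem) / len(stem) < 0.25

def reasons_for(name, path, stamp):
    """Collect the cues that make one autostart entry worth a closer look."""
    reasons = []
    if not stamp:  # [] in the log: ComboFix found no file to timestamp (interpretation)
        reasons.append("no file timestamp: file missing when the log was made")
    if looks_random(name):
        reasons.append("random-looking value name")
    if path.lower().rsplit("\\", 1)[0] in ODD_DIRS:
        reasons.append("runs from a directory that should not hold autostarts")
    return reasons

def triage(text):
    """Return [(key, name, path, stamp, reasons)] for entries with at least one cue."""
    rows = [(k, n, p, s, reasons_for(n, p, s)) for k, n, p, s in parse_autostarts(text)]
    return [r for r in rows if r[4]]

def build_cfscript(flagged):
    """Emit File:: (only files that exist) and Registry:: ("name"=- deletes the value) blocks."""
    files = list(dict.fromkeys(p for _, _, p, stamp, _ in flagged if stamp))
    by_key = {}
    for key, name, _, _, _ in flagged:
        by_key.setdefault(key, []).append(name)
    lines = ["File::", *files, "", "Registry::"]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for _, name, path, _, reasons in hits:
        print(f"{name:<20} {path}\n    {'; '.join(reasons)}")
    print("\n" + build_cfscript(hits))
```

Run stand-alone it lists the six flagged entries with their reasons and prints the CFScript fragment; note that Mnsets and lbhjngbfgggaa.exe, whose files were already gone (empty timestamp), land only in the Registry:: block, which is the same split bamajim made by hand.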

#5 Khevinet

Khevinet
  • Topic Starter

  • Members
  • 57 posts
  • Gender:Male
  • Location:Korea

Posted 26 December 2007 - 10:01 AM

Got the new log here:

ComboFix 07-12-25.2 - James Leborgne 2007-12-26 23:51:45.5 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.949.82.1033.18.1010 [GMT 9:00]
Running from: C:\Documents and Settings\James Leborgne\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\James Leborgne\Desktop\CFScript.txt

FILE
C:\Program Files\cashbagmoll\cashbagmoll.exe
C:\Windows\AppPatch\Alinics.exe
C:\WINDOWS\cliati.exe
C:\Windows\Config\KTech.exe
c:\windows\Getoas.exe
C:\WINDOWS\setsam1220.exe
C:\WINDOWS\setup_count001.exe
C:\WINDOWS\setup_count001.zip
C:\WINDOWS\setup_count003.exe
C:\WINDOWS\setup_count003.zip
C:\WINDOWS\srrun_coolcode.exe
C:\WINDOWS\srrun_coolcode.zip
C:\WINDOWS\srrun_doublepoint.zip
C:\WINDOWS\system32\Getta.sys
C:\WINDOWS\system32\nruxdgjmqt.exe
C:\WINDOWS\vmmregs32.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\cash-backmoll
C:\Program Files\cash-backmoll\auc.exe
C:\Program Files\cash-backmoll\auction.ico
C:\Program Files\cash-backmoll\cashbackmoll.dll
C:\Program Files\cash-backmoll\cashbackmollbar.dll
C:\Program Files\cash-backmoll\shoppingmall.zip
C:\Program Files\cash-backmoll\uninstall.exe
C:\Program Files\cashbagmoll
C:\Program Files\cashbagmoll\auc.exe
C:\Program Files\cashbagmoll\cashbagmoll.dll
C:\Program Files\cashbagmoll\cashbagmoll.exe
C:\Program Files\cashbagmoll\cashbagmollbar.dll
C:\Program Files\cashbagmoll\dat1.dll
C:\Program Files\cashbagmoll\dat2.dll
C:\Program Files\cashbagmoll\uninstall.exe
C:\Program Files\CashOn
C:\Program Files\CashOn\bin\CashOnUpdate11250832.exe
C:\Program Files\CashOn\bin\NCBar11132236.dll
C:\Program Files\CashOn\bin\ncbnd11132236.dll
C:\Program Files\CashOn\bin\ncButton11132236.dll
C:\Program Files\CashOn\bin\uninToolbar.exe
C:\Program Files\CashOn\data\background.dsk
C:\Program Files\CashOn\data\cpc.dat
C:\Program Files\CashOn\data\cps.dat
C:\Program Files\CashOn\data\cpsmust.dat
C:\Program Files\CashOn\data\cpspass.dat
C:\Program Files\CashOn\data\favorite.fav
C:\Program Files\CashOn\data\popup.dat
C:\Program Files\CashOn\file.cfg
C:\Program Files\CashOn\icons\ico_y79.Ico
C:\Program Files\CashOn\icons\TotalIcon.dll
C:\Program Files\coolcode
C:\Program Files\coolcode\coolcodeuninstall.exe
C:\Program Files\lbhjngbfggg
C:\Program Files\lbhjngbfggg\lbhjngbfgggba.dll
C:\Program Files\okcashreturn
C:\Program Files\okcashreturn\auc.exe
C:\Program Files\okcashreturn\auction.ico
C:\Program Files\okcashreturn\okcashbackmallr.dll
C:\Program Files\okcashreturn\okcashbackmallsb.dll
C:\Program Files\okcashreturn\shoppingmall.zip
C:\Program Files\okcashreturn\uninstall.exe
C:\Program Files\webprotect
C:\Program Files\webprotect2
C:\Windows\AppPatch\Alinics.exe
C:\WINDOWS\cliati.exe
C:\Windows\Config\KTech.exe
c:\windows\Getoas.exe
C:\WINDOWS\setsam1220.exe
C:\WINDOWS\setup_count001.exe
C:\WINDOWS\setup_count001.zip
C:\WINDOWS\setup_count003.exe
C:\WINDOWS\setup_count003.zip
C:\WINDOWS\srrun_coolcode.exe
C:\WINDOWS\srrun_coolcode.zip
C:\WINDOWS\srrun_doublepoint.zip
C:\WINDOWS\system32\Getta.sys
C:\WINDOWS\system32\nruxdgjmqt.exe
C:\WINDOWS\vmmregs32.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-26 to 2007-12-26 )))))))))))))))))))))))))))))))
.

2007-12-26 23:44 . 2007-12-26 23:44 150 --a------ C:\DelUS.bat
2007-12-25 03:15 . 2007-12-25 03:15 101,066 --a------ C:\uinstall.exe
2007-12-25 03:15 . 2007-12-26 23:43 18,944 --a------ C:\WINDOWS\system32\drivers\kpang.sys
2007-12-25 03:14 . 2007-12-25 03:15 <DIR> d-------- C:\Program Files\oneguide
2007-12-25 03:14 . 2007-12-25 03:15 <DIR> d-------- C:\Program Files\kpang
2007-12-25 03:14 . 2007-12-26 23:43 11,776 --a------ C:\WINDOWS\system32\drivers\oneguide.sys
2007-12-25 03:10 . 2007-12-26 23:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-25 03:10 . 2007-12-25 03:10 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-24 14:59 . 2007-12-24 14:59 24,576 --a------ C:\WINDOWS\system32\apphost.exe
2007-12-21 10:57 . 2007-12-21 11:06 <DIR> d-------- C:\Documents and Settings\James Leborgne\Application Data\AVG7
2007-12-21 10:56 . 2007-12-21 10:56 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-21 10:56 . 2007-12-21 10:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-21 10:47 . 2007-12-21 11:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-18 01:28 . 2007-12-18 01:28 <DIR> d--h----- C:\WINDOWS\PIF
2007-12-17 13:53 . 2007-12-17 13:53 <DIR> d-a------ C:\_systemcom.go
2007-12-17 12:26 . 2007-12-17 12:26 <DIR> d-------- C:\Documents and Settings\James Leborgne\DoctorWeb
2007-12-11 10:57 . 2007-12-11 10:57 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-11 10:57 . 2007-12-11 10:57 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-12-11 00:43 . 2007-12-11 00:43 <DIR> d-------- C:\Documents and Settings\James Leborgne\WooricyMap
2007-12-09 23:53 . 2007-12-09 23:53 <DIR> d-------- C:\Program Files\Samsung
2007-12-09 23:53 . 2007-04-24 21:24 12,248 --a------ C:\WINDOWS\system32\cgdrvnt3.dll
2007-12-09 23:53 . 2007-04-24 21:24 2,688 --a------ C:\WINDOWS\system32\drivers\cgdrvnt3.sys
2007-12-07 10:01 . 2007-12-07 10:01 <DIR> d-------- C:\Program Files\ANIJ
2007-12-06 03:16 . 2007-12-06 03:16 <DIR> d-------- C:\HNC
2007-12-04 14:13 . 2007-12-06 10:57 45,056 --a------ C:\WINDOWS\system32\ResetCSSvc.exe
2007-12-04 11:59 . 2007-12-04 12:00 <DIR> d-------- C:\WINDOWS\system32\drivers\_systemcom.go
2007-12-04 11:56 . 2007-12-04 11:56 363,008 --a------ C:\WINDOWS\mycomgo_mgpt.exe
2007-12-04 10:33 . 2007-12-04 10:33 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-12-04 10:33 . 2007-12-04 10:33 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-12-04 10:33 . 2007-12-04 10:33 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-12-04 10:33 . 2007-12-04 10:33 682,496 --a------ C:\WINDOWS\system32\DivX.dll
2007-12-03 19:38 . 2007-12-03 19:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-12-03 19:19 . 2007-12-03 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-03 19:18 . 2007-12-17 16:54 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-03 19:18 . 2007-12-03 19:18 <DIR> d-------- C:\Documents and Settings\James Leborgne\Application Data\SUPERAntiSpyware.com
2007-12-02 03:02 . 2007-12-02 03:02 <DIR> d-------- C:\WINDOWS\SDFIX
2007-12-02 02:55 . 2007-12-02 02:55 <DIR> d-------- C:\Program Files\Sun
2007-12-02 02:55 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-02 02:36 . 2007-12-02 02:37 <DIR> d-------- C:\Documents and Settings\James Leborgne\.SunDownloadManager
2007-11-30 22:14 . 2007-11-25 21:04 14,848 --a------ C:\WINDOWS\uninstall_Neo.exe
2007-11-30 22:13 . 2007-12-07 00:45 <DIR> d-------- C:\Program Files\InstallProc
2007-11-30 22:13 . 2007-12-20 02:07 <DIR> d-------- C:\Program Files\IEBSiteSetup
2007-11-30 22:13 . 2007-11-30 22:13 81,920 --a------ C:\WINDOWS\system32\CleanSearch.dll
2007-11-30 22:13 . 2007-11-30 22:13 67,637 --a------ C:\WINDOWS\UninstallCleanSearch.zip
2007-11-30 22:13 . 2007-11-30 22:13 244 --a------ C:\WINDOWS\ResetCSSvc.ini
2007-11-30 22:08 . 2007-11-30 22:08 2 --a------ C:\WINDOWS\prta0.ini
2007-11-30 22:07 . 2007-11-30 22:14 <DIR> d-------- C:\Program Files\SearchSpy
2007-11-30 22:06 . 2007-12-18 14:19 <DIR> d-------- C:\Program Files\SPack
2007-11-30 22:05 . 2007-11-30 22:14 <DIR> d-------- C:\Program Files\SearchURL
2007-11-30 22:05 . 2007-11-30 22:05 220,672 --a------ C:\WINDOWS\SearchPackAppInstaller.exe
2007-11-30 22:03 . 2007-11-30 22:03 28,672 --a------ C:\WINDOWS\system32\ModulerSvc.exe
2007-11-30 22:03 . 2007-11-30 22:03 28,672 --a------ C:\Documents and Settings\James Leborgne\ModulerSvc.exe
2007-11-30 22:03 . 2007-11-30 22:03 3,072 --a------ C:\WINDOWS\system32\userGC.dll
2007-11-30 07:30 . 2007-11-30 07:30 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-11-30 07:30 . 2007-11-30 07:30 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-11-30 07:30 . 2007-11-30 07:30 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2007-11-30 07:28 . 2007-11-30 07:28 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-11-30 07:28 . 2007-11-30 07:28 81,920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-11-30 07:28 . 2007-11-30 07:28 416 --a------ C:\WINDOWS\system32\dtu100.dll.manifest
2007-11-30 07:28 . 2007-11-30 07:28 416 --a------ C:\WINDOWS\system32\dpl100.dll.manifest
2007-11-29 06:55 . 2007-11-29 06:55 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-11-29 06:53 . 2007-11-29 06:53 593,920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-11-29 06:53 . 2007-11-29 06:53 344,064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-11-29 06:53 . 2007-11-29 06:53 294,912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-11-29 06:53 . 2007-11-29 06:53 294,912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-11-29 06:53 . 2007-11-29 06:53 57,344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-11-29 06:53 . 2007-11-29 06:53 53,248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-11-29 06:52 . 2007-11-29 06:52 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-11-28 08:47 . 2007-11-28 08:47 363 --a------ C:\WINDOWS\system32\servcproc.exe
2007-11-28 00:20 . 2007-11-28 00:20 8 --a------ C:\WINDOWS\wininit8.ini
2007-11-27 09:51 . 2007-12-20 02:07 <DIR> d-------- C:\Program Files\oyeaouo
2007-11-26 08:39 . 2007-11-26 08:39 598 --a------ C:\WINDOWS\Demeter.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-26 14:06 --------- d-----w C:\Documents and Settings\James Leborgne\Application Data\Skype
2007-12-19 17:07 --------- d-----w C:\Program Files\sync
2007-12-18 06:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2007-12-18 05:55 --------- d-----w C:\Documents and Settings\James Leborgne\Application Data\ZoomBrowser EX
2007-12-16 15:29 --------- d-----w C:\Program Files\iTunes
2007-12-16 15:28 --------- d-----w C:\Program Files\iPod
2007-12-16 15:27 --------- d-----w C:\Program Files\QuickTime
2007-12-14 17:52 --------- d-----w C:\Program Files\Temp
2007-12-09 14:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-07 08:11 --------- d-----w C:\Documents and Settings\James Leborgne\Application Data\Azureus
2007-12-07 07:58 --------- d-----w C:\Program Files\DivX
2007-12-03 10:18 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-01 17:55 --------- d-----w C:\Program Files\Java
2007-11-29 22:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-11-29 22:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-11-28 01:23 --------- d-----w C:\Program Files\Common Files\ksv
2007-11-25 12:05 312,944 ----a-w C:\WINDOWS\system32\sayax0.dll
2007-11-24 16:29 --------- d-----w C:\Program Files\PointUrl
2007-11-24 00:06 --------- d-----w C:\Program Files\isearch
2007-11-23 07:16 --------- d-----w C:\Documents and Settings\James Leborgne\Application Data\U3
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-09 00:47 --------- d-----w C:\Program Files\dweb
2007-11-08 01:40 235,008 ----a-w C:\WINDOWS\netmap.exe
2007-11-07 13:50 8,192 ----a-w C:\WINDOWS\system32\srvany.exe
2007-11-07 13:50 235,008 ----a-w C:\WINDOWS\system32\netmap.exe
2007-11-07 02:22 389,120 ----a-w C:\WINDOWS\WooricyCtrl.dll
2007-11-07 02:00 --------- d-----w C:\Program Files\EGSearch
2007-11-06 01:49 --------- d-----w C:\Program Files\vaccine2008
2007-11-06 01:49 --------- d-----w C:\Program Files\mstobe
2007-11-06 01:49 --------- d-----w C:\Program Files\ktbr
2007-11-06 01:40 361,712 ----a-w C:\WINDOWS\system32\HCR.exe
2007-11-05 07:01 65,536 ----a-w C:\WINDOWS\ODsay_SundoKT.dll
2007-11-05 00:32 87,040 ----a-w C:\WINDOWS\system32\DelZip179.dll
2007-10-31 03:48 --------- d-----w C:\Program Files\keywordsearch
2007-10-31 03:48 --------- d-----w C:\Program Files\centrim
2007-10-31 00:23 --------- d-----w C:\Documents and Settings\James Leborgne\Application Data\Temp
2007-10-30 23:42 3,590,656 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-30 14:02 87,040 ----a-w C:\DelZip179.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-29 03:31 787,317 ----a-w C:\WINDOWS\system32\comdlgcfgsp.exe
2007-10-29 03:31 --------- d-----w C:\Program Files\fanmae
2007-10-27 08:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 08:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-21 00:05 889,049 ----a-w C:\WINDOWS\system32\keysafedesetup.exe
2007-10-20 01:45 153,031 ----a-w C:\conedit.exe
2007-10-19 07:44 339,456 ----a-w C:\WINDOWS\system32\dbp.exe
2007-10-19 07:44 3 ----a-w C:\pmng.dat
2007-10-18 17:12 53,248 ----a-w C:\WINDOWS\system32\ProtHK.dll
2007-10-18 17:12 49,152 ----a-w C:\WINDOWS\system32\SiteProt.dll
2007-10-18 17:12 44,544 ----a-w C:\WINDOWS\system32\SiteDB_SW.dll
2007-10-18 17:12 2,995,712 ----a-w C:\WINDOWS\system32\SiteDB.dll
2007-10-18 13:52 40,960 ----a-w C:\WINDOWS\system32\hocninstall.exe
2007-10-18 13:33 40,960 ----a-w C:\WINDOWS\system32\hocnuninstall.exe
2007-10-16 16:40 3,532 ----a-w C:\drmHeader.bin
2007-10-15 00:02 8,052 ----a-w C:\WINDOWS\setup_xfile0u_ektl.zip
2007-10-13 02:41 659,456 ----a-w C:\WINDOWS\srrun_doublepoint.exe
2007-10-12 10:08 28,672 ----a-w C:\WINDOWS\setup_xfile0u_ektl.exe
2007-10-10 23:56 824,832 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56 1,159,680 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 23:55 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:55 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-10-07 06:26 7,680 ----a-w C:\katewins.exe
2007-10-05 12:36 149,665 ----a-w C:\callname.exe
2007-10-05 01:28 155,648 ----a-w C:\WINDOWS\poseidon_poseidon01.exe
2007-09-11 01:16 139,264 ---h--w C:\Program Files\ntfs
2007-09-07 18:02 578 ---h--w C:\Documents and Settings\James Leborgne\peogtb.sys
.

((((((((((((((((((((((((((((( snapshot@2007-12-17_13.24.40.31 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-03-13 01:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2000-08-30 23:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2007-11-21 06:12:10 153,714 ----a-w C:\WINDOWS\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
+ 2007-11-21 06:12:10 153,714 ----a-w C:\WINDOWS\pchealth\helpctr\Config\Cache\Personal_32_1033.dat.bak
- 2007-12-17 02:23:59 5,472,256 ----a-w C:\WINDOWS\SDFIX\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2007-12-17 05:09:52 5,500,928 ----a-w C:\WINDOWS\SDFIX\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2007-12-17 02:23:59 307,200 ----a-w C:\WINDOWS\SDFIX\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-17 05:09:52 307,200 ----a-w C:\WINDOWS\SDFIX\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2007-04-16 14:25:18 3,968 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
+ 2007-12-21 02:01:21 10,760 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
- 2007-06-26 00:19:12 19,904 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2007-12-21 02:01:00 26,952 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2007-12-21 01:53:39 9,216 ----a-w C:\WINDOWS\system32\lbhjngbfggg\lbhjngbfgggba.dll
- 2007-07-11 13:57:55 6,137,328 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2007-12-17 04:54:03 285,112 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
- 2007-12-13 12:26:50 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2000-08-30 23:00:00 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2FB0D3A8-6374-490f-A299-DA336EF5C586}]
2007-12-22 14:52 110592 --a------ C:\Program Files\oneguide\oneguidehelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CAD2484D-6D58-858D-F48A-CABAC5757DCA}]
2007-10-05 09:49 106496 --a------ c:\program files\easykey\easykey.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E8405E2F-288D-4D82-A091-9D168DFDF2A8}]
2007-11-29 14:15 81920 --a------ C:\Program Files\kpang\KPangHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{CAD2484D-6D58-858D-F48A-CABAC5757DCA}
{A03399C9-D379-4A0F-B154-AF7336E9EFDF}

[HKEY_CLASSES_ROOT\clsid\{cad2484d-6d58-858d-f48a-cabac5757dca}]
[HKEY_CLASSES_ROOT\easykey.StockBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{27486DAB-BA57-58D4-C521-197ADFBACDAB}]
[HKEY_CLASSES_ROOT\easykey.StockBar]

[HKEY_CLASSES_ROOT\clsid\{a03399c9-d379-4a0f-b154-af7336e9efdf}]
[HKEY_CLASSES_ROOT\kpangbar.kpangbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{8B2C5D18-FBF6-43b3-A173-0BE525D14E87}]
[HKEY_CLASSES_ROOT\kpangbar.kpangbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00]
"MyComGoPlus"="C:\Program Files\MyComGoPlus\MGUpdate.exe" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]
"apphost"="C:\WINDOWS\system32\apphost.exe" [2007-12-24 14:59]
"kpang"="C:\Program Files\kpang\kpangupdate.exe" [2007-12-24 14:46]
"oneguide"="C:\Program Files\oneguide\oneguideupdate.exe" [2007-12-22 23:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 21:12]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 21:11]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-22 21:05]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-02-17 14:01]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 13:24]
"Korean IME Migration"="C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEKR\IMKRMIG.EXE" [2006-10-26 14:53]
"dgup.exe"="C:\Program Files\dweb\dgup.exe" [2007-11-09 09:47]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-12-27 22:57]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 11:01]
"apphost"="C:\WINDOWS\system32\apphost.exe" [2007-12-24 14:59]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Wizards"="C:\Program Files\Internet Explorer\Connection Wizard\Wizards.exe" [2007-12-21 10:53]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-21 10:56]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=C:\WINDOWS\pss\DVD Check.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AROReminder]
C:\Program Files\Advanced Registry Optimizer\aro.exe -rem

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-03-22 21:05 339968 --a------ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
2005-02-17 14:01 233534 --a------ C:\Program Files\HPQ\Default Settings\cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-16 23:11 49152 --a------ C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2005-04-12 07:21 794624 --a------ C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-12-11 12:10 267048 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2007-02-23 12:30 67128 --a------ C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
Logi_MwX.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
2004-10-15 05:54 253952 --a------ c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
2002-12-10 17:54 127022 --a------ C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
2005-07-05 05:47 184320 --a------ C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMSRC]
C:\Program Files\Windows Media Player\siratic.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
2003-12-02 00:38 892928 --a------ C:\Program Files\Logitech\iTouch\iTouch.exe

R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2003-11-07 18:50]
S1 cgdrvnt3;cgdrvnt3;C:\WINDOWS\system32\DRIVERS\cgdrvnt3.sys [2007-04-24 21:24]
S2 bcsdlsvcs;bcsdlsvcs;C:\WINDOWS\system32\bcsdlsvcs.exe []
S2 codecsnd14;codecsnd14;c:\Program Files\Codec Pack\v14\codecsnd.exe [2007-10-20 01:12]
S2 comifsrv;COM Interface Service;C:\WINDOWS\system32\comifs.exe []
S2 CoolGate Helper;CoolGate Helper;C:\Program Files\Samsung\AnyPC\APSvc.exe [2007-04-24 21:24]
S2 enginev14;enginev14;c:\Program Files\Intel\v14\engine.exe []
S2 hlpmnglog;Help Manager Log;C:\WINDOWS\media\neternel.exe []
S2 MudulerSvc;MudulerSvc;C:\WINDOWS\system32\ModulerSvc.exe [2007-11-30 22:03]
S2 PCIDown;PCI Adapter;C:\WINDOWS\alg.exe []
S2 servcproc;servcproc;C:\WINDOWS\system32\srvany.exe [2007-11-07 22:50]
S2 Sndsvmc;Network Connect Valid Control;C:\WINDOWS\system32\sndsvmc.exe []
S2 systemmycom;systemmycom;C:\WINDOWS\system32\drivers\_systemcom.go\systemmycom.sys []
S3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-03-22 23:39]
S3 kpang;kpang;C:\WINDOWS\system32\drivers\kpang.sys [2007-12-26 23:43]
S3 oneguide;oneguide;C:\WINDOWS\system32\drivers\oneguide.sys [2007-12-26 23:43]
S4 lesstheme1;lesstheme1;c:\Program Files\MediaPack\40\lesstheme.exe [2007-11-25 08:33]
S4 systemcache4;systemcache4;c:\Program Files\CodecPack\40\systemcache.exe []
S4 videoctls;videoctls;c:\Program Files\LG Electronics\drv\videoctl.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-09-16 05:07:30 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-26 23:56:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe???????9?7?4?1??0??? ??B?????????????hLC? ?????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-26 23:56:44
C:\ComboFix2.txt ... 2007-12-25 03:16
C:\ComboFix3.txt ... 2007-12-17 15:37
.
2007-12-13 00:37:11 --- E O F ---

#6 bamajim

bamajim

  • Members
  • 894 posts

Posted 26 December 2007 - 11:21 AM

khevinet

Excellent work. Making progress, hang in there with me. :thumbsup:

5 of the 6 files you sent in were infected.

1. Right-click and delete the CFScript file we made earlier; we are going to make another.

2. I have some more files I would like to look at

Please go HERE

Put your name and Bleeping Computer HJT forum

and in the "file to submit" box, click Browse. Using Windows Explorer (right-click on "Start," select "Explore," and you will see the "tree" of file folders in the left side of the window; click on the "+" next to any folder name to expand its contents), locate the files (one in each box):

C:\WINDOWS\system32\drivers\oneguide.sys
C:\WINDOWS\system32\cgdrvnt3.dll
C:\WINDOWS\system32\ResetCSSvc.exe
C:\WINDOWS\system32\CleanSearch.dll
C:\WINDOWS\system32\ModulerSvc.exe

In the comments, tell them that I asked you to upload the file.
Then select Send File.

3. Open NotePad (not wordpad). Copy and paste the following into Notepad

File::
C:\Program Files\Internet Explorer\Connection Wizard\Wizards.exe
C:\Program Files\dweb\dgup.exe
C:\WINDOWS\wininit8.ini
C:\katewins.exe
C:\callname.exe
C:\WINDOWS\system32\drivers\kpang.sys
C:\WINDOWS\system32\apphost.exe
c:\Program Files\MediaPack\40\lesstheme.exe

Folder::
C:\Program Files\kpang

Driver::
kpang
lesstheme1
systemcache4
videoctls

Registry::
[-HKEY_CLASSES_ROOT\clsid\{a03399c9-d379-4a0f-b154-af7336e9efdf}]
[-HKEY_CLASSES_ROOT\kpangbar.kpangbar.1]
[-HKEY_CLASSES_ROOT\TypeLib\{8B2C5D18-FBF6-43b3-A173-0BE525D14E87}]
[-HKEY_CLASSES_ROOT\kpangbar.kpangbar]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"apphost"=-
"kpang"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dgup.exe"=-
"apphost"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Wizards"=-

Save the file as CFScript (exactly as shown, no spaces) ->> Save it to your Desktop

Using the Image as a reference, drag CFScript into ComboFix.exe

You will be prompted to run Combofix again. Do so,
following the same rules as indicated in my first post.
Then post the contents of the C:\ComboFix.txt log in your reply.

Microsoft MVP - Windows Security
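The files and registry values bamajim picks out above are chosen by reading the Run-key values and service lines of the ComboFix log. As an added example (not code from ComboFix, from the thread, or from its author), the Python script below parses those two line shapes from a constructed excerpt of the log and applies a few triage heuristics of its own: no recorded timestamp, a binary written within 30 days of the scan, a binary sitting directly under C:\ or C:\WINDOWS, and a Windows system binary name found outside system32. The heuristics and the SYSTEM32_ONLY list are assumptions of the example, not ComboFix's logic.

```python
"""Triage helper for the autostart lines in a ComboFix log.

Added example (not ComboFix, not from the thread). It parses the two line
shapes seen in the 'Reg Loading Points' section of the log:

    "name"="C:\\path\\file.exe" [YYYY-MM-DD HH:MM]               Run-key value
    S2 name;Display Name;C:\\path\\file.exe [YYYY-MM-DD HH:MM]   service/driver

and flags what a helper would look at first. The heuristics are the example's
own: an empty [] (ComboFix recorded no timestamp for the file), a timestamp
within `recent_days` of the scan, a binary sitting directly in C:\\ or
C:\\WINDOWS, and a Windows system binary name found outside system32.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<ts>[^\]]*)\]\s*$')
SVC_RE = re.compile(
    r'^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s*\[(?P<ts>[^\]]*)\]\s*$'
)
TS_FMT = "%Y-%m-%d %H:%M"

# Constructed, deliberately short list: XP binaries that belong in system32.
SYSTEM32_ONLY = {"alg.exe", "svchost.exe", "lsass.exe", "services.exe"}


@dataclass
class Entry:
    kind: str                     # "run" or "service"
    name: str
    path: str
    timestamp: Optional[datetime]
    flags: List[str] = field(default_factory=list)


def parse_entries(text: str) -> List[Entry]:
    """Return one Entry per Run-key value or service line; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        kind, m = "run", RUN_RE.match(line)
        if m is None:
            kind, m = "service", SVC_RE.match(line)
        if m is None:
            continue
        ts = m.group("ts").strip()
        stamp = datetime.strptime(ts, TS_FMT) if ts else None
        entries.append(Entry(kind, m.group("name").strip(), m.group("path").strip(), stamp))
    return entries


def flag_entry(entry: Entry, scan_time: datetime, recent_days: int = 30) -> List[str]:
    """Apply the triage heuristics to one entry and return its flags."""
    p = PureWindowsPath(entry.path)
    parent = str(p.parent).lower().rstrip("\\")
    if entry.timestamp is None:
        entry.flags.append("no-timestamp")
    elif scan_time - entry.timestamp <= timedelta(days=recent_days):
        entry.flags.append("recent-binary")
    if parent in ("c:", "c:\\windows"):
        entry.flags.append("root-level-binary")
    if p.name.lower() in SYSTEM32_ONLY and parent != "c:\\windows\\system32":
        entry.flags.append("system-name-outside-system32")
    return entry.flags


def triage(text: str, scan_time: datetime, recent_days: int = 30) -> Dict[str, List[str]]:
    """Map entry name -> flags for every entry that raised at least one flag."""
    flagged = {}
    for entry in parse_entries(text):
        if flag_entry(entry, scan_time, recent_days):
            flagged[entry.name] = entry.flags
    return flagged


# Constructed excerpt; the individual lines are copied from the log in the thread.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00]
"MyComGoPlus"="C:\Program Files\MyComGoPlus\MGUpdate.exe" []
"apphost"="C:\WINDOWS\system32\apphost.exe" [2007-12-24 14:59]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Wizards"="C:\Program Files\Internet Explorer\Connection Wizard\Wizards.exe" [2007-12-21 10:53]

S2 bcsdlsvcs;bcsdlsvcs;C:\WINDOWS\system32\bcsdlsvcs.exe []
S2 codecsnd14;codecsnd14;c:\Program Files\Codec Pack\v14\codecsnd.exe [2007-10-20 01:12]
S2 PCIDown;PCI Adapter;C:\WINDOWS\alg.exe []
S2 hlpmnglog;Help Manager Log;C:\WINDOWS\media\neternel.exe []
S3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-03-22 23:39]
'''
SCAN_TIME = datetime(2007, 12, 26, 23, 56)   # catchme scan time from the log

if __name__ == "__main__":
    for name, flags in triage(SAMPLE_LOG, SCAN_TIME).items():
        print(f"{name:12s} {', '.join(flags)}")
```

A flag is a prompt to check the file, not a verdict: apphost.exe is flagged only because it is two days old, while the genuine ctfmon.exe and HSFHWATI.sys raise nothing.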

#7 Khevinet

Khevinet
  • Topic Starter

  • Members
  • 57 posts
  • Gender:Male
  • Location:Korea

Posted 26 December 2007 - 07:09 PM

My new log:

ComboFix 07-12-25.2 - James Leborgne 2007-12-27 8:44:11.5 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.949.82.1033.18.899 [GMT 9:00]
Running from: C:\Documents and Settings\James Leborgne\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\James Leborgne\Desktop\CFScript.txt

FILE
C:\callname.exe
C:\katewins.exe
C:\Program Files\dweb\dgup.exe
C:\Program Files\Internet Explorer\Connection Wizard\Wizards.exe
c:\Program Files\MediaPack\40\lesstheme.exe
C:\WINDOWS\system32\apphost.exe
C:\WINDOWS\system32\drivers\kpang.sys
C:\WINDOWS\wininit8.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\callname.exe
C:\katewins.exe
C:\Program Files\dweb\dgup.exe
C:\Program Files\Internet Explorer\Connection Wizard\Wizards.exe
C:\Program Files\kpang
C:\Program Files\kpang\KPangHelper.dll
C:\Program Files\kpang\kpangtoolbar.dll
C:\Program Files\kpang\kpangupdate.exe
C:\Program Files\kpang\License.txt
C:\Program Files\kpang\uninstall.exe
c:\Program Files\MediaPack\40\lesstheme.exe
C:\WINDOWS\system32\apphost.exe
C:\WINDOWS\system32\drivers\kpang.sys
C:\WINDOWS\wininit8.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_KPANG
-------\LEGACY_LESSTHEME1
-------\LEGACY_SYSTEMCACHE4
-------\LEGACY_VIDEOCTLS
-------\kpang
-------\lesstheme1
-------\systemcache4
-------\videoctls


((((((((((((((((((((((((( Files Created from 2007-11-26 to 2007-12-26 )))))))))))))))))))))))))))))))
.

2007-12-26 23:44 . 2007-12-26 23:44 150 --a------ C:\DelUS.bat
2007-12-25 03:15 . 2007-12-25 03:15 101,066 --a------ C:\uinstall.exe
2007-12-25 03:14 . 2007-12-25 03:15 <DIR> d-------- C:\Program Files\oneguide
2007-12-25 03:14 . 2007-12-27 00:07 11,776 --a------ C:\WINDOWS\system32\drivers\oneguide.sys
2007-12-25 03:10 . 2007-12-27 00:03 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-25 03:10 . 2007-12-25 03:10 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-21 10:57 . 2007-12-21 11:06 <DIR> d-------- C:\Documents and Settings\James Leborgne\Application Data\AVG7
2007-12-21 10:56 . 2007-12-21 10:56 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-21 10:56 . 2007-12-21 10:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-21 10:47 . 2007-12-21 11:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-18 01:28 . 2007-12-18 01:28 <DIR> d--h----- C:\WINDOWS\PIF
2007-12-17 13:53 . 2007-12-17 13:53 <DIR> d-a------ C:\_systemcom.go
2007-12-17 12:26 . 2007-12-17 12:26 <DIR> d-------- C:\Documents and Settings\James Leborgne\DoctorWeb
2007-12-11 10:57 . 2007-12-11 10:57 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-11 10:57 . 2007-12-11 10:57 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-12-11 00:43 . 2007-12-11 00:43 <DIR> d-------- C:\Documents and Settings\James Leborgne\WooricyMap
2007-12-09 23:53 . 2007-12-09 23:53 <DIR> d-------- C:\Program Files\Samsung
2007-12-09 23:53 . 2007-04-24 21:24 12,248 --a------ C:\WINDOWS\system32\cgdrvnt3.dll
2007-12-09 23:53 . 2007-04-24 21:24 2,688 --a------ C:\WINDOWS\system32\drivers\cgdrvnt3.sys
2007-12-07 10:01 . 2007-12-07 10:01 <DIR> d-------- C:\Program Files\ANIJ
2007-12-06 03:16 . 2007-12-06 03:16 <DIR> d-------- C:\HNC
2007-12-04 14:13 . 2007-12-06 10:57 45,056 --a------ C:\WINDOWS\system32\ResetCSSvc.exe
2007-12-04 11:59 . 2007-12-04 12:00 <DIR> d-------- C:\WINDOWS\system32\drivers\_systemcom.go
2007-12-04 11:56 . 2007-12-04 11:56 363,008 --a------ C:\WINDOWS\mycomgo_mgpt.exe
2007-12-04 10:33 . 2007-12-04 10:33 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-12-04 10:33 . 2007-12-04 10:33 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-12-04 10:33 . 2007-12-04 10:33 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-12-04 10:33 . 2007-12-04 10:33 682,496 --a------ C:\WINDOWS\system32\DivX.dll
2007-12-03 19:38 . 2007-12-03 19:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-12-03 19:19 . 2007-12-03 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-03 19:18 . 2007-12-17 16:54 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-03 19:18 . 2007-12-03 19:18 <DIR> d-------- C:\Documents and Settings\James Leborgne\Application Data\SUPERAntiSpyware.com
2007-12-02 03:02 . 2007-12-02 03:02 <DIR> d-------- C:\WINDOWS\SDFIX
2007-12-02 02:55 . 2007-12-02 02:55 <DIR> d-------- C:\Program Files\Sun
2007-12-02 02:55 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-02 02:36 . 2007-12-02 02:37 <DIR> d-------- C:\Documents and Settings\James Leborgne\.SunDownloadManager
2007-11-30 22:14 . 2007-11-25 21:04 14,848 --a------ C:\WINDOWS\uninstall_Neo.exe
2007-11-30 22:13 . 2007-12-07 00:45 <DIR> d-------- C:\Program Files\InstallProc
2007-11-30 22:13 . 2007-12-20 02:07 <DIR> d-------- C:\Program Files\IEBSiteSetup
2007-11-30 22:13 . 2007-11-30 22:13 81,920 --a------ C:\WINDOWS\system32\CleanSearch.dll
2007-11-30 22:13 . 2007-11-30 22:13 67,637 --a------ C:\WINDOWS\UninstallCleanSearch.zip
2007-11-30 22:13 . 2007-11-30 22:13 244 --a------ C:\WINDOWS\ResetCSSvc.ini
2007-11-30 22:08 . 2007-11-30 22:08 2 --a------ C:\WINDOWS\prta0.ini
2007-11-30 22:07 . 2007-11-30 22:14 <DIR> d-------- C:\Program Files\SearchSpy
2007-11-30 22:06 . 2007-12-18 14:19 <DIR> d-------- C:\Program Files\SPack
2007-11-30 22:05 . 2007-11-30 22:14 <DIR> d-------- C:\Program Files\SearchURL
2007-11-30 22:05 . 2007-11-30 22:05 220,672 --a------ C:\WINDOWS\SearchPackAppInstaller.exe
2007-11-30 22:03 . 2007-11-30 22:03 28,672 --a------ C:\WINDOWS\system32\ModulerSvc.exe
2007-11-30 22:03 . 2007-11-30 22:03 28,672 --a------ C:\Documents and Settings\James Leborgne\ModulerSvc.exe
2007-11-30 22:03 . 2007-11-30 22:03 3,072 --a------ C:\WINDOWS\system32\userGC.dll
2007-11-30 07:30 . 2007-11-30 07:30 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-11-30 07:30 . 2007-11-30 07:30 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-11-30 07:30 . 2007-11-30 07:30 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2007-11-30 07:28 . 2007-11-30 07:28 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-11-30 07:28 . 2007-11-30 07:28 81,920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-11-30 07:28 . 2007-11-30 07:28 416 --a------ C:\WINDOWS\system32\dtu100.dll.manifest
2007-11-30 07:28 . 2007-11-30 07:28 416 --a------ C:\WINDOWS\system32\dpl100.dll.manifest
2007-11-29 06:55 . 2007-11-29 06:55 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-11-29 06:53 . 2007-11-29 06:53 593,920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-11-29 06:53 . 2007-11-29 06:53 344,064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-11-29 06:53 . 2007-11-29 06:53 294,912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-11-29 06:53 . 2007-11-29 06:53 294,912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-11-29 06:53 . 2007-11-29 06:53 57,344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-11-29 06:53 . 2007-11-29 06:53 53,248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-11-29 06:52 . 2007-11-29 06:52 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-11-28 08:47 . 2007-11-28 08:47 363 --a------ C:\WINDOWS\system32\servcproc.exe
2007-11-27 09:51 . 2007-12-20 02:07 <DIR> d-------- C:\Program Files\oyeaouo
2007-11-26 08:39 . 2007-11-26 08:39 598 --a------ C:\WINDOWS\Demeter.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-26 23:48 --------- d-----w C:\Program Files\dweb
2007-12-26 15:07 --------- d-----w C:\Documents and Settings\James Leborgne\Application Data\Skype
2007-12-19 17:07 --------- d-----w C:\Program Files\sync
2007-12-18 06:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2007-12-18 05:55 --------- d-----w C:\Documents and Settings\James Leborgne\Application Data\ZoomBrowser EX
2007-12-16 15:29 --------- d-----w C:\Program Files\iTunes
2007-12-16 15:28 --------- d-----w C:\Program Files\iPod
2007-12-16 15:27 --------- d-----w C:\Program Files\QuickTime
2007-12-14 17:52 --------- d-----w C:\Program Files\Temp
2007-12-09 14:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-07 08:11 --------- d-----w C:\Documents and Settings\James Leborgne\Application Data\Azureus
2007-12-07 07:58 --------- d-----w C:\Program Files\DivX
2007-12-03 10:18 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-01 17:55 --------- d-----w C:\Program Files\Java
2007-11-28 01:23 --------- d-----w C:\Program Files\Common Files\ksv
2007-11-24 16:29 --------- d-----w C:\Program Files\PointUrl
2007-11-24 00:06 --------- d-----w C:\Program Files\isearch
2007-11-23 07:16 --------- d-----w C:\Documents and Settings\James Leborgne\Application Data\U3
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-08 01:40 235,008 ----a-w C:\WINDOWS\netmap.exe
2007-11-07 02:22 389,120 ----a-w C:\WINDOWS\WooricyCtrl.dll
2007-11-07 02:00 --------- d-----w C:\Program Files\EGSearch
2007-11-06 01:49 --------- d-----w C:\Program Files\vaccine2008
2007-11-06 01:49 --------- d-----w C:\Program Files\mstobe
2007-11-06 01:49 --------- d-----w C:\Program Files\ktbr
2007-11-05 07:01 65,536 ----a-w C:\WINDOWS\ODsay_SundoKT.dll
2007-10-31 03:48 --------- d-----w C:\Program Files\keywordsearch
2007-10-31 03:48 --------- d-----w C:\Program Files\centrim
2007-10-31 00:23 --------- d-----w C:\Documents and Settings\James Leborgne\Application Data\Temp
2007-10-30 14:02 87,040 ----a-w C:\DelZip179.dll
2007-10-29 03:31 --------- d-----w C:\Program Files\fanmae
2007-10-20 01:45 153,031 ----a-w C:\conedit.exe
2007-10-19 07:44 3 ----a-w C:\pmng.dat
2007-10-16 16:40 3,532 ----a-w C:\drmHeader.bin
2007-10-15 00:02 8,052 ----a-w C:\WINDOWS\setup_xfile0u_ektl.zip
2007-10-13 02:41 659,456 ----a-w C:\WINDOWS\srrun_doublepoint.exe
2007-10-12 10:08 28,672 ----a-w C:\WINDOWS\setup_xfile0u_ektl.exe
2007-10-05 01:28 155,648 ----a-w C:\WINDOWS\poseidon_poseidon01.exe
2007-09-11 01:16 139,264 ---h--w C:\Program Files\ntfs
2007-09-07 18:02 578 ---h--w C:\Documents and Settings\James Leborgne\peogtb.sys
.

((((((((((((((((((((((((((((( snapshot@2007-12-17_13.24.40.31 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-03-13 01:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2000-08-30 23:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2007-11-21 06:12:10 153,714 ----a-w C:\WINDOWS\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
+ 2007-11-21 06:12:10 153,714 ----a-w C:\WINDOWS\pchealth\helpctr\Config\Cache\Personal_32_1033.dat.bak
- 2007-12-17 02:23:59 5,472,256 ----a-w C:\WINDOWS\SDFIX\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2007-12-17 05:09:52 5,500,928 ----a-w C:\WINDOWS\SDFIX\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2007-12-17 02:23:59 307,200 ----a-w C:\WINDOWS\SDFIX\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-17 05:09:52 307,200 ----a-w C:\WINDOWS\SDFIX\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2007-04-16 14:25:18 3,968 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
+ 2007-12-21 02:01:21 10,760 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
- 2007-06-26 00:19:12 19,904 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2007-12-21 02:01:00 26,952 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2007-12-21 01:53:39 9,216 ----a-w C:\WINDOWS\system32\lbhjngbfggg\lbhjngbfgggba.dll
- 2007-07-11 13:57:55 6,137,328 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2007-12-17 04:54:03 285,112 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
- 2007-12-13 12:26:50 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2000-08-30 23:00:00 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2FB0D3A8-6374-490f-A299-DA336EF5C586}]
2007-12-22 14:52 110592 --a------ C:\Program Files\oneguide\oneguidehelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CAD2484D-6D58-858D-F48A-CABAC5757DCA}]
2007-10-05 09:49 106496 --a------ c:\program files\easykey\easykey.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{CAD2484D-6D58-858D-F48A-CABAC5757DCA}

[HKEY_CLASSES_ROOT\clsid\{cad2484d-6d58-858d-f48a-cabac5757dca}]
[HKEY_CLASSES_ROOT\easykey.StockBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{27486DAB-BA57-58D4-C521-197ADFBACDAB}]
[HKEY_CLASSES_ROOT\easykey.StockBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00]
"MyComGoPlus"="C:\Program Files\MyComGoPlus\MGUpdate.exe" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]
"nruxdgjmqt"="C:\WINDOWS\system32\nruxdgjmqt.exe" []
"oneguide"="C:\Program Files\oneguide\oneguideupdate.exe" [2007-12-22 23:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 21:12]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 21:11]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-22 21:05]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-02-17 14:01]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 13:24]
"Korean IME Migration"="C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEKR\IMKRMIG.EXE" [2006-10-26 14:53]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-12-27 22:57]
"Mnsets"="C:\Program Files\Internet Explorer\Connection Wizard\Mnsets.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10]
"nruxdgjmqt"="C:\WINDOWS\system32\nruxdgjmqt.exe" []
"Samtek"="C:\Program Files\Internet Explorer\MUI\Samtek.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 11:01]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"KTech"="C:\Windows\Config\KTech.exe" []
"Getoas"="c:\windows\Getoas.exe" []
"Alinics"="C:\Windows\AppPatch\Alinics.exe" []
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-21 10:56]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"lbhjngbfgggaa.exe"="C:\WINDOWS\system32\lbhjngbfggg\lbhjngbfgggaa.exe" []
"cashbagmoll.exe"="C:\Program Files\cashbagmoll\cashbagmoll.exe" []

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=C:\WINDOWS\pss\DVD Check.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AROReminder]
C:\Program Files\Advanced Registry Optimizer\aro.exe -rem

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-03-22 21:05 339968 --a------ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
2005-02-17 14:01 233534 --a------ C:\Program Files\HPQ\Default Settings\cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-16 23:11 49152 --a------ C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2005-04-12 07:21 794624 --a------ C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-12-11 12:10 267048 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2007-02-23 12:30 67128 --a------ C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
Logi_MwX.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
2004-10-15 05:54 253952 --a------ c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
2002-12-10 17:54 127022 --a------ C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
2005-07-05 05:47 184320 --a------ C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMSRC]
C:\Program Files\Windows Media Player\siratic.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
2003-12-02 00:38 892928 --a------ C:\Program Files\Logitech\iTouch\iTouch.exe

R1 cgdrvnt3;cgdrvnt3;C:\WINDOWS\system32\DRIVERS\cgdrvnt3.sys [2007-04-24 21:24]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-03-22 23:39]
R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2003-11-07 18:50]
R3 oneguide;oneguide;C:\WINDOWS\system32\drivers\oneguide.sys [2007-12-27 08:54]
S2 systemmycom;systemmycom;C:\WINDOWS\system32\drivers\_systemcom.go\systemmycom.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-09-16 05:07:30 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-27 08:52:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe???????9?7?4?1??`??? ??B?????????????hLC? ?????

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-27 9:02:08 - machine was rebooted [James Leborgne]
C:\ComboFix2.txt ... 2007-12-26 23:56
C:\ComboFix3.txt ... 2007-12-25 03:16
.
2007-12-13 00:37:11 --- E O F ---
______________________________________________________________________________

Just so you know, I've been running all of these in safe mode. If I try to boot up normally, it takes a year for normal system functionality to restore, and always tells me afterwards that Combofix has encountered an error.

#8 bamajim

bamajim

  • Members
  • 894 posts

Posted 27 December 2007 - 08:27 AM

Khevinet

Just so you know, I've been running all of these in safe mode. If I try to boot up normally, it takes a year for normal system functionality to restore, and always tells me afterwards that Combofix has encountered an error.

Is this just when you run Combofix or is it for any time you try to reboot into Normal windows mode?

Post a fresh Hijackthis log as well
Microsoft MVP - Windows Security

#9 Khevinet
  • Topic Starter

  • Members
  • 57 posts
  • Gender:Male
  • Location:Korea

Posted 27 December 2007 - 08:50 AM

I can't run combofix at all in normal mode, and it's too buggy to use internet functions when not in safe mode (I'm using safe mode to write this.)

Here is my hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48:05 PM, on 27/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\James Leborgne\Desktop\HiJackThis.exe

O2 - BHO: (no name) - {2FB0D3A8-6374-490f-A299-DA336EF5C586} - C:\Program Files\oneguide\oneguidehelper.dll
O2 - BHO: easykey - {CAD2484D-6D58-858D-F48A-CABAC5757DCA} - c:\program files\easykey\easykey.dll
O3 - Toolbar: easykey - {CAD2484D-6D58-858D-F48A-CABAC5757DCA} - c:\program files\easykey\easykey.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Korean IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEKR\IMKRMIG.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Mnsets] C:\Program Files\Internet Explorer\Connection Wizard\Mnsets.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nruxdgjmqt] C:\WINDOWS\system32\nruxdgjmqt.exe
O4 - HKLM\..\Run: [Samtek] C:\Program Files\Internet Explorer\MUI\Samtek.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MyComGoPlus] "C:\Program Files\MyComGoPlus\MGUpdate.exe" boot
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [nruxdgjmqt] C:\WINDOWS\system32\nruxdgjmqt.exe
O4 - HKCU\..\Run: [oneguide] C:\Program Files\oneguide\oneguideupdate.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [KTech] C:\Windows\Config\KTech.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [lbhjngbfgggaa.exe] C:\WINDOWS\system32\lbhjngbfggg\lbhjngbfgggaa.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [KTech] C:\Windows\Config\KTech.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [lbhjngbfgggaa.exe] C:\WINDOWS\system32\lbhjngbfggg\lbhjngbfgggaa.exe (User 'Default user')
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: directkey - {3548DCFA-FE35-435D-34DA-B175FAEF1685} - c:\PROGRA~1\DIRECT~1\DIRECT~1.DLL
O9 - Extra 'Tools' menuitem: directkey - {3548DCFA-FE35-435D-34DA-B175FAEF1685} - c:\PROGRA~1\DIRECT~1\DIRECT~1.DLL
O9 - Extra button: AIƮA?E - {37785D32-1604-410b-BF6E-82E65C67DB6C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AIƮA?E - {37785D32-1604-410b-BF6E-82E65C67DB6C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: oneguide - {5E255680-6A44-4AFB-B525-B8C432CB0269} - C:\Program Files\oneguide\oneguide.dll
O9 - Extra button: CashOn - {731B4EB2-B447-4108-86EB-6F9B6A46E576} - C:\PROGRA~1\CashOn\bin\NCBUTT~1.DLL (file missing)
O9 - Extra button: easykey - {ED157DAB-B415-DF48-48DA-4A8D5F48DABC} - c:\program files\easykey\easykey.dll
O9 - Extra 'Tools' menuitem: easykey - {ED157DAB-B415-DF48-48DA-4A8D5F48DABC} - c:\program files\easykey\easykey.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg5.cyworld.nate.com/ImageUpload...mageUpload2.cab
O16 - DPF: {0E96B258-D5FA-405E-A540-DB53E03376BD} (OrangeFileBox Control) - http://www.orangefile.com/ActiveX/OrangeFileBox.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {18D63578-EA2F-4A59-A49A-7F62E6B3DF3E} (ImP3 Control) - http://activexdown.paran.com/paranactivex/data/ImP3.cab
O16 - DPF: {1ABB898B-8A1A-40CB-8DE7-DAF5E560E814} (DSubActX Control) - http://cab1.diskster.com/recab/DSubActX.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {31FA72F5-BE46-4D6D-A10D-857C8D6F4BFA} (OrangeFileSearch Control) - http://www.orangefile.com/ActiveX/OrangeFileSearch.cab
O16 - DPF: {32D94A9F-9A18-4E12-863D-8AABA8CBDA78} (NateOnMMSAtx3 Class) - http://sms.nate.com/NateOnMMS_AX3.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5CA5E00D-80A8-475A-BF08-816FD56DBC38} (KTCtrl Class) - http://support.kornet.net/sw5/order/Speed/...peedNewCtrl.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownlo...Plugin11USA.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {788649EC-2622-4EE8-84A3-F49F6AA8399C} (QuizHelperCtrl Class) - http://www.activetutor.net/pub/cabs/quizhe.../QuizHelper.cab
O16 - DPF: {7C09DD8F-D1C6-4315-AE96-AC328FDF734B} (KTActiveX Control) - http://support.kornet.net/sw5/order/Speed/cab/KTActiveX.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://xecure.kbstar.com/xecure/xw_install_v7202.cab
O16 - DPF: {8D88D553-E13C-492E-BC64-2DAF12782A81} (AClientChecker.AxAClientChecker) - http://image.cdi.co.kr/ibtprep/install/web...ientChecker.CAB
O16 - DPF: {913BF18F-672D-4676-9855-F9A192A88886} (IMBCContents Control) - http://touch.imbc.com/ocx/Online.cab
O16 - DPF: {91A6D076-F1AA-44DC-9825-9F7DE41E2398} (WooricyMap Control) - http://traffic.local.naver.com/Traffic_bro...p(1,0,0,23).cab
O16 - DPF: {99C709C7-4F58-46C1-855B-90213C760395} (v3d Class) - https://secure.kcp.co.kr/webpay/v3d/file/kcp_ansimclick.cab
O16 - DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} (MagicLockOCX Control) - http://www.cinewel.com/down/MagicLockOCX.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/mv/XTools.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} - http://k-defence.kbstar.com/kings/kdfx/kdfx238/kdfense8.cab
O16 - DPF: {A977FF0C-8757-4E76-8533-482F91946233} (Neowiz Login Control) - http://dl.sayclub.com/sayclub/sayctl/sayax.cab
O16 - DPF: {AF11AA64-87A5-4146-AF3B-A7BD0F278485} (SBStarter Control) - http://download.soribada.com/down/Soribada...206/SBStart.CAB
O16 - DPF: {AF60D574-F249-4243-8040-5521AAA5BB5E} (PandoraTVSet Class) - http://imgcdn.pandora.tv/pan_img/p3player/...ge/pdrtvset.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B45E969D-924F-4C83-ACF3-38CDD115AA2C} (MpiPlugin Class) - https://www.isaackorea.net/update/ilkactx.cab
O16 - DPF: {B8ECD16B-EC0C-407E-AF2D-7B4A6B6F8DCB} (AllatPayXATL Class) - https://tx.allatpay.com/component/AllatPayX.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CEAF43B1-E8C1-426D-A63C-92C71212E6E5} (PlayerCue Control) - http://touch.imbc.com/ActiveX/iMBCOnlineService.cab
O16 - DPF: {CF362BDB-4EA2-11D5-AB47-000102913414} (SetGlb Control) - http://touch.imbc.com/ocx/SetGlb.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://n-protect.kbstar.com/nprotect/module/npx.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://vbv.samsungcard.co.kr/keycrypt/npkcx.cab
O16 - DPF: {E3EAC26D-891F-499A-9C38-D8F165DE02B8} (SsoAccess Class) - http://www.daegu.go.kr/SSODemo/ssoObject/SsoAccess.cab
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - https://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
O16 - DPF: {F1149E8A-79EB-4859-835E-95432B72FEA2} (AnycallLAND_DownCheck Control) - http://img.anycall.com/anycall/support/act...nCheckProj1.cab
O16 - DPF: {F36C3235-C4AF-409F-B6A1-4F96BB1B533E} (CyGlobalCtl Class) - http://fs1.us.cyworld.com/common/activex/CyGlobal.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: bcsdlsvcs - Unknown owner - C:\WINDOWS\system32\bcsdlsvcs.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: codecsnd14 - Unknown owner - c:\Program Files\Codec Pack\v14\codecsnd.exe
O23 - Service: COM Interface Service (comifsrv) - Unknown owner - C:\WINDOWS\system32\comifs.exe (file missing)
O23 - Service: CoolGate Helper - DoctorSoft - C:\Program Files\Samsung\AnyPC\APSvc.exe
O23 - Service: enginev14 - Unknown owner - c:\Program Files\Intel\v14\engine.exe (file missing)
O23 - Service: Help Manager Log (hlpmnglog) - Unknown owner - C:\WINDOWS\media\neternel.exe (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MudulerSvc - ANIJCORP - C:\WINDOWS\system32\ModulerSvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: PCI Adapter (PCIDown) - Unknown owner - C:\WINDOWS\alg.exe (file missing)
O23 - Service: servcproc - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: Network Connect Valid Control (Sndsvmc) - Unknown owner - C:\WINDOWS\system32\sndsvmc.exe (file missing)

--
End of file - 12815 bytes

#10 Khevinet
  • Topic Starter

  • Members
  • 57 posts
  • Gender:Male
  • Location:Korea

Posted 27 December 2007 - 08:52 AM

Crap, disregard that scan. I'll boot it up in normal mode to do the hijackthis assessment.

#11 Khevinet
  • Topic Starter

  • Members
  • 57 posts
  • Gender:Male
  • Location:Korea

Posted 27 December 2007 - 09:05 AM

This is the full scan run in normal windows boot-up mode:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:56:39 PM, on 27/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\Program Files\Codec Pack\v14\codecsnd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Samsung\AnyPC\APSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\ModulerSvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\srvany.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Documents and Settings\James Leborgne\Desktop\HiJackThis.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\WgaTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe

O2 - BHO: easykey - {CAD2484D-6D58-858D-F48A-CABAC5757DCA} - c:\program files\easykey\easykey.dll
O3 - Toolbar: easykey - {CAD2484D-6D58-858D-F48A-CABAC5757DCA} - c:\program files\easykey\easykey.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Korean IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEKR\IMKRMIG.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Mnsets] C:\Program Files\Internet Explorer\Connection Wizard\Mnsets.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nruxdgjmqt] C:\WINDOWS\system32\nruxdgjmqt.exe
O4 - HKLM\..\Run: [Samtek] C:\Program Files\Internet Explorer\MUI\Samtek.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MyComGoPlus] "C:\Program Files\MyComGoPlus\MGUpdate.exe" boot
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [nruxdgjmqt] C:\WINDOWS\system32\nruxdgjmqt.exe
O4 - HKCU\..\Run: [oneguide] C:\Program Files\oneguide\oneguideupdate.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [KTech] C:\Windows\Config\KTech.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [lbhjngbfgggaa.exe] C:\WINDOWS\system32\lbhjngbfggg\lbhjngbfgggaa.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [KTech] C:\Windows\Config\KTech.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [lbhjngbfgggaa.exe] C:\WINDOWS\system32\lbhjngbfggg\lbhjngbfgggaa.exe (User 'Default user')
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: directkey - {3548DCFA-FE35-435D-34DA-B175FAEF1685} - c:\PROGRA~1\DIRECT~1\DIRECT~1.DLL
O9 - Extra 'Tools' menuitem: directkey - {3548DCFA-FE35-435D-34DA-B175FAEF1685} - c:\PROGRA~1\DIRECT~1\DIRECT~1.DLL
O9 - Extra button: AIƮA?E - {37785D32-1604-410b-BF6E-82E65C67DB6C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AIƮA?E - {37785D32-1604-410b-BF6E-82E65C67DB6C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: oneguide - {5E255680-6A44-4AFB-B525-B8C432CB0269} - C:\Program Files\oneguide\oneguide.dll
O9 - Extra button: CashOn - {731B4EB2-B447-4108-86EB-6F9B6A46E576} - C:\PROGRA~1\CashOn\bin\NCBUTT~1.DLL (file missing)
O9 - Extra button: easykey - {ED157DAB-B415-DF48-48DA-4A8D5F48DABC} - c:\program files\easykey\easykey.dll
O9 - Extra 'Tools' menuitem: easykey - {ED157DAB-B415-DF48-48DA-4A8D5F48DABC} - c:\program files\easykey\easykey.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg5.cyworld.nate.com/ImageUpload...mageUpload2.cab
O16 - DPF: {0E96B258-D5FA-405E-A540-DB53E03376BD} (OrangeFileBox Control) - http://www.orangefile.com/ActiveX/OrangeFileBox.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {18D63578-EA2F-4A59-A49A-7F62E6B3DF3E} (ImP3 Control) - http://activexdown.paran.com/paranactivex/data/ImP3.cab
O16 - DPF: {1ABB898B-8A1A-40CB-8DE7-DAF5E560E814} (DSubActX Control) - http://cab1.diskster.com/recab/DSubActX.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {31FA72F5-BE46-4D6D-A10D-857C8D6F4BFA} (OrangeFileSearch Control) - http://www.orangefile.com/ActiveX/OrangeFileSearch.cab
O16 - DPF: {32D94A9F-9A18-4E12-863D-8AABA8CBDA78} (NateOnMMSAtx3 Class) - http://sms.nate.com/NateOnMMS_AX3.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5CA5E00D-80A8-475A-BF08-816FD56DBC38} (KTCtrl Class) - http://support.kornet.net/sw5/order/Speed/...peedNewCtrl.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownlo...Plugin11USA.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {788649EC-2622-4EE8-84A3-F49F6AA8399C} (QuizHelperCtrl Class) - http://www.activetutor.net/pub/cabs/quizhe.../QuizHelper.cab
O16 - DPF: {7C09DD8F-D1C6-4315-AE96-AC328FDF734B} (KTActiveX Control) - http://support.kornet.net/sw5/order/Speed/cab/KTActiveX.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://xecure.kbstar.com/xecure/xw_install_v7202.cab
O16 - DPF: {8D88D553-E13C-492E-BC64-2DAF12782A81} (AClientChecker.AxAClientChecker) - http://image.cdi.co.kr/ibtprep/install/web...ientChecker.CAB
O16 - DPF: {913BF18F-672D-4676-9855-F9A192A88886} (IMBCContents Control) - http://touch.imbc.com/ocx/Online.cab
O16 - DPF: {91A6D076-F1AA-44DC-9825-9F7DE41E2398} (WooricyMap Control) - http://traffic.local.naver.com/Traffic_bro...p(1,0,0,23).cab
O16 - DPF: {99C709C7-4F58-46C1-855B-90213C760395} (v3d Class) - https://secure.kcp.co.kr/webpay/v3d/file/kcp_ansimclick.cab
O16 - DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} (MagicLockOCX Control) - http://www.cinewel.com/down/MagicLockOCX.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/mv/XTools.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} - http://k-defence.kbstar.com/kings/kdfx/kdfx238/kdfense8.cab
O16 - DPF: {A977FF0C-8757-4E76-8533-482F91946233} (Neowiz Login Control) - http://dl.sayclub.com/sayclub/sayctl/sayax.cab
O16 - DPF: {AF11AA64-87A5-4146-AF3B-A7BD0F278485} (SBStarter Control) - http://download.soribada.com/down/Soribada...206/SBStart.CAB
O16 - DPF: {AF60D574-F249-4243-8040-5521AAA5BB5E} (PandoraTVSet Class) - http://imgcdn.pandora.tv/pan_img/p3player/...ge/pdrtvset.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B45E969D-924F-4C83-ACF3-38CDD115AA2C} (MpiPlugin Class) - https://www.isaackorea.net/update/ilkactx.cab
O16 - DPF: {B8ECD16B-EC0C-407E-AF2D-7B4A6B6F8DCB} (AllatPayXATL Class) - https://tx.allatpay.com/component/AllatPayX.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CEAF43B1-E8C1-426D-A63C-92C71212E6E5} (PlayerCue Control) - http://touch.imbc.com/ActiveX/iMBCOnlineService.cab
O16 - DPF: {CF362BDB-4EA2-11D5-AB47-000102913414} (SetGlb Control) - http://touch.imbc.com/ocx/SetGlb.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://n-protect.kbstar.com/nprotect/module/npx.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://vbv.samsungcard.co.kr/keycrypt/npkcx.cab
O16 - DPF: {E3EAC26D-891F-499A-9C38-D8F165DE02B8} (SsoAccess Class) - http://www.daegu.go.kr/SSODemo/ssoObject/SsoAccess.cab
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - https://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
O16 - DPF: {F1149E8A-79EB-4859-835E-95432B72FEA2} (AnycallLAND_DownCheck Control) - http://img.anycall.com/anycall/support/act...nCheckProj1.cab
O16 - DPF: {F36C3235-C4AF-409F-B6A1-4F96BB1B533E} (CyGlobalCtl Class) - http://fs1.us.cyworld.com/common/activex/CyGlobal.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: bcsdlsvcs - Unknown owner - C:\WINDOWS\system32\bcsdlsvcs.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: codecsnd14 - Unknown owner - c:\Program Files\Codec Pack\v14\codecsnd.exe
O23 - Service: COM Interface Service (comifsrv) - Unknown owner - C:\WINDOWS\system32\comifs.exe (file missing)
O23 - Service: CoolGate Helper - DoctorSoft - C:\Program Files\Samsung\AnyPC\APSvc.exe
O23 - Service: enginev14 - Unknown owner - c:\Program Files\Intel\v14\engine.exe (file missing)
O23 - Service: Help Manager Log (hlpmnglog) - Unknown owner - C:\WINDOWS\media\neternel.exe (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MudulerSvc - ANIJCORP - C:\WINDOWS\system32\ModulerSvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: PCI Adapter (PCIDown) - Unknown owner - C:\WINDOWS\alg.exe (file missing)
O23 - Service: servcproc - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: Network Connect Valid Control (Sndsvmc) - Unknown owner - C:\WINDOWS\system32\sndsvmc.exe (file missing)

--
End of file - 13878 bytes

_______________________________________________________________________________

Sorry, I've been running in safe mode the last few days to get my work done; it's kind of second nature now.

#12 bamajim

  • Members
  • 894 posts

Posted 28 December 2007 - 09:21 AM

Khevinet

1. Rerun Hijackthis (scan only) and place checks beside the following entries:

O4 - HKLM\..\Run: [Mnsets] C:\Program Files\Internet Explorer\Connection Wizard\Mnsets.exe
O4 - HKLM\..\Run: [nruxdgjmqt] C:\WINDOWS\system32\nruxdgjmqt.exe
O4 - HKCU\..\Run: [nruxdgjmqt] C:\WINDOWS\system32\nruxdgjmqt.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [lbhjngbfgggaa.exe] C:\WINDOWS\system32\lbhjngbfggg\lbhjngbfgggaa.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [lbhjngbfgggaa.exe] C:\WINDOWS\system32\lbhjngbfggg\lbhjngbfgggaa.exe (User 'Default user')
O9 - Extra button: CashOn - {731B4EB2-B447-4108-86EB-6F9B6A46E576} - C:\PROGRA~1\CashOn\bin\NCBUTT~1.DLL (file missing)

Close all other open windows except Hijackthis and Select "Fix checked"

Close Hijackthis ->> Reboot your PC ->> Rerun Hijackthis and post a fresh Hijackthis log

2. And in your reply give me an update on how your PC is running.
Microsoft MVP - Windows Security

#13 Khevinet
  • Topic Starter

  • Members
  • 57 posts
  • Gender:Male
  • Location:Korea

Posted 28 December 2007 - 10:12 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:48 AM, on 29/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\Program Files\Codec Pack\v14\codecsnd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Samsung\AnyPC\APSvc.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\ModulerSvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\srvany.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Documents and Settings\James Leborgne\Desktop\HiJackThis.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe

O2 - BHO: (no name) - {2FB0D3A8-6374-490f-A299-DA336EF5C586} - C:\Program Files\oneguide\oneguidehelper.dll
O2 - BHO: easykey - {CAD2484D-6D58-858D-F48A-CABAC5757DCA} - c:\program files\easykey\easykey.dll
O3 - Toolbar: easykey - {CAD2484D-6D58-858D-F48A-CABAC5757DCA} - c:\program files\easykey\easykey.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Korean IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEKR\IMKRMIG.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Samtek] C:\Program Files\Internet Explorer\MUI\Samtek.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MyComGoPlus] "C:\Program Files\MyComGoPlus\MGUpdate.exe" boot
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [oneguide] C:\Program Files\oneguide\oneguideupdate.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [KTech] C:\Windows\Config\KTech.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [cashbagmoll.exe] C:\Program Files\cashbagmoll\cashbagmoll.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [KTech] C:\Windows\Config\KTech.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [cashbagmoll.exe] C:\Program Files\cashbagmoll\cashbagmoll.exe (User 'Default user')
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: directkey - {3548DCFA-FE35-435D-34DA-B175FAEF1685} - c:\PROGRA~1\DIRECT~1\DIRECT~1.DLL
O9 - Extra 'Tools' menuitem: directkey - {3548DCFA-FE35-435D-34DA-B175FAEF1685} - c:\PROGRA~1\DIRECT~1\DIRECT~1.DLL
O9 - Extra button: AIƮA?E - {37785D32-1604-410b-BF6E-82E65C67DB6C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AIƮA?E - {37785D32-1604-410b-BF6E-82E65C67DB6C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: oneguide - {5E255680-6A44-4AFB-B525-B8C432CB0269} - C:\Program Files\oneguide\oneguide.dll
O9 - Extra button: easykey - {ED157DAB-B415-DF48-48DA-4A8D5F48DABC} - c:\program files\easykey\easykey.dll
O9 - Extra 'Tools' menuitem: easykey - {ED157DAB-B415-DF48-48DA-4A8D5F48DABC} - c:\program files\easykey\easykey.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg5.cyworld.nate.com/ImageUpload...mageUpload2.cab
O16 - DPF: {0E96B258-D5FA-405E-A540-DB53E03376BD} (OrangeFileBox Control) - http://www.orangefile.com/ActiveX/OrangeFileBox.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {18D63578-EA2F-4A59-A49A-7F62E6B3DF3E} (ImP3 Control) - http://activexdown.paran.com/paranactivex/data/ImP3.cab
O16 - DPF: {1ABB898B-8A1A-40CB-8DE7-DAF5E560E814} (DSubActX Control) - http://cab1.diskster.com/recab/DSubActX.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {31FA72F5-BE46-4D6D-A10D-857C8D6F4BFA} (OrangeFileSearch Control) - http://www.orangefile.com/ActiveX/OrangeFileSearch.cab
O16 - DPF: {32D94A9F-9A18-4E12-863D-8AABA8CBDA78} (NateOnMMSAtx3 Class) - http://sms.nate.com/NateOnMMS_AX3.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5CA5E00D-80A8-475A-BF08-816FD56DBC38} (KTCtrl Class) - http://support.kornet.net/sw5/order/Speed/...peedNewCtrl.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownlo...Plugin11USA.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {788649EC-2622-4EE8-84A3-F49F6AA8399C} (QuizHelperCtrl Class) - http://www.activetutor.net/pub/cabs/quizhe.../QuizHelper.cab
O16 - DPF: {7C09DD8F-D1C6-4315-AE96-AC328FDF734B} (KTActiveX Control) - http://support.kornet.net/sw5/order/Speed/cab/KTActiveX.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://xecure.kbstar.com/xecure/xw_install_v7202.cab
O16 - DPF: {8D88D553-E13C-492E-BC64-2DAF12782A81} (AClientChecker.AxAClientChecker) - http://image.cdi.co.kr/ibtprep/install/web...ientChecker.CAB
O16 - DPF: {913BF18F-672D-4676-9855-F9A192A88886} (IMBCContents Control) - http://touch.imbc.com/ocx/Online.cab
O16 - DPF: {91A6D076-F1AA-44DC-9825-9F7DE41E2398} (WooricyMap Control) - http://traffic.local.naver.com/Traffic_bro...p(1,0,0,23).cab
O16 - DPF: {99C709C7-4F58-46C1-855B-90213C760395} (v3d Class) - https://secure.kcp.co.kr/webpay/v3d/file/kcp_ansimclick.cab
O16 - DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} (MagicLockOCX Control) - http://www.cinewel.com/down/MagicLockOCX.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/mv/XTools.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} - http://k-defence.kbstar.com/kings/kdfx/kdfx238/kdfense8.cab
O16 - DPF: {A977FF0C-8757-4E76-8533-482F91946233} (Neowiz Login Control) - http://dl.sayclub.com/sayclub/sayctl/sayax.cab
O16 - DPF: {AF11AA64-87A5-4146-AF3B-A7BD0F278485} (SBStarter Control) - http://download.soribada.com/down/Soribada...206/SBStart.CAB
O16 - DPF: {AF60D574-F249-4243-8040-5521AAA5BB5E} (PandoraTVSet Class) - http://imgcdn.pandora.tv/pan_img/p3player/...ge/pdrtvset.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B45E969D-924F-4C83-ACF3-38CDD115AA2C} (MpiPlugin Class) - https://www.isaackorea.net/update/ilkactx.cab
O16 - DPF: {B8ECD16B-EC0C-407E-AF2D-7B4A6B6F8DCB} (AllatPayXATL Class) - https://tx.allatpay.com/component/AllatPayX.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CEAF43B1-E8C1-426D-A63C-92C71212E6E5} (PlayerCue Control) - http://touch.imbc.com/ActiveX/iMBCOnlineService.cab
O16 - DPF: {CF362BDB-4EA2-11D5-AB47-000102913414} (SetGlb Control) - http://touch.imbc.com/ocx/SetGlb.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://n-protect.kbstar.com/nprotect/module/npx.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://vbv.samsungcard.co.kr/keycrypt/npkcx.cab
O16 - DPF: {E3EAC26D-891F-499A-9C38-D8F165DE02B8} (SsoAccess Class) - http://www.daegu.go.kr/SSODemo/ssoObject/SsoAccess.cab
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - https://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
O16 - DPF: {F1149E8A-79EB-4859-835E-95432B72FEA2} (AnycallLAND_DownCheck Control) - http://img.anycall.com/anycall/support/act...nCheckProj1.cab
O16 - DPF: {F36C3235-C4AF-409F-B6A1-4F96BB1B533E} (CyGlobalCtl Class) - http://fs1.us.cyworld.com/common/activex/CyGlobal.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: bcsdlsvcs - Unknown owner - C:\WINDOWS\system32\bcsdlsvcs.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: codecsnd14 - Unknown owner - c:\Program Files\Codec Pack\v14\codecsnd.exe
O23 - Service: COM Interface Service (comifsrv) - Unknown owner - C:\WINDOWS\system32\comifs.exe (file missing)
O23 - Service: CoolGate Helper - DoctorSoft - C:\Program Files\Samsung\AnyPC\APSvc.exe
O23 - Service: enginev14 - Unknown owner - c:\Program Files\Intel\v14\engine.exe (file missing)
O23 - Service: Help Manager Log (hlpmnglog) - Unknown owner - C:\WINDOWS\media\neternel.exe (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MudulerSvc - ANIJCORP - C:\WINDOWS\system32\ModulerSvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: PCI Adapter (PCIDown) - Unknown owner - C:\WINDOWS\alg.exe (file missing)
O23 - Service: servcproc - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: Network Connect Valid Control (Sndsvmc) - Unknown owner - C:\WINDOWS\system32\sndsvmc.exe (file missing)

--
End of file - 15861 bytes

_______________________________________________________________________________________________________________________

In normal mode, my system takes a long time to function after starting a program. All activity seems to stall or move at diminished speed, and certain programs, such as Skype, will either not open or open several minutes after being initiated.

#14 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  • Local time:09:03 PM

Posted 28 December 2007 - 11:39 AM

khevinet

In normal mode, my system takes a long time to function after starting a program. All activity seems to stall or move at diminished speed, and certain programs, such as Skype, will either not open or open several minutes after being initiated.

That lets me know where we are.

1. Open Task Manager (right-click the clock in the lower system tray ->> Task Manager)

Locate the process (under the Processes tab): codecsnd.exe
Highlight it and select End Process.
Close Task Manager.

2. Copy and paste the following into Notepad (not WordPad):

rem Stop each service, then remove its registration (names taken from the O23 entries above)
sc stop bcsdlsvcs
sc delete bcsdlsvcs
sc stop codecsnd14
sc delete codecsnd14
sc stop comifsrv
sc delete comifsrv
sc stop enginev14
sc delete enginev14
sc stop hlpmnglog
sc delete hlpmnglog
sc stop Sndsvmc
sc delete Sndsvmc

Click File ->> Save as ->> type in cmd.bat. Under "Save as type" select "All files" ->> save it to your Desktop.
Close Notepad.
The cmd.bat file should now appear on your Desktop (if it saved properly it should appear as a blue box with a gear in the middle of it).
Double-click that file (it will appear that nothing has happened, but that's o.k.).

3. Using Windows Explorer (right-click on "Start," select "Explore," and you will see the "tree" of file folders in the left side of the window. Click on the "+" next to any folder name to expand its contents),
locate and delete the following file: c:\Program Files\Codec Pack\v14\codecsnd.exe

4. Close Windows Explorer ->> Reboot your PC ->> Rerun HijackThis and post a fresh HijackThis log.
Microsoft MVP - Windows Security
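The steps above are driven by the O23 (service) section of the HijackThis log: services whose image file is gone are orphaned registrations that still act as a persistence hook, and "Unknown owner" entries have no identified vendor and need a manual look. As an added example, not part of any post in this thread, the following Python script parses O23 lines, splits them into those two buckets, emits the same stop-then-delete `sc` pairs used in the batch file, and checks a fresh log for anything that survived. The sample log text is constructed from the entries visible above; the parsing rule (fields separated by " - ", short name in trailing parentheses) is an assumption about the HijackThis format based on those lines.

```python
import re
from dataclasses import dataclass

# Constructed sample: the O23 (service) lines from the first HijackThis log
# in this thread, before the cleanup. Backslashes are kept as in the log.
HJT_BEFORE = r"""
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: bcsdlsvcs - Unknown owner - C:\WINDOWS\system32\bcsdlsvcs.exe (file missing)
O23 - Service: codecsnd14 - Unknown owner - c:\Program Files\Codec Pack\v14\codecsnd.exe
O23 - Service: COM Interface Service (comifsrv) - Unknown owner - C:\WINDOWS\system32\comifs.exe (file missing)
O23 - Service: enginev14 - Unknown owner - c:\Program Files\Intel\v14\engine.exe (file missing)
O23 - Service: Help Manager Log (hlpmnglog) - Unknown owner - C:\WINDOWS\media\neternel.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PCI Adapter (PCIDown) - Unknown owner - C:\WINDOWS\alg.exe (file missing)
O23 - Service: Network Connect Valid Control (Sndsvmc) - Unknown owner - C:\WINDOWS\system32\sndsvmc.exe (file missing)
"""

# Constructed sample: the same section from the follow-up log posted after
# the batch file was run.
HJT_AFTER = r"""
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PCI Adapter (PCIDown) - Unknown owner - C:\WINDOWS\alg.exe (file missing)
O23 - Service: servcproc - Unknown owner - C:\WINDOWS\system32\srvany.exe
"""

PREFIX = "O23 - Service: "
MISSING = " (file missing)"
SHORT_NAME = re.compile(r"\(([^()]+)\)$")  # "Display Name (shortname)"


@dataclass
class Service:
    name: str          # short service name, the one `sc` takes
    display: str
    owner: str
    path: str
    file_missing: bool


def parse_o23(log_text):
    """Parse HijackThis O23 lines into Service records; other lines are ignored."""
    services = []
    for line in log_text.splitlines():
        if not line.startswith(PREFIX):
            continue
        # Assumed field layout: display - owner - image path
        display, owner, path = line[len(PREFIX):].split(" - ", 2)
        missing = path.endswith(MISSING)
        if missing:
            path = path[:-len(MISSING)]
        m = SHORT_NAME.search(display)
        name = m.group(1) if m else display
        services.append(Service(name, display, owner, path, missing))
    return services


def triage(services):
    """Return (orphaned, review): orphaned registrations whose image file is
    gone, and unknown-vendor entries that need a manual decision."""
    orphaned = [s.name for s in services if s.file_missing]
    review = [s.name for s in services
              if not s.file_missing and s.owner == "Unknown owner"]
    return orphaned, review


def cleanup_commands(names):
    """sc.exe lines in the form used in the thread: stop, then delete."""
    cmds = []
    for n in names:
        cmds.append(f"sc stop {n}")
        cmds.append(f"sc delete {n}")
    return cmds


def still_present(after_log, names):
    """Names from the cleanup list that reappear in the fresh log."""
    seen = {s.name for s in parse_o23(after_log)}
    return [n for n in names if n in seen]


if __name__ == "__main__":
    orphaned, review = triage(parse_o23(HJT_BEFORE))
    print("orphaned:", orphaned)
    print("needs manual review:", review)
    print("\n".join(cleanup_commands(orphaned)))
    print("still present after cleanup:", still_present(HJT_AFTER, orphaned))
```

Run against the two constructed logs, the "still present" check reports PCIDown, which was not in the batch file and is still registered in the second log; that is the kind of leftover to look for when comparing a fresh log against the previous one.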

#15 Khevinet

Khevinet
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  • Gender:Male
  • Location:Korea
  • Local time:09:03 PM

Posted 28 December 2007 - 12:15 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:03:31 AM, on 29/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgu
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Samsung\AnyPC\APSvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\ModulerSvc.exe
C:\WINDOWS\system32\srvany.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\conime.exe
C:\Documents and Settings\James Leborgne\Desktop\HiJackThis.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe

O2 - BHO: (no name) - {2FB0D3A8-6374-490f-A299-DA336EF5C586} - C:\Program Files\oneguide\oneguidehelper.dll
O2 - BHO: easykey - {CAD2484D-6D58-858D-F48A-CABAC5757DCA} - c:\program files\easykey\easykey.dll
O3 - Toolbar: easykey - {CAD2484D-6D58-858D-F48A-CABAC5757DCA} - c:\program files\easykey\easykey.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Korean IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEKR\IMKRMIG.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Samtek] C:\Program Files\Internet Explorer\MUI\Samtek.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MyComGoPlus] "C:\Program Files\MyComGoPlus\MGUpdate.exe" boot
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [oneguide] C:\Program Files\oneguide\oneguideupdate.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [KTech] C:\Windows\Config\KTech.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [cashbagmoll.exe] C:\Program Files\cashbagmoll\cashbagmoll.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [KTech] C:\Windows\Config\KTech.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [cashbagmoll.exe] C:\Program Files\cashbagmoll\cashbagmoll.exe (User 'Default user')
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: directkey - {3548DCFA-FE35-435D-34DA-B175FAEF1685} - c:\PROGRA~1\DIRECT~1\DIRECT~1.DLL
O9 - Extra 'Tools' menuitem: directkey - {3548DCFA-FE35-435D-34DA-B175FAEF1685} - c:\PROGRA~1\DIRECT~1\DIRECT~1.DLL
O9 - Extra button: AIƮA?E - {37785D32-1604-410b-BF6E-82E65C67DB6C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AIƮA?E - {37785D32-1604-410b-BF6E-82E65C67DB6C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: oneguide - {5E255680-6A44-4AFB-B525-B8C432CB0269} - C:\Program Files\oneguide\oneguide.dll
O9 - Extra button: easykey - {ED157DAB-B415-DF48-48DA-4A8D5F48DABC} - c:\program files\easykey\easykey.dll
O9 - Extra 'Tools' menuitem: easykey - {ED157DAB-B415-DF48-48DA-4A8D5F48DABC} - c:\program files\easykey\easykey.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg5.cyworld.nate.com/ImageUpload...mageUpload2.cab
O16 - DPF: {0E96B258-D5FA-405E-A540-DB53E03376BD} (OrangeFileBox Control) - http://www.orangefile.com/ActiveX/OrangeFileBox.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {18D63578-EA2F-4A59-A49A-7F62E6B3DF3E} (ImP3 Control) - http://activexdown.paran.com/paranactivex/data/ImP3.cab
O16 - DPF: {1ABB898B-8A1A-40CB-8DE7-DAF5E560E814} (DSubActX Control) - http://cab1.diskster.com/recab/DSubActX.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {31FA72F5-BE46-4D6D-A10D-857C8D6F4BFA} (OrangeFileSearch Control) - http://www.orangefile.com/ActiveX/OrangeFileSearch.cab
O16 - DPF: {32D94A9F-9A18-4E12-863D-8AABA8CBDA78} (NateOnMMSAtx3 Class) - http://sms.nate.com/NateOnMMS_AX3.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5CA5E00D-80A8-475A-BF08-816FD56DBC38} (KTCtrl Class) - http://support.kornet.net/sw5/order/Speed/...peedNewCtrl.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownlo...Plugin11USA.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {788649EC-2622-4EE8-84A3-F49F6AA8399C} (QuizHelperCtrl Class) - http://www.activetutor.net/pub/cabs/quizhe.../QuizHelper.cab
O16 - DPF: {7C09DD8F-D1C6-4315-AE96-AC328FDF734B} (KTActiveX Control) - http://support.kornet.net/sw5/order/Speed/cab/KTActiveX.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://xecure.kbstar.com/xecure/xw_install_v7202.cab
O16 - DPF: {8D88D553-E13C-492E-BC64-2DAF12782A81} (AClientChecker.AxAClientChecker) - http://image.cdi.co.kr/ibtprep/install/web...ientChecker.CAB
O16 - DPF: {913BF18F-672D-4676-9855-F9A192A88886} (IMBCContents Control) - http://touch.imbc.com/ocx/Online.cab
O16 - DPF: {91A6D076-F1AA-44DC-9825-9F7DE41E2398} (WooricyMap Control) - http://traffic.local.naver.com/Traffic_bro...p(1,0,0,23).cab
O16 - DPF: {99C709C7-4F58-46C1-855B-90213C760395} (v3d Class) - https://secure.kcp.co.kr/webpay/v3d/file/kcp_ansimclick.cab
O16 - DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} (MagicLockOCX Control) - http://www.cinewel.com/down/MagicLockOCX.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/mv/XTools.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} - http://k-defence.kbstar.com/kings/kdfx/kdfx238/kdfense8.cab
O16 - DPF: {A977FF0C-8757-4E76-8533-482F91946233} (Neowiz Login Control) - http://dl.sayclub.com/sayclub/sayctl/sayax.cab
O16 - DPF: {AF11AA64-87A5-4146-AF3B-A7BD0F278485} (SBStarter Control) - http://download.soribada.com/down/Soribada...206/SBStart.CAB
O16 - DPF: {AF60D574-F249-4243-8040-5521AAA5BB5E} (PandoraTVSet Class) - http://imgcdn.pandora.tv/pan_img/p3player/...ge/pdrtvset.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B45E969D-924F-4C83-ACF3-38CDD115AA2C} (MpiPlugin Class) - https://www.isaackorea.net/update/ilkactx.cab
O16 - DPF: {B8ECD16B-EC0C-407E-AF2D-7B4A6B6F8DCB} (AllatPayXATL Class) - https://tx.allatpay.com/component/AllatPayX.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CEAF43B1-E8C1-426D-A63C-92C71212E6E5} (PlayerCue Control) - http://touch.imbc.com/ActiveX/iMBCOnlineService.cab
O16 - DPF: {CF362BDB-4EA2-11D5-AB47-000102913414} (SetGlb Control) - http://touch.imbc.com/ocx/SetGlb.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://n-protect.kbstar.com/nprotect/module/npx.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://vbv.samsungcard.co.kr/keycrypt/npkcx.cab
O16 - DPF: {E3EAC26D-891F-499A-9C38-D8F165DE02B8} (SsoAccess Class) - http://www.daegu.go.kr/SSODemo/ssoObject/SsoAccess.cab
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - https://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
O16 - DPF: {F1149E8A-79EB-4859-835E-95432B72FEA2} (AnycallLAND_DownCheck Control) - http://img.anycall.com/anycall/support/act...nCheckProj1.cab
O16 - DPF: {F36C3235-C4AF-409F-B6A1-4F96BB1B533E} (CyGlobalCtl Class) - http://fs1.us.cyworld.com/common/activex/CyGlobal.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: CoolGate Helper - DoctorSoft - C:\Program Files\Samsung\AnyPC\APSvc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MudulerSvc - ANIJCORP - C:\WINDOWS\system32\ModulerSvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: PCI Adapter (PCIDown) - Unknown owner - C:\WINDOWS\alg.exe (file missing)
O23 - Service: servcproc - Unknown owner - C:\WINDOWS\system32\srvany.exe

--
End of file - 12921 bytes

________________________________________________________________________________________________________________________________

Is it just me, or are new entries starting to pop up as I'm deleting old ones?
