
Search hijack/redirect + pop-ups + undetected trojans


  • This topic is locked
17 replies to this topic

#1 Needs Halp

Needs Halp

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:07 PM

Posted 25 June 2010 - 07:21 PM

Hey this is my last resort here so please help!
System Restore won't work this time lol... and reformatting is out of the question too.

So I got the hijack virus + trojans + possible other viruses and the scanners (Malwarebytes, Spybot S&D, McAfee) don't pick them up!
The only one that does was Stopzilla, which detected 17 objects (mainly "hijack proxy viruses") in total but it's not free so I couldn't delete them. (But now I can't delete Stopzilla either.)

Also... a while ago (this does not happen anymore but still might be a problem), when I started up my computer it said that my system 32 was corrupt or missing. And now the "WINDOWS" folder has some weirdly named files in there like "MVAMVCOD.dll", "Hqazunepoza.dat", "Nmequ.bin" and "uloqabeza.dll" if that helps.

There are probably other viruses in my computer too but I have no idea. Please respond! :c

---------------------------

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:12:28 PM, on 25/06/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WTouch\WTouchService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WTouch\WTouchUser.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Nexon\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\ESTsoft\ALYac\AYServiceNt.aye
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ESTsoft\ALYac\AYAgent.aye
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZScanner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Nexon\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Nexon\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Nexon\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Nexon\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [international] International
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ALYac_PZSrv - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe
O23 - Service: WTouch Service (WTouchService) - Wacom Technology, Corp. - C:\Program Files\WTouch\WTouchService.exe

--
End of file - 7937 bytes




#2 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:10:07 AM

Posted 30 June 2010 - 01:43 PM

Hello and welcome to Bleeping Computer.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure, then please do not guess; simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic; I will assist you in this thread until we solve your problems.

Lastly, the fix may take several attempts and my replies may take some time, but I will stick with it if you do the same.

Sorry for the delay in replying; the forum is very busy. If you still need help, please do the following:


Step # 1: Download and run DDS

Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.


Step # 2: Download and Run Gmer

Please download gmer.zip from Gmer and save it to your desktop.

***Please close any open programs***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.

If you do not receive notice about possible rootkit activity, remain on the Rootkit/Malware tab and make sure that the 'Sections' button is ticked and the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc!

Please post the results from the GMER scan in your reply.


In your next post/reply, I need to see the following:

1. The two DDS Logs (DDS and Attach.txt)
2. The GMER Log

Use multiple posts if you can't fit everything into one post.

MalWare Removal University Master

Member of ASAP
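As an added example, not code from this thread or from the DDS and HijackThis tools themselves, here is the kind of first-pass triage an analyst does over the two log formats discussed above: it parses O23 service lines in HijackThis format and the dated file lines of DDS's "Created Last 30" section and flags the entries worth researching first. The sample lines are copied from the logs posted in this thread; the heuristic rules (which directories count as suspicious, which extensions are expected directly under system32) are my own assumptions, and a hit is a lead to research, not a verdict.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# HijackThis 2.0.4 service line:
#   O23 - Service: <name> - <owner> - <path>[ (file missing)]
HJT_SERVICE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# DDS "Created Last 30" / "Find3M" line:
#   <yyyy-mm-dd> <hh:mm:ss> <size> <8-char attrs> <path>
DDS_FILE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>[\d:]+) (?P<size>\d+) "
    r"(?P<attrs>[\w-]{8}) (?P<path>.+)$"
)

# Assumption: extensions an analyst expects to see dropped directly into
# system32; anything else (for example a ".jun" file) is worth a look.
SYSTEM32_EXPECTED = {".dll", ".exe", ".sys", ".ocx", ".cpl", ".drv",
                     ".ax", ".ini", ".log", ".dat", ".nls", ".scr"}


@dataclass
class Finding:
    line: str
    reason: str


def triage_hjt_service(line):
    """Return triage reasons for one O23 line ([] if none or not an O23 line)."""
    m = HJT_SERVICE.match(line.strip())
    if not m:
        return []
    owner, path, missing = m["owner"], m["path"], bool(m["missing"])
    # HJT usually renders an unquoted ImagePath such as
    # C:\Program Files\x\y.exe as "C:\Program.exe (file missing)". Confirm
    # the service's real ImagePath in the registry before drawing a
    # conclusion; an unquoted path is a bug to fix, not proof of infection.
    if path.lower() == r"c:\program.exe":
        return ["unquoted service ImagePath (shown as C:\\Program.exe)"]
    if missing and owner == "Unknown owner":
        return ["service binary missing and no vendor recorded"]
    if owner == "Unknown owner":
        return ["no vendor recorded; verify the binary's signature"]
    return []


def triage_dds_file(line):
    """Return triage reasons for one DDS file line ([] if none / not a file)."""
    m = DDS_FILE.match(line.strip())
    if not m or m["attrs"].startswith("d"):   # skip non-matches and directories
        return []
    p = PureWindowsPath(m["path"])
    parent = str(p.parent).lower().rstrip("\\")   # "c:\" becomes "c:"
    reasons = []
    # Loose files written straight into the Windows directory, the drive
    # root or a profile root are where the odd files in this thread landed
    # (Hqazunepoza.dat, Nmequ.bin, o.dat).
    in_profile_root = (parent.startswith(r"c:\documents and settings")
                       and parent.count("\\") == 2)
    if parent in {"c:", r"c:\windows"} or in_profile_root:
        reasons.append(f"new file directly in {parent}\\")
    if parent == r"c:\windows\system32" and p.suffix.lower() not in SYSTEM32_EXPECTED:
        reasons.append(f"unexpected extension {p.suffix} in system32")
    return reasons


def triage(lines):
    """Run both parsers over a mixed set of log lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        for reason in triage_hjt_service(line) + triage_dds_file(line):
            findings.append(Finding(line, reason))
    return findings


# Sample lines copied from the HijackThis and DDS logs posted in this thread.
SAMPLE_LINES = [
    r"O23 - Service: ALYac_PZSrv - Unknown owner - C:\Program.exe (file missing)",
    r"O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe",
    r"O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)",
    r"2010-06-26 18:05:03 0 d-----w- c:\program files\SUPERAntiSpyware",
    r"2010-06-26 16:50:57 992 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg",
    r"2010-06-25 22:13:49 16384 ---ha-w- C:\SZKGFS.dat",
    r"2010-06-23 22:12:35 120 ----a-w- c:\windows\Hqazunepoza.dat",
    r"2010-06-23 22:12:35 0 ----a-w- c:\windows\Nmequ.bin",
    r"2010-06-23 22:10:46 61952 ----a-w- c:\documents and settings\user\o.dat",
    r"2010-06-22 06:46:43 0 ----a-w- c:\windows\system32\8104297.jun",
    r"2010-06-10 23:32:52 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.reason:55s} <- {f.line}")
```

Note that SZKGFS.dat is flagged by the directory rule even though its creation time lines up with the STOPzilla install recorded in the restore points, which is exactly why each hit still needs a human look.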


    #3 Needs Halp

    Needs Halp
    • Topic Starter

    • Members
    • 8 posts
    • OFFLINE
    • Local time:02:07 PM

    Posted 02 July 2010 - 10:08 AM

    Thanks for replying! (ever since this, I've been getting even more viruses like "defence center")



    DDS (Ver_10-03-17.01) - NTFSx86
    Run by user at 2:45:27.43 on 02/07/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
    Microsoft Windows XP Professional 5.1.2600.3.949.82.1033.18.1407.748 [GMT -4:00]

    AV: 알약 *On-access scanning disabled* (Updated) {B9431E5A-E196-4B6F-843A-10E01DB25461}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\WTouch\WTouchService.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\WTouch\WTouchUser.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\DNA\btdna.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
    svchost.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\Pen_Tablet.exe
    C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
    C:\WINDOWS\system32\Pen_Tablet.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Java\jre6\bin\javaw.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Documents and Settings\user\Desktop\DOWNLOAD\dds.scr
    C:\WINDOWS\system32\conime.exe

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\nexon\spybot~1\SDHelper.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
    BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
    uRun: [SpybotSD TeaTimer] c:\nexon\spybot - search & destroy\TeaTimer.exe
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [<NO NAME>]
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\nexon\spybot~1\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\xra7gpqg.default\
    FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
    FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - HiddenExtension: XULRunner: {F9731B68-863F-486F-BB73-7676B05C37BE} - c:\documents and settings\user\local settings\application data\{F9731B68-863F-486F-BB73-7676B05C37BE}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2008-12-3 119808]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
    R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2009-3-17 4410152]
    R2 WTouchService;WTouch Service;c:\program files\wtouch\WTouchService.exe [2009-10-20 112936]
    R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-3-17 15656]
    S2 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
    S3 AYDrvSP_ALYAC;AYDrvSP_ALYAC;c:\program files\estsoft\alyac\AYDrvSP.sys [2009-3-17 24312]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-5-7 27064]
    S3 XDva288;XDva288;\??\c:\windows\system32\xdva288.sys --> c:\windows\system32\XDva288.sys [?]

    ============== File Associations ===============

    .txt=

    =============== Created Last 30 ================

    2010-06-26 18:05:19 0 d-----w- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
    2010-06-26 18:05:19 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2010-06-26 18:05:03 0 d-----w- c:\program files\SUPERAntiSpyware
    2010-06-26 16:50:57 992 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
    2010-06-25 22:13:49 16384 ---ha-w- C:\SZKGFS.dat
    2010-06-25 22:11:22 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
    2010-06-25 22:09:54 0 d-----w- c:\program files\common files\iS3
    2010-06-25 22:09:54 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
    2010-06-24 02:07:40 0 d-----w- c:\program files\Trend Micro
    2010-06-23 22:12:35 120 ----a-w- c:\windows\Hqazunepoza.dat
    2010-06-23 22:12:35 0 ----a-w- c:\windows\Nmequ.bin
    2010-06-23 22:10:46 61952 ----a-w- c:\documents and settings\user\o.dat
    2010-06-22 21:21:53 0 d-----w- c:\windows\system32\wbem\Repository
    2010-06-22 06:46:43 0 ----a-w- c:\windows\system32\8104297.jun
    2010-06-16 12:28:29 0 d-----w- c:\windows\pss
    2010-06-14 04:24:57 0 d-----w- C:\94db6abb74a35ab93260cf5dfc
    2010-06-10 23:32:52 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

    ==================== Find3M ====================

    2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet(3)(2).dll
    2010-05-06 10:41:52 1209344 ----a-w- c:\windows\system32\urlmon(3)(2).dll
    2010-05-06 10:41:50 1985536 ----a-w- c:\windows\system32\iertutil(2)(2).dll
    2010-05-06 10:41:49 11076096 ----a-w- c:\windows\system32\ieframe(2)(2).dll
    2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
    2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k(2)(2).sys
    2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
    2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd(3)(2).dll
    2009-10-31 17:51:10 2 --shatr- c:\windows\winstart.bat

    ============= FINISH: 2:47:18.39 ===============



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 17/03/2009 6:37:17 PM
    System Uptime: 07/01/2010 12:16:50 PM (4214 hours ago)

    Motherboard: ECS | | Alhena5
    Processor: Intel® Celeron® D CPU 3.46GHz | CPU 1 | 3458/133mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 112 GiB total, 85.964 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: PCI Simple Communications Controller
    Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200C14F1&REV_00\4&2966AB86&0&10A4
    Manufacturer:
    Name: PCI Simple Communications Controller
    PNP Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200C14F1&REV_00\4&2966AB86&0&10A4
    Service:

    ==== System Restore Points ===================

    RP13: 25/06/2010 7:57:01 PM - Revo Uninstaller Pro's restore point - STOPzilla
    RP14: 26/06/2010 1:24:13 AM - Software Distribution Service 3.0
    RP15: 26/06/2010 1:58:23 PM - Removed STOPzilla. Available with Windows Installer version 1.2 and later.
    RP16: 27/06/2010 3:05:48 AM - Software Distribution Service 3.0
    RP17: 27/06/2010 6:01:16 AM - Software Distribution Service 3.0
    RP18: 28/06/2010 3:00:23 AM - Software Distribution Service 3.0
    RP19: 28/06/2010 3:11:07 AM - Software Distribution Service 3.0
    RP20: 29/06/2010 2:55:57 AM - Software Distribution Service 3.0
    RP21: 30/06/2010 2:11:59 AM - Software Distribution Service 3.0
    RP22: 01/07/2010 2:55:37 AM - System Checkpoint
    RP23: 01/07/2010 3:00:21 AM - Software Distribution Service 3.0
    RP24: 01/07/2010 4:09:36 AM - Software Distribution Service 3.0

    ==== Installed Programs ======================

    Adobe AIR
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color - Photoshop Specific
    Adobe Color Common Settings
    Adobe Color EU Extra Settings
    Adobe Color JA Extra Settings
    Adobe Color NA Recommended Settings
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe ExtendScript Toolkit 2
    Adobe Flash CS3
    Adobe Flash CS3 Professional
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Flash Player 9 ActiveX
    Adobe Flash Video Encoder
    Adobe Fonts All
    Adobe Help Viewer CS3
    Adobe Linguistics CS3
    Adobe Media Player
    Adobe PDF Library Files
    Adobe Photoshop CS3
    Adobe Reader 8.1.1
    Adobe Setup
    Adobe Shockwave Player 11.5
    Adobe Stock Photos CS3
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS3
    ALZip
    ATI Catalyst Control Center
    ATI Display Driver
    Autodesk Backburner 2008.1
    BitTorrent
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Common
    ccc-core-preinstall
    ccc-core-static
    ccc-utility
    CCC Help English
    Collab
    DNA
    Epson Easy Photo Print 2
    EPSON NX100 Series Printer Uninstall
    EPSON Scan
    Google SketchUp 7
    Google Update Helper
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB954708)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP LaserJet P1000 series
    HPCarePackCore
    HPCarePackProducts
    hppMSRedist
    hppusgP1000
    HPSSupply
    iPod for Windows 2005-09-23
    iTunes
    Java Auto Updater
    Java™ 6 Update 18
    Junk Mail filter update
    Malwarebytes' Anti-Malware
    MapleStory
    MarketResearch
    McAfee Security Scan Plus
    MFZ0 codec (Remove Only)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft Office Professional Edition 2003
    Microsoft Search Enhancement Pack
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ Run Time Lib Setup
    Midi Maker
    Mozilla Firefox (3.6.6)
    MSVCRT
    O+
    Pando Media Booster
    PDF Settings
    Pen Tablet
    PoiZone
    QuickTime
    Realtek High Definition Audio Driver
    Revo Uninstaller Pro 2.2.0
    RGSS-RTP Standard
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Segoe UI
    Skins
    Spybot - Search & Destroy
    SUPERAntiSpyware
    Sword of The New World
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Toolbar
    Windows Live Upload Tool
    Windows Live Writer
    Windows Media Format 11 runtime
    Windows Media Player 11
    WinRAR archiver
    알약
    알툴즈 업데이트

    ==== Event Viewer Messages From Past Week ========

    26/06/2010 1:24:29 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Update to .NET Framework 3.5 Service Pack 1 for the .NET Framework Assistant 1.0 x86 (KB963707).
    25/06/2010 7:56:59 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000033' while processing the file '?~U!?o' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    25/06/2010 7:27:17 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the service.
    25/06/2010 7:26:47 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the szserver service.
    25/06/2010 6:56:18 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000033' while processing the file '?~U!?o' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    25/06/2010 6:19:07 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ahcix86
    25/06/2010 11:00:17 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    25/06/2010 11:00:17 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
    25/06/2010 11:00:11 AM, error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The system cannot find the path specified.
    25/06/2010 10:56:30 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework 3.5 Family Update for .NET versions 2.0 through 3.5 (KB951847) x86.
    25/06/2010 10:54:21 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)

    ==== End Of File ===========================



    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-07-02 11:00:10
    Windows 5.1.2600 Service Pack 3
    Running: gmer.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\kwlyapob.sys


    ---- System - GMER 1.0.15 ----

    SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAE946620]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB70EC000, 0x1A3F84, 0xE8000020]
    .rsrc C:\WINDOWS\system32\DRIVERS\cdrom.sys entry point in ".rsrc" section [0xB7697394]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\System32\svchost.exe[1336] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A
    .text C:\WINDOWS\System32\svchost.exe[1336] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A
    .text C:\WINDOWS\System32\svchost.exe[1336] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0074000C
    .text C:\WINDOWS\System32\svchost.exe[1336] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 006F000A
    .text C:\WINDOWS\System32\svchost.exe[1336] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00ED000A
    .text C:\WINDOWS\system32\wuauclt.exe[1340] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C2000A
    .text C:\WINDOWS\system32\wuauclt.exe[1340] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C3000A
    .text C:\WINDOWS\system32\wuauclt.exe[1340] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C1000C
    .text C:\WINDOWS\Explorer.EXE[1928] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BF000A
    .text C:\WINDOWS\Explorer.EXE[1928] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C5000A
    .text C:\WINDOWS\Explorer.EXE[1928] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00BE000C

    ---- Devices - GMER 1.0.15 ----

    Device -> \Driver\atapi \Device\Harddisk0\DR0 897CBEC5

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter
    Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@FriendlyName Indeo? video 5.10 Compression Filter
    Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@CLSID {1F73E9B1-8C3A-11D0-A3BE-00A0C9244436}
    Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@FilterData 0x02 0x00 0x00 0x00 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@EncoderType 1

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\system32\DRIVERS\cdrom.sys suspicious modification
    File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----


    Edited by km2357, 02 July 2010 - 01:39 PM.
    Edited in User's Logs


    #4 km2357

    km2357

    • Malware Response Team
    • 1,784 posts
    • Gender:Male
    • Location:California

    Posted 02 July 2010 - 01:51 PM

    Hi.

    I went ahead and edited in your logs to your last post. From now on, please just post any logs I ask for normally, do not attach them. If they won't fit in one post, use multiple posts to get the log(s) in.

    Thanks.


    I need you to translate these, or tell me if you recognize them. What are the last two items in the Installed Programs list (in Attach.txt)?

    알약

    알툴즈 업데이트


    The first one is also listed as your AntiVirus in the main DDS Log:

    AV: 알약 *On-access scanning disabled* (Updated) {B9431E5A-E196-4B6F-843A-10E01DB25461}




    IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

    BitTorrent

    I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

    Also available here.

    My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).


    Step # 1 Download and Run CKScanner.exe

    Download CKScanner from here: http://downloads.malwareremoval.com/CKScanner.exe
    Important - Save it to your desktop.
    Double-click CKScanner.exe and click Search For Files.
    After a very short time, when the cursor hourglass disappears, click Save List To File.
    A message box will verify the file saved.
    Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.


    In your next post/reply, I need to see the following:

    1. Translation/Information on the two programs I asked about
    2. The CKScanner Log

    MalWare Removal University Master

    Member of ASAP


    #5 Needs Halp

    Needs Halp
    • Topic Starter
    • Members
    • 8 posts

    Posted 02 July 2010 - 04:31 PM

    Ohh alright then! I'll post from now on :] (I also removed the BitTorrent)

    The last two programs in Attach.txt are a Korean anti-virus program (recently it keeps switching off):

    알약 - program name
    알툴즈 업데이트 - "All tools update" (for the same program)




    CKScanner - Additional Security Risks - These are not necessarily bad
    c:\documents and settings\user\desktop\download\fruityloopsxxl\fl.stu.pro.edi.xxl.v8.0.crack.reg.zip
    scanner sequence 3.NA.11
    ----- EOF -----


    #6 km2357

    km2357

    • Malware Response Team
    • 1,784 posts
    • Gender:Male
    • Location:California

    Posted 02 July 2010 - 06:27 PM

    QUOTE
    Ohh alright then! I'll post from now on :] (I also removed the BitTorrent)




    Delete the following folder, if found:

    c:\documents and settings\user\desktop\download\fruityloopsxxl


    If your AntiVirus is giving you trouble, you may want to consider replacing it with another AntiVirus. Here are two free AVs to choose from:


    1) Antivir PersonalEdition Classic
    2) avast! Home Edition

    Download and install only one!

    If you do decide on getting a new AntiVirus, first download the install/setup file of the new AV. Then disconnect from the Internet and uninstall (via Add/Remove Programs) the two entries related to the Korean AntiVirus. Once they've been uninstalled, reboot your computer and install the new AntiVirus. Then reconnect to the Internet and update it.



    Step # 1: Download and Run ComboFix

    We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    *Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    When finished, it shall produce a log for you. Please post C:\ComboFix.txt in your next reply.

    Edited by km2357, 02 July 2010 - 06:28 PM.
    Added new instructions

    MalWare Removal University Master

    Member of ASAP


    #7 Needs Halp

    Needs Halp
    • Topic Starter
    • Members
    • 8 posts

    Posted 04 July 2010 - 12:33 AM

    I did everything up to the ComboFix scan part, but this message popped up:
    http://i47.tinypic.com/kcdx1h.png

    should I just press yes and scan?


    #8 km2357

    km2357

    • Malware Response Team
    • 1,784 posts
    • Gender:Male
    • Location:California

    Posted 04 July 2010 - 11:58 AM

    Yes, you want ComboFix to download and install the Recovery Console.

    So make sure you're connected to the Internet and click Yes when that message comes up.

    Also, make sure that before you run ComboFix, your AntiVirus is disabled so that it doesn't interfere with the running of ComboFix.

    Edited by km2357, 04 July 2010 - 12:00 PM.

    MalWare Removal University Master

    Member of ASAP


    #9 Needs Halp

    Needs Halp
    • Topic Starter
    • Members
    • 8 posts

    Posted 04 July 2010 - 02:47 PM

    Okay then! I finished the scan now!

    -----------------

    ComboFix 10-07-03.06 - user 04/07/2010 15:34:24.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.949.82.1033.18.1407.960 [GMT -4:00]
    Running from: c:\documents and settings\user\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Favorites\_favdata.dat
    c:\documents and settings\user\Local Settings\Application Data\{F9731B68-863F-486F-BB73-7676B05C37BE}
    c:\documents and settings\user\Local Settings\Application Data\{F9731B68-863F-486F-BB73-7676B05C37BE}\chrome.manifest
    c:\documents and settings\user\Local Settings\Application Data\{F9731B68-863F-486F-BB73-7676B05C37BE}\chrome\content\_cfg.js
    c:\documents and settings\user\Local Settings\Application Data\{F9731B68-863F-486F-BB73-7676B05C37BE}\chrome\content\overlay.xul
    c:\documents and settings\user\Local Settings\Application Data\{F9731B68-863F-486F-BB73-7676B05C37BE}\install.rdf
    c:\documents and settings\user\Local Settings\Application Data\Windows Server
    c:\windows\notepad.com

    Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
    Restored copy from - Kitty had a snack tongue.gif
    .
    ((((((((((((((((((((((((( Files Created from 2010-06-04 to 2010-07-04 )))))))))))))))))))))))))))))))
    .

    2010-07-04 05:15 . 2010-07-04 05:15 -------- d-----w- c:\documents and settings\user\Application Data\Avira
    2010-07-04 04:56 . 2010-07-04 04:56 -------- d-----w- c:\program files\Avira
    2010-07-04 04:56 . 2010-07-04 04:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-07-04 04:56 . 2010-03-01 14:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-07-04 04:56 . 2010-02-16 18:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-07-04 04:56 . 2009-05-11 16:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-07-04 04:56 . 2009-05-11 16:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-07-02 23:51 . 2010-07-02 23:51 -------- d-----w- C:\Nexon
    2010-07-02 21:40 . 2010-07-02 21:40 -------- d-----w- c:\program files\AhnLab
    2010-07-02 21:40 . 2010-07-02 21:40 -------- d-----w- c:\documents and settings\user\AppData
    2010-07-02 19:44 . 2005-03-29 12:34 246784 ----a-w- c:\windows\system32\sqlite3.dll
    2010-07-02 16:58 . 2010-07-02 16:58 63488 ----a-w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
    2010-06-25 22:13 . 2010-06-25 22:13 16384 ---ha-w- C:\SZKGFS.dat
    2010-06-25 22:11 . 2010-06-25 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
    2010-06-25 22:09 . 2010-07-02 16:39 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
    2010-06-25 22:09 . 2010-06-25 22:09 -------- d-----w- c:\program files\Common Files\iS3
    2010-06-23 23:30 . 2010-06-23 23:30 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
    2010-06-23 22:12 . 2010-06-25 14:57 120 ----a-w- c:\windows\Hqazunepoza.dat
    2010-06-23 22:12 . 2010-06-25 14:57 0 ----a-w- c:\windows\Nmequ.bin
    2010-06-16 12:26 . 2010-06-16 13:13 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\gjgeflbb
    2010-06-14 04:24 . 2010-06-15 19:19 -------- d-----w- C:\94db6abb74a35ab93260cf5dfc
    2010-06-10 23:32 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-04 19:33 . 2009-10-21 03:16 -------- d-----w- c:\documents and settings\user\Application Data\WTablet
    2010-07-04 19:31 . 2009-04-04 17:42 -------- d-----w- c:\documents and settings\user\Application Data\DNA
    2010-07-04 16:14 . 2009-04-04 17:42 -------- d-----w- c:\program files\DNA
    2010-07-04 05:28 . 2009-10-21 12:54 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
    2010-07-04 04:52 . 2009-03-17 23:05 -------- d-----w- c:\program files\ESTsoft
    2010-07-04 04:52 . 2009-03-17 23:05 -------- d-----w- c:\documents and settings\user\Application Data\ESTsoft
    2010-07-02 16:58 . 2010-07-02 16:58 52224 ----a-w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-07-02 16:58 . 2010-07-02 16:58 117760 ----a-w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-07-02 16:58 . 2010-06-26 18:05 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-07-02 16:58 . 2010-07-02 16:58 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-07-02 16:51 . 2009-10-29 03:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-07-02 16:38 . 2010-07-02 16:38 240 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
    2010-06-26 18:05 . 2010-06-26 18:05 -------- d-----w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
    2010-06-24 12:12 . 2009-08-01 14:52 -------- d-----w- c:\program files\Sword of The New World
    2010-06-18 08:41 . 2009-05-25 02:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-06-17 20:06 . 2010-05-08 03:45 -------- d-----w- c:\program files\Pando Networks
    2010-06-02 18:18 . 2010-05-09 04:55 765952 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
    2010-05-28 23:03 . 2010-05-28 21:32 -------- dc----w- c:\documents and settings\All Users\Application Data\{16FF7A97-391D-4A55-BC79-C80FB14AADDA}
    2010-05-28 21:35 . 2010-05-28 21:35 -------- d-----w- c:\program files\Internet Content Assistant
    2010-05-28 21:34 . 2010-05-28 21:34 -------- d-----w- c:\program files\Customized Web Management
    2010-05-28 21:34 . 2010-05-28 21:34 -------- d-----w- c:\program files\Internet Connection Wizard
    2010-05-28 21:34 . 2010-05-28 21:34 -------- d-----w- c:\program files\Advanced Access Controller
    2010-05-28 21:34 . 2010-05-28 21:34 -------- d-----w- c:\program files\Count Access Advancer
    2010-05-28 21:34 . 2010-05-28 21:34 -------- d-----w- c:\program files\Common Files\Count Access Advancer
    2010-05-28 21:33 . 2010-05-28 21:33 -------- d-----w- c:\program files\Automated Result Operator
    2010-05-25 15:13 . 2010-05-25 15:13 503808 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-40ea6998-n\msvcp71.dll
    2010-05-25 15:13 . 2010-05-25 15:13 499712 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-40ea6998-n\jmc.dll
    2010-05-25 15:13 . 2010-05-25 15:13 348160 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-40ea6998-n\msvcr71.dll
    2010-05-25 15:13 . 2010-05-25 15:13 61440 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-58f05f00-n\decora-sse.dll
    2010-05-25 15:13 . 2010-05-25 15:13 12800 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-58f05f00-n\decora-d3d.dll
    2010-05-09 04:55 . 2010-05-09 04:55 98304 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
    2010-05-09 04:55 . 2010-05-09 04:55 401408 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
    2010-05-09 04:55 . 2010-05-09 04:55 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
    2010-05-09 04:55 . 2010-05-09 04:55 126976 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
    2010-05-09 04:55 . 2010-05-09 04:55 172032 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
    2010-05-09 04:55 . 2010-05-09 04:55 -------- d-----w- c:\documents and settings\All Users\Application Data\NexonUS
    2010-05-09 03:18 . 2009-07-13 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
    2010-05-09 02:49 . 2009-09-26 15:25 -------- d-----w- c:\program files\VstPlugins
    2010-05-09 02:49 . 2009-03-17 22:41 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-05-08 06:55 . 2010-05-08 06:55 -------- d-----w- c:\documents and settings\user\Application Data\Secret of the Solstice
    2010-05-08 03:38 . 2010-01-29 22:26 220926964 ----a-w- c:\documents and settings\user\Application Data\ijjigame\U_GUNZ_setup.exe
    2010-05-07 23:00 . 2010-05-07 23:00 -------- d-----w- c:\program files\VS Revo Group
    2010-05-07 22:55 . 2009-05-25 02:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-05-06 10:41 . 2008-04-14 09:42 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-06 10:41 . 2008-04-14 09:42 916480 ----a-w- c:\windows\system32\wininet(3)(2).dll
    2010-05-06 10:41 . 2008-04-14 09:42 1209344 ----a-w- c:\windows\system32\urlmon(3)(2).dll
    2010-05-06 10:41 . 2009-03-08 08:32 1985536 ----a-w- c:\windows\system32\iertutil(2)(2).dll
    2010-05-06 10:41 . 2009-03-08 08:39 11076096 ----a-w- c:\windows\system32\ieframe(2)(2).dll
    2010-05-02 05:22 . 2008-04-14 05:00 1851264 ----a-w- c:\windows\system32\win32k.sys
    2010-05-02 05:22 . 2008-04-14 05:00 1851264 ----a-w- c:\windows\system32\win32k(2)(2).sys
    2010-04-20 05:30 . 2008-04-14 09:39 285696 ----a-w- c:\windows\system32\atmfd.dll
    2010-04-20 05:30 . 2008-04-14 09:39 285696 ----a-w- c:\windows\system32\atmfd(3)(2).dll
    2009-10-31 17:51 . 2009-10-31 17:51 2 --shatr- c:\windows\winstart.bat
    .

    ------- Sigcheck -------

    [-] 2008-12-03 . 600D58665D16BFBB776EFEFB0E80532D . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-12 323392]
    "Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-05-08 2938552]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-06-29 2403568]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
    "RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-09-16 274432]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "59029:TCP"= 59029:TCP:Pando Media Booster
    "59029:UDP"= 59029:UDP:Pando Media Booster
    "57002:TCP"= 57002:TCP:Pando Media Booster
    "57002:UDP"= 57002:UDP:Pando Media Booster

    R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [03/12/2008 2:57 PM 119808]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 2:25 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 2:41 PM 67656]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [04/07/2010 12:56 AM 135336]
    R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [17/03/2009 8:48 PM 4410152]
    R2 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [20/10/2009 11:47 PM 112936]
    R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [17/03/2009 8:48 PM 15656]
    S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe" --> c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [?]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [07/05/2010 7:00 PM 27064]
    S3 XDva288;XDva288;\??\c:\windows\system32\XDva288.sys --> c:\windows\system32\XDva288.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\xra7gpqg.default\
    FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
    FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    .
    ------- File Associations -------
    .
    .txt=
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-SpybotSD TeaTimer - c:\nexon\Spybot - Search & Destroy\TeaTimer.exe
    AddRemove-Collab - c:\program files\Image-Line\Collab\uninstall.exe
    AddRemove-PoiZone - c:\program files\Image-Line\PoiZone\uninstall.exe
    AddRemove-{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1 - c:\nexon\Spybot - Search & Destroy\unins000.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-04 15:42
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(700)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2010-07-04 15:45:20
    ComboFix-quarantined-files.txt 2010-07-04 19:45

    Pre-Run: 92,849,704,960 bytes free
    Post-Run: 94,879,850,496 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 4A4FE22A4FCC1F5BFA0527F6283FF769


    #10 km2357

    km2357

    • Malware Response Team
    • 1,784 posts
    • Gender:Male
    • Location:California
    • Local time:10:07 AM

    Posted 04 July 2010 - 11:22 PM

    Step # 1 Download and Run SystemLook

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:

      CODE
      :filefind
      sfcfiles.dll

    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop, entitled SystemLook.txt

    MalWare Removal University Master

    Member of ASAP


    #11 Needs Halp

    Needs Halp
    • Topic Starter

    • Members
    • 8 posts
    • Local time:02:07 PM

    Posted 06 July 2010 - 09:42 AM

    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 10:40 on 06/07/2010 by user (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "sfcfiles.dll"
    C:\WINDOWS\system32\sfcfiles.dll --a--- 1614848 bytes [18:55 03/12/2008] [18:55 03/12/2008] 600D58665D16BFBB776EFEFB0E80532D

    -=End Of File=-
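As an added example (not part of the thread, and not code from the SystemLook tool), a small Python script that parses a SystemLook `:filefind` result line into its fields (path, attributes, size, the two timestamps, MD5) and recomputes the MD5 of a local copy so the hash can be compared before the file is sent to Jotti or VirusTotal. The sample log text is the line posted above; the stand-in file written by `demo()` is constructed and deliberately fails both checks.

```python
import hashlib, re, tempfile
from collections import namedtuple
from pathlib import Path
from typing import List, Tuple

# Hit line copied from the thread's SystemLook post; header lines are kept to show they are skipped.
SAMPLE_LOG = ('========== filefind ==========\nSearching for "sfcfiles.dll"\n'
              'C:\\WINDOWS\\system32\\sfcfiles.dll --a--- 1614848 bytes '
              '[18:55 03/12/2008] [18:55 03/12/2008] 600D58665D16BFBB776EFEFB0E80532D\n')

# One hit: <path> <attrs> <size> bytes [<modified>] [<created>] <MD5>
HIT = re.compile(r"^(?P<path>[A-Za-z]:\\.*?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes"
                 r"\s+\[(?P<modified>[^\]]+)\]\s+\[(?P<created>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$")
Hit = namedtuple("Hit", "path attrs size modified created md5")

def parse_filefind(log_text: str) -> List[Hit]:
    """Return one Hit per result line; headers and blank lines are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = HIT.match(line.strip())
        if m:
            hits.append(Hit(m["path"], m["attrs"], int(m["size"]),
                            m["modified"], m["created"], m["md5"].upper()))
    return hits

def md5_of(path: Path) -> str:
    """Stream the file so a large binary need not fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()

def verify(hit: Hit, local: Path) -> Tuple[bool, bool]:
    """(size matches, MD5 matches) for a local copy of the reported file."""
    return local.stat().st_size == hit.size, md5_of(local) == hit.md5

def demo() -> dict:
    """Constructed run: the thread's hit against a stand-in file, so both checks fail."""
    hit = parse_filefind(SAMPLE_LOG)[0]
    with tempfile.TemporaryDirectory() as tmp:
        stand_in = Path(tmp) / "sfcfiles.dll"
        stand_in.write_bytes(b"constructed stand-in, not the real DLL")
        size_ok, md5_ok = verify(hit, stand_in)
    return {"path": hit.path, "size_ok": size_ok, "md5_ok": md5_ok}
```

On a real machine, point `verify()` at the path from the parsed hit; a size or hash that differs from what SystemLook logged means the file changed between the two looks.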

    #12 km2357

    km2357

    • Malware Response Team
    • 1,784 posts
    • Gender:Male
    • Location:California
    • Local time:10:07 AM

    Posted 06 July 2010 - 01:48 PM

    Do you have a USB/Flash Drive and access to a clean computer running Windows XP SP3?

    MalWare Removal University Master

    Member of ASAP


    #13 Needs Halp

    Needs Halp
    • Topic Starter

    • Members
    • 8 posts
    • Local time:02:07 PM

    Posted 07 July 2010 - 12:36 PM

    I have a USB, but what do you mean about the computer part? Another computer with Windows XP SP3? (I only have this computer and access to another computer with Windows 7.)

    #14 km2357

    km2357

    • Malware Response Team
    • 1,784 posts
    • Gender:Male
    • Location:California
    • Local time:10:07 AM

    Posted 07 July 2010 - 01:28 PM

    QUOTE
    another computer with Windows XP SP3? (I only have this computer and access to another computer with Windows 7)


    Yes, that's exactly what I meant. I wanted to know if you had access to another computer running Windows XP SP3, either your own computer(s) or a friend's/relative's computer. But since it sounds like you don't have access to one, we'll just have to skip it and continue on:


    Step # 1 Upload Files

    Go to Jotti
    Copy the following line into the white textbox:
    C:\WINDOWS\system32\sfcfiles.dll
    Click Submit.
    Please post the results of this scan to this thread.

    If Jotti is busy, Go to VirusTotal and scan the file(s) there.

    MalWare Removal University Master

    Member of ASAP


    #15 Needs Halp

    Needs Halp
    • Topic Starter

    • Members
    • 8 posts
    • Local time:02:07 PM

    Posted 08 July 2010 - 11:39 AM

    Ohh, okay then! Would it have been an important/easier step if I did?

    Jotti Results:
    -------------------
    Filename: sfcfiles.dll
    Status:
    Scan finished. 0 out of 19 scanners reported malware.
    Scan taken on: Thu 8 Jul 2010 03:05:19 (CET)



