Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijack This Log


  • Please log in to reply
13 replies to this topic

#1 LCD_ON_LSD

LCD_ON_LSD

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:41 PM

Posted 21 October 2005 - 05:39 AM

Logfile of HijackThis v1.99.1
Scan saved at 7:35:04 PM, on 10/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\WINDOWS\lsass.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\SIGMA\remocon.exe
C:\Program Files\SIGMA\TV\sigmatv.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Program Files\Sigma\common\SMBM.EXE
C:\Program Files\Sigma\common\SMWEBEPG.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Media Gateway\MediaGateway.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragCtrl.exe
C:\Program Files\Samurize\Client.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe
C:\tb.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Boyd\Desktop\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\Program Files\YourSiteBar\ysb.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Remocon_Path] C:\Program Files\SIGMA\remocon.exe
O4 - HKLM\..\Run: [TV_Path] C:\Program Files\SIGMA\TV\sigmatv.exe /t
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [SMBM] C:\Program Files\Sigma\common\SMBM.EXE /D
O4 - HKLM\..\Run: [SMWEBEPG] C:\Program Files\Sigma\common\SMWEBEPG.EXE /D
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Client Default.lnk = C:\Program Files\Samurize\Client.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Ashampoo Magic Defrag.lnk = C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragCtrl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00001016-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter16 Class) - http://www.netmarble.net/game/nmstarter/NMStarter16.cab
O16 - DPF: {077C94F8-015E-4BE4-B448-4BA19182D86C} (SKTGS Control) - http://lbsk.nate.com:8080/local/SKTGS.cab
O16 - DPF: {091CDD73-1401-4643-9B9C-65B091C88685} - http://uniz.contents.mylinker.co.kr/module/MyLinker.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://www.meadroid.com/scriptx/ScriptX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
O16 - DPF: {2C197E55-080B-42A4-BFD0-9595B3534CF4} (KVPplugin00 Control) - https://www.vpay.co.kr/KVPplugin01.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - http://banking.nonghyup.com/plugin/scsk/scsk4.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/webmasterex...artload106a.exe
O16 - DPF: {45091AA2-1574-4EC8-B520-4C27E29CF889} (GifFreezerCtrl Class) - http://www.gmarket.co.kr/challenge/neo_goo.../gifFreezer.cab
O16 - DPF: {46681002-27E5-4759-8200-E7097D1C3CDD} (SKCrypAX Control) - http://img.emart.co.kr/front/WebRoot/common/ocx/SKCrypAX.cab
O16 - DPF: {48ECCD73-123C-4C25-A64C-76E8E8A30CAF} (XPayMPIOCX Control) - http://mpi.dacom.net/XPayMPI/Xecure_LiveUp..._XPayMPIOCX.cab
O16 - DPF: {5AF23F72-BCB5-4E44-AD5B-E752973FB08C} (BankPayNewCtrl Control) - http://www.bankpay.or.kr/BankPayNew.cab
O16 - DPF: {5BB6AB77-51BE-48A1-AD94-CF1B5C3D6509} (Super Game Installer Control) - http://www.godory.net/download/sginst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1110040105952
O16 - DPF: {6AD92401-CE2D-452B-AA63-1291D60EC2D2} (AxINIplugin40 Control) - http://member.nate.com/initech/plugin/axINIplugin40.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129871954546
O16 - DPF: {716FF502-492C-418B-99A2-DD47C5D1641A} (Installer Class) - http://www.gaia3d.com/~distribution/GaiaInstaller.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://www.gseshop.co.kr/XecureObject/xw_install.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.dm.co.kr/dwms/vehi/catalogue/gm...ndix/msxml4.cab
O16 - DPF: {8C2E6E01-D1F6-4A94-B314-7C5DF4EE1853} (SpecAnalyzer Class) - http://cs.hangame.com/hangame_renew/mail/HGReport.cab
O16 - DPF: {8EEB54D5-CC70-40E4-B015-AC478C02ECC8} (SLViewer Control) - http://www.seevideo.co.kr/pub/seelive/SLViewer.CAB
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c6.cab
O16 - DPF: {92E82FBB-DA00-41E0-ABFE-95482E21A4F6} (NMTransX Module) - http://download.netmarble.com/NMChatX/NMTransX.cab
O16 - DPF: {94BBB0A0-0275-4FF8-94E7-9FAE1EAB16BB} (ShellINI20F Class) - http://download.banktown.com/nacf/BtCxIni20F.cab
O16 - DPF: {97745861-F1A6-45B2-8AD1-0C17334550E6} (YahooCabinet Control) - http://img.yahoo.co.kr/ycabinet/cab/YahooCabinet.cab
O16 - DPF: {9BDBC41E-C335-4263-83C0-ECE78EE28A33} (SysMonOCX Control) - http://ahnlabdownload.nefficient.co.kr/plu...yfirewall20.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/mv/XTools.cab
O16 - DPF: {A1832535-5218-42F9-8959-19E2BCABFABF} (INIwallet50 Control) - https://plugin.inicis.com/wallet50/INIwallet50.cab
O16 - DPF: {A8917DCC-6DBE-4562-99DE-62D633DE412D} (MLInstaller Class) - http://www.dla.go.kr/magicline/setup/MLInstaller.cab
O16 - DPF: {A9F090E5-FC80-4772-AFEE-D102AB6E77D6} (IssacWebProCMS Class) - http://pgdownload.dacom.net/dacom/IssacWebProCMS_3_1_0_1.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B869F34A-A5AD-47B8-AC46-FF5A614F3D44} (MPIClient Control) - https://pg.innotg.com/mall/MPIClient.cab
O16 - DPF: {B9DD5FFF-776D-4E53-93D3-A4463E63AD86} (CN°OAOA¢¼OCA·I±×·¥) - http://cdn.hangame.com/hangame/messenger/h...g/HanWebMsg.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://cdn.hangame.com/hangame/hansetup/HanSetup1008.cab
O16 - DPF: {C5C64E6E-C4D8-45CB-88B2-5778A2D73AD9} (usedcarunion control) - http://www.caryonhap.com/usedcarunion.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://download.netmarble.com/nProtect/nprotect/npx.cab
O16 - DPF: {D44C7CBF-FB35-41CF-8D6C-C0A2143EB46C} (Yessign3 Control) - http://www.yessign.or.kr/yessignCert/yessign3.cab
O16 - DPF: {D59A0F32-087A-4F9A-98A6-1728A9233B3B} (HiMyCar Control) - http://www.himycar.com/himycar.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://update.nprotect.net/keycrypt/keb/npkcx.cab
O16 - DPF: {D96D2F74-0B74-47D2-964F-B67E9F69F1CD} (CongnamulMap4Asp Control) - http://asp.congnamul.com/AspActiveX/CongnamulMap4Asp_V19.cab
O16 - DPF: {E0BF7A2B-2F7C-497A-B50F-292D3F317965} (CongnamulMap Control) - http://www.congnamul.com/ActiveX/CongnamulMap_V14.cab
O16 - DPF: {E0D3C611-F582-4E25-A547-5D535FBFA8E5} (ShellSFM20FCom Class) - http://download.banktown.com/kbstarActiveX/BtCxSFM20F.cab
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - http://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
O16 - DPF: {F1F07506-6CB4-44AC-8615-66D1234EFD05} (WebCtl Class) - http://banking.nonghyup.com/plugin/client/INIS.cab
O16 - DPF: {F2B794F5-B8F0-4378-B05C-E26C310D9CE2} (Viewer Control) - http://t2sleep.byus.net/viewer/sjlee_ezview_proto.cab
O16 - DPF: {F9143948-F472-4397-8B9F-237B6CB07C48} (DSProxyX Class) - http://www.dla.go.kr/magicline/setup/DSProxyX.cab
O16 - DPF: {FB49C5D6-ABCC-47ED-AC05-B80E578183B0} (DSCertManagerX Class) - http://www.dla.go.kr/magicline/setup/DSCertManagerX.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AshampooDefragService - - C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:41 PM

Posted 21 October 2005 - 03:08 PM

Is this a new log or a continuation of the previous log we were working on?

#3 LCD_ON_LSD

LCD_ON_LSD
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:41 PM

Posted 21 October 2005 - 06:06 PM

Is this a new log or a continuation of the previous log we were working on?

It's a new one. I can only use the internet now for about 2-3 min then a system 32/cmd.exe pops up in a prompt window and is followed by sitebar instal popup, then firewall is shut off, and internet connection service... I can't use the internet after 2-3 min of pc restart. even other programs like azerus, msmessenger, and yahoo messenger are blocked. I have a file named zxvcc73x.exe, tb.exe, low.exe,and such that I can't rid of. Here is the newest hijackthis log... Sorry for the confusion and any help on this would greatly appreciated. Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 8:01:17 AM, on 10/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\WINDOWS\lsass.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\SIGMA\remocon.exe
C:\Program Files\SIGMA\TV\sigmatv.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Program Files\Sigma\common\SMBM.EXE
C:\Program Files\Sigma\common\SMWEBEPG.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\PuXpMan2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragCtrl.exe
C:\Program Files\Samurize\Client.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Boyd\Desktop\hijackthis\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Remocon_Path] C:\Program Files\SIGMA\remocon.exe
O4 - HKLM\..\Run: [TV_Path] C:\Program Files\SIGMA\TV\sigmatv.exe /t
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [SMBM] C:\Program Files\Sigma\common\SMBM.EXE /D
O4 - HKLM\..\Run: [SMWEBEPG] C:\Program Files\Sigma\common\SMWEBEPG.EXE /D
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [PwrUpTweakMe] C:\WINDOWS\system32\PuXpTwks.exe /TWEAK
O4 - HKLM\..\Run: [mspwr] C:\WINDOWS\system32\PuXpMan2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Client Default.lnk = C:\Program Files\Samurize\Client.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Ashampoo Magic Defrag.lnk = C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragCtrl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00001016-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter16 Class) - http://www.netmarble.net/game/nmstarter/NMStarter16.cab
O16 - DPF: {077C94F8-015E-4BE4-B448-4BA19182D86C} (SKTGS Control) - http://lbsk.nate.com:8080/local/SKTGS.cab
O16 - DPF: {091CDD73-1401-4643-9B9C-65B091C88685} -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://www.meadroid.com/scriptx/ScriptX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
O16 - DPF: {2C197E55-080B-42A4-BFD0-9595B3534CF4} (KVPplugin00 Control) - https://www.vpay.co.kr/KVPplugin01.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - http://banking.nonghyup.com/plugin/scsk/scsk4.cab
O16 - DPF: {45091AA2-1574-4EC8-B520-4C27E29CF889} (GifFreezerCtrl Class) - http://www.gmarket.co.kr/challenge/neo_goo.../gifFreezer.cab
O16 - DPF: {46681002-27E5-4759-8200-E7097D1C3CDD} (SKCrypAX Control) - http://img.emart.co.kr/front/WebRoot/common/ocx/SKCrypAX.cab
O16 - DPF: {48ECCD73-123C-4C25-A64C-76E8E8A30CAF} (XPayMPIOCX Control) - http://mpi.dacom.net/XPayMPI/Xecure_LiveUp..._XPayMPIOCX.cab
O16 - DPF: {5AF23F72-BCB5-4E44-AD5B-E752973FB08C} (BankPayNewCtrl Control) - http://www.bankpay.or.kr/BankPayNew.cab
O16 - DPF: {5BB6AB77-51BE-48A1-AD94-CF1B5C3D6509} (Super Game Installer Control) - http://www.godory.net/download/sginst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1110040105952
O16 - DPF: {6AD92401-CE2D-452B-AA63-1291D60EC2D2} (AxINIplugin40 Control) - http://member.nate.com/initech/plugin/axINIplugin40.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129871954546
O16 - DPF: {716FF502-492C-418B-99A2-DD47C5D1641A} (Installer Class) - http://www.gaia3d.com/~distribution/GaiaInstaller.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://www.gseshop.co.kr/XecureObject/xw_install.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.dm.co.kr/dwms/vehi/catalogue/gm...ndix/msxml4.cab
O16 - DPF: {8C2E6E01-D1F6-4A94-B314-7C5DF4EE1853} (SpecAnalyzer Class) - http://cs.hangame.com/hangame_renew/mail/HGReport.cab
O16 - DPF: {8EEB54D5-CC70-40E4-B015-AC478C02ECC8} (SLViewer Control) - http://www.seevideo.co.kr/pub/seelive/SLViewer.CAB
O16 - DPF: {92E82FBB-DA00-41E0-ABFE-95482E21A4F6} (NMTransX Module) - http://download.netmarble.com/NMChatX/NMTransX.cab
O16 - DPF: {94BBB0A0-0275-4FF8-94E7-9FAE1EAB16BB} (ShellINI20F Class) - http://download.banktown.com/nacf/BtCxIni20F.cab
O16 - DPF: {97745861-F1A6-45B2-8AD1-0C17334550E6} (YahooCabinet Control) - http://img.yahoo.co.kr/ycabinet/cab/YahooCabinet.cab
O16 - DPF: {9BDBC41E-C335-4263-83C0-ECE78EE28A33} (SysMonOCX Control) - http://ahnlabdownload.nefficient.co.kr/plu...yfirewall20.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/mv/XTools.cab
O16 - DPF: {A1832535-5218-42F9-8959-19E2BCABFABF} (INIwallet50 Control) - https://plugin.inicis.com/wallet50/INIwallet50.cab
O16 - DPF: {A8917DCC-6DBE-4562-99DE-62D633DE412D} (MLInstaller Class) - http://www.dla.go.kr/magicline/setup/MLInstaller.cab
O16 - DPF: {A9F090E5-FC80-4772-AFEE-D102AB6E77D6} (IssacWebProCMS Class) - http://pgdownload.dacom.net/dacom/IssacWebProCMS_3_1_0_1.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B869F34A-A5AD-47B8-AC46-FF5A614F3D44} (MPIClient Control) - https://pg.innotg.com/mall/MPIClient.cab
O16 - DPF: {B9DD5FFF-776D-4E53-93D3-A4463E63AD86} (CN°OAOA¢¼OCA·I±×·¥) - http://cdn.hangame.com/hangame/messenger/h...g/HanWebMsg.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://cdn.hangame.com/hangame/hansetup/HanSetup1008.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://download.netmarble.com/nProtect/nprotect/npx.cab
O16 - DPF: {D44C7CBF-FB35-41CF-8D6C-C0A2143EB46C} (Yessign3 Control) - http://www.yessign.or.kr/yessignCert/yessign3.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://update.nprotect.net/keycrypt/keb/npkcx.cab
O16 - DPF: {D96D2F74-0B74-47D2-964F-B67E9F69F1CD} (CongnamulMap4Asp Control) - http://asp.congnamul.com/AspActiveX/CongnamulMap4Asp_V19.cab
O16 - DPF: {E0BF7A2B-2F7C-497A-B50F-292D3F317965} (CongnamulMap Control) - http://www.congnamul.com/ActiveX/CongnamulMap_V14.cab
O16 - DPF: {E0D3C611-F582-4E25-A547-5D535FBFA8E5} (ShellSFM20FCom Class) - http://download.banktown.com/kbstarActiveX/BtCxSFM20F.cab
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - http://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
O16 - DPF: {F1F07506-6CB4-44AC-8615-66D1234EFD05} (WebCtl Class) - http://banking.nonghyup.com/plugin/client/INIS.cab
O16 - DPF: {F2B794F5-B8F0-4378-B05C-E26C310D9CE2} (Viewer Control) - http://t2sleep.byus.net/viewer/sjlee_ezview_proto.cab
O16 - DPF: {F9143948-F472-4397-8B9F-237B6CB07C48} (DSProxyX Class) - http://www.dla.go.kr/magicline/setup/DSProxyX.cab
O16 - DPF: {FB49C5D6-ABCC-47ED-AC05-B80E578183B0} (DSCertManagerX Class) - http://www.dla.go.kr/magicline/setup/DSCertManagerX.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AshampooDefragService - - C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Edited by LCD_ON_LSD, 21 October 2005 - 06:13 PM.


#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:41 PM

Posted 22 October 2005 - 10:45 AM

Download this program:

submit files packer

Highlight the files listed below in bold and right-click and selecting copy.



C:\Program Files\Samurize\Client.exe
C:\WINDOWS\system32\PuXpTwks.exe


Then start the file packer program and right click in the white box and select paste to paste the copied file names in the field.

Then press the Continue button.

I will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to yourmembername.cab (for example grinler.cab).

Then go to:
http://www.bleepingcomputer.com/submit-malware.php
and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:

O4 - HKLM\..\Run: [mspwr] C:\WINDOWS\system32\PuXpMan2.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://download.netmarble.com/nProtect/nprotect/npx.cab

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINDOWS\system32\PuXpMan2.exe

Reboot your computer to go back to normal mode and post a new log.

#5 LCD_ON_LSD

LCD_ON_LSD
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:41 PM

Posted 22 October 2005 - 11:43 PM

Logfile of HijackThis v1.99.1
Scan saved at 1:38:50 PM, on 10/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Program Files\Sigma\common\SMBM.EXE
C:\Program Files\Sigma\common\SMWEBEPG.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragCtrl.exe
C:\Program Files\Samurize\Client.exe
C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\WINDOWS\lsass.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Documents and Settings\Boyd\Desktop\hijackthis\HijackThis.exe
C:\WINDOWS\system32\cmd.exe
C:\low.exe
C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Remocon_Path] C:\Program Files\SIGMA\remocon.exe
O4 - HKLM\..\Run: [TV_Path] C:\Program Files\SIGMA\TV\sigmatv.exe /t
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [SMBM] C:\Program Files\Sigma\common\SMBM.EXE /D
O4 - HKLM\..\Run: [SMWEBEPG] C:\Program Files\Sigma\common\SMWEBEPG.EXE /D
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Client Default.lnk = C:\Program Files\Samurize\Client.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Ashampoo Magic Defrag.lnk = C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragCtrl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00001016-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter16 Class) - http://www.netmarble.net/game/nmstarter/NMStarter16.cab
O16 - DPF: {077C94F8-015E-4BE4-B448-4BA19182D86C} (SKTGS Control) - http://lbsk.nate.com:8080/local/SKTGS.cab
O16 - DPF: {091CDD73-1401-4643-9B9C-65B091C88685} -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://www.meadroid.com/scriptx/ScriptX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
O16 - DPF: {2C197E55-080B-42A4-BFD0-9595B3534CF4} (KVPplugin00 Control) - https://www.vpay.co.kr/KVPplugin01.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - http://banking.nonghyup.com/plugin/scsk/scsk4.cab
O16 - DPF: {45091AA2-1574-4EC8-B520-4C27E29CF889} (GifFreezerCtrl Class) - http://www.gmarket.co.kr/challenge/neo_goo.../gifFreezer.cab
O16 - DPF: {46681002-27E5-4759-8200-E7097D1C3CDD} (SKCrypAX Control) - http://img.emart.co.kr/front/WebRoot/common/ocx/SKCrypAX.cab
O16 - DPF: {48ECCD73-123C-4C25-A64C-76E8E8A30CAF} (XPayMPIOCX Control) - http://mpi.dacom.net/XPayMPI/Xecure_LiveUp..._XPayMPIOCX.cab
O16 - DPF: {5AF23F72-BCB5-4E44-AD5B-E752973FB08C} (BankPayNewCtrl Control) - http://www.bankpay.or.kr/BankPayNew.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1110040105952
O16 - DPF: {6AD92401-CE2D-452B-AA63-1291D60EC2D2} (AxINIplugin40 Control) - http://member.nate.com/initech/plugin/axINIplugin40.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129871954546
O16 - DPF: {716FF502-492C-418B-99A2-DD47C5D1641A} (Installer Class) - http://www.gaia3d.com/~distribution/GaiaInstaller.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://www.gseshop.co.kr/XecureObject/xw_install.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.dm.co.kr/dwms/vehi/catalogue/gm...ndix/msxml4.cab
O16 - DPF: {8C2E6E01-D1F6-4A94-B314-7C5DF4EE1853} (SpecAnalyzer Class) - http://cs.hangame.com/hangame_renew/mail/HGReport.cab
O16 - DPF: {8EEB54D5-CC70-40E4-B015-AC478C02ECC8} (SLViewer Control) - http://www.seevideo.co.kr/pub/seelive/SLViewer.CAB
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c6.cab
O16 - DPF: {92E82FBB-DA00-41E0-ABFE-95482E21A4F6} (NMTransX Module) - http://download.netmarble.com/NMChatX/NMTransX.cab
O16 - DPF: {94BBB0A0-0275-4FF8-94E7-9FAE1EAB16BB} (ShellINI20F Class) - http://download.banktown.com/nacf/BtCxIni20F.cab
O16 - DPF: {97745861-F1A6-45B2-8AD1-0C17334550E6} (YahooCabinet Control) - http://img.yahoo.co.kr/ycabinet/cab/YahooCabinet.cab
O16 - DPF: {9BDBC41E-C335-4263-83C0-ECE78EE28A33} (SysMonOCX Control) - http://ahnlabdownload.nefficient.co.kr/plu...yfirewall20.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/mv/XTools.cab
O16 - DPF: {A1832535-5218-42F9-8959-19E2BCABFABF} (INIwallet50 Control) - https://plugin.inicis.com/wallet50/INIwallet50.cab
O16 - DPF: {A8917DCC-6DBE-4562-99DE-62D633DE412D} (MLInstaller Class) - http://www.dla.go.kr/magicline/setup/MLInstaller.cab
O16 - DPF: {A9F090E5-FC80-4772-AFEE-D102AB6E77D6} (IssacWebProCMS Class) - http://pgdownload.dacom.net/dacom/IssacWebProCMS_3_1_0_1.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B869F34A-A5AD-47B8-AC46-FF5A614F3D44} (MPIClient Control) - https://pg.innotg.com/mall/MPIClient.cab
O16 - DPF: {B9DD5FFF-776D-4E53-93D3-A4463E63AD86} (CN°OAOA¢¼OCA·I±×·¥) - http://cdn.hangame.com/hangame/messenger/h...g/HanWebMsg.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://cdn.hangame.com/hangame/hansetup/HanSetup1008.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://download.netmarble.com/nProtect/nprotect/npx.cab
O16 - DPF: {D44C7CBF-FB35-41CF-8D6C-C0A2143EB46C} (Yessign3 Control) - http://www.yessign.or.kr/yessignCert/yessign3.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://update.nprotect.net/keycrypt/keb/npkcx.cab
O16 - DPF: {D96D2F74-0B74-47D2-964F-B67E9F69F1CD} (CongnamulMap4Asp Control) - http://asp.congnamul.com/AspActiveX/CongnamulMap4Asp_V19.cab
O16 - DPF: {E0BF7A2B-2F7C-497A-B50F-292D3F317965} (CongnamulMap Control) - http://www.congnamul.com/ActiveX/CongnamulMap_V14.cab
O16 - DPF: {E0D3C611-F582-4E25-A547-5D535FBFA8E5} (ShellSFM20FCom Class) - http://download.banktown.com/kbstarActiveX/BtCxSFM20F.cab
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - http://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
O16 - DPF: {F1F07506-6CB4-44AC-8615-66D1234EFD05} (WebCtl Class) - http://banking.nonghyup.com/plugin/client/INIS.cab
O16 - DPF: {F2B794F5-B8F0-4378-B05C-E26C310D9CE2} (Viewer Control) - http://t2sleep.byus.net/viewer/sjlee_ezview_proto.cab
O16 - DPF: {F9143948-F472-4397-8B9F-237B6CB07C48} (DSProxyX Class) - http://www.dla.go.kr/magicline/setup/DSProxyX.cab
O16 - DPF: {FB49C5D6-ABCC-47ED-AC05-B80E578183B0} (DSCertManagerX Class) - http://www.dla.go.kr/magicline/setup/DSCertManagerX.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AshampooDefragService - - C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:41 PM

Posted 23 October 2005 - 08:55 PM

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:

O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://download.netmarble.com/nProtect/nprotect/npx.cab
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINDOWS\lsass.exe

Reboot your computer to go back to normal mode and post a new log.

#7 LCD_ON_LSD

LCD_ON_LSD
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:41 PM

Posted 24 October 2005 - 06:44 AM

Internet restored, but not able to turn on firewall, it says that it is controled by group policy... But thanks for the help thus far!!!!! here is new log....
Logfile of HijackThis v1.99.1
Scan saved at 8:41:15 PM, on 10/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Program Files\Sigma\common\SMBM.EXE
C:\Program Files\Sigma\common\SMWEBEPG.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Media Gateway\MediaGateway.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragCtrl.exe
C:\Program Files\Samurize\Client.exe
C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Boyd\Desktop\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Remocon_Path] C:\Program Files\SIGMA\remocon.exe
O4 - HKLM\..\Run: [TV_Path] C:\Program Files\SIGMA\TV\sigmatv.exe /t
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [SMBM] C:\Program Files\Sigma\common\SMBM.EXE /D
O4 - HKLM\..\Run: [SMWEBEPG] C:\Program Files\Sigma\common\SMWEBEPG.EXE /D
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Client Default.lnk = C:\Program Files\Samurize\Client.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Ashampoo Magic Defrag.lnk = C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragCtrl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00001016-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter16 Class) - http://www.netmarble.net/game/nmstarter/NMStarter16.cab
O16 - DPF: {077C94F8-015E-4BE4-B448-4BA19182D86C} (SKTGS Control) - http://lbsk.nate.com:8080/local/SKTGS.cab
O16 - DPF: {091CDD73-1401-4643-9B9C-65B091C88685} -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://www.meadroid.com/scriptx/ScriptX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
O16 - DPF: {2C197E55-080B-42A4-BFD0-9595B3534CF4} (KVPplugin00 Control) - https://www.vpay.co.kr/KVPplugin01.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - http://banking.nonghyup.com/plugin/scsk/scsk4.cab
O16 - DPF: {45091AA2-1574-4EC8-B520-4C27E29CF889} (GifFreezerCtrl Class) - http://www.gmarket.co.kr/challenge/neo_goo.../gifFreezer.cab
O16 - DPF: {46681002-27E5-4759-8200-E7097D1C3CDD} (SKCrypAX Control) - http://img.emart.co.kr/front/WebRoot/common/ocx/SKCrypAX.cab
O16 - DPF: {48ECCD73-123C-4C25-A64C-76E8E8A30CAF} (XPayMPIOCX Control) - http://mpi.dacom.net/XPayMPI/Xecure_LiveUp..._XPayMPIOCX.cab
O16 - DPF: {5AF23F72-BCB5-4E44-AD5B-E752973FB08C} (BankPayNewCtrl Control) - http://www.bankpay.or.kr/BankPayNew.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1110040105952
O16 - DPF: {6AD92401-CE2D-452B-AA63-1291D60EC2D2} (AxINIplugin40 Control) - http://member.nate.com/initech/plugin/axINIplugin40.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129871954546
O16 - DPF: {716FF502-492C-418B-99A2-DD47C5D1641A} (Installer Class) - http://www.gaia3d.com/~distribution/GaiaInstaller.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://www.gseshop.co.kr/XecureObject/xw_install.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.dm.co.kr/dwms/vehi/catalogue/gm...ndix/msxml4.cab
O16 - DPF: {8C2E6E01-D1F6-4A94-B314-7C5DF4EE1853} (SpecAnalyzer Class) - http://cs.hangame.com/hangame_renew/mail/HGReport.cab
O16 - DPF: {8EEB54D5-CC70-40E4-B015-AC478C02ECC8} (SLViewer Control) - http://www.seevideo.co.kr/pub/seelive/SLViewer.CAB
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c6.cab
O16 - DPF: {92E82FBB-DA00-41E0-ABFE-95482E21A4F6} (NMTransX Module) - http://download.netmarble.com/NMChatX/NMTransX.cab
O16 - DPF: {94BBB0A0-0275-4FF8-94E7-9FAE1EAB16BB} (ShellINI20F Class) - http://download.banktown.com/nacf/BtCxIni20F.cab
O16 - DPF: {97745861-F1A6-45B2-8AD1-0C17334550E6} (YahooCabinet Control) - http://img.yahoo.co.kr/ycabinet/cab/YahooCabinet.cab
O16 - DPF: {9BDBC41E-C335-4263-83C0-ECE78EE28A33} (SysMonOCX Control) - http://ahnlabdownload.nefficient.co.kr/plu...yfirewall20.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/mv/XTools.cab
O16 - DPF: {A1832535-5218-42F9-8959-19E2BCABFABF} (INIwallet50 Control) - https://plugin.inicis.com/wallet50/INIwallet50.cab
O16 - DPF: {A8917DCC-6DBE-4562-99DE-62D633DE412D} (MLInstaller Class) - http://www.dla.go.kr/magicline/setup/MLInstaller.cab
O16 - DPF: {A9F090E5-FC80-4772-AFEE-D102AB6E77D6} (IssacWebProCMS Class) - http://pgdownload.dacom.net/dacom/IssacWebProCMS_3_1_0_1.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B869F34A-A5AD-47B8-AC46-FF5A614F3D44} (MPIClient Control) - https://pg.innotg.com/mall/MPIClient.cab
O16 - DPF: {B9DD5FFF-776D-4E53-93D3-A4463E63AD86} (CN°OAOA¢¼OCA·I±×·¥) - http://cdn.hangame.com/hangame/messenger/h...g/HanWebMsg.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://cdn.hangame.com/hangame/hansetup/HanSetup1008.cab
O16 - DPF: {D44C7CBF-FB35-41CF-8D6C-C0A2143EB46C} (Yessign3 Control) - http://www.yessign.or.kr/yessignCert/yessign3.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://update.nprotect.net/keycrypt/keb/npkcx.cab
O16 - DPF: {D96D2F74-0B74-47D2-964F-B67E9F69F1CD} (CongnamulMap4Asp Control) - http://asp.congnamul.com/AspActiveX/CongnamulMap4Asp_V19.cab
O16 - DPF: {E0BF7A2B-2F7C-497A-B50F-292D3F317965} (CongnamulMap Control) - http://www.congnamul.com/ActiveX/CongnamulMap_V14.cab
O16 - DPF: {E0D3C611-F582-4E25-A547-5D535FBFA8E5} (ShellSFM20FCom Class) - http://download.banktown.com/kbstarActiveX/BtCxSFM20F.cab
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - http://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
O16 - DPF: {F1F07506-6CB4-44AC-8615-66D1234EFD05} (WebCtl Class) - http://banking.nonghyup.com/plugin/client/INIS.cab
O16 - DPF: {F2B794F5-B8F0-4378-B05C-E26C310D9CE2} (Viewer Control) - http://t2sleep.byus.net/viewer/sjlee_ezview_proto.cab
O16 - DPF: {F9143948-F472-4397-8B9F-237B6CB07C48} (DSProxyX Class) - http://www.dla.go.kr/magicline/setup/DSProxyX.cab
O16 - DPF: {FB49C5D6-ABCC-47ED-AC05-B80E578183B0} (DSCertManagerX Class) - http://www.dla.go.kr/magicline/setup/DSCertManagerX.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AshampooDefragService - - C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:41 PM

Posted 24 October 2005 - 11:08 AM

Please download and install the program Registry Lite from here:

http://www.resplendence.com/reglite

Once it is installed, please double click on the icon that should now be on your desktop. If an icon is not there, then check under programs portion of the Start Menu.

Once it is opened, copy and paste the below line, into the address field of Registrar Lite.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\

And press enter. You will now be presented with new information in the bottom right and left sections and on the right section.

Right click on lsass and delete it.

Reboot.

Download http://www.bleepingcomputer.com/files/winpfind.php

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode

Then open c:\WinPFind and double-click on WinPFind.exe. When the program is open, click on the configure scan options button and under folder options click on remove all. Then under registry key options click on remove all. Then under registry options select policies, put a check mark in run addon's and put a checkmark in Policies.def. Then click on the apply button and then on the Start Scan button to scart scanning your computer. Be patient as this scan may take a while. When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.

#9 LCD_ON_LSD

LCD_ON_LSD
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:41 PM

Posted 17 December 2005 - 01:03 AM

Sorry, that I haven't been able to get on a much earlier post... I've been out of country for a month!
I have been seeing some very intense problems with internet explorer. Aftr running for the while, the Explorer Icon won't open I.E. It just highlites another already open window (like my computer or such) also the Homepage is not staying as www.yahoo.com it is some strange ascci chrs.
So, without further adu, My HiJackThis Log!
(Thank you for your assistance!)



Logfile of HijackThis v1.99.1
Scan saved at 2:46:29 PM, on 12/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Program Files\Sigma\common\SMBM.EXE
C:\Program Files\Sigma\common\SMWEBEPG.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tweak-XP Pro 4\AdBlocker.exe
C:\Program Files\Tweak-XP Pro 4\popup.exe
C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragCtrl.exe
C:\Program Files\Samurize\Client.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Boyd\Desktop\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PK IE Plugin - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Remocon_Path] C:\Program Files\SIGMA\remocon.exe
O4 - HKLM\..\Run: [TV_Path] C:\Program Files\SIGMA\TV\sigmatv.exe /t
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [SMBM] C:\Program Files\Sigma\common\SMBM.EXE /D
O4 - HKLM\..\Run: [SMWEBEPG] C:\Program Files\Sigma\common\SMWEBEPG.EXE /D
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [MyVBApp] C:\WINDOWS\install.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro 4\AdBlocker.exe"
O4 - HKCU\..\Run: [Pop-Up-Blocker] "C:\Program Files\Tweak-XP Pro 4\popup.exe"
O4 - Startup: Client Default.lnk = C:\Program Files\Samurize\Client.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Ashampoo Magic Defrag.lnk = C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragCtrl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.kcp.co.kr
O15 - Trusted Zone: http://*.siren24.co.kr
O15 - Trusted Zone: http://*.siren24.com
O15 - Trusted Zone: http://*.telec.co.kr
O15 - Trusted Zone: http://*.vpay.co.kr
O16 - DPF: {00001016-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter16 Class) - http://www.netmarble.net/game/nmstarter/NMStarter16.cab
O16 - DPF: {077C94F8-015E-4BE4-B448-4BA19182D86C} (SKTGS Control) - http://lbsk.nate.com:8080/local/SKTGS.cab
O16 - DPF: {091CDD73-1401-4643-9B9C-65B091C88685} -
O16 - DPF: {0C72835A-34C5-4273-A700-A2347E784B58} - http://update.nprotect.net/sci/install_new...ebInstallV2.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1545689F-FB2C-4941-B7B5-FE21D1F789E7} (TrustSite 1.0 Control) - http://img.telec.co.kr/file/trustsitex/trustsitex.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://www.meadroid.com/scriptx/ScriptX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {286A75C3-11FB-4FB4-AC4A-4DD1B0750050} (INISAFEWeb6 V6 Class) - http://banking.nonghyup.com/plugin/client/INIS.cab
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
O16 - DPF: {2C197E55-080B-42A4-BFD0-9595B3534CF4} (KVPplugin00 Control) - https://www.vpay.co.kr/KVPplugin01.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - http://banking.nonghyup.com/plugin/scsk/scsk4.cab
O16 - DPF: {45091AA2-1574-4EC8-B520-4C27E29CF889} (GifFreezerCtrl Class) - http://www.gmarket.co.kr/challenge/neo_goo.../gifFreezer.cab
O16 - DPF: {46681002-27E5-4759-8200-E7097D1C3CDD} (SKCrypAX Control) - http://img.emart.co.kr/front/WebRoot/common/ocx/SKCrypAX.cab
O16 - DPF: {48ECCD73-123C-4C25-A64C-76E8E8A30CAF} (XPayMPIOCX Control) - http://mpi.dacom.net/XPayMPI/Xecure_LiveUp..._XPayMPIOCX.cab
O16 - DPF: {518419D1-F74F-48E5-9D98-599EC0DAFBEA} (MpiPlugin Class) - https://kspay.ksnet.to/ksmpi/KSNetMPI.cab
O16 - DPF: {5AF23F72-BCB5-4E44-AD5B-E752973FB08C} (BankPayNewCtrl Control) - http://www.bankpay.or.kr/BankPayNew.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1110040105952
O16 - DPF: {6AD92401-CE2D-452B-AA63-1291D60EC2D2} (AxINIplugin40 Control) - http://member.nate.com/initech/plugin/axINIplugin40.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129871954546
O16 - DPF: {716FF502-492C-418B-99A2-DD47C5D1641A} (Installer Class) - http://www.gaia3d.com/~distribution/GaiaInstaller.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://www.gseshop.co.kr/XecureObject/xw_install.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.dm.co.kr/dwms/vehi/catalogue/gm...ndix/msxml4.cab
O16 - DPF: {8C2E6E01-D1F6-4A94-B314-7C5DF4EE1853} (SpecAnalyzer Class) - http://cs.hangame.com/hangame_renew/mail/HGReport.cab
O16 - DPF: {8EEB54D5-CC70-40E4-B015-AC478C02ECC8} (SLViewer Control) - http://www.seevideo.co.kr/pub/seelive/SLViewer.CAB
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c6.cab
O16 - DPF: {913BF18F-672D-4676-9855-F9A192A88886} (IMBCContents Control) - http://touch.imbc.com/ocx/Online.cab
O16 - DPF: {92E82FBB-DA00-41E0-ABFE-95482E21A4F6} (NMTransX Module) - http://download.netmarble.com/NMChatX/NMTransX.cab
O16 - DPF: {94BBB0A0-0275-4FF8-94E7-9FAE1EAB16BB} (ShellINI20F Class) - http://download.banktown.com/nacf/BtCxIni20F.cab
O16 - DPF: {97745861-F1A6-45B2-8AD1-0C17334550E6} (YahooCabinet Control) - http://img.yahoo.co.kr/ycabinet/cab/YahooCabinet.cab
O16 - DPF: {9BDBC41E-C335-4263-83C0-ECE78EE28A33} (SysMonOCX Control) - http://ahnlabdownload.nefficient.co.kr/plu...yfirewall20.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/mv/XTools.cab
O16 - DPF: {A1832535-5218-42F9-8959-19E2BCABFABF} (INIwallet50 Control) - https://plugin.inicis.com/wallet50/INIwallet50.cab
O16 - DPF: {A8917DCC-6DBE-4562-99DE-62D633DE412D} (MLInstaller Class) - http://www.dla.go.kr/magicline/setup/MLInstaller.cab
O16 - DPF: {A9F090E5-FC80-4772-AFEE-D102AB6E77D6} (IssacWebProCMS Class) - http://pgdownload.dacom.net/dacom/IssacWebProCMS_3_1_0_1.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B869F34A-A5AD-47B8-AC46-FF5A614F3D44} (MPIClient Control) - https://pg.innotg.com/mall/MPIClient.cab
O16 - DPF: {B9DD5FFF-776D-4E53-93D3-A4463E63AD86} (CN°OAOA¢¼OCA·I±×·¥) - http://cdn.hangame.com/hangame/messenger/h...g/HanWebMsg.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://cdn.hangame.com/hangame/hansetup/HanSetup1008.cab
O16 - DPF: {CF362BDB-4EA2-11D5-AB47-000102913414} (SetGlb Control) - http://touch.imbc.com/ocx/SetGlb.cab
O16 - DPF: {D44C7CBF-FB35-41CF-8D6C-C0A2143EB46C} (Yessign3 Control) - http://www.yessign.or.kr/yessignCert/yessign3.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://update.nprotect.net/keycrypt/keb/npkcx.cab
O16 - DPF: {D8F001C6-43B1-4CFD-9DAF-C8BEAE0E2B6D} (Touch Control) - http://touch.imbc.com/ocx/test/Online.cab
O16 - DPF: {D96D2F74-0B74-47D2-964F-B67E9F69F1CD} (CongnamulMap4Asp Control) - http://asp.congnamul.com/AspActiveX/CongnamulMap4Asp_V19.cab
O16 - DPF: {E0BF7A2B-2F7C-497A-B50F-292D3F317965} (CongnamulMap Control) - http://www.congnamul.com/ActiveX/CongnamulMap_V14.cab
O16 - DPF: {E0D3C611-F582-4E25-A547-5D535FBFA8E5} (ShellSFM20FCom Class) - http://download.banktown.com/kbstarActiveX/BtCxSFM20F.cab
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - http://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {F1F07506-6CB4-44AC-8615-66D1234EFD05} (WebCtl Class) - http://banking.nonghyup.com/plugin/client/INIS.cab
O16 - DPF: {F2B794F5-B8F0-4378-B05C-E26C310D9CE2} (Viewer Control) - http://t2sleep.byus.net/viewer/sjlee_ezview_proto.cab
O16 - DPF: {F9143948-F472-4397-8B9F-237B6CB07C48} (DSProxyX Class) - http://www.dla.go.kr/magicline/setup/DSProxyX.cab
O16 - DPF: {FB49C5D6-ABCC-47ED-AC05-B80E578183B0} (DSCertManagerX Class) - http://www.dla.go.kr/magicline/setup/DSCertManagerX.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AshampooDefragService - - C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: npkcsvc - Unknown owner - C:\WINDOWS\system32\npkcsvc.exe (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#10 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:41 PM

Posted 18 December 2005 - 11:50 PM

When posting a new log , please reply to the original topic.

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:

O2 - BHO: PK IE Plugin - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - (no file)
O4 - HKLM\..\Run: [MyVBApp] C:\WINDOWS\install.exe

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINDOWS\install.exe

Reboot your computer to go back to normal mode and post a new log.

#11 LCD_ON_LSD

LCD_ON_LSD
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:41 PM

Posted 19 December 2005 - 03:37 PM

Sorry about that, and thank you for that... here is latest...

Logfile of HijackThis v1.99.1
Scan saved at 5:33:40 AM, on 12/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Program Files\Sigma\common\SMBM.EXE
C:\Program Files\Sigma\common\SMWEBEPG.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Tweak-XP Pro 4\AdBlocker.exe
C:\Program Files\Tweak-XP Pro 4\popup.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragService.exe
C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragCtrl.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Samurize\Client.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Boyd\Desktop\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Remocon_Path] C:\Program Files\SIGMA\remocon.exe
O4 - HKLM\..\Run: [TV_Path] C:\Program Files\SIGMA\TV\sigmatv.exe /t
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [SMBM] C:\Program Files\Sigma\common\SMBM.EXE /D
O4 - HKLM\..\Run: [SMWEBEPG] C:\Program Files\Sigma\common\SMWEBEPG.EXE /D
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro 4\AdBlocker.exe"
O4 - HKCU\..\Run: [Pop-Up-Blocker] "C:\Program Files\Tweak-XP Pro 4\popup.exe"
O4 - Startup: Client Default.lnk = C:\Program Files\Samurize\Client.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Ashampoo Magic Defrag.lnk = C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragCtrl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.kcp.co.kr
O15 - Trusted Zone: http://*.siren24.co.kr
O15 - Trusted Zone: http://*.siren24.com
O15 - Trusted Zone: http://*.telec.co.kr
O15 - Trusted Zone: http://*.vpay.co.kr
O16 - DPF: {00001016-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter16 Class) - http://www.netmarble.net/game/nmstarter/NMStarter16.cab
O16 - DPF: {00001022-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter22 Class) - http://download.netmarble.com/web/nmstarter/NMStarter22.cab
O16 - DPF: {077C94F8-015E-4BE4-B448-4BA19182D86C} (SKTGS Control) - http://lbsk.nate.com:8080/local/SKTGS.cab
O16 - DPF: {091CDD73-1401-4643-9B9C-65B091C88685} -
O16 - DPF: {0C72835A-34C5-4273-A700-A2347E784B58} - http://update.nprotect.net/sci/install_new...ebInstallV2.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1545689F-FB2C-4941-B7B5-FE21D1F789E7} (TrustSite 1.0 Control) - http://img.telec.co.kr/file/trustsitex/trustsitex.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://www.meadroid.com/scriptx/ScriptX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {286A75C3-11FB-4FB4-AC4A-4DD1B0750050} (INISAFEWeb6 V6 Class) - http://banking.nonghyup.com/plugin/client/INIS.cab
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
O16 - DPF: {2C197E55-080B-42A4-BFD0-9595B3534CF4} (KVPplugin00 Control) - https://www.vpay.co.kr/KVPplugin01.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - http://banking.nonghyup.com/plugin/scsk/scsk4.cab
O16 - DPF: {45091AA2-1574-4EC8-B520-4C27E29CF889} (GifFreezerCtrl Class) - http://www.gmarket.co.kr/challenge/neo_goo.../gifFreezer.cab
O16 - DPF: {46681002-27E5-4759-8200-E7097D1C3CDD} (SKCrypAX Control) - http://img.emart.co.kr/front/WebRoot/common/ocx/SKCrypAX.cab
O16 - DPF: {48ECCD73-123C-4C25-A64C-76E8E8A30CAF} (XPayMPIOCX Control) - http://mpi.dacom.net/XPayMPI/Xecure_LiveUp..._XPayMPIOCX.cab
O16 - DPF: {518419D1-F74F-48E5-9D98-599EC0DAFBEA} (MpiPlugin Class) - https://kspay.ksnet.to/ksmpi/KSNetMPI.cab
O16 - DPF: {5AF23F72-BCB5-4E44-AD5B-E752973FB08C} (BankPayNewCtrl Control) - http://www.bankpay.or.kr/BankPayNew.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1110040105952
O16 - DPF: {6AD92401-CE2D-452B-AA63-1291D60EC2D2} (AxINIplugin40 Control) - http://member.nate.com/initech/plugin/axINIplugin40.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129871954546
O16 - DPF: {716FF502-492C-418B-99A2-DD47C5D1641A} (Installer Class) - http://www.gaia3d.com/~distribution/GaiaInstaller.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://www.gseshop.co.kr/XecureObject/xw_install.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.dm.co.kr/dwms/vehi/catalogue/gm...ndix/msxml4.cab
O16 - DPF: {8C2E6E01-D1F6-4A94-B314-7C5DF4EE1853} (SpecAnalyzer Class) - http://cs.hangame.com/hangame_renew/mail/HGReport.cab
O16 - DPF: {8EEB54D5-CC70-40E4-B015-AC478C02ECC8} (SLViewer Control) - http://www.seevideo.co.kr/pub/seelive/SLViewer.CAB
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c6.cab
O16 - DPF: {913BF18F-672D-4676-9855-F9A192A88886} (IMBCContents Control) - http://touch.imbc.com/ocx/Online.cab
O16 - DPF: {92E82FBB-DA00-41E0-ABFE-95482E21A4F6} (NMTransX Module) - http://download.netmarble.com/NMChatX/NMTransX.cab
O16 - DPF: {94BBB0A0-0275-4FF8-94E7-9FAE1EAB16BB} (ShellINI20F Class) - http://download.banktown.com/nacf/BtCxIni20F.cab
O16 - DPF: {97745861-F1A6-45B2-8AD1-0C17334550E6} (YahooCabinet Control) - http://img.yahoo.co.kr/ycabinet/cab/YahooCabinet.cab
O16 - DPF: {9BDBC41E-C335-4263-83C0-ECE78EE28A33} (SysMonOCX Control) - http://ahnlabdownload.nefficient.co.kr/plu...yfirewall20.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/mv/XTools.cab
O16 - DPF: {A1832535-5218-42F9-8959-19E2BCABFABF} (INIwallet50 Control) - https://plugin.inicis.com/wallet50/INIwallet50.cab
O16 - DPF: {A8917DCC-6DBE-4562-99DE-62D633DE412D} (MLInstaller Class) - http://www.dla.go.kr/magicline/setup/MLInstaller.cab
O16 - DPF: {A9F090E5-FC80-4772-AFEE-D102AB6E77D6} (IssacWebProCMS Class) - http://pgdownload.dacom.net/dacom/IssacWebProCMS_3_1_0_1.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B869F34A-A5AD-47B8-AC46-FF5A614F3D44} (MPIClient Control) - https://pg.innotg.com/mall/MPIClient.cab
O16 - DPF: {B9DD5FFF-776D-4E53-93D3-A4463E63AD86} (CN°OAOA¢¼OCA·I±×·¥) - http://cdn.hangame.com/hangame/messenger/h...g/HanWebMsg.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://cdn.hangame.com/hangame/hansetup/HanSetup1008.cab
O16 - DPF: {CF362BDB-4EA2-11D5-AB47-000102913414} (SetGlb Control) - http://touch.imbc.com/ocx/SetGlb.cab
O16 - DPF: {D44C7CBF-FB35-41CF-8D6C-C0A2143EB46C} (Yessign3 Control) - http://www.yessign.or.kr/yessignCert/yessign3.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://pgdownload.dacom.net/keycrypt/npkcx.cab
O16 - DPF: {D8F001C6-43B1-4CFD-9DAF-C8BEAE0E2B6D} (Touch Control) - http://touch.imbc.com/ocx/test/Online.cab
O16 - DPF: {D96D2F74-0B74-47D2-964F-B67E9F69F1CD} (CongnamulMap4Asp Control) - http://asp.congnamul.com/AspActiveX/CongnamulMap4Asp_V19.cab
O16 - DPF: {E0BF7A2B-2F7C-497A-B50F-292D3F317965} (CongnamulMap Control) - http://www.congnamul.com/ActiveX/CongnamulMap_V14.cab
O16 - DPF: {E0D3C611-F582-4E25-A547-5D535FBFA8E5} (ShellSFM20FCom Class) - http://download.banktown.com/kbstarActiveX/BtCxSFM20F.cab
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - http://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
O16 - DPF: {E9702169-AFE2-477A-A79D-32151006E547} - http://www.sbs.co.kr/new/sp2/SiteSigning.CAB
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {F1F07506-6CB4-44AC-8615-66D1234EFD05} (WebCtl Class) - http://banking.nonghyup.com/plugin/client/INIS.cab
O16 - DPF: {F2B794F5-B8F0-4378-B05C-E26C310D9CE2} (Viewer Control) - http://t2sleep.byus.net/viewer/sjlee_ezview_proto.cab
O16 - DPF: {F9143948-F472-4397-8B9F-237B6CB07C48} (DSProxyX Class) - http://www.dla.go.kr/magicline/setup/DSProxyX.cab
O16 - DPF: {FB49C5D6-ABCC-47ED-AC05-B80E578183B0} (DSCertManagerX Class) - http://www.dla.go.kr/magicline/setup/DSCertManagerX.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AshampooDefragService - - C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#12 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:41 PM

Posted 22 December 2005 - 12:31 AM

Fix this entry with HJT:

O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c6.cab


Still having problems?

#13 LCD_ON_LSD

LCD_ON_LSD
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:41 PM

Posted 22 December 2005 - 07:41 AM

Yes, IE changes its home page to something decipherable and I can't access internet through the I.E. icon after running the pc for an hour or two, then have to open any windo (like my computer) and type in the address to access the internet. Also, when using Azureus, after a little while, the pc shows only 12% cpu usage and low resources usage, but the thing doesn't respond to anything, I can see the mouse move but there is no response to any clicking or anything (even Ctrl-Alt Del) I have to hit reset.... Do you think that I may need to do a fresh win Xtra-Problems install??? It's driving me nuts!

#14 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:41 PM

Posted 22 December 2005 - 02:04 PM

To use RootKit Revealer please make sure you are logged in as an Administrator to the computer.
  • Please download and unzip Rootkit Revealer to your desktop.
  • Please leave the defaults set as they are to:
    • Hide NTFS Metadata Files: this option is on by default
    • Scan Registry: this option is on by default.
  • Launch rootkit revealer on the system and press the Scan button.
    RootkitRevealer scans the system reporting its actions in a status area at the bottom of its window and noting discrepancies in the output list. It may take a long time please disconnect from the internet and leave the PC to be scanned until it is finished.
  • The log can be very large please edit out the items in the following folders in the log : C:\RECYCLER\NPROTECT and C:\System Volume Information, if in the log, before posting it.
  • Please post the balance of the log here in this thread using Add Reply (please double check that it has all been posted as it may be too long for one post)]
Then Download and Save blacklite to your desktop.
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe then accept the agreement.
leave [X]scan through windows explorer checked,
click > scan then > next,
You'll see a list of all items found.
Don't choose for rename yet! I want to see the log first, because legit items can also be present there... like "wbemtest.exe"
There must be also a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
Copy and paste this log along with the rootkit revealer log.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users