
Trojan/adware Help Please!


  • This topic is locked
13 replies to this topic

#1 kiyoungk

kiyoungk

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:14 PM

Posted 07 July 2007 - 03:01 PM

Hi there, I am a newbie who just got attracted to this site because of how it's helped me in the past :thumbsup:

So, the problem I have is that I have popups from Ronestardoor and Drivecleaner, respectively:
- http://rond.starsdoor.com/aiw2.php?uid=0F3...p;nocache=31684
- http://www.drivecleaner.com/.freeware/index.php?

I have checked out the
- http://www.bleepingcomputer.com/forums/ind...mp;hl=starsdoor
- http://www.bleepingcomputer.com/forums/lof...php/t89420.html

sites, but still seem to have trouble. I thought the time was about right to seek individual help rather than public help.

So I ask you. Is there any way I can get rid of this bloody thing :flowers: without having to format the whole drive??

I've tried the SDfix.exe, but maybe I did something wrong, I don't know. :huh:

So can someone please help me???
Here's my HijackThis log:

++++++++++++++++++++++++++++++++++++

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 오전 2:55:20, on 2007-07-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AhnLab\ACA\ACAAS.exe
C:\Program Files\Common Files\AhnLab\ACA\ACAEGMgr.exe
C:\Program Files\AhnLab\Vitzaru\MSProxy.ahn
C:\Program Files\Common Files\AhnLab\ACA\ACAIS.exe
C:\Program Files\Common Files\AhnLab\ACA\ACALS.exe
C:\Program Files\AhnLab\Smart Update Utility\AhnSDsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\PROGRA~1\SCROLL~1\MouseElf.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\COMMON~1\AhnLab\ACA\ACASP.exe
C:\Program Files\AhnLab\Smart Update Utility\AhnSD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe , "C:\WINDOWS\M68262\Ja278153bLay.com"
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [High Definition Audio 속성 페이지 바로 가기] HDAShCut.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [imekrmig7.0] "C:\Program Files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE"
O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\SCROLL~1\MouseElf.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AhnLab Session Process] "C:\PROGRA~1\COMMON~1\AhnLab\ACA\ACASP.exe"
O4 - HKLM\..\Run: [AHNSD] "C:\Program Files\AhnLab\Smart Update Utility\AhnSD.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\fmrdbtdk.dll",forkonce
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] C:\WINDOWS\is-E0TJV.exe /REG
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 콘솔 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: 리서치 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {00001023-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter23 Class) - http://download.netmarble.com/web/nmstarter/NMStarter23.cab
O16 - DPF: {00001024-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter24 Class) - http://download.netmarble.com/web/nmstarter/NMStarter24.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0C72835A-34C5-4273-A700-A2347E784B58} (NPPWebInstallV2 Control) - http://www.siren24.com/nprotect/down/NPPWebInstallV2.cab
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://s.nx.com/activex/public_new/nxpm.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163514019140
O16 - DPF: {7CD3AA7E-2C7A-4C67-9600-EFAB2EBE1C44} (BDAStart Control) - http://www.vitzaru.com/bluebelt/bda/cab/BDAStart.cab
O16 - DPF: {92E82FBB-DA00-41E0-ABFE-95482E21A4F6} (NMTransX Module) - http://download.netmarble.com/NMChatX/NMTransX.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/activex/dmcc2.c...ersion=1,0,0,10
O16 - DPF: {93F79C47-F414-4EEE-95C5-A0F0ACE59A0E} (ALDx Class) - http://www.altools.co.kr/ALDX.cab
O16 - DPF: {95F19BBE-F9AB-4393-B323-8A2071F3859D} (SCapbotCJ Control) - http://download.netmarble.com/web/6n/cp_si...oftCapBotCJ.cab
O16 - DPF: {A1D886C6-4039-4451-97A9-515F5BE5D4C2} (mkdplusCtrl Class) - http://ahnlabdownload.nefficient.co.kr/asp/cab/mkdplus.cab
O16 - DPF: {A4482A7F-F055-4E75-8657-0BEACD214332} (BDAInst Control) - http://www.vitzaru.com/bluebelt/myvitzaru/bda_inst.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - http://download.netmarble.com/kdefence/kdfense8237.cab
O16 - DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} (Daum ActiveX manager Class) - http://cafeimg.hanmail.net/cto/xman.cab?ver=1,2,3,1
O16 - DPF: {E185DB61-F54B-4D4E-9157-08256282E41A} (SBLoader Control) - http://www.speedbook.co.kr/activex/SPEEDBOOK.cab
O16 - DPF: {FF11C114-0824-49F5-BD5D-D8E06BF6DD53} (CAWebLauncherCtrl Class) - http://caimg.nx.com/ActiveX/CAWebLauncher.cab
O16 - DPF: {FF4A71A4-CE22-4784-B4E0-CEEAF2485F79} (WhiteWareObject Control) - http://www.vitzaru.com/bluebelt_gray/WhiteWareObject.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF14546D-92D9-40F2-872B-991F430CED3D}: NameServer = 202.152.227.25,202.152.235.146
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AhnLab Application Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACAAS.exe
O23 - Service: AhnLab Guarantee Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACAEGMgr.exe
O23 - Service: AhnLab Information Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACAIS.exe
O23 - Service: AhnLab Log Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACALS.exe
O23 - Service: AhnLab Task Scheduler - AhnLab, Inc. - C:\Program Files\AhnLab\Smart Update Utility\AhnSDsv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\klvnhiyx.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Unknown owner - C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)

--
End of file - 10061 bytes

++++++++++++++++++++++++++++++++++++

Oh, by the way: my Korean vaccine program stopped the ig_______.exe programs, such as igfxtray.exe. I don't know if that helps. Thank you!

Edited by kiyoungk, 07 July 2007 - 03:04 PM.



#2 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:14 AM

Posted 09 July 2007 - 05:02 AM

Download Combofix to your desktop.

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

http://www.bleepingcomputer.com/forums/t/99085/trojanadware-help-please/

Suspect::
C:\WINDOWS\M68262\Ja278153bLay.com


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


Posted Image


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Additionally, ComboFix will generate a zipped file on your desktop called Submit [Date Time].zip
Please submit this file to:

http://www.bleepingcomputer.com/submit-malware.php?channel=4


Please include a link to this topic in the message.


Please post the log from the ComboFix scan located at C:\ComboFix.txt together with a new HijackThis log in your next reply.
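The CFScript above targets the F2 UserInit line from the first post's HijackThis log, which is how the infection survives a reboot. As an added example that is not part of this thread, the Python script below runs a small triage pass over a few of those log lines and flags the entry types that drove this fix: an extra program appended to UserInit, a Run entry loading a DLL through rundll32, and Winlogon Notify handlers and services whose file is missing. The random-name heuristic (eight or more lowercase letters with fewer than two vowels) is an assumption of this example, not HijackThis logic, and a hit means "look closer", not "malware".

```python
"""Triage a HijackThis v2 log for the entry types that mattered in this thread.

Added illustration: the heuristics below are this example's own, not HijackThis
logic, and a hit is a reason to look closer, not a malware verdict.
"""
import re
from typing import Dict, List, Optional

# Constructed sample input: lines in HijackThis v2 format taken from the log in
# the first post, mixed with two benign entries from the same log.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe , "C:\WINDOWS\M68262\Ja278153bLay.com"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\fmrdbtdk.dll",forkonce
O20 - Winlogon Notify: ??€ - ??€ (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\klvnhiyx.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Every HijackThis entry starts with its section tag, e.g. "O4 - ...".
SECTION_RE = re.compile(r"^(F\d|O\d+) - (.*)$")

# Heuristic assumed by this example: a basename of eight or more lowercase
# letters with fewer than two vowels, the shape of the dropper names in this
# log (fmrdbtdk.dll, klvnhiyx.exe). userinit.exe has four vowels and passes.
RANDOM_NAME_RE = re.compile(r"[\\/]([a-z]{8,})\.(?:dll|exe)\b")


def looks_random(path: str) -> bool:
    """True when the file's basename matches the random-name heuristic."""
    m = RANDOM_NAME_RE.search(path)
    if not m:
        return False
    return sum(c in "aeiou" for c in m.group(1)) < 2


def check_userinit(body: str) -> Optional[str]:
    """F2: UserInit should name userinit.exe only; extra entries run at logon."""
    m = re.match(r"REG:system\.ini: UserInit=(.*)$", body)
    if not m:
        return None
    parts = [p.strip().strip('"') for p in m.group(1).split(",") if p.strip()]
    if len(parts) > 1:
        return "UserInit runs an extra program at logon: " + "; ".join(parts[1:])
    return None


def check_run_entry(body: str) -> Optional[str]:
    """O4: a Run entry that loads a DLL through rundll32 deserves a look."""
    m = re.match(r".*?\[(.*?)\]\s*(.*)$", body)
    if not m:
        return None
    name, command = m.groups()
    if not re.match(r"(?i)(?:.*\\)?rundll32(?:\.exe)?\b", command):
        return None
    dll = re.search(r'(?i)[A-Z]:\\[^",]*\.dll', command)
    target = dll.group(0) if dll else command
    tag = " (random-looking file name)" if looks_random(target) else ""
    return f'Run entry "{name}" uses rundll32 to load {target}{tag}'


def check_missing_file(section: str, body: str) -> Optional[str]:
    """O20/O23: a handler or service whose file is gone is a leftover to clean."""
    if "(file missing)" not in body:
        return None
    kind = "Winlogon Notify handler" if section == "O20" else "Service"
    m = re.search(r"([A-Z]:\\\S+)\s*\(file missing\)", body)
    if not m:
        # The O20 entries in this log carry only a garbled name, no path.
        return f"{kind} registered with no resolvable file: {body}"
    path = m.group(1)
    tag = " (random-looking file name)" if looks_random(path) else ""
    return f"{kind} points at a missing file: {path}{tag}"


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious line, in log order."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        reason = None
        if section == "F2":
            reason = check_userinit(body)
        elif section == "O4":
            reason = check_run_entry(body)
        elif section in ("O20", "O23"):
            reason = check_missing_file(section, body)
        if reason:
            findings.append({"section": section, "reason": reason, "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}")
```

Run on the sample it reports the four lines the thread's cleanup actually dealt with (UserInit, the rundll32 Run entry, the garbled Winlogon Notify handler and the dangling DomainService) and stays silent on the Synaptics and HP entries; on a real log, feed the whole file to `triage` and read each finding as a prompt to verify the file's publisher and signature, not as a removal list.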

#3 kiyoungk

kiyoungk
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:14 PM

Posted 09 July 2007 - 08:17 AM

:thumbsup: Hooray! Someone replied :huh:

First of all, as you asked, I performed all the steps, or tried to.

ComboFix didn't generate a "Submit [Date].zip" on my desktop, and I ran ComboFix twice.

Here are the logs that you requested. Thank you!
(Some text is Korean, because my computer is Korean.)

++++++++++++++++++++++++++++++++

"김기영" - 2007-07-09 19:45:55 - ComboFix 07-07-09.3 - Service Pack 2
Command switches used :: C:\Documents and Settings\김기영\바탕 화면\CFScript.txt


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\gebcc.dll
C:\WINDOWS\system32\bqictapu.dll
C:\WINDOWS\system32\fmrdbtdk.dll
C:\WINDOWS\system32\gbpqkoct.dll
C:\WINDOWS\system32\knufvlcu.dll
C:\WINDOWS\system32\uasihgfb.dll
C:\WINDOWS\system32\winjvd32.dll
C:\WINDOWS\system32\ccbeg.bak1
C:\WINDOWS\system32\ccbeg.ini
C:\WINDOWS\system32\kdtbdrmf.ini
C:\WINDOWS\system32\tcokqpbg.ini
C:\WINDOWS\system32\uclvfunk.ini
C:\WINDOWS\system32\ccbeg.bak1
C:\WINDOWS\system32\ccbeg.ini
C:\WINDOWS\system32\cbxuuro.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\winpop
C:\Program Files\winpop\winpop.exe
C:\WINDOWS\DOWNLO~1.\38DEB48C-BE4A-4d3e-B4FF-F1744557D006
C:\WINDOWS\system32\dkkfjbma.exe
C:\WINDOWS\system32\edymhrrx.exe
C:\WINDOWS\system32\fbltnbct.exe
C:\WINDOWS\system32\lhyrhywo.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_ASC3550U
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_POOF
-------\asc3550u
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-06-09 to 2007-07-09 )))))))))))))))))))))))))))))))


2007-07-09 19:33 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-09 19:28 4,672 --a------ C:\WINDOWS\system32\bkctxssf.exe
2007-07-08 22:17 <DIR> d-------- C:\signed
2007-07-08 21:55 <DIR> d-------- C:\DOCUME~1\김기영\APPLIC~1\Image Zone Express
2007-07-08 02:53 401,720 --a------ C:\HijackThis.exe
2007-07-08 02:10 <DIR> d-------- C:\WINDOWS\ERUNT
2007-07-08 01:11 4,672 --a------ C:\WINDOWS\system32\unkyqnsa.exe
2007-07-07 20:38 4,672 --a------ C:\WINDOWS\system32\xelqsxja.exe
2007-07-06 16:06 4,672 --a------ C:\WINDOWS\system32\hxyjxnoh.exe
2007-07-05 18:13 4,672 --a------ C:\WINDOWS\system32\iqvugdep.exe
2007-07-05 02:30 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-06-30 18:21 <DIR> d-------- C:\DOCUME~1\JTKIM~1\APPLIC~1\Hamachi
2007-06-30 18:20 25,544 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-06-30 18:20 <DIR> d-------- C:\Program Files\Hamachi
2007-06-22 21:14 <DIR> d-------- C:\Program Files\RegWorks
2007-06-22 20:50 137,216 --a------ C:\WINDOWS\regedit.com.exe
2007-06-22 17:44 <DIR> d-------- C:\Downloads
2007-06-21 22:22 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-06-21 22:20 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-06-21 21:37 <DIR> d-------- C:\Program Files\IBM and BrainQuest
2007-06-20 17:29 <DIR> d-------- C:\DOCUME~1\김대영\APPLIC~1\Talkback
2007-06-18 21:10 0 --a------ C:\WINDOWS\nsreg.dat
2007-06-18 21:10 <DIR> d-------- C:\DOCUME~1\김기영\APPLIC~1\Talkback
2007-06-16 13:38 40,672 --a------ C:\WINDOWS\system32\drivers\CESG502.sys
2007-06-16 13:38 <DIR> d-------- C:\CASIO
2007-06-12 21:27 <DIR> d-------- C:\DOCUME~1\JTKIM~1\APPLIC~1\ESTsoft


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-08 15:16:31 -------- d-----w C:\Program Files\HP
2007-07-08 15:05:58 139,264 ----a-w C:\WINDOWS\system32\hpzjrd01.dll
2007-07-08 13:18:46 -------- d-----w C:\Program Files\NewSpeedBook
2007-07-07 19:54:33 -------- d-----w C:\Program Files\ESTsoft
2007-07-05 17:06:45 -------- d-----w C:\Program Files\Pruna
2007-07-04 18:02:17 -------- d-----w C:\Program Files\Scroll Mouse
2007-07-04 14:59:00 1,394,775 ----a-w C:\WINDOWS\system32\drivers\V3Engine.sys
2007-06-29 18:52:41 -------- d-----w C:\Program Files\동키호테
2007-06-22 13:20:53 -------- d-----w C:\Program Files\MSN 메신저 파워팩
2007-06-22 10:44:15 2,560 ----a-w C:\WINDOWS\system32\BitCometRes.dll
2007-06-22 10:44:05 -------- d-----w C:\Program Files\BitComet
2007-06-16 06:38:41 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-12 09:15:00 64,128 ----a-w C:\WINDOWS\system32\drivers\AhnSZE.sys
2007-06-06 09:59:26 53,100 ----a-w C:\WINDOWS\system32\perfc012.dat
2007-06-06 09:59:26 202,642 ----a-w C:\WINDOWS\system32\perfh012.dat
2007-06-05 00:42:00 -------- d-----w C:\Program Files\Wizet
2007-06-04 13:46:20 -------- d-----w C:\Program Files\AhnLab
2007-05-27 05:16:00 -------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2007-05-27 05:15:51 -------- d-----w C:\Program Files\Common Files\SureThing Shared
2007-05-27 05:15:49 -------- d-----w C:\Program Files\Common Files\TiVo Shared
2007-05-27 02:59:53 -------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-05-23 03:19:36 -------- d-----w C:\Program Files\Mplay
2007-05-23 02:19:13 246,776 ----a-w C:\WINDOWS\nmconew.dll
2007-05-16 15:13:46 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:57:40 -------- d-----w C:\Program Files\McAfee
2007-05-13 16:57:34 -------- d-----w C:\Program Files\Netmarble
2007-05-09 17:20:59 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-08 15:21:35 112,792 ----a-w C:\WINDOWS\hpoins07.dat
2007-05-07 12:47:28 44,544 ----a-w C:\WINDOWS\system32\ALZZip.BIN
2007-05-07 12:42:22 63,488 ----a-w C:\WINDOWS\system32\ALZALZ.BIN
2007-04-28 15:41:53 532,480 ----a-w C:\WINDOWS\system32\manutd_fanzone_oldtrafford.scr
2007-04-25 14:21:02 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-21 17:39:02 73,728 ----a-w C:\WINDOWS\system32\kdfapi.dll
2007-04-21 17:39:01 47,104 ----a-w C:\WINDOWS\system32\Kdfhok.dll
2007-04-21 17:39:01 159,744 ----a-w C:\WINDOWS\system32\kdfmgr.exe
2007-04-18 16:14:05 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 15:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 15:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 15:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 15:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 15:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 15:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 15:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 15:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 15:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 15:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-15 05:47:14 485,120 ----a-w C:\WINDOWS\NMUpdate23.exe
2007-04-13 16:30:24 61,440 ----a-w C:\WINDOWS\system32\kdfmod.dll
2007-04-13 16:30:12 373,248 ----a-w C:\WINDOWS\system32\kdfinj.dll
2004-08-03 17:53:22 1,392,671 --sha-r C:\WINDOWS\system\msvbvm60.dll
2004-08-03 17:53:22 1,392,671 --sh--r C:\WINDOWS\system32\msvbvm60.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-01-12 20:38 63128 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}]
2006-11-29 20:52 230976 --a--c--- C:\Program Files\BitComet\tools\BitCometBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6E09891E-2E10-43A5-BEE0-0B4AEB6FAB4A}]
2007-05-14 10:18 497384 --a------ C:\WINDOWS\DOWNLO~1\WhiteWareObject_1,0,0,249.ocx

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2006-10-12 03:25 434279 --a------ C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-03-26 20:10 2403392 -ra------ c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
2007-06-28 15:55 325048 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio 속성 페이지 바로 가기"="HDAShCut.exe" [2005-01-07 17:07 C:\WINDOWS\system32\HdAShCut.exe]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 03:29 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-01-26 16:18]
"QlbCtrl"="%ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" []
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-01 12:01]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 10:49]
"imekrmig7.0"="C:\Program Files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE" [2003-07-14 22:57]
"mouseElf"="C:\PROGRA~1\SCROLL~1\MouseElf.EXE" [2004-09-20 07:16]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 03:10]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50]
"AhnLab Session Process"="C:\PROGRA~1\COMMON~1\AhnLab\ACA\ACASP.exe" [2007-03-29 23:37]
"AHNSD"="C:\Program Files\AhnLab\Smart Update Utility\AhnSD.exe" [2007-02-27 03:14]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]
"SDFix"="C:\SDFix\RunThis.bat /second" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:53]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-04 21:22]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ctfmon.exe"=ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\??€]
??€

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\`€]
`€

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 nwprovau


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{225d164a-da9a-11db-9a71-0016d30c5d34}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98ebdba8-e9d0-11db-9ab2-0016d30c5d34}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs


**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-09 19:58:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????? ??@??????????????@? ????????????@??????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-09 19:59:34 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-09 19:59

--- E O F ---

++++++++++++++++++++++++++++++++

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 오후 8:16:03, on 2007-07-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AhnLab\ACA\ACAAS.exe
C:\Program Files\Common Files\AhnLab\ACA\ACAEGMgr.exe
C:\Program Files\AhnLab\Vitzaru\MSProxy.ahn
C:\Program Files\Common Files\AhnLab\ACA\ACAIS.exe
C:\Program Files\Common Files\AhnLab\ACA\ACALS.exe
C:\Program Files\AhnLab\Smart Update Utility\AhnSDsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\PROGRA~1\SCROLL~1\MouseElf.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\COMMON~1\AhnLab\ACA\ACASP.exe
C:\Program Files\AhnLab\Smart Update Utility\AhnSD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: wwBHO Class - {6E09891E-2E10-43A5-BEE0-0B4AEB6FAB4A} - C:\WINDOWS\DOWNLO~1\WhiteWareObject_1,0,0,249.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [High Definition Audio 속성 페이지 바로 가기] HDAShCut.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [imekrmig7.0] "C:\Program Files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE"
O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\SCROLL~1\MouseElf.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AhnLab Session Process] "C:\PROGRA~1\COMMON~1\AhnLab\ACA\ACASP.exe"
O4 - HKLM\..\Run: [AHNSD] "C:\Program Files\AhnLab\Smart Update Utility\AhnSD.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 콘솔 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: 리서치 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {00001023-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter23 Class) - http://download.netmarble.com/web/nmstarter/NMStarter23.cab
O16 - DPF: {00001024-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter24 Class) - http://download.netmarble.com/web/nmstarter/NMStarter24.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0C72835A-34C5-4273-A700-A2347E784B58} (NPPWebInstallV2 Control) - http://www.siren24.com/nprotect/down/NPPWebInstallV2.cab
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://s.nx.com/activex/public_new/nxpm.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163514019140
O16 - DPF: {7CD3AA7E-2C7A-4C67-9600-EFAB2EBE1C44} (BDAStart Control) - http://www.vitzaru.com/bluebelt/bda/cab/BDAStart.cab
O16 - DPF: {92E82FBB-DA00-41E0-ABFE-95482E21A4F6} (NMTransX Module) - http://download.netmarble.com/NMChatX/NMTransX.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/activex/dmcc2.c...ersion=1,0,0,10
O16 - DPF: {93F79C47-F414-4EEE-95C5-A0F0ACE59A0E} (ALDx Class) - http://www.altools.co.kr/ALDX.cab
O16 - DPF: {95F19BBE-F9AB-4393-B323-8A2071F3859D} (SCapbotCJ Control) - http://download.netmarble.com/web/6n/cp_si...oftCapBotCJ.cab
O16 - DPF: {A1D886C6-4039-4451-97A9-515F5BE5D4C2} (mkdplusCtrl Class) - http://ahnlabdownload.nefficient.co.kr/asp/cab/mkdplus.cab
O16 - DPF: {A4482A7F-F055-4E75-8657-0BEACD214332} (BDAInst Control) - http://www.vitzaru.com/bluebelt/myvitzaru/bda_inst.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - http://download.netmarble.com/kdefence/kdfense8237.cab
O16 - DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} (Daum ActiveX manager Class) - http://cafeimg.hanmail.net/cto/xman.cab?ver=1,2,3,1
O16 - DPF: {E185DB61-F54B-4D4E-9157-08256282E41A} (SBLoader Control) - http://www.speedbook.co.kr/activex/SPEEDBOOK.cab
O16 - DPF: {FF11C114-0824-49F5-BD5D-D8E06BF6DD53} (CAWebLauncherCtrl Class) - http://caimg.nx.com/ActiveX/CAWebLauncher.cab
O16 - DPF: {FF4A71A4-CE22-4784-B4E0-CEEAF2485F79} (WhiteWareObject Control) - http://www.vitzaru.com/bluebelt_gray/WhiteWareObject.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF14546D-92D9-40F2-872B-991F430CED3D}: NameServer = 202.152.227.25,202.152.235.146
O20 - Winlogon Notify: ??€ - ??€ (file missing)
O20 - Winlogon Notify: `€ - `€ (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AhnLab Application Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACAAS.exe
O23 - Service: AhnLab Guarantee Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACAEGMgr.exe
O23 - Service: AhnLab Information Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACAIS.exe
O23 - Service: AhnLab Log Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACALS.exe
O23 - Service: AhnLab Task Scheduler - AhnLab, Inc. - C:\Program Files\AhnLab\Smart Update Utility\AhnSDsv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 9886 bytes

++++++++++++++++++++++++++++++++

Thank you!!!! :flowers:

#4 didom

Posted 09 July 2007 - 08:22 AM

Are you sure you inserted the CFScript INTO the combofix.exe file when you ran it?

#5 kiyoungk (Topic Starter)

Posted 09 July 2007 - 10:53 AM

Yes. I definitely did. I ran it again just now. I dropped the text icon on the COMBOFIX icon.

It runs this script-like thingy, then reboots, then... nothing. Just a text file in the C: drive.

I wonder what's wrong... I'll try again.

#6 didom

Posted 09 July 2007 - 03:39 PM

OK. Please move Combofix.exe and CFScript.txt to your hard drive (C:\) instead of your desktop and then try to insert the script again.

#7 kiyoungk (Topic Starter)

Posted 09 July 2007 - 08:53 PM

T_T ahhhhh it doesn't work! it just makes this, but no submit[date time].zip :thumbsup:

+++++++++++++++++++++++++++++++++++++++

"김기영" - 2007-07-10 8:45:45 - ComboFix 07-07-09.3 - Service Pack 2
Command switches used :: C:\CFScript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\DOWNLO~1.\38DEB48C-BE4A-4d3e-B4FF-F1744557D006


((((((((((((((((((((((((( Files Created from 2007-06-10 to 2007-07-10 )))))))))))))))))))))))))))))))


2007-07-10 08:42 1,124,089 --a------ C:\ComboFix.exe
2007-07-10 00:30 6,114 --a------ C:\WINDOWS\system32\popniw.dat
2007-07-09 20:37 65,536 --a------ C:\WINDOWS\IFinst27.exe
2007-07-09 19:33 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-09 19:28 4,672 --a------ C:\WINDOWS\system32\bkctxssf.exe
2007-07-08 22:17 <DIR> d-------- C:\signed
2007-07-08 21:55 <DIR> d-------- C:\DOCUME~1\김기영\APPLIC~1\Image Zone Express
2007-07-08 02:53 401,720 --a------ C:\HijackThis.exe
2007-07-08 02:10 <DIR> d-------- C:\WINDOWS\ERUNT
2007-07-08 01:11 4,672 --a------ C:\WINDOWS\system32\unkyqnsa.exe
2007-07-07 20:38 4,672 --a------ C:\WINDOWS\system32\xelqsxja.exe
2007-07-06 16:06 4,672 --a------ C:\WINDOWS\system32\hxyjxnoh.exe
2007-07-05 18:13 4,672 --a------ C:\WINDOWS\system32\iqvugdep.exe
2007-07-05 02:30 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-06-30 18:21 <DIR> d-------- C:\DOCUME~1\JTKIM~1\APPLIC~1\Hamachi
2007-06-30 18:20 25,544 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-06-22 20:50 137,216 --a------ C:\WINDOWS\regedit.com.exe
2007-06-22 17:44 <DIR> d-------- C:\Downloads
2007-06-21 22:22 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-06-21 22:20 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-06-21 21:37 <DIR> d-------- C:\Program Files\IBM and BrainQuest
2007-06-20 17:29 <DIR> d-------- C:\DOCUME~1\김대영\APPLIC~1\Talkback
2007-06-18 21:10 0 --a------ C:\WINDOWS\nsreg.dat
2007-06-18 21:10 <DIR> d-------- C:\DOCUME~1\김기영\APPLIC~1\Talkback
2007-06-16 13:38 40,672 --a------ C:\WINDOWS\system32\drivers\CESG502.sys
2007-06-16 13:38 <DIR> d-------- C:\CASIO
2007-06-12 21:27 <DIR> d-------- C:\DOCUME~1\JTKIM~1\APPLIC~1\ESTsoft


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-09 15:40:49 -------- d-----w C:\Program Files\NewSpeedBook
2007-07-08 15:16:31 -------- d-----w C:\Program Files\HP
2007-07-08 15:05:58 139,264 ----a-w C:\WINDOWS\system32\hpzjrd01.dll
2007-07-07 19:54:33 -------- d-----w C:\Program Files\ESTsoft
2007-07-05 17:06:45 -------- d-----w C:\Program Files\Pruna
2007-07-04 18:02:17 -------- d-----w C:\Program Files\Scroll Mouse
2007-07-04 14:59:00 1,394,775 ----a-w C:\WINDOWS\system32\drivers\V3Engine.sys
2007-06-29 18:52:41 -------- d-----w C:\Program Files\동키호테
2007-06-22 13:20:53 -------- d-----w C:\Program Files\MSN 메신저 파워팩
2007-06-22 10:44:15 2,560 ----a-w C:\WINDOWS\system32\BitCometRes.dll
2007-06-22 10:44:05 -------- d-----w C:\Program Files\BitComet
2007-06-16 06:38:41 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-12 09:15:00 64,128 ----a-w C:\WINDOWS\system32\drivers\AhnSZE.sys
2007-06-06 09:59:26 53,100 ----a-w C:\WINDOWS\system32\perfc012.dat
2007-06-06 09:59:26 202,642 ----a-w C:\WINDOWS\system32\perfh012.dat
2007-06-05 00:42:00 -------- d-----w C:\Program Files\Wizet
2007-06-04 13:46:20 -------- d-----w C:\Program Files\AhnLab
2007-05-27 05:16:00 -------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2007-05-27 05:15:51 -------- d-----w C:\Program Files\Common Files\SureThing Shared
2007-05-27 05:15:49 -------- d-----w C:\Program Files\Common Files\TiVo Shared
2007-05-27 02:59:53 -------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-05-23 03:19:36 -------- d-----w C:\Program Files\Mplay
2007-05-23 02:19:13 246,776 ----a-w C:\WINDOWS\nmconew.dll
2007-05-16 15:13:46 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:57:40 -------- d-----w C:\Program Files\McAfee
2007-05-13 16:57:34 -------- d-----w C:\Program Files\Netmarble
2007-05-08 15:21:35 112,792 ----a-w C:\WINDOWS\hpoins07.dat
2007-05-07 12:47:28 44,544 ----a-w C:\WINDOWS\system32\ALZZip.BIN
2007-05-07 12:42:22 63,488 ----a-w C:\WINDOWS\system32\ALZALZ.BIN
2007-04-28 15:41:53 532,480 ----a-w C:\WINDOWS\system32\manutd_fanzone_oldtrafford.scr
2007-04-25 14:21:02 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-21 17:39:02 73,728 ----a-w C:\WINDOWS\system32\kdfapi.dll
2007-04-21 17:39:01 47,104 ----a-w C:\WINDOWS\system32\Kdfhok.dll
2007-04-21 17:39:01 159,744 ----a-w C:\WINDOWS\system32\kdfmgr.exe
2007-04-18 16:14:05 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 15:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 15:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 15:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 15:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 15:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 15:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 15:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 15:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 15:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 15:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-15 05:47:14 485,120 ----a-w C:\WINDOWS\NMUpdate23.exe
2007-04-13 16:30:24 61,440 ----a-w C:\WINDOWS\system32\kdfmod.dll
2007-04-13 16:30:12 373,248 ----a-w C:\WINDOWS\system32\kdfinj.dll
2004-08-03 17:53:22 1,392,671 --sha-r C:\WINDOWS\system\msvbvm60.dll
2004-08-03 17:53:22 1,392,671 --sh--r C:\WINDOWS\system32\msvbvm60.dll
2006-11-12 06:50:57 15,360 --sha-w C:\WINDOWS\system32\winpop.dll
2006-11-12 06:50:57 29,398 --sha-w C:\WINDOWS\system32\winpop.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-01-12 20:38 63128 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}]
2006-11-29 20:52 230976 --a--c--- C:\Program Files\BitComet\tools\BitCometBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6E09891E-2E10-43A5-BEE0-0B4AEB6FAB4A}]
2007-05-14 10:18 497384 --a------ C:\WINDOWS\DOWNLO~1\WhiteWareObject_1,0,0,249.ocx

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2006-10-12 03:25 434279 --a------ C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-03-26 20:10 2403392 -ra------ c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
2007-06-28 15:55 325048 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio 속성 페이지 바로 가기"="HDAShCut.exe" [2005-01-07 17:07 C:\WINDOWS\system32\HdAShCut.exe]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 03:29 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-01-26 16:18]
"QlbCtrl"="%ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" []
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-01 12:01]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 10:49]
"imekrmig7.0"="C:\Program Files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE" [2003-07-14 22:57]
"mouseElf"="C:\PROGRA~1\SCROLL~1\MouseElf.EXE" [2004-09-20 07:16]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 03:10]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50]
"AhnLab Session Process"="C:\PROGRA~1\COMMON~1\AhnLab\ACA\ACASP.exe" [2007-03-29 23:37]
"AHNSD"="C:\Program Files\AhnLab\Smart Update Utility\AhnSD.exe" [2007-02-27 03:14]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]
"SDFix"="C:\SDFix\RunThis.bat /second" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:53]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-04 21:22]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ctfmon.exe"=ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\??€]
??€

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winpop]
winpop.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\`€]
`€

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 nwprovau


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{225d164a-da9a-11db-9a71-0016d30c5d34}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98ebdba8-e9d0-11db-9ab2-0016d30c5d34}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs

*Newly Created Service* - ICHEAT1

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-10 08:48:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????? ??@??????????????@? ???pa????????@??????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-10 8:49:43
C:\ComboFix-quarantined-files.txt ... 2007-07-10 08:49

--- E O F ---

#8 didom

Posted 10 July 2007 - 06:26 AM

Before fixing anything, open notepad and Copy/Paste the text in the box below into it:

catchme -l nul -c C:\WINDOWS\M68262\Ja278153bLay.com "C:\Ja278153bLay.com.vir"

Save this as Submit.bat Choose to "Save type as - All Files". It should look like this: Posted Image
Double click on Submit.bat & allow it to generate a renamed copy of the file at C:\Ja278153bLay.com.vir
Please submit this file to ? http://www.bleepingcomputer.com/submit-malware.php?channel=4

The file must be uploaded before proceeding to the next step.

Second download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan along with a fresh HijackThis log.

Edited by didom, 10 July 2007 - 07:00 AM.


#9 kiyoungk (Topic Starter)

Posted 10 July 2007 - 09:12 AM

:thumbsup: Before I download anything, I can't generate the .vir file in my C: drive.

when I run the Submit.bat file, a black window pops up for half a second, then closes back down. I have no clue what that signifies, but something tells me this isn't supposed to happen :flowers: What could be the problem?

I tried:::

catchme -l nul -c C:\WINDOWS\M68262\Ja278153bLay.com "C:\Ja278153bLay.com.vir"

catchme -l nul -c C:\WINDOWS\M68262\Ja278153bLay.com "C:\Documents and settings\KY\Desktop\Ja278153bLay.com.vir"

but no file was generated for me to post on the forum. lol' what can I do T_T

#10 didom

Posted 10 July 2007 - 09:24 AM

Lol, just skip the step for now and run AVG Anti-Spyware.

#11 kiyoungk (Topic Starter)

Posted 11 July 2007 - 08:10 PM

... ok.

---------------------------------------------------------------------------------------------------------------

AVG Anti-Spyware - Scan Report

---------------------------------------------------------------------------------------------------------------

+ Created at: $?? 3:09:06 2007-07-12

+ Scan result:

C:\QooBox\Quarantine\C\Program Files\WinPop\winpop.exe.vir -> Adware.Rond : Cleaned with backup (quarantined).
C:\Documents and Settings\@ ?? 손? T?? StarCraft_BroodWar_CD_Check_v1.10.exe/keygen.exe -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\cbxuuro.dll.vir -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\bkctxssf.exe -> Downloader.Tiny.id : Cleaned with backup (quarantined).
C:\WINDOWS\system32\hxyjxnoh.exe -> Downloader.Tiny.id : Cleaned with backup (quarantined).
C:\WINDOWS\system32\iqvugdep.exe -> Downloader.Tiny.id : Cleaned with backup (quarantined).
C:\WINDOWS\system32\unkyqnsa.exe -> Downloader.Tiny.id : Cleaned with backup (quarantined).
C:\WINDOWS\system32\xelqsxja.exe -> Downloader.Tiny.id : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{754B2D7B-06A6-450B-96C8-EF72E47573CE}\RP2\A0000322.exe -> Logger.SCKeyLog.20 : Cleaned with backup (quarantined).
D:\@? 0? ? All Folders & Files\Install Files\Games\MapleStory\ㅠ\못? T틊?藍??순? v2.25 [2007-06-17].exe -> Logger.SCKeyLog.20 : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{754B2D7B-06A6-450B-96C8-EF72E47573CE}\RP1\A0000107.exe -> Logger.SCKeyLog.af : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{754B2D7B-06A6-450B-96C8-EF72E47573CE}\RP1\A0000138.exe -> Logger.SCKeyLog.o : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{754B2D7B-06A6-450B-96C8-EF72E47573CE}\RP3\A0000410.exe -> Logger.SCKeyLog.o : Cleaned with backup (quarantined).
C:\WINDOWS\system32\winpop.dll -> Logger.SCKeyLog.o : Cleaned with backup (quarantined).
[288] C:\WINDOWS\system32\winpop.dll -> Logger.SCKeyLog.o : Cleaned with backup (quarantined).
C:\Documents and Settings\@??? 손? T?? zenos.sys -> Rootkit.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{754B2D7B-06A6-450B-96C8-EF72E47573CE}\RP1\A0000150.sys -> Rootkit.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{754B2D7B-06A6-450B-96C8-EF72E47573CE}\RP1\A0000254.sys -> Rootkit.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{754B2D7B-06A6-450B-96C8-EF72E47573CE}\RP2\A0000273.sys -> Rootkit.Agent : Cleaned with backup (quarantined).
D:\@? 0? ? All Folders & Files\Install Files\Games\MapleStory\T틊??순? #2\斤스旽케.zip/zenos.sys -> Rootkit.Agent : Cleaned with backup (quarantined).
C:\Documents and Settings\JTKim\Cookies\jtkim@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\JTKim\Cookies\jtkim@divx.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\JTKim\Cookies\jtkim@kaboose.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\JTKim\Cookies\jtkim@microsoftgamestudio.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\JTKim\Cookies\jtkim@microsoftwga.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\JTKim\Cookies\jtkim@microsoftwlmessengermkt.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\JTKim\Cookies\jtkim@msnaccountservices.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\JTKim\Cookies\jtkim@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\@??? Cookies\@??? msnaccountservices.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\RECYCLER\S-1-5-21-1275210071-1409082233-839522115-1005\Dc1.txt -> TrackingCookie.2o7 : Cleaned.
C:\RECYCLER\S-1-5-21-1275210071-1409082233-839522115-1005\Dc102.txt -> TrackingCookie.2o7 : Cleaned.
C:\RECYCLER\S-1-5-21-1275210071-1409082233-839522115-1005\Dc119.txt -> TrackingCookie.2o7 : Cleaned.
C:\RECYCLER\S-1-5-21-1275210071-1409082233-839522115-1005\Dc96.txt -> TrackingCookie.2o7 : Cleaned.
C:\RECYCLER\S-1-5-21-1275210071-1409082233-839522115-1005\Dc97.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\JTKim\Cookies\jtkim@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\JTKim\Cookies\jtkim@ads.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\@??? Cookies\@??? 4.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\@??? Cookies\@??? adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\RECYCLER\S-1-5-21-1275210071-1409082233-839522115-1005\Dc8.txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\@??? Cookies\@??? adengage[1].txt -> TrackingCookie.Adengage : Cleaned.
C:\Documents and Settings\JTKim\Cookies\jtkim@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\JTKim\Cookies\jtkim@adtech[2].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\@??? Cookies\@??? adtech[2].txt -> TrackingCookie.Adtech : Cleaned.
C:\RECYCLER\S-1-5-21-1275210071-1409082233-839522115-1005\Dc18.txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\JTKim\Cookies\jtkim@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\RECYCLER\S-1-5-21-1275210071-1409082233-839522115-1005\Dc19.txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\JTKim\Cookies\jtkim@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\@??? Cookies\@??? atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\RECYCLER\S-1-5-21-1275210071-1409082233-839522115-1005\Dc24.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\JTKim\Cookies\jtkim@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\JTKim\Cookies\jtkim@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\@??? Cookies\@??? burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\@??? Cookies\@??? www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\RECYCLER\S-1-5-21-1275210071-1409082233-839522115-1005\Dc161.txt -> TrackingCookie.Burstnet : Cleaned.
C:\RECYCLER\S-1-5-21-1275210071-1409082233-839522115-1005\Dc29.txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\JTKim\Cookies\jtkim@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\RECYCLER\S-1-5-21-1275210071-1409082233-839522115-1005\Dc31.txt -> TrackingCookie.Casalemedia : Cleaned.
C:\RECYCLER\S-1-5-21-1275210071-1409082233-839522115-1005\Dc42.txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\@??? Cookies\@??? connextra[1].txt -> TrackingCookie.Connextra : Cleaned.
C:\Documents and Settings\JTKim\Cookies\jtkim@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\@??? Cookies\@??? doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\@ ?? Cookies\@ ?? doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\RECYCLER\S-1-5-21-1275210071-1409082233-839522115-1005\Dc51.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\RECYCLER\S-1-5-21-1275210071-1409082233-839522115-1005\Dc22.txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\JTKim\Cookies\jtkim@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\@??? Cookies\@??? fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\RECYCLER\S-1-5-21-1275210071-1409082233-839522115-1005\Dc63.txt -> TrackingCookie.Fastclick : Cleaned.
C:\RECYCLER\S-1-5-21-1275210071-1409082233-839522115-1005\Dc92.txt -> TrackingCookie.Fastclick : Cleaned.
C:\RECYCLER\S-1-5-21-1275210071-1409082233-839522115-1005\Dc70.txt -> TrackingCookie.Goclick : Cleaned.
C:\Documents and Settings\JTKim\Cookies\jtkim@ehg-samsungusa.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\JTKim\Cookies\jtkim@ehg-twi.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\JTKim\Cookies\jtkim@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\@??? Cookies\@??? ehg-bskyb.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\@??? Cookies\@??? ehg-twi.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\@??? Cookies\@??? hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\RECYCLER\S-1-5-21-1275210071-1409082233-839522115-1005\Dc57.txt -> TrackingCookie.Hitbox : Cleaned.
C:\RECYCLER\S-1-5-21-1275210071-1409082233-839522115-1005\Dc58.txt -> TrackingCookie.Hitbox : Cleaned.
C:\RECYCLER\S-1-5-21-1275210071-1409082233-839522115-1005\Dc59.txt -> TrackingCookie.Hitbox : Cleaned.
C:\RECYCLER\S-1-5-21-1275210071-1409082233-839522115-1005\Dc60.txt -> TrackingCookie.Hitbox : Cleaned.

C : \ R E C Y C L E R \ S - 1 - 5 - 2 1 - 1 2 7 5 2 1 0 0 7 1 - 1 4 0 9 0 8 2 2 3 3 - 8 3 9 5 2 2 1 1 5 - 1 0 0 5 \ D c 7 5 . t x t - > T r a c k i n g C o o k i e . H i t b o x : C l e a n e d .

C : \ D o c u m e n t s a n d S e t t i n g s \ J T K i m \ C o o k i e s \ j t k i m @ s e a r c h p o r t a l . i n f o r m a t i o n [ 1 ] . t x t - > T r a c k i n g C o o k i e . I n f o r m a t i o n : C l e a n e d .

C : \ R E C Y C L E R \ S - 1 - 5 - 2 1 - 1 2 7 5 2 1 0 0 7 1 - 1 4 0 9 0 8 2 2 3 3 - 8 3 9 5 2 2 1 1 5 - 1 0 0 5 \ D c 1 3 2 . t x t - > T r a c k i n g C o o k i e . I n f o r m a t i o n : C l e a n e d .

C : \ D o c u m e n t s a n d S e t t i n g s \ J T K i m \ C o o k i e s \ j t k i m @ s e a r c h . l i v e [ 1 ] . t x t - > T r a c k i n g C o o k i e . L i v e : C l e a n e d .

C : \ R E C Y C L E R \ S - 1 - 5 - 2 1 - 1 2 7 5 2 1 0 0 7 1 - 1 4 0 9 0 8 2 2 3 3 - 8 3 9 5 2 2 1 1 5 - 1 0 0 5 \ D c 1 3 1 . t x t - > T r a c k i n g C o o k i e . L i v e : C l e a n e d .

C : \ D o c u m e n t s a n d S e t t i n g s \ @??? C o o k i e s \ @??? m e d i a p l e x [ 2 ] . t x t - > T r a c k i n g C o o k i e . M e d i a p l e x : C l e a n e d .

C : \ R E C Y C L E R \ S - 1 - 5 - 2 1 - 1 2 7 5 2 1 0 0 7 1 - 1 4 0 9 0 8 2 2 3 3 - 8 3 9 5 2 2 1 1 5 - 1 0 0 5 \ D c 9 3 . t x t - > T r a c k i n g C o o k i e . M e d i a p l e x : C l e a n e d .

C : \ D o c u m e n t s a n d S e t t i n g s \ @??? C o o k i e s \ @??? a u t o . s e a r c h . m s n [ 1 ] . t x t - > T r a c k i n g C o o k i e . M s n : C l e a n e d .

C : \ D o c u m e n t s a n d S e t t i n g s \ @??? C o o k i e s \ @??? s s l - h i n t s . n e t f l a m e [ 1 ] . t x t - > T r a c k i n g C o o k i e . N e t f l a m e : C l e a n e d .

C : \ D o c u m e n t s a n d S e t t i n g s \ J T K i m \ C o o k i e s \ j t k i m @ o v e r t u r e [ 1 ] . t x t - > T r a c k i n g C o o k i e . O v e r t u r e : C l e a n e d .

C : \ D o c u m e n t s a n d S e t t i n g s \ J T K i m \ C o o k i e s \ j t k i m @ p e r f . o v e r t u r e [ 1 ] . t x t - > T r a c k i n g C o o k i e . O v e r t u r e : C l e a n e d .

C : \ D o c u m e n t s a n d S e t t i n g s \ @??? C o o k i e s \ @??? o v e r t u r e [ 1 ] . t x t - > T r a c k i n g C o o k i e . O v e r t u r e : C l e a n e d .

C : \ D o c u m e n t s a n d S e t t i n g s \ @??? C o o k i e s \ @??? p e r f . o v e r t u r e [ 1 ] . t x t - > T r a c k i n g C o o k i e . O v e r t u r e : C l e a n e d .

C : \ R E C Y C L E R \ S - 1 - 5 - 2 1 - 1 2 7 5 2 1 0 0 7 1 - 1 4 0 9 0 8 2 2 3 3 - 8 3 9 5 2 2 1 1 5 - 1 0 0 5 \ D c 1 1 8 . t x t - > T r a c k i n g C o o k i e . O v e r t u r e : C l e a n e d .

C : \ D o c u m e n t s a n d S e t t i n g s \ @??? C o o k i e s \ @??? w w w . p a y p a l [ 1 ] . t x t - > T r a c k i n g C o o k i e . P a y p a l : C l e a n e d .

C : \ D o c u m e n t s a n d S e t t i n g s \ J T K i m \ C o o k i e s \ j t k i m @ a d s . p o i n t r o l l [ 1 ] . t x t - > T r a c k i n g C o o k i e . P o i n t r o l l : C l e a n e d .

C : \ R E C Y C L E R \ S - 1 - 5 - 2 1 - 1 2 7 5 2 1 0 0 7 1 - 1 4 0 9 0 8 2 2 3 3 - 8 3 9 5 2 2 1 1 5 - 1 0 0 5 \ D c 1 6 . t x t - > T r a c k i n g C o o k i e . P o i n t r o l l : C l e a n e d .

C : \ D o c u m e n t s a n d S e t t i n g s \ @??? C o o k i e s \ @??? p r o - m a r k e t [ 2 ] . t x t - > T r a c k i n g C o o k i e . P r o - m a r k e t : C l e a n e d .

C : \ D o c u m e n t s a n d S e t t i n g s \ J T K i m \ C o o k i e s \ j t k i m @ r e a l [ 1 ] . t x t - > T r a c k i n g C o o k i e . R e a l : C l e a n e d .

C : \ D o c u m e n t s a n d S e t t i n g s \ J T K i m \ C o o k i e s \ j t k i m @ r e a l g u i d e . r e a l [ 1 ] . t x t - > T r a c k i n g C o o k i e . R e a l : C l e a n e d .

C : \ R E C Y C L E R \ S - 1 - 5 - 2 1 - 1 2 7 5 2 1 0 0 7 1 - 1 4 0 9 0 8 2 2 3 3 - 8 3 9 5 2 2 1 1 5 - 1 0 0 5 \ D c 1 2 6 . t x t - > T r a c k i n g C o o k i e . R e a l m e d i a : C l e a n e d .

C : \ D o c u m e n t s a n d S e t t i n g s \ @??? C o o k i e s \ @??? s t a t s 1 . r e l i a b l e s t a t s [ 2 ] . t x t - > T r a c k i n g C o o k i e . R e l i a b l e s t a t s : C l e a n e d .

C : \ D o c u m e n t s a n d S e t t i n g s \ J T K i m \ C o o k i e s \ j t k i m @ r e v e n u e [ 2 ] . t x t - > T r a c k i n g C o o k i e . R e v e n u e : C l e a n e d .

C : \ R E C Y C L E R \ S - 1 - 5 - 2 1 - 1 2 7 5 2 1 0 0 7 1 - 1 4 0 9 0 8 2 2 3 3 - 8 3 9 5 2 2 1 1 5 - 1 0 0 5 \ D c 1 2 8 . t x t - > T r a c k i n g C o o k i e . R e v e n u e : C l e a n e d .

C : \ D o c u m e n t s a n d S e t t i n g s \ J T K i m \ C o o k i e s \ j t k i m @ b s . s e r v i n g - s y s [ 2 ] . t x t - > T r a c k i n g C o o k i e . S e r v i n g - s y s : C l e a n e d .

C : \ D o c u m e n t s a n d S e t t i n g s \ J T K i m \ C o o k i e s \ j t k i m @ s e r v i n g - s y s [ 1 ] . t x t - > T r a c k i n g C o o k i e . S e r v i n g - s y s : C l e a n e d .

C : \ D o c u m e n t s a n d S e t t i n g s \ J T K i m \ C o o k i e s \ j t k i m @ a d o p t . s p e c i f i c c l i c k [ 2 ] . t x t - > T r a c k i n g C o o k i e . S p e c i f i c c l i c k : C l e a n e d .

C : \ D o c u m e n t s a n d S e t t i n g s \ @??? C o o k i e s \ @??? s p y l o g [ 1 ] . t x t - > T r a c k i n g C o o k i e . S p y l o g : C l e a n e d .

: m o z i l l a . 6 : C : \ D o c u m e n t s a n d S e t t i n g s \ @??? A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ m f h 1 j 6 5 6 . d e f a u l t \ c o o k i e s . t x t - > T r a c k i n g C o o k i e . S t a t c o u n t e r : C l e a n e d .

: m o z i l l a . 9 : C : \ D o c u m e n t s a n d S e t t i n g s \ @ ?? A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ 5 2 d o v f s u . d e f a u l t \ c o o k i e s . t x t - > T r a c k i n g C o o k i e . S t a t c o u n t e r : C l e a n e d .

C : \ D o c u m e n t s a n d S e t t i n g s \ J T K i m \ C o o k i e s \ j t k i m @ s t a t c o u n t e r [ 2 ] . t x t - > T r a c k i n g C o o k i e . S t a t c o u n t e r : C l e a n e d .

C : \ D o c u m e n t s a n d S e t t i n g s \ @??? C o o k i e s \ @??? s t a t c o u n t e r [ 2 ] . t x t - > T r a c k i n g C o o k i e . S t a t c o u n t e r : C l e a n e d .

C : \ R E C Y C L E R \ S - 1 - 5 - 2 1 - 1 2 7 5 2 1 0 0 7 1 - 1 4 0 9 0 8 2 2 3 3 - 8 3 9 5 2 2 1 1 5 - 1 0 0 5 \ D c 1 4 2 . t x t - > T r a c k i n g C o o k i e . S t a t c o u n t e r : C l e a n e d .

C : \ D o c u m e n t s a n d S e t t i n g s \ @??? C o o k i e s \ @??? t a c o d a [ 2 ] . t x t - > T r a c k i n g C o o k i e . T a c o d a : C l e a n e d .

C : \ R E C Y C L E R \ S - 1 - 5 - 2 1 - 1 2 7 5 2 1 0 0 7 1 - 1 4 0 9 0 8 2 2 3 3 - 8 3 9 5 2 2 1 1 5 - 1 0 0 5 \ D c 1 4 3 . t x t - > T r a c k i n g C o o k i e . T a c o d a : C l e a n e d .

C : \ D o c u m e n t s a n d S e t t i n g s \ J T K i m \ C o o k i e s \ j t k i m @ t r a f i c [ 1 ] . t x t - > T r a c k i n g C o o k i e . T r a f i c : C l e a n e d .

C : \ D o c u m e n t s a n d S e t t i n g s \ J T K i m \ C o o k i e s \ j t k i m @ t r i b a l f u s i o n [ 1 ] . t x t - > T r a c k i n g C o o k i e . T r i b a l f u s i o n : C l e a n e d .

C : \ D o c u m e n t s a n d S e t t i n g s \ @??? C o o k i e s \ @??? t r i b a l f u s i o n [ 2 ] . t x t - > T r a c k i n g C o o k i e . T r i b a l f u s i o n : C l e a n e d .

C : \ R E C Y C L E R \ S - 1 - 5 - 2 1 - 1 2 7 5 2 1 0 0 7 1 - 1 4 0 9 0 8 2 2 3 3 - 8 3 9 5 2 2 1 1 5 - 1 0 0 5 \ D c 1 4 4 . t x t - > T r a c k i n g C o o k i e . T r i b a l f u s i o n : C l e a n e d .

C : \ D o c u m e n t s a n d S e t t i n g s \ J T K i m \ C o o k i e s \ j t k i m @ m . w e b t r e n d s [ 1 ] . t x t - > T r a c k i n g C o o k i e . W e b t r e n d s : C l e a n e d .

C : \ D o c u m e n t s a n d S e t t i n g s \ J T K i m \ C o o k i e s \ j t k i m @ a d . y i e l d m a n a g e r [ 2 ] . t x t - > T r a c k i n g C o o k i e . Y i e l d m a n a g e r : C l e a n e d .

C : \ D o c u m e n t s a n d S e t t i n g s \ @??? C o o k i e s \ @??? a d . y i e l d m a n a g e r [ 1 ] . t x t - > T r a c k i n g C o o k i e . Y i e l d m a n a g e r : C l e a n e d .

C : \ R E C Y C L E R \ S - 1 - 5 - 2 1 - 1 2 7 5 2 1 0 0 7 1 - 1 4 0 9 0 8 2 2 3 3 - 8 3 9 5 2 2 1 1 5 - 1 0 0 5 \ D c 7 . t x t - > T r a c k i n g C o o k i e . Y i e l d m a n a g e r : C l e a n e d .

C : \ D o c u m e n t s a n d S e t t i n g s \ J T K i m \ C o o k i e s \ j t k i m @ c 5 . z e d o [ 1 ] . t x t - > T r a c k i n g C o o k i e . Z e d o : C l e a n e d .

C : \ D o c u m e n t s a n d S e t t i n g s \ J T K i m \ C o o k i e s \ j t k i m @ z e d o [ 2 ] . t x t - > T r a c k i n g C o o k i e . Z e d o : C l e a n e d .

C : \ Q o o B o x \ Q u a r a n t i n e \ C \ W I N D O W S \ s y s t e m 3 2 \ d k k f j b m a . e x e . v i r - > T r o j a n . A g e n t . a o y : C l e a n e d w i t h b a c k u p ( q u a r a n t i n e d ) .

C : \ Q o o B o x \ Q u a r a n t i n e \ C \ W I N D O W S \ s y s t e m 3 2 \ e d y m h r r x . e x e . v i r - > T r o j a n . A g e n t . a o y : C l e a n e d w i t h b a c k u p ( q u a r a n t i n e d ) .

C : \ Q o o B o x \ Q u a r a n t i n e \ C \ W I N D O W S \ s y s t e m 3 2 \ f b l t n b c t . e x e . v i r - > T r o j a n . A g e n t . a o y : C l e a n e d w i t h b a c k u p ( q u a r a n t i n e d ) .

C : \ Q o o B o x \ Q u a r a n t i n e \ C \ W I N D O W S \ s y s t e m 3 2 \ l h y r h y w o . e x e . v i r - > T r o j a n . A g e n t . a o y : C l e a n e d w i t h b a c k u p ( q u a r a n t i n e d ) .

C : \ Q o o B o x \ Q u a r a n t i n e \ C \ W I N D O W S \ s y s t e m 3 2 \ w i n j v d 3 2 . d l l . v i r - > T r o j a n . D i a l e r . q n : C l e a n e d w i t h b a c k u p ( q u a r a n t i n e d ) .





: : R e p o r t e n d



+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 오전 8:06:53, on 2007-07-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AhnLab\ACA\ACAAS.exe
C:\Program Files\Common Files\AhnLab\ACA\ACAEGMgr.exe
C:\Program Files\AhnLab\Vitzaru\MSProxy.ahn
C:\Program Files\Common Files\AhnLab\ACA\ACAIS.exe
C:\Program Files\Common Files\AhnLab\ACA\ACALS.exe
C:\Program Files\AhnLab\Smart Update Utility\AhnSDsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\PROGRA~1\SCROLL~1\MouseElf.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\COMMON~1\AhnLab\ACA\ACASP.exe
C:\Program Files\AhnLab\Smart Update Utility\AhnSD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: wwBHO Class - {6E09891E-2E10-43A5-BEE0-0B4AEB6FAB4A} - C:\WINDOWS\DOWNLO~1\WhiteWareObject_1,0,0,249.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [High Definition Audio 속성 페이지 바로 가기] HDAShCut.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [imekrmig7.0] "C:\Program Files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE"
O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\SCROLL~1\MouseElf.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AhnLab Session Process] "C:\PROGRA~1\COMMON~1\AhnLab\ACA\ACASP.exe"
O4 - HKLM\..\Run: [AHNSD] "C:\Program Files\AhnLab\Smart Update Utility\AhnSD.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 콘솔 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: 리서치 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {00001023-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter23 Class) - http://download.netmarble.com/web/nmstarter/NMStarter23.cab
O16 - DPF: {00001024-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter24 Class) - http://download.netmarble.com/web/nmstarter/NMStarter24.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0C72835A-34C5-4273-A700-A2347E784B58} (NPPWebInstallV2 Control) - http://www.siren24.com/nprotect/down/NPPWebInstallV2.cab
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://s.nx.com/activex/public_new/nxpm.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163514019140
O16 - DPF: {7A95C123-295D-408C-9699-873A4C9873AF} (FcCommCtrl.FcUpload) - http://login.freechal.com/freechalon/FcCommCtrl.cab
O16 - DPF: {7CD3AA7E-2C7A-4C67-9600-EFAB2EBE1C44} (BDAStart Control) - http://www.vitzaru.com/bluebelt/bda/cab/BDAStart.cab
O16 - DPF: {92E82FBB-DA00-41E0-ABFE-95482E21A4F6} (NMTransX Module) - http://download.netmarble.com/NMChatX/NMTransX.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/activex/dmcc2.c...ersion=1,0,0,10
O16 - DPF: {93F79C47-F414-4EEE-95C5-A0F0ACE59A0E} (ALDx Class) - http://www.altools.co.kr/ALDX.cab
O16 - DPF: {95F19BBE-F9AB-4393-B323-8A2071F3859D} (SCapbotCJ Control) - http://download.netmarble.com/web/6n/cp_si...oftCapBotCJ.cab
O16 - DPF: {97745861-F1A6-45B2-8AD1-0C17334550E6} (YahooCabinet Control) - http://img.yahoo.co.kr/ycabinet/cab/YahooCabinet.cab
O16 - DPF: {A1D886C6-4039-4451-97A9-515F5BE5D4C2} (mkdplusCtrl Class) - http://ahnlabdownload.nefficient.co.kr/asp/cab/mkdplus.cab
O16 - DPF: {A4482A7F-F055-4E75-8657-0BEACD214332} (BDAInst Control) - http://www.vitzaru.com/bluebelt/myvitzaru/bda_inst.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - http://download.netmarble.com/kdefence/kdfense8237.cab
O16 - DPF: {B9A7CB61-0060-430E-B76F-CDB83D7F680C} (YEditor for Yahoo Korea) - http://img.yahoo.co.kr/blog/jweditor/JwEdi...rea_2_3_3_6.cab
O16 - DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} (Daum ActiveX manager Class) - http://cafeimg.hanmail.net/cto/xman.cab?ver=1,2,3,1
O16 - DPF: {E185DB61-F54B-4D4E-9157-08256282E41A} (SBLoader Control) - http://www.speedbook.co.kr/activex/SPEEDBOOK.cab
O16 - DPF: {FF11C114-0824-49F5-BD5D-D8E06BF6DD53} (CAWebLauncherCtrl Class) - http://caimg.nx.com/ActiveX/CAWebLauncher.cab
O16 - DPF: {FF4A71A4-CE22-4784-B4E0-CEEAF2485F79} (WhiteWareObject Control) - http://www.vitzaru.com/bluebelt_gray/WhiteWareObject.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF14546D-92D9-40F2-872B-991F430CED3D}: NameServer = 202.152.227.25,202.152.235.146
O20 - Winlogon Notify: ??€ - ??€ (file missing)
O20 - Winlogon Notify: winpop - C:\WINDOWS\SYSTEM32\winpop.dll
O20 - Winlogon Notify: `€ - `€ (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AhnLab Application Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACAAS.exe
O23 - Service: AhnLab Guarantee Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACAEGMgr.exe
O23 - Service: AhnLab Information Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACAIS.exe
O23 - Service: AhnLab Log Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACALS.exe
O23 - Service: AhnLab Task Scheduler - AhnLab, Inc. - C:\Program Files\AhnLab\Smart Update Utility\AhnSDsv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 10602 bytes

#12 didom

  • Members
  • 1,389 posts
  • Gender:Male

Posted 12 July 2007 - 07:41 AM

O2 - BHO: wwBHO Class - {6E09891E-2E10-43A5-BEE0-0B4AEB6FAB4A} - C:\WINDOWS\DOWNLO~1\WhiteWareObject_1,0,0,249.ocx

Do you know what this is?

O20 - Winlogon Notify: ??€ - ??€ (file missing)
O20 - Winlogon Notify: `€ - `€ (file missing)

These items... can you translate them somehow? What files are related?

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

File::
C:\WINDOWS\SYSTEM32\winpop.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winpop]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SDFix"=-


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


Posted Image


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

After that try running SDFix again. Post the log when it's done (Report.txt).

Please post the log from the ComboFix scan located at C:\ComboFix.txt together with a new HijackThis log.

Edited by didom, 12 July 2007 - 07:41 AM.

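A small triage helper for the O20 lines didom asks about, written as an added example for this thread (it is not didom's code, nor part of HijackThis or ComboFix). It applies the two checks made above: a Winlogon Notify package whose DLL is missing is an orphaned key, and a package whose name is not a plain identifier is worth a closer look. The sample lines are copies of the ones quoted in the log above.

```python
"""Triage helper for HijackThis 'O20 - Winlogon Notify' lines (added example)."""
import re

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<target>.+)$")

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [SDFix] C:\\SDFix\\RunThis.bat /second
O20 - Winlogon Notify: ??\u20ac - ??\u20ac (file missing)
O20 - Winlogon Notify: winpop - C:\\WINDOWS\\SYSTEM32\\winpop.dll
O20 - Winlogon Notify: `\u20ac - `\u20ac (file missing)
"""


def is_plain_name(name: str) -> bool:
    """True if the Notify package name looks like something an installer would write."""
    return re.fullmatch(r"[A-Za-z0-9_.-]+", name) is not None


def codepoints(name: str) -> list:
    """Spell out a garbled key name so it can be discussed even when it does not render."""
    return ["U+%04X" % ord(ch) for ch in name]


def triage_o20(line: str):
    """Return (name, reasons) for an O20 line, or None if the line is not an O20 entry."""
    m = O20_RE.match(line.strip())
    if not m:
        return None
    name, target = m.group("name"), m.group("target")
    reasons = []
    if target.endswith("(file missing)"):
        # The registry still references a DLL that is gone: a leftover key to remove.
        reasons.append("orphaned: registry key points at a DLL that no longer exists")
    if not is_plain_name(name):
        # Non-identifier characters usually mean the key was generated, not installed.
        reasons.append("suspicious name: contains non-identifier characters "
                       + " ".join(codepoints(name)))
    if not reasons:
        # A real DLL is present: check its publisher/signature before touching it.
        reasons.append("review: verify the DLL's publisher and signature before removing")
    return name, reasons


def triage_log(text: str) -> list:
    """Run triage_o20 over every line of a HijackThis log and collect the findings."""
    findings = []
    for line in text.splitlines():
        result = triage_o20(line)
        if result is not None:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_LOG):
        print(repr(name))
        for r in reasons:
            print("   ", r)
```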

#13 kiyoungk

  • Topic Starter
  • Members
  • 10 posts

Posted 13 July 2007 - 10:58 AM

Here it goes.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

de"김기영" - 2007-07-13 21:58:29 - ComboFix 07-07-09.3 - Service Pack 2
Command switches used :: C:\Documents and Settings\김기영\바탕 화면\CFScript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\DOWNLO~1.\38DEB48C-BE4A-4d3e-B4FF-F1744557D006


((((((((((((((((((((((((( Files Created from 2007-06-13 to 2007-07-13 )))))))))))))))))))))))))))))))


2007-07-12 00:00 4,061 --ahs---- C:\WINDOWS\system32\popniw.dat
2007-07-12 00:00 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-07-10 15:27 <DIR> d-------- C:\Program Files\JWSoft
2007-07-10 08:42 1,124,089 --a------ C:\ComboFix.exe
2007-07-09 20:37 65,536 --a------ C:\WINDOWS\IFinst27.exe
2007-07-09 19:33 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-08 22:17 <DIR> d-------- C:\signed
2007-07-08 21:55 <DIR> d-------- C:\DOCUME~1\김기영\APPLIC~1\Image Zone Express
2007-07-08 02:53 401,720 --a------ C:\HijackThis.exe
2007-07-08 02:10 <DIR> d-------- C:\WINDOWS\ERUNT
2007-07-05 02:30 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-06-30 18:21 <DIR> d-------- C:\DOCUME~1\JTKIM~1\APPLIC~1\Hamachi
2007-06-30 18:20 25,544 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-06-22 20:50 137,216 --a------ C:\WINDOWS\regedit.com.exe
2007-06-22 17:44 <DIR> d-------- C:\Downloads
2007-06-21 22:22 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-06-21 22:20 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-06-21 21:37 <DIR> d-------- C:\Program Files\IBM and BrainQuest
2007-06-20 17:29 <DIR> d-------- C:\DOCUME~1\김대영\APPLIC~1\Talkback
2007-06-18 21:10 0 --a------ C:\WINDOWS\nsreg.dat
2007-06-18 21:10 <DIR> d-------- C:\DOCUME~1\김기영\APPLIC~1\Talkback
2007-06-16 13:38 40,672 --a------ C:\WINDOWS\system32\drivers\CESG502.sys
2007-06-16 13:38 <DIR> d-------- C:\CASIO


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-12 02:14:48 -------- d-----w C:\Program Files\NewSpeedBook
2007-07-11 11:47:27 -------- d-----w C:\Program Files\동키호테
2007-07-08 15:16:31 -------- d-----w C:\Program Files\HP
2007-07-08 15:05:58 139,264 ----a-w C:\WINDOWS\system32\hpzjrd01.dll
2007-07-07 19:54:33 -------- d-----w C:\Program Files\ESTsoft
2007-07-05 17:06:45 -------- d-----w C:\Program Files\Pruna
2007-07-04 18:02:17 -------- d-----w C:\Program Files\Scroll Mouse
2007-07-04 14:59:00 1,394,775 ----a-w C:\WINDOWS\system32\drivers\V3Engine.sys
2007-06-22 13:20:53 -------- d-----w C:\Program Files\MSN 메신저 파워팩
2007-06-22 10:44:15 2,560 ----a-w C:\WINDOWS\system32\BitCometRes.dll
2007-06-22 10:44:05 -------- d-----w C:\Program Files\BitComet
2007-06-16 06:38:41 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-12 09:15:00 64,128 ----a-w C:\WINDOWS\system32\drivers\AhnSZE.sys
2007-06-06 09:59:26 53,100 ----a-w C:\WINDOWS\system32\perfc012.dat
2007-06-06 09:59:26 202,642 ----a-w C:\WINDOWS\system32\perfh012.dat
2007-06-05 00:42:00 -------- d-----w C:\Program Files\Wizet
2007-06-04 13:46:20 -------- d-----w C:\Program Files\AhnLab
2007-05-27 05:16:00 -------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2007-05-27 05:15:51 -------- d-----w C:\Program Files\Common Files\SureThing Shared
2007-05-27 05:15:49 -------- d-----w C:\Program Files\Common Files\TiVo Shared
2007-05-27 02:59:53 -------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-05-23 03:19:36 -------- d-----w C:\Program Files\Mplay
2007-05-23 02:19:13 246,776 ----a-w C:\WINDOWS\nmconew.dll
2007-05-16 15:13:46 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:57:40 -------- d-----w C:\Program Files\McAfee
2007-05-13 16:57:34 -------- d-----w C:\Program Files\Netmarble
2007-05-08 15:21:35 112,792 ----a-w C:\WINDOWS\hpoins07.dat
2007-05-07 12:47:28 44,544 ----a-w C:\WINDOWS\system32\ALZZip.BIN
2007-05-07 12:42:22 63,488 ----a-w C:\WINDOWS\system32\ALZALZ.BIN
2007-04-28 15:41:53 532,480 ----a-w C:\WINDOWS\system32\manutd_fanzone_oldtrafford.scr
2007-04-25 14:21:02 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-21 17:39:02 73,728 ----a-w C:\WINDOWS\system32\kdfapi.dll
2007-04-21 17:39:01 47,104 ----a-w C:\WINDOWS\system32\Kdfhok.dll
2007-04-21 17:39:01 159,744 ----a-w C:\WINDOWS\system32\kdfmgr.exe
2007-04-18 16:14:05 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 15:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 15:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 15:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 15:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 15:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 15:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 15:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 15:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 15:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 15:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-15 05:47:14 485,120 ----a-w C:\WINDOWS\NMUpdate23.exe
2007-04-13 16:30:24 61,440 ----a-w C:\WINDOWS\system32\kdfmod.dll
2007-04-13 16:30:12 373,248 ----a-w C:\WINDOWS\system32\kdfinj.dll
2004-08-03 17:53:22 1,392,671 --sha-r C:\WINDOWS\system\msvbvm60.dll
2004-08-03 17:53:22 1,392,671 --sh--r C:\WINDOWS\system32\msvbvm60.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-01-12 20:38 63128 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}]
2006-11-29 20:52 230976 --a--c--- C:\Program Files\BitComet\tools\BitCometBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6E09891E-2E10-43A5-BEE0-0B4AEB6FAB4A}]
2007-05-14 10:18 497384 --a------ C:\WINDOWS\DOWNLO~1\WhiteWareObject_1,0,0,249.ocx

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-03-26 20:10 2403392 -ra------ c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
2007-06-28 15:55 325048 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio 속성 페이지 바로 가기"="HDAShCut.exe" [2005-01-07 17:07 C:\WINDOWS\system32\HdAShCut.exe]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 03:29 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-01-26 16:18]
"QlbCtrl"="%ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" []
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-01 12:01]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 10:49]
"imekrmig7.0"="C:\Program Files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE" [2003-07-14 22:57]
"mouseElf"="C:\PROGRA~1\SCROLL~1\MouseElf.EXE" [2004-09-20 07:16]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50]
"AhnLab Session Process"="C:\PROGRA~1\COMMON~1\AhnLab\ACA\ACASP.exe" [2007-03-29 23:37]
"AHNSD"="C:\Program Files\AhnLab\Smart Update Utility\AhnSD.exe" [2007-02-27 03:14]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 16:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:53]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-04 21:22]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ctfmon.exe"=ctfmon.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 19:29]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\??€]
??€

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\`€]
`€

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{225d164a-da9a-11db-9a71-0016d30c5d34}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98ebdba8-e9d0-11db-9ab2-0016d30c5d34}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs


**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-13 22:02:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????? ??@??????????????@? ???pa????????@??????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-13 22:03:08
C:\ComboFix-quarantined-files.txt ... 2007-07-13 22:02
C:\ComboFix2.txt ... 2007-07-10 08:49

--- E O F ---

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 오후 10:57:11, on 2007-07-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AhnLab\ACA\ACAAS.exe
C:\Program Files\Common Files\AhnLab\ACA\ACAEGMgr.exe
C:\Program Files\AhnLab\Vitzaru\MSProxy.ahn
C:\Program Files\Common Files\AhnLab\ACA\ACAIS.exe
C:\Program Files\Common Files\AhnLab\ACA\ACALS.exe
C:\Program Files\AhnLab\Smart Update Utility\AhnSDsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\PROGRA~1\SCROLL~1\MouseElf.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\COMMON~1\AhnLab\ACA\ACASP.exe
C:\Program Files\AhnLab\Smart Update Utility\AhnSD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AhnLab\ASP\MyKeyDefense 2.0\mkd20tray.exe
C:\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: wwBHO Class - {6E09891E-2E10-43A5-BEE0-0B4AEB6FAB4A} - C:\WINDOWS\DOWNLO~1\WhiteWareObject_1,0,0,249.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [High Definition Audio 속성 페이지 바로 가기] HDAShCut.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [imekrmig7.0] "C:\Program Files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE"
O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\SCROLL~1\MouseElf.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AhnLab Session Process] "C:\PROGRA~1\COMMON~1\AhnLab\ACA\ACASP.exe"
O4 - HKLM\..\Run: [AHNSD] "C:\Program Files\AhnLab\Smart Update Utility\AhnSD.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 콘솔 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: 리서치 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {00001023-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter23 Class) - http://download.netmarble.com/web/nmstarter/NMStarter23.cab
O16 - DPF: {00001024-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter24 Class) - http://download.netmarble.com/web/nmstarter/NMStarter24.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0C72835A-34C5-4273-A700-A2347E784B58} (NPPWebInstallV2 Control) - http://www.siren24.com/nprotect/down/NPPWebInstallV2.cab
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://s.nx.com/activex/public_new/nxpm.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163514019140
O16 - DPF: {7A95C123-295D-408C-9699-873A4C9873AF} (FcCommCtrl.FcUpload) - http://login.freechal.com/freechalon/FcCommCtrl.cab
O16 - DPF: {7CD3AA7E-2C7A-4C67-9600-EFAB2EBE1C44} (BDAStart Control) - http://www.vitzaru.com/bluebelt/bda/cab/BDAStart.cab
O16 - DPF: {92E82FBB-DA00-41E0-ABFE-95482E21A4F6} (NMTransX Module) - http://download.netmarble.com/NMChatX/NMTransX.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/activex/dmcc2.c...ersion=1,0,0,10
O16 - DPF: {93F79C47-F414-4EEE-95C5-A0F0ACE59A0E} (ALDx Class) - http://www.altools.co.kr/ALDX.cab
O16 - DPF: {95F19BBE-F9AB-4393-B323-8A2071F3859D} (SCapbotCJ Control) - http://download.netmarble.com/web/6n/cp_si...oftCapBotCJ.cab
O16 - DPF: {97745861-F1A6-45B2-8AD1-0C17334550E6} (YahooCabinet Control) - http://img.yahoo.co.kr/ycabinet/cab/YahooCabinet.cab
O16 - DPF: {A1D886C6-4039-4451-97A9-515F5BE5D4C2} (mkdplusCtrl Class) - http://ahnlabdownload.nefficient.co.kr/asp/cab/mkdplus.cab
O16 - DPF: {A4482A7F-F055-4E75-8657-0BEACD214332} (BDAInst Control) - http://www.vitzaru.com/bluebelt/myvitzaru/bda_inst.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - http://download.netmarble.com/kdefence/kdfense8237.cab
O16 - DPF: {B9A7CB61-0060-430E-B76F-CDB83D7F680C} (YEditor for Yahoo Korea) - http://img.yahoo.co.kr/blog/jweditor/JwEdi...rea_2_3_3_6.cab
O16 - DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} (Daum ActiveX manager Class) - http://cafeimg.hanmail.net/cto/xman.cab?ver=1,2,3,1
O16 - DPF: {E185DB61-F54B-4D4E-9157-08256282E41A} (SBLoader Control) - http://www.speedbook.co.kr/activex/SPEEDBOOK.cab
O16 - DPF: {FF11C114-0824-49F5-BD5D-D8E06BF6DD53} (CAWebLauncherCtrl Class) - http://caimg.nx.com/ActiveX/CAWebLauncher.cab
O16 - DPF: {FF4A71A4-CE22-4784-B4E0-CEEAF2485F79} (WhiteWareObject Control) - http://www.vitzaru.com/bluebelt_gray/WhiteWareObject.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF14546D-92D9-40F2-872B-991F430CED3D}: NameServer = 202.152.227.25,202.152.235.146
O20 - Winlogon Notify: ??€ - ??€ (file missing)
O20 - Winlogon Notify: `€ - `€ (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AhnLab Application Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACAAS.exe
O23 - Service: AhnLab Guarantee Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACAEGMgr.exe
O23 - Service: AhnLab Information Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACAIS.exe
O23 - Service: AhnLab Log Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACALS.exe
O23 - Service: AhnLab Task Scheduler - AhnLab, Inc. - C:\Program Files\AhnLab\Smart Update Utility\AhnSDsv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 10634 bytes

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

I have tried to find out what the random letters meant, but when I used regedit to surf to the folder, the folder was named the same, in random unrecognizable letters. Must be corrupt.

Thanks!

#14 didom

didom

  • Members
  • 1,389 posts
  • Gender:Male
  • Local time:07:14 AM

Posted 20 July 2007 - 07:06 AM

Do you still need help?

If so, please create a new thread as I'm leaving for a vacation. Include a link to this thread.



