Malware Removal Instructions

Please help me

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Unread postby joes459 » May 24th, 2008, 2:00 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:30:52 PM, on 5/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\AppleOSSMgr.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\NetClient40\ncagent.exe
C:\WINDOWS\system32\npkcmsvc.exe
C:\WINDOWS\system32\NetClient40\ncclient.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\IRW.exe
C:\Program Files\Boot Camp\KbdMgr.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\NetClient40\rc\NrDeskHlp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: msvcprt4.msvcprt4d - {FAEBE5F2-5E2E-11D8-A251-00D0591C1C61} - C:\WINDOWS\system32\MSvcprt4.dll
O3 - Toolbar: (no name) - {B982A63C-9A5B-4796-80B0-EC809FCDEBF2} - (no file)
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IRW] C:\WINDOWS\system32\IRW.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\KbdMgr.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NetClient RC Helper] C:\WINDOWS\system32\NetClient40\rc\NrDeskHlp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe
O4 - HKLM\..\Policies\Explorer\Run: [DF] C:\WINDOWS\system32\drivers\windf.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.shinhan.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {00001025-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter25 Class) - http://download.netmarble.com/web/nmsta ... rter25.cab
O16 - DPF: {03F49E0E-C43A-4037-BBD6-D681E998A08E} (CodeAx Class) - http://ep.knou.ac.kr/EP/web/common/cabf ... CodeAx.cab
O16 - DPF: {044123B5-35DF-4C4E-BAED-26B8ED964342} (HLiveRobotWeb Control) - http://fx.hauri.net/HProduct/livesuite/ ... botWeb.cab
O16 - DPF: {0A4E624A-F7EA-4313-B721-C5669E0C6266} (TrustSiteAuction Control) - http://download.auction.co.kr/activexpa ... onCtrl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {207444C6-E097-4F13-B9C1-F11B15DE78C4} (HackFire Control) - http://champstudy.com/hackdown/HackFire.cab
O16 - DPF: {20BBA18F-5BC8-47B5-8FC9-5DFCA8E56A4B} (XacsPop Control) - http://mpi.dacom.net/XMPI/js/xmpi2007.cab
O16 - DPF: {286A75C3-11FB-4FB4-AC4A-4DD1B0750050} (INISAFEWeb6 V6 Class) - http://download.banktown.com/kbstarActiveX/INIS60.cab
O16 - DPF: {317642DD-AF52-11D4-BC2A-0050DA8AEE6F} (FileMng Control) - http://mail.epis.ewha.ac.kr:8884/local/cabs/FileWiz.cab
O16 - DPF: {39461460-2552-4D51-A062-3AB6A7B902E9} (INISAFE Updater Control) - http://img.shinhan.com/shttp/install/down/INIS70.cab
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - http://img.shinhan.com/rib/common/keySt ... /scsk4.cab
O16 - DPF: {3A90D051-E921-4741-8288-D1B6747A8A51} (Yessign5 Control) - http://www.giro.or.kr/html/yessign/cab/yessign5.cab
O16 - DPF: {48ECCD73-123C-4C25-A64C-76E8E8A30CAF} (XPayMPIOCX Control) - http://mpi.dacom.net/XPayMPI/Xecure_Liv ... MPIOCX.cab
O16 - DPF: {53EED863-B547-40F8-B24A-2D6DE807CFE8} (Printmade Control) - http://img.shinhan.com/rib//ko/print/Printmade.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 2868270812
O16 - DPF: {6531D99C-0D0E-4293-B3CB-A3E1D0D41847} (AhnASP Control) - http://ahnlabdownload.nefficient.co.kr/ ... AhnASP.cab
O16 - DPF: {66413DC2-F891-40BC-822D-B7EEC8ADC281} (ProWorksGrid Control) - http://img.shinhan.com/rib/common/ProWorksGrid_78.cab
O16 - DPF: {6F517019-0482-4BD2-8AAD-1E3CB01C4148} (MiBookView Control) - http://asp.lemonbook.co.kr/CabDownLoad/MiBookView.cab
O16 - DPF: {6FE760D3-7851-4879-8838-62D9881D7177} (IniMasHandler Class) - http://www.bccard.com/service/individua ... Plugin.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://xecure.kbstar.com/xecure/xw_install_v7202.cab
O16 - DPF: {8FA8D5F7-7CBA-46D4-9568-68D70C5280E8} (NoPhishingX Control) - http://www.nophishing.co.kr/softrun/SH02/SRNPSH.cab
O16 - DPF: {92E82FBB-DA00-41E0-ABFE-95482E21A4F6} (NMTransX Module) - http://download.netmarble.com/NMChatX/NMTransX.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/activex/dmcc ... n=1,0,0,10
O16 - DPF: {99C709C7-4F58-46C1-855B-90213C760395} (v3d Class) - https://v3d.kcp.co.kr/file/kcp_ansimclick.cab
O16 - DPF: {9D67EBF0-AF1A-4BCE-BAC9-C84A9383E0B3} (SSOCheck Class) - http://epis.ewha.ac.kr:8880/EP/web/comm ... OCheck.cab
O16 - DPF: {9FC84F7D-D177-4A75-A7BB-429DA5BD0A3E} (SG_CAppAtx Control) -
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - http://k-defence.kbstar.com/kings/kdfx/ ... fense8.cab
O16 - DPF: {B0A75875-3622-48BA-B5FF-45AD77AC2D0E} (BankPayEFTCtrl Control) - http://download.auction.co.kr/activexpa ... PayEFT.cab
O16 - DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} (Daum ActiveX manager Class) - http://cafeimg.hanmail.net/cto/xman.cab?ver=1,2,3,5
O16 - DPF: {BBB0FC2D-1D95-45CA-BDCF-03B53F247FCC} (EwsLoader Class) -
O16 - DPF: {C1143E84-B2B1-473B-9F20-E62DD754FCAF} (VineTransfer Control) - http://www.giro.or.kr/html/ubikey/VineTransfer.cab
O16 - DPF: {CB5C683C-416A-4701-B018-0F1B21D64D6B} (SKCInst1 Class) - http://cyimg7.cyworld.com/cymusic/package/skcinst.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://n-protect.kbstar.com/nprotect/module/npx.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://update.nprotect.net/keycrypt/kft ... _vista.cab
O16 - DPF: {D912AABC-6CB0-416F-85B6-CABBB86FD558} (INIwallet60 Control) - http://plugin.inicis.com/wallet60/INIwallet60.cab
O16 - DPF: {D923AE0C-190D-4EDF-B07A-76AC571FBFD4} (SCSKEx Control) - http://img.shinhan.com/rib/common/keySt ... SCSKEX.cab
O16 - DPF: {D96D2F74-0B74-47D2-964F-B67E9F69F1CD} (CongnamulMap4Asp Control) - http://www.congnamul.com/ActiveX/ASPCab ... sp_V23.cab
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - https://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
O16 - DPF: {E831AA9C-C980-4F16-B252-09AAF40D0E9B} (Kdfense9 Control) - http://k-defence.kbstar.com/kdfx218/kbstar/kdfense9.cab
O16 - DPF: {E8FB2BD7-3703-483A-8EC1-43DADAFC7668} (ELauncher Control) - http://update.folderplus.com/eWebLink/eLauncher.cab
O16 - DPF: {EA0995BF-45DD-4DB0-ADD5-A39C37397841} (ShbAutoTrustSite Control) - http://img.shinhan.com/rib/common/Trust ... tSiteX.cab
O16 - DPF: {F61919F5-1292-4447-A904-1943D72ACF04} (CertCheck for KB Control) - http://img.kbstar.com/cab/certCheck.cab
O18 - Protocol: s-http - {D37E6C5F-1C0F-47C0-A3B6-403EEC555402} - C:\Program Files\INITECH\SHTTP\InitechSHTTPInterface.10111.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Apple OS Switch Manager (AppleOSSMgr) - Unknown owner - C:\WINDOWS\system32\AppleOSSMgr.exe
O23 - Service: Apple Time Service (AppleTimeSrv) - Apple Inc. - C:\WINDOWS\system32\AppleTimeSrv.exe
O23 - Service: iPod 서비스 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NCClient Agent - DRSOFT - C:\WINDOWS\system32\NetClient40\ncagent.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcmsvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10978 bytes

Re: Please help me

Unread postby Shaba » May 24th, 2008, 4:50 am

Hi joes459

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

Combofix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

Post:

- a fresh HijackThis log
- combofix report

Re: Please help me

Unread postby joes459 » May 25th, 2008, 1:09 am

I installed combofix and ran the scan. I accidentally forgot to connect my external hard drive before I ran the first scan, so after the 1st one was finished, I connected my external drive and ran a second scan. Below I pasted both of the 'combofix' logs and also a fresh hijackthis log.

1st ComboFix scan


ComboFix 08-05-21.3 - joes459 2008-05-25 13:50:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.949.82.1033.18.1920 [GMT 9:00]
Running from: C:\Documents and Settings\joes459\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\Documents and Settings\All Users\Start Menu\UUSEE~1.LNK
C:\Documents and Settings\joes459\Local Settings\Temporary Internet Files\SKBGM.cfg
C:\Documents and Settings\joes459\Local Settings\Temporary Internet Files\SKBGM0.che
C:\Documents and Settings\joes459\Local Settings\Temporary Internet Files\SKBGM1.che
C:\Documents and Settings\joes459\Local Settings\Temporary Internet Files\SKBGM2.che
C:\Documents and Settings\joes459\Local Settings\Temporary Internet Files\SKBGM3.che
C:\Documents and Settings\joes459\Local Settings\Temporary Internet Files\SKBGM4.che
C:\Documents and Settings\joes459\Local Settings\Temporary Internet Files\SKBGM5.che
C:\Documents and Settings\joes459\Local Settings\Temporary Internet Files\SKBGM6.che
C:\Documents and Settings\joes459\Local Settings\Temporary Internet Files\SKBGM7.che
C:\Documents and Settings\joes459\Local Settings\Temporary Internet Files\SKBGM8.che
C:\Documents and Settings\joes459\Local Settings\Temporary Internet Files\SKBGM9.che
C:\vl.com
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\drivers\windf.hlp
C:\WINDOWS\system32\ieso0.dll
C:\WINDOWS\system32\kxvo.exe
C:\xaul0q8u.bat

.
((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
.

2008-05-24 14:30 . 2008-05-24 14:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-22 22:07 . 2008-05-22 22:07 <DIR> d-------- C:\Program Files\Network Associates
2008-05-13 11:00 . 2008-05-08 13:32 3,804 --a------ C:\WINDOWS\system32\teexcept.dat
2008-05-11 21:36 . 2008-05-11 21:36 <DIR> d-------- C:\Documents and Settings\All Users\Application ja_JP
2008-05-11 11:16 . 2008-05-11 11:16 <DIR> d-------- C:\Program Files\Cyworld Music Player
2008-05-10 17:33 . 2008-05-25 13:50 <DIR> d-------- C:\QUARANTINE
2008-05-10 17:09 . 2008-05-10 17:09 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-05-10 17:09 . 2006-11-30 08:50 168,776 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-05-10 17:09 . 2006-11-30 08:50 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-05-10 17:09 . 2006-11-30 08:50 64,360 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2008-05-10 17:09 . 2006-11-30 08:50 52,136 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2008-05-10 17:09 . 2006-11-30 08:50 34,152 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-05-10 17:07 . 2008-05-10 17:09 <DIR> d-------- C:\Program Files\McAfee
2008-05-10 17:07 . 2008-05-10 17:07 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-05-10 17:07 . 2008-05-10 17:07 <DIR> d-------- C:\Program Files\AVDistribution
2008-05-10 17:07 . 2008-05-10 17:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-10 17:07 . 2006-11-17 03:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2008-05-10 17:07 . 2006-11-17 03:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2008-05-10 16:24 . 2008-05-10 17:19 162,483 -r-hs---- C:\f6d.bat
2008-05-10 10:27 . 2008-05-10 13:31 161,329 -r-hs---- C:\sqtd.exe
2008-05-07 22:11 . 2008-05-08 11:24 161,863 -r-hs---- C:\wk.exe
2008-05-06 11:41 . 2008-05-06 11:41 <DIR> d-------- C:\WINDOWS\Application Data
2008-05-06 11:28 . 2004-08-04 21:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-05-05 22:02 . 2008-05-05 22:02 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-05 22:02 . 2008-05-05 22:02 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-05-04 14:48 . 2008-05-04 14:48 1,628 --a------ C:\WINDOWS\system32\p3downasx.asx
2008-05-03 22:27 . 2008-05-13 23:00 404,649 --a------ C:\WINDOWS\system32\nperr.npl
2008-05-03 11:07 . 2004-08-03 22:31 132,695 --a--c--- C:\WINDOWS\system32\dllcache\netwlan5.sys
2008-05-03 11:07 . 2001-08-17 12:11 65,278 --a--c--- C:\WINDOWS\system32\dllcache\netflx3.sys
2008-05-03 11:07 . 2001-08-17 22:36 60,480 --a--c--- C:\WINDOWS\system32\dllcache\neo20xx.dll
2008-05-03 11:07 . 2001-08-17 12:50 39,264 --a--c--- C:\WINDOWS\system32\dllcache\neo20xx.sys
2008-05-03 11:05 . 2001-08-17 13:28 797,500 --a--c--- C:\WINDOWS\system32\dllcache\ltsmt.sys
2008-05-03 11:04 . 2001-08-17 13:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2008-05-03 11:03 . 2004-08-04 00:56 702,845 --a--c--- C:\WINDOWS\system32\dllcache\i81xdnt5.dll
2008-05-03 11:02 . 2004-08-03 22:41 1,041,536 --a--c--- C:\WINDOWS\system32\dllcache\hsfdpsp2.sys
2008-05-03 11:01 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-05-03 11:00 . 2001-08-17 12:17 629,952 --a--c--- C:\WINDOWS\system32\dllcache\eqn.sys
2008-05-03 10:59 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-05-03 10:58 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-05-03 10:57 . 2004-08-04 00:56 1,888,992 --a--c--- C:\WINDOWS\system32\dllcache\ati3duag.dll
2008-05-03 10:56 . 2007-02-28 18:10 2,180,352 --a--c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-05-02 23:26 . 2008-05-13 23:00 16,627 ---h----- C:\WINDOWS\system32\200805.npl
2008-04-28 22:03 . 2008-04-29 22:22 162,529 -r-hs---- C:\rxub.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-24 01:47 --------- d-----w C:\Program Files\QuoteTracker
2008-05-18 23:17 --------- d-----w C:\Program Files\Certiprep
2008-05-13 13:57 73,728 ----a-w C:\WINDOWS\system32\kdfapi.dll
2008-05-13 13:57 159,744 ----a-w C:\WINDOWS\system32\kdfmgr.exe
2008-05-13 13:45 47,104 ----a-w C:\WINDOWS\system32\Kdfhok.dll
2008-05-11 14:11 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-05-10 08:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-10 08:07 --------- d-----w C:\Program Files\ToToBrowser
2008-05-10 08:07 --------- d-----w C:\Program Files\SopCast
2008-05-10 08:07 --------- d-----w C:\Program Files\Real Alternative
2008-05-10 08:07 --------- d-----w C:\Program Files\QuickTime
2008-05-10 08:07 --------- d-----w C:\Program Files\Java
2008-05-10 05:11 169,109 ----a-w C:\WINDOWS\system32\drivers\scskusbs.sys
2008-05-10 05:11 11,385 ----a-w C:\WINDOWS\system32\drivers\scskusbf.sys
2008-05-06 02:41 --------- d-----w C:\Program Files\NPKI
2008-05-06 02:41 --------- d-----w C:\Program Files\INITECH
2008-05-05 13:02 --------- d-----w C:\Documents and Settings\joes459\Application Data\Skype
2008-05-05 12:59 --------- d-----w C:\Documents and Settings\joes459\Application Data\skypePM
2008-05-02 05:52 1,705,562 ----a-w C:\WINDOWS\system32\npmon.exe
2008-05-02 05:10 102,461 ----a-w C:\WINDOWS\system32\nphkapi.dll
2008-04-24 12:44 159,745 --sh--r C:\9jjh.com
2008-04-23 03:14 158,316 --sh--r C:\t2mq2a.com
2008-04-23 01:40 374,784 ----a-w C:\WINDOWS\system32\kdfinj.dll
2008-04-20 09:04 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-20 03:15 --------- d-----w C:\Documents and Settings\joes459\Application Data\ESTsoft
2008-04-20 02:01 73,728 ----a-w C:\WINDOWS\system32\ISP_INISafeNet.dll
2008-04-20 02:01 708,096 ----a-w C:\WINDOWS\system32\INIcrypto20.dll
2008-04-20 02:01 638,976 ----a-w C:\WINDOWS\system32\ISPPopUpDlg.exe
2008-04-20 02:01 3,137,536 ----a-w C:\WINDOWS\system32\KvpVcmd.dll
2008-04-20 02:01 28,672 ----a-w C:\WINDOWS\system32\ISP_crgen.dll
2008-04-20 02:01 233,472 ----a-w C:\WINDOWS\system32\PubCertDlg.dll
2008-04-20 02:01 154,752 ----a-w C:\WINDOWS\system32\INIWebCrypto.dll
2008-04-20 02:00 --------- d-----w C:\Program Files\INICIS
2008-04-20 00:48 --------- d-----w C:\Program Files\Common Files\AhnLab
2008-04-20 00:48 --------- d-----w C:\Program Files\AhnLab
2008-04-19 09:40 --------- d-----w C:\Program Files\Broadcom
2008-04-19 07:55 --------- d-----w C:\Program Files\Apple Software Update
2008-04-17 00:19 --------- d-----w C:\Program Files\Microsoft Works
2008-04-17 00:19 --------- d-----w C:\Program Files\Common Files\L&H
2008-04-16 02:22 --------- d-----w C:\Program Files\Pruna
2008-04-08 01:55 --------- d-----w C:\Program Files\PowerISO
2008-04-07 04:35 953,048 ----a-w C:\WINDOWS\system32\SCSKCORE.dll
2008-04-07 01:26 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-06 09:48 --------- d-----w C:\Program Files\ESTsoft
2008-04-05 08:45 --------- d-----w C:\Program Files\Microsoft.NET
2008-04-05 08:45 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-05 08:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-05 07:48 --------- d-----w C:\Documents and Settings\joes459\Application Data\Azureus
2008-03-23 12:53 155,716 --sh--r C:\al8u.com
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-17 04:17 306,432 ----a-w C:\WINDOWS\system32\TuneUpDefragService.exe
2008-03-14 14:37 149,664 --sh--r C:\x8.bat
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-25 05:26 32,768 ----a-w C:\WINDOWS\system32\UbiKeyWin32.dll
2008-02-25 05:26 32,768 ----a-w C:\WINDOWS\system32\UbiKey.dll
2008-01-17 13:19 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FAEBE5F2-5E2E-11D8-A251-00D0591C1C61}]
2008-01-11 23:42 36864 --a------ C:\WINDOWS\system32\MSvcprt4.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 21:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 21:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 21:00 59392]
"IRW"="C:\WINDOWS\system32\IRW.exe" [2007-10-09 10:56 147456]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 21:00 208952]
"Apple_KbdMgr"="C:\Program Files\Boot Camp\KbdMgr.exe" [2007-10-09 12:06 419120]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-10-12 16:28 1282048]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-07-11 09:14 142104]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-07-11 09:14 162584]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-08 20:59 16384512 C:\WINDOWS\RTHDCPL.exe]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 21:00 158208]
"NetClient RC Helper"="C:\WINDOWS\system32\NetClient40\rc\NrDeskHlp.exe" [2007-06-01 00:46 71440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\_ishieldA.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\_ishieldB.sys]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^joes459^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\joes459\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-02-14 08:09 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HncUpdate]
--a------ 2008-02-17 15:44 500392 C:\Program Files\Common Files\Hnc\HncUtils\HncUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 12:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kxva]
C:\WINDOWS\system32\kxvo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-14 01:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 10:56 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"kxva"=C:\WINDOWS\system32\kxvo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
"NetClient RC Helper"=C:\WINDOWS\system32\NetClient40\rc\NrDeskHlp.exe
"Persistence"=C:\WINDOWS\system32\igfxpers.exe
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\NetClient40\\ncipmgr.exe"=
"C:\\WINDOWS\\system32\\skcbgm.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Nexon\\NGM\\NGM.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Nexon\\Common\\NMService.exe"=
"C:\\Program Files\\Pruna\\Pruna.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\NetClient40\\ncclient.exe"=
"C:\\WINDOWS\\system32\\NetClient40\\NetChat.exe"=
"C:\\WINDOWS\\system32\\NetClient40\\rc\\DrFtc.exe"=
"C:\\WINDOWS\\system32\\NetClient40\\rc\\NrHost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12301:TCP"= 12301:TCP:160.36.178.188/255.255.255.255:Enabled:McAfeeServer
"12301:UDP"= 12301:UDP:160.36.178.188/255.255.255.255:Enabled:McAfeeServer
"12302:TCP"= 12302:TCP:160.36.178.188/255.255.255.255:Enabled:McAfeeUpdate
"12302:UDP"= 12302:UDP:160.36.178.188/255.255.255.255:Enabled:McAfeeUpdate

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 nrdrvnt3;nrdrvnt3;C:\WINDOWS\system32\DRIVERS\nrdrvnt3.sys [2007-06-01 00:46]
R2 AppleOSSMgr;Apple OS Switch Manager;C:\WINDOWS\system32\AppleOSSMgr.exe [2007-10-09 12:04]
R2 AppleTimeSrv;Apple Time Service;C:\WINDOWS\system32\AppleTimeSrv.exe [2007-10-09 12:05]
R2 KeyAgent;KeyAgent;C:\WINDOWS\system32\drivers\KeyAgent.sys [2007-10-09 10:56]
R2 MacHALDriver;Mac HAL;C:\WINDOWS\system32\drivers\MacHALDriver.sys [2007-10-09 10:56]
R2 NCClient Agent;NCClient Agent;C:\WINDOWS\system32\NetClient40\ncagent.exe [2003-12-07 01:44]
R2 npkcmsvc;npkcmsvc;C:\WINDOWS\system32\npkcmsvc.exe [2008-01-22 11:57]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 21:00]
R3 aapltctp;Apple Trackpad Enabler;C:\WINDOWS\system32\DRIVERS\aapltctp.sys [2007-10-09 10:56]
R3 aapltp;Apple Trackpad;C:\WINDOWS\system32\DRIVERS\aapltp.sys [2007-10-09 10:56]
R3 applebt;Apple Built-in Bluetooth;C:\WINDOWS\system32\DRIVERS\applebt.sys [2007-10-09 10:56]
R3 IRRemoteFlt;IR Receiver Filter Driver;C:\WINDOWS\system32\DRIVERS\IRFilter.sys [2007-10-09 10:56]
R3 KeyMagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys [2007-10-09 10:56]
R3 NCGUARD;DoctorSoft NCGuard;C:\WINDOWS\system32\DRIVERS\NCGUARD.SYS [2007-05-23 09:02]
R3 NCPMon40;NetClient Process detector;C:\WINDOWS\system32\NetClient40\NCPMon40.sys [2003-11-12 10:17]
R3 NSECU;DoctorSoft Network Secu;C:\WINDOWS\system32\DRIVERS\NSECU.SYS [2007-05-15 06:59]
S1 _ishieldA;_ishieldA;C:\WINDOWS\system32\drivers\_ishieldA.sys []
S1 _ishieldB;_ishieldB;C:\WINDOWS\system32\drivers\_ishieldB.sys []
S3 BthKicker;Apple Bluetooth Device Driver;C:\WINDOWS\system32\DRIVERS\BthKicker.sys [2007-10-09 10:56]
S3 iSightUpdate;iSight Update Driver;C:\WINDOWS\system32\DRIVERS\iSightUP.sys [2007-10-09 10:56]
S3 ncpflt;ncpflt;C:\WINDOWS\system32\Drivers\ncpflt.sys [2007-06-15 08:11]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-03-17 13:17]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\oalvm.com
\Shell\explore\Command - C:\oalvm.com
\Shell\open\Command - C:\oalvm.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\SETUP.EXE /AUTORUN
\Shell\configure\command - F:\SETUP.EXE
\Shell\install\command - F:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3712f160-d623-11dc-8a43-001d4fa4ed19}]
\Shell\AutoRun\command - G:\f6d.bat
\Shell\explore\Command - G:\f6d.bat
\Shell\open\Command - G:\f6d.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42f17b91-c1ac-11dc-89f4-001d4fa4ed19}]
\Shell\AutoRun\command - F:\6krxwx.cmd
\Shell\explore\Command - F:\6krxwx.cmd
\Shell\open\Command - F:\6krxwx.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6443b5af-c0d9-11dc-89f1-001d4fa4ed19}]
\Shell\AutoRun\command - F:\3bqqnkd.bat
\Shell\explore\Command - F:\3bqqnkd.bat
\Shell\open\Command - F:\3bqqnkd.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0d59ce8-c234-11dc-89f5-001d4fa4ed19}]
\Shell\AutoRun\command - F:\vl.com
\Shell\explore\Command - F:\vl.com
\Shell\open\Command - F:\vl.com

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-03-17 04:17:29 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
"2008-05-12 00:18:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 13:51:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-25 13:52:10
ComboFix-quarantined-files.txt 2008-05-25 04:52:06

Pre-Run: 3,255,758,848 bytes free
Post-Run: 3,425,402,880 bytes free

286

2nd ComboFix scan


ComboFix 08-05-21.3 - joes459 2008-05-25 13:56:16.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.949.82.1033.18.1916 [GMT 9:00]
Running from: C:\Documents and Settings\joes459\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

G:\Autorun.inf
G:\xaul0q8u.bat

.
((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
.

2008-05-24 14:30 . 2008-05-24 14:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-22 22:07 . 2008-05-22 22:07 <DIR> d-------- C:\Program Files\Network Associates
2008-05-13 11:00 . 2008-05-08 13:32 3,804 --a------ C:\WINDOWS\system32\teexcept.dat
2008-05-11 21:36 . 2008-05-11 21:36 <DIR> d-------- C:\Documents and Settings\All Users\Application ja_JP
2008-05-11 11:16 . 2008-05-11 11:16 <DIR> d-------- C:\Program Files\Cyworld Music Player
2008-05-10 17:33 . 2008-05-25 13:56 <DIR> d-------- C:\QUARANTINE
2008-05-10 17:09 . 2008-05-10 17:09 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-05-10 17:09 . 2006-11-30 08:50 168,776 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-05-10 17:09 . 2006-11-30 08:50 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-05-10 17:09 . 2006-11-30 08:50 64,360 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2008-05-10 17:09 . 2006-11-30 08:50 52,136 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2008-05-10 17:09 . 2006-11-30 08:50 34,152 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-05-10 17:07 . 2008-05-10 17:09 <DIR> d-------- C:\Program Files\McAfee
2008-05-10 17:07 . 2008-05-10 17:07 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-05-10 17:07 . 2008-05-10 17:07 <DIR> d-------- C:\Program Files\AVDistribution
2008-05-10 17:07 . 2008-05-10 17:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-10 17:07 . 2006-11-17 03:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2008-05-10 17:07 . 2006-11-17 03:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2008-05-10 16:24 . 2008-05-10 17:19 162,483 -r-hs---- C:\f6d.bat
2008-05-10 10:27 . 2008-05-10 13:31 161,329 -r-hs---- C:\sqtd.exe
2008-05-07 22:11 . 2008-05-08 11:24 161,863 -r-hs---- C:\wk.exe
2008-05-06 11:41 . 2008-05-06 11:41 <DIR> d-------- C:\WINDOWS\Application Data
2008-05-06 11:28 . 2004-08-04 21:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-05-05 22:02 . 2008-05-05 22:02 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-05 22:02 . 2008-05-05 22:02 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-05-04 14:48 . 2008-05-04 14:48 1,628 --a------ C:\WINDOWS\system32\p3downasx.asx
2008-05-03 22:27 . 2008-05-13 23:00 404,649 --a------ C:\WINDOWS\system32\nperr.npl
2008-05-03 11:07 . 2004-08-03 22:31 132,695 --a--c--- C:\WINDOWS\system32\dllcache\netwlan5.sys
2008-05-03 11:07 . 2001-08-17 12:11 65,278 --a--c--- C:\WINDOWS\system32\dllcache\netflx3.sys
2008-05-03 11:07 . 2001-08-17 22:36 60,480 --a--c--- C:\WINDOWS\system32\dllcache\neo20xx.dll
2008-05-03 11:07 . 2001-08-17 12:50 39,264 --a--c--- C:\WINDOWS\system32\dllcache\neo20xx.sys
2008-05-03 11:05 . 2001-08-17 13:28 797,500 --a--c--- C:\WINDOWS\system32\dllcache\ltsmt.sys
2008-05-03 11:04 . 2001-08-17 13:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2008-05-03 11:03 . 2004-08-04 00:56 702,845 --a--c--- C:\WINDOWS\system32\dllcache\i81xdnt5.dll
2008-05-03 11:02 . 2004-08-03 22:41 1,041,536 --a--c--- C:\WINDOWS\system32\dllcache\hsfdpsp2.sys
2008-05-03 11:01 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-05-03 11:00 . 2001-08-17 12:17 629,952 --a--c--- C:\WINDOWS\system32\dllcache\eqn.sys
2008-05-03 10:59 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-05-03 10:58 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-05-03 10:57 . 2004-08-04 00:56 1,888,992 --a--c--- C:\WINDOWS\system32\dllcache\ati3duag.dll
2008-05-03 10:56 . 2007-02-28 18:10 2,180,352 --a--c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-05-02 23:26 . 2008-05-13 23:00 16,627 ---h----- C:\WINDOWS\system32\200805.npl
2008-04-28 22:03 . 2008-04-29 22:22 162,529 -r-hs---- C:\rxub.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-24 01:47 --------- d-----w C:\Program Files\QuoteTracker
2008-05-18 23:17 --------- d-----w C:\Program Files\Certiprep
2008-05-13 13:57 73,728 ----a-w C:\WINDOWS\system32\kdfapi.dll
2008-05-13 13:57 159,744 ----a-w C:\WINDOWS\system32\kdfmgr.exe
2008-05-13 13:45 47,104 ----a-w C:\WINDOWS\system32\Kdfhok.dll
2008-05-11 14:11 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-05-10 08:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-10 08:07 --------- d-----w C:\Program Files\ToToBrowser
2008-05-10 08:07 --------- d-----w C:\Program Files\SopCast
2008-05-10 08:07 --------- d-----w C:\Program Files\Real Alternative
2008-05-10 08:07 --------- d-----w C:\Program Files\QuickTime
2008-05-10 08:07 --------- d-----w C:\Program Files\Java
2008-05-10 05:11 169,109 ----a-w C:\WINDOWS\system32\drivers\scskusbs.sys
2008-05-10 05:11 11,385 ----a-w C:\WINDOWS\system32\drivers\scskusbf.sys
2008-05-06 02:41 --------- d-----w C:\Program Files\NPKI
2008-05-06 02:41 --------- d-----w C:\Program Files\INITECH
2008-05-05 13:02 --------- d-----w C:\Documents and Settings\joes459\Application Data\Skype
2008-05-05 12:59 --------- d-----w C:\Documents and Settings\joes459\Application Data\skypePM
2008-05-02 05:52 1,705,562 ----a-w C:\WINDOWS\system32\npmon.exe
2008-05-02 05:10 102,461 ----a-w C:\WINDOWS\system32\nphkapi.dll
2008-04-24 12:44 159,745 --sh--r C:\9jjh.com
2008-04-23 03:14 158,316 --sh--r C:\t2mq2a.com
2008-04-23 01:40 374,784 ----a-w C:\WINDOWS\system32\kdfinj.dll
2008-04-20 09:04 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-20 03:15 --------- d-----w C:\Documents and Settings\joes459\Application Data\ESTsoft
2008-04-20 02:01 73,728 ----a-w C:\WINDOWS\system32\ISP_INISafeNet.dll
2008-04-20 02:01 708,096 ----a-w C:\WINDOWS\system32\INIcrypto20.dll
2008-04-20 02:01 638,976 ----a-w C:\WINDOWS\system32\ISPPopUpDlg.exe
2008-04-20 02:01 3,137,536 ----a-w C:\WINDOWS\system32\KvpVcmd.dll
2008-04-20 02:01 28,672 ----a-w C:\WINDOWS\system32\ISP_crgen.dll
2008-04-20 02:01 233,472 ----a-w C:\WINDOWS\system32\PubCertDlg.dll
2008-04-20 02:01 154,752 ----a-w C:\WINDOWS\system32\INIWebCrypto.dll
2008-04-20 02:00 --------- d-----w C:\Program Files\INICIS
2008-04-20 00:48 --------- d-----w C:\Program Files\Common Files\AhnLab
2008-04-20 00:48 --------- d-----w C:\Program Files\AhnLab
2008-04-19 09:40 --------- d-----w C:\Program Files\Broadcom
2008-04-19 07:55 --------- d-----w C:\Program Files\Apple Software Update
2008-04-17 00:19 --------- d-----w C:\Program Files\Microsoft Works
2008-04-17 00:19 --------- d-----w C:\Program Files\Common Files\L&H
2008-04-16 02:22 --------- d-----w C:\Program Files\Pruna
2008-04-08 01:55 --------- d-----w C:\Program Files\PowerISO
2008-04-07 04:35 953,048 ----a-w C:\WINDOWS\system32\SCSKCORE.dll
2008-04-07 01:26 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-06 09:48 --------- d-----w C:\Program Files\ESTsoft
2008-04-05 08:45 --------- d-----w C:\Program Files\Microsoft.NET
2008-04-05 08:45 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-05 08:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-05 07:48 --------- d-----w C:\Documents and Settings\joes459\Application Data\Azureus
2008-03-23 12:53 155,716 --sh--r C:\al8u.com
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-17 04:17 306,432 ----a-w C:\WINDOWS\system32\TuneUpDefragService.exe
2008-03-14 14:37 149,664 --sh--r C:\x8.bat
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-25 05:26 32,768 ----a-w C:\WINDOWS\system32\UbiKeyWin32.dll
2008-02-25 05:26 32,768 ----a-w C:\WINDOWS\system32\UbiKey.dll
2008-01-17 13:19 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FAEBE5F2-5E2E-11D8-A251-00D0591C1C61}]
2008-01-11 23:42 36864 --a------ C:\WINDOWS\system32\MSvcprt4.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 21:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 21:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 21:00 59392]
"IRW"="C:\WINDOWS\system32\IRW.exe" [2007-10-09 10:56 147456]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 21:00 208952]
"Apple_KbdMgr"="C:\Program Files\Boot Camp\KbdMgr.exe" [2007-10-09 12:06 419120]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-10-12 16:28 1282048]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-07-11 09:14 142104]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-07-11 09:14 162584]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-08 20:59 16384512 C:\WINDOWS\RTHDCPL.exe]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 21:00 158208]
"NetClient RC Helper"="C:\WINDOWS\system32\NetClient40\rc\NrDeskHlp.exe" [2007-06-01 00:46 71440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\_ishieldA.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\_ishieldB.sys]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^joes459^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\joes459\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-02-14 08:09 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HncUpdate]
--a------ 2008-02-17 15:44 500392 C:\Program Files\Common Files\Hnc\HncUtils\HncUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 12:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kxva]
C:\WINDOWS\system32\kxvo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-14 01:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 10:56 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"kxva"=C:\WINDOWS\system32\kxvo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
"NetClient RC Helper"=C:\WINDOWS\system32\NetClient40\rc\NrDeskHlp.exe
"Persistence"=C:\WINDOWS\system32\igfxpers.exe
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\NetClient40\\ncipmgr.exe"=
"C:\\WINDOWS\\system32\\skcbgm.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Nexon\\NGM\\NGM.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Nexon\\Common\\NMService.exe"=
"C:\\Program Files\\Pruna\\Pruna.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\NetClient40\\ncclient.exe"=
"C:\\WINDOWS\\system32\\NetClient40\\NetChat.exe"=
"C:\\WINDOWS\\system32\\NetClient40\\rc\\DrFtc.exe"=
"C:\\WINDOWS\\system32\\NetClient40\\rc\\NrHost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12301:TCP"= 12301:TCP:160.36.178.188/255.255.255.255:Enabled:McAfeeServer
"12301:UDP"= 12301:UDP:160.36.178.188/255.255.255.255:Enabled:McAfeeServer
"12302:TCP"= 12302:TCP:160.36.178.188/255.255.255.255:Enabled:McAfeeUpdate
"12302:UDP"= 12302:UDP:160.36.178.188/255.255.255.255:Enabled:McAfeeUpdate

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 nrdrvnt3;nrdrvnt3;C:\WINDOWS\system32\DRIVERS\nrdrvnt3.sys [2007-06-01 00:46]
R2 AppleOSSMgr;Apple OS Switch Manager;C:\WINDOWS\system32\AppleOSSMgr.exe [2007-10-09 12:04]
R2 AppleTimeSrv;Apple Time Service;C:\WINDOWS\system32\AppleTimeSrv.exe [2007-10-09 12:05]
R2 KeyAgent;KeyAgent;C:\WINDOWS\system32\drivers\KeyAgent.sys [2007-10-09 10:56]
R2 MacHALDriver;Mac HAL;C:\WINDOWS\system32\drivers\MacHALDriver.sys [2007-10-09 10:56]
R2 NCClient Agent;NCClient Agent;C:\WINDOWS\system32\NetClient40\ncagent.exe [2003-12-07 01:44]
R2 npkcmsvc;npkcmsvc;C:\WINDOWS\system32\npkcmsvc.exe [2008-01-22 11:57]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 21:00]
R3 aapltctp;Apple Trackpad Enabler;C:\WINDOWS\system32\DRIVERS\aapltctp.sys [2007-10-09 10:56]
R3 aapltp;Apple Trackpad;C:\WINDOWS\system32\DRIVERS\aapltp.sys [2007-10-09 10:56]
R3 applebt;Apple Built-in Bluetooth;C:\WINDOWS\system32\DRIVERS\applebt.sys [2007-10-09 10:56]
R3 IRRemoteFlt;IR Receiver Filter Driver;C:\WINDOWS\system32\DRIVERS\IRFilter.sys [2007-10-09 10:56]
R3 KeyMagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys [2007-10-09 10:56]
R3 NCGUARD;DoctorSoft NCGuard;C:\WINDOWS\system32\DRIVERS\NCGUARD.SYS [2007-05-23 09:02]
R3 NCPMon40;NetClient Process detector;C:\WINDOWS\system32\NetClient40\NCPMon40.sys [2003-11-12 10:17]
R3 NSECU;DoctorSoft Network Secu;C:\WINDOWS\system32\DRIVERS\NSECU.SYS [2007-05-15 06:59]
S1 _ishieldA;_ishieldA;C:\WINDOWS\system32\drivers\_ishieldA.sys []
S1 _ishieldB;_ishieldB;C:\WINDOWS\system32\drivers\_ishieldB.sys []
S3 BthKicker;Apple Bluetooth Device Driver;C:\WINDOWS\system32\DRIVERS\BthKicker.sys [2007-10-09 10:56]
S3 iSightUpdate;iSight Update Driver;C:\WINDOWS\system32\DRIVERS\iSightUP.sys [2007-10-09 10:56]
S3 ncpflt;ncpflt;C:\WINDOWS\system32\Drivers\ncpflt.sys [2007-06-15 08:11]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-03-17 13:17]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\oalvm.com
\Shell\explore\Command - C:\oalvm.com
\Shell\open\Command - C:\oalvm.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\SETUP.EXE /AUTORUN
\Shell\configure\command - F:\SETUP.EXE
\Shell\install\command - F:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42f17b91-c1ac-11dc-89f4-001d4fa4ed19}]
\Shell\AutoRun\command - F:\6krxwx.cmd
\Shell\explore\Command - F:\6krxwx.cmd
\Shell\open\Command - F:\6krxwx.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6443b5af-c0d9-11dc-89f1-001d4fa4ed19}]
\Shell\AutoRun\command - F:\3bqqnkd.bat
\Shell\explore\Command - F:\3bqqnkd.bat
\Shell\open\Command - F:\3bqqnkd.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0d59ce8-c234-11dc-89f5-001d4fa4ed19}]
\Shell\AutoRun\command - F:\vl.com
\Shell\explore\Command - F:\vl.com
\Shell\open\Command - F:\vl.com

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-03-17 04:17:29 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
"2008-05-12 00:18:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 13:57:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-25 13:58:01
ComboFix-quarantined-files.txt 2008-05-25 04:57:43
ComboFix2.txt 2008-05-25 04:52:10

Pre-Run: 3,438,747,648 bytes free
Post-Run: 3,422,375,936 bytes free

265


HijackThis scan


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:00:23 PM, on 5/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\AppleOSSMgr.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\NetClient40\ncagent.exe
C:\WINDOWS\system32\NetClient40\ncclient.exe
C:\WINDOWS\system32\npkcmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\IRW.exe
C:\Program Files\Boot Camp\KbdMgr.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\NetClient40\rc\NrDeskHlp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: msvcprt4.msvcprt4d - {FAEBE5F2-5E2E-11D8-A251-00D0591C1C61} - C:\WINDOWS\system32\MSvcprt4.dll
O3 - Toolbar: (no name) - {B982A63C-9A5B-4796-80B0-EC809FCDEBF2} - (no file)
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IRW] C:\WINDOWS\system32\IRW.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\KbdMgr.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NetClient RC Helper] C:\WINDOWS\system32\NetClient40\rc\NrDeskHlp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.shinhan.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {00001025-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter25 Class) - http://download.netmarble.com/web/nmsta ... rter25.cab
O16 - DPF: {03F49E0E-C43A-4037-BBD6-D681E998A08E} (CodeAx Class) - http://ep.knou.ac.kr/EP/web/common/cabf ... CodeAx.cab
O16 - DPF: {044123B5-35DF-4C4E-BAED-26B8ED964342} (HLiveRobotWeb Control) - http://fx.hauri.net/HProduct/livesuite/ ... botWeb.cab
O16 - DPF: {0A4E624A-F7EA-4313-B721-C5669E0C6266} (TrustSiteAuction Control) - http://download.auction.co.kr/activexpa ... onCtrl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {207444C6-E097-4F13-B9C1-F11B15DE78C4} (HackFire Control) - http://champstudy.com/hackdown/HackFire.cab
O16 - DPF: {20BBA18F-5BC8-47B5-8FC9-5DFCA8E56A4B} (XacsPop Control) - http://mpi.dacom.net/XMPI/js/xmpi2007.cab
O16 - DPF: {286A75C3-11FB-4FB4-AC4A-4DD1B0750050} (INISAFEWeb6 V6 Class) - http://download.banktown.com/kbstarActiveX/INIS60.cab
O16 - DPF: {317642DD-AF52-11D4-BC2A-0050DA8AEE6F} (FileMng Control) - http://mail.epis.ewha.ac.kr:8884/local/cabs/FileWiz.cab
O16 - DPF: {39461460-2552-4D51-A062-3AB6A7B902E9} (INISAFE Updater Control) - http://img.shinhan.com/shttp/install/down/INIS70.cab
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - http://img.shinhan.com/rib/common/keySt ... /scsk4.cab
O16 - DPF: {3A90D051-E921-4741-8288-D1B6747A8A51} (Yessign5 Control) - http://www.giro.or.kr/html/yessign/cab/yessign5.cab
O16 - DPF: {48ECCD73-123C-4C25-A64C-76E8E8A30CAF} (XPayMPIOCX Control) - http://mpi.dacom.net/XPayMPI/Xecure_Liv ... MPIOCX.cab
O16 - DPF: {53EED863-B547-40F8-B24A-2D6DE807CFE8} (Printmade Control) - http://img.shinhan.com/rib//ko/print/Printmade.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 2868270812
O16 - DPF: {6531D99C-0D0E-4293-B3CB-A3E1D0D41847} (AhnASP Control) - http://ahnlabdownload.nefficient.co.kr/ ... AhnASP.cab
O16 - DPF: {66413DC2-F891-40BC-822D-B7EEC8ADC281} (ProWorksGrid Control) - http://img.shinhan.com/rib/common/ProWorksGrid_78.cab
O16 - DPF: {6F517019-0482-4BD2-8AAD-1E3CB01C4148} (MiBookView Control) - http://asp.lemonbook.co.kr/CabDownLoad/MiBookView.cab
O16 - DPF: {6FE760D3-7851-4879-8838-62D9881D7177} (IniMasHandler Class) - http://www.bccard.com/service/individua ... Plugin.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://xecure.kbstar.com/xecure/xw_install_v7202.cab
O16 - DPF: {8FA8D5F7-7CBA-46D4-9568-68D70C5280E8} (NoPhishingX Control) - http://www.nophishing.co.kr/softrun/SH02/SRNPSH.cab
O16 - DPF: {92E82FBB-DA00-41E0-ABFE-95482E21A4F6} (NMTransX Module) - http://download.netmarble.com/NMChatX/NMTransX.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/activex/dmcc ... n=1,0,0,10
O16 - DPF: {99C709C7-4F58-46C1-855B-90213C760395} (v3d Class) - https://v3d.kcp.co.kr/file/kcp_ansimclick.cab
O16 - DPF: {9D67EBF0-AF1A-4BCE-BAC9-C84A9383E0B3} (SSOCheck Class) - http://epis.ewha.ac.kr:8880/EP/web/comm ... OCheck.cab
O16 - DPF: {9FC84F7D-D177-4A75-A7BB-429DA5BD0A3E} (SG_CAppAtx Control) -
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - http://k-defence.kbstar.com/kings/kdfx/ ... fense8.cab
O16 - DPF: {B0A75875-3622-48BA-B5FF-45AD77AC2D0E} (BankPayEFTCtrl Control) - http://download.auction.co.kr/activexpa ... PayEFT.cab
O16 - DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} (Daum ActiveX manager Class) - http://cafeimg.hanmail.net/cto/xman.cab?ver=1,2,3,5
O16 - DPF: {BBB0FC2D-1D95-45CA-BDCF-03B53F247FCC} (EwsLoader Class) -
O16 - DPF: {C1143E84-B2B1-473B-9F20-E62DD754FCAF} (VineTransfer Control) - http://www.giro.or.kr/html/ubikey/VineTransfer.cab
O16 - DPF: {CB5C683C-416A-4701-B018-0F1B21D64D6B} (SKCInst1 Class) - http://cyimg7.cyworld.com/cymusic/package/skcinst.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://n-protect.kbstar.com/nprotect/module/npx.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://update.nprotect.net/keycrypt/kft ... _vista.cab
O16 - DPF: {D912AABC-6CB0-416F-85B6-CABBB86FD558} (INIwallet60 Control) - http://plugin.inicis.com/wallet60/INIwallet60.cab
O16 - DPF: {D923AE0C-190D-4EDF-B07A-76AC571FBFD4} (SCSKEx Control) - http://img.shinhan.com/rib/common/keySt ... SCSKEX.cab
O16 - DPF: {D96D2F74-0B74-47D2-964F-B67E9F69F1CD} (CongnamulMap4Asp Control) - http://www.congnamul.com/ActiveX/ASPCab ... sp_V23.cab
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - https://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
O16 - DPF: {E831AA9C-C980-4F16-B252-09AAF40D0E9B} (Kdfense9 Control) - http://k-defence.kbstar.com/kdfx218/kbstar/kdfense9.cab
O16 - DPF: {E8FB2BD7-3703-483A-8EC1-43DADAFC7668} (ELauncher Control) - http://update.folderplus.com/eWebLink/eLauncher.cab
O16 - DPF: {EA0995BF-45DD-4DB0-ADD5-A39C37397841} (ShbAutoTrustSite Control) - http://img.shinhan.com/rib/common/Trust ... tSiteX.cab
O16 - DPF: {F61919F5-1292-4447-A904-1943D72ACF04} (CertCheck for KB Control) - http://img.kbstar.com/cab/certCheck.cab
O18 - Protocol: s-http - {D37E6C5F-1C0F-47C0-A3B6-403EEC555402} - C:\Program Files\INITECH\SHTTP\InitechSHTTPInterface.10111.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Apple OS Switch Manager (AppleOSSMgr) - Unknown owner - C:\WINDOWS\system32\AppleOSSMgr.exe
O23 - Service: Apple Time Service (AppleTimeSrv) - Apple Inc. - C:\WINDOWS\system32\AppleTimeSrv.exe
O23 - Service: iPod 서비스 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NCClient Agent - DRSOFT - C:\WINDOWS\system32\NetClient40\ncagent.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcmsvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10835 bytes
joes459
Active Member
 
Posts: 2
Joined: May 24th, 2008, 1:50 am

Re: Please help me

Unread postby Shaba » May 25th, 2008, 5:00 am

Hi

Before we continue, I have to ask: which device is F:?
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Please help me

Unread postby Shaba » May 30th, 2008, 12:03 pm

Due to Lack of Response this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland