Critical System Warning - CyberLog-x, etc.
Unread post by jtrag » November 17th, 2008, 4:12 am

Hello,

My computer seems to be infected with a virus that warns me I am infected and then directs me to websites to remove the virus. There is a Critical System Warning that continues to pop up warning of CyberLog-X being installed on my computer. There is a tool bar on IE called Security Toolbar 7.1 which cannot be removed. In the tray at the bottom right of IE there is a warning which continually pops up with a balloon warning of virus infection. This warning cannot be removed. The home page for IE changes to a virus protection webpage whenever another webpage is loaded. New IE windows open intermittently for virus warnings directing to download removal software.

I am usually very careful about viruses but this one got in somehow. I have run Spybot Search & Destroy, Ad-Aware, and just installed McAfee, but cannot get rid of this virus.

I live in Korea and this is a Korean computer with a lot of Korean software installed.

I loaded HijackThis v2.0.2 and performed a scan and saved the log file, which is attached below. Any help you may provide will be greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 오후 4:03:19, on 2008-11-17
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WebMediaViewer\qttask.exe
C:\Program Files\WebMediaViewer\hpmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WebMediaViewer\qttaskm.exe
C:\Program Files\WebMediaViewer\hpmom.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\npkcmsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: 야후! 툴바 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {096CBA44-4A4C-49f7-8903-1E75550ABCB7} - (no file)
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {64466B8E-20A7-4A4A-AFF4-AAD9CA68B52C} - C:\Program Files\WebMediaViewer\hpmun.dll
O2 - BHO: (no name) - {676F7A16-2D27-4E22-87F1-9D6E5BC49C57} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Reward Class - {9C37809D-A839-400b-9716-9F32ADC7E8F9} - C:\Program Files\Freechal\PlusBar\Reward\fc_reward_1c.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: IWebInterception Class - {BFDDBDBB-F62C-4D4A-B574-59D276F47196} - C:\Program Files\Click To Tweak [Basic]\WebInterception.dll
O2 - BHO: Search Class - {DAC24DC8-82EB-403d-BF69-41947EF4D941} - C:\Program Files\Freechal\PlusBar\Search\fc_search_1h.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: 네이버 툴바(&N) - {D09CFF09-A42A-4EDC-9804-E61224F59CA1} - C:\Program Files\naver\NaverToolbar\NaverTB_3_0_2_21.dll
O3 - Toolbar: Browser Toolbar - {2EEF94DF-75F6-42E9-B7FB-AF5A170A6E2E} - C:\Program Files\WebMediaViewer\browseul.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [QuickTime Task] C:\Program Files\WebMediaViewer\qttask.exe
O4 - HKLM\..\Policies\Explorer\Run: [VMware hptray] C:\Program Files\WebMediaViewer\hpmon.exe
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 네이버 검색 - res://C:\Program Files\naver\NaverToolbar\NaverTB_3_0_2_21.dll /SEARCH.HTML
O8 - Extra context menu item: 네이버 북마크하기 - res://C:\Program Files\naver\NaverToolbar\NaverTB_3_0_2_21.dll /BOOKMARK.HTML
O8 - Extra context menu item: 네이버 블로그 담기 - res://C:\Program Files\naver\NaverToolbar\NaverTB_3_0_2_21.dll /BLOG.HTML
O8 - Extra context menu item: 네이버 사전 검색 - res://C:\Program Files\naver\NaverToolbar\NaverTB_3_0_2_21.dll /DIC.HTML
O8 - Extra context menu item: 네이버 일한 번역 - res://C:\Program Files\naver\NaverToolbar\NaverTB_3_0_2_21.dll /JKTRANS.HTML
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.ietoolexpress.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IExplorer Security - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.ietoolexpress.com/redirect.php (file missing)
O9 - Extra button: 리서치 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.websale.co.kr
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {3270EED1-B285-4828-A0A7-F55913A9B724} (S2PlayerPan Class) - http://listen.daum.net/52st/52street/S2MusicPlayer.dll
O16 - DPF: {3942BD43-B5CE-465F-9AC3-16BA93994273} (DosirakControl Control) - http://www.dosirak.com/Commons/Activex/ ... ontrol.ocx
O16 - DPF: {5B420135-B86A-4854-876A-4154FD35C2E9} (Flash365X Control) - http://toolbar.flash365.co.kr/toolbar/s ... sh365X.cab
O16 - DPF: {A1E0ACF5-232E-4E85-9EC4-669809AEB8F8} (GameAngelAx Installer) - http://app.nbar.co.kr/Install/cab2/axInstall26.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O22 - SharedTaskScheduler: behaves - {1f3dd9bf-1472-4a8b-b295-b596a597149b} - (no file)
O23 - Service: McAfee Application Installer Cleanup (0023401226891960) (0023401226891960mcinstcleanup) - McAfee, Inc. - C:\DOCUME~1\User\LOCALS~1\Temp\002340~1.EXE
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ViRobot Desktop Monitoring (vrmonsvc) - Unknown owner - C:\Program Files\HAURI\Common\Base\vrmonsvc.exe (file missing)
O24 - Desktop Component 0: (no name) - http://img.yahoo.co.kr/kids/2007rn/k_sch2.gif

--
End of file - 9177 bytes
jtrag
Active Member
 
Posts: 11
Joined: November 17th, 2008, 3:34 am

Re: Critical System Warning - CyberLog-x, etc.

Unread post by Odd dude » November 17th, 2008, 11:52 am

Hello and welcome to the forums!

I'm Odd dude, pleased to meet you; if it helps, you can call me OD ;). I will be helping you with your infection. However, it is important to take note of the following - quite the wall of text, I know, but please bear with me:

  • Logs from malware removal programs (Hijackthis is one of them) can take some time to analyze. I need you to be patient whilst I analyze any logs you post.
  • Please carefully read any instruction that I give you.
    Reading too lightly will cause you to miss important steps, which could have destructive effects.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • Only YOU must use these instructions; they are not suitable for any other computer with similar problems.
  • Do not do things I do not ask for, such as running a spyware scan. The one thing you should always do, though, is to make sure that your antivirus definitions are up-to-date!
  • If I tell you to download a tool which you already have, please re-download it and do not use the copy you already have. This is because the tools are updated regularly.
  • In Windows Vista, all tools need to be started by right clicking and selecting Run as administrator!
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you were to do the same. From this point, we're in this together ;)
  • As I am still in training at the Malware Removal University, anything I do must be checked by an experienced malware fighter. This means there might be a slight delay in my answers.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system. Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

I am now analyzing your situation and hope to be back with you soon. While I am reviewing your situation, could you please do the following for me:

Make an Uninstall List
I need you to create an uninstall list so I can further analyze your situation.

  • Start HijackThis.
  • Click Open the Misc Tools section
  • Click Open Uninstall Manager
  • Click Save list...
  • Save the list to your desktop, or any other convenient place.

Please post back:
  • Uninstall list
  • New hijackthis log
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Critical System Warning - CyberLog-x, etc.

Unread post by jtrag » November 17th, 2008, 4:11 pm

Hi OD,

Thanks for your help.

Here is the uninstall list:

겜미르 게임실행 프로그램
곰오디오
곰플레이어
나나이모
네이버 툴바
네이트온
넷마블 게임 '쿵야대난투'
메탈슬러그4
미니파이터
버디버디
선언맞고
소닉 어드벤처DX
싸이월드 스튜디오
알집
야후! 고스톱
야후! 국민맞고
야후! 국민포커
야후! 윈드슬레이어
야후! 툴바
어둠의전설
어둠하데스
카트라이더
한게임 자동 인스톨러
한글 2005
Ad-Aware
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Adobe Shockwave Player
AhnLab MyKeyDefense 2.0
AhnLab Smart Update i
BitPim 1.0.2
BnB2
Browser Toolbar
Crazy Arcade
Flash365 ActiveX 삭제
Freechal Plusbar
Frogger2 Demo
Google 업데이터
Google Earth
Guitar Pro 5.0
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
IExplorer add-on
KICA SSO Client for 교육부통합(v2.0.3.0)
kimchi vs chobob
KoongPa
Luxor 2 (remove only)
MapleStory
McAfee SecurityCenter
Metal Slug 3-5
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (2.0.0.17)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Nero OEM
NetmarbleKA
Norton Security Scan
nProtect KeyCrypt
nProtect Netizen(remove only)
NVIDIA Drivers
Online Alert Manager
PCLink2000
PokerStars
Realtek AC'97 Audio
Samsung Anycall CDMA Driver
Samsung Anycall HSP Driver
Samsung Anycall HSP Plus Driver
SAMSUNG CDMA Modem Driver Set
Samsung Master
Samsung USB Driver
SBSWebPlayer
SoftCamp Secure KeyStroke 4.0
SONIC HEROES
Spybot - Search & Destroy
StoneAge2
Winamp
Winamp Toolbar
Windows Internet Explorer 7용 보안 업데이트 (KB938127)
Windows Internet Explorer 7용 보안 업데이트 (KB942615)
Windows Internet Explorer 7용 보안 업데이트 (KB944533)
Windows Internet Explorer 7용 보안 업데이트 (KB950759)
Windows Internet Explorer 7용 보안 업데이트 (KB953838)
Windows Internet Explorer 7용 보안 업데이트 (KB956390)
Windows Internet Explorer 7용 핫픽스 (KB947864)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player 11 보안 업데이트(KB936782)
Windows Media Player 11 보안 업데이트(KB954154)
Windows Media Player 11 핫픽스(KB939683)
Windows XP 보안 업데이트(KB941569)
Windows XP Service Pack 3
Windows XP용 보안 업데이트 (KB938464)
Windows XP용 보안 업데이트 (KB946648)
Windows XP용 보안 업데이트 (KB950760)
Windows XP용 보안 업데이트 (KB950762)
Windows XP용 보안 업데이트 (KB950974)
Windows XP용 보안 업데이트 (KB951066)
Windows XP용 보안 업데이트 (KB951376)
Windows XP용 보안 업데이트 (KB951376-v2)
Windows XP용 보안 업데이트 (KB951698)
Windows XP용 보안 업데이트 (KB951748)
Windows XP용 보안 업데이트 (KB952954)
Windows XP용 보안 업데이트 (KB953839)
Windows XP용 보안 업데이트 (KB954211)
Windows XP용 보안 업데이트 (KB954459)
Windows XP용 보안 업데이트 (KB955069)
Windows XP용 보안 업데이트 (KB956391)
Windows XP용 보안 업데이트 (KB956803)
Windows XP용 보안 업데이트 (KB956841)
Windows XP용 보안 업데이트 (KB957095)
Windows XP용 보안 업데이트 (KB957097)
Windows XP용 보안 업데이트 (KB958644)
Windows XP용 업데이트 (KB951072-v2)
Windows XP용 업데이트 (KB951978)
Windows XP용 핫픽스 (KB952287)
XecureWeb Control
XPayMPI 2.0.2.2

And here is the new scan log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 오전 5:03:55, on 2008-11-18
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WebMediaViewer\qttask.exe
C:\Program Files\WebMediaViewer\hpmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WebMediaViewer\qttaskm.exe
C:\Program Files\WebMediaViewer\hpmom.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\npkcmsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: 야후! 툴바 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {096CBA44-4A4C-49f7-8903-1E75550ABCB7} - (no file)
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {64466B8E-20A7-4A4A-AFF4-AAD9CA68B52C} - C:\Program Files\WebMediaViewer\hpmun.dll
O2 - BHO: (no name) - {676F7A16-2D27-4E22-87F1-9D6E5BC49C57} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Reward Class - {9C37809D-A839-400b-9716-9F32ADC7E8F9} - C:\Program Files\Freechal\PlusBar\Reward\fc_reward_1c.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: IWebInterception Class - {BFDDBDBB-F62C-4D4A-B574-59D276F47196} - C:\Program Files\Click To Tweak [Basic]\WebInterception.dll
O2 - BHO: Search Class - {DAC24DC8-82EB-403d-BF69-41947EF4D941} - C:\Program Files\Freechal\PlusBar\Search\fc_search_1h.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: 네이버 툴바(&N) - {D09CFF09-A42A-4EDC-9804-E61224F59CA1} - C:\Program Files\naver\NaverToolbar\NaverTB_3_0_2_21.dll
O3 - Toolbar: Browser Toolbar - {2EEF94DF-75F6-42E9-B7FB-AF5A170A6E2E} - C:\Program Files\WebMediaViewer\browseul.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [QuickTime Task] C:\Program Files\WebMediaViewer\qttask.exe
O4 - HKLM\..\Policies\Explorer\Run: [VMware hptray] C:\Program Files\WebMediaViewer\hpmon.exe
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 네이버 검색 - res://C:\Program Files\naver\NaverToolbar\NaverTB_3_0_2_21.dll /SEARCH.HTML
O8 - Extra context menu item: 네이버 북마크하기 - res://C:\Program Files\naver\NaverToolbar\NaverTB_3_0_2_21.dll /BOOKMARK.HTML
O8 - Extra context menu item: 네이버 블로그 담기 - res://C:\Program Files\naver\NaverToolbar\NaverTB_3_0_2_21.dll /BLOG.HTML
O8 - Extra context menu item: 네이버 사전 검색 - res://C:\Program Files\naver\NaverToolbar\NaverTB_3_0_2_21.dll /DIC.HTML
O8 - Extra context menu item: 네이버 일한 번역 - res://C:\Program Files\naver\NaverToolbar\NaverTB_3_0_2_21.dll /JKTRANS.HTML
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.ietoolexpress.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IExplorer Security - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.ietoolexpress.com/redirect.php (file missing)
O9 - Extra button: 리서치 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.websale.co.kr
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {3270EED1-B285-4828-A0A7-F55913A9B724} (S2PlayerPan Class) - http://listen.daum.net/52st/52street/S2MusicPlayer.dll
O16 - DPF: {3942BD43-B5CE-465F-9AC3-16BA93994273} (DosirakControl Control) - http://www.dosirak.com/Commons/Activex/ ... ontrol.ocx
O16 - DPF: {5B420135-B86A-4854-876A-4154FD35C2E9} (Flash365X Control) - http://toolbar.flash365.co.kr/toolbar/s ... sh365X.cab
O16 - DPF: {A1E0ACF5-232E-4E85-9EC4-669809AEB8F8} (GameAngelAx Installer) - http://app.nbar.co.kr/Install/cab2/axInstall26.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O22 - SharedTaskScheduler: behaves - {1f3dd9bf-1472-4a8b-b295-b596a597149b} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ViRobot Desktop Monitoring (vrmonsvc) - Unknown owner - C:\Program Files\HAURI\Common\Base\vrmonsvc.exe (file missing)
O24 - Desktop Component 0: (no name) - http://img.yahoo.co.kr/kids/2007rn/k_sch2.gif

--
End of file - 9061 bytes
jtrag
Active Member
 
Posts: 11
Joined: November 17th, 2008, 3:34 am

Re: Critical System Warning - CyberLog-x, etc.

Unread post by Odd dude » November 22nd, 2008, 4:14 am

I'm very, very, very, very, very sorry it took me so long to get back to you. Miscommunication between me and the teachers.

If you're still there, these are your instructions:

Uninstall bad programs
It is required that you uninstall some infected programs. To do so:

  • Click Start :arrow: Control Panel
  • Double click Add/Remove programs and wait for the uninstall list to be composed
  • Now, highlight the first program on the following list. Next, please click the Remove button and follow the prompts to remove the infected programs. Be VERY careful to READ. Some uninstallers word their questions in a way that tricks you into keeping the program, sometimes not allowing it to be uninstalled again!
  • Repeat instructions for all other programs on the list. Don't worry if one isn't there.
    Browser Toolbar
    Freechal Plusbar
    IExplorer add-on

ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without expert guidance.

ComboFix uses very brute tactics to rip malware off your system. Do not panic if your antivirus software warns you about the file.

:!: Please disable all your antivirus software, firewalls, and antispyware software BEFORE running ComboFix!! :!:

Also, please keep your internet connection ACTIVE. I know this sounds like a strange thing to do with your protection software disabled, but please trust me on this one :)
(You only need to stay connected to the internet during the first run of ComboFix. For any further runs of ComboFix, please remember to disconnect from the internet)

  • Download ComboFix from here and save it to your desktop
  • Disable ALL antivirus/antimalware programs before proceeding!
  • Now start ComboFix
  • The tool will check whether the Recovery Console is present on your system. If it is not, ComboFix will prompt you whether you would like to install it. Please click "Yes" when this happens and follow the prompts! When asked whether to continue scanning or to exit, click Yes to continue scanning.
  • Do not touch the computer AT ALL while ComboFix is running!
  • When finished, the report will open. Reenable your protection software and post the log in your next reply

Malwarebytes' Anti-Malware
I need you to download Malwarebytes' Anti-Malware.

  • Install the program by following the prompts after double-clicking on mbam-setup.exe
  • Once you approach the final installation screen, put a check next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish
  • MBAM (that's an acronym of Malwarebytes' Anti-Malware) will now start. Choose Perform full scan and click Scan
  • Get a cup of coffee/tea/hot chocolate and watch some TV for about an hour.
  • Once the scan has finished, click OK, then Show Results.
  • Put a check next to everything, then click Remove selected.
  • Now, a log will open. Save this to your desktop and post it. Do not attach it.
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)
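The helper's reading of the HijackThis log above comes down to a pivot: once one component ("Browser Toolbar", loading from C:\Program Files\WebMediaViewer) is identified as unwanted, every process, BHO and autostart entry loading from the same folder gets grouped with it, and orphaned "(no file)" entries and unusual autostart locations are noted for cleanup. The script below is an added example, not code from the thread or from HijackThis, that applies that triage to a constructed excerpt of the first log; the function names `parse_log`, `install_dir` and `triage` are this example's own.

```python
"""Triage a HijackThis 2.0.2 log: parse the R/O entries, pivot on the
install folder of a component already known to be unwanted, and flag
orphaned or unusual entries for review."""
import re
from dataclasses import dataclass

# Constructed excerpt of the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\WebMediaViewer\qttask.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {096CBA44-4A4C-49f7-8903-1E75550ABCB7} - (no file)
O2 - BHO: (no name) - {64466B8E-20A7-4A4A-AFF4-AAD9CA68B52C} - C:\Program Files\WebMediaViewer\hpmun.dll
O3 - Toolbar: Browser Toolbar - {2EEF94DF-75F6-42E9-B7FB-AF5A170A6E2E} - C:\Program Files\WebMediaViewer\browseul.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Policies\Explorer\Run: [QuickTime Task] C:\Program Files\WebMediaViewer\qttask.exe
O4 - HKLM\..\Policies\Explorer\Run: [VMware hptray] C:\Program Files\WebMediaViewer\hpmon.exe
O9 - Extra 'Tools' menuitem: IExplorer Security - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.ietoolexpress.com/redirect.php (file missing)
O15 - Trusted Zone: http://*.websale.co.kr
O22 - SharedTaskScheduler: behaves - {1f3dd9bf-1472-4a8b-b295-b596a597149b} - (no file)
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")        # "O2 - BHO: ..."
DIR_RE = re.compile(r"[A-Za-z]:\\(?:[^\\]+\\)*")     # drive + directory part of a path


@dataclass
class Entry:
    section: str   # "O2", "O4", ... or "process"
    text: str      # entry body after the "O2 - " prefix
    target: str    # file, URL or command the entry points at ("" if none)


@dataclass
class Finding:
    entry: Entry
    reason: str


def target_of(section: str, text: str) -> str:
    """Extract the thing an entry points at, per HijackThis section layout."""
    if section == "O4":                          # HKLM\..\Run: [name] command
        m = re.search(r"\]\s*(.*)$", text)
        return m.group(1).strip() if m else ""
    if section in ("O8", "O15"):                 # kind: target
        return text.split(": ", 1)[1].strip() if ": " in text else ""
    # O2/O3/O9/O18/O22/O23: "kind: name - {CLSID} - target"
    return text.rsplit(" - ", 1)[-1].strip() if " - " in text else ""


def install_dir(target: str) -> str:
    """Lower-cased directory of the first Windows path in target, or ""."""
    m = DIR_RE.search(target)
    return m.group(0).lower() if m else ""


def parse_log(log: str):
    """Return (entries, processes) as Entry lists."""
    entries, processes, in_procs = [], [], False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:                             # process block ends at a blank line
            if line:
                processes.append(Entry("process", line, line))
            else:
                in_procs = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            section, text = m.groups()
            entries.append(Entry(section, text, target_of(section, text)))
    return entries, processes


def triage(log: str, known_unwanted=("Browser Toolbar",)):
    """Flag entries by pivoting on the folder of known-unwanted components
    and by simple structural rules; returns a list of Finding."""
    entries, processes = parse_log(log)

    def is_known(e: Entry) -> bool:
        return any(n.lower() in e.text.lower() for n in known_unwanted)

    pivot_dirs = {install_dir(e.target) for e in entries
                  if is_known(e) and install_dir(e.target)}
    findings = []
    for e in processes + entries:
        d = install_dir(e.target)
        if is_known(e):
            findings.append(Finding(e, "component named as unwanted"))
        elif d and d in pivot_dirs:
            findings.append(Finding(e, f"loads from {d}, the folder of an unwanted component"))
        if "(no file)" in e.target or "(file missing)" in e.target:
            findings.append(Finding(e, "orphaned registration: target file is absent"))
        if e.section == "O4" and r"\Policies\Explorer\Run" in e.text:
            findings.append(Finding(e, "autostart via Policies\\Explorer\\Run, a location legitimate installers rarely use"))
        if e.section == "O15":
            findings.append(Finding(e, "site added to IE Trusted Zone: confirm the user added it deliberately"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.entry.section}] {f.reason}\n    {f.entry.text}")
```

Run against the full log, the same pivot also picks up the qttaskm.exe/hpmom.exe processes, which is why the helper's uninstall step targets the whole toolbar rather than single entries.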

Re: Critical System Warning - CyberLog-x, etc.

Unread post by jtrag » November 22nd, 2008, 7:39 am

Hi OD,

No problem, it's just this infection is a pain in the butt.

When I try to uninstall Browser Toolbar and IExplorer add-on a dialog box pops up saying I need to reboot the system to uninstall the program. The dialog box asks me if I want to reboot now. If I select no, the dialog box disappears and when I try to uninstall again the same dialog box pops up. I accidentally rebooted for the Browser Toolbar and after reboot the program uninstalled, no problem. I think maybe I screwed up by rebooting. The IExplorer add-on is asking the same with the dialog box. I cancelled out and restarted the computer but when I go to uninstall IExplorer add-on the same dialog box pops up.

Should I reboot and then uninstall?

Thanks a million for your help.

jtrag
jtrag
Active Member
 
Posts: 11
Joined: November 17th, 2008, 3:34 am

Re: Critical System Warning - CyberLog-x, etc.

Unread post by Odd dude » November 22nd, 2008, 2:50 pm

Well - the program will need to be uninstalled one way or another - so if it won't go if you do not reboot, I'd say you should just reboot - as long as you can get the program to go things should be fine.

So yes feel free to let it reboot the pc.
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Critical System Warning - CyberLog-x, etc.

Unread post by jtrag » November 22nd, 2008, 8:47 pm

Hi OD,

Here is the ComboFix log:

ComboFix 08-11-22.02 - User 2008-11-23 8:08:43.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.949.1.1042.18.75 [GMT 9:00]
Running from: c:\documents and settings\User\바탕 화면\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\User\시작 메뉴\프로그램\VirusTrigger 2.1
c:\documents and settings\User\시작 메뉴\프로그램\VirusTrigger 2.1\VirusTrigger 2.1.lnk
d:\my documents\My Documents.url
d:\my documents\My Music\My Music.url
d:\my documents\My Pictures\My Pictures.url
d:\my documents\My Videos\My Video.url

.
((((((((((((((((((((((((( Files Created from 2008-10-22 to 2008-11-22 )))))))))))))))))))))))))))))))
.

2008-11-17 16:02 . 2008-11-17 16:02 <DIR> d-------- c:\program files\Trend Micro
2008-11-17 12:37 . 2008-11-20 02:47 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2008-11-17 12:24 . 2008-11-17 12:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-11-17 11:52 . 2008-11-21 22:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-11-17 00:08 . 2008-11-17 00:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2008-11-17 00:05 . 2008-11-17 14:44 <DIR> d-------- c:\windows\system32\512686
2008-11-17 00:05 . 2008-11-23 07:58 <DIR> d-------- c:\program files\WebMediaViewer
2008-11-14 04:03 . 2008-11-14 04:03 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-11-14 04:00 . 2008-11-14 04:00 <DIR> d-------- c:\windows\system32\LogFiles
2008-11-14 04:00 . 2008-11-14 04:01 <DIR> d-------- c:\windows\system32\drivers\UMDF
2008-11-13 04:54 . 2008-09-05 02:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-13 04:54 . 2008-10-24 20:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-10 16:12 . 2008-11-10 16:12 243 --a------ c:\windows\system32\p3downasx.asx
2008-11-08 18:33 . 2008-11-08 18:33 <DIR> d-------- c:\windows\system32\ko
2008-11-08 18:33 . 2008-11-08 18:33 <DIR> d-------- c:\windows\system32\bits
2008-11-08 18:33 . 2008-11-08 18:33 <DIR> d-------- c:\windows\l2schemas
2008-11-08 18:31 . 2008-11-08 18:33 <DIR> d-------- c:\windows\ServicePackFiles
2008-11-02 11:50 . 2008-11-02 11:51 <DIR> d-------- c:\program files\Winamp
2008-11-02 11:50 . 2008-11-02 11:51 <DIR> d-------- c:\documents and settings\User\Application Data\Winamp
2008-10-24 20:45 . 2008-10-16 01:35 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-22 22:55 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-22 15:00 --------- d-----w c:\program files\PokerStars
2008-11-22 10:44 --------- d-----w c:\program files\Freechal
2008-11-19 09:00 --------- d-----w c:\program files\Norton Security Scan
2008-11-17 06:28 --------- d-----w c:\program files\GemmirMini
2008-11-16 23:55 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-15 11:06 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-15 08:32 --------- d-----w c:\program files\Pandora.TV
2008-11-06 00:20 --------- d-----w c:\program files\Yahoo!
2008-11-06 00:20 --------- d-----w c:\program files\PlayNC
2008-11-06 00:20 --------- d-----w c:\program files\NCLoader
2008-10-27 21:15 90,112 ----a-w c:\windows\DUMP4bce.tmp
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-11 07:52 6,784 ----a-w c:\windows\system32\drivers\scsk4.sys
2008-10-11 07:48 --------- d-----w c:\program files\Nexon
2008-10-08 09:02 --------- d-----w c:\program files\Common Files\Symantec Shared
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-29 4620288]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"SoundMan"="SOUNDMAN.EXE" [2004-08-30 c:\windows\SOUNDMAN.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"QuickTime Task"="c:\program files\WebMediaViewer\qttask.exe" [2008-11-17 55282]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 11:27 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NATEON]
--a------ 2008-04-23 11:18 507904 c:\program files\NATEON\BIN\NATEON.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-10-29 16:50 4620288 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2004-10-29 16:50 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\겜미르 게임실행 프로그램]
--a------ 2008-11-17 08:22 355088 c:\program files\GemmirMini\gmupdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-10-29 16:50 921600 c:\windows\system32\nwiz.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"겜미르 게임실행 프로그램"="c:\program files\GemmirMini\gmupdater.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\NATEON\\BIN\\NateOnMain.exe"=
"c:\\WINDOWS\\system32\\skcbgm.exe"=
"d:\\My Documents\\BuddyBuddy\\BuddyBuddy.exe"=
"c:\\WINDOWS\\system32\\pdrtvsvr.exe"=
"c:\\Documents and Settings\\User\\Application Data\\LGDacom\\Neturo\\ViewerKr\\neturoviewer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MPlay\\Crazy Arcade\\NewPatcher.exe"=
"c:\\Program Files\\Goorm\\KeroroFighter\\KeroroFighter.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Nexon\\Common\\NMService.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Nexon\\NGM\\NGM.exe"=
"c:\\Nexon\\Nanaimo\\Nanaimo.exe"=
"c:\\Nexon\\Nanaimo\\NanaimoClient.exe"=
"c:\\Nexon\\KoongPa\\KoongPa.exe"=
"c:\\Netmarble\\NetmarbleDownLoaderEx\\NetmarbleDownLoader_EngineEx.exe"=
"c:\\Program Files\\MPlay\\Crazy Arcade\\CA.exe"=

R2 npkcmsvc;npkcmsvc;c:\windows\system32\npkcmsvc.exe [2008-03-27 88727]
S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNt.sys [2008-03-07 130560]
S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [2008-04-13 79104]
S3 Mkd2Usbf;Mkd2Usbf;c:\windows\system32\drivers\Mkd2Usbf.sys [2008-03-07 93440]
S3 shspusb;Samsung High Speed USB Driver;c:\windows\system32\DRIVERS\HSPUSB.sys [2007-11-26 21282]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-11-19 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2008-01-09 04:08]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-mcagent_exe - c:\program files\McAfee.com\Agent\mcagent.exe
MSConfigStartUp-McENUI - c:\progra~1\McAfee\MHN\McENUI.exe
MSConfigStartUp-VirusTriggerBin - c:\program files\VirusTriggerBin\VirusTriggerBin.exe
MSConfigStartUp-Vrmon - c:\program files\HAURI\Common\Base\VRMONNT.EXE
MSConfigStartUp-WebsaleSystem - c:\program files\WebsaleSystem\WebsAgent.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\0ttakeip.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://kr.yahoo.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-23 08:11:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(520)
c:\windows\system32\WgaLogon.dll
c:\windows\system32\IMEKR70.IME
.
Completion time: 2008-11-23 8:14:37
ComboFix-quarantined-files.txt 2008-11-22 23:14:35

Pre-Run: 17,100,148,736 바이트 남음
Post-Run: 17,092,448,256 바이트 남음

153 --- E O F --- 2008-11-16 10:12:46


Here is the Malwarebytes' Anti-Malware log:

Malwarebytes' Anti-Malware 1.30
Database version: 1416
Windows 5.1.2600 Service Pack 3

2008-11-23 오전 9:17:02
mbam-log-2008-11-23 (09-17-02).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 150229
Time elapsed: 39 minute(s), 5 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 7
Folders Infected: 2
Files Infected: 12

Memory Processes Infected:
C:\Program Files\WebMediaViewer\qttask.exe (Trojan.Zlob) -> Unloaded process successfully.
C:\Program Files\WebMediaViewer\qttaskm.exe (Trojan.Zlob) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{EE8A3F7B-E4AB-5C41-4926-3FAED82759F5} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3b8fb116-d358-48a3-a5c7-db84f15cbb04} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0b385ee3-ee18-4c69-bf55-6b6b406ef591} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{3b8fb116-d358-48a3-a5c7-db84f15cbb04} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\virustriggerbinwarning.warningbho.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Online Alert Manager (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\quicktime task (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar (Hijack.Search) -> Bad: (http://windiwsfsearch.com/ie6.html) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://windiwsfsearch.com/search?q={searchTerms}) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://windiwsfsearch.com/search?q={searchTerms}) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://windiwsfsearch.com/search?q=%s) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\WebMediaViewer (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\512686 (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\MPlay\Crazy Arcade\GameGuard.des (Malware.Unknown) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\myd.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\mym.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\myp.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\myv.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\ot.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\qttask.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\qttaskm.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\qttasku.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\ts.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\시작 메뉴\Antivirus Scan.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\시작 메뉴\Online Antispyware Test.url (Trojan.Zlob) -> Quarantined and deleted succe
jtrag
Active Member
 
Posts: 11
Joined: November 17th, 2008, 3:34 am

Re: Critical System Warning - CyberLog-x, etc.

Unread postby Odd dude » November 23rd, 2008, 3:49 pm

Hi jtrag

Open notepad and copy and paste the following:
Code:
@title .
@Nircmd win hide title .
cd/d %userprofile%\desktop
dir\windows\system32\ko/l/a/s>PostThis.txt
notepad PostThis.txt
del "%0"


Save this to your desktop as "look.cmd" - please include the quotation marks.

Double click the file. A black window will quickly open and then vanish, that is normal.

Notepad will pop up, post the contents of the notepad file in your next reply.

The Recovery Console has not been installed on your machine. We will manually install it now in case something gets broken. With tools as powerful as ComboFix around you wouldn't want to risk it. Installing the Recovery Console only takes a few minutes of your time.
Please click here

Now please download the correct Setup Disks for your version of Windows XP. Please put the file on your desktop.


Disconnect from the internet and disable ALL protection software! ComboFix is about to modify some critical system files and no protection software will ever allow that to happen.
Next, drag the Microsoft executable into ComboFix.

Please follow the instructions ComboFix gives you. When asked whether to continue scanning for malware, click No

In your next reply,
please post the PostThis.txt file generated by the first set of instructions, and a new Hijackthis log.
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Critical System Warning - CyberLog-x, etc.

Unread postby jtrag » November 23rd, 2008, 7:27 pm

Hi OD,

PostThis log:

C 드라이브의 볼륨에는 이름이 없습니다.
볼륨 일련 번호: CCE4-F349

C:\windows\system32\ko 디렉터리

2008-11-08 오후 06:33 <DIR> .
2008-11-08 오후 06:33 <DIR> ..
2008-04-14 오전 11:26 28,672 microsoft.managementconsole.resources.dll
2008-04-14 오전 11:26 36,864 mmcex.resources.dll
2008-04-14 오전 11:26 5,120 mmcfxcommon.resources.dll
3개 파일 70,656 바이트

전체 파일:
3개 파일 70,656 바이트
2개 디렉터리 17,019,629,568 바이트 남음


HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 오전 8:21:25, on 2008-11-24
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\npkcmsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: 야후! 툴바 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: IWebInterception Class - {BFDDBDBB-F62C-4D4A-B574-59D276F47196} - C:\Program Files\Click To Tweak [Basic]\WebInterception.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: 네이버 툴바(&N) - {D09CFF09-A42A-4EDC-9804-E61224F59CA1} - C:\Program Files\naver\NaverToolbar\NaverTB_3_0_2_21.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 네이버 검색 - res://C:\Program Files\naver\NaverToolbar\NaverTB_3_0_2_21.dll /SEARCH.HTML
O8 - Extra context menu item: 네이버 북마크하기 - res://C:\Program Files\naver\NaverToolbar\NaverTB_3_0_2_21.dll /BOOKMARK.HTML
O8 - Extra context menu item: 네이버 블로그 담기 - res://C:\Program Files\naver\NaverToolbar\NaverTB_3_0_2_21.dll /BLOG.HTML
O8 - Extra context menu item: 네이버 사전 검색 - res://C:\Program Files\naver\NaverToolbar\NaverTB_3_0_2_21.dll /DIC.HTML
O8 - Extra context menu item: 네이버 일한 번역 - res://C:\Program Files\naver\NaverToolbar\NaverTB_3_0_2_21.dll /JKTRANS.HTML
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: 리서치 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.websale.co.kr
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {3270EED1-B285-4828-A0A7-F55913A9B724} (S2PlayerPan Class) - http://listen.daum.net/52st/52street/S2MusicPlayer.dll
O16 - DPF: {3942BD43-B5CE-465F-9AC3-16BA93994273} (DosirakControl Control) - http://www.dosirak.com/Commons/Activex/ ... ontrol.ocx
O16 - DPF: {5B420135-B86A-4854-876A-4154FD35C2E9} (Flash365X Control) - http://toolbar.flash365.co.kr/toolbar/s ... sh365X.cab
O16 - DPF: {A1E0ACF5-232E-4E85-9EC4-669809AEB8F8} (GameAngelAx Installer) - http://app.nbar.co.kr/Install/cab2/axInstall26.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ViRobot Desktop Monitoring (vrmonsvc) - Unknown owner - C:\Program Files\HAURI\Common\Base\vrmonsvc.exe (file missing)
O24 - Desktop Component 0: (no name) - http://img.yahoo.co.kr/kids/2007rn/k_sch2.gif

--
End of file - 5666 bytes
jtrag
Active Member
 
Posts: 11
Joined: November 17th, 2008, 3:34 am

Re: Critical System Warning - CyberLog-x, etc.

Unread postby Odd dude » November 24th, 2008, 4:11 pm

Open hijackthis, click do a system scan only, put a check next to the following, then close all open windows and click fix checked:
O16 - DPF: {A1E0ACF5-232E-4E85-9EC4-669809AEB8F8} (GameAngelAx Installer) - http://app.nbar.co.kr/Install/cab2/axInstall26.cab
O15 - Trusted Zone: http://*.websale.co.kr <-- I don't recommend putting websites in the trusted zone, as they will have almost full access to your computer. Even the sites you trust can get hacked. Unless it is really necessary for the normal operation of that site, I strongly recommend you fix this entry.


Uninstall ComboFix
  • Disable all your antimalware programs like you did previously
  • Click Start > Run and enter:
    Code:
    ComboFix /u
  • Click OK
  • ComboFix will now uninstall itself

Then post a new hijackthis log to make sure it's all gone :)
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)
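As an added example (not part of this thread, and not HijackThis code), here is a small Python script that reads a HijackThis v2.0.2 log and pulls out the entry kinds the helper singles out above: O15 Trusted Zone sites, O16 downloaded ActiveX controls with their hosting domain, and O23 services whose file is missing. The sample log is constructed from lines quoted in this thread; the review rules are my reading of the helper's advice, not anything HijackThis itself reports.

```python
import re

# Constructed sample in HijackThis v2.0.2 log format. The O15, O16 and O23
# entries are copied from the logs posted in this thread; the O4 line and the
# trailer are there only so the parser sees lines it must ignore.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O15 - Trusted Zone: http://*.websale.co.kr
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {3270EED1-B285-4828-A0A7-F55913A9B724} (S2PlayerPan Class) - http://listen.daum.net/52st/52street/S2MusicPlayer.dll
O16 - DPF: {A1E0ACF5-232E-4E85-9EC4-669809AEB8F8} (GameAngelAx Installer) - http://app.nbar.co.kr/Install/cab2/axInstall26.cab
O23 - Service: ViRobot Desktop Monitoring (vrmonsvc) - Unknown owner - C:\Program Files\HAURI\Common\Base\vrmonsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 1234 bytes
"""

# Every HijackThis finding is "<kind> - <body>", e.g. "O16 - DPF: ...".
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# O15: "Trusted Zone: <url>" or "ESC Trusted Zone: <url>" (IE Enhanced
# Security Configuration entries, which the helper left alone).
O15_RE = re.compile(r"^(?P<esc>ESC )?Trusted Zone: (?P<url>\S+)")
# O16: "DPF: {CLSID} (control name) - <download url>"
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)")
# O23: "Service: <display name> (<short name>) - <owner> - <path>"
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
HOST_RE = re.compile(r"^[a-z]+://([^/]+)")


def parse_entries(log_text):
    """Return (kind, body) pairs for every O/R/F line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def host_of(url):
    """Host part of a URL; forum-truncated URLs ('...') still yield the host."""
    m = HOST_RE.match(url)
    return m.group(1) if m else url


def review(log_text):
    """Apply the three review rules; returns findings in log order."""
    findings = []
    for kind, body in parse_entries(log_text):
        line = f"{kind} - {body}"
        if kind == "O15":
            m = O15_RE.match(body)
            # Any non-ESC site in the Trusted Zone runs with almost full
            # access, so list it for removal unless the site really needs it.
            if m and not m.group("esc"):
                findings.append({"kind": kind, "subject": host_of(m.group("url")),
                                 "reason": "site in Trusted Zone; fix unless required",
                                 "line": line})
        elif kind == "O16":
            m = O16_RE.match(body)
            # Downloaded ActiveX controls: show who installed what from where,
            # so an unrecognised installer (here the nbar.co.kr one) stands out.
            if m:
                findings.append({"kind": kind, "subject": host_of(m.group("url")),
                                 "reason": f"ActiveX {m.group('name')} {m.group('clsid')} "
                                           "installed from this site",
                                 "line": line})
        elif kind == "O23":
            m = O23_RE.match(body)
            # A registered service whose binary is gone is a leftover of an
            # uninstalled product (HAURI ViRobot in this thread).
            if m and m.group("path").endswith("(file missing)"):
                findings.append({"kind": kind, "subject": m.group("name"),
                                 "reason": "service registered but file missing",
                                 "line": line})
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f['kind']:4} {f['subject']:40} {f['reason']}")
        print(f"     {f['line']}")
```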

Re: Critical System Warning - CyberLog-x, etc.

Unread postby jtrag » November 25th, 2008, 8:45 am

Hi OD,

Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 오후 9:41:35, on 2008-11-25
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\npkcmsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: 야후! 툴바 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: IWebInterception Class - {BFDDBDBB-F62C-4D4A-B574-59D276F47196} - C:\Program Files\Click To Tweak [Basic]\WebInterception.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: 네이버 툴바(&N) - {D09CFF09-A42A-4EDC-9804-E61224F59CA1} - C:\Program Files\naver\NaverToolbar\NaverTB_3_0_2_21.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 네이버 검색 - res://C:\Program Files\naver\NaverToolbar\NaverTB_3_0_2_21.dll /SEARCH.HTML
O8 - Extra context menu item: 네이버 북마크하기 - res://C:\Program Files\naver\NaverToolbar\NaverTB_3_0_2_21.dll /BOOKMARK.HTML
O8 - Extra context menu item: 네이버 블로그 담기 - res://C:\Program Files\naver\NaverToolbar\NaverTB_3_0_2_21.dll /BLOG.HTML
O8 - Extra context menu item: 네이버 사전 검색 - res://C:\Program Files\naver\NaverToolbar\NaverTB_3_0_2_21.dll /DIC.HTML
O8 - Extra context menu item: 네이버 일한 번역 - res://C:\Program Files\naver\NaverToolbar\NaverTB_3_0_2_21.dll /JKTRANS.HTML
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: 리서치 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {3270EED1-B285-4828-A0A7-F55913A9B724} (S2PlayerPan Class) - http://listen.daum.net/52st/52street/S2MusicPlayer.dll
O16 - DPF: {3942BD43-B5CE-465F-9AC3-16BA93994273} (DosirakControl Control) - http://www.dosirak.com/Commons/Activex/ ... ontrol.ocx
O16 - DPF: {5B420135-B86A-4854-876A-4154FD35C2E9} (Flash365X Control) - http://toolbar.flash365.co.kr/toolbar/s ... sh365X.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ViRobot Desktop Monitoring (vrmonsvc) - Unknown owner - C:\Program Files\HAURI\Common\Base\vrmonsvc.exe (file missing)
O24 - Desktop Component 0: (no name) - http://img.yahoo.co.kr/kids/2007rn/k_sch2.gif

--
End of file - 5519 bytes
jtrag
Active Member
 
Posts: 11
Joined: November 17th, 2008, 3:34 am

Re: Critical System Warning - CyberLog-x, etc.

Unread postby Odd dude » November 25th, 2008, 1:22 pm

Hi jtrag

It looks like you uninstalled your antivirus. That's not a good idea.

You are not running antivirus software!
Every single file you download is a potential threat to your system. Every single file can contain malware. To be protected from this, you need good antivirus software.
Antivirus software does not only cure infections. More importantly, it removes infectors (= things that infect you) before you are infected. This means you won't need to be cured from viruses, instead, they won't get in in the first place.

I noticed you are not running antivirus software. This is very bad!

I want you to download and install one free antivirus program NOW! If you can't choose any, or don't know where to look, you can pick one of these:
Avira Antivir
Avast


Also - you don't have a firewall.

Install a firewall
There is no firewall installed on your computer!
Either that, or you're using Windows Firewall, which is not a good idea.

Firewalls are programs that monitor incoming and outgoing connections to your computer. Did you know that, just by connecting to the internet, you are being exposed to hundreds of threats immediately? The way to solve this is to use a firewall, and up-to-date antivirus software.

Windows Firewall only monitors incoming connections. This means that, once you are infected, the malware is free to ask for new instructions, send private data to its creator, or invite its malware buddies to come over. In other words: it's almost as good as no firewall at all.

Download a free for personal use firewall NOW from one of these sources:
Comodo Personal Firewall
Online Armor Free


If you don't have any other issues, then I think all the malware is gone!


Congratulations!

As far as I can tell, you are CLEAN!




Sit back & relax, and now please follow a few of the following tips; they will dramatically reduce your chance of getting infected again.


  • Turn on Automatic Updates if you have not done so. It is MANDATORY to keep your Windows updated, otherwise you are vulnerable to exploits! To turn on Automatic Updates: click Start > Control Panel > Security Centre > Automatic Updates.

Below are optional items. It's highly recommended to read them through, but decide for yourself how many of these recommendations (if any) you follow.

  • Install WinPatrol from here. Instructions for use are here.

  • Install SpywareBlaster to protect you from bad sites. Download - How to use it

  • Install a custom hosts file. Let's say I have a directory of 640kb's worth of bad sites. Let's say I can make sure you will never be able to access those sites, so you will never get any infection from those sites. It's like blocking a site - without site blocking tools. How would you like to never be able to visit (a lot, but not all of the) malware-infected sites again? Well, now you can!
    First, we must disable a service, as Windows cannot work with a very large hosts file while that service is active. This will not affect anything else.
    The disabling routine:
    1. Click Start, then Run
    2. Copy and paste the following:
      Code:
      sc config dnscache start= disabled
    3. Click OK.
    Next, you can download the custom hosts file from here. Installation instructions can be found there as well.

  • Install KeyScrambler. Keyloggers are the third biggest threat in the world of malware - next to backdoors & rootkits. KeyScrambler is an add-on that integrates with your browser and protects you from keyloggers, meaning safe online gaming and safe online banking. There is also a paid version, which protects e-mail programs and Word, and a more expensive paid version that protects even more items! Download it from here.

Please note: you must NOT rely on programs like KeyScrambler for your protection. The program can protect against many types of keylogging software but no security program is 100% reliable and new malware is created every day. If you suspect your machine is infected with a keylogger you should immediately change all your passwords from a known clean machine and seek assistance with removing the malware.

Please reply to this thread once more so we know it can be archived.

Happy surfing!! :)
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Critical System Warning - CyberLog-x, etc.

Unread postby jtrag » November 30th, 2008, 10:32 am

Hi OD,

I was installing your suggestions and when I got to installing KeyScrambler, all of a sudden my computer was taken over by Silverlight. It installed itself in the system tray and erased my background and installed some logo and message for Silverlight.

I tried to uninstall Silverlight but it won't go away. I uninstalled KeyScrambler. I tried installing Silverlight then uninstalling. On start-up a text box pops up wanting me to authenticate Silverlight, then it puts me into Firefox.

How do I get rid of this thing?

jtrag
jtrag
Active Member
 
Posts: 11
Joined: November 17th, 2008, 3:34 am

Re: Critical System Warning - CyberLog-x, etc.

Unread postby Odd dude » December 1st, 2008, 11:15 am

Let's see what's going on there :shock:

DDS (Doesn't Do Squat)
Download DDS by sUBs to your desktop.
Your antivirus software might question the file. If it does, turn it off please :)
  • Double click DDS.scr to run it and wait for the scan to finish
  • When finished DDS.txt will open
  • A short while later, a prompt will open. Answer Yes
  • DDS will continue scanning
  • When done, Attach.txt will open
  • Post DDS.txt and attach Attach.txt

Post:
- DDS.txt
- new hijackthis log

Attach:

- attach.txt
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Critical System Warning - CyberLog-x, etc.

Unread postby jtrag » December 2nd, 2008, 9:22 am

Hi OD,

Here is DDS.txt

DDS (Version 1.0) - NTFSx86
Run by User at 22:08:55.28 on 2008-12-02
Microsoft Windows XP Professional 5.1.2600.3.949.82.1042.18.255.91 [GMT 9:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\npkcmsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\conime.exe
C:\Documents and Settings\User\바탕 화면\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://kr.yahoo.com/
uDefault_Search_URL = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/
mStart Page = hxxp://www.hangame.com
mSearch Bar = hxxp://www.google.com/
mSearchMigratedDefaultURL = hxxp://www.google.com/
mSearchURL = hxxp://www.google.com/
uURLSearchHooks: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - c:\program files\winamp toolbar\winamptb.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
TB: {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - c:\program files\winamp toolbar\winamptb.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: {EBF2BA02-9094-4C5A-858B-BB198F3D8DE2} - c:\program files\winamp toolbar\winamptb.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
dRunOnce: [KeyScrambler] c:\program files\keyscrambler\getting_started.html
IE: &Winamp Toolbar Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: Microsoft Excel로 내보내기(&X) - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-26 111184]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-7-7 611664]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-11-26 20560]
R2 avast! Antivirus;avast! Antivirus;"c:\program files\alwil software\avast4\ashServ.exe" [2008-11-26 155160]
R2 npkcmsvc;npkcmsvc;c:\windows\system32\npkcmsvc.exe [2008-3-27 88727]
R3 avast! Mail Scanner;avast! Mail Scanner;"c:\program files\alwil software\avast4\ashMaiSv.exe" /service [2008-11-26 254040]
S3 avast! Web Scanner;avast! Web Scanner;"c:\program files\alwil software\avast4\ashWebSv.exe" /service [2008-11-26 352920]
S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNt.sys [2008-3-7 130560]
S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [2008-4-13 79104]
S3 Mkd2Usbf;Mkd2Usbf;c:\windows\system32\drivers\Mkd2Usbf.sys [2008-3-7 93440]
S3 shspusb;Samsung High Speed USB Driver;c:\windows\system32\drivers\HSPUSB.sys [2007-11-26 21282]

=============== Created Last 30 ================

2008-12-01 07:59 268,648 a------- c:\windows\system32\mucltui.dll
2008-12-01 07:59 208,744 a------- c:\windows\system32\muweb.dll
2008-12-01 07:59 23,400 a------- c:\windows\system32\mucltui.dll.mui
2008-11-30 21:56 <DIR> --d----- c:\program files\SpywareBlaster
2008-11-30 21:43 <DIR> --d----- c:\docume~1\user\applic~1\WinPatrol
2008-11-30 21:43 <DIR> --d----- c:\program files\BillP Studios
2008-11-28 22:33 <DIR> --d----- c:\windows\system32\nprotect
2008-11-26 20:44 <DIR> --d----- C:\OnlineArmor
2008-11-25 21:41 <DIR> --d----- C:\ComboFix
2008-11-24 08:16 <DIR> a-dshr-- C:\cmdcons
2008-11-23 08:30 <DIR> --d----- c:\docume~1\user\applic~1\Malwarebytes
2008-11-23 08:30 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-11-23 08:30 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-23 08:30 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-11-23 08:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-11-17 16:02 <DIR> --d----- c:\program files\Trend Micro
2008-11-14 04:03 <DIR> --d----- c:\program files\Windows Media Connect 2
2008-11-14 04:00 <DIR> --d----- c:\windows\system32\LogFiles
2008-11-13 04:54 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-13 04:54 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2008-11-10 16:12 243 a------- c:\windows\system32\p3downasx.asx
2008-11-08 18:33 <DIR> --d----- c:\windows\system32\ko
2008-11-08 18:33 <DIR> --d----- c:\windows\system32\bits
2008-11-08 18:33 <DIR> --d----- c:\windows\l2schemas
2008-11-08 18:31 <DIR> --d----- c:\windows\ServicePackFiles

==================== Find3M ====================

2008-11-30 10:17 <DIR> --d----- c:\program files\PokerStars
2008-11-27 09:36 6,280 a------- c:\windows\system32\teexcept.dat
2008-11-27 07:10 <DIR> --d----- c:\program files\Click To Tweak [Basic]
2008-11-23 19:33 <DIR> --d----- c:\program files\Norton Security Scan
2008-11-22 19:44 <DIR> --d----- c:\program files\Freechal
2008-11-18 16:20 266,240 a------- c:\windows\system32\TeCtrl.dll
2008-11-17 15:28 <DIR> --d----- c:\program files\GemmirMini
2008-11-17 08:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-11-15 20:06 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-11-15 17:32 <DIR> --d----- c:\program files\Pandora.TV
2008-11-08 20:08 168,332 a------- c:\windows\system32\perfh012.dat
2008-11-08 20:08 40,836 a------- c:\windows\system32\perfc012.dat
2008-11-08 18:38 <DIR> --d----- c:\program files\Messenger
2008-11-08 18:36 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-08 18:30 <DIR> --d----- c:\program files\Windows NT
2008-11-06 09:20 <DIR> --d----- c:\program files\PlayNC
2008-11-06 09:20 <DIR> --d----- c:\program files\Yahoo!
2008-11-06 09:20 <DIR> --d----- c:\program files\NCLoader
2008-10-28 11:24 144,744 a------- c:\windows\system32\skcbgmf1.dll
2008-10-28 06:15 90,112 a------- c:\windows\DUMP4bce.tmp
2008-10-11 16:48 <DIR> --d----- c:\program files\Nexon
2008-10-08 18:02 <DIR> --d----- c:\program files\common files\Symantec Shared
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-29 19:24 1,048,576 a------- c:\windows\system32\NPDownV.exe
2008-09-16 00:24 1,846,016 a------- c:\windows\system32\win32k.sys
2008-09-12 13:31 507,904 a------- c:\windows\system32\npcopyv.exe
2008-09-12 11:37 1,014,808 a------- c:\windows\system32\SmartOn.dll
2008-09-10 10:13 1,307,648 -------- c:\windows\system32\msxml6.dll
2008-09-05 02:15 1,106,944 a------- c:\windows\system32\msxml3.dll
2008-07-31 10:23 <DIR> --d----- c:\docume~1\user\applic~1\Sega
2008-07-29 06:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Lavasoft
2008-06-21 22:09 <DIR> --d-h--- c:\docume~1\user\applic~1\netmarble
2008-06-01 23:32 <DIR> --d----- c:\docume~1\user\applic~1\LocalLow
2008-03-04 14:41 <DIR> --d----- c:\docume~1\user\applic~1\Hnc
2008-02-03 12:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nexon
2007-12-25 20:30 <DIR> --d-h--- c:\docume~1\user\applic~1\Hangame
2007-12-14 14:10 <DIR> --d----- c:\docume~1\user\applic~1\LGDacom
2007-12-01 20:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Winamp Toolbar
2007-11-25 12:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trymedia
2007-11-25 10:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MumboJumbo
2007-10-13 17:59 <DIR> --d----- c:\docume~1\user\applic~1\PandoraTV

============= FINISH: 22:09:15.96 ===============

Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 오후 10:13:07, on 2008-12-02
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\npkcmsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: 야후! 툴바 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [KeyScrambler] C:\Program Files\KeyScrambler\getting_started.html (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [KeyScrambler] C:\Program Files\KeyScrambler\getting_started.html (User 'Default user')
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: 리서치 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {3270EED1-B285-4828-A0A7-F55913A9B724} (S2PlayerPan Class) - http://listen.daum.net/52st/52street/S2MusicPlayer.dll
O16 - DPF: {3942BD43-B5CE-465F-9AC3-16BA93994273} (DosirakControl Control) - http://www.dosirak.com/Commons/Activex/ ... ontrol.ocx
O16 - DPF: {5B420135-B86A-4854-876A-4154FD35C2E9} (Flash365X Control) - http://toolbar.flash365.co.kr/toolbar/s ... sh365X.cab
O16 - DPF: {DC4207CE-C03E-4449-ACB1-032CA4137053} (Npz Control) - http://update.nprotect.net/nprotect2006/keb/npz.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ViRobot Desktop Monitoring (vrmonsvc) - Unknown owner - C:\Program Files\HAURI\Common\Base\vrmonsvc.exe (file missing)
O24 - Desktop Component 0: (no name) - http://img.yahoo.co.kr/kids/2007rn/k_sch2.gif

--
End of file - 5894 bytes


Thank you so much for your kind assistance.

jtrag
jtrag
Active Member
 
Posts: 11
Joined: November 17th, 2008, 3:34 am
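The HijackThis log above is a flat text format with one record per line, and reading a long one by eye is where entries get missed. The following is an added example (not part of HijackThis or of this thread's advice) that parses the common O2/O3, O4, O16 and O23 line layouts into records and runs a few purely objective checks over them: services whose file is missing or whose owner is unknown, the hosts that ActiveX controls were downloaded from, and RunOnce entries registered under system accounts. The regular expressions are written from the line layouts visible in the posted log and are an assumption about the format, not its specification; the sample lines are copied from that log.

```python
"""Parse HijackThis (v2.0.2) log lines into records and run objective
triage checks over them.  Added example for this thread, not code from
HijackThis; the regexes are an assumption derived from the posted log's
line layouts.  SAMPLE_LOG lines are copied from the log posted above."""
import re
from urllib.parse import urlparse

SAMPLE_LOG = [
    r"O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll",
    r"O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot",
    r"O4 - HKUS\S-1-5-18\..\RunOnce: [KeyScrambler] C:\Program Files\KeyScrambler\getting_started.html (User 'SYSTEM')",
    r"O16 - DPF: {3270EED1-B285-4828-A0A7-F55913A9B724} (S2PlayerPan Class) - http://listen.daum.net/52st/52street/S2MusicPlayer.dll",
    r"O16 - DPF: {DC4207CE-C03E-4449-ACB1-032CA4137053} (Npz Control) - http://update.nprotect.net/nprotect2006/keb/npz.cab",
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
    r"O23 - Service: ViRobot Desktop Monitoring (vrmonsvc) - Unknown owner - C:\Program Files\HAURI\Common\Base\vrmonsvc.exe (file missing)",
]

# One pattern per line layout; named groups become record fields.
PATTERNS = [
    re.compile(r"^O[23] - (?P<kind>BHO|Toolbar): (?P<name>.+?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$"),
    re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"),
    re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$"),
    re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<vendor>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"),
]
USER_SUFFIX = re.compile(r"^(?P<cmd>.*) \(User '(?P<user>[^']*)'\)$")   # O4 lines for other hives
SHORT_NAME = re.compile(r"^(?P<display>.+?)(?: \((?P<short>[^()]+)\))?$")  # "Display (shortname)"


def parse_hjt(lines):
    """Turn log lines into dicts; lines matching no known layout are skipped."""
    records = []
    for raw in lines:
        line = raw.rstrip()
        for pat in PATTERNS:
            m = pat.match(line)
            if not m:
                continue
            rec = {"section": line.split(" - ", 1)[0], "raw": line}
            rec.update(m.groupdict())
            if rec["section"] == "O4":
                # HKUS entries carry the account name as a trailing suffix.
                u = USER_SUFFIX.match(rec["cmd"])
                rec["user"] = u.group("user") if u else None
                if u:
                    rec["cmd"] = u.group("cmd")
            elif rec["section"] == "O23":
                s = SHORT_NAME.match(rec["display"])
                rec["display"], rec["short"] = s.group("display"), s.group("short")
                rec["missing"] = rec["missing"] is not None
            records.append(rec)
            break
    return records


def triage(records):
    """Objective findings only: nothing here decides what is malicious."""
    findings = {"orphaned_services": [], "unknown_owner_services": [],
                "activex_hosts": set(), "system_account_autoruns": []}
    for r in records:
        if r["section"] == "O23":
            label = r["short"] or r["display"]
            if r["missing"]:
                findings["orphaned_services"].append(label)
            if r["vendor"] == "Unknown owner":
                findings["unknown_owner_services"].append(label)
        elif r["section"] == "O16":
            findings["activex_hosts"].add(urlparse(r["url"]).hostname)
        elif r["section"] == "O4" and r["user"]:
            findings["system_account_autoruns"].append((r["user"], r["key"], r["name"]))
    findings["activex_hosts"] = sorted(findings["activex_hosts"])
    return findings


if __name__ == "__main__":
    for key, value in triage(parse_hjt(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

An orphaned service entry (the file is gone but the registration remains) is usually a leftover from an incomplete uninstall and is harmless, but it is the sort of thing a helper cleans up at the end of a thread like this; the ActiveX host list is useful because it shows which sites have been allowed to install native code, and each one should be a site you recognise.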