
Help removing Trojan


  • This topic is locked
16 replies to this topic

#1 fier

    Member

  • Full Member
  • 8 posts

Posted 07 March 2010 - 01:35 PM

Hello,

My antivirus software (AVG and MSE) keeps detecting some sort of trojan. After quarantining, it later recurs and is detected again. Please advise how best to remove this; my HJT log is below. Many thanks in advance for helping fix my computer!!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:01:04 AM, on 3/8/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\System Control Manager\MGSysCtrl.exe
C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
C:\Program Files\MSI\MSI Q-Face\webtest.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MarkAny\ContentSAFER\MAAgent.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\System Control Manager\MSIService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\npkcmsvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: uiwn1 - {19AAAA41-568A-450E-9CD5-6D3C06321790} - C:\PROGRA~1\uracn2\uracn2.dll (file missing)
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: WinAWRCls - {6079C124-AD20-40AF-BB9E-3BCED480A98F} - C:\WINDOWS\system32\winawrcls.dat
O2 - BHO: Onbp Class - {786F389F-C02E-4DC3-AC0C-1FAB1D105C6E} - C:\Program Files\PrivacyON\Onb.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ulineguide Helper - {C3105EEE-9977-460E-B842-B04DE95921B5} - C:\Program Files\ulineguide\ulineguidepack.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files\System Control Manager\MGSysCtrl.exe
O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
O4 - HKLM\..\Run: [Q-Face agent] C:\Program Files\MSI\MSI Q-Face\webtest.exe
O4 - HKLM\..\Run: [Korean IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEKR\IMKRMIG.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSAFER\MAAgent.exe
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [AutoUtil] C:\Program Files\AutoUtil\AutoUtil.exe
O4 - HKLM\..\Run: [Redemption] "\redemption.exe" /STARTUP
O4 - HKLM\..\Run: [yomqinmm] C:\Documents and Settings\CKA\Local Settings\Application Data\phvtmb\itvrsftav.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [yomqinmm] C:\Documents and Settings\CKA\Local Settings\Application Data\phvtmb\itvrsftav.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.msi.com.tw
O15 - Trusted Zone: http://*.wedisk.co.kr
O15 - Trusted Zone: http://*.wedisk.net
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {20BBA18F-5BC8-47B5-8FC9-5DFCA8E56A4B} (XacsPop Control) - http://mpi.dacom.net...PI_20090320.cab
O16 - DPF: {39461460-2552-4D51-A062-3AB6A7B902E9} (INISAFE Updater Control) - http://www.citibank...._ie8/INIS70.cab
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - http://www.citibank....r/ie8/SCSK4.cab
O16 - DPF: {3F68E1C3-39EC-4990-85E3-ABFE61AB86C5} (BugsInstaller Control) - http://dl.bugsm.co.k...gsInstaller.cab
O16 - DPF: {4C68DACE-E6BC-4650-9C7E-D036720CA729} (Nps Control) - http://image.gmarket.../tyscan/nps.cab
O16 - DPF: {5025DF8C-595F-44AD-B64F-81C986E1AFDC} (DSCertManagerXV Class) - http://www.dla.go.kr...rtManagerXV.cab
O16 - DPF: {65C5B3CE-9410-4CEF-B9B0-956E2460F325} (DSProxyXV Class) - http://www.dla.go.kr...p/DSProxyXV.cab
O16 - DPF: {77AB1CE3-41B3-49B5-8836-1FBC07FE452D} (MLReport Class) - http://www.hrd.go.kr...rt/MLReport.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://download.soft.../xw_install.cab
O16 - DPF: {81B14C2D-6436-42C6-83EC-F60DEF852AEC} (MakeShortCut Control) - http://www.gmarket.c...akeShortCut.cab
O16 - DPF: {99806ADD-C5EF-4632-A3D0-3E778B051F94} (MASetupCaller Class) - http://www.csafer.ne...izard_vista.cab
O16 - DPF: {A1D886C6-4039-4451-97A9-515F5BE5D4C2} (mkdplusCtrl Class) - http://platform.nexo...lab/mkdplus.cab
O16 - DPF: {CB5C683C-416A-4701-B018-0F1B21D64D6B} (SKCInst1 Class) - http://cyimg7.cyworl...age/skcinst.cab
O16 - DPF: {CEA0326D-CF4F-4B49-B903-C39ACEA9B8AC} (UtilDownLauncher Class) - http://down.autoutil...ownLauncher.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://vbv.shinhanc...popup/npkcx.cab
O16 - DPF: {D912AABC-6CB0-416F-85B6-CABBB86FD558} (INIwallet60 Control) - http://plugin.inicis...INIwallet60.cab
O16 - DPF: {DC4207CE-C03E-4449-ACB1-032CA4137053} (Npz Control) - http://download.kbst...tizenv4/npz.cab
O16 - DPF: {E3FA6DAA-04BF-4AEF-9612-341B2B7A25FC} (Payplus Client Control) - https://pay.kcp.co.k...ile/payplus.cab
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - http://www.vpay.co.k.../KVPISPCTLD.cab
O16 - DPF: {F6E7ECCE-6E60-4681-8D9B-4BBC12A07110} (GWallCtrl Class) - http://www.gmarket.c..._1810/GWall.cab
O16 - DPF: {FCFB03F0-DC81-45B1-AC98-2BE2527B7103} (MLInstallerV Class) - http://www.dla.go.kr...LInstallerV.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{27B3A2A3-495F-40E3-91E5-33C860DB849E}: NameServer = 168.126.63.1,192.168.0.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: s-http - {D37E6C5F-1C0F-47C0-A3B6-403EEC555402} - C:\Program Files\INITECH\SHTTP\InitechSHTTPInterface.10115.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Micro Star SCM - Unknown owner - C:\Program Files\System Control Manager\MSIService.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcmsvc.exe
O23 - Service: PC Tools Auxiliary Service (sdauxservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 12537 bytes
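The HijackThis log above is what the helper reads to pick out the entries that do not belong. As an added illustration that is not part of this thread, the Python below parses O2 (BHO) and O4 (Run key) lines and applies the kind of checks a malware-removal helper applies by eye: a BHO whose file is missing or which is not a DLL, and a Run entry that launches from a per-user data directory, from a rooted path without a drive letter, or whose name is registered under more than one hive. The sample lines are copied from the log above; the flag names, regexes and heuristics are my own, not a HijackThis feature.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: lines copied from the HijackThis log posted above, mixing
# known-good entries with the ones the later MBAM run quarantined.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: uiwn1 - {19AAAA41-568A-450E-9CD5-6D3C06321790} - C:\PROGRA~1\uracn2\uracn2.dll (file missing)
O2 - BHO: WinAWRCls - {6079C124-AD20-40AF-BB9E-3BCED480A98F} - C:\WINDOWS\system32\winawrcls.dat
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [yomqinmm] C:\Documents and Settings\CKA\Local Settings\Application Data\phvtmb\itvrsftav.exe
O4 - HKCU\..\Run: [yomqinmm] C:\Documents and Settings\CKA\Local Settings\Application Data\phvtmb\itvrsftav.exe
O4 - HKLM\..\Run: [Redemption] "\redemption.exe" /STARTUP
"""

# Line shapes for the two HijackThis sections handled here (my own regexes).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# User-writable per-profile directories that XP autostart entries rarely point into.
USER_DATA_RE = re.compile(r"\\(Local Settings\\Application Data|Application Data|Local Settings\\Temp)\\",
                          re.IGNORECASE)


@dataclass
class Entry:
    section: str   # "O2" or "O4"
    scope: str     # CLSID for O2, registry hive for O4
    name: str
    target: str    # module path (O2) or command line (O4)
    flags: list = field(default_factory=list)


def parse(log_text):
    """Turn O2 and O4 lines into Entry objects; every other line is ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O2_RE.match(line)
        if m:
            entries.append(Entry("O2", m["clsid"], m["name"], m["path"]))
            continue
        m = O4_RE.match(line)
        if m:
            entries.append(Entry("O4", m["hive"], m["name"], m["cmd"]))
    return entries


def executable_of(cmd):
    """Return the program path from a Run-key command line.

    Quoted paths are taken verbatim; unquoted paths may contain spaces, so the
    first token ending in .exe is used instead of the first whitespace-separated word.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd.split('"')[1]
    m = re.match(r"(.*?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def triage(log_text):
    """Return only the entries that trip at least one heuristic (my own flag names)."""
    entries = parse(log_text)
    # Same Run name under several hives is a corroborating signal only: benign
    # entries such as ctfmon.exe are also registered per user.
    run_names = Counter(e.name.lower() for e in entries if e.section == "O4")
    for e in entries:
        if e.section == "O2":
            if e.target.endswith("(file missing)") or e.target == "(no file)":
                e.flags.append("file-missing")          # orphaned CLSID registration
            elif not e.target.lower().endswith(".dll"):
                e.flags.append("non-dll-module")        # BHO loaded from .dat etc.
        else:
            exe = executable_of(e.target)
            if USER_DATA_RE.search(e.target):
                e.flags.append("runs-from-user-profile")
            if exe.startswith("\\"):
                e.flags.append("rooted-path-without-drive")
            if run_names[e.name.lower()] > 1:
                e.flags.append("same-name-in-multiple-hives")
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section} {e.scope:<40} {e.name:<12} {', '.join(e.flags)}")
```

Run it as a script to print the flagged entries. A flag is a prompt to look closer, not a verdict, which is why the MBAM and ComboFix runs later in the thread are still needed to confirm and remove what the log only hints at.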

#2 jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • 15,819 posts

Posted 09 March 2010 - 11:34 AM

Hi,

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot of the ComboFix message not reproduced]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#3 fier

    Member

  • Full Member
  • 8 posts

Posted 10 March 2010 - 12:13 AM

Thanks very much for that. I followed your instructions, here's the pasted text from ComboFix.txt:


ComboFix 10-03-09.04 - CKA 0/2010 Wed 13:23:42.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.949.1.1042.18.1013.601 [GMT 9:00]
Running from: C:\Documents and Settings\CKA\바탕 화면\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\CKA\시작 메뉴\프로그램\시작프로그램\MagicDisc.lnk
C:\LOG.TXT
C:\Program Files\Nate
C:\Program Files\ulineguide\ulINeguidepack.dll
C:\WINDOWS\system32\ieuinit.inf
C:\WINDOWS\system32\npkpdb.dll
C:\WINDOWS\system32\npz.ocx

.

#4 jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • 15,819 posts

Posted 10 March 2010 - 03:55 AM

Hi again,

You have only posted a small part of a normal ComboFix log; can you please post the complete log? If this was all there was, please also let me know.


#5 fier

    Member

  • Full Member
  • 8 posts

Posted 11 March 2010 - 08:22 PM

Hey again there,

Yes that's all there was in the file unfortunately. Please advise what I should do, thanks!

#6 jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • 15,819 posts

Posted 12 March 2010 - 03:25 AM

Hi again,

OK, please do the following:

Go to Start > Run and copy and paste the next command into the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Next:

* Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


#7 fier

    Member

  • Full Member
  • 8 posts

Posted 16 March 2010 - 12:02 AM

Hey thanks for the further reply, I followed your instructions and below are the logs you mentioned:


MBAM log:

Malwarebytes' Anti-Malware 1.44
Database version: 3872
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

3/16/2010 1:51:48 PM
mbam-log-2010-03-16 (13-51-48).txt

Scan type: Quick Scan
Objects scanned: 115347
Time elapsed: 6 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 16
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\winawrcls.winawrcls (Trojan.Agent.K) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6079c124-ad20-40af-bb9e-3bced480a98f} (Trojan.Agent.K) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6079c124-ad20-40af-bb9e-3bced480a98f} (Trojan.Agent.K) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6079c124-ad20-40af-bb9e-3bced480a98f} (Trojan.Agent.K) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\winawucls.winawucls (Adware.UtilGuide) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d5fa9678-c772-4759-810f-93911474f63e} (Adware.Ulineguide) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{84626512-e565-4911-87bf-b51418162071} (Adware.Ulineguide) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{19aaaa41-568a-450e-9cd5-6d3c06321790} (Adware.Unovt) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{19aaaa41-568a-450e-9cd5-6d3c06321790} (Adware.Unovt) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\okun1 uninstall (Adware.Unovt) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\uracn2.uiwn1 (Adware.Unovt) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\uawan2.unoqun1 (Adware.Unovt) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\uawan2 (Adware.Unovt) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\usyan2 (Adware.Overtls) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\okun1 (Adware.Unovt) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\ulineguidepack.DLL (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yomqinmm (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yomqinmm (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\ulineguide (Adware.Ulineguide) -> Quarantined and deleted successfully.
C:\Program Files\okun1 (Adware.Unovt) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\winawrcls.dat (Trojan.Agent.K) -> Quarantined and deleted successfully.
C:\Program Files\okun1\uninstall.exe (Adware.Unovt) -> Quarantined and deleted successfully.



HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:58:35 PM, on 3/16/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\System Control Manager\MGSysCtrl.exe
C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\MSI\MSI Q-Face\webtest.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MarkAny\ContentSAFER\MAAgent.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\System Control Manager\MSIService.exe
C:\WINDOWS\system32\npkcmsvc.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: uiwn1 - {19AAAA41-D6E1-4CCE-B793-2C34E44D5C43} - C:\PROGRA~1\ucucn2\ucucn2.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files\System Control Manager\MGSysCtrl.exe
O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
O4 - HKLM\..\Run: [Q-Face agent] C:\Program Files\MSI\MSI Q-Face\webtest.exe
O4 - HKLM\..\Run: [Korean IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEKR\IMKRMIG.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSAFER\MAAgent.exe
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [AutoUtil] C:\Program Files\AutoUtil\AutoUtil.exe
O4 - HKLM\..\Run: [Redemption] "\redemption.exe" /STARTUP
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.msi.com.tw
O15 - Trusted Zone: http://*.wedisk.co.kr
O15 - Trusted Zone: http://*.wedisk.net
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {20BBA18F-5BC8-47B5-8FC9-5DFCA8E56A4B} (XacsPop Control) - http://mpi.dacom.net...PI_20090320.cab
O16 - DPF: {39461460-2552-4D51-A062-3AB6A7B902E9} (INISAFE Updater Control) - http://www.citibank...._ie8/INIS70.cab
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - http://www.citibank....r/ie8/SCSK4.cab
O16 - DPF: {3F68E1C3-39EC-4990-85E3-ABFE61AB86C5} (BugsInstaller Control) - http://dl.bugsm.co.k...gsInstaller.cab
O16 - DPF: {4C68DACE-E6BC-4650-9C7E-D036720CA729} (Nps Control) - http://image.gmarket.../tyscan/nps.cab
O16 - DPF: {5025DF8C-595F-44AD-B64F-81C986E1AFDC} (DSCertManagerXV Class) - http://www.dla.go.kr...rtManagerXV.cab
O16 - DPF: {65C5B3CE-9410-4CEF-B9B0-956E2460F325} (DSProxyXV Class) - http://www.dla.go.kr...p/DSProxyXV.cab
O16 - DPF: {77AB1CE3-41B3-49B5-8836-1FBC07FE452D} (MLReport Class) - http://www.hrd.go.kr...rt/MLReport.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://download.soft.../xw_install.cab
O16 - DPF: {81B14C2D-6436-42C6-83EC-F60DEF852AEC} (MakeShortCut Control) - http://www.gmarket.c...akeShortCut.cab
O16 - DPF: {99806ADD-C5EF-4632-A3D0-3E778B051F94} (MASetupCaller Class) - http://www.csafer.ne...izard_vista.cab
O16 - DPF: {A1D886C6-4039-4451-97A9-515F5BE5D4C2} (mkdplusCtrl Class) - http://platform.nexo...lab/mkdplus.cab
O16 - DPF: {CB5C683C-416A-4701-B018-0F1B21D64D6B} (SKCInst1 Class) - http://cyimg7.cyworl...age/skcinst.cab
O16 - DPF: {CEA0326D-CF4F-4B49-B903-C39ACEA9B8AC} (UtilDownLauncher Class) - http://down.autoutil...ownLauncher.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://vbv.shinhanc...popup/npkcx.cab
O16 - DPF: {D912AABC-6CB0-416F-85B6-CABBB86FD558} (INIwallet60 Control) - http://plugin.inicis...INIwallet60.cab
O16 - DPF: {E3FA6DAA-04BF-4AEF-9612-341B2B7A25FC} (Payplus Client Control) - https://pay.kcp.co.k...ile/payplus.cab
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - http://www.vpay.co.k.../KVPISPCTLD.cab
O16 - DPF: {F6E7ECCE-6E60-4681-8D9B-4BBC12A07110} (GWallCtrl Class) - http://www.gmarket.c..._1810/GWall.cab
O16 - DPF: {FCFB03F0-DC81-45B1-AC98-2BE2527B7103} (MLInstallerV Class) - http://www.dla.go.kr...LInstallerV.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{27B3A2A3-495F-40E3-91E5-33C860DB849E}: NameServer = 168.126.63.1,192.168.0.1
O18 - Protocol: s-http - {D37E6C5F-1C0F-47C0-A3B6-403EEC555402} - C:\Program Files\INITECH\SHTTP\InitechSHTTPInterface.10115.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Micro Star SCM - Unknown owner - C:\Program Files\System Control Manager\MSIService.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcmsvc.exe
O23 - Service: PC Tools Auxiliary Service (sdauxservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 10595 bytes

#8 jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • 15,819 posts

Posted 16 March 2010 - 06:17 AM

Hi again,

How is the PC running now? Any further alerts from your AV?


#9 fier

    Member

  • Full Member
  • 8 posts

Posted 20 March 2010 - 10:56 AM

Hi, I just ran the scan from Spyware Doctor. It still detected some trojan.generic (4 infections) and Application.NirCmd (111 infections) threats. I selected Fix Checked and it says they had all been cleaned, but I think they may pop up again.

Please advise what I can further do to nip it in the bud, thank you.

#10 jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • 15,819 posts

Posted 21 March 2010 - 07:35 AM

Hi again,

Those may be remnants residing in System Restore, but let's check. Let's try ComboFix again:

1. Download this file - ComboFix
2. Double-click ComboFix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Also, please do the following: run a BitDefender Online scan Here and post the results.

jedi

#11 fier

    Member

  • Full Member
  • 8 posts

Posted 21 March 2010 - 05:43 PM

Okay, I've run both ComboFix and the BitDefender online scan. Please see the results below.

ComboFix.txt:

ComboFix 10-03-20.06 - CKA 2/2010 Mon 0:59:19.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.949.1.1042.18.1013.441 [GMT 9:00]
Running from: C:\Documents and Settings\CKA\바탕 화면\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\PROGRA~1\ucucn2\ucUCn2.dll

Infected copy of C:\WINDOWS\system32\drivers\ntfs.sys was found and disinfected
Restored copy from - C:\WINDOWS\I386\NTFS.SYS




BitDefender results:

BitDefender QuickScan Beta 32-bit v0.9.9.10
-------------------------------------------

Scan date: Mon Mar 22 07:39:21 2010
Machine ID: DC60B3E0

Process BDTUpdateService.exe (1812) - Trojan.FakeAlert.5


Found 2 infected files!
-------------------------
c:\program files\spyware doctor\bdt\pctbrowserdefender.dll - Trojan.FakeAlert.5
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe - Trojan.FakeAlert.5


Processes
---------
<unsigned> Bluetooth Stack for Windows by TOSHIBA 3272 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
<unsigned> Bluetooth Stack for Windows by TOSHIBA 3412 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
<unsigned> MaAgent 응용 프로그램 1712 C:\Program Files\MarkAny\ContentSAFER\MAAgent.exe
<unsigned> MSI_QFace 924 C:\Program Files\MSI\MSI Q-Face\webtest.exe
<unsigned> MSIService.exe 780 C:\Program Files\System Control Manager\MSIService.exe
<unsigned> nProtect KeyCrypt Manager Service 1444 C:\WINDOWS\system32\npkcmsvc.exe

<verified> Apple Mobile Device Service 1700 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
<verified> Bluetooth Stack for Windows by Toshiba 3604 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
<verified> Bluetooth Stack for Windows by TOSHIBA 2216 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
<verified> Bluetooth Stack for Windows by TOSHIBA 152 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
<verified> Bonjour 1760 C:\Program Files\Bonjour\mDNSResponder.exe
<verified> Firefox 3136 C:\Program Files\Mozilla Firefox\firefox.exe
<verified> Intel® Common User Interface 604 C:\WINDOWS\system32\hkcmd.exe
<verified> Intel® Common User Interface 612 C:\WINDOWS\system32\igfxpers.exe
<verified> Intel® Common User Interface 820 C:\WINDOWS\system32\igfxsrvc.exe
<verified> Intel® Common User Interface 556 C:\WINDOWS\system32\igfxtray.exe
<verified> Intuit Update Service 364 C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
<verified> iTunes 3964 C:\Program Files\iPod\bin\iPodService.exe
<verified> iTunes 1548 C:\Program Files\iTunes\iTunesHelper.exe
<verified> Microsoft Malware Protection 1248 C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
<verified> Microsoft Security Essentials 2060 C:\Program Files\Microsoft Security Essentials\msseces.exe
<verified> Microsoft® Windows® Operating Syste 800 C:\WINDOWS\system32\winlogon.exe
<verified> Microsoft® Windows® Operating System 1860 C:\WINDOWS\Explorer.EXE
<verified> Microsoft® Windows® Operating System 3848 C:\WINDOWS\Explorer.EXE
<verified> Microsoft® Windows® Operating System 1780 C:\WINDOWS\System32\alg.exe
<verified> Microsoft® Windows® Operating System 372 C:\WINDOWS\system32\conime.exe
<verified> Microsoft® Windows® Operating System 768 C:\WINDOWS\system32\csrss.exe
<verified> Microsoft® Windows® Operating System 856 C:\WINDOWS\system32\lsass.exe
<verified> Microsoft® Windows® Operating System 1480 C:\WINDOWS\system32\NOTEPAD.EXE
<verified> Microsoft® Windows® Operating System 844 C:\WINDOWS\system32\services.exe
<verified> Microsoft® Windows® Operating System 700 C:\WINDOWS\System32\smss.exe
<verified> Microsoft® Windows® Operating System 1960 C:\WINDOWS\system32\spoolsv.exe
<verified> Microsoft® Windows® Operating System 528 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 1600 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 1652 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 1508 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 1296 C:\WINDOWS\System32\svchost.exe
<verified> Microsoft® Windows® Operating System 1344 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 1072 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 1012 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 2532 C:\WINDOWS\system32\wbem\unsecapp.exe
<verified> Microsoft® Windows® Operating System 2964 C:\WINDOWS\system32\wbem\wmiprvse.exe
<verified> Microsoft® Windows® Operating System 3872 C:\WINDOWS\system32\wuauclt.exe
<verified> Realtek HD Audio Sound Effect Manager 1824 C:\WINDOWS\RTHDCPL.EXE
<verified> Threat Expert Ltd. Browser Defender 1812 C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
<verified> Virtual CloneDrive 1588 C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe


Network activity
----------------
Process firefox.exe (3136) connected on port 80 (HTTP) - 96.16.244.20
Process firefox.exe (3136) connected on port 80 (HTTP) - 199.7.48.190
Process firefox.exe (3136) connected on port 80 (HTTP) - 72.247.205.115
Process firefox.exe (3136) connected on port 80 (HTTP) - 199.7.71.190
Process firefox.exe (3136) connected on port 80 (HTTP) - 64.18.25.38
Process firefox.exe (3136) connected on port 80 (HTTP) - 208.51.221.9
Process firefox.exe (3136) connected on port 80 (HTTP) - 74.125.95.102

Process svchost.exe (1072) listens on ports: 135 (RPC)


Autoruns and critical files
---------------------------
<unsigned> AutoUtil.exe C:\Program Files\AutoUtil\AutoUtil.exe
<unsigned> MaAgent 응용 프로그램 C:\Program Files\MarkAny\ContentSAFER\MAAgent.exe
<unsigned> macsmanager.dll c:\program files\markany\contentsafer\macsmanager.dll
<unsigned> MSI_QFace C:\Program Files\MSI\MSI Q-Face\webtest.exe
<unsigned> QuickTime C:\Program Files\QuickTime\qttask.exe
<unsigned> System Control Manager C:\Program Files\System Control Manager\MGSysCtrl.exe

<verified> Adobe CS4 Service Manager C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
<verified> Apple Software Update C:\Program Files\Apple Software Update\SoftwareUpdate.exe
<verified> Bluetooth Stack for Windows by Toshiba C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
<verified> Intel® Common User Interface C:\WINDOWS\system32\hkcmd.exe
<verified> Intel® Common User Interface C:\WINDOWS\system32\igfxdev.dll
<verified> Intel® Common User Interface C:\WINDOWS\system32\igfxpers.exe
<verified> Intel® Common User Interface C:\WINDOWS\system32\igfxtray.exe
<verified> iTunes C:\Program Files\iTunes\iTunesHelper.exe
<verified> Microsoft IME 2002 C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE
<verified> Microsoft Malware Protection c:\Program Files\Microsoft Security Essentials\MpCmdRun.exe
<verified> Microsoft Security Essentials C:\Program Files\Microsoft Security Essentials\msseces.exe
<verified> Microsoft® Office IME 2007 C:\Program Files\Common Files\Microsoft Shared\IME12\IMEKR\IMKRMIG.EXE
<verified> Microsoft® Windows® Operating Syste C:\WINDOWS\system32\crypt32.dll
<verified> Microsoft® Windows® Operating Syste C:\WINDOWS\system32\sclgntfy.dll
<verified> Microsoft® Windows® Operating Syste c:\windows\system32\userinit.exe
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\browseui.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\cryptnet.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\cscdll.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\dimsntfy.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\logonui.exe
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\shell32.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\stobject.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\webcheck.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\wlnotify.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\WPDShServiceObj.dll
<verified> Realtek HD Audio Sound Effect Manager C:\WINDOWS\RTHDCPL.EXE
<verified> Virtual CloneDrive C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
<verified> 新注音 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE


Browser plugins
---------------
<unsigned> BitCometAgent C:\Program Files\Mozilla Firefox\plugins\npBitCometAgent.dll
<unsigned> Bonjour C:\Program Files\Bonjour\mdnsNSP.dll
<unsigned> DSCertManagerXV Module C:\WINDOWS\Downloaded Program Files\DSCertManagerXV.dll
<unsigned> DSProxyXV Module C:\WINDOWS\Downloaded Program Files\DSProxyXV.dll
<unsigned> GWall Module C:\WINDOWS\Downloaded Program Files\GWall.dll
<unsigned> IBitCometExtension.dll C:\Documents and Settings\CKA\Application Data\Mozilla\Firefox\Profiles/mphnby93.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
<unsigned> Infraware Co. ML Report C:\WINDOWS\Downloaded Program Files\MLReportCtrl.dll
<unsigned> KvpIspCtlD ActiveX Control Module C:\WINDOWS\Downloaded Program Files\KvpIspCtlD.ocx
<unsigned> MakeShortCut ActiveX Control Module C:\WINDOWS\Downloaded Program Files\MakeShortCut.ocx
<unsigned> MLInstallerV Module C:\WINDOWS\Downloaded Program Files\MLInstallerV.dll
<unsigned> npitunes.dll C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
<unsigned> QuickTime Plug-in 7.6.2 C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
<unsigned> QuickTime Plug-in 7.6.2 C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
<unsigned> QuickTime Plug-in 7.6.2 C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
<unsigned> QuickTime Plug-in 7.6.2 C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
<unsigned> QuickTime Plug-in 7.6.2 C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
<unsigned> QuickTime Plug-in 7.6.2 C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
<unsigned> 안심클릭 C:\WINDOWS\Downloaded Program Files\XacsPopProj1.ocx

<verified> AcroIEHelper Library C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
<verified> AdminTask Module C:\WINDOWS\Downloaded Program Files\AdminTask.dll
<verified> Adobe® Flash® Player ActiveX C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
<verified> AhnLab MyKeyDefense 2.5 C:\Program Files\AhnLab\ASP\MyKeyDefense 2.5\npmkd25aos.dll
<verified> BitCometBHO c:\program files\bitcomet\tools\bitcometbho_1.3.3.2.dll
<verified> BitDefender QuickScan C:\Documents and Settings\CKA\Application Data\Mozilla\Firefox\Profiles/mphnby93.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
<verified> BitDefender QuickScan C:\Documents and Settings\CKA\Application Data\Mozilla\Firefox\Profiles/mphnby93.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
<verified> Facebook Photo Uploader 5 C:\WINDOWS\Downloaded Program Files\PhotoUploader5.ocx
<verified> gomtvx NIE Module C:\Program Files\Mozilla Firefox\plugins\NPGomtvx_nie.dll
<verified> INIwallet60 ActiveX Control Module C:\WINDOWS\Downloaded Program Files\INIwallet60.ocx
<verified> Messenger C:\Program Files\Messenger\msmsgs.exe
<verified> Microsoft® Windows® Operating Syste C:\WINDOWS\system32\mswsock.dll
<verified> Microsoft® Windows Live Login Helper c:\program files\common files\microsoft shared\windows live\windowslivelogin.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\rsvpsp.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\shdocvw.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\winrnr.dll
<verified> Mozilla Default Plug-in C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
<verified> Nexon Game Controller C:\Documents and Settings\All Users\Application Data\Nexon\NGM\npNxGame.dll
<verified> NPSWF32.dll C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
<verified> Threat Expert Ltd. Browser Defender c:\program files\spyware doctor\bdt\pctbrowserdefender.dll
<verified> Windows Genuine Advantage C:\Program Files\Mozilla Firefox\plugins\npLegitCheckPlugin.dll
<verified> Windows Presentation Foundation C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll


Missing files
-------------
File not found: C:\DOCUME~1\CKA\LOCALS~1\Temp\catchme.sys
referenced in: HKLM\System\ControlSet001\services\catchme\Parameters\"ImagePath"

File not found: C:\DOCUME~1\CKA\LOCALS~1\Temp\mbr.sys
referenced in: HKLM\System\ControlSet001\services\mbr\Parameters\"ImagePath"

File not found: C:\WINDOWS\System32\appmgmts.dll
referenced in: HKLM\System\ControlSet001\services\AppMgmt\Parameters\"ServiceDll"

File not found: C:\WINDOWS\system32\drivers\EagleNT.sys
referenced in: HKLM\System\ControlSet001\services\EagleNT\Parameters\"ImagePath"

File not found: \redemption.exe
referenced in: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"Redemption"

File not found: system32\drivers\scsk5.sys
referenced in: HKLM\System\ControlSet001\services\scsk5\Parameters\"ImagePath"


Scan
----

The following file(s) must be uploaded for server-side scanning:
C:\Program Files\AutoUtil\AutoUtil.exe

Upload started - 1 file(s)
C:\Program Files\AutoUtil\AutoUtil.exe (914432)
Upload speed - 28 KB/s
Upload finished - 1 uploaded, 0 failed

The uploaded file(s) were found clean.

Scan finished - communication took 35 sec
Total traffic - 0.96 MB sent, 3.26 KB recvd
Scanned 1078 files and modules - 174 seconds
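
As an added triage example (not code from this thread, and not BitDefender's own tooling), the QuickScan report above reduced to what a helper reads first: the detections, autorun entries whose signature did not verify, and registry references to files that no longer exist. The sample report inside the block is constructed from a few lines of the report above; `parse_quickscan`, `Triage` and `detections_on_verified_files` are names this example introduces.

```python
"""Triage a BitDefender QuickScan text report (added example; not code from the
thread or from BitDefender). It walks the report's section layout and pulls out every
detection, autorun entries whose publisher signature did not verify, and registry
references whose target file is missing. "Unsigned" is not "malicious" (most unsigned
entries above are vendor tools); a detection on a <verified> file deserves a second look."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DASH_RE = re.compile(r"^-{3,}\s*$")                   # rule printed under every section title
INFECTED_HDR_RE = re.compile(r"^Found (\d+) infected files!")
PROCESS_RE = re.compile(r"^Process (\S+) \((\d+)\) - (\S+)$")   # "Process x.exe (pid) - Name"
# "<unsigned|verified> description [pid] X:\path": Processes, Autoruns and Browser plugins lines
SIGNED_RE = re.compile(r"^<(unsigned|verified)> (.+?) (?:(\d+) )?([A-Za-z]:\\.*)$")

# Constructed sample: a handful of lines copied from the report in this thread.
SAMPLE_REPORT = r"""BitDefender QuickScan Beta 32-bit v0.9.9.10
-------------------------------------------

Process BDTUpdateService.exe (1812) - Trojan.FakeAlert.5

Found 2 infected files!
-------------------------
c:\program files\spyware doctor\bdt\pctbrowserdefender.dll - Trojan.FakeAlert.5
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe - Trojan.FakeAlert.5

Processes
---------
<verified> Threat Expert Ltd. Browser Defender 1812 C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe

Network activity
----------------
Process firefox.exe (3136) connected on port 80 (HTTP) - 96.16.244.20

Autoruns and critical files
---------------------------
<unsigned> AutoUtil.exe C:\Program Files\AutoUtil\AutoUtil.exe
<unsigned> System Control Manager C:\Program Files\System Control Manager\MGSysCtrl.exe
<verified> iTunes C:\Program Files\iTunes\iTunesHelper.exe

Missing files
-------------
File not found: \redemption.exe
referenced in: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"Redemption"

File not found: C:\WINDOWS\system32\drivers\EagleNT.sys
referenced in: HKLM\System\ControlSet001\services\EagleNT\Parameters\"ImagePath"
"""

@dataclass
class Triage:
    claimed_infected: Optional[int] = None            # the "Found N" count the report states
    detections: List[Tuple[str, str, str]] = field(default_factory=list)   # (kind, subject, name)
    unsigned_autoruns: List[str] = field(default_factory=list)
    orphaned_refs: List[Tuple[str, str]] = field(default_factory=list)    # (missing file, registry ref)
    signatures: Dict[str, str] = field(default_factory=dict)   # lower-cased path -> unsigned|verified

def parse_quickscan(report: str) -> Triage:
    lines = [ln.rstrip() for ln in report.splitlines()]
    t, section, missing = Triage(), "", None
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and DASH_RE.match(lines[i + 1]):   # a title: the next line is dashes
            section = line
            m = INFECTED_HDR_RE.match(line)
            if m:
                t.claimed_infected = int(m.group(1))
            continue
        m = PROCESS_RE.match(line)          # "connected on port" network lines do not match
        if m:
            t.detections.append(("process", f"{m.group(1)} ({m.group(2)})", m.group(3)))
            continue
        m = SIGNED_RE.match(line)           # signature status is recorded from every section
        if m:
            status, path = m.group(1), m.group(4)
            t.signatures[path.lower()] = status           # Windows paths compare case-insensitively
            if status == "unsigned" and section == "Autoruns and critical files":
                t.unsigned_autoruns.append(path)
            continue
        if section.startswith("Found "):                  # "path - DetectionName"
            path, sep, name = line.rpartition(" - ")
            if sep:
                t.detections.append(("file", path, name))
        elif section == "Missing files":                  # two-line records
            if line.startswith("File not found: "):
                missing = line[len("File not found: "):]
            elif line.startswith("referenced in: ") and missing is not None:
                t.orphaned_refs.append((missing, line[len("referenced in: "):]))
                missing = None
    return t

def detections_on_verified_files(t: Triage) -> List[str]:
    """Detected files that the same report lists as <verified>: check those before deleting."""
    return [subj for kind, subj, _ in t.detections
            if kind == "file" and t.signatures.get(subj.lower()) == "verified"]

if __name__ == "__main__":
    triage = parse_quickscan(SAMPLE_REPORT)
    print(triage.detections, triage.unsigned_autoruns, triage.orphaned_refs, detections_on_verified_files(triage))
```

Run it against a full saved report by passing the file's text to `parse_quickscan`; the orphaned references are the registry entries a helper would inspect next, and an entry in `detections_on_verified_files` is a cue to confirm the detection with the vendor before removing a signed file.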

#12 jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • 15,819 posts

Posted 23 March 2010 - 12:21 AM

Hi again,

Good, that's better.

Do Start->Control Panel->System, System restore. Check "Turn off System Restore" and reboot. That will erase all restore points.
After reboot, go back in and turn System Restore back on.

Now create a new restore point:
http://bertk.mvps.or...l/createrp.html

Let me know how the PC is running.

jedi

#13 fier

    Member

  • Full Member
  • 8 posts

Posted 25 March 2010 - 10:26 PM

Hello again.

I did what you suggested and everything seemed to be operating well, until all of a sudden I got some popups on my screen. I think they might be fake security-type messages telling me to update my antivirus software, security alerts that my computer is infected, etc. I don't click on them as they look suspicious. Please let me know how to make it go away, and as always thanks very much for your help.

#14 jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • 15,819 posts

Posted 27 March 2010 - 10:03 AM

Hi again,

Download GMER from here:
http://www.gmer.net/gmer.zip

Unzip it to Desktop.

Please close any open programs/windows!

Open the program and click on the Rootkit/Malware tab.

Make sure all the boxes on the right of the screen are checked, apart from 'Show All'.

Click on Scan (1).

When the scan has run click Copy (2) and paste the results (if any) into this thread.

jedi

#15 fier

    Member

  • Full Member
  • 8 posts

Posted 28 March 2010 - 04:48 PM

Ok, I followed what you told me; the following is the pasted output from the scan. Note that this scan was run in safe mode on my laptop, as the security alerts / trojan prevent me from opening many programs in normal mode.


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-29 06:19:41
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\CKA\LOCALS~1\Temp\fwlyykow.sys


---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF757BE22]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF755CCDC]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF755CECE]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF757C610]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF757C8C4]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF757AB14]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF757CD30]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF757C0E2]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF755C982]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 11A 804E6974 2 Bytes [22, BE]
.text ntoskrnl.exe!ZwYieldExecution + 252 804E6AAC 2 Bytes [14, AB] {ADC AL, 0xab}

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip AMonTDnt.sys (AhnLab Network Filter Driver, Level 2/AhnLab, Inc.)
Device \Driver\Tcpip \Device\Tcp AMonTDnt.sys (AhnLab Network Filter Driver, Level 2/AhnLab, Inc.)
Device \Driver\Tcpip \Device\Udp AMonTDnt.sys (AhnLab Network Filter Driver, Level 2/AhnLab, Inc.)
Device \Driver\Tcpip \Device\RawIp AMonTDnt.sys (AhnLab Network Filter Driver, Level 2/AhnLab, Inc.)
Device \Driver\Tcpip \Device\IPMULTICAST AMonTDnt.sys (AhnLab Network Filter Driver, Level 2/AhnLab, Inc.)
Device \FileSystem\Fastfat \Fat F684FD20

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@ 1?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@( 1?2?3?4?5?
Reg HKLM\SYSTEM\ControlSet003\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@ 1?
Reg HKLM\SYSTEM\ControlSet003\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@( 1?2?3?4?5?
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper@t?\0 129
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper@t? 32897
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper@ 20609
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper@ 53377
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper@ 4225
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper@ 36993
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper@\24 16513
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper@\24 49281
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@FriendlyName Indeo? video 5.10 Compression Filter
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@CLSID {1F73E9B1-8C3A-11D0-A3BE-00A0C9244436}
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@FilterData 0x02 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@EncoderType 1

---- EOF - GMER 1.0.15 ----

#16 jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • 15,819 posts

Posted 29 March 2010 - 12:21 PM

Hi again,

Download the latest version of Kaspersky Virus Removal Tool
  • Close all other applications and double-click and run the installer.
  • When AVPTool starts, select all the scanable items except for CD-ROM drives and click the Scan button.
  • If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • After the scan finishes, if any threat remains in the Scan window (Red exclamation point), click the Neutralize all button
  • In the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • If advised that a special disinfection procedure is required which demands system reboot: click the Ok button to close the window.
  • In the Scan window click the Reports button and select Save to file.
  • Name the report AVPT.txt, and save it to the Desktop.
  • Close AVPTool.
  • You will be prompted if you want to uninstall the program; click Yes.
  • You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
  • Copy and paste the first part of the report (Detected) that you saved in your next reply. Do not include the longer list marked Events.
jedi

#17 jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • 15,819 posts

Posted 12 May 2010 - 10:46 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
jedi
