Status: Not open for further replies. (1 - 10 of 10 Posts)

Registered · 4 Posts · Discussion Starter #1
I just seem to be having some weird problems with this computer.

Runs on XP Pro w/SP1. Today I was trying to access 2 particular sites and it wouldn't display the pages, so I tried it at another computer and it was working fine. I thought it could've been the network or so.

There are a lot of startup items that I'm not familiar with, so I came here for help. Maybe someone can tell me what is legit and what is not. Oh, also CPU usage is ridiculous. Windows lags when opening up and there are a lot of crashes.
And I ran Ad-Aware and an online scan. Found a file? called something like "hothookkey"? It was a keylogger anyhow...

I used the analyzer to get the new log file. Followed directions from the thread I read above this one.
Thanks in advance..


Here is the log:

====================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 10:41:28 PM, on 10/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\SPACE INTERNATIONAL\CDSpace 4.1\LCDPlyer.exe
C:\WINDOWS\System32\conime.exe

O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\08l3xhl.dll (file missing)
O2 - BHO: (no name) - {818310C4-7673-4951-B092-A89F3C106846} - C:\WINDOWS\System32\rsvpsp32.dll (file missing)
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [6] "C:\WINDOWS\System32\6.vbs "
O4 - HKLM\..\Run: [System.exe] C:\WINDOWS\BrooDat.mpq.dat.vbs
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - Global Startup: LCDPlayer.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg4.cyworld.nate.com/ImageUpload/CyImageUpload2.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {0C90C10C-96D0-43CE-906B-A64201E7A473} (NxPlayer Control) - http://file.popdj.tv/popdj/nfxFile/Tools/NxPlayer.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {18D63578-EA2F-4A59-A49A-7F62E6B3DF3E} (ImP3 Control) - http://activexdown.paran.com/paranactivex/data/ImP3.cab
O16 - DPF: {25B1B4C6-BB14-4D2A-A57C-1EB08A5021CD} (PandoraTVControl Control) - http://www.4725.com/EnjStudioEditor/Cab/PandoraTVControl.cab
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
O16 - DPF: {555A4F4F-4158-494E-4744-020001000008} -
O16 - DPF: {555A4F4F-4158-494E-4744-050001000204} -
O16 - DPF: {555A4F4F-4158-494E-5054-010001000200} -
O16 - DPF: {5586077A-2041-4710-8F2E-0D5060D0378D} (Kdfense Control) - http://kings.cachenet.com/kdfx215/kdfense.cab
O16 - DPF: {60F039CE-9490-4361-A769-5419FD166359} (egnInstallXCtrl2 Control) - http://empasweb.nefficient.co.kr/empas/gamenara/egnInstallXCtrl2.cab
O16 - DPF: {68253470-5D4F-4CDF-8D9C-353C14A2F013} (SVPorsche Control) - http://www.seemedia.co.kr/products/lu/sm4355/kor/188/SVPorsche.cab
O16 - DPF: {742762DA-F5C6-46A2-8ADA-5B508FF16988} (p3ogset Class) - http://203.245.32.75/p3test/p3ogset.cab
O16 - DPF: {7606693A-C18D-4567-AF85-6194FF70761E} (GomWeb Control) - http://app.ipop.co.kr/gom/GomWeb.cab
O16 - DPF: {799BB2EC-572A-42A9-84AD-112806F4F551} (Imweb Control) - http://activexdown.paran.com/paranactivex/data/imweb.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://download.mgame.com/download/cab/mgmanagerv1001.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://with.gseshop.co.kr/XecureObject/xw_install.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9_1/dmcc2.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {9938DDF0-9B5E-4D77-8387-4DD8AFCA1DEB} (WebHardLauncher Control) - http://program.webhard.co.kr/Plus/whexplorer/WebHardLauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A1832535-5218-42F9-8959-19E2BCABFABF} (INIwallet50 Control) - http://plugin.inicis.com/wallet50/INIwallet50.cab
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworld.nate.com/cymusic/package/skcbgmset.cab
O16 - DPF: {A977FF0C-8757-4E76-8533-482F91946233} (Neowiz Login Control) - http://dl.sayclub.com/sayclub/sayctl/sayax.cab
O16 - DPF: {AA68C1C8-7012-4E62-ADCD-120F170E592E} (HWHTMLEDIT Control) - http://www.ongamenet.com/service/board/HwHtmlEd.cab
O16 - DPF: {B3DE64C0-1AD6-41C5-9A66-1CADCE25B1D4} (MGAME SDZ Starter Class) - http://image.mgame.com/download/cab/mgsdzv2.cab
O16 - DPF: {BBA53780-591E-4C58-A0E0-A3186CB6C051} (Molcalst Control) - http://www.molcating.com/chat/chat/Molcalst.cab
O16 - DPF: {BE81B237-0EE9-40F6-BABB-0CE2C1DA7832} (ImPlayer Control) - http://activexdown.paran.com/paranactivex/data/ImPlayer.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://cdn.hangame.com/hangame/hansetup/HanSetup1008.cab
O16 - DPF: {C8EF71CC-3F2D-4854-95B5-7148D4830B31} (MGAME Game Starter V11 Class) - http://download.mgame.com/download/cab/mgamev11.cab
O16 - DPF: {E1CDC08F-F464-4682-AE6A-7689451387C0} (CAFE multiupload control) - http://cafeimg.hanmail.net/activex/dmcm.cab
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - https://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
O16 - DPF: {F7530E43-3359-42D0-B8DC-843A45028584} (Hitelontop Control) - http://manager.ongamenet.com/common/control/hitelontop.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)


End of KRC HijackThis Analyzer Log.
====================================================================
 

Registered · 2,009 Posts
Hi there and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p.

Please be patient with me during this time.


We also suggest that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".


regards
alba
 

Registered · 2,009 Posts
Hello baby179
Please read through the instructions carefully before starting the fix.

Download Accelerator (DAP) is not technically malware, but it may include malware and allow it into your system. Here is a free download manager that you could use instead: Star Downloader

===============================================

Go to Windows Update & install all available Critical Updates. Patch your system with the most current security fixes and plug all known vulnerabilities.

You do not appear to have an anti-virus application installed on this machine. Let's start off by getting you a free yet effective antivirus program. Please choose one from any of these 3 programs which are free for home use:

Once you have downloaded one of the above, make sure to update the virus definition files and run the scanner
===============================================

Before proceeding any further, please make sure HJT is in a new directory - C:\PROGRAM FILES\HIJACKTHIS\
Re-locate your HijackThis files to the new directory


===============================================


'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


This webpage would not be available when you're carrying out the fix. Please save the following instructions in Notepad. I have customised my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.



IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


===============================================



Next, reboot your computer in Safe Mode:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.


===============================================


From Control Panel->Add/Remove Programs, uninstall the following programs, if present:
  • DAP

===============================================


Run a scan with HiJackThis & select/tick the following & click "Fix checked" :

O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\08l3xhl.dll (file missing)
O2 - BHO: (no name) - {818310C4-7673-4951-B092-A89F3C106846} - C:\WINDOWS\System32\rsvpsp32.dll (file missing)
O4 - HKLM\..\Run: [6] "C:\WINDOWS\System32\6.vbs "
O4 - HKLM\..\Run: [System.exe] C:\WINDOWS\BrooDat.mpq.dat.vbs
O4 - Global Startup: LCDPlayer.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O16 - DPF: {555A4F4F-4158-494E-4744-020001000008} -
O16 - DPF: {555A4F4F-4158-494E-4744-050001000204} -
O16 - DPF: {555A4F4F-4158-494E-5054-010001000200} -
O16 - DPF: {5586077A-2041-4710-8F2E-0D5060D0378D} (Kdfense Control) - http://kings.cachenet.com/kdfx215/kdfense.cab
O16 - DPF: {68253470-5D4F-4CDF-8D9C-353C14A2F013} (SVPorsche Control) - http://www.seemedia.co.kr/products/...8/SVPorsche.cab
O16 - DPF: {742762DA-F5C6-46A2-8ADA-5B508FF16988} (p3ogset Class) - http://203.245.32.75/p3test/p3ogset.cab
O16 - DPF: {7606693A-C18D-4567-AF85-6194FF70761E} (GomWeb Control) - http://app.ipop.co.kr/gom/GomWeb.cab


Please remember to close all other windows, including browsers then click Fix checked.
===============================================

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folders
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following folders, if present:
  • C:\Program Files\DAP


Locate and delete the following files (if they exist):
  • C:\WINDOWS\system32\08l3xhl.dll
  • C:\WINDOWS\System32\rsvpsp32.dll
  • C:\WINDOWS\System32\6.vbs
  • C:\WINDOWS\BrooDat.mpq.dat.vbs


REBOOT TO NORMAL MODE


Perform an online scan with Internet Explorer at one of the following sites:
Take note the names and locations of any file it detects but fails to clean.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


===============================================


Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
  • Double-click the tmas-web-scan.exe icon
  • It will say "Loading TrendMicro definitions".
  • Click "Start Scan"
After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.

===============================================

In your next post, please include fresh logs from:
  1. HiJackThis
  2. Online scan
  3. Antispyware.log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.

Regards

alba
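The entries alba ticks above follow a few recognisable patterns: a BHO with no name or whose DLL is missing, a Run value that launches a .vbs script (or is named like an .exe but runs something else), a startup shortcut that resolves to nothing, and an O16 ActiveX download with no source URL or served from a bare IP address. The Python script below is an added example that is not part of this thread or of HijackThis; it applies those heuristics to a constructed excerpt of log lines modelled on the ones quoted in this thread, so the same rules can be run over any HijackThis log text.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed excerpt in the layout HijackThis v1.99.1 writes, modelled on the
# entries quoted in this thread; it is not a complete log.
SAMPLE_LOG = r"""
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\08l3xhl.dll (file missing)
O4 - HKLM\..\Run: [6] "C:\WINDOWS\System32\6.vbs "
O4 - HKLM\..\Run: [System.exe] C:\WINDOWS\BrooDat.mpq.dat.vbs
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - Global Startup: LCDPlayer.lnk = ?
O16 - DPF: {555A4F4F-4158-494E-4744-020001000008} -
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {742762DA-F5C6-46A2-8ADA-5B508FF16988} (p3ogset Class) - http://203.245.32.75/p3test/p3ogset.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".pif", ".scr")

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)$")
DPF_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]{36}\})(?: \((.*?)\))? -\s*(\S*)$")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


@dataclass
class Finding:
    section: str  # HijackThis section tag: O2, O4, O16, ...
    raw: str      # the log line as written
    reason: str   # why a defender should look at it


def _program_of(target):
    """Program path from a Run value, with quotes and arguments dropped."""
    m = re.match(r'^"([^"]*)"|^(.*?\.\w{1,4})(?=\s|$)', target.strip())
    return (m.group(1) or m.group(2)).strip() if m else target.strip()


def _check_o2(body):
    reasons = []
    if body.startswith("BHO: (no name)"):
        reasons.append("browser helper object registered without a name")
    if body.endswith("(file missing)"):
        reasons.append("BHO DLL is gone but the registration remains (orphan or hidden file)")
    return reasons


def _check_o4(body):
    reasons = []
    m = RUN_RE.match(body)
    if m:
        name, program = m.group(2), _program_of(m.group(3))
        if program.lower().endswith(SCRIPT_EXT):
            reasons.append(f"Run value [{name}] launches a script: {program}")
        if name.lower().endswith(".exe") and not program.lower().endswith(".exe"):
            reasons.append(f"Run value [{name}] is named like an .exe but runs {program}")
    elif body.startswith("Global Startup:") and body.endswith("= ?"):
        reasons.append("startup-folder shortcut whose target cannot be resolved")
    return reasons


def _check_o16(body):
    m = DPF_RE.match(body)
    if not m:
        return []
    clsid, _name, url = m.groups()
    if not url:
        return [f"ActiveX control {clsid} has no download URL (origin unknown)"]
    host = urlparse(url).hostname or ""
    if IPV4_RE.fullmatch(host):
        return [f"ActiveX control {clsid} was fetched from a bare IP address: {host}"]
    return []


CHECKS = {"O2": _check_o2, "O4": _check_o4, "O16": _check_o16}


def triage(log_text):
    """Return the entries of a HijackThis log that match the heuristics above."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, running-process paths, blank lines
        section, body = m.groups()
        for reason in CHECKS.get(section, lambda _body: [])(body):
            findings.append(Finding(section, line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.raw}")
```

Entries the heuristics leave alone (the SoundMAX Run value, the HouseCall control, the msnim protocol handler) still deserve a manual look; the script narrows the list, it does not replace the analyst.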
 

Registered · 4 Posts · Discussion Starter #4
Followed instructions

Sorry it took a while...
Had something in my hands, but I'm done now.

I followed instructions and am posting fresh logs from the scans.

BTW, the Trend Micro logs have eMule on them, but I just kept them since eMule is in use by me.

HijackThis gave me an error code #52? while fixing one of the items checked.
And Panda Online Scan couldn't disinfect the items. See the posted logs below.
Here are the logs:



----- Hijackthis Log----------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:23:55 PM, on 10/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [nProtectSCIKeycrypt] C:\Program Files\INCAInternet\SCIKeycrypt\SCIKeycrypt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg4.cyworld.nate.com/ImageUpload/CyImageUpload2.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {0C90C10C-96D0-43CE-906B-A64201E7A473} (NxPlayer Control) - http://file.popdj.tv/popdj/nfxFile/Tools/NxPlayer.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {18D63578-EA2F-4A59-A49A-7F62E6B3DF3E} (ImP3 Control) - http://activexdown.paran.com/paranactivex/data/ImP3.cab
O16 - DPF: {25B1B4C6-BB14-4D2A-A57C-1EB08A5021CD} (PandoraTVControl Control) - http://www.4725.com/EnjStudioEditor/Cab/PandoraTVControl.cab
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
O16 - DPF: {5E63815E-340D-47C2-BF56-E337F46CE57B} (NPkcWebInstall Control) - http://update.nprotect.net/sci/install/NPKCWebInstall.cab
O16 - DPF: {60F039CE-9490-4361-A769-5419FD166359} (egnInstallXCtrl2 Control) - http://empasweb.nefficient.co.kr/empas/gamenara/egnInstallXCtrl2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128999163187
O16 - DPF: {799BB2EC-572A-42A9-84AD-112806F4F551} (Imweb Control) - http://activexdown.paran.com/paranactivex/data/imweb.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://download.mgame.com/download/cab/mgmanagerv1001.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://with.gseshop.co.kr/XecureObject/xw_install.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9_1/dmcc2.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {9938DDF0-9B5E-4D77-8387-4DD8AFCA1DEB} (WebHardLauncher Control) - http://program.webhard.co.kr/Plus/whexplorer/WebHardLauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A1832535-5218-42F9-8959-19E2BCABFABF} (INIwallet50 Control) - http://plugin.inicis.com/wallet50/INIwallet50.cab
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworld.nate.com/cymusic/package/skcbgmset.cab
O16 - DPF: {A977FF0C-8757-4E76-8533-482F91946233} (Neowiz Login Control) - http://dl.sayclub.com/sayclub/sayctl/sayax.cab
O16 - DPF: {AA68C1C8-7012-4E62-ADCD-120F170E592E} (HWHTMLEDIT Control) - http://www.ongamenet.com/service/board/HwHtmlEd.cab
O16 - DPF: {B3DE64C0-1AD6-41C5-9A66-1CADCE25B1D4} (MGAME SDZ Starter Class) - http://image.mgame.com/download/cab/mgsdzv2.cab
O16 - DPF: {BBA53780-591E-4C58-A0E0-A3186CB6C051} (Molcalst Control) - http://www.molcating.com/chat/chat/Molcalst.cab
O16 - DPF: {BE81B237-0EE9-40F6-BABB-0CE2C1DA7832} (ImPlayer Control) - http://activexdown.paran.com/paranactivex/data/ImPlayer.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://cdn.hangame.com/hangame/hansetup/HanSetup1008.cab
O16 - DPF: {C8EF71CC-3F2D-4854-95B5-7148D4830B31} (MGAME Game Starter V11 Class) - http://download.mgame.com/download/cab/mgamev11.cab
O16 - DPF: {E1CDC08F-F464-4682-AE6A-7689451387C0} (CAFE multiupload control) - http://cafeimg.hanmail.net/activex/dmcm.cab
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - https://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
O16 - DPF: {F7530E43-3359-42D0-B8DC-843A45028584} (Hitelontop Control) - http://manager.ongamenet.com/common/control/hitelontop.cab
O16 - DPF: {F82CC28F-935F-11D3-A25B-006097755A02} (avchatAtx Class) - http://member.ohmylove.co.kr/chat/avchatatx.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe


-------------------------------------------

-------------Online Scan Log----------------------


Incident: Possible Virus. Status: No disinfected Location:C:\arcldrer.com
Incident: Adware:adware/cws Status: No disinfected Location:C:\DocumentsandSettings\Administrator\Favorites\AdultGambling.url
Incident: Dialer:Dialer.AUH Status: No disinfected Location:C:\WINDOWS\DownloadedProgramFiles\videoplay.dll
Incident: Adware:adware/cws.yexe Status: No disinfected Location:C:\WINDOWS\Loader.exe


-----------------------

-----------------Anti Spyware Log ----------------------

Started Scanning
Internet Cookies
Programs in Memory
Windows Registry
-Found '' in 'SOFTWARE\Classes\ed2k'
-Found '' in 'SOFTWARE\Classes\ed2k\DefaultIcon'
-Found '' in 'SOFTWARE\Classes\ed2k\shell\open\command'
Internet URL Shortcuts
Files and Directories


----------------------

That's it. Please let me know what to do next. Thanks in Advance ^^
 

TSF Security Manager, Emeritus · 42,837 Posts
Hello baby179,

Alba will be out for a few days and has asked me to continue with you for him. :smile:

Emule is a P2P file sharing program. Keeping it is up to you, but we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections.

Download KillBox http://www.greyknight17.com/spy/KillBox.exe.

Download CWShredder at http://www.trendmicro.com/ftp/products/online-tools/cwshredder.exe and run it. Click on 'I Agree' button if you agree. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Reboot into Safe Mode (tapping F8 or F5).

Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:

C:\WINDOWS\Loader.exe
C:\WINDOWS\DownloadedProgramFiles\videoplay.dll


Start KillBox.
Go to the File menu, and choose Paste from Clipboard.
Verify that you've done this properly by clicking the dropdown-arrow next to the Full Path of File to Delete field. The filenames you pasted will be found in there.
Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
* Unregister .dll Before Deleting (if it's not grayed out)
Click the RED X button.

Click [Yes] at the 'Delete on Reboot' prompt. Click [No] at the Pending Operations prompt.

Delete the following files:

C:\DocumentsandSettings\Administrator\Favorites\AdultGambling.url
C:\arcldrer.com <--unless you know what this is.

Reboot into Normal Mode.

Perform an online scan with Internet Explorer with Kaspersky WebScanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
* The program will launch and then begin downloading the latest definition files.
* Once the files have been downloaded, click on NEXT.
* Now click on Scan Settings.
* In the scan settings make sure that the following are selected:
  * Scan using the following Anti-Virus database: Standard
  * Scan Options: Scan Archives, Scan Mail Bases
* Click OK.
* Now under "Select a target to scan", select My Computer.
* The program will start and scan your system.
* The scan will take a while, so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button and save the file to your desktop.
* Copy and paste that information in your next post.
 

Registered · 4 Posts · Discussion Starter #6
Kaspersky online scan Log

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, October 14, 2005 01:38:54
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 14/10/2005
Kaspersky Anti-Virus database records: 144651
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 40090
Number of viruses found: 18
Number of infected objects: 66
Number of suspicious objects: 0
Duration of the scan process: 1457 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Administrator\Local Settings\Temp\arcldrer.dll Infected: Trojan-PSW.Win32.Lineage.na
C:\RECYCLER\S-1-5-21-1292428093-1409082233-725345543-500\Dc12.vbs Infected: Email-Worm.VBS.Speery.b
C:\RECYCLER\S-1-5-21-1292428093-1409082233-725345543-500\Dc13.vbs Infected: Email-Worm.VBS.Speery.b
C:\RECYCLER\S-1-5-21-1292428093-1409082233-725345543-500\Dc41.com Infected: Trojan-PSW.Win32.Lineage.na
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP101\A0029002.com Infected: Trojan-PSW.Win32.Lineage.na
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP61\A0013977.exe Infected: Trojan-Dropper.Win32.Delf.ev
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP61\A0014036.exe Infected: Backdoor.Win32.Beastdoor.201.c
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP62\A0015067.exe Infected: Backdoor.Win32.Beastdoor.201.c
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP64\A0016171.exe Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP65\A0016317.exe Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP65\A0016318.dll Infected: Trojan-Downloader.Win32.Agent.un
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP65\A0016319.dll Infected: Trojan.Win32.Kolweb.d
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP65\A0016329.sys Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP65\A0016330.sys Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP65\A0016331.exe Infected: Trojan-Downloader.Win32.Delf.go
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP79\A0024990.pif:dvbkg:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP79\A0024990.pif:volpin:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP79\snapshot\MFEX-1.DAT Infected: Virus.Win32.Nsag.b
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP80\A0025087.pif:dvbkg:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP80\A0025087.pif:pekqiw:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP80\A0025087.pif:volpin:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP80\A0025087.pif:wdzkfm:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP80\A0025089.INI:heualj:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP80\A0025104.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP80\A0025106.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP80\A0025213.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP80\A0025214.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP80\A0025216.dll Infected: Virus.Win32.Nsag.b
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP80\A0025218.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP80\snapshot\MFEX-1.DAT Infected: Virus.Win32.Nsag.b
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP82\A0025298.exe Infected: Trojan-Downloader.Win32.Agent.sy
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP82\A0025299.exe Infected: Trojan-Downloader.Win32.Agent.sy
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP82\A0025303.exe Infected: Trojan.Win32.Qhost.dv
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP82\A0025304.exe Infected: Trojan.Win32.Small.fb
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP82\A0025325.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\WINDOWS\atxmq.log:eek:oeud:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\Downloaded Program Files\videoplay.dll Infected: Trojan.Win32.Dialer.ep
C:\WINDOWS\nsw.log:pdbuqy:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\setupapi.log:fuovmv:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\SMinstall.log:ymzjof:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\system32\d64.exe Infected: Trojan.Win32.Kolweb.d
C:\WINDOWS\system32\dllcache\evtquery.vbs Infected: Email-Worm.VBS.Speery.b
C:\WINDOWS\system32\dllcache\pagefile.vbs Infected: Email-Worm.VBS.Speery.b
C:\WINDOWS\system32\dllcache\prncnfg.vbs Infected: Email-Worm.VBS.Speery.b
C:\WINDOWS\system32\dllcache\prndrvr.vbs Infected: Email-Worm.VBS.Speery.b
C:\WINDOWS\system32\dllcache\prnjobs.vbs Infected: Email-Worm.VBS.Speery.b
C:\WINDOWS\system32\dllcache\prnmngr.vbs Infected: Email-Worm.VBS.Speery.b
C:\WINDOWS\system32\dllcache\prnport.vbs Infected: Email-Worm.VBS.Speery.b
C:\WINDOWS\system32\dllcache\prnqctl.vbs Infected: Email-Worm.VBS.Speery.b
C:\WINDOWS\system32\dllcache\pubprn.vbs Infected: Email-Worm.VBS.Speery.b
C:\WINDOWS\system32\eventquery.vbs Infected: Email-Worm.VBS.Speery.b
C:\WINDOWS\system32\KWGInfect.exe Infected: Email-Worm.VBS.Speery.a
C:\WINDOWS\system32\pagefileconfig.vbs Infected: Email-Worm.VBS.Speery.b
C:\WINDOWS\system32\prncnfg.vbs Infected: Email-Worm.VBS.Speery.b
C:\WINDOWS\system32\prndrvr.vbs Infected: Email-Worm.VBS.Speery.b
C:\WINDOWS\system32\prnjobs.vbs Infected: Email-Worm.VBS.Speery.b
C:\WINDOWS\system32\prnmngr.vbs Infected: Email-Worm.VBS.Speery.b
C:\WINDOWS\system32\prnport.vbs Infected: Email-Worm.VBS.Speery.b
C:\WINDOWS\system32\prnqctl.vbs Infected: Email-Worm.VBS.Speery.b
C:\WINDOWS\system32\pubprn.vbs Infected: Email-Worm.VBS.Speery.b
C:\WINDOWS\tabletoc.log:asmosy:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\Temp\ASHeuristic\arcldrer_com.vir Infected: Trojan-PSW.Win32.Lineage.na
C:\WINDOWS\_default(2).pif:dvbkg:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\_default(2).pif:pekqiw:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\_default(2).pif:volpin:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\_default(2).pif:wdzkfm:$DATA Infected: Trojan.Win32.Agent.bi

Scan process completed.
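Reading a report like the one above by eye is error-prone, so here is an added example (not part of the thread and not Kaspersky's own tooling) that classifies each "Infected" line by where the object lives, because the location dictates the cleanup: copies under System Volume Information\_restore{...} are only purged by switching System Restore off, an infected file in system32\dllcache is what Windows File Protection silently writes back over a cleaned system32 copy, and entries of the form file:stream:$DATA are NTFS alternate data streams that Explorer and a plain `dir` never list. The sample report embedded in the script is a handful of lines copied from the scan above; the function and variable names are the example's own.

```python
"""Triage a Kaspersky On-line Scanner report by object location.

Added example for this thread; it is not part of the original posts or
of Kaspersky's tooling.  SAMPLE_REPORT is a few lines copied from the
scan above.  Where an object lives decides the cleanup:

  restore_point  copy inside System Volume Information\\_restore{...};
                 only purged by turning System Restore off, not by a
                 file-deletion tool
  dllcache       Windows File Protection cache (system32\\dllcache);
                 WFP silently restores system32 files from here
  live           any other on-disk object
and, orthogonally, whether the object is an NTFS alternate data stream
(host:stream:$DATA), which Explorer and a plain `dir` never show.
"""
import re
from collections import Counter

LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+)$")
ADS_RE = re.compile(r"^(?P<host>.+?):(?P<stream>[^\\:]+):\$DATA$")
RESTORE_MARK = "\\system volume information\\_restore"
DLLCACHE_MARK = "\\system32\\dllcache\\"

# Lines copied from the report above (plus its closing line).
SAMPLE_REPORT = r"""
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP82\A0025299.exe Infected: Trojan-Downloader.Win32.Agent.sy
C:\WINDOWS\nsw.log:pdbuqy:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\system32\d64.exe Infected: Trojan.Win32.Kolweb.d
C:\WINDOWS\system32\dllcache\prncnfg.vbs Infected: Email-Worm.VBS.Speery.b
C:\WINDOWS\system32\prncnfg.vbs Infected: Email-Worm.VBS.Speery.b
C:\WINDOWS\_default(2).pif:dvbkg:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\_default(2).pif:volpin:$DATA Infected: Trojan.Win32.Agent.bi
Scan process completed.
"""


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_line(line):
    """One report line -> record dict, or None for headers/footers."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path, name = m.group("path"), m.group("name")
    low = path.lower()
    ads = ADS_RE.match(path)
    if RESTORE_MARK in low:
        kind = "restore_point"
    elif DLLCACHE_MARK in low:
        kind = "dllcache"
    else:
        kind = "live"
    return {
        "path": path,
        "name": name,
        "kind": kind,
        "host": ads.group("host") if ads else path,
        "stream": ads.group("stream") if ads else None,
    }


def triage(report):
    return [r for r in map(parse_line, report.splitlines()) if r]


def summarize(records):
    """Counts per location, plus how many objects are hidden in an ADS."""
    counts = Counter(r["kind"] for r in records)
    counts["ads"] = sum(1 for r in records if r["stream"])
    return counts


def wfp_shadowed(records):
    """Basenames infected both in system32 and in the dllcache copy.
    Deleting only the system32 file is futile: WFP puts the infected
    cache copy straight back, so both must go in the same pass."""
    live = {basename(r["path"]) for r in records
            if r["kind"] == "live" and "\\system32\\" in r["path"].lower()}
    cached = {basename(r["path"]) for r in records if r["kind"] == "dllcache"}
    return sorted(live & cached)


def ads_streams(records):
    """Host file -> hidden stream names, for objects outside restore points."""
    out = {}
    for r in records:
        if r["stream"] and r["kind"] != "restore_point":
            out.setdefault(r["host"], []).append(r["stream"])
    return {h: sorted(s) for h, s in out.items()}


def killbox_paths(records):
    """Everything a file-deletion tool can act on, one path per line
    (restore-point copies are excluded; System Restore owns those)."""
    return [r["path"] for r in records if r["kind"] != "restore_point"]


if __name__ == "__main__":
    recs = triage(SAMPLE_REPORT)
    print(dict(summarize(recs)))
    print("WFP will restore:", wfp_shadowed(recs))
    print("ADS hosts:", ads_streams(recs))
    print("\n".join(killbox_paths(recs)))
```

Run it on the full report by pasting the report text into SAMPLE_REPORT; the summary tells you at a glance how much of the object count is restore-point noise versus live infection, and the WFP check explains why a file can reappear after a reboot even though it was deleted.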
 

TSF Security Manager, Emeritus (42,837 Posts):
The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run it yet.

Reboot into Safe Mode. (tapping F8 or F5)

Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:

C:\WINDOWS\atxmq.log:ooeud:$DATA
C:\WINDOWS\Downloaded Program Files\videoplay.dll
C:\WINDOWS\nsw.log:pdbuqy:$DATA
C:\WINDOWS\setupapi.log:fuovmv:$DATA
C:\WINDOWS\SMinstall.log:ymzjof:$DATA
C:\WINDOWS\system32\d64.exe
C:\WINDOWS\system32\dllcache\evtquery.vbs
C:\WINDOWS\system32\dllcache\pagefile.vbs
C:\WINDOWS\system32\dllcache\prncnfg.vbs
C:\WINDOWS\system32\dllcache\prndrvr.vbs
C:\WINDOWS\system32\dllcache\prnjobs.vbs
C:\WINDOWS\system32\dllcache\prnmngr.vbs
C:\WINDOWS\system32\dllcache\prnport.vbs
C:\WINDOWS\system32\dllcache\prnqctl.vbs
C:\WINDOWS\system32\dllcache\pubprn.vbs
C:\WINDOWS\system32\eventquery.vbs
C:\WINDOWS\system32\KWGInfect.exe
C:\WINDOWS\system32\pagefileconfig.vbs
C:\WINDOWS\system32\prncnfg.vbs
C:\WINDOWS\system32\prndrvr.vbs
C:\WINDOWS\system32\prnjobs.vbs
C:\WINDOWS\system32\prnmngr.vbs
C:\WINDOWS\system32\prnport.vbs
C:\WINDOWS\system32\prnqctl.vbs
C:\WINDOWS\system32\pubprn.vbs
C:\WINDOWS\tabletoc.log:asmosy:$DATA
C:\WINDOWS\Temp\ASHeuristic\arcldrer_com.vir
C:\WINDOWS\_default(2).pif:dvbkg:$DATA
C:\WINDOWS\_default(2).pif:pekqiw:$DATA
C:\WINDOWS\_default(2).pif:volpin:$DATA
C:\WINDOWS\_default(2).pif:wdzkfm:$DATA


Start KillBox.
Go to the File menu, and choose Paste from Clipboard.
Verify that you've done this properly by clicking the dropdown-arrow next to the Full Path of File to Delete field. The filenames you pasted will be found in there.
Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
* Unregister .dll Before Deleting (if it's not grayed out)
Click the RED X button.

Click [Yes] at the 'Delete on Reboot' prompt. Click [No] at the Pending Operations prompt.

CleanUp! deletes EVERYTHING out of your temp/temporary folders; it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. If you have a 64-bit Operating System do NOT run CleanUp! and let me know, as we will use another utility.


Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
-Empty Recycle Bins
-Temporary Internet Files
-Delete Cookies
-Delete Prefetch files
-[X]Scan local drives for temporary files (Please uncheck this option)
-Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Reboot into Normal Mode. Run another scan at Kaspersky and post the results here along with a new HijackThis log.
 

Registered (4 Posts), Discussion Starter #8:
new scan logs

Logfile of HijackThis v1.99.1
Scan saved at 2:01:40 AM, on 10/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hijackthis\HijackThis.exe

F3 - REG:win.ini: load=C:\WINDOWS\System32\explorer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [nProtectSCIKeycrypt] C:\Program Files\INCAInternet\SCIKeycrypt\SCIKeycrypt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg4.cyworld.nate.com/ImageUpload/CyImageUpload2.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {0C90C10C-96D0-43CE-906B-A64201E7A473} (NxPlayer Control) - http://file.popdj.tv/popdj/nfxFile/Tools/NxPlayer.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {18D63578-EA2F-4A59-A49A-7F62E6B3DF3E} (ImP3 Control) - http://activexdown.paran.com/paranactivex/data/ImP3.cab
O16 - DPF: {25B1B4C6-BB14-4D2A-A57C-1EB08A5021CD} (PandoraTVControl Control) - http://www.4725.com/EnjStudioEditor/Cab/PandoraTVControl.cab
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
O16 - DPF: {5E63815E-340D-47C2-BF56-E337F46CE57B} (NPkcWebInstall Control) - http://update.nprotect.net/sci/install/NPKCWebInstall.cab
O16 - DPF: {60F039CE-9490-4361-A769-5419FD166359} (egnInstallXCtrl2 Control) - http://empasweb.nefficient.co.kr/empas/gamenara/egnInstallXCtrl2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128999163187
O16 - DPF: {799BB2EC-572A-42A9-84AD-112806F4F551} (Imweb Control) - http://activexdown.paran.com/paranactivex/data/imweb.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://download.mgame.com/download/cab/mgmanagerv1001.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://with.gseshop.co.kr/XecureObject/xw_install.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9_1/dmcc2.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {9938DDF0-9B5E-4D77-8387-4DD8AFCA1DEB} (WebHardLauncher Control) - http://program.webhard.co.kr/Plus/whexplorer/WebHardLauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A1832535-5218-42F9-8959-19E2BCABFABF} (INIwallet50 Control) - http://plugin.inicis.com/wallet50/INIwallet50.cab
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworld.nate.com/cymusic/package/skcbgmset.cab
O16 - DPF: {A977FF0C-8757-4E76-8533-482F91946233} (Neowiz Login Control) - http://dl.sayclub.com/sayclub/sayctl/sayax.cab
O16 - DPF: {AA68C1C8-7012-4E62-ADCD-120F170E592E} (HWHTMLEDIT Control) - http://www.ongamenet.com/service/board/HwHtmlEd.cab
O16 - DPF: {B3DE64C0-1AD6-41C5-9A66-1CADCE25B1D4} (MGAME SDZ Starter Class) - http://image.mgame.com/download/cab/mgsdzv2.cab
O16 - DPF: {BBA53780-591E-4C58-A0E0-A3186CB6C051} (Molcalst Control) - http://www.molcating.com/chat/chat/Molcalst.cab
O16 - DPF: {BE81B237-0EE9-40F6-BABB-0CE2C1DA7832} (ImPlayer Control) - http://activexdown.paran.com/paranactivex/data/ImPlayer.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://cdn.hangame.com/hangame/hansetup/HanSetup1008.cab
O16 - DPF: {C8EF71CC-3F2D-4854-95B5-7148D4830B31} (MGAME Game Starter V11 Class) - http://download.mgame.com/download/cab/mgamev11.cab
O16 - DPF: {E1CDC08F-F464-4682-AE6A-7689451387C0} (CAFE multiupload control) - http://cafeimg.hanmail.net/activex/dmcm.cab
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - https://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
O16 - DPF: {F7530E43-3359-42D0-B8DC-843A45028584} (Hitelontop Control) - http://manager.ongamenet.com/common/control/hitelontop.cab
O16 - DPF: {F82CC28F-935F-11D3-A25B-006097755A02} (avchatAtx Class) - http://member.ohmylove.co.kr/chat/avchatatx.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe




-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, October 17, 2005 01:44:52
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 17/10/2005
Kaspersky Anti-Virus database records: 145215
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 39336
Number of viruses found: 18
Number of infected objects: 67
Number of suspicious objects: 0
Duration of the scan process: 2162 sec

Infected Object Name - Virus Name
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP101\A0029002.com Infected: Trojan-PSW.Win32.Lineage.na
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP112\A0029571.dll Infected: Trojan-PSW.Win32.Lineage.nf
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP112\A0029620.vbs Infected: Email-Worm.VBS.Speery.b
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP112\A0029621.vbs Infected: Email-Worm.VBS.Speery.b
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP112\A0029639.com Infected: Trojan-PSW.Win32.Lineage.na
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP112\A0029642.exe Infected: Trojan.Win32.Kolweb.d
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP112\A0029643.vbs Infected: Email-Worm.VBS.Speery.b
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP112\A0029644.vbs Infected: Email-Worm.VBS.Speery.b
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP112\A0029645.vbs Infected: Email-Worm.VBS.Speery.b
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP112\A0029646.vbs Infected: Email-Worm.VBS.Speery.b
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP112\A0029647.vbs Infected: Email-Worm.VBS.Speery.b
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP112\A0029648.vbs Infected: Email-Worm.VBS.Speery.b
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP112\A0029649.vbs Infected: Email-Worm.VBS.Speery.b
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP112\A0029650.vbs Infected: Email-Worm.VBS.Speery.b
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP112\A0029651.vbs Infected: Email-Worm.VBS.Speery.b
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP112\A0029652.vbs Infected: Email-Worm.VBS.Speery.b
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP112\A0029653.exe Infected: Email-Worm.VBS.Speery.a
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP112\A0029654.vbs Infected: Email-Worm.VBS.Speery.b
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP112\A0029658.dll Infected: Trojan-PSW.Win32.Lineage.nf
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP61\A0013977.exe Infected: Trojan-Dropper.Win32.Delf.ev
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP61\A0014036.exe Infected: Backdoor.Win32.Beastdoor.201.c
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP62\A0015067.exe Infected: Backdoor.Win32.Beastdoor.201.c
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP64\A0016171.exe Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP65\A0016317.exe Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP65\A0016318.dll Infected: Trojan-Downloader.Win32.Agent.un
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP65\A0016319.dll Infected: Trojan.Win32.Kolweb.d
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP65\A0016329.sys Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP65\A0016330.sys Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP65\A0016331.exe Infected: Trojan-Downloader.Win32.Delf.go
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP79\A0024990.pif:dvbkg:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP79\A0024990.pif:volpin:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP79\snapshot\MFEX-1.DAT Infected: Virus.Win32.Nsag.b
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP80\A0025087.pif:dvbkg:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP80\A0025087.pif:pekqiw:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP80\A0025087.pif:volpin:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP80\A0025087.pif:wdzkfm:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP80\A0025089.INI:heualj:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP80\A0025104.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP80\A0025106.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP80\A0025213.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP80\A0025214.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP80\A0025216.dll Infected: Virus.Win32.Nsag.b
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP80\A0025218.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP80\snapshot\MFEX-1.DAT Infected: Virus.Win32.Nsag.b
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP82\A0025298.exe Infected: Trojan-Downloader.Win32.Agent.sy
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP82\A0025299.exe Infected: Trojan-Downloader.Win32.Agent.sy
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP82\A0025303.exe Infected: Trojan.Win32.Qhost.dv
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP82\A0025304.exe Infected: Trojan.Win32.Small.fb
C:\System Volume Information\_restore{0DF62EF2-4C55-41D3-9CB2-25BFD8A0A426}\RP82\A0025325.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\WINDOWS\atxmq.log:ooeud:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\nsw.log:pdbuqy:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\setupapi.log:fuovmv:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\SMinstall.log:ymzjof:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\system32\ab1dll.dll Infected: Trojan-PSW.Win32.Lineage.nf
C:\WINDOWS\system32\explorer.exe Infected: Trojan-PSW.Win32.Lineage.nf
C:\WINDOWS\system32\prncnfg.vbs Infected: Email-Worm.VBS.Speery.b
C:\WINDOWS\system32\prndrvr.vbs Infected: Email-Worm.VBS.Speery.b
C:\WINDOWS\system32\prnjobs.vbs Infected: Email-Worm.VBS.Speery.b
C:\WINDOWS\system32\prnmngr.vbs Infected: Email-Worm.VBS.Speery.b
C:\WINDOWS\system32\prnport.vbs Infected: Email-Worm.VBS.Speery.b
C:\WINDOWS\system32\prnqctl.vbs Infected: Email-Worm.VBS.Speery.b
C:\WINDOWS\system32\pubprn.vbs Infected: Email-Worm.VBS.Speery.b
C:\WINDOWS\tabletoc.log:asmosy:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\_default(2).pif:dvbkg:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\_default(2).pif:pekqiw:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\_default(2).pif:volpin:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\_default(2).pif:wdzkfm:$DATA Infected: Trojan.Win32.Agent.bi

Scan process completed.



That's it..
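A point worth reading off the HijackThis log above: the running-process list contains both C:\WINDOWS\Explorer.EXE and C:\WINDOWS\System32\explorer.exe, the F3 win.ini load= entry points at the second one, and the Kaspersky report above flags that system32 copy as Trojan-PSW.Win32.Lineage.nf. The following added example (not HijackThis's own code and not part of the thread) performs that check mechanically: it parses the "Running processes" block and the F-type entries, flags core Windows processes that run from a directory other than their canonical one, reports basenames seen from two different directories, and lists populated win.ini load=/run= autostarts. It assumes %WINDIR% is C:\WINDOWS, as in this log; the embedded sample log is an excerpt copied from the post above, and the names in the script are the example's own.

```python
"""Spot look-alike system binaries in a HijackThis 1.99 log.

Added example for this thread, not HijackThis's own code.  It assumes
%WINDIR% is C:\\WINDOWS (as in the log above); change WINDIR otherwise.
Three checks a reader of the log does by eye:

  * a core Windows process running from a directory other than its
    canonical one (explorer.exe belongs in %WINDIR%, not system32)
  * the same basename running from two different directories
  * F2/F3 win.ini autostarts (load=, run=) that are populated; on XP
    these legacy keys are normally empty
"""
import re

WINDIR = r"c:\windows"          # assumption: matches the log above
# Canonical directory of each core process, relative to %WINDIR%.
CANONICAL = {
    "explorer.exe": "",
    "smss.exe": "system32",
    "winlogon.exe": "system32",
    "services.exe": "system32",
    "lsass.exe": "system32",
    "svchost.exe": "system32",
    "spoolsv.exe": "system32",
    "ctfmon.exe": "system32",
}
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
INI_RE = re.compile(r"(?P<key>load|run)=(?P<value>\S.*)$", re.I)

# Excerpt copied from the HijackThis log above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\explorer.exe
C:\WINDOWS\system32\spoolsv.exe

F3 - REG:win.ini: load=C:\WINDOWS\System32\explorer.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""


def split_path(path):
    """-> (directory, basename), both lower-cased for comparison."""
    d, _, b = path.lower().rpartition("\\")
    return d, b


def parse_log(text):
    """-> (process paths, [(code, body)]) from the two log sections."""
    procs, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:
                in_procs = False      # blank line ends the process list
            else:
                procs.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body")))
    return procs, entries


def misplaced_system_binaries(procs):
    """Core process names running outside their canonical directory."""
    bad = []
    for p in procs:
        d, b = split_path(p)
        if b in CANONICAL:
            want = (WINDIR + "\\" + CANONICAL[b]).rstrip("\\")
            if d != want:
                bad.append(p)
    return bad


def duplicate_basenames(procs):
    """Basename -> directories, for names seen in more than one place.
    Case is folded first, so System32 vs system32 is not a duplicate."""
    seen = {}
    for p in procs:
        d, b = split_path(p)
        seen.setdefault(b, set()).add(d)
    return {b: sorted(ds) for b, ds in seen.items() if len(ds) > 1}


def legacy_ini_autostarts(entries):
    """Populated load=/run= values from F2/F3 (ini-mapped) entries."""
    hits = []
    for code, body in entries:
        m = INI_RE.search(body)
        if code in ("F2", "F3") and m:
            hits.append((m.group("key").lower(), m.group("value").strip()))
    return hits


if __name__ == "__main__":
    procs, entries = parse_log(SAMPLE_LOG)
    print("misplaced:", misplaced_system_binaries(procs))
    print("duplicates:", duplicate_basenames(procs))
    print("ini autostarts:", legacy_ini_autostarts(entries))
```

The directory comparison is deliberately done on the full path rather than the basename alone: a look-alike that reuses a trusted name is exactly the case a basename-only allowlist would wave through, and folding case first keeps the legitimate System32/system32 spelling differences in the log from showing up as noise.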
 

TSF Security Manager, Emeritus (42,837 Posts):
Please download Ewido Security Suite at http://www.ewido.net/en/download/.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

If you are having problems with the updater, you can go to http://www.ewido.net/en/download/updates/ to update manually.

Reboot into Safe Mode.

Now open Ewido and do a scan on your system.

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with Ewido it is finding cases of false positives.
o You will need to step through the process of cleaning files one-by-one.
o If Ewido detects a file you KNOW to be legitimate, select none as the action.
o Do NOT select 'Perform action on all infections'
o If you are unsure of any entry found, select none for now as the action.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily and post the results here.
 