
Trojan.Zlob-X.a MALWARE

Discussion in 'Virus & Other Malware Removal' started by jonhwang214, Nov 11, 2007.

  1. jonhwang214

    jonhwang214 Thread Starter

    Joined:
    Oct 2, 2007
    Messages:
    17
    Hi.
    On my Internet Explorer, every time I redirect to a website, a popup message pops up, stating that I am infected with the Trojan.Zlob-X.a virus. Not only does that happen, but on Firefox, when I search something on Google and I click on a link, it redirects me to a different website. After several times of clicking on the link, it finally directs me to the proper website. Please help me!
     
  2. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Welcome to TSG :)

    Download TrendMicro Hijackthis from Here to your Desktop.
    • Double-Click on HJTInstall.exe
    • Follow the prompts and allow it to create TrendMicro folder in Program Files.
    • Check Create Desktop Icon.
    • On your Desktop, Double-Click on Hijackthis.exe.
    • Click on Do A System Scan and Save a Log File.
    • In your next reply, copy and paste the Hijackthis log.


    ==============================

    Please download SmitfraudFix

    Double-click SmitfraudFix.exe
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm
     
  3. jonhwang214

    jonhwang214 Thread Starter

    Joined:
    Oct 2, 2007
    Messages:
    17
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:32:57 PM, on 11/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\Program Files\AIM\aim.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\MSN Messenger\livecall.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Mp3 Video - {6FFE49B7-F475-4EAB-8E80-E5D74C4E8D5F} - C:\WINDOWS\system32\VideoMP3.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{005732B5-1751-4C3C-AFE1-9B432E34D798}: NameServer = 85.255.113.195,85.255.112.64
    O17 - HKLM\System\CCS\Services\Tcpip\..\{961A35DE-70C6-4DF2-91B2-978B61BAFBE1}: NameServer = 85.255.113.195,85.255.112.64
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.195 85.255.112.64
    O17 - HKLM\System\CS1\Services\Tcpip\..\{005732B5-1751-4C3C-AFE1-9B432E34D798}: NameServer = 85.255.113.195,85.255.112.64
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.195 85.255.112.64
    O17 - HKLM\System\CS2\Services\Tcpip\..\{005732B5-1751-4C3C-AFE1-9B432E34D798}: NameServer = 85.255.113.195,85.255.112.64
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.195 85.255.112.64
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

    --
    End of file - 7010 bytes

    _______________________________________________

    SmitFraudFix v2.252

    Scan done at 19:35:28.09, Sun 11/11/2007
    Run from C:\Program Files\Mozilla Firefox\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\Program Files\AIM\aim.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\MSN Messenger\livecall.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\VideoMP3.dll FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jon Hwang


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jon Hwang\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\JONHWA~1\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"="kdubf.exe"

    kdubf.exe detected !


    »»»»»»»»»»»»»»»»»»»»»»»» Rustock



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

    Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
    DNS Server Search Order: 85.255.113.195
    DNS Server Search Order: 85.255.112.64

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{005732B5-1751-4C3C-AFE1-9B432E34D798}: DhcpNameServer=192.168.2.1
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{005732B5-1751-4C3C-AFE1-9B432E34D798}: NameServer=85.255.113.195,85.255.112.64
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{961A35DE-70C6-4DF2-91B2-978B61BAFBE1}: DhcpNameServer=85.255.113.195,85.255.112.64
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{961A35DE-70C6-4DF2-91B2-978B61BAFBE1}: NameServer=85.255.113.195,85.255.112.64
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{FE4562BD-9120-4E97-AEED-F076A2F8CA7F}: DhcpNameServer=85.255.113.195,85.255.112.64
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{005732B5-1751-4C3C-AFE1-9B432E34D798}: DhcpNameServer=192.168.2.1
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{005732B5-1751-4C3C-AFE1-9B432E34D798}: NameServer=85.255.113.195,85.255.112.64
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{961A35DE-70C6-4DF2-91B2-978B61BAFBE1}: DhcpNameServer=85.255.113.195,85.255.112.64
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{961A35DE-70C6-4DF2-91B2-978B61BAFBE1}: NameServer=85.255.113.195,85.255.112.64
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{FE4562BD-9120-4E97-AEED-F076A2F8CA7F}: DhcpNameServer=85.255.113.195,85.255.112.64
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{005732B5-1751-4C3C-AFE1-9B432E34D798}: DhcpNameServer=192.168.2.1
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{005732B5-1751-4C3C-AFE1-9B432E34D798}: NameServer=85.255.113.195,85.255.112.64
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{961A35DE-70C6-4DF2-91B2-978B61BAFBE1}: DhcpNameServer=85.255.113.195,85.255.112.64
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{961A35DE-70C6-4DF2-91B2-978B61BAFBE1}: NameServer=85.255.113.195,85.255.112.64
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{FE4562BD-9120-4E97-AEED-F076A2F8CA7F}: DhcpNameServer=85.255.113.195,85.255.112.64
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.113.195 85.255.112.64
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.113.195 85.255.112.64
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=85.255.113.195 85.255.112.64


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
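    The O17 lines in the HijackThis log and the DNS section of the SmitfraudFix report above expose the same indicator: resolver addresses in the 85.255.x.x range that SmitfraudFix reports as a DNS hijack. The script below is an added example written for this thread, not code from HijackThis, SmitfraudFix, FixWareout or any participant. It parses lines in both of those formats, classifies every resolver address it finds, and reports any that fall in the hijack range or are otherwise public; the sample lines embedded in it are copied from the log above. Treating RFC 1918 addresses as the expected local resolver and 85.255.0.0/16 as the hijack signature is an assumption chosen to match what SmitfraudFix prints here.

```python
"""Flag DNS-hijack indicators in HijackThis O17 lines and SmitfraudFix
DNS-section lines.  Added example for this thread; not part of any tool
mentioned in it."""
import ipaddress
import re

# Assumption: 85.255.x.x is the range SmitfraudFix reports above as a hijack.
KNOWN_HIJACK_PREFIXES = [ipaddress.ip_network("85.255.0.0/16")]

# Sample input constructed from the HijackThis O17 lines and the SmitfraudFix
# DNS section posted above (one interface still shows the DHCP-supplied
# resolver 192.168.2.1, the others carry the rogue addresses).
SAMPLE_LINES = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{005732B5-1751-4C3C-AFE1-9B432E34D798}: NameServer = 85.255.113.195,85.255.112.64
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.195 85.255.112.64
HKLM\SYSTEM\CCS\Services\Tcpip\..\{005732B5-1751-4C3C-AFE1-9B432E34D798}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{961A35DE-70C6-4DF2-91B2-978B61BAFBE1}: DhcpNameServer=85.255.113.195,85.255.112.64
"""

# Matches both "O17 - HKLM\...: NameServer = a,b" and "HKLM\...: DhcpNameServer=a,b".
LINE_RE = re.compile(
    r"^(?:O17 - )?(?P<key>HK[A-Z]+\\[^:]+):\s*"
    r"(?P<name>DhcpNameServer|NameServer)\s*=\s*(?P<value>[\d., ]+)$",
    re.IGNORECASE,
)


def parse_nameserver_lines(text):
    """Yield (registry_key, value_name, [resolver IPs]) per matching line.
    Values may be comma- or space-separated, as in the logs above."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ips = []
        for tok in re.split(r"[,\s]+", m.group("value").strip()):
            try:
                ips.append(ipaddress.ip_address(tok))
            except ValueError:
                continue  # not an IP literal; ignore
        yield m.group("key"), m.group("name"), ips


def classify_resolver(ip):
    """'known-hijack-range', 'ok' (private/local), or 'unexpected-public'."""
    ip = ipaddress.ip_address(ip)
    if any(ip in net for net in KNOWN_HIJACK_PREFIXES):
        return "known-hijack-range"
    if ip.is_private:
        return "ok"
    return "unexpected-public"


def find_dns_hijack(text):
    """Return one finding per suspicious resolver address in the text."""
    findings = []
    for key, name, ips in parse_nameserver_lines(text):
        for ip in ips:
            verdict = classify_resolver(ip)
            if verdict == "ok":
                continue
            findings.append({
                "key": key,
                "value_name": name,
                "resolver": str(ip),
                "verdict": verdict,
                # A hit in DhcpNameServer means DHCP (normally the router)
                # handed out the rogue resolver, not just a static override.
                "dhcp_supplied": name.lower() == "dhcpnameserver",
            })
    return findings


if __name__ == "__main__":
    for f in find_dns_hijack(SAMPLE_LINES):
        origin = "via DHCP" if f["dhcp_supplied"] else "static"
        print(f"{f['verdict']:20} {f['resolver']:16} {origin:8} {f['key']}")
```

    One detail worth reading off the output: the {961A35DE-70C6-4DF2-91B2-978B61BAFBE1} interface carries the rogue addresses in DhcpNameServer, not only in the static NameServer value, so they were handed out by DHCP. Clearing the registry values, as FixWareout does later in this thread, fixes the host; if the DHCP server on the LAN is what supplied them, its configuration needs checking as well.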
     
  4. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Please reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    Once in Safe Mode, double-click SmitfraudFix.exe
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning : running option #2 on a non infected computer will remove your Desktop background.
     
  5. jonhwang214

    jonhwang214 Thread Starter

    Joined:
    Oct 2, 2007
    Messages:
    17
    Weird!
    When I tried logging onto my account (when I first click my account profile name in the Logon screen), my mouse and keyboard freeze. I cannot move it. So I tried logging into the Administrator profile and I ran Smartfix, and again my mouse and keyboard froze. What can I do?
     
  6. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    If you mean what I think you do, that's correct. You can move your mouse or keyboard because it will kill all running processes. What about during the fix? Can you move it then? Or am I misunderstanding you? Have you been able to run the fix in Safe Mode at all?
     
  7. jonhwang214

    jonhwang214 Thread Starter

    Joined:
    Oct 2, 2007
    Messages:
    17
    I haven't been able to run the fix in the safe mode at all. Before I can even do anything, my mouse and keyboard freeze. My computer's on, but the mouse and keyboard do not work. It's very weird. I do not know why it happens. Is there another way to do this?
     
  8. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Okay, we will skip that fix.





    Please print these instructions for reference, as you will have to restart your computer during the fix.



    Please download FixWareout from Here or Here.



    Note: You will need to run this tool while having an Internet Connection. The tool will download other files while running.

    1. Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
    2. The fix will begin; follow the prompts.
    3. If your firewall gives an alert (because this tool will download additional files from the internet), please don't let your firewall block it, but allow it instead.
    4. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
    5. Once the desktop loads a text file will open (report.txt).

      Please post the C:\fixwareout\report.txt, along with a new HijackThis log, into this topic.


    ==================================

    Download Combofix and save it to your desktop.

    **Note: It is important that it is saved directly to your desktop**

    --------------------------------------------------------------------

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    --------------------------------------------------------------------

    Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     
  9. jonhwang214

    jonhwang214 Thread Starter

    Joined:
    Oct 2, 2007
    Messages:
    17
    Username "Jon Hwang" - 11/12/2007 18:21:59 [Fixwareout edited 9/01/2007]

    ~~~~~ Prerun check
    HKLM\SOFTWARE\~\Winlogon\ "System"="kdubf.exe"

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    "nameserver"="85.255.113.195 85.255.112.64" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{005732B5-1751-4C3C-AFE1-9B432E34D798}
    "nameserver"="85.255.113.195,85.255.112.64" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{961A35DE-70C6-4DF2-91B2-978B61BAFBE1}
    "nameserver"="85.255.113.195,85.255.112.64" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{961A35DE-70C6-4DF2-91B2-978B61BAFBE1}
    "DhcpNameServer"="85.255.113.195,85.255.112.64" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{FE4562BD-9120-4E97-AEED-F076A2F8CA7F}
    "DhcpNameServer"="85.255.113.195,85.255.112.64" <Value cleared.

    Successfully flushed the DNS Resolver Cache.


    System was rebooted successfully.

    ~~~~~ Postrun check
    HKLM\SOFTWARE\~\Winlogon\ "system"=""
    ....
    ....
    ~~~~~ Misc files.
    ....
    ~~~~~ Checking for older varients.
    ....
    ~~~~~ Other
    C:\WINDOWS\Temp\kdubf.ren 72262 06/13/2007

    ~~~~~ Current runs (hklm hkcu "run" Keys Only)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ShStatEXE"="\"C:\\Program Files\\McAfee\\VirusScan Enterprise\\SHSTAT.EXE\" /STANDALONE"
    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
    "msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
    "STYLEXP"="C:\\Program Files\\TGTSoft\\StyleXP\\StyleXP.exe -Hide"
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    ....
    Hosts file was reset, If you use a custom hosts file please replace it...
    ~~~~~ End report ~~~~~
    _____________________________________________________-

    ComboFix 07-11-08.3 - Jon Hwang 2007-11-12 18:26:58.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1094 [GMT -8:00]
    Running from: C:\Documents and Settings\Jon Hwang\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\dat.txt
    C:\WINDOWS\rs.txt

    .
    ((((((((((((((((((((((((( Files Created from 2007-10-13 to 2007-11-13 )))))))))))))))))))))))))))))))
    .

    2007-11-12 18:26 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-11-11 19:35 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2007-11-11 19:35 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2007-11-11 19:35 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2007-11-11 19:35 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2007-11-11 19:35 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2007-11-08 23:10 218,624 --a------ C:\WINDOWS\system32\VideoMP3.dll
    2007-11-05 18:30 <DIR> d-------- C:\Program Files\iPod
    2007-10-28 21:31 34 --ah----- C:\WINDOWS\system32\VideoConverter_sysquict.dat
    2007-10-28 21:28 262,144 --a------ C:\WINDOWS\system32\lame_enc.dll
    2007-10-28 21:28 1 --a------ C:\WINDOWS\zitp.dll
    2007-10-28 21:22 <DIR> d-------- C:\WINDOWS\Video to iPod MP4 PSP 3GP Converter
    2007-10-22 19:08 <DIR> d-------- C:\Documents and Settings\Jon Hwang\Application Data\Move Networks
    2007-10-21 14:50 <DIR> d-------- C:\Program Files\HighCriteria
    2007-10-18 11:56 <DIR> d-------- C:\Program Files\CCleaner
    2007-10-18 11:23 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
    2007-10-18 11:23 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
    2007-10-18 11:23 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
    2007-10-18 11:23 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
    2007-10-18 11:23 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
    2007-10-18 11:23 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
    2007-10-18 11:23 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    2007-10-18 11:23 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
    2007-10-17 17:23 <DIR> d-------- C:\Program Files\Adssite Advanced Toolbar
    2007-10-17 17:23 <DIR> d-------- C:\Documents and Settings\Jon Hwang\Application Data\Adssite Advanced Toolbar
    2007-10-15 18:05 <DIR> d-------- C:\Program Files\Veoh Networks

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-12 02:07 --------- d-----w C:\Documents and Settings\Jon Hwang\Application Data\LimeWire
    2007-11-09 05:59 --------- d-----w C:\Documents and Settings\Jon Hwang\Application Data\Azureus
    2007-11-06 20:47 --------- d-----w C:\Program Files\sdf
    2007-11-06 02:30 --------- d-----w C:\Program Files\iTunes
    2007-11-06 02:29 --------- d-----w C:\Program Files\QuickTime
    2007-10-30 03:12 --------- d-----w C:\Program Files\DivX
    2007-10-26 05:08 --------- d-----w C:\Program Files\Steam
    2007-10-17 05:26 --------- d-----w C:\Program Files\Free Download Manager
    2007-10-16 02:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-10-11 00:57 --------- d-----w C:\Program Files\Azureus
    2007-10-10 04:17 --------- d-----w C:\Program Files\Starcraft
    2007-10-09 06:50 --------- d-----w C:\Documents and Settings\Jon Hwang\Application Data\Free Download Manager
    2007-10-09 05:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\FreeDownloadManager.ORG
    2007-10-05 02:58 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-10-05 02:58 --------- d-----w C:\Documents and Settings\Jon Hwang\Application Data\SUPERAntiSpyware.com
    2007-10-02 23:12 --------- d-----w C:\Program Files\themexp
    2007-10-02 20:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2007-10-02 20:35 --------- d-----w C:\Program Files\WinZix
    2007-10-01 04:16 --------- d-----w C:\Program Files\Common Files\Adobe
    2007-10-01 04:16 --------- d-----w C:\Documents and Settings\Jon Hwang\Application Data\InterTrust
    2007-10-01 04:11 --------- d-----w C:\Program Files\Brother
    2007-10-01 01:41 --------- d-----w C:\Program Files\LimeWire
    2007-09-28 21:12 --------- d-----w C:\Program Files\Java
    2007-09-28 21:11 --------- d-----w C:\Program Files\Common Files\Java
    2007-09-28 19:42 --------- d-----w C:\Program Files\Trend Micro
    2007-09-28 19:37 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Webroot
    2007-09-28 05:23 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Webroot
    2007-09-28 05:01 --------- d-----w C:\Program Files\McAfee
    2007-09-28 05:01 --------- d-----w C:\Program Files\Common Files\Cisco Systems
    2007-09-28 05:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
    2007-09-28 04:59 --------- d-----w C:\Program Files\Common Files\McAfee
    2007-09-03 06:53 114,688 ----a-w C:\WINDOWS\system32\msvos.dll
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\RPRSTITL.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\RPRSTEXT.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\RPRSSTMP.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\RPRSSPEC.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\RPRSSCRP.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\RPRSREH_.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\RPRSMET_.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\RPRSCHOR.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\RPRS____.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\OPUSTEXT.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\OPUSSE__.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\OPUSS___.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\OPUSROMC.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\OPUSPC__.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\OPUSP___.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\OPUSO___.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\OPUSNN__.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\OPUSM___.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\OPUSJAPC.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\OPUSFS__.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\OPUSFBE_.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\OPUSFB__.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\OPUSCSC_.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\OPUSCS__.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\OPUSC___.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\OPUS____.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\INKPEN2_.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\INK2TEXT.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\INK2SPEC.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\INK2SCRI.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\INK2METR.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\INK2CHOR.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\HELST___.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\HELSS___.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\HELSM___.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\HELSINKI.FOT
    2007-08-22 19:36 94,208 ----a-w C:\WINDOWS\ScUnin.exe
    2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6FFE49B7-F475-4EAB-8E80-E5D74C4E8D5F}]
    2007-11-08 23:12 218624 --a------ C:\WINDOWS\system32\VideoMP3.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2006-11-30 07:50]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 14:35]
    "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54]
    "STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 10:31]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jon Hwang^Start Menu^Programs^Startup^Spy Sweeper Fix.lnk]
    path=C:\Documents and Settings\Jon Hwang\Start Menu\Programs\Startup\Spy Sweeper Fix.lnk
    backup=C:\WINDOWS\pss\Spy Sweeper Fix.lnkStartup


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray]
    C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    C:\Program Files\AIM\aim.exe -cnetwait.odl

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\axis love poll lite]
    C:\Documents and Settings\All Users\Application Data\each new axis love\exit 1.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlazeServoTool]
    "C:\Program Files\BlazeVideo\BlazeDVD 5 Professional\blazedvd\MediaDetector.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
    C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dart heck]
    C:\DOCUME~1\JONHWA~1\APPLIC~1\CLOCKI~1\64 jump.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeadAIM]
    rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hid_start]
    C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrotate.dll" DllVerify

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    C:\WINDOWS\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    C:\WINDOWS\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
    C:\WINDOWS\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
    "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
    "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
    C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
    C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\QTTask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
    "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
    "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    "C:\Program Files\Steam\Steam.exe" -silent

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TotalRecorderScheduler]
    "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
    C:\WINDOWS\UpdReg.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
    "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

    R1 mfetdik;McAfee Inc.;C:\WINDOWS\system32\drivers\mfetdik.sys
    R1 XPROTECTOR;XPROTECTOR;\??\C:\WINDOWS\system32\drivers\Oreans.sys
    R3 mfeapfk;McAfee Inc.;C:\WINDOWS\system32\drivers\mfeapfk.sys
    R3 P17;Sound Blaster Live! 24-bit;C:\WINDOWS\system32\drivers\P17.sys
    S3 dump_wmimmc;dump_wmimmc;\??\C:\Nexon\MapleStory\GameGuard\dump_wmimmc.sys
    S3 w600bus;Sony Ericsson W600 driver (WDM);C:\WINDOWS\system32\DRIVERS\w600bus.sys
    S3 w600mdfl;Sony Ericsson W600 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w600mdfl.sys
    S3 w600mdm;Sony Ericsson W600 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\w600mdm.sys

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-09 23:58:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-12 18:28:50
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-12 18:29:35
    .
    --- E O F ---

    ______________________________________

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:31:55 PM, on 11/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\Program Files\AIM\aim.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\livecall.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Mp3 Video - {6FFE49B7-F475-4EAB-8E80-E5D74C4E8D5F} - C:\WINDOWS\system32\VideoMP3.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

    --
    End of file - 5857 bytes
     
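The `msconfig\startupreg` keys in the ComboFix log above are startup items that were disabled through msconfig rather than deleted; they still point at the files, and a few of them (`axis love poll lite`, `Dart heck`, `hid_start`) have the random-word value names, user-profile paths and rundll32-loaded system32 DLL that deserve a second look before anything else is cleaned. The following Python script is an added example, not part of the original post or of ComboFix: it parses that section of the log into (value name, command line) pairs, extracts the file each command actually runs or loads, and flags entries by two heuristics, an executable under a user-writable profile directory and a rundll32 call loading a system32 DLL that is not on a per-host allowlist. `SAMPLE_LOG` is a constructed subset of the log lines above; `KNOWN_RUNDLL_DLLS` and `USER_WRITABLE_RE` are assumptions for illustration, not a vetted signature set.

```python
# Added example (not from the thread or from ComboFix): triage the msconfig
# "startupreg" entries in a ComboFix log. Heuristics and allowlist are assumptions.
import re
from typing import List, Tuple

# Constructed sample: a subset of the startupreg entries from the ComboFix log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray]
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\axis love poll lite]
C:\Documents and Settings\All Users\Application Data\each new axis love\exit 1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dart heck]
C:\DOCUME~1\JONHWA~1\APPLIC~1\CLOCKI~1\64 jump.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeadAIM]
rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hid_start]
C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrotate.dll" DllVerify

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
"C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
"""

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\(.+)\]$",
    re.IGNORECASE,
)
RUNDLL_RE = re.compile(r'^"?[^"]*?rundll32\.exe"?\s+', re.IGNORECASE)
TARGET_RE = re.compile(r"^(.+?\.(?:exe|dll|ocm|cpl|scr))", re.IGNORECASE)
# Assumed list of directories a limited user can write to (long and 8.3 short forms).
USER_WRITABLE_RE = re.compile(
    r"\\(Application Data|APPLIC~1|Local Settings|LOCALS~1|Temp|ProgramData)\\",
    re.IGNORECASE,
)
# Assumed per-host allowlist of DLLs that rundll32 is expected to load from system32.
KNOWN_RUNDLL_DLLS = {"nvcpl.dll", "nvmctray.dll"}


def parse_startupreg(log_text: str) -> List[Tuple[str, str]]:
    """Return (value name, command line) pairs for every startupreg key in the log."""
    entries, pending = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            pending = m.group(1)          # the key name; the command follows on the next line
        elif pending and line:
            entries.append((pending, line))
            pending = None
    return entries


def target_path(command: str) -> str:
    """Extract the file a command line actually executes, or the DLL rundll32 loads."""
    m = RUNDLL_RE.match(command)
    rest = command[m.end():] if m else command   # after rundll32, the DLL argument remains
    if rest.startswith('"'):
        path = rest[1:rest.find('"', 1)]
    else:
        m2 = TARGET_RE.match(rest)                # unquoted paths may contain spaces
        path = m2.group(1) if m2 else rest.split()[0]
    return path.split(",")[0]                     # drop a trailing ",ExportName"


def triage(entries: List[Tuple[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Apply the two heuristics; return (name, path, reasons) for entries worth a look."""
    findings = []
    for name, command in entries:
        path = target_path(command)
        base = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if USER_WRITABLE_RE.search(path):
            reasons.append("runs from a user-writable profile directory")
        if RUNDLL_RE.match(command) and "\\system32\\" in path.lower() and base not in KNOWN_RUNDLL_DLLS:
            reasons.append("rundll32 loads a system32 DLL not on the allowlist")
        if reasons:
            findings.append((name, path, reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in triage(parse_startupreg(SAMPLE_LOG)):
        print(f"[{name}] {path}\n    " + "; ".join(reasons))
```

Run against the sample it flags exactly the three entries named above and leaves AAWTray, DeadAIM, NvCplDaemon and SpySweeper alone. A flag is a prompt to check the file (hash, signature, creation time against the "Files Created" section), not a verdict; a legitimate installer can drop into Application Data too.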
  10. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Please go to Add/Remove Programs in your Control Panel and remove the following:
    Adssite Advanced Toolbar



    Download the attached file CFScript.txt to your Desktop


[IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at "C:\ComboFix.txt"

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall



    Note: Please do not use this script on another computer; you may damage the system. The script is made especially for this computer only!
     


  11. jonhwang214

    jonhwang214 Thread Starter

    Joined:
    Oct 2, 2007
    Messages:
    17
    First of all, Adssite Advanced Toolbar is not located in my Add/Remove Programs list.

    ComboFix 07-11-08.3 - Jon Hwang 2007-11-12 20:10:02.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.940 [GMT -8:00]
    Running from: C:\Documents and Settings\Jon Hwang\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Jon Hwang\Desktop\CFScript.txt
    * Created a new restore point

    FILE
    C:\WINDOWS\system32\VideoMP3.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Jon Hwang\Application Data\Adssite Advanced Toolbar
    C:\Documents and Settings\Jon Hwang\Application Data\Adssite Advanced Toolbar\advertbuttons.xml
    C:\Documents and Settings\Jon Hwang\Application Data\Adssite Advanced Toolbar\selected.xml
    C:\Program Files\Adssite Advanced Toolbar
    C:\WINDOWS\system32\VideoMP3.dll

    .
    ((((((((((((((((((((((((( Files Created from 2007-10-13 to 2007-11-13 )))))))))))))))))))))))))))))))
    .

    2007-11-12 18:26 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-11-11 19:35 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2007-11-11 19:35 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2007-11-11 19:35 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2007-11-11 19:35 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2007-11-11 19:35 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2007-11-05 18:30 <DIR> d-------- C:\Program Files\iPod
    2007-10-28 21:31 34 --ah----- C:\WINDOWS\system32\VideoConverter_sysquict.dat
    2007-10-28 21:28 262,144 --a------ C:\WINDOWS\system32\lame_enc.dll
    2007-10-28 21:28 1 --a------ C:\WINDOWS\zitp.dll
    2007-10-28 21:22 <DIR> d-------- C:\WINDOWS\Video to iPod MP4 PSP 3GP Converter
    2007-10-22 19:08 <DIR> d-------- C:\Documents and Settings\Jon Hwang\Application Data\Move Networks
    2007-10-21 14:50 <DIR> d-------- C:\Program Files\HighCriteria
    2007-10-18 11:56 <DIR> d-------- C:\Program Files\CCleaner
    2007-10-18 11:23 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
    2007-10-18 11:23 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
    2007-10-18 11:23 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
    2007-10-18 11:23 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
    2007-10-18 11:23 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
    2007-10-18 11:23 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
    2007-10-18 11:23 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    2007-10-18 11:23 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
    2007-10-15 18:05 <DIR> d-------- C:\Program Files\Veoh Networks

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-12 02:07 --------- d-----w C:\Documents and Settings\Jon Hwang\Application Data\LimeWire
    2007-11-09 05:59 --------- d-----w C:\Documents and Settings\Jon Hwang\Application Data\Azureus
    2007-11-06 20:47 --------- d-----w C:\Program Files\sdf
    2007-11-06 02:30 --------- d-----w C:\Program Files\iTunes
    2007-11-06 02:29 --------- d-----w C:\Program Files\QuickTime
    2007-10-30 03:12 --------- d-----w C:\Program Files\DivX
    2007-10-26 05:08 --------- d-----w C:\Program Files\Steam
    2007-10-17 05:26 --------- d-----w C:\Program Files\Free Download Manager
    2007-10-16 02:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-10-11 00:57 --------- d-----w C:\Program Files\Azureus
    2007-10-10 04:17 --------- d-----w C:\Program Files\Starcraft
    2007-10-09 06:50 --------- d-----w C:\Documents and Settings\Jon Hwang\Application Data\Free Download Manager
    2007-10-09 05:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\FreeDownloadManager.ORG
    2007-10-05 02:58 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-10-05 02:58 --------- d-----w C:\Documents and Settings\Jon Hwang\Application Data\SUPERAntiSpyware.com
    2007-10-02 23:12 --------- d-----w C:\Program Files\themexp
    2007-10-02 20:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2007-10-02 20:35 --------- d-----w C:\Program Files\WinZix
    2007-10-01 04:16 --------- d-----w C:\Program Files\Common Files\Adobe
    2007-10-01 04:16 --------- d-----w C:\Documents and Settings\Jon Hwang\Application Data\InterTrust
    2007-10-01 04:11 --------- d-----w C:\Program Files\Brother
    2007-10-01 01:41 --------- d-----w C:\Program Files\LimeWire
    2007-09-28 21:12 --------- d-----w C:\Program Files\Java
    2007-09-28 21:11 --------- d-----w C:\Program Files\Common Files\Java
    2007-09-28 19:42 --------- d-----w C:\Program Files\Trend Micro
    2007-09-28 19:37 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Webroot
    2007-09-28 05:23 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Webroot
    2007-09-28 05:01 --------- d-----w C:\Program Files\McAfee
    2007-09-28 05:01 --------- d-----w C:\Program Files\Common Files\Cisco Systems
    2007-09-28 05:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
    2007-09-28 04:59 --------- d-----w C:\Program Files\Common Files\McAfee
    2007-09-03 06:53 114,688 ----a-w C:\WINDOWS\system32\msvos.dll
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\RPRSTITL.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\RPRSTEXT.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\RPRSSTMP.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\RPRSSPEC.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\RPRSSCRP.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\RPRSREH_.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\RPRSMET_.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\RPRSCHOR.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\RPRS____.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\OPUSTEXT.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\OPUSSE__.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\OPUSS___.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\OPUSROMC.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\OPUSPC__.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\OPUSP___.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\OPUSO___.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\OPUSNN__.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\OPUSM___.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\OPUSJAPC.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\OPUSFS__.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\OPUSFBE_.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\OPUSFB__.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\OPUSCSC_.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\OPUSCS__.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\OPUSC___.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\OPUS____.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\INKPEN2_.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\INK2TEXT.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\INK2SPEC.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\INK2SCRI.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\INK2METR.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\INK2CHOR.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\HELST___.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\HELSS___.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\HELSM___.FOT
    2007-08-28 23:25 1,409 ----a-w C:\WINDOWS\Fonts\HELSINKI.FOT
    2007-08-22 19:36 94,208 ----a-w C:\WINDOWS\ScUnin.exe
    2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2006-11-30 07:50]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 14:35]
    "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54]
    "STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 10:31]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jon Hwang^Start Menu^Programs^Startup^Spy Sweeper Fix.lnk]
    path=C:\Documents and Settings\Jon Hwang\Start Menu\Programs\Startup\Spy Sweeper Fix.lnk
    backup=C:\WINDOWS\pss\Spy Sweeper Fix.lnkStartup


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray]
    C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    C:\Program Files\AIM\aim.exe -cnetwait.odl

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\axis love poll lite]
    C:\Documents and Settings\All Users\Application Data\each new axis love\exit 1.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlazeServoTool]
    "C:\Program Files\BlazeVideo\BlazeDVD 5 Professional\blazedvd\MediaDetector.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
    C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dart heck]
    C:\DOCUME~1\JONHWA~1\APPLIC~1\CLOCKI~1\64 jump.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeadAIM]
    rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hid_start]
    C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrotate.dll" DllVerify

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    C:\WINDOWS\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    C:\WINDOWS\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
    C:\WINDOWS\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
    "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
    "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
    C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
    C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\QTTask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
    "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
    "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    "C:\Program Files\Steam\Steam.exe" -silent

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TotalRecorderScheduler]
    "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
    C:\WINDOWS\UpdReg.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
    "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

    R1 mfetdik;McAfee Inc.;C:\WINDOWS\system32\drivers\mfetdik.sys
    R1 XPROTECTOR;XPROTECTOR;\??\C:\WINDOWS\system32\drivers\Oreans.sys
    R3 mfeapfk;McAfee Inc.;C:\WINDOWS\system32\drivers\mfeapfk.sys
    R3 P17;Sound Blaster Live! 24-bit;C:\WINDOWS\system32\drivers\P17.sys
    S3 dump_wmimmc;dump_wmimmc;\??\C:\Nexon\MapleStory\GameGuard\dump_wmimmc.sys
    S3 w600bus;Sony Ericsson W600 driver (WDM);C:\WINDOWS\system32\DRIVERS\w600bus.sys
    S3 w600mdfl;Sony Ericsson W600 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w600mdfl.sys
    S3 w600mdm;Sony Ericsson W600 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\w600mdm.sys

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-09 23:58:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
     
  12. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    How is everything running???
     
  13. jonhwang214

    jonhwang214 Thread Starter

    Joined:
    Oct 2, 2007
    Messages:
    17
    A lot better. Thank you so much :]]
     
  14. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Please post a fresh Hijackthis log. Thanks
     
  15. jonhwang214

    jonhwang214 Thread Starter

    Joined:
    Oct 2, 2007
    Messages:
    17
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:03, on 2007-11-13
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\Program Files\AIM\aim.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\livecall.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

    --
    End of file - 5865 bytes
     
Short URL to this thread: https://techguy.org/650783
