
Spam zombie [Computer sending multiple spam messages]

Discussion in 'Malware and Virus Removal Archive' started by deadmeat, 2008/02/17.

  1. 2008/02/17
    deadmeat

    deadmeat Inactive Thread Starter

    Joined:
    2008/02/17
    Messages:
    10
    Likes Received:
    0
    Hi, everyone. First time poster here, and what a great site!

    I have reasons to believe that one of my computers is a spam zombie (i.e. it sends out hundreds of spams every min., probably as a proxy).

    About a week ago, this PC became a target of the Downloader virus from a "free **** site," thanks to my big uncle. :mad: From what I could tell, Norton Internet Security apparently blocked Downloader 3 times (according to the NIS Activity Log), but obviously failed to stop a dodgy app/trojan being installed. This led to hundreds of "Scanning outgoing email" NIS popups, making it impossible to use the PC, whenever explorer/IE is launched.

    Please help me catch and remove this spam app/trojan, which can't be detected by Spyware Doctors, NIS and a few web-based anti-virus S/W.

    Many thanks in advance.

    BTW, the OS is Korean Win XP.

    ------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 오후 7:59:11, on 2008-02-17
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nPComSVC.exe
    C:\WINDOWS\system32\npkcmsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    O2 - BHO: Adobe PDF Reader 링크 도우미 - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
    O2 - BHO: FLV Media - {2542358C-6758-89BC-0AB9-BAECDC14F78E} - C:\WINDOWS\system\wkcstd32.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [imekrmig7.0] "C:\Program Files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE "
    O4 - HKLM\..\Run: [HncUpdate] C:\WINDOWS\system32\HncUpdate.exe /A
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [PsMgrX] C:\Program Files\EveryZone\PCsaferX\PsMgr.exe /update
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe "
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
    O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java 콘솔 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra button: 리서치 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O13 - DefaultPrefix:
    O13 - WWW Prefix:
    O13 - Home Prefix:
    O13 - Mosaic Prefix:
    O13 - FTP Prefix:
    O13 - Gopher Prefix:
    O15 - Trusted Zone: *.teacher.co.kr
    O15 - Trusted Zone: *.unitel.co.kr
    O16 - DPF: {00001025-B831-448B-9ABD-3D3DF187F359} (DaumGameStarter25 Class) - http://download.netmarble.com/web/nmstarter/Daum/DaumGameStarter25.cab
    O16 - DPF: {044123B5-35DF-4C4E-BAED-26B8ED964342} (HLiveRobotWeb Control) - http://fx.hauri.net/HProduct/livesuite/shinhan/CLIENT/LiveSuite/web/HLiveRobotWeb.cab
    O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg7.cyworld.com/ImageUpload/CyImageUpload_10217.cab
    O16 - DPF: {1514EB38-3F47-4DB9-B295-21209446CC1A} (SecureSession Class) - http://pcyber.samsunglife.com/cab/SecuiBohumIE.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1D4FC3AF-3253-43A4-B346-5D1198D1EB8E} (CINIWebPlus Class) - http://img.shinhan.com/rib/common/INISWebPlus/INISWebPlus10.cab
    O16 - DPF: {20BBA18F-5BC8-47B5-8FC9-5DFCA8E56A4B} (XacsPop Control) - http://mpi.dacom.net/XMPI/js/xmpi2007.cab
    O16 - DPF: {286A75C3-11FB-4FB4-AC4A-4DD1B0750050} (INISAFEWeb6 V6 Class) - http://banking.nonghyup.com/plugin/client/INIS.cab
    O16 - DPF: {32D94A9F-9A18-4E12-863D-8AABA8CBDA78} (NateOnMMSAtx3 Class) - http://sms.nate.com/NateOnMMS_AX3.cab
    O16 - DPF: {39461460-2552-4D51-A062-3AB6A7B902E9} (INISAFE Updater Control) - http://img.shinhan.com/shttp/install/down/INIS70.cab
    O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - http://img.shinhan.com/rib/common/keyStroke/SoftCamp/40208/scsk4.cab
    O16 - DPF: {4A62748B-A398-4E99-B44E-1140E5C829C8} (MAWS_HDCARD Class) - http://www.hyundaicard.com/hdimg/yunmal/MAOnFPS_HDCARD.cab
    O16 - DPF: {4C68DACE-E6BC-4650-9C7E-D036720CA729} (Nps Control) - http://image.gmarket.co.kr/tools/tyscan/nps.cab
    O16 - DPF: {53EED863-B547-40F8-B24A-2D6DE807CFE8} (Printmade Control) - http://img.shinhan.com/rib//ko/print/Printmade.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1202405782375
    O16 - DPF: {66413DC2-F891-40BC-822D-B7EEC8ADC281} (ProWorksGrid Control) - http://img.shinhan.com/rib/common/ProWorksGrid_78.cab
    O16 - DPF: {6CE20149-ABE3-462E-A1B4-5B549971AA38} (XecureCKKB Class) - http://www.gmarket.co.kr/CKKeyPro/CKKeyPro.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1202405764515
    O16 - DPF: {6FE760D3-7851-4879-8838-62D9881D7177} (IniMasHandler Class) - http://www.citibank.co.kr/mailplugin/IniMasPlugin.cab
    O16 - DPF: {7805334B-666B-43E0-B4D8-14B1235E63C0} (ShortCut Control) - http://download.auction.co.kr/ActiveX/ShortCut.cab
    O16 - DPF: {789B70A5-14A1-49A0-A166-4DA45DB95662} (PopUpBlocker Control) - http://www.myasset.com/myasset/login/install/PopUpBlocker_1006.cab
    O16 - DPF: {78E27FE2-EB04-4008-9979-F7AB2751F7C2} (NPCom Control) - https://updates.nprotect.net/nprotect2004/hsbc_cwd/nPCom.cab
    O16 - DPF: {7B1BB066-7BBB-11D4-A34E-0000F01A209C} (UniAuth Class) - http://login.unitel.co.kr/iplug/lmgr2128.cab
    O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://img.kbstar.com/xecure/xw_install_v7202.cab
    O16 - DPF: {8EEB54D5-CC70-40E4-B015-AC478C02ECC8} (SLViewer Control) - http://www.seemedia.co.kr/products/lu2/sm8459/kor/172/SLViewer.cab
    O16 - DPF: {8FA8D5F7-7CBA-46D4-9568-68D70C5280E8} (NoPhishingX Control) - http://www.nophishing.co.kr/softrun/SH02/SRNPSH.cab
    O16 - DPF: {90375875-5035-452F-857D-7BCCD1596468} (inlineparser Class) - http://login.unitel.co.kr/iplug/download_mail.cab
    O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/activex/dmcc2.cab?Version=1,0,0,10
    O16 - DPF: {93F83364-58E3-43C6-BE34-DE1252B26307} (Cruzbill Control) - http://sbill.em4s.com/sbill/cruzbill.cab
    O16 - DPF: {97533519-FBD3-42D5-BB07-C49F022B39EE} (MAWS_NTS Class) - http://download.hts.nefficient.co.kr/hts/yesone/cab/MAOnFPS_NTS.cab
    O16 - DPF: {99C709C7-4F58-46C1-855B-90213C760395} (v3d Class) - https://secure.kcp.co.kr/webpay/v3d/file/kcp_ansimclick.cab
    O16 - DPF: {9CDD57AC-CA86-464C-B920-3228A388CC78} (NaverFileControl Control) - http://file.naver.com/activex/NaverFile.cab
    O16 - DPF: {9DEFEDFC-8193-4BE6-AA60-B6375AB7C8BE} (Launcher Class) - http://patch.mnet.com/NaverMusic/ActiveX/naverx.cab
    O16 - DPF: {9FC84F7D-D177-4A75-A7BB-429DA5BD0A3E} (SG_CAppAtx Control) -
    O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - http://kings.nefficient.co.kr/kings/kdfx/kdfx305/kdfense8.cab
    O16 - DPF: {B0A75875-3622-48BA-B5FF-45AD77AC2D0E} (BankPayEFTCtrl Control) - http://download.auction.co.kr/activexpay/20080104/BankPayEFT.cab
    O16 - DPF: {B3260660-93AC-48D8-8DDC-2C22192CA2AB} (Naver Mail BigFile Upload Control2) - http://mail.naver.com/activex/NvBigFileUpload2_NT.cab
    O16 - DPF: {B45E969D-924F-4C83-ACF3-38CDD115AA2C} (MpiPlugin Class) - https://kspay.ksnet.to/newmpi/KSNetMPI.cab
    O16 - DPF: {B8C4B31D-6DCE-4DF0-BF73-44686849F67D} (PDRInst1 Class) - http://imgcdn.pandora.tv/pan_img/p3player/package/pdrinst.cab
    O16 - DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} (Daum ActiveX manager Class) - http://cafeimg.hanmail.net/cto/xman.cab?ver=1,2,3,2
    O16 - DPF: {BBB0FC2D-1D95-45CA-BDCF-03B53F247FCC} (EwsLoader Class) -
    O16 - DPF: {BC92F07B-05F7-47A9-A216-1BC9F66BA03F} (eGSignPlus Class) - https://member.moneta.co.kr/Auth/egsign_plus.cab
    O16 - DPF: {BFD1558F-8803-42B4-923A-AB8C56BE1D59} (AnyHelpLoader Control) - http://ack.anyhelp.net/download/AnyHelpLoader.cab
    O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1010 Class) - http://id.hangame.com/common/HanSetup1010.cab
    O16 - DPF: {C296DB5F-4B01-47E1-AB57-C590BE769111} (MOPlayerWnd Class) - http://www.melon.com/cab/P3MelInstall.cab
    O16 - DPF: {CF392830-663F-11D5-89EE-000086551DF6} (PS_NTSATL Class) - http://download.hts.nefficient.co.kr/hts/yesone/cab/yesone_crypto.cab
    O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://update.nprotect.net/nprotect/hyundaicard/npx.cab
    O16 - DPF: {D4681BF4-A927-4774-A207-1CF61BC1992E} (TrustedSite Control) - http://www.bankpay.or.kr/TrustedSiteCtrl.cab
    O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://update.nprotect.net/keycrypt/hyundaicard/npkcx_inca.cab
    O16 - DPF: {D912AABC-6CB0-416F-85B6-CABBB86FD558} (INIwallet60 Control) - http://plugin.inicis.com/wallet60/INIwallet60.cab
    O16 - DPF: {D923AE0C-190D-4EDF-B07A-76AC571FBFD4} (SCSKEx Control) - http://img.shinhan.com/rib/common/keyStroke/SoftCamp/401020/scskex.cab
    O16 - DPF: {D95F5F60-5BB7-4655-BACE-FC5371EFC3E0} (Npx2 Control) - http://update.nprotect.net/nprotect/lgcard/npx2.cab
    O16 - DPF: {D96D2F74-0B74-47D2-964F-B67E9F69F1CD} (CongnamulMap4Asp Control) - http://www.congnamul.com/ActiveX/Release/ASP/CongnamulMap4Asp_V29.cab
    O16 - DPF: {DC4207CE-C03E-4449-ACB1-032CA4137053} (Npz Control) - http://update.nprotect.net/nprotect2006/yescard/npz.cab
    O16 - DPF: {E3FA6DAA-04BF-4AEF-9612-341B2B7A25FC} (Payplus Client Control) - https://pay.kcp.co.kr/plugin/file/payplus.cab
    O16 - DPF: {E831AA9C-C980-4F16-B252-09AAF40D0E9B} (Kdfense9 Control) - http://kings.cachenet.com/kdfx218/kbstar/kdfense9.cab
    O16 - DPF: {EA0995BF-45DD-4DB0-ADD5-A39C37397841} (ShbAutoTrustSite Control) - http://img.shinhan.com/rib/common/TrustSite/vista/ShbAutoTrustSiteX.cab
    O16 - DPF: {EC5D5118-9FDE-4A3E-84F3-C2B711740E70} (SKCommAX Control) - http://www.myasset.com/myasset/login/install/SKCommAX_7203.cab
    O16 - DPF: {F1F07506-6CB4-44AC-8615-66D1234EFD05} (WebCtl Class) - http://www.shinhancard.com/initech/plugin/down/INIS50.cab
    O16 - DPF: {F36BB72B-9876-4C6D-B22F-D68E480A39B5} (XFileUploadListDown.ListDownCTL) - http://download.inavi.com/Component/XFileUpload/XFileUpload.CAB
    O16 - DPF: {F6E7ECCE-6E60-4681-8D9B-4BBC12A07110} (GWallCtrl Class) - http://www.gmarket.co.kr/challenge/neo_goods/dlls/GWall_1800_Vista/GWall.cab
    O16 - DPF: {FAA8F1BE-CDCE-4993-9EE6-F67F4856B860} - http://activeon.co.kr/http/app/activex/activeonax.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B10D1A7D-D942-4456-8CD8-FD4ADAB81BA1}: NameServer = 168.126.63.1,192.168.123.254
    O18 - Protocol: s-http - {D37E6C5F-1C0F-47C0-A3B6-403EEC555402} - C:\Program Files\Initech\SHTTP\InitechSHTTPInterface.10111.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: nPCom Service nProtect (nPComSVC) - INCA - C:\WINDOWS\system32\nPComSVC.exe
    O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcmsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

    --
    End of file - 15370 bytes
     
  2. 2008/02/17
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    deadmeat - Welcome to the Board :)

    Please do not Double Post. As a new member with less than 10 posts any post you make which contains a URL requires approval (moderation) before it is visible. There was a message to this effect when you signed up.

    Please observe Posting Rules #3 - Meaningful Subject - I have adjusted your title without penalty as this is your first time here.
     


  4. 2008/02/17
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi deadmeat
    Welcome to Windowsbbs. :)

    I have a few questions, Please answer them.

    Did you add these to your trusted sites?
    O15 - Trusted Zone: *.teacher.co.kr
    O15 - Trusted Zone: *.unitel.co.kr

    Please look through all the O16's in the HJT log and tell me if you recognize them, and if so which ones.

    Did you knowingly download this?
    nPCom Service nProtect

    Thanks
    Geri
     
  5. 2008/02/18
    deadmeat

    deadmeat Inactive Thread Starter

    Joined:
    2008/02/17
    Messages:
    10
    Likes Received:
    0
    Hi, Geri.

    First of all, thanks for your interest in my problem. :)

    Yes, I added those two to my trusted sites. I am going to remove *.teacher.co.kr as I no longer access the site.

    Yes, I had to download nProtect. nProtect security stuff is widely used by banks in South Korea. Bank customers here have no choice but to install various nProtect S/Ws in order to use internet banking. :(

    As for O16's, I recognize:

    (URLs removed at the end of O16 entries to avoid any delay in posting; my comment in blue; ones I have no idea about in red)

    O16 - DPF: {00001025-B831-448B-9ABD-3D3DF187F359} (DaumGameStarter25 Class) - ...eStarter25.cab Online card game that I occasionally play
    O16 - DPF: {044123B5-35DF-4C4E-BAED-26B8ED964342} (HLiveRobotWeb Control)...veRobotWeb.cab
    O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - ...load_10217.cab Image upload app for my blog at cyworld.com
    O16 - DPF: {1514EB38-3F47-4DB9-B295-21209446CC1A} (SecureSession Class) - SecuiBohumIE.cab Must be insurance related; don't need it and not important
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) Obvious
    O16 - DPF: {1D4FC3AF-3253-43A4-B346-5D1198D1EB8E} (CINIWebPlus Class) - ...SWebPlus10.cab Internet banking related
    O16 - DPF: {20BBA18F-5BC8-47B5-8FC9-5DFCA8E56A4B} (XacsPop Control) - xmpi2007.cab LG stuff; not important and don't need it
    O16 - DPF: {286A75C3-11FB-4FB4-AC4A-4DD1B0750050} (INISAFEWeb6 V6 Class) INIS.cab Safe banking stuff
    O16 - DPF: {32D94A9F-9A18-4E12-863D-8AABA8CBDA78} (NateOnMMSAtx3 Class) - NateOnMMS_AX3.cab NateOn Messenger
    O16 - DPF: {39461460-2552-4D51-A062-3AB6A7B902E9} (INISAFE Updater Control) - 0.cab Another safe banking stuff
    O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - scsk4.cab More safe banking . . .
    O16 - DPF: {4A62748B-A398-4E99-B44E-1140E5C829C8} (MAWS_HDCARD Class) - ...FPS_HDCARD.cab Credit card related stuff; not important and don't need it
    O16 - DPF: {4C68DACE-E6BC-4650-9C7E-D036720CA729} (Nps Control) - nps.cab Online shopping stuff; not important and don't need it
    O16 - DPF: {53EED863-B547-40F8-B24A-2D6DE807CFE8} (Printmade Control) - Printmade.cab Dang, even more banking stuff
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - ...?1202405782375 Windows Update stuff
    O16 - DPF: {66413DC2-F891-40BC-822D-B7EEC8ADC281} (ProWorksGrid Control) - ProWorksGrid_78.cab More banking stuff
    O16 - DPF: {6CE20149-ABE3-462E-A1B4-5B549971AA38} (XecureCKKB Class) - CKKeyPro.cab Online shopping stuff; not important and don't need it
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - ...?1202405764515 Windows Update stuff
    O16 - DPF: {6FE760D3-7851-4879-8838-62D9881D7177} (IniMasHandler Class) - IniMasPlugin.cab Some junk from citibank
    O16 - DPF: {7805334B-666B-43E0-B4D8-14B1235E63C0} (ShortCut Control) - ShortCut.cab Stuff from Korean arm of eBay
    O16 - DPF: {789B70A5-14A1-49A0-A166-4DA45DB95662} (PopUpBlocker Control) - login...ocker_1006.cab :confused:
    O16 - DPF: {78E27FE2-EB04-4008-9979-F7AB2751F7C2} (NPCom Control) - nPCom.cab nProtect stuff
    O16 - DPF: {7B1BB066-7BBB-11D4-A34E-0000F01A209C} (UniAuth Class) - lmgr2128.cab Web-based email stuff that I use daily
    O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - xw_install_v7202.cab More banking stuff
    O16 - DPF: {8EEB54D5-CC70-40E4-B015-AC478C02ECC8} (SLViewer Control) - SLViewer.cab Probably online shopping ****
    O16 - DPF: {8FA8D5F7-7CBA-46D4-9568-68D70C5280E8} (NoPhishingX Control) - SRNPSH.cab More banking stuff
    O16 - DPF: {90375875-5035-452F-857D-7BCCD1596468} (inlineparser Class) - download_mail.cab Web-based email stuff that I use daily
    O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - d...rsion=1,0,0,10 Stuff from another forum
    O16 - DPF: {93F83364-58E3-43C6-BE34-DE1252B26307} (Cruzbill Control) - cruzbill.cab
    O16 - DPF: {97533519-FBD3-42D5-BB07-C49F022B39EE} (MAWS_NTS Class) - ...AOnFPS_NTS.cab
    O16 - DPF: {99C709C7-4F58-46C1-855B-90213C760395} (v3d Class) - ...ansimclick.cab Secure online transaction stuff
    O16 - DPF: {9CDD57AC-CA86-464C-B920-3228A388CC78} (NaverFileControl Control) - NaverFile.cab From search engine/blog/online info site
    O16 - DPF: {9DEFEDFC-8193-4BE6-AA60-B6375AB7C8BE} (Launcher Class) - naverx.cab From search engine/blog/online info site
    O16 - DPF: {9FC84F7D-D177-4A75-A7BB-429DA5BD0A3E} (SG_CAppAtx Control) -
    O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - kdfense8.cab Banking security stuff
    O16 - DPF: {B0A75875-3622-48BA-B5FF-45AD77AC2D0E} (BankPayEFTCtrl Control) - ...BankPayEFT.cab stuff from Korean arm of eBay
    O16 - DPF: {B3260660-93AC-48D8-8DDC-2C22192CA2AB} (Naver Mail BigFile Upload Control2) - NvBigFileUpload2_NT.cab web-based email attachment file uploader
    O16 - DPF: {B45E969D-924F-4C83-ACF3-38CDD115AA2C} (MpiPlugin Class) - KSNetMPI.cab
    O16 - DPF: {B8C4B31D-6DCE-4DF0-BF73-44686849F67D} (PDRInst1 Class) - pdrinst.cab Stuff from pandora tv ... bit like YouTube just dodgier
    O16 - DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} (Daum ActiveX manager Class) - xman.cab?ver=1,2,3,2 From forums I go to.
    O16 - DPF: {BBB0FC2D-1D95-45CA-BDCF-03B53F247FCC} (EwsLoader Class) -
    O16 - DPF: {BC92F07B-05F7-47A9-A216-1BC9F66BA03F} (eGSignPlus Class) - egsign_plus.cab Mobile phone based payment system; I don't use it any more
    O16 - DPF: {BFD1558F-8803-42B4-923A-AB8C56BE1D59} (AnyHelpLoader Control) - AnyHelpLoader.cab Remote support that I use to update programs (work-related)
    O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1010 Class) - HanSetup1010.cab Junk from a well-known (at least in Korea) online gaming site
    O16 - DPF: {C296DB5F-4B01-47E1-AB57-C590BE769111} (MOPlayerWnd Class) - P3MelInstall.cab More **** that I have no use for; from online music player
    O16 - DPF: {CF392830-663F-11D5-89EE-000086551DF6} (PS_NTSATL Class) - ...one_crypto.cab Online on-demand streaming; junk to me
    O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - npx.cab Don't need it
    O16 - DPF: {D4681BF4-A927-4774-A207-1CF61BC1992E} (TrustedSite Control) - TrustedSiteCtrl.cab Even more stuff from internet banking
    O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - ...npkcx_inca.cab Online banking related stuff
    O16 - DPF: {D912AABC-6CB0-416F-85B6-CABBB86FD558} (INIwallet60 Control) - INIwallet60.cab Security for electronic payment; don't need it
    O16 - DPF: {D923AE0C-190D-4EDF-B07A-76AC571FBFD4} (SCSKEx Control) - scskex.cab Banking stuff
    O16 - DPF: {D95F5F60-5BB7-4655-BACE-FC5371EFC3E0} (Npx2 Control) - npx2.cab Banking stuff that I don't need
    O16 - DPF: {D96D2F74-0B74-47D2-964F-B67E9F69F1CD} (CongnamulMap4Asp Control) ...ap4Asp_V29.cab Online map/street directory of Korea
    O16 - DPF: {DC4207CE-C03E-4449-ACB1-032CA4137053} (Npz Control) - npz.cab Bank stuff
    O16 - DPF: {E3FA6DAA-04BF-4AEF-9612-341B2B7A25FC} (Payplus Client Control) - payplus.cab Related to online payment system; don't need it
    O16 - DPF: {E831AA9C-C980-4F16-B252-09AAF40D0E9B} (Kdfense9 Control) - kdfense9.cab Yet more banking security thing :rolleyes:
    O16 - DPF: {EA0995BF-45DD-4DB0-ADD5-A39C37397841} (ShbAutoTrustSite Control) - ...TrustSiteX.cab Yet more banking security thing
    O16 - DPF: {EC5D5118-9FDE-4A3E-84F3-C2B711740E70} (SKCommAX Control) - ...ommAX_7203.cab Internet banking stuff
    O16 - DPF: {F1F07506-6CB4-44AC-8615-66D1234EFD05} (WebCtl Class) - INIS50.cab Yet more banking security thing
    O16 - DPF: {F36BB72B-9876-4C6D-B22F-D68E480A39B5} (XFileUploadListDown.ListDownCTL) - ...FileUpload.CAB GPS manufacturer
    O16 - DPF: {F6E7ECCE-6E60-4681-8D9B-4BBC12A07110} (GWallCtrl Class) - GWall.cab Online shopping mall
    O16 - DPF: {FAA8F1BE-CDCE-4993-9EE6-F67F4856B860} - activeonax.cab Active-X designed to notify users of ads/offers; don't know why I have this; must be my uncle :mad:
     
  6. 2008/02/19
    deadmeat

    deadmeat Inactive Thread Starter

    Joined:
    2008/02/17
    Messages:
    10
    Likes Received:
    0
    wkcstd32.dll = trojan!

    As I mentioned earlier, spamming only started with the launch of explorer/IE. So, I have been very suspicious of the following browser helper object:

    O2 - BHO: FLV Media - {2542358C-6758-89BC-0AB9-BAECDC14F78E} - C:\WINDOWS\system\wkcstd32.dll

    Today, I managed to test wkcstd32.dll. I disabled the BHO and restarted the computer. Guess what? Spamming disappeared . . . for good! :)

    Now, my questions are:

    1. How do I remove this spamming trojan? Just go to the location and delete the .dll file? If not, what should I do?

    2. How can I get rid of junk O16's?
     
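    The two posts above do HijackThis triage by hand: walking the O16 list for controls with no recognizable origin, and spotting that the "FLV Media" BHO loads a DLL from C:\WINDOWS\system\ rather than from Program Files or system32. The script below is an added example (not code from the thread, from HijackThis or from SDFix) that applies those same two checks to O2 and O16 lines mechanically. The sample lines are copied from the log posted in this thread; the directory whitelist and the severity wording are my own assumptions, and a hit only means "look at this entry", not "this is malware".

```python
import re
from dataclasses import dataclass, field

# Assumption: on an XP-era box, a legitimate BHO DLL normally lives under
# Program Files or system32. Anything elsewhere (C:\WINDOWS\system\, Temp,
# a user profile) is worth a closer look. This list is an editorial choice.
EXPECTED_DLL_PREFIXES = (
    "c:\\program files\\",
    "c:\\windows\\system32\\",
)

# O2 - BHO: <name> - {CLSID} - <dll path>
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+?)\s*$"
)
# O16 - DPF: {CLSID} (<name>) - <download url>     (name and url may be absent)
O16_RE = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>.*?)\))? -\s*(?P<url>\S*)\s*$"
)

# Constructed sample: these six entries are taken verbatim from the HJT log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader 링크 도우미 - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: FLV Media - {2542358C-6758-89BC-0AB9-BAECDC14F78E} - C:\WINDOWS\system\wkcstd32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9FC84F7D-D177-4A75-A7BB-429DA5BD0A3E} (SG_CAppAtx Control) -
O16 - DPF: {FAA8F1BE-CDCE-4993-9EE6-F67F4856B860} - http://activeon.co.kr/http/app/activex/activeonax.cab
"""


@dataclass
class Entry:
    kind: str          # "O2" (browser helper object) or "O16" (downloaded ActiveX control)
    clsid: str
    name: str
    location: str      # DLL path for O2, download URL for O16 (may be empty)
    reasons: list = field(default_factory=list)


def parse_hjt(text):
    """Extract O2 and O16 entries from HijackThis-style log text."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            entries.append(Entry("O2", m["clsid"].upper(), m["name"], m["path"]))
            continue
        m = O16_RE.match(line)
        if m:
            entries.append(Entry("O16", m["clsid"].upper(), m["name"] or "(no name)", m["url"]))
    return entries


def triage(entries):
    """Attach review reasons to entries; return only the ones that need a look."""
    for e in entries:
        if e.kind == "O2":
            if not e.location.lower().startswith(EXPECTED_DLL_PREFIXES):
                e.reasons.append("BHO DLL loaded from outside Program Files / system32")
            if e.name == "(no name)":
                e.reasons.append("BHO registered without a display name")
        elif e.kind == "O16":
            if not e.location:
                e.reasons.append("ActiveX control has no download URL; origin cannot be checked")
            elif not e.location.lower().startswith(("http://", "https://")):
                e.reasons.append("unusual download scheme")
    return [e for e in entries if e.reasons]


def flagged_entries(text):
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for e in flagged_entries(SAMPLE_LOG):
        print(f"{e.kind} {{{e.clsid}}} {e.name}: {e.location or '<no location>'}")
        for r in e.reasons:
            print(f"    - {r}")
```

    Run against the full log posted earlier in the thread, the same rules single out the wkcstd32.dll BHO that SDFix later deleted and the O16 entries that carry no download URL; the unnamed Symantec BHO also shows up, which is why the output is a review list rather than a verdict.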
  7. 2008/02/19
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi deadmeat
    We'll get rid of the O16's shortly.

    I wish it was that easy :p But if you look at the link below it will show all the files it "may" install on your system.
    http://research.sunbelt-software.com/threatdisplay.aspx?threatid=50278

    So instead of trying to find all those files manually if they're there, we'll let a tool look for them.

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

    Please post the SDFix Log.

    Thanks
    Geri
     
  8. 2008/02/20
    deadmeat

    deadmeat Inactive Thread Starter

    Joined:
    2008/02/17
    Messages:
    10
    Likes Received:
    0
    Logs

    SDFix: Version 1.144

    Run by Administrator on 2008-02-21 at 오전 08:36

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix

    Checking Services:


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Checking Files:

    Trojan Files Found:

    C:\WINDOWS\system\wkcstd32.dll - Deleted


    Removing Temp Files...

    ADS Check:



    Final Check:

    catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-21 08:44:53
    Windows 5.1.2600 Service Pack 2 NTFS

    detected NTDLL code modification:
    ZwClose

    scanning hidden processes ...

    scanning hidden services & system hive ...

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions]
    "\xc8bc\21??\x7f88,???? "=str(7): "1\0 "
    "(\x737a??\x3152??\xe04b??\x7fe9\xd669 ?\x5203\xba15?????????? "=str(7): "1\0002\0 "
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares]
    "\\xba84??\24\xb36e\xd5fe??(?D?)?????? "=str(7): "CSCFlags=0\0MaxUses=4294967295\0Path=D:\\0Permissions=0\0Remark=\0Type=0\0 "
    "\24\xc190??T????? "=str(7): "CSCFlags=0\0MaxUses=4294967295\0Path=C:\Documents and Settings\Administrator\\xbc14\xd0d5 \xd654\xba74\0Permissions=0\0Remark=\0Type=0\0 "
    "\4\x5375???? "=str(7): "CSCFlags=0\0MaxUses=4294967295\0Path=Microsoft Office Document Image Writer,LocalsplOnly\0Permissions=0\0Remark=Microsoft Office Document Image Writer\0Type=1\0 "
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions]
    "\xc8bc\21??\x7f88,???? "=str(7): "1\0 "
    "(\x737a??\x3152??\xe04b??\x7fe9\xd669 ?\x5203\xba15?????????? "=str(7): "1\0002\0 "
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\LanmanServer\Shares]
    "\\xba84??\24\xb36e\xd5fe??(?D?)?????? "=str(7): "CSCFlags=0\0MaxUses=4294967295\0Path=D:\\0Permissions=0\0Remark=\0Type=0\0 "
    "\24\xc190??T????? "=str(7): "CSCFlags=0\0MaxUses=4294967295\0Path=C:\Documents and Settings\Administrator\\xbc14\xd0d5 \xd654\xba74\0Permissions=0\0Remark=\0Type=0\0 "
    "\4\x5375???? "=str(7): "CSCFlags=0\0MaxUses=4294967295\0Path=Microsoft Office Document Image Writer,LocalsplOnly\0Permissions=0\0Remark=Microsoft Office Document Image Writer\0Type=1\0 "

    scanning hidden registry entries ...


    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services:



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe "= "%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 "
    "C:\\Program Files\\NATEON\\BIN\\NateOnMain.exe "= "C:\\Program Files\\NATEON\\BIN\\NateOnMain.exe:*:Enabled:NATE ON "
    "C:\\WINDOWS\\system32\\skcbgm.exe "= "C:\\WINDOWS\\system32\\skcbgm.exe:*:Enabled:SK Communications Cyworld BGM Player "
    "C:\\IEOM\\FTP.exe "= "C:\\IEOM\\FTP.exe:*:Enabled:FTP "
    "C:\\WINDOWS\\system32\\ftp.exe "= "C:\\WINDOWS\\system32\\ftp.exe:*:Enabled:File Transfer Program "
    "C:\\MPCL\\한국유전학연구소.exe "= "C:\\MPCL\\한국유전학연구소.exe:*:Enabled:한국유전학연구소 "
    "C:\\Documents and Settings\\Administrator\\My Documents\\우편봉투\\수지원NetSoft\\Install.exe "= "C:\\Documents and Settings\\Administrator\\My Documents\\우편봉투\\수지원NetSoft\\Install.exe:*:Enabled:Install "
    "C:\\수지원NetSoft\\ZipIt.exe "= "C:\\수지원NetSoft\\ZipIt.exe:*:Enabled:ZipIt "
    "C:\\수지원NetSoft\\Install.exe "= "C:\\수지원NetSoft\\Install.exe:*:Enabled:Install "
    "C:\\Program Files\\NATEON\\Addin\\5D1A9EDE-ED23-4790-8C04-CCABA1FC888B\\NateRSRCMain.exe "= "C:\\Program Files\\NATEON\\Addin\\5D1A9EDE-ED23-4790-8C04-CCABA1FC888B\\NateRSRCMain.exe:*:Enabled:NateRSRCMain "
    "C:\\Program Files\\CELLDISK\\C2 CellDisk\\Innovation_S\\SyncPanel.c2 "= "C:\\Program Files\\CELLDISK\\C2 CellDisk\\Innovation_S\\SyncPanel.c2:*:Enabled:SyncPanel "
    "C:\\Program Files\\Namo\\WebEditor FX\\bin\\WebEditor.exe "= "C:\\Program Files\\Namo\\WebEditor FX\\bin\\WebEditor.exe:*:Enabled:Namo WebEditor FX "
    "C:\\Documents and Settings\\Administrator\\Application Data\\Dacom\\AnyHelp\\HOST_KR\\Neturo.exe "= "C:\\Documents and Settings\\Administrator\\Application Data\\Dacom\\AnyHelp\\HOST_KR\\Neturo.exe:*:Enabled:AnyHelp host "
    "C:\\WINDOWS\\system32\\pdrtvsvr.exe "= "C:\\WINDOWS\\system32\\pdrtvsvr.exe:*:Enabled:pandoraTV VoD Control "
    "C:\\WINDOWS\\system32\\P3MelonSvr.exe "= "C:\\WINDOWS\\system32\\P3MelonSvr.exe:*:Enabled:SKT Melon Music Control "
    "C:\\Program Files\\pandora.tv\\minilite\\MiniStream.exe "= "C:\\Program Files\\pandora.tv\\minilite\\MiniStream.exe:*:Enabled:MiniStream.exe "
    "C:\\Program Files\\pandora.tv\\minilite\\MiniLite.exe "= "C:\\Program Files\\pandora.tv\\minilite\\MiniLite.exe:*:Enabled:MiniLite.exe "

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe "= "%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 "

    Remaining Files:


    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes:

    Wed 4 Aug 2004 59,392 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe "
    Wed 10 Oct 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak "
    Fri 25 Jan 2008 1,136,136 ...H. --- "C:\Documents and Settings\Administrator\Application Data\netmarble\DaumGameWizard25.exe "
    Tue 5 Jun 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp "
    Thu 12 Jul 2007 116,736 A..H. --- "C:\Documents and Settings\Administrator\바탕 화면\2007 인증준비\지침서\~WRL2650.tmp "
    Sat 20 May 2006 92,672 A..H. --- "C:\Documents and Settings\All Users\Documents\바탕 화면\인증준비2006\~WRL0702.tmp "
    Mon 23 Aug 2004 79,872 A..H. --- "C:\Documents and Settings\All Users\Documents\바탕 화면\인증준비2006\04.인증\면역혈청\~WRL1509.tmp "
    Mon 23 Aug 2004 49,152 A..H. --- "C:\Documents and Settings\All Users\Documents\바탕 화면\인증준비2006\04.인증\면역혈청\~WRL1664.tmp "
    Mon 23 Aug 2004 53,248 A..H. --- "C:\Documents and Settings\All Users\Documents\바탕 화면\인증준비2006\04.인증\면역혈청\~WRL2384.tmp "
    Sat 22 Jul 2006 436,736 A..H. --- "C:\Documents and Settings\All Users\Documents\바탕 화면\인증준비2006\2006\manual\~WRL0430.tmp "
    Sat 22 Jul 2006 409,088 A..H. --- "C:\Documents and Settings\All Users\Documents\바탕 화면\인증준비2006\2006\manual\~WRL0635.tmp "
    Sat 22 Jul 2006 411,136 A..H. --- "C:\Documents and Settings\All Users\Documents\바탕 화면\인증준비2006\2006\manual\~WRL0657.tmp "
    Sat 22 Jul 2006 454,656 A..H. --- "C:\Documents and Settings\All Users\Documents\바탕 화면\인증준비2006\2006\manual\~WRL0694.tmp "
    Sat 22 Jul 2006 454,656 A..H. --- "C:\Documents and Settings\All Users\Documents\바탕 화면\인증준비2006\2006\manual\~WRL0714.tmp "
    Sat 22 Jul 2006 455,168 A..H. --- "C:\Documents and Settings\All Users\Documents\바탕 화면\인증준비2006\2006\manual\~WRL0810.tmp "
    Sat 22 Jul 2006 408,576 A..H. --- "C:\Documents and Settings\All Users\Documents\바탕 화면\인증준비2006\2006\manual\~WRL0939.tmp "
    Sat 22 Jul 2006 422,400 A..H. --- "C:\Documents and Settings\All Users\Documents\바탕 화면\인증준비2006\2006\manual\~WRL1071.tmp "
    Sat 22 Jul 2006 422,912 A..H. --- "C:\Documents and Settings\All Users\Documents\바탕 화면\인증준비2006\2006\manual\~WRL1201.tmp "
    Sat 22 Jul 2006 409,088 A..H. --- "C:\Documents and Settings\All Users\Documents\바탕 화면\인증준비2006\2006\manual\~WRL1477.tmp "
    Sat 22 Jul 2006 410,624 A..H. --- "C:\Documents and Settings\All Users\Documents\바탕 화면\인증준비2006\2006\manual\~WRL1650.tmp "
    Sat 22 Jul 2006 411,136 A..H. --- "C:\Documents and Settings\All Users\Documents\바탕 화면\인증준비2006\2006\manual\~WRL1666.tmp "
    Sat 22 Jul 2006 423,424 A..H. --- "C:\Documents and Settings\All Users\Documents\바탕 화면\인증준비2006\2006\manual\~WRL2197.tmp "
    Sat 22 Jul 2006 455,168 A..H. --- "C:\Documents and Settings\All Users\Documents\바탕 화면\인증준비2006\2006\manual\~WRL2335.tmp "
    Sat 22 Jul 2006 423,424 A..H. --- "C:\Documents and Settings\All Users\Documents\바탕 화면\인증준비2006\2006\manual\~WRL2657.tmp "
    Sat 22 Jul 2006 422,400 A..H. --- "C:\Documents and Settings\All Users\Documents\바탕 화면\인증준비2006\2006\manual\~WRL2669.tmp "
    Sat 22 Jul 2006 436,736 A..H. --- "C:\Documents and Settings\All Users\Documents\바탕 화면\인증준비2006\2006\manual\~WRL2746.tmp "
    Sat 22 Jul 2006 455,168 A..H. --- "C:\Documents and Settings\All Users\Documents\바탕 화면\인증준비2006\2006\manual\~WRL3017.tmp "
    Sat 22 Jul 2006 422,912 A..H. --- "C:\Documents and Settings\All Users\Documents\바탕 화면\인증준비2006\2006\manual\~WRL3092.tmp "
    Sat 22 Jul 2006 454,656 A..H. --- "C:\Documents and Settings\All Users\Documents\바탕 화면\인증준비2006\2006\manual\~WRL3370.tmp "
    Sat 22 Jul 2006 455,168 A..H. --- "C:\Documents and Settings\All Users\Documents\바탕 화면\인증준비2006\2006\manual\~WRL3511.tmp "
    Sat 22 Jul 2006 455,168 A..H. --- "C:\Documents and Settings\All Users\Documents\바탕 화면\인증준비2006\2006\manual\~WRL3930.tmp "
    Sat 22 Jul 2006 422,400 A..H. --- "C:\Documents and Settings\All Users\Documents\바탕 화면\인증준비2006\2006\manual\~WRL3963.tmp "
    Sat 22 Jul 2006 411,136 A..H. --- "C:\Documents and Settings\All Users\Documents\바탕 화면\인증준비2006\2006\manual\~WRL3984.tmp "
    Tue 20 Jun 2006 30,208 A..H. --- "C:\Documents and Settings\All Users\Documents\바탕 화면\인증준비2006\2006\문서\~WRL0594.tmp "
    Tue 20 Jun 2006 31,232 A..H. --- "C:\Documents and Settings\All Users\Documents\바탕 화면\인증준비2006\2006\문서\~WRL0733.tmp "
    Tue 20 Jun 2006 30,208 A..H. --- "C:\Documents and Settings\All Users\Documents\바탕 화면\인증준비2006\2006\문서\~WRL1136.tmp "
    Tue 20 Jun 2006 30,208 A..H. --- "C:\Documents and Settings\All Users\Documents\바탕 화면\인증준비2006\2006\문서\~WRL1596.tmp "
    Tue 20 Jun 2006 27,648 A..H. --- "C:\Documents and Settings\All Users\Documents\바탕 화면\인증준비2006\2006\문서\~WRL1729.tmp "
    Tue 20 Jun 2006 30,208 A..H. --- "C:\Documents and Settings\All Users\Documents\바탕 화면\인증준비2006\2006\문서\~WRL2313.tmp "

    Finished!
     
  9. 2008/02/20
    deadmeat

    HJT log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 오전 9:42:52, on 2008-02-21
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\conime.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\WISPTIS.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    O2 - BHO: Adobe PDF Reader 링크 도우미 - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [imekrmig7.0] "C:\Program Files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE "
    O4 - HKLM\..\Run: [HncUpdate] C:\WINDOWS\system32\HncUpdate.exe /A
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [PsMgrX] C:\Program Files\EveryZone\PCsaferX\PsMgr.exe /update
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe "
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
    O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java 콘솔 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra button: 리서치 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O13 - DefaultPrefix:
    O13 - WWW Prefix:
    O13 - Home Prefix:
    O13 - Mosaic Prefix:
    O13 - FTP Prefix:
    O13 - Gopher Prefix:
    O15 - Trusted Zone: *.unitel.co.kr
    O16 - DPF: {00001025-B831-448B-9ABD-3D3DF187F359} (DaumGameStarter25 Class) - http://download.netmarble.com/web/nmstarter/Daum/DaumGameStarter25.cab
    O16 - DPF: {044123B5-35DF-4C4E-BAED-26B8ED964342} - http://fx.hauri.net/HProduct/livesuite/shinhan/CLIENT/LiveSuite/web/HLiveRobotWeb.cab
    O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg7.cyworld.com/ImageUpload/CyImageUpload_10217.cab
    O16 - DPF: {1514EB38-3F47-4DB9-B295-21209446CC1A} (SecureSession Class) - http://pcyber.samsunglife.com/cab/SecuiBohumIE.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1D4FC3AF-3253-43A4-B346-5D1198D1EB8E} (CINIWebPlus Class) - http://img.shinhan.com/rib/common/INISWebPlus/INISWebPlus10.cab
    O16 - DPF: {20BBA18F-5BC8-47B5-8FC9-5DFCA8E56A4B} (XacsPop Control) - http://mpi.dacom.net/XMPI/js/xmpi2007.cab
    O16 - DPF: {286A75C3-11FB-4FB4-AC4A-4DD1B0750050} - http://banking.nonghyup.com/plugin/client/INIS.cab
    O16 - DPF: {32D94A9F-9A18-4E12-863D-8AABA8CBDA78} (NateOnMMSAtx3 Class) - http://sms.nate.com/NateOnMMS_AX3.cab
    O16 - DPF: {39461460-2552-4D51-A062-3AB6A7B902E9} - http://img.shinhan.com/shttp/install/down/INIS70.cab
    O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} - http://img.shinhan.com/rib/common/keyStroke/SoftCamp/40208/scsk4.cab
    O16 - DPF: {4A62748B-A398-4E99-B44E-1140E5C829C8} (MAWS_HDCARD Class) - http://www.hyundaicard.com/hdimg/yunmal/MAOnFPS_HDCARD.cab
    O16 - DPF: {4C68DACE-E6BC-4650-9C7E-D036720CA729} (Nps Control) - http://image.gmarket.co.kr/tools/tyscan/nps.cab
    O16 - DPF: {53EED863-B547-40F8-B24A-2D6DE807CFE8} (Printmade Control) - http://img.shinhan.com/rib//ko/print/Printmade.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1202405782375
    O16 - DPF: {66413DC2-F891-40BC-822D-B7EEC8ADC281} (ProWorksGrid Control) - http://img.shinhan.com/rib/common/ProWorksGrid_78.cab
    O16 - DPF: {6CE20149-ABE3-462E-A1B4-5B549971AA38} - http://www.gmarket.co.kr/CKKeyPro/CKKeyPro.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1202405764515
    O16 - DPF: {6FE760D3-7851-4879-8838-62D9881D7177} (IniMasHandler Class) - http://www.citibank.co.kr/mailplugin/IniMasPlugin.cab
    O16 - DPF: {7805334B-666B-43E0-B4D8-14B1235E63C0} (ShortCut Control) - http://download.auction.co.kr/ActiveX/ShortCut.cab
    O16 - DPF: {789B70A5-14A1-49A0-A166-4DA45DB95662} (PopUpBlocker Control) - http://www.myasset.com/myasset/login/install/PopUpBlocker_1006.cab
    O16 - DPF: {78E27FE2-EB04-4008-9979-F7AB2751F7C2} - https://updates.nprotect.net/nprotect2004/hsbc_cwd/nPCom.cab
    O16 - DPF: {7B1BB066-7BBB-11D4-A34E-0000F01A209C} (UniAuth Class) - http://login.unitel.co.kr/iplug/lmgr2128.cab
    O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} - http://img.kbstar.com/xecure/xw_install_v7202.cab
    O16 - DPF: {8EEB54D5-CC70-40E4-B015-AC478C02ECC8} (SLViewer Control) - http://www.seemedia.co.kr/products/lu2/sm8459/kor/172/SLViewer.cab
    O16 - DPF: {90375875-5035-452F-857D-7BCCD1596468} (inlineparser Class) - http://login.unitel.co.kr/iplug/download_mail.cab
    O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/activex/dmcc2.cab?Version=1,0,0,10
    O16 - DPF: {93F83364-58E3-43C6-BE34-DE1252B26307} (Cruzbill Control) - http://sbill.em4s.com/sbill/cruzbill.cab
    O16 - DPF: {97533519-FBD3-42D5-BB07-C49F022B39EE} (MAWS_NTS Class) - http://download.hts.nefficient.co.kr/hts/yesone/cab/MAOnFPS_NTS.cab
    O16 - DPF: {99C709C7-4F58-46C1-855B-90213C760395} (v3d Class) - https://secure.kcp.co.kr/webpay/v3d/file/kcp_ansimclick.cab
    O16 - DPF: {9CDD57AC-CA86-464C-B920-3228A388CC78} (NaverFileControl Control) - http://file.naver.com/activex/NaverFile.cab
    O16 - DPF: {9DEFEDFC-8193-4BE6-AA60-B6375AB7C8BE} (Launcher Class) - http://patch.mnet.com/NaverMusic/ActiveX/naverx.cab
    O16 - DPF: {9FC84F7D-D177-4A75-A7BB-429DA5BD0A3E} (SG_CAppAtx Control) -
    O16 - DPF: {B0A75875-3622-48BA-B5FF-45AD77AC2D0E} (BankPayEFTCtrl Control) - http://download.auction.co.kr/activexpay/20080104/BankPayEFT.cab
    O16 - DPF: {B3260660-93AC-48D8-8DDC-2C22192CA2AB} (Naver Mail BigFile Upload Control2) - http://mail.naver.com/activex/NvBigFileUpload2_NT.cab
    O16 - DPF: {B45E969D-924F-4C83-ACF3-38CDD115AA2C} (MpiPlugin Class) - https://kspay.ksnet.to/newmpi/KSNetMPI.cab
    O16 - DPF: {B8C4B31D-6DCE-4DF0-BF73-44686849F67D} (PDRInst1 Class) - http://imgcdn.pandora.tv/pan_img/p3player/package/pdrinst.cab
    O16 - DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} (Daum ActiveX manager Class) - http://cafeimg.hanmail.net/cto/xman.cab?ver=1,2,3,2
    O16 - DPF: {BBB0FC2D-1D95-45CA-BDCF-03B53F247FCC} (EwsLoader Class) -
    O16 - DPF: {BC92F07B-05F7-47A9-A216-1BC9F66BA03F} (eGSignPlus Class) - https://member.moneta.co.kr/Auth/egsign_plus.cab
    O16 - DPF: {BFD1558F-8803-42B4-923A-AB8C56BE1D59} (AnyHelpLoader Control) - http://ack.anyhelp.net/download/AnyHelpLoader.cab
    O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1010 Class) - http://id.hangame.com/common/HanSetup1010.cab
    O16 - DPF: {C296DB5F-4B01-47E1-AB57-C590BE769111} (MOPlayerWnd Class) - http://www.melon.com/cab/P3MelInstall.cab
    O16 - DPF: {CF392830-663F-11D5-89EE-000086551DF6} (PS_NTSATL Class) - http://download.hts.nefficient.co.kr/hts/yesone/cab/yesone_crypto.cab
    O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://update.nprotect.net/nprotect/hyundaicard/npx.cab
    O16 - DPF: {D4681BF4-A927-4774-A207-1CF61BC1992E} (TrustedSite Control) - http://www.bankpay.or.kr/TrustedSiteCtrl.cab
    O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://update.nprotect.net/keycrypt/hyundaicard/npkcx_inca.cab
    O16 - DPF: {D912AABC-6CB0-416F-85B6-CABBB86FD558} (INIwallet60 Control) - http://plugin.inicis.com/wallet60/INIwallet60.cab
    O16 - DPF: {D923AE0C-190D-4EDF-B07A-76AC571FBFD4} (SCSKEx Control) - http://img.shinhan.com/rib/common/keyStroke/SoftCamp/401020/scskex.cab
    O16 - DPF: {D96D2F74-0B74-47D2-964F-B67E9F69F1CD} (CongnamulMap4Asp Control) - http://www.congnamul.com/ActiveX/Release/ASP/CongnamulMap4Asp_V29.cab
    O16 - DPF: {E3FA6DAA-04BF-4AEF-9612-341B2B7A25FC} (Payplus Client Control) - https://pay.kcp.co.kr/plugin/file/payplus.cab
    O16 - DPF: {E831AA9C-C980-4F16-B252-09AAF40D0E9B} (Kdfense9 Control) - http://kings.cachenet.com/kdfx218/kbstar/kdfense9.cab
    O16 - DPF: {EA0995BF-45DD-4DB0-ADD5-A39C37397841} (ShbAutoTrustSite Control) - http://img.shinhan.com/rib/common/TrustSite/vista/ShbAutoTrustSiteX.cab
    O16 - DPF: {EC5D5118-9FDE-4A3E-84F3-C2B711740E70} (SKCommAX Control) - http://www.myasset.com/myasset/login/install/SKCommAX_7203.cab
    O16 - DPF: {F1F07506-6CB4-44AC-8615-66D1234EFD05} - http://www.shinhancard.com/initech/plugin/down/INIS50.cab
    O16 - DPF: {F36BB72B-9876-4C6D-B22F-D68E480A39B5} (XFileUploadListDown.ListDownCTL) - http://download.inavi.com/Component/XFileUpload/XFileUpload.CAB
    O16 - DPF: {F6E7ECCE-6E60-4681-8D9B-4BBC12A07110} (GWallCtrl Class) - http://www.gmarket.co.kr/challenge/neo_goods/dlls/GWall_1800_Vista/GWall.cab
    O16 - DPF: {FAA8F1BE-CDCE-4993-9EE6-F67F4856B860} - http://activeon.co.kr/http/app/activex/activeonax.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B10D1A7D-D942-4456-8CD8-FD4ADAB81BA1}: NameServer = 168.126.63.1,192.168.123.254
    O18 - Protocol: s-http - {D37E6C5F-1C0F-47C0-A3B6-403EEC555402} - C:\Program Files\Initech\SHTTP\InitechSHTTPInterface.10111.dll (file missing)
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

    --
    End of file - 14492 bytes
     
  10. 2008/02/20
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi deadmeat
    OK, let's do this.

    Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

    O13 - DefaultPrefix:
    O13 - WWW Prefix:
    O13 - Home Prefix:
    O13 - Mosaic Prefix:
    O13 - FTP Prefix:
    O13 - Gopher Prefix:
    O16 - DPF: {4C68DACE-E6BC-4650-9C7E-D036720CA729} (Nps Control) - nps.cab Online shopping stuff; not important and don't need it
    O16 - DPF: {6CE20149-ABE3-462E-A1B4-5B549971AA38} (XecureCKKB Class) - CKKeyPro.cab Online shopping stuff; not important and don't need it
    O16 - DPF: {789B70A5-14A1-49A0-A166-4DA45DB95662} (PopUpBlocker Control) - login...ocker_1006.cab
    O16 - DPF: {8EEB54D5-CC70-40E4-B015-AC478C02ECC8} (SLViewer Control) - SLViewer.cab
    O16 - DPF: {93F83364-58E3-43C6-BE34-DE1252B26307} (Cruzbill Control) - cruzbill.cab
    O16 - DPF: {97533519-FBD3-42D5-BB07-C49F022B39EE} (MAWS_NTS Class) - ...AOnFPS_NTS.cab
    O16 - DPF: {9FC84F7D-D177-4A75-A7BB-429DA5BD0A3E} (SG_CAppAtx Control) -
    O16 - DPF: {B45E969D-924F-4C83-ACF3-38CDD115AA2C} (MpiPlugin Class) - KSNetMPI.cab
    O16 - DPF: {BBB0FC2D-1D95-45CA-BDCF-03B53F247FCC} (EwsLoader Class) -
    O16 - DPF: {C296DB5F-4B01-47E1-AB57-C590BE769111} (MOPlayerWnd Class) - P3MelInstall.cab
    O16 - DPF: {CF392830-663F-11D5-89EE-000086551DF6} (PS_NTSATL Class) - ...one_crypto.cab
    O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - npx.cab
    O16 - DPF: {D912AABC-6CB0-416F-85B6-CABBB86FD558} (INIwallet60 Control) - INIwallet60.cab
    O16 - DPF: {E3FA6DAA-04BF-4AEF-9612-341B2B7A25FC} (Payplus Client Control) - payplus.cab
    O16 - DPF: {FAA8F1BE-CDCE-4993-9EE6-F67F4856B860} - activeonax.cab


    Now close all windows other than HiJackThis, then click Fix Checked.

    Close HJT.


    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Now let's get an on-line scan.

    Please do an online scan with Kaspersky WebScanner

    Click on “Accept”. If your pop-up blocker blocks the ActiveX download, allow it and click on “Accept” again.

    You will be prompted to install an ActiveX component from Kaspersky; click Yes or Install.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • This will start the program and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky scan and a new HJT log.

    Thanks
    Geri
     
    Geri,
    #9
  11. 2008/02/22
    deadmeat

    deadmeat Inactive Thread Starter

    Joined:
    2008/02/17
    Messages:
    10
    Likes Received:
    0
    Kaspersky Online Scanner Report

    Found some more junk. I am very disappointed with NIS. :(

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Friday, February 22, 2008 7:38:18 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 22/02/2008
    Kaspersky Anti-Virus database records: 575523
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\
    F:\

    Scan Statistics:
    Total number of scanned objects: 89441
    Number of viruses found: 2
    Number of infected objects: 4
    Number of suspicious objects: 0
    Duration of the scan process: 01:21:17

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008022220080223\index.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-02-22_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\D5EA2023.TMP Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\ED1A56B7.TMP Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
    C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
    C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
    C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{266AC250-B6C9-4977-8D4C-5FE9357F27AE}\RP16\A0001977.dll Infected: Trojan-Spy.Win32.Agent.bfp skipped
    C:\System Volume Information\_restore{266AC250-B6C9-4977-8D4C-5FE9357F27AE}\RP16\A0001981.dll Infected: Trojan-Spy.Win32.Agent.bfp skipped

    C:\System Volume Information\_restore{266AC250-B6C9-4977-8D4C-5FE9357F27AE}\RP17\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    D:\autorun.inf Infected: Trojan.Win32.VB.aqt skipped
    D:\System Volume Information\_restore{266AC250-B6C9-4977-8D4C-5FE9357F27AE}\RP17\change.log Object is locked skipped
    E:\autorun.inf Infected: Trojan.Win32.VB.aqt skipped
    E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    E:\System Volume Information\_restore{266AC250-B6C9-4977-8D4C-5FE9357F27AE}\RP17\change.log Object is locked skipped

    Scan process completed.
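    An added example, not from the thread and not Kaspersky's code: a small Python parser for the Online Scanner text report above that keeps real detections, drops the "Object is locked" noise, and sorts hits into restore-point snapshots, autorun.inf files and live files, which is the distinction the next question about the D and E drives turns on. The embedded report excerpt is constructed from lines in the report above, and the cross-check against "Number of infected objects" catches a truncated paste.

```python
"""Triage a Kaspersky Online Scanner (5.0.x) text report: keep real detections,
drop "Object is locked" noise, and sort hits by where they live."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt in the report format used above; paths and detection
# names are copied from the thread, not from a new scan.
SAMPLE_REPORT = "\n".join([
    "Scan Statistics:",
    "Total number of scanned objects: 89441",
    "Number of viruses found: 2",
    "Number of infected objects: 4",
    "Number of suspicious objects: 0",
    "",
    "Infected Object Name / Virus Name / Last Action",
    r"C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped",
    r"C:\System Volume Information\_restore{266AC250-B6C9-4977-8D4C-5FE9357F27AE}\RP16\A0001977.dll Infected: Trojan-Spy.Win32.Agent.bfp skipped",
    r"C:\System Volume Information\_restore{266AC250-B6C9-4977-8D4C-5FE9357F27AE}\RP16\A0001981.dll Infected: Trojan-Spy.Win32.Agent.bfp skipped",
    r"D:\autorun.inf Infected: Trojan.Win32.VB.aqt skipped",
    r"E:\autorun.inf Infected: Trojan.Win32.VB.aqt skipped",
    "",
    "Scan process completed.",
])

# Row shapes: "<path> Infected: <name> <action>" | "<path> Object is locked <action>"
RESULT_RE = re.compile(
    r"^(?P<path>.+?)\s+(?:(?P<status>Infected|Suspicious):\s+(?P<name>\S+)"
    r"|(?P<locked>Object is locked))\s+(?P<action>\S+)$"
)
STATED_RE = re.compile(r"^Number of infected objects:\s*(\d+)$", re.M)


@dataclass(frozen=True)
class Finding:
    path: str
    status: str   # "Infected", "Suspicious" or "Locked"
    name: str     # detection name, empty for locked objects
    action: str   # last action the scanner reports, e.g. "skipped"

    @property
    def drive(self) -> str:
        m = re.match(r"^[A-Za-z]:", self.path)
        return m.group(0).upper() if m else ""

    @property
    def category(self) -> str:
        low = self.path.lower()
        if "\\system volume information\\_restore" in low:
            return "restore-point"   # old System Restore snapshot, not a live file
        if low.rsplit("\\", 1)[-1] == "autorun.inf":
            return "autorun"         # removable-media style launcher file
        return "live"


def parse_report(text: str) -> list[Finding]:
    """Return every row of the results table, locked objects included."""
    findings: list[Finding] = []
    in_results = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Infected Object Name"):
            in_results = True
            continue
        if not in_results or not line or line.startswith("Scan process completed"):
            continue
        m = RESULT_RE.match(line)
        if not m:
            continue
        if m.group("locked"):
            findings.append(Finding(m.group("path"), "Locked", "", m.group("action")))
        else:
            findings.append(Finding(m.group("path"), m.group("status"),
                                    m.group("name"), m.group("action")))
    return findings


def triage(findings: list[Finding]) -> dict:
    """Summarise real detections; 'unresolved' counts hits the scanner only skipped."""
    hits = [f for f in findings if f.status != "Locked"]
    return {
        "detections": len(hits),
        "locked": sum(1 for f in findings if f.status == "Locked"),
        "unresolved": sum(1 for f in hits if f.action == "skipped"),
        "by_name": dict(Counter(f.name for f in hits)),
        "by_category": dict(Counter(f.category for f in hits)),
        "drives": sorted({f.drive for f in hits}),
    }


def matches_stated_count(text: str, findings: list[Finding]) -> bool:
    """Cross-check parsed detections against the report's own statistics line,
    so a truncated paste cannot pass as a clean result."""
    m = STATED_RE.search(text)
    return m is not None and int(m.group(1)) == triage(findings)["detections"]
```

The Online Scanner only reports; every hit above is "skipped", so `unresolved` equal to `detections` means nothing was removed yet.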
     
  12. 2008/02/22
    deadmeat

    deadmeat Inactive Thread Starter

    Joined:
    2008/02/17
    Messages:
    10
    Likes Received:
    0
    HJT log

    Geri, thanks for your guidance! The log file looks heaps better than before.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 오후 8:04:41, on 2008-02-22
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    O2 - BHO: Adobe PDF Reader 링크 도우미 - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [imekrmig7.0] "C:\Program Files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE "
    O4 - HKLM\..\Run: [HncUpdate] C:\WINDOWS\system32\HncUpdate.exe /A
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe "
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
    O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java 콘솔 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra button: 리서치 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O13 - DefaultPrefix:
    O13 - WWW Prefix:
    O13 - Home Prefix:
    O13 - Mosaic Prefix:
    O13 - FTP Prefix:
    O13 - Gopher Prefix:
    O15 - Trusted Zone: *.unitel.co.kr
    O16 - DPF: {00001025-B831-448B-9ABD-3D3DF187F359} (DaumGameStarter25 Class) - http://download.netmarble.com/web/nmstarter/Daum/DaumGameStarter25.cab
    O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg7.cyworld.com/ImageUpload/CyImageUpload_10217.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {20BBA18F-5BC8-47B5-8FC9-5DFCA8E56A4B} (XacsPop Control) - http://mpi.dacom.net/XMPI/js/xmpi2007.cab
    O16 - DPF: {32D94A9F-9A18-4E12-863D-8AABA8CBDA78} (NateOnMMSAtx3 Class) - http://sms.nate.com/NateOnMMS_AX3.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1202405782375
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1202405764515
    O16 - DPF: {7B1BB066-7BBB-11D4-A34E-0000F01A209C} (UniAuth Class) - http://login.unitel.co.kr/iplug/lmgr2128.cab
    O16 - DPF: {90375875-5035-452F-857D-7BCCD1596468} (inlineparser Class) - http://login.unitel.co.kr/iplug/download_mail.cab
    O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/activex/dmcc2.cab?Version=1,0,0,10
    O16 - DPF: {99C709C7-4F58-46C1-855B-90213C760395} (v3d Class) - https://secure.kcp.co.kr/webpay/v3d/file/kcp_ansimclick.cab
    O16 - DPF: {9CDD57AC-CA86-464C-B920-3228A388CC78} (NaverFileControl Control) - http://file.naver.com/activex/NaverFile.cab
    O16 - DPF: {9DEFEDFC-8193-4BE6-AA60-B6375AB7C8BE} (Launcher Class) - http://patch.mnet.com/NaverMusic/ActiveX/naverx.cab
    O16 - DPF: {B3260660-93AC-48D8-8DDC-2C22192CA2AB} (Naver Mail BigFile Upload Control2) - http://mail.naver.com/activex/NvBigFileUpload2_NT.cab
    O16 - DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} (Daum ActiveX manager Class) - http://cafeimg.hanmail.net/cto/xman.cab?ver=1,2,3,2
    O16 - DPF: {BFD1558F-8803-42B4-923A-AB8C56BE1D59} (AnyHelpLoader Control) - http://ack.anyhelp.net/download/AnyHelpLoader.cab
    O16 - DPF: {D96D2F74-0B74-47D2-964F-B67E9F69F1CD} (CongnamulMap4Asp Control) - http://www.congnamul.com/ActiveX/Release/ASP/CongnamulMap4Asp_V29.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B10D1A7D-D942-4456-8CD8-FD4ADAB81BA1}: NameServer = 168.126.63.1,192.168.123.254
    O18 - Protocol: s-http - {D37E6C5F-1C0F-47C0-A3B6-403EEC555402} - C:\Program Files\Initech\SHTTP\InitechSHTTPInterface.10111.dll (file missing)
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

    --
    End of file - 9362 bytes
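    An added check that is not part of the thread (not Geri's, deadmeat's, or HijackThis's own code): a Python parser for HijackThis O16 (Downloaded Program Files) lines that compares an excerpt of the earlier log with this new one to confirm that the entries Geri listed for Fix Checked are gone and to show which controls are new. The O16 lines are copied from the two logs in the thread; the before/after excerpts are constructed and trimmed to a few entries.

```python
"""Parse HijackThis O16 (Downloaded Program Files / ActiveX) entries and verify
that a list of CLSIDs asked to be fixed no longer appears in a newer log."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed before/after excerpts; the O16 lines are copied from the two
# HijackThis logs in this thread, trimmed to a handful of entries.
BEFORE_LOG = "\n".join([
    "O16 - DPF: {9FC84F7D-D177-4A75-A7BB-429DA5BD0A3E} (SG_CAppAtx Control) -",
    "O16 - DPF: {D912AABC-6CB0-416F-85B6-CABBB86FD558} (INIwallet60 Control) - http://plugin.inicis.com/wallet60/INIwallet60.cab",
    "O16 - DPF: {D96D2F74-0B74-47D2-964F-B67E9F69F1CD} (CongnamulMap4Asp Control) - http://www.congnamul.com/ActiveX/Release/ASP/CongnamulMap4Asp_V29.cab",
    "O16 - DPF: {E3FA6DAA-04BF-4AEF-9612-341B2B7A25FC} (Payplus Client Control) - https://pay.kcp.co.kr/plugin/file/payplus.cab",
    "O16 - DPF: {FAA8F1BE-CDCE-4993-9EE6-F67F4856B860} - http://activeon.co.kr/http/app/activex/activeonax.cab",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{B10D1A7D-D942-4456-8CD8-FD4ADAB81BA1}: NameServer = 168.126.63.1,192.168.123.254",
])
AFTER_LOG = "\n".join([
    "O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab",
    "O16 - DPF: {D96D2F74-0B74-47D2-964F-B67E9F69F1CD} (CongnamulMap4Asp Control) - http://www.congnamul.com/ActiveX/Release/ASP/CongnamulMap4Asp_V29.cab",
])
# The four CLSIDs from Geri's fix list that appear in the excerpt above.
FIX_LIST = [
    "{9FC84F7D-D177-4A75-A7BB-429DA5BD0A3E}",
    "{D912AABC-6CB0-416F-85B6-CABBB86FD558}",
    "{E3FA6DAA-04BF-4AEF-9612-341B2B7A25FC}",
    "{FAA8F1BE-CDCE-4993-9EE6-F67F4856B860}",
]

# O16 - DPF: {CLSID} (Friendly name) - http://host/path/file.cab
# Both the name and the URL can be absent in real logs (see SG_CAppAtx above).
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})"
    r"(?: \((?P<name>[^)]*)\))?"
    r" -(?: (?P<url>\S*))?$"
)


@dataclass(frozen=True)
class DpfEntry:
    clsid: str
    name: str
    url: str

    @property
    def host(self) -> str:
        """Download host, '' when the log shows no URL."""
        return (urlsplit(self.url).hostname or "") if self.url else ""


def parse_o16(log: str) -> dict[str, DpfEntry]:
    """Map CLSID (upper-cased) to its entry for every O16 line in a log."""
    entries: dict[str, DpfEntry] = {}
    for raw in log.splitlines():
        m = O16_RE.match(raw.strip())
        if m:
            clsid = m.group("clsid").upper()
            entries[clsid] = DpfEntry(clsid, m.group("name") or "", m.group("url") or "")
    return entries


def verify_fix(before: str, after: str, fix_clsids: list[str]) -> dict[str, list[str]]:
    """Compare two logs: which fix-list CLSIDs vanished, which survived, which
    were never in the old log, and which O16 controls are new since then."""
    old, new = parse_o16(before), parse_o16(after)
    wanted = {c.upper() for c in fix_clsids}
    return {
        "removed": sorted(c for c in wanted if c in old and c not in new),
        "still_present": sorted(c for c in wanted if c in new),
        "not_in_before": sorted(c for c in wanted if c not in old),
        "new_entries": sorted(c for c in new if c not in old),
    }


def download_hosts(log: str) -> dict[str, int]:
    """Count O16 entries per download host; unfamiliar hosts deserve a look."""
    counts: dict[str, int] = {}
    for e in parse_o16(log).values():
        counts[e.host] = counts.get(e.host, 0) + 1
    return counts
```

Here the only new entry is the Kaspersky scanner control installed for the online scan, which is expected.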
     
  13. 2008/02/22
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi deadmeat

    Can you tell me what your
    E drive and D drive are?

    Is this from a past reformat or are they USB drives?

    I'm a little confused. These are System Restore:
    D:\System Volume Information
    E:\System Volume Information

    These are files, which could be from a thumb drive or flash drive:
    E:\autorun.inf
    D:\autorun.inf

    Geri
     
  14. 2008/02/24
    deadmeat

    deadmeat Inactive Thread Starter

    Joined:
    2008/02/17
    Messages:
    10
    Likes Received:
    0
    Question re: SDFix

    D drive and E drive are HDDs from my previous computers.

    In July last year, I had a trojan that infected removable drives. Those autorun.inf files must have been created then.

    I have deleted those autorun.inf files, and turned off the system restore to get rid of old infected restore points.

    Ran Kaspersky WebScanner once again. Those two trojans are gone.

    Geri, SDFix left a whole bunch of registry keys and values. Is it okay to remove those and delete SDFix files?

    Thank you very much for your help!
     
  15. 2008/02/24
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi deadmeat

    OK Good

    Let's see if this will make the clean up easier.

    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator.)

    Click the CleanUp Button.

    This should remove SDFix and files, folders it created and then delete itself.

    Then check to make sure they are gone.

    Let me know.

    Geri
     
  16. 2008/02/24
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi deadmeat
    Are you referring to the registry entries in post #7?

    SDFix did not add them.
    Some are operating system entries; others I'm not sure what they are. It seems that SDFix could not read them... maybe because of Korean characters?

    So I would not just start deleting unless you know what they are, and even at that I would back up the registry in case something is deleted by mistake and you need to fix it.

    Geri
     
  17. 2008/02/25
    deadmeat

    deadmeat Inactive Thread Starter

    Joined:
    2008/02/17
    Messages:
    10
    Likes Received:
    0
    No. I was referring to:

    - 16 registry values associated with catchme:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\...\LEGACY_CATCHME, Next Instance
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CAT...\0000, Service
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, Type

    - 6 registry keys associated with catchme:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME...\LogConf
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME...\Control
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme\Enum
     
  18. 2008/02/25
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi deadmeat

    Yeah those can go.

    Let's get an on-line scan.

    Please do an online scan with Kaspersky WebScanner

    Click on “Accept”. If your pop-up blocker blocks the ActiveX download, allow it and click on “Accept” again.

    You will be prompted to install an ActiveX component from Kaspersky; click Yes or Install.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • This will start the program and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.
    • Copy and paste that information in your next post.

    Thanks
    Geri
     
  19. 2008/03/10
    deadmeat

    deadmeat Inactive Thread Starter

    Joined:
    2008/02/17
    Messages:
    10
    Likes Received:
    0
    Sorry for the delay in my reply. My PSU died and it wasn't easy to replace.

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Monday, March 10, 2008 8:32:07 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 10/03/2008
    Kaspersky Anti-Virus database records: 621815
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\
    F:\

    Scan Statistics:
    Total number of scanned objects: 106564
    Number of viruses found: 0
    Number of infected objects: 0
    Number of suspicious objects: 0
    Duration of the scan process: 01:29:33

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-03-10_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\0AEF88F7.TMP Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\A9933EBE.TMP Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
    C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
    C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
    C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{266AC250-B6C9-4977-8D4C-5FE9357F27AE}\RP17\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{F1F32C61-3D93-4F55-8188-83E0302B1B56}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

    Scan process completed.


    Thanks, Geri. ;)
     
  20. 2008/03/10
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi deadmeat

    OK that shows clean, how are things running?

    Geri
     
