
**INFECTED** Win32:Malware-gen please help anyone



Malwarebytes Anti-Malware (PRO) 1.70.0.1100

www.malwarebytes.org

Database version: v2013.03.24.04

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Sarah :: SARA [administrator]

Protection: Enabled

2013-03-24 13:38:52

mbam-log-2013-03-24 (13-38-52).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 229106

Time elapsed: 11 minute(s), 49 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 13

H:\Documents and Settings\Sarah\Local Settings\Temp\ruieFdayD (Spyware.OnlineGames) -> Quarantined and deleted successfully.

H:\Documents and Settings\Sarah\Local Settings\Temp\F58h.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

H:\Documents and Settings\Sarah\Local Settings\Temp\F8qywR.dll (Spyware.OnlineGames.ESA) -> Quarantined and deleted successfully.

H:\Documents and Settings\Sarah\Local Settings\Temp\Hiwda7t.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

H:\Documents and Settings\Sarah\Local Settings\Temp\67aa.dll (Spyware.OnlineGames.ESA) -> Quarantined and deleted successfully.

H:\Documents and Settings\Sarah\Local Settings\Temp\2wuD2.dll (Spyware.OnlineGames.ESA) -> Quarantined and deleted successfully.

H:\Documents and Settings\Sarah\Local Settings\Temp\DrfI.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

H:\Documents and Settings\Sarah\Local Settings\Temp\u5ubHwfhd.dll (Spyware.OnlineGames.ESA) -> Quarantined and deleted successfully.

H:\Documents and Settings\Sarah\Local Settings\Temp\uhBDR.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

H:\Documents and Settings\Sarah\Local Settings\Temp\hsddy30 (Spyware.OnlineGames.ESA) -> Quarantined and deleted successfully.

H:\Documents and Settings\Sarah\Local Settings\Temp\sfdw.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

H:\Documents and Settings\Sarah\Local Settings\Temp\we7auG (Spyware.OnlineGames) -> Quarantined and deleted successfully.

H:\Documents and Settings\Sarah\Local Settings\Temp\whryYeW.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

(end)

aswMBR.txt


  • Staff

Please run the following:

Download ComboFix from the following location:

Link

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note:** If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

CF_RC_notice.png

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

cfRC_screen_2.png

  • Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Everything went fine till stage 21 completed, and then a blue screen popped out: "A problem has been detected and Windows has been shut down to prevent damage to your computer. Plug and Play detected an error most likely caused by a faulty driver. Technical information: ***STOP: 0x000000CA (0x00000004, 0x88cc5AF0, 0x00000000, 0x00000000) Beginning dump of physical memory. Physical memory complete." Can I re-run ComboFix again, or is it not safe?


  • Staff

Please run it in Safe Mode; it sounds like something interfered with its run.

To Enter Safemode

  • Go to Start > Shut off your Computer > Restart.
  • As the computer starts to boot up, tap the F8 key repeatedly; this will bring up a menu.
  • Use the Up and Down arrow keys to scroll to Safe Mode.
  • Then press the Enter key on your keyboard.
  • Go into your usual account.


ComboFix 13-03-24.03 - Sarah 2013-03-24 23:43:40.2.2 - x86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.3.949.82.1033.18.2036.1742 [GMT 0:00]

Running from: h:\documents and settings\Sarah\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

h:\documents and settings\All Users\Application Data\1317810962.bdinstall.bin

h:\documents and settings\All Users\Application Data\1317836802.bdinstall.bin

h:\documents and settings\All Users\Application Data\1317836803.bdinstall.bin

h:\documents and settings\All Users\Application Data\1317837073.bdinstall.bin

h:\documents and settings\All Users\Application Data\1318006217.bdinstall.bin

h:\documents and settings\All Users\Application Data\1318006218.bdinstall.bin

h:\documents and settings\All Users\Application Data\1318010373.bdinstall.bin

h:\documents and settings\All Users\Application Data\1318024178.bdinstall.bin

h:\documents and settings\All Users\Application Data\1318024179.2668.bin

h:\documents and settings\All Users\Application Data\1318024179.2720.bin

h:\documents and settings\All Users\Application Data\1318024179.4260.bin

h:\documents and settings\All Users\Application Data\1318024179.4440.bin

h:\documents and settings\All Users\Application Data\1318446009.bdinstall.bin

h:\documents and settings\All Users\Application Data\1319036180.bdinstall.bin

h:\documents and settings\All Users\Application Data\1325288069.bdinstall.bin

h:\documents and settings\All Users\Application Data\1325331525.bdinstall.bin

h:\documents and settings\All Users\Application Data\1326314430.bdinstall.bin

h:\documents and settings\All Users\Application Data\1326314675.bdinstall.bin

h:\documents and settings\All Users\Application Data\2E0

h:\documents and settings\All Users\Application Data\2E0\{25825C59-1046-45FD-ACA2-6C60A55C718F}.swf

h:\documents and settings\All Users\Application Data\41F

h:\documents and settings\All Users\Application Data\41F\{E90A3C2E-F51B-445B-BE9C-13F992D9AA1B}.swf

h:\documents and settings\All Users\Application Data\76D

h:\documents and settings\All Users\Application Data\76D\{9745BCBC-FEDA-4C5D-B953-3E1413B15756}.swf

h:\documents and settings\All Users\Application Data\8CB

h:\documents and settings\All Users\Application Data\8CB\{EFBE7B1E-4A7F-47F6-AFC8-04D65FEFAB59}.swf

h:\documents and settings\All Users\Application Data\TEMP

h:\documents and settings\All Users\Application Data\TEMP\1041

h:\documents and settings\All Users\Application Data\TEMP\11A0

h:\documents and settings\All Users\Application Data\TEMP\11A9

h:\documents and settings\All Users\Application Data\TEMP\11E0

h:\documents and settings\All Users\Application Data\TEMP\121F

h:\documents and settings\All Users\Application Data\TEMP\1242

h:\documents and settings\All Users\Application Data\TEMP\124B

h:\documents and settings\All Users\Application Data\TEMP\1254

h:\documents and settings\All Users\Application Data\TEMP\1281

h:\documents and settings\All Users\Application Data\TEMP\129B

h:\documents and settings\All Users\Application Data\TEMP\12EB

h:\documents and settings\All Users\Application Data\TEMP\1E3D

h:\documents and settings\All Users\Application Data\TEMP\DDF

h:\documents and settings\All Users\Application Data\TEMP\DE9

h:\documents and settings\All Users\Application Data\TEMP\F10

h:\documents and settings\Sarah\Application Data\.#

h:\documents and settings\Sarah\Application Data\.#\MBX@72C@3E4150.###

h:\documents and settings\Sarah\Application Data\.#\MBX@72C@3E4180.###

h:\documents and settings\Sarah\Application Data\.#\MBX@72C@3E41B0.###

h:\documents and settings\Sarah\Application Data\LocalLow

h:\documents and settings\Sarah\Application Data\LocalLow\naver\NaverToolbar\cache.dat

h:\documents and settings\Sarah\Application Data\LocalLow\naver\NaverToolbar\DB_1_7.DAT

h:\documents and settings\Sarah\Application Data\LocalLow\naver\NaverToolbar\DB_1_8.DAT

h:\documents and settings\Sarah\Application Data\LocalLow\naver\NaverToolbar\History.xml

h:\documents and settings\Sarah\Application Data\LocalLow\naver\NaverToolbar\SearchEngines\bing_com.xml

h:\documents and settings\Sarah\Application Data\LocalLow\naver\NaverToolbar\SearchEngines\daum_net.xml

h:\documents and settings\Sarah\Application Data\LocalLow\naver\NaverToolbar\SearchEngines\nate_com.xml

h:\documents and settings\Sarah\Application Data\LocalLow\naver\NaverToolbar\SearchEngines\naver_com.xml

h:\documents and settings\Sarah\Application Data\LocalLow\naver\NaverToolbar\SearchEngines\paran_com.xml

h:\documents and settings\Sarah\Application Data\LocalLow\naver\NaverToolbar\SearchEngines\yahoo_com.xml

h:\documents and settings\Sarah\Application Data\LocalLow\naver\NaverToolbar\UserInfo.ini

h:\documents and settings\Sarah\Favorites\쇼핑 스트리트, 11번가.url

h:\documents and settings\Sarah\Local Settings\Application Data\OpenShopper

h:\documents and settings\Sarah\Local Settings\Application Data\OpenShopper\cdb.db

h:\documents and settings\Sarah\Local Settings\Application Data\OpenShopper\data.db

h:\documents and settings\Sarah\Local Settings\Application Data\OpenShopper\data.zip

h:\documents and settings\Sarah\Local Settings\Application Data\PeeringPortal\Pino\pinomate.exe

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\01d00098f732f640c6a5c8d431515b46.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\049497fd8947e722ae04b02eab871c18.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\067a9fd1541da872bb757c3da6a33d92.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\0783fa07a21528ab730a1df23334399c.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\0999dc9d92e75202025b885f39592438.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\0ba4ed06c78b5997716890d067fe2f51.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\0bb985ae9fc3a38262b3fd4c5cb03a3e.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\0ccc70e9bd23465e9e97d9445314fa13.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\0d5b5b246d05342352b6c776e1cf5212.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\11e75649feaf8ef009c4ed99aafe8310.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\1ba01a94a454af76ad1d723478b7127d.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\1ec397e7e85d3c521dc4c849c4e3ea0f.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\1f840d5d0d14655c624d157818b7003d.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\24c8b24d8a5c9889dac59d968fa1b8d8.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\251f27bb0e06e757f562bc1dc84a615f.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\25e9c02c9d769d249732f66e042c290e.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\28358b19588cf08bbb5de8b51850fe3a.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\288a0b7430370eb282f72b7e015c3c9a.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\28e51fb50e37beadbd134e4ae50e8f63.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\2a066ba87c16f28ec9819e3285252403.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\2c5a2cabd3b78548df720c3ee90efb41.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\2c86ccbe1c6e19b40bb8de244b0ba1e7.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\2d0afc3654f0a438f23598fb84be758c.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\2dfb42d5ca2c7ccc627743d095dfbac9.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\2eacacaddf4a71fe74de2b3f14074ac6.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\354c633ff9bf6fb3ecfad0ad65113c47.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\366a8f1bc352313a1074df76fdbce056.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\393e4d90773d8bbc9b905d903b618bdf.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\397bc65516fb1e815aa106a3d14d5305.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\3c1498e5ef362e757dc43d17482960f3.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\3ca41046bcb79924498d631f343d4371.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\461b3a8e7cfacb0c812e36aed9447c6d.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\46ceb001bfdc384ffe00657d8c567973.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\46eb2cd25804a00a1f22c69c4020c7e5.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\47d1dba34092ceb5412ac6f70c51e606.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\485d27cb769c9983f17e3d9eb5d03c5c.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\4b377d6eea3966e34c9a3ac2c647e5e5.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\4e216d83dc7da9779966ea4d31e236dd.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\4e6865e0bf7cf90244ce414917cc6556.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\51303604fcc7ede3ff317e6daac0c19a.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\52b483be9d71439ea530fb17638e5382.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\56613b7bd5cb1c3e01ecaa7a811022a9.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\59a83ef1238e50bddcc7caeb618d1824.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\59d3e0ea0c210c7674fea90f5382090c.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\5af1fa38e21413b7b2f5c6371f706543.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\5c5edcfe25ff895bc5c6a8d734710c5c.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\5f45a68915125fa8ad11a60ebffe29ee.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\6166b09fdf1ac1eaa1ae57a6eb20c03b.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\63eb5d17d60101356a7bbfdaae9afa57.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\654f8818ae39026c29f34808452fb02f.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\69482b1568b01b43c70d0ace76055f7e.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\6ab204a5ef9f916fe93d527a421ffdda.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\741983fb8768fa4d118c8ca59f82bb83.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\7cef98e862160d452cf773da8f4e2064.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\7f1d8b588793a67a9e8271b309c497c8.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\82724e37ddf746e5c798c9541a83d990.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\877d5ef68d1b6d7922fd09e955289803.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\8abcdf24b4bfa351f3b767c4232c6d02.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\91a1315c3d05215b1504e5899d32b936.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\9a40bf533c72981026081869543bbde2.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\9a846edeab464b62f0f2a74c54059f0b.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\9c5178781b9775c8036205fa67727330.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\9f9c2aa3ed1b1b0f922524c5a5260d1c.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\a26ba057241a8c2ae219a8db7335f51c.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\a67e0c2d6a842bf89983192c7e42d7c7.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\a9583053db1a9b326763e99e2321c517.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\ad63fa05a8e976a9e0939831eb5ba308.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\b2c8a6ebad81932fcbe8461599d71865.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\b527594c48bbaad67924ced89a416e20.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\b86745632d1223fab788478c41828d9a.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\b88e5980318f9688b4348228079f4f04.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\c25b7660062dfaf312f7142d2126cf2e.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\c2a9bad2a6f3c5b8aba800c2646abbf0.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\c36f2f770b74dd9e49947e924f85eeea.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\c636b5bf68f8ea6811c91dd569143b63.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\c73959eceda75ddf82609033ed2756e9.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\ccbebc209ee7342ed2a62b6d6e996645.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\d0d1583aaf54f587014b422167bddd89.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\d41d8cd98f00b204e9800998ecf8427e.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\d7c0d1ef6446382c3f7bb71308ba122f.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\d8c72d47eaed4bf47aa5d4f291a7c350.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\d909bf9e40d3de9bfa779059a90ff834.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\dc973701a6a9f218f60e389f479684db.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\dcc3ea4461b925db5858951892b5fa12.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\df0ea822d926c8fa5e9401e70f2cea67.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\e09d50f5972f50e03ca6be41cf66e0b5.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\e261f32b2da3462f5a3f10d0e3cb11c7.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\e52ee3c662672a47bf85d717ebb4ae8e.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\e5c061252396f14b1dca59f288bf9c20.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\ebc4635e6aeb6c62f3801a378bdfaa4d.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\ecb246b7273dc7466b406d7b8b10c09e.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\f63720489499e58792f33295e3dfbf29.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\f9531b586c797615c6b11c5d9e8b7302.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\fd44d831ab115f692f560f8ea07c9868.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\fe5046d3ac6595d8f385d8a45126456e.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\fe6d388665fbc8cdfabaa8dc587839f7.bmp

h:\documents and settings\Sarah\Local Settings\Temporary Internet Files\hgstarter_verinfo.dat

h:\documents and settings\Sarah\Templates\iplustemp.ini

h:\documents and settings\Sarah\Templates\winexpandtemp.ini

h:\documents and settings\Sarah\WINDOWS

H:\Microsoft

h:\microsoft\Small Business Accounting\AnalysisToolsReportRegistrations.xml

h:\program files\iStarNews

h:\program files\Keyword Find

h:\program files\Keyword Find\uninstall.exe

h:\program files\NAT Service

h:\program files\NAT Service\natsvc.0xe

h:\program files\NAT Service\natsvc.exe

h:\program files\NAT Service\unins000.dat

h:\program files\NAT Service\unins000.exe

h:\program files\NAT Service\upsvc.exe

h:\program files\Naver

h:\program files\Naver\NaverAgent\Inst.ini

h:\program files\Naver\NaverAgent\NaverAdminAPI.dll

h:\program files\Naver\NaverAgent\NaverAdminAPI.exe

h:\program files\Naver\NaverAgent\NaverAgent.exe

h:\program files\Naver\NaverAgent\Uninst_Agent.exe

h:\program files\Naver\NaverToolbar\aHserY8

h:\program files\Naver\NaverToolbar\DB_1_7.DAT

h:\program files\Naver\NaverToolbar\DB_1_8.DAT

h:\program files\Naver\NaverToolbar\fixIE.exe

h:\program files\Naver\NaverToolbar\hqhF7uey

h:\program files\Naver\NaverToolbar\InstlInfo.ini

h:\program files\Naver\NaverToolbar\juniver\artist.ico

h:\program files\Naver\NaverToolbar\juniver\babystudy.ico

h:\program files\Naver\NaverToolbar\juniver\blog.ico

h:\program files\Naver\NaverToolbar\juniver\bookmark.ico

h:\program files\Naver\NaverToolbar\juniver\bookmark.JPG

h:\program files\Naver\NaverToolbar\juniver\capturebrowser.ico

h:\program files\Naver\NaverToolbar\juniver\capturebrowser.jpg

h:\program files\Naver\NaverToolbar\juniver\cleaninternet.ico

h:\program files\Naver\NaverToolbar\juniver\cleaninternet.jpg

h:\program files\Naver\NaverToolbar\juniver\clinic.ico

h:\program files\Naver\NaverToolbar\juniver\comic.ico

h:\program files\Naver\NaverToolbar\juniver\config.ico

h:\program files\Naver\NaverToolbar\juniver\dic.ico

h:\program files\Naver\NaverToolbar\juniver\dicdetail.jpg

h:\program files\Naver\NaverToolbar\juniver\dicdetail2.jpg

h:\program files\Naver\NaverToolbar\juniver\dictionary.jpg

h:\program files\Naver\NaverToolbar\juniver\dongwha.ico

h:\program files\Naver\NaverToolbar\juniver\farm_01.ico

h:\program files\Naver\NaverToolbar\juniver\farm_02.ico

h:\program files\Naver\NaverToolbar\juniver\flash.ico

h:\program files\Naver\NaverToolbar\juniver\gabe.ico

h:\program files\Naver\NaverToolbar\juniver\gallery.ico

h:\program files\Naver\NaverToolbar\juniver\game.ico

h:\program files\Naver\NaverToolbar\juniver\gametalk.ico

h:\program files\Naver\NaverToolbar\juniver\gametalk.jpg

h:\program files\Naver\NaverToolbar\juniver\homework.ico

h:\program files\Naver\NaverToolbar\juniver\jr.ico

h:\program files\Naver\NaverToolbar\juniver\kidsong.ico

h:\program files\Naver\NaverToolbar\juniver\login.ico

h:\program files\Naver\NaverToolbar\juniver\logo.bmp

h:\program files\Naver\NaverToolbar\juniver\logo.png

h:\program files\Naver\NaverToolbar\juniver\logout.ico

h:\program files\Naver\NaverToolbar\juniver\move.ico

h:\program files\Naver\NaverToolbar\juniver\opencast.ico

h:\program files\Naver\NaverToolbar\juniver\opencast.jpg

h:\program files\Naver\NaverToolbar\juniver\panyroom.ico

h:\program files\Naver\NaverToolbar\juniver\parents.ico

h:\program files\Naver\NaverToolbar\juniver\pcclinic.jpg

h:\program files\Naver\NaverToolbar\juniver\popup.ico

h:\program files\Naver\NaverToolbar\juniver\popup2.ico

h:\program files\Naver\NaverToolbar\juniver\real.ico

h:\program files\Naver\NaverToolbar\juniver\search.ico

h:\program files\Naver\NaverToolbar\juniver\shotcut.ico

h:\program files\Naver\NaverToolbar\juniver\theme.xml

h:\program files\Naver\NaverToolbar\juniver\toolbarcleaner.ico

h:\program files\Naver\NaverToolbar\juniver\toolbarcleaner.jpg

h:\program files\Naver\NaverToolbar\juniver\transjapan.ico

h:\program files\Naver\NaverToolbar\juniver\tv.ico

h:\program files\Naver\NaverToolbar\juniver\virus.ico

h:\program files\Naver\NaverToolbar\juniver\zoom.ico

h:\program files\Naver\NaverToolbar\naver\blog.ico

h:\program files\Naver\NaverToolbar\naver\bookmark.ico

h:\program files\Naver\NaverToolbar\naver\bookmark.JPG

h:\program files\Naver\NaverToolbar\naver\capturebrowser.ico

h:\program files\Naver\NaverToolbar\naver\capturebrowser.jpg

h:\program files\Naver\NaverToolbar\naver\cleaninternet.ico

h:\program files\Naver\NaverToolbar\naver\cleaninternet.jpg

h:\program files\Naver\NaverToolbar\naver\clinic.ico

h:\program files\Naver\NaverToolbar\naver\config.ico

h:\program files\Naver\NaverToolbar\naver\dic.ico

h:\program files\Naver\NaverToolbar\naver\dicdetail.jpg

h:\program files\Naver\NaverToolbar\naver\dicdetail2.jpg

h:\program files\Naver\NaverToolbar\naver\dictionary.jpg

h:\program files\Naver\NaverToolbar\naver\gametalk.ico

h:\program files\Naver\NaverToolbar\naver\gametalk.jpg

h:\program files\Naver\NaverToolbar\naver\login.ico

h:\program files\Naver\NaverToolbar\naver\logo.bmp

h:\program files\Naver\NaverToolbar\naver\logo.png

h:\program files\Naver\NaverToolbar\naver\logout.ico

h:\program files\Naver\NaverToolbar\naver\move.ico

h:\program files\Naver\NaverToolbar\naver\naver.ico

h:\program files\Naver\NaverToolbar\naver\opencast.ico

h:\program files\Naver\NaverToolbar\naver\opencast.jpg

h:\program files\Naver\NaverToolbar\naver\pcclinic.jpg

h:\program files\Naver\NaverToolbar\naver\popup.ico

h:\program files\Naver\NaverToolbar\naver\popup2.ico

h:\program files\Naver\NaverToolbar\naver\real.ico

h:\program files\Naver\NaverToolbar\naver\search.ico

h:\program files\Naver\NaverToolbar\naver\shotcut.ico

h:\program files\Naver\NaverToolbar\naver\theme.xml

h:\program files\Naver\NaverToolbar\naver\toolbarcleaner.ico

h:\program files\Naver\NaverToolbar\naver\toolbarcleaner.jpg

h:\program files\Naver\NaverToolbar\naver\transjapan.ico

h:\program files\Naver\NaverToolbar\naver\virus.ico

h:\program files\Naver\NaverToolbar\naver\zoom.ico

h:\program files\Naver\NaverToolbar\NaverAdminAPI.dll

h:\program files\Naver\NaverToolbar\NaverAdminAPI.exe

h:\program files\Naver\NaverToolbar\NaverSafeGuard\fswq87B

h:\program files\Naver\NaverToolbar\NaverSafeGuard\NaverSafeGuard.exe

h:\program files\Naver\NaverToolbar\NaverSafeGuard\NELO.dll

h:\program files\Naver\NaverToolbar\NaverSafeGuard\NELO_CrashReporter.exe

h:\program files\Naver\NaverToolbar\NaverSafeGuard\nSafeCrash.dll

h:\program files\Naver\NaverToolbar\NaverSafeGuard\nSafeGuard.dat

h:\program files\Naver\NaverToolbar\NaverSafeGuard\nSafeGuard_2011_5_2_1.dll

h:\program files\Naver\NaverToolbar\NaverSafeGuard\nSafeInfo.dat

h:\program files\Naver\NaverToolbar\NaverSafeGuard\nsGuard.dll

h:\program files\Naver\NaverToolbar\NaverSafeGuard\u8ydeB

h:\program files\Naver\NaverToolbar\NaverTB_3_5_8_73.dll

h:\program files\Naver\NaverToolbar\NaverTB_Upgrade.exe

h:\program files\Naver\NaverToolbar\NTC_1_0_0_7.exe

h:\program files\Naver\NaverToolbar\postinst.exe

h:\program files\Naver\NaverToolbar\SearchEngines\bing_com.xml

h:\program files\Naver\NaverToolbar\SearchEngines\daum_net.xml

h:\program files\Naver\NaverToolbar\SearchEngines\nate_com.xml

h:\program files\Naver\NaverToolbar\SearchEngines\naver_com.xml

h:\program files\Naver\NaverToolbar\SearchEngines\paran_com.xml

h:\program files\Naver\NaverToolbar\SearchEngines\yahoo_com.xml

h:\program files\Naver\NaverToolbar\Security\NaverTBSLuncher.exe

h:\program files\Naver\NaverToolbar\Security\NaverTBSLuncher.tmp

h:\program files\Naver\NaverToolbar\TBInfo.ini

h:\windows\EventSystem.log

h:\windows\system32\11st.ico

h:\windows\system32\11sticon.ico

h:\windows\system32\CKAgent.dat

h:\windows\system32\CKSetup32.dat

h:\windows\system32\gotomon.log

h:\windows\system32\muzapp.exe

h:\windows\system32\Nagasoft

h:\windows\system32\service

h:\windows\system32\service\04042009_TIS17_SfFniAU.log

h:\windows\system32\SET9B.tmp

h:\windows\system32\spool\prtprocs\w32x86\GoToPrintProcessor.dll

h:\windows\system32\winlogon.bak

h:\windows\system32\ws2help.dll.dsG.tmp

h:\windows\wininit.ini

.

Infected copy of h:\windows\system32\wshtcpip.dll was found and disinfected

Restored copy from - h:\windows\ServicePackFiles\i386\wshtcpip.dll

.

h:\windows\system32\drivers\i8042prt.sys was missing

Restored copy from - h:\windows\ServicePackFiles\i386\i8042prt.sys

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_NATSERVICE

-------\Service_NATService

.

.

((((((((((((((((((((((((( Files Created from 2013-02-25 to 2013-03-25 )))))))))))))))))))))))))))))))

.

.

2013-03-24 23:55 . 2008-04-13 19:18 52480 ----a-w- h:\windows\system32\drivers\i8042prt.sys

2013-03-22 18:59 . 2013-03-24 17:24 19456 ----a-w- h:\windows\system32\wshtcptk.dll

2013-03-21 18:29 . 2013-02-12 00:32 12928 -c----w- h:\windows\system32\dllcache\usb8023x.sys

2013-03-21 18:29 . 2013-02-12 00:32 12928 -c----w- h:\windows\system32\dllcache\usb8023.sys

2013-03-15 19:03 . 2013-03-15 19:03 -------- d-----w- h:\program files\windin

2013-03-15 01:28 . 2013-03-15 01:28 35144 ----a-w- h:\windows\system32\drivers\mbamchameleon.sys

2013-03-14 23:03 . 2013-03-14 23:03 -------- d-----w- h:\documents and settings\Sarah\Application Data\Malwarebytes

2013-03-14 23:02 . 2013-03-14 23:02 -------- d-----w- h:\program files\Malwarebytes' Anti-Malware

2013-03-14 23:02 . 2013-03-14 23:02 -------- d-----w- h:\documents and settings\All Users\Application Data\Malwarebytes

2013-03-14 23:02 . 2012-12-14 16:49 21104 ----a-w- h:\windows\system32\drivers\mbam.sys

2013-03-05 20:34 . 2013-03-05 20:34 -------- d-----w- h:\windows\system32\wbem\Repository

2013-02-25 09:51 . 2013-01-31 08:19 181344 ----a-w- h:\windows\system32\drivers\ssudmdm.sys

2013-02-25 09:51 . 2013-01-31 08:19 83168 ----a-w- h:\windows\system32\drivers\ssudbus.sys

2013-02-25 09:46 . 2013-02-05 17:52 821824 ----a-w- h:\windows\system32\dgderapi.dll

2013-02-25 09:46 . 2013-02-05 17:52 20032 ----a-w- h:\windows\system32\drivers\dgderdrv.sys

2013-02-24 16:42 . 2013-02-25 16:35 -------- d-----w- h:\program files\TrustPort

2013-02-24 16:42 . 2013-02-25 16:35 -------- d-----w- h:\program files\Common Files\TrustPort

2013-02-24 16:37 . 2013-02-24 16:37 -------- d-----w- h:\documents and settings\Sarah\Local Settings\Application Data\Magentic

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-03-24 17:24 . 2004-08-03 22:56 19456 ----a-w- h:\windows\system32\sfaqouDCou

2013-03-24 17:24 . 2004-08-03 22:56 18944 ----a-w- h:\windows\system32\midimap.dll

2013-03-24 13:59 . 2004-08-03 22:56 19456 ----a-w- h:\windows\system32\TDHeHk3q

2013-03-22 20:33 . 2004-08-03 22:56 19456 ----a-w- h:\windows\system32\yDuquih

2013-03-12 21:17 . 2012-05-09 15:12 693976 ----a-w- h:\windows\system32\FlashPlayerApp.exe

2013-03-12 21:17 . 2011-06-23 14:49 73432 ----a-w- h:\windows\system32\FlashPlayerCPLApp.cpl

2013-03-04 12:49 . 2004-08-03 22:56 19456 ----a-w- h:\windows\system32\LeIsuBDae

2013-03-01 17:42 . 2004-08-03 22:56 19456 ----a-w- h:\windows\system32\ieuinyf

2013-02-26 15:12 . 2008-05-28 22:35 21840 -c--atw- h:\windows\system32\SIntfNT.dll

2013-02-26 15:12 . 2008-05-28 22:35 17212 -c--atw- h:\windows\system32\SIntf32.dll

2013-02-26 15:12 . 2008-05-28 22:35 12067 -c--atw- h:\windows\system32\SIntf16.dll

2013-02-13 09:19 . 2013-02-13 09:19 102008 ----a-w- h:\windows\system32\drivers\RapportKELL.sys

2013-02-12 00:32 . 2008-09-03 15:35 12928 ------w- h:\windows\system32\drivers\usb8023x.sys

2013-02-12 00:32 . 2004-08-03 21:04 12928 ----a-w- h:\windows\system32\drivers\usb8023.sys

2013-02-05 20:05 . 2004-08-03 22:56 916480 ----a-w- h:\windows\system32\wininet.dll

2013-02-05 20:05 . 2004-08-03 22:56 1469440 ------w- h:\windows\system32\inetcpl.cpl

2013-02-05 20:05 . 2004-08-03 22:56 43520 ----a-w- h:\windows\system32\licmgr10.dll

2013-02-05 17:53 . 2011-10-12 13:05 4659712 ----a-w- h:\windows\system32\Redemption.dll

2013-02-05 17:52 . 2013-02-05 17:52 90112 ----a-w- h:\windows\MAMCityDownload.ocx

2013-02-05 17:52 . 2013-02-05 17:52 330240 ----a-w- h:\windows\MASetupCaller.dll

2013-02-05 17:52 . 2013-02-05 17:52 30568 ----a-w- h:\windows\MusiccityDownload.exe

2013-02-05 05:53 . 2004-08-03 20:59 385024 ------w- h:\windows\system32\html.iec

2013-01-31 14:59 . 2011-06-24 16:47 232656 ----a-w- h:\windows\system32\npPMangFX.dll

2013-01-26 03:55 . 2004-08-03 22:56 552448 ----a-w- h:\windows\system32\oleaut32.dll

2013-01-09 11:06 . 2013-01-09 11:06 202240 ----a-w- h:\windows\system32\msnmsgqw.exe

2013-01-07 01:19 . 2004-08-03 21:18 2148864 ----a-w- h:\windows\system32\ntoskrnl.exe

2013-01-07 00:37 . 2004-08-03 22:59 2027520 ----a-w- h:\windows\system32\ntkrnlpa.exe

2013-01-04 01:20 . 2004-08-03 21:17 1867264 ----a-w- h:\windows\system32\win32k.sys

2013-01-02 06:49 . 2004-08-03 22:56 148992 ----a-w- h:\windows\system32\mpg2splt.ax

2013-01-02 06:49 . 2004-08-03 22:56 1292288 ----a-w- h:\windows\system32\quartz.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2013-03-24 . 743CAC2A53BA132D086853141246D7D7 . 18944 . . [5.1.2600.5512] . . h:\windows\system32\midimap.dll

[7] 2008-04-14 . 5C12660A97822F6E61576943B49AAAD6 . 18944 . . [5.1.2600.5512] . . h:\windows\ServicePackFiles\i386\midimap.dll

[7] 2004-08-03 . 3B4702155BB2AE9DC00C06A68834BDFA . 18944 . . [5.1.2600.2180] . . h:\windows\$NtServicePackUninstall$\midimap.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NATEON"="h:\program files\nateon\bin\nateon.exe" [2012-02-22 3108216]

"WindowsLivePhone"="h:\program files\Windows Live\Device Manager\msgrdvmn.exe" [2008-12-22 787816]

"WMPNSCFG"="h:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

"Skype"="h:\program files\Skype\Phone\Skype.exe" [2013-01-08 18705664]

"KiesPreload"="h:\program files\Samsung\Kies\Kies.exe" [2013-02-13 1509232]

"swg"="h:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-11 39408]

"windin"="h:\program files\windin\WindInC.exe" [2013-03-04 821336]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 16377344]

"MaAgent"="h:\program files\MarkAny\ContentSAFER\MaAgent.exe" [2008-12-02 66896]

"LifeChat"="h:\program files\Microsoft LifeChat\LifeChat.exe" [2009-09-28 264040]

"WindowsLivePhone"="h:\program files\Windows Live\Device Manager\msgrdvmn.exe" [2008-12-22 787816]

"Adobe ARM"="h:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]

"WinxpendUP_nshe"="h:\program files\WinExpand_nshe\WinxpendUP_nshe.exe" [2013-02-13 286832]

"KiesTrayAgent"="h:\program files\Samsung\Kies\KiesTrayAgent.exe" [2013-02-13 310128]

"QuickTime Task"="h:\program files\QuickTime\qttask.exe" [2010-11-16 98304]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="h:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

h:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - h:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

NCProTray.lnk - h:\program files\SEC\Natural Color Pro\NCProTray.exe [2009-6-17 49220]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0tpnative

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\_ishieldA.sys]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\_ishieldB.sys]

@=""

.

[HKLM\~\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^NCProTray.lnk]

path=h:\documents and settings\All Users\Start Menu\Programs\Startup\NCProTray.lnk

backup=h:\windows\pss\NCProTray.lnkCommon Startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-11-16 19:51 98304 ----a-w- h:\program files\QuickTime\qttask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]

2006-10-18 19:05 204288 ------w- h:\program files\Windows Media Player\wmpnscfg.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Digital Imaging\\bin\\hpqnrs08.exe"=

"h:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"h:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"h:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"h:\\WINDOWS\\system32\\jukeon_e.exe"=

"h:\\WINDOWS\\system32\\BugsSvr.exe"=

"h:\\Program Files\\Spotify\\spotify.exe"=

"h:\\Documents and Settings\\Sarah\\Desktop\\comic books\\에이지오브엠파이어2\\EMPIRES2.EXE"=

"h:\\WINDOWS\\system32\\mnetasvr.exe"=

"h:\\WINDOWS\\system32\\mnetvsvr.exe"=

"h:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"h:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"h:\\Documents and Settings\\Sarah\\My Documents\\comic books\\에이지오브엠파이어2\\EMPIRES2.EXE"=

"h:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"h:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

"h:\\Program Files\\Skype\\Phone\\Skype.exe"=

"h:\\Documents and Settings\\Sarah\\My Documents\\comic books\\¿¡AIAo¿Aºe¿¥ÆAAI¾i2\\EMPIRES2.EXE"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"20521:TCP"= 20521:TCP:BitComet 20521 TCP

"20521:UDP"= 20521:UDP:BitComet 20521 UDP

.

R1 RapportCerberus_50414;RapportCerberus_50414;h:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_50414.sys [2013-02-22 316984]

R1 RapportEI;RapportEI;h:\program files\Trusteer\Rapport\bin\RapportEI.sys [2013-02-13 102680]

R1 RapportPG;RapportPG;h:\program files\Trusteer\Rapport\bin\RapportPG.sys [2013-02-13 173880]

R2 MBAMScheduler;MBAMScheduler;h:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-03-14 398184]

R2 MBAMService;MBAMService;h:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2013-03-14 682344]

R2 RapportMgmtService;Rapport Management Service;h:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2013-02-13 1124184]

R2 Skype C2C Service;Skype C2C Service;h:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2013-01-31 3289208]

R3 JRSUKD25;JRSUKD25;h:\windows\system32\JRSUKD25.SYS [2012-05-11 22480]

R3 MBAMProtector;MBAMProtector;h:\windows\system32\drivers\mbam.sys [2013-03-14 21104]

R3 RapportIaso;RapportIaso;h:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\baseline\RapportIaso.sys [2011-09-25 55448]

S0 sptd;sptd;h:\windows\system32\Drivers\sptd.sys --> h:\windows\system32\Drivers\sptd.sys [?]

S1 _ishieldA;_ishieldA;\??\h:\windows\system32\drivers\_ishieldA.sys --> h:\windows\system32\drivers\_ishieldA.sys [?]

S1 _ishieldB;_ishieldB;\??\h:\windows\system32\drivers\_ishieldB.sys --> h:\windows\system32\drivers\_ishieldB.sys [?]

S1 0bfabc15;0bfabc15;\??\h:\windows\system32\drivers\0bfabc15.sys --> h:\windows\system32\drivers\0bfabc15.sys [?]

S1 77518993;77518993;\??\h:\windows\system32\drivers\77518993.sys --> h:\windows\system32\drivers\77518993.sys [?]

S1 RapportBuka;RapportBuka;\??\h:\windows\system32\drivers\RapportBuka.sys --> h:\windows\system32\drivers\RapportBuka.sys [?]

S2 encnsvc;Security Inernet Bank Service;h:\windows\system32\svchost.exe -k encnsvc [2004-08-03 14336]

S2 gupdate1c98c9d2d860322;Google Update Service (gupdate1c98c9d2d860322);h:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 133104]

S2 SkypeUpdate;Skype Updater;h:\program files\Skype\Updater\Updater.exe [2013-01-08 161536]

S3 AhnFlt2k;AhnFlt2k;h:\windows\system32\drivers\AhnFlt2k.sys [2012-05-11 52960]

S3 AhnRec2k;AhnRec2k;h:\windows\system32\drivers\AhnRec2k.sys [2012-05-11 20320]

S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);h:\windows\system32\drivers\ssudbus.sys [2013-02-25 83168]

S3 dgderdrv;dgderdrv;h:\windows\system32\drivers\dgderdrv.sys [2013-02-25 20032]

S3 JRSKD24;JRSKD24;\??\h:\windows\system32\JRSKD24.SYS --> h:\windows\system32\JRSKD24.SYS [?]

S3 JRSUKD24;JRSUKD24;\??\h:\windows\system32\JRSUKD24.SYS --> h:\windows\system32\JRSUKD24.SYS [?]

S3 kcrtx86;kcrtx86;h:\windows\system32\kcrtx86.sys [2010-02-11 126048]

S3 mbamchameleon;mbamchameleon;h:\windows\system32\drivers\mbamchameleon.sys [2013-03-15 35144]

S3 MEMSWEEP2;MEMSWEEP2;\??\h:\windows\system32\23.tmp --> h:\windows\system32\23.tmp [?]

S3 NPFWFLT;NPFWFLT;h:\windows\system32\npfwflt.sys [2010-02-11 41600]

S3 npggsvc;nProtect GameGuard Service;h:\windows\system32\GameMon.des -service --> h:\windows\system32\GameMon.des -service [?]

S3 NPIDS;NPIDS;h:\windows\system32\npids.sys [2010-02-11 48384]

S3 scskusbf;USB SCSK Filter Driver Service;h:\windows\system32\drivers\scskusbf.sys --> h:\windows\system32\drivers\scskusbf.sys [?]

S3 scskusbs;USB SCSK Driver Service;h:\windows\system32\drivers\scskusbs.sys --> h:\windows\system32\drivers\scskusbs.sys [?]

S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);h:\windows\system32\drivers\ssudmdm.sys [2013-02-25 181344]

S3 VPDrvNt;VPDrvNt;\??\h:\program files\AhnLab\V3Lite\VPDrvNt.sys --> h:\program files\AhnLab\V3Lite\VPDrvNt.sys [?]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

encnsvc REG_MULTI_SZ encnsvc

.

Contents of the 'Scheduled Tasks' folder

.

2013-03-24 h:\windows\Tasks\Adobe Flash Player Updater.job

- h:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-09 21:17]

.

2013-03-02 h:\windows\Tasks\AppleSoftwareUpdate.job

- h:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 17:57]

.

2013-03-19 h:\windows\Tasks\Google Software Updater.job

- h:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-11 22:50]

.

2013-03-24 h:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- h:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 23:04]

.

2013-03-24 h:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- h:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 23:04]

.

2013-03-24 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-602609370-839522115-1003Core.job

- h:\documents and settings\Sarah\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-25 21:25]

.

2013-03-24 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-602609370-839522115-1003UA.job

- h:\documents and settings\Sarah\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-25 21:25]

.

2013-03-24 h:\windows\Tasks\OGALogon.job

- h:\windows\system32\OGAEXEC.exe [2009-08-03 15:07]

.

2013-03-25 h:\windows\Tasks\WinExpandUpdate_nshe.job

- h:\program files\WinExpand_nshe\WinxpendUP_nshe.exe [2013-03-12 15:56]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

uDefault_Search_URL = hxxp://www.google.com/ie

mStart Page = hxxp://sharebox.co.kr/

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - h:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

Trusted Zone: hangame.com\www

Trusted Zone: pmang.com\www

TCP: DhcpNameServer = 194.168.4.100 194.168.8.100

DPF: {106A43C6-DB9A-483F-80AD-5ACE8BA41D6F} - hxxp://pino.peeringportal.co.kr/pino/install/package/nppcubeinst100225.cab

DPF: {1219B6C3-CD4D-4243-9A4F-4C9F12FCC6E7} - hxxp://ck.softforum.co.kr/CKKeyPro/yessign/CKKeyProInst.cab

DPF: {180C8380-22BA-4A62-A0E8-79F8DCE56B19} - hxxp://sub.sharebox.co.kr/ShareBoxCtrl.cab

DPF: {20BBA18F-5BC8-47B5-8FC9-5DFCA8E56A4B} - hxxps://mpi.dacom.net/XMPI/js/LGUplus_XMPI_20110503.cab

DPF: {270EC7A6-4096-469B-865C-F9678A2C742B} - hxxp://www.payzone.co.kr/EasyPayX/EasyPayX.cab

DPF: {29A84C9B-9AC0-4A18-B0D7-60571B0E88CE} - hxxp://www.11st.co.kr/ocx/SKSCmaker.cab

DPF: {29BC57E0-018D-46D2-B233-338B779C169C} - hxxp://www.mrblue.com/webcube/control/WebShell.cab

DPF: {2DCB00FB-3485-486B-BD41-C49AD605264D} - hxxp://www.epost.go.kr/comm/easykeytec/easykeytec.cab

DPF: {2EE4AED0-B8D5-4FCB-B4EB-75D5D20B55E5} - hxxp://download.zfile.co.kr/ZFileWebControl.cab

DPF: {307BAC15-8BF2-4ECE-99DC-0793E0F8B31D} - hxxp://update.downs.co.kr/mmsv/DownsCtrl.cab

DPF: {37D91428-0E1B-4154-9771-D977CE193864} - hxxp://download.softforum.com/Published/KSCertRlayW/v1.0.1.3/KSCertRelayW.cab

DPF: {3F68E1C3-39EC-4990-85E3-ABFE61AB86C5} - hxxp://dl.bugsm.co.kr/install/BugsInstaller.cab

DPF: {45091AA2-1574-4EC8-B520-4C27E29CF889} - hxxp://www.gmarket.co.kr/challenge/neo_goods/dlls/gifFreezer.cab

DPF: {477D5B9A-6479-44F8-9718-9340119B0308} - hxxp://www.hanabank.com/resource/download/veraport/down/veraport20.cab

DPF: {48ECCD73-123C-4C25-A64C-76E8E8A30CAF} - hxxps://mpi.dacom.net/XPayMPI/XPayMPI.cab

DPF: {4D390092-2A93-4E4D-BE7F-12E7C8C245EB} - hxxp://www.muonline.co.kr/Support/BugReport/ocx/Bugreport.cab

DPF: {5C1B293E-DA77-4AFF-8B52-63DEF8C8A071} - hxxp://download.netmarble.net/ActiveX/NMAutoUpdateX/NMAutoUpdateX_1.0.1.1_20091109.cab

DPF: {62076E39-043C-4A5A-BF17-D8A2128ACD93} - hxxp://pib.wooribank.com/com/installer/interezen/WRebw.cab

DPF: {692141E8-D3D1-49E0-BB94-2C8FBB1D69DE} - hxxp://www.mrblue.com/viewer_comics/control/ComicsViewer.CAB

DPF: {7D71E87E-FF6D-45D6-813F-BDFD10A355A8} - hxxp://momodisk.com/mmsv/momodiskWebControl.CAB

DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} - hxxps://yescardacs.keb.co.kr/XecureObject/xw_install.cab

DPF: {89F434A7-4A49-4394-AC02-007480331AE2} - hxxp://download.netmarble.net/ActiveX/NMAutoUpdateX/SystemIDInfo/NMSystemIDInfo_1.0.0.1.cab

DPF: {8C165CC2-E50D-4D99-9D32-DAF6AB15AA32} - hxxp://patch.mnet.com/Ver2/App/totalApp/mnethelper/MnetHelper2_20090923.cab

DPF: {8C4F5093-2E8B-491C-A2A3-74AFCEEE5378} - hxxp://ziofile.com/setver/ZioFileControl.cab

DPF: {93C449FA-ECFB-402F-A8C7-37E4F8D60E49} - hxxp://dl.pmang.com/common/pmangctl/pmangax.cab

DPF: {967386A1-409E-431A-A93A-FB5FEFF86A58} - hxxp://fx.keb.co.kr/veraport/veraport.cab

DPF: {9963FACF-7618-417B-B6DD-AB8B65AF8CD1} - hxxps://pgdownload.dacom.net/lgdacom/LGDacomXPayUpdater.cab

DPF: {99806ADD-C5EF-4632-A3D0-3E778B051F94} - hxxp://www.csafer.net/ActiveX/MASetupWizard_vista.cab

DPF: {A1830188-679E-4A67-B121-570F37F18ACC} - hxxp://cafe.naver.com/common/activex/nbgm.cab

DPF: {A1D886C6-4039-4451-97A9-515F5BE5D4C2} - hxxp://ahnlabdownload.nefficient.co.kr/asp/cab/mkdplus.cab

DPF: {A2561EA5-D4C6-4C3D-97C7-67F2C12416AD} - hxxp://download.softforum.co.kr/Published/kscertrelay/v2.0.0.6/KSCertRelay.cab

DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} - hxxp://kings.nefficient.co.kr/kings/kdfx/kdfx237/kdfense8.cab

DPF: {A977FF0C-8757-4E76-8533-482F91946233} - hxxp://dl.sayclub.com/sayclub/sayctl/sayax.cab

DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} - hxxp://dist.cdnetworks.co.kr/cdndist/neffynew/NeffyLauncher.cab

DPF: {B0A75875-3622-48BA-B5FF-45AD77AC2D0E} - hxxps://www.bankpay.or.kr/BankPayEFT.cab

DPF: {B128EFF9-0B1C-4C65-A162-28165A3A0A18} - hxxp://ssl.makeshop.co.kr/ssl/MSecure.cab

DPF: {B1F38AB3-D8C7-49A2-B09C-8055D2128BC6} - hxxp://www.vpay.co.kr/kvpfiles/KVPLoginCTLD.cab

DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} - hxxp://mail.daum.net/hanmail-ax/DaumActiveX/2_0_0_4/DaumActiveX.cab?ver=2,0,0,4

DPF: {B9DD5FFF-776D-4E53-93D3-A4463E63AD86} - hxxp://cdn.hangame.com/hangame/messenger/hani/webmsg/HanWebMsg.cab

DPF: {BCEF5CDE-BAD4-4532-A30B-9D16D502DE69} - hxxp://install.bugs.co.kr/install/BugsInstallerEx.cab

DPF: {C021A4D6-173F-4BF4-B38C-B12CAA20E518} - hxxp://www.mgoon.com/launcher.cab

DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} - hxxp://id.hangame.com/common/activex/HanSetup1040.cab

DPF: {C56763D2-8B6E-4CF2-A33A-BD59A7F2E653} - hxxp://filemon.co.kr/mmsv/FilemonWebControl.CAB

DPF: {C8F15B27-13FA-416A-BB96-736BB3372506} - hxxp://gamepack.game.daum.net/cab/NBWEBX.cab

DPF: {D96365C6-ACCB-4546-A878-E16178C48FF0} - hxxp://www.chzero.com:8000/zeromap/ZeroMap2009.CAB

DPF: {DFBBCB52-4D9F-4D0E-BF4A-A51223FC2541} - hxxp://patch.mnet.com/Ver2/App/totalApp/mnethelper/MnetHelper2_20100303.cab

DPF: {E3FA6DAA-04BF-4AEF-9612-341B2B7A25FC} - hxxps://pay.kcp.co.kr/plugin/file/payplus.cab

DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} - hxxps://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab

DPF: {F0B421DD-19FA-494A-9044-AAA4994A3217} - hxxp://toolbar.imbc.com/toolbar/setup/MBCXeb.cab

DPF: {FC1FEB1F-DB67-49C2-9AA1-83BFD60F992A} - hxxp://i-plus.jssearch.net/ActiveX/IPlusInstall.cab

DPF: {FE342FC7-4374-4EBE-86DB-D73AE861F779} - hxxp://file.naver.com/activex/NaverAXGuide.cab

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-NaverAgent - h:\program files\naver\NaverAgent\NaverAgent.exe

HKCU-Run-pinomate - h:\documents and settings\Sarah\Local Settings\Application Data\PeeringPortal\Pino\pinomate.exe

HKCU-Run-KiesAirMessage - h:\program files\Samsung\Kies\KiesAirMessage.exe

ShellExecuteHooks-{88485281-8b4b-4f8d-9ede-82e29a064277} - h:\progra~1\MarkAny\CONTEN~1\MACSMA~1.DLL

MSConfigStartUp-CTFMON - (no file)

MSConfigStartUp-Magentic - h:\progra~1\Magentic\bin\Magentic.exe

MSConfigStartUp-PC Suite Tray - h:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

MSConfigStartUp-PCSuiteTrayApplication - h:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

AddRemove-Amazon MP3 Downloader - h:\documents and settings\Sarah\My Documents\music\music\piano\bob acri\Uninstall.exe

AddRemove-keywordfind - h:\program files\Keyword Find\uninstall.exe

AddRemove-Mnet P3Modules - h:\program files\Mnet P3Modules\UnWebPlayerSetup(v2.0).exe

AddRemove-{CA6C4F90-F1C1-4CE9-AF2E-B09CD2939671}_is1 - h:\program files\NAT Service\unins000.exe

AddRemove-01_Simmental - h:\program files\Samsung\USB Drivers\01_Simmental\Uninstall.exe

AddRemove-02_Siberian - h:\program files\Samsung\USB Drivers\02_Siberian\Uninstall.exe

AddRemove-03_Swallowtail - h:\program files\Samsung\USB Drivers\03_Swallowtail\Uninstall.exe

AddRemove-04_semseyite - h:\program files\Samsung\USB Drivers\04_semseyite\Uninstall.exe

AddRemove-07_Schorl - h:\program files\Samsung\USB Drivers\07_Schorl\Uninstall.exe

AddRemove-09_Hsp - h:\program files\Samsung\USB Drivers\09_Hsp\Uninstall.exe

AddRemove-11_HSP_Plus_Default - h:\program files\Samsung\USB Drivers\11_HSP_Plus_Default\Uninstall.exe

AddRemove-16_Shrewsbury - h:\program files\Samsung\USB Drivers\16_Shrewsbury\Uninstall.exe

AddRemove-20_NXP_Driver - h:\program files\Samsung\USB Drivers\20_NXP_Driver\Uninstall.exe

AddRemove-24_flashusbdriver - h:\program files\Samsung\USB Drivers\24_flashusbdriver\Uninstall.exe

AddRemove-25_escape - h:\program files\Samsung\USB Drivers\25_escape\Uninstall.exe

AddRemove-우리 가계부2001 - c:\woorigage\DeIsL1.isu

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-03-25 00:01

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASP.NET]

"ImagePath"=""

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\h:\windows\system32\23.tmp"

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]

"ImagePath"="h:\windows\system32\GameMon.des -service"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@h:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="h:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(2152)

h:\windows\system32\WININET.dll

h:\program files\MarkAny\ContentSAFER\MaCSProHook.DLL

h:\program files\GRETECH\GomAudio\MiniBand.dll

h:\windows\system32\ieframe.dll

h:\windows\system32\webcheck.dll

h:\windows\system32\WPDShServiceObj.dll

h:\windows\system32\PortableDeviceTypes.dll

h:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

h:\windows\system32\WgaTray.exe

h:\windows\system32\conime.exe

h:\program files\Google\Update\1.3.21.135\GoogleCrashHandler.exe

h:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

h:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

h:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

h:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

h:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

h:\windows\RTHDCPL.EXE

h:\windows\system32\HPZipm12.exe

h:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

h:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

h:\windows\system32\UAService7.exe

h:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

h:\program files\Windows Media Player\WMPNetwk.exe

h:\program files\windin\WindInD.exe

h:\program files\windin\WindInSe.exe

h:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

.

**************************************************************************

.

Completion time: 2013-03-25 00:08:35 - machine was rebooted

ComboFix-quarantined-files.txt 2013-03-25 00:08

.

Pre-Run: 7,536,295,936 bytes free

Post-Run: 15,749,939,200 bytes free

.

- - End Of File - - 36A921D3F1CA1582FBA15539CEA29139


  • Staff

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:

Press the WinKey + R to open a run box, type Notepad > click OK.

This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')


Collect::
h:\windows\system32\wshtcptk.dll
h:\windows\system32\sfaqouDCou
h:\windows\system32\TDHeHk3q
h:\windows\system32\yDuquih
h:\windows\system32\LeIsuBDae
h:\windows\system32\ieuinyf

FCopy::
h:\windows\ServicePackFiles\i386\midimap.dll | h:\windows\system32\midimap.dll

driver::
0bfabc15

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...

[Screenshot: CFScriptB-4.gif]

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

NEXT

Please download Junkware Removal Tool to your desktop.

  • Shut down your antivirus to avoid any conflicts.
  • Right-mouse click JRT.exe and select Run as administrator
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message

NEXT

Download AdwCleaner from here and save it to your desktop.

  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply

NEXT

  • Please open your Malwarebytes Anti-Malware program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

NEXT

Go here to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish


ComboFix 13-03-25.01 - Sarah 2013-03-26 12:57:39.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.949.82.1033.18.2036.1285 [GMT 0:00]

Running from: h:\documents and settings\Sarah\Desktop\ComboFix.exe

Command switches used :: h:\documents and settings\Sarah\Desktop\CFScript.txt

.

file zipped: h:\windows\system32\ieuinyf

file zipped: h:\windows\system32\LeIsuBDae

file zipped: h:\windows\system32\sfaqouDCou

file zipped: h:\windows\system32\TDHeHk3q

file zipped: h:\windows\system32\wshtcptk.dll

file zipped: h:\windows\system32\yDuquih

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

h:\windows\system32\ieuinyf

h:\windows\system32\LeIsuBDae

h:\windows\system32\sfaqouDCou

h:\windows\system32\TDHeHk3q

h:\windows\system32\wshtcptk.dll

h:\windows\system32\yDuquih

.

.

--------------- FCopy ---------------

.

h:\windows\ServicePackFiles\i386\midimap.dll --> h:\windows\system32\midimap.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_0bfabc15

.

.

((((((((((((((((((((((((( Files Created from 2013-02-26 to 2013-03-26 )))))))))))))))))))))))))))))))

.

.

2013-03-24 23:55 . 2008-04-13 19:18 52480 ----a-w- h:\windows\system32\drivers\i8042prt.sys

2013-03-21 18:29 . 2013-02-12 00:32 12928 -c----w- h:\windows\system32\dllcache\usb8023x.sys

2013-03-21 18:29 . 2013-02-12 00:32 12928 -c----w- h:\windows\system32\dllcache\usb8023.sys

2013-03-15 19:03 . 2013-03-15 19:03 -------- d-----w- h:\program files\windin

2013-03-15 01:28 . 2013-03-15 01:28 35144 ----a-w- h:\windows\system32\drivers\mbamchameleon.sys

2013-03-14 23:03 . 2013-03-14 23:03 -------- d-----w- h:\documents and settings\Sarah\Application Data\Malwarebytes

2013-03-14 23:02 . 2013-03-14 23:02 -------- d-----w- h:\program files\Malwarebytes' Anti-Malware

2013-03-14 23:02 . 2013-03-14 23:02 -------- d-----w- h:\documents and settings\All Users\Application Data\Malwarebytes

2013-03-14 23:02 . 2012-12-14 16:49 21104 ----a-w- h:\windows\system32\drivers\mbam.sys

2013-03-05 20:34 . 2013-03-05 20:34 -------- d-----w- h:\windows\system32\wbem\Repository

2013-02-25 09:51 . 2013-01-31 08:19 181344 ----a-w- h:\windows\system32\drivers\ssudmdm.sys

2013-02-25 09:51 . 2013-01-31 08:19 83168 ----a-w- h:\windows\system32\drivers\ssudbus.sys

2013-02-25 09:46 . 2013-02-05 17:52 821824 ----a-w- h:\windows\system32\dgderapi.dll

2013-02-25 09:46 . 2013-02-05 17:52 20032 ----a-w- h:\windows\system32\drivers\dgderdrv.sys

2013-02-24 16:42 . 2013-02-25 16:35 -------- d-----w- h:\program files\TrustPort

2013-02-24 16:42 . 2013-02-25 16:35 -------- d-----w- h:\program files\Common Files\TrustPort

2013-02-24 16:37 . 2013-02-24 16:37 -------- d-----w- h:\documents and settings\Sarah\Local Settings\Application Data\Magentic

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-03-12 21:17 . 2012-05-09 15:12 693976 ----a-w- h:\windows\system32\FlashPlayerApp.exe

2013-03-12 21:17 . 2011-06-23 14:49 73432 ----a-w- h:\windows\system32\FlashPlayerCPLApp.cpl

2013-02-26 15:12 . 2008-05-28 22:35 21840 -c--atw- h:\windows\system32\SIntfNT.dll

2013-02-26 15:12 . 2008-05-28 22:35 17212 -c--atw- h:\windows\system32\SIntf32.dll

2013-02-26 15:12 . 2008-05-28 22:35 12067 -c--atw- h:\windows\system32\SIntf16.dll

2013-02-13 09:19 . 2013-02-13 09:19 102008 ----a-w- h:\windows\system32\drivers\RapportKELL.sys

2013-02-12 00:32 . 2008-09-03 15:35 12928 ------w- h:\windows\system32\drivers\usb8023x.sys

2013-02-12 00:32 . 2004-08-03 21:04 12928 ----a-w- h:\windows\system32\drivers\usb8023.sys

2013-02-05 20:05 . 2004-08-03 22:56 916480 ----a-w- h:\windows\system32\wininet.dll

2013-02-05 20:05 . 2004-08-03 22:56 1469440 ------w- h:\windows\system32\inetcpl.cpl

2013-02-05 20:05 . 2004-08-03 22:56 43520 ----a-w- h:\windows\system32\licmgr10.dll

2013-02-05 17:53 . 2011-10-12 13:05 4659712 ----a-w- h:\windows\system32\Redemption.dll

2013-02-05 17:52 . 2013-02-05 17:52 90112 ----a-w- h:\windows\MAMCityDownload.ocx

2013-02-05 17:52 . 2013-02-05 17:52 330240 ----a-w- h:\windows\MASetupCaller.dll

2013-02-05 17:52 . 2013-02-05 17:52 30568 ----a-w- h:\windows\MusiccityDownload.exe

2013-02-05 05:53 . 2004-08-03 20:59 385024 ------w- h:\windows\system32\html.iec

2013-01-31 14:59 . 2011-06-24 16:47 232656 ----a-w- h:\windows\system32\npPMangFX.dll

2013-01-26 03:55 . 2004-08-03 22:56 552448 ----a-w- h:\windows\system32\oleaut32.dll

2013-01-09 11:06 . 2013-01-09 11:06 202240 ----a-w- h:\windows\system32\msnmsgqw.exe

2013-01-07 01:19 . 2004-08-03 21:18 2148864 ----a-w- h:\windows\system32\ntoskrnl.exe

2013-01-07 00:37 . 2004-08-03 22:59 2027520 ----a-w- h:\windows\system32\ntkrnlpa.exe

2013-01-04 01:20 . 2004-08-03 21:17 1867264 ----a-w- h:\windows\system32\win32k.sys

2013-01-02 06:49 . 2004-08-03 22:56 148992 ----a-w- h:\windows\system32\mpg2splt.ax

2013-01-02 06:49 . 2004-08-03 22:56 1292288 ----a-w- h:\windows\system32\quartz.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NATEON"="h:\program files\nateon\bin\nateon.exe" [2012-02-22 3108216]

"WindowsLivePhone"="h:\program files\Windows Live\Device Manager\msgrdvmn.exe" [2008-12-22 787816]

"WMPNSCFG"="h:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

"Skype"="h:\program files\Skype\Phone\Skype.exe" [2013-01-08 18705664]

"KiesPreload"="h:\program files\Samsung\Kies\Kies.exe" [2013-02-13 1509232]

"swg"="h:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-11 39408]

"windin"="h:\program files\windin\WindInC.exe" [2013-03-04 821336]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 16377344]

"MaAgent"="h:\program files\MarkAny\ContentSAFER\MaAgent.exe" [2008-12-02 66896]

"LifeChat"="h:\program files\Microsoft LifeChat\LifeChat.exe" [2009-09-28 264040]

"WindowsLivePhone"="h:\program files\Windows Live\Device Manager\msgrdvmn.exe" [2008-12-22 787816]

"Adobe ARM"="h:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]

"WinxpendUP_nshe"="h:\program files\WinExpand_nshe\WinxpendUP_nshe.exe" [2013-02-13 286832]

"KiesTrayAgent"="h:\program files\Samsung\Kies\KiesTrayAgent.exe" [2013-02-13 310128]

"QuickTime Task"="h:\program files\QuickTime\qttask.exe" [2010-11-16 98304]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="h:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

h:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - h:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

NCProTray.lnk - h:\program files\SEC\Natural Color Pro\NCProTray.exe [2009-6-17 49220]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0tpnative

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\_ishieldA.sys]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\_ishieldB.sys]

@=""

.

[HKLM\~\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^NCProTray.lnk]

path=h:\documents and settings\All Users\Start Menu\Programs\Startup\NCProTray.lnk

backup=h:\windows\pss\NCProTray.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-11-16 19:51 98304 ----a-w- h:\program files\QuickTime\qttask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]

2006-10-18 19:05 204288 ------w- h:\program files\Windows Media Player\wmpnscfg.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Digital Imaging\\bin\\hpqnrs08.exe"=

"h:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"h:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"h:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"h:\\WINDOWS\\system32\\jukeon_e.exe"=

"h:\\WINDOWS\\system32\\BugsSvr.exe"=

"h:\\Program Files\\Spotify\\spotify.exe"=

"h:\\Documents and Settings\\Sarah\\Desktop\\comic books\\에이지오브엠파이어2\\EMPIRES2.EXE"=

"h:\\WINDOWS\\system32\\mnetasvr.exe"=

"h:\\WINDOWS\\system32\\mnetvsvr.exe"=

"h:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"h:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"h:\\Documents and Settings\\Sarah\\My Documents\\comic books\\에이지오브엠파이어2\\EMPIRES2.EXE"=

"h:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"h:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

"h:\\Program Files\\Skype\\Phone\\Skype.exe"=

"h:\\Documents and Settings\\Sarah\\My Documents\\comic books\\¿¡AIAo¿Aºe¿¥ÆAAI¾i2\\EMPIRES2.EXE"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"20521:TCP"= 20521:TCP:BitComet 20521 TCP

"20521:UDP"= 20521:UDP:BitComet 20521 UDP

.

R1 RapportCerberus_50414;RapportCerberus_50414;h:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_50414.sys [2013-02-22 316984]

R1 RapportEI;RapportEI;h:\program files\Trusteer\Rapport\bin\RapportEI.sys [2013-02-13 102680]

R1 RapportPG;RapportPG;h:\program files\Trusteer\Rapport\bin\RapportPG.sys [2013-02-13 173880]

R2 MBAMScheduler;MBAMScheduler;h:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-03-14 398184]

R2 RapportMgmtService;Rapport Management Service;h:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2013-02-13 1124184]

R2 Skype C2C Service;Skype C2C Service;h:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2013-01-31 3289208]

R3 JRSUKD25;JRSUKD25;h:\windows\system32\JRSUKD25.SYS [2012-05-11 22480]

R3 MBAMProtector;MBAMProtector;h:\windows\system32\drivers\mbam.sys [2013-03-14 21104]

R3 RapportIaso;RapportIaso;h:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\baseline\RapportIaso.sys [2011-09-25 55448]

S0 sptd;sptd;h:\windows\system32\Drivers\sptd.sys --> h:\windows\system32\Drivers\sptd.sys [?]

S1 _ishieldA;_ishieldA;\??\h:\windows\system32\drivers\_ishieldA.sys --> h:\windows\system32\drivers\_ishieldA.sys [?]

S1 _ishieldB;_ishieldB;\??\h:\windows\system32\drivers\_ishieldB.sys --> h:\windows\system32\drivers\_ishieldB.sys [?]

S1 77518993;77518993;\??\h:\windows\system32\drivers\77518993.sys --> h:\windows\system32\drivers\77518993.sys [?]

S1 RapportBuka;RapportBuka;\??\h:\windows\system32\drivers\RapportBuka.sys --> h:\windows\system32\drivers\RapportBuka.sys [?]

S2 encnsvc;Security Inernet Bank Service;h:\windows\system32\svchost.exe -k encnsvc [2004-08-03 14336]

S2 gupdate1c98c9d2d860322;Google Update Service (gupdate1c98c9d2d860322);h:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 133104]

S2 MBAMService;MBAMService;h:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2013-03-14 682344]

S2 SkypeUpdate;Skype Updater;h:\program files\Skype\Updater\Updater.exe [2013-01-08 161536]

S3 AhnFlt2k;AhnFlt2k;h:\windows\system32\drivers\AhnFlt2k.sys [2012-05-11 52960]

S3 AhnRec2k;AhnRec2k;h:\windows\system32\drivers\AhnRec2k.sys [2012-05-11 20320]

S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);h:\windows\system32\drivers\ssudbus.sys [2013-02-25 83168]

S3 dgderdrv;dgderdrv;h:\windows\system32\drivers\dgderdrv.sys [2013-02-25 20032]

S3 JRSKD24;JRSKD24;\??\h:\windows\system32\JRSKD24.SYS --> h:\windows\system32\JRSKD24.SYS [?]

S3 JRSUKD24;JRSUKD24;\??\h:\windows\system32\JRSUKD24.SYS --> h:\windows\system32\JRSUKD24.SYS [?]

S3 kcrtx86;kcrtx86;h:\windows\system32\kcrtx86.sys [2010-02-11 126048]

S3 mbamchameleon;mbamchameleon;h:\windows\system32\drivers\mbamchameleon.sys [2013-03-15 35144]

S3 MEMSWEEP2;MEMSWEEP2;\??\h:\windows\system32\23.tmp --> h:\windows\system32\23.tmp [?]

S3 NPFWFLT;NPFWFLT;h:\windows\system32\npfwflt.sys [2010-02-11 41600]

S3 npggsvc;nProtect GameGuard Service;h:\windows\system32\GameMon.des -service --> h:\windows\system32\GameMon.des -service [?]

S3 NPIDS;NPIDS;h:\windows\system32\npids.sys [2010-02-11 48384]

S3 scskusbf;USB SCSK Filter Driver Service;h:\windows\system32\drivers\scskusbf.sys --> h:\windows\system32\drivers\scskusbf.sys [?]

S3 scskusbs;USB SCSK Driver Service;h:\windows\system32\drivers\scskusbs.sys --> h:\windows\system32\drivers\scskusbs.sys [?]

S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);h:\windows\system32\drivers\ssudmdm.sys [2013-02-25 181344]

S3 VPDrvNt;VPDrvNt;\??\h:\program files\AhnLab\V3Lite\VPDrvNt.sys --> h:\program files\AhnLab\V3Lite\VPDrvNt.sys [?]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - RAPPORTIASO

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

encnsvc REG_MULTI_SZ encnsvc

.

Contents of the 'Scheduled Tasks' folder

.

2013-03-26 h:\windows\Tasks\Adobe Flash Player Updater.job

- h:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-09 21:17]

.

2013-03-02 h:\windows\Tasks\AppleSoftwareUpdate.job

- h:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 17:57]

.

2013-03-26 h:\windows\Tasks\Google Software Updater.job

- h:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-11 22:50]

.

2013-03-26 h:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- h:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 23:04]

.

2013-03-26 h:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- h:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 23:04]

.

2013-03-25 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-602609370-839522115-1003Core.job

- h:\documents and settings\Sarah\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-25 21:25]

.

2013-03-26 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-602609370-839522115-1003UA.job

- h:\documents and settings\Sarah\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-25 21:25]

.

2013-03-26 h:\windows\Tasks\OGALogon.job

- h:\windows\system32\OGAEXEC.exe [2009-08-03 15:07]

.

2013-03-26 h:\windows\Tasks\WinExpandUpdate_nshe.job

- h:\program files\WinExpand_nshe\WinxpendUP_nshe.exe [2013-03-12 15:56]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

uDefault_Search_URL = hxxp://www.google.com/ie

mStart Page = hxxp://sharebox.co.kr/

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - h:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

Trusted Zone: hangame.com\www

Trusted Zone: pmang.com\www

TCP: DhcpNameServer = 194.168.4.100 194.168.8.100

DPF: {106A43C6-DB9A-483F-80AD-5ACE8BA41D6F} - hxxp://pino.peeringportal.co.kr/pino/install/package/nppcubeinst100225.cab

DPF: {1219B6C3-CD4D-4243-9A4F-4C9F12FCC6E7} - hxxp://ck.softforum.co.kr/CKKeyPro/yessign/CKKeyProInst.cab

DPF: {180C8380-22BA-4A62-A0E8-79F8DCE56B19} - hxxp://sub.sharebox.co.kr/ShareBoxCtrl.cab

DPF: {20BBA18F-5BC8-47B5-8FC9-5DFCA8E56A4B} - hxxps://mpi.dacom.net/XMPI/js/LGUplus_XMPI_20110503.cab

DPF: {270EC7A6-4096-469B-865C-F9678A2C742B} - hxxp://www.payzone.co.kr/EasyPayX/EasyPayX.cab

DPF: {29A84C9B-9AC0-4A18-B0D7-60571B0E88CE} - hxxp://www.11st.co.kr/ocx/SKSCmaker.cab

DPF: {29BC57E0-018D-46D2-B233-338B779C169C} - hxxp://www.mrblue.com/webcube/control/WebShell.cab

DPF: {2DCB00FB-3485-486B-BD41-C49AD605264D} - hxxp://www.epost.go.kr/comm/easykeytec/easykeytec.cab

DPF: {2EE4AED0-B8D5-4FCB-B4EB-75D5D20B55E5} - hxxp://download.zfile.co.kr/ZFileWebControl.cab

DPF: {307BAC15-8BF2-4ECE-99DC-0793E0F8B31D} - hxxp://update.downs.co.kr/mmsv/DownsCtrl.cab

DPF: {37D91428-0E1B-4154-9771-D977CE193864} - hxxp://download.softforum.com/Published/KSCertRlayW/v1.0.1.3/KSCertRelayW.cab

DPF: {3F68E1C3-39EC-4990-85E3-ABFE61AB86C5} - hxxp://dl.bugsm.co.kr/install/BugsInstaller.cab

DPF: {45091AA2-1574-4EC8-B520-4C27E29CF889} - hxxp://www.gmarket.co.kr/challenge/neo_goods/dlls/gifFreezer.cab

DPF: {477D5B9A-6479-44F8-9718-9340119B0308} - hxxp://www.hanabank.com/resource/download/veraport/down/veraport20.cab

DPF: {48ECCD73-123C-4C25-A64C-76E8E8A30CAF} - hxxps://mpi.dacom.net/XPayMPI/XPayMPI.cab

DPF: {4D390092-2A93-4E4D-BE7F-12E7C8C245EB} - hxxp://www.muonline.co.kr/Support/BugReport/ocx/Bugreport.cab

DPF: {5C1B293E-DA77-4AFF-8B52-63DEF8C8A071} - hxxp://download.netmarble.net/ActiveX/NMAutoUpdateX/NMAutoUpdateX_1.0.1.1_20091109.cab

DPF: {62076E39-043C-4A5A-BF17-D8A2128ACD93} - hxxp://pib.wooribank.com/com/installer/interezen/WRebw.cab

DPF: {692141E8-D3D1-49E0-BB94-2C8FBB1D69DE} - hxxp://www.mrblue.com/viewer_comics/control/ComicsViewer.CAB

DPF: {7D71E87E-FF6D-45D6-813F-BDFD10A355A8} - hxxp://momodisk.com/mmsv/momodiskWebControl.CAB

DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} - hxxps://yescardacs.keb.co.kr/XecureObject/xw_install.cab

DPF: {89F434A7-4A49-4394-AC02-007480331AE2} - hxxp://download.netmarble.net/ActiveX/NMAutoUpdateX/SystemIDInfo/NMSystemIDInfo_1.0.0.1.cab

DPF: {8C165CC2-E50D-4D99-9D32-DAF6AB15AA32} - hxxp://patch.mnet.com/Ver2/App/totalApp/mnethelper/MnetHelper2_20090923.cab

DPF: {8C4F5093-2E8B-491C-A2A3-74AFCEEE5378} - hxxp://ziofile.com/setver/ZioFileControl.cab

DPF: {93C449FA-ECFB-402F-A8C7-37E4F8D60E49} - hxxp://dl.pmang.com/common/pmangctl/pmangax.cab

DPF: {967386A1-409E-431A-A93A-FB5FEFF86A58} - hxxp://fx.keb.co.kr/veraport/veraport.cab

DPF: {9963FACF-7618-417B-B6DD-AB8B65AF8CD1} - hxxps://pgdownload.dacom.net/lgdacom/LGDacomXPayUpdater.cab

DPF: {99806ADD-C5EF-4632-A3D0-3E778B051F94} - hxxp://www.csafer.net/ActiveX/MASetupWizard_vista.cab

DPF: {A1830188-679E-4A67-B121-570F37F18ACC} - hxxp://cafe.naver.com/common/activex/nbgm.cab

DPF: {A1D886C6-4039-4451-97A9-515F5BE5D4C2} - hxxp://ahnlabdownload.nefficient.co.kr/asp/cab/mkdplus.cab

DPF: {A2561EA5-D4C6-4C3D-97C7-67F2C12416AD} - hxxp://download.softforum.co.kr/Published/kscertrelay/v2.0.0.6/KSCertRelay.cab

DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} - hxxp://kings.nefficient.co.kr/kings/kdfx/kdfx237/kdfense8.cab

DPF: {A977FF0C-8757-4E76-8533-482F91946233} - hxxp://dl.sayclub.com/sayclub/sayctl/sayax.cab

DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} - hxxp://dist.cdnetworks.co.kr/cdndist/neffynew/NeffyLauncher.cab

DPF: {B0A75875-3622-48BA-B5FF-45AD77AC2D0E} - hxxps://www.bankpay.or.kr/BankPayEFT.cab

DPF: {B128EFF9-0B1C-4C65-A162-28165A3A0A18} - hxxp://ssl.makeshop.co.kr/ssl/MSecure.cab

DPF: {B1F38AB3-D8C7-49A2-B09C-8055D2128BC6} - hxxp://www.vpay.co.kr/kvpfiles/KVPLoginCTLD.cab

DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} - hxxp://mail.daum.net/hanmail-ax/DaumActiveX/2_0_0_4/DaumActiveX.cab?ver=2,0,0,4

DPF: {B9DD5FFF-776D-4E53-93D3-A4463E63AD86} - hxxp://cdn.hangame.com/hangame/messenger/hani/webmsg/HanWebMsg.cab

DPF: {BCEF5CDE-BAD4-4532-A30B-9D16D502DE69} - hxxp://install.bugs.co.kr/install/BugsInstallerEx.cab

DPF: {C021A4D6-173F-4BF4-B38C-B12CAA20E518} - hxxp://www.mgoon.com/launcher.cab

DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} - hxxp://id.hangame.com/common/activex/HanSetup1040.cab

DPF: {C56763D2-8B6E-4CF2-A33A-BD59A7F2E653} - hxxp://filemon.co.kr/mmsv/FilemonWebControl.CAB

DPF: {C8F15B27-13FA-416A-BB96-736BB3372506} - hxxp://gamepack.game.daum.net/cab/NBWEBX.cab

DPF: {D96365C6-ACCB-4546-A878-E16178C48FF0} - hxxp://www.chzero.com:8000/zeromap/ZeroMap2009.CAB

DPF: {DFBBCB52-4D9F-4D0E-BF4A-A51223FC2541} - hxxp://patch.mnet.com/Ver2/App/totalApp/mnethelper/MnetHelper2_20100303.cab

DPF: {E3FA6DAA-04BF-4AEF-9612-341B2B7A25FC} - hxxps://pay.kcp.co.kr/plugin/file/payplus.cab

DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} - hxxps://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab

DPF: {F0B421DD-19FA-494A-9044-AAA4994A3217} - hxxp://toolbar.imbc.com/toolbar/setup/MBCXeb.cab

DPF: {FC1FEB1F-DB67-49C2-9AA1-83BFD60F992A} - hxxp://i-plus.jssearch.net/ActiveX/IPlusInstall.cab

DPF: {FE342FC7-4374-4EBE-86DB-D73AE861F779} - hxxp://file.naver.com/activex/NaverAXGuide.cab

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-03-26 13:08

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASP.NET]

"ImagePath"=""

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\h:\windows\system32\23.tmp"

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]

"ImagePath"="h:\windows\system32\GameMon.des -service"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@h:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="h:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(2548)

h:\windows\system32\WININET.dll

h:\program files\MarkAny\ContentSAFER\MaCSProHook.DLL

h:\program files\GRETECH\GomAudio\MiniBand.dll

h:\windows\system32\ieframe.dll

h:\windows\system32\webcheck.dll

h:\windows\system32\WPDShServiceObj.dll

h:\windows\system32\PortableDeviceTypes.dll

h:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

h:\windows\system32\WgaTray.exe

h:\windows\system32\conime.exe

h:\program files\Google\Update\1.3.21.135\GoogleCrashHandler.exe

h:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

h:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

h:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

h:\windows\system32\HPZipm12.exe

h:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

h:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

h:\windows\RTHDCPL.EXE

h:\windows\system32\UAService7.exe

h:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

h:\program files\Windows Media Player\WMPNetwk.exe

h:\program files\windin\WindInD.exe

h:\program files\windin\WindInSe.exe

.

**************************************************************************

.

Completion time: 2013-03-26 13:12:06 - machine was rebooted

ComboFix-quarantined-files.txt 2013-03-26 13:12

ComboFix2.txt 2013-03-25 00:08

.

Pre-Run: 16,301,985,792 bytes free

Post-Run: 16,591,450,112 bytes free

.

- - End Of File - - 5D5EE61B4C90E4233CDD03C68CFB7484

Upload was successful


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu

Version: 4.7.3 (03.23.2013:1)

OS: Microsoft Windows XP x86

Ran by Sarah on 2013-03-26 at 13:23:11.76

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\urlsearchhooks\\{ef99bd32-c1fb-11d2-892f-0090271d4f88}

Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{ef99bd32-c1fb-11d2-892f-0090271d4f88}

Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\DisplayName

Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\URL

~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_local_machine\software\conduit

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\appid\wmhelper.dll

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{02478d38-c3f9-4efb-9b51-7695eca05670}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{ef99bd32-c1fb-11d2-892f-0090271d4f88}

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "H:\Documents and Settings\All Users\application data\iwin"

Successfully deleted: [Folder] "H:\Documents and Settings\All Users\application data\trymedia"

Successfully deleted: [Folder] "H:\Documents and Settings\Sarah\Application Data\iwin"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on 2013-03-26 at 13:27:33.70

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


# AdwCleaner v2.115 - Logfile created 03/26/2013 at 13:34:33

# Updated 17/03/2013 by Xplode

# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)

# User : Sarah - SARA

# Boot Mode : Normal

# Running from : H:\Documents and Settings\Sarah\Desktop\adwcleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AD22EBAF-0D18-4FC7-90CC-5EA0ABBE9EB9}

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E08A9998-D98F-476F-8F5C-37C80FE0A4DA}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0579B4B1-0293-4D73-B02D-5EBB0BA0F0A2}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{32099AAC-C132-4136-9E9A-4E364A424E17}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CFC4F59B-A2DA-4E12-B337-52A4F871E10C}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{A7DDCBDE-5C86-415C-8A37-763AE183E7E4}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{27BF8F8D-58B8-D41C-F913-B7EEB57EF6F6}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CFC4F59B-A2DA-4E12-B337-52A4F871E10C}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{978BDA89-DD75-4490-BE6A-1143A15E2B02}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B37B4BA6-334E-72C1-B57E-6AFE8F8A5AF3}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B77AD4AC-C1C2-B293-7737-71E13A11FFEA}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E773F2CF-5E6E-FF2B-81A1-AC581A26B2B2}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{1FA7FC2D-1E2B-4220-A506-55B0CEE22DFD}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{96F7FABC-5789-EFA4-B6ED-1272F4C1D27B}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}

Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966

Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{32099AAC-C132-4136-9E9A-4E364A424E17}]

***** [internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v [unable to get version]

File : H:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\mmie2g66.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v25.0.1364.172

File : H:\Documents and Settings\Sarah\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[s1].txt - [3328 octets] - [26/03/2013 13:34:33]

########## EOF - H:\AdwCleaner[s1].txt - [3388 octets] ##########


Malwarebytes Anti-Malware (PRO) 1.70.0.1100

www.malwarebytes.org

Database version: v2013.03.26.09

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Sarah :: SARA [administrator]

Protection: Enabled

2013-03-26 13:42:36

mbam-log-2013-03-26 (13-42-36).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 217991

Time elapsed: 4 minute(s), 53 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


This is all I can see; as it finishes the scan the window vanishes from the screen, so I can't create a log to post. Sorry, strange.

A variant of win32/PSW.OnLineGames.QOC trojan

A variant of win32/PSW.OnLineGames.QOC trojan

Probably a variant of Win32/Adware.OpenShopper.F application

Win32/TrojanDownloader.Adload.NJW trojan

A variant of Win32/Keygen.CY application

A variant of Win32/Adware.OpenShopper.E application

A variant of win32/PSW.OnLineGames.QOC trojan

A variant of win32/PSW.OnLineGames.QOC trojan

A variant of Win32/Adware.Kraddare.P application


Sorry for the late reply, I got the scan log via Google Chrome.

H:\Documents and Settings\Sarah\Local Settings\temp\UpdateWinExpand.exe a variant of Win32/Adware.Kraddare.HA application cleaned by deleting - quarantined

H:\Documents and Settings\Sarah\Local Settings\temp\winexpandup.exe a variant of Win32/Adware.Kraddare.HA application cleaned by deleting - quarantined

H:\System Volume Information\_restore{21C57CA4-D401-461C-89A8-4CC89E908197}\RP1327\A0406746.exe Win32/TrojanDownloader.Adload.NJW trojan cleaned by deleting - quarantined

H:\System Volume Information\_restore{21C57CA4-D401-461C-89A8-4CC89E908197}\RP1327\A0406747.exe a variant of Win32/Adware.OpenShopper.E application cleaned by deleting - quarantined

H:\System Volume Information\_restore{21C57CA4-D401-461C-89A8-4CC89E908197}\RP1327\A0406748.exe probably a variant of Win32/Adware.OpenShopper.F application cleaned by deleting - quarantined


  • Staff

Please run the following:

Download Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NEXT

Please advise how the computer is running now and if there are any outstanding issues


Here is the checkup.txt

Results of screen317's Security Check version 0.99.61

Windows XP Service Pack 3 x86

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

WMI entry may not exist for antivirus; attempting automatic update.

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.70.0.1100

Adobe Flash Player 11.6.602.180

Adobe Reader XI

Google Chrome 26.0.1410.43

````````Process Check: objlist.exe by Laurent````````

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

Malwarebytes' Anti-Malware mbamscheduler.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive H::

````````````````````End of Log``````````````````````


  • Staff

It would appear as though MBAR did not install properly.

Please delete the copy that you have, then reboot your computer.

What symptoms do you have remaining to indicate the existence of a rootkit?

(MBAR is a tool specifically designed to remove rootkits; it is not a general diagnostic scanner.)

(We will be removing old restore points when we uninstall the tools at the end.)


  • Staff

OK, remove the program, then follow the housekeeping instructions.

You can delete the DDS, JRT and aswMBR logs and programs from your desktop.

NEXT

Follow these steps to uninstall Combofix:

  • Make sure your security programs are totally disabled.
  • Press the WinKey + R to open a Run box.
  • Now copy/paste Combofix /uninstall into the Run box and click OK. Note the space between the ..X and the /U; it needs to be there.

Combofix_uninstall_image.jpg

NEXT

  • Double click on adwcleaner.exe to run the tool.
  • Click on Uninstall.
  • Confirm with yes.

If there are any logs/tools remaining on your desktop > right click and delete them.

NEXT

Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change the passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article:
    Strong passwords: How to create and use them
    Then consider a password keeper to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.
  • Keep Windows updated by regularly checking their website at:
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.
  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
    • Next click OK, then the Apply button, and then OK to exit the Internet Properties page.

  • Download TFC to your desktop

    • Close any open windows.
    • Double click the TFC icon to run the program.
    • TFC will close all open programs itself in order to run.
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job.
    • Once it's finished it should automatically reboot your machine;
    • if it doesn't, manually reboot to ensure a complete clean.

    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

    • Green to go
    • Yellow for caution
    • Red to stop

    WOT has an add-on available for both Firefox and IE.

  • Keep a backup of your important files. Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

    PC Safety and Security--What Do I Need?

  • Simple and easy ways to keep your computer safe and secure on the Internet

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.
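The Internet Explorer hardening step above is done by hand through Inetcpl.cpl, which makes it easy to miss one of the three ActiveX options. The following PowerShell script is an added example, not part of the thread or of any tool mentioned in it: it reads the Internet zone (zone 3) settings from the current user's registry and reports whether they match the recommended values (Prompt, Prompt, Disable). The registry value names (1001, 1004, 1201) and the data values (0 = Enable, 1 = Prompt, 3 = Disable) are the ones Microsoft documents for IE security zones in KB 182569; the script only reads, it changes nothing.

```powershell
# Added example: read-only audit of the IE Internet-zone ActiveX settings
# recommended in the thread. Not code from the forum post or any tool it names.
# Registry mapping (Microsoft KB 182569): zone 3 = Internet,
#   1001 = Download signed ActiveX controls
#   1004 = Download unsigned ActiveX controls
#   1201 = Initialize and script ActiveX controls not marked as safe for scripting
# Data values: 0 = Enable, 1 = Prompt, 3 = Disable.

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Wanted values, taken from the thread's instructions: both download options to Prompt,
# scripting of controls not marked safe to Disable.
$expected = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 1 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
}

$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Returns the numeric setting, or $null when the value is absent (the zone then
# falls back to its built-in default, which this script does not try to guess).
function Get-ZoneSetting {
    param([string]$Path, [string]$ValueName)
    $item = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

$results = foreach ($key in ($expected.Keys | Sort-Object)) {
    $actual = Get-ZoneSetting -Path $zonePath -ValueName $key
    $currentLabel = if ($null -eq $actual) {
        'not set (zone default)'
    } elseif ($labels.ContainsKey($actual)) {
        $labels[$actual]
    } else {
        "unknown ($actual)"
    }
    [pscustomobject]@{
        Value   = $key
        Setting = $expected[$key].Name
        Current = $currentLabel
        Wanted  = $labels[$expected[$key].Want]
        OK      = ($actual -eq $expected[$key].Want)
    }
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.OK }) {
    Write-Warning 'One or more Internet-zone ActiveX settings differ from the recommended values; review them in Inetcpl.cpl > Security > Custom level.'
}
```

Run it in a PowerShell window as the user whose IE settings were changed, since the zone settings live under HKCU and are per user. If the machine is domain-joined, a Group Policy setting can override the per-user values, so a mismatch reported here should be checked against policy before editing anything by hand.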
