Keep getting this RUNDLL error pop-up after boot


kmac

Hello,

2 days ago, I started to get pop-up ads out of nowhere. Since then I downloaded Spybot S&D and managed to get rid of some of them.

When I boot up Windows XP, I get this RUNDLL nuwuzeku.dll error. I can't seem to get rid of this from Registry Editor either.

Any help would be much appreciated!

Here are my scans.

1. MBAM scan

Malwarebytes' Anti-Malware 1.30

Database version: 1412

Windows 5.1.2600 Service Pack 3

2008-11-19 9:44:52 PM

mbam-log-2008-11-19 (21-44-52).txt

Scan type: Quick Scan

Objects scanned: 52171

Time elapsed: 2 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tatijepoge (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

2. Panda Active Scan

;*******************************************************************************************************************************

ANALYSIS: 2008-11-19 22:33:50

PROTECTIONS: 1

MALWARE: 9

SUSPECTS: 0

;*******************************************************************************************************************************

PROTECTIONS

Description Version Active Updated

;===============================================================================================================================

v1.13 No Yes

;===============================================================================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================================================================

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@atdmt[2].txt

00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@adtech[1].txt

00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@overture[1].txt

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@questionmarket[2].txt

00447513 Adware/AdRotator Adware No 0 Yes No C:\WINDOWS\system32\crigmdzoscjqogn.exe

00456418 Trj/Clicker.AMU Virus/Trojan No 1 Yes No C:\WINDOWS\system32\g52.exe

01606636 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@adserver.easyad[1].txt

02980790 Trj/Lineage.BZE Virus/Trojan No 1 Yes No C:\Program Files\mIRC\download\ACDSEE_8.0_builid_39_With_Crack\ACDSEE 8.0 builid 39\Crack\ACDSee8.exe

02980790 Trj/Lineage.BZE Virus/Trojan No 1 Yes No C:\Program Files\ACD Systems\ACDSee\8.0\ACDSee8.exe

02980790 Trj/Lineage.BZE Virus/Trojan No 1 No No C:\Program Files\mIRC\download\ACDSEE_8.0_builid_39_With_Crack.rar[ACDSEE 8.0 builid 39\Crack\ACDSee8.exe]

03548697 Trj/Clicker.ALY Virus/Trojan No 1 No No C:\WINDOWS\system32\g52.exe[■%%\


Have you downloaded some cracked software? Your Panda log seems to indicate that you have. Uninstall those, update MBAM and run it again, download the latest version of HijackThis here, then post back the latest MBAM log and a fresh HijackThis log. Thanks!


First of all, thank you for helping me out.

Here are the newest logs you requested.

1.mbam

Malwarebytes' Anti-Malware 1.30

Database version: 1414

Windows 5.1.2600 Service Pack 3

2008-11-20 7:15:54 PM

mbam-log-2008-11-20 (19-15-54).txt

Scan type: Quick Scan

Objects scanned: 52590

Time elapsed: 3 minute(s), 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tatijepoge (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

2. HijackThis

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:18:20 PM, on 2008-11-20

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Creative\Shared Files\CTAudSvc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\Executive Software\Diskeeper\DkService.exe

C:\Nexon\Mabinogi\npkcmsvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\CyberLink\Shared files\RichVideo.exe

C:\Program Files\TVersity\Media Server\MediaServer.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\D-Tools\daemon.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Windows Media Player\nvmontz.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\WINDOWS\system32\CTXFIHLP.EXE

C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

C:\Program Files\D-Link\AirPlus XtremeG DWL-G520\AirPlusCFG.exe

C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\QuickTime\QTTask.exe

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\SEC\Natural Color Pro\NCProTray.exe

C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {0ff1c00e-0f18-425c-8d7c-a19c8daa0857} - C:\WINDOWS\system32\wepekigi.dll

O2 - BHO: realconnect - {51351DDA-02A4-4919-AB1F-8C4307A889FA} - C:\Program Files\rconnect\realconnect.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll

O3 - Toolbar: Shortcut (&D) - {08C906B4-AE61-40C1-A1E8-4A6D4BBEAD23} - C:\Program Files\directgo\directgo.dll

O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe

O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidSetup.exe boot

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Maxp2p] "C:\Program Files\maxp2p\update_check.exe" /start

O4 - HKLM\..\Run: [nvmondm] C:\Program Files\Windows Media Player\nvmontz.exe

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"

O4 - HKLM\..\Run: [D-Link AirPlus XtremeG DWL-G520] C:\Program Files\D-Link\AirPlus XtremeG DWL-G520\AirPlusCFG.exe

O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [webfavoritesite] "C:\Program Files\webfavoritesite\webfavoritesite.exe" /start

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [realconnect] "C:\Program Files\rconnect\realconnect.exe" /check

O4 - HKLM\..\Run: [matchinfo] "C:\Program Files\matchinfo\matchinfo.exe"

O4 - HKLM\..\Run: [pgo.exe] C:\Program Files\pointgo\pgo.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [tatijepoge] Rundll32.exe "C:\WINDOWS\system32\nuwuzeku.dll",s

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: NCProTray.lnk = %ProgramFiles%\SEC\Natural Color Pro\NCProTray.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present

O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra button: 바른연결 - {2F773DA0-DBB5-4EB2-9C4E-7A432DBC0328} - C:\Program Files\rconnect\realconnectopt.exe

O9 - Extra 'Tools' menuitem: 바른연결 - {2F773DA0-DBB5-4EB2-9C4E-7A432DBC0328} - C:\Program Files\rconnect\realconnectopt.exe

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {92D0D610-A6FA-48D8-94CB-BD47FDF68655} (Launcher Class) - http://dl.ipop.co.kr/ipop/ipopx.cab

O16 - DPF: {BD6BB450-7C69-43B8-96F3-689CAE57AB51} (SBSWebPlayer Class) - http://netv.sbs.co.kr/object/player/SBSWebPlayer.cab

O16 - DPF: {CE109CEF-E299-4DAF-9FCB-9C030A32C546} - http://up.uccc.co.kr/ucccplay/cab2/launchucccplay.cab

O16 - DPF: {D56B9D70-E57F-4779-AD84-4247CB8012CB} (1004Disk File Share Control 5) - http://www.1004disk.com/mmsv/1004DiskControl.CAB

O16 - DPF: {F1F07506-6CB4-44AC-8615-66D1234EFD05} - http://www.hmall.com/initech/plugin/INISafeWeb50.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15030/CTPID.cab

O20 - AppInit_DLLs: C:\WINDOWS\system32\wenihubi.dll ktfsmz.dll

O23 - Service: ALYac_PZSrv - Unknown owner - C:\Program.exe (file missing)

O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe

O23 - Service: Apple Mobile Device (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

O23 - Service: Service Updater (servejkce) - Unknown owner - C:\WINDOWS\servejkce.exe (file missing)

O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 10857 bytes


Please uninstall the following:

Viewpoint Manager Service

Viewpoint Toolbar If present

Viewpoint Media Player if present

java jre1.6.0_06

Adobe Reader 8.0 (download the latest version here).

Please select and install One of these free antivirus applications:

AVG Free for Windows

AntiVir Personal Edition Classic

Avast! 4 Home Edition

After successful installation, please reboot the computer.

Please select and install one of these free Firewall applications:

ZoneAlarm Free Version

Outpost Free

Kerio

Comodo

When the installation completes successfully, reboot the computer.

When the system comes back up, open your newly installed antivirus application and run a manual update. When the update completes, run the update again. Continue in that manner until the updater finds no more updates.

Next, please click start-->run

type:

msconfig

...then click "OK". When the System Configuration Utility opens, click the "Startup" tab. Please check the box next to every program that is listed there. Reboot the system and, when the system comes back up, please check the box "Do not show this again" on the dialog that pops up on your screen.

Wait a few minutes until the system is stable and then reboot the computer into Safe mode. Once in safe mode and logged on as Administrator, please use your antivirus scanner to run a complete system scan.

When the scan completes, allow the software to quarantine whatever it complains about. Reboot the computer when finished and post back a fresh HijackThis log. Thanks!


Here is the updated log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:08:02 PM, on 2008-11-21

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Creative\Shared Files\CTAudSvc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\Executive Software\Diskeeper\DkService.exe

C:\Nexon\Mabinogi\npkcmsvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\CyberLink\Shared files\RichVideo.exe

C:\Program Files\TVersity\Media Server\MediaServer.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\D-Tools\daemon.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Windows Media Player\nvmontz.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\WINDOWS\system32\CTXFIHLP.EXE

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\Program Files\D-Link\AirPlus XtremeG DWL-G520\AirPlusCFG.exe

C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\COMODO\COMODO Internet Security\cfp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\SEC\Natural Color Pro\NCProTray.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {0ff1c00e-0f18-425c-8d7c-a19c8daa0857} - C:\WINDOWS\system32\wepekigi.dll (file missing)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: realconnect - {51351DDA-02A4-4919-AB1F-8C4307A889FA} - C:\Program Files\rconnect\realconnect.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll

O3 - Toolbar: Shortcut (&D) - {08C906B4-AE61-40C1-A1E8-4A6D4BBEAD23} - C:\Program Files\directgo\directgo.dll

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe

O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidSetup.exe boot

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [Maxp2p] "C:\Program Files\maxp2p\update_check.exe" /start

O4 - HKLM\..\Run: [nvmondm] C:\Program Files\Windows Media Player\nvmontz.exe

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [D-Link AirPlus XtremeG DWL-G520] C:\Program Files\D-Link\AirPlus XtremeG DWL-G520\AirPlusCFG.exe

O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [webfavoritesite] "C:\Program Files\webfavoritesite\webfavoritesite.exe" /start

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [realconnect] "C:\Program Files\rconnect\realconnect.exe" /check

O4 - HKLM\..\Run: [matchinfo] "C:\Program Files\matchinfo\matchinfo.exe"

O4 - HKLM\..\Run: [tatijepoge] Rundll32.exe "C:\WINDOWS\system32\nuwuzeku.dll",s

O4 - HKLM\..\Run: [CPM9f391eb0] Rundll32.exe "c:\windows\system32\fohajifu.dll",a

(I still get these two RUNDLL error pop-ups after boot.)

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: NCProTray.lnk = %ProgramFiles%\SEC\Natural Color Pro\NCProTray.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present

O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm

O9 - Extra button: 바른연결 - {2F773DA0-DBB5-4EB2-9C4E-7A432DBC0328} - C:\Program Files\rconnect\realconnectopt.exe

O9 - Extra 'Tools' menuitem: 바른연결 - {2F773DA0-DBB5-4EB2-9C4E-7A432DBC0328} - C:\Program Files\rconnect\realconnectopt.exe

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {92D0D610-A6FA-48D8-94CB-BD47FDF68655} (Launcher Class) - http://dl.ipop.co.kr/ipop/ipopx.cab

O16 - DPF: {BD6BB450-7C69-43B8-96F3-689CAE57AB51} (SBSWebPlayer Class) - http://netv.sbs.co.kr/object/player/SBSWebPlayer.cab

O16 - DPF: {CE109CEF-E299-4DAF-9FCB-9C030A32C546} - http://up.uccc.co.kr/ucccplay/cab2/launchucccplay.cab

O16 - DPF: {D56B9D70-E57F-4779-AD84-4247CB8012CB} (1004Disk File Share Control 5) - http://www.1004disk.com/mmsv/1004DiskControl.CAB

O16 - DPF: {F1F07506-6CB4-44AC-8615-66D1234EFD05} - http://www.hmall.com/initech/plugin/INISafeWeb50.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15030/CTPID.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: C:\WINDOWS\system32\wenihubi.dll,ktfsmz.dll,c:\windows\system32\fohajifu.dll,avgrsstx.dll C:\WINDOWS\system32\guard32.dll

O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fohajifu.dll (file missing)

O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fohajifu.dll (file missing)

O23 - Service: ALYac_PZSrv - Unknown owner - C:\Program.exe (file missing)

O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe

O23 - Service: Apple Mobile Device (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

O23 - Service: Service Updater (servejkce) - Unknown owner - C:\WINDOWS\servejkce.exe (file missing)

O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--

End of file - 11732 bytes

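The two RUNDLL boxes in the post above come from Run values that still hand a DLL to Rundll32 after the DLL itself has been removed: Rundll32 fails to load the module and reports it at every logon. The same file, fohajifu.dll, is wired into four load points at once (an O4 Run value, O20 AppInit_DLLs, O21 SSODL and O22 SharedTaskScheduler), which is the pattern worth pulling out of a log before deciding what to fix. The script below is an added example for this thread, not code from the original post or from the HijackThis or Malwarebytes projects. It parses those four HijackThis sections, cross-references every DLL by file name, and repeats the file-exists check that HijackThis does not perform on Rundll32 arguments. The sample log is constructed from the lines above; the `SYSTEM32` path used for bare DLL names and the `exists` hook (so the check can be run offline against someone else's log) are assumptions of the example.

```python
"""Triage the DLL autostart entries in a HijackThis log.

Added example for this thread, not code from the original post or from the
HijackThis/Malwarebytes projects. It reads the O4 (Run keys), O20
(AppInit_DLLs), O21 (ShellServiceObjectDelayLoad) and O22
(SharedTaskScheduler) lines, records which DLL each one loads, whether the
log already marks that file as missing, and how many distinct load points
name the same DLL. A Run value that still hands a deleted DLL to Rundll32 is
what produces the "RUNDLL: Error loading ..." box at every logon.
"""
import os
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the relevant lines of the second HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [tatijepoge] Rundll32.exe "C:\WINDOWS\system32\nuwuzeku.dll",s
O4 - HKLM\..\Run: [CPM9f391eb0] Rundll32.exe "c:\windows\system32\fohajifu.dll",a
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\wenihubi.dll,ktfsmz.dll,c:\windows\system32\fohajifu.dll,avgrsstx.dll C:\WINDOWS\system32\guard32.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fohajifu.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fohajifu.dll (file missing)
"""

SYSTEM32 = r"C:\WINDOWS\system32"   # assumed directory for bare DLL names (XP default)

# Rundll32 <dll>,<entry> with or without quotes around the DLL path.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)"?', re.IGNORECASE)
# Any DLL token; AppInit_DLLs may be comma- or space-separated on XP.
DLL_RE = re.compile(r'[^\s,;"]+\.dll', re.IGNORECASE)
HJT_RE = re.compile(r'^(O\d+) - (.*)$')


@dataclass(frozen=True)
class LoadPoint:
    section: str        # O4 / O20 / O21 / O22
    dll: str            # lower-cased file name only, used as the join key
    path: str           # path exactly as written in the log
    file_missing: bool  # HijackThis printed "(file missing)" on this line


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_hjt(text):
    """Return every DLL load point found in the O4/O20/O21/O22 lines."""
    points = []
    for raw in text.splitlines():
        m = HJT_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        missing = "(file missing)" in body.lower()
        if section == "O4":
            rm = RUNDLL_RE.search(body)   # only Rundll32-style Run values load a DLL
            if rm:
                points.append(LoadPoint(section, _basename(rm.group(1)), rm.group(1), missing))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            for p in DLL_RE.findall(body[len("AppInit_DLLs:"):]):
                points.append(LoadPoint(section, _basename(p), p, missing))
        elif section in ("O21", "O22"):
            for p in DLL_RE.findall(body):
                points.append(LoadPoint(section, _basename(p), p, missing))
    return points


def cross_reference(points):
    """Map each DLL name to the set of sections that load it.

    One file wired into Run, AppInit_DLLs, SSODL and STS at once is a much
    stronger signal than any single entry: legitimate products also use
    AppInit_DLLs (COMODO's guard32.dll above), so one hook alone proves nothing."""
    refs = defaultdict(set)
    for p in points:
        refs[p.dll].add(p.section)
    return dict(refs)


def confirm_missing(points, exists=os.path.exists):
    """DLL names whose file is absent on disk.

    HijackThis prints "(file missing)" only for some sections and never checks
    the argument of a Rundll32 Run value, so the check is repeated here; pass
    a fake `exists` to evaluate a log taken from another machine."""
    gone = set()
    for p in points:
        full = p.path if "\\" in p.path else SYSTEM32 + "\\" + p.path
        if p.file_missing or not exists(full):
            gone.add(p.dll)
    return gone


def rundll_popup_sources(points, exists=os.path.exists):
    """Run values that raise the RUNDLL error box: Rundll32 pointed at a missing DLL."""
    gone = confirm_missing(points, exists)
    return sorted(p.dll for p in points if p.section == "O4" and p.dll in gone)


if __name__ == "__main__":
    pts = parse_hjt(SAMPLE_LOG)
    for dll, secs in sorted(cross_reference(pts).items()):
        print(f"{dll:16} {','.join(sorted(secs))}")
    # Off the infected machine every path is absent, so treat them all as gone.
    print("RUNDLL pop-up sources:", rundll_popup_sources(pts, exists=lambda _: False))
```

Run on the real machine, `exists` defaults to `os.path.exists`, so the report distinguishes a Run value whose DLL is genuinely gone (the pop-up, safe to delete the value) from one whose DLL is still present (a live load point that needs the file removed as well). Note that the `tatijepoge` value was deleted by MBAM twice and is back in the next log, so something still running was able to re-create it; the cross-reference output is where to look for that.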

Please download ComboFix from this web page, and read through the instructions there for running the tool.

***Important Note***

Please read through the guidance on that web page carefully and thoroughly, and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please post back the following on your next reply:

C:\ComboFix.txt

New HijackThis log.


ComboFix 08-11-22.01 - user 2008-11-23 15:37:49.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.949.1.1033.18.1525 [GMT -8:00]

Running from: c:\documents and settings\user\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\user\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

c:\documents and settings\user\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML

c:\documents and settings\user\Local Settings\Temporary Internet Files\fbk.sts

.

((((((((((((((((((((((((( Files Created from 2008-10-23 to 2008-11-23 )))))))))))))))))))))))))))))))

.

2008-11-22 23:04 . 2008-11-22 23:04 98,304 --a------ c:\windows\system32\CmdLineExt.dll

2008-11-22 22:51 . 2008-11-22 22:53 <DIR> d-------- c:\program files\GTASAConsole

2008-11-22 22:51 . 2004-03-09 01:00 224,016 --a------ c:\windows\system32\TabCtl32.ocx

2008-11-22 21:50 . 2008-11-22 21:50 <DIR> d-------- c:\windows\system32\URTTEMP

2008-11-22 21:47 . 2008-11-22 21:47 <DIR> d-------- c:\windows\San Andreas Mod Installer

2008-11-22 21:47 . 2008-11-22 21:48 <DIR> d-------- c:\program files\San Andreas Mod Installer

2008-11-22 17:27 . 2008-11-22 17:27 <DIR> d-------- c:\program files\Common Files\Mediafour

2008-11-22 17:27 . 2008-11-22 17:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Mediafour

2008-11-22 17:25 . 2008-11-22 17:25 <DIR> d-------- c:\program files\Mediafour

2008-11-22 00:45 . 2008-11-22 00:45 8,704 --ahs---- c:\windows\Thumbs.db

2008-11-21 19:32 . 2008-11-21 19:32 <DIR> d-------- c:\program files\COMODO

2008-11-21 19:32 . 2008-11-21 19:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\comodo

2008-11-21 19:32 . 2008-11-21 19:32 143,096 --a------ c:\windows\system32\guard32.dll

2008-11-21 19:32 . 2008-11-21 19:32 99,216 --a------ c:\windows\system32\drivers\cmdguard.sys

2008-11-21 19:32 . 2008-11-21 19:32 31,504 --a------ c:\windows\system32\drivers\cmdhlp.sys

2008-11-21 19:21 . 2008-11-23 10:31 <DIR> d--h----- C:\$AVG8.VAULT$

2008-11-21 19:15 . 2008-11-23 15:18 <DIR> d-------- c:\windows\system32\drivers\Avg

2008-11-21 19:15 . 2008-11-21 19:15 <DIR> d-------- c:\program files\AVG

2008-11-21 19:15 . 2008-11-21 19:15 <DIR> d-------- c:\documents and settings\user\Application Data\AVGTOOLBAR

2008-11-21 19:15 . 2008-11-21 19:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8

2008-11-21 19:15 . 2008-11-21 19:15 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys

2008-11-21 19:15 . 2008-11-21 19:15 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys

2008-11-21 19:15 . 2008-11-21 19:15 10,520 --a------ c:\windows\system32\avgrsstx.dll

2008-11-21 19:08 . 2008-11-21 19:08 <DIR> d-------- c:\program files\Common Files\Adobe AIR

2008-11-21 19:08 . 2008-11-21 19:08 <DIR> d-------- c:\program files\Common Files\Adobe

2008-11-21 19:05 . 2008-11-21 19:20 <DIR> d-------- c:\program files\NOS

2008-11-21 19:05 . 2008-11-21 19:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS

2008-11-21 18:56 . 2008-11-21 18:56 120 ---hs---- c:\windows\system32\apekumal.ini

2008-11-20 19:17 . 2008-11-20 19:17 <DIR> d-------- c:\program files\Trend Micro

2008-11-19 21:47 . 2008-11-19 21:47 <DIR> d-------- c:\program files\Panda Security

2008-11-19 21:47 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys

2008-11-18 20:59 . 2008-11-18 20:59 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-11-18 20:59 . 2008-11-18 20:59 <DIR> d-------- c:\documents and settings\user\Application Data\Malwarebytes

2008-11-18 20:59 . 2008-11-18 20:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-11-18 20:59 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-11-18 20:59 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-11-17 23:51 . 2008-11-18 18:30 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2008-11-17 23:51 . 2008-11-18 19:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-11-17 21:18 . 2008-11-17 22:23 <DIR> d-------- c:\windows\system32\TX

2008-11-17 21:18 . 2008-11-17 21:18 <DIR> d-------- c:\windows\system32\hex

2008-11-17 21:18 . 2008-11-19 19:45 <DIR> d-------- c:\windows\system32\fas

2008-11-17 21:18 . 2008-11-19 19:45 <DIR> d-------- c:\windows\system32\cs2

2008-11-17 21:18 . 2008-11-17 22:23 <DIR> d--hs---- c:\windows\dXNlcg

2008-11-17 21:18 . 2008-11-18 00:14 <DIR> d-------- C:\Temp

2008-11-17 21:18 . 2008-11-17 21:18 153,484 --a------ c:\windows\system32\g52.exe

2008-11-17 21:18 . 2008-11-17 21:18 79,094 --a------ c:\windows\system32\crigmdzoscjqogn.exe

2008-11-17 09:53 . 2008-11-17 09:53 1,572,864 -ra------ c:\windows\system32\clubbox.exe

2008-11-13 04:45 . 2008-11-13 04:45 15,104 -ra------ c:\windows\system32\nowmemdf.sys

2008-11-13 04:36 . 2008-11-13 04:36 155,648 -ra------ c:\windows\system32\downengine.dll

2008-11-12 23:00 . 2008-11-12 23:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Age of Empires 3

2008-11-12 20:09 . 2008-11-12 20:09 <DIR> d-------- c:\documents and settings\user\Application Data\Logitech

2008-11-12 20:08 . 2008-11-12 20:08 <DIR> d-------- c:\program files\Common Files\LogiShared

2008-11-12 20:07 . 2008-11-12 20:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Logitech

2008-11-12 20:07 . 2007-04-11 15:33 1,419,024 --a------ c:\windows\system32\WdfCoInstaller01005.dll

2008-11-12 20:07 . 2007-04-23 04:00 163,840 --a------ c:\windows\system32\kemutb.dll

2008-11-12 20:07 . 2007-04-23 04:00 135,168 --a------ c:\windows\system32\KemUtil.dll

2008-11-12 20:07 . 2007-04-23 04:00 110,592 --a------ c:\windows\system32\KemWnd.dll

2008-11-12 20:07 . 2007-04-23 04:00 69,632 --a------ c:\windows\system32\KemXML.dll

2008-11-12 20:07 . 2007-04-11 15:32 56,080 --a------ c:\windows\KHALMNPR.Exe

2008-11-12 20:07 . 2007-04-11 15:32 36,112 --a------ c:\windows\system32\drivers\LMouFilt.Sys

2008-11-12 20:07 . 2007-04-11 15:32 34,832 --a------ c:\windows\system32\drivers\LHidFilt.Sys

2008-11-12 20:07 . 2008-11-12 20:07 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2008-11-12 20:07 . 2008-11-12 20:07 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf

2008-11-12 20:05 . 2008-11-12 20:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\LogiShrd

2008-11-11 15:29 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

2008-11-11 15:29 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

2008-11-11 00:24 . 2008-11-11 00:24 <DIR> d-------- c:\program files\QuickTime

2008-11-11 00:24 . 2008-11-11 00:24 <DIR> d-------- c:\program files\Bonjour

2008-11-11 00:24 . 2008-11-11 00:24 <DIR> d-------- c:\program files\Apple Software Update

2008-11-11 00:23 . 2008-11-11 00:24 <DIR> d-------- c:\program files\Common Files\Apple

2008-11-11 00:23 . 2008-11-11 00:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple

2008-11-01 14:59 . 2008-11-01 14:59 <DIR> d-------- c:\documents and settings\user\Shaders

2008-11-01 12:35 . 2008-11-22 23:06 <DIR> d-------- c:\program files\Rockstar Games

2008-10-26 09:50 . 2008-10-26 09:50 <DIR> d-------- c:\documents and settings\user\Application Data\2K Sports

2008-10-26 08:36 . 2008-10-26 09:53 <DIR> d-------- c:\program files\NBA 2K9

2008-10-24 17:37 . 2008-10-15 08:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-11-23 18:30 --------- d-----w c:\program files\pointgo

2008-11-23 06:59 --------- d--h--w c:\program files\InstallShield Installation Information

2008-11-23 01:23 --------- d-----w c:\documents and settings\user\Application Data\uTorrent

2008-11-22 05:51 --------- d-----w c:\program files\Winamp

2008-11-22 04:19 --------- d-----w c:\program files\matchinfo

2008-11-22 03:03 --------- d-----w c:\program files\Java

2008-11-22 03:01 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint

2008-11-21 02:43 --------- d-----w c:\program files\Common Files\ACD Systems

2008-11-18 04:58 --------- d-----w c:\program files\Mafia

2008-11-15 17:46 --------- d-----w c:\program files\FlashGet

2008-11-15 07:28 --------- d-----w c:\program files\mIRC

2008-11-13 04:07 --------- d-----w c:\program files\Common Files\Logitech

2008-11-13 04:06 --------- d-----w c:\program files\Logitech

2008-11-12 05:20 --------- d-----w c:\program files\Microsoft Games

2008-11-11 06:56 --------- d-----w c:\documents and settings\user\Application Data\OpenOffice.org2

2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys

2008-10-19 02:38 --------- d-----w c:\program files\MSN Messenger

2008-10-10 05:35 --------- d-----w c:\documents and settings\user\Application Data\temp

2008-09-27 20:00 --------- d-----w c:\program files\Atari

2008-09-26 03:37 --------- d-----w c:\program files\OpenOffice.org 2.4

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0ff1c00e-0f18-425c-8d7c-a19c8daa0857}]

c:\windows\system32\wepekigi.dll [BU]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51351DDA-02A4-4919-AB1F-8C4307A889FA}]

2007-04-16 11:34 132624 --a------ c:\program files\rconnect\realconnect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 153136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]

"JMB36X Configure"="c:\windows\system32\JMRaidSetup.exe" [2006-10-30 1953792]

"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2006-02-28 44032]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-02-28 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-06-01 257088]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832]

"Maxp2p"="c:\program files\maxp2p\update_check.exe" [2007-11-10 43536]

"nvmondm"="c:\program files\Windows Media Player\nvmontz.exe" [2008-02-26 73728]

"D-Link AirPlus XtremeG DWL-G520"="c:\program files\D-Link\AirPlus XtremeG DWL-G520\AirPlusCFG.exe" [2007-06-21 1327104]

"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 86016]

"webfavoritesite"="c:\program files\webfavoritesite\webfavoritesite.exe" [BU]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]

"realconnect"="c:\program files\rconnect\realconnect.exe" [BU]

"matchinfo"="c:\program files\matchinfo\matchinfo.exe" [BU]

"tatijepoge"="c:\windows\system32\nuwuzeku.dll" [BU]

"CPM9f391eb0"="c:\windows\system32\fohajifu.dll" [BU]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-21 1234712]

"{B179023B-6238-4499-8F26-CD73E9D90E0A}"="c:\program files\Mediafour\MacDrive 7\MacDrive.exe" [2007-07-12 179288]

"MDGetStarted.exe"="c:\program files\Mediafour\MacDrive 7\MDGetStarted.exe" [2007-06-13 139264]

"pgo.exe"="c:\program files\pointgo\pgo.exe" [2008-11-23 229888]

"ClubBox"="" [BU]

"CTHelper"="CTHELPER.EXE" [2008-02-20 c:\windows\system32\CtHelper.exe]

"CTxfiHlp"="CTXFIHLP.EXE" [2008-02-20 c:\windows\system32\Ctxfihlp.exe]

"nwiz"="nwiz.exe" [2008-05-02 c:\windows\system32\nwiz.exe]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 c:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-11-12 692224]

NCProTray.lnk - c:\program files\SEC\Natural Color Pro\NCProTray.exe [2008-07-22 49220]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=

"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=

"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=

"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=

"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=

"c:\\Program Files\\FlashGet\\flashget.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\uTorrent\\utorrent.exe"=

"c:\\Program Files\\iPod\\bin\\iPodService.exe"=

"c:\\Program Files\\CyberLink\\Shared files\\RichVideo.exe"=

"c:\\Program Files\\Common Files\\Ahead\\Lib\\NMIndexingService.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\WINDOWS\\system32\\fscagent.exe"=

"c:\\WINDOWS\\system32\\clubbox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"25051:TCP"= 25051:TCP:*:Disabled:a

R0 MDFSYSNT;MacDrive file system driver;c:\windows\system32\drivers\MDFSYSNT.sys [2007-09-05 277888]

R0 MDPMGRNT;MDPMGRNT;c:\windows\system32\drivers\MDPMGRNT.sys [2007-02-28 19072]

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-11-19 28544]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-21 97928]

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2008-11-21 99216]

R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2008-11-21 31504]

R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};\??\c:\program files\CyberLink\PowerDVD\000.fcl [2006-11-02 15:51:58 13560]

R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-21 875288]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-21 231704]

R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-21 76040]

R2 CTAudSvcService;Creative Audio Service;c:\program files\Creative\Shared Files\CTAudSvc.exe [2008-06-02 417792]

R2 MacDriveService;MacDriveService;"c:\program files\Mediafour\MacDrive 7\MacDriveService.exe" [2007-05-01 143360]

R2 npkcmsvc;npkcmsvc;c:\nexon\Mabinogi\npkcmsvc.exe [2008-03-06 80528]

R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\DRIVERS\A3AB.sys [2005-03-22 472832]

R3 ha20x2k;Creative 20X HAL Driver;c:\windows\system32\drivers\ha20x2k.sys [2008-02-25 1172504]

S2 ALYac_PZSrv;ALYac_PZSrv;c:\program files\ESTsoft\ALYac\AYServiceNt.aye [2008-03-20 779720]

S2 servejkce;Service Updater;c:\windows\servejkce.exe []

S3 AYDrvNT_ALYAC;AYDrvNT_ALYAC;\??\c:\program files\ESTsoft\ALYac\AYDrvNT.sys [2008-03-18 20424]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

\Shell\AutoRun\command - E:\nba2k9setup.exe

.

Contents of the 'Scheduled Tasks' folder

2008-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

.

- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-MacDrive Volume Icons - (no file)

.

------- Supplementary Scan -------

.

FireFox -: Profile - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\dbdy3bgb.default\

FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll

FF -: plugin - c:\program files\Mozilla Firefox\plugins\np_gp.dll

FF -: plugin - c:\program files\Mozilla Firefox\plugins\npitunes.dll

FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-11-23 15:41:53

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ALYac_PZSrv]

"ImagePath"="c:\program files\ESTsoft\ALYac\AYServiceNt.aye"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\COMODO\COMODO Internet Security\cmdagent.exe

c:\windows\system32\CTSVCCDA.EXE

c:\program files\Executive Software\Diskeeper\DkService.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\PnkBstrA.exe

c:\program files\CyberLink\Shared files\RichVideo.exe

c:\program files\TVersity\Media Server\MediaServer.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\windows\system32\conime.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\CTxfispi.exe

c:\windows\system32\rundll32.exe

c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe

c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

c:\program files\Common Files\Logitech\KhalShared\KHALMNPR.exe

.

**************************************************************************

.

Completion time: 2008-11-23 15:45:25 - machine was rebooted [user]

ComboFix-quarantined-files.txt 2008-11-23 23:45:19

Pre-Run: 202,255,007,744 bytes free

Post-Run: 202,238,976,000 bytes free

281 --- E O F --- 2008-11-13 07:07:35

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:51:56 PM, on 2008-11-23

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Creative\Shared Files\CTAudSvc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\Executive Software\Diskeeper\DkService.exe

C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe

C:\Nexon\Mabinogi\npkcmsvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\CyberLink\Shared files\RichVideo.exe

C:\Program Files\TVersity\Media Server\MediaServer.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\WINDOWS\system32\conime.exe

C:\Program Files\D-Tools\daemon.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Windows Media Player\nvmontz.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\WINDOWS\system32\CTXFIHLP.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\D-Link\AirPlus XtremeG DWL-G520\AirPlusCFG.exe

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\QuickTime\QTTask.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\SEC\Natural Color Pro\NCProTray.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\COMODO\COMODO Internet Security\cfp.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {0ff1c00e-0f18-425c-8d7c-a19c8daa0857} - C:\WINDOWS\system32\wepekigi.dll (file missing)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: realconnect - {51351DDA-02A4-4919-AB1F-8C4307A889FA} - C:\Program Files\rconnect\realconnect.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe

O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidSetup.exe boot

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [Maxp2p] "C:\Program Files\maxp2p\update_check.exe" /start

O4 - HKLM\..\Run: [nvmondm] C:\Program Files\Windows Media Player\nvmontz.exe

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [D-Link AirPlus XtremeG DWL-G520] C:\Program Files\D-Link\AirPlus XtremeG DWL-G520\AirPlusCFG.exe

O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [webfavoritesite] "C:\Program Files\webfavoritesite\webfavoritesite.exe" /start

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [realconnect] "C:\Program Files\rconnect\realconnect.exe" /check

O4 - HKLM\..\Run: [matchinfo] "C:\Program Files\matchinfo\matchinfo.exe"

O4 - HKLM\..\Run: [tatijepoge] Rundll32.exe "C:\WINDOWS\system32\nuwuzeku.dll",s

O4 - HKLM\..\Run: [CPM9f391eb0] Rundll32.exe "c:\windows\system32\fohajifu.dll",a

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [{B179023B-6238-4499-8F26-CD73E9D90E0A}] "C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe"

O4 - HKLM\..\Run: [MDGetStarted.exe] "C:\Program Files\Mediafour\MacDrive 7\MDGetStarted.exe" /auto

O4 - HKLM\..\Run: [pgo.exe] C:\Program Files\pointgo\pgo.exe

O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: NCProTray.lnk = %ProgramFiles%\SEC\Natural Color Pro\NCProTray.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present

O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm

O9 - Extra button: 바른연결 - {2F773DA0-DBB5-4EB2-9C4E-7A432DBC0328} - C:\Program Files\rconnect\realconnectopt.exe

O9 - Extra 'Tools' menuitem: 바른연결 - {2F773DA0-DBB5-4EB2-9C4E-7A432DBC0328} - C:\Program Files\rconnect\realconnectopt.exe

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {92D0D610-A6FA-48D8-94CB-BD47FDF68655} (Launcher Class) - http://dl.ipop.co.kr/ipop/ipopx.cab

O16 - DPF: {BD6BB450-7C69-43B8-96F3-689CAE57AB51} (SBSWebPlayer Class) - http://netv.sbs.co.kr/object/player/SBSWebPlayer.cab

O16 - DPF: {CE109CEF-E299-4DAF-9FCB-9C030A32C546} - http://up.uccc.co.kr/ucccplay/cab2/launchucccplay.cab

O16 - DPF: {D56B9D70-E57F-4779-AD84-4247CB8012CB} (1004Disk File Share Control 5) - http://www.1004disk.com/mmsv/1004DiskControl.CAB

O16 - DPF: {F1F07506-6CB4-44AC-8615-66D1234EFD05} - http://www.hmall.com/initech/plugin/INISafeWeb50.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15030/CTPID.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O23 - Service: ALYac_PZSrv - Unknown owner - C:\Program.exe (file missing)

O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe

O23 - Service: Apple Mobile Device (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: MacDriveService - Mediafour Corporation - C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

O23 - Service: Service Updater (servejkce) - Unknown owner - C:\WINDOWS\servejkce.exe (file missing)

O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--

End of file - 11775 bytes


First run failed because when it finished installing, it rebooted the PC with a loud beep.

After the restart, and back on Windows XP, it started scanning for malware. (At this time, COMODO was not turned off, which I assume hindered the scanning and caused it to hang.)

I had to do it again properly with COMODO turned off.

Your explanation is a bit confusing. What is it that you installed? ComboFix requires no installation; it's an executable file that you downloaded and needed only to be executed by double-clicking on the icon.

OpenOffice is out of date. Uninstall what you have and download the latest version Here.

Open Notepad and copy/paste the text in the quotebox below into it:

Collect::

c:\windows\system32\g52.exe

File::

c:\windows\system32\crigmdzoscjqogn.exe

c:\windows\system32\wepekigi.dll

c:\windows\system32\nuwuzeku.dll

c:\windows\system32\fohajifu.dll

c:\windows\servejkce.exe

c:\windows\system32\apekumal.ini

Folder::

c:\program files\Viewpoint

c:\windows\system32\TX

c:\windows\system32\hex

c:\windows\system32\fas

c:\windows\system32\cs2

c:\windows\dXNlcg

c:\documents and settings\user\Application Data\uTorrent

c:\documents and settings\All Users\Application Data\Viewpoint

c:\program files\rconnect

c:\program files\maxp2p

c:\program files\webfavoritesite

c:\Program Files\uTorrent

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0ff1c00e-0f18-425c-8d7c-a19c8daa0857}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51351DDA-02A4-4919-AB1F-8C4307A889FA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Maxp2p"=-

"webfavoritesite"=-

"realconnect"=-

"tatijepoge"=-

"CPM9f391eb0"=-

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\Program Files\uTorrent\utorrent.exe"=-

Save this as CFScript.txt. Change "Save as type" to All Files and save it to your Desktop.

Next, please drag the CFScript.txt into the ComboFix.exe icon on your Desktop. Combofix will scan again automatically.

When finished, it shall produce a log for you. Post that log in your next reply.

Note:

Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

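An added example, not part of this thread and not code from the helpers or from ComboFix: a small Python parser that reads a CFScript in the format posted above and lists every file to collect, every file and folder to delete, and every registry key or value to remove, so the planned actions can be reviewed before the script is dragged onto ComboFix. The embedded sample is a subset of the entries from the script above; the section names and the `[-Key]` / `"Name"=-` deletion syntax are those used in that script (standard .reg-file syntax). The broad-folder sanity check and the decision to keep ComboFix's `~` path abbreviation verbatim rather than expand it are the example's own assumptions.

```python
"""Parse a ComboFix CFScript.txt and list the actions it asks ComboFix to take.

Added example (not part of the forum thread or of ComboFix itself): it lets a
user review what a helper's script will delete, collect or change before
dragging it onto ComboFix. Section names and the [-Key] / "Name"=- syntax are
the ones used in the script posted above (standard .reg-file deletion syntax).
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^(\w+)::\s*$")       # e.g. "File::"
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")         # "[Key]" or "[-Key]" (delete key)
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')     # '"Name"=-' (delete value)

# Roots that a removal script should never name whole (assumed list);
# any Folder:: entry matching one of these is flagged for a second look.
BROAD_FOLDERS = {
    "c:",
    "c:\\windows",
    "c:\\windows\\system32",
    "c:\\program files",
    "c:\\documents and settings",
}

# Constructed sample: a subset of the entries from the script posted in this thread.
SAMPLE_SCRIPT = r"""
Collect::
c:\windows\system32\g52.exe

File::
c:\windows\system32\crigmdzoscjqogn.exe
c:\windows\system32\nuwuzeku.dll

Folder::
c:\program files\Viewpoint
c:\windows\dXNlcg

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0ff1c00e-0f18-425c-8d7c-a19c8daa0857}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Maxp2p"=-
"tatijepoge"=-
"""


def parse_cfscript(text):
    """Return {section: entries}. Registry entries are dicts: action/key/name/data."""
    actions = defaultdict(list)
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            current_key = None
            continue
        if section is None:
            raise ValueError(f"entry before any section header: {line!r}")
        if section != "Registry":
            actions[section].append(line)      # Collect::, File::, Folder:: hold one path per line
            continue
        m = KEY_RE.match(line)
        if m:
            # ComboFix abbreviates long key paths with "~"; kept verbatim, not expanded.
            current_key = m.group(2)
            if m.group(1) == "-":              # [-Key] deletes the whole key
                actions["Registry"].append(
                    {"action": "delete_key", "key": current_key, "name": None, "data": None})
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            name, data = m.groups()
            action = "delete_value" if data == "-" else "set_value"   # "Name"=- deletes the value
            actions["Registry"].append(
                {"action": action, "key": current_key, "name": name, "data": data})
            continue
        raise ValueError(f"unrecognised Registry line: {line!r}")
    return dict(actions)


def broad_folder_entries(actions):
    """Folder:: entries that name a whole system root; these deserve review before running."""
    return [p for p in actions.get("Folder", []) if p.lower().rstrip("\\") in BROAD_FOLDERS]


def summarize(actions):
    """One human-readable line per action the script requests."""
    labels = {"Collect": "COLLECT for analysis", "File": "DELETE file", "Folder": "DELETE folder"}
    out = []
    for sec, label in labels.items():
        out.extend(f"{label}: {p}" for p in actions.get(sec, []))
    for r in actions.get("Registry", []):
        if r["action"] == "delete_key":
            out.append(f"DELETE key: {r['key']}")
        elif r["action"] == "delete_value":
            out.append(f"DELETE value: {r['key']} -> {r['name']}")
        else:
            out.append(f"SET value: {r['key']} -> {r['name']} = {r['data']}")
    return out


if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_SCRIPT)
    print("\n".join(summarize(plan)))
    for p in broad_folder_entries(plan):
        print(f"WARNING: Folder:: entry names a whole system root: {p}")
```

Running it on a real CFScript.txt (replace `SAMPLE_SCRIPT` with the file's contents) prints the delete/collect plan and warns if a Folder:: line names something as broad as `c:\windows\system32`, which a legitimate removal script never should.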

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

