Hi, my computer recently got infected by spyware which forced me to use the Total Security anti-virus program (which is spyware) and turned my wallpaper into a warning message (Warning - You're in danger).
I managed to remove them from my computer using Malwarebytes (thanks to the Malwarebytes developers!), but two threats stay persistently in the system. They are Trojan.Vundo.H, and they cannot be completely removed by Malwarebytes.
So, I decided to follow the steps taken by people who had suffered from Trojan.Vundo.H and actually solved it using HijackThis and ComboFix. I am unable to analyze the logs created by HijackThis and ComboFix, so if anyone could help me out with this, I'd really appreciate it.
The HijackThis log is as follows:
----------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:42:55 AM, on 10/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AhnLab\SiteGuard\SGsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\MicroStar\WLANUtility\WlanUtility.exe
D:\Essential Utilities\한컴 쪽지\hncnote.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Site Gaurd - {19217B99-F935-4A39-B857-A68A68D5BEBB} - C:\Program Files\AhnLab\SiteGuard\SGAgenti.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [AhnLab V3Lite Tray Process] "C:\Program Files\AhnLab\V3Lite\V3LTray.exe" /logon
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.trigem.co.kr/
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {52DFD4CA-F497-427D-8616-604915CCEA51} (HaninDiskCtrl Control) - http://hanindisk.com...ninDiskCtrl.cab
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: AhnLab SiteGuard Service (SGsvc) - AhnLab, Inc. - C:\Program Files\AhnLab\SiteGuard\SGsvc.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: V3 Lite Service - AhnLab, Inc. - C:\Program Files\AhnLab\V3Lite\V3LSvc.exe
--
End of file - 4608 bytes
#1
Posted 10 September 2009 - 08:01 AM
#2
Posted 10 September 2009 - 08:07 AM
Hi and welcome to Malwarebytes.
Did you run ComboFix already!? If so, post the log from ComboFix.txt
If not, please visit this webpage for instructions for running ComboFix:
http://www.bleepingc...to-use-combofix
- When the tool is finished, it will produce a report for you.
- Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
-screen317
#3
Posted 10 September 2009 - 03:56 PM
Hi, Screen317? Thank you very much for your help.
OK, so these are the new HijackThis log and ComboFix log I got.
-------------------------------------------------------------------------------
Hijackthis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:48 AM, on 10/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AhnLab\SiteGuard\SGsvc.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\MicroStar\WLANUtility\WlanUtility.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Site Gaurd - {19217B99-F935-4A39-B857-A68A68D5BEBB} - C:\Program Files\AhnLab\SiteGuard\SGAgenti.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [AhnLab V3Lite Tray Process] "C:\Program Files\AhnLab\V3Lite\V3LTray.exe" /logon
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.trigem.co.kr/
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {52DFD4CA-F497-427D-8616-604915CCEA51} (HaninDiskCtrl Control) - http://hanindisk.com...ninDiskCtrl.cab
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: AhnLab SiteGuard Service (SGsvc) - AhnLab, Inc. - C:\Program Files\AhnLab\SiteGuard\SGsvc.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: V3 Lite Service - AhnLab, Inc. - C:\Program Files\AhnLab\V3Lite\V3LSvc.exe
--
End of file - 4396 bytes
----------------------------------------------------------------------------------------------
Combofix Log
ComboFix 09-09-09.09 - Owner 10/09/2009 11:30.2.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.949.82.1042.18.223.118 [GMT -4:00]
Running from: c:\documents and settings\Owner\바탕 화면\ComboFix.exe
AV: V3 Lite *On-access scanning disabled* (Updated) {A5B78720-5B41-4D39-B70F-131ABDA6F977}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2009-08-10 to 2009-09-10 )))))))))))))))))))))))))))))))
.
2009-09-10 07:42 . 2009-09-10 07:42 -------- d-----w- c:\program files\Trend Micro
2009-09-10 01:26 . 2009-06-21 21:43 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-09 16:13 . 2009-09-09 16:13 -------- d-----w- c:\windows\Sun
2009-09-09 16:04 . 2009-09-09 16:02 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-09 16:01 . 2009-09-09 16:01 -------- d-----w- c:\program files\Java
2009-09-08 17:14 . 2009-09-08 17:14 -------- d-----w- c:\temp\AUtempR
2009-09-08 16:39 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-08 16:39 . 2009-09-08 16:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-08 16:39 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-08 16:33 . 2009-09-08 16:33 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-09-08 16:33 . 2009-09-08 16:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-08 15:51 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-09-08 15:51 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-09-03 04:10 . 2009-09-05 16:54 120 ----a-w- c:\windows\Xjamahalafunan.dat
2009-09-03 01:29 . 2009-09-03 01:29 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{562650E0-CC74-46E5-AF3C-9E4692C038E3}
2009-08-30 18:58 . 2009-08-30 18:58 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2009-08-17 23:45 . 2009-08-17 23:45 -------- d-----w- c:\program files\XviD
2009-08-17 23:45 . 2009-08-17 23:45 -------- d-----w- c:\program files\AviSynth 2.5
2009-08-17 23:45 . 2009-08-17 23:45 -------- d-----w- c:\program files\Gabest
2009-08-13 06:23 . 2009-07-10 13:26 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-10 10:37 . 2009-05-16 20:03 1646896 ----a-w- c:\windows\system32\drivers\v3engine.sys
2009-09-10 10:37 . 2009-05-16 20:03 1282736 ----a-w- c:\windows\system32\drivers\ahnsze.sys
2009-09-10 05:52 . 2009-06-15 04:55 18 ----a-w- c:\windows\system32\lastdo.dat
2009-09-10 01:46 . 2009-09-10 01:46 1910 ----a-w- c:\program files\agkukam.txt
2009-08-05 08:59 . 2004-08-05 16:00 202752 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-21 01:13 . 2009-05-16 19:53 19616 ----a-w- c:\windows\system32\drivers\CdmDrvNt.sys
2009-07-17 19:02 . 2004-08-05 16:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 06:56 . 2009-05-16 19:53 52416 ----a-w- c:\windows\system32\drivers\AhnRghNt.sys
2009-07-12 16:21 . 2004-08-05 16:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 15:56 . 2004-08-05 16:00 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 15:56 . 2004-08-05 16:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 15:55 . 2004-08-05 16:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-16 14:39 . 2004-08-05 16:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:39 . 2004-08-05 16:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 10:44 . 2004-08-05 16:00 87552 ----a-w- c:\windows\system32\telnet.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
------- Sigcheck -------
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-06-20 . D9F19E78F98834CB411D6AD3C68D181A . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2004-08-05 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-06 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-06 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-06 455168]
"SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2004-09-02 249856]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-03 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-03 536576]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2006-02-14 507904]
"AhnLab V3Lite Tray Process"="c:\program files\AhnLab\V3Lite\V3LTray.exe" [2009-08-26 318136]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-09 149280]
"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2004-09-02 49152]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Owner\시작 메뉴\프로그램\시작프로그램\
hncnote의 바로 가기.lnk - d:\essential utilities\한컴 쪽지\hncnote.exe [2006-2-23 143360]
c:\documents and settings\All Users\시작 메뉴\프로그램\시작프로그램\
Utility Tray.lnk - c:\windows\system32\sistray.exe [2009-5-15 331776]
WlanUtility.lnk - c:\program files\MicroStar\WLANUtility\WlanUtility.exe [2004-4-2 143360]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli itrsg10.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^시작 메뉴^프로그램^시작프로그램^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^시작 메뉴^프로그램^시작프로그램^WlanUtility.lnk]
backup=c:\windows\pss\WlanUtility.lnkCommon Startup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\CrazyFile\\CrazyFile.exe"=
"d:\\Essential Utilities\\hncnote\\hncnote.exe"=
"c:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe"=
"d:\\Essential Utilities\\한컴 쪽지\\hncnote.exe"=
"c:\\Documents and Settings\\Owner\\시작 메뉴\\프로그램\\시작프로그램\\hncnote.exe"=
"c:\\Documents and Settings\\Owner\\바탕 화면\\slsk.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"d:\\Essential Utilities\\CNAA AEAo\\hncnote.exe"=
R2 SGsvc;AhnLab SiteGuard Service;c:\program files\AhnLab\SiteGuard\SgSvc.exe [16/05/2009 3:53 PM 412232]
R3 AhnRghNt;AhnRghNt;c:\windows\system32\drivers\AhnRghNt.sys [16/05/2009 3:53 PM 52416]
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [15/05/2009 8:50 PM 191092]
R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [15/05/2009 8:50 PM 6100]
S0 qmokeq;qmokeq;c:\windows\system32\drivers\dswgwov.sys --> c:\windows\system32\drivers\dswgwov.sys [?]
S0 qxnd;qxnd;c:\windows\system32\drivers\guxsuj.sys --> c:\windows\system32\drivers\guxsuj.sys [?]
S0 ssagj;ssagj;c:\windows\system32\drivers\buxk.sys --> c:\windows\system32\drivers\buxk.sys [?]
S0 uxyh;uxyh;c:\windows\system32\drivers\iquysd.sys --> c:\windows\system32\drivers\iquysd.sys [?]
S2 V3 Lite Service;V3 Lite Service;c:\program files\AhnLab\V3Lite\V3LSvc.exe [16/05/2009 3:53 PM 289464]
S3 AhnFlt2k;AhnFlt2k;c:\windows\system32\drivers\AhnFlt2k.sys [16/05/2009 3:53 PM 52672]
S3 AhnRec2k;AhnRec2k;c:\windows\system32\drivers\AhnRec2k.sys [16/05/2009 3:53 PM 20032]
S3 AhnSZE;AhnSZE;c:\windows\system32\drivers\ahnsze.sys [16/05/2009 4:03 PM 1282736]
S3 ASZFltNt;ASZFltNt;c:\progra~1\AhnLab\V3Lite\ASZFltNt.sys [16/05/2009 3:53 PM 124480]
S3 ATamptNt_V3LITE;ATamptNt_V3LITE;c:\progra~1\AhnLab\V3Lite\ATamptNt.sys [29/05/2009 12:04 PM 102272]
S3 CdmDrvNt;CdmDrvNt;c:\windows\system32\drivers\CdmDrvNt.sys [16/05/2009 3:53 PM 19616]
S3 v3engine;v3engine;c:\windows\system32\drivers\v3engine.sys [16/05/2009 4:03 PM 1646896]
S3 V3Flt2K;V3Flt2K;c:\progra~1\AhnLab\V3Lite\V3Flt2K.sys [16/05/2009 3:53 PM 140672]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=13170&l=dis
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
DPF: {52DFD4CA-F497-427D-8616-604915CCEA51} - hxxp://hanindisk.com/app/HaninDiskCtrl.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\2410kbif.default\
FF - prefs.js: browser.search.selectedEngine - Naver
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL -
FF - HiddenExtension: XUL Cache: {562650E0-CC74-46E5-AF3C-9E4692C038E3} - c:\documents and settings\Owner\Local Settings\Application Data\{562650E0-CC74-46E5-AF3C-9E4692C038E3}
FF - HiddenExtension: XUL Cache: {F5A03B21-46AB-425F-A18F-EA9F44CB03B9} - c:\documents and settings\Administrator\Local Settings\Application Data\{F5A03B21-46AB-425F-A18F-EA9F44CB03B9}
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-10 11:37
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(540)
c:\windows\itrsg10.dll
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(2844)
c:\windows\system32\WININET.dll
c:\windows\itrsg10.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-09-10 11:39
ComboFix-quarantined-files.txt 2009-09-10 15:39
ComboFix2.txt 2009-09-10 07:27
Pre-Run: 6,724,894,720 bytes free
Post-Run: 6,695,813,120 bytes free
161 --- E O F --- 2009-09-10 07:07
---------------------------------------------------------------------------------------------------------
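The HijackThis log in the first post and the ComboFix log in the post above are the raw material a helper reads by eye. What follows is an added example of how that reading can be done mechanically; it is not code from this thread, from Trend Micro, or from ComboFix's author. The sample lines are copied from the logs posted above; the flagging categories, the regular expressions and the KNOWN_LSA_PACKAGES set are this example's own assumptions and do not replace a helper's judgement.

```python
"""Triage heuristics for HijackThis (HJT) and ComboFix logs.

Added example, not code from the forum thread, Trend Micro or ComboFix.
Sample lines are copied from the logs posted in the thread; the heuristics
(what counts as worth a second look) are this example's own assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: lines taken from the posted HijackThis log.
HJT_SAMPLE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
"""

# Constructed sample: lines taken from the posted ComboFix log.
COMBOFIX_SAMPLE = r"""
[-] 2008-06-20 . D9F19E78F98834CB411D6AD3C68D181A . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
Notification Packages REG_MULTI_SZ scecli itrsg10.dll
R2 SGsvc;AhnLab SiteGuard Service;c:\program files\AhnLab\SiteGuard\SgSvc.exe [16/05/2009 3:53 PM 412232]
S0 qmokeq;qmokeq;c:\windows\system32\drivers\dswgwov.sys --> c:\windows\system32\drivers\dswgwov.sys [?]
S0 qxnd;qxnd;c:\windows\system32\drivers\guxsuj.sys --> c:\windows\system32\drivers\guxsuj.sys [?]
- - - - - - - > 'lsass.exe'(540)
c:\windows\itrsg10.dll
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(2844)
c:\windows\system32\WININET.dll
c:\windows\itrsg10.dll
"""

# Assumption: LSA notification packages that ship with Windows XP / 2003.
# Anything else in that REG_MULTI_SZ gets loaded into lsass.exe at boot.
KNOWN_LSA_PACKAGES = {"scecli", "rassfm", "kdcsvc"}

HJT_RE = re.compile(r"^(O\d+) - (.*)$")
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
PROCESS_RE = re.compile(r"^(?:- )+> '([^']+)'\((\d+)\)$")
# A DLL directly in %windir% rather than system32 (e.g. c:\windows\x.dll).
WINDIR_ROOT_DLL_RE = re.compile(r"^c:\\windows\\[^\\]+\.dll$", re.IGNORECASE)


def _lines(text):
    return [ln.rstrip() for ln in text.splitlines() if ln.strip()]


def triage_hjt(text):
    """Return (reason, line) pairs for HJT entries that warrant attention."""
    findings = []
    for line in _lines(text):
        m = HJT_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        # A BHO CLSID with no backing DLL is an orphan: a leftover from a
        # removal, or a registration something may re-fill later.
        if section == "O2" and body.endswith("(no file)"):
            findings.append(("O2 BHO with no file", line))
    return findings


def triage_combofix(text):
    """Group ComboFix observations by category; each value is a list of evidence."""
    out = defaultdict(list)
    lsa_extra = set()
    current_proc = None
    for line in _lines(text):
        # Sigcheck: "[-]" marks a system file whose hash matches no known build.
        if line.startswith("[-]"):
            out["sigcheck mismatch"].append(line.rsplit(" ", 1)[-1])
            continue
        if line.startswith("Notification Packages REG_MULTI_SZ"):
            pkgs = line.split()[3:]
            lsa_extra = {p.lower() for p in pkgs
                         if p.split(".")[0].lower() not in KNOWN_LSA_PACKAGES}
            out["unknown LSA notification package"].extend(sorted(lsa_extra))
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, name, _display, rest = m.groups()
            # "path --> path [?]" is ComboFix's notation for a registered
            # service whose image file is not present on disk.
            if " --> " in rest and rest.endswith("[?]"):
                image = rest.split(" --> ")[0].strip()
                out["service with missing image"].append((start, name, image))
            continue
        m = PROCESS_RE.match(line)
        if m:
            current_proc = m.group(1).lower()
            continue
        if current_proc and line.lower().endswith(".dll"):
            base = line.rsplit("\\", 1)[-1].lower()
            # A module in %windir% root, or one that is also an LSA package,
            # is the kind of DLL worth pulling for hash lookup and analysis.
            if WINDIR_ROOT_DLL_RE.match(line) or base in lsa_extra:
                out["suspicious module in process"].append((current_proc, line))
    return dict(out)


if __name__ == "__main__":
    for reason, line in triage_hjt(HJT_SAMPLE):
        print(f"[HJT] {reason}: {line}")
    for category, items in triage_combofix(COMBOFIX_SAMPLE).items():
        for item in items:
            print(f"[ComboFix] {category}: {item}")
```

Run against the posted logs, the script surfaces exactly the entries a helper would circle: the BHO CLSID with no backing file, an extra LSA notification package (itrsg10.dll) that the "DLLs Loaded Under Running Processes" section confirms is mapped into lsass.exe and explorer.exe, the S0 boot-start services whose driver files are absent (four in the full log, two in the sample), and a tcpip.sys whose hash matches none of ComboFix's known builds. None of these is proof on its own: the sigcheck line only says the live driver differs from the dllcache copy listed beside it, and a service with a missing image is a stale registry entry until the rest of the picture says otherwise. The next step is to pull the flagged module for a hash lookup and diff the driver against the dllcache copy, not to delete on sight.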
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\CrazyFile\\CrazyFile.exe"=
"d:\\Essential Utilities\\hncnote\\hncnote.exe"=
"c:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe"=
"d:\\Essential Utilities\\한컴 쪽지\\hncnote.exe"=
"c:\\Documents and Settings\\Owner\\시작 메뉴\\프로그램\\시작프로그램\\hncnote.exe"=
"c:\\Documents and Settings\\Owner\\바탕 화면\\slsk.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"d:\\Essential Utilities\\CNAA AEAo\\hncnote.exe"=
R2 SGsvc;AhnLab SiteGuard Service;c:\program files\AhnLab\SiteGuard\SgSvc.exe [16/05/2009 3:53 PM 412232]
R3 AhnRghNt;AhnRghNt;c:\windows\system32\drivers\AhnRghNt.sys [16/05/2009 3:53 PM 52416]
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [15/05/2009 8:50 PM 191092]
R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [15/05/2009 8:50 PM 6100]
S0 qmokeq;qmokeq;c:\windows\system32\drivers\dswgwov.sys --> c:\windows\system32\drivers\dswgwov.sys [?]
S0 qxnd;qxnd;c:\windows\system32\drivers\guxsuj.sys --> c:\windows\system32\drivers\guxsuj.sys [?]
S0 ssagj;ssagj;c:\windows\system32\drivers\buxk.sys --> c:\windows\system32\drivers\buxk.sys [?]
S0 uxyh;uxyh;c:\windows\system32\drivers\iquysd.sys --> c:\windows\system32\drivers\iquysd.sys [?]
S2 V3 Lite Service;V3 Lite Service;c:\program files\AhnLab\V3Lite\V3LSvc.exe [16/05/2009 3:53 PM 289464]
S3 AhnFlt2k;AhnFlt2k;c:\windows\system32\drivers\AhnFlt2k.sys [16/05/2009 3:53 PM 52672]
S3 AhnRec2k;AhnRec2k;c:\windows\system32\drivers\AhnRec2k.sys [16/05/2009 3:53 PM 20032]
S3 AhnSZE;AhnSZE;c:\windows\system32\drivers\ahnsze.sys [16/05/2009 4:03 PM 1282736]
S3 ASZFltNt;ASZFltNt;c:\progra~1\AhnLab\V3Lite\ASZFltNt.sys [16/05/2009 3:53 PM 124480]
S3 ATamptNt_V3LITE;ATamptNt_V3LITE;c:\progra~1\AhnLab\V3Lite\ATamptNt.sys [29/05/2009 12:04 PM 102272]
S3 CdmDrvNt;CdmDrvNt;c:\windows\system32\drivers\CdmDrvNt.sys [16/05/2009 3:53 PM 19616]
S3 v3engine;v3engine;c:\windows\system32\drivers\v3engine.sys [16/05/2009 4:03 PM 1646896]
S3 V3Flt2K;V3Flt2K;c:\progra~1\AhnLab\V3Lite\V3Flt2K.sys [16/05/2009 3:53 PM 140672]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=13170&l=dis
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
DPF: {52DFD4CA-F497-427D-8616-604915CCEA51} - hxxp://hanindisk.com/app/HaninDiskCtrl.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\2410kbif.default\
FF - prefs.js: browser.search.selectedEngine - Naver
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL -
FF - HiddenExtension: XUL Cache: {562650E0-CC74-46E5-AF3C-9E4692C038E3} - c:\documents and settings\Owner\Local Settings\Application Data\{562650E0-CC74-46E5-AF3C-9E4692C038E3}
FF - HiddenExtension: XUL Cache: {F5A03B21-46AB-425F-A18F-EA9F44CB03B9} - c:\documents and settings\Administrator\Local Settings\Application Data\{F5A03B21-46AB-425F-A18F-EA9F44CB03B9}
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-10 11:37
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(540)
c:\windows\itrsg10.dll
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(2844)
c:\windows\system32\WININET.dll
c:\windows\itrsg10.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-09-10 11:39
ComboFix-quarantined-files.txt 2009-09-10 15:39
ComboFix2.txt 2009-09-10 07:27
Pre-Run: 6,724,894,720 바이트 남음
Post-Run: 6,695,813,120 바이트 남음
161 --- E O F --- 2009-09-10 07:07
---------------------------------------------------------------------------------------------------------
#4
Posted 11 September 2009 - 04:06 AM
안녕하세요 (Hello) Francis84
Download this file and save it to your Desktop:
http://www.microsoft.com/downloads/details...;displaylang=ko

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, it will ask you whether or not to continue with the malware scan. Select No.
Next, please open Notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into Notepad:
Quote
Driver::
qmokeq
qxnd
uxyh
ssagj
File::
c:\windows\system32\drivers\dswgwov.sys
c:\windows\system32\drivers\guxsuj.sys
c:\windows\system32\drivers\buxk.sys
c:\windows\system32\drivers\iquysd.sys
Save this as CFScript
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Next, please go to VirusTotal, and upload the following files for analysis:
c:\windows\itrsg10.dll
c:\windows\system32\drivers\o2mmb.sys
c:\windows\system32\drivers\MbxStby.sys
c:\windows\system32\dllcache\triedit.dll
Post the results in your reply.
-screen317
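As an added example (not screen317's tooling and not part of the original thread), a small Python triage script that reads the service and LSA lines of a ComboFix "Reg Loading Points" section in the format posted above, flags entries whose image file is no longer on disk and LSA notification packages beyond the stock one, and emits the same Driver::/File:: CFScript sections screen317 wrote by hand. The sample log lines are constructed from the thread; the DEFAULT_LSA_PACKAGES set is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines in the shape of the ComboFix "Reg Loading Points"
# section posted in this thread (services, drivers and the LSA key).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli itrsg10.dll
R2 SGsvc;AhnLab SiteGuard Service;c:\program files\AhnLab\SiteGuard\SgSvc.exe [16/05/2009 3:53 PM 412232]
S0 qmokeq;qmokeq;c:\windows\system32\drivers\dswgwov.sys --> c:\windows\system32\drivers\dswgwov.sys [?]
S0 qxnd;qxnd;c:\windows\system32\drivers\guxsuj.sys --> c:\windows\system32\drivers\guxsuj.sys [?]
S3 AhnFlt2k;AhnFlt2k;c:\windows\system32\drivers\AhnFlt2k.sys [16/05/2009 3:53 PM 52672]
""".strip("\n")

# ComboFix service line: <R|S><start type> <name>;<display name>;<image> [...]
SERVICE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# Image path ComboFix could not find on disk: "<path> --> <path> [?]"
MISSING_RE = re.compile(r"^(?P<path>.+?) --> (?P<resolved>.+?) \[\?\]$")
# Image path that exists: "<path> [<timestamp> <size>]"
PRESENT_RE = re.compile(r"^(?P<path>.+?) \[(?P<stamp>.+?) (?P<size>\d+)\]$")
LSA_RE = re.compile(r"^Notification Packages REG_MULTI_SZ\s+(?P<pkgs>.+)$")

# Assumption for this example: a stock Windows XP workstation registers only
# scecli here. Anything else is loaded into lsass.exe at boot and deserves a
# second look (domain controllers legitimately add a few more).
DEFAULT_LSA_PACKAGES = {"scecli"}


@dataclass
class Service:
    state: str          # R = running, S = stopped
    start: int          # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
    name: str
    display: str
    path: str
    file_missing: bool


@dataclass
class Finding:
    kind: str           # what was flagged
    name: str           # service name or package name
    detail: str         # image path, or the raw registry line


def parse_service(line):
    """Parse one ComboFix service/driver line; return None for other lines."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    missing = MISSING_RE.match(rest)
    if missing:
        return Service(m.group("state"), int(m.group("start")), m.group("name"),
                       m.group("display"), missing.group("resolved"), True)
    present = PRESENT_RE.match(rest)
    path = present.group("path") if present else rest
    return Service(m.group("state"), int(m.group("start")), m.group("name"),
                   m.group("display"), path, False)


def triage(log_text):
    """Return findings for orphaned services and non-default LSA packages."""
    findings = []
    for line in log_text.splitlines():
        lsa = LSA_RE.match(line.strip())
        if lsa:
            for pkg in lsa.group("pkgs").split():
                if pkg.lower() not in DEFAULT_LSA_PACKAGES:
                    findings.append(Finding("lsa-notification-package", pkg, line.strip()))
            continue
        svc = parse_service(line)
        if svc is None:
            continue
        # A registered service whose image is gone is the classic leftover of a
        # half-cleaned infection: the file was deleted, the registry key was not.
        if svc.file_missing:
            findings.append(Finding("service-image-missing", svc.name, svc.path))
    return findings


def cfscript(findings):
    """Build the Driver::/File:: sections of a CFScript for orphaned services.

    Only missing-image services are listed; an unknown LSA package should be
    submitted for analysis first (as the thread does), not deleted blindly.
    """
    orphans = [f for f in findings if f.kind == "service-image-missing"]
    if not orphans:
        return ""
    lines = ["Driver::"] + [f.name for f in orphans]
    lines += ["File::"] + [f.detail for f in orphans]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:28} {f.name:14} {f.detail}")
    print(cfscript(found))
```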
#5
Posted 11 September 2009 - 06:42 AM
Hi screen317! Thank you for your previous reply! I really appreciate it.
안녕하세요 (hello)? lol, are you Korean? If you are, 반갑습니다 (nice to meet you in Korean)
and 감사합니다 (thank you in Korean)
These are the new logs from hijackthis and combofix.
-----------------------------------------------------------
Hijackthis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:08:08 AM, on 11/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AhnLab\SiteGuard\SGsvc.exe
C:\Program Files\AhnLab\V3Lite\V3LSvc.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\AhnLab\V3Lite\V3LTray.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Site Gaurd - {19217B99-F935-4A39-B857-A68A68D5BEBB} - C:\Program Files\AhnLab\SiteGuard\SGAgenti.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [AhnLab V3Lite Tray Process] "C:\Program Files\AhnLab\V3Lite\V3LTray.exe" /logon
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.trigem.co.kr/
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {52DFD4CA-F497-427D-8616-604915CCEA51} (HaninDiskCtrl Control) - http://hanindisk.com...ninDiskCtrl.cab
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: AhnLab SiteGuard Service (SGsvc) - AhnLab, Inc. - C:\Program Files\AhnLab\SiteGuard\SGsvc.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: V3 Lite Service - AhnLab, Inc. - C:\Program Files\AhnLab\V3Lite\V3LSvc.exe
--
End of file - 4444 bytes
-----------------------------------------------------------------------
Combofix
ComboFix 09-09-09.09 - Owner 11/09/2009 1:43.3.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.949.82.1042.18.223.117 [GMT -4:00]
Running from: c:\documents and settings\Owner\바탕 화면\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\바탕 화면\CFScript.txt
AV: V3 Lite *On-access scanning disabled* (Updated) {A5B78720-5B41-4D39-B70F-131ABDA6F977}
FILE ::
"c:\windows\system32\drivers\buxk.sys"
"c:\windows\system32\drivers\dswgwov.sys"
"c:\windows\system32\drivers\guxsuj.sys"
"c:\windows\system32\drivers\iquysd.sys"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_qmokeq
-------\Service_qxnd
-------\Service_ssagj
-------\Service_uxyh
((((((((((((((((((((((((( Files Created from 2009-08-11 to 2009-09-11 )))))))))))))))))))))))))))))))
.
2009-09-10 07:42 . 2009-09-10 07:42 -------- d-----w- c:\program files\Trend Micro
2009-09-10 01:26 . 2009-06-21 21:43 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-09 16:13 . 2009-09-09 16:13 -------- d-----w- c:\windows\Sun
2009-09-09 16:04 . 2009-09-09 16:02 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-09 16:01 . 2009-09-09 16:01 -------- d-----w- c:\program files\Java
2009-09-08 17:14 . 2009-09-08 17:14 -------- d-----w- c:\temp\AUtempR
2009-09-08 16:39 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-08 16:39 . 2009-09-08 16:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-08 16:39 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-08 16:33 . 2009-09-08 16:33 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-09-08 16:33 . 2009-09-08 16:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-08 15:51 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-09-08 15:51 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-09-03 04:10 . 2009-09-05 16:54 120 ----a-w- c:\windows\Xjamahalafunan.dat
2009-09-03 01:29 . 2009-09-03 01:29 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{562650E0-CC74-46E5-AF3C-9E4692C038E3}
2009-08-30 18:58 . 2009-08-30 18:58 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2009-08-17 23:45 . 2009-08-17 23:45 -------- d-----w- c:\program files\XviD
2009-08-17 23:45 . 2009-08-17 23:45 -------- d-----w- c:\program files\AviSynth 2.5
2009-08-17 23:45 . 2009-08-17 23:45 -------- d-----w- c:\program files\Gabest
2009-08-13 06:23 . 2009-07-10 13:26 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-10 10:37 . 2009-05-16 20:03 1646896 ----a-w- c:\windows\system32\drivers\v3engine.sys
2009-09-10 10:37 . 2009-05-16 20:03 1282736 ----a-w- c:\windows\system32\drivers\ahnsze.sys
2009-09-10 05:52 . 2009-06-15 04:55 18 ----a-w- c:\windows\system32\lastdo.dat
2009-09-10 01:46 . 2009-09-10 01:46 1910 ----a-w- c:\program files\agkukam.txt
2009-08-05 08:59 . 2004-08-05 16:00 202752 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-21 01:13 . 2009-05-16 19:53 19616 ----a-w- c:\windows\system32\drivers\CdmDrvNt.sys
2009-07-17 19:02 . 2004-08-05 16:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 06:56 . 2009-05-16 19:53 52416 ----a-w- c:\windows\system32\drivers\AhnRghNt.sys
2009-07-12 16:21 . 2004-08-05 16:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 15:56 . 2004-08-05 16:00 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 15:56 . 2004-08-05 16:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 15:55 . 2004-08-05 16:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-16 14:39 . 2004-08-05 16:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:39 . 2004-08-05 16:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 10:44 . 2004-08-05 16:00 87552 ----a-w- c:\windows\system32\telnet.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
------- Sigcheck -------
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-06-20 . D9F19E78F98834CB411D6AD3C68D181A . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2004-08-05 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-09-10_07.22.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-11 05:58 . 2009-09-11 05:58 16384 c:\windows\Temp\Perflib_Perfdata_5c4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-06 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-06 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-06 455168]
"SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2004-09-02 249856]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-03 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-03 536576]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2006-02-14 507904]
"AhnLab V3Lite Tray Process"="c:\program files\AhnLab\V3Lite\V3LTray.exe" [2009-08-26 318136]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-09 149280]
"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2004-09-02 49152]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Owner\시작 메뉴\프로그램\시작프로그램\
hncnote의 바로 가기.lnk - d:\essential utilities\한컴 쪽지\hncnote.exe [2006-2-23 143360]
c:\documents and settings\All Users\시작 메뉴\프로그램\시작프로그램\
Utility Tray.lnk - c:\windows\system32\sistray.exe [2009-5-15 331776]
WlanUtility.lnk - c:\program files\MicroStar\WLANUtility\WlanUtility.exe [2004-4-2 143360]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli itrsg10.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^시작 메뉴^프로그램^시작프로그램^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^시작 메뉴^프로그램^시작프로그램^WlanUtility.lnk]
backup=c:\windows\pss\WlanUtility.lnkCommon Startup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\CrazyFile\\CrazyFile.exe"=
"d:\\Essential Utilities\\hncnote\\hncnote.exe"=
"c:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe"=
"d:\\Essential Utilities\\한컴 쪽지\\hncnote.exe"=
"c:\\Documents and Settings\\Owner\\시작 메뉴\\프로그램\\시작프로그램\\hncnote.exe"=
"c:\\Documents and Settings\\Owner\\바탕 화면\\slsk.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"d:\\Essential Utilities\\CNAA AEAo\\hncnote.exe"=
R2 SGsvc;AhnLab SiteGuard Service;c:\program files\AhnLab\SiteGuard\SgSvc.exe [16/05/2009 3:53 PM 412232]
R2 V3 Lite Service;V3 Lite Service;c:\program files\AhnLab\V3Lite\V3LSvc.exe [16/05/2009 3:53 PM 289464]
R3 AhnRghNt;AhnRghNt;c:\windows\system32\drivers\AhnRghNt.sys [16/05/2009 3:53 PM 52416]
R3 AhnSZE;AhnSZE;c:\windows\system32\drivers\ahnsze.sys [16/05/2009 4:03 PM 1282736]
R3 ASZFltNt;ASZFltNt;c:\progra~1\AhnLab\V3Lite\ASZFltNt.sys [16/05/2009 3:53 PM 124480]
R3 CdmDrvNt;CdmDrvNt;c:\windows\system32\drivers\CdmDrvNt.sys [16/05/2009 3:53 PM 19616]
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [15/05/2009 8:50 PM 191092]
R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [15/05/2009 8:50 PM 6100]
R3 v3engine;v3engine;c:\windows\system32\drivers\v3engine.sys [16/05/2009 4:03 PM 1646896]
R3 V3Flt2K;V3Flt2K;c:\progra~1\AhnLab\V3Lite\V3Flt2K.sys [16/05/2009 3:53 PM 140672]
S3 AhnFlt2k;AhnFlt2k;c:\windows\system32\drivers\AhnFlt2k.sys [16/05/2009 3:53 PM 52672]
S3 AhnRec2k;AhnRec2k;c:\windows\system32\drivers\AhnRec2k.sys [16/05/2009 3:53 PM 20032]
S3 ATamptNt_V3LITE;ATamptNt_V3LITE;c:\progra~1\AhnLab\V3Lite\ATamptNt.sys [29/05/2009 12:04 PM 102272]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=13170&l=dis
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
DPF: {52DFD4CA-F497-427D-8616-604915CCEA51} - hxxp://hanindisk.com/app/HaninDiskCtrl.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\2410kbif.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL -
FF - HiddenExtension: XUL Cache: {562650E0-CC74-46E5-AF3C-9E4692C038E3} - c:\documents and settings\Owner\Local Settings\Application Data\{562650E0-CC74-46E5-AF3C-9E4692C038E3}
FF - HiddenExtension: XUL Cache: {F5A03B21-46AB-425F-A18F-EA9F44CB03B9} - c:\documents and settings\Administrator\Local Settings\Application Data\{F5A03B21-46AB-425F-A18F-EA9F44CB03B9}
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-11 01:58
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(548)
c:\windows\itrsg10.dll
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(3592)
c:\windows\system32\WININET.dll
c:\windows\itrsg10.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\JAVA\JRE6\BIN\JQS.EXE
c:\windows\system32\wdfmgr.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-09-11 2:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-11 06:04
ComboFix2.txt 2009-09-10 15:40
ComboFix3.txt 2009-09-10 07:27
Pre-Run: 6,681,051,136 바이트 남음
Post-Run: 6,652,919,808 바이트 남음
185 --- E O F --- 2009-09-10 07:07
------------------------------------------------------------------------------------------------------------
And these are the results of the virus scan from VirusTotal.
c:\windows\itrsg10.dll
http://www.virustotal.com/analisis/4792297...0740-1252649472
-------------------------------------------------------------------
c:\windows\system32\drivers\o2mmb.sys
http://www.virustotal.com/analisis/1f18b4f...43ca-1237317107
--------------------------------------------------------------------
c:\windows\system32\drivers\MbxStby.sys
http://www.virustotal.com/analisis/1da33fa...76d3-1250158728
--------------------------------------------------------------------
c:\windows\system32\dllcache\triedit.dll
I was not able to find this file in the above root you gave me. Through a file search, I was able to find this file in the following roots:
C:\WINDOWS\SoftwareDistribution\Download\fcd3f6cd9cf18c1457456e4eed1bc680\SP2GDR
C:\WINDOWS\SoftwareDistribution\Download\fcd3f6cd9cf18c1457456e4eed1bc680\SP3GDR
C:\WINDOWS\SoftwareDistribution\Download\fcd3f6cd9cf18c1457456e4eed1bc680\SP3QFE
C:\WINDOWS\SoftwareDistribution\Download\fcd3f6cd9cf18c1457456e4eed1bc680\SP2QFE
C:\Program Files\Common Files\Microsoft Shared\Triedit
C:\WINDOWS\ServicePackFiles\i386
I don't know which one needs to be scanned.
-----------------------------------------------------------------------
Thank you so much for your help screen317!
I am looking forward to your next reply!
2009-09-03 01:29 . 2009-09-03 01:29 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{562650E0-CC74-46E5-AF3C-9E4692C038E3}
2009-08-30 18:58 . 2009-08-30 18:58 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2009-08-17 23:45 . 2009-08-17 23:45 -------- d-----w- c:\program files\XviD
2009-08-17 23:45 . 2009-08-17 23:45 -------- d-----w- c:\program files\AviSynth 2.5
2009-08-17 23:45 . 2009-08-17 23:45 -------- d-----w- c:\program files\Gabest
2009-08-13 06:23 . 2009-07-10 13:26 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-10 10:37 . 2009-05-16 20:03 1646896 ----a-w- c:\windows\system32\drivers\v3engine.sys
2009-09-10 10:37 . 2009-05-16 20:03 1282736 ----a-w- c:\windows\system32\drivers\ahnsze.sys
2009-09-10 05:52 . 2009-06-15 04:55 18 ----a-w- c:\windows\system32\lastdo.dat
2009-09-10 01:46 . 2009-09-10 01:46 1910 ----a-w- c:\program files\agkukam.txt
2009-08-05 08:59 . 2004-08-05 16:00 202752 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-21 01:13 . 2009-05-16 19:53 19616 ----a-w- c:\windows\system32\drivers\CdmDrvNt.sys
2009-07-17 19:02 . 2004-08-05 16:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 06:56 . 2009-05-16 19:53 52416 ----a-w- c:\windows\system32\drivers\AhnRghNt.sys
2009-07-12 16:21 . 2004-08-05 16:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 15:56 . 2004-08-05 16:00 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 15:56 . 2004-08-05 16:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 15:55 . 2004-08-05 16:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-16 14:39 . 2004-08-05 16:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:39 . 2004-08-05 16:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 10:44 . 2004-08-05 16:00 87552 ----a-w- c:\windows\system32\telnet.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
------- Sigcheck -------
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-06-20 . D9F19E78F98834CB411D6AD3C68D181A . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2004-08-05 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-09-10_07.22.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-11 05:58 . 2009-09-11 05:58 16384 c:\windows\Temp\Perflib_Perfdata_5c4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-06 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-06 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-06 455168]
"SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2004-09-02 249856]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-03 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-03 536576]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2006-02-14 507904]
"AhnLab V3Lite Tray Process"="c:\program files\AhnLab\V3Lite\V3LTray.exe" [2009-08-26 318136]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-09 149280]
"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2004-09-02 49152]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Owner\시작 메뉴\프로그램\시작프로그램\
hncnote의 바로 가기.lnk - d:\essential utilities\한컴 쪽지\hncnote.exe [2006-2-23 143360]
c:\documents and settings\All Users\시작 메뉴\프로그램\시작프로그램\
Utility Tray.lnk - c:\windows\system32\sistray.exe [2009-5-15 331776]
WlanUtility.lnk - c:\program files\MicroStar\WLANUtility\WlanUtility.exe [2004-4-2 143360]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli itrsg10.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^시작 메뉴^프로그램^시작프로그램^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^시작 메뉴^프로그램^시작프로그램^WlanUtility.lnk]
backup=c:\windows\pss\WlanUtility.lnkCommon Startup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\CrazyFile\\CrazyFile.exe"=
"d:\\Essential Utilities\\hncnote\\hncnote.exe"=
"c:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe"=
"d:\\Essential Utilities\\한컴 쪽지\\hncnote.exe"=
"c:\\Documents and Settings\\Owner\\시작 메뉴\\프로그램\\시작프로그램\\hncnote.exe"=
"c:\\Documents and Settings\\Owner\\바탕 화면\\slsk.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"d:\\Essential Utilities\\CNAA AEAo\\hncnote.exe"=
R2 SGsvc;AhnLab SiteGuard Service;c:\program files\AhnLab\SiteGuard\SgSvc.exe [16/05/2009 3:53 PM 412232]
R2 V3 Lite Service;V3 Lite Service;c:\program files\AhnLab\V3Lite\V3LSvc.exe [16/05/2009 3:53 PM 289464]
R3 AhnRghNt;AhnRghNt;c:\windows\system32\drivers\AhnRghNt.sys [16/05/2009 3:53 PM 52416]
R3 AhnSZE;AhnSZE;c:\windows\system32\drivers\ahnsze.sys [16/05/2009 4:03 PM 1282736]
R3 ASZFltNt;ASZFltNt;c:\progra~1\AhnLab\V3Lite\ASZFltNt.sys [16/05/2009 3:53 PM 124480]
R3 CdmDrvNt;CdmDrvNt;c:\windows\system32\drivers\CdmDrvNt.sys [16/05/2009 3:53 PM 19616]
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [15/05/2009 8:50 PM 191092]
R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [15/05/2009 8:50 PM 6100]
R3 v3engine;v3engine;c:\windows\system32\drivers\v3engine.sys [16/05/2009 4:03 PM 1646896]
R3 V3Flt2K;V3Flt2K;c:\progra~1\AhnLab\V3Lite\V3Flt2K.sys [16/05/2009 3:53 PM 140672]
S3 AhnFlt2k;AhnFlt2k;c:\windows\system32\drivers\AhnFlt2k.sys [16/05/2009 3:53 PM 52672]
S3 AhnRec2k;AhnRec2k;c:\windows\system32\drivers\AhnRec2k.sys [16/05/2009 3:53 PM 20032]
S3 ATamptNt_V3LITE;ATamptNt_V3LITE;c:\progra~1\AhnLab\V3Lite\ATamptNt.sys [29/05/2009 12:04 PM 102272]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=13170&l=dis
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
DPF: {52DFD4CA-F497-427D-8616-604915CCEA51} - hxxp://hanindisk.com/app/HaninDiskCtrl.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\2410kbif.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL -
FF - HiddenExtension: XUL Cache: {562650E0-CC74-46E5-AF3C-9E4692C038E3} - c:\documents and settings\Owner\Local Settings\Application Data\{562650E0-CC74-46E5-AF3C-9E4692C038E3}
FF - HiddenExtension: XUL Cache: {F5A03B21-46AB-425F-A18F-EA9F44CB03B9} - c:\documents and settings\Administrator\Local Settings\Application Data\{F5A03B21-46AB-425F-A18F-EA9F44CB03B9}
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-11 01:58
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(548)
c:\windows\itrsg10.dll
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(3592)
c:\windows\system32\WININET.dll
c:\windows\itrsg10.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\JAVA\JRE6\BIN\JQS.EXE
c:\windows\system32\wdfmgr.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-09-11 2:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-11 06:04
ComboFix2.txt 2009-09-10 15:40
ComboFix3.txt 2009-09-10 07:27
Pre-Run: 6,681,051,136 bytes free
Post-Run: 6,652,919,808 bytes free
185 --- E O F --- 2009-09-10 07:07
------------------------------------------------------------------------------------------------------------
And these are the results of the virus scan from VirusTotal.
c:\windows\itrsg10.dll
http://www.virustotal.com/analisis/4792297...0740-1252649472
-------------------------------------------------------------------
c:\windows\system32\drivers\o2mmb.sys
http://www.virustotal.com/analisis/1f18b4f...43ca-1237317107
--------------------------------------------------------------------
c:\windows\system32\drivers\MbxStby.sys
http://www.virustotal.com/analisis/1da33fa...76d3-1250158728
--------------------------------------------------------------------
c:\windows\system32\dllcache\triedit.dll
I was not able to find this file in the above root you gave me. Through file search, I was able to find this file in the following roots:
C:\WINDOWS\SoftwareDistribution\Download\fcd3f6cd9cf18c1457456e4eed1bc680\SP2GDR
C:\WINDOWS\SoftwareDistribution\Download\fcd3f6cd9cf18c1457456e4eed1bc680\SP3GDR
C:\WINDOWS\SoftwareDistribution\Download\fcd3f6cd9cf18c1457456e4eed1bc680\SP3QFE
C:\WINDOWS\SoftwareDistribution\Download\fcd3f6cd9cf18c1457456e4eed1bc680\SP2QFE
C:\Program Files\Common Files\Microsoft Shared\Triedit
C:\WINDOWS\ServicePackFiles\i386
I don't know which one needs to be scanned.
-----------------------------------------------------------------------
Thank you so much for your help screen317!
I am looking forward to your next reply!
#6
Posted 11 September 2009 - 07:59 AM
Hi
Francis84, on Sep 10 2009, 11:42 PM, said:
Hi screen317? Thank you for your previous reply! I really appreciate it.
안녕하세요? (Hello in Korean) lol are you Korean? If you are, 반갑습니다 (nice to meet you in Korean)
and 감사합니다 (thank you in Korean)
You're welcome. I'm not Korean lol; I just try to know a little bit from most languages.
Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.
Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:
http://www.malwarebytes.org/forums/index.php?showtopic=24179
Collect::
c:\windows\itrsg10.dll
FCOPY::
c:\windows\system32\dllcache\tcpip.sys | c:\windows\system32\drivers\tcpip.sys
KILLALL::
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
Save this as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
When finished, it shall produce a log for you. Post that log in your next reply.
**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
- Ensure you are connected to the internet and click OK on the message box.
-screen317
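As an added example for this thread (it is not part of ComboFix, HijackThis or the helper's instructions), the Python script below applies the three checks that the CFScript above is built around to lines copied from the logs posted earlier: it finds the running system file whose MD5 differs from its dllcache copy although both carry the same version string (the `[-]` tcpip.sys line, which is why the script uses FCOPY::), it lists the DLLs in the LSA "Notification Packages" value that are not the XP default `scecli` (those are loaded into lsass.exe at boot, which is why itrsg10.dll appears under 'lsass.exe' in the "DLLs Loaded Under Running Processes" section), and it builds and decodes the `hex(7)` REG_MULTI_SZ form used by the Registry:: line. Function names such as `find_patched_files` are mine, and the assumption that only `scecli` is expected on a Windows XP client is mine as well.

```python
"""Triage helpers for a ComboFix log (added example for this thread; not
ComboFix, HijackThis or the helper's own code).

  1. Sigcheck: a live system file whose MD5 differs from the dllcache copy
     with the same version string is an in-place patched file.
  2. LSA "Notification Packages": any DLL beyond the default "scecli" is
     loaded into lsass.exe at boot and receives password-change callbacks.
  3. REGEDIT4 hex(7) encoding of the REG_MULTI_SZ value that resets it.

All sample lines are copied from the logs posted in the thread.
"""
import re

SIGCHECK_SAMPLE = r"""
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-06-20 . D9F19E78F98834CB411D6AD3C68D181A . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
"""

NOTIFICATION_LINE = "Notification Packages REG_MULTI_SZ scecli itrsg10.dll"

_SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>.)\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)


def parse_sigcheck(text):
    """One dict per Sigcheck line; non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _SIGCHECK_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["path"] = row["path"].lower()
            row["md5"] = row["md5"].upper()
            rows.append(row)
    return rows


def _is_backup_copy(path):
    # Hotfix ($hf_mig$), uninstall ($NtUninstall...), ServicePackFiles and
    # dllcache folders hold legitimate alternates: QFE and GDR builds share a
    # version string but differ in bytes, so only the live copy is judged.
    return "dllcache" in path or "servicepackfiles" in path or "$" in path


def find_patched_files(text):
    """Map live-file path -> (its md5, dllcache md5) when the hashes differ
    although the version strings match: the signature of a patched file."""
    rows = parse_sigcheck(text)
    reference = {}
    for r in rows:
        if "dllcache" in r["path"]:
            name = r["path"].rsplit("\\", 1)[-1]
            reference[(name, r["version"])] = r["md5"]
    suspicious = {}
    for r in rows:
        if _is_backup_copy(r["path"]):
            continue
        name = r["path"].rsplit("\\", 1)[-1]
        good = reference.get((name, r["version"]))
        if good is not None and good != r["md5"]:
            suspicious[r["path"]] = (r["md5"], good)
    return suspicious


def _norm(name):
    name = name.lower()
    return name[:-4] if name.endswith(".dll") else name


def unexpected_notification_packages(line, allowed=("scecli",)):
    """DLL names in an LSA 'Notification Packages' log line that are not in
    the allowed set (assumption: a stock XP client lists only scecli)."""
    m = re.match(r"Notification Packages\s+REG_MULTI_SZ\s*(.*)$", line.strip())
    if not m:
        raise ValueError("not a Notification Packages line")
    ok = {_norm(a) for a in allowed}
    return [n for n in m.group(1).split() if _norm(n) not in ok]


def reg_multi_sz_hex(values):
    """REGEDIT4 (ANSI, one byte per character) hex(7) form of a REG_MULTI_SZ:
    each string NUL-terminated, then a final NUL."""
    data = b"".join(v.encode("ascii") + b"\x00" for v in values) + b"\x00"
    return "hex(7):" + ",".join("%02x" % b for b in data)


def reg_multi_sz_decode(text):
    """Inverse of reg_multi_sz_hex; also accepts the 'Version 5.00' .reg
    layout, which stores REG_MULTI_SZ as UTF-16LE (00 at every odd offset)."""
    if not text.lower().startswith("hex(7):"):
        raise ValueError("not a hex(7) value")
    data = bytes(int(x, 16) for x in text[len("hex(7):"):].split(",") if x)
    utf16 = len(data) % 2 == 0 and len(data) >= 2 and all(
        data[i] == 0 for i in range(1, len(data), 2))
    raw = data.decode("utf-16-le") if utf16 else data.decode("latin-1")
    return [s for s in raw.split("\x00") if s]


if __name__ == "__main__":
    for path, (seen, good) in find_patched_files(SIGCHECK_SAMPLE).items():
        print("patched: %s  md5=%s  dllcache=%s" % (path, seen, good))
    print("unexpected LSA packages:", unexpected_notification_packages(NOTIFICATION_LINE))
    print("reset value:", reg_multi_sz_hex(["scecli"]))
```

The encoding caveat matters when writing such a Registry:: block by hand: `73,63,65,63,6c,69,00,00` is the REGEDIT4 single-byte layout that the script above uses; a "Windows Registry Editor Version 5.00" file would carry the same value as UTF-16LE (`73,00,63,00,...`), and mixing the two silently corrupts the value that lsass.exe reads at the next boot.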
#7
Posted 11 September 2009 - 11:52 PM
Hi, screen317? Thank you for your previous reply!
Since you typed 안녕하세요 (Hello in Korean) in the previous post, I thought you were Korean heheh
It's a good thing to learn other languages~!
OK, so this is the new ComboFix log:
---------------------------------------------------------------------------------------
ComboFix 09-09-11.01 - Owner 11/09/2009 18:49.4.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.949.82.1042.18.223.121 [GMT -4:00]
Running from: c:\documents and settings\Owner\바탕 화면\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\바탕 화면\CFScript.txt
AV: V3 Lite *On-access scanning disabled* (Updated) {A5B78720-5B41-4D39-B70F-131ABDA6F977}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\itrsg10.dll
.
--------------- FCopy ---------------
c:\windows\system32\dllcache\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((( Files Created from 2009-08-11 to 2009-09-11 )))))))))))))))))))))))))))))))
.
2009-09-10 07:42 . 2009-09-10 07:42 -------- d-----w- c:\program files\Trend Micro
2009-09-10 01:26 . 2009-06-21 21:43 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-09 16:13 . 2009-09-09 16:13 -------- d-----w- c:\windows\Sun
2009-09-09 16:04 . 2009-09-09 16:02 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-09 16:01 . 2009-09-09 16:01 -------- d-----w- c:\program files\Java
2009-09-08 17:14 . 2009-09-08 17:14 -------- d-----w- c:\temp\AUtempR
2009-09-08 16:39 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-08 16:39 . 2009-09-08 16:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-08 16:39 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-08 16:33 . 2009-09-08 16:33 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-09-08 16:33 . 2009-09-08 16:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-08 15:51 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-09-08 15:51 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-09-03 04:10 . 2009-09-05 16:54 120 ----a-w- c:\windows\Xjamahalafunan.dat
2009-09-03 01:29 . 2009-09-03 01:29 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{562650E0-CC74-46E5-AF3C-9E4692C038E3}
2009-08-30 18:58 . 2009-08-30 18:58 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2009-08-17 23:45 . 2009-08-17 23:45 -------- d-----w- c:\program files\XviD
2009-08-17 23:45 . 2009-08-17 23:45 -------- d-----w- c:\program files\AviSynth 2.5
2009-08-17 23:45 . 2009-08-17 23:45 -------- d-----w- c:\program files\Gabest
2009-08-13 06:23 . 2009-07-10 13:26 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-11 12:34 . 2009-05-16 20:03 1646896 ----a-w- c:\windows\system32\drivers\v3engine.sys
2009-09-11 12:34 . 2009-05-16 20:03 1282736 ----a-w- c:\windows\system32\drivers\ahnsze.sys
2009-09-10 05:52 . 2009-06-15 04:55 18 ----a-w- c:\windows\system32\lastdo.dat
2009-09-10 01:46 . 2009-09-10 01:46 1910 ----a-w- c:\program files\agkukam.txt
2009-08-05 08:59 . 2004-08-05 16:00 202752 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-21 01:13 . 2009-05-16 19:53 19616 ----a-w- c:\windows\system32\drivers\CdmDrvNt.sys
2009-07-17 19:02 . 2004-08-05 16:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 06:56 . 2009-05-16 19:53 52416 ----a-w- c:\windows\system32\drivers\AhnRghNt.sys
2009-07-12 16:21 . 2004-08-05 16:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 15:56 . 2004-08-05 16:00 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 15:56 . 2004-08-05 16:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 15:55 . 2004-08-05 16:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-16 14:39 . 2004-08-05 16:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:39 . 2004-08-05 16:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 10:44 . 2004-08-05 16:00 87552 ----a-w- c:\windows\system32\telnet.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-09-10_07.22.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-11 23:01 . 2009-09-11 23:01 16384 c:\windows\temp\Perflib_Perfdata_59c.dat
+ 2004-08-05 16:00 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\tcpip.sys
- 2008-06-20 11:51 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-06 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-06 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-06 455168]
"SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2004-09-02 249856]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-03 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-03 536576]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2006-02-14 507904]
"AhnLab V3Lite Tray Process"="c:\program files\AhnLab\V3Lite\V3LTray.exe" [2009-08-26 318136]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-09 149280]
"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2004-09-02 49152]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Owner\시작 메뉴\프로그램\시작프로그램\
hncnote의 바로 가기.lnk - d:\essential utilities\한컴 쪽지\hncnote.exe [2006-2-23 143360]
c:\documents and settings\All Users\시작 메뉴\프로그램\시작프로그램\
Utility Tray.lnk - c:\windows\system32\sistray.exe [2009-5-15 331776]
WlanUtility.lnk - c:\program files\MicroStar\WLANUtility\WlanUtility.exe [2004-4-2 143360]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^시작 메뉴^프로그램^시작프로그램^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^시작 메뉴^프로그램^시작프로그램^WlanUtility.lnk]
backup=c:\windows\pss\WlanUtility.lnkCommon Startup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\CrazyFile\\CrazyFile.exe"=
"d:\\Essential Utilities\\hncnote\\hncnote.exe"=
"c:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe"=
"d:\\Essential Utilities\\한컴 쪽지\\hncnote.exe"=
"c:\\Documents and Settings\\Owner\\시작 메뉴\\프로그램\\시작프로그램\\hncnote.exe"=
"c:\\Documents and Settings\\Owner\\바탕 화면\\slsk.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"d:\\Essential Utilities\\CNAA AEAo\\hncnote.exe"=
R2 SGsvc;AhnLab SiteGuard Service;c:\program files\AhnLab\SiteGuard\SgSvc.exe [16/05/2009 3:53 PM 412232]
R2 V3 Lite Service;V3 Lite Service;c:\program files\AhnLab\V3Lite\V3LSvc.exe [16/05/2009 3:53 PM 289464]
R3 AhnRghNt;AhnRghNt;c:\windows\system32\drivers\AhnRghNt.sys [16/05/2009 3:53 PM 52416]
R3 AhnSZE;AhnSZE;c:\windows\system32\drivers\ahnsze.sys [16/05/2009 4:03 PM 1282736]
R3 ASZFltNt;ASZFltNt;c:\progra~1\AhnLab\V3Lite\ASZFltNt.sys [16/05/2009 3:53 PM 124480]
R3 CdmDrvNt;CdmDrvNt;c:\windows\system32\drivers\CdmDrvNt.sys [16/05/2009 3:53 PM 19616]
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [15/05/2009 8:50 PM 191092]
R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [15/05/2009 8:50 PM 6100]
R3 v3engine;v3engine;c:\windows\system32\drivers\v3engine.sys [16/05/2009 4:03 PM 1646896]
R3 V3Flt2K;V3Flt2K;c:\progra~1\AhnLab\V3Lite\V3Flt2K.sys [16/05/2009 3:53 PM 140672]
S3 AhnFlt2k;AhnFlt2k;c:\windows\system32\drivers\AhnFlt2k.sys [16/05/2009 3:53 PM 52672]
S3 AhnRec2k;AhnRec2k;c:\windows\system32\drivers\AhnRec2k.sys [16/05/2009 3:53 PM 20032]
S3 ATamptNt_V3LITE;ATamptNt_V3LITE;c:\progra~1\AhnLab\V3Lite\ATamptNt.sys [29/05/2009 12:04 PM 102272]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=13170&l=dis
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
DPF: {52DFD4CA-F497-427D-8616-604915CCEA51} - hxxp://hanindisk.com/app/HaninDiskCtrl.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\2410kbif.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL -
FF - HiddenExtension: XUL Cache: {562650E0-CC74-46E5-AF3C-9E4692C038E3} - c:\documents and settings\Owner\Local Settings\Application Data\{562650E0-CC74-46E5-AF3C-9E4692C038E3}
FF - HiddenExtension: XUL Cache: {F5A03B21-46AB-425F-A18F-EA9F44CB03B9} - c:\documents and settings\Administrator\Local Settings\Application Data\{F5A03B21-46AB-425F-A18F-EA9F44CB03B9}
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-11 19:01
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3256)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\JAVA\JRE6\BIN\JQS.EXE
c:\windows\system32\wdfmgr.exe
c:\windows\system32\Rundll32.exe
.
**************************************************************************
.
Completion time: 2009-09-11 19:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-11 23:09
ComboFix2.txt 2009-09-11 06:04
ComboFix3.txt 2009-09-10 15:40
ComboFix4.txt 2009-09-10 07:27
Pre-Run: 6,627,442,688 bytes free
Post-Run: 6,595,428,352 bytes free
165 --- E O F --- 2009-09-10 07:07
--------------------------------------------------------------------------------------------
And this is the new HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:51:37 PM, on 11/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AhnLab\SiteGuard\SGsvc.exe
C:\Program Files\AhnLab\V3Lite\V3LSvc.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\AhnLab\V3Lite\V3LTray.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\MicroStar\WLANUtility\WlanUtility.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Site Gaurd - {19217B99-F935-4A39-B857-A68A68D5BEBB} - C:\Program Files\AhnLab\SiteGuard\SGAgenti.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [AhnLab V3Lite Tray Process] "C:\Program Files\AhnLab\V3Lite\V3LTray.exe" /logon
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.trigem.co.kr/
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {52DFD4CA-F497-427D-8616-604915CCEA51} (HaninDiskCtrl Control) - http://hanindisk.com...ninDiskCtrl.cab
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: AhnLab SiteGuard Service (SGsvc) - AhnLab, Inc. - C:\Program Files\AhnLab\SiteGuard\SGsvc.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: V3 Lite Service - AhnLab, Inc. - C:\Program Files\AhnLab\V3Lite\V3LSvc.exe
--
End of file - 4546 bytes
------------------------------------------------------------------------------------------------
So, what would be the next step?
#8
Posted 12 September 2009 - 08:19 AM
Hi,
Things are looking good.
Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.
- Click Start Scanning.
- You should get a notification bar (on top) to install the ActiveX control.
- Click on it and select to install the ActiveX.
- Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
- In case you are having problems with installing the ActiveX/starting the scan, please read here.
- Click the Full System Scan button.
- It will start to download scanner components and databases. This can take a while.
- The main scan will start.
- Once the scan has finished scanning, click the Automatic cleaning (recommended) button.
- It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
- The cleaning can take a while, so please be patient.
- Then click the Show report button and Copy/Paste what is present under results in your next reply.
Next, download my Security Check from here or here.
- Save it to your Desktop.
- Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
- A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Let me know how things are running now and what issues remain.
-screen317
#9
Posted 13 September 2009 - 03:46 AM
Hi, screen317? Thank you for the previous post.
It's amazing that you actually developed your own software to check the system. I do really admire you.
OK, so these are the results I've got from the F-Secure Online Scanner and your Security Check.
-----------------------------------------------------
F-Secure Online Scanner
7 malware found
TrackingCookie.Atdmt (spyware)
* System (Disinfected)
Trojan.Downloader.Agent.AATA (virus)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{7F15E085-2075-4636-BD99-66F8D8DE3A31}\RP104\A0017926.DLL (Renamed & Submitted)
Trojan.Downloader.Agent.AASR (virus)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{7F15E085-2075-4636-BD99-66F8D8DE3A31}\RP103\A0016224.DLL (Renamed & Submitted)
Trojan-Downloader:W32/Bredolab.gen!C (virus)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{7F15E085-2075-4636-BD99-66F8D8DE3A31}\RP103\A0016225.EXE (Renamed & Submitted)
Trojan-Downloader:W32/Bredolab.gen!C (virus)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{7F15E085-2075-4636-BD99-66F8D8DE3A31}\RP101\A0016016.EXE (Renamed & Submitted)
Trojan.Downloader.Cutwail.L (virus)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{7F15E085-2075-4636-BD99-66F8D8DE3A31}\RP96\A0014590.EXE (Renamed & Submitted)
Trojan.Downloader.Cutwail.L (virus)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{7F15E085-2075-4636-BD99-66F8D8DE3A31}\RP96\A0014588.EXE (Renamed & Submitted)
Statistics
Scanned:
* Files: 32613
* System: 2806
* Not scanned: 6
Actions:
* Disinfected: 1
* Renamed: 6
* Deleted: 0
* Not cleaned: 0
* Submitted: 6
Files not scanned:
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
-------------------------------------------------------------
Security Check
Results of screen317's Security Check version 0.98.9
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
Windows Live OneCare safety scanner
Windows Live OneCare safety scanner
``````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java 6 Update 16
Adobe Flash Player 10
Adobe Reader 7.0 - Korean
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent
Owner LOCALS~1 Temp OnlineScanner\Anti-Virus\fsgk32.exe
Owner LOCALS~1 Temp OnlineScanner\Anti-Virus\fssm32.exe
Owner LOCALS~1 Temp fsonlinescanner.exe
``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)
`````````End of Log```````````
---------------------------------------------------------------------------------------------
OK, so please let me know what I should do next.
#10
Posted 14 September 2009 - 07:27 AM
Hi,
Aww... Thank you for the kind words; they're appreciated.
Quote
It's amazing that you actually developed your own software to check system. I do really admire you.
Navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u.
This uninstalls all of ComboFix's components.
Delete SecurityCheck.
After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):
Adobe Reader 7.0
Restart your computer.
Get the latest version of Adobe Reader.
If there are no other issues, please take the following steps to help prevent infection in the future:
1) It is vital that you have a firewall. The one that comes with Windows XP is not sufficient in that it only checks incoming data. I recommend selecting one of the following free firewalls. Be sure to only install one.
Kerio
Comodo
Outpost
2) It is imperative that you have an antivirus. You are basically asking for infection without one.
All of the following are excellent free antiviruses. Be sure to only install one.
AVG
AntiVir
avast!
3) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.
4) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.
5) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.
6) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.
7) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
- Green to go
- Yellow for caution
- Red to stop
8) Be sure to update your Antivirus and Antispyware programs often!
Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?
Safe surfing,
-screen317
#11
Posted 14 September 2009 - 08:41 PM
Hello, screen317? Thanks a million for all your help and great tips!
I have just checked my computer with Malwarebytes and, yeah, I cannot detect any single spyware!
I really appreciate your great help and won't forget it!
Now, I should be more concerned about opening email from unknown senders and follow the advice you suggested in your previous post.
I feel I am really lucky to meet you in this forum. You did not just fix my computer, but also gave me wonderful tips which will surely protect the system in the future.
Again, thank you very much!
감사합니다 Gamsa hamnida! (thank you in Korean)
#12
Posted 16 September 2009 - 01:48 AM
Hi Francis84,
I hope I get this right...
천만에요 (You're welcome in Korean)
Glad we could help.
Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.
-screen317