Hi, my computer recently got infected by spyware which forced me to use the Total Security anti-virus program (which is itself spyware) and turned my wallpaper into a warning message (Warning - You're in danger).
I managed to remove them from my computer using Malwarebytes (thanks to the Malwarebytes developers!), but two threats persistently stay in the system. They are Trojan.Vundo.H and they cannot be completely removed by Malwarebytes.
So, I decided to follow the steps taken by people who had suffered from Trojan.Vundo.H and actually solved it using HijackThis and ComboFix. I am unable to analyze the logs created by HijackThis and ComboFix, so if somebody could help me out with this, I'd really appreciate it.
The initial log I got from HijackThis is as follows:
--------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:42:55 AM, on 10/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AhnLab\SiteGuard\SGsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\MicroStar\WLANUtility\WlanUtility.exe
D:\Essential Utilities\한컴 쪽지\hncnote.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Site Gaurd - {19217B99-F935-4A39-B857-A68A68D5BEBB} - C:\Program Files\AhnLab\SiteGuard\SGAgenti.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [AhnLab V3Lite Tray Process] "C:\Program Files\AhnLab\V3Lite\V3LTray.exe" /logon
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.trigem.co.kr/
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {52DFD4CA-F497-427D-8616-604915CCEA51} (HaninDiskCtrl Control) - http://hanindisk.com...ninDiskCtrl.cab
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: AhnLab SiteGuard Service (SGsvc) - AhnLab, Inc. - C:\Program Files\AhnLab\SiteGuard\SGsvc.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: V3 Lite Service - AhnLab, Inc. - C:\Program Files\AhnLab\V3Lite\V3LSvc.exe
--
End of file - 4608 bytes
------------------------------------------------------------------------------------------
Now, these are the logs created by HijackThis and ComboFix after I used the ComboFix scanning tool:
-------------------------------------------------------------------------------------------
Hijackthis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:48 AM, on 10/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AhnLab\SiteGuard\SGsvc.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\MicroStar\WLANUtility\WlanUtility.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Site Gaurd - {19217B99-F935-4A39-B857-A68A68D5BEBB} - C:\Program Files\AhnLab\SiteGuard\SGAgenti.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [AhnLab V3Lite Tray Process] "C:\Program Files\AhnLab\V3Lite\V3LTray.exe" /logon
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.trigem.co.kr/
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {52DFD4CA-F497-427D-8616-604915CCEA51} (HaninDiskCtrl Control) - http://hanindisk.com...ninDiskCtrl.cab
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: AhnLab SiteGuard Service (SGsvc) - AhnLab, Inc. - C:\Program Files\AhnLab\SiteGuard\SGsvc.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: V3 Lite Service - AhnLab, Inc. - C:\Program Files\AhnLab\V3Lite\V3LSvc.exe
--
End of file - 4396 bytes
----------------------------------------------------------------------------------------------
Combofix Log
ComboFix 09-09-09.09 - Owner 10/09/2009 11:30.2.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.949.82.1042.18.223.118 [GMT -4:00]
Running from: c:\documents and settings\Owner\바탕 화면\ComboFix.exe
AV: V3 Lite *On-access scanning disabled* (Updated) {A5B78720-5B41-4D39-B70F-131ABDA6F977}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2009-08-10 to 2009-09-10 )))))))))))))))))))))))))))))))
.
2009-09-10 07:42 . 2009-09-10 07:42 -------- d-----w- c:\program files\Trend Micro
2009-09-10 01:26 . 2009-06-21 21:43 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-09 16:13 . 2009-09-09 16:13 -------- d-----w- c:\windows\Sun
2009-09-09 16:04 . 2009-09-09 16:02 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-09 16:01 . 2009-09-09 16:01 -------- d-----w- c:\program files\Java
2009-09-08 17:14 . 2009-09-08 17:14 -------- d-----w- c:\temp\AUtempR
2009-09-08 16:39 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-08 16:39 . 2009-09-08 16:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-08 16:39 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-08 16:33 . 2009-09-08 16:33 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-09-08 16:33 . 2009-09-08 16:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-08 15:51 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-09-08 15:51 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-09-03 04:10 . 2009-09-05 16:54 120 ----a-w- c:\windows\Xjamahalafunan.dat
2009-09-03 01:29 . 2009-09-03 01:29 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{562650E0-CC74-46E5-AF3C-9E4692C038E3}
2009-08-30 18:58 . 2009-08-30 18:58 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2009-08-17 23:45 . 2009-08-17 23:45 -------- d-----w- c:\program files\XviD
2009-08-17 23:45 . 2009-08-17 23:45 -------- d-----w- c:\program files\AviSynth 2.5
2009-08-17 23:45 . 2009-08-17 23:45 -------- d-----w- c:\program files\Gabest
2009-08-13 06:23 . 2009-07-10 13:26 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-10 10:37 . 2009-05-16 20:03 1646896 ----a-w- c:\windows\system32\drivers\v3engine.sys
2009-09-10 10:37 . 2009-05-16 20:03 1282736 ----a-w- c:\windows\system32\drivers\ahnsze.sys
2009-09-10 05:52 . 2009-06-15 04:55 18 ----a-w- c:\windows\system32\lastdo.dat
2009-09-10 01:46 . 2009-09-10 01:46 1910 ----a-w- c:\program files\agkukam.txt
2009-08-05 08:59 . 2004-08-05 16:00 202752 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-21 01:13 . 2009-05-16 19:53 19616 ----a-w- c:\windows\system32\drivers\CdmDrvNt.sys
2009-07-17 19:02 . 2004-08-05 16:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 06:56 . 2009-05-16 19:53 52416 ----a-w- c:\windows\system32\drivers\AhnRghNt.sys
2009-07-12 16:21 . 2004-08-05 16:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 15:56 . 2004-08-05 16:00 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 15:56 . 2004-08-05 16:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 15:55 . 2004-08-05 16:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-16 14:39 . 2004-08-05 16:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:39 . 2004-08-05 16:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 10:44 . 2004-08-05 16:00 87552 ----a-w- c:\windows\system32\telnet.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
------- Sigcheck -------
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-06-20 . D9F19E78F98834CB411D6AD3C68D181A . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2004-08-05 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-06 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-06 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-06 455168]
"SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2004-09-02 249856]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-03 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-03 536576]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2006-02-14 507904]
"AhnLab V3Lite Tray Process"="c:\program files\AhnLab\V3Lite\V3LTray.exe" [2009-08-26 318136]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-09 149280]
"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2004-09-02 49152]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Owner\시작 메뉴\프로그램\시작프로그램\
hncnote의 바로 가기.lnk - d:\essential utilities\한컴 쪽지\hncnote.exe [2006-2-23 143360]
c:\documents and settings\All Users\시작 메뉴\프로그램\시작프로그램\
Utility Tray.lnk - c:\windows\system32\sistray.exe [2009-5-15 331776]
WlanUtility.lnk - c:\program files\MicroStar\WLANUtility\WlanUtility.exe [2004-4-2 143360]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli itrsg10.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^시작 메뉴^프로그램^시작프로그램^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^시작 메뉴^프로그램^시작프로그램^WlanUtility.lnk]
backup=c:\windows\pss\WlanUtility.lnkCommon Startup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\CrazyFile\\CrazyFile.exe"=
"d:\\Essential Utilities\\hncnote\\hncnote.exe"=
"c:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe"=
"d:\\Essential Utilities\\한컴 쪽지\\hncnote.exe"=
"c:\\Documents and Settings\\Owner\\시작 메뉴\\프로그램\\시작프로그램\\hncnote.exe"=
"c:\\Documents and Settings\\Owner\\바탕 화면\\slsk.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"d:\\Essential Utilities\\CNAA AEAo\\hncnote.exe"=
R2 SGsvc;AhnLab SiteGuard Service;c:\program files\AhnLab\SiteGuard\SgSvc.exe [16/05/2009 3:53 PM 412232]
R3 AhnRghNt;AhnRghNt;c:\windows\system32\drivers\AhnRghNt.sys [16/05/2009 3:53 PM 52416]
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [15/05/2009 8:50 PM 191092]
R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [15/05/2009 8:50 PM 6100]
S0 qmokeq;qmokeq;c:\windows\system32\drivers\dswgwov.sys --> c:\windows\system32\drivers\dswgwov.sys [?]
S0 qxnd;qxnd;c:\windows\system32\drivers\guxsuj.sys --> c:\windows\system32\drivers\guxsuj.sys [?]
S0 ssagj;ssagj;c:\windows\system32\drivers\buxk.sys --> c:\windows\system32\drivers\buxk.sys [?]
S0 uxyh;uxyh;c:\windows\system32\drivers\iquysd.sys --> c:\windows\system32\drivers\iquysd.sys [?]
S2 V3 Lite Service;V3 Lite Service;c:\program files\AhnLab\V3Lite\V3LSvc.exe [16/05/2009 3:53 PM 289464]
S3 AhnFlt2k;AhnFlt2k;c:\windows\system32\drivers\AhnFlt2k.sys [16/05/2009 3:53 PM 52672]
S3 AhnRec2k;AhnRec2k;c:\windows\system32\drivers\AhnRec2k.sys [16/05/2009 3:53 PM 20032]
S3 AhnSZE;AhnSZE;c:\windows\system32\drivers\ahnsze.sys [16/05/2009 4:03 PM 1282736]
S3 ASZFltNt;ASZFltNt;c:\progra~1\AhnLab\V3Lite\ASZFltNt.sys [16/05/2009 3:53 PM 124480]
S3 ATamptNt_V3LITE;ATamptNt_V3LITE;c:\progra~1\AhnLab\V3Lite\ATamptNt.sys [29/05/2009 12:04 PM 102272]
S3 CdmDrvNt;CdmDrvNt;c:\windows\system32\drivers\CdmDrvNt.sys [16/05/2009 3:53 PM 19616]
S3 v3engine;v3engine;c:\windows\system32\drivers\v3engine.sys [16/05/2009 4:03 PM 1646896]
S3 V3Flt2K;V3Flt2K;c:\progra~1\AhnLab\V3Lite\V3Flt2K.sys [16/05/2009 3:53 PM 140672]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=13170&l=dis
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
DPF: {52DFD4CA-F497-427D-8616-604915CCEA51} - hxxp://hanindisk.com/app/HaninDiskCtrl.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\2410kbif.default\
FF - prefs.js: browser.search.selectedEngine - Naver
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL -
FF - HiddenExtension: XUL Cache: {562650E0-CC74-46E5-AF3C-9E4692C038E3} - c:\documents and settings\Owner\Local Settings\Application Data\{562650E0-CC74-46E5-AF3C-9E4692C038E3}
FF - HiddenExtension: XUL Cache: {F5A03B21-46AB-425F-A18F-EA9F44CB03B9} - c:\documents and settings\Administrator\Local Settings\Application Data\{F5A03B21-46AB-425F-A18F-EA9F44CB03B9}
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-10 11:37
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(540)
c:\windows\itrsg10.dll
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(2844)
c:\windows\system32\WININET.dll
c:\windows\itrsg10.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-09-10 11:39
ComboFix-quarantined-files.txt 2009-09-10 15:39
ComboFix2.txt 2009-09-10 07:27
Pre-Run: 6,724,894,720 바이트 남음
Post-Run: 6,695,813,120 바이트 남음
161 --- E O F --- 2009-09-10 07:07
---------------------------------------------------------------------------------------------------------
Please help me... I am so afraid that the system will get screwed up again by Trojan.Vundo.H, which has persistently stayed in the system... Thank you in advance.
#1
Posted 10 September 2009 - 11:24 PM
#2
Posted 14 September 2009 - 07:17 AM
#3
Posted 23 September 2009 - 08:31 AM
Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.
Other members who need assistance please start your own topic in a new thread. Thanks!
The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.