Thread: trojan, adware, etc.

  1. #1
    Junior Member
    Join Date
    Dec 2010
    Posts
    2

    Hello, all ~ ^^

    I'm writing this from the main computer in a classroom, and it might be connected to twenty other computers in here... But I think not? We never use them anyway. It is hooked up to a touchscreen. I have had the IT guy in here, but he apparently didn't really remove the issues, so I'm asking you all for assistance.

    The previous user appears to have downloaded all sorts of garbage, and I'm only now coming to figure out what it is and how to get rid of it. The system is running on a Korean language version of Windows (I'm in Korea), so I'm a little hazy on how to wade through things (I only read a little Korean). That, and lots of the junk programs are Korean. I ran Spybot a while ago and it found and removed a lot of stuff. Then I ran AVG Free; it also found and removed a lot (viruses, etc.). I have manually (via Add/Remove Programs) uninstalled some adware. One thing did not uninstall all the way (KTHOpensearch), and that appears to be because kosguide.dll is active and preventing me from fixing things easily. I think there are probably other issues I don't know about; you'll be able to tell from the log. Windows cannot update. I may have more than one anti-virus program loaded on this computer. I know a couple were bogus, but there could be some legitimate (but ineffective) Korean program operating. I downloaded and ran AVG.


    Thank you in advance for your help and time.

    ---

    DDS (Ver_10-12-05.01) - NTFSx86
    Run by Administrator at 9:32:38.22 on 12/06/2010 Mon
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.949.1.1042.18.1790.1041 [GMT 9:00]

    AV: V3 Internet Security *On-access scanning enabled* (Outdated) {D881C1F7-6566-4C80-82F8-BA5258DDD50E}
    AV: AVG Anti-Virus Free Edition 2011 *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: V3 Internet Security *disabled* {6CBF11B7-327F-4AB6-BBD3-AE8650A9D64C}

    ============== Running Processes ===============

    C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\Program Files\Common Files\AhnLab\ACA\ACAAS.exe
    C:\Program Files\Common Files\AhnLab\ACA\ACAEGMgr.exe
    C:\Program Files\AhnLab\V3IS2007\MSProxy.ahn
    C:\Program Files\Common Files\AhnLab\ACA\ACAIS.exe
    C:\Program Files\AhnLab\Smart Update Utility\AhnSDsv.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\WINDOWS\InciterInstaller\ICService.exe
    C:\Program Files\NEXIO\iNexio IR Touch Driver\XYNTService.exe
    C:\Program Files\NEXIO\iNexio IR Touch Driver\SerialTouchService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\NetClass Magic Manager\QDNTSrv.exe
    C:\Program Files\NEXIO\iNexio IR Touch Driver\UsbTouchService.exe
    C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\Program Files\AVG\AVG10\avgnsx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AhnLab\Smart Update Utility\AhnSD.exe
    C:\PROGRA~1\COMMON~1\AhnLab\ACA\ACASP.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\LiveEnglish\Server\Server.exe
    C:\Program Files\SmartKeyword\SkeyAgent.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\InciterInstaller\ICAgent30.exe
    C:\Program Files\SoftRun\Inciter2006\ICNotify.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\PROGRA~1\AVG\AVG10\avgrsx.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrator\My Documents\Danielle\dds\dds.scr
    C:\WINDOWS\system32\conime.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    BHO: onplus2 Class: {0c13445a-91a4-4ab5-a39b-025fd36dc428} - c:\program files\onplus2\onplusrw.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: 탭브라우징: {34fc7b59-c254-4fc5-bdf8-660b242d601b} - c:\progra~1\tabbro~1\TABBRO~1.DLL
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: WinSmartTop: {41d8604f-e6e6-4ef5-bb3e-6eda19561209} - c:\program files\smartkeyword\WinSmartTop.dll
    BHO: KOSGuide: {435ae613-e699-4f6d-aeb0-f92510c8d100} - c:\progra~1\kthope~1\kosguide.dll
    BHO: &Ohbingo Toolkit: {67421a26-71f2-4e57-89b2-e49c6fd90da1} - c:\program files\greenopen2\OhToolkit.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
    BHO: SmartKeywordBHO Class: {bc92c53e-a5c1-4d33-995c-ab7bb869e0e6} - c:\program files\smartkeyword\SmartKeyword.dll
    BHO: {C9EC89B6-5BA9-45C7-9B07-9E7B5DB09A25} - No File
    BHO: td: {cc01fc6c-f5e8-882e-5166-c67af3aa2f88} - c:\docume~1\admini~1\applic~1\SNYGWEOT.dll
    TB: 탭브라우징: {34fc7b59-c254-4fc5-bdf8-660b242d601b} - c:\progra~1\tabbro~1\TABBRO~1.DLL
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [CoolMessenger] "c:\program files\cool messenger 5.6\CoolMessenger.exe"
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [AHNSD] "c:\program files\ahnlab\smart update utility\AhnSD.exe"
    mRun: [AhnLab Session Process] "c:\progra~1\common~1\ahnlab\aca\ACASP.exe"
    mRun: [Korean IME Migration] c:\progra~1\common~1\micros~1\ime12\imekr\IMKRMIG.EXE
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [LiveEnglishServer] c:\liveenglish\server\Server.exe
    mRun: [PFGStart] "c:\documents and settings\administrator\application data\pandora_download\autogetupgrade.exe"
    mRun: [SmartKeyword] c:\program files\smartkeyword\SkeyAgent.exe
    mRun: [tabbrowsing] c:\program files\tabbrowsing\tabbrowsingnapp.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [cleanscanS] c:\program files\cleanscan\cleanscanU.exe
    mRun: [PowerCom] "c:\program files\powercom\pwcup.exe" boot
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    dRun: [ctfmon.exe] ctfmon.exe
    StartupFolder: c:\docume~1\admini~1\시작메~1\프로그램\시작프~1\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    IE: Microsoft Excel로 내보내기(&X) - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {0376AE42-F9FD-4FBF-BB8F-685C10A2A695} - hxxp://lefedu.ken.go.kr/cab/markany/MaWebSAFER_KERIS.cab
    DPF: {0DFA67D7-B78C-40A7-B583-E7090D5F38C6} - hxxp://lefedu.ken.go.kr/cab/TrustForm/TFBroker.cab
    DPF: {2ECE445A-56C3-47C5-8E76-F035A2C3AD33} - hxxp://www.on-plus.net/ocx/pcboan2009x.ocx
    DPF: {3D2CF5AA-6D92-4784-8BDA-20EE9098854F} - hxxp://www.nrsoft.net/Offistor.cab
    DPF: {3D87CA07-45F6-4961-8FCF-425F1F5DB5C6} - hxxp://lef.ken.go.kr/cab/TrustForm/TFStarter.cab
    DPF: {779002E4-B41E-49F4-91A3-60188A236AAE} - hxxp://lefedu.ken.go.kr/cab/EWS/BTWSSOClientForItg.cab
    DPF: {8218BB3D-2D62-4719-B6EC-FEBE7A079CBD} - hxxp://imgcdn.pandora.tv/pan_img/app/FirstLoad1.0.0.3.cab
    DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxp://lefedu.ken.go.kr/cab/EWS/msxml4.cab
    DPF: {970E1B88-8AC1-4E31-86D6-BFA769CEF7A6} - hxxp://ebse.co.kr/ebs/ActiveX/eGEBS.cab
    DPF: {9FC84F7D-D177-4A75-A7BB-429DA5BD0A3E}
    DPF: {BBB0FC2D-1D95-45CA-BDCF-03B53F247FCC} - hxxp://lefedu.ken.go.kr/cab/EWS/ewsinstaller_full.cab
    DPF: {C7C7225A-9476-47AC-B0B0-FF3B79D55E67} - hxxp://lefedu.ken.go.kr/cab/oz_report/ZTransferX.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - hxxp://update.nprotect.net/keycrypt/lef/npkcx_090924.cab
    DPF: {DA33B535-768B-4A72-BEDE-82DA7D5094FA} - hxxp://122.153.79.92/InciterX.cab
    DPF: {DC4207CE-C03E-4449-ACB1-032CA4137053} - hxxp://update.nprotect.net/nprotect2007/lef/npz.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {FE342FC7-4374-4EBE-86DB-D73AE861F779} - hxxp://file.naver.com/activex/test/NaverAXGuide.cab
    TCP: {F0E1A06C-4AD5-4470-83A5-64DB49B57505} = 210.220.16.7
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
    Hosts: 127.0.0.1 www.spywareinfo.com

    ============= SERVICES / DRIVERS ===============

    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
    R1 AMonTDnt;AMonTDnt;c:\windows\system32\drivers\AMonTDnt.sys [2009-2-11 94712]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 299984]
    R2 AhnLab Application Service;AhnLab Application Service;c:\program files\common files\ahnlab\aca\ACAAS.exe [2009-2-11 32936]
    R2 AhnLab Guarantee Service;AhnLab Guarantee Service;c:\program files\common files\ahnlab\aca\ACAEGMgr.exe [2009-2-11 47792]
    R2 AhnLab Information Service;AhnLab Information Service;c:\program files\common files\ahnlab\aca\ACAIS.exe [2009-2-11 32936]
    R2 AhnLab Task Scheduler;AhnLab Task Scheduler;c:\program files\ahnlab\smart update utility\AhnSDsv.exe [2009-2-11 174792]
    R2 AMonHKnt;AMonHKnt;c:\windows\system32\drivers\AMonHKnt.sys [2009-2-11 53272]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-10 6127184]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
    R2 ICService;Inciter Agent Control Service;c:\windows\inciterinstaller\icservice.exe -r --> c:\windows\inciterinstaller\ICService.exe -r [?]
    R2 iNexioTouchDriverService;iNexioTouchDriverService;c:\program files\nexio\inexio ir touch driver\XYNTService.exe [2009-11-16 57344]
    R2 Query_Service;QueryServer;c:\program files\netclass magic manager\QDNTSrv.exe [2009-10-31 502784]
    R3 AhnFlt2k;AhnFlt2k;c:\windows\system32\drivers\AhnFlt2k.sys [2009-2-11 52592]
    R3 AhnRec2k;AhnRec2k;c:\windows\system32\drivers\AhnRec2k.sys [2009-2-11 20456]
    R3 AhnRghNt;AhnRghNt;c:\windows\system32\drivers\AhnRghNt.sys [2009-2-11 35432]
    R3 AhnSZE;AhnSZE;c:\windows\system32\drivers\AhnSZE.sys [2009-2-11 1434064]
    R3 ASZFltNt;ASZFltNt;c:\progra~1\ahnlab\v3is2007\ASZFltNt.sys [2009-2-11 112616]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
    R3 CdmDrvNt;CdmDrvNt;c:\windows\system32\drivers\CdmDrvNT.sys [2009-2-11 19640]
    R3 ISFWEnt;ISFWEnt;c:\program files\ahnlab\v3is2007\ISFWENt.sys [2009-2-11 143952]
    R3 ISIPSEnt;ISIPSEnt;c:\program files\ahnlab\v3is2007\ISIPSENt.sys [2009-2-11 139464]
    R3 ISPIBEnt;ISPIBEnt;c:\program files\ahnlab\v3is2007\ISPIBENt.sys [2009-2-11 128360]
    R3 ISPrxEnt;ISPrxEnt;c:\program files\ahnlab\v3is2007\ISPrxENT.sys [2009-2-11 77136]
    R3 ISTrkEnt;ISTrkEnt;c:\program files\ahnlab\v3is2007\ISTrkENt.sys [2009-2-11 90936]
    R3 RndPlusMouse;iNexio Class TouchController Driver;c:\windows\system32\drivers\RndPlusMouse.sys [2009-11-2 17152]
    R3 v3engine;v3engine;c:\windows\system32\drivers\V3Engine.sys [2009-2-11 1908304]
    R3 V3Flt2K;V3Flt2K;c:\progra~1\ahnlab\v3is2007\V3Flt2K.sys [2009-2-11 126840]
    R3 V3IFt2K;V3IFt2K;c:\progra~1\ahnlab\v3is2007\V3IFt2K.sys [2009-2-11 77560]
    S2 NS_Backup;NSBackup;c:\program files\netclass magic manager\bkntsrv.exe --> c:\program files\netclass magic manager\BKNTSrv.exe [?]
    S3 ArfMonNt;ArfMonNt;c:\program files\ahnlab\v3is2007\ArfMonNt.sys [2009-2-11 118768]
    S3 atm6124;iNexio IR Touch Device Driver;c:\windows\system32\drivers\atm6124.sys [2009-11-2 15244]
    S3 NPFWFLT;NPFWFLT;c:\windows\system32\npfwflt.sys [2009-11-19 41216]
    S3 NPIDS;NPIDS;c:\windows\system32\npids.sys [2009-11-19 48384]

    =============== Created Last 30 ================

    2010-11-17 06:01:57 -------- d--h--w- C:\$AVG
    2010-11-17 05:52:38 -------- d-----w- c:\docume~1\admini~1\applic~1\AVG10
    2010-11-17 05:51:40 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
    2010-11-17 05:50:51 -------- d-----w- c:\windows\system32\drivers\AVG
    2010-11-17 05:50:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
    2010-11-17 05:50:33 -------- d-----w- c:\program files\AVG
    2010-11-17 05:47:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
    2010-11-17 00:09:15 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Adobe
    2010-11-17 00:05:00 -------- d-----w- c:\program files\tabbrowsing
    2010-11-17 00:05:00 -------- d-----w- c:\program files\KTHOpenSearch

    ==================== Find3M ====================

    2010-11-26 11:44:00 1871440 ----a-w- c:\windows\system32\btscan.exe
    2010-10-13 00:54:04 90112 ----a-w- c:\windows\DUMP32b8.tmp
    2010-09-18 06:52:54 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:52:54 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:52:54 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-18 03:22:56 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-10 05:47:59 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:47:50 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:47:50 1469440 ------w- c:\windows\system32\inetcpl.cpl

    ============= FINISH: 9:33:08.06 ===============
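    As an added triage example (not from the thread, Spybot, or the DDS tool itself), the script below parses a handful of lines written in the DDS report format shown in the log above and flags what a helper would look at first: more than one on-access scanner enabled, outdated signatures, a BHO whose file is missing, browser add-ons or autoruns launched from the user profile, and a hosts entry that sends a security site to loopback. The line formats are assumed from the log above and the sample is constructed from a few of its lines.

```python
import re

# Constructed sample in the DDS "Pseudo HJT Report" style (format assumed from the log).
SAMPLE = r"""
AV: V3 Internet Security *On-access scanning enabled* (Outdated) {D881C1F7-6566-4C80-82F8-BA5258DDD50E}
AV: AVG Anti-Virus Free Edition 2011 *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {C9EC89B6-5BA9-45C7-9B07-9E7B5DB09A25} - No File
BHO: td: {cc01fc6c-f5e8-882e-5166-c67af3aa2f88} - c:\docume~1\admini~1\applic~1\SNYGWEOT.dll
mRun: [PFGStart] "c:\documents and settings\administrator\application data\pandora_download\autogetupgrade.exe"
Hosts: 127.0.0.1 www.spywareinfo.com
"""
# One regex per DDS line type we care about (AV/FW status, BHO/toolbar, Run keys, hosts).
AV_RE = re.compile(r"^(?P<kind>AV|FW): (?P<name>.+?) \*(?P<state>[^*]+)\*(?: \((?P<upd>\w+)\))? \{")
EXT_RE = re.compile(r"^(?P<kind>BHO|TB): (?:(?P<name>.*?): )?\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<kind>[umd]Run): \[(?P<name>[^\]]+)\] (?P<path>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)$")
PROFILE_DIRS = ("applic~1", "application data", "locals~1", "local settings")

def parse(text):
    """Turn DDS report lines into dicts; lines in other formats are skipped."""
    items = []
    for line in text.splitlines():
        for rx in (AV_RE, EXT_RE, RUN_RE, HOSTS_RE):
            m = rx.match(line.strip())
            if m:
                d = m.groupdict()
                d.setdefault("kind", "Hosts")  # HOSTS_RE has no kind group
                items.append(d)
                break
    return items

def triage(items):
    """Return (kind, name, reason) tuples for entries worth a second look."""
    hits = []
    av_on = [i["name"] for i in items if i["kind"] == "AV" and "enabled" in i["state"]]
    if len(av_on) > 1:  # two resident scanners fight each other and slow the box
        hits.append(("AV", ", ".join(av_on), "more than one on-access scanner enabled"))
    for i in items:
        if i["kind"] in ("AV", "FW") and i.get("upd") == "Outdated":
            hits.append((i["kind"], i["name"], "signatures outdated"))
        path = (i.get("path") or "").strip('"').lower()
        if path == "no file":  # registration left behind after the DLL was deleted
            hits.append((i["kind"], i.get("name") or i.get("clsid"), "orphaned registration, file missing"))
        elif any(d in path for d in PROFILE_DIRS):  # legit add-ons rarely live under the profile
            hits.append((i["kind"], i["name"], "runs from a user profile directory"))
        if i["kind"] == "Hosts" and i["ip"].startswith("127.") and i["host"] != "localhost":
            hits.append(("Hosts", i["host"], "site redirected to loopback"))
    return hits
```

Run `triage(parse(SAMPLE))` to get the six flagged entries for the constructed sample; point `parse` at a full pasted log to use it on a real report.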

  2. #2
    tashi, Member of Team Spybot
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961

    Hello kpress,
    Quote Originally Posted by kpress:
    I'm writing this from the main computer in a classroom, and it might be connected to twenty other computers in here... But I think not? We never use them anyway. It is hooked up to a touchscreen. I have had the IT guy in here, but he apparently didn't really remove the issues, so I'm asking you all for assistance.
    Please see: Personal computers or.....

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  3. #3
    Junior Member
    Join Date
    Dec 2010
    Posts
    2

    Ha, yes, I had read that advisory post before and thought that might be why I hadn't heard from anyone yet. Thanks for getting back to me, regardless. ^^
