Yet another Smitfraud



Pandabear Man
2008-10-14, 19:45
One of those keylogger/trojan/virus posters on the WoW forums finally got me. The most up-to-date Spybot said it's the Smitfraud-C.gp variant. I tried deleting it in safe mode, but it's still popping up while being scanned. It kills my Firefox right as it launches, and right now if I try to block it with my firewall it kills my connection. I know there are a few threads, but it seems each case is unique, so pardon me if I'm wrong.

Here's my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:37:59 AM, on 10/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
D:\Program Files\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
C:\WINDOWS\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201608964296
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - D:\Program Files\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe

--
End of file - 4742 bytes

peku006
2008-10-14, 20:41
Hello and Welcome to the forums!

My name is peku006 and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Please continue to respond until I give you the "All Clear".
If you follow these instructions, everything should go smoothly.

We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

Pandabear Man
2008-10-15, 01:39
Sorry about the wait, I fell asleep on the couch by accident. Anyway, I've done what you've asked. The first time I may have screwed up: it said Resident AV was active, though I thought I had disabled the damned thing too.... It still found svchost.exe as infected and deleted it. This time it changed from Smitfraud, and ESET was saying it was the PSW.WOW.NES trojan. The next time I made sure everything was disabled and it just went through the stages without deleting anything. If that causes another headache, that's my bad :oops:.

Here's the new logs.

ComboFix

ComboFix 08-10-14.03 - Go Nagai 2008-10-14 15:25:15.4 - NTFSx86
Running from: C:\Documents and Settings\Go Nagai\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-09-14 to 2008-10-14 )))))))))))))))))))))))))))))))
.

2008-10-14 14:33 . 2008-10-14 14:33 37,695 --a------ C:\WINDOWS\system32\atlsystem330326.exe
2008-10-14 09:17 . 2008-10-14 09:17 39,424 --a------ C:\WINDOWS\system32\atlsystem66813.exe
2008-10-14 09:13 . 2008-10-14 09:13 <DIR> d-------- C:\Program Files\Linksys Wireless-G Wireless Network Monitor
2008-10-14 09:13 . 2004-12-22 01:32 1,396,831 --a------ C:\WINDOWS\system32\AegisE5.dll
2008-10-14 09:13 . 2003-11-20 22:03 651,264 --a------ C:\WINDOWS\system32\libeay32.dll
2008-10-14 09:13 . 2004-12-22 01:32 369,024 --a------ C:\WINDOWS\system32\drivers\bcmwl5.sys
2008-10-14 09:13 . 2003-11-20 22:03 147,456 --a------ C:\WINDOWS\system32\ssleay32.dll
2008-10-14 09:13 . 2005-03-04 03:13 71,520 --a------ C:\WINDOWS\system32\drivers\WMP54GS.inf
2008-10-14 09:13 . 2008-10-14 09:13 17,801 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-10-14 09:13 . 2005-03-07 11:50 7,986 --a------ C:\WINDOWS\system32\drivers\WMP54GS.cat
2008-10-14 09:06 . 2003-10-13 15:30 94,208 --a------ C:\WINDOWS\system32\GTW32N50.dll
2008-10-14 09:06 . 2003-09-25 23:28 31,930 --a------ C:\WINDOWS\system32\GTNDIS3.VXD
2008-10-14 09:06 . 2005-02-01 18:18 17,992 --a------ C:\WINDOWS\system32\bcm42rly.sys
2008-10-14 09:06 . 2003-09-25 22:15 15,872 --a------ C:\WINDOWS\system32\GTNDIS5.sys
2008-10-14 09:03 . 2008-10-14 09:13 4,200 --a------ C:\WINDOWS\system32\WLAN.INI
2008-10-14 08:54 . 2008-10-14 08:54 <DIR> d-------- C:\Documents and Settings\Go Nagai\Application Data\Malwarebytes
2008-10-14 08:54 . 2008-10-14 08:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-14 08:37 . 2008-10-14 08:37 39,424 --a------ C:\WINDOWS\system32\atlsystem83224.exe
2008-10-14 08:26 . 2008-10-14 09:37 2,504 --a------ C:\WINDOWS\system32\tmp.reg
2008-10-14 08:20 . 2008-10-12 21:22 <DIR> d-------- C:\SDFix
2008-10-14 08:05 . 2008-10-14 08:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-14 07:37 . 2008-10-14 07:41 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-14 07:37 . 2008-10-14 08:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-14 07:04 . 2008-10-14 07:04 <DIR> d-------- C:\Documents and Settings\Go Nagai\Application Data\ESET
2008-10-14 07:03 . 2008-10-14 07:03 39,424 --a------ C:\WINDOWS\system32\atlsystem11430.exe
2008-10-14 06:45 . 2008-10-14 06:45 <DIR> d-------- C:\Program Files\Uniblue
2008-10-14 06:43 . 2008-10-14 06:56 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-10-14 06:42 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-10-14 06:42 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-10-14 06:38 . 2008-10-14 06:38 39,424 --a------ C:\WINDOWS\system32\atlsystem352722.exe
2008-10-14 06:35 . 2008-10-14 06:35 21 --a------ C:\WINDOWS\download1
2008-10-14 06:35 . 2008-10-14 06:35 20 --a------ C:\WINDOWS\syscheck
2008-10-14 04:33 . 2008-10-14 04:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Blizzard
2008-10-11 05:08 . 2008-10-11 05:08 <DIR> d-------- C:\Program Files\directx
2008-10-11 05:08 . 2008-10-11 05:08 0 --a------ C:\WINDOWS\DXTFE1.tmp
2008-10-11 05:08 . 2008-10-11 05:08 0 --a------ C:\WINDOWS\DXTFE0.tmp
2008-10-11 05:08 . 2008-10-11 05:08 0 --a------ C:\WINDOWS\DXTFDF.tmp
2008-10-11 05:08 . 2008-10-11 05:08 0 --a------ C:\WINDOWS\DXTFDE.tmp
2008-10-10 23:57 . 2008-10-10 23:57 <DIR> d-------- C:\Program Files\Haali
2008-10-10 23:57 . 2008-10-10 23:57 <DIR> d-------- C:\Program Files\Combined Community Codec Pack
2008-10-10 23:55 . 2008-10-10 23:55 <DIR> d-------- C:\Program Files\CoreCodec
2008-10-08 03:33 . 2008-10-08 03:34 <DIR> d-------- C:\Program Files\Winamp
2008-10-08 03:33 . 2008-10-08 03:34 <DIR> d-------- C:\Documents and Settings\Go Nagai\Application Data\Winamp
2008-10-08 03:22 . 2008-10-08 03:22 <DIR> d-------- C:\Program Files\ASCII
2008-10-08 03:22 . 2000-03-07 00:00 473,600 --a------ C:\WINDOWS\system32\Harmony.dll
2008-10-08 03:22 . 2000-03-07 00:00 237,568 --a------ C:\WINDOWS\system32\Unlha32.dll
2008-10-08 03:22 . 2000-05-16 10:40 83,968 --a------ C:\WINDOWS\UnGins.exe
2008-10-07 01:21 . 2008-10-07 01:21 <DIR> d-------- C:\Program Files\Seagate
2008-10-04 22:27 . 2008-10-04 22:27 <DIR> d-------- C:\Documents and Settings\Go Nagai\Application Data\fltk.org
2008-10-04 22:17 . 2008-10-04 22:17 <DIR> d-------- C:\Logs
2008-10-03 18:36 . 2008-10-04 21:09 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-14 16:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-14 14:03 --------- d-----w C:\Program Files\ESET
2008-10-14 14:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-10-13 09:33 --------- d-----w C:\Documents and Settings\Go Nagai\Application Data\Azureus
2008-10-10 15:58 82,944 ----a-w C:\WINDOWS\system32\o4Patch.exe
2008-10-10 15:58 82,944 ----a-w C:\WINDOWS\system32\IEDFix.C.exe
2008-10-08 10:31 --------- d-----w C:\Program Files\DivX
2008-10-07 08:21 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-10-04 02:53 --------- d-----w C:\Program Files\Download Manager
2008-10-01 22:51 87,552 ----a-w C:\WINDOWS\system32\VACFix.exe
2008-09-09 06:38 88,576 ----a-w C:\WINDOWS\system32\AntiXPVSTFix.exe
2008-08-18 20:27 71,688 ----a-w C:\WINDOWS\system32\drivers\epfw.sys
2008-08-18 20:27 54,280 ----a-w C:\WINDOWS\system32\drivers\epfwtdi.sys
2008-08-18 20:27 30,728 ----a-w C:\WINDOWS\system32\drivers\epfwndis.sys
2008-08-18 20:19 53,256 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-08-18 20:18 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2008-08-18 19:19 82,432 ----a-w C:\WINDOWS\system32\404Fix.exe
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-01-29 11:04 556 ----a-w C:\Program Files\Shortcut to mplayerc.exe.lnk
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2008-08-01 1103216]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-12-22 221568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 8523776]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-08-18 1447168]
"nwiz"="nwiz.exe" [2007-12-05 C:\WINDOWS\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"msacm.divxa32"= msaud32_divx.acm
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PnkBstrA"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 npkcmsvc;npkcmsvc;D:\Program Files\Nexon\Mabinogi\npkcmsvc.exe [2007-08-02 80528]
S2 download02;Remote Access;C:\WINDOWS\System32\svchost.exe [2004-08-03 14336]
S2 wowsystemcode;Remote TCP/IPv6;C:\WINDOWS\System32\svchost.exe [2004-08-03 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
download02
wowsystemcode
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Go Nagai\Application Data\Mozilla\Firefox\Profiles\ha3pq5fs.default\
FF -: plugin - C:\Program Files\Download Manager\npfpdlm.dll
FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-14 15:26:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-14 15:26:37
ComboFix-quarantined-files.txt 2008-10-14 22:26:33

Pre-Run: 3,267,153,920 bytes free
Post-Run: 3,260,391,424 bytes free

148 --- E O F --- 2008-10-14 13:49:28


HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:31:02 PM, on 10/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
D:\Program Files\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201608964296
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - D:\Program Files\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe

--
End of file - 4898 bytes
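The indicators a helper reads out of the ComboFix and HijackThis output above (a second svchost.exe outside System32, two unknown svchost-hosted services that were also added to the NetSvcs group, and the firewall policy set to 0) can be pulled out mechanically. The triage script below is an added example, not part of this thread or of either tool; its sample log is constructed from the entries posted above, and the check names are my own.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "check detail")

SYSTEM32 = r"c:\windows\system32"

# Constructed sample in the shape of the HijackThis and ComboFix output
# posted in this thread: a process list, the firewall policy key, the
# service lines and the NetSvcs block.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svchost.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R2 npkcmsvc;npkcmsvc;D:\Program Files\Nexon\Mabinogi\npkcmsvc.exe [2007-08-02 80528]
S2 download02;Remote Access;C:\WINDOWS\System32\svchost.exe [2004-08-03 14336]
S2 wowsystemcode;Remote TCP/IPv6;C:\WINDOWS\System32\svchost.exe [2004-08-03 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
download02
wowsystemcode
"""

# ComboFix service line: "<R|S><start type> <name>;<display name>;<image> [date size]"
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.+?)\s+\[")


def triage(log_text):
    """Return the findings a helper would pull out of the posted logs."""
    findings = []
    svchost_services = {}   # service name -> display name, for svchost-hosted ones
    netsvcs = []            # names listed under the Svchost NetSvcs group
    in_netsvcs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_netsvcs = False      # a blank line ends the NetSvcs block
            continue
        low = line.lower()
        # 1. The real svchost.exe lives in System32; a copy in another
        #    directory (C:\WINDOWS\svchost.exe in the thread) is a decoy.
        if low.endswith(r"\svchost.exe") and not low.startswith(SYSTEM32 + "\\"):
            findings.append(Finding("svchost.exe outside System32", line))
            continue
        # 2. ComboFix omits legit default services, so any svchost-hosted
        #    service it does list was added by something and needs a look.
        m = SERVICE_RE.match(line)
        if m:
            name, display, image = m.groups()
            if image.lower().endswith(r"\svchost.exe"):
                svchost_services[name.lower()] = display
                findings.append(Finding("svchost-hosted service", f"{name} ({display})"))
            continue
        # 3. Windows Firewall policy switched off in the standard profile.
        if low.startswith('"enablefirewall"=') and low.split("=", 1)[1].strip().startswith("0"):
            findings.append(Finding("firewall disabled", line))
            continue
        # 4. Collect the names registered in the NetSvcs group.
        if low.endswith("svchost - netsvcs"):
            in_netsvcs = True
            continue
        if in_netsvcs:
            netsvcs.append(low)
    # Cross-reference: a non-default svchost service that was also added to
    # NetSvcs is loaded inside svchost.exe when that service starts.
    for name in netsvcs:
        if name in svchost_services:
            findings.append(Finding("added to NetSvcs", name))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.check:32} {f.detail}")
```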

peku006
2008-10-15, 09:18
Hi Pandabear Man

1 - Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
Update Malwarebytes' Anti-Malware
and Launch Malwarebytes' Anti-Malware then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
If you accidentally close it, the log file is saved here and will be named like this:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

2 - Update Java

Please download JavaRa (http://prm753.bchea.org/click/click.php?id=9) and unzip it to your desktop.

Double-click on JavaRa.exe to start the program.
Click on Remove Older Versions to remove the older versions of Java installed on your computer.
Click Yes when prompted. When JavaRa is done, a notice will appear that a log file has been produced. Click OK.
A log file will pop up. Please save it to a convenient location.


Download the latest version of Java Runtime Environment (JRE) 6 Update 7 (http://java.sun.com/javase/downloads/index.jsp).

Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
Click on Continue.
Click on the link to download Windows Offline Installation and save it to your desktop. Do NOT use the Sun Download Manager.
Close any programs you may have running - especially your web browser.
Then from your desktop double-click on the download to install the newest version.


3 - Upload a file to Jotti for scanning
Go to Jotti's Malware Scan (http://virusscan.jotti.org/)
Copy the below file path and paste it into the text box next to the Browse button at the top of the page

C:\WINDOWS\system32\atlsystem330326.exe
Click the Submit button and wait for the scan to finish
Copy everything under Service and Scanner results, and paste this into your next reply

4 - Run HijackThis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.

5 - Status Check
Please reply with:

1. the Jotti/Virustotal results
2. the Malwarebytes' Anti-Malware log
3. the JavaRa log
4. a fresh HijackThis log

Thanks, peku006

peku006
2008-10-20, 14:19
Hello!

Do you still need help?

It has been five days since my last post.

Do you still need help with this?
Do you need more time?
Are you having problems following my instructions?

Note: If after 48 hrs you have not replied to this thread then it will have to be CLOSED!