need help with aurora popups

Hi im a new member so if you could tell me where to download HJT and post results here that would be great.

Now my problem is that I have the aurora popup and on task manager there is a process with a random name like xlkdfh.exe and when i end process, another one with a random name comes up. its properties say like TODOS product or something. I read on a different thread that someone had the exact problem i had so i started this one and i assume u guys know the problem im talking about. The things ive tried are i saw what someone told that other person to run ewido scan in safe mode and i cleaned everything except this one "worm.something.something" in my D drive cuz my D drive is my recovery drive or w/e. So when i rebooted, the random name process was gone but aurora was still there and then the name changing thing came back. I just ran Ad aware and i looked at the quarantine list and Aurora was there but i dont think it worked.

So if you could help me get rid of aurora, that would be awesome.

ysb21189

Newbie Poster

24 posts since May 2005

Reputation Points: 10

Solved Threads: 0

7 Years Ago

Post your log right here.

Download HijackThis selfextracting zip version from here. Once downloaded, double click on the file & it will install into it's own, permanent folder.
Start HJT & press the "Do a system scan and save a log file" button. When the scan is finished a window will pop up giving you the option of where to save it. Save it to desktop where it is easy to access. Open the log file and copy the entire contents of the file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.

crunchie

Most Valuable Poster

Moderator

20,095 posts since Feb 2004

Reputation Points: 1,142

Solved Threads: 985

7 Years Ago

OK here is my log. can i just ask where the folder is?

Logfile of HijackThis v1.99.1
Scan saved at 6:00:53 PM, on 5/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Documents and Settings\Owner\My Documents\bryan\edwido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\conime.exe
c:\windows\system32\zokmva.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Local Settings\Temp\_AZTMP0_\HijackThis.exe

R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {C18517DA-CA70-46CE-86F4-882F6B62E975} - C:\PROGRA~1\UBIZNA~1\MyKey\bms.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O3 - Toolbar: (no name) - {9E3849D6-41EF-4B2F-86B7-632EF90758E4} - (no file)
O3 - Toolbar: ¸¶AIA°¿oμa(&K) - {46D387E9-41FC-4F71-A7C3-B0BEB3568F00} - C:\PROGRA~1\UBIZNA~1\MyKey\keyband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [scvhost.exe] scvhost.exe
O4 - HKLM\..\Run: [scvhost] scvhost.exe
O4 - HKLM\..\Run: [Microsoft Update] Microsoft.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [imekrmig7.0] "C:\Program Files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE"
O4 - HKLM\..\Run: [NS] ns.exe
O4 - HKLM\..\Run: [IMJPMIG8.3] IMJPMIG8_3.exe
O4 - HKLM\..\Run: [ikanap] c:\windows\system32\zokmva.exe
O4 - HKLM\..\RunServices: [scvhost.exe] scvhost.exe
O4 - HKLM\..\RunServices: [scvhost] scvhost.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Microsoft.exe
O4 - HKLM\..\RunServices: [NS] ns.exe
O4 - HKLM\..\RunServices: [IMJPMIG8.3] IMJPMIG8_3.exe
O4 - HKLM\..\RunServices: [Windows Helpers] windowhelpers.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [kbdur] C:\WINDOWS\system32\kbdur.exe
O4 - HKCU\..\Run: [rate.exe] C:\WINDOWS\System32\i11r54n4.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: ¸®¼A¡ - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.gopd.co.kr
O15 - Trusted Zone: http://*.gopd.co.kr
O15 - Trusted Zone: http://cfolder.nownuri.net
O15 - Trusted Zone: http://client.nownuri.net
O15 - Trusted Zone: http://club.nownuri.net
O15 - Trusted Zone: http://help.nownuri.net
O15 - Trusted Zone: http://helpdesk.nownuri.net
O15 - Trusted Zone: http://join.nownuri.net
O15 - Trusted Zone: http://mplug.nownuri.net
O15 - Trusted Zone: http://pdsfind1.nownuri.net
O15 - Trusted Zone: http://www.nownuri.net
O15 - Trusted Zone: http://*.nownuri.net
O15 - Trusted Zone: http://adrenalin.pdbox.co.kr
O15 - Trusted Zone: http://bbs.pdbox.co.kr
O15 - Trusted Zone: http://bbs2.pdbox.co.kr
O15 - Trusted Zone: http://bbs3.pdbox.co.kr
O15 - Trusted Zone: http://bbs4.pdbox.co.kr
O15 - Trusted Zone: http://client.pdbox.co.kr
O15 - Trusted Zone: http://cp.pdbox.co.kr
O15 - Trusted Zone: http://find.pdbox.co.kr
O15 - Trusted Zone: http://ftp2.pdbox.co.kr
O15 - Trusted Zone: http://gopd.pdbox.co.kr
O15 - Trusted Zone: http://help.pdbox.co.kr
O15 - Trusted Zone: http://mboard.pdbox.co.kr
O15 - Trusted Zone: http://media.cp.pdbox.co.kr
O15 - Trusted Zone: http://mfind.pdbox.co.kr
O15 - Trusted Zone: http://my.pdbox.co.kr
O15 - Trusted Zone: http://point.pdbox.co.kr
O15 - Trusted Zone: http://shop.pdbox.co.kr
O15 - Trusted Zone: http://side.pdbox.co.kr
O15 - Trusted Zone: http://www.pdbox.co.kr
O15 - Trusted Zone: http://*.pdbox.co.kr
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 81.222.131.59
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O16 - DPF: 799BB2EC-572A-42A9-84AD-112806F4F551 -
O16 - DPF: {00001016-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter16 Class) - http://www.netmarble.net/game/nmstarter/NMStarter16.cab
O16 - DPF: {2AE5077E-2BCD-4B77-9D19-237C882BD6AF} - http://www.monario.com/ActiveX/monariofiledownload.cab
O16 - DPF: {35B93CED-4B24-4FA7-B143-B4F5BBBA9F7A} (BugsPatcher Control) - http://gamepatch.bugs.co.kr/BugsPatcher.cab
O16 - DPF: {48ED5A74-A5A6-4EDE-AAC5-42D697FC3F19} (cyberX Control) - http://www.cyberoro.com/download/cyber.cab
O16 - DPF: {48FE89A0-486C-48DF-9DEC-BED22BDC6057} (XIsOro Control) - http://www.cyberoro.com/download/OroCheck.cab
O16 - DPF: {5876CAD0-1636-42EA-AC50-4C06F3196089} (HanGamePlugin19 Class) - http://down.hangame.com/dist/activex/HanGamePlugin19.cab
O16 - DPF: {799BB2EC-572A-42A9-84AD-112806F4F551} (Imweb Control) - http://activexdown.paran.com/paranactivex/data/imweb.cab
O16 - DPF: {92E82FBB-DA00-41E0-ABFE-95482E21A4F6} (NMTransX Module) - http://download.netmarble.com/NMChatX/NMTransX.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9/dmcc2.cab
O16 - DPF: {9BDBC41E-C335-4263-83C0-ECE78EE28A33} - http://ahnlabdownload.nefficient.co.kr/plugin/myfirewall/myfirewall20.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/mv/XTools.cab
O16 - DPF: {A1CCCFF4-0DF9-4FFC-99A3-A37A0F3D8E18} (p3bgset Class) - http://player.bugs.co.kr/install/bugsLoader20040811.cab
O16 - DPF: {B2AEC562-9C98-459D-A596-6850EB2CE623} - http://www.omi.co.kr/search/chart_package/comparison4.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://messenger.zone.msn.com/binary/ZIntro.cab27571.cab
O16 - DPF: {B9DD5FFF-776D-4E53-93D3-A4463E63AD86} (CN°OAOA￠¼OCA·I±×·￥) - http://cdn.hangame.com/hangame/messenger/hani/webmsg/HanWebMsg.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} - http://messenger.zone.msn.com/binary/Bankshot.cab27591.cab
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/bugsLoader20041018.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://gameguard.nefficient.co.kr/grigon/gamegard/nProtect/keycrypt/npkcx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B194D895-CE3A-40D7-8D35-A58D582028FD}: NameServer = 4.2.2.1 4.2.2.2
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Owner\My Documents\bryan\edwido\security suite\ewidoctrl.exe
O23 - Service: IMJPMIG8.3 - Unknown owner - C:\WINDOWS\System32\IMJPMIG8_3.exe" -service (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NS (MSLLR) - Unknown owner - C:\WINDOWS\System32\ns.exe" -service (file missing)
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

ysb21189

Newbie Poster

24 posts since May 2005

Reputation Points: 10

Solved Threads: 0

7 Years Ago

Hi ysb21189, welcome to DaniWeb :D

You've got HijackThis in a Temp folder (C:\Documents and Settings\Owner\Local Settings\Temp\_AZTMP0_\HijackThis.exe) and it needs to be in it's own permanent folder, like c:\HJT\hijackthis.exe, so it -- and the backups it will create -- don't get accidently deleted.

After you've moved it, close any open browser windows, scan with hijackthis and post a new log please.

dlh6213

Posting Maven

Team Colleague

3,117 posts since Jul 2004

Reputation Points: 63

Solved Threads: 214

7 Years Ago

Can I ask how you managed to get hijackthis into a temporary folder using a self-extracting zip file that unzips the .exe into C:\Program Files\HijackThis? :)

crunchie

Most Valuable Poster

Moderator

20,095 posts since Feb 2004

Reputation Points: 1,142

Solved Threads: 985

7 Years Ago

ok i downloaded it to a permanent folder after uninstalling it. heh i dont know what i did the first time....

Logfile of HijackThis v1.99.1
Scan saved at 5:20:12 PM, on 5/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
c:\windows\system32\kxfmgol.exe
C:\WINDOWS\System32\conime.exe
C:\Documents and Settings\Owner\My Documents\bryan\edwido\security

suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no

file)
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no

file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:

\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c

:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {C18517DA-CA70-46CE-86F4-882F6B62E975} - C:\PROGRA~

1\UBIZNA~1\MyKey\bms.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:

\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O3 - Toolbar: (no name) - {9E3849D6-41EF-4B2F-86B7-632EF90758E4} - (no file)
O3 - Toolbar: ¸¶AIA°¿oμa(&K) - {46D387E9-41FC-4F71-A7C3-B0BEB3568F00} - C:

\PROGRA~1\UBIZNA~1\MyKey\keyband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program

files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common

Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control

Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon

2k.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver

3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program

Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program

Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04

\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32

\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /

Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32

\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32

\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32

\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [scvhost.exe] scvhost.exe
O4 - HKLM\..\Run: [scvhost] scvhost.exe
O4 - HKLM\..\Run: [Microsoft Update] Microsoft.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [imekrmig7.0] "C:\Program Files\Common Files\Microsoft

Shared\IME\IMKR7\IMEKRMIG.EXE"
O4 - HKLM\..\Run: [NS] ns.exe
O4 - HKLM\..\Run: [IMJPMIG8.3] IMJPMIG8_3.exe
O4 - HKLM\..\Run: [hojwrl] c:\windows\system32\kxfmgol.exe
O4 - HKLM\..\RunServices: [scvhost.exe] scvhost.exe
O4 - HKLM\..\RunServices: [scvhost] scvhost.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Microsoft.exe
O4 - HKLM\..\RunServices: [NS] ns.exe
O4 - HKLM\..\RunServices: [IMJPMIG8.3] IMJPMIG8_3.exe
O4 - HKLM\..\RunServices: [Windows Helpers] windowhelpers.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [kbdur] C:\WINDOWS\system32\kbdur.exe
O4 - HKCU\..\Run: [rate.exe] C:\WINDOWS\System32\i11r54n4.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common

Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program

files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program

files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program

files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI

1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program

files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program

files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:

\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C

608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: ¸®¼A¡ - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:

\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program

Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:

\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}

- C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.gopd.co.kr
O15 - Trusted Zone: http://*.gopd.co.kr
O15 - Trusted Zone: http://cfolder.nownuri.net
O15 - Trusted Zone: http://client.nownuri.net
O15 - Trusted Zone: http://club.nownuri.net
O15 - Trusted Zone: http://help.nownuri.net
O15 - Trusted Zone: http://helpdesk.nownuri.net
O15 - Trusted Zone: http://join.nownuri.net
O15 - Trusted Zone: http://mplug.nownuri.net
O15 - Trusted Zone: http://pdsfind1.nownuri.net
O15 - Trusted Zone: http://www.nownuri.net
O15 - Trusted Zone: http://*.nownuri.net
O15 - Trusted Zone: http://adrenalin.pdbox.co.kr
O15 - Trusted Zone: http://bbs.pdbox.co.kr
O15 - Trusted Zone: http://bbs2.pdbox.co.kr
O15 - Trusted Zone: http://bbs3.pdbox.co.kr
O15 - Trusted Zone: http://bbs4.pdbox.co.kr
O15 - Trusted Zone: http://client.pdbox.co.kr
O15 - Trusted Zone: http://cp.pdbox.co.kr
O15 - Trusted Zone: http://find.pdbox.co.kr
O15 - Trusted Zone: http://ftp2.pdbox.co.kr
O15 - Trusted Zone: http://gopd.pdbox.co.kr
O15 - Trusted Zone: http://help.pdbox.co.kr
O15 - Trusted Zone: http://mboard.pdbox.co.kr
O15 - Trusted Zone: http://media.cp.pdbox.co.kr
O15 - Trusted Zone: http://mfind.pdbox.co.kr
O15 - Trusted Zone: http://my.pdbox.co.kr
O15 - Trusted Zone: http://point.pdbox.co.kr
O15 - Trusted Zone: http://shop.pdbox.co.kr
O15 - Trusted Zone: http://side.pdbox.co.kr
O15 - Trusted Zone: http://www.pdbox.co.kr
O15 - Trusted Zone: http://*.pdbox.co.kr
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 81.222.131.59
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O16 - DPF: 799BB2EC-572A-42A9-84AD-112806F4F551 -
O16 - DPF: {00001016-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter16 Class) -

http://www.netmarble.net/game/nmstarter/NMStarter16.cab
O16 - DPF: {2AE5077E-2BCD-4B77-9D19-237C882BD6AF} - http://www.monario.com

/ActiveX/monariofiledownload.cab
O16 - DPF: {35B93CED-4B24-4FA7-B143-B4F5BBBA9F7A} (BugsPatcher Control) - http

://gamepatch.bugs.co.kr/BugsPatcher.cab
O16 - DPF: {48ED5A74-A5A6-4EDE-AAC5-42D697FC3F19} (cyberX Control) - http://

www.cyberoro.com/download/cyber.cab
O16 - DPF: {48FE89A0-486C-48DF-9DEC-BED22BDC6057} (XIsOro Control) - http://

www.cyberoro.com/download/OroCheck.cab
O16 - DPF: {5876CAD0-1636-42EA-AC50-4C06F3196089} (HanGamePlugin19 Class) -

http://down.hangame.com/dist/activex/HanGamePlugin19.cab
O16 - DPF: {799BB2EC-572A-42A9-84AD-112806F4F551} (Imweb Control) - http://

activexdown.paran.com/paranactivex/data/imweb.cab
O16 - DPF: {92E82FBB-DA00-41E0-ABFE-95482E21A4F6} (NMTransX Module) - http://

download.netmarble.com/NMChatX/NMTransX.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://

cafeimg.hanmail.net/cab9/dmcc2.cab
O16 - DPF: {9BDBC41E-C335-4263-83C0-ECE78EE28A33} - http://ahnlabdownload .

nefficient.co.kr/plugin/myfirewall/myfirewall20.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://

player.bugs.co.kr/install/mv/XTools.cab
O16 - DPF: {A1CCCFF4-0DF9-4FFC-99A3-A37A0F3D8E18} (p3bgset Class) - http://

player.bugs.co.kr/install/bugsLoader20040811.cab
O16 - DPF: {B2AEC562-9C98-459D-A596-6850EB2CE623} - http://www.omi.co.kr/

search/chart_package/comparison4.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://messenger.zone .

msn.com/binary/ZIntro.cab27571.cab
O16 - DPF: {B9DD5FFF-776D-4E53-93D3-A4463E63AD86} (CN°OAOA￠¼OCA·I±×·￥

) - http://cdn.hangame.com/hangame/messenger/hani/webmsg/HanWebMsg.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} - http://messenger.zone .

msn.com/binary/Bankshot.cab27591.cab
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://

player.bugs.co.kr/install/bugsLoader20041018.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://gameguard .

nefficient.co.kr/grigon/gamegard/nProtect/keycrypt/npkcx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B194D895-CE3A-40D7-8D35-A58D

582028FD}: NameServer = 4.2.2.1 4.2.2.2
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2

evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and

Settings\Owner\My Documents\bryan\edwido\security suite\ewidoctrl.exe
O23 - Service: IMJPMIG8.3 - Unknown owner - C:\WINDOWS\System32\IMJPMIG8_

3.exe" -service (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: NS (MSLLR) - Unknown owner - C:\WINDOWS\System32\ns.exe" -

service (file missing)
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.

exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:

\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:

\WINDOWS\svcproc.exe

ysb21189

Newbie Poster

24 posts since May 2005

Reputation Points: 10

Solved Threads: 0

7 Years Ago

Hi ysb21189,

The formatting of the last HJT log you posted came out a bit weird in terms of line breaks and spacings, making it rather difficult to read. Could you try to repost that log so that it appears like your your first log formatting-wise?

Thanks.

DMR

Wombat At Large

Team Colleague

7,229 posts since Dec 2003

Reputation Points: 221

Solved Threads: 370

7 Years Ago

Logfile of HijackThis v1.99.1
Scan saved at 9:30:10 PM, on 5/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Owner\My Documents\bryan\edwido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\WINDOWS\ALCXMNTR.EXE
c:\windows\system32\dvkvlum.exe
C:\WINDOWS\System32\conime.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\HJT\HijackThis.exe

R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {C18517DA-CA70-46CE-86F4-882F6B62E975} - C:\PROGRA~1\UBIZNA~1\MyKey\bms.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O3 - Toolbar: (no name) - {9E3849D6-41EF-4B2F-86B7-632EF90758E4} - (no file)
O3 - Toolbar: ¸¶AIA°¿oμa(&K) - {46D387E9-41FC-4F71-A7C3-B0BEB3568F00} - C:\PROGRA~1\UBIZNA~1\MyKey\keyband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [scvhost.exe] scvhost.exe
O4 - HKLM\..\Run: [scvhost] scvhost.exe
O4 - HKLM\..\Run: [Microsoft Update] Microsoft.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [imekrmig7.0] "C:\Program Files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE"
O4 - HKLM\..\Run: [NS] ns.exe
O4 - HKLM\..\Run: [IMJPMIG8.3] IMJPMIG8_3.exe
O4 - HKLM\..\Run: [fgpsge] c:\windows\system32\dvkvlum.exe
O4 - HKLM\..\RunServices: [scvhost.exe] scvhost.exe
O4 - HKLM\..\RunServices: [scvhost] scvhost.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Microsoft.exe
O4 - HKLM\..\RunServices: [NS] ns.exe
O4 - HKLM\..\RunServices: [IMJPMIG8.3] IMJPMIG8_3.exe
O4 - HKLM\..\RunServices: [Windows Helpers] windowhelpers.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [kbdur] C:\WINDOWS\system32\kbdur.exe
O4 - HKCU\..\Run: [rate.exe] C:\WINDOWS\System32\i11r54n4.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: ¸®¼A¡ - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.gopd.co.kr
O15 - Trusted Zone: http://*.gopd.co.kr
O15 - Trusted Zone: http://cfolder.nownuri.net
O15 - Trusted Zone: http://client.nownuri.net
O15 - Trusted Zone: http://club.nownuri.net
O15 - Trusted Zone: http://help.nownuri.net
O15 - Trusted Zone: http://helpdesk.nownuri.net
O15 - Trusted Zone: http://join.nownuri.net
O15 - Trusted Zone: http://mplug.nownuri.net
O15 - Trusted Zone: http://pdsfind1.nownuri.net
O15 - Trusted Zone: http://www.nownuri.net
O15 - Trusted Zone: http://*.nownuri.net
O15 - Trusted Zone: http://adrenalin.pdbox.co.kr
O15 - Trusted Zone: http://bbs.pdbox.co.kr
O15 - Trusted Zone: http://bbs2.pdbox.co.kr
O15 - Trusted Zone: http://bbs3.pdbox.co.kr
O15 - Trusted Zone: http://bbs4.pdbox.co.kr
O15 - Trusted Zone: http://client.pdbox.co.kr
O15 - Trusted Zone: http://cp.pdbox.co.kr
O15 - Trusted Zone: http://find.pdbox.co.kr
O15 - Trusted Zone: http://ftp2.pdbox.co.kr
O15 - Trusted Zone: http://gopd.pdbox.co.kr
O15 - Trusted Zone: http://help.pdbox.co.kr
O15 - Trusted Zone: http://mboard.pdbox.co.kr
O15 - Trusted Zone: http://media.cp.pdbox.co.kr
O15 - Trusted Zone: http://mfind.pdbox.co.kr
O15 - Trusted Zone: http://my.pdbox.co.kr
O15 - Trusted Zone: http://point.pdbox.co.kr
O15 - Trusted Zone: http://shop.pdbox.co.kr
O15 - Trusted Zone: http://side.pdbox.co.kr
O15 - Trusted Zone: http://www.pdbox.co.kr
O15 - Trusted Zone: http://*.pdbox.co.kr
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 81.222.131.59
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O16 - DPF: 799BB2EC-572A-42A9-84AD-112806F4F551 -
O16 - DPF: {00001016-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter16 Class) - http://www.netmarble.net/game/nmstarter/NMStarter16.cab
O16 - DPF: {2AE5077E-2BCD-4B77-9D19-237C882BD6AF} - http://www.monario.com/ActiveX/monariofiledownload.cab
O16 - DPF: {35B93CED-4B24-4FA7-B143-B4F5BBBA9F7A} (BugsPatcher Control) - http://gamepatch.bugs.co.kr/BugsPatcher.cab
O16 - DPF: {48ED5A74-A5A6-4EDE-AAC5-42D697FC3F19} (cyberX Control) - http://www.cyberoro.com/download/cyber.cab
O16 - DPF: {48FE89A0-486C-48DF-9DEC-BED22BDC6057} (XIsOro Control) - http://www.cyberoro.com/download/OroCheck.cab
O16 - DPF: {5876CAD0-1636-42EA-AC50-4C06F3196089} (HanGamePlugin19 Class) - http://down.hangame.com/dist/activex/HanGamePlugin19.cab
O16 - DPF: {799BB2EC-572A-42A9-84AD-112806F4F551} (Imweb Control) - http://activexdown.paran.com/paranactivex/data/imweb.cab
O16 - DPF: {92E82FBB-DA00-41E0-ABFE-95482E21A4F6} (NMTransX Module) - http://download.netmarble.com/NMChatX/NMTransX.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9/dmcc2.cab
O16 - DPF: {9BDBC41E-C335-4263-83C0-ECE78EE28A33} - http://ahnlabdownload.nefficient.co.kr/plugin/myfirewall/myfirewall20.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/mv/XTools.cab
O16 - DPF: {A1CCCFF4-0DF9-4FFC-99A3-A37A0F3D8E18} (p3bgset Class) - http://player.bugs.co.kr/install/bugsLoader20040811.cab
O16 - DPF: {B2AEC562-9C98-459D-A596-6850EB2CE623} - http://www.omi.co.kr/search/chart_package/comparison4.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://messenger.zone.msn.com/binary/ZIntro.cab27571.cab
O16 - DPF: {B9DD5FFF-776D-4E53-93D3-A4463E63AD86} (CN°OAOA￠¼OCA·I±×·￥) - http://cdn.hangame.com/hangame/messenger/hani/webmsg/HanWebMsg.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} - http://messenger.zone.msn.com/binary/Bankshot.cab27591.cab
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/bugsLoader20041018.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://gameguard.nefficient.co.kr/grigon/gamegard/nProtect/keycrypt/npkcx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B194D895-CE3A-40D7-8D35-A58D582028FD}: NameServer = 4.2.2.1 4.2.2.2
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Owner\My Documents\bryan\edwido\security suite\ewidoctrl.exe
O23 - Service: IMJPMIG8.3 - Unknown owner - C:\WINDOWS\System32\IMJPMIG8_3.exe" -service (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NS (MSLLR) - Unknown owner - C:\WINDOWS\System32\ns.exe" -service (file missing)
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

ysb21189

Newbie Poster

24 posts since May 2005

Reputation Points: 10

Solved Threads: 0

7 Years Ago

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please run Notepad and copy the following text into a new file:
@ECHO OFF
cd %windir%
Nail.exe /FULLREMOVE
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
cd %windir%\system32
attrib -s -r -h DrPMon.dll
del DrPMon.dll
exit
Save the file to the desktop asremove.bat and make sure the "Save as type" field says "All files".

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml

Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Post the log from the scan here for me.

Then please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

crunchie

Most Valuable Poster

Moderator

20,095 posts since Feb 2004

Reputation Points: 1,142

Solved Threads: 985

7 Years Ago

ok i did exactly as u told me(even printed the directions...)

here is the Ewido report:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:42:39 PM, 5/14/2005
+ Report-Checksum: B77E2EC

+ Date of database: 5/14/2005
+ Version of scan engine: v3.0

+ Duration: 57 min
+ Scanned Files: 145110
+ Speed: 42.33 Files/Second
+ Infected files: 13
+ Removed files: 13
+ Files put in quarantine: 13
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
C:\Documents and Settings\Owner\Cookies\owner@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ehg-stampsdotcom.hitbox[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@realmedia[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@www.myaffiliateprogram[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\temp.frE7E1 -> Trojan.Agent.db -> Cleaned with backup
C:\WINDOWS\cwcvfskqtvc.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Cleaned with backup
C:\WINDOWS\system32\urknvwv.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\system32\xvimhpx.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\tool1.exe -> Trojan.LowZones.y -> Cleaned with backup
C:\WINDOWS\zipped.tmp/your_details.doc .exe -> Worm.NetSky.x -> Cleaned with backup

::Report End

and here is the HJT log after restarting:
Logfile of HijackThis v1.99.1
Scan saved at 12:50:43 PM, on 5/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\conime.exe
C:\Documents and Settings\Owner\My Documents\bryan\edwido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {C18517DA-CA70-46CE-86F4-882F6B62E975} - C:\PROGRA~1\UBIZNA~1\MyKey\bms.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O3 - Toolbar: (no name) - {9E3849D6-41EF-4B2F-86B7-632EF90758E4} - (no file)
O3 - Toolbar: ¸¶AIA°¿oμa(&K) - {46D387E9-41FC-4F71-A7C3-B0BEB3568F00} - C:\PROGRA~1\UBIZNA~1\MyKey\keyband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [scvhost.exe] scvhost.exe
O4 - HKLM\..\Run: [scvhost] scvhost.exe
O4 - HKLM\..\Run: [Microsoft Update] Microsoft.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [imekrmig7.0] "C:\Program Files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE"
O4 - HKLM\..\Run: [NS] ns.exe
O4 - HKLM\..\Run: [IMJPMIG8.3] IMJPMIG8_3.exe
O4 - HKLM\..\RunServices: [scvhost.exe] scvhost.exe
O4 - HKLM\..\RunServices: [scvhost] scvhost.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Microsoft.exe
O4 - HKLM\..\RunServices: [NS] ns.exe
O4 - HKLM\..\RunServices: [IMJPMIG8.3] IMJPMIG8_3.exe
O4 - HKLM\..\RunServices: [Windows Helpers] windowhelpers.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [kbdur] C:\WINDOWS\system32\kbdur.exe
O4 - HKCU\..\Run: [rate.exe] C:\WINDOWS\System32\i11r54n4.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: ¸®¼A¡ - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.gopd.co.kr
O15 - Trusted Zone: http://*.gopd.co.kr
O15 - Trusted Zone: http://cfolder.nownuri.net
O15 - Trusted Zone: http://client.nownuri.net
O15 - Trusted Zone: http://club.nownuri.net
O15 - Trusted Zone: http://help.nownuri.net
O15 - Trusted Zone: http://helpdesk.nownuri.net
O15 - Trusted Zone: http://join.nownuri.net
O15 - Trusted Zone: http://mplug.nownuri.net
O15 - Trusted Zone: http://pdsfind1.nownuri.net
O15 - Trusted Zone: http://www.nownuri.net
O15 - Trusted Zone: http://*.nownuri.net
O15 - Trusted Zone: http://adrenalin.pdbox.co.kr
O15 - Trusted Zone: http://bbs.pdbox.co.kr
O15 - Trusted Zone: http://bbs2.pdbox.co.kr
O15 - Trusted Zone: http://bbs3.pdbox.co.kr
O15 - Trusted Zone: http://bbs4.pdbox.co.kr
O15 - Trusted Zone: http://client.pdbox.co.kr
O15 - Trusted Zone: http://cp.pdbox.co.kr
O15 - Trusted Zone: http://find.pdbox.co.kr
O15 - Trusted Zone: http://ftp2.pdbox.co.kr
O15 - Trusted Zone: http://gopd.pdbox.co.kr
O15 - Trusted Zone: http://help.pdbox.co.kr
O15 - Trusted Zone: http://mboard.pdbox.co.kr
O15 - Trusted Zone: http://media.cp.pdbox.co.kr
O15 - Trusted Zone: http://mfind.pdbox.co.kr
O15 - Trusted Zone: http://my.pdbox.co.kr
O15 - Trusted Zone: http://point.pdbox.co.kr
O15 - Trusted Zone: http://shop.pdbox.co.kr
O15 - Trusted Zone: http://side.pdbox.co.kr
O15 - Trusted Zone: http://www.pdbox.co.kr
O15 - Trusted Zone: http://*.pdbox.co.kr
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 81.222.131.59
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O16 - DPF: 799BB2EC-572A-42A9-84AD-112806F4F551 -
O16 - DPF: {00001016-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter16 Class) - http://www.netmarble.net/game/nmstarter/NMStarter16.cab
O16 - DPF: {2AE5077E-2BCD-4B77-9D19-237C882BD6AF} - http://www.monario.com/ActiveX/monariofiledownload.cab
O16 - DPF: {35B93CED-4B24-4FA7-B143-B4F5BBBA9F7A} (BugsPatcher Control) - http://gamepatch.bugs.co.kr/BugsPatcher.cab
O16 - DPF: {48ED5A74-A5A6-4EDE-AAC5-42D697FC3F19} (cyberX Control) - http://www.cyberoro.com/download/cyber.cab
O16 - DPF: {48FE89A0-486C-48DF-9DEC-BED22BDC6057} (XIsOro Control) - http://www.cyberoro.com/download/OroCheck.cab
O16 - DPF: {5876CAD0-1636-42EA-AC50-4C06F3196089} (HanGamePlugin19 Class) - http://down.hangame.com/dist/activex/HanGamePlugin19.cab
O16 - DPF: {799BB2EC-572A-42A9-84AD-112806F4F551} (Imweb Control) - http://activexdown.paran.com/paranactivex/data/imweb.cab
O16 - DPF: {92E82FBB-DA00-41E0-ABFE-95482E21A4F6} (NMTransX Module) - http://download.netmarble.com/NMChatX/NMTransX.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9/dmcc2.cab
O16 - DPF: {9BDBC41E-C335-4263-83C0-ECE78EE28A33} - http://ahnlabdownload.nefficient.co.kr/plugin/myfirewall/myfirewall20.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/mv/XTools.cab
O16 - DPF: {A1CCCFF4-0DF9-4FFC-99A3-A37A0F3D8E18} (p3bgset Class) - http://player.bugs.co.kr/install/bugsLoader20040811.cab
O16 - DPF: {B2AEC562-9C98-459D-A596-6850EB2CE623} - http://www.omi.co.kr/search/chart_package/comparison4.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://messenger.zone.msn.com/binary/ZIntro.cab27571.cab
O16 - DPF: {B9DD5FFF-776D-4E53-93D3-A4463E63AD86} (CN°OAOA￠¼OCA·I±×·￥) - http://cdn.hangame.com/hangame/messenger/hani/webmsg/HanWebMsg.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} - http://messenger.zone.msn.com/binary/Bankshot.cab27591.cab
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/bugsLoader20041018.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://gameguard.nefficient.co.kr/grigon/gamegard/nProtect/keycrypt/npkcx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B194D895-CE3A-40D7-8D35-A58D582028FD}: NameServer = 4.2.2.1 4.2.2.2
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Owner\My Documents\bryan\edwido\security suite\ewidoctrl.exe
O23 - Service: IMJPMIG8.3 - Unknown owner - C:\WINDOWS\System32\IMJPMIG8_3.exe" -service (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NS (MSLLR) - Unknown owner - C:\WINDOWS\System32\ns.exe" -service (file missing)
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

ysb21189

Newbie Poster

24 posts since May 2005

Reputation Points: 10

Solved Threads: 0

7 Years Ago

uhhh i just went to my internet and i saw aurora come up for just a second then disappear...

ysb21189

Newbie Poster

24 posts since May 2005

Reputation Points: 10

Solved Threads: 0

7 Years Ago

Your log is still a mess. Please do the following to (hopefully) get some it cleaned up:

A) Run a full anti-virus scan, making sure that your anti-virus program is using the most current virus definition updates.
If you do not have an anti-virus program installed, do at least two of following free online virus scans:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php

B) Download and run Ad Aware and SpyBot Search & Destroy (download links are in my sig below).

Follow these directions for configuring Ad Aware (directions courtesy of our member "crunchie"):

1. Download and Install Ad-Aware SE, keeping the default options. However, some of the settings will need to be changed before your first scan

2.Close ALL windows except Ad-Aware SE

3. Click on the‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.

4. Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window

1) In the ‘General’ window make sure the following are selected in green:
*Automatically save log-file
*Automatically quarantine objects prior to removal
*Safe Mode (always request confirmation)

Under Definitions:
*Prompt to udate outdated definitions - set the number of days

2) Click on the ‘Scanning’ button on the left and select in green :

Under Driver, Folders & Files:
*Scan Within Archives

Under Select drives & folders to scan -
*choose all hard drives

Under Memory & Registry: all green
*Scan Active Processes
*Scan Registry
*Deep Scan Registry
*Scan my IE favorites for banned URL’s
*Scan my Hosts file

3) Click on the ‘Advanced’ button on the left and select in green:

Under Shell Integration:
*Move deleted files to recycle bin

Under Logfile Detail Level: (all green)
*include addtional object information
*DESELECT - include negligible objects information
*include environment information

Under Alternate Data Streams:
*Don't log streams smaller than 0 bytes
*Don't log ADS with the following names: CA_INOCULATEIT

4) Click the ‘Tweak’ button and select in green:

Under the ‘Scanning Engine’:
*Unload recognized processes during scanning
*Scan registry for all users instead of current user only

Under the ‘Cleaning Engine’:
*Let Windows remove files in use at next reboot

Under the Log Files:
*Include basic Ad-aware SE settings in logfile
*Include additional Ad-aware SE settings in logfile
*Please do not check or make green: Include Module list in logfile

5. Click on ‘Proceed’ to save the settings.

6. Click ‘Start’

*Choose:'Perform Full System Scan'
*DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

7. Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.

8. If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window. Right-click on any of the entries and choose "Select All"; then click the "Finish" button to have Ad Aware complete its fixes.

9. Save the log file when it asks and then click ‘finish’

10. REBOOT to complete the removal of what Ad-Aware SE found

* Run SpyBot.

When you first run SpyBot, it will walk you through a Wizard which will perform a few critical functions (making a registry backup, getting the latest updates, etc.).

1. Perform all of the Wizard's tasks.
2. Run the program. Once it completes, have it fix everything it finds.
3. Reboot.

D) Download and install Microsoft AntiSpyware beta . Open the program, check online for updates, and run a full system scan. When it completes, accept the recommended actions the pprogram presents for the items it found, have it fix them, and then close the program.

E) Reboot. Once the system is restarted, run HJT again and post a fresh log.

DMR

Wombat At Large

Team Colleague

7,229 posts since Dec 2003

Reputation Points: 221

Solved Threads: 370

7 Years Ago

uhhh when i ran the second scan http://housecall.trendmicro.com/ it asked me if i wanted to install nail.exe. i had to fix that earlier with HJT so i wasnt sure and pressed cancel. Then it exited my windows and then it said the scan removed some worm malware w/ a really long name...im now running the third scan and the first website doesnt work. can u tell me what im supposed to do w/ the second scan and nail.exe?

ysb21189

Newbie Poster

24 posts since May 2005

Reputation Points: 10

Solved Threads: 0

7 Years Ago

uhhh when i ran the second scan http://housecall.trendmicro.com/ it asked me if i wanted to install nail.exe... and the first website doesnt work

That's all a bit weird, but just complete as many of the steps as you can and then get back to us with the results and a new HijackThis log; we'll take it from there.

DMR

Wombat At Large

Team Colleague

7,229 posts since Dec 2003

Reputation Points: 221

Solved Threads: 370

7 Years Ago

ok i was able to run the 3rd,5th and 6th virus scans that u gave me (even thought the 6th didnt detect anything)

i ran adaware with all the settings and when the scan was done, it said it had to reboot to delete C:\WINDOWS\system32/DrPMon.dll and when i rebooted the adaware program came up but nothing else but my background so i had to exit the adaware.

i ran spybot and the only error was msjava.dll could not be found

the microsoft antispyware located aurora as one of the problems and fixed it so heres hoping it worked

finally my HJT log after rebooting:

Logfile of HijackThis v1.99.1
Scan saved at 10:25:30 PM, on 5/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
c:\windows\system32\ornmcu.exe
C:\WINDOWS\System32\conime.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\Owner\My Documents\bryan\edwido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {C18517DA-CA70-46CE-86F4-882F6B62E975} - C:\PROGRA~1\UBIZNA~1\MyKey\bms.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O3 - Toolbar: (no name) - {9E3849D6-41EF-4B2F-86B7-632EF90758E4} - (no file)
O3 - Toolbar: ¸¶AIA°¿oμa(&K) - {46D387E9-41FC-4F71-A7C3-B0BEB3568F00} - C:\PROGRA~1\UBIZNA~1\MyKey\keyband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [imekrmig7.0] "C:\Program Files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE"
O4 - HKLM\..\Run: [NS] ns.exe
O4 - HKLM\..\Run: [IMJPMIG8.3] IMJPMIG8_3.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [cgsrgj] c:\windows\system32\ornmcu.exe
O4 - HKLM\..\RunServices: [NS] ns.exe
O4 - HKLM\..\RunServices: [IMJPMIG8.3] IMJPMIG8_3.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [kbdur] C:\WINDOWS\system32\kbdur.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: ¸®¼A¡ - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.gopd.co.kr
O15 - Trusted Zone: http://*.gopd.co.kr
O15 - Trusted Zone: http://cfolder.nownuri.net
O15 - Trusted Zone: http://client.nownuri.net
O15 - Trusted Zone: http://club.nownuri.net
O15 - Trusted Zone: http://help.nownuri.net
O15 - Trusted Zone: http://helpdesk.nownuri.net
O15 - Trusted Zone: http://join.nownuri.net
O15 - Trusted Zone: http://mplug.nownuri.net
O15 - Trusted Zone: http://pdsfind1.nownuri.net
O15 - Trusted Zone: http://www.nownuri.net
O15 - Trusted Zone: http://*.nownuri.net
O15 - Trusted Zone: http://adrenalin.pdbox.co.kr
O15 - Trusted Zone: http://bbs.pdbox.co.kr
O15 - Trusted Zone: http://bbs2.pdbox.co.kr
O15 - Trusted Zone: http://bbs3.pdbox.co.kr
O15 - Trusted Zone: http://bbs4.pdbox.co.kr
O15 - Trusted Zone: http://client.pdbox.co.kr
O15 - Trusted Zone: http://cp.pdbox.co.kr
O15 - Trusted Zone: http://find.pdbox.co.kr
O15 - Trusted Zone: http://ftp2.pdbox.co.kr
O15 - Trusted Zone: http://gopd.pdbox.co.kr
O15 - Trusted Zone: http://help.pdbox.co.kr
O15 - Trusted Zone: http://mboard.pdbox.co.kr
O15 - Trusted Zone: http://media.cp.pdbox.co.kr
O15 - Trusted Zone: http://mfind.pdbox.co.kr
O15 - Trusted Zone: http://my.pdbox.co.kr
O15 - Trusted Zone: http://point.pdbox.co.kr
O15 - Trusted Zone: http://shop.pdbox.co.kr
O15 - Trusted Zone: http://side.pdbox.co.kr
O15 - Trusted Zone: http://www.pdbox.co.kr
O15 - Trusted Zone: http://*.pdbox.co.kr
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 81.222.131.59
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O16 - DPF: 799BB2EC-572A-42A9-84AD-112806F4F551 -
O16 - DPF: {00001016-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter16 Class) - http://www.netmarble.net/game/nmstarter/NMStarter16.cab
O16 - DPF: {2AE5077E-2BCD-4B77-9D19-237C882BD6AF} - http://www.monario.com/ActiveX/monariofiledownload.cab
O16 - DPF: {35B93CED-4B24-4FA7-B143-B4F5BBBA9F7A} (BugsPatcher Control) - http://gamepatch.bugs.co.kr/BugsPatcher.cab
O16 - DPF: {48ED5A74-A5A6-4EDE-AAC5-42D697FC3F19} (cyberX Control) - http://www.cyberoro.com/download/cyber.cab
O16 - DPF: {48FE89A0-486C-48DF-9DEC-BED22BDC6057} (XIsOro Control) - http://www.cyberoro.com/download/OroCheck.cab
O16 - DPF: {5876CAD0-1636-42EA-AC50-4C06F3196089} (HanGamePlugin19 Class) - http://down.hangame.com/dist/activex/HanGamePlugin19.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {799BB2EC-572A-42A9-84AD-112806F4F551} (Imweb Control) - http://activexdown.paran.com/paranactivex/data/imweb.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {92E82FBB-DA00-41E0-ABFE-95482E21A4F6} (NMTransX Module) - http://download.netmarble.com/NMChatX/NMTransX.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9/dmcc2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9BDBC41E-C335-4263-83C0-ECE78EE28A33} - http://ahnlabdownload.nefficient.co.kr/plugin/myfirewall/myfirewall20.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/mv/XTools.cab
O16 - DPF: {A1CCCFF4-0DF9-4FFC-99A3-A37A0F3D8E18} (p3bgset Class) - http://player.bugs.co.kr/install/bugsLoader20040811.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B2AEC562-9C98-459D-A596-6850EB2CE623} - http://www.omi.co.kr/search/chart_package/comparison4.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://messenger.zone.msn.com/binary/ZIntro.cab27571.cab
O16 - DPF: {B9DD5FFF-776D-4E53-93D3-A4463E63AD86} (CN°OAOA￠¼OCA·I±×·￥) - http://cdn.hangame.com/hangame/messenger/hani/webmsg/HanWebMsg.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} - http://messenger.zone.msn.com/binary/Bankshot.cab27591.cab
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/bugsLoader20041018.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://gameguard.nefficient.co.kr/grigon/gamegard/nProtect/keycrypt/npkcx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B194D895-CE3A-40D7-8D35-A58D582028FD}: NameServer = 4.2.2.1 4.2.2.2
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Owner\My Documents\bryan\edwido\security suite\ewidoctrl.exe
O23 - Service: IMJPMIG8.3 - Unknown owner - C:\WINDOWS\System32\IMJPMIG8_3.exe" -service (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NS (MSLLR) - Unknown owner - C:\WINDOWS\System32\ns.exe" -service (file missing)
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

ysb21189

Newbie Poster

24 posts since May 2005

Reputation Points: 10

Solved Threads: 0

7 Years Ago

after i rebooted and posted the HJT log i went into a website (NBA.com) and aurora came up again. after i exited the microsoft antispyware gave me a alert that aurora was trying to install. then i ran a scan and deleted 2 traces of Transponder.ABetterInternet.AuroraSpyware
and 1 trace of
Transponder.ABetterInternet.DrPMonSpyware
i guess this means we're not done...

ysb21189

Newbie Poster

24 posts since May 2005

Reputation Points: 10

Solved Threads: 0

7 Years Ago

Please download Nailfix from here:
http://users.pandora.be/bluepatchy/nailfix.zip
Unzip it to the desktop but please do NOT run it yet.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml

Once in Safe Mode, please double-click on Nailfix.bat. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then run Ewido, and run a full scan. Post the log from the scan here for me later when in a normal windows mode.

Then run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and post a new HijackThis log, as well as the log from the Ewido scan.

crunchie

Most Valuable Poster

Moderator

20,095 posts since Feb 2004

Reputation Points: 1,142

Solved Threads: 985

7 Years Ago

when i extracted the zip file a folder appeared on my desktop named "nailfix" and inside there is nailfix.bat and process.exe
so i moved nailfix.bat to the desktop and when i ran it in safe mode, teh samll window appeared and disappeared but my desktop didnt disappear and my documents came up.
sorry but i just wanted to make sure that this was ok.

ysb21189

Newbie Poster

24 posts since May 2005

Reputation Points: 10

Solved Threads: 0

7 Years Ago

Yes, thats right. Just complete all the above, then post the new logs :).

crunchie

Most Valuable Poster

Moderator

20,095 posts since Feb 2004

Reputation Points: 1,142

Solved Threads: 985

7 Years Ago

when i reboot in safe mode, does it matter whether im in administrator or owner?

anyways here is the ewido report:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:45:11 AM, 5/15/2005
+ Report-Checksum: 6A0484D3

+ Date of database: 5/14/2005
+ Version of scan engine: v3.0

+ Duration: 56 min
+ Scanned Files: 143222
+ Speed: 42.25 Files/Second
+ Infected files: 10
+ Removed files: 10
+ Files put in quarantine: 10
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
C:\Documents and Settings\Owner\Cookies\owner@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@stat.onestat[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@www.myaffiliateprogram[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr08AE -> Trojan.Agent.db -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\650768B2-4F43-49F3-B79B-F12419\D20C1EA2-6809-4818-A126-290750 -> Trojan.Agent.db -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\8FD627BF-8DD0-4856-B314-48B5D5\1F055D0F-044F-491B-82C9-23B0AF -> Trojan.Agent.db -> Cleaned with backup
C:\WINDOWS\cwcvfskqtvc.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Cleaned with backup
C:\WINDOWS\system32\tixdsf.exe -> Trojan.Agent.cp -> Cleaned with backup

::Report End

and the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 11:48:58 AM, on 5/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\conime.exe
C:\Documents and Settings\Owner\My Documents\bryan\edwido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search &

Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program

files\google\googletoolbar1.dll
O2 - BHO: (no name) - {C18517DA-CA70-46CE-86F4-882F6B62E975} - C:\PROGRA~1\UBIZNA~1

\MyKey\bms.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.

ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O3 - Toolbar: (no name) - {9E3849D6-41EF-4B2F-86B7-632EF90758E4} - (no file)
O3 - Toolbar: ¸¶AIA°¿oμa(&K) - {46D387E9-41FC-4F71-A7C3-B0BEB3568F00} - C:\PROGRA~1\UBIZNA~

1\MyKey\keyband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program

Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -

osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3

\hpztsb08.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /

Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /

SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /

IMEName
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [imekrmig7.0] "C:\Program Files\Common Files\Microsoft Shared\IME\IMKR7

\IMEKRMIG.EXE"
O4 - HKLM\..\Run: [NS] ns.exe
O4 - HKLM\..\Run: [IMJPMIG8.3] IMJPMIG8_3.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunServices: [NS] ns.exe
O4 - HKLM\..\RunServices: [IMJPMIG8.3] IMJPMIG8_3.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [kbdur] C:\WINDOWS\system32\kbdur.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common

Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/

cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/

cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.

dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11

\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/

cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/

cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2

re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: ¸®¼A¡ - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1

\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.gopd.co.kr
O15 - Trusted Zone: http://*.gopd.co.kr
O15 - Trusted Zone: http://cfolder.nownuri.net
O15 - Trusted Zone: http://client.nownuri.net
O15 - Trusted Zone: http://club.nownuri.net
O15 - Trusted Zone: http://help.nownuri.net
O15 - Trusted Zone: http://helpdesk.nownuri.net
O15 - Trusted Zone: http://join.nownuri.net
O15 - Trusted Zone: http://mplug.nownuri.net
O15 - Trusted Zone: http://pdsfind1.nownuri.net
O15 - Trusted Zone: http://www.nownuri.net
O15 - Trusted Zone: http://*.nownuri.net
O15 - Trusted Zone: http://adrenalin.pdbox.co.kr
O15 - Trusted Zone: http://bbs.pdbox.co.kr
O15 - Trusted Zone: http://bbs2.pdbox.co.kr
O15 - Trusted Zone: http://bbs3.pdbox.co.kr
O15 - Trusted Zone: http://bbs4.pdbox.co.kr
O15 - Trusted Zone: http://client.pdbox.co.kr
O15 - Trusted Zone: http://cp.pdbox.co.kr
O15 - Trusted Zone: http://find.pdbox.co.kr
O15 - Trusted Zone: http://ftp2.pdbox.co.kr
O15 - Trusted Zone: http://gopd.pdbox.co.kr
O15 - Trusted Zone: http://help.pdbox.co.kr
O15 - Trusted Zone: http://mboard.pdbox.co.kr
O15 - Trusted Zone: http://media.cp.pdbox.co.kr
O15 - Trusted Zone: http://mfind.pdbox.co.kr
O15 - Trusted Zone: http://my.pdbox.co.kr
O15 - Trusted Zone: http://point.pdbox.co.kr
O15 - Trusted Zone: http://shop.pdbox.co.kr
O15 - Trusted Zone: http://side.pdbox.co.kr
O15 - Trusted Zone: http://www.pdbox.co.kr
O15 - Trusted Zone: http://*.pdbox.co.kr
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 81.222.131.59
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O16 - DPF: 799BB2EC-572A-42A9-84AD-112806F4F551 -
O16 - DPF: {00001016-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter16 Class) - http://www.netmarble

.net/game/nmstarter/NMStarter16.cab
O16 - DPF: {2AE5077E-2BCD-4B77-9D19-237C882BD6AF} - http://www.monario.com/ActiveX/

monariofiledownload.cab
O16 - DPF: {35B93CED-4B24-4FA7-B143-B4F5BBBA9F7A} (BugsPatcher Control) - http://gamepatch.bugs.co .

kr/BugsPatcher.cab
O16 - DPF: {48ED5A74-A5A6-4EDE-AAC5-42D697FC3F19} (cyberX Control) - http://www.cyberoro.com/

download/cyber.cab
O16 - DPF: {48FE89A0-486C-48DF-9DEC-BED22BDC6057} (XIsOro Control) - http://www.cyberoro.com/

download/OroCheck.cab
O16 - DPF: {5876CAD0-1636-42EA-AC50-4C06F3196089} (HanGamePlugin19 Class) - http://down.hangame .

com/dist/activex/HanGamePlugin19.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/

840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {799BB2EC-572A-42A9-84AD-112806F4F551} (Imweb Control) - http://activexdown.paran.com/

paranactivex/data/imweb.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender .

com/scan/Msie/bitdefender.cab
O16 - DPF: {92E82FBB-DA00-41E0-ABFE-95482E21A4F6} (NMTransX Module) - http://download.netmarble .

com/NMChatX/NMTransX.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9/

dmcc2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www .

pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9BDBC41E-C335-4263-83C0-ECE78EE28A33} - http://ahnlabdownload.nefficient.co.kr/plugin/

myfirewall/myfirewall20.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/

mv/XTools.cab
O16 - DPF: {A1CCCFF4-0DF9-4FFC-99A3-A37A0F3D8E18} (p3bgset Class) - http://player.bugs.co.kr/install/

bugsLoader20040811.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com

/scan/ravonline.cab
O16 - DPF: {B2AEC562-9C98-459D-A596-6850EB2CE623} - http://www.omi.co.kr/search/chart_package/

comparison4.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://messenger.zone.msn.com/binary/ZIntro .

cab27571.cab
O16 - DPF: {B9DD5FFF-776D-4E53-93D3-A4463E63AD86} (CN°OAOA￠¼OCA·I±×·￥) - http://cdn.hangame .

com/hangame/messenger/hani/webmsg/HanWebMsg.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} - http://messenger.zone.msn.com/binary/Bankshot .

cab27591.cab
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/

bugsLoader20041018.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://gameguard.nefficient.co.kr/grigon/

gamegard/nProtect/keycrypt/npkcx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B194D895-CE3A-40D7-8D35-A58D582028FD}:

NameServer = 4.2.2.1 4.2.2.2
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Owner\My

Documents\bryan\edwido\security suite\ewidoctrl.exe
O23 - Service: IMJPMIG8.3 - Unknown owner - C:\WINDOWS\System32\IMJPMIG8_3.exe" -service (file

missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: NS (MSLLR) - Unknown owner - C:\WINDOWS\System32\ns.exe" -service (file missing)
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32

\nvsvc32.exe

ysb21189

Newbie Poster

24 posts since May 2005

Reputation Points: 10

Solved Threads: 0

This article has been dead for over three months

You