GeekPolice
Would you like to react to this message? Create an account in a few clicks or log in to continue.

GeekPoliceLog in

 


descriptionInternet Security 2010 EmptyInternet Security 2010

more_horiz
I also followed the link http://www.geekpolice.net/malware-removal-guides-f12/remove-internet-security-2010-removal-guide-t16909.htm but malwarebytes would not be booted. I was informed that the new form of Internet Security 2010 virus blocked malwarebytes. I have no idea what to do now. HELP!

descriptionInternet Security 2010 EmptyRe: Internet Security 2010

more_horiz
Please download the current version of HijackThis from HERE

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.

descriptionInternet Security 2010 EmptyRe: Internet Security 2010

more_horiz
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 오후 4:53:14, on 12/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\ESTsoft\ALYac\AYServiceNt.aye
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\ESTsoft\ALYac\AYAgent.aye
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ESTsoft\ALToolBar\atbsvc.exe
C:\PROGRA~1\GRETECH\GomAudio\Goma.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ALToolBar BHO - {7F1A79F9-78D1-4186-9F60-EE0B63DF042A} - C:\Program Files\ESTsoft\ALToolBar\ALToolBand_1520.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: ALToolBar - {38FBE93D-4CA1-4414-AF6A-94920C5BD8DA} - C:\Program Files\ESTsoft\ALToolBar\ALToolBand_1520.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
O4 - HKLM\..\Run: [Korean IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEKR\IMKRMIG.EXE
O4 - HKLM\..\Run: [ALYac] "C:\Program Files\ESTsoft\ALYac\AYUpdate.exe" /run
O4 - HKLM\..\Run: [negajevoh] Rundll32.exe "c:\windows\system32\nokanoza.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Internet Security 2010] C:\Program Files\InternetSecurity2010\IS2010.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: 알툴바 빠른검색(&Q) - res://C:\Program Files\ESTsoft\ALToolBar\ALToolBand_1520.dll/23/SEARCH.HTML
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {2029F1D2-90E4-49EF-9824-F666D238BFF6} (NHNComicViewer Class) - http://jr.naver.com/comic/book/viewer_new/NHNComicViewer.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1256691590452
O16 - DPF: {8DC067B8-911D-473A-90F1-1171B887CDE0} (CyImage Class) - http://cyimg8.cyworld.com/ImageUpload/CyPictureU1233.cab?20081124
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FE342FC7-4374-4EBE-86DB-D73AE861F779} (NaverAXGuide Class) - http://www.puppyred.com/jsp/cooper/inc/NaverAXGuide.cab
O20 - AppInit_DLLs: c:\windows\system32\nanenipu.dll c:\windows\system32\tuhuguhi.dll c:\windows\system32\musesiwo.dll c:\windows\system32\melunule.dll buzuvivu.dll c:\windows\system32\nositinu.dll c:\windows\system32\nanawigi.dll parajami.dll c:\windows\system32\filoloye.dll c:\windows\system32\nokanoza.dll c:\windows\system32\rameleko.dll
O21 - SSODL: hugamunom - {a3b2e072-ca5e-44d1-b6f4-7952034c9a06} - (no file)
O21 - SSODL: yifubunav - {242a7281-b137-49d1-ac9a-ba05ee3d1110} - (no file)
O21 - SSODL: ligebisin - {ef1b4f05-f456-4a14-9b0b-edad2eb9e0e7} - (no file)
O21 - SSODL: kikajekiw - {89df8d99-875a-4e31-b013-771ab440bd66} - (no file)
O21 - SSODL: zuvotefoh - {27c8ca5a-2a6c-410d-b6ab-b4457e5ebc1b} - (no file)
O21 - SSODL: sofegozew - {07198b36-126b-4ab5-94cf-c1c544c1bb5f} - (no file)
O21 - SSODL: hujazinol - {ffd089a6-4357-4a54-8a8e-e1a3cc264954} - (no file)

--
End of file - 6721 bytes




Thank you so much.... :'D

descriptionInternet Security 2010 EmptyRe: Internet Security 2010

more_horiz
Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKLM\..\Run: [negajevoh] Rundll32.exe "c:\windows\system32\nokanoza.dll",a
    O4 - HKCU\..\Run: [Internet Security 2010] C:\Program Files\InternetSecurity2010\IS2010.exe
    O20 - AppInit_DLLs: c:\windows\system32\nanenipu.dll c:\windows\system32\tuhuguhi.dll c:\windows\system32\musesiwo.dll c:\windows\system32\melunule.dll buzuvivu.dll c:\windows\system32\nositinu.dll c:\windows\system32\nanawigi.dll parajami.dll c:\windows\system32\filoloye.dll c:\windows\system32\nokanoza.dll c:\windows\system32\rameleko.dll
    O21 - SSODL: hugamunom - {a3b2e072-ca5e-44d1-b6f4-7952034c9a06} - (no file)
    O21 - SSODL: yifubunav - {242a7281-b137-49d1-ac9a-ba05ee3d1110} - (no file)
    O21 - SSODL: ligebisin - {ef1b4f05-f456-4a14-9b0b-edad2eb9e0e7} - (no file)
    O21 - SSODL: kikajekiw - {89df8d99-875a-4e31-b013-771ab440bd66} - (no file)
    O21 - SSODL: zuvotefoh - {27c8ca5a-2a6c-410d-b6ab-b4457e5ebc1b} - (no file)
    O21 - SSODL: sofegozew - {07198b36-126b-4ab5-94cf-c1c544c1bb5f} - (no file)
    O21 - SSODL: hujazinol - {ffd089a6-4357-4a54-8a8e-e1a3cc264954} - (no file)


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

descriptionInternet Security 2010 EmptyRe: Internet Security 2010

more_horiz
Malware bytes still would not load... it still says, "unable to execute file" or something. :/ So I felt the need to do another log file after installing malwarebyte.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 오후 10:09:26, on 12/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\ESTsoft\ALYac\AYServiceNt.aye
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\ESTsoft\ALYac\AYAgent.aye
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ESTsoft\ALToolBar\atbsvc.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ALToolBar BHO - {7F1A79F9-78D1-4186-9F60-EE0B63DF042A} - C:\Program Files\ESTsoft\ALToolBar\ALToolBand_1520.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: ALToolBar - {38FBE93D-4CA1-4414-AF6A-94920C5BD8DA} - C:\Program Files\ESTsoft\ALToolBar\ALToolBand_1520.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
O4 - HKLM\..\Run: [Korean IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEKR\IMKRMIG.EXE
O4 - HKLM\..\Run: [ALYac] "C:\Program Files\ESTsoft\ALYac\AYUpdate.exe" /run
O4 - HKLM\..\Run: [negajevoh] Rundll32.exe "c:\windows\system32\ramegige.dll",a
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: 알툴바 빠른검색(&Q) - res://C:\Program Files\ESTsoft\ALToolBar\ALToolBand_1520.dll/23/SEARCH.HTML
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {2029F1D2-90E4-49EF-9824-F666D238BFF6} (NHNComicViewer Class) - http://jr.naver.com/comic/book/viewer_new/NHNComicViewer.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1256691590452
O16 - DPF: {8DC067B8-911D-473A-90F1-1171B887CDE0} (CyImage Class) - http://cyimg8.cyworld.com/ImageUpload/CyPictureU1233.cab?20081124
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FE342FC7-4374-4EBE-86DB-D73AE861F779} (NaverAXGuide Class) - http://www.puppyred.com/jsp/cooper/inc/NaverAXGuide.cab
O20 - AppInit_DLLs: c:\windows\system32\mekawiba.dll,jiweyiyi.dll c:\windows\system32\filoloye.dll c:\windows\system32\ramegige.dll c:\windows\system32\nokanoza.dll c:\windows\system32\rameleko.dll
O21 - SSODL: yofupisev - {13b02f55-68c5-4407-bbcc-5b433ebbfd40} - (no file)
O21 - SSODL: verisohol - {575bcee4-2bd4-4946-8133-ecbfd6ceec96} - c:\windows\system32\nokanoza.dll
O21 - SSODL: wasepepij - {8d387045-8cfa-4155-947d-9a7ad2e8737c} - c:\windows\system32\ramegige.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: kupuhivus - {a3b2e072-ca5e-44d1-b6f4-7952034c9a06} - (no file)
O22 - SharedTaskScheduler: gahurihor - {242a7281-b137-49d1-ac9a-ba05ee3d1110} - (no file)
O22 - SharedTaskScheduler: gahurihor - {ef1b4f05-f456-4a14-9b0b-edad2eb9e0e7} - (no file)
O22 - SharedTaskScheduler: gahurihor - {89df8d99-875a-4e31-b013-771ab440bd66} - (no file)
O22 - SharedTaskScheduler: kupuhivus - {27c8ca5a-2a6c-410d-b6ab-b4457e5ebc1b} - (no file)
O22 - SharedTaskScheduler: jugezatag - {07198b36-126b-4ab5-94cf-c1c544c1bb5f} - (no file)
O22 - SharedTaskScheduler: kupuhivus - {ffd089a6-4357-4a54-8a8e-e1a3cc264954} - (no file)
O22 - SharedTaskScheduler: jugezatag - {13b02f55-68c5-4407-bbcc-5b433ebbfd40} - (no file)
O22 - SharedTaskScheduler: mujuzedij - {575bcee4-2bd4-4946-8133-ecbfd6ceec96} - c:\windows\system32\nokanoza.dll
O22 - SharedTaskScheduler: tokatiluy - {8d387045-8cfa-4155-947d-9a7ad2e8737c} - c:\windows\system32\ramegige.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: ALYac_PZSrv - Unknown owner - C:\Program.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe

--
End of file - 8552 bytes


I really do appriciate it!

descriptionInternet Security 2010 EmptyRe: Internet Security 2010

more_horiz
I did another log after getting treated by Alyac(korean antivirus)

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 오전 9:48:16, on 12/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESTsoft\ALYac\AYServiceNt.aye
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\ESTsoft\ALYac\AYAgent.aye
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ESTsoft\ALToolBar\atbsvc.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ALToolBar BHO - {7F1A79F9-78D1-4186-9F60-EE0B63DF042A} - C:\Program Files\ESTsoft\ALToolBar\ALToolBand_1520.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: ALToolBar - {38FBE93D-4CA1-4414-AF6A-94920C5BD8DA} - C:\Program Files\ESTsoft\ALToolBar\ALToolBand_1520.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
O4 - HKLM\..\Run: [Korean IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEKR\IMKRMIG.EXE
O4 - HKLM\..\Run: [ALYac] "C:\Program Files\ESTsoft\ALYac\AYUpdate.exe" /run
O4 - HKLM\..\Run: [negajevoh] Rundll32.exe "c:\windows\system32\mekawiba.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: 알툴바 빠른검색(&Q) - res://C:\Program Files\ESTsoft\ALToolBar\ALToolBand_1520.dll/23/SEARCH.HTML
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {2029F1D2-90E4-49EF-9824-F666D238BFF6} (NHNComicViewer Class) - http://jr.naver.com/comic/book/viewer_new/NHNComicViewer.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1256691590452
O16 - DPF: {8DC067B8-911D-473A-90F1-1171B887CDE0} (CyImage Class) - http://cyimg8.cyworld.com/ImageUpload/CyPictureU1233.cab?20081124
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FE342FC7-4374-4EBE-86DB-D73AE861F779} (NaverAXGuide Class) - http://www.puppyred.com/jsp/cooper/inc/NaverAXGuide.cab
O20 - AppInit_DLLs: c:\windows\system32\mekawiba.dll,jiweyiyi.dll c:\windows\system32\filoloye.dll c:\windows\system32\ramegige.dll c:\windows\system32\nokanoza.dll c:\windows\system32\rameleko.dll
O21 - SSODL: yofupisev - {13b02f55-68c5-4407-bbcc-5b433ebbfd40} - (no file)
O21 - SSODL: wasepepij - {8d387045-8cfa-4155-947d-9a7ad2e8737c} - c:\windows\system32\mekawiba.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: kupuhivus - {a3b2e072-ca5e-44d1-b6f4-7952034c9a06} - (no file)
O22 - SharedTaskScheduler: gahurihor - {242a7281-b137-49d1-ac9a-ba05ee3d1110} - (no file)
O22 - SharedTaskScheduler: gahurihor - {ef1b4f05-f456-4a14-9b0b-edad2eb9e0e7} - (no file)
O22 - SharedTaskScheduler: gahurihor - {89df8d99-875a-4e31-b013-771ab440bd66} - (no file)
O22 - SharedTaskScheduler: kupuhivus - {27c8ca5a-2a6c-410d-b6ab-b4457e5ebc1b} - (no file)
O22 - SharedTaskScheduler: jugezatag - {07198b36-126b-4ab5-94cf-c1c544c1bb5f} - (no file)
O22 - SharedTaskScheduler: kupuhivus - {ffd089a6-4357-4a54-8a8e-e1a3cc264954} - (no file)
O22 - SharedTaskScheduler: jugezatag - {13b02f55-68c5-4407-bbcc-5b433ebbfd40} - (no file)
O22 - SharedTaskScheduler: tokatiluy - {8d387045-8cfa-4155-947d-9a7ad2e8737c} - c:\windows\system32\mekawiba.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: ALYac_PZSrv - Unknown owner - C:\Program.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe

--
End of file - 8273 bytes

descriptionInternet Security 2010 EmptyRe: Internet Security 2010

more_horiz
Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    Internet Security 2010 CF_download_FF

    Internet Security 2010 CF_download_rename

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    Internet Security 2010 Cf410

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

    Internet Security 2010 Cf510

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

descriptionInternet Security 2010 EmptyRe: Internet Security 2010

more_horiz
ComboFix 09-12-21.08 - Admin 12/22/2009 12:35:40.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.949.82.1033.18.1014.507 [GMT -8:00]
Running from: c:\documents and settings\Admin\My Documents\My Pictures\뜸부기\Combo-Fix.exe
AV: 알약 *On-access scanning disabled* (Updated) {B9431E5A-E196-4B6F-843A-10E01DB25461}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\InternetSecurity2010
c:\windows\system32\11478.exe
c:\windows\system32\11942.exe
c:\windows\system32\14604.exe
c:\windows\system32\15724.exe
c:\windows\system32\16827.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\23281.exe
c:\windows\system32\24464.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\28145.exe
c:\windows\system32\29358.exe
c:\windows\system32\2995.exe
c:\windows\system32\32391.exe
c:\windows\system32\3902.exe
c:\windows\system32\41.exe
c:\windows\system32\4827.exe
c:\windows\system32\491.exe
c:\windows\system32\5436.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\6to4v32.dll
c:\windows\system32\9961.exe
c:\windows\system32\AVR10.exe
c:\windows\system32\BtwSrv.dll
c:\windows\system32\certstore.dat
c:\windows\system32\dijineho.dll
c:\windows\system32\FastNetSrv.exe
c:\windows\system32\FInstall.sys
c:\windows\system32\fiwegedi.dll
c:\windows\system32\gehotimi.dll
c:\windows\system32\Iasv32.dll
c:\windows\system32\Install.txt
c:\windows\system32\jiweyiyi.dll
c:\windows\system32\kayufegi.dll
c:\windows\system32\kewowupa.dll
c:\windows\system32\kokemabo.dll
c:\windows\system32\lsm32.sys
c:\windows\system32\mozanenu.dll
c:\windows\system32\niyihese.dll
c:\windows\system32\opeia.exe
c:\windows\system32\pehezati.dll
c:\windows\system32\pejanuru.dll
c:\windows\system32\peyeduli.dll
c:\windows\system32\s067odh7hk.dll
c:\windows\system32\tarokuwe.dll
c:\windows\system32\varigisu.dll
c:\windows\system32\winhelper86.dll
c:\windows\system32\winlogon86.exe
c:\windows\system32\winsts.sys
c:\windows\system32\winupdate86.exe
c:\windows\system32\wmdtc.exe
c:\windows\system32\yarewipe.dll
c:\windows\system32\yonugese.dll
c:\windows\Tasks\iazzphxh.job
c:\windows\Tasks\jssttjxl.job
c:\windows\TEMP\mta13187.dll
c:\windows\Temp\tmp3.tmp

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\drivers\iaStor.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BTWSRV
-------\Legacy_FASTNETSRV
-------\Legacy_IAS
-------\Legacy_WINSTS
-------\Service_BtwSrv
-------\Service_fastnetsrv
-------\Service_Ias
-------\Service_winsts


((((((((((((((((((((((((( Files Created from 2009-11-22 to 2009-12-22 )))))))))))))))))))))))))))))))
.

2009-12-22 20:25 . 2009-12-22 20:25 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-12-22 18:22 . 2009-12-22 18:22 32768 ----a-w- c:\windows\system32\msaouahn.dll
2009-12-22 18:22 . 2009-12-22 18:22 31232 ----a-w- C:\waxfhosk.exe
2009-12-22 18:22 . 2009-12-22 18:22 50688 ----a-w- C:\haypsixd.exe
2009-12-22 18:22 . 2009-12-22 18:22 156160 ----a-w- C:\oqnqso.exe
2009-12-22 18:22 . 2009-12-22 18:22 52736 ----a-w- C:\uwlwfa.exe
2009-12-21 00:52 . 2009-12-21 00:52 388096 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-21 00:52 . 2009-12-21 00:52 -------- d-----w- c:\program files\TrendMicro
2009-12-19 07:23 . 2009-12-19 22:32 -------- d-----w- C:\UBCD4Win
2009-12-19 06:22 . 2009-12-19 06:22 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2009-12-19 06:16 . 2009-12-04 00:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-19 06:16 . 2009-12-19 06:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-19 06:16 . 2009-12-22 06:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-19 06:16 . 2009-12-04 00:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-19 06:16 . 2009-12-19 06:16 8322272 ----a-w- c:\documents and settings\Admin\Application Data\ESTsoft\ALUpdate\ALZIP\newfile\TEMP\ALZip80beta1.exe
2009-12-19 05:48 . 2009-12-19 05:48 -------- d-----w- c:\documents and settings\All Users\Application Data\dirupahu
2009-12-19 05:48 . 2009-12-19 05:48 -------- d-----w- c:\documents and settings\All Users\Application Data\tunayiri
2009-12-19 05:48 . 2009-12-19 05:48 -------- d-----w- c:\documents and settings\All Users\Application Data\nominenu
2009-12-17 07:06 . 2009-12-17 07:06 -------- d-----w- c:\documents and settings\Guest\Application Data\Windows Search
2009-12-15 05:41 . 2009-12-15 05:41 -------- d-----w- c:\documents and settings\Guest\Application Data\Nero
2009-11-28 04:27 . 2009-11-28 04:27 96024 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-28 04:26 . 2009-11-28 04:26 -------- d-----w- c:\documents and settings\Guest\Application Data\CyberLink
2009-11-25 05:24 . 2009-12-19 17:14 -------- d-----w- c:\documents and settings\Admin\Tracing
2009-11-25 05:23 . 2009-11-25 05:23 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-25 05:23 . 2006-11-29 21:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-11-25 05:23 . 2009-11-25 05:23 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-11-25 05:21 . 2009-11-25 05:21 -------- d-----w- c:\program files\Microsoft
2009-11-25 05:21 . 2009-12-19 17:37 -------- d-----w- c:\program files\Windows Live
2009-11-25 05:14 . 2009-11-25 05:14 -------- d-----w- c:\program files\Common Files\Windows Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-19 17:32 . 2009-10-28 01:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-19 17:31 . 2009-11-11 07:03 -------- d-----w- c:\program files\AIM Toolbar
2009-12-19 17:31 . 2009-11-11 07:02 -------- d-----w- c:\program files\Common Files\AOL
2009-12-15 06:22 . 2009-10-20 12:12 330264 ----a-w- c:\windows\system32\drivers\iaStor.sys
2009-11-28 04:34 . 2009-10-28 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-11-22 22:06 . 2009-10-28 01:11 96024 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-19 03:56 . 2009-10-28 17:52 -------- d-----w- c:\documents and settings\Admin\Application Data\ESTsoft
2009-11-19 03:54 . 2009-10-28 17:52 -------- d-----w- c:\program files\ESTsoft
2009-11-18 03:49 . 2009-10-28 18:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-18 02:10 . 2009-11-17 03:54 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\ESTsoft
2009-11-15 05:50 . 2009-11-15 05:50 -------- d-----w- c:\program files\NHN
2009-11-15 05:06 . 2009-11-15 05:06 -------- d-----w- c:\program files\Tri-d
2009-11-13 04:18 . 2009-11-13 04:18 -------- d-----w- c:\documents and settings\Guest\Application Data\EstSoft
2009-11-13 03:56 . 2009-11-13 03:56 -------- d-----w- c:\documents and settings\Admin\Application Data\ACD Systems
2009-11-12 03:15 . 2009-11-12 03:14 -------- d-----w- c:\documents and settings\All Users\Application Data\ESTsoft
2009-11-11 07:03 . 2009-11-11 07:03 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-10-28 20:43 . 2009-10-28 01:04 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-10-28 20:13 . 2009-10-28 19:54 -------- d-----w- c:\documents and settings\Admin\Application Data\GRETECH
2009-10-28 19:54 . 2009-10-28 19:54 -------- d-----w- c:\documents and settings\Admin\Application Data\Hnc
2009-10-28 19:27 . 2009-10-28 19:27 -------- d-----w- c:\documents and settings\All Users\Application Data\ALM
2009-10-28 19:17 . 2009-10-28 19:04 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-28 19:09 . 2009-10-28 19:09 -------- d-----w- c:\program files\Bonjour
2009-10-28 19:05 . 2009-10-28 19:05 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-10-28 18:30 . 2009-10-28 18:30 -------- d-----w- c:\program files\Microsoft Works
2009-10-28 18:30 . 2009-10-28 02:12 -------- d-----w- c:\program files\MSBuild
2009-10-28 18:29 . 2009-10-28 18:29 -------- d-----w- c:\program files\Microsoft.NET
2009-10-28 18:28 . 2009-10-28 18:28 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-10-28 18:24 . 2009-10-28 18:24 -------- d-----w- c:\program files\Common Files\GRETECH
2009-10-28 18:24 . 2009-10-28 18:24 -------- d-----w- c:\program files\GRETECH
2009-10-28 18:22 . 2009-10-28 18:22 -------- d-----w- c:\documents and settings\Admin\Application Data\Nero
2009-10-28 18:21 . 2009-10-28 18:20 -------- d-----w- c:\program files\Common Files\Nero
2009-10-28 18:20 . 2009-10-28 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-10-28 18:20 . 2009-10-28 18:20 -------- d-----w- c:\program files\Nero
2009-10-28 18:10 . 2009-10-28 18:10 -------- d-----w- c:\documents and settings\Admin\Application Data\CyberLink
2009-10-28 18:09 . 2009-10-28 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2009-10-28 18:09 . 2009-10-28 18:09 -------- d-----w- c:\program files\CyberLink
2009-10-28 17:59 . 2009-10-28 17:59 -------- d-----w- c:\program files\Common Files\Hnc
2009-10-28 17:59 . 2009-10-28 17:59 -------- d-----w- c:\program files\eps
2009-10-28 17:55 . 2009-10-28 17:55 -------- d-----w- c:\program files\DVD Region-Free
2009-10-28 17:40 . 2009-10-28 17:40 128 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\fusioncache.dat
2009-10-28 17:12 . 2009-10-28 02:08 -------- d-----w- c:\program files\Windows Desktop Search
2009-10-28 02:12 . 2009-10-28 02:12 -------- d-----w- c:\program files\Reference Assemblies
2009-10-28 02:09 . 2009-10-28 02:09 -------- d-----w- c:\documents and settings\Admin\Application Data\Windows Desktop Search
2009-10-28 02:08 . 2009-10-28 02:08 -------- d-----w- c:\program files\Windows Media Connect 2
2009-10-28 01:58 . 2009-10-28 01:58 -------- d-----w- c:\program files\Common Files\ACD Systems
2009-10-28 01:58 . 2009-10-28 01:58 -------- d-----w- c:\program files\ACD Systems
2009-10-28 01:58 . 2009-10-28 01:58 -------- d-----w- c:\documents and settings\All Users\Application Data\ACD Systems
2009-10-28 01:56 . 2009-10-28 01:56 -------- d-----w- c:\program files\Marvell
2009-10-28 01:36 . 2009-10-28 01:01 -------- d-----w- c:\program files\TOSHIBA
2009-10-28 01:34 . 2009-10-28 01:34 -------- d-----w- c:\program files\Synaptics
2009-10-28 01:34 . 2009-10-28 01:01 -------- d-----w- c:\program files\Common Files\InstallShield
2009-10-28 01:31 . 2009-10-28 01:31 -------- d-----w- c:\program files\ltmoh
2009-10-28 01:21 . 2009-10-28 01:38 -------- d-----w- c:\program files\Intel
2009-10-28 01:21 . 2009-10-28 01:21 -------- d-----w- c:\program files\USB 2.0 Card Reader
2009-10-28 01:19 . 2009-10-28 01:19 315392 ----a-w- c:\windows\HideWin.exe
2009-10-28 01:19 . 2009-10-28 01:19 -------- d-----w- c:\program files\Realtek
2009-10-28 01:04 . 2009-10-28 01:04 -------- d-----w- c:\program files\microsoft frontpage
2009-10-28 01:03 . 2009-10-28 01:03 -------- d-----w- c:\documents and settings\Admin\Application Data\InstallShield
2009-10-28 01:01 . 2009-10-28 01:01 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-10-28 01:01 . 2009-10-28 01:01 -------- d-----w- c:\documents and settings\Admin\Application Data\WinBatch
2009-10-08 22:57 . 2008-07-30 03:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 22:57 . 2001-08-23 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 22:56 . 2001-08-23 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2009-09-22 18:00 . 2009-09-22 18:00 61952 --sha-w- c:\windows\system32\gufudega.dll
2009-09-22 06:00 . 2009-09-22 06:00 51712 --sha-w- c:\windows\system32\wazuloro.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a51e7b09-6688-4397-9db4-5dfa2535c0c2}]
2009-09-22 06:00 51712 --sha-w- c:\windows\system32\wazuloro.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-13 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-13 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2008-08-30 360448]
"TPSMain"="TPSMain.exe" [2007-10-08 262144]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-04-10 159744]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1343488]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-14 311296]
"Korean IME Migration"="c:\progra~1\COMMON~1\MICROS~1\IME12\IMEKR\IMKRMIG.EXE" [2006-10-26 26400]
"ALYac"="c:\program files\ESTsoft\ALYac\AYUpdate.exe" [2008-11-07 79304]
"tqammy"="c:\windows\system32\msaouahn.dll" [2009-12-22 32768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"= 1 (0x1)
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\progra~1\DVDREG~1\DVDShell.dll" [2003-08-26 49152]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2007-05-11 05:46 624248 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-04 02:43 69632 ----a-w- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
2007-11-15 06:10 91432 ----a-w- c:\program files\CyberLink\Shared files\brs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-08-03 19:51 202024 ----a-w- c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 03:42 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HncUpdate]
2006-07-16 22:00 475136 ----a-w- c:\program files\Common Files\Hnc\HncUtils\HncUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-07-05 00:13 166424 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-07-05 00:13 141848 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
2007-01-09 22:23 191552 ------w- c:\program files\ltmoh\ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2007-08-08 16:25 1828136 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 22:57 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVD8LanguageShortcut]
2007-12-14 18:36 50472 ----a-w- c:\program files\CyberLink\PowerDVD8\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-07-05 00:13 137752 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl8]
2008-02-19 01:33 77824 ------w- c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-04-08 00:40 16860672 ----a-w- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Nero\\Lib\\NMIndexingService.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [02/01/2008 오후 4:24 41456]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [03/26/2007 오후 12:22 105856]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [02/19/2007 오후 12:15 134016]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [10/27/2009 오후 5:01 5888]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [10/27/2009 오후 5:00 341376]
S3 AYDrvSP_ALYAC;AYDrvSP_ALYAC;c:\program files\ESTsoft\ALYac\AYDrvSP.sys [02/03/2009 오전 4:49 24312]
S3 ndisdrv;ndisdrv;c:\windows\system32\ndisdrv.sys [04/13/2008 오후 7:41 2304]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTS5121.sys --> c:\windows\system32\Drivers\RTS5121.sys [?]
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: 알툴바 빠른검색(&Q) - c:\program files\ESTsoft\ALToolBar\ALToolBand_1520.dll/23/SEARCH.HTML
DPF: {2029F1D2-90E4-49EF-9824-F666D238BFF6} - hxxp://jr.naver.com/comic/book/viewer_new/NHNComicViewer.cab
DPF: {8DC067B8-911D-473A-90F1-1171B887CDE0} - hxxp://cyimg8.cyworld.com/ImageUpload/CyPictureU1233.cab?20081124
DPF: {FE342FC7-4374-4EBE-86DB-D73AE861F779} - hxxp://www.puppyred.com/jsp/cooper/inc/NaverAXGuide.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
HKLM-Run-negajevoh - c:\windows\system32\gehotimi.dll
HKLM-Run-raguvebuba - niyihese.dll
SharedTaskScheduler-{a3b2e072-ca5e-44d1-b6f4-7952034c9a06} - (no file)
SharedTaskScheduler-{242a7281-b137-49d1-ac9a-ba05ee3d1110} - (no file)
SharedTaskScheduler-{ef1b4f05-f456-4a14-9b0b-edad2eb9e0e7} - (no file)
SharedTaskScheduler-{89df8d99-875a-4e31-b013-771ab440bd66} - (no file)
SharedTaskScheduler-{27c8ca5a-2a6c-410d-b6ab-b4457e5ebc1b} - (no file)
SharedTaskScheduler-{07198b36-126b-4ab5-94cf-c1c544c1bb5f} - (no file)
SharedTaskScheduler-{ffd089a6-4357-4a54-8a8e-e1a3cc264954} - (no file)
SharedTaskScheduler-{13b02f55-68c5-4407-bbcc-5b433ebbfd40} - (no file)
SharedTaskScheduler-{45ec8c6c-0511-440a-aa97-0f9e9b905101} - c:\windows\system32\gehotimi.dll
SSODL-yofupisev-{13b02f55-68c5-4407-bbcc-5b433ebbfd40} - (no file)
SSODL-gutavibes-{45ec8c6c-0511-440a-aa97-0f9e9b905101} - c:\windows\system32\gehotimi.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-22 12:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...


c:\windows\system32\wuapi.dll.wusetup.135140.bak 561688 bytes executable
c:\windows\system32\wuauclt.exe.wusetup.135187.bak 51224 bytes executable
c:\windows\system32\wuaueng.dll.wusetup.135453.bak 1809944 bytes executable

scan completed successfully
hȋdden files: 3

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ALYac_PZSrv]
"ImagePath"="c:\program files\ESTsoft\ALYac\AYServiceNt.aye"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5e,68,23,7a,36,8d,ac,4d,9a,fe,c5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5e,68,23,7a,36,8d,ac,4d,9a,fe,c5,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\IMKR12.IME

- - - - - - - > 'explorer.exe'(1544)
c:\windows\system32\IMKR12.IME
c:\windows\system32\ieframe.dll
c:\windows\system32\msaouahn.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\agrsmsvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\system32\TODDSrv.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\conime.exe
c:\windows\system32\TPSMain.exe
c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\windows\system32\TPSBattM.exe
c:\program files\ESTsoft\ALYac\AYAgent.aye
.
**************************************************************************
.
Completion time: 2009-12-22 12:49:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-22 20:49

Pre-Run: 233,903,595,520 bytes free
Post-Run: 234,806,456,320 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - F3CEDCF988A2B4A5793944D3968CB177


I didn't get to read everything of your reply, but combofix did everything by itself. Thank you so much! Is this the end to it?

descriptionInternet Security 2010 EmptyRe: Internet Security 2010

more_horiz
Hello.
Sorry, not yet, still more malware hiding.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\windows\system32\msaouahn.dll
    C:\waxfhosk.exe
    C:\haypsixd.exe
    C:\oqnqso.exe
    C:\uwlwfa.exe
    c:\windows\system32\gufudega.dll
    c:\windows\system32\wazuloro.dll

    Folder::
    c:\documents and settings\All Users\Application Data\dirupahu
    c:\documents and settings\All Users\Application Data\tunayiri
    c:\documents and settings\All Users\Application Data\nominenu

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a51e7b09-6688-4397-9db4-5dfa2535c0c2}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "tqammy"=-

  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    Internet Security 2010 Cfscriptb4i

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

descriptionInternet Security 2010 EmptyRe: Internet Security 2010

more_horiz
ComboFix 09-12-21.08 - Admin 12/22/2009 18:11:32.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.949.82.1033.18.1014.601 [GMT -8:00]
Running from: c:\documents and settings\Admin\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
AV: 알약 *On-access scanning disabled* (Updated) {B9431E5A-E196-4B6F-843A-10E01DB25461}

FILE ::
"C:\haypsixd.exe"
"C:\oqnqso.exe"
"C:\uwlwfa.exe"
"C:\waxfhosk.exe"
"c:\windows\system32\gufudega.dll"
"c:\windows\system32\msaouahn.dll"
"c:\windows\system32\wazuloro.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\dirupahu
c:\documents and settings\All Users\Application Data\dirupahu\dirupahu.dll
c:\documents and settings\All Users\Application Data\nominenu
c:\documents and settings\All Users\Application Data\nominenu\nominenu.dll
c:\documents and settings\All Users\Application Data\tunayiri
c:\documents and settings\All Users\Application Data\tunayiri\tunayiri.dll
C:\haypsixd.exe
C:\oqnqso.exe
C:\uwlwfa.exe
C:\waxfhosk.exe
c:\windows\system32\gufudega.dll
c:\windows\system32\msaouahn.dll
c:\windows\system32\wazuloro.dll

.
((((((((((((((((((((((((( Files Created from 2009-11-23 to 2009-12-23 )))))))))))))))))))))))))))))))
.

2009-12-22 20:25 . 2009-12-22 20:25 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-12-21 00:52 . 2009-12-21 00:52 388096 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-21 00:52 . 2009-12-21 00:52 -------- d-----w- c:\program files\TrendMicro
2009-12-19 07:23 . 2009-12-19 22:32 -------- d-----w- C:\UBCD4Win
2009-12-19 06:22 . 2009-12-19 06:22 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2009-12-19 06:16 . 2009-12-04 00:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-19 06:16 . 2009-12-19 06:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-19 06:16 . 2009-12-22 06:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-19 06:16 . 2009-12-04 00:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-19 06:16 . 2009-12-19 06:16 8322272 ----a-w- c:\documents and settings\Admin\Application Data\ESTsoft\ALUpdate\ALZIP\newfile\TEMP\ALZip80beta1.exe
2009-12-17 07:06 . 2009-12-17 07:06 -------- d-----w- c:\documents and settings\Guest\Application Data\Windows Search
2009-12-15 05:41 . 2009-12-15 05:41 -------- d-----w- c:\documents and settings\Guest\Application Data\Nero
2009-11-28 04:27 . 2009-11-28 04:27 96024 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-28 04:26 . 2009-11-28 04:26 -------- d-----w- c:\documents and settings\Guest\Application Data\CyberLink
2009-11-25 05:24 . 2009-12-19 17:14 -------- d-----w- c:\documents and settings\Admin\Tracing
2009-11-25 05:23 . 2009-11-25 05:23 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-25 05:23 . 2006-11-29 21:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-11-25 05:23 . 2009-11-25 05:23 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-11-25 05:21 . 2009-11-25 05:21 -------- d-----w- c:\program files\Microsoft
2009-11-25 05:21 . 2009-12-19 17:37 -------- d-----w- c:\program files\Windows Live
2009-11-25 05:14 . 2009-11-25 05:14 -------- d-----w- c:\program files\Common Files\Windows Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-19 17:32 . 2009-10-28 01:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-19 17:31 . 2009-11-11 07:03 -------- d-----w- c:\program files\AIM Toolbar
2009-12-19 17:31 . 2009-11-11 07:02 -------- d-----w- c:\program files\Common Files\AOL
2009-12-15 06:22 . 2009-10-20 12:12 330264 ----a-w- c:\windows\system32\drivers\iaStor.sys
2009-11-28 04:34 . 2009-10-28 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-11-22 22:06 . 2009-10-28 01:11 96024 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-19 03:56 . 2009-10-28 17:52 -------- d-----w- c:\documents and settings\Admin\Application Data\ESTsoft
2009-11-19 03:54 . 2009-10-28 17:52 -------- d-----w- c:\program files\ESTsoft
2009-11-18 03:49 . 2009-10-28 18:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-18 02:10 . 2009-11-17 03:54 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\ESTsoft
2009-11-15 05:50 . 2009-11-15 05:50 -------- d-----w- c:\program files\NHN
2009-11-15 05:06 . 2009-11-15 05:06 -------- d-----w- c:\program files\Tri-d
2009-11-13 04:18 . 2009-11-13 04:18 -------- d-----w- c:\documents and settings\Guest\Application Data\EstSoft
2009-11-13 03:56 . 2009-11-13 03:56 -------- d-----w- c:\documents and settings\Admin\Application Data\ACD Systems
2009-11-12 03:15 . 2009-11-12 03:14 -------- d-----w- c:\documents and settings\All Users\Application Data\ESTsoft
2009-11-11 07:03 . 2009-11-11 07:03 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-10-28 20:43 . 2009-10-28 01:04 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-10-28 20:13 . 2009-10-28 19:54 -------- d-----w- c:\documents and settings\Admin\Application Data\GRETECH
2009-10-28 19:54 . 2009-10-28 19:54 -------- d-----w- c:\documents and settings\Admin\Application Data\Hnc
2009-10-28 19:27 . 2009-10-28 19:27 -------- d-----w- c:\documents and settings\All Users\Application Data\ALM
2009-10-28 19:17 . 2009-10-28 19:04 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-28 19:09 . 2009-10-28 19:09 -------- d-----w- c:\program files\Bonjour
2009-10-28 19:05 . 2009-10-28 19:05 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-10-28 18:30 . 2009-10-28 18:30 -------- d-----w- c:\program files\Microsoft Works
2009-10-28 18:30 . 2009-10-28 02:12 -------- d-----w- c:\program files\MSBuild
2009-10-28 18:29 . 2009-10-28 18:29 -------- d-----w- c:\program files\Microsoft.NET
2009-10-28 18:28 . 2009-10-28 18:28 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-10-28 18:24 . 2009-10-28 18:24 -------- d-----w- c:\program files\Common Files\GRETECH
2009-10-28 18:24 . 2009-10-28 18:24 -------- d-----w- c:\program files\GRETECH
2009-10-28 18:22 . 2009-10-28 18:22 -------- d-----w- c:\documents and settings\Admin\Application Data\Nero
2009-10-28 18:21 . 2009-10-28 18:20 -------- d-----w- c:\program files\Common Files\Nero
2009-10-28 18:20 . 2009-10-28 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-10-28 18:20 . 2009-10-28 18:20 -------- d-----w- c:\program files\Nero
2009-10-28 18:10 . 2009-10-28 18:10 -------- d-----w- c:\documents and settings\Admin\Application Data\CyberLink
2009-10-28 18:09 . 2009-10-28 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2009-10-28 18:09 . 2009-10-28 18:09 -------- d-----w- c:\program files\CyberLink
2009-10-28 17:59 . 2009-10-28 17:59 -------- d-----w- c:\program files\Common Files\Hnc
2009-10-28 17:59 . 2009-10-28 17:59 -------- d-----w- c:\program files\eps
2009-10-28 17:55 . 2009-10-28 17:55 -------- d-----w- c:\program files\DVD Region-Free
2009-10-28 17:40 . 2009-10-28 17:40 128 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\fusioncache.dat
2009-10-28 17:12 . 2009-10-28 02:08 -------- d-----w- c:\program files\Windows Desktop Search
2009-10-28 02:12 . 2009-10-28 02:12 -------- d-----w- c:\program files\Reference Assemblies
2009-10-28 02:09 . 2009-10-28 02:09 -------- d-----w- c:\documents and settings\Admin\Application Data\Windows Desktop Search
2009-10-28 02:08 . 2009-10-28 02:08 -------- d-----w- c:\program files\Windows Media Connect 2
2009-10-28 01:58 . 2009-10-28 01:58 -------- d-----w- c:\program files\Common Files\ACD Systems
2009-10-28 01:58 . 2009-10-28 01:58 -------- d-----w- c:\program files\ACD Systems
2009-10-28 01:58 . 2009-10-28 01:58 -------- d-----w- c:\documents and settings\All Users\Application Data\ACD Systems
2009-10-28 01:56 . 2009-10-28 01:56 -------- d-----w- c:\program files\Marvell
2009-10-28 01:36 . 2009-10-28 01:01 -------- d-----w- c:\program files\TOSHIBA
2009-10-28 01:34 . 2009-10-28 01:34 -------- d-----w- c:\program files\Synaptics
2009-10-28 01:34 . 2009-10-28 01:01 -------- d-----w- c:\program files\Common Files\InstallShield
2009-10-28 01:31 . 2009-10-28 01:31 -------- d-----w- c:\program files\ltmoh
2009-10-28 01:21 . 2009-10-28 01:38 -------- d-----w- c:\program files\Intel
2009-10-28 01:21 . 2009-10-28 01:21 -------- d-----w- c:\program files\USB 2.0 Card Reader
2009-10-28 01:19 . 2009-10-28 01:19 315392 ----a-w- c:\windows\HideWin.exe
2009-10-28 01:19 . 2009-10-28 01:19 -------- d-----w- c:\program files\Realtek
2009-10-28 01:04 . 2009-10-28 01:04 -------- d-----w- c:\program files\microsoft frontpage
2009-10-28 01:03 . 2009-10-28 01:03 -------- d-----w- c:\documents and settings\Admin\Application Data\InstallShield
2009-10-28 01:01 . 2009-10-28 01:01 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-10-28 01:01 . 2009-10-28 01:01 -------- d-----w- c:\documents and settings\Admin\Application Data\WinBatch
2009-10-08 22:57 . 2008-07-30 03:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 22:57 . 2001-08-23 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 22:56 . 2001-08-23 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-12-22_20.45.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-16 22:09 . 2009-08-07 03:24 44768 c:\windows\system32\wups2.dll
+ 2009-10-28 01:02 . 2009-08-07 03:24 35552 c:\windows\system32\wups.dll
+ 2009-10-28 01:02 . 2009-08-07 03:24 53472 c:\windows\system32\wuauclt.exe
+ 2009-12-22 20:46 . 2009-08-07 03:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll
+ 2009-12-22 20:46 . 2009-08-07 03:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
+ 2009-10-28 01:02 . 2009-08-07 03:24 35552 c:\windows\system32\dllcache\wups.dll
+ 2009-10-28 01:02 . 2009-08-07 03:24 53472 c:\windows\system32\dllcache\wuauclt.exe
+ 2008-04-14 03:41 . 2009-08-07 03:24 96480 c:\windows\system32\dllcache\cdm.dll
+ 2008-04-14 03:41 . 2009-08-07 03:24 96480 c:\windows\system32\cdm.dll
+ 2009-10-28 01:02 . 2009-08-07 03:24 209632 c:\windows\system32\wuweb.dll
+ 2009-10-28 01:02 . 2009-08-07 03:24 327896 c:\windows\system32\wucltui.dll
+ 2009-10-28 01:02 . 2009-08-07 03:23 575704 c:\windows\system32\wuapi.dll
+ 2009-10-28 01:02 . 2009-08-07 03:24 209632 c:\windows\system32\dllcache\wuweb.dll
+ 2009-10-28 01:02 . 2009-08-07 03:24 327896 c:\windows\system32\dllcache\wucltui.dll
+ 2009-10-28 01:02 . 2009-08-07 03:23 575704 c:\windows\system32\dllcache\wuapi.dll
+ 2009-10-28 01:02 . 2009-08-07 03:23 1929952 c:\windows\system32\wuaueng.dll
+ 2009-10-28 01:02 . 2009-08-07 03:23 1929952 c:\windows\system32\dllcache\wuaueng.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-13 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-13 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2008-08-30 360448]
"TPSMain"="TPSMain.exe" [2007-10-08 262144]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-04-10 159744]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1343488]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-14 311296]
"Korean IME Migration"="c:\progra~1\COMMON~1\MICROS~1\IME12\IMEKR\IMKRMIG.EXE" [2006-10-26 26400]
"ALYac"="c:\program files\ESTsoft\ALYac\AYUpdate.exe" [2008-11-07 79304]
"raguvebuba"="niyihese.dll" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"= 1 (0x1)
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\progra~1\DVDREG~1\DVDShell.dll" [2003-08-26 49152]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2007-05-11 05:46 624248 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-04 02:43 69632 ----a-w- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
2007-11-15 06:10 91432 ----a-w- c:\program files\CyberLink\Shared files\brs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-08-03 19:51 202024 ----a-w- c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 03:42 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HncUpdate]
2006-07-16 22:00 475136 ----a-w- c:\program files\Common Files\Hnc\HncUtils\HncUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-07-05 00:13 166424 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-07-05 00:13 141848 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
2007-01-09 22:23 191552 ------w- c:\program files\ltmoh\ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2007-08-08 16:25 1828136 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 22:57 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVD8LanguageShortcut]
2007-12-14 18:36 50472 ----a-w- c:\program files\CyberLink\PowerDVD8\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-07-05 00:13 137752 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl8]
2008-02-19 01:33 77824 ------w- c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-04-08 00:40 16860672 ----a-w- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Nero\\Lib\\NMIndexingService.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\conime.exe"=
"c:\\WINDOWS\\system32\\TPSBattM.exe"=

R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [02/01/2008 오후 4:24 41456]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [03/26/2007 오후 12:22 105856]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [02/19/2007 오후 12:15 134016]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [10/27/2009 오후 5:01 5888]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [10/27/2009 오후 5:00 341376]
S3 AYDrvSP_ALYAC;AYDrvSP_ALYAC;c:\program files\ESTsoft\ALYac\AYDrvSP.sys [02/03/2009 오전 4:49 24312]
S3 ndisdrv;ndisdrv;c:\windows\system32\ndisdrv.sys [04/13/2008 오후 7:41 2304]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTS5121.sys --> c:\windows\system32\Drivers\RTS5121.sys [?]
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: 알툴바 빠른검색(&Q) - c:\program files\ESTsoft\ALToolBar\ALToolBand_1520.dll/23/SEARCH.HTML
DPF: {2029F1D2-90E4-49EF-9824-F666D238BFF6} - hxxp://jr.naver.com/comic/book/viewer_new/NHNComicViewer.cab
DPF: {8DC067B8-911D-473A-90F1-1171B887CDE0} - hxxp://cyimg8.cyworld.com/ImageUpload/CyPictureU1233.cab?20081124
DPF: {FE342FC7-4374-4EBE-86DB-D73AE861F779} - hxxp://www.puppyred.com/jsp/cooper/inc/NaverAXGuide.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-22 18:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ALYac_PZSrv]
"ImagePath"="c:\program files\ESTsoft\ALYac\AYServiceNt.aye"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5e,68,23,7a,36,8d,ac,4d,9a,fe,c5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5e,68,23,7a,36,8d,ac,4d,9a,fe,c5,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\IMKR12.IME

- - - - - - - > 'explorer.exe'(3172)
c:\windows\system32\IMKR12.IME
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\agrsmsvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\conime.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\system32\TODDSrv.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\TPSMain.exe
c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\windows\system32\TPSBattM.exe
c:\program files\ESTsoft\ALYac\AYAgent.aye
.
**************************************************************************
.
Completion time: 2009-12-22 18:21:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-23 02:21
ComboFix2.txt 2009-12-22 20:49

Pre-Run: 234,667,134,976 bytes free
Post-Run: 234,683,994,112 bytes free

- - End Of File - - 761B0AA9D10816F6E2DD0D2DC3410D61







Thank You!

descriptionInternet Security 2010 EmptyRe: Internet Security 2010

more_horiz
Okay, that looks like it took care of the malware problem, but a few issues still remain.

What AV are you using, did you have one installed before and it didn't work?

descriptionInternet Security 2010 EmptyRe: Internet Security 2010

more_horiz
Nope, my antivirus is Alyac, and it is Korean. It takes care of internationally common viruses, and my mom downloaded it for me. :]

I think my AV isn't strong/smart enough to find hiding malwares. It is an AV that JUST became international, and I used to use it in Korea.

So it is all finished? No more?

descriptionInternet Security 2010 EmptyRe: Internet Security 2010

more_horiz
Ah, no wonder. Combofix log says you have an antivirus installed, but just shows me it as weird symbols.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?

descriptionInternet Security 2010 EmptyRe: Internet Security 2010

more_horiz
The machine works as good as new. Thanks! I uninstalled the ComboFix. This site helped alot! I'm going to beg my mom to donate to this site. :]

descriptionInternet Security 2010 EmptyNeed help

more_horiz
Moderated Message: Hello, your comment has been removed. Please do not post in another member's topic. If you need help, please read this over and click here to open a new topic.

descriptionInternet Security 2010 EmptyRe: Internet Security 2010

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum