
Analyzing log file

Hi Experts,

My friend's computer has been acting up since she installed a program, according to her. So she tried to uninstall it from the Add/Remove Programs section, but she got an error message something like "executable file corrupted".

Here is the log file, produced with the tool from the following link:

http://www.download.com/HijackThis/3000-8022_4-10379544.html

++++++++++++
Logfile of HijackThis v1.99.1
Scan saved at 오전 2:49:03, on 2007-10-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\System32\Ati2evxx.exe
c:\Program Files\Codec Pack\v13\codecsnd.exe
c:\Program Files\Adapte\bin\v13\cdrv13.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\FASOOD~1\fph.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\booster.exe
C:\Program Files\Adapte\bin\v13\cdrv13.exe
C:\WINDOWS\system32\2048\dconcnfg.exe
C:\WINDOWS\Wsync.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\DOWNLO~1\CONFLICT.3\mysprun.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\rhfh.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\PExtService\ppext.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\musafir\Local Settings\Temp\Temporary Internet Files\Content.IE5\8TIJ6ZCD\hijackthis[1]\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WebDC - {4AAA2F98-2D2F-4938-AFB1-3EC1B51C41D9} - C:\Program Files\Fasoo DRM\f_webdc.dll
O2 - BHO: Windows IExplorer7 - {6CD1CD02-5DC1-4117-AF32-87B26783B5F0} - C:\WINDOWS\system32\scro.dll
O2 - BHO: ppext - {CE52C857-01EB-4FA2-996E-52C8D6879632} - C:\PROGRA~1\PEXTSE~1\ppext.dll
O2 - BHO: BHOster Class - {F64C2181-0062-4ED8-B6B0-72BB47BA711C} - C:\Program Files\IBS\Boos.dll
O3 - Toolbar: 네이버 툴바(&N) - {D09CFF09-A42A-4EDC-9804-E61224F59CA1} - C:\Program Files\NHN\NaverToolbar\NaverTB_0_1_20.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ibooster - {ECC9289B-F12B-4495-9F43-DD5117016035} - C:\Program Files\ibooster\iboosterbar.dll
O3 - Toolbar: iBooster - {911B96F6-B36E-4862-AA9A-AA410E540089} - C:\Program Files\IBS\CBooster.dll
O4 - HKLM\..\Run: [SpeedUp] "C:\WINDOWS\DOWNLO~1\CONFLICT.3\SpeedUp2.exe"
O4 - HKLM\..\Run: [Dr.Fasoo] "C:\Program Files\Fasoo DRM\f_drscan.exe"
O4 - HKLM\..\Run: [FPH Exe] "C:\PROGRA~1\FASOOD~1\fph.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Opti_Regi] C:\Program Files\Opti_Regi\Opti_Regi.exe b
O4 - HKLM\..\Run: [ILJPL] C:\WINDOWS\booster.exe
O4 - HKLM\..\Run: [mfree] C:\Program Files\Internet Explorer\PLUGINS\mfree.exe
O4 - HKLM\..\Run: [cdrv13] c:\Program Files\Adapte\bin\v13\cdrv13.exe
O4 - HKLM\..\Run: [hpctl13] c:\Program Files\Common Files\LGT\Engine\v13\hpctl13.exe
O4 - HKLM\..\Run: [UIOE] C:\WINDOWS\system32\Ukum\Uspss.exe
O4 - HKLM\..\Run: [SRIL] C:\WINDOWS\system32\2048\dconcnfg.exe
O4 - HKLM\..\Run: [booSync] C:\WINDOWS\Wsync.exe
O4 - HKLM\..\Run: [windefend] C:\Program Files\windefend.exe
O4 - HKLM\..\Run: [XProtect] C:\Program Files\Common Files\Microsoft Shared\MSInfo\XProtect.exe
O4 - HKLM\..\Run: [AntiSpyware SpyxPro] C:\Program Files\SpyxPro\spsvc.exe /run
O4 - HKLM\..\Run: [PPService] c:\program files\pextservice\ppextup.exe start
O4 - HKLM\..\Run: [NProtects] C:\Windows\Config\NProtects.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [KWSGuide] C:\Program Files\KWSSolution\KWSGuide.exe
O4 - HKCU\..\Run: [rhfh] c:\rhfh.exe
O4 - HKCU\..\Run: [Ahnup] C:\Program Files\Internet Explorer\SIGNUP\Ahnup.exe
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 네이버 검색 - res://C:\Program Files\NHN\NaverToolbar\NaverTB_0_1_20.dll /SEARCH.HTML
O8 - Extra context menu item: 네이버 사전 검색 - res://C:\Program Files\NHN\NaverToolbar\NaverTB_0_1_20.dll /DIC.HTML
O8 - Extra context menu item: 네이버 일한 번역 - res://C:\Program Files\NHN\NaverToolbar\NaverTB_0_1_20.dll /JKTRANS.HTML
O9 - Extra button: 리서치 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.allthegate.com
O15 - Trusted Zone: http://*.auction.co.kr
O15 - Trusted Zone: http://*.ddm.com
O15 - Trusted Zone: http://*.ddmclub.co.kr
O15 - Trusted Zone: http://*.kcp.co.kr
O15 - Trusted Zone: http://*.telec.co.kr
O15 - Trusted Zone: http://*.vpay.co.kr
O15 - Trusted Zone: http://*.yessign.or.kr
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg7.cyworld.com/ImageUpload/CyImageUpload_10217.cab
O16 - DPF: {08AC405D-A4A0-448B-8AAF-9D2903CC4A51} (EmpasSM Control) - http://download.empas.com/rel/note/x1_0_7_3/empassm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {18771CED-CFBF-48CD-A673-C36327B48A6C} (Recorder2.UCRecorder) - http://academy.winglish.com/academy/recorders/recorder2/Recorder2.CAB
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.cgntv.net/ActiveX/AlwaysOn.CAB
O16 - DPF: {2A8C9C77-DA27-4D81-BBC9-873A892CEE38} (CHZERO REMOTE CTRL) - http://www.chzero.com/urimap/urimap_activex/OCX/IMAPOCX_WEB/IMAPOCX_WEB.CAB
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - https://acs2.hanabank.com/visa3d/SCObject/scsk4.cab
O16 - DPF: {6066F243-425A-4AD8-A2AE-6BD1DE56FAEE} (PCID Class) - http://webclinic.ahnlab.com/webcomponent/speedup_plus/plugin/speedup.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123484748101
O16 - DPF: {6531D99C-0D0E-4293-B3CB-A3E1D0D41847} (AhnASP Control) - http://ahnlabdownload.nefficient.co.kr/asp/cab/AhnASP.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://download.softforum.co.kr/Published/XecureWeb/v7.0.9.2/xw_install.cab
O16 - DPF: {8C99859C-05D9-4CA5-B7DB-BCE80E4185BC} (AGSWallet Control) - http://www.allthegate.com/plugin/AGSWallet.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9_1/dmcc2.cab
O16 - DPF: {9675ABBF-8D0B-4956-868C-934B5A7928D4} - https://acs1.lottecard.co.kr/visa3d/kdfense/npv.cab
O16 - DPF: {9BDBC41E-C335-4263-83C0-ECE78EE28A33} (SysMonOCX Control) - http://webclinic.ahnlab.com/webcomponent/speedup_plus/plugin/speedup.cab
O16 - DPF: {9CDD57AC-CA86-464C-B920-3228A388CC78} (NaverFileControl Control) - http://file.naver.com/down/NaverFile.cab
O16 - DPF: {ADBB74A2-C368-4C58-B065-0BA3247019D1} (JwEditor Pro for HMC groupware system) - http://autoway.hmc.co.kr/AutowayDotNet_Hmc/Base/OCX/JwEditorPro_HMCGW.cab
O16 - DPF: {C16EE000-B9F5-42FF-8ABA-A87D38264B42} (JwUpdown2_Unicode for HMC) - http://autoway.hmc.co.kr/AutowayDotNet_Hmc/Base/OCX/JwUpdown2Uni_HMCGW.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://update.nprotect.net/keycrypt/police/npkcx.cab
O16 - DPF: {E7D2B321-435E-4037-BCCB-6694459B1DBE} (Mfile File Share Control7) - http://mfile.co.kr/mmsv/MfileWebControl2.CAB
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: codecsnd13 - Unknown owner - c:\Program Files\Codec Pack\v13\codecsnd.exe
O23 - Service: dliesvcs - Unknown owner - C:\WINDOWS\system32\dliesvcs.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver OEM12 - HP - C:\WINDOWS\system32\OEMipm12.exe

++++++++++++++++++

Please let me know if you see anything suspicious.

thx
Asked by: dkim18
 
SheharyaarSaahil commented:
lots of crap there!

Please run an Online Virus Scan first to remove any possible viruses/trojans
http://housecall.trendmicro.com/

then get SuperAntiSpyware, install and update it
http://www.superantispyware.com/

Run a full system scan from safe mode, and let it clean everything it finds,
then post back a fresh HijackThis log and we can remove the remaining infections.
 
Adam Leinss commented:
I would remove these (pretty much everything you have listed there):

O2 - BHO: Windows IExplorer7 - {6CD1CD02-5DC1-4117-AF32-87B26783B5F0} - C:\WINDOWS\system32\scro.dll
O2 - BHO: ppext - {CE52C857-01EB-4FA2-996E-52C8D6879632} - C:\PROGRA~1\PEXTSE~1\ppext.dll
O2 - BHO: BHOster Class - {F64C2181-0062-4ED8-B6B0-72BB47BA711C} - C:\Program Files\IBS\Boos.dll
O3 - Toolbar: 네이버 툴바(&N) - {D09CFF09-A42A-4EDC-9804-E61224F59CA1} - C:\Program Files\NHN\NaverToolbar\NaverTB_0_1_20.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ibooster - {ECC9289B-F12B-4495-9F43-DD5117016035} - C:\Program Files\ibooster\iboosterbar.dll
O3 - Toolbar: iBooster - {911B96F6-B36E-4862-AA9A-AA410E540089} - C:\Program Files\IBS\CBooster.dll
O4 - HKLM\..\Run: [SpeedUp] "C:\WINDOWS\DOWNLO~1\CONFLICT.3\SpeedUp2.exe"
O4 - HKLM\..\Run: [Dr.Fasoo] "C:\Program Files\Fasoo DRM\f_drscan.exe"
O4 - HKLM\..\Run: [FPH Exe] "C:\PROGRA~1\FASOOD~1\fph.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Opti_Regi] C:\Program Files\Opti_Regi\Opti_Regi.exe b
O4 - HKLM\..\Run: [ILJPL] C:\WINDOWS\booster.exe
O4 - HKLM\..\Run: [mfree] C:\Program Files\Internet Explorer\PLUGINS\mfree.exe
O4 - HKLM\..\Run: [cdrv13] c:\Program Files\Adapte\bin\v13\cdrv13.exe
O4 - HKLM\..\Run: [UIOE] C:\WINDOWS\system32\Ukum\Uspss.exe
O4 - HKLM\..\Run: [SRIL] C:\WINDOWS\system32\2048\dconcnfg.exe
O4 - HKLM\..\Run: [booSync] C:\WINDOWS\Wsync.exe
O4 - HKLM\..\Run: [windefend] C:\Program Files\windefend.exe
O4 - HKLM\..\Run: [XProtect] C:\Program Files\Common Files\Microsoft Shared\MSInfo\XProtect.exe
O4 - HKLM\..\Run: [AntiSpyware SpyxPro] C:\Program Files\SpyxPro\spsvc.exe /run
O4 - HKLM\..\Run: [PPService] c:\program files\pextservice\ppextup.exe start
O4 - HKLM\..\Run: [NProtects] C:\Windows\Config\NProtects.exe
O4 - HKCU\..\Run: [KWSGuide] C:\Program Files\KWSSolution\KWSGuide.exe
O4 - HKCU\..\Run: [rhfh] c:\rhfh.exe
O4 - HKCU\..\Run: [Ahnup] C:\Program Files\Internet Explorer\SIGNUP\Ahnup.exe
O15 - Trusted Zone: http://*.allthegate.com
O15 - Trusted Zone: http://*.auction.co.kr
O15 - Trusted Zone: http://*.ddm.com
O15 - Trusted Zone: http://*.ddmclub.co.kr
O15 - Trusted Zone: http://*.kcp.co.kr
O15 - Trusted Zone: http://*.telec.co.kr
O15 - Trusted Zone: http://*.vpay.co.kr
O15 - Trusted Zone: http://*.yessign.or.kr
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg7.cyworld.com/ImageUpload/CyImageUpload_10217.cab
O16 - DPF: {08AC405D-A4A0-448B-8AAF-9D2903CC4A51} (EmpasSM Control) - http://download.empas.com/rel/note/x1_0_7_3/empassm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {18771CED-CFBF-48CD-A673-C36327B48A6C} (Recorder2.UCRecorder) - http://academy.winglish.com/academy/recorders/recorder2/Recorder2.CAB
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.cgntv.net/ActiveX/AlwaysOn.CAB
O16 - DPF: {2A8C9C77-DA27-4D81-BBC9-873A892CEE38} (CHZERO REMOTE CTRL) - http://www.chzero.com/urimap/urimap_activex/OCX/IMAPOCX_WEB/IMAPOCX_WEB.CAB
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - https://acs2.hanabank.com/visa3d/SCObject/scsk4.cab
O16 - DPF: {6066F243-425A-4AD8-A2AE-6BD1DE56FAEE} (PCID Class) - http://webclinic.ahnlab.com/webcomponent/speedup_plus/plugin/speedup.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123484748101
O16 - DPF: {6531D99C-0D0E-4293-B3CB-A3E1D0D41847} (AhnASP Control) - http://ahnlabdownload.nefficient.co.kr/asp/cab/AhnASP.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://download.softforum.co.kr/Published/XecureWeb/v7.0.9.2/xw_install.cab
O16 - DPF: {8C99859C-05D9-4CA5-B7DB-BCE80E4185BC} (AGSWallet Control) - http://www.allthegate.com/plugin/AGSWallet.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9_1/dmcc2.cab
O16 - DPF: {9675ABBF-8D0B-4956-868C-934B5A7928D4} - https://acs1.lottecard.co.kr/visa3d/kdfense/npv.cab
O16 - DPF: {9BDBC41E-C335-4263-83C0-ECE78EE28A33} (SysMonOCX Control) - http://webclinic.ahnlab.com/webcomponent/speedup_plus/plugin/speedup.cab
O16 - DPF: {9CDD57AC-CA86-464C-B920-3228A388CC78} (NaverFileControl Control) - http://file.naver.com/down/NaverFile.cab
O16 - DPF: {ADBB74A2-C368-4C58-B065-0BA3247019D1} (JwEditor Pro for HMC groupware system) - http://autoway.hmc.co.kr/AutowayDotNet_Hmc/Base/OCX/JwEditorPro_HMCGW.cab
O16 - DPF: {C16EE000-B9F5-42FF-8ABA-A87D38264B42} (JwUpdown2_Unicode for HMC) - http://autoway.hmc.co.kr/AutowayDotNet_Hmc/Base/OCX/JwUpdown2Uni_HMCGW.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://update.nprotect.net/keycrypt/police/npkcx.cab
O16 - DPF: {E7D2B321-435E-4037-BCCB-6694459B1DBE} (Mfile File Share Control7) - http://mfile.co.kr/mmsv/MfileWebControl2.CAB
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: dliesvcs - Unknown owner - C:\WINDOWS\system32\dliesvcs.exe
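Going through a log like this by hand is tedious, so here is an added example (written for this page, not part of the thread or of HijackThis itself) that parses the O2/O4/O15 lines quoted above and flags the same warning signs the answers point at: binaries started from the drive root, bare %WINDIR%, Temp, the IE cache or a numeric system32 sub-folder, autostart names that imitate security software, and wildcard Trusted Zone entries. The location and name-mimicry heuristics are assumptions for illustration, not a HijackThis feature.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted in the question.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SRIL] C:\WINDOWS\system32\2048\dconcnfg.exe
O4 - HKLM\..\Run: [windefend] C:\Program Files\windefend.exe
O4 - HKCU\..\Run: [rhfh] c:\rhfh.exe
O15 - Trusted Zone: http://*.allthegate.com
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# First drive-letter path ending in .exe/.dll, with or without surrounding quotes.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll))"?', re.IGNORECASE)
# Autostart names that imitate security software (assumed heuristic, not from HijackThis).
MIMIC_NAMES = ("windefend", "xprotect", "antispyware", "protect")

def odd_location(path):
    """True when a binary lives where legitimate autostarts rarely do (assumption)."""
    p = path.lower()
    return (p.rsplit("\\", 1)[0] in ("c:", r"c:\windows")  # drive root or bare %WINDIR%
            # numeric system32 sub-folder, Temp, IE cache, Downloaded Program Files\CONFLICT.n
            or re.search(r"\\system32\\\d+\\|\\temp\\|content\.ie5|\\conflict\.\d+\\", p) is not None)

def triage_line(line):
    """Return (section, path_or_None, reasons) for one HijackThis line, or None if unparsable."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    pm = PATH_RE.search(body)
    path = pm.group(1) if pm else None
    reasons = []
    if section == "O15" and "*." in body:
        reasons.append("wildcard Trusted Zone entry relaxes IE security for a whole domain")
    if section == "O4":
        nm = re.search(r"\[([^\]]+)\]", body)  # the [name] of the Run value
        if nm and any(k in nm.group(1).lower() for k in MIMIC_NAMES):
            reasons.append("autostart name imitates security software; verify the publisher")
    if path and odd_location(path):
        reasons.append("binary in an unusual location: " + path)
    return section, path, reasons

def triage(log_text):
    """Map each flagged line to its reasons; lines with nothing to report are left out."""
    return {ln: r[2] for ln in log_text.strip().splitlines()
            if (r := triage_line(ln)) and r[2]}
```

`triage(SAMPLE_LOG)` returns the four flagged lines with their reasons and drops the two clean entries; a hit is a prompt to check the file's publisher and signature, not proof of infection.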
 
rpggamergirl commented:
Run these 2 tools and show us a fresh hijackthis log please.

1.  Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer.
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
* Instead of Windows loading as normal, a menu with options should appear.
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* Open the extracted folder and double click "RunThis.bat" to start the script.
* Type "Y" to begin the script.
* It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot.
* Press any key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads, the fixtool will complete the removal and display "Finished"; then press any key to end the script and load your desktop icons.
* Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file "Report.txt" back.


2.  Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.
Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
