
Help: Trojan horse "dlm.exe", "dl.exe"

Discussion in 'Virus & Other Malware Removal' started by yeonseop, Apr 14, 2004.

Thread Status:
Not open for further replies.
  1. yeonseop

    yeonseop Thread Starter

    Joined:
    Apr 14, 2004
    Messages:
    3
    My friend's laptop has experienced a "Trojan horse - dlm.exe, dl.exe" problem. I helped him to fix this by using Hijackthis, AdAware, and Spybot. After cleaning the computer, I installed "Zone alarm" to prevent further problems. At the moment, it seems to work well except for one website. If I try to connect to the site using "Internet explorer", IE generates error messages.

    The following is the log file generated by "Hijackthis". It has a lot of "O4 - Startup: xxx_{xxx}.tmp" lines. I deleted most of them and inserted dots since the file size of the log file is too big (258kb). Thanks.

    >---------------------------------------
    Logfile of HijackThis v1.97.7
    Scan saved at 10:13:35 PM, on 2004-04-13
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
    C:\PROGRAM FILES\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SMCTRLW.EXE
    C:\WINDOWS\SYSTEM\CTRLVOL.EXE
    C:\WINDOWS\SYSTEM\KEYMAP.EXE
    C:\PROGRAM FILES\THINKPAD\EASY LAUNCH BUTTONS\TPHKMGR.EXE
    C:\PROGRAM FILES\SLEEP MANAGER\SLEEPMGR.EXE
    C:\WINDOWS\LTSMMSG.EXE
    C:\CFGSAFE\AUTOCHK.EXE
    C:\WINDOWS\SYSTEM\DAEMON.EXE
    C:\PROGRAM FILES\MDL CROSSFIRE COMMANDER V6\XFDLINK.EXE
    C:\PROGRAM FILES\MYLINKER\MYLINKER.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
    C:\WINDOWS\KEYACC32.EXE
    C:\PROGRAM FILES\THINKPAD\EASY LAUNCH BUTTONS\EZICON.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\THINKPAD\EASY LAUNCH BUTTONS\TPONSCR.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
    C:\UTILITY\HJT\HIJACKTHIS.EXE

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O3 - Toolbar: ????? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [internat.exe] internat.exe
    O4 - HKLM\..\Run: [·¹Áö½ºÆ®¸® °Ë»ç] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Control Panel] smctrlw.exe
    O4 - HKLM\..\Run: [CtrlVolume] C:\WINDOWS\SYSTEM\CtrlVol.exe
    O4 - HKLM\..\Run: [Keymap] C:\WINDOWS\SYSTEM\Keymap.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\THINKPAD\EASYLA~1\TPHKMGR.EXE
    O4 - HKLM\..\Run: [SleepManager] "C:\Program Files\Sleep Manager\SleepMgr.exe"
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\AUTOCHK.EXE
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [TrackPointSrv] daemon.exe
    O4 - HKLM\..\Run: [XfDLink] "C:\PROGRAM FILES\MDL CROSSFIRE COMMANDER V6\XFDLINK.EXE"
    O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [myLinker] C:\PROGRA~1\MYLINKER\MYLINKER.EXE /B
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
    O4 - HKLM\..\RunServices: [CVPND] "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" start
    O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
    O4 - HKCU\..\Run: [KeyAccess] c:\WINDOWS\keyacc32.exe
    O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRAM FILES\SYSTEM SOAP PRO\SOAP.exe min
    O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: ADDLFNPR.REG
    O4 - Startup: BLUE10.BMP
    O4 - Startup: EPSTPLOG.TXT
    O4 - Startup: DEFAULT.WBM
    O4 - Startup: DOSSTART.BAT
    O4 - Startup: IBM1024R.BMP
    O4 - Startup: IBML1024.BMP
    O4 - Startup: KIDS10.BMP
    O4 - Startup: MANCH10.BMP
    O4 - Startup: MARK.GIF
    O4 - Startup: MONTAG10.BMP
    O4 - Startup: MOUSE.COM
    O4 - Startup: NEWGRA10.BMP
    O4 - Startup: QUAD10.BMP
    O4 - Startup: RUN10.BMP
    O4 - Startup: THINK10.BMP
    O4 - Startup: WOMAN10.BMP
    O4 - Startup: MSDOS.SYS
    O4 - Startup: WINSOCK.DLL
    O4 - Startup: WIN.INI
    O4 - Startup: HWINFO.EXE
    O4 - Startup: NETDET.INI
    O4 - Startup: PIDGEN.DLL
    O4 - Startup: MSIMGSIZ.DAT
    O4 - Startup: LICENSE.TXT
    O4 - Startup: SUPPORT.TXT
    O4 - Startup: BILING.SYS
    O4 - Startup: MPLAYER.EXE
    O4 - Startup: RUNHELP.CAB
    O4 - Startup: JAUTOEXP.DAT
    O4 - Startup: NDDEAPI.DLL
    O4 - Startup: NDDENB.DLL
    O4 - Startup: SCRIPT.DOC
    O4 - Startup: CLSPACK.EXE
    O4 - Startup: DOSREP.EXE
    O4 - Startup: DRWATSON.EXE
    O4 - Startup: EXPLORER.EXE
    O4 - Startup: FONTVIEW.EXE
    O4 - Startup: USER.DAT
    O4 - Startup: ODBC.INI
    O4 - Startup: ISO10646.EXE
    O4 - Startup: WININIT.SAV
    O4 - Startup: NETDDE.EXE
    O4 - Startup: PIDSET.EXE
    O4 - Startup: SETDEBUG.EXE
    O4 - Startup: SIGVERIF.EXE
    O4 - Startup: TUNEUP.EXE
    O4 - Startup: UPWIZUN.EXE
    O4 - Startup: WINREP.EXE
    O4 - Startup: JVIEW.EXE
    O4 - Startup: BACKGRND.GIF
    O4 - Startup: CLOUD.GIF
    O4 - Startup: CONTENT.GIF
    O4 - Startup: HLPBELL.GIF
    O4 - Startup: HLPCD.GIF
    O4 - Startup: HLPGLOBE.GIF
    O4 - Startup: HLPLOGO.GIF
    O4 - Startup: HLPSTEP1.GIF
    O4 - Startup: HLPSTEP2.GIF
    O4 - Startup: HLPSTEP3.GIF
    O4 - Startup: WINLOGO.GIF
    O4 - Startup: IOS.LOG
    O4 - Startup: SYSTEM.INI
    O4 - Startup: READM_01.HTZ
    O4 - Startup: READM_02.HTZ
    O4 - Startup: DOSREP.INI
    O4 - Startup: HTMLHELP.INI
    O4 - Startup: MSDFMAP.INI
    O4 - Startup: VPC32.INI
    O4 - Startup: OLDOSAPP.INI
    O4 - Startup: DELUXECD.MDB
    O4 - Startup: DOSPRMPT.PIF
    O4 - Startup: EXPLORER.SCF
    O4 - Startup: ODBCINST.INI
    O4 - Startup: COUNTRY.SYS
    O4 - Startup: CONFIG.TXT
    O4 - Startup: DISPLAY.TXT
    O4 - Startup: FAQ.TXT
    O4 - Startup: GENERAL.TXT
    O4 - Startup: HARDWARE.TXT
    O4 - Startup: MOUSE.TXT
    O4 - Startup: MSDOSDRV.TXT
    O4 - Startup: NETWORK.TXT
    O4 - Startup: PRINTERS.TXT
    O4 - Startup: PROGRAMS.TXT
    O4 - Startup: RECOVER.TXT
    O4 - Startup: TIPS.TXT
    O4 - Startup: WSCRIPT.EXE
    O4 - Startup: TELEPHON.INI
    O4 - Startup: SMARTDRV.EXE
    O4 - Startup: HIMEM.SYS
    O4 - Startup: RAMDRIVE.SYS
    O4 - Startup: LOGOS.SYS
    O4 - Startup: LOGOW.SYS
    O4 - Startup: 1STBOOT.BMP
    O4 - Startup: TWAIN_32.DLL
    O4 - Startup: ¹°¹æ¿ï.bmp
    O4 - Startup: ½£.bmp
    O4 - Startup: ±Ý»ö Á÷¹°.bmp
    O4 - Startup: ¼¼·ÎÁÙ.bmp
    O4 - Startup: WAVEMIX.INI
    O4 - Startup: ŸÀÏ.bmp
    O4 - Startup: °ËÁ¤ ½û±â.bmp
    O4 - Startup: POWERPNT.INI
    O4 - Startup: »¡°£ ºí·Ï.bmp
    O4 - Startup: WJVIEW.EXE
    O4 - Startup: WIN.COM
    O4 - Startup: HWINFO.DAT
    O4 - Startup: MORICONS.DLL
    O4 - Startup: MSOWS412.DLL
    O4 - Startup: NDISLOG.TXT
    O4 - Startup: ACCSTAT.EXE
    O4 - Startup: ASD.EXE
    O4 - Startup: CALC.EXE
    O4 - Startup: CLEANMGR.EXE
    O4 - Startup: CONTROL.EXE
    O4 - Startup: CVT1.EXE
    O4 - Startup: CVTAPLOG.EXE
    O4 - Startup: DEFRAG.EXE
    O4 - Startup: DRVSPACE.EXE
    O4 - Startup: EMM386.EXE
    O4 - Startup: MM2ENT.EXE
    O4 - Startup: NOTEPAD.EXE
    O4 - Startup: PACKAGER.EXE
    O4 - Startup: PBRUSH.EXE
    O4 - Startup: REGEDIT.EXE
    O4 - Startup: PROGMAN.EXE
    O4 - Startup: RG2CATDB.EXE
    O4 - Startup: RUNDLL.EXE
    O4 - Startup: RUNDLL32.EXE
    O4 - Startup: SCANDSKW.EXE
    O4 - Startup: SCANREGW.EXE
    O4 - Startup: TB60.INI
    O4 - Startup: SNDREC32.EXE
    O4 - Startup: SNDVOL32.EXE
    O4 - Startup: TASKMAN.EXE
    O4 - Startup: TASKMON.EXE
    O4 - Startup: VCMUI.EXE
    O4 - Startup: WELCOME.EXE
    O4 - Startup: WINFILE.EXE
    O4 - Startup: WINHELP.EXE
    O4 - Startup: WINHLP32.EXE
    O4 - Startup: WININIT.EXE
    O4 - Startup: WINVER.EXE
    O4 - Startup: WRITE.EXE
    O4 - Startup: WUPDMGR.EXE
    O4 - Startup: WINUPD.ICO
    O4 - Startup: DRVSPACE.INF
    O4 - Startup: IOS.INI
    O4 - Startup: SCANREG.INI
    O4 - Startup: µ¾ÀÚ¸®.bmp
    O4 - Startup: ASPI2HLP.SYS
    O4 - Startup: CMD640X.SYS
    O4 - Startup: CMD640X2.SYS
    O4 - Startup: DBLBUFF.SYS
    O4 - Startup: IFSHLP.SYS
    O4 - Startup: SFCSYNC.TXT
    O4 - Startup: SLEEPMGR.HLP
    O4 - Startup: ACROREAD.INI
    O4 - Startup: TWUNK_16.EXE
    O4 - Startup: CDPLAYER.EXE
    O4 - Startup: CHARMAP.EXE
    O4 - Startup: CLIPBRD.EXE
    O4 - Startup: DIALER.EXE
    O4 - Startup: FREECELL.EXE
    O4 - Startup: KODAKIMG.EXE
    O4 - Startup: KODAKPRV.EXE
    O4 - Startup: MSHEARTS.EXE
    O4 - Startup: RSRCMTR.EXE
    O4 - Startup: SOL.EXE
    O4 - Startup: SYSMON.EXE
    O4 - Startup: TOUR98.EXE
    O4 - Startup: TWUNK_32.EXE
    O4 - Startup: WINMINE.EXE
    O4 - Startup: SERVICES.TXT
    O4 - Startup: MSBATCH.INF
    O4 - Startup: HIDCI.DLL
    O4 - Startup: COMMAND.COM
    O4 - Startup: brndlog.txt
    O4 - Startup: SETVER.EXE
    O4 - Startup: QFECHECK.EXE
    O4 - Startup: WIN
    O4 - Startup: QTW.INI
    O4 - Startup: SMCTRLW.HLP
    O4 - Startup: CONTROL.INI
    O4 - Startup: VPMSMI.INI
    O4 - Startup: MSINFO32.INI
    O4 - Startup: SYSTEM.CB
    O4 - Startup: WIN386.SWP
    O4 - Startup: EXTRAC32.EXE
    O4 - Startup: DEVMGR9X.EXE
    O4 - Startup: PROTOCOL.INI
    O4 - Startup: ±âº»°ª.PWL
    O4 - Startup: IsUninst.exe
    O4 - Startup: GSMU3.EXE
    O4 - Startup: PROTOCOL
    O4 - Startup: SERVICES
    O4 - Startup: SNMPAPI.DLL
    O4 - Startup: NETWORKS
    O4 - Startup: ARP.EXE
    O4 - Startup: FTP.EXE
    O4 - Startup: SYSTEM.DAT
    O4 - Startup: LMHOSTS.SAM
    O4 - Startup: NETSTAT.EXE
    O4 - Startup: PING.EXE
    O4 - Startup: ROUTE.EXE
    O4 - Startup: TELNET.EXE
    O4 - Startup: TRACERT.EXE
    O4 - Startup: WINIPCFG.EXE
    O4 - Startup: LTSMMSG.EXE
    O4 - Startup: IPCONFIG.EXE
    O4 - Startup: NBTSTAT.EXE
    O4 - Startup: INETMIB1.DLL
    O4 - Startup: °ÔÀÓ¿ë MS-DOS ¸ðµå.pif
    O4 - Startup: °ÔÀÓ¿ë MS-DOS ¸ðµå (EMS ¹× XMS Áö¿ø).pif
    O4 - Startup: °ø±â ¹æ¿ï.bmp
    O4 - Startup: ÀÌÁýÆ®.bmp
    O4 - Startup: Æĵ¿.bmp
    O4 - Startup: ¹°¶¼»õ °ÝÀÚ.bmp
    O4 - Startup: »ï°¢Çü.bmp
    O4 - Startup: ÆĶõ ¸®ºª.bmp
    O4 - Startup: ¼³Ä¡.bmp
    O4 - Startup: ±¸¸§.bmp
    O4 - Startup: ±Ý¼Ó üÀÎ.bmp
    O4 - Startup: »ç¾Ï.bmp
    O4 - Startup: ¹Ù´Ã¶¡.bmp
    O4 - Startup: ä³Î È*¸é º¸È£±â.SCR
    O4 - Startup: progman.ini
    O4 - Startup: Reg Save Log.txt
    O4 - Startup: folder.htt
    O4 - Startup: OEWABLog.txt
    O4 - Startup: SchedLog.Txt
    O4 - Startup: Default.sf0
    O4 - Startup: Default.sfc
    O4 - Startup: wplog.txt
    O4 - Startup: brndlog.bak
    O4 - Startup: SOL.INI
    O4 - Startup: NAVWNT.MIF
    O4 - Startup: IsUn0412.exe
    O4 - Startup: smoem.ini
    O4 - Startup: Smctrlw.exe
    O4 - Startup: NSREX.INI
    O4 - Startup: NET.EXE
    O4 - Startup: smcp.txt
    O4 - Startup: SleepMgr.cnt
    O4 - Startup: uninst.exe
    O4 - Startup: tmpdelis.bat
    O4 - Startup: UNWISE.EXE
    O4 - Startup: NET.MSG
    O4 - Startup: Sti_Trace.log
    O4 - Startup: ILUNINST.EXE
    O4 - Startup: REGTLIB.EXE
    O4 - Startup: unwise.ini
    O4 - Startup: fffe12ab_{6A98F2E0-E96B-11D7-95C6-444553540001}.tmp
    O4 - Startup: EPIRPE10.INI
    O4 - Startup: winhelp.ini
    O4 - Startup: ipxtrn32.dll
    O4 - Startup: msshlib2.log
    O4 - Startup: twain_16.dll
    O4 - Startup: STMMAIN.INI
    O4 - Startup: vbaddin.ini
    O4 - Startup: WKW16A.EXE
    O4 - Startup: Active Setup Log.txt
    O4 - Startup: Active Setup Log.BAK
    O4 - Startup: NETH.MSG
    O4 - Startup: hh.exe
    O4 - Startup: mdm.ini
    O4 - Startup: vgalusr1.vr
    O4 - Startup: LOADQM.EXE
    O4 - Startup: WINPOPUP.EXE
    O4 - Startup: fffec77d_{FBB47500-9BF8-11D5-95C3-0002DD700EE1}.tmp
    ..
    O4 - Startup: WPXERROR.LOG
    O4 - Startup: fffe07fb_{D18C6A21-9BF9-11D5-95C3-0002DD700EE1}.tmp
    ..
    O4 - Startup: hh.dat
    O4 - Startup: SYMAPPS.INI
    O4 - Startup: $014D4FD.WPX
    O4 - Startup: fffe1d47_{EE50BF60-9C00-11D5-95C3-0002DD700EE1}.tmp
    O4 - Startup: HARDLOCK.VXD
    O4 - Startup: fffe5efd_{7A1B2820-9C04-11D5-95C3-0002DD700EE1}.tmp
    O4 - Startup: KOOKMIN.BMP
    O4 - Startup: Xecure.bmp
    O4 - Startup: DAEGU.BMP
    O4 - Startup: fffe5efd_{7A1B2821-9C04-11D5-95C3-0002DD700EE1}.tmp
    ..
    O4 - Startup: ca.db
    O4 - Startup: unin0412.exe
    O4 - Startup: hdinfo.ini
    O4 - Startup: Lucent Technologies Soft Modem AMR.log
    O4 - Startup: fffe50cf_{964D2B00-9C64-11D5-95C3-90BE51C10000}.tmp
    ..
    O4 - Startup: hjimesv.ini
    O4 - Startup: fffe1e6f_{4D9A7E40-9C68-11D5-95C3-50B751C10000}.tmp
    O4 - Startup: BUSAN.BMP
    O4 - Startup: fffe1e6f_{4D9A7E41-9C68-11D5-95C3-50B751C10000}.tmp
    O4 - Startup: yessignCA.pub
    O4 - Startup: MODEMDET.TXT
    O4 - Startup: winmine.ini
    O4 - Startup: fffe18ab_{DD538CE0-9C98-11D5-95C3-60B451C10000}.tmp
    ...
    O4 - Startup: TWAIN.LOG
    O4 - Startup: fffe5133_{4DC12780-A518-11D5-95C3-A0BD51C10000}.tmp
    ...
    O4 - Startup: IE4 Error Log.txt
    O4 - Startup: fffe562f_{4DBF45C0-A5A7-11D5-95C3-F0C451C10000}.tmp
    ..
    O4 - Startup: Twain001.Mtx
    O4 - Startup: CSMOPAC.INI
    O4 - Startup: fffe5689_{537D5140-A5D0-11D5-95C3-50B051C10000}.tmp
    ...
    O4 - Startup: _detmp.1
    O4 - Startup: CFW.INI
    O4 - Startup: fffe5029_{84E8E4A1-A8B5-11D5-95C3-A0B651C10000}.tmp
    ...
    O4 - Startup: ChemDraw.INI
    O4 - Startup: fffe1ed3_{E6153D40-A8BB-11D5-95C3-A0B351C10000}.tmp
    ..
    O4 - Startup: C3DPREFS.DAT
    O4 - Startup: fffe502d_{671DF701-A8BD-11D5-95C3-B0B651C10000}.tmp
    .
    O4 - Startup: IMBXVT32.DLL
    O4 - Startup: fffe1f61_{D1D4C5E1-A8BF-11D5-95C3-A0AA51C10000}.tmp
    ...
    O4 - Startup: Chem3D.INI
    O4 - Startup: CSGaussian.INI
    O4 - Startup: HPLJPS5P.PCL
    O4 - Startup: fffe52f1_{4D3BED40-A8CE-11D5-95C3-E0B651C10000}.tmp
    ...
    O4 - Startup: wmsetup.log
    O4 - Startup: Adobereg.db
    O4 - Startup: WMSysPrx.prx
    O4 - Startup: fffe5dff_{D0539F40-AC50-11D5-95C4-90E451C10000}.tmp
    .
    O4 - Startup: udptrn32.dll
    O4 - Startup: FS5GLPT1.PCL
    O4 - Startup: HPPCL5MS.X10
    O4 - Startup: TWUNK003.MTX
    O4 - Startup: fffe13dd_{E95B4200-AC54-11D5-95C4-90C155C10000}.tmp
    ...
    O4 - Startup: Twunk002.MTX
    O4 - Startup: fffe5163_{079C6D00-AD3D-11D5-95C4-309855C10000}.tmp
    ...
    O4 - Startup: ACDILab.INI
    O4 - Startup: KGOLESRV.INI
    O4 - Startup: fffe5e1d_{5BD909C0-C01E-11D5-95C4-209455C10000}.tmp
    ...
    O4 - Startup: HncIme.ini
    O4 - Startup: unvise32.exe
    O4 - Startup: fffe5dd3_{9D9BB420-C717-11D5-95C4-509955C10000}.tmp
    ...
    O4 - Startup: DreamLoad.exe
    O4 - Startup: fffe5ef9_{96E31E00-DF42-11D5-95C4-809755C10000}.tmp
    ...
    O4 - Startup: DOS·Î ³ª°¨.PIF
    O4 - Startup: fffe11b5_{599335E0-4AEE-11D6-95C4-807455C10000}.tmp
    .
    O4 - Startup: GRAMSCNV.INI
    O4 - Startup: fffe12f1_{F2CB9960-EE63-11D5-95C4-206555C10000}.tmp
    ...
    O4 - Startup: MOUSE.INI
    O4 - Startup: fffe1635_{9AFF29E0-0C7C-11D6-95C4-F07755C10000}.tmp
    ...
    O4 - Startup: SAMSUNGCARD.BMP
    O4 - Startup: fffea04d_{C4D198C0-354E-11D6-95C4-D09C55C10000}.tmp
    ...
    O4 - Startup: DELETE.EXE
    O4 - Startup: MATHTYPE.LOG
    O4 - Startup: fffe1005_{DA6D1B60-554B-11D6-95C4-709155C10000}.tmp
    ...
    O4 - Startup: MATHTYPE.INI
    O4 - Startup: FONTSDIR.MFD
    O4 - Startup: fffe516d_{66938280-67F5-11D6-95C4-709855C10000}.tmp
    ...
    O4 - Startup: ADA6C650.MFD
    O4 - Startup: WIN.BAK
    O4 - Startup: MT.DLL
    O4 - Startup: fffe447d_{A89A76E0-0289-11D8-95C6-444553540001}.tmp
    ...
    O4 - Startup: MT32.DLL
    O4 - Startup: MTMACROS.PRE
    O4 - Startup: fffe4ccd_{792F8800-F001-11D6-95C5-A08655C104C6}.tmp
    ..
    O4 - Startup: GRPCONV.EXE
    O4 - Startup: fffe461b_{88025801-F03B-11D6-95C5-409155C10000}.tmp
    ...
    O4 - Startup: cadkasdeinst01e.exe
    O4 - Startup: fffe094b_{9D39C7E0-F6ED-11D6-95C5-309255C10000}.tmp
    ...
    O4 - Startup: kisa.der
    O4 - Startup: fffe60d5_{00A3DC60-134C-11D7-95C5-109855C10000}.tmp
    ...
    O4 - Startup: keyacc.ini
    O4 - Startup: fffe0973_{48F0C2C0-2CC0-11D7-95C5-609855C10000}.tmp
    ...
    O4 - Startup: keyacc32.exe
    O4 - Startup: fffe39ad_{8E27D440-8AA9-11D7-95C5-0002DD700EE1}.tmp
    ..
    O4 - Startup: DjVuDoc.ico
    O4 - Startup: fffe1ccd_{048B7560-8B72-11D7-95C5-0002DD700EE1}.tmp
    ..
    O4 - Startup: IE Setup Log.Txt
    O4 - Startup: fffe31bf_{39EFED20-91CC-11D7-95C5-0002DD700EE1}.tmp
    O4 - Startup: ieuninst.exe
    O4 - Startup: keyacc.exe
    O4 - Startup: fffe31bf_{39EFED21-91CC-11D7-95C5-0002DD700EE1}.tmp
    O4 - Startup: RunOnceEx Log.txt
    O4 - Startup: fffe305b_{4E1638E0-91E0-11D7-95C5-0002DD700EE1}.tmp
    ...
    O4 - Startup: kalib32.dll
    O4 - Startup: fffe3009_{D37799E0-982D-11D7-95C5-0002DD700EE1}.tmp
    ...
    O4 - Startup: katrack.dll
    O4 - Startup: unvise.exe
    O4 - Startup: unvise32.dll
    O4 - Startup: fffe3d89_{031E6780-9A7E-11D7-95C5-0002DD700EE1}.tmp
    .
    O4 - Startup: WMSysPr9.prx
    O4 - Startup: fffe3e3f_{97D287C0-9A7F-11D7-95C5-0002DD700EE1}.tmp
    .
    O4 - Startup: wmplibrary_v_0_12.db
    O4 - Startup: fffef693_{7FD5AC60-9ACA-11D7-95C5-708456C10000}.tmp
    ...
    O4 - Startup: uneng.exe
    O4 - Startup: fffe7df9_{B62F67C0-ACE4-11D7-95C5-607556C10000}.tmp
    ...
    O4 - Startup: DefaultStore_59R.bin
    O4 - Startup: UserMigratedStore_59R.bin
    O4 - Startup: fffe137f_{2ADE67C0-BE87-11D7-95C5-0002DD700EE1}.tmp
    O4 - Startup: nsreg.dat
    ..
    O4 - Startup: fffe14b9_{13E781C0-C0E2-11D7-95C5-0002DD700EE1}.tmp
    ..
    O4 - Startup: Windows Update.log
    O4 - Startup: Q330994.exe
    O4 - Startup: ttfCache
    O4 - Startup: DirectX.log
    O4 - Startup: dxwinini.bak
    O4 - Startup: vminst.log
    O4 - Startup: dahotfix.log
    O4 - Startup: fffed567_{D6FC21A0-C13E-11D7-95C5-0002DD700EE1}.tmp
    ...
    O4 - Startup: twain.dll
    O4 - Startup: fffe3c1d_{4BB73860-D4CA-11D7-95C6-0002DD700EE1}.tmp
    ..
    O4 - Startup: iun6002.exe
    O4 - Startup: fffe136f_{60B7E560-D6DD-11D7-95C6-0002DD700EE1}.tmp
    ..
    O4 - Startup: opuc.dll
    O4 - Startup: fffe074b_{2691C660-DDF6-11D7-95C6-0002DD700EE1}.tmp
    ...
    O4 - Startup: aolback.exe.lnk
    O4 - Startup: fffe08b7_{CCDCE500-E3EA-11D7-95C6-444553540001}.tmp
    ...
    O4 - Startup: msoffice.ini
    O4 - Startup: SleepMgr.GID
    O4 - Startup: fffe1ddd_{EC6E2960-E935-11D7-95C6-0002DD700EE1}.tmp
    ..
    O4 - Startup: onkb2.ico
    O4 - Startup: fffe12ab_{6A98F2E1-E96B-11D7-95C6-444553540001}.tmp
    ..
    O4 - Startup: offkb2.ico
    O4 - Startup: fffe3fdb_{55DF3060-E9BD-11D7-95C6-0002DD700EE1}.tmp
    ..
    O4 - Startup: .plugin141_01.trace
    O4 - Startup: MLUninst.exe
    O4 - Startup: fffe1813_{1A401B80-EB7C-11D7-95C6-0002DD700EE1}.tmp
    ...
    O4 - Startup: Fix IE Log.txt
    O4 - Startup: IE Uninstall Log.Txt
    O4 - Startup: IEPatchUninstall.log
    O4 - Startup: IEPatchUninstall.BAK
    O4 - Startup: fffe6ab5_{0A3D4C20-1143-11D8-95C6-0002DD700EE1}.tmp
    ...
    O4 - Startup: _delis32.ini
    O4 - Startup: fffe0401_{AD02BF60-5A33-11D8-95C6-444553540001}.tmp
    ...
    O4 - Startup: ShellIconCache
    O4 - Startup: fffe3a79_{6D0E7120-5FD7-11D8-95C6-0002DD700EE1}.tmp
    ...
    O4 - Startup: ScanErrors.log
    O4 - Startup: fffefea7_{FA37DDE0-7484-11D8-95C6-444553540001}.tmp
    ...
    O4 - Startup: securea.html
    O4 - Startup: secureb.html
    O4 - Startup: test
    O4 - Startup: dl.exe
    O4 - Startup: dl.html
    O4 - Startup: dlm.exe
    O4 - Startup: toffel32.exe
    O4 - Startup: consol32.exe
    O4 - Startup: msstasks.exe
    O4 - Startup: mstaskss.exe
    O4 - Startup: WININIT.BAK
    O4 - Startup: hosts.sam
    O4 - Startup: fffec2c7_{64540400-8BEC-11D8-95C6-444553540001}.tmp
    ...
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {8CFE8500-6604-11D4-B26D-00C04F7A67C8} (XecureWeb Control 3.5 HCB) - http://www.hncbworld.com/XecureObject/XecureSSL35HCB.cab
    O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://update.nprotect.net/nprotect/samsungcard/npx.cab
    O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://download.softforum.co.kr/Published/XecureWeb/v5.3.0.1/xw_install.cab
    O16 - DPF: {DF1B804F-084B-4D24-A9E3-32BB9DAD87A4} (AxINIplugin30 Control) - http://banking.nonghyup.com/plugin/client/axINIplugin30.cab
    O16 - DPF: {D13BA040-C349-11D3-87C2-00C04F4ABC61} (XecureWeb Control 3.0) - http://www.samsungcard.co.kr/XecureDemo/XecureObject/XecureSSL30.cab
    O16 - DPF: ISSAC-WebSE - http://paygate.dacom.co.kr/penta/IssacWebInst.cab
    O16 - DPF: {06228E75-DEB1-11D3-B702-00001CD5DA14} (AxINIplugin20 Control) - http://www.bccard.co.kr/initech/plugin/axINIplugin20.cab
    O16 - DPF: {3267EA0D-B5D8-11D2-A4F9-00608CEBEE49} (ToinbWData Class) - http://ndsl.or.kr/toinbocx/toinbdata.cab
    O16 - DPF: {0A2233AD-E771-11D2-973D-00104B15E56F} (ToinbWTR Class) - http://ndsl.or.kr/toinbocx/toinbtr.cab
    O16 - DPF: {91B0A4F0-3206-4564-9BB4-AF9055DEF8A1} (ToinbWTextArea Class) - http://ndsl.or.kr/toinbocx/toinbtextarea.cab
    O16 - DPF: {1F57AEAD-DB12-11D2-A4F9-00608CEBEE49} (ToinbWGrid Class) - http://ndsl.or.kr/toinbocx/toinbgrid.cab
    O16 - DPF: {FD4C6571-DD20-11D2-973D-00104B15E56F} (ToInbWCCombo Class) - http://ndsl.or.kr/toinbocx/toinbccombo.cab
    O16 - DPF: {9C9AB433-EA85-11D2-A4F9-00608CEBEE49} (ToinbWBind Class) - http://ndsl.or.kr/toinbocx/toinbbind.cab
    O16 - DPF: {3694F19D-ED4D-4DA8-BECD-26FB830753D1} (DCLinker Class) - http://www.norazo.com/dcdownload/dreamlinker.cab
    O16 - DPF: {9BDBC41E-C335-4263-83C0-ECE78EE28A33} (SysMonOCX Control) - http://ahnlabdownload.nefficient.co.kr/plugin/myfirewall/myfirewall20.cab
    O16 - DPF: {6AD92401-CE2D-452B-AA63-1291D60EC2D2} (AxINIplugin40 Control) - http://banking.nonghyup.com/plugin/client/axINIplugin40.cab
    O16 - DPF: {EADBDB84-2341-4AD0-9FAF-4F1F31CF4A46} (LoginForm Class) - http://pointsok.okcashbag.com/skmpp/SKMPPClient2.cab
    O16 - DPF: {D5ACE9FC-9CCC-4FB6-9A63-19ED6A3AA489} (ReaderChecker Control) - http://drm.snu.ac.kr/pdfdrm/webbroker/ReaderChecker.cab
    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.djvu.com/plugins/en_US/DjVuControl.cab
    O16 - DPF: {6FE760D3-7851-4879-8838-62D9881D7177} (IniMasHandler Class) - http://www.kookmincard.co.kr/images/sendmail/IniMasPlugin.cab
    O16 - DPF: {83682BF2-2351-45C1-963C-9BB635A05178} (IssacWebSE2 Class) - http://paygate.dacom.co.kr/penta/ISSACWebSE2.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37869.4675694444
    O16 - DPF: {59F156FC-9BC4-11D5-B0A5-0060085A719D} (Opalplayerx5 Control) - ftp://ftp.ca.com/pub/Opal/plugins/x_plugin/opalplayerx5.cab
    O16 - DPF: {8E64F05B-76CF-40EA-AD6B-6741F02BDC46} (MagicInstaller Class) - http://www.americanexpress.co.kr/common/ML/MagicInstaller.cab
    O16 - DPF: {93F83364-58E3-43C6-BE34-DE1252B26307} (Cruzbill Control) - http://image.em4s.com/sbill/cruzbill.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553546800} - http://active.macromedia.com/flash4/cabs/swflash.cab
    O16 - DPF: {2C197E55-080B-42A4-BFD0-9595B3534CF4} (KVPplugin00 Control) - http://www.vpay.co.kr/KVPplugin01.cab
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-3.ibm.com/pc/support/IbmEgath.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_01) -
    O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {D2A4C311-F608-4E0E-BBFE-6B25E31AC15B} (Kdfense5 Control) - http://kings.cachenet.com/kdf5078/kdfense5.cab
    O16 - DPF: {97154128-DC4C-4D5B-AF7C-CA7356238EC9} (Hanmail FileUpload Control) - http://wwl270.daum.net/hanmail-ax/HM_fileupload.cab
    O16 - DPF: {091CDD73-1401-4643-9B9C-65B091C88685} (MyLinker Control) - http://dizzo.contents.mylinker.co.kr/module/MyLinker.cab
    O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory
    O16 - DPF: {124250DD-E2CC-4B5B-AE7E-C9AC8A11DF43} (StreamNote2 Control) - http://nsi.snu.ac.kr/onlinenano/Lecture/Device Physics/Device Physics0302/StreamNote2.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://hard-virgins.com/dl/dmitriy/x.chm::/load.exe

    <-----------------------
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I can't believe the computer starts at all if everything I see there is trying to load.

    Go to the Startup Menu > Programs > Startup folder and delete EVERYTHING there. They are all the "O4 - Startup:" entries you see in the Scanlog. Then reboot and post another Scanlog.

    Strangely, none of them seem to be showing as "Running Processes", so conceivably this is some anomaly produced by the Scanlog.

    Also, what is this? O4 - HKLM\..\Run: [myLinker] C:\PROGRA~1\MYLINKER\MYLINKER.EXE /B

    I would also check and "fix" ALL the O16 entries except those from legitimate, trusted sites you recognize, such as Macromedia, Microsoft, banking and others.
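
A way to triage the O16 (Downloaded Program Files) lines that the reply above says to review, added here as an example and not part of the original thread or of HijackThis. The `RECOGNISED` allowlist, the flag names and the thresholds are assumptions for illustration; the sample lines are taken from the first log except the last, which is constructed on the pattern of its final O16 entry with a placeholder host.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: domains the analyst already recognises (supply your own list).
RECOGNISED = ("macromedia.com", "microsoft.com")
WEB_SCHEMES = {"http", "https", "ftp"}

O16_RE = re.compile(
    r"^O16 - DPF: (?P<ident>\S+)"     # CLSID in braces, or a bare name
    r"(?: \((?P<name>[^)]*)\))?"      # optional display name
    r" -(?: (?P<codebase>.*))?$"      # download source; may be empty
)


def reasons_for(ident, codebase):
    """Return heuristic flags for one O16 entry (empty list = nothing noted)."""
    reasons = []
    hexdigits = re.sub(r"[^0-9a-f]", "", ident.lower()) if ident.startswith("{") else ""
    # Heuristic: a CLSID that is almost entirely one digit was not generated normally.
    if len(hexdigits) == 32 and Counter(hexdigits).most_common(1)[0][1] >= 28:
        reasons.append("placeholder-clsid")
    if not codebase:
        reasons.append("no-codebase")
        return reasons
    scheme = codebase.split(":", 1)[0].lower() if ":" in codebase else ""
    if scheme not in WEB_SCHEMES:
        reasons.append("non-web-scheme:" + (scheme or "none"))
    if codebase.count("://") > 1:
        reasons.append("nested-url")      # one URL wrapped inside another handler
    if codebase.lower().endswith(".exe"):
        reasons.append("exe-target")      # normal entries here point at .cab files
    if scheme in WEB_SCHEMES:
        try:
            host = (urlsplit(codebase).hostname or "").lower()
        except ValueError:
            host = ""
        if not any(host == d or host.endswith("." + d) for d in RECOGNISED):
            reasons.append("unrecognised-host:" + host)
    return reasons


def triage(log_text):
    """Parse every O16 line of a HijackThis log and attach review flags."""
    rows = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line.startswith("O16 - DPF:"):
            continue
        m = O16_RE.match(line)
        if m is None:
            # Truncated or damaged line: keep it visible instead of dropping it.
            rows.append({"ident": None, "codebase": None, "raw": line,
                         "reasons": ["unparsed"]})
            continue
        codebase = (m.group("codebase") or "").strip()
        rows.append({"ident": m.group("ident"), "codebase": codebase, "raw": line,
                     "reasons": reasons_for(m.group("ident"), codebase)})
    return rows


# Sample input: first five lines as they appear in the log above; the last line
# is constructed (host replaced with example.invalid).
SAMPLE = r"""
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: ISSAC-WebSE - http://paygate.dacom.co.kr/penta/IssacWebInst.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_01) -
    O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory
    O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://example.invalid/x.chm::/load.exe
"""

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(", ".join(row["reasons"]) or "ok", "|", row["raw"][:70])
```

An "unrecognised-host" flag only means the host is not on the allowlist, so entries such as the banking controls still need a human decision.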
     
  3. yeonseop

    yeonseop Thread Starter

    Joined:
    Apr 14, 2004
    Messages:
    3
    Thanks Rollin' Rog.

    1) I checked the Startup folder but it does not have such files. Actually, all files in the "O4 - Startup:" entries are located under the "C:\windows" directory.
    2) "MYLINKER.EXE" is a file supplied by a newspaper website. I think it is credible, but am going to remove it.
    3) I looked over the "C:\windows" directory, and found some suspicious files such as "securea.html", "secureb.html", "dl.html", and "dl.exe". All these files were deleted in safe mode. In the case of usual web browsing, IE works well. However, at some websites, it generates an error message. Especially when I tried to post a message to a certain bulletin board, it generates an error message. After that, "outlook express" also gives an error message if I press the "deliver" button.

    Please help me with this. Thanks again.
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Well that's the strangest thing I've ever seen in HijackThis; I wonder if there is some language configuration it is having problems with.

    Anyway for the IE error, let us know what the error message says and on what site it is happening. Also try running the IE Repair Tool:

    http://help.att.net/docs/howto/othe...ustomercontent=customer_browser&platform=none

    And when testing such issues it is a good idea to temporarily disable the firewall. I don't see ZA in the startups though, did you disable it? You may have to do this using msconfig to ensure it is not interfering.

    I also recommend having an alternate browser installed to test whether such issues are specifically browser related and to have a backup. I like Opera7 myself and use it as my de facto browser even with the advertising:

    www.opera.com

    If you haven't already done so, it would probably be a good idea to give the Coolwebshredder, CWShredder.exe a run. You can get it here:

    http://www.spywareinfo.com/~merijn/downloads.html

    Have it fix any known problems it finds and then reboot.
     
  5. yeonseop

    yeonseop Thread Starter

    Joined:
    Apr 14, 2004
    Messages:
    3
    Thanks, Rollin' Rog, for your help. Unfortunately I still have the same problem. I tried the repair of IE, and even tried to reinstall IE. I also installed "Opera" but found some difficulty with using a different web browser due to the language support (Korean).

    My IE usually works well except on some web sites. For example, when I connect to the "windows update" site and scan for updates, IE generates an error message if I click the "windows 98 ... (?)" part in the "Pick updates to install" section.
    I might have deleted some system files when I deleted the suspicious files. Here is the HijackThis log file. I excluded all entries starting with "O4 - Startup: ..." except one "O4 - Startup: DIALER.EXE" since it seems that HJT just shows all files under "C:\windows".

    >--------------------------------------------------
    Logfile of HijackThis v1.97.7
    Scan saved at 10:11:38 PM, on 2004-04-19
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
    C:\PROGRAM FILES\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SMCTRLW.EXE
    C:\WINDOWS\SYSTEM\CTRLVOL.EXE
    C:\WINDOWS\SYSTEM\KEYMAP.EXE
    C:\PROGRAM FILES\THINKPAD\EASY LAUNCH BUTTONS\TPHKMGR.EXE
    C:\PROGRAM FILES\SLEEP MANAGER\SLEEPMGR.EXE
    C:\WINDOWS\LTSMMSG.EXE
    C:\CFGSAFE\AUTOCHK.EXE
    C:\WINDOWS\SYSTEM\DAEMON.EXE
    C:\PROGRAM FILES\MDL CROSSFIRE COMMANDER V6\XFDLINK.EXE
    C:\PROGRAM FILES\THINKPAD\EASY LAUNCH BUTTONS\EZICON.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\THINKPAD\EASY LAUNCH BUTTONS\TPONSCR.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\WINDOWS\KEYACC32.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\UTILITY\HJT\HIJACKTHIS.EXE

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O3 - Toolbar: ????? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [internat.exe] internat.exe
    O4 - HKLM\..\Run: [·¹Áö½ºÆ®¸® °Ë»ç] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Control Panel] smctrlw.exe
    O4 - HKLM\..\Run: [CtrlVolume] C:\WINDOWS\SYSTEM\CtrlVol.exe
    O4 - HKLM\..\Run: [Keymap] C:\WINDOWS\SYSTEM\Keymap.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\THINKPAD\EASYLA~1\TPHKMGR.EXE
    O4 - HKLM\..\Run: [SleepManager] "C:\Program Files\Sleep Manager\SleepMgr.exe"
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\AUTOCHK.EXE
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [TrackPointSrv] daemon.exe
    O4 - HKLM\..\Run: [XfDLink] "C:\PROGRAM FILES\MDL CROSSFIRE COMMANDER V6\XFDLINK.EXE"
    O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
    O4 - HKLM\..\RunServices: [CVPND] "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" start
    O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [KeyAccess] c:\WINDOWS\keyacc32.exe
    O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRAM FILES\SYSTEM SOAP PRO\SOAP.exe min
    O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    .....
    O4 - Startup: DIALER.EXE
    .....
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {8CFE8500-6604-11D4-B26D-00C04F7A67C8} (XecureWeb Control 3.5 HCB) - http://www.hncbworld.com/XecureObject/XecureSSL35HCB.cab
    O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://update.nprotect.net/nprotect/samsungcard/npx.cab
    O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://download.softforum.co.kr/Published/XecureWeb/v5.3.0.1/xw_install.cab
    O16 - DPF: {DF1B804F-084B-4D24-A9E3-32BB9DAD87A4} (AxINIplugin30 Control) - http://banking.nonghyup.com/plugin/client/axINIplugin30.cab
    O16 - DPF: {D13BA040-C349-11D3-87C2-00C04F4ABC61} (XecureWeb Control 3.0) - http://www.samsungcard.co.kr/XecureDemo/XecureObject/XecureSSL30.cab
    O16 - DPF: ISSAC-WebSE - http://paygate.dacom.co.kr/penta/IssacWebInst.cab
    O16 - DPF: {06228E75-DEB1-11D3-B702-00001CD5DA14} (AxINIplugin20 Control) - http://www.bccard.co.kr/initech/plugin/axINIplugin20.cab
    O16 - DPF: {3267EA0D-B5D8-11D2-A4F9-00608CEBEE49} (ToinbWData Class) - http://ndsl.or.kr/toinbocx/toinbdata.cab
    O16 - DPF: {0A2233AD-E771-11D2-973D-00104B15E56F} (ToinbWTR Class) - http://ndsl.or.kr/toinbocx/toinbtr.cab
    O16 - DPF: {91B0A4F0-3206-4564-9BB4-AF9055DEF8A1} (ToinbWTextArea Class) - http://ndsl.or.kr/toinbocx/toinbtextarea.cab
    O16 - DPF: {1F57AEAD-DB12-11D2-A4F9-00608CEBEE49} (ToinbWGrid Class) - http://ndsl.or.kr/toinbocx/toinbgrid.cab
    O16 - DPF: {FD4C6571-DD20-11D2-973D-00104B15E56F} (ToInbWCCombo Class) - http://ndsl.or.kr/toinbocx/toinbccombo.cab
    O16 - DPF: {9C9AB433-EA85-11D2-A4F9-00608CEBEE49} (ToinbWBind Class) - http://ndsl.or.kr/toinbocx/toinbbind.cab
    O16 - DPF: {3694F19D-ED4D-4DA8-BECD-26FB830753D1} (DCLinker Class) - http://www.norazo.com/dcdownload/dreamlinker.cab
    O16 - DPF: {9BDBC41E-C335-4263-83C0-ECE78EE28A33} (SysMonOCX Control) - http://ahnlabdownload.nefficient.co.kr/plugin/myfirewall/myfirewall20.cab
    O16 - DPF: {6AD92401-CE2D-452B-AA63-1291D60EC2D2} (AxINIplugin40 Control) - http://banking.nonghyup.com/plugin/client/axINIplugin40.cab
    O16 - DPF: {EADBDB84-2341-4AD0-9FAF-4F1F31CF4A46} (LoginForm Class) - http://pointsok.okcashbag.com/skmpp/SKMPPClient2.cab
    O16 - DPF: {D5ACE9FC-9CCC-4FB6-9A63-19ED6A3AA489} (ReaderChecker Control) - http://drm.snu.ac.kr/pdfdrm/webbroker/ReaderChecker.cab
    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.djvu.com/plugins/en_US/DjVuControl.cab
    O16 - DPF: {6FE760D3-7851-4879-8838-62D9881D7177} (IniMasHandler Class) - http://www.kookmincard.co.kr/images/sendmail/IniMasPlugin.cab
    O16 - DPF: {83682BF2-2351-45C1-963C-9BB635A05178} (IssacWebSE2 Class) - http://paygate.dacom.co.kr/penta/ISSACWebSE2.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37869.4675694444
    O16 - DPF: {59F156FC-9BC4-11D5-B0A5-0060085A719D} (Opalplayerx5 Control) - ftp://ftp.ca.com/pub/Opal/plugins/x_plugin/opalplayerx5.cab
    O16 - DPF: {8E64F05B-76CF-40EA-AD6B-6741F02BDC46} (MagicInstaller Class) - http://www.americanexpress.co.kr/common/ML/MagicInstaller.cab
    O16 - DPF: {93F83364-58E3-43C6-BE34-DE1252B26307} (Cruzbill Control) - http://image.em4s.com/sbill/cruzbill.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553546800} - http://active.macromedia.com/flash4/cabs/swflash.cab
    O16 - DPF: {2C197E55-080B-42A4-BFD0-9595B3534CF4} (KVPplugin00 Control) - http://www.vpay.co.kr/KVPplugin01.cab
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-3.ibm.com/pc/support/IbmEgath.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {D2A4C311-F608-4E0E-BBFE-6B25E31AC15B} (Kdfense5 Control) - http://kings.cachenet.com/kdf5078/kdfense5.cab
    O16 - DPF: {97154128-DC4C-4D5B-AF7C-CA7356238EC9} (Hanmail FileUpload Control) - http://wwl270.daum.net/hanmail-ax/HM_fileupload.cab
    O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory
    O16 - DPF: {124250DD-E2CC-4B5B-AE7E-C9AC8A11DF43} (StreamNote2 Control) - http://nsi.snu.ac.kr/onlinenano/Lecture/Device Physics/Device Physics0302/StreamNote2.cab
    O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\SYSTEM\urlmon.dll
    <--------------------------------------------------------------
     
  6. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I don't see much in the Scanlog now, but why did you "exclude" this item?

    O4 - Startup: DIALER.EXE

    I'm not sure what it is, but it is not a "standard" startup and could be hijacking the dialup connection.

    You should also check and "fix" this:

    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE

    O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\SYSTEM\urlmon.dll
    <--------------------------------------------------------------

    >> have you tried disabling ZoneAlarm and testing?

    And you aren't really giving much detail on the Windows Update problem; what error message do you receive?

    There is a general troubleshooting page here, perhaps you can find it listed:

    http://v4.windowsupdate.microsoft.com/troubleshoot/
     
  7. freekt

    freekt

    Joined:
    Apr 30, 2004
    Messages:
    1
    These are the obvious problems I see with this post.
    O4 - HKLM\..\Run: [internat.exe] internat.exe
    This is a virus; the link below is how you fix it.
    http://securityresponse.symantec.com/avcenter/venc/data/w32.ghotex.a.html
    O4 - HKLM\..\Run: [·¹Áö½ºÆ®¸® °Ë»ç] c:\windows\scanregw.exe /autorun
    This is a virus; the link below is how to fix it.
    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.gwghost.html
    O4 - Startup: DIALER.EXE
    This just shouldn't be there; probably spyware.
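
Both replies above turn on which O4 autostart lines in the log deserve a closer look. The following Python is an added example, not part of the thread or of HijackThis: it parses the O4 lines, separates Startup-folder items and bare file names from full paths, and matches each one against the "Running processes" list to show which file is actually loaded. The function names and the labels `startup-folder`, `bare-name` and `full-path` are assumptions made for this example; the sample lines are copied from the log posted in this thread.

```python
import ntpath
import re

# Constructed sample: a few lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\SLEEP MANAGER\SLEEPMGR.EXE
C:\PROGRAM FILES\THINKPAD\EASY LAUNCH BUTTONS\TPHKMGR.EXE

O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [SleepManager] "C:\Program Files\Sleep Manager\SleepMgr.exe"
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\THINKPAD\EASYLA~1\TPHKMGR.EXE
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - Startup: DIALER.EXE
"""

O4 = re.compile(r"^O4 - (?P<source>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$")
PROGRAM = re.compile(r"(.+?\.(?:exe|com|bat|scr|pif))(?=\s|$)", re.I)

def program_of(cmd):
    """Strip quotes and arguments from an autostart command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = PROGRAM.match(cmd)
    return m.group(1) if m else cmd.split()[0]

def triage(log_text):
    """Return (source, program, kind, running_path) for every O4 line."""
    running, rows, in_procs = {}, [], False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False
        elif in_procs:
            running[ntpath.basename(line).lower()] = line
        elif (m := O4.match(line)):
            prog = program_of(m["cmd"])
            # Match on file name only: 8.3 short paths differ from the long running path.
            path = running.get(ntpath.basename(prog).lower())
            kind = ("startup-folder" if m["source"].endswith("Startup")
                    else "full-path" if ntpath.isabs(prog) else "bare-name")
            rows.append((m["source"], prog, kind, path))
    return rows

if __name__ == "__main__":
    for source, prog, kind, path in triage(SAMPLE_LOG):
        print(f"{kind:15} {prog:45} running as: {path or 'not in process list'}")
```

A `bare-name` or `startup-folder` row means the log line alone does not say which file on disk it refers to, so the file's location and properties have to be checked before deciding whether to fix the entry.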
     
Short URL to this thread: https://techguy.org/220306
