
VX2 problem, probably more than that.

Discussion in 'Windows XP' started by intoxicated, Jan 29, 2005.

  1. intoxicated

    intoxicated Thread Starter

    Joined:
    Jan 2, 2004
    Messages:
    34
    When I run Ad-Aware I get a VX2 malware thingy. When I try to remove it, Ad-Aware tells me that I have to reboot to remove it, so I reboot and it's still there... so here is my HijackThis log:

    Logfile of HijackThis v1.99.0
    Scan saved at 7:51:32 PM, on 2005-01-29
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\WINDOWS\System32\zuudzdgu.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\Ahnlab\V3\MonSvcNT.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\bdsqrbla5.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HijackThis.exe

    R3 - Default URLSearchHook is missing
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: (no name) - {A5BDE44F-1BCD-7BC2-CF4E-C9F5C59F2C13} - C:\WINDOWS\System32\jleylerd.dll
    O2 - BHO: (no name) - {E9D2AC88-9331-0689-288B-A99468B902DB} - C:\WINDOWS\System32\polddmev.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [*windows update] wuaruclt.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [XP firewall Services] FirewallxP.exe
    O4 - HKLM\..\Run: [Microsoft Crash Protection] mcrashprot.exe
    O4 - HKLM\..\Run: [SQL Service] qnhqs.exe
    O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\system32\defragfat34.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [zuudzdgu] C:\WINDOWS\System32\zuudzdgu.exe
    O4 - HKLM\..\RunServices: [*windows update] wuaruclt.exe
    O4 - HKLM\..\RunServices: [XP firewall Services] FirewallxP.exe
    O4 - HKLM\..\RunServices: [Microsoft Crash Protection] mcrashprot.exe
    O4 - HKLM\..\RunServices: [SQL Service] qnhqs.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [*windows update] wuaruclt.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [XP firewall Services] FirewallxP.exe
    O4 - HKCU\..\Run: [Microsoft Crash Protection] mcrashprot.exe
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {00001016-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter16 Class) - http://www.netmarble.net/game/nmstarter/NMStarter16.cab
    O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
    O16 - DPF: {5876CAD0-1636-42EA-AC50-4C06F3196089} (HanGamePlugin19 Class) - http://down.hangame.com/dist/activex/HanGamePlugin19.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1104380461702
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {92E82FBB-DA00-41E0-ABFE-95482E21A4F6} (NMTransX Module) - http://download.netmarble.com/NMChatX/NMTransX.cab
    O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://download.netmarble.com/nProtect/nprotect/npx.cab
    O23 - Service: MonSvcNT - AhnLab, Inc. - C:\PROGRA~1\Ahnlab\V3\MonSvcNT.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: rypbitprpvsn - Unknown - C:\WINDOWS\System32\bdsqrbla5.exe

    thanks!!

    Oh, another thing: whenever I restart my computer my taskbar is messed up... all the task buttons are squished to one side, so I adjust it back to normal, but when I reboot again it's squished back the same way. Is there some way to fix this? It's not a critical thing, but it's a bit annoying... lol...
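The log above is the artifact the rest of this thread works from, and the entry classes the helpers act on (O1 hosts redirects, unnamed O2 BHOs, O4 autostarts sprayed across every Run key, the O10 Winsock LSP, the O23 service from an unknown vendor) can be picked out mechanically. The following triage script is an added example, not HijackThis code and not posted by anyone in the thread; the excerpt it parses is constructed from the log above, and every flag rule in it is a heuristic of mine, not HijackThis's own logic.

```python
"""Triage a HijackThis v1.99-style log for the entry classes seen in this thread.

Heuristics (assumptions, not HijackThis's own logic):
  O1  - a hosts entry mapping a name to a non-loopback address is a redirect
  O2  - a BHO registered as "(no name)" is hiding its identity
  O4  - a bare filename (no path) written to several autostart keys, or to
        RunServices at all (a Win9x key Windows XP does not process), looks like
        malware writing every key it knows; installers register once, with a path
  O10 - HijackThis already says it cannot identify the LSP DLL
  O23 - a service from an "Unknown" vendor whose binary lives in System32
"""
import re
from collections import defaultdict

# Constructed excerpt modelled on the log posted above (not the full log).
SAMPLE_LOG = r"""
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {A5BDE44F-1BCD-7BC2-CF4E-C9F5C59F2C13} - C:\WINDOWS\System32\jleylerd.dll
O4 - HKLM\..\Run: [*windows update] wuaruclt.exe
O4 - HKLM\..\Run: [XP firewall Services] FirewallxP.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\RunServices: [*windows update] wuaruclt.exe
O4 - HKLM\..\RunServices: [SQL Service] qnhqs.exe
O4 - HKCU\..\Run: [XP firewall Services] FirewallxP.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O23 - Service: MonSvcNT - AhnLab, Inc. - C:\PROGRA~1\Ahnlab\V3\MonSvcNT.exe
O23 - Service: rypbitprpvsn - Unknown - C:\WINDOWS\System32\bdsqrbla5.exe
"""

LOOPBACK = {"127.0.0.1", "::1"}
RE_O1 = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
RE_O2 = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
RE_O4 = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
RE_O10 = re.compile(r"^O10 - Unknown file in Winsock LSP: (.+)$")
RE_O23 = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")


def executable_of(command: str) -> str:
    """Return the program part of an O4 command line, quotes removed."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0]


def triage(log_text: str) -> list[dict]:
    """Return one finding per suspicious entry: {"section", "item", "reason"}."""
    findings = []
    autostarts = defaultdict(set)  # (value name, program) -> {"HKLM\Run", ...}
    for line in log_text.splitlines():
        line = line.strip()
        if m := RE_O1.match(line):
            ip, host = m.groups()
            if ip not in LOOPBACK:
                findings.append({"section": "O1", "item": host,
                                 "reason": f"hosts file redirects {host} to {ip}"})
        elif m := RE_O2.match(line):
            name, clsid, dll = m.groups()
            if name == "(no name)":
                findings.append({"section": "O2", "item": dll,
                                 "reason": f"unnamed BHO {clsid}"})
        elif m := RE_O4.match(line):
            hive, key, name, command = m.groups()
            autostarts[(name, executable_of(command))].add(f"{hive}\\{key}")
        elif m := RE_O10.match(line):
            findings.append({"section": "O10", "item": m.group(1),
                             "reason": "unrecognised Winsock LSP"})
        elif m := RE_O23.match(line):
            name, vendor, path = m.groups()
            if vendor == "Unknown" and "system32" in path.lower():
                findings.append({"section": "O23", "item": path,
                                 "reason": f"service '{name}' from unknown vendor in System32"})
    # O4 is judged per value name, after all keys have been seen.
    for (name, exe), keys in autostarts.items():
        bare = "\\" not in exe
        sprayed = len(keys) > 1 or any(k.endswith("RunServices") for k in keys)
        if bare and sprayed:
            findings.append({"section": "O4", "item": exe,
                             "reason": f"[{name}] bare filename in {sorted(keys)}"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:4} {f['item']}: {f['reason']}")
```

The O4 rule deliberately leaves SOUNDMAN.EXE and nwiz.exe alone: they are bare names too, but each is registered exactly once under HKLM\Run, which is how a normal installer behaves. The entries that are written identically to HKLM\Run, HKLM\RunServices and HKCU\Run, with Windows-sounding value names and no path, are the ones that survive a single-key cleanup, which matches what the reboot-and-it-is-back behaviour in the first post describes.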
     
  2. telecom69

    telecom69 Gone but never forgotten

    Joined:
    Oct 12, 2001
    Messages:
    9,807
  3. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Get the LSP Fix as well: http://www.cexx.org/lspfix.htm

    Launch the application, and click the "I know what I'm doing" checkbox.

    Check all instances of dolsp.dll (and nothing else), and move them to the "Remove" pane.
    Then click Finish.

    Now start your computer in Safe Mode and delete this file:

    C:\windows\system32\dolsp.dll
     
  4. intoxicated

    intoxicated Thread Starter

    Joined:
    Jan 2, 2004
    Messages:
    34
    When I run the VX2 plug-in for Ad-Aware it says my system is clean, but when I run the Ad-Aware scan VX2 still shows up... is there something wrong?
     
  5. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    If that's the newest kind of VX2 infection, it usually requires manual removal.

    Did you do the LSP Fix?

    Have you also tried running SpyBot?
    http://majorgeeks.com/download2471.html
    Download it, check for updates, then run it and fix all selected problems.

    Do LSP and SpyBot, then post a new log
     
  6. telecom69

    telecom69 Gone but never forgotten

    Joined:
    Oct 12, 2001
    Messages:
    9,807
    It may be showing it because it's in the quarantine list, so open that up and delete the items in there...
     
  7. intoxicated

    intoxicated Thread Starter

    Joined:
    Jan 2, 2004
    Messages:
    34
    Okay, I've done the LSP fix already, and I just ran SpyBot; several of the items couldn't get fixed and it told me that they would be fixed when I reboot. So I rebooted and ran SpyBot again and they were still there.

    Well, here is my HijackThis log:

    Logfile of HijackThis v1.99.0
    Scan saved at 10:47:38 AM, on 2005-01-30
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\WINDOWS\System32\zuudzdgu.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\PROGRA~1\Ahnlab\V3\MonSvcNT.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\bdsqrbla5.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\HijackThis.exe

    R3 - Default URLSearchHook is missing
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: (no name) - {A5BDE44F-1BCD-7BC2-CF4E-C9F5C59F2C13} - C:\WINDOWS\System32\jleylerd.dll
    O2 - BHO: (no name) - {E9D2AC88-9331-0689-288B-A99468B902DB} - C:\WINDOWS\System32\polddmev.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [*windows update] wuaruclt.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [XP firewall Services] FirewallxP.exe
    O4 - HKLM\..\Run: [Microsoft Crash Protection] mcrashprot.exe
    O4 - HKLM\..\Run: [SQL Service] qnhqs.exe
    O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\system32\defragfat34.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [zuudzdgu] C:\WINDOWS\System32\zuudzdgu.exe
    O4 - HKLM\..\RunServices: [*windows update] wuaruclt.exe
    O4 - HKLM\..\RunServices: [XP firewall Services] FirewallxP.exe
    O4 - HKLM\..\RunServices: [Microsoft Crash Protection] mcrashprot.exe
    O4 - HKLM\..\RunServices: [SQL Service] qnhqs.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [*windows update] wuaruclt.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [XP firewall Services] FirewallxP.exe
    O4 - HKCU\..\Run: [Microsoft Crash Protection] mcrashprot.exe
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {00001016-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter16 Class) - http://www.netmarble.net/game/nmstarter/NMStarter16.cab
    O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
    O16 - DPF: {5876CAD0-1636-42EA-AC50-4C06F3196089} (HanGamePlugin19 Class) - http://down.hangame.com/dist/activex/HanGamePlugin19.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1104380461702
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {92E82FBB-DA00-41E0-ABFE-95482E21A4F6} (NMTransX Module) - http://download.netmarble.com/NMChatX/NMTransX.cab
    O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://download.netmarble.com/nProtect/nprotect/npx.cab
    O23 - Service: MonSvcNT - AhnLab, Inc. - C:\PROGRA~1\Ahnlab\V3\MonSvcNT.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: rypbitprpvsn - Unknown - C:\WINDOWS\System32\bdsqrbla5.exe

    Thanks so much for putting in your time for me. I really appreciate it ^^
     
  8. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,041
    Click here: http://www.atribune.org/downloads/l2mfix.exe to download L2mfix.

    Save the file to your desktop and double click l2mfix.exe. Read and Accept the agreement. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

    IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
     
  9. intoxicated

    intoxicated Thread Starter

    Joined:
    Jan 2, 2004
    Messages:
    34
    Okay, I ran that file and got an error, and it gave me two options, close or ignore.

    I clicked ignore and I got a Notepad window right away, didn't have to wait even 1 sec (I dunno if it's because my computer is too fast or really crappy lol).

    So here is the log:

    L2MFIX find log 1.02a
    These are the registry keys present
    **********************************************************************************
    Winlogon/notify:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MediaContentIndex]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINDOWS\\system32\\irj8l51u1.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    **********************************************************************************
    useragent:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{EE1764E5-2D52-406C-B8FC-CB552647B736}"=""

    **********************************************************************************
    Shell Extension key:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{00022613-0000-0000-C000-000000000046}"="Multimedia File Properties"
    "{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
    "{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
    "{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
    "{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
    "{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
    "{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
    "{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
    "{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
    "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
    "{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
    "{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
    "{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
    "{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
    "{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
    "{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
    "{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
    "{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
    "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
    "{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
    "{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
    "{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
    "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
    "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printer Security Page"
    "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
    "{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
    "{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
    "{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
    "{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
    "{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
    "{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
    "{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
    "{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
    "{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
    "{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
    "{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
    "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
    "{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
    "{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
    "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
    "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
    "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
    "{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
    "{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
    "{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
    "{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
    "{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
    "{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
    "{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
    "{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
    "{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
    "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
    "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
    "{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
    "{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
    "{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
    "{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
    "{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
    "{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
    "{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
    "{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
    "{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
    "{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
    "{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
    "{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
    "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
    "{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
    "{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
    "{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
    "{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
    "{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
    "{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
    "{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
    "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
    "{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
    "{acf35015-526e-4230-9596-becbe19f0ac9}"="Popup Bar Tracking"
    "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
    "{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
    "{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
    "{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
    "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
    "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
    "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
    "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
    "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
    "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
    "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
    "{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
    "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
    "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
    "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
    "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft URL List Service"
    "{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
    "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
    "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft URL Search Hook"
    "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
    "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
    "{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
    "{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
    "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internet"
    "{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
    "{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
    "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
    "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
    "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
    "{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
    "{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
    "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
    "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
    "{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
    "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
    "{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
    "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
    "{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
    "{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
    "{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
    "{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
    "{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
    "{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
    "{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
    "{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
    "{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
    "{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
    "{add36aa8-751a-4579-a266-d66f5202ccbb}"="Online Print Ordering"
    "{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
    "{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
    "{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
    "{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
    "{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
    "{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
    "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
    "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
    "{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
    "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
    "{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
    "{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
    "{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
    "{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
    "{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
    "{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
    "{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
    "{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
    "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
    "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
    "{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
    "{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
    "{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
    "{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
    "{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
    "{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
    "{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
    "{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
    "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
    "{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
    "{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
    "{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
    "{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
    "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
    "{32714800-2E5F-11d0-8B85-00AA0044F941}"="&People..."
    "{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
    "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
    "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
    "{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
    "{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
    "{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
    "{597A3F8B-8161-46A7-B8D8-61D89CB2683A}"=""
    "{C0CE8D2F-A10D-473A-A62D-7A08DDABEEF6}"=""
    "{447DB5EF-00EC-40E2-9FF4-FFDCE4441F0A}"=""
    "{503F4DB3-8375-42AA-BDE4-43B3894FA5C9}"=""
    "{5684B96A-3802-4D86-A18C-4E142B06A2DD}"=""

    **********************************************************************************
    HKEY ROOT CLASSIDS:
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{597A3F8B-8161-46A7-B8D8-61D89CB2683A}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{597A3F8B-8161-46A7-B8D8-61D89CB2683A}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{597A3F8B-8161-46A7-B8D8-61D89CB2683A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{597A3F8B-8161-46A7-B8D8-61D89CB2683A}\InprocServer32]
    @="C:\\WINDOWS\\system32\\jzt500.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{C0CE8D2F-A10D-473A-A62D-7A08DDABEEF6}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{C0CE8D2F-A10D-473A-A62D-7A08DDABEEF6}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{C0CE8D2F-A10D-473A-A62D-7A08DDABEEF6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{C0CE8D2F-A10D-473A-A62D-7A08DDABEEF6}\InprocServer32]
    @="C:\\WINDOWS\\system32\\mzapsspc.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{447DB5EF-00EC-40E2-9FF4-FFDCE4441F0A}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{447DB5EF-00EC-40E2-9FF4-FFDCE4441F0A}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{447DB5EF-00EC-40E2-9FF4-FFDCE4441F0A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{447DB5EF-00EC-40E2-9FF4-FFDCE4441F0A}\InprocServer32]
    @="C:\\WINDOWS\\system32\\dmskcopy.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{503F4DB3-8375-42AA-BDE4-43B3894FA5C9}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{503F4DB3-8375-42AA-BDE4-43B3894FA5C9}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{503F4DB3-8375-42AA-BDE4-43B3894FA5C9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{503F4DB3-8375-42AA-BDE4-43B3894FA5C9}\InprocServer32]
    @="C:\\WINDOWS\\system32\\guard.tmp"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{5684B96A-3802-4D86-A18C-4E142B06A2DD}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{5684B96A-3802-4D86-A18C-4E142B06A2DD}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{5684B96A-3802-4D86-A18C-4E142B06A2DD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{5684B96A-3802-4D86-A18C-4E142B06A2DD}\InprocServer32]
    @="C:\\WINDOWS\\system32\\guard.tmp"
    "ThreadingModel"="Apartment"

    **********************************************************************************
    Files Found are not all bad files:
    **********************************************************************************
    Directory Listing of system files:
    C 드라이브의 볼륨: doo-1
    볼륨 일련 번호: FC85-2586

    C:\WINDOWS\System32 디렉터리

    2005-01-30 오전 (AM) 10:41 228,743 fplq0335e.dll
    2005-01-30 오전 (AM) 10:13 228,743 irj8l51u1.dll
    2005-01-30 오전 (AM) 09:53 228,743 en8ql1l51.dll
    2005-01-30 오전 (AM) 09:27 228,743 n42u0ef9eh2.dll
    2005-01-29 오후 (PM) 09:12 228,743 azam09l1e.dll
    2005-01-29 오후 (PM) 07:40 230,730 kt8ul7l91.dll
    2005-01-29 오전 (AM) 08:05 228,743 lv8m09l1e.dll
    2005-01-29 오전 (AM) 07:46 228,743 gp4ml3h11.dll
    2005-01-28 오후 (PM) 08:05 228,743 hrn4055qe.dll
    2005-01-28 오후 (PM) 06:01 228,743 aza2l99o1.dll
    2005-01-28 오후 (PM) 05:54 231,783 mvr2l99o1.dll
    2005-01-28 오전 (AM) 06:26 229,081 lv4209hoe.dll
    2005-01-15 오후 (PM) 10:43 <DIR> dllcache
    2004-12-30 오후 (PM) 12:07 1,682 KGyGaAvL.sys
    2004-12-30 오후 (PM) 12:07 56 71D9E9FDDE.sys
    2004-12-29 오후 (PM) 07:48 177,664 expiorer.exe
    2004-12-29 오후 (PM) 07:48 90,112 admdll.dll
    2004-12-29 오후 (PM) 07:48 29,408 raddrv.dll
    2004-12-29 오후 (PM) 07:33 <DIR> Microsoft
    17개 파일 (files) 3,049,203 바이트 (bytes)
    2개 디렉터리 (2 directories) 17,197,744,128 바이트 남음 (bytes remaining?)
    My computer is Korean so some of this is in Korean (I barely read Korean 'cause I'm just another westerner in a Korean body).

    Hopefully you'll understand. I tried to translate some of the last bit. Thanks ^^
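The registry export above shows the pattern a responder looks for in a Look2Me/VX2-style infection: CLSIDs approved as shell extensions with an empty display name, each backed by an InprocServer32 in System32 that is either a randomly named DLL or not a .dll at all (guard.tmp). The following is an added example, not code from the thread or from the L2MFix tool, that parses .reg exports in the format posted here and flags entries with those traits. The sample export is constructed from the CLSIDs and file names visible in the log; the WinRAR InprocServer32 path is a made-up stand-in for a normally named entry.

```python
import re
from collections import defaultdict

# Constructed sample input in the .reg export format of the posted log. The
# CLSIDs and System32 file names are the ones shown above; the WinRAR
# InprocServer32 path is an assumed stand-in for a legitimately named entry.
APPROVED_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{597A3F8B-8161-46A7-B8D8-61D89CB2683A}"=""
"{503F4DB3-8375-42AA-BDE4-43B3894FA5C9}"=""
"{5684B96A-3802-4D86-A18C-4E142B06A2DD}"=""
'''

CLSID_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{597A3F8B-8161-46A7-B8D8-61D89CB2683A}\InprocServer32]
@="C:\\WINDOWS\\system32\\jzt500.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{503F4DB3-8375-42AA-BDE4-43B3894FA5C9}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{5684B96A-3802-4D86-A18C-4E142B06A2DD}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InprocServer32]
@="C:\\Program Files\\WinRAR\\rarext.dll"
"ThreadingModel"="Apartment"
'''

APPROVED_KEY = (r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion'
                r'\Shell Extensions\Approved')
SECTION_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
INPROC_RE = re.compile(r'^HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InprocServer32$')


def parse_reg(text):
    """Parse a REGEDIT4 / 'Windows Registry Editor Version 5.00' export into
    {key_path: {value_name: data}}. String data is unescaped; dword and hex(2)
    values are kept as raw text and hex continuation lines are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor') or line == 'REGEDIT4':
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            name = '' if name == '@' else name[1:-1]   # '@' is the default value
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = data
    return keys


def find_suspicious_extensions(approved_text, clsid_text):
    """Return [(clsid, server_path, [reasons])] for Approved entries that show
    the traits of the anonymous entries in the posted log."""
    approved = parse_reg(approved_text).get(APPROVED_KEY, {})
    servers = {}
    for key, values in parse_reg(clsid_text).items():
        m = INPROC_RE.match(key)
        if m:
            servers[m.group(1).upper()] = values.get('', '')
    # Count how many CLSIDs are backed by the same file (two share guard.tmp here).
    backed_by = defaultdict(list)
    for clsid, path in servers.items():
        backed_by[path.lower()].append(clsid)

    findings = []
    for clsid, display_name in approved.items():
        clsid = clsid.upper()
        server = servers.get(clsid, '')
        reasons = []
        if display_name == '':
            reasons.append('approved with an empty display name')
        if server and not server.lower().endswith('.dll'):
            reasons.append('InprocServer32 is not a .dll: ' + server)
        if server and len(backed_by[server.lower()]) > 1:
            reasons.append('server file also backs %d other CLSID(s)'
                           % (len(backed_by[server.lower()]) - 1))
        if reasons:
            findings.append((clsid, server, reasons))
    return findings


if __name__ == '__main__':
    for clsid, server, reasons in find_suspicious_extensions(APPROVED_EXPORT, CLSID_EXPORT):
        print(clsid, server or '(no InprocServer32)')
        for reason in reasons:
            print('   -', reason)
```

On a live system the two inputs would come from `reg export` of the Approved key and of HKCR\CLSID; here the three anonymous CLSIDs from the log are reported while the named nView and WinRAR entries are not. An empty display name alone is only a weak signal, which is why the check also reports a non-.dll server and a file shared by several CLSIDs, the two traits that set the guard.tmp entries apart.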
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,041
    Close any programs you have open since this step requires a reboot.

    From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

    IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!
     
  11. intoxicated

    intoxicated Thread Starter

    Joined:
    Jan 2, 2004
    Messages:
    34
    L2M Log
    ------------------------

    L2Mfix 1.02a

    Running From:
    C:\Documents and Settings\jenny hong.JENNY\바탕 화면\l2mfix



    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Read BUILTIN\Power Users
    (ID-IO) ALLOW Read BUILTIN\Power Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER



    Setting registry permissions:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!


    Denying C access for really "Everyone"
    - adding new ACCESS DENY entry


    Registry Permissions set too:

    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
    (CI) DENY --C------- Everyone
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Read BUILTIN\Power Users
    (ID-IO) ALLOW Read BUILTIN\Power Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER



    Setting up for Reboot


    Starting Reboot!

    C:\Documents and Settings\jenny hong.JENNY\바탕 화면\l2mfix
    System Rebooted!

    Running From:
    C:\Documents and Settings\jenny hong.JENNY\바탕 화면\l2mfix

    killing explorer and rundll32.exe

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 [email protected]
    Killing PID 1304 'explorer.exe'
    Killing PID 1304 'explorer.exe'
    Killing PID 1304 'explorer.exe'
    Killing PID 1304 'explorer.exe'
    Killing PID 1304 'explorer.exe'
    Killing PID 1304 'explorer.exe'
    Killing PID 1304 'explorer.exe'
    Killing PID 1304 'explorer.exe'
    Killing PID 1304 'explorer.exe'
    Killing PID 1304 'explorer.exe'
    Killing PID 1304 'explorer.exe'
    Killing PID 1304 'explorer.exe'
    Killing PID 1304 'explorer.exe'
    Killing PID 1304 'explorer.exe'
    Killing PID 1304 'explorer.exe'
    Killing PID 1304 'explorer.exe'
    Killing PID 1304 'explorer.exe'
    Killing PID 1304 'explorer.exe'
    Killing PID 1304 'explorer.exe'
    Killing PID 1304 'explorer.exe'
    Killing PID 1304 'explorer.exe'
    Killing PID 1304 'explorer.exe'
    Killing PID 1304 'explorer.exe'
    Killing PID 1304 'explorer.exe'
    Killing PID 1304 'explorer.exe'
    Killing PID 1304 'explorer.exe'
    Killing PID 1304 'explorer.exe'
    Killing PID 1304 'explorer.exe'
    Killing PID 1304 'explorer.exe'
    Killing PID 1304 'explorer.exe'
    Killing PID 1304 'explorer.exe'
    Killing PID 1304 'explorer.exe'
    Killing PID 1304 'explorer.exe'

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 [email protected]
    Error, Cannot find a process with an image name of rundll32.exe

    Scanning First Pass. Please Wait!

    First Pass Completed

    Second Pass Scanning

    Second pass Completed!
    Backing Up: C:\WINDOWS\system32\arsnds.dll
    1개 파일이 복사되었습니다.
    Backing Up: C:\WINDOWS\system32\aza2l99o1.dll
    1개 파일이 복사되었습니다.
    Backing Up: C:\WINDOWS\system32\azam09l1e.dll
    1개 파일이 복사되었습니다.
    Backing Up: C:\WINDOWS\system32\dmskcopy.dll
    1개 파일이 복사되었습니다.
    Backing Up: C:\WINDOWS\system32\dvspex.dll
    1개 파일이 복사되었습니다.
    Backing Up: C:\WINDOWS\system32\en8ql1l51.dll
    1개 파일이 복사되었습니다.
    Backing Up: C:\WINDOWS\system32\fplq0335e.dll
    1개 파일이 복사되었습니다.
    Backing Up: C:\WINDOWS\system32\gp4ml3h11.dll
    1개 파일이 복사되었습니다.
    Backing Up: C:\WINDOWS\system32\hrn4055qe.dll
    1개 파일이 복사되었습니다.
    Backing Up: C:\WINDOWS\system32\kcdycl.dll
    1개 파일이 복사되었습니다.
    Backing Up: C:\WINDOWS\system32\kt8ul7l91.dll
    1개 파일이 복사되었습니다.
    Backing Up: C:\WINDOWS\system32\lv4209hoe.dll
    1개 파일이 복사되었습니다.
    Backing Up: C:\WINDOWS\system32\lv8m09l1e.dll
    1개 파일이 복사되었습니다.
    Backing Up: C:\WINDOWS\system32\mvr2l99o1.dll
    1개 파일이 복사되었습니다.
    Backing Up: C:\WINDOWS\system32\mzapsspc.dll
    1개 파일이 복사되었습니다.
    Backing Up: C:\WINDOWS\system32\n42u0ef9eh2.dll
    1개 파일이 복사되었습니다.
    Backing Up: C:\WINDOWS\system32\nbwrsja.dll
    1개 파일이 복사되었습니다.
    Backing Up: C:\WINDOWS\system32\smgina.dll
    1개 파일이 복사되었습니다.
    Backing Up: C:\WINDOWS\system32\wuploc.dll
    1개 파일이 복사되었습니다.
    deleting: C:\WINDOWS\system32\arsnds.dll
    Successfully Deleted: C:\WINDOWS\system32\arsnds.dll
    deleting: C:\WINDOWS\system32\aza2l99o1.dll
    Successfully Deleted: C:\WINDOWS\system32\aza2l99o1.dll
    deleting: C:\WINDOWS\system32\azam09l1e.dll
    Successfully Deleted: C:\WINDOWS\system32\azam09l1e.dll
    deleting: C:\WINDOWS\system32\dmskcopy.dll
    Successfully Deleted: C:\WINDOWS\system32\dmskcopy.dll
    deleting: C:\WINDOWS\system32\dvspex.dll
    Successfully Deleted: C:\WINDOWS\system32\dvspex.dll
    deleting: C:\WINDOWS\system32\en8ql1l51.dll
    Successfully Deleted: C:\WINDOWS\system32\en8ql1l51.dll
    deleting: C:\WINDOWS\system32\fplq0335e.dll
    Successfully Deleted: C:\WINDOWS\system32\fplq0335e.dll
    deleting: C:\WINDOWS\system32\gp4ml3h11.dll
    Successfully Deleted: C:\WINDOWS\system32\gp4ml3h11.dll
    deleting: C:\WINDOWS\system32\hrn4055qe.dll
    Successfully Deleted: C:\WINDOWS\system32\hrn4055qe.dll
    deleting: C:\WINDOWS\system32\kcdycl.dll
    Successfully Deleted: C:\WINDOWS\system32\kcdycl.dll
    deleting: C:\WINDOWS\system32\kt8ul7l91.dll
    Successfully Deleted: C:\WINDOWS\system32\kt8ul7l91.dll
    deleting: C:\WINDOWS\system32\lv4209hoe.dll
    Successfully Deleted: C:\WINDOWS\system32\lv4209hoe.dll
    deleting: C:\WINDOWS\system32\lv8m09l1e.dll
    Successfully Deleted: C:\WINDOWS\system32\lv8m09l1e.dll
    deleting: C:\WINDOWS\system32\mvr2l99o1.dll
    Successfully Deleted: C:\WINDOWS\system32\mvr2l99o1.dll
    deleting: C:\WINDOWS\system32\mzapsspc.dll
    Successfully Deleted: C:\WINDOWS\system32\mzapsspc.dll
    deleting: C:\WINDOWS\system32\n42u0ef9eh2.dll
    Successfully Deleted: C:\WINDOWS\system32\n42u0ef9eh2.dll
    deleting: C:\WINDOWS\system32\nbwrsja.dll
    Successfully Deleted: C:\WINDOWS\system32\nbwrsja.dll
    deleting: C:\WINDOWS\system32\smgina.dll
    Successfully Deleted: C:\WINDOWS\system32\smgina.dll
    deleting: C:\WINDOWS\system32\wuploc.dll
    Successfully Deleted: C:\WINDOWS\system32\wuploc.dll

    Desktop.ini sucessfully removed

    Zipping up files for submission:
    adding: arsnds.dll (164 bytes security) (deflated 4%)
    adding: aza2l99o1.dll (164 bytes security) (deflated 4%)
    adding: azam09l1e.dll (164 bytes security) (deflated 4%)
    adding: dmskcopy.dll (164 bytes security) (deflated 5%)
    adding: dvspex.dll (164 bytes security) (deflated 4%)
    adding: en8ql1l51.dll (164 bytes security) (deflated 4%)
    adding: fplq0335e.dll (164 bytes security) (deflated 4%)
    adding: gp4ml3h11.dll (164 bytes security) (deflated 4%)
    adding: hrn4055qe.dll (164 bytes security) (deflated 4%)
    adding: kcdycl.dll (164 bytes security) (deflated 4%)
    adding: kt8ul7l91.dll (164 bytes security) (deflated 5%)
    adding: lv4209hoe.dll (164 bytes security) (deflated 4%)
    adding: lv8m09l1e.dll (164 bytes security) (deflated 4%)
    adding: mvr2l99o1.dll (164 bytes security) (deflated 5%)
    adding: mzapsspc.dll (164 bytes security) (deflated 5%)
    adding: n42u0ef9eh2.dll (164 bytes security) (deflated 4%)
    adding: nbwrsja.dll (164 bytes security) (deflated 4%)
    adding: smgina.dll (164 bytes security) (deflated 4%)
    adding: wuploc.dll (164 bytes security) (deflated 4%)
    adding: clear.reg (164 bytes security) (deflated 55%)
    adding: echo.reg (164 bytes security) (deflated 4%)
    adding: desktop.ini (164 bytes security) (deflated 14%)
    adding: direct.txt (164 bytes security) (stored 0%)
    adding: lo2.txt (164 bytes security) (deflated 84%)
    adding: readme.txt (164 bytes security) (deflated 49%)
    adding: report.txt (164 bytes security) (deflated 65%)
    adding: test.txt (164 bytes security) (deflated 78%)
    adding: test2.txt (164 bytes security) (deflated 37%)
    adding: test3.txt (164 bytes security) (deflated 37%)
    adding: test5.txt (164 bytes security) (deflated 37%)
    adding: xfind.txt (164 bytes security) (deflated 73%)
    adding: backregs/447DB5EF-00EC-40E2-9FF4-FFDCE4441F0A.reg (164 bytes security) (deflated 70%)
    adding: backregs/503F4DB3-8375-42AA-BDE4-43B3894FA5C9.reg (164 bytes security) (deflated 70%)
    adding: backregs/5684B96A-3802-4D86-A18C-4E142B06A2DD.reg (164 bytes security) (deflated 70%)
    adding: backregs/597A3F8B-8161-46A7-B8D8-61D89CB2683A.reg (164 bytes security) (deflated 70%)
    adding: backregs/C0CE8D2F-A10D-473A-A62D-7A08DDABEEF6.reg (164 bytes security) (deflated 70%)
    adding: backregs/shell.reg (164 bytes security) (deflated 71%)

    Restoring Registry Permissions:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!


    Revoking access for really "Everyone"


    Registry permissions set too:

    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Read BUILTIN\Power Users
    (ID-IO) ALLOW Read BUILTIN\Power Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER


    Restoring Sedebugprivilege:

    Granting SeDebugPrivilege to Administrators ... successful

    deleting local copy: arsnds.dll
    deleting local copy: aza2l99o1.dll
    deleting local copy: azam09l1e.dll
    deleting local copy: dmskcopy.dll
    deleting local copy: dvspex.dll
    deleting local copy: en8ql1l51.dll
    deleting local copy: fplq0335e.dll
    deleting local copy: gp4ml3h11.dll
    deleting local copy: hrn4055qe.dll
    deleting local copy: kcdycl.dll
    deleting local copy: kt8ul7l91.dll
    deleting local copy: lv4209hoe.dll
    deleting local copy: lv8m09l1e.dll
    deleting local copy: mvr2l99o1.dll
    deleting local copy: mzapsspc.dll
    deleting local copy: n42u0ef9eh2.dll
    deleting local copy: nbwrsja.dll
    deleting local copy: smgina.dll
    deleting local copy: wuploc.dll

    The following Is the Current Export of the Winlogon notify key:
    ****************************************************************************
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001


    The following are the files found:
    ****************************************************************************
    C:\WINDOWS\system32\arsnds.dll
    C:\WINDOWS\system32\aza2l99o1.dll
    C:\WINDOWS\system32\azam09l1e.dll
    C:\WINDOWS\system32\dmskcopy.dll
    C:\WINDOWS\system32\dvspex.dll
    C:\WINDOWS\system32\en8ql1l51.dll
    C:\WINDOWS\system32\fplq0335e.dll
    C:\WINDOWS\system32\gp4ml3h11.dll
    C:\WINDOWS\system32\hrn4055qe.dll
    C:\WINDOWS\system32\kcdycl.dll
    C:\WINDOWS\system32\kt8ul7l91.dll
    C:\WINDOWS\system32\lv4209hoe.dll
    C:\WINDOWS\system32\lv8m09l1e.dll
    C:\WINDOWS\system32\mvr2l99o1.dll
    C:\WINDOWS\system32\mzapsspc.dll
    C:\WINDOWS\system32\n42u0ef9eh2.dll
    C:\WINDOWS\system32\nbwrsja.dll
    C:\WINDOWS\system32\smgina.dll
    C:\WINDOWS\system32\wuploc.dll

    Registry Entries that were Deleted:
    Please verify that the listing looks ok.
    If there was something deleted wrongly there are backups in the backreg folder.
    ****************************************************************************
    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{597A3F8B-8161-46A7-B8D8-61D89CB2683A}"=-
    "{C0CE8D2F-A10D-473A-A62D-7A08DDABEEF6}"=-
    "{447DB5EF-00EC-40E2-9FF4-FFDCE4441F0A}"=-
    "{503F4DB3-8375-42AA-BDE4-43B3894FA5C9}"=-
    "{5684B96A-3802-4D86-A18C-4E142B06A2DD}"=-
    [-HKEY_CLASSES_ROOT\CLSID\{597A3F8B-8161-46A7-B8D8-61D89CB2683A}]
    [-HKEY_CLASSES_ROOT\CLSID\{C0CE8D2F-A10D-473A-A62D-7A08DDABEEF6}]
    [-HKEY_CLASSES_ROOT\CLSID\{447DB5EF-00EC-40E2-9FF4-FFDCE4441F0A}]
    [-HKEY_CLASSES_ROOT\CLSID\{503F4DB3-8375-42AA-BDE4-43B3894FA5C9}]
    [-HKEY_CLASSES_ROOT\CLSID\{5684B96A-3802-4D86-A18C-4E142B06A2DD}]
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{EE1764E5-2D52-406C-B8FC-CB552647B736}"=-
    ****************************************************************************
    Desktop.ini Contents:
    ****************************************************************************
    [.ShellClassInfo]
    CLSID={645FF040-5081-101B-9F08-00AA002F954E}
    <IDone>{EE1764E5-2D52-406C-B8FC-CB552647B736}</IDone>
    <IDtwo>VT00</IDtwo>
    <VERSION>200</VERSION>
    ****************************************************************************
    

    --------------

    Hijackthis log
    --------------

    Logfile of HijackThis v1.99.0
    Scan saved at 오후 3:33:02, on 2005-01-30
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\WINDOWS\System32\zuudzdgu.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\WINDOWS\System32\conime.exe
    C:\PROGRA~1\Ahnlab\V3\MonSvcNT.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\bdsqrbla5.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\HijackThis.exe

    R3 - Default URLSearchHook is missing
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: (no name) - {A5BDE44F-1BCD-7BC2-CF4E-C9F5C59F2C13} - C:\WINDOWS\System32\jleylerd.dll
    O2 - BHO: (no name) - {E9D2AC88-9331-0689-288B-A99468B902DB} - C:\WINDOWS\System32\polddmev.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [*windows update] wuaruclt.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [XP firewall Services] FirewallxP.exe
    O4 - HKLM\..\Run: [Microsoft Crash Protection] mcrashprot.exe
    O4 - HKLM\..\Run: [SQL Service] qnhqs.exe
    O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\system32\defragfat34.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [zuudzdgu] C:\WINDOWS\System32\zuudzdgu.exe
    O4 - HKLM\..\RunServices: [*windows update] wuaruclt.exe
    O4 - HKLM\..\RunServices: [XP firewall Services] FirewallxP.exe
    O4 - HKLM\..\RunServices: [Microsoft Crash Protection] mcrashprot.exe
    O4 - HKLM\..\RunServices: [SQL Service] qnhqs.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [*windows update] wuaruclt.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [XP firewall Services] FirewallxP.exe
    O4 - HKCU\..\Run: [Microsoft Crash Protection] mcrashprot.exe
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {00001016-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter16 Class) - http://www.netmarble.net/game/nmstarter/NMStarter16.cab
    O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
    O16 - DPF: {5876CAD0-1636-42EA-AC50-4C06F3196089} (HanGamePlugin19 Class) - http://down.hangame.com/dist/activex/HanGamePlugin19.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1104380461702
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {92E82FBB-DA00-41E0-ABFE-95482E21A4F6} (NMTransX Module) - http://download.netmarble.com/NMChatX/NMTransX.cab
    O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://download.netmarble.com/nProtect/nprotect/npx.cab
    O23 - Service: MonSvcNT - AhnLab, Inc. - C:\PROGRA~1\Ahnlab\V3\MonSvcNT.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: rypbitprpvsn - Unknown - C:\WINDOWS\System32\bdsqrbla5.exe

    Cookiegal, you're such a devoted worker~

    Sorry this reply took some time, I was out for a while. Thanks ^^
     
  12. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,041
    Did you reboot before scanning with Hijack This? If not, please do so and post a new HJT log.
     
  13. intoxicated

    intoxicated Thread Starter

    Joined:
    Jan 2, 2004
    Messages:
    34
    Umm, that HijackThis log is one I took after the #2 step of L2M. But if I had to reboot again to take it, here is one I just took after a reboot:

    Logfile of HijackThis v1.99.0
    Scan saved at 오후 5:10:57, on 2005-01-30
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\WINDOWS\System32\zuudzdgu.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\PROGRA~1\Ahnlab\V3\MonSvcNT.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\bdsqrbla5.exe
    C:\HijackThis.exe
    C:\WINDOWS\System32\svchost.exe

    R3 - Default URLSearchHook is missing
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: (no name) - {A5BDE44F-1BCD-7BC2-CF4E-C9F5C59F2C13} - C:\WINDOWS\System32\jleylerd.dll
    O2 - BHO: (no name) - {E9D2AC88-9331-0689-288B-A99468B902DB} - C:\WINDOWS\System32\polddmev.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [*windows update] wuaruclt.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [XP firewall Services] FirewallxP.exe
    O4 - HKLM\..\Run: [Microsoft Crash Protection] mcrashprot.exe
    O4 - HKLM\..\Run: [SQL Service] qnhqs.exe
    O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\system32\defragfat34.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [zuudzdgu] C:\WINDOWS\System32\zuudzdgu.exe
    O4 - HKLM\..\RunServices: [*windows update] wuaruclt.exe
    O4 - HKLM\..\RunServices: [XP firewall Services] FirewallxP.exe
    O4 - HKLM\..\RunServices: [Microsoft Crash Protection] mcrashprot.exe
    O4 - HKLM\..\RunServices: [SQL Service] qnhqs.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [*windows update] wuaruclt.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [XP firewall Services] FirewallxP.exe
    O4 - HKCU\..\Run: [Microsoft Crash Protection] mcrashprot.exe
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {00001016-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter16 Class) - http://www.netmarble.net/game/nmstarter/NMStarter16.cab
    O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
    O16 - DPF: {5876CAD0-1636-42EA-AC50-4C06F3196089} (HanGamePlugin19 Class) - http://down.hangame.com/dist/activex/HanGamePlugin19.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1104380461702
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {92E82FBB-DA00-41E0-ABFE-95482E21A4F6} (NMTransX Module) - http://download.netmarble.com/NMChatX/NMTransX.cab
    O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://download.netmarble.com/nProtect/nprotect/npx.cab
    O23 - Service: MonSvcNT - AhnLab, Inc. - C:\PROGRA~1\Ahnlab\V3\MonSvcNT.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: rypbitprpvsn - Unknown - C:\WINDOWS\System32\bdsqrbla5.exe
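A small triage script for HijackThis-style logs like the one above, added here as an example; it is not part of this thread and not code from HijackThis, Lavasoft or the helpers in this thread. It flags three things a defender would check first: hosts-file entries that point a hostname somewhere other than loopback, O4 autorun entries whose program is given as a bare filename with no path (the system has to resolve it through its search order, and legitimate installers almost always write a full path), and O23 services whose vendor HijackThis could not identify. The sample lines are modelled on the log posted above plus one constructed O1 line (192.0.2.10 is a documentation address); the heuristics are assumptions that mark entries for review, not verdicts that a given file is malware.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines modelled on the HijackThis log in this thread, plus one
# made-up O1 hosts line for illustration (192.0.2.10 is a documentation-range IP).
SAMPLE_LOG = r"""
O1 - Hosts: 192.0.2.10 search.example.net
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [XP firewall Services] FirewallxP.exe
O4 - HKLM\..\Run: [SQL Service] qnhqs.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [*windows update] wuaruclt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: rypbitprpvsn - Unknown - C:\WINDOWS\System32\bdsqrbla5.exe
"""


@dataclass
class Finding:
    section: str  # HijackThis section code: O1, O4 or O23
    reason: str   # why the line deserves a look
    line: str     # the original log line


O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<rest>.+)$")


def _tokens(cmd):
    """Split an autorun command line into executable + arguments, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return [cmd.strip('"')]
        return [cmd[1:end]] + cmd[end + 1:].split()
    return cmd.split()


def _has_path(token):
    """True if the token names a directory or drive, i.e. is not a bare filename."""
    return "\\" in token or "/" in token or re.match(r"^[A-Za-z]:", token) is not None


def triage(log_text):
    """Return the log lines that match one of the review heuristics, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O1_RE.match(line)
        if m:
            # A hosts override that does not point at loopback silently redirects that name.
            if m["ip"] not in ("127.0.0.1", "::1"):
                findings.append(Finding("O1", f"hosts file maps {m['host']} to {m['ip']}", line))
            continue
        m = O4_RE.match(line)
        if m:
            toks = _tokens(m["cmd"])
            if not toks:
                continue
            target = toks[0]
            # For rundll32 the interesting file is the DLL it loads, not rundll32 itself.
            if target.lower().rsplit("\\", 1)[-1] == "rundll32.exe" and len(toks) > 1:
                target = toks[1].split(",")[0]
            if not _has_path(target):
                findings.append(Finding(
                    "O4", f"{m['hive']}\\{m['key']} [{m['name']}] starts {target!r} without a path", line))
            continue
        m = O23_RE.match(line)
        if m:
            # Format is "<name> - <vendor> - <path>"; split from the right so names with " - " survive.
            parts = m["rest"].rsplit(" - ", 2)
            if len(parts) == 3 and parts[1].strip().lower() == "unknown":
                findings.append(Finding("O23", f"service {parts[0]!r} has no identified vendor ({parts[2]})", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}")
```

Run on the sample it reports the constructed O1 line, the three bare-filename O4 entries and the O23 service with an unknown vendor, while the fully pathed Messenger, NVIDIA and MSN entries pass. Pair the output with the file checks the helper asks for: a bare-filename autorun is only as suspicious as the file it resolves to, so the finding is the starting point for looking at that file, not the conclusion.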
     
  14. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,041
    Click here: http://forums.techguy.org/attachment.php?attachmentid=46183 to download Find It NT-2K-XP.zip.

    Unzip it and double-click on Find.bat to run it. When the command window first opens, it will say "File not found". Ignore that and let it continue to run until it finishes. It may take it a few minutes. It will open an Output.txt file when it completes. Copy and paste the contents of output.txt here. Once that's done, close the text file and then press any key and the batch file will end.

    Download the VX2Finder.exe tool. Click on the VX2Finder.exe and then click on the Click to Find VX2.Betterinternet button. It will display the files, the Guardian Key and User Agent string. Now click the Make Log button. It will open the log in notepad. Copy and paste that log here and wait for further instructions.

    http://www.downloads.subratam.org/VX2Finder.exe

    Next click here: http://www.downloads.subratam.org/DllCompare.exe to download DLLCompare.zip.

    Save it to your desktop.

    Now run DllCompare and click on the RunLocate.com button. It will scan for the hidden files. When it is finished, you will see in blue Completed the scan, Click Compare to Continue at which time you will click the Compare button.

    It will sort through the files it found and determine which should be flagged as "No access" and display them in the lower box.

    In a few minutes it will complete, then you will see in blue Completed.
    Click the Make a Log of what was Found button. It will ask if you want to view the logfile. Click Yes, then copy and paste that log in your next reply.

    After you have posted all that info here, it is very important that you do not restart your computer until we have proceeded to the directions for removal. If you restart your computer, the registry entry needed for removal will change, as will some of the file names, and we will have to start all over.
     
  15. intoxicated

    intoxicated Thread Starter

    Joined:
    Jan 2, 2004
    Messages:
    34
    The Find It program doesn't seem to work.

    After it says
    "Beginning Strings.exe....."
    it says in Korean that something cannot be found. I don't know what that something is. Should I continue with the rest of the steps?

    No log popped up.
     
Short URL to this thread: https://techguy.org/324800
