Tech Support Guy banner
Cancel
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice

Help: Trojan horse "dlm.exe", "dl.exe"

11578 Views 6 Replies 3 Participants Last post by  freekt
Y
My friend's laptop has experienced "Trojan horse - dlm.exe, dl.exe" problem. I helped him to fix this by using Hijackthis, AdAware, and Spybot. After cleaning the computer, I installed "Zone alarm" to prevent further problem. At the moment, it seems to work well except one website. If I tried to connect the site using "Internet explorer", IE generates error messages.

The following is the log file generated by "Hijackthis". It has a lot of "O4 - Startup: xxx_{xxx}.tmp" lines. I deleted most of them and inserted dots since the file size of log file is too big (258kb). Thanks.

>---------------------------------------
Logfile of HijackThis v1.97.7
Scan saved at 10:13:35 PM, on 2004-04-13
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SMCTRLW.EXE
C:\WINDOWS\SYSTEM\CTRLVOL.EXE
C:\WINDOWS\SYSTEM\KEYMAP.EXE
C:\PROGRAM FILES\THINKPAD\EASY LAUNCH BUTTONS\TPHKMGR.EXE
C:\PROGRAM FILES\SLEEP MANAGER\SLEEPMGR.EXE
C:\WINDOWS\LTSMMSG.EXE
C:\CFGSAFE\AUTOCHK.EXE
C:\WINDOWS\SYSTEM\DAEMON.EXE
C:\PROGRAM FILES\MDL CROSSFIRE COMMANDER V6\XFDLINK.EXE
C:\PROGRAM FILES\MYLINKER\MYLINKER.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\KEYACC32.EXE
C:\PROGRAM FILES\THINKPAD\EASY LAUNCH BUTTONS\EZICON.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\THINKPAD\EASY LAUNCH BUTTONS\TPONSCR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
C:\UTILITY\HJT\HIJACKTHIS.EXE

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: ????? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [·¹Áö½ºÆ®¸® °Ë»ç] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Control Panel] smctrlw.exe
O4 - HKLM\..\Run: [CtrlVolume] C:\WINDOWS\SYSTEM\CtrlVol.exe
O4 - HKLM\..\Run: [Keymap] C:\WINDOWS\SYSTEM\Keymap.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\THINKPAD\EASYLA~1\TPHKMGR.EXE
O4 - HKLM\..\Run: [SleepManager] "C:\Program Files\Sleep Manager\SleepMgr.exe"
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\AUTOCHK.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [TrackPointSrv] daemon.exe
O4 - HKLM\..\Run: [XfDLink] "C:\PROGRAM FILES\MDL CROSSFIRE COMMANDER V6\XFDLINK.EXE"
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [myLinker] C:\PROGRA~1\MYLINKER\MYLINKER.EXE /B
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [CVPND] "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" start
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKCU\..\Run: [KeyAccess] c:\WINDOWS\keyacc32.exe
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRAM FILES\SYSTEM SOAP PRO\SOAP.exe min
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: ADDLFNPR.REG
O4 - Startup: BLUE10.BMP
O4 - Startup: EPSTPLOG.TXT
O4 - Startup: DEFAULT.WBM
O4 - Startup: DOSSTART.BAT
O4 - Startup: IBM1024R.BMP
O4 - Startup: IBML1024.BMP
O4 - Startup: KIDS10.BMP
O4 - Startup: MANCH10.BMP
O4 - Startup: MARK.GIF
O4 - Startup: MONTAG10.BMP
O4 - Startup: MOUSE.COM
O4 - Startup: NEWGRA10.BMP
O4 - Startup: QUAD10.BMP
O4 - Startup: RUN10.BMP
O4 - Startup: THINK10.BMP
O4 - Startup: WOMAN10.BMP
O4 - Startup: MSDOS.SYS
O4 - Startup: WINSOCK.DLL
O4 - Startup: WIN.INI
O4 - Startup: HWINFO.EXE
O4 - Startup: NETDET.INI
O4 - Startup: PIDGEN.DLL
O4 - Startup: MSIMGSIZ.DAT
O4 - Startup: LICENSE.TXT
O4 - Startup: SUPPORT.TXT
O4 - Startup: BILING.SYS
O4 - Startup: MPLAYER.EXE
O4 - Startup: RUNHELP.CAB
O4 - Startup: JAUTOEXP.DAT
O4 - Startup: NDDEAPI.DLL
O4 - Startup: NDDENB.DLL
O4 - Startup: SCRIPT.DOC
O4 - Startup: CLSPACK.EXE
O4 - Startup: DOSREP.EXE
O4 - Startup: DRWATSON.EXE
O4 - Startup: EXPLORER.EXE
O4 - Startup: FONTVIEW.EXE
O4 - Startup: USER.DAT
O4 - Startup: ODBC.INI
O4 - Startup: ISO10646.EXE
O4 - Startup: WININIT.SAV
O4 - Startup: NETDDE.EXE
O4 - Startup: PIDSET.EXE
O4 - Startup: SETDEBUG.EXE
O4 - Startup: SIGVERIF.EXE
O4 - Startup: TUNEUP.EXE
O4 - Startup: UPWIZUN.EXE
O4 - Startup: WINREP.EXE
O4 - Startup: JVIEW.EXE
O4 - Startup: BACKGRND.GIF
O4 - Startup: CLOUD.GIF
O4 - Startup: CONTENT.GIF
O4 - Startup: HLPBELL.GIF
O4 - Startup: HLPCD.GIF
O4 - Startup: HLPGLOBE.GIF
O4 - Startup: HLPLOGO.GIF
O4 - Startup: HLPSTEP1.GIF
O4 - Startup: HLPSTEP2.GIF
O4 - Startup: HLPSTEP3.GIF
O4 - Startup: WINLOGO.GIF
O4 - Startup: IOS.LOG
O4 - Startup: SYSTEM.INI
O4 - Startup: READM_01.HTZ
O4 - Startup: READM_02.HTZ
O4 - Startup: DOSREP.INI
O4 - Startup: HTMLHELP.INI
O4 - Startup: MSDFMAP.INI
O4 - Startup: VPC32.INI
O4 - Startup: OLDOSAPP.INI
O4 - Startup: DELUXECD.MDB
O4 - Startup: DOSPRMPT.PIF
O4 - Startup: EXPLORER.SCF
O4 - Startup: ODBCINST.INI
O4 - Startup: COUNTRY.SYS
O4 - Startup: CONFIG.TXT
O4 - Startup: DISPLAY.TXT
O4 - Startup: FAQ.TXT
O4 - Startup: GENERAL.TXT
O4 - Startup: HARDWARE.TXT
O4 - Startup: MOUSE.TXT
O4 - Startup: MSDOSDRV.TXT
O4 - Startup: NETWORK.TXT
O4 - Startup: PRINTERS.TXT
O4 - Startup: PROGRAMS.TXT
O4 - Startup: RECOVER.TXT
O4 - Startup: TIPS.TXT
O4 - Startup: WSCRIPT.EXE
O4 - Startup: TELEPHON.INI
O4 - Startup: SMARTDRV.EXE
O4 - Startup: HIMEM.SYS
O4 - Startup: RAMDRIVE.SYS
O4 - Startup: LOGOS.SYS
O4 - Startup: LOGOW.SYS
O4 - Startup: 1STBOOT.BMP
O4 - Startup: TWAIN_32.DLL
O4 - Startup: ¹°¹æ¿ï.bmp
O4 - Startup: ½£.bmp
O4 - Startup: ±Ý»ö Á÷¹°.bmp
O4 - Startup: ¼¼·ÎÁÙ.bmp
O4 - Startup: WAVEMIX.INI
O4 - Startup: ŸÀÏ.bmp
O4 - Startup: °ËÁ¤ ½û±â.bmp
O4 - Startup: POWERPNT.INI
O4 - Startup: »¡°£ ºí·Ï.bmp
O4 - Startup: WJVIEW.EXE
O4 - Startup: WIN.COM
O4 - Startup: HWINFO.DAT
O4 - Startup: MORICONS.DLL
O4 - Startup: MSOWS412.DLL
O4 - Startup: NDISLOG.TXT
O4 - Startup: ACCSTAT.EXE
O4 - Startup: ASD.EXE
O4 - Startup: CALC.EXE
O4 - Startup: CLEANMGR.EXE
O4 - Startup: CONTROL.EXE
O4 - Startup: CVT1.EXE
O4 - Startup: CVTAPLOG.EXE
O4 - Startup: DEFRAG.EXE
O4 - Startup: DRVSPACE.EXE
O4 - Startup: EMM386.EXE
O4 - Startup: MM2ENT.EXE
O4 - Startup: NOTEPAD.EXE
O4 - Startup: PACKAGER.EXE
O4 - Startup: PBRUSH.EXE
O4 - Startup: REGEDIT.EXE
O4 - Startup: PROGMAN.EXE
O4 - Startup: RG2CATDB.EXE
O4 - Startup: RUNDLL.EXE
O4 - Startup: RUNDLL32.EXE
O4 - Startup: SCANDSKW.EXE
O4 - Startup: SCANREGW.EXE
O4 - Startup: TB60.INI
O4 - Startup: SNDREC32.EXE
O4 - Startup: SNDVOL32.EXE
O4 - Startup: TASKMAN.EXE
O4 - Startup: TASKMON.EXE
O4 - Startup: VCMUI.EXE
O4 - Startup: WELCOME.EXE
O4 - Startup: WINFILE.EXE
O4 - Startup: WINHELP.EXE
O4 - Startup: WINHLP32.EXE
O4 - Startup: WININIT.EXE
O4 - Startup: WINVER.EXE
O4 - Startup: WRITE.EXE
O4 - Startup: WUPDMGR.EXE
O4 - Startup: WINUPD.ICO
O4 - Startup: DRVSPACE.INF
O4 - Startup: IOS.INI
O4 - Startup: SCANREG.INI
O4 - Startup: µ¾ÀÚ¸®.bmp
O4 - Startup: ASPI2HLP.SYS
O4 - Startup: CMD640X.SYS
O4 - Startup: CMD640X2.SYS
O4 - Startup: DBLBUFF.SYS
O4 - Startup: IFSHLP.SYS
O4 - Startup: SFCSYNC.TXT
O4 - Startup: SLEEPMGR.HLP
O4 - Startup: ACROREAD.INI
O4 - Startup: TWUNK_16.EXE
O4 - Startup: CDPLAYER.EXE
O4 - Startup: CHARMAP.EXE
O4 - Startup: CLIPBRD.EXE
O4 - Startup: DIALER.EXE
O4 - Startup: FREECELL.EXE
O4 - Startup: KODAKIMG.EXE
O4 - Startup: KODAKPRV.EXE
O4 - Startup: MSHEARTS.EXE
O4 - Startup: RSRCMTR.EXE
O4 - Startup: SOL.EXE
O4 - Startup: SYSMON.EXE
O4 - Startup: TOUR98.EXE
O4 - Startup: TWUNK_32.EXE
O4 - Startup: WINMINE.EXE
O4 - Startup: SERVICES.TXT
O4 - Startup: MSBATCH.INF
O4 - Startup: HIDCI.DLL
O4 - Startup: COMMAND.COM
O4 - Startup: brndlog.txt
O4 - Startup: SETVER.EXE
O4 - Startup: QFECHECK.EXE
O4 - Startup: WIN
O4 - Startup: QTW.INI
O4 - Startup: SMCTRLW.HLP
O4 - Startup: CONTROL.INI
O4 - Startup: VPMSMI.INI
O4 - Startup: MSINFO32.INI
O4 - Startup: SYSTEM.CB
O4 - Startup: WIN386.SWP
O4 - Startup: EXTRAC32.EXE
O4 - Startup: DEVMGR9X.EXE
O4 - Startup: PROTOCOL.INI
O4 - Startup: ±âº»°ª.PWL
O4 - Startup: IsUninst.exe
O4 - Startup: GSMU3.EXE
O4 - Startup: PROTOCOL
O4 - Startup: SERVICES
O4 - Startup: SNMPAPI.DLL
O4 - Startup: NETWORKS
O4 - Startup: ARP.EXE
O4 - Startup: FTP.EXE
O4 - Startup: SYSTEM.DAT
O4 - Startup: LMHOSTS.SAM
O4 - Startup: NETSTAT.EXE
O4 - Startup: PING.EXE
O4 - Startup: ROUTE.EXE
O4 - Startup: TELNET.EXE
O4 - Startup: TRACERT.EXE
O4 - Startup: WINIPCFG.EXE
O4 - Startup: LTSMMSG.EXE
O4 - Startup: IPCONFIG.EXE
O4 - Startup: NBTSTAT.EXE
O4 - Startup: INETMIB1.DLL
O4 - Startup: °ÔÀÓ¿ë MS-DOS ¸ðµå.pif
O4 - Startup: °ÔÀÓ¿ë MS-DOS ¸ðµå (EMS ¹× XMS Áö¿ø).pif
O4 - Startup: °ø±â ¹æ¿ï.bmp
O4 - Startup: ÀÌÁýÆ®.bmp
O4 - Startup: Æĵ¿.bmp
O4 - Startup: ¹°¶¼»õ °ÝÀÚ.bmp
O4 - Startup: »ï°¢Çü.bmp
O4 - Startup: ÆĶõ ¸®ºª.bmp
O4 - Startup: ¼³Ä¡.bmp
O4 - Startup: ±¸¸§.bmp
O4 - Startup: ±Ý¼Ó üÀÎ.bmp
O4 - Startup: »ç¾Ï.bmp
O4 - Startup: ¹Ù´Ã¶¡.bmp
O4 - Startup: ä³Î È*¸é º¸È£±â.SCR
O4 - Startup: progman.ini
O4 - Startup: Reg Save Log.txt
O4 - Startup: folder.htt
O4 - Startup: OEWABLog.txt
O4 - Startup: SchedLog.Txt
O4 - Startup: Default.sf0
O4 - Startup: Default.sfc
O4 - Startup: wplog.txt
O4 - Startup: brndlog.bak
O4 - Startup: SOL.INI
O4 - Startup: NAVWNT.MIF
O4 - Startup: IsUn0412.exe
O4 - Startup: smoem.ini
O4 - Startup: Smctrlw.exe
O4 - Startup: NSREX.INI
O4 - Startup: NET.EXE
O4 - Startup: smcp.txt
O4 - Startup: SleepMgr.cnt
O4 - Startup: uninst.exe
O4 - Startup: tmpdelis.bat
O4 - Startup: UNWISE.EXE
O4 - Startup: NET.MSG
O4 - Startup: Sti_Trace.log
O4 - Startup: ILUNINST.EXE
O4 - Startup: REGTLIB.EXE
O4 - Startup: unwise.ini
O4 - Startup: fffe12ab_{6A98F2E0-E96B-11D7-95C6-444553540001}.tmp
O4 - Startup: EPIRPE10.INI
O4 - Startup: winhelp.ini
O4 - Startup: ipxtrn32.dll
O4 - Startup: msshlib2.log
O4 - Startup: twain_16.dll
O4 - Startup: STMMAIN.INI
O4 - Startup: vbaddin.ini
O4 - Startup: WKW16A.EXE
O4 - Startup: Active Setup Log.txt
O4 - Startup: Active Setup Log.BAK
O4 - Startup: NETH.MSG
O4 - Startup: hh.exe
O4 - Startup: mdm.ini
O4 - Startup: vgalusr1.vr
O4 - Startup: LOADQM.EXE
O4 - Startup: WINPOPUP.EXE
O4 - Startup: fffec77d_{FBB47500-9BF8-11D5-95C3-0002DD700EE1}.tmp
..
O4 - Startup: WPXERROR.LOG
O4 - Startup: fffe07fb_{D18C6A21-9BF9-11D5-95C3-0002DD700EE1}.tmp
..
O4 - Startup: hh.dat
O4 - Startup: SYMAPPS.INI
O4 - Startup: $014D4FD.WPX
O4 - Startup: fffe1d47_{EE50BF60-9C00-11D5-95C3-0002DD700EE1}.tmp
O4 - Startup: HARDLOCK.VXD
O4 - Startup: fffe5efd_{7A1B2820-9C04-11D5-95C3-0002DD700EE1}.tmp
O4 - Startup: KOOKMIN.BMP
O4 - Startup: Xecure.bmp
O4 - Startup: DAEGU.BMP
O4 - Startup: fffe5efd_{7A1B2821-9C04-11D5-95C3-0002DD700EE1}.tmp
..
O4 - Startup: ca.db
O4 - Startup: unin0412.exe
O4 - Startup: hdinfo.ini
O4 - Startup: Lucent Technologies Soft Modem AMR.log
O4 - Startup: fffe50cf_{964D2B00-9C64-11D5-95C3-90BE51C10000}.tmp
..
O4 - Startup: hjimesv.ini
O4 - Startup: fffe1e6f_{4D9A7E40-9C68-11D5-95C3-50B751C10000}.tmp
O4 - Startup: BUSAN.BMP
O4 - Startup: fffe1e6f_{4D9A7E41-9C68-11D5-95C3-50B751C10000}.tmp
O4 - Startup: yessignCA.pub
O4 - Startup: MODEMDET.TXT
O4 - Startup: winmine.ini
O4 - Startup: fffe18ab_{DD538CE0-9C98-11D5-95C3-60B451C10000}.tmp
...
O4 - Startup: TWAIN.LOG
O4 - Startup: fffe5133_{4DC12780-A518-11D5-95C3-A0BD51C10000}.tmp
...
O4 - Startup: IE4 Error Log.txt
O4 - Startup: fffe562f_{4DBF45C0-A5A7-11D5-95C3-F0C451C10000}.tmp
..
O4 - Startup: Twain001.Mtx
O4 - Startup: CSMOPAC.INI
O4 - Startup: fffe5689_{537D5140-A5D0-11D5-95C3-50B051C10000}.tmp
...
O4 - Startup: _detmp.1
O4 - Startup: CFW.INI
O4 - Startup: fffe5029_{84E8E4A1-A8B5-11D5-95C3-A0B651C10000}.tmp
...
O4 - Startup: ChemDraw.INI
O4 - Startup: fffe1ed3_{E6153D40-A8BB-11D5-95C3-A0B351C10000}.tmp
..
O4 - Startup: C3DPREFS.DAT
O4 - Startup: fffe502d_{671DF701-A8BD-11D5-95C3-B0B651C10000}.tmp
.
O4 - Startup: IMBXVT32.DLL
O4 - Startup: fffe1f61_{D1D4C5E1-A8BF-11D5-95C3-A0AA51C10000}.tmp
...
O4 - Startup: Chem3D.INI
O4 - Startup: CSGaussian.INI
O4 - Startup: HPLJPS5P.PCL
O4 - Startup: fffe52f1_{4D3BED40-A8CE-11D5-95C3-E0B651C10000}.tmp
...
O4 - Startup: wmsetup.log
O4 - Startup: Adobereg.db
O4 - Startup: WMSysPrx.prx
O4 - Startup: fffe5dff_{D0539F40-AC50-11D5-95C4-90E451C10000}.tmp
.
O4 - Startup: udptrn32.dll
O4 - Startup: FS5GLPT1.PCL
O4 - Startup: HPPCL5MS.X10
O4 - Startup: TWUNK003.MTX
O4 - Startup: fffe13dd_{E95B4200-AC54-11D5-95C4-90C155C10000}.tmp
...
O4 - Startup: Twunk002.MTX
O4 - Startup: fffe5163_{079C6D00-AD3D-11D5-95C4-309855C10000}.tmp
...
O4 - Startup: ACDILab.INI
O4 - Startup: KGOLESRV.INI
O4 - Startup: fffe5e1d_{5BD909C0-C01E-11D5-95C4-209455C10000}.tmp
...
O4 - Startup: HncIme.ini
O4 - Startup: unvise32.exe
O4 - Startup: fffe5dd3_{9D9BB420-C717-11D5-95C4-509955C10000}.tmp
...
O4 - Startup: DreamLoad.exe
O4 - Startup: fffe5ef9_{96E31E00-DF42-11D5-95C4-809755C10000}.tmp
...
O4 - Startup: DOS·Î ³ª°¨.PIF
O4 - Startup: fffe11b5_{599335E0-4AEE-11D6-95C4-807455C10000}.tmp
.
O4 - Startup: GRAMSCNV.INI
O4 - Startup: fffe12f1_{F2CB9960-EE63-11D5-95C4-206555C10000}.tmp
...
O4 - Startup: MOUSE.INI
O4 - Startup: fffe1635_{9AFF29E0-0C7C-11D6-95C4-F07755C10000}.tmp
...
O4 - Startup: SAMSUNGCARD.BMP
O4 - Startup: fffea04d_{C4D198C0-354E-11D6-95C4-D09C55C10000}.tmp
...
O4 - Startup: DELETE.EXE
O4 - Startup: MATHTYPE.LOG
O4 - Startup: fffe1005_{DA6D1B60-554B-11D6-95C4-709155C10000}.tmp
...
O4 - Startup: MATHTYPE.INI
O4 - Startup: FONTSDIR.MFD
O4 - Startup: fffe516d_{66938280-67F5-11D6-95C4-709855C10000}.tmp
...
O4 - Startup: ADA6C650.MFD
O4 - Startup: WIN.BAK
O4 - Startup: MT.DLL
O4 - Startup: fffe447d_{A89A76E0-0289-11D8-95C6-444553540001}.tmp
...
O4 - Startup: MT32.DLL
O4 - Startup: MTMACROS.PRE
O4 - Startup: fffe4ccd_{792F8800-F001-11D6-95C5-A08655C104C6}.tmp
..
O4 - Startup: GRPCONV.EXE
O4 - Startup: fffe461b_{88025801-F03B-11D6-95C5-409155C10000}.tmp
...
O4 - Startup: cadkasdeinst01e.exe
O4 - Startup: fffe094b_{9D39C7E0-F6ED-11D6-95C5-309255C10000}.tmp
...
O4 - Startup: kisa.der
O4 - Startup: fffe60d5_{00A3DC60-134C-11D7-95C5-109855C10000}.tmp
...
O4 - Startup: keyacc.ini
O4 - Startup: fffe0973_{48F0C2C0-2CC0-11D7-95C5-609855C10000}.tmp
...
O4 - Startup: keyacc32.exe
O4 - Startup: fffe39ad_{8E27D440-8AA9-11D7-95C5-0002DD700EE1}.tmp
..
O4 - Startup: DjVuDoc.ico
O4 - Startup: fffe1ccd_{048B7560-8B72-11D7-95C5-0002DD700EE1}.tmp
..
O4 - Startup: IE Setup Log.Txt
O4 - Startup: fffe31bf_{39EFED20-91CC-11D7-95C5-0002DD700EE1}.tmp
O4 - Startup: ieuninst.exe
O4 - Startup: keyacc.exe
O4 - Startup: fffe31bf_{39EFED21-91CC-11D7-95C5-0002DD700EE1}.tmp
O4 - Startup: RunOnceEx Log.txt
O4 - Startup: fffe305b_{4E1638E0-91E0-11D7-95C5-0002DD700EE1}.tmp
...
O4 - Startup: kalib32.dll
O4 - Startup: fffe3009_{D37799E0-982D-11D7-95C5-0002DD700EE1}.tmp
...
O4 - Startup: katrack.dll
O4 - Startup: unvise.exe
O4 - Startup: unvise32.dll
O4 - Startup: fffe3d89_{031E6780-9A7E-11D7-95C5-0002DD700EE1}.tmp
.
O4 - Startup: WMSysPr9.prx
O4 - Startup: fffe3e3f_{97D287C0-9A7F-11D7-95C5-0002DD700EE1}.tmp
.
O4 - Startup: wmplibrary_v_0_12.db
O4 - Startup: fffef693_{7FD5AC60-9ACA-11D7-95C5-708456C10000}.tmp
...
O4 - Startup: uneng.exe
O4 - Startup: fffe7df9_{B62F67C0-ACE4-11D7-95C5-607556C10000}.tmp
...
O4 - Startup: DefaultStore_59R.bin
O4 - Startup: UserMigratedStore_59R.bin
O4 - Startup: fffe137f_{2ADE67C0-BE87-11D7-95C5-0002DD700EE1}.tmp
O4 - Startup: nsreg.dat
..
O4 - Startup: fffe14b9_{13E781C0-C0E2-11D7-95C5-0002DD700EE1}.tmp
..
O4 - Startup: Windows Update.log
O4 - Startup: Q330994.exe
O4 - Startup: ttfCache
O4 - Startup: DirectX.log
O4 - Startup: dxwinini.bak
O4 - Startup: vminst.log
O4 - Startup: dahotfix.log
O4 - Startup: fffed567_{D6FC21A0-C13E-11D7-95C5-0002DD700EE1}.tmp
...
O4 - Startup: twain.dll
O4 - Startup: fffe3c1d_{4BB73860-D4CA-11D7-95C6-0002DD700EE1}.tmp
..
O4 - Startup: iun6002.exe
O4 - Startup: fffe136f_{60B7E560-D6DD-11D7-95C6-0002DD700EE1}.tmp
..
O4 - Startup: opuc.dll
O4 - Startup: fffe074b_{2691C660-DDF6-11D7-95C6-0002DD700EE1}.tmp
...
O4 - Startup: aolback.exe.lnk
O4 - Startup: fffe08b7_{CCDCE500-E3EA-11D7-95C6-444553540001}.tmp
...
O4 - Startup: msoffice.ini
O4 - Startup: SleepMgr.GID
O4 - Startup: fffe1ddd_{EC6E2960-E935-11D7-95C6-0002DD700EE1}.tmp
..
O4 - Startup: onkb2.ico
O4 - Startup: fffe12ab_{6A98F2E1-E96B-11D7-95C6-444553540001}.tmp
..
O4 - Startup: offkb2.ico
O4 - Startup: fffe3fdb_{55DF3060-E9BD-11D7-95C6-0002DD700EE1}.tmp
..
O4 - Startup: .plugin141_01.trace
O4 - Startup: MLUninst.exe
O4 - Startup: fffe1813_{1A401B80-EB7C-11D7-95C6-0002DD700EE1}.tmp
...
O4 - Startup: Fix IE Log.txt
O4 - Startup: IE Uninstall Log.Txt
O4 - Startup: IEPatchUninstall.log
O4 - Startup: IEPatchUninstall.BAK
O4 - Startup: fffe6ab5_{0A3D4C20-1143-11D8-95C6-0002DD700EE1}.tmp
...
O4 - Startup: _delis32.ini
O4 - Startup: fffe0401_{AD02BF60-5A33-11D8-95C6-444553540001}.tmp
...
O4 - Startup: ShellIconCache
O4 - Startup: fffe3a79_{6D0E7120-5FD7-11D8-95C6-0002DD700EE1}.tmp
...
O4 - Startup: ScanErrors.log
O4 - Startup: fffefea7_{FA37DDE0-7484-11D8-95C6-444553540001}.tmp
...
O4 - Startup: securea.html
O4 - Startup: secureb.html
O4 - Startup: test
O4 - Startup: dl.exe
O4 - Startup: dl.html
O4 - Startup: dlm.exe
O4 - Startup: toffel32.exe
O4 - Startup: consol32.exe
O4 - Startup: msstasks.exe
O4 - Startup: mstaskss.exe
O4 - Startup: WININIT.BAK
O4 - Startup: hosts.sam
O4 - Startup: fffec2c7_{64540400-8BEC-11D8-95C6-444553540001}.tmp
...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {8CFE8500-6604-11D4-B26D-00C04F7A67C8} (XecureWeb Control 3.5 HCB) - http://www.hncbworld.com/XecureObject/XecureSSL35HCB.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://update.nprotect.net/nprotect/samsungcard/npx.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://download.softforum.co.kr/Published/XecureWeb/v5.3.0.1/xw_install.cab
O16 - DPF: {DF1B804F-084B-4D24-A9E3-32BB9DAD87A4} (AxINIplugin30 Control) - http://banking.nonghyup.com/plugin/client/axINIplugin30.cab
O16 - DPF: {D13BA040-C349-11D3-87C2-00C04F4ABC61} (XecureWeb Control 3.0) - http://www.samsungcard.co.kr/XecureDemo/XecureObject/XecureSSL30.cab
O16 - DPF: ISSAC-WebSE - http://paygate.dacom.co.kr/penta/IssacWebInst.cab
O16 - DPF: {06228E75-DEB1-11D3-B702-00001CD5DA14} (AxINIplugin20 Control) - http://www.bccard.co.kr/initech/plugin/axINIplugin20.cab
O16 - DPF: {3267EA0D-B5D8-11D2-A4F9-00608CEBEE49} (ToinbWData Class) - http://ndsl.or.kr/toinbocx/toinbdata.cab
O16 - DPF: {0A2233AD-E771-11D2-973D-00104B15E56F} (ToinbWTR Class) - http://ndsl.or.kr/toinbocx/toinbtr.cab
O16 - DPF: {91B0A4F0-3206-4564-9BB4-AF9055DEF8A1} (ToinbWTextArea Class) - http://ndsl.or.kr/toinbocx/toinbtextarea.cab
O16 - DPF: {1F57AEAD-DB12-11D2-A4F9-00608CEBEE49} (ToinbWGrid Class) - http://ndsl.or.kr/toinbocx/toinbgrid.cab
O16 - DPF: {FD4C6571-DD20-11D2-973D-00104B15E56F} (ToInbWCCombo Class) - http://ndsl.or.kr/toinbocx/toinbccombo.cab
O16 - DPF: {9C9AB433-EA85-11D2-A4F9-00608CEBEE49} (ToinbWBind Class) - http://ndsl.or.kr/toinbocx/toinbbind.cab
O16 - DPF: {3694F19D-ED4D-4DA8-BECD-26FB830753D1} (DCLinker Class) - http://www.norazo.com/dcdownload/dreamlinker.cab
O16 - DPF: {9BDBC41E-C335-4263-83C0-ECE78EE28A33} (SysMonOCX Control) - http://ahnlabdownload.nefficient.co.kr/plugin/myfirewall/myfirewall20.cab
O16 - DPF: {6AD92401-CE2D-452B-AA63-1291D60EC2D2} (AxINIplugin40 Control) - http://banking.nonghyup.com/plugin/client/axINIplugin40.cab
O16 - DPF: {EADBDB84-2341-4AD0-9FAF-4F1F31CF4A46} (LoginForm Class) - http://pointsok.okcashbag.com/skmpp/SKMPPClient2.cab
O16 - DPF: {D5ACE9FC-9CCC-4FB6-9A63-19ED6A3AA489} (ReaderChecker Control) - http://drm.snu.ac.kr/pdfdrm/webbroker/ReaderChecker.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.djvu.com/plugins/en_US/DjVuControl.cab
O16 - DPF: {6FE760D3-7851-4879-8838-62D9881D7177} (IniMasHandler Class) - http://www.kookmincard.co.kr/images/sendmail/IniMasPlugin.cab
O16 - DPF: {83682BF2-2351-45C1-963C-9BB635A05178} (IssacWebSE2 Class) - http://paygate.dacom.co.kr/penta/ISSACWebSE2.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37869.4675694444
O16 - DPF: {59F156FC-9BC4-11D5-B0A5-0060085A719D} (Opalplayerx5 Control) - ftp://ftp.ca.com/pub/Opal/plugins/x_plugin/opalplayerx5.cab
O16 - DPF: {8E64F05B-76CF-40EA-AD6B-6741F02BDC46} (MagicInstaller Class) - http://www.americanexpress.co.kr/common/ML/MagicInstaller.cab
O16 - DPF: {93F83364-58E3-43C6-BE34-DE1252B26307} (Cruzbill Control) - http://image.em4s.com/sbill/cruzbill.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553546800} - http://active.macromedia.com/flash4/cabs/swflash.cab
O16 - DPF: {2C197E55-080B-42A4-BFD0-9595B3534CF4} (KVPplugin00 Control) - http://www.vpay.co.kr/KVPplugin01.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-3.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {D2A4C311-F608-4E0E-BBFE-6B25E31AC15B} (Kdfense5 Control) - http://kings.cachenet.com/kdf5078/kdfense5.cab
O16 - DPF: {97154128-DC4C-4D5B-AF7C-CA7356238EC9} (Hanmail FileUpload Control) - http://wwl270.daum.net/hanmail-ax/HM_fileupload.cab
O16 - DPF: {091CDD73-1401-4643-9B9C-65B091C88685} (MyLinker Control) - http://dizzo.contents.mylinker.co.kr/module/MyLinker.cab
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory
O16 - DPF: {124250DD-E2CC-4B5B-AE7E-C9AC8A11DF43} (StreamNote2 Control) - http://nsi.snu.ac.kr/onlinenano/Lecture/Device Physics/Device Physics0302/StreamNote2.cab
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://hard-virgins.com/dl/dmitriy/x.chm::/load.exe

<-----------------------
See less See more
Save
Like
Status
Not open for further replies.
1 - 3 of 7 Posts
Rollin' Rog
I can't believe the computer starts at all if everything I see there is trying to load.

Go to the Startup Menu > Programs > Startup folder and delete EVERYTHING there. They are all the

04 startup:

entries you see in the Scanlog. Then reboot and post another Scanlog.

Strangely, none of them seem to be showing as "Running Processes", so conceivably this is some anomally produced by the Scanlog.

Also, what is this? O4 - HKLM\..\Run: [myLinker] C:\PROGRA~1\MYLINKER\MYLINKER.EXE /B

I would also check and "fix" ALL the 016 entries except those from legitimate, trusted sites you recognize, such as Macromedia, microsoft, banking and others.
See less See more
Save
Like
Rollin' Rog
Well that's the strangest thing I've ever seen in HijackThis; I wonder if there is some language configuration it is having problems with.

Anyway for the IE error, let us know what the error message says and on what site it is happening. Also try running the IE Repair Tool:

http://help.att.net/docs/howto/othe...ustomercontent=customer_browser&platform=none

And when testing such issues it is a good idea to temporarily disable the firewall. I don't see ZA in the startups though, did you disable it? You may have to do this using msconfig to ensure it is not interfering.

I also recommend having an alternate browser installed to test whether such issues are specfically browser related and to have a backup. I like Opera7 myself and use as my defacto browser even with the advertising:

www.opera.com

If you haven't already done so, it would probably be a good idea to give the Coolwebshredder, CWShredder.exe a run. You can get it here:

http://www.spywareinfo.com/~merijn/downloads.html

Have it fix any known problems it finds and then reboot.
See less See more
Save
Like
Rollin' Rog
I don't see much in the Scanlog now, but why did you "exclude" this item?

O4 - Startup: DIALER.EXE

I'm not sure what it is, but it is not a "standard" startup and could be hijacking the dialup connection.

You should also check and "fix" this:

O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE

O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\SYSTEM\urlmon.dll
<--------------------------------------------------------------

>> have you tried disabling ZoneAlarm and testing?

And you aren't really giving much detail on the Windows Update problem; what error message do you receive?

There is a general troubleshooting page here, perhaps you can find it listed:

http://v4.windowsupdate.microsoft.com/troubleshoot/
See less See more
Save
Like
1 - 3 of 7 Posts
Status
Not open for further replies.
Tech Support Guy
A forum community dedicated to tech experts and enthusiasts. Come join the discussion about articles, computer security, Mac, Microsoft, Linux, hardware, networking, gaming, reviews, accessories, and more!
Full Forum Listing
Explore Our Forums
Hardware Virus & Other Malware Removal Off Topic Lounge Thread Games & Discussion Networking
Top