
Registered · 34 Posts · Discussion Starter · #1
When I run Ad-Aware I get a VX2 malware thingy. When I try to remove it, Ad-Aware tells me that I have to reboot to remove it, so I reboot and it's still there... so... here is my HijackThis log

Logfile of HijackThis v1.99.0
Scan saved at 7:51:32 PM, on 2005-01-29
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\System32\zuudzdgu.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Ahnlab\V3\MonSvcNT.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\bdsqrbla5.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis.exe

R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {A5BDE44F-1BCD-7BC2-CF4E-C9F5C59F2C13} - C:\WINDOWS\System32\jleylerd.dll
O2 - BHO: (no name) - {E9D2AC88-9331-0689-288B-A99468B902DB} - C:\WINDOWS\System32\polddmev.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [*windows update] wuaruclt.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [XP firewall Services] FirewallxP.exe
O4 - HKLM\..\Run: [Microsoft Crash Protection] mcrashprot.exe
O4 - HKLM\..\Run: [SQL Service] qnhqs.exe
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\system32\defragfat34.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [zuudzdgu] C:\WINDOWS\System32\zuudzdgu.exe
O4 - HKLM\..\RunServices: [*windows update] wuaruclt.exe
O4 - HKLM\..\RunServices: [XP firewall Services] FirewallxP.exe
O4 - HKLM\..\RunServices: [Microsoft Crash Protection] mcrashprot.exe
O4 - HKLM\..\RunServices: [SQL Service] qnhqs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [*windows update] wuaruclt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [XP firewall Services] FirewallxP.exe
O4 - HKCU\..\Run: [Microsoft Crash Protection] mcrashprot.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {00001016-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter16 Class) - http://www.netmarble.net/game/nmstarter/NMStarter16.cab
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
O16 - DPF: {5876CAD0-1636-42EA-AC50-4C06F3196089} (HanGamePlugin19 Class) - http://down.hangame.com/dist/activex/HanGamePlugin19.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1104380461702
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {92E82FBB-DA00-41E0-ABFE-95482E21A4F6} (NMTransX Module) - http://download.netmarble.com/NMChatX/NMTransX.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://download.netmarble.com/nProtect/nprotect/npx.cab
O23 - Service: MonSvcNT - AhnLab, Inc. - C:\PROGRA~1\Ahnlab\V3\MonSvcNT.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: rypbitprpvsn - Unknown - C:\WINDOWS\System32\bdsqrbla5.exe

thanks!!

Oh, another thing: whenever I restart my computer my taskbar is messed up... all the task buttons are squished to one side, so I adjust it back to normal, but when I reboot again it's squished back the same way. Is there some way to fix this? It's not a critical thing, but it's a bit annoying... lol...
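As an added illustration (not part of the thread, and not HijackThis code), the Python below applies the checks a log reader makes by eye to the O1/O2/O4/O10/O23 lines in the log above: hosts entries that send a name somewhere other than loopback, browser helper objects with no name, Run entries whose label borrows a Windows component name, whose file is a near-miss of a real one (wuaruclt.exe against the genuine wuauclt.exe), or which start an unrecognised program from the Windows directory, unknown Winsock LSPs, and services with no publisher. The allow-list of Windows binaries and the list of mimicked labels are my own assumptions for the example, the sample lines are copied from the log, and a hit is a triage hint to go and look at the file, not proof on its own.

```python
import re
from dataclasses import dataclass

# Windows XP binaries that legitimately appear in the O4 lines of this log.
# An allow-list of my own for the example, not an authoritative one.
KNOWN_WINDOWS_BINARIES = {
    "wuauclt.exe", "ctfmon.exe", "rundll32.exe", "explorer.exe", "svchost.exe",
    "lsass.exe", "services.exe", "winlogon.exe", "smss.exe", "spoolsv.exe", "msmsgs.exe",
}
# Run-key labels the entries in this log use to pass as Windows components.
MIMICKED_LABELS = ("windows update", "microsoft", "sql service", "firewall", "dll loader")
# A hosts entry that maps a name anywhere else is a redirect, not a block.
HARMLESS_HOSTS_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

O1 = re.compile(r"^O1 - Hosts: (\S+) (\S+)")
O2 = re.compile(r"^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.+)$")
O4 = re.compile(r"^O4 - HK\w+\\\.\.\\\w+: \[([^\]]*)\] (.+)$")
O10 = re.compile(r"^O10 - Unknown file in Winsock LSP: (.+)$")
O23 = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
EXE_PATH = re.compile(r"(.*?\.(?:exe|com|scr|bat|dll))(?:\s|$)", re.I)

# Constructed sample: lines copied from the HijackThis log above, with three
# benign entries (winampa.exe, ctfmon.exe, MonSvcNT) kept in for contrast.
SAMPLE_LOG = r"""
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O2 - BHO: (no name) - {A5BDE44F-1BCD-7BC2-CF4E-C9F5C59F2C13} - C:\WINDOWS\System32\jleylerd.dll
O4 - HKLM\..\Run: [*windows update] wuaruclt.exe
O4 - HKLM\..\Run: [SQL Service] qnhqs.exe
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\system32\defragfat34.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [zuudzdgu] C:\WINDOWS\System32\zuudzdgu.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O23 - Service: MonSvcNT - AhnLab, Inc. - C:\PROGRA~1\Ahnlab\V3\MonSvcNT.exe
O23 - Service: rypbitprpvsn - Unknown - C:\WINDOWS\System32\bdsqrbla5.exe
"""


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alikes such as wuaruclt vs wuauclt."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def image_name(command: str) -> str:
    """File name of the program an O4 command line starts, arguments dropped."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        m = EXE_PATH.match(command)
        path = m.group(1) if m else command.split(" ", 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_o4(label: str, command: str) -> list:
    name = image_name(command)
    if name in KNOWN_WINDOWS_BINARIES:
        return []  # rundll32 targets are deliberately not inspected here
    reasons = []
    if any(k in label.lower() for k in MIMICKED_LABELS):
        reasons.append(f"label '{label}' borrows a Windows component name")
    lookalike = next((k for k in sorted(KNOWN_WINDOWS_BINARIES) if edit_distance(name, k) <= 2), None)
    if lookalike:
        reasons.append(f"{name} is within two characters of {lookalike}")
    if "\\" not in command.strip('"'):
        reasons.append("bare file name, located through the PATH search at logon")
    elif "\\windows\\" in command.lower():
        reasons.append(f"unrecognised program {name} under the Windows directory")
    return reasons


def triage(log_text: str) -> list:
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O1.match(line):
            if m.group(1) not in HARMLESS_HOSTS_TARGETS:
                findings.append(Finding("O1", f"hosts file sends {m.group(2)} to {m.group(1)}", line))
        elif m := O2.match(line):
            if m.group(1) == "(no name)":
                findings.append(Finding("O2", f"unnamed browser helper object {image_name(m.group(2))}", line))
        elif m := O4.match(line):
            if reasons := triage_o4(m.group(1), m.group(2)):
                findings.append(Finding("O4", "; ".join(reasons), line))
        elif m := O10.match(line):
            findings.append(Finding("O10", f"unknown Winsock LSP {image_name(m.group(1))}", line))
        elif m := O23.match(line):
            if m.group(2) == "Unknown":
                findings.append(Finding("O23", f"service {m.group(1)} has no publisher", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample it reports eight lines and leaves winampa.exe, ctfmon.exe and the AhnLab service alone; the near-miss rule is what separates the real wuauclt.exe from the wuaruclt.exe planted here.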
 

Gone but never forgotten · 9,803 Posts
It may be showing it because it's in the quarantine list, so open that up and delete the items in there.
 

Registered · 34 Posts · Discussion Starter · #7
Okay, I've done the LSP fix already, and I just ran Spybot. Several of the items couldn't get fixed and it told me that they would be fixed when I reboot, so I rebooted and ran Spybot again and they were still there.

Well, here is my HijackThis log

Logfile of HijackThis v1.99.0
Scan saved at 10:47:38 AM, on 2005-01-30
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\System32\zuudzdgu.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\Ahnlab\V3\MonSvcNT.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\bdsqrbla5.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\HijackThis.exe

R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {A5BDE44F-1BCD-7BC2-CF4E-C9F5C59F2C13} - C:\WINDOWS\System32\jleylerd.dll
O2 - BHO: (no name) - {E9D2AC88-9331-0689-288B-A99468B902DB} - C:\WINDOWS\System32\polddmev.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [*windows update] wuaruclt.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [XP firewall Services] FirewallxP.exe
O4 - HKLM\..\Run: [Microsoft Crash Protection] mcrashprot.exe
O4 - HKLM\..\Run: [SQL Service] qnhqs.exe
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\system32\defragfat34.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [zuudzdgu] C:\WINDOWS\System32\zuudzdgu.exe
O4 - HKLM\..\RunServices: [*windows update] wuaruclt.exe
O4 - HKLM\..\RunServices: [XP firewall Services] FirewallxP.exe
O4 - HKLM\..\RunServices: [Microsoft Crash Protection] mcrashprot.exe
O4 - HKLM\..\RunServices: [SQL Service] qnhqs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [*windows update] wuaruclt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [XP firewall Services] FirewallxP.exe
O4 - HKCU\..\Run: [Microsoft Crash Protection] mcrashprot.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {00001016-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter16 Class) - http://www.netmarble.net/game/nmstarter/NMStarter16.cab
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
O16 - DPF: {5876CAD0-1636-42EA-AC50-4C06F3196089} (HanGamePlugin19 Class) - http://down.hangame.com/dist/activex/HanGamePlugin19.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1104380461702
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {92E82FBB-DA00-41E0-ABFE-95482E21A4F6} (NMTransX Module) - http://download.netmarble.com/NMChatX/NMTransX.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://download.netmarble.com/nProtect/nprotect/npx.cab
O23 - Service: MonSvcNT - AhnLab, Inc. - C:\PROGRA~1\Ahnlab\V3\MonSvcNT.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: rypbitprpvsn - Unknown - C:\WINDOWS\System32\bdsqrbla5.exe

Thanks so much for putting in your time for me. I really appreciate it ^^
 

Administrator · 123,547 Posts
Click here: http://www.atribune.org/downloads/l2mfix.exe to download L2mfix.

Save the file to your desktop and double click l2mfix.exe. Read and Accept the agreement. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
 

Registered · 34 Posts · Discussion Starter · #9
Okay, I ran that file and got an error, and it gave me two options, Close or Ignore.

I clicked Ignore and I got a Notepad window up right away, didn't have to wait for even 1 sec (I dunno if it's 'cause my computer is too fast or really crappy lol).

So here is the log

L2MFIX find log 1.02a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MediaContentIndex]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\irj8l51u1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{EE1764E5-2D52-406C-B8FC-CB552647B736}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printer Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Online Print Ordering"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="Find &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{597A3F8B-8161-46A7-B8D8-61D89CB2683A}"=""
"{C0CE8D2F-A10D-473A-A62D-7A08DDABEEF6}"=""
"{447DB5EF-00EC-40E2-9FF4-FFDCE4441F0A}"=""
"{503F4DB3-8375-42AA-BDE4-43B3894FA5C9}"=""
"{5684B96A-3802-4D86-A18C-4E142B06A2DD}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{597A3F8B-8161-46A7-B8D8-61D89CB2683A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{597A3F8B-8161-46A7-B8D8-61D89CB2683A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{597A3F8B-8161-46A7-B8D8-61D89CB2683A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{597A3F8B-8161-46A7-B8D8-61D89CB2683A}\InprocServer32]
@="C:\\WINDOWS\\system32\\jzt500.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C0CE8D2F-A10D-473A-A62D-7A08DDABEEF6}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C0CE8D2F-A10D-473A-A62D-7A08DDABEEF6}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C0CE8D2F-A10D-473A-A62D-7A08DDABEEF6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C0CE8D2F-A10D-473A-A62D-7A08DDABEEF6}\InprocServer32]
@="C:\\WINDOWS\\system32\\mzapsspc.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{447DB5EF-00EC-40E2-9FF4-FFDCE4441F0A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{447DB5EF-00EC-40E2-9FF4-FFDCE4441F0A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{447DB5EF-00EC-40E2-9FF4-FFDCE4441F0A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{447DB5EF-00EC-40E2-9FF4-FFDCE4441F0A}\InprocServer32]
@="C:\\WINDOWS\\system32\\dmskcopy.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{503F4DB3-8375-42AA-BDE4-43B3894FA5C9}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{503F4DB3-8375-42AA-BDE4-43B3894FA5C9}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{503F4DB3-8375-42AA-BDE4-43B3894FA5C9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{503F4DB3-8375-42AA-BDE4-43B3894FA5C9}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{5684B96A-3802-4D86-A18C-4E142B06A2DD}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5684B96A-3802-4D86-A18C-4E142B06A2DD}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5684B96A-3802-4D86-A18C-4E142B06A2DD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5684B96A-3802-4D86-A18C-4E142B06A2DD}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
**********************************************************************************
Directory Listing of system files:
Volume in drive C is doo-1
Volume Serial Number is FC85-2586

Directory of C:\WINDOWS\System32

2005-01-30  10:41 AM           228,743 fplq0335e.dll
2005-01-30  10:13 AM           228,743 irj8l51u1.dll
2005-01-30  09:53 AM           228,743 en8ql1l51.dll
2005-01-30  09:27 AM           228,743 n42u0ef9eh2.dll
2005-01-29  09:12 PM           228,743 azam09l1e.dll
2005-01-29  07:40 PM           230,730 kt8ul7l91.dll
2005-01-29  08:05 AM           228,743 lv8m09l1e.dll
2005-01-29  07:46 AM           228,743 gp4ml3h11.dll
2005-01-28  08:05 PM           228,743 hrn4055qe.dll
2005-01-28  06:01 PM           228,743 aza2l99o1.dll
2005-01-28  05:54 PM           231,783 mvr2l99o1.dll
2005-01-28  06:26 AM           229,081 lv4209hoe.dll
2005-01-15  10:43 PM                   dllcache
2004-12-30  12:07 PM             1,682 KGyGaAvL.sys
2004-12-30  12:07 PM                56 71D9E9FDDE.sys
2004-12-29  07:48 PM           177,664 expiorer.exe
2004-12-29  07:48 PM            90,112 admdll.dll
2004-12-29  07:48 PM            29,408 raddrv.dll
2004-12-29  07:33 PM                   Microsoft
              17 File(s)      3,049,203 bytes
               2 Dir(s)  17,197,744,128 bytes free
My computer is Korean so some of this is in Korean (I barely read Korean 'cause I'm just another westerner in a Korean body).

Hopefully you would understand. I tried to translate some of the last bit. Thanks ^^
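Added example, not from the thread and not part of L2MFix: a small parser for the .reg export blocks that the find log above is made of. It decodes hex(2) values (REG_EXPAND_SZ stored as UTF-16LE, which is how the stock DllName entries appear), lists every Winlogon\Notify package whose DLL is not one of the notification DLLs Windows XP ships with (which singles out MediaContentIndex loading irj8l51u1.dll), and resolves each blank-named entry in Shell Extensions\Approved to its InprocServer32 path (jzt500.dll and guard.tmp in the log). The stock-DLL set is my own allow-list for this example; the sample excerpt is constructed from the entries in the posted log.

```python
import re

# Winlogon notification packages Windows XP installs itself. Allow-list of my
# own for this example; anything else under Winlogon\Notify deserves a look.
STOCK_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
APPROVED_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved"

# Constructed sample in the .reg export format the find log uses, with entries
# copied from the log above.
SAMPLE_FIND_LOG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MediaContentIndex]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\irj8l51u1.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{597A3F8B-8161-46A7-B8D8-61D89CB2683A}"=""
"{503F4DB3-8375-42AA-BDE4-43B3894FA5C9}"=""

[HKEY_CLASSES_ROOT\CLSID\{597A3F8B-8161-46A7-B8D8-61D89CB2683A}\InprocServer32]
@="C:\\WINDOWS\\system32\\jzt500.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{503F4DB3-8375-42AA-BDE4-43B3894FA5C9}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"
"""

HEX_VALUE = re.compile(r"hex(?:\((\d+)\))?:(.*)$")


def decode_value(raw: str):
    """Turn one .reg value (quoted string, dword or hex blob) into a Python value."""
    if raw.startswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = HEX_VALUE.match(raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        # hex(1)/hex(2)/hex(7) are REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ in UTF-16LE
        if m.group(1) in ("1", "2", "7"):
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return raw


def parse_reg(text: str) -> dict:
    """Parse .reg export text into {key path: {value name: value}}; '@' is the default value."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):  # hex blobs continue on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line[:1] in ('"', "@") and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = decode_value(value)
    return keys


def lookup(keys: dict, path: str) -> dict:
    """Case-insensitive key lookup, since registry paths are case-insensitive."""
    path = path.lower()
    return next((v for k, v in keys.items() if k.lower() == path), {})


def suspicious_notify_dlls(keys: dict) -> list:
    """(subkey, DllName) for every Winlogon\\Notify package outside the stock set."""
    out, prefix = [], NOTIFY_KEY.lower() + "\\"
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        dll = next((v for n, v in values.items() if n.lower() == "dllname"), None)
        if dll and dll.replace("/", "\\").rsplit("\\", 1)[-1].lower() not in STOCK_NOTIFY_DLLS:
            out.append((key.rsplit("\\", 1)[-1], dll))
    return out


def unnamed_shell_extensions(keys: dict) -> list:
    """(CLSID, InprocServer32 path) for approved shell extensions registered with a blank name."""
    out = []
    for clsid, name in lookup(keys, APPROVED_KEY).items():
        if name == "":
            inproc = lookup(keys, "HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InprocServer32")
            out.append((clsid, inproc.get("@")))
    return out


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_FIND_LOG)
    for sub, dll in suspicious_notify_dlls(reg):
        print(f"Winlogon\\Notify\\{sub} loads {dll}")
    for clsid, path in unnamed_shell_extensions(reg):
        print(f"unnamed shell extension {clsid} -> {path}")
```

The two lists are exactly the places this family re-registers itself after each removal: a Notify package runs inside winlogon.exe at every logon, and an approved shell extension loads into explorer.exe, which is why L2MFix kills explorer.exe before it deletes the files.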
 

Administrator · 123,547 Posts
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!
 

Registered · 34 Posts · Discussion Starter · #11
L2M Log
------------------------

L2Mfix 1.02a

Running From:
C:\Documents and Settings\jenny hong.JENNY\바탕 화면\l2mfix

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting registry permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Denying C access for really "Everyone"
- adding new ACCESS DENY entry

Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting up for Reboot

Starting Reboot!

C:\Documents and Settings\jenny hong.JENNY\바탕 화면\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\jenny hong.JENNY\바탕 화면\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Pea****@beyondlogic.org
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Pea****@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\arsnds.dll
1개 파일이 복사되었습니다.
Backing Up: C:\WINDOWS\system32\aza2l99o1.dll
1개 파일이 복사되었습니다.
Backing Up: C:\WINDOWS\system32\azam09l1e.dll
1개 파일이 복사되었습니다.
Backing Up: C:\WINDOWS\system32\dmskcopy.dll
1개 파일이 복사되었습니다.
Backing Up: C:\WINDOWS\system32\dvspex.dll
1개 파일이 복사되었습니다.
Backing Up: C:\WINDOWS\system32\en8ql1l51.dll
1개 파일이 복사되었습니다.
Backing Up: C:\WINDOWS\system32\fplq0335e.dll
1개 파일이 복사되었습니다.
Backing Up: C:\WINDOWS\system32\gp4ml3h11.dll
1개 파일이 복사되었습니다.
Backing Up: C:\WINDOWS\system32\hrn4055qe.dll
1개 파일이 복사되었습니다.
Backing Up: C:\WINDOWS\system32\kcdycl.dll
1개 파일이 복사되었습니다.
Backing Up: C:\WINDOWS\system32\kt8ul7l91.dll
1개 파일이 복사되었습니다.
Backing Up: C:\WINDOWS\system32\lv4209hoe.dll
1개 파일이 복사되었습니다.
Backing Up: C:\WINDOWS\system32\lv8m09l1e.dll
1개 파일이 복사되었습니다.
Backing Up: C:\WINDOWS\system32\mvr2l99o1.dll
1개 파일이 복사되었습니다.
Backing Up: C:\WINDOWS\system32\mzapsspc.dll
1개 파일이 복사되었습니다.
Backing Up: C:\WINDOWS\system32\n42u0ef9eh2.dll
1개 파일이 복사되었습니다.
Backing Up: C:\WINDOWS\system32\nbwrsja.dll
1개 파일이 복사되었습니다.
Backing Up: C:\WINDOWS\system32\smgina.dll
1개 파일이 복사되었습니다.
Backing Up: C:\WINDOWS\system32\wuploc.dll
1개 파일이 복사되었습니다.
deleting: C:\WINDOWS\system32\arsnds.dll
Successfully Deleted: C:\WINDOWS\system32\arsnds.dll
deleting: C:\WINDOWS\system32\aza2l99o1.dll
Successfully Deleted: C:\WINDOWS\system32\aza2l99o1.dll
deleting: C:\WINDOWS\system32\azam09l1e.dll
Successfully Deleted: C:\WINDOWS\system32\azam09l1e.dll
deleting: C:\WINDOWS\system32\dmskcopy.dll
Successfully Deleted: C:\WINDOWS\system32\dmskcopy.dll
deleting: C:\WINDOWS\system32\dvspex.dll
Successfully Deleted: C:\WINDOWS\system32\dvspex.dll
deleting: C:\WINDOWS\system32\en8ql1l51.dll
Successfully Deleted: C:\WINDOWS\system32\en8ql1l51.dll
deleting: C:\WINDOWS\system32\fplq0335e.dll
Successfully Deleted: C:\WINDOWS\system32\fplq0335e.dll
deleting: C:\WINDOWS\system32\gp4ml3h11.dll
Successfully Deleted: C:\WINDOWS\system32\gp4ml3h11.dll
deleting: C:\WINDOWS\system32\hrn4055qe.dll
Successfully Deleted: C:\WINDOWS\system32\hrn4055qe.dll
deleting: C:\WINDOWS\system32\kcdycl.dll
Successfully Deleted: C:\WINDOWS\system32\kcdycl.dll
deleting: C:\WINDOWS\system32\kt8ul7l91.dll
Successfully Deleted: C:\WINDOWS\system32\kt8ul7l91.dll
deleting: C:\WINDOWS\system32\lv4209hoe.dll
Successfully Deleted: C:\WINDOWS\system32\lv4209hoe.dll
deleting: C:\WINDOWS\system32\lv8m09l1e.dll
Successfully Deleted: C:\WINDOWS\system32\lv8m09l1e.dll
deleting: C:\WINDOWS\system32\mvr2l99o1.dll
Successfully Deleted: C:\WINDOWS\system32\mvr2l99o1.dll
deleting: C:\WINDOWS\system32\mzapsspc.dll
Successfully Deleted: C:\WINDOWS\system32\mzapsspc.dll
deleting: C:\WINDOWS\system32\n42u0ef9eh2.dll
Successfully Deleted: C:\WINDOWS\system32\n42u0ef9eh2.dll
deleting: C:\WINDOWS\system32\nbwrsja.dll
Successfully Deleted: C:\WINDOWS\system32\nbwrsja.dll
deleting: C:\WINDOWS\system32\smgina.dll
Successfully Deleted: C:\WINDOWS\system32\smgina.dll
deleting: C:\WINDOWS\system32\wuploc.dll
Successfully Deleted: C:\WINDOWS\system32\wuploc.dll

Desktop.ini sucessfully removed

Zipping up files for submission:
adding: arsnds.dll (164 bytes security) (deflated 4%)
adding: aza2l99o1.dll (164 bytes security) (deflated 4%)
adding: azam09l1e.dll (164 bytes security) (deflated 4%)
adding: dmskcopy.dll (164 bytes security) (deflated 5%)
adding: dvspex.dll (164 bytes security) (deflated 4%)
adding: en8ql1l51.dll (164 bytes security) (deflated 4%)
adding: fplq0335e.dll (164 bytes security) (deflated 4%)
adding: gp4ml3h11.dll (164 bytes security) (deflated 4%)
adding: hrn4055qe.dll (164 bytes security) (deflated 4%)
adding: kcdycl.dll (164 bytes security) (deflated 4%)
adding: kt8ul7l91.dll (164 bytes security) (deflated 5%)
adding: lv4209hoe.dll (164 bytes security) (deflated 4%)
adding: lv8m09l1e.dll (164 bytes security) (deflated 4%)
adding: mvr2l99o1.dll (164 bytes security) (deflated 5%)
adding: mzapsspc.dll (164 bytes security) (deflated 5%)
adding: n42u0ef9eh2.dll (164 bytes security) (deflated 4%)
adding: nbwrsja.dll (164 bytes security) (deflated 4%)
adding: smgina.dll (164 bytes security) (deflated 4%)
adding: wuploc.dll (164 bytes security) (deflated 4%)
adding: clear.reg (164 bytes security) (deflated 55%)
adding: echo.reg (164 bytes security) (deflated 4%)
adding: desktop.ini (164 bytes security) (deflated 14%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 84%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 65%)
adding: test.txt (164 bytes security) (deflated 78%)
adding: test2.txt (164 bytes security) (deflated 37%)
adding: test3.txt (164 bytes security) (deflated 37%)
adding: test5.txt (164 bytes security) (deflated 37%)
adding: xfind.txt (164 bytes security) (deflated 73%)
adding: backregs/447DB5EF-00EC-40E2-9FF4-FFDCE4441F0A.reg (164 bytes security) (deflated 70%)
adding: backregs/503F4DB3-8375-42AA-BDE4-43B3894FA5C9.reg (164 bytes security) (deflated 70%)
adding: backregs/5684B96A-3802-4D86-A18C-4E142B06A2DD.reg (164 bytes security) (deflated 70%)
adding: backregs/597A3F8B-8161-46A7-B8D8-61D89CB2683A.reg (164 bytes security) (deflated 70%)
adding: backregs/C0CE8D2F-A10D-473A-A62D-7A08DDABEEF6.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 71%)

Restoring Registry Permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Revoking access for really "Everyone"

Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: arsnds.dll
deleting local copy: aza2l99o1.dll
deleting local copy: azam09l1e.dll
deleting local copy: dmskcopy.dll
deleting local copy: dvspex.dll
deleting local copy: en8ql1l51.dll
deleting local copy: fplq0335e.dll
deleting local copy: gp4ml3h11.dll
deleting local copy: hrn4055qe.dll
deleting local copy: kcdycl.dll
deleting local copy: kt8ul7l91.dll
deleting local copy: lv4209hoe.dll
deleting local copy: lv8m09l1e.dll
deleting local copy: mvr2l99o1.dll
deleting local copy: mzapsspc.dll
deleting local copy: n42u0ef9eh2.dll
deleting local copy: nbwrsja.dll
deleting local copy: smgina.dll
deleting local copy: wuploc.dll

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

The following are the files found:
****************************************************************************
C:\WINDOWS\system32\arsnds.dll
C:\WINDOWS\system32\aza2l99o1.dll
C:\WINDOWS\system32\azam09l1e.dll
C:\WINDOWS\system32\dmskcopy.dll
C:\WINDOWS\system32\dvspex.dll
C:\WINDOWS\system32\en8ql1l51.dll
C:\WINDOWS\system32\fplq0335e.dll
C:\WINDOWS\system32\gp4ml3h11.dll
C:\WINDOWS\system32\hrn4055qe.dll
C:\WINDOWS\system32\kcdycl.dll
C:\WINDOWS\system32\kt8ul7l91.dll
C:\WINDOWS\system32\lv4209hoe.dll
C:\WINDOWS\system32\lv8m09l1e.dll
C:\WINDOWS\system32\mvr2l99o1.dll
C:\WINDOWS\system32\mzapsspc.dll
C:\WINDOWS\system32\n42u0ef9eh2.dll
C:\WINDOWS\system32\nbwrsja.dll
C:\WINDOWS\system32\smgina.dll
C:\WINDOWS\system32\wuploc.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{597A3F8B-8161-46A7-B8D8-61D89CB2683A}"=-
"{C0CE8D2F-A10D-473A-A62D-7A08DDABEEF6}"=-
"{447DB5EF-00EC-40E2-9FF4-FFDCE4441F0A}"=-
"{503F4DB3-8375-42AA-BDE4-43B3894FA5C9}"=-
"{5684B96A-3802-4D86-A18C-4E142B06A2DD}"=-
[-HKEY_CLASSES_ROOT\CLSID\{597A3F8B-8161-46A7-B8D8-61D89CB2683A}]
[-HKEY_CLASSES_ROOT\CLSID\{C0CE8D2F-A10D-473A-A62D-7A08DDABEEF6}]
[-HKEY_CLASSES_ROOT\CLSID\{447DB5EF-00EC-40E2-9FF4-FFDCE4441F0A}]
[-HKEY_CLASSES_ROOT\CLSID\{503F4DB3-8375-42AA-BDE4-43B3894FA5C9}]
[-HKEY_CLASSES_ROOT\CLSID\{5684B96A-3802-4D86-A18C-4E142B06A2DD}]
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{EE1764E5-2D52-406C-B8FC-CB552647B736}"=-
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{EE1764E5-2D52-406C-B8FC-CB552647B736}</IDone>
<IDtwo>VT00</IDtwo>
<VERSION>200</VERSION>
****************************************************************************


--------------

Hijackthis log
--------------

Logfile of HijackThis v1.99.0
Scan saved at 오후 3:33:02, on 2005-01-30
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\System32\zuudzdgu.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\conime.exe
C:\PROGRA~1\Ahnlab\V3\MonSvcNT.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\bdsqrbla5.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\HijackThis.exe

R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {A5BDE44F-1BCD-7BC2-CF4E-C9F5C59F2C13} - C:\WINDOWS\System32\jleylerd.dll
O2 - BHO: (no name) - {E9D2AC88-9331-0689-288B-A99468B902DB} - C:\WINDOWS\System32\polddmev.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [*windows update] wuaruclt.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [XP firewall Services] FirewallxP.exe
O4 - HKLM\..\Run: [Microsoft Crash Protection] mcrashprot.exe
O4 - HKLM\..\Run: [SQL Service] qnhqs.exe
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\system32\defragfat34.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [zuudzdgu] C:\WINDOWS\System32\zuudzdgu.exe
O4 - HKLM\..\RunServices: [*windows update] wuaruclt.exe
O4 - HKLM\..\RunServices: [XP firewall Services] FirewallxP.exe
O4 - HKLM\..\RunServices: [Microsoft Crash Protection] mcrashprot.exe
O4 - HKLM\..\RunServices: [SQL Service] qnhqs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [*windows update] wuaruclt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [XP firewall Services] FirewallxP.exe
O4 - HKCU\..\Run: [Microsoft Crash Protection] mcrashprot.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {00001016-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter16 Class) - http://www.netmarble.net/game/nmstarter/NMStarter16.cab
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
O16 - DPF: {5876CAD0-1636-42EA-AC50-4C06F3196089} (HanGamePlugin19 Class) - http://down.hangame.com/dist/activex/HanGamePlugin19.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1104380461702
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {92E82FBB-DA00-41E0-ABFE-95482E21A4F6} (NMTransX Module) - http://download.netmarble.com/NMChatX/NMTransX.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://download.netmarble.com/nProtect/nprotect/npx.cab
O23 - Service: MonSvcNT - AhnLab, Inc. - C:\PROGRA~1\Ahnlab\V3\MonSvcNT.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: rypbitprpvsn - Unknown - C:\WINDOWS\System32\bdsqrbla5.exe

Cookiegal, you're such a devoted worker~

Sorry this reply took some time, I was out for a while. Thanks ^^
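The L2Mfix log above ends with an export of the Winlogon\Notify key, the hook Look2Me-style packages use to get a DLL loaded by winlogon. The parser below is an added example, not part of L2Mfix or of this thread: it decodes the hex(2) DllName values the export prints and compares each notification DLL against the stock set that the post-fix export shows. The sample input copies two entries from that export and adds a constructed subkey named zzupd (a hypothetical name) pointing at one of the DLLs L2Mfix deleted.

```python
"""Read a Winlogon\\Notify export (regedit 5.00 format) and flag unexpected DLLs.

Added example for this thread; it is not part of L2Mfix or HijackThis. It decodes
the hex(2) (REG_EXPAND_SZ, UTF-16LE) DllName values that the L2Mfix log prints and
compares every notification DLL against the set the thread's post-fix export shows.
"""
import re
from typing import Dict, List

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Baseline taken from the post-fix export in this thread: the nine stock subkeys
# (crypt32chain, cryptnet, cscdll, ScCertProp, Schedule, sclgntfy, SensLogn, termsrv,
# wlballoon) load only these five DLLs. Anything else deserves a look.
BASELINE_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}

# Constructed sample: two entries copied from the thread's export, plus a made-up
# subkey "zzupd" (hypothetical name) pointing at lv4209hoe.dll, one of the files
# L2Mfix deleted in this thread. A trailing backslash is regedit's continuation marker.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zzupd]
"Asynchronous"=dword:00000000
"DllName"=hex(2):6c,00,76,00,34,00,32,00,30,00,39,00,68,00,6f,00,65,00,2e,00,\
  64,00,6c,00,6c,00,00,00
"Logon"="WinlogonLogonEvent"
"""

VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def logical_lines(text: str) -> List[str]:
    """Join physical lines that regedit split with a trailing backslash."""
    out: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf)
    return out


def decode_hex2(payload: str) -> str:
    """hex(2) is REG_EXPAND_SZ: comma-separated UTF-16LE bytes ending in a NUL."""
    raw = bytes(int(b, 16) for b in payload.split(",") if b)
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_notify_export(text: str) -> Dict[str, str]:
    """Map each Notify subkey to the DLL it loads (DllName or DLLName, either form)."""
    prefix = (NOTIFY_KEY + "\\").lower()
    entries: Dict[str, str] = {}
    subkey = None
    for line in logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            subkey = key[len(prefix):] if key.lower().startswith(prefix) else None
            continue
        m = VALUE_RE.match(line)
        if subkey is None or not m or m.group(1).lower() != "dllname":
            continue
        value = m.group(2)
        if value.startswith("hex(2):"):
            entries[subkey] = decode_hex2(value[len("hex(2):"):])
        elif len(value) >= 2 and value[0] == value[-1] == '"':
            entries[subkey] = value[1:-1]
    return entries


def unexpected_notify_dlls(text: str) -> Dict[str, str]:
    """Subkeys whose DLL is not in the stock baseline."""
    return {k: v for k, v in parse_notify_export(text).items()
            if v.lower() not in BASELINE_DLLS}


if __name__ == "__main__":
    for name, dll in parse_notify_export(SAMPLE_REG).items():
        tag = "OK     " if dll.lower() in BASELINE_DLLS else "SUSPECT"
        print(f"{tag} {name:14s} -> {dll}")
```

The same decode applies to any hex(2) value in a .reg export, which is why the stock entries read crypt32.dll, cryptnet.dll and wlnotify.dll once decoded.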
 

Registered · 34 Posts · Discussion Starter · #13
Umm, that HijackThis log is one I took after the #2 step of L2M. But if I had to reboot again to take it, here is one I just took after a reboot:

Logfile of HijackThis v1.99.0
Scan saved at 오후 5:10:57, on 2005-01-30
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\System32\zuudzdgu.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\Ahnlab\V3\MonSvcNT.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\bdsqrbla5.exe
C:\HijackThis.exe
C:\WINDOWS\System32\svchost.exe

R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {A5BDE44F-1BCD-7BC2-CF4E-C9F5C59F2C13} - C:\WINDOWS\System32\jleylerd.dll
O2 - BHO: (no name) - {E9D2AC88-9331-0689-288B-A99468B902DB} - C:\WINDOWS\System32\polddmev.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [*windows update] wuaruclt.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [XP firewall Services] FirewallxP.exe
O4 - HKLM\..\Run: [Microsoft Crash Protection] mcrashprot.exe
O4 - HKLM\..\Run: [SQL Service] qnhqs.exe
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\system32\defragfat34.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [zuudzdgu] C:\WINDOWS\System32\zuudzdgu.exe
O4 - HKLM\..\RunServices: [*windows update] wuaruclt.exe
O4 - HKLM\..\RunServices: [XP firewall Services] FirewallxP.exe
O4 - HKLM\..\RunServices: [Microsoft Crash Protection] mcrashprot.exe
O4 - HKLM\..\RunServices: [SQL Service] qnhqs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [*windows update] wuaruclt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [XP firewall Services] FirewallxP.exe
O4 - HKCU\..\Run: [Microsoft Crash Protection] mcrashprot.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {00001016-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter16 Class) - http://www.netmarble.net/game/nmstarter/NMStarter16.cab
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
O16 - DPF: {5876CAD0-1636-42EA-AC50-4C06F3196089} (HanGamePlugin19 Class) - http://down.hangame.com/dist/activex/HanGamePlugin19.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1104380461702
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {92E82FBB-DA00-41E0-ABFE-95482E21A4F6} (NMTransX Module) - http://download.netmarble.com/NMChatX/NMTransX.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://download.netmarble.com/nProtect/nprotect/npx.cab
O23 - Service: MonSvcNT - AhnLab, Inc. - C:\PROGRA~1\Ahnlab\V3\MonSvcNT.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: rypbitprpvsn - Unknown - C:\WINDOWS\System32\bdsqrbla5.exe
 

Administrator · 123,547 Posts
Click here: http://forums.techguy.org/attachment.php?attachmentid=46183 to download Find It NT-2K-XP.zip.

Unzip it and double-click on Find.bat to run it. When the command window first opens, it will say "File not found". Ignore that and let it continue to run until it finishes. It may take it a few minutes. It will open an Output.txt file when it completes. Copy and paste the contents of output.txt here. Once that's done, close the text file and then press any key and the batch file will end.

Download the VX2Finder.exe tool. Click on the VX2Finder.exe and then click on the Click to Find VX2.Betterinternet button. It will display the files, the Guardian Key and User Agent string. Now click the Make Log button. It will open the log in notepad. Copy and paste that log here and wait for further instructions.

http://www.downloads.subratam.org/VX2Finder.exe

Next click here: http://www.downloads.subratam.org/DllCompare.exe to download DLLCompare.zip.

Save it to your desktop.

Now run DllCompare and click on the RunLocate.com button. It will scan for the hidden files. When it is finished, you will see in blue "Completed the scan, Click Compare to Continue", at which time you will click the Compare button.

It will sort through the files it found and determine which should be flagged as "No access" and display them in the lower box.

In a few minutes it will complete, then you will see in blue "Completed".
Click the Make a Log of what was Found button. It will ask if you want to view the logfile. Click Yes, then copy and paste that log in your next reply.

After you have posted all that info here, it is very important that you do not restart your computer until we have proceeded to the directions for removal. If you restart your computer, the registry entry needed for removal will change, as will some of the file names, and we will have to start all over.
 

Registered · 34 Posts · Discussion Starter · #15
The Find It program doesn't seem to work.

After it says
"Beginning Strings.exe....."
in Korean it says that something cannot be found.. I don't know what that something is.. Should I continue with the rest of the steps?

No log popped up.
 

Registered · 34 Posts · Discussion Starter · #17
No, no, I ignored that one, but after I let it run it said that it can't find a file (not a pop-up message; it tells me in the DOS window). It says: "Beginning strings.exe....please let it run untill log appears."... then underneath that it says something in Korean that it can't find something...

Sorry it can't be more specific.
 

Administrator · 123,547 Posts
Rescan with Hijack This, close all browser windows except Hijack This, put a check mark beside these entries and click “fix checked”.

R3 - Default URLSearchHook is missing

O1 - Hosts: 69.20.16.183 auto.search.msn.com

O1 - Hosts: 69.20.16.183 search.netscape.com

O1 - Hosts: 69.20.16.183 ieautosearch

O1 - Hosts: 69.20.16.183 ieautosearch

O2 - BHO: (no name) - {A5BDE44F-1BCD-7BC2-CF4E-C9F5C59F2C13} - C:\WINDOWS\System32\jleylerd.dll

O2 - BHO: (no name) - {E9D2AC88-9331-0689-288B-A99468B902DB} - C:\WINDOWS\System32\polddmev.dll

O4 - HKLM\..\Run: [*windows update] wuaruclt.exe

O4 - HKLM\..\Run: [Microsoft Crash Protection] mcrashprot.exe

O4 - HKLM\..\Run: [XP firewall Services] FirewallxP.exe

O4 - HKLM\..\Run: [SQL Service] qnhqs.exe

O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\system32\defragfat34.exe

O4 - HKLM\..\Run: [zuudzdgu] C:\WINDOWS\System32\zuudzdgu.exe

O4 - HKLM\..\RunServices: [*windows update] wuaruclt.exe

O4 - HKLM\..\RunServices: [XP firewall Services] FirewallxP.exe

O4 - HKLM\..\RunServices: [Microsoft Crash Protection] mcrashprot.exe

O4 - HKLM\..\RunServices: [SQL Service] qnhqs.exe

O4 - HKCU\..\Run: [*windows update] wuaruclt.exe

O4 - HKCU\..\Run: [XP firewall Services] FirewallxP.exe

O4 - HKCU\..\Run: [Microsoft Crash Protection] mcrashprot.exe

O23 - Service: rypbitprpvsn - Unknown - C:\WINDOWS\System32\bdsqrbla5.exe


Then boot to safe mode (see how below), locate and delete these files and/or folders:

wuaruclt.exe - file
mcrashprot.exe - file
FirewallxP.exe - file
qnhqs.exe - file
C:\WINDOWS\system32\defragfat34.exe - file
C:\WINDOWS\System32\zuudzdgu.exe - file
C:\WINDOWS\System32\bdsqrbla5.exe - file

How to restart to safe mode:
http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

Because XP will not always show you hidden files and folders by default, go to Start - Search and, under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

Reboot and post another Hijack This log please.
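Most of the entries picked out for "fix checked" above share a few mechanical traits: hosts-file lines pointing search domains at one address, BHOs with no name, the same bare executable registered under HKLM\Run, HKLM\RunServices and HKCU\Run at once, and a service with no vendor. The script below is an added example, not HijackThis code and not what the helper ran; it applies those rules to lines excerpted from the thread's own log, and the legitimate entries in the excerpt (SoundMan, MsnMsgr, Messenger Plus, NVIDIA) pass through untouched.

```python
"""Rule-based first pass over a HijackThis 1.99 log.

Added example for this thread; it is not HijackThis code and not what the helper ran.
It encodes signals visible in the thread's log: hosts-file overrides (O1), a BHO with
no name (O2), one command registered under several autostart keys (O4) and a service
whose vendor is Unknown (O23). The input is excerpted from the thread's own log.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O2 - BHO: (no name) - {A5BDE44F-1BCD-7BC2-CF4E-C9F5C59F2C13} - C:\WINDOWS\System32\jleylerd.dll
O4 - HKLM\..\Run: [*windows update] wuaruclt.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [zuudzdgu] C:\WINDOWS\System32\zuudzdgu.exe
O4 - HKLM\..\RunServices: [*windows update] wuaruclt.exe
O4 - HKCU\..\Run: [*windows update] wuaruclt.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: rypbitprpvsn - Unknown - C:\WINDOWS\System32\bdsqrbla5.exe
"""

# Line shapes as HijackThis 1.99 prints them.
O4_RE = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")


def executable_of(command: str) -> str:
    """Program part of an O4 command; quoted paths may contain spaces."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    return parts[0] if parts else ""


def autostart_locations(lines: List[str]) -> Dict[str, Set[str]]:
    """Lower-cased executable -> set of hive\\key names it is registered under."""
    where: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        m = O4_RE.match(line)
        if m:
            hive, key, _name, command = m.groups()
            where[executable_of(command).lower()].add(f"{hive}\\{key}")
    return where


def triage(log: str) -> List[Tuple[str, str]]:
    """(reason, line) for every line the rules single out, in log order."""
    lines = [ln.strip() for ln in log.splitlines() if ln.strip()]
    where = autostart_locations(lines)
    findings: List[Tuple[str, str]] = []
    for line in lines:
        if line.startswith("R3 - ") and line.endswith("is missing"):
            findings.append(("default URLSearchHook missing", line))
        elif line.startswith("O1 - Hosts:"):
            findings.append(("hosts-file override", line))
        elif line.startswith("O2 - "):
            m = O2_RE.match(line)
            if m and m.group(1) == "(no name)":
                findings.append(("BHO with no name", line))
        elif line.startswith("O4 - "):
            m = O4_RE.match(line)
            # A worm writes itself to every autostart key it knows; a normal
            # installer registers a program once.
            if m and len(where[executable_of(m.group(4)).lower()]) >= 2:
                findings.append(("same command under several autostart keys", line))
        elif line.startswith("O23 - "):
            m = O23_RE.match(line)
            if m and m.group(2) == "Unknown":
                findings.append(("service with unknown vendor", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

zuudzdgu.exe and defragfat34.exe, which were also removed above, pass these rules: they were caught by the helper's judgement about random-looking and Windows-sounding names, which no mechanical rule settles.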
 