se.dll


This topic is locked. 20 replies to this topic.

#1 billhunsaker

Posted 20 February 2005 - 08:47 PM

I have read through several different posts on getting rid of aboutblank and se.dll hijacker, but to no avail. After installing spybot, I can at least keep aboutblank from taking over the startup page, but the popups from se.dll never stop. I have tried to unregister the dll but it gets caught up in an error message. Below is my log from hijackthis. Your help would be greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 10:12:43 AM, on 2005-02-21
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AHNLAB\SMART UPDATE UTILITY\AHNSD.EXE
C:\PROGRAM FILES\INKLINE GLOBAL\PC BOOSTER\PCBOOSTER.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\INCITERINSTALLER\ICAGENT.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\HPJETDSC.EXE
C:\PROGRAM FILES\POPUP GUARD\PG.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\AHNLAB\V3\V3P3AT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\SOFTFORUM\XECUREWEB\ACTIVEX\CLIENTSM.EXE
C:\PROGRAM FILES\AHNLAB\V3\MONSYS32.EXE
C:\PROGRAM FILES\AHNLAB\V3\MONSYSNT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS1\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: CIEIntegrator Object - {562C1A20-72E7-4ED8-A26D-0DC57415FE92} - C:\PROGRAM FILES\POPUP GUARD\PGI.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: V3 - {9E3849D6-41EF-4B2F-86B7-632EF90758E4} - C:\PROGRAM FILES\AHNLAB\V3\V3BAR.DLL
O3 - Toolbar: 라디오(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [레지스트리 검사] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AHNSD] "C:\Program Files\Ahnlab\Smart Update Utility\AhnSD.exe"
O4 - HKLM\..\Run: [PC Booster] C:\Program Files\inKline Global\PC Booster\pcbooster.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Inciter Inspector] C:\WINDOWS\INCITERINSTALLER\ICAGENT.EXE
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [HP JetDiscovery] HPJETDSC.EXE
O4 - HKCU\..\Run: [Vantage Popup Guard] C:\Program Files\Popup Guard\PG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\RunServices: [HP JetDiscovery] HPJETDSC.EXE
O4 - HKCU\..\RunServices: [Vantage Popup Guard] C:\Program Files\Popup Guard\PG.exe
O4 - HKCU\..\RunServices: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://c:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O16 - DPF: {A1CCCFF4-0DF9-4FFC-99A3-A37A0F3D8E18} (p3bgset Class) - http://player.bugs.co.kr/install/bugsLoader20040708.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://portal.korea.ac.kr/XecureObject/xw_install.cab
O16 - DPF: {EBB9A178-05D2-4DBD-A255-45B9A7EC9F7E} (IdiskLauncher Control) - http://idisk.korea.ac.kr/app/IdiskUpdate.cab
O16 - DPF: {124968E3-A145-40C7-8912-5432EB4908BC} (Project1.LocalExecute) - http://portal.korea.ac.kr/Download/kupid/Project1.CAB
O16 - DPF: {976B9142-EA25-4143-85BD-6E1D544D8AA8} (ChangjoEditor.WebEditor) - http://mail.korea.ac.kr:2001/webeditor/WebEditor.cab
O16 - DPF: {45FC3433-CC83-4D62-991A-BAE9F68EF710} (CrinityUpload Class) - http://mail.korea.ac.kr:2001/activex/CrinityUpload.cab
O16 - DPF: {2E68BEE5-A640-11D2-AEA4-00AA006E5B34} (HnwActiv Control) - http://intranet.korea.ac.kr:8001/allgenact...tiv_3_3_0_3.cab
O16 - DPF: {EA0995BF-45DD-4DB0-ADD5-A39C37397841} (ShbAutoTrustSite Control) - http://image.shinhan.com/bank/etc/TrustSit...oTrustSiteX.cab
O16 - DPF: {6AD92401-CE2D-452B-AA63-1291D60EC2D2} (AxINIplugin40 Control) - http://image.shinhan.com/initech/plugin/ve...INIplugin40.cab
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK3 Control) - http://image.shinhan.com/bank/etc/keyStrok.../4043/SCSK4.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9/dmcc2.cab
O16 - DPF: {1514EB38-3F47-4DB9-B295-21209446CC1A} (SecureSession Class) - http://www.samsunglife.com/cab/SecuiBohumIE.cab
O16 - DPF: {9BDBC41E-C335-4263-83C0-ECE78EE28A33} (SysMonOCX Control) - http://ahnlabdownload.nefficient.co.kr/plu...yfirewall20.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/13b97ed345e403...RdxIE601_ko.cab
O16 - DPF: {B45E969D-924F-4C83-ACF3-38CDD115AA2C} (MpiPlugin Class) - https://www.isaackorea.net/update/ilkactx.cab
O16 - DPF: {2C197E55-080B-42A4-BFD0-9595B3534CF4} (KVPplugin00 Control) - https://www.vpay.co.kr/KVPplugin01.cab
O16 - DPF: {21463B59-2B2E-4BC6-8F2F-A8D80E6B628D} (WebEditorParser.WEParser) - http://intranet.korea.ac.kr:8002/webeditor/WEViewer.cab
O16 - DPF: {8AE03B06-5BDA-44AA-B4AD-72BB01597451} (DaumQLauncher Control) - http://appupdate.popfolder.co.kr/download/DaumQ/DaumQAx.cab
O16 - DPF: {61823E19-C838-4A32-ADDB-950B590BE069} (AxOrgTree Control) - http://groupware.korea.ac.kr/AXOrgTree.cab
O16 - DPF: {C6B89053-6E47-41DB-91A8-EDFE12B56EAF} (AXFileUp Control) - http://groupware.korea.ac.kr/AXFileUp.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {DA33B535-768B-4A72-BEDE-82DA7D5094FA} (InciterX Control) - http://163.152.7.107/InciterX.cab
O16 - DPF: {83896843-E656-4DE7-96BD-88E2885B555D} (yessignSM ActiveX Control) - http://trusbill.korea.ac.kr/files/yessignSM.cab
O16 - DPF: {57FA6402-0B12-448F-A58C-6E8AF6921A12} (ListCtrl Class) - http://intranet.korea.ac.kr:8002/crinity/C...tyDocUpload.cab
O16 - DPF: {7C65E65F-5ACA-409E-9D44-79AD833919F8} (ExpressViewer Class) - http://download.softforum.co.kr/XecureExpr...xei_install.cab
O16 - DPF: {0CD2EC08-3CF6-4BC4-BF48-824F4C1994F1} (SecureSession Class) - http://www.samsungfn.com/contents/trustnet...oolkitForIE.cab
O16 - DPF: {EC5D5118-9FDE-4A3E-84F3-C2B711740E70} (SKCommAX Control) - http://www.samsungfn.com/skcab/SKCommAX.cab
O16 - DPF: {5E582BD1-6FAA-40F2-87A8-130AD325DABB} (Kdfense7 Control) - http://www.samsungfn.com/contents/kdefense...01/kdfense7.cab
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = korea.ac.kr
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 163.152.1.1,163.152.11.6


#2 penmore (Malware Sniffer, West Coast of Scotland)

Posted 22 February 2005 - 07:11 AM

Hi billhunsaker,


There are a number of steps you need to take in order to clean your machine. Please carry out the steps in the order they are given. You may find it helpful to print these instructions out as you will not have access to the Internet whilst you are running in Safe mode.

I notice that you have Inciter Inspector installed on your machine. I cannot find any information about this software. Did you knowingly install it and what does it do?
  • Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
    How to see hidden files in Windows

  • Download System Security Suite here:
    System Security Suite Download & Tutorial. Unzip it to your desktop.
    Install the program. Don't use it yet.

  • Before we use HijackThis to fix entries in your log, I notice you are running TeaTimer. It could interfere with the removal of some items, so please follow these instructions to disable it temporarily. Disable TeaTimer.

  • Reboot your computer into Safe Mode.

  • Run HijackThis
    Click on the Scan button and when complete
    Put a check beside all of the items listed below
    Close all open Explorer windows and browsers
    Click on the "Fix Checked" button
    When complete and all files removed, close the application.

  • Please delete the following files or folders (delete item in bold). Please do not be concerned if
    any of the items are not found as they may have been automatically removed by actions I had
    you take earlier in the cleaning process.
    C:\WINDOWS\TEMP\SE.DLL >>> file
  • Close all windows and browsers that are open.
    Clean out Temporary Folders and Temporary Internet Files as follows:
    • Open the System Security Suite that I had you download earlier.
    • In the Items to Clear tab check:
      - Internet Explorer (left pane): Cookies & Temporary files
      - My Computer (right pane): Temporary files & Recycle Bin
    Click the Clear Selected Items button.
    Close the program.

  • Reboot your machine in normal mode, run HijackThis and post a new log here using the Add Reply button. Please include information about Inciter Inspector and how your machine is now.


#3 billhunsaker (Topic Starter)

Posted 22 February 2005 - 09:05 PM

Hi,

After following the advice posted, everything has returned to normal. I found that I still had pieces of aboutblank left in the system, but after running ad-aware in safe mode, the system seems to have no bugs.

As per the Inciter Inspector, it seems to be a program attached to something I ran in Korea. There is not much written on various Korean chat sites explaining what it does, other than complaints about it being on the system. I took the liberty of deleting it out of the system with a backup and nothing seems to be out of order.

Thanks again; you got rid of a major headache.

Logfile of HijackThis v1.99.1
Scan saved at 10:55:57 AM, on 2005-02-23
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AHNLAB\SMART UPDATE UTILITY\AHNSD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\HPJETDSC.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\AHNLAB\V3\MONSYSNT.EXE
C:\PROGRAM FILES\AHNLAB\V3\V3P3AT.EXE
C:\PROGRAM FILES\AHNLAB\V3\MONSYS32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\UNZIPPED\HIJACKTHIS1\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: CIEIntegrator Object - {562C1A20-72E7-4ED8-A26D-0DC57415FE92} - C:\PROGRAM FILES\POPUP GUARD\PGI.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: V3 - {9E3849D6-41EF-4B2F-86B7-632EF90758E4} - C:\PROGRAM FILES\AHNLAB\V3\V3BAR.DLL
O3 - Toolbar: 라디오(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [레지스트리 검사] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AHNSD] "C:\Program Files\Ahnlab\Smart Update Utility\AhnSD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [HP JetDiscovery] HPJETDSC.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: SpySubtract.lnk.disabled
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://c:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O16 - DPF: {A1CCCFF4-0DF9-4FFC-99A3-A37A0F3D8E18} (p3bgset Class) - http://player.bugs.co.kr/install/bugsLoader20040708.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://portal.korea.ac.kr/XecureObject/xw_install.cab
O16 - DPF: {EBB9A178-05D2-4DBD-A255-45B9A7EC9F7E} (IdiskLauncher Control) - http://idisk.korea.ac.kr/app/IdiskUpdate.cab
O16 - DPF: {124968E3-A145-40C7-8912-5432EB4908BC} (Project1.LocalExecute) - http://portal.korea.ac.kr/Download/kupid/Project1.CAB
O16 - DPF: {976B9142-EA25-4143-85BD-6E1D544D8AA8} (ChangjoEditor.WebEditor) - http://mail.korea.ac.kr:2001/webeditor/WebEditor.cab
O16 - DPF: {45FC3433-CC83-4D62-991A-BAE9F68EF710} (CrinityUpload Class) - http://mail.korea.ac.kr:2001/activex/CrinityUpload.cab
O16 - DPF: {2E68BEE5-A640-11D2-AEA4-00AA006E5B34} (HnwActiv Control) - http://intranet.korea.ac.kr:8001/allgenact...tiv_3_3_0_3.cab
O16 - DPF: {EA0995BF-45DD-4DB0-ADD5-A39C37397841} (ShbAutoTrustSite Control) - http://image.shinhan.com/bank/etc/TrustSit...oTrustSiteX.cab
O16 - DPF: {6AD92401-CE2D-452B-AA63-1291D60EC2D2} (AxINIplugin40 Control) - http://image.shinhan.com/initech/plugin/ve...INIplugin40.cab
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK3 Control) - http://image.shinhan.com/bank/etc/keyStrok.../4043/SCSK4.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9/dmcc2.cab
O16 - DPF: {1514EB38-3F47-4DB9-B295-21209446CC1A} (SecureSession Class) - http://www.samsunglife.com/cab/SecuiBohumIE.cab
O16 - DPF: {9BDBC41E-C335-4263-83C0-ECE78EE28A33} (SysMonOCX Control) - http://ahnlabdownload.nefficient.co.kr/plu...yfirewall20.cab
O16 - DPF: {B45E969D-924F-4C83-ACF3-38CDD115AA2C} (MpiPlugin Class) - https://www.isaackorea.net/update/ilkactx.cab
O16 - DPF: {2C197E55-080B-42A4-BFD0-9595B3534CF4} (KVPplugin00 Control) - https://www.vpay.co.kr/KVPplugin01.cab
O16 - DPF: {21463B59-2B2E-4BC6-8F2F-A8D80E6B628D} (WebEditorParser.WEParser) - http://intranet.korea.ac.kr:8002/webeditor/WEViewer.cab
O16 - DPF: {8AE03B06-5BDA-44AA-B4AD-72BB01597451} (DaumQLauncher Control) - http://appupdate.popfolder.co.kr/download/DaumQ/DaumQAx.cab
O16 - DPF: {61823E19-C838-4A32-ADDB-950B590BE069} (AxOrgTree Control) - http://groupware.korea.ac.kr/AXOrgTree.cab
O16 - DPF: {C6B89053-6E47-41DB-91A8-EDFE12B56EAF} (AXFileUp Control) - http://groupware.korea.ac.kr/AXFileUp.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {83896843-E656-4DE7-96BD-88E2885B555D} (yessignSM ActiveX Control) - http://trusbill.korea.ac.kr/files/yessignSM.cab
O16 - DPF: {57FA6402-0B12-448F-A58C-6E8AF6921A12} (ListCtrl Class) - http://intranet.korea.ac.kr:8002/crinity/C...tyDocUpload.cab
O16 - DPF: {7C65E65F-5ACA-409E-9D44-79AD833919F8} (ExpressViewer Class) - http://download.softforum.co.kr/XecureExpr...xei_install.cab
O16 - DPF: {0CD2EC08-3CF6-4BC4-BF48-824F4C1994F1} (SecureSession Class) - http://www.samsungfn.com/contents/trustnet...oolkitForIE.cab
O16 - DPF: {EC5D5118-9FDE-4A3E-84F3-C2B711740E70} (SKCommAX Control) - http://www.signkorea.com/SKCommAX.cab
O16 - DPF: {5E582BD1-6FAA-40F2-87A8-130AD325DABB} (Kdfense7 Control) - http://www.samsungfn.com/contents/kdefense...01/kdfense7.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = korea.ac.kr
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 163.152.1.1,163.152.11.6

#4 billhunsaker (Topic Starter)

Posted 22 February 2005 - 09:15 PM

A followup on software...

I have tried several times to download spywareblaster and after installing, I get the following critical error message telling me I have a bad sector on the hard drive or a virus, and to reinstall, but to no success. I have downloaded from links posted on bleepingcomputer.

Also, you requested that I download system security suite, but when I installed and ran, I also got a critical error related to the SSS upon trying to run kernel32.dll.

Any help would be appreciated.

#5 penmore (Malware Sniffer, West Coast of Scotland)

Posted 23 February 2005 - 04:56 AM

Hi billhunsaker,

It's good that we've cured the Desktop problem but I think you have some things lingering on your system connected with the se.dll infection and that could be why you are having problems downloading and running software. Please do the following and post back the results with a new log.
  • Download: StartDreck from: http://www.niksoft.at/download/startdreck.htm
    Extract the file into c:\startdreck.
    Navigate to c:\startdreck and double-click on Startdreck.exe
    When the program opens click on the Config button.
    Then click on the unmark all button.
    Put checkmarks in the following checkboxes:
    • Under Registry put a checkmark in the Run Keys checkbox.
      Under System/Drivers put a check in the Running Process checkbox.
    Press the OK button.
    Press the Save button. Type in the location you want to save the log to, or use the defaults which will save the log into the directory you are running the program from. If you choose the defaults the filename for the log will be StartDreck.log.

  • Run HijackThis and post a new log here using the Add Reply button. Please include a copy of the contents of the StartDreck log as well.


#6 billhunsaker (Topic Starter)

Posted 23 February 2005 - 09:07 PM

Hi,

Here's the info requested. Note that later in the day both se.dll and aboutblank tried to access my system. I went through the process you provided and cleaned the system. For now, it is clean with no problems.

Logfile of HijackThis v1.99.1
Scan saved at 11:02:03 AM, on 2005-02-24
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AHNLAB\SMART UPDATE UTILITY\AHNSD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\HPJETDSC.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\AHNLAB\V3\V3P3AT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\SOFTFORUM\XECUREWEB\ACTIVEX\CLIENTSM.EXE
C:\PROGRAM FILES\AHNLAB\V3\MONSYS32.EXE
C:\PROGRAM FILES\AHNLAB\V3\MONSYSNT.EXE
C:\UNZIPPED\HIJACKTHIS1\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: CIEIntegrator Object - {562C1A20-72E7-4ED8-A26D-0DC57415FE92} - C:\PROGRAM FILES\POPUP GUARD\PGI.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: V3 - {9E3849D6-41EF-4B2F-86B7-632EF90758E4} - C:\PROGRAM FILES\AHNLAB\V3\V3BAR.DLL
O3 - Toolbar: 라디오(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [레지스트리 검사] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AHNSD] "C:\Program Files\Ahnlab\Smart Update Utility\AhnSD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [HP JetDiscovery] HPJETDSC.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://c:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O16 - DPF: {A1CCCFF4-0DF9-4FFC-99A3-A37A0F3D8E18} (p3bgset Class) - http://player.bugs.co.kr/install/bugsLoader20040708.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://portal.korea.ac.kr/XecureObject/xw_install.cab
O16 - DPF: {EBB9A178-05D2-4DBD-A255-45B9A7EC9F7E} (IdiskLauncher Control) - http://idisk.korea.ac.kr/app/IdiskUpdate.cab
O16 - DPF: {124968E3-A145-40C7-8912-5432EB4908BC} (Project1.LocalExecute) - http://portal.korea.ac.kr/Download/kupid/Project1.CAB
O16 - DPF: {976B9142-EA25-4143-85BD-6E1D544D8AA8} (ChangjoEditor.WebEditor) - http://mail.korea.ac.kr:2001/webeditor/WebEditor.cab
O16 - DPF: {45FC3433-CC83-4D62-991A-BAE9F68EF710} (CrinityUpload Class) - http://mail.korea.ac.kr:2001/activex/CrinityUpload.cab
O16 - DPF: {2E68BEE5-A640-11D2-AEA4-00AA006E5B34} (HnwActiv Control) - http://intranet.korea.ac.kr:8001/allgenact...tiv_3_3_0_3.cab
O16 - DPF: {EA0995BF-45DD-4DB0-ADD5-A39C37397841} (ShbAutoTrustSite Control) - http://image.shinhan.com/bank/etc/TrustSit...oTrustSiteX.cab
O16 - DPF: {6AD92401-CE2D-452B-AA63-1291D60EC2D2} (AxINIplugin40 Control) - http://image.shinhan.com/initech/plugin/ve...INIplugin40.cab
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK3 Control) - http://image.shinhan.com/bank/etc/keyStrok.../4043/SCSK4.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9/dmcc2.cab
O16 - DPF: {1514EB38-3F47-4DB9-B295-21209446CC1A} (SecureSession Class) - http://www.samsunglife.com/cab/SecuiBohumIE.cab
O16 - DPF: {9BDBC41E-C335-4263-83C0-ECE78EE28A33} (SysMonOCX Control) - http://ahnlabdownload.nefficient.co.kr/plu...yfirewall20.cab
O16 - DPF: {B45E969D-924F-4C83-ACF3-38CDD115AA2C} (MpiPlugin Class) - https://www.isaackorea.net/update/ilkactx.cab
O16 - DPF: {2C197E55-080B-42A4-BFD0-9595B3534CF4} (KVPplugin00 Control) - https://www.vpay.co.kr/KVPplugin01.cab
O16 - DPF: {21463B59-2B2E-4BC6-8F2F-A8D80E6B628D} (WebEditorParser.WEParser) - http://intranet.korea.ac.kr:8002/webeditor/WEViewer.cab
O16 - DPF: {8AE03B06-5BDA-44AA-B4AD-72BB01597451} (DaumQLauncher Control) - http://appupdate.popfolder.co.kr/download/DaumQ/DaumQAx.cab
O16 - DPF: {61823E19-C838-4A32-ADDB-950B590BE069} (AxOrgTree Control) - http://groupware.korea.ac.kr/AXOrgTree.cab
O16 - DPF: {C6B89053-6E47-41DB-91A8-EDFE12B56EAF} (AXFileUp Control) - http://groupware.korea.ac.kr/AXFileUp.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {83896843-E656-4DE7-96BD-88E2885B555D} (yessignSM ActiveX Control) - http://trusbill.korea.ac.kr/files/yessignSM.cab
O16 - DPF: {57FA6402-0B12-448F-A58C-6E8AF6921A12} (ListCtrl Class) - http://intranet.korea.ac.kr:8002/crinity/C...tyDocUpload.cab
O16 - DPF: {7C65E65F-5ACA-409E-9D44-79AD833919F8} (ExpressViewer Class) - http://download.softforum.co.kr/XecureExpr...xei_install.cab
O16 - DPF: {0CD2EC08-3CF6-4BC4-BF48-824F4C1994F1} (SecureSession Class) - http://www.samsungfn.com/contents/trustnet...oolkitForIE.cab
O16 - DPF: {EC5D5118-9FDE-4A3E-84F3-C2B711740E70} (SKCommAX Control) - http://www.signkorea.com/SKCommAX.cab
O16 - DPF: {5E582BD1-6FAA-40F2-87A8-130AD325DABB} (Kdfense7 Control) - http://www.samsungfn.com/contents/kdefense...01/kdfense7.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = korea.ac.kr
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 163.152.1.1,163.152.11.6

And the startdreck log:

StartDreck (build 2.1.7 public stable) - 2005-02-24 @ 11:00:40 (GMT +09:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2600.0000
Logged in as Bill Hunsaker at BILL HUNSAKER

≫Registry
≫Run Keys
≫Current User
≫Run
*ctfmon.exe=ctfmon.exe
*HP JetDiscovery=HPJETDSC.EXE
*SpybotSD TeaTimer=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
≫RunOnce
≫Default User
≫Run
*ctfmon.exe=ctfmon.exe
*HP JetDiscovery=HPJETDSC.EXE
*SpybotSD TeaTimer=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
≫RunOnce
≫Local Machine
≫Run
*레지스트리 검사=c:\windows\scanregw.exe /autorun
*TaskMonitor=c:\windows\taskmon.exe
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*AHNSD="C:\Program Files\Ahnlab\Smart Update Utility\AhnSD.exe"
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
≫RunOnce
≫RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
≫RunServicesOnce
**rxk=rundll32 C:\WINDOWS\PRINTEKS.TXT,DllGetClassObject
≫RunOnceEx
≫RunServicesOnceEx
≫Files
≫System/Drivers
≫Running Processes
+FFEF6671=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFA97D=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFFBAAD=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE9449=C:\WINDOWS\RUNDLL32.EXE
+FFFE508D=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFEAA89=C:\WINDOWS\EXPLORER.EXE
+FFFD7455=C:\WINDOWS\TASKMON.EXE
+FFFD316D=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFD3FE1=C:\PROGRAM FILES\AHNLAB\SMART UPDATE UTILITY\AHNSD.EXE
+FFFD89C1=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
+FFFD9805=C:\WINDOWS\SYSTEM\CTFMON.EXE
+FFFDFC05=C:\WINDOWS\SYSTEM\HPJETDSC.EXE
+FFFEC911=C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
+FFFCCEA5=C:\PROGRAM FILES\AHNLAB\V3\V3P3AT.EXE
+FFFB8911=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFF9E5A1=C:\WINDOWS\SYSTEM\PSTORES.EXE
+FFF8D265=C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
+FFFA0331=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF7DDC5=C:\PROGRAM FILES\SOFTFORUM\XECUREWEB\ACTIVEX\CLIENTSM.EXE
+FFFA34F9=C:\PROGRAM FILES\AHNLAB\V3\MONSYS32.EXE
+FFFB7571=C:\PROGRAM FILES\AHNLAB\V3\MONSYSNT.EXE
+FFFCFD11=C:\STARTDRECK\STARTDRECK.EXE
≫Application specific
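The logs in this thread show three autorun patterns worth flagging mechanically rather than by eye: the `[sp]` Run value that loads `SE.DLL` out of `C:\WINDOWS\TEMP` with rundll32 (posts #1 and #7), the `[rxk]` RunServicesOnce value in the StartDreck log above that hands rundll32 a file named `PRINTEKS.TXT` (a library renamed to look like a text file; it appears only in the StartDreck output, not in any of the HijackThis logs posted), and the O16 DPF entry in post #1 that points at `file://C:\Recycled\Q330995.exe` instead of a download URL. The Python script below is an added example, not code from the thread or from the HijackThis or StartDreck tools: it parses HijackThis O4/O16 lines and StartDreck `*name=value` lines and reports entries matching those patterns. The sample lines are constructed from the logs posted above; the suspicious-folder list and the accepted library extensions are this example's own assumptions.

```python
"""Flag the autorun and ActiveX patterns seen in the se.dll logs above.

Sample lines are constructed from the HijackThis and StartDreck logs in this
thread; the folder and extension lists are this example's own assumptions.
"""
import re
from dataclasses import dataclass

# Folders an autorun entry should not load code from (assumption for this example).
SUSPICIOUS_DIRS = ("\\temp\\", "\\tmp\\", "\\recycled\\", "\\temporary internet files\\")
# Extensions rundll32 is normally handed; anything else (.txt, .dat, ...) is a renamed DLL.
LIBRARY_EXTS = (".dll", ".ocx", ".cpl", ".drv")

HJT_O4 = re.compile(r"^O4 - (?P<hive>[^\\]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
HJT_O16 = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
SD_VALUE = re.compile(r"^\*{1,2}(?P<name>[^=]+)=(?P<cmd>.*)$")   # StartDreck "*name=value" lines
RUNDLL32 = re.compile(r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(?P<lib>"[^"]+"|[^,\s]+)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    source: str   # log section the entry came from
    name: str     # registry value name, or CLSID for a DPF entry
    target: str   # file rundll32 would load, or the DPF URL
    reason: str


def rundll32_library(cmd):
    """Return the file a rundll32 command line would load, or None if it is not rundll32."""
    m = RUNDLL32.match(cmd)
    return m.group("lib").strip('"') if m else None


def check_rundll32(source, name, cmd):
    lib = rundll32_library(cmd)
    if lib is None:
        return None
    low = lib.lower()
    if any(d in low for d in SUSPICIOUS_DIRS):
        return Finding(source, name, lib, "rundll32 loads a library from a temp or recycle folder")
    if not low.endswith(LIBRARY_EXTS):
        return Finding(source, name, lib, "rundll32 loads a file whose extension disguises a DLL")
    return None


def check_dpf(clsid, url):
    if url.lower().startswith("file:"):
        return Finding("O16 DPF", clsid, url, "DPF entry points at a local file instead of a download URL")
    return None


def scan(lines):
    """Run every check over mixed HijackThis / StartDreck lines; unrecognised lines are skipped."""
    findings, section = [], None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("≫", ">>")):          # StartDreck section header, e.g. ≫RunServicesOnce
            section = line.lstrip("≫>")
            continue
        if m := HJT_O4.match(line):
            f = check_rundll32(f"O4 {m['hive']}\\..\\{m['key']}", m["name"], m["cmd"])
        elif m := HJT_O16.match(line):
            f = check_dpf(m["clsid"], m["url"])
        elif m := SD_VALUE.match(line):
            f = check_rundll32(f"StartDreck {section}", m["name"], m["cmd"])
        else:
            f = None
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O16 - DPF: {A1CCCFF4-0DF9-4FFC-99A3-A37A0F3D8E18} (p3bgset Class) - http://player.bugs.co.kr/install/bugsLoader20040708.cab
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
"""
SAMPLE_STARTDRECK = r"""
≫RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
≫RunServicesOnce
**rxk=rundll32 C:\WINDOWS\PRINTEKS.TXT,DllGetClassObject
"""


def sample_findings():
    return scan(SAMPLE_HJT.splitlines() + SAMPLE_STARTDRECK.splitlines())


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.source}: [{f.name}] {f.target}  <- {f.reason}")
```

On the sample input the benign `LoadPowerProfile` entries pass (bare `powrprof.dll`, a real library extension, no temp folder), while the `[sp]` value, the `file://` DPF entry and the `[rxk]` RunServicesOnce value are each reported with the reason that triggered. The point of checking the extension rather than just the folder is exactly the `PRINTEKS.TXT` case: rundll32 does not care what the file is called, so a loader that only looks for `.dll` in TEMP misses it.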

#7 billhunsaker (Topic Starter)

Posted 24 February 2005 - 02:21 AM

Hi,

As I mentioned in my previous post, se.dll and aboutblank came back, and they both showed up again today. I think they must be on some sort of timer to hit my computer in the afternoon. Attached is the most recent hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 4:19:09 PM, on 2005-02-24
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AHNLAB\SMART UPDATE UTILITY\AHNSD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\HPJETDSC.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\AHNLAB\V3\V3P3AT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\PROGRAM FILES\AHNLAB\V3\MONSYS32.EXE
C:\PROGRAM FILES\AHNLAB\V3\MONSYSNT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\SOFTFORUM\XECUREWEB\ACTIVEX\CLIENTSM.EXE
C:\UNZIPPED\HIJACKTHIS1\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: CIEIntegrator Object - {562C1A20-72E7-4ED8-A26D-0DC57415FE92} - C:\PROGRAM FILES\POPUP GUARD\PGI.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: V3 - {9E3849D6-41EF-4B2F-86B7-632EF90758E4} - C:\PROGRAM FILES\AHNLAB\V3\V3BAR.DLL
O3 - Toolbar: 라디오(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [레지스트리 검사] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AHNSD] "C:\Program Files\Ahnlab\Smart Update Utility\AhnSD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [HP JetDiscovery] HPJETDSC.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://c:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O16 - DPF: {A1CCCFF4-0DF9-4FFC-99A3-A37A0F3D8E18} (p3bgset Class) - http://player.bugs.co.kr/install/bugsLoader20040708.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://portal.korea.ac.kr/XecureObject/xw_install.cab
O16 - DPF: {EBB9A178-05D2-4DBD-A255-45B9A7EC9F7E} (IdiskLauncher Control) - http://idisk.korea.ac.kr/app/IdiskUpdate.cab
O16 - DPF: {124968E3-A145-40C7-8912-5432EB4908BC} (Project1.LocalExecute) - http://portal.korea.ac.kr/Download/kupid/Project1.CAB
O16 - DPF: {976B9142-EA25-4143-85BD-6E1D544D8AA8} (ChangjoEditor.WebEditor) - http://mail.korea.ac.kr:2001/webeditor/WebEditor.cab
O16 - DPF: {45FC3433-CC83-4D62-991A-BAE9F68EF710} (CrinityUpload Class) - http://mail.korea.ac.kr:2001/activex/CrinityUpload.cab
O16 - DPF: {2E68BEE5-A640-11D2-AEA4-00AA006E5B34} (HnwActiv Control) - http://intranet.korea.ac.kr:8001/allgenact...tiv_3_3_0_3.cab
O16 - DPF: {EA0995BF-45DD-4DB0-ADD5-A39C37397841} (ShbAutoTrustSite Control) - http://image.shinhan.com/bank/etc/TrustSit...oTrustSiteX.cab
O16 - DPF: {6AD92401-CE2D-452B-AA63-1291D60EC2D2} (AxINIplugin40 Control) - http://image.shinhan.com/initech/plugin/ve...INIplugin40.cab
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK3 Control) - http://image.shinhan.com/bank/etc/keyStrok.../4043/SCSK4.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9/dmcc2.cab
O16 - DPF: {1514EB38-3F47-4DB9-B295-21209446CC1A} (SecureSession Class) - http://www.samsunglife.com/cab/SecuiBohumIE.cab
O16 - DPF: {9BDBC41E-C335-4263-83C0-ECE78EE28A33} (SysMonOCX Control) - http://ahnlabdownload.nefficient.co.kr/plu...yfirewall20.cab
O16 - DPF: {B45E969D-924F-4C83-ACF3-38CDD115AA2C} (MpiPlugin Class) - https://www.isaackorea.net/update/ilkactx.cab
O16 - DPF: {2C197E55-080B-42A4-BFD0-9595B3534CF4} (KVPplugin00 Control) - https://www.vpay.co.kr/KVPplugin01.cab
O16 - DPF: {21463B59-2B2E-4BC6-8F2F-A8D80E6B628D} (WebEditorParser.WEParser) - http://intranet.korea.ac.kr:8002/webeditor/WEViewer.cab
O16 - DPF: {8AE03B06-5BDA-44AA-B4AD-72BB01597451} (DaumQLauncher Control) - http://appupdate.popfolder.co.kr/download/DaumQ/DaumQAx.cab
O16 - DPF: {61823E19-C838-4A32-ADDB-950B590BE069} (AxOrgTree Control) - http://groupware.korea.ac.kr/AXOrgTree.cab
O16 - DPF: {C6B89053-6E47-41DB-91A8-EDFE12B56EAF} (AXFileUp Control) - http://groupware.korea.ac.kr/AXFileUp.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {83896843-E656-4DE7-96BD-88E2885B555D} (yessignSM ActiveX Control) - http://trusbill.korea.ac.kr/files/yessignSM.cab
O16 - DPF: {57FA6402-0B12-448F-A58C-6E8AF6921A12} (ListCtrl Class) - http://intranet.korea.ac.kr:8002/crinity/C...tyDocUpload.cab
O16 - DPF: {7C65E65F-5ACA-409E-9D44-79AD833919F8} (ExpressViewer Class) - http://download.softforum.co.kr/XecureExpr...xei_install.cab
O16 - DPF: {0CD2EC08-3CF6-4BC4-BF48-824F4C1994F1} (SecureSession Class) - http://www.samsungfn.com/contents/trustnet...oolkitForIE.cab
O16 - DPF: {EC5D5118-9FDE-4A3E-84F3-C2B711740E70} (SKCommAX Control) - http://www.signkorea.com/SKCommAX.cab
O16 - DPF: {5E582BD1-6FAA-40F2-87A8-130AD325DABB} (Kdfense7 Control) - http://www.samsungfn.com/contents/kdefense...01/kdfense7.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = korea.ac.kr
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 163.152.1.1,163.152.11.6
O18 - Filter: text/html - {42060681-867F-11D9-9C7C-00D025CC0822} - C:\WINDOWS\SYSTEM\IDGMHD.DLL
O18 - Filter: text/plain - {42060681-867F-11D9-9C7C-00D025CC0822} - C:\WINDOWS\SYSTEM\IDGMHD.DLL

#8 penmore

penmore
    Malware Sniffer
  • Members
  • 757 posts
  • Location:West Coast of Scotland

Posted 24 February 2005 - 02:05 PM

Hi billhunsaker,

I just need to double check a couple of things. Please follow these steps:

Step 1:
  • Click on Start, then Run and type msinfo32 and press the OK button.

  • Expand the Software Environment section.

  • Expand the System Hooks section.

  • Look for an entry which may be listed as:

    -Hook type: Window Procedure
    -Hooked by: XXXXX.dll
    -Application: RUNDLL32.EXE
    -Dll path: C:\WINDOWS\SYSTEM\XXXXX.dll
    -Application path: C:\WINDOWS\RUNDLL32.EXE

    Where XXXXX.dll is the file name we are concerned with.

    If you find that file, write down its name.

  • Continue to Step 2.
Step 2:
  • Navigate to c:\startdreck that you downloaded before and double-click on Startdreck.exe

  • When the program opens click on the Config button.

  • Then click on the unmark all button.

  • Then put checkmarks in the following checkboxes:


    Under Registry put a checkmark in the Run Keys checkbox.

    Under System/Drivers put a check in the Running Processes checkbox.

  • Press the OK button.

  • Press the Save button. Type in the location you want to save the log to, or use the defaults which will save the log into the directory you are running the program from. If you choose the defaults the filename for the log will be StartDreck.log.

  • Post a copy of the log as a reply to this post along with the filename found in the first step using msinfo.


#9 billhunsaker (Topic Starter)

Posted 25 February 2005 - 01:11 AM

Hi,

As per your request, the filename for the system hook was not given as a DLL file. The DLL path was C:\windows\printeks.txt for the window procedure. So far today, the se.dll has not turned on, but it has usually turned on at around 16:00. I have to go now or I would wait and check the situation.

Thanks for everything.



StartDreck (build 2.1.7 public stable) - 2005-02-25 @ 15:05:01 (GMT +09:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2600.0000
Logged in as Bill Hunsaker at BILL HUNSAKER

≫Registry
≫Run Keys
≫Current User
≫Run
*ctfmon.exe=ctfmon.exe
*HP JetDiscovery=HPJETDSC.EXE
*SpybotSD TeaTimer=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
≫RunOnce
≫Default User
≫Run
*ctfmon.exe=ctfmon.exe
*HP JetDiscovery=HPJETDSC.EXE
*SpybotSD TeaTimer=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
≫RunOnce
≫Local Machine
≫Run
*레지스트리 검사=c:\windows\scanregw.exe /autorun
*TaskMonitor=c:\windows\taskmon.exe
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*AHNSD="C:\Program Files\Ahnlab\Smart Update Utility\AhnSD.exe"
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
≫RunOnce
≫RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
≫RunServicesOnce
**f=rundll32 C:\WINDOWS\PRINTEKS.TXT,DllGetClassObject
≫RunOnceEx
≫RunServicesOnceEx
≫Files
≫System/Drivers
≫Running Processes
+FFEF6607=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFA90B=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFFBADB=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE91D7=C:\WINDOWS\RUNDLL32.EXE
+FFFE5CF7=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFEBC73=C:\WINDOWS\EXPLORER.EXE
+FFFD7B47=C:\WINDOWS\TASKMON.EXE
+FFFD4CEB=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFD1BF7=C:\PROGRAM FILES\AHNLAB\SMART UPDATE UTILITY\AHNSD.EXE
+FFFD96DB=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
+FFFC30A7=C:\WINDOWS\SYSTEM\CTFMON.EXE
+FFFDC737=C:\WINDOWS\SYSTEM\HPJETDSC.EXE
+FFFC34DB=C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
+FFFCF54B=C:\PROGRAM FILES\AHNLAB\V3\V3P3AT.EXE
+FFFB6753=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFFDEEA3=C:\PROGRAM FILES\AHNLAB\V3\MONSYS32.EXE
+FFF74797=C:\PROGRAM FILES\AHNLAB\V3\MONSYSNT.EXE
+FFFC74A7=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFFC407B=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFFCF867=C:\PROGRAM FILES\SOFTFORUM\XECUREWEB\ACTIVEX\CLIENTSM.EXE
+FFF97D5F=C:\STARTDRECK\STARTDRECK.EXE
≫Application specific

#10 penmore

Posted 25 February 2005 - 02:20 PM

Hello billhunsaker,

Thanks for doing those two runs, it's confirmed the file that is causing the re-infection of your machine. Please follow these steps to remove the file and clean your machine. Safe mode applies in these fixes so you may want to print these instructions:
  • Go to the site: http://www10.brinkster.com/expl0iter/freeatlast/Win98Fix.zip
    • Download Win98Fix.zip and extract it into c:\win98fix.
      Navigate to the c:\win98fix folder and double-click on the RunFix.reg. If it prompts you to allow it to run, say Yes.
      When that is done, reboot your computer.
      Now find C:\windows\printeks.txt, which should now be visible, and delete the file.
  • Download the stand-alone version of CWShredder from Download Link. The Intermute website will open, and in the box in the center of the page there is another hyperlink named Download the stand-alone version of CWShredder. Click on that and you will be asked where you wish to save it. Choose a suitable folder and the program will be saved there. When the download has finished, close that web page. Don't run it just yet.

  • Download Ad-Aware from the following link: Ad-Aware SE Personal 1.05. Install the software and from the opening page click on the Check for update now link. Install any updates that are available, then close Ad-Aware. Full instructions for configuring and running Ad-Aware can be found here. Don't run it now; we will do a full scan later.

  • REBOOT into SafeMode: Starting your computer in Safe mode, use the F8 method.

  • Make sure all browser windows are closed, go to the folder where you saved cwshredder and double click on cwshredder.exe to start the program. Then click on the FIX button (not the "Scan only" button) and let it scan and fix your computer.

  • Run Ad-Aware, Click on the Start button, check the Perform full system scan radio button, Click on the Next button to start the scan. When the scan has finished it will list any infections that it finds. Right click on the screen and select all items, click next to remove the infected entries.

  • Run HijackThis
    Click on the Scan button and when complete
    Put a check beside the item listed below if it is present.
    O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall

    Close all open Explorer windows and browsers
    Click on the "Fix Checked" button
    When complete and all files removed, close the application.

  • Close all windows and browsers that are open.
    Clean out Temporary Folders and Temporary Internet Files as follows:
    • Open the System Security Suite that I had you download earlier.
    • In the Items to Clear tab check:
      - Internet Explorer (left pane): Cookies & Temporary files
      - My Computer (right pane): Temporary files & Recycle Bin
    Click the Clear Selected Items button.
    Close the program.

  • Reboot your machine in normal mode, run HijackThis and post a new log here using the Add Reply button. Let me know how you went on and how things are running now.


#11 billhunsaker (Topic Starter)

Posted 27 February 2005 - 08:39 PM

I appreciate your help on this. After a struggle, I finally was able to access a site to download the win98fix.zip. I ran the zip, it added something to the registry, but the printeks.txt file still does not show up as hoped for. I ran StartDreck again and the file still shows up in RunServicesOnce. Why is it so difficult to download the win98fix.zip? Every site I tried sent me to some form of error page or another.

Help

#12 penmore

Posted 28 February 2005 - 03:28 AM

Hi billhunsaker,

I'm really not sure why you were having problems with the downloads, it's possible that there is another hidden infection on your machine. To save us some time with this, could you always post a new log when you reply. Because the removal is being problematic, I need to see what, if anything, has changed since the last run and to know what the current symptoms are.

I notice that you have TeaTimer enabled and it is possible that this may be interfering with the fixes that we are trying to make. Please follow these instructions to disable it temporarily: Disable TeaTimer. If you are using the machine between fixes then it would be wise to re-enable TeaTimer after you have produced your log for posting, then disable it prior to the next set of fixes.

Once you have TeaTimer disabled, could you try the Win98Fix.zip run again and then try to delete the printeks.txt file if it shows. If you are successful with that then follow the other steps and post back with a new log. Whatever happens, post back with a new log, letting me know how you went on and how the machine is running.


Thanks,
Peter

#13 billhunsaker (Topic Starter)

Posted 28 February 2005 - 10:38 PM

Hi,
Sorry for not posting a log last time. I turned off TeaTimer and tried the process of getting rid of the printeks file, but it still does not appear. I have cleaned the system as you directed before and give you a before-and-after post of the StartDreck log, plus a new HijackThis log.

Thanks

Prior startdreck log:

StartDreck (build 2.1.7 public stable) - 2005-03-01 @ 11:50:45 (GMT +09:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2600.0000
Logged in as Bill Hunsaker at BILL HUNSAKER

≫Registry
≫Run Keys
≫Current User
≫Run
*ctfmon.exe=ctfmon.exe
*HP JetDiscovery=HPJETDSC.EXE
≫RunOnce
≫Default User
≫Run
*ctfmon.exe=ctfmon.exe
*HP JetDiscovery=HPJETDSC.EXE
≫RunOnce
≫Local Machine
≫Run
*레지스트리 검사=c:\windows\scanregw.exe /autorun
*TaskMonitor=c:\windows\taskmon.exe
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*AHNSD="C:\Program Files\Ahnlab\Smart Update Utility\AhnSD.exe"
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
*Inciter Inspector=C:\WINDOWS\INCITERINSTALLER\ICAGENT.EXE
*sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
≫RunOnce
≫RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
≫RunServicesOnce
**wuac=rundll32 C:\WINDOWS\PRINTEKS.TXT,DllGetClassObject
≫RunOnceEx
≫RunServicesOnceEx
≫Internet Explorer
≫Current User
*HomeOldSP=about:blank
*Local Page=C:\WINDOWS\SYSTEM\blank.htm
*Search Bar=res://c:\windows\TEMP\se.dll/sp.html
*Search Page=about:blank
*Start Page=about:blank
*SearchAssistant=about:blank
+SearchUrl
*provider=
≫Default User
*HomeOldSP=about:blank
*Local Page=C:\WINDOWS\SYSTEM\blank.htm
*Search Bar=res://c:\windows\TEMP\se.dll/sp.html
*Search Page=about:blank
*Start Page=about:blank
*SearchAssistant=about:blank
+SearchUrl
*provider=
≫Local Machine
*Default_Page_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
*Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*HomeOldSP=about:blank
*Local Page=c:\windows\SYSTEM\blank.htm
*Search Bar=res://c:\windows\TEMP\se.dll/sp.html
*Search Page=about:blank
*Start Page=about:blank
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=about:blank
≫Files
≫System/Drivers
≫Running Processes
+FFEF62C3=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFADCF=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFFBE1F=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE90DF=C:\WINDOWS\RUNDLL32.EXE
+FFFE59F7=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFEB417=C:\WINDOWS\EXPLORER.EXE
+FFFD4003=C:\WINDOWS\TASKMON.EXE
+FFFD40CB=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFDB5C7=C:\PROGRAM FILES\AHNLAB\SMART UPDATE UTILITY\AHNSD.EXE
+FFFD90C3=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
+FFFD9D3B=C:\WINDOWS\INCITERINSTALLER\ICAGENT.EXE
+FFFDCBDF=C:\WINDOWS\SYSTEM\CTFMON.EXE
+FFFC269F=C:\WINDOWS\SYSTEM\HPJETDSC.EXE
+FFFC028B=C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
+FFFD8667=C:\PROGRAM FILES\AHNLAB\V3\V3P3AT.EXE
+FFFA2657=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFFA444F=C:\WINDOWS\RUNDLL32.EXE
+FFFB03FB=C:\PROGRAM FILES\AHNLAB\V3\MONSYS32.EXE
+FFF8B4D3=C:\PROGRAM FILES\AHNLAB\V3\MONSYSNT.EXE
+FFFAE0C3=C:\STARTDRECK\STARTDRECK.EXE

Later log:

StartDreck (build 2.1.7 public stable) - 2005-03-01 @ 12:30:34 (GMT +09:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2600.0000
Logged in as Bill Hunsaker at BILL HUNSAKER

≫Registry
≫Run Keys
≫Current User
≫Run
*ctfmon.exe=ctfmon.exe
*HP JetDiscovery=HPJETDSC.EXE
*SpybotSD TeaTimer=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
≫RunOnce
≫Default User
≫Run
*ctfmon.exe=ctfmon.exe
*HP JetDiscovery=HPJETDSC.EXE
*SpybotSD TeaTimer=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
≫RunOnce
≫Local Machine
≫Run
*레지스트리 검사=c:\windows\scanregw.exe /autorun
*TaskMonitor=c:\windows\taskmon.exe
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*AHNSD="C:\Program Files\Ahnlab\Smart Update Utility\AhnSD.exe"
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
*Inciter Inspector=C:\WINDOWS\INCITERINSTALLER\ICAGENT.EXE
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
≫RunOnce
≫RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
≫RunServicesOnce
**nme=rundll32 C:\WINDOWS\PRINTEKS.TXT,DllGetClassObject
≫RunOnceEx
≫RunServicesOnceEx
≫Internet Explorer
≫Current User
*Local Page=C:\WINDOWS\SYSTEM\blank.htm
*Search Page=about:blank
*Start Page=http://portal.korea.ac.kr/
+SearchUrl
*provider=
≫Default User
*Local Page=C:\WINDOWS\SYSTEM\blank.htm
*Search Page=about:blank
*Start Page=http://portal.korea.ac.kr/
+SearchUrl
*provider=
≫Local Machine
*Default_Page_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
*Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Local Page=c:\windows\SYSTEM\blank.htm
*Search Bar=
*Search Page=about:blank
*Start Page=about:blank
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=about:blank
≫Files
≫System/Drivers
≫Running Processes
+FFEF6C4F=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFA343=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFFB093=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE9D47=C:\WINDOWS\RUNDLL32.EXE
+FFFE994B=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFEA71F=C:\WINDOWS\EXPLORER.EXE
+FFFD781F=C:\WINDOWS\TASKMON.EXE
+FFFD41F7=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFD4C03=C:\PROGRAM FILES\AHNLAB\SMART UPDATE UTILITY\AHNSD.EXE
+FFFD9DA3=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
+FFFD9FCF=C:\WINDOWS\INCITERINSTALLER\ICAGENT.EXE
+FFFC31C3=C:\WINDOWS\SYSTEM\CTFMON.EXE
+FFFC2A83=C:\WINDOWS\SYSTEM\HPJETDSC.EXE
+FFFDCE13=C:\PROGRAM FILES\AHNLAB\V3\MONSYSNT.EXE
+FFFC4A57=C:\PROGRAM FILES\AHNLAB\V3\V3P3AT.EXE
+FFFCD1C7=C:\PROGRAM FILES\AHNLAB\V3\MONSYS32.EXE
+FFFB8AC3=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFF97AFB=C:\STARTDRECK\STARTDRECK.EXE

hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 오후 12:30:58, on 2005-03-01
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AHNLAB\SMART UPDATE UTILITY\AHNSD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\INCITERINSTALLER\ICAGENT.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\HPJETDSC.EXE
C:\PROGRAM FILES\AHNLAB\V3\MONSYSNT.EXE
C:\PROGRAM FILES\AHNLAB\V3\V3P3AT.EXE
C:\PROGRAM FILES\AHNLAB\V3\MONSYS32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\UNZIPPED\HIJACKTHIS1\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: CIEIntegrator Object - {562C1A20-72E7-4ED8-A26D-0DC57415FE92} - C:\PROGRAM FILES\POPUP GUARD\PGI.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: V3 - {9E3849D6-41EF-4B2F-86B7-632EF90758E4} - C:\PROGRAM FILES\AHNLAB\V3\V3BAR.DLL
O3 - Toolbar: 라디오(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [레지스트리 검사] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AHNSD] "C:\Program Files\Ahnlab\Smart Update Utility\AhnSD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Inciter Inspector] C:\WINDOWS\INCITERINSTALLER\ICAGENT.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [HP JetDiscovery] HPJETDSC.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: SpySubtract.lnk.disabled
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://c:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O16 - DPF: {A1CCCFF4-0DF9-4FFC-99A3-A37A0F3D8E18} (p3bgset Class) - http://player.bugs.co.kr/install/bugsLoader20040708.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://portal.korea.ac.kr/XecureObject/xw_install.cab
O16 - DPF: {EBB9A178-05D2-4DBD-A255-45B9A7EC9F7E} (IdiskLauncher Control) - http://idisk.korea.ac.kr/app/IdiskUpdate.cab
O16 - DPF: {124968E3-A145-40C7-8912-5432EB4908BC} (Project1.LocalExecute) - http://portal.korea.ac.kr/Download/kupid/Project1.CAB
O16 - DPF: {976B9142-EA25-4143-85BD-6E1D544D8AA8} (ChangjoEditor.WebEditor) - http://mail.korea.ac.kr:2001/webeditor/WebEditor.cab
O16 - DPF: {45FC3433-CC83-4D62-991A-BAE9F68EF710} (CrinityUpload Class) - http://mail.korea.ac.kr:2001/activex/CrinityUpload.cab
O16 - DPF: {2E68BEE5-A640-11D2-AEA4-00AA006E5B34} (HnwActiv Control) - http://intranet.korea.ac.kr:8001/allgenact...tiv_3_3_0_3.cab
O16 - DPF: {EA0995BF-45DD-4DB0-ADD5-A39C37397841} (ShbAutoTrustSite Control) - http://image.shinhan.com/bank/etc/TrustSit...oTrustSiteX.cab
O16 - DPF: {6AD92401-CE2D-452B-AA63-1291D60EC2D2} (AxINIplugin40 Control) - http://image.shinhan.com/initech/plugin/ve...INIplugin40.cab
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK3 Control) - http://image.shinhan.com/bank/etc/keyStrok.../4043/SCSK4.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9/dmcc2.cab
O16 - DPF: {1514EB38-3F47-4DB9-B295-21209446CC1A} (SecureSession Class) - http://www.samsunglife.com/cab/SecuiBohumIE.cab
O16 - DPF: {9BDBC41E-C335-4263-83C0-ECE78EE28A33} (SysMonOCX Control) - http://ahnlabdownload.nefficient.co.kr/plu...yfirewall20.cab
O16 - DPF: {B45E969D-924F-4C83-ACF3-38CDD115AA2C} (MpiPlugin Class) - https://www.isaackorea.net/update/ilkactx.cab
O16 - DPF: {2C197E55-080B-42A4-BFD0-9595B3534CF4} (KVPplugin00 Control) - https://www.vpay.co.kr/KVPplugin01.cab
O16 - DPF: {21463B59-2B2E-4BC6-8F2F-A8D80E6B628D} (WebEditorParser.WEParser) - http://intranet.korea.ac.kr:8002/webeditor/WEViewer.cab
O16 - DPF: {8AE03B06-5BDA-44AA-B4AD-72BB01597451} (DaumQLauncher Control) - http://appupdate.popfolder.co.kr/download/DaumQ/DaumQAx.cab
O16 - DPF: {61823E19-C838-4A32-ADDB-950B590BE069} (AxOrgTree Control) - http://groupware.korea.ac.kr/AXOrgTree.cab
O16 - DPF: {C6B89053-6E47-41DB-91A8-EDFE12B56EAF} (AXFileUp Control) - http://groupware.korea.ac.kr/AXFileUp.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {83896843-E656-4DE7-96BD-88E2885B555D} (yessignSM ActiveX Control) - http://trusbill.korea.ac.kr/files/yessignSM.cab
O16 - DPF: {57FA6402-0B12-448F-A58C-6E8AF6921A12} (ListCtrl Class) - http://intranet.korea.ac.kr:8002/crinity/C...tyDocUpload.cab
O16 - DPF: {7C65E65F-5ACA-409E-9D44-79AD833919F8} (ExpressViewer Class) - http://download.softforum.co.kr/XecureExpr...xei_install.cab
O16 - DPF: {0CD2EC08-3CF6-4BC4-BF48-824F4C1994F1} (SecureSession Class) - http://www.samsungfn.com/contents/trustnet...oolkitForIE.cab
O16 - DPF: {EC5D5118-9FDE-4A3E-84F3-C2B711740E70} (SKCommAX Control) - http://www.signkorea.com/SKCommAX.cab
O16 - DPF: {5E582BD1-6FAA-40F2-87A8-130AD325DABB} (Kdfense7 Control) - http://www.samsungfn.com/contents/kdefense...01/kdfense7.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = korea.ac.kr
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 163.152.1.1,163.152.11.6
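The logs in this post, read together with the msinfo32 hook check from post #8, all carry the same fingerprint: a RunServicesOnce value whose name changes on every boot (f, wuac, nme, ubn) while its command never does, a rundll32 load of a file with a .TXT extension, an autorun from C:\WINDOWS\TEMP, and (in the first HijackThis log) a MIME filter on text/html. The script below is an added example written for this page; it is not HijackThis, StartDreck or Killbox code and nobody in the thread ran it. It parses HijackThis O4 and O18 lines and StartDreck's Run Keys output, flags those patterns, and diffs two StartDreck logs to expose the renamed-but-identical persistence entry. The same extension test applies to the "Dll path" msinfo32 reported for the system hook. The sample inputs are copied from the logs posted here; the regexes, the loadable-extension list and the function names are my own assumptions.

```python
"""Triage for the HijackThis and StartDreck logs posted in this thread.
Added example: not code from HijackThis, StartDreck or anyone in the thread.
Sample lines are copied from the posted logs; regexes, heuristics and names
are the example author's assumptions. Runs offline on the embedded samples.
"""
import re

# Extensions rundll32 is legitimately asked to load. Anything else (a .TXT in this
# thread) is a DLL under a misleading name: LoadLibrary ignores the extension.
LOADABLE_EXTS = {".dll", ".ocx", ".cpl", ".drv", ".ax"}
RUN_KEYS = {"Run", "RunOnce", "RunServices", "RunServicesOnce", "RunOnceEx", "RunServicesOnceEx"}
RUNDLL_RE = re.compile(r'^"?(?:[A-Za-z]:\\[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,\s*(\w+)', re.I)
O4_RE = re.compile(r"^O4 - (\S+): \[([^\]]*)\] (.*)$")
O18_RE = re.compile(r"^O18 - Filter: (\S+) - (\{[0-9A-Fa-f-]+\}) - (.*)$")

def rundll_target(command):
    """(module_path, export) when the command runs rundll32, else None."""
    m = RUNDLL_RE.match(command.strip())
    return (m.group(1).strip(), m.group(2)) if m else None

def autorun_reasons(command):
    """Reasons an autorun command deserves a look; an empty list means none."""
    reasons = []
    target = rundll_target(command)
    if target:
        name = target[0].rsplit("\\", 1)[-1]
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext not in LOADABLE_EXTS:
            reasons.append(f"rundll32 loads a module with a non-DLL extension: {target[0]}")
    if "\\temp\\" in command.lower():
        reasons.append("autorun points into a TEMP directory")
    return reasons

def triage_hijackthis(lines):
    """(line, reasons) pairs for the HijackThis O4 and O18 lines worth acting on."""
    flagged = []
    for line in lines:
        m = O4_RE.match(line)
        if m:
            reasons = autorun_reasons(m.group(3))
            if reasons:
                flagged.append((line, reasons))
            continue
        m = O18_RE.match(line)
        if m and m.group(1).lower() in {"text/html", "text/plain"}:
            # A MIME filter on text/html or text/plain sees every page IE renders.
            flagged.append((line, [f"MIME filter hijack of {m.group(1)}: {m.group(3)}"]))
    return flagged

def startdreck_run_entries(text):
    """Map (hive, key, value_name) -> command from StartDreck's Run Keys output."""
    entries, hive, key, in_subkey = {}, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("≫"):      # StartDreck section marker
            name = line[1:]
            if name in ("Current User", "Default User", "Local Machine"):
                hive = name
            else:
                key = name
            in_subkey = False
        elif line.startswith("+"):     # subkey such as OptionalComponents: holds no commands
            in_subkey = True
        elif line.startswith("*") and hive and key in RUN_KEYS and not in_subkey:
            value, _, command = line.lstrip("*").partition("=")
            entries[(hive, key, value)] = command
    return entries

def regenerated_persistence(text_before, text_after):
    """Commands found in both logs under a different value name in the same key.

    That is the f -> wuac -> nme -> ubn pattern in this thread: something re-creates
    the entry every boot, so deleting the value alone never sticks.
    """
    before = startdreck_run_entries(text_before)
    after = startdreck_run_entries(text_after)
    return [(hive, key, old, new, cmd)
            for (hive, key, old), cmd in before.items()
            for (h2, k2, new), cmd2 in after.items()
            if (hive, key) == (h2, k2) and cmd == cmd2 and old != new]

SAMPLE_HJT = [  # copied from the logs posted in this thread
    r"O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall",
    r"O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme",
    r"O18 - Filter: text/html - {42060681-867F-11D9-9C7C-00D025CC0822} - C:\WINDOWS\SYSTEM\IDGMHD.DLL",
]
SAMPLE_BEFORE = r"""≫Local Machine
≫Run
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
≫RunServicesOnce
**wuac=rundll32 C:\WINDOWS\PRINTEKS.TXT,DllGetClassObject
"""
SAMPLE_AFTER = r"""≫Local Machine
≫Run
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
≫RunServicesOnce
**nme=rundll32 C:\WINDOWS\PRINTEKS.TXT,DllGetClassObject
"""
```

Run against the two StartDreck logs above, `regenerated_persistence` returns the single Local Machine\RunServicesOnce entry whose name moved from wuac to nme while the PRINTEKS.TXT command stayed identical; `triage_hijackthis` flags the se.dll Run entry (TEMP path) and the text/html filter, and leaves the LoadPowerProfile line alone.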

#14 penmore

Posted 01 March 2005 - 02:10 PM

Hi billhunsaker,

That's a real stubborn file so let's try these steps.
  • Download Killbox here:

    KillBox

    Unzip the folder to your desktop.

    Start Killbox.exe

    When it is open, enter C:\WINDOWS\PRINTEKS.TXT into the field labeled "Full path of file to delete".

    Select the Delete on reboot option.

    Then press the button that looks like a red circle with a white X in it.

    Your computer will reboot.

  • Close all windows and browsers that are open.
    Clean out Temporary Folders and Temporary Internet Files as follows:
    • Open the System Security Suite that I had you download earlier.
    • In the Items to Clear tab check:
      - Internet Explorer (left pane): Cookies & Temporary files
      - My Computer (right pane): Temporary files & Recycle Bin
    Click the Clear Selected Items button.
    Close the program.

  • Reboot your machine, run StartDreck and HijackThis and post both logs here. Please let me know how things are running now.
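Killbox's "Delete on reboot" needs an operating-system hook to remove a file that is in use at the next boot. On Windows 95/98 that facility is the [rename] section of C:\WINDOWS\WININIT.INI, processed by WININIT.EXE before the shell loads: NUL=<path> deletes <path>, and <new>=<old> renames. The example below is added here and is not Killbox's code; that Killbox uses WININIT.INI on Windows 98 is an assumption of mine. It builds the section, keeps any entries another installer already queued, and refuses paths that are not 8.3 short names, which WININIT.INI does not accept: C:\WINDOWS\PRINTEKS.TXT qualifies, anything under C:\Program Files does not.

```python
r"""Boot-time delete for Windows 9x via the [rename] section of WININIT.INI.
Added example, not Killbox's code and not from the thread. WININIT.EXE reads
C:\WINDOWS\WININIT.INI on the next boot, before the shell loads, then renames it
to WININIT.BAK. In [rename], "NUL=<path>" deletes <path> and "<new>=<old>"
renames (destination on the left). That Killbox's "Delete on reboot" uses this
file on Windows 98 is an assumption. WININIT.INI does not accept long file
names, so every path is checked for 8.3 form before it is written.
"""
import re

# One 8.3 name component: up to 8 characters, optional dot plus up to 3.
SHORT_COMPONENT = re.compile(r"^[A-Za-z0-9_$~!#%&'()@^`{}-]{1,8}(\.[A-Za-z0-9_$~!#%&'()@^`{}-]{1,3})?$")


def is_short_path(path):
    """True for an absolute path whose every component is a valid 8.3 name."""
    if not re.match(r"^[A-Za-z]:\\", path):
        return False
    return all(SHORT_COMPONENT.match(p) for p in path[3:].split("\\"))


def wininit_rename_section(delete=(), rename=(), existing=""):
    """Return WININIT.INI text whose [rename] section performs the requested work.

    delete:   paths to remove at boot (each written as NUL=<path>)
    rename:   (old, new) pairs (each written as <new>=<old>)
    existing: current WININIT.INI contents; its [rename] lines are kept so a
              pending entry from another installer is not silently dropped.
    Raises ValueError for any path that is not in 8.3 form.
    """
    lines, in_rename = [], False
    for raw in existing.splitlines():
        s = raw.strip()
        if s.startswith("["):
            in_rename = s.lower() == "[rename]"
        elif in_rename and "=" in s:
            lines.append(s)
    for path in delete:
        if not is_short_path(path):
            raise ValueError(f"not an 8.3 path, WININIT.EXE would not process it: {path}")
        lines.append(f"NUL={path}")
    for old, new in rename:
        for p in (old, new):
            if not is_short_path(p):
                raise ValueError(f"not an 8.3 path, WININIT.EXE would not process it: {p}")
        lines.append(f"{new}={old}")
    return "[rename]\n" + "".join(line + "\n" for line in lines)
```

An entry for a file that is not on disk at boot does nothing useful, which matches the "no such file" result reported in the next post: if the file really is absent, the live artifact is the registry value and whatever re-creates it, not PRINTEKS.TXT itself.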


#15 billhunsaker (Topic Starter)

Posted 01 March 2005 - 10:22 PM

Hi,

No good news to report. I ran killbox as explained, but nothing changed, so I tried a standard deletion, and got a message stating that such a file does not exist. Here are my logs after I did a standard cleanup as explained a long time ago:

Logfile of HijackThis v1.99.1
Scan saved at 오후 12:14:52, on 2005-03-02
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AHNLAB\SMART UPDATE UTILITY\AHNSD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\INCITERINSTALLER\ICAGENT.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\HPJETDSC.EXE
C:\PROGRAM FILES\AHNLAB\V3\MONSYSNT.EXE
C:\PROGRAM FILES\AHNLAB\V3\V3P3AT.EXE
C:\PROGRAM FILES\AHNLAB\V3\MONSYS32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\UNZIPPED\HIJACKTHIS1\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: CIEIntegrator Object - {562C1A20-72E7-4ED8-A26D-0DC57415FE92} - C:\PROGRAM FILES\POPUP GUARD\PGI.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: V3 - {9E3849D6-41EF-4B2F-86B7-632EF90758E4} - C:\PROGRAM FILES\AHNLAB\V3\V3BAR.DLL
O3 - Toolbar: 라디오(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [레지스트리 검사] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AHNSD] "C:\Program Files\Ahnlab\Smart Update Utility\AhnSD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Inciter Inspector] C:\WINDOWS\INCITERINSTALLER\ICAGENT.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [HP JetDiscovery] HPJETDSC.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: SpySubtract.lnk.disabled
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://c:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O16 - DPF: {A1CCCFF4-0DF9-4FFC-99A3-A37A0F3D8E18} (p3bgset Class) - http://player.bugs.co.kr/install/bugsLoader20040708.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://portal.korea.ac.kr/XecureObject/xw_install.cab
O16 - DPF: {EBB9A178-05D2-4DBD-A255-45B9A7EC9F7E} (IdiskLauncher Control) - http://idisk.korea.ac.kr/app/IdiskUpdate.cab
O16 - DPF: {124968E3-A145-40C7-8912-5432EB4908BC} (Project1.LocalExecute) - http://portal.korea.ac.kr/Download/kupid/Project1.CAB
O16 - DPF: {976B9142-EA25-4143-85BD-6E1D544D8AA8} (ChangjoEditor.WebEditor) - http://mail.korea.ac.kr:2001/webeditor/WebEditor.cab
O16 - DPF: {45FC3433-CC83-4D62-991A-BAE9F68EF710} (CrinityUpload Class) - http://mail.korea.ac.kr:2001/activex/CrinityUpload.cab
O16 - DPF: {2E68BEE5-A640-11D2-AEA4-00AA006E5B34} (HnwActiv Control) - http://intranet.korea.ac.kr:8001/allgenact...tiv_3_3_0_3.cab
O16 - DPF: {EA0995BF-45DD-4DB0-ADD5-A39C37397841} (ShbAutoTrustSite Control) - http://image.shinhan.com/bank/etc/TrustSit...oTrustSiteX.cab
O16 - DPF: {6AD92401-CE2D-452B-AA63-1291D60EC2D2} (AxINIplugin40 Control) - http://image.shinhan.com/initech/plugin/ve...INIplugin40.cab
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK3 Control) - http://image.shinhan.com/bank/etc/keyStrok.../4043/SCSK4.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9/dmcc2.cab
O16 - DPF: {1514EB38-3F47-4DB9-B295-21209446CC1A} (SecureSession Class) - http://www.samsunglife.com/cab/SecuiBohumIE.cab
O16 - DPF: {9BDBC41E-C335-4263-83C0-ECE78EE28A33} (SysMonOCX Control) - http://ahnlabdownload.nefficient.co.kr/plu...yfirewall20.cab
O16 - DPF: {B45E969D-924F-4C83-ACF3-38CDD115AA2C} (MpiPlugin Class) - https://www.isaackorea.net/update/ilkactx.cab
O16 - DPF: {2C197E55-080B-42A4-BFD0-9595B3534CF4} (KVPplugin00 Control) - https://www.vpay.co.kr/KVPplugin01.cab
O16 - DPF: {21463B59-2B2E-4BC6-8F2F-A8D80E6B628D} (WebEditorParser.WEParser) - http://intranet.korea.ac.kr:8002/webeditor/WEViewer.cab
O16 - DPF: {8AE03B06-5BDA-44AA-B4AD-72BB01597451} (DaumQLauncher Control) - http://appupdate.popfolder.co.kr/download/DaumQ/DaumQAx.cab
O16 - DPF: {61823E19-C838-4A32-ADDB-950B590BE069} (AxOrgTree Control) - http://groupware.korea.ac.kr/AXOrgTree.cab
O16 - DPF: {C6B89053-6E47-41DB-91A8-EDFE12B56EAF} (AXFileUp Control) - http://groupware.korea.ac.kr/AXFileUp.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {83896843-E656-4DE7-96BD-88E2885B555D} (yessignSM ActiveX Control) - http://trusbill.korea.ac.kr/files/yessignSM.cab
O16 - DPF: {57FA6402-0B12-448F-A58C-6E8AF6921A12} (ListCtrl Class) - http://intranet.korea.ac.kr:8002/crinity/C...tyDocUpload.cab
O16 - DPF: {7C65E65F-5ACA-409E-9D44-79AD833919F8} (ExpressViewer Class) - http://download.softforum.co.kr/XecureExpr...xei_install.cab
O16 - DPF: {0CD2EC08-3CF6-4BC4-BF48-824F4C1994F1} (SecureSession Class) - http://www.samsungfn.com/contents/trustnet...oolkitForIE.cab
O16 - DPF: {EC5D5118-9FDE-4A3E-84F3-C2B711740E70} (SKCommAX Control) - http://www.signkorea.com/SKCommAX.cab
O16 - DPF: {5E582BD1-6FAA-40F2-87A8-130AD325DABB} (Kdfense7 Control) - http://www.samsungfn.com/contents/kdefense...01/kdfense7.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = korea.ac.kr
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 163.152.1.1,163.152.11.6

StartDreck (build 2.1.7 public stable) - 2005-03-02 @ 12:14:32 (GMT +09:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2600.0000
Logged in as Bill Hunsaker at BILL HUNSAKER

≫Registry
≫Run Keys
≫Current User
≫Run
*ctfmon.exe=ctfmon.exe
*HP JetDiscovery=HPJETDSC.EXE
≫RunOnce
≫Default User
≫Run
*ctfmon.exe=ctfmon.exe
*HP JetDiscovery=HPJETDSC.EXE
≫RunOnce
≫Local Machine
≫Run
*레지스트리 검사=c:\windows\scanregw.exe /autorun
*TaskMonitor=c:\windows\taskmon.exe
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*AHNSD="C:\Program Files\Ahnlab\Smart Update Utility\AhnSD.exe"
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
*Inciter Inspector=C:\WINDOWS\INCITERINSTALLER\ICAGENT.EXE
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
≫RunOnce
≫RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
≫RunServicesOnce
**ubn=rundll32 C:\WINDOWS\PRINTEKS.TXT,DllGetClassObject
≫RunOnceEx
≫RunServicesOnceEx
≫Internet Explorer
≫Current User
*Local Page=C:\WINDOWS\SYSTEM\blank.htm
*Search Page=about:blank
*Start Page=http://portal.korea.ac.kr/
+SearchUrl
*provider=
≫Default User
*Local Page=C:\WINDOWS\SYSTEM\blank.htm
*Search Page=about:blank
*Start Page=http://portal.korea.ac.kr/
+SearchUrl
*provider=
≫Local Machine
*Default_Page_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
*Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Local Page=c:\windows\SYSTEM\blank.htm
*Search Bar=
*Search Page=about:blank
*Start Page=about:blank
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=about:blank
≫Files
≫System/Drivers
≫Running Processes
+FFEF6F3B=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFA037=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFFB3E7=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE9E77=C:\WINDOWS\RUNDLL32.EXE
+FFFE57AF=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFEB66F=C:\WINDOWS\EXPLORER.EXE
+FFFD4AEF=C:\WINDOWS\TASKMON.EXE
+FFFDE963=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFDB067=C:\PROGRAM FILES\AHNLAB\SMART UPDATE UTILITY\AHNSD.EXE
+FFFD8793=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
+FFFC3EFF=C:\WINDOWS\INCITERINSTALLER\ICAGENT.EXE
+FFFDD9B7=C:\WINDOWS\SYSTEM\CTFMON.EXE
+FFFDCAF3=C:\WINDOWS\SYSTEM\HPJETDSC.EXE
+FFFDA10B=C:\PROGRAM FILES\AHNLAB\V3\MONSYSNT.EXE
+FFFC63D3=C:\PROGRAM FILES\AHNLAB\V3\V3P3AT.EXE
+FFFB3B57=C:\PROGRAM FILES\AHNLAB\V3\MONSYS32.EXE
+FFFBEB7F=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFFA9E0F=C:\STARTDRECK\STARTDRECK.EXE
≫Application specific



