
HijackThis Log: Please help Diagnose
4 replies to this topic

#1 he43200


  • Members
  • 4 posts

Posted 12 October 2004 - 11:44 PM

Hi! Sir
I need your help for this diagnosis.


Logfile of HijackThis v1.98.2
Scan saved at 오전 12:26:43, on 2004-10-13
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\toshiba\ivp\ISM\pinger.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\AhnLab\Smart Update Utility\AhnSD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AhnLab\Smart Update Utility\Ahnsdsv.exe
C:\PROGRA~1\Ahnlab\V3\MonSvcNT.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\He43200\My Documents\hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Pinger] C:\toshiba\ivp\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [AHNSD] "C:\Program Files\AhnLab\Smart Update Utility\AhnSD.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted Zone: http://www.gopd.co.kr
O15 - Trusted Zone: http://cfolder.nownuri.net
O15 - Trusted Zone: http://client.nownuri.net
O15 - Trusted Zone: http://club.nownuri.net
O15 - Trusted Zone: http://help.nownuri.net
O15 - Trusted Zone: http://helpdesk.nownuri.net
O15 - Trusted Zone: http://join.nownuri.net
O15 - Trusted Zone: http://mplug.nownuri.net
O15 - Trusted Zone: http://pdsfind1.nownuri.net
O15 - Trusted Zone: http://www.nownuri.net
O15 - Trusted Zone: http://adrenalin.pdbox.co.kr
O15 - Trusted Zone: http://bbs.pdbox.co.kr
O15 - Trusted Zone: http://bbs2.pdbox.co.kr
O15 - Trusted Zone: http://bbs3.pdbox.co.kr
O15 - Trusted Zone: http://bbs4.pdbox.co.kr
O15 - Trusted Zone: http://client.pdbox.co.kr
O15 - Trusted Zone: http://cp.pdbox.co.kr
O15 - Trusted Zone: http://find.pdbox.co.kr
O15 - Trusted Zone: http://ftp2.pdbox.co.kr
O15 - Trusted Zone: http://gopd.pdbox.co.kr
O15 - Trusted Zone: http://help.pdbox.co.kr
O15 - Trusted Zone: http://mboard.pdbox.co.kr
O15 - Trusted Zone: http://media.cp.pdbox.co.kr
O15 - Trusted Zone: http://mfind.pdbox.co.kr
O15 - Trusted Zone: http://my.pdbox.co.kr
O15 - Trusted Zone: http://point.pdbox.co.kr
O15 - Trusted Zone: http://shop.pdbox.co.kr
O15 - Trusted Zone: http://side.pdbox.co.kr
O15 - Trusted Zone: http://www.pdbox.co.kr
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {021D0DFA-A386-43CC-BF60-C9CDB24D48B9} (FreeBBS Control) - http://pdslist-download.korea.com/Freebbs/...510/BBSList.cab
O16 - DPF: {02F47BAC-7A71-4A36-AD16-6026879353B2} (PersonalVideoManager Control) - http://www.cinewel.com/player/pvm_activex/...ideoManager.cab
O16 - DPF: {091CDD73-1401-4643-9B9C-65B091C88685} (MyLinker Control) - http://sbsi.contents.mylinker.co.kr/module/MyLinker.cab
O16 - DPF: {0F1DC5CC-9123-4F19-A560-0308B04F9A93} (HotInstallX Control) - http://www.hotdisk.co.kr/HotDiskX/HotInstallX.cab
O16 - DPF: {0FFFFFFF-0FFF-0FFF-0FFF-0FFFFFFFFFFF} - http://www.pcflashbang.com/statistics/inst.exe
O16 - DPF: {1CF034F9-79AC-427B-9A51-9B909EC3CF85} (WebMSN_IEObj Class) - http://blogimgs.naver.com/msg/Webmsn_comp_1_0_0_6.CAB
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.zeromovie.com/obj/zero.CAB
O16 - DPF: {2C197E55-080B-42A4-BFD0-9595B3534CF4} (KVPplugin00 Control) - https://www.vpay.co.kr/KVPplugin01.cab
O16 - DPF: {31FA72F5-BE46-4D6D-A10D-857C8D6F4BFA} (OrangeFileSearch Control) - http://www.orangefile.com/ActiveX/OrangeFileSearch.cab
O16 - DPF: {49EA1597-4149-42FC-A01D-A03E07980D37} (WiseInstaller Class) - http://www.wisebook.com/DownloadFiles/view...seInstaller.dll
O16 - DPF: {50CCFB7C-2BBC-420D-AEF7-BE13599696ED} (ActivePDS Control) - http://www.coolpy.com/program/ActivePDS.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095264712449
O16 - DPF: {642BA26B-F76D-4E0D-8421-B24CA1A82EF0} (ChatClubYahoo Control) - http://kr.talk.club.yahoo.com/OPI/ChatClubYahoo.cab
O16 - DPF: {66B30EA0-C033-4D4B-9F90-EA0AF07363AF} (BugsMediaPlayer Control) - http://starbbs.isp.st/lib/BugsOggPlay_6.CAB
O16 - DPF: {6AD92401-CE2D-452B-AA63-1291D60EC2D2} (AxINIplugin40 Control) - http://member.nate.com/initech/plugin/axINIplugin40.cab
O16 - DPF: {6B5C8E55-A33E-4C27-AACD-C947BA30C379} (NDoc Blog) - http://www.1472.com/NDocCtrl.cab
O16 - DPF: {6F4863C1-482C-4744-8946-4AEA34DF1A16} (FreechalOn Class) - http://login.freechal.com/freechalon/FcOnCtl8.cab
O16 - DPF: {714A816C-00C1-4EB0-BAC7-2602CACC0928} (HotDiskX Control) - http://www.hotdisk.co.kr/HotX/HotDiskX.cab
O16 - DPF: {7589EEE6-E336-11D4-8A7E-EE1D971D9B47} (AcontiX Control) - http://secure.aconti.net/acontix/goodthinxx.cab
O16 - DPF: {799BB2EC-572A-42A9-84AD-112806F4F551} (Imweb Control) - http://activexdown.paran.com/paranactivex/data/imweb.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} - http://download.softforum.co.kr/XecureObje...w50_install.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab
O16 - DPF: {8AE03B06-5BDA-44AA-B4AD-72BB01597451} (DaumQLauncher Control) - http://appupdate.popfolder.co.kr/download/DaumQ/DaumQAx.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab8/dmcc2.cab
O16 - DPF: {97745861-F1A6-45B2-8AD1-0C17334550E6} (YahooCabinet Control) - http://img.yahoo.co.kr/ycabinet/cab/YahooCabinet.cab
O16 - DPF: {9AEBAA67-8B4D-4884-9EB7-8C6BEA20CE5C} (FileManager Control) - http://club.nate.com/NetEditor.cab
O16 - DPF: {A977FF0C-8757-4E76-8533-482F91946233} (Pmang & SayClub Login Control) - http://dl.sayclub.com/sayclub/sayctl/sayax.cab
O16 - DPF: {D68E9D4E-B2D0-467C-985E-D0D341E554D6} - http://vidr.net/preg/activex/vidrinst.cab
O16 - DPF: {ED1EEBEE-F0AA-474B-9829-61C482E72644} (PDBox25 Control) - http://www.pdbox.co.kr/filebox/ctrl_down/PDBox25.cab
O16 - DPF: {F480B021-E226-406F-A23D-22118518B736} (Login Control) - http://serverlist.kibs.net/dev/upgrade/vch...tivex/login.cab
O16 - DPF: {FA3543AF-F224-4FB1-BBBA-9794C0122DD0} (EmpasWebMessenger Control) - http://download.messenger.empas.com:8080/kplantwebmsgr.cab
O16 - DPF: {FC9BD724-1F5F-4EA9-BB56-B71C44094455} (CholFC Control) - http://club.chol.com/filectrl/CholFC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{318FB66D-701B-4400-9970-683A54996CF3}: NameServer = 24.95.80.41,24.95.80.49
O17 - HKLM\System\CS1\Services\Tcpip\..\{318FB66D-701B-4400-9970-683A54996CF3}: NameServer = 24.95.80.41,24.95.80.49

Thanks for all your help.

Gloria


#2 ddeerrff


    Retired


  • Malware Response Team
  • 2,735 posts
  • Gender:Male
  • Location:Upper Midwest, US

Posted 13 October 2004 - 12:19 AM

Looking it over. Be back with you soon.
Derfram
~~~~~~

#3 ddeerrff


    Retired


  • Malware Response Team
  • 2,735 posts
  • Gender:Male
  • Location:Upper Midwest, US

Posted 13 October 2004 - 08:38 AM

Hello he43200 and welcome to Bleeping Computer.

Start HJT and click on the SCAN button. Put a check mark in front of the following lines:

You have many pages listed in the 'Trusted Zone'. Unless you specifically placed these there yourself, select for removal:

O15 - Trusted Zone: http://www.gopd.co.kr
O15 - Trusted Zone: http://cfolder.nownuri.net
O15 - Trusted Zone: http://client.nownuri.net
O15 - Trusted Zone: http://club.nownuri.net
O15 - Trusted Zone: http://help.nownuri.net
O15 - Trusted Zone: http://helpdesk.nownuri.net
O15 - Trusted Zone: http://join.nownuri.net
O15 - Trusted Zone: http://mplug.nownuri.net
O15 - Trusted Zone: http://pdsfind1.nownuri.net
O15 - Trusted Zone: http://www.nownuri.net
O15 - Trusted Zone: http://adrenalin.pdbox.co.kr
O15 - Trusted Zone: http://bbs.pdbox.co.kr
O15 - Trusted Zone: http://bbs2.pdbox.co.kr
O15 - Trusted Zone: http://bbs3.pdbox.co.kr
O15 - Trusted Zone: http://bbs4.pdbox.co.kr
O15 - Trusted Zone: http://client.pdbox.co.kr
O15 - Trusted Zone: http://cp.pdbox.co.kr
O15 - Trusted Zone: http://find.pdbox.co.kr
O15 - Trusted Zone: http://ftp2.pdbox.co.kr
O15 - Trusted Zone: http://gopd.pdbox.co.kr
O15 - Trusted Zone: http://help.pdbox.co.kr
O15 - Trusted Zone: http://mboard.pdbox.co.kr
O15 - Trusted Zone: http://media.cp.pdbox.co.kr
O15 - Trusted Zone: http://mfind.pdbox.co.kr
O15 - Trusted Zone: http://my.pdbox.co.kr
O15 - Trusted Zone: http://point.pdbox.co.kr
O15 - Trusted Zone: http://shop.pdbox.co.kr
O15 - Trusted Zone: http://side.pdbox.co.kr
O15 - Trusted Zone: http://www.pdbox.co.kr

Definitely mark these for removal:

O16 - DPF: {0FFFFFFF-0FFF-0FFF-0FFF-0FFFFFFFFFFF} - http://www.pcflashbang.com/statistics/inst.exe
O16 - DPF: {7589EEE6-E336-11D4-8A7E-EE1D971D9B47} (AcontiX Control) - http://secure.aconti.net/acontix/goodthinxx.cab

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.

Reboot and post a new log.

Is there a particular problem you are having?
Derfram
~~~~~~
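As an added illustration (not part of this thread or of HijackThis itself), the triage the helper applies above can be written as a small parser for HijackThis O15/O16/O17 lines. The sample lines are copied from the log in this thread; the list of hosts to remove is an assumption taken from the helper's instructions, and the ".exe via DPF" rule is a general heuristic, not something HijackThis reports.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a few lines in HijackThis O15/O16/O17 format, copied
# from the log posted in this thread (not the complete log).
SAMPLE_LOG = r"""
O15 - Trusted Zone: http://www.gopd.co.kr
O15 - Trusted Zone: http://www.pdbox.co.kr
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: {0FFFFFFF-0FFF-0FFF-0FFF-0FFFFFFFFFFF} - http://www.pcflashbang.com/statistics/inst.exe
O16 - DPF: {7589EEE6-E336-11D4-8A7E-EE1D971D9B47} (AcontiX Control) - http://secure.aconti.net/acontix/goodthinxx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095264712449
O17 - HKLM\System\CCS\Services\Tcpip\..\{318FB66D-701B-4400-9970-683A54996CF3}: NameServer = 24.95.80.41,24.95.80.49
"""

O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<url>\S+)$")
O16_RE = re.compile(r"^O16 - DPF: (?:\{(?P<clsid>[0-9A-Fa-f-]+)\}|(?P<label>.+?))"
                    r"(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>[\d.,]+)$")

# Assumption: hosts the helper in this thread told the poster to remove outright.
NAMED_IN_THREAD = ("pcflashbang.com", "aconti.net")


def host_matches(url, domains):
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(log_text):
    """Sort O15/O16/O17 lines into review / remove / check / ok buckets."""
    out = {"review": [], "remove": [], "check": [], "ok": []}
    for line in log_text.strip().splitlines():
        if m := O15_RE.match(line):
            # Trusted Zone relaxes IE's security settings for that site:
            # keep only entries the user added deliberately.
            out["review"].append(m["url"])
        elif m := O16_RE.match(line):
            url = m["url"]
            is_exe = urlparse(url).path.lower().endswith(".exe")
            if is_exe or host_matches(url, NAMED_IN_THREAD):
                # A DPF entry that pulled a bare .exe, or one named in the thread.
                out["remove"].append(url)
            else:
                out["ok"].append(url)
        elif m := O17_RE.match(line):
            # DNS servers set in the registry: confirm they belong to the ISP.
            out["check"].append(m["servers"])
    return out


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        for item in items:
            print(f"{bucket:7} {item}")
```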

#4 he43200

  • Topic Starter

  • Members
  • 4 posts

Posted 13 October 2004 - 07:28 PM

Hi! Derf

Thanks for all your help. I did what you taught me.
Actually, I don't have any problem now. Thanks.
However, when I downloaded from the webhard, the download speed was very slow.
I don't know why.
Do you have any idea about that?
Also, I got a security warning note from the virus scan.
I have put what I got here.

Security Warning Report - 2004-10-13 오후 8:07:08

Critical Middle Weakness in Windows Messenger Service remote code execution Please run the patch from 'Related information' to resolve this vulnerability.
Critical Middle Weakness for buffer overflow in Windows Help and support center Please run the patch from 'Related information' to resolve this vulnerability.
Critical High Checking for the shared folder SharedDocs(C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS) Viruses may be spread through shared folders. Please disable file/folder sharing or set it for read-only access.
Critical High Cumulative Security Update for Internet Explorer (832894) Please run the patch from 'Related information' to resolve this vulnerability.
Critical High Cumulative Patch for Microsoft Internet Explorer Please run the patch from 'Related information' to resolve this vulnerability.
Critical High Weakness for Windows Authenticode confirmation Please run the patch from 'Related information' to resolve this vulnerability.
Critical High Checking for the shared folder print$(C:\WINDOWS\System32\spool\drivers) Viruses may be spread through shared folders. Please disable file/folder sharing or set it for read-only access.
Safe Low Checking for vulnerabilities of a changed UpnP (Win XP) Additional information can be obtained from 'Related information.'
Safe High Weakness in RPCSS service code execution Additional information can be obtained from 'Related information.'
Safe High Checking for vulnerabilities caused by DOS attacks using Buffer Overrun of SMB Additional information can be obtained from 'Related information.'
Safe High Checking for vulnerabilities of Windows Help function buffer overrun. Additional information can be obtained from 'Related information.'
Safe High Checking for vulnerabilities of Parsing in Outlook Express S/MIME Additional information can be obtained from 'Related information.'
Safe Middle Checking for vulnerabilities in MS Windows XP Help Additional information can be obtained from 'Related information.'
Safe High ASN.1 Vulnerability Could Allow Code Execution (828028) Additional information can be obtained from 'Related information.'

What should I do about this warning?
Please, help me.
Thanks.

he43200

#5 ddeerrff


    Retired


  • Malware Response Team
  • 2,735 posts
  • Gender:Male
  • Location:Upper Midwest, US

Posted 13 October 2004 - 11:04 PM

Hello again he43200.

Many things can affect the rate at which you can download from the internet. I do not believe any continuing slowdown is virus or malware related.

I'm not familiar with AhnLab's antivirus, but it appears to be warning you of possible Windows security vulnerabilities. You have Service Pack 1 (SP1) installed, which is good, but there have been a large number of critical Windows Updates made available since SP1 and I have no way to tell from your HJT log whether you have them all installed.

In fact Service Pack 2 (SP2) is now available for Windows XP, but it is important that your machine is clear of all viruses and malware before installing it.

Please post a new HJT log and if it's clear I'll give you the go-ahead for SP2.
Derfram
~~~~~~
