Trojan/addestroyer/winfixer Pop Up/surfsidekick 3/ Virtual Bouncer/ Virtumonde/freeprod


15 replies to this topic

#1 jkm03

jkm03

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:54 PM

Posted 25 November 2005 - 07:04 AM

I really don't know what I'm doing. I downloaded Ad-Aware and it couldn't delete Surf sidekick 3 or Virtual bouncer, so I got HJThis and deleted anything with SSK3 and VB attached, with caution (I think). Now the volume increase/decrease and mute buttons on my laptop don't work and worst of all I STILL HAVE POP UPS!

Through all of my attempts to fix this problem I've seen all of the following in the topic title.

I saved my logfile. Can you take a look at it and let me know where the problem is?


Logfile of HijackThis v1.99.1
Scan saved at 오후 12:04:10, on 2005-11-25
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\NPDTray.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\진소영\My Documents\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: XBTP07618 - {2296428D-C133-4928-B76A-A200FF409572} - C:\PROGRA~1\FREEPR~1\freeprod.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\zd7bjb8.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C56C7728-DA03-FA21-A320-BFB5DA591908} - C:\WINDOWS\Wcxhpgxm.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: 라디오(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll (file missing)
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NPDTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\NPDTray.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\wyaori.exe reg_run
O4 - HKLM\..\RunOnce: [1b07m27.exe] C:\WINDOWS\System32\1b07m27.exe /k
O4 - HKCU\..\RunOnce: [1b07m27.exe] C:\WINDOWS\System32\1b07m27.exe /k
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll (file missing)
O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {091CDD73-1401-4643-9B9C-65B091C88685} (MyLinker Control) - http://imbc.contents.mylinker.co.kr/module/MyLinker.cab
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.conpia.com/0401/component/AlwaysOn.CAB
O16 - DPF: {340CCF52-D65F-4A11-80B3-13DC23697B59} (BugsInstall Control) - http://player.bugs.co.kr/install/BugsInstall_2005_11_06.cab
O16 - DPF: {474AD63A-9B7E-40FE-8E4E-7067CC0F8D3D} (IB_OnAir.IBOnAir) - http://ionair.sbs.co.kr/new_onair/IB_OnAir.CAB
O16 - DPF: {51C99F40-9E0E-4BF1-A92A-77121CC01AD0} (IMBCClient Control) - http://touch.imbc.com/ocx/Online.cab
O16 - DPF: {5C899971-E9D6-4496-8077-98378408E340} (MPControl Control) - http://mplay.sbs.co.kr/players/SBSiMPControl.cab
O16 - DPF: {5D9446DB-E849-4B95-9872-D0C21343ABF0} (MAWizard Class) - http://www.csafer.net/ActiveX/MASetupWizard.cab
O16 - DPF: {858033B9-13BC-4DFE-B62A-78E1FAA0DFD7} (MABugsDownload Control) - http://www.csafer.net/activex/mabugsdownload.cab
O16 - DPF: {85F5F47F-D57F-42D2-B2DD-AFD7BC536DE0} (Zchkrec Control) - http://www.conpia.com/0401/player/zchkrec.cab
O16 - DPF: {87B9BA5F-0028-4CA2-8FC3-E07658AB4D4E} (소리바다 오르골 웹 패키지 설치 컨트롤) - http://download.soribada.com/down/Orgel/SBORGELI.OCX
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9_1/dmcc2.cab?Version=1,0,0,10
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/XTools.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://209.190.18.194/PopupSh.ocx
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworld.nate.com/cymusic/package/skcbgmset.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B869F34A-A5AD-47B8-AC46-FF5A614F3D44} (MPIClient Control) - https://mpi.tgcorp.com/mall/MPIClient.cab
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/bugsLoader20041018.cab
O16 - DPF: {CF362BDB-4EA2-11D5-AB47-000102913414} (SetGlb Control) - http://touch.imbc.com/ocx/SetGlb.cab
O16 - DPF: {D8F001C6-43B1-4CFD-9DAF-C8BEAE0E2B6D} (Touch Control) - http://touch.imbc.com/ocx/test/Online.cab
O16 - DPF: {DA54C9C1-8109-43C9-9C80-E4210CEDF147} (EzwonSession Control) - http://wedisk.co.kr/app/EzwonSessionCtl.cab
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - https://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {8253D547-38DD-4325-B35A-F1817EDFA5F5} - C:\Program Files\System Files\plugin.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Norton AntiVirus 자동 보호 서비스 (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
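
One way to sort a HijackThis log like the one above by section and pull out the entries a helper reads first (orphaned references, unnamed BHOs, RunOnce launchers, an ActiveX download from a bare IP, a text/html filter, services with no owner string). This is an added example, not code from the thread or from HijackThis; the sample lines are copied from the log posted above, and the flags are triage heuristics, not verdicts.

```python
"""Triage helper for HijackThis v1.99.1 log entries (added example)."""
import re
from collections import Counter

# Every entry is "<section> - <body>", e.g. "O2 - BHO: NAV Helper - {CLSID} - C:\...\NavShExt.dll"
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - (.+)$")
# First Windows path in the body, up to the module extension; trailing
# arguments ("/k", "reg_run") and "(file missing)" are left out.
PATH_RE = re.compile(r"[A-Z]:\\.*?\.(?:exe|dll|ocx|sys|dat)\b", re.I)
# O16 DPF entries whose package URL is a raw IPv4 address rather than a host name
BARE_IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}[/:]")


def parse_entry(line):
    """Return {'section', 'body', 'path', 'flags'} for an entry line, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    path_m = PATH_RE.search(body)
    path = path_m.group(0) if path_m else None
    flags = []
    if "(file missing)" in body or "(no file)" in body:
        flags.append("orphan")          # registry still points at a file that is gone
    if section == "O2" and "(no name)" in body:
        flags.append("unnamed-bho")     # legitimate BHOs almost always carry a name
    if section == "O4" and "RunOnce" in body:
        flags.append("runonce")         # one-shot launcher; check what it starts
    if section == "O16" and BARE_IP_URL_RE.search(body):
        flags.append("dpf-bare-ip")     # ActiveX package served from a raw IP
    if section == "O18" and body.startswith("Filter:"):
        flags.append("html-filter")     # a MIME filter can rewrite every page loaded
    if section == "O23" and "Unknown owner" in body:
        flags.append("unknown-owner")   # service binary with no publisher string
    return {"section": section, "body": body, "path": path, "flags": flags}


def triage(log_text):
    """Parse a whole log; return (entry count per section, flagged entries)."""
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    counts = Counter(e["section"] for e in entries)
    flagged = [e for e in entries if e["flags"]]
    return counts, flagged


# Constructed sample: ten lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\zd7bjb8.dll
O3 - Toolbar: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll (file missing)
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\wyaori.exe reg_run
O4 - HKLM\..\RunOnce: [1b07m27.exe] C:\WINDOWS\System32\1b07m27.exe /k
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://209.190.18.194/PopupSh.ocx
O18 - Filter: text/html - {8253D547-38DD-4325-B35A-F1817EDFA5F5} - C:\Program Files\System Files\plugin.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe
"""

if __name__ == "__main__":
    counts, flagged = triage(SAMPLE_LOG)
    print("entries per section:", dict(counts))
    for e in flagged:
        print(f"{e['section']:>4} {','.join(e['flags']):<14} {e['path'] or e['body']}")
```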


#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:04:54 AM

Posted 25 November 2005 - 11:42 AM

Hi and Welcome to bleeping computer!!

My name is David

Please do both of the following before we start, if possible:

1) Please print off these instructions - they will be needed later when internet access is not available.
2) Save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.

There is a bit to do on the log - I can almost guarantee ewido will remove something - it's also a good free tool to keep in your arsenal! :thumbsup:

Please download ewido security suite it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.

Post a new HJT log and the ewido log at the end! :flowers:
David

#3 jkm03

jkm03
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:54 PM

Posted 25 November 2005 - 06:43 PM

Here are my post-instruction log files:


Logfile of HijackThis v1.99.1
Scan saved at 오전 8:28:48, on 2005-11-26
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\NPDTray.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Documents and Settings\진소영\My Documents\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: XBTP07618 - {2296428D-C133-4928-B76A-A200FF409572} - C:\PROGRA~1\FREEPR~1\freeprod.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\92md.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C56C7728-DA03-FA21-A320-BFB5DA591908} - C:\WINDOWS\Wcxhpgxm.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: 라디오(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll (file missing)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NPDTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\NPDTray.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\wyaori.exe reg_run
O4 - HKLM\..\RunOnce: [lp09a40.exe] C:\WINDOWS\System32\lp09a40.exe /k
O4 - HKCU\..\RunOnce: [lp09a40.exe] C:\WINDOWS\System32\lp09a40.exe /k
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll (file missing)
O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {091CDD73-1401-4643-9B9C-65B091C88685} (MyLinker Control) - http://imbc.contents.mylinker.co.kr/module/MyLinker.cab
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.conpia.com/0401/component/AlwaysOn.CAB
O16 - DPF: {340CCF52-D65F-4A11-80B3-13DC23697B59} (BugsInstall Control) - http://player.bugs.co.kr/install/BugsInstall_2005_11_06.cab
O16 - DPF: {474AD63A-9B7E-40FE-8E4E-7067CC0F8D3D} (IB_OnAir.IBOnAir) - http://ionair.sbs.co.kr/new_onair/IB_OnAir.CAB
O16 - DPF: {51C99F40-9E0E-4BF1-A92A-77121CC01AD0} (IMBCClient Control) - http://touch.imbc.com/ocx/Online.cab
O16 - DPF: {5C899971-E9D6-4496-8077-98378408E340} (MPControl Control) - http://mplay.sbs.co.kr/players/SBSiMPControl.cab
O16 - DPF: {5D9446DB-E849-4B95-9872-D0C21343ABF0} (MAWizard Class) - http://www.csafer.net/ActiveX/MASetupWizard.cab
O16 - DPF: {858033B9-13BC-4DFE-B62A-78E1FAA0DFD7} (MABugsDownload Control) - http://www.csafer.net/activex/mabugsdownload.cab
O16 - DPF: {85F5F47F-D57F-42D2-B2DD-AFD7BC536DE0} (Zchkrec Control) - http://www.conpia.com/0401/player/zchkrec.cab
O16 - DPF: {87B9BA5F-0028-4CA2-8FC3-E07658AB4D4E} (소리바다 오르골 웹 패키지 설치 컨트롤) - http://download.soribada.com/down/Orgel/SBORGELI.OCX
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9_1/dmcc2.cab?Version=1,0,0,10
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/XTools.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://209.190.18.194/PopupSh.ocx
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworld.nate.com/cymusic/package/skcbgmset.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B869F34A-A5AD-47B8-AC46-FF5A614F3D44} (MPIClient Control) - https://mpi.tgcorp.com/mall/MPIClient.cab
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/bugsLoader20041018.cab
O16 - DPF: {CF362BDB-4EA2-11D5-AB47-000102913414} (SetGlb Control) - http://touch.imbc.com/ocx/SetGlb.cab
O16 - DPF: {D8F001C6-43B1-4CFD-9DAF-C8BEAE0E2B6D} (Touch Control) - http://touch.imbc.com/ocx/test/Online.cab
O16 - DPF: {DA54C9C1-8109-43C9-9C80-E4210CEDF147} (EzwonSession Control) - http://wedisk.co.kr/app/EzwonSessionCtl.cab
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - https://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {8253D547-38DD-4325-B35A-F1817EDFA5F5} - C:\Program Files\System Files\plugin.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Norton AntiVirus 자동 보호 서비스 (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 오전 8:24:20, 2005-11-26
+ Report-Checksum: B7DF8C95

+ Scan result:

HKLM\SOFTWARE\Classes\AppID\{0DC5CD7C-F653-4417-AA43-D457BE3A9622} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{417386C3-8D4A-4611-9B91-E57E89D603AC} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{417386C3-8D4A-4611-9B91-E57E89D603AC}\TypeLib\\ -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{D52433A9-A44C-43AB-A013-24B3C756DD2B}\TypeLib\\ -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{10D7DB96-56DC-4617-8EAB-EC506ABE6C7E} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{10D7DB96-56DC-4617-8EAB-EC506ABE6C7E}\TypeLib\\ -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6CDC3337-01F7-4A79-A4AF-0B19303CC0BE} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6CDC3337-01F7-4A79-A4AF-0B19303CC0BE}\TypeLib\\ -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{795398D0-DC2F-4118-A69C-592273BA9C2B} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{795398D0-DC2F-4118-A69C-592273BA9C2B}\TypeLib\\ -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B288F21C-A144-4CA2-9B70-8AFA1FAE4B06} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B288F21C-A144-4CA2-9B70-8AFA1FAE4B06}\TypeLib\\ -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\PopOops2.PopOops -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\PopOops2.PopOops\Clsid -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\PopOops2.PopOops\Clsid\\ -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\SWLAD1.SWLAD -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\SWLAD1.SWLAD\Clsid -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{D0C29A75-7146-4737-98EE-BC4D7CF44AF9} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{E0D3B292-A0B0-4640-975C-2F882E039F52} -> Spyware.AdDestroyer : Cleaned with backup
[296] C:\WINDOWS\system32\zd7bjb8.dll -> Trojan.Kolweb.f : Cleaned with backup
C:\Documents and Settings\진소영\Cookies\진소영@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\진소영\Cookies\진소영@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\진소영\Cookies\진소영@ads.addynamix[2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\진소영\Cookies\진소영@ads.pointroll[1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\진소영\Cookies\진소영@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\진소영\Cookies\진소영@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\진소영\Cookies\진소영@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\진소영\Cookies\진소영@cnn.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\진소영\Cookies\진소영@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\진소영\Cookies\진소영@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\진소영\Cookies\진소영@hypertracker[2].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\진소영\Cookies\진소영@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\진소영\Cookies\진소영@msnportal.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\진소영\Cookies\진소영@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\진소영\Cookies\진소영@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\진소영\Cookies\진소영@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\진소영\Cookies\진소영@statse.webtrendslive[1].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\진소영\Cookies\진소영@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\진소영\Cookies\진소영@www.burstbeacon[2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\진소영\Cookies\진소영@www.epilot[1].txt -> Spyware.Cookie.Epilot : Cleaned with backup
C:\Documents and Settings\진소영\Cookies\진소영@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\진소영\Local Settings\Temp\aiw576.sys -> Trojan.Kolweb.g : Cleaned with backup
C:\Documents and Settings\진소영\Local Settings\Temp\iC1.tmp -> Spyware.SurfSide : Cleaned with backup
C:\Documents and Settings\진소영\Local Settings\Temp\pcs_0002.exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\진소영\Local Settings\Temp\ptf_0002.exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\진소영\Local Settings\Temporary Internet Files\Content.IE5\G1YRCXUB\svchost[1].exe -> TrojanSpy.Hangame.v : Cleaned with backup
C:\Documents and Settings\진소영\Local Settings\Temporary Internet Files\Content.IE5\IPN458Z2\mm[2].js -> Spyware.Chitika : Cleaned with backup
C:\Documents and Settings\진소영\Local Settings\Temporary Internet Files\Content.IE5\IV67UTIV\mm[2].js -> Spyware.Chitika : Cleaned with backup
C:\Documents and Settings\진소영\Local Settings\Temporary Internet Files\Content.IE5\NEGVBP8D\svchost[1].exe -> TrojanSpy.Hangame.v : Cleaned with backup
C:\Documents and Settings\진소영\Local Settings\Temporary Internet Files\Content.IE5\O3OBIZSJ\pcs_0002[1].exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\진소영\Local Settings\Temporary Internet Files\Content.IE5\W1O12N0T\mm[1].js -> Spyware.Chitika : Cleaned with backup
C:\Program Files\Common Files\InetGet\mc-110-12-0000122.exe -> Spyware.Maxifiles : Cleaned with backup
C:\Program Files\System Files\System.exe -> Spyware.CASClient : Cleaned with backup
C:\System Volume Information\_restore{5033A62E-60A3-4A8E-9D3F-81D9D14A8453}\RP20\A0002998.exe -> Trojan.Kolweb.g : Cleaned with backup
C:\System Volume Information\_restore{5033A62E-60A3-4A8E-9D3F-81D9D14A8453}\RP20\A0003170.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{5033A62E-60A3-4A8E-9D3F-81D9D14A8453}\RP20\A0003236.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{5033A62E-60A3-4A8E-9D3F-81D9D14A8453}\RP20\A0003238.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{5033A62E-60A3-4A8E-9D3F-81D9D14A8453}\RP20\A0003240.exe -> TrojanDownloader.Agent.aaf : Cleaned with backup
C:\System Volume Information\_restore{5033A62E-60A3-4A8E-9D3F-81D9D14A8453}\RP20\A0003247.exe -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{5033A62E-60A3-4A8E-9D3F-81D9D14A8453}\RP20\A0003250.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{5033A62E-60A3-4A8E-9D3F-81D9D14A8453}\RP20\A0003251.exe -> Spyware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{5033A62E-60A3-4A8E-9D3F-81D9D14A8453}\RP20\A0003255.exe -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{5033A62E-60A3-4A8E-9D3F-81D9D14A8453}\RP20\A0003284.exe -> TrojanDownloader.PurityScan.au : Cleaned with backup
C:\System Volume Information\_restore{5033A62E-60A3-4A8E-9D3F-81D9D14A8453}\RP51\A0003888.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{5033A62E-60A3-4A8E-9D3F-81D9D14A8453}\RP51\A0003889.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{5033A62E-60A3-4A8E-9D3F-81D9D14A8453}\RP51\A0003890.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{5033A62E-60A3-4A8E-9D3F-81D9D14A8453}\RP51\A0003891.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{5033A62E-60A3-4A8E-9D3F-81D9D14A8453}\RP51\A0003907.exe -> TrojanDownloader.Qoologic.ai : Cleaned with backup
C:\System Volume Information\_restore{5033A62E-60A3-4A8E-9D3F-81D9D14A8453}\RP51\A0003908.dll -> TrojanDownloader.Qoologic.ai : Cleaned with backup
C:\System Volume Information\_restore{5033A62E-60A3-4A8E-9D3F-81D9D14A8453}\RP51\A0003909.dll -> TrojanDownloader.Qoologic.ai : Cleaned with backup
C:\System Volume Information\_restore{5033A62E-60A3-4A8E-9D3F-81D9D14A8453}\RP51\A0003916.exe -> TrojanDownloader.Qoologic.ai : Cleaned with backup
C:\System Volume Information\_restore{5033A62E-60A3-4A8E-9D3F-81D9D14A8453}\RP51\A0003917.dll -> TrojanDownloader.Qoologic.ai : Cleaned with backup
C:\System Volume Information\_restore{5033A62E-60A3-4A8E-9D3F-81D9D14A8453}\RP51\A0003918.dll -> TrojanDownloader.Qoologic.ai : Cleaned with backup
C:\System Volume Information\_restore{5033A62E-60A3-4A8E-9D3F-81D9D14A8453}\RP52\A0004060.exe -> TrojanDownloader.Qoologic.ai : Cleaned with backup
C:\System Volume Information\_restore{5033A62E-60A3-4A8E-9D3F-81D9D14A8453}\RP52\A0004061.dll -> TrojanDownloader.Qoologic.ai : Cleaned with backup
C:\System Volume Information\_restore{5033A62E-60A3-4A8E-9D3F-81D9D14A8453}\RP52\A0004067.exe -> TrojanDownloader.Qoologic.ai : Cleaned with backup
C:\System Volume Information\_restore{5033A62E-60A3-4A8E-9D3F-81D9D14A8453}\RP52\A0004068.dll -> TrojanDownloader.Qoologic.ai : Cleaned with backup
C:\System Volume Information\_restore{5033A62E-60A3-4A8E-9D3F-81D9D14A8453}\RP52\A0004069.dll -> TrojanDownloader.Qoologic.ai : Cleaned with backup
C:\WINDOWS\aiw576.sys -> Trojan.Kolweb.g : Cleaned with backup
C:\WINDOWS\bsx32 -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3ABSPLAT.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3ACCUQ.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3AMERS.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3ASKNOW2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3CARQ.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3CARQ2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3CCB.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3CHOCPBMM.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3CHRISMORT.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3CREDITCARD.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3DIRTYH.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3ENDOMET.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3FREECS.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3FREEIPOD.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3FREEIPOD2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3FREEXBOX.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3HAIRLOSS.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3HYDRO.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3KAN1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3KAN10.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3KAN11.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3KAN12.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3KAN2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3KAN6.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3KAN7.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3LEXREPAIR.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3LMORON.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3LOWRATE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3MYDISH.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3MYINKS.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3NETFLIX2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3ODYSSEY.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3PARTYPOKER.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3PASSION.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3PCHSWEEPS.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3POP.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3SPORTSINT.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3SUPERIOR.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3WEIGHTL.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASICLRE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIEPRE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIPP.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIRCPRE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASISS2RE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASISSRE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\EECH1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\SPECAUTO.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\SPECENTER.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\SPZ3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPC.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPD.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPF.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPFAM.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPFI.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPFIN.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPG.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPH.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPHL.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPJ.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPM.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPMTV.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPN.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPR.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPS.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPSHOP.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPSP.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPW.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\rk.exe -> Spyware.MarketScore : Cleaned with backup
C:\WINDOWS\system32\1b07m27.exe -> Trojan.Kolweb.g : Cleaned with backup
C:\WINDOWS\system32\aiw576.sys -> Trojan.Kolweb.g : Cleaned with backup
C:\WINDOWS\system32\dist001.exe -> TrojanDownloader.Agent.aaf : Cleaned with backup
C:\WINDOWS\system32\f1ltm.exe -> Trojan.Kolweb.g : Cleaned with backup
C:\WINDOWS\system32\mc-110-12-0000122.exe -> Spyware.Maxifiles : Cleaned with backup
C:\WINDOWS\system32\PLSRemote.exe -> Not-A-Virus.RiskWare.RemoteAdmin.PLSRemot : Cleaned with backup
C:\WINDOWS\system32\pquyb.dat -> TrojanDownloader.Qoologic.ai : Cleaned with backup
C:\WINDOWS\system32\SSK3.exe -> TrojanDropper.Small.qn : Cleaned with backup
C:\WINDOWS\system32\vgactl.cpl -> TrojanDownloader.Qoologic.at : Cleaned with backup
C:\WINDOWS\system32\wuauclt.dll -> TrojanDownloader.Qoologic.at : Cleaned with backup
C:\WINDOWS\system32\zd7bjb8.dll -> Trojan.Kolweb.f : Cleaned with backup
C:\WINDOWS\Wcxhpgxm.dll -> Adware.BookedSpace : Cleaned with backup


::Report End


I still have pop-ups. What's next?

#4 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 26 November 2005 - 04:04 AM

Please Download the following tools to assist us in removing this infection!
  • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Don't do anything with it yet!
  • Download Track qoo
    • Save it somewhere you will remember like the Desktop
Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Double-click WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next post!
Reboot back to Normal Mode!

Double Click on "Track qoo.vbs"

Note - If your Antivirus has Script Blocking, you will get a Pop Up Window asking you what to do. Allow this Entire Script to Run, it's harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!

#5 jkm03

jkm03
  • Topic Starter

  • Members
  • 8 posts

Posted 26 November 2005 - 11:13 AM

here's the trackqoo text:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"
"NPDTRAY"="C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\NPDTray.exe"
"TPTRAY"="C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\TP98TRAY.EXE"
"winsync"="C:\\WINDOWS\\System32\\wyaori.exe reg_run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- fgyktnng
{ea52656b-e86a-4b68-9ab0-435659fa80b7}
C:\WINDOWS\System32\fgmkr.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}
C:\Program Files\Norton AntiVirus\NavShExt.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
시작 메뉴 추가
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\시작 메뉴\프로그램\시작프로그램

desktop.ini
==============================
C:\Documents and Settings\진소영\시작 메뉴\프로그램\시작프로그램

desktop.ini
desktop.ini
==============================
C:\WINDOWS\system32 cpl files


access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
tp4ex.cpl IBM Corporation
TP98.CPL IBM Corp.
wuaucpl.cpl Microsoft Corporation


AND.... the winPfind:


WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PEC2 2005-11-26 오전 8:26:16 RHS 306861 C:\WINDOWS\8zht.sys
PECompact2 2005-11-26 오전 8:26:16 RHS 306861 C:\WINDOWS\8zht.sys

Checking %System% folder...
PEC2 2005-11-26 오전 8:26:16 RHS 212070 C:\WINDOWS\SYSTEM32\8zht.sys
PECompact2 2005-11-26 오전 8:26:16 RHS 212070 C:\WINDOWS\SYSTEM32\8zht.sys
PEC2 2002-08-31 오후 9:00:00 41128 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 2005-11-26 오전 8:26:16 RHS 245531 C:\WINDOWS\SYSTEM32\lp09a40.exe
PECompact2 2005-11-26 오전 8:26:16 RHS 245531 C:\WINDOWS\SYSTEM32\lp09a40.exe
PECompact2 2005-11-10 오후 9:17:20 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 2005-11-10 오후 9:17:20 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
PEC2 2003-02-03 오후 3:01:02 186368 C:\WINDOWS\SYSTEM32\msaud32_divx.acm
UPX! 2005-10-21 오전 9:53:16 67584 C:\WINDOWS\SYSTEM32\nsz47.dll
Umonitor 2002-08-31 오후 9:00:00 591872 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 2002-08-31 오후 9:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
2005-11-26 오전 8:26:16 RHS 306861 C:\WINDOWS\8zht.sys
2005-11-27 오전 12:35:26 S 2048 C:\WINDOWS\bootstat.dat
2005-11-22 오전 1:02:30 HS 67072 C:\WINDOWS\Thumbs.db
2005-10-30 오후 2:02:54 HS 32 C:\WINDOWS\{02D5158D-E893-4C57-BDB1-168CE5178AAF}.dat
2005-11-20 오후 8:20:44 H 10819 C:\WINDOWS\Help\nocontnt.GID
2005-11-11 오전 1:34:32 H 0 C:\WINDOWS\inf\oem16.inf
2005-11-11 오전 1:36:12 H 0 C:\WINDOWS\inf\oem17.inf
2005-11-22 오전 1:02:24 HS 6144 C:\WINDOWS\ShellNew\Thumbs.db
2005-11-26 오전 8:26:16 RHS 212070 C:\WINDOWS\system32\8zht.sys
2005-11-26 오전 8:26:16 RHS 518659 C:\WINDOWS\system32\92md.dll
2005-11-26 오전 8:26:16 RHS 245531 C:\WINDOWS\system32\lp09a40.exe
2005-11-26 오전 8:27:54 HS 8704 C:\WINDOWS\system32\Thumbs.db
2005-11-26 오전 8:31:36 RHS 163279 C:\WINDOWS\system32\uo721.exe
2005-10-30 오후 2:02:54 HS 32 C:\WINDOWS\system32\{2E0528F8-07F5-43D7-85B4-8BE22063B020}.dat
2005-10-05 오후 8:33:32 S 12849 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896424.cat
2005-10-04 오후 1:16:48 S 20086 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896688-IE6SP1-20051004.130236.cat
2005-09-28 오전 11:53:24 S 17402 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB900725.cat
2005-11-27 오전 12:35:16 H 8192 C:\WINDOWS\system32\config\default.LOG
2005-11-27 오전 12:36:30 H 1024 C:\WINDOWS\system32\config\SAM.LOG
2005-11-27 오전 12:35:28 H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
2005-11-27 오전 12:36:36 H 73728 C:\WINDOWS\system32\config\software.LOG
2005-11-27 오전 12:35:32 H 978944 C:\WINDOWS\system32\config\system.LOG
2005-11-23 오전 10:54:34 H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
2005-10-30 오후 2:10:02 HS 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini
2005-10-30 오후 2:14:20 H 1407514 C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IconCache.db
2005-10-30 오후 2:17:42 H 262144 C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
2005-10-30 오후 2:17:42 H 1024 C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
2005-10-30 오후 1:55:02 RH 0 C:\WINDOWS\system32\drivers\IBM_2722_KK1_TP.MRK
2005-10-30 오후 2:19:14 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\2ad67727-5895-498a-8fa9-deac67534f14
2005-10-30 오후 2:19:14 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\81507f2e-4c4d-4da9-9090-551b80ea88ad
2005-10-30 오후 2:19:14 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\99f222a3-89d8-49b3-be31-4072a5d4ea84
2005-10-30 오후 2:19:14 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
2005-11-11 오전 1:34:38 RHS 13698 C:\WINDOWS\system32\Restore\filelist.xml
2005-11-27 오전 12:27:30 H 6 C:\WINDOWS\Tasks\SA.DAT
2005-10-30 오후 10:16:02 HS 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
2005-10-30 오후 10:16:02 HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
2005-10-30 오후 10:16:02 HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\09MNO1Y7\desktop.ini
2005-10-30 오후 10:16:02 HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CDAFCHQF\desktop.ini
2005-10-30 오후 10:16:02 HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\OX6JKHQR\desktop.ini
2005-10-30 오후 10:16:02 HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\SXUZO5MB\desktop.ini
2005-11-22 오전 1:02:30 HS 9216 C:\WINDOWS\Web\Thumbs.db

Checking for CPL files...
Microsoft Corporation 2002-08-31 오후 9:00:00 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 2002-08-31 오후 9:00:00 570880 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 2002-08-31 오후 9:00:00 124416 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 2002-09-24 오후 1:30:16 151040 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 2002-08-31 오후 9:00:00 291840 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 2002-08-31 오후 9:00:00 114688 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 2002-11-22 오후 2:48:08 111104 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 2002-08-31 오후 9:00:00 63488 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 2002-08-31 오후 9:00:00 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 2002-08-31 오후 9:00:00 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 2002-08-31 오후 9:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 2002-08-31 오후 9:00:00 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 2002-08-31 오후 9:00:00 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 2002-08-31 오후 9:00:00 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 2002-08-31 오후 9:00:00 257024 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 2002-08-31 오후 9:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 2002-08-31 오후 9:00:00 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
IBM Corporation 2002-09-04 오전 1:05:00 61440 C:\WINDOWS\SYSTEM32\tp4ex.cpl
IBM Corp. 2002-11-01 오전 1:31:00 34816 C:\WINDOWS\SYSTEM32\TP98.CPL
Microsoft Corporation 2005-05-26 오전 4:16:34 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
2002-11-22 오후 5:46:40 HS 84 C:\Documents and Settings\All Users\시작 메뉴\프로그램\시작프로그램\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
2002-11-22 오후 5:36:12 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
2002-11-22 오후 5:46:40 HS 84 C:\Documents and Settings\진소영\시작 메뉴\프로그램\시작프로그램\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
2002-11-22 오후 5:36:12 HS 62 C:\Documents and Settings\진소영\Application Data\desktop.ini
2005-11-24 오전 7:48:22 477848 C:\Documents and Settings\진소영\Application Data\Sskknwrd.dll
2005-11-24 오전 8:35:58 46 C:\Documents and Settings\진소영\Application Data\Sskuknwrd.dll

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
FreeprodTB =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fgyktnng
{ea52656b-e86a-4b68-9ab0-435659fa80b7} = C:\WINDOWS\System32\fgmkr.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
시작 메뉴 추가 = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2296428D-C133-4928-B76A-A200FF409572}
XBTP07618 Class = C:\PROGRA~1\FREEPR~1\freeprod.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}
DriveLetterAccess = C:\WINDOWS\system32\dla\tfswshx.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3}
= C:\WINDOWS\system32\92md.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C56C7728-DA03-FA21-A320-BFB5DA591908}
= C:\WINDOWS\Wcxhpgxm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
잠깐만(&T) = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
{8E718888-423F-11D2-876E-00A0C9082467} = 라디오(&R) : C:\WINDOWS\System32\msdxm.ocx
{77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} = Freeprod Toolbar : C:\Program Files\Freeprod Toolbar\freeprod.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F}
ButtonText = Freeprod Toolbar :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
미디어 밴드 = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
파일 검색 탐색기 밴드 = %SystemRoot%\system32\SHELL32.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = 주소(&A) : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = 연결(&L) : %SystemRoot%\system32\SHELL32.dll
{77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} = Freeprod Toolbar : C:\Program Files\Freeprod Toolbar\freeprod.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSConfig C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
NPDTRAY C:\PROGRA~1\ThinkPad\UTILIT~1\NPDTray.exe
TPTRAY C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
winsync C:\WINDOWS\System32\wyaori.exe reg_run

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
ctfmon.exe C:\WINDOWS\System32\ctfmon.exe /k

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
ctfmon.exe C:\WINDOWS\System32\ctfmon.exe /k

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^시작 메뉴^프로그램^시작프로그램^Microsoft Office.lnk
path C:\Documents and Settings\All Users\시작 메뉴\프로그램\시작프로그램\Microsoft Office.lnk
backup C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\MICROS~2\Office10\OSA.EXE -b -l
item Microsoft Office

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AGRSMMSG
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AGRSMMSG
hkey HKLM
command AGRSMMSG.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AGRSMMSG
hkey HKLM
command AGRSMMSG.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ATIModeChange
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Ati2mdxx
hkey HKLM
command Ati2mdxx.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Ati2mdxx
hkey HKLM
command Ati2mdxx.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ATIPTA
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item atiptaxx
hkey HKLM
command C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item atiptaxx
hkey HKLM
command C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BluetoothAuthenticationAgent
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item rundll32
hkey HKLM
command rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item rundll32
hkey HKLM
command rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BMMGAG
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item pwrmonit
hkey HKLM
command RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item pwrmonit
hkey HKLM
command RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CAS2
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item System
hkey HKCU
command "C:\Program Files\System Files\System.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item System
hkey HKCU
command "C:\Program Files\System Files\System.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ccApp
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ccApp
hkey HKLM
command "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ccApp
hkey HKLM
command "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ccRegVfy
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ccRegVfy
hkey HKLM
command "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ccRegVfy
hkey HKLM
command "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\dla
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item tfswctrl
hkey HKLM
command C:\WINDOWS\system32\dla\tfswctrl.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item tfswctrl
hkey HKLM
command C:\WINDOWS\system32\dla\tfswctrl.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\EZEJMNAP
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item EzEjMnAp
hkey HKLM
command C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item EzEjMnAp
hkey HKLM
command C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Hrtu
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item eers
hkey HKCU
command "C:\Program Files\rdrr\eers.exe" -vt yazr
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item eers
hkey HKCU
command "C:\Program Files\rdrr\eers.exe" -vt yazr
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ibmmessages
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ibmmessages
hkey HKLM
command C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ibmmessages
hkey HKLM
command C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\imekrmig
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item imekrmig
hkey HKLM
command C:\Program Files\Common Files\Microsoft Shared\IME\IMKR\imekrmig.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item imekrmig
hkey HKLM
command C:\Program Files\Common Files\Microsoft Shared\IME\IMKR\imekrmig.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IMEKRMIG6.1
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IMEKRMIG
hkey HKLM
command C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IMEKRMIG
hkey HKLM
command C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IMJPMIG8.1
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IMJPMIG
hkey HKLM
command "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IMJPMIG
hkey HKLM
command "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MAAgent
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MAAgent
hkey HKLM
command C:\Program Files\MarkAny\ContentSAFER\MAAgent.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MAAgent
hkey HKLM
command C:\Program Files\MarkAny\ContentSAFER\MAAgent.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSPY2002
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ImScInst
hkey HKLM
command C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ImScInst
hkey HKLM
command C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NBJ
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NBJ
hkey HKCU
command "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NBJ
hkey HKCU
command "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NeroFilterCheck
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NeroCheck
hkey HKLM
command C:\WINDOWS\system32\NeroCheck.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NeroCheck
hkey HKLM
command C:\WINDOWS\system32\NeroCheck.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NPDTray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NPDTray
hkey HKLM
command C:\PROGRA~1\ThinkPad\UTILIT~1\NPDTray.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NPDTray
hkey HKLM
command C:\PROGRA~1\ThinkPad\UTILIT~1\NPDTray.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PHIME2002A
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TINTSETP
hkey HKLM
command C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TINTSETP
hkey HKLM
command C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PHIME2002ASync
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TINTSETP
hkey HKLM
command C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TINTSETP
hkey HKLM
command C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Plook
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Plook
hkey HKLM
command C:\Program Files\PLook\Plook.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Plook
hkey HKLM
command C:\Program Files\PLook\Plook.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QCWLICON
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item QCWLICON
hkey HKLM
command C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item QCWLICON
hkey HKLM
command C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\S3TRAY2
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item S3Tray2
hkey HKLM
command S3Tray2.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item S3Tray2
hkey HKLM
command S3Tray2.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\services32
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mc-110-12-0000122
hkey HKCU
command C:\Program Files\Common Files\Windows\mc-110-12-0000122.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mc-110-12-0000122
hkey HKCU
command C:\Program Files\Common Files\Windows\mc-110-12-0000122.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\snss Launcher
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item snss
hkey HKLM
command "C:\Program Files\snss\snss.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item snss
hkey HKLM
command "C:\Program Files\snss\snss.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\StorageGuard
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item sgtray
hkey HKLM
command "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item sgtray
hkey HKLM
command "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SurfSideKick 3
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Ssk
hkey HKLM
command C:\Program Files\SurfSideKick 3\Ssk.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Ssk
hkey HKLM
command C:\Program Files\SurfSideKick 3\Ssk.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Symantec NetDriver Monitor
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SNDMon
hkey HKLM
command C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SNDMon
hkey HKLM
command C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SynTPEnh
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SynTPEnh
hkey HKLM
command C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SynTPEnh
hkey HKLM
command C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SynTPLpr
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SynTPLpr
hkey HKLM
command C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SynTPLpr
hkey HKLM
command C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TP4EX
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item tp4ex
hkey HKLM
command tp4ex.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item tp4ex
hkey HKLM
command tp4ex.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TPHOTKEY
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TPHKMGR
hkey HKLM
command C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TPHKMGR
hkey HKLM
command C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TPKMAPMN
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TpKmapMn
hkey HKLM
command C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TpKmapMn
hkey HKLM
command C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TPTRAY
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TP98TRAY
hkey HKLM
command C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TP98TRAY
hkey HKLM
command C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\winsync
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item wyaori
hkey HKLM
command C:\WINDOWS\System32\wyaori.exe reg_run
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item wyaori
hkey HKLM
command C:\WINDOWS\System32\wyaori.exe reg_run
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 2005-11-27 오전 12:46:46




Dude this stuff looks soooooooo confusing. Wish I understood like you guys.

#6 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:04:54 AM

Posted 27 November 2005 - 10:39 AM

Please do both of the following before we start if possible!:

1) Please print off these instructions - they will be needed later when internet access is not available.
2) Save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
At the moment you may feel like you are battling with your computer to keep it running smoothly, but doing the following things should most certainly help get it back to how it was.
_____________________

Download KillBox here: http://www.downloads.subratam.org/KillBox.zip
Save it to your desktop.
DO NOT run it yet.
_____________________

With IE closed, run Hijack This again.
Put a checkmark on these entries and hit "fix checked":

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\wyaori.exe reg_run
O4 - HKLM\..\RunOnce: [lp09a40.exe] C:\WINDOWS\System32\lp09a40.exe /k
O4 - HKCU\..\RunOnce: [lp09a40.exe] C:\WINDOWS\System32\lp09a40.exe /k
O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll (file missing)
O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll (file missing)

_____________________

Boot into Safe Mode

Double-click on Killbox.exe to run it.
Now put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confirmation to delete the file.
Click Yes.
Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\8zht.sys
C:\WINDOWS\SYSTEM32\lp09a40.exe
C:\WINDOWS\SYSTEM32\msaud32_divx.acm
C:\WINDOWS\SYSTEM32\nsz47.dll
C:\WINDOWS\system32\92md.dll
C:\WINDOWS\system32\uo721.exe
C:\WINDOWS\System32\fgmkr.dll
C:\WINDOWS\system32\92md.dll
C:\Program Files\Freeprod Toolbar\freeprod.dll
C:\WINDOWS\System32\wyaori.exe
C:\Program Files\System Files\System.exe
C:\Program Files\rdrr\eers.exe
C:\Program Files\PLook\Plook.exe
C:\Program Files\Common Files\Windows\mc-110-12-0000122.exe
C:\Program Files\snss\snss.exe
C:\Program Files\SurfSideKick 3\Ssk.exe


Killbox this file also:

C:\Documents and Settings\진소영\Application Data\Sskknwrd.dll

If it doesn't work then, find and manually delete the file.

_____________________

Manually delete these folders:

C:\Program Files\Freeprod Toolbar
C:\Program Files\System Files
C:\Program Files\rdrr
C:\Program Files\PLook
C:\Program Files\snss
C:\Program Files\SurfSideKick 3

_____________________

Please Navigate to the C:\Windows\Temp folder.
Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder. (if you cannot delete some items it's fine!)
_____________________

Then go to Start > Run and type %temp% in the Run box.
The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
_____________________

Finally go to Control Panel > Internet Options.
Put a check by "Delete Offline Content" and click OK.
Click on the Programs tab then click the "Reset Web Settings" button.
Click Apply then OK.
_____________________

Empty the Recycle Bin.
_____________________

Reboot to normal mode and post a new HJT log
David
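As an added example (not part of David's post, and not code from HijackThis or Killbox), the following Python script parses the HijackThis line formats seen in this thread and checks a "fix checked" list against the log the user posts afterwards, reporting which entries survived and which CLSIDs are still referenced under another section. The log lines embedded in it are constructed from this thread's format, not the full logs.

```python
"""Check a HijackThis "fix checked" list against the follow-up HijackThis log.

Sample lines are constructed from the line formats that appear in this thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")                      # "O4 - <rest>"
O4_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")   # "HKLM\..\Run: [name] cmd"
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# HijackThis appends these when the registry still points at a file that is gone.
MISSING_MARKERS = ("(file missing)", "(no file)")


@dataclass(frozen=True)
class Entry:
    section: str        # "O2", "O4", "R3", ...
    key: str            # identity used to match the same entry across two logs
    clsid: str          # CLSID if the line carries one, else ""
    path: str           # file path, command line or URL as logged
    file_missing: bool  # True when HijackThis reported the target file as gone


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None                          # header, process list or blank line
    section, rest = m.groups()
    missing = False
    for marker in MISSING_MARKERS:
        if rest.endswith(marker):
            missing = True
            rest = rest[: -len(marker)].rstrip(" -")
    if section == "O4":                      # autorun: hive\..\key: [value name] command
        m4 = O4_RE.match(rest)
        if not m4:
            return None
        hive, key, name, cmd = m4.groups()
        return Entry("O4", f"O4:{hive}\\{key}:{name.lower()}", "", cmd, missing)
    kind = rest.split(":", 1)[0]             # "BHO", "Toolbar", "Extra button", ...
    c = CLSID_RE.search(rest)
    if c is None:                            # no CLSID: match on the whole text
        return Entry(section, f"{section}:{rest.lower()}", "", rest, missing)
    clsid = c.group(0).upper()
    last = rest.split(" - ")[-1]
    path = "" if last.upper() == clsid else last
    return Entry(section, f"{section}:{kind}:{clsid}", clsid, path, missing)


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]


def still_present(fix_list: str, after_log: str) -> List[Entry]:
    """Fix-list entries whose identity is still in the follow-up log: the fix did not stick."""
    after = {e.key for e in parse_log(after_log)}
    return [e for e in parse_log(fix_list) if e.key in after]


def clsid_survivors(fix_list: str, after_log: str) -> List[str]:
    """CLSIDs from the fix list still referenced anywhere in the follow-up log, even under
    another section (the same component registered as an O3 toolbar and an O9 button, say)."""
    wanted = {e.clsid for e in parse_log(fix_list) if e.clsid}
    return sorted({e.clsid for e in parse_log(after_log) if e.clsid in wanted})


def orphaned(log: str) -> List[Entry]:
    """Registry references whose target file is gone; 'fix checked' removes such entries."""
    return [e for e in parse_log(log) if e.file_missing]


# Constructed sample: the entries a helper asked to fix ...
FIX_LIST = r"""
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\wyaori.exe reg_run
O4 - HKLM\..\RunOnce: [lp09a40.exe] C:\WINDOWS\System32\lp09a40.exe /k
O4 - HKCU\..\RunOnce: [lp09a40.exe] C:\WINDOWS\System32\lp09a40.exe /k
O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll (file missing)
O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll (file missing)
"""

# ... and a constructed excerpt of the log posted after the fix was attempted.
AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\92md.dll (file missing)
O3 - Toolbar: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll (file missing)
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\wyaori.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O18 - Filter: text/html - {8253D547-38DD-4325-B35A-F1817EDFA5F5} - C:\Program Files\System Files\plugin.dll
"""

if __name__ == "__main__":
    for e in still_present(FIX_LIST, AFTER_LOG):
        print("still present after fix:", e.key, e.path)
    print("fix-list CLSIDs still referenced:", clsid_survivors(FIX_LIST, AFTER_LOG))
    for e in orphaned(AFTER_LOG):
        print("orphaned reference:", e.section, e.clsid or e.path)
```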

#7 jkm03

jkm03
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:54 PM

Posted 27 November 2005 - 06:44 PM

Here's the new logfile:


Logfile of HijackThis v1.99.1
Scan saved at 오전 8:35:18, on 2005-11-28
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\NPDTray.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\진소영\My Documents\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: XBTP07618 - {2296428D-C133-4928-B76A-A200FF409572} - C:\PROGRA~1\FREEPR~1\freeprod.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\92md.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C56C7728-DA03-FA21-A320-BFB5DA591908} - C:\WINDOWS\Wcxhpgxm.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: 라디오(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll (file missing)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NPDTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\NPDTray.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\wyaori.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {091CDD73-1401-4643-9B9C-65B091C88685} (MyLinker Control) - http://imbc.contents.mylinker.co.kr/module/MyLinker.cab
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.conpia.com/0401/component/AlwaysOn.CAB
O16 - DPF: {340CCF52-D65F-4A11-80B3-13DC23697B59} (BugsInstall Control) - http://player.bugs.co.kr/install/BugsInstall_2005_11_06.cab
O16 - DPF: {474AD63A-9B7E-40FE-8E4E-7067CC0F8D3D} (IB_OnAir.IBOnAir) - http://ionair.sbs.co.kr/new_onair/IB_OnAir.CAB
O16 - DPF: {51C99F40-9E0E-4BF1-A92A-77121CC01AD0} (IMBCClient Control) - http://touch.imbc.com/ocx/Online.cab
O16 - DPF: {5C899971-E9D6-4496-8077-98378408E340} (MPControl Control) - http://mplay.sbs.co.kr/players/SBSiMPControl.cab
O16 - DPF: {5D9446DB-E849-4B95-9872-D0C21343ABF0} (MAWizard Class) - http://www.csafer.net/ActiveX/MASetupWizard.cab
O16 - DPF: {858033B9-13BC-4DFE-B62A-78E1FAA0DFD7} (MABugsDownload Control) - http://www.csafer.net/activex/mabugsdownload.cab
O16 - DPF: {85F5F47F-D57F-42D2-B2DD-AFD7BC536DE0} (Zchkrec Control) - http://www.conpia.com/0401/player/zchkrec.cab
O16 - DPF: {87B9BA5F-0028-4CA2-8FC3-E07658AB4D4E} (소리바다 오르골 웹 패키지 설치 컨트롤) - http://download.soribada.com/down/Orgel/SBORGELI.OCX
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9_1/dmcc2.cab?Version=1,0,0,10
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/XTools.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://209.190.18.194/PopupSh.ocx
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworld.nate.com/cymusic/package/skcbgmset.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B869F34A-A5AD-47B8-AC46-FF5A614F3D44} (MPIClient Control) - https://mpi.tgcorp.com/mall/MPIClient.cab
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/bugsLoader20041018.cab
O16 - DPF: {CF362BDB-4EA2-11D5-AB47-000102913414} (SetGlb Control) - http://touch.imbc.com/ocx/SetGlb.cab
O16 - DPF: {D8F001C6-43B1-4CFD-9DAF-C8BEAE0E2B6D} (Touch Control) - http://touch.imbc.com/ocx/test/Online.cab
O16 - DPF: {DA54C9C1-8109-43C9-9C80-E4210CEDF147} (EzwonSession Control) - http://wedisk.co.kr/app/EzwonSessionCtl.cab
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - https://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {8253D547-38DD-4325-B35A-F1817EDFA5F5} - C:\Program Files\System Files\plugin.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Norton AntiVirus 자동 보호 서비스 (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

#8 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:04:54 AM

Posted 28 November 2005 - 11:55 AM

Hmm....that didn't work - can I have a new WinPFind log and a new TrackQoo log

Thanks

David :thumbsup:

#9 jkm03

jkm03
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:54 PM

Posted 29 November 2005 - 01:06 AM

here you go:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 2005-11-26 오전 8:26:16 RHS 212070 C:\WINDOWS\SYSTEM32\8zht.sys
PECompact2 2005-11-26 오전 8:26:16 RHS 212070 C:\WINDOWS\SYSTEM32\8zht.sys
PEC2 2002-08-31 오후 9:00:00 41128 C:\WINDOWS\SYSTEM32\dfrg.msc
PECompact2 2005-11-10 오후 9:17:20 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 2005-11-10 오후 9:17:20 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
Umonitor 2002-08-31 오후 9:00:00 591872 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 2002-08-31 오후 9:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
2005-11-29 오후 2:40:00 S 2048 C:\WINDOWS\bootstat.dat
2005-11-22 오전 1:02:30 HS 67072 C:\WINDOWS\Thumbs.db
2005-10-30 오후 2:02:54 HS 32 C:\WINDOWS\{02D5158D-E893-4C57-BDB1-168CE5178AAF}.dat
2005-11-20 오후 8:20:44 H 10819 C:\WINDOWS\Help\nocontnt.GID
2005-11-11 오전 1:34:32 H 0 C:\WINDOWS\inf\oem16.inf
2005-11-11 오전 1:36:12 H 0 C:\WINDOWS\inf\oem17.inf
2005-11-22 오전 1:02:24 HS 6144 C:\WINDOWS\ShellNew\Thumbs.db
2005-11-26 오전 8:26:16 RHS 212070 C:\WINDOWS\system32\8zht.sys
2005-11-26 오전 8:27:54 HS 8704 C:\WINDOWS\system32\Thumbs.db
2005-10-30 오후 2:02:54 HS 32 C:\WINDOWS\system32\{2E0528F8-07F5-43D7-85B4-8BE22063B020}.dat
2005-10-05 오후 8:33:32 S 12849 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896424.cat
2005-10-04 오후 1:16:48 S 20086 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896688-IE6SP1-20051004.130236.cat
2005-11-29 오후 2:39:48 H 8192 C:\WINDOWS\system32\config\default.LOG
2005-11-29 오후 2:40:16 H 1024 C:\WINDOWS\system32\config\SAM.LOG
2005-11-29 오후 2:40:02 H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
2005-11-29 오후 2:41:12 H 77824 C:\WINDOWS\system32\config\software.LOG
2005-11-29 오후 2:40:06 H 974848 C:\WINDOWS\system32\config\system.LOG
2005-11-23 오전 10:54:34 H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
2005-10-30 오후 2:10:02 HS 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini
2005-10-30 오후 2:14:20 H 1407514 C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IconCache.db
2005-10-30 오후 2:17:42 H 262144 C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
2005-10-30 오후 2:17:42 H 1024 C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
2005-10-30 오후 1:55:02 RH 0 C:\WINDOWS\system32\drivers\IBM_2722_KK1_TP.MRK
2005-10-30 오후 2:19:14 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\2ad67727-5895-498a-8fa9-deac67534f14
2005-10-30 오후 2:19:14 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\81507f2e-4c4d-4da9-9090-551b80ea88ad
2005-10-30 오후 2:19:14 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\99f222a3-89d8-49b3-be31-4072a5d4ea84
2005-10-30 오후 2:19:14 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
2005-11-11 오전 1:34:38 RHS 13698 C:\WINDOWS\system32\Restore\filelist.xml
2005-11-29 오후 2:39:08 H 6 C:\WINDOWS\Tasks\SA.DAT
2005-11-22 오전 1:02:30 HS 9216 C:\WINDOWS\Web\Thumbs.db

Checking for CPL files...
Microsoft Corporation 2002-08-31 오후 9:00:00 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 2002-08-31 오후 9:00:00 570880 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 2002-08-31 오후 9:00:00 124416 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 2002-09-24 오후 1:30:16 151040 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 2002-08-31 오후 9:00:00 291840 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 2002-08-31 오후 9:00:00 114688 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 2002-11-22 오후 2:48:08 111104 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 2002-08-31 오후 9:00:00 63488 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 2002-08-31 오후 9:00:00 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 2002-08-31 오후 9:00:00 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 2002-08-31 오후 9:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 2002-08-31 오후 9:00:00 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 2002-08-31 오후 9:00:00 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 2002-08-31 오후 9:00:00 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 2002-08-31 오후 9:00:00 257024 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 2002-08-31 오후 9:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 2002-08-31 오후 9:00:00 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
IBM Corporation 2002-09-04 오전 1:05:00 61440 C:\WINDOWS\SYSTEM32\tp4ex.cpl
IBM Corp. 2002-11-01 오전 1:31:00 34816 C:\WINDOWS\SYSTEM32\TP98.CPL
Microsoft Corporation 2005-05-26 오전 4:16:34 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
2002-11-22 오후 5:46:40 HS 84 C:\Documents and Settings\All Users\시작 메뉴\프로그램\시작프로그램\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
2002-11-22 오후 5:36:12 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
2002-11-22 오후 5:46:40 HS 84 C:\Documents and Settings\진소영\시작 메뉴\프로그램\시작프로그램\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
2002-11-22 오후 5:36:12 HS 62 C:\Documents and Settings\진소영\Application Data\desktop.ini
2005-11-24 오전 7:48:22 477848 C:\Documents and Settings\진소영\Application Data\Sskknwrd.dll
2005-11-24 오전 8:35:58 46 C:\Documents and Settings\진소영\Application Data\Sskuknwrd.dll

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
FreeprodTB =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fgyktnng
{ea52656b-e86a-4b68-9ab0-435659fa80b7} = C:\WINDOWS\System32\fgmkr.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
시작 메뉴 추가 = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2296428D-C133-4928-B76A-A200FF409572}
XBTP07618 Class = C:\PROGRA~1\FREEPR~1\freeprod.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}
DriveLetterAccess = C:\WINDOWS\system32\dla\tfswshx.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3}
= C:\WINDOWS\system32\92md.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C56C7728-DA03-FA21-A320-BFB5DA591908}
= C:\WINDOWS\Wcxhpgxm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
잠깐만(&T) = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
{8E718888-423F-11D2-876E-00A0C9082467} = 라디오(&R) : C:\WINDOWS\System32\msdxm.ocx
{77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} = Freeprod Toolbar : C:\Program Files\Freeprod Toolbar\freeprod.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
미디어 밴드 = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
파일 검색 탐색기 밴드 = %SystemRoot%\system32\SHELL32.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = 주소(&A) : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = 연결(&L) : %SystemRoot%\system32\SHELL32.dll
{77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} = Freeprod Toolbar : C:\Program Files\Freeprod Toolbar\freeprod.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NPDTRAY C:\PROGRA~1\ThinkPad\UTILIT~1\NPDTray.exe
TPTRAY C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
winsync C:\WINDOWS\System32\wyaori.exe reg_run

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe C:\WINDOWS\System32\ctfmon.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^시작 메뉴^프로그램^시작프로그램^Microsoft Office.lnk
path C:\Documents and Settings\All Users\시작 메뉴\프로그램\시작프로그램\Microsoft Office.lnk
backup C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\MICROS~2\Office10\OSA.EXE -b -l
item Microsoft Office

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AGRSMMSG
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AGRSMMSG
hkey HKLM
command AGRSMMSG.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AGRSMMSG
hkey HKLM
command AGRSMMSG.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ATIModeChange
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Ati2mdxx
hkey HKLM
command Ati2mdxx.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Ati2mdxx
hkey HKLM
command Ati2mdxx.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ATIPTA
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item atiptaxx
hkey HKLM
command C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item atiptaxx
hkey HKLM
command C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BluetoothAuthenticationAgent
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item rundll32
hkey HKLM
command rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item rundll32
hkey HKLM
command rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BMMGAG
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item pwrmonit
hkey HKLM
command RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item pwrmonit
hkey HKLM
command RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CAS2
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item System
hkey HKCU
command "C:\Program Files\System Files\System.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item System
hkey HKCU
command "C:\Program Files\System Files\System.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ccApp
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ccApp
hkey HKLM
command "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ccApp
hkey HKLM
command "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ccRegVfy
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ccRegVfy
hkey HKLM
command "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ccRegVfy
hkey HKLM
command "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\dla
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item tfswctrl
hkey HKLM
command C:\WINDOWS\system32\dla\tfswctrl.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item tfswctrl
hkey HKLM
command C:\WINDOWS\system32\dla\tfswctrl.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\EZEJMNAP
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item EzEjMnAp
hkey HKLM
command C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item EzEjMnAp
hkey HKLM
command C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Hrtu
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item eers
hkey HKCU
command "C:\Program Files\rdrr\eers.exe" -vt yazr
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item eers
hkey HKCU
command "C:\Program Files\rdrr\eers.exe" -vt yazr
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ibmmessages
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ibmmessages
hkey HKLM
command C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ibmmessages
hkey HKLM
command C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\imekrmig
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item imekrmig
hkey HKLM
command C:\Program Files\Common Files\Microsoft Shared\IME\IMKR\imekrmig.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item imekrmig
hkey HKLM
command C:\Program Files\Common Files\Microsoft Shared\IME\IMKR\imekrmig.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IMEKRMIG6.1
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IMEKRMIG
hkey HKLM
command C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IMEKRMIG
hkey HKLM
command C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IMJPMIG8.1
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IMJPMIG
hkey HKLM
command "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IMJPMIG
hkey HKLM
command "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MAAgent
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MAAgent
hkey HKLM
command C:\Program Files\MarkAny\ContentSAFER\MAAgent.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MAAgent
hkey HKLM
command C:\Program Files\MarkAny\ContentSAFER\MAAgent.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSPY2002
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ImScInst
hkey HKLM
command C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ImScInst
hkey HKLM
command C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NBJ
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NBJ
hkey HKCU
command "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NBJ
hkey HKCU
command "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NeroFilterCheck
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NeroCheck
hkey HKLM
command C:\WINDOWS\system32\NeroCheck.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NeroCheck
hkey HKLM
command C:\WINDOWS\system32\NeroCheck.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NPDTray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NPDTray
hkey HKLM
command C:\PROGRA~1\ThinkPad\UTILIT~1\NPDTray.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NPDTray
hkey HKLM
command C:\PROGRA~1\ThinkPad\UTILIT~1\NPDTray.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PHIME2002A
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TINTSETP
hkey HKLM
command C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TINTSETP
hkey HKLM
command C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PHIME2002ASync
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TINTSETP
hkey HKLM
command C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TINTSETP
hkey HKLM
command C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Plook
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Plook
hkey HKLM
command C:\Program Files\PLook\Plook.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Plook
hkey HKLM
command C:\Program Files\PLook\Plook.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QCWLICON
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item QCWLICON
hkey HKLM
command C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item QCWLICON
hkey HKLM
command C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\S3TRAY2
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item S3Tray2
hkey HKLM
command S3Tray2.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item S3Tray2
hkey HKLM
command S3Tray2.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\services32
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mc-110-12-0000122
hkey HKCU
command C:\Program Files\Common Files\Windows\mc-110-12-0000122.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mc-110-12-0000122
hkey HKCU
command C:\Program Files\Common Files\Windows\mc-110-12-0000122.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\snss Launcher
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item snss
hkey HKLM
command "C:\Program Files\snss\snss.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item snss
hkey HKLM
command "C:\Program Files\snss\snss.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\StorageGuard
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item sgtray
hkey HKLM
command "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item sgtray
hkey HKLM
command "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SurfSideKick 3
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Ssk
hkey HKLM
command C:\Program Files\SurfSideKick 3\Ssk.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Ssk
hkey HKLM
command C:\Program Files\SurfSideKick 3\Ssk.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Symantec NetDriver Monitor
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SNDMon
hkey HKLM
command C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SNDMon
hkey HKLM
command C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SynTPEnh
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SynTPEnh
hkey HKLM
command C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SynTPEnh
hkey HKLM
command C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SynTPLpr
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SynTPLpr
hkey HKLM
command C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SynTPLpr
hkey HKLM
command C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TP4EX
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item tp4ex
hkey HKLM
command tp4ex.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item tp4ex
hkey HKLM
command tp4ex.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TPHOTKEY
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TPHKMGR
hkey HKLM
command C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TPHKMGR
hkey HKLM
command C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TPKMAPMN
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TpKmapMn
hkey HKLM
command C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TpKmapMn
hkey HKLM
command C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TPTRAY
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TP98TRAY
hkey HKLM
command C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TP98TRAY
hkey HKLM
command C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\winsync
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item wyaori
hkey HKLM
command C:\WINDOWS\System32\wyaori.exe reg_run
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item wyaori
hkey HKLM
command C:\WINDOWS\System32\wyaori.exe reg_run
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 2005-11-29 오후 2:50:12



Trackqoo:



REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NPDTRAY"="C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\NPDTray.exe"
"TPTRAY"="C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\TP98TRAY.EXE"
"winsync"="C:\\WINDOWS\\System32\\wyaori.exe reg_run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- fgyktnng
{ea52656b-e86a-4b68-9ab0-435659fa80b7}
C:\WINDOWS\System32\fgmkr.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}
C:\Program Files\Norton AntiVirus\NavShExt.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
시작 메뉴 추가
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\시작 메뉴\프로그램\시작프로그램

desktop.ini
==============================
C:\Documents and Settings\진소영\시작 메뉴\프로그램\시작프로그램

desktop.ini
desktop.ini
==============================
C:\WINDOWS\system32 cpl files


access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
tp4ex.cpl IBM Corporation
TP98.CPL IBM Corp.
wuaucpl.cpl Microsoft Corporation

#10 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 30 November 2005 - 03:32 PM

Boot into Safe Mode

Double-click on Killbox.exe to run it.
Now put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confirmation to delete the file.
Click Yes.
Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.


C:\WINDOWS\SYSTEM32\8zht.sys
C:\WINDOWS\System32\fgmkr.dll
C:\WINDOWS\Wcxhpgxm.dll
C:\Program Files\Freeprod Toolbar\freeprod.dll
C:\WINDOWS\System32\wyaori.exe


Make sure that you can see hidden files (Windows XP).
  • Click "Start".
  • Click "My Computer".
  • Select the "Tools" menu and click "Folder Options".
  • Select the "View" tab.
  • Under the "Hidden files and folders" heading, select "Show hidden files and folders".
  • Uncheck the "Hide protected operating system files (recommended)" option.
  • Click "Yes" to confirm.
  • Uncheck the "Hide file extensions for known file types".
  • Click "OK".

Search for these two files:

Sskuknwrd.dll
Sskknwrd.dll

Delete if found! :thumbsup:

Reboot and post a new HJT log

David

#11 jkm03

  • Topic Starter
  • Members
  • 8 posts

Posted 30 November 2005 - 08:44 PM

Hi David, I tried deleting the list of programs you told me to; however, all but one said "file doesn't exist".

I also searched for the sskknwrd, sskuknwrd and couldn't find them.

Any suggestions?

Here's my HJT logfile:

Logfile of HijackThis v1.99.1
Scan saved at 오전 10:37:15, on 2005-12-01
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\NPDTray.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\진소영\My Documents\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: XBTP07618 - {2296428D-C133-4928-B76A-A200FF409572} - C:\PROGRA~1\FREEPR~1\freeprod.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\92md.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C56C7728-DA03-FA21-A320-BFB5DA591908} - C:\WINDOWS\Wcxhpgxm.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: 라디오(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll (file missing)
O4 - HKLM\..\Run: [NPDTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\NPDTray.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\wyaori.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {091CDD73-1401-4643-9B9C-65B091C88685} (MyLinker Control) - http://imbc.contents.mylinker.co.kr/module/MyLinker.cab
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.conpia.com/0401/component/AlwaysOn.CAB
O16 - DPF: {340CCF52-D65F-4A11-80B3-13DC23697B59} (BugsInstall Control) - http://player.bugs.co.kr/install/BugsInstall_2005_11_06.cab
O16 - DPF: {474AD63A-9B7E-40FE-8E4E-7067CC0F8D3D} (IB_OnAir.IBOnAir) - http://ionair.sbs.co.kr/new_onair/IB_OnAir.CAB
O16 - DPF: {51C99F40-9E0E-4BF1-A92A-77121CC01AD0} (IMBCClient Control) - http://touch.imbc.com/ocx/Online.cab
O16 - DPF: {5C899971-E9D6-4496-8077-98378408E340} (MPControl Control) - http://mplay.sbs.co.kr/players/SBSiMPControl.cab
O16 - DPF: {5D9446DB-E849-4B95-9872-D0C21343ABF0} (MAWizard Class) - http://www.csafer.net/ActiveX/MASetupWizard.cab
O16 - DPF: {858033B9-13BC-4DFE-B62A-78E1FAA0DFD7} (MABugsDownload Control) - http://www.csafer.net/activex/mabugsdownload.cab
O16 - DPF: {85F5F47F-D57F-42D2-B2DD-AFD7BC536DE0} (Zchkrec Control) - http://www.conpia.com/0401/player/zchkrec.cab
O16 - DPF: {87B9BA5F-0028-4CA2-8FC3-E07658AB4D4E} (소리바다 오르골 웹 패키지 설치 컨트롤) - http://download.soribada.com/down/Orgel/SBORGELI.OCX
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9_1/dmcc2.cab?Version=1,0,0,10
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/XTools.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://209.190.18.194/PopupSh.ocx
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworld.nate.com/cymusic/package/skcbgmset.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B869F34A-A5AD-47B8-AC46-FF5A614F3D44} (MPIClient Control) - https://mpi.tgcorp.com/mall/MPIClient.cab
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/bugsLoader20041018.cab
O16 - DPF: {CF362BDB-4EA2-11D5-AB47-000102913414} (SetGlb Control) - http://touch.imbc.com/ocx/SetGlb.cab
O16 - DPF: {D8F001C6-43B1-4CFD-9DAF-C8BEAE0E2B6D} (Touch Control) - http://touch.imbc.com/ocx/test/Online.cab
O16 - DPF: {DA54C9C1-8109-43C9-9C80-E4210CEDF147} (EzwonSession Control) - http://wedisk.co.kr/app/EzwonSessionCtl.cab
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - https://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {8253D547-38DD-4325-B35A-F1817EDFA5F5} - C:\Program Files\System Files\plugin.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Norton AntiVirus 자동 보호 서비스 (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

#12 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 01 December 2005 - 01:17 PM

Ok, we'll try this way once more, then we'll have to try a different approach as this isn't working! :thumbsup:

With IE closed, run Hijack This again.
Put a checkmark on these entries and hit "fix checked":

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: XBTP07618 - {2296428D-C133-4928-B76A-A200FF409572} - C:\PROGRA~1\FREEPR~1\freeprod.dll (file missing)
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\92md.dll (file missing)
O2 - BHO: (no name) - {C56C7728-DA03-FA21-A320-BFB5DA591908} - C:\WINDOWS\Wcxhpgxm.dll (file missing)
O3 - Toolbar: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll (file missing)
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\wyaori.exe reg_run
O16 - DPF: {091CDD73-1401-4643-9B9C-65B091C88685} (MyLinker Control) - http://imbc.contents.mylinker.co.kr/module/MyLinker.cab
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.conpia.com/0401/component/AlwaysOn.CAB
O16 - DPF: {340CCF52-D65F-4A11-80B3-13DC23697B59} (BugsInstall Control) - http://player.bugs.co.kr/install/BugsInstall_2005_11_06.cab
O16 - DPF: {474AD63A-9B7E-40FE-8E4E-7067CC0F8D3D} (IB_OnAir.IBOnAir) - http://ionair.sbs.co.kr/new_onair/IB_OnAir.CAB
O16 - DPF: {858033B9-13BC-4DFE-B62A-78E1FAA0DFD7} (MABugsDownload Control) - http://www.csafer.net/activex/mabugsdownload.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://209.190.18.194/PopupSh.ocx
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/bugsLoader20041018.cab
O16 - DPF: {CF362BDB-4EA2-11D5-AB47-000102913414} (SetGlb Control) - http://touch.imbc.com/ocx/SetGlb.cab
O16 - DPF: {D8F001C6-43B1-4CFD-9DAF-C8BEAE0E2B6D} (Touch Control) - http://touch.imbc.com/ocx/test/Online.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {8253D547-38DD-4325-B35A-F1817EDFA5F5} - C:\Program Files\System Files\plugin.dll

_____________________

Boot into Safe Mode

Double-click on Killbox.exe to run it.
Now put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confirmation to delete the file.
Click Yes.
Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\System32\wyaori.exe
C:\Program Files\System Files\plugin.dll


Reboot to normal mode and post a new log

David
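A note on why the two posts above change tactics: almost every entry in the fix list carries HijackThis's "(file missing)" or "(no file)" marker, meaning the file itself was already removed (which is why Killbox kept answering "file doesn't exist"), while the registry or COM reference that loads it is still there. That leftover reference is what "fix checked" removes. The script below is an added example, not HijackThis code and not from anyone in this thread: it parses lines copied from the log in post #11, separates entries whose file is gone from those whose file is still on disk, groups them by section, and strips arguments from O4 Run commands. The parsing rules are my own reading of the log format as it appears in this thread, not a documented specification.

```python
"""Triage helper for HijackThis-style log lines (added example for this thread).

Not HijackThis code and not from any post above. Groups autostart entries by
section, separates entries whose target file HijackThis reports as missing
("(file missing)" / "(no file)") from entries whose file is still on disk,
and pulls the executable path out of O4 Run commands. The parsing rules are
my own reading of the log format shown in this thread, not a specification.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed test input: lines copied from the HijackThis log in post #11.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: XBTP07618 - {2296428D-C133-4928-B76A-A200FF409572} - C:\PROGRA~1\FREEPR~1\freeprod.dll (file missing)
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\92md.dll (file missing)
O3 - Toolbar: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll (file missing)
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\wyaori.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {8253D547-38DD-4325-B35A-F1817EDFA5F5} - C:\Program Files\System Files\plugin.dll
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)
"""

# Markers HijackThis appends when a registry/COM reference points at a file it cannot find.
MISSING_MARKERS = ("(file missing)", "(no file)")


@dataclass
class Entry:
    section: str    # HijackThis section code, e.g. "O2", "O4"
    line: str       # the log line exactly as it would be ticked in HijackThis
    target: str     # file or command the entry points at ("" if none was recorded)
    orphaned: bool  # True when the reference survives but its file is gone


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for header, blank and process-list lines."""
    line = line.strip()
    m = re.match(r"^(?P<sec>[RFNO]\d+) - (?P<body>.+)$", line)
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec == "O4":
        # O4 lines look like: HKLM\..\Run: [name] command
        o4 = re.match(r"^\S+: \[[^\]]+\] (?P<cmd>.*)$", body)
        target = o4.group("cmd") if o4 else body
    else:
        # Other sections end with " - <file>" or " - (no file)"
        target = body.rsplit(" - ", 1)[-1]
    orphaned = False
    for marker in MISSING_MARKERS:
        if target.endswith(marker):
            orphaned = True
            target = target[: -len(marker)].strip()
    return Entry(sec, line, target.strip('"'), orphaned)


def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def orphaned_entries(entries: List[Entry]) -> List[Entry]:
    """Entries whose file is already gone. Deleting the file again changes nothing
    (Killbox reports it as non-existent); the leftover reference itself has to go."""
    return [e for e in entries if e.orphaned]


def executable_of(command: str) -> str:
    r"""Drop arguments from a Run command: 'C:\x\y.exe reg_run' -> 'C:\x\y.exe'."""
    m = re.match(r'^"?(?P<exe>.+?\.(?:exe|dll|ocx|cpl|sys|acm|com|bat))"?(?:\s+.*)?$',
                 command, re.IGNORECASE)
    return m.group("exe") if m else command


def by_section(entries: List[Entry]) -> Dict[str, List[Entry]]:
    groups: Dict[str, List[Entry]] = {}
    for e in entries:
        groups.setdefault(e.section, []).append(e)
    return groups


def report(entries: List[Entry]) -> List[str]:
    """One summary line per section, then every orphaned entry with its dead path."""
    out = []
    for sec, group in sorted(by_section(entries).items(),
                             key=lambda kv: (kv[0][0], int(kv[0][1:]))):
        out.append(f"{sec}: {len(group)} entries, {sum(e.orphaned for e in group)} orphaned")
    for e in orphaned_entries(entries):
        out.append(f"  orphaned {e.section}: {e.target or '(no file recorded)'}")
    return out


if __name__ == "__main__":
    print("\n".join(report(parse_log(SAMPLE_LOG))))
```

Run it on a full saved log (`parse_log(open("hijackthis.log").read())`) and the orphaned list is the set of entries that no file deletion can clear; the entries that are not orphaned are the ones where a file is still present and worth looking at before anything is removed.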

#13 jkm03

  • Topic Starter
  • Members
  • 8 posts

Posted 03 December 2005 - 11:09 PM

There's this folder called "!KillBox" that has a subfolder called logs and then some icons with names I recall deleting. Some of the icons are named: 8zht.sys, fgmkr.dll, 92md.dll, snss.exe, wyaori.exe, lp09a40.exe, ...etc. Should I delete these icons? Are they backups? Do I need them?

Here's the Killbox log:

Pocket Killbox version 2.0.0.473
Running on Windows XP As an Administrator
was started @ Monday, November 28, 2005, 7:56 AM

# 1 [Files to Delete]
Path = C:\WINDOWS\8zht.sys
*File Was Deleted

# 2 [Files to Delete]
Path = C:\WINDOWS\SYSTEM32\lp09a40.exe
*File Was Deleted

# 3 [Files to Delete]
Path = C:\WINDOWS\SYSTEM32\msaud32_divx.acm
*File Was Deleted

# 4 [Files to Delete]
Path = C:\WINDOWS\SYSTEM32\nsz47.dll
*File Was Deleted

# 5 [Files to Delete]
Path = C:\WINDOWS\system32\92md.dll
*File Was Deleted

# 6 [Files to Delete]
Path = C:\WINDOWS\system32\uo721.exe
*File Was Deleted

# 7 [Files to Delete]
Path = C:\WINDOWS\System32\fgmkr.dll
*File Was Deleted

# 8 [Files to Delete]
Path = C:\WINDOWS\system32\92md.dll
*This file does not seem to exist

# 9 [Files to Delete]
Path = C:\WINDOWS\system32\92md.dll
*This file does not seem to exist

# 10 [Files to Delete]
Path = C:\Program Files\Freeprod
*This file does not seem to exist

# 11 [Files to Delete]
Path = C:\Program Files\Freeprod Toolbar\freeprod.dll
*This file does not seem to exist

# 12 [Files to Delete]
Path = C:\Program Files\Freeprod Toolbar\freeprod.dll
*This file does not seem to exist

# 13 [Files to Delete]
Path = C:\WINDOWS\System32\wyaori.exe
*File Was Deleted

# 14 [Files to Delete]
Path = C:\Program Files\System Files\System.exe
*This file does not seem to exist

# 15 [Files to Delete]
Path = C:\Program Files\rdrr\eers.exe
*This file does not seem to exist

# 16 [Files to Delete]
Path = C:\Program Files\rdrr\eers.exe
*This file does not seem to exist

# 17 [Files to Delete]
Path = C:\Program Files\PLook\Plook.exe
*This file does not seem to exist

# 18 [Files to Delete]
Path = C:\Program Files\Common Files\Windows\mc-110-12-0000122.exe
*This file does not seem to exist

# 19 [Files to Delete]
Path = C:\Program Files\snss\snss.exe
*File Was Deleted

# 20 [Files to Delete]
Path = C:\Program Files\SurfSideKick 3\Ssk
*This file does not seem to exist

# 21 [Files to Delete]
Path = C:\Documents and Settings\진소영\ApplicationData\Sskknwrd.dll
*This file does not seem to exist

Killbox Closed(Exit) @ 8:07:39 AM
__________________________________________________

Pocket Killbox version 2.0.0.473
Running on Windows XP As an Administrator
was started @ Thursday, December 01, 2005, 9:27 AM

# 1 [Files to Delete]
Path = C:\WINDOWS\SYSTEM32\8zht.sys
*File Was Deleted

# 2 [Files to Delete]
Path = C:\WINDOWS\System32\fgmkr.dll
*This file does not seem to exist

# 3 [Files to Delete]
Path = C:\WINDOWS\System32\fgmkr.dll
*This file does not seem to exist

# 4 [Files to Delete]
Path = C:\WINDOWS\Wcxhpgxm.dll
*This file does not seem to exist

# 5 [Files to Delete]
Path = C:\Program Files\Freeprod Toolbar\freeprod.dll
*This file does not seem to exist

Killbox Closed(Exit) @ 9:31:31 AM
__________________________________________________

Pocket Killbox version 2.0.0.473
Running on Windows XP As an Administrator
was started @ Thursday, December 01, 2005, 9:35 AM

# 1 [Files to Delete]
Path = C:\WINDOWS\System32\fgmkr.dll
*This file does not seem to exist

# 2 [Files to Delete]
Path = C:\WINDOWS\System32\wyaori.exe
*This file does not seem to exist

Killbox Closed(Exit) @ 9:36:43 AM
__________________________________________________

Pocket Killbox version 2.0.0.473
Running on Windows XP As an Administrator
was started @ Thursday, December 01, 2005, 9:40 AM

# 1 [Files to Delete]
Path = C:\WINDOWS\Wcxhpgxm.dll
*This file does not seem to exist

Killbox Closed(Exit) @ 9:44:28 AM
__________________________________________________

Pocket Killbox version 2.0.0.473
Running on Windows XP As an Administrator
was started @ Sunday, December 04, 2005, 12:48 PM

# 1 [Files to Delete]
Path = C:\WINDOWS\System32\wyaori.exe
*This file does not seem to exist

# 2 [Files to Delete]
Path = C:\Program Files\System Files\plugin.dll
*File Was Deleted

# 3 [Files to Delete]
Path = C:\WINDOWS\System32\wyaori.exe
*This file does not seem to exist

Killbox Closed(Exit) @ 12:50:01 PM
__________________________________________________


Logfile of HijackThis v1.99.1
Scan saved at 오후 12:57:41, on 2005-12-04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\NPDTray.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\진소영\My Documents\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: 라디오(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NPDTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\NPDTray.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {51C99F40-9E0E-4BF1-A92A-77121CC01AD0} (IMBCClient Control) - http://touch.imbc.com/ocx/Online.cab
O16 - DPF: {5C899971-E9D6-4496-8077-98378408E340} (MPControl Control) - http://mplay.sbs.co.kr/players/SBSiMPControl.cab
O16 - DPF: {5D9446DB-E849-4B95-9872-D0C21343ABF0} (MAWizard Class) - http://www.csafer.net/ActiveX/MASetupWizard.cab
O16 - DPF: {85F5F47F-D57F-42D2-B2DD-AFD7BC536DE0} (Zchkrec Control) - http://www.conpia.com/0401/player/zchkrec.cab
O16 - DPF: {87B9BA5F-0028-4CA2-8FC3-E07658AB4D4E} (소리바다 오르골 웹 패키지 설치 컨트롤) - http://download.soribada.com/down/Orgel/SBORGELI.OCX
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9_1/dmcc2.cab?Version=1,0,0,10
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/XTools.cab
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworld.nate.com/cymusic/package/skcbgmset.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B869F34A-A5AD-47B8-AC46-FF5A614F3D44} (MPIClient Control) - https://mpi.tgcorp.com/mall/MPIClient.cab
O16 - DPF: {DA54C9C1-8109-43C9-9C80-E4210CEDF147} (EzwonSession Control) - http://wedisk.co.kr/app/EzwonSessionCtl.cab
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - https://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Norton AntiVirus 자동 보호 서비스 (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

#14 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:04:54 AM

Posted 04 December 2005 - 09:57 AM

Good Job! :thumbsup:

I see a clean log! :flowers: :trumpet:

Empty these folders:

C:\!KillBox
C:\!Submit
____________

How's everything running?

David

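The "clean log" call above comes from reading the HijackThis entries by section: O23 services whose binary is missing or whose owner is unknown, O16 ActiveX downloads from arbitrary hosts, and O4 Run keys are the lines a helper checks first. The following Python is an added example written for this thread, not a tool from BleepingComputer or from the HijackThis project; the sample log it parses is constructed from a few lines of the format seen in the post above, and the report keys (`stale_services`, `unknown_owner_services`, `activex_hosts`, `run_keys`) are names chosen here.

```python
"""Triage a HijackThis v1.99-style log: pull out the entries a reviewer looks at first.

Added example for this thread; it is not HijackThis code. The sample log below is
constructed in the HijackThis line format, using a handful of entries of the kind
posted in the thread.
"""
import re
from urllib.parse import urlparse

# Constructed sample log (HijackThis v1.99.1 format); the "(file missing)" service
# and the "Unknown owner" services are the cases the triage is meant to surface.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O16 - DPF: {51C99F40-9E0E-4BF1-A92A-77121CC01AD0} (IMBCClient Control) - http://touch.imbc.com/ocx/Online.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
"""

# Every HijackThis finding is "Onn - <body>"; process listings and headers are not.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_entries(log_text):
    """Yield (section, body) for each 'Onn - ...' line; other lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def parse_service(body):
    """Split an O23 body into (display name, owner, path, file_missing).

    Format: 'Service: <name> - <owner> - <path>[ (file missing)]'. The path is
    split off from the right so a ' - ' inside the display name cannot confuse it.
    """
    text = body[len("Service: "):] if body.startswith("Service: ") else body
    missing = text.endswith("(file missing)")
    if missing:
        text = text[: -len("(file missing)")].rstrip()
    name, owner, path = text.rsplit(" - ", 2)
    return name, owner, path, missing


def triage(log_text):
    """Return the entries worth a second look, grouped by why they were flagged."""
    report = {
        "stale_services": [],          # service registered but binary gone
        "unknown_owner_services": [],  # no publisher recorded; verify the binary
        "activex_hosts": [],           # hosts IE has been allowed to install ActiveX from
        "run_keys": [],                # autostart entries
    }
    for section, body in parse_entries(log_text):
        if section == "O23":
            name, owner, path, missing = parse_service(body)
            if missing:
                report["stale_services"].append((name, path))
            if owner == "Unknown owner":
                report["unknown_owner_services"].append((name, path))
        elif section == "O16":
            # Body ends with ' - <download URL>'; keep only the host for review.
            url = body.rsplit(" - ", 1)[-1]
            report["activex_hosts"].append(urlparse(url).hostname)
        elif section == "O4":
            report["run_keys"].append(body)
    return report


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(f"{key}:")
        for item in items:
            print("   ", item)
```

A flagged line is a review item, not a verdict: the stale PLSRemote registration in the thread's log is harmless leftover from an uninstalled product and is why the helper could still call the log clean, while an "Unknown owner" service simply means HijackThis found no publisher string and the binary should be checked by hand.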
#15 jkm03

jkm03
  • Topic Starter

  • Members
  • 8 posts
  • Local time:10:54 PM

Posted 07 December 2005 - 10:18 PM

:thumbsup: :bike: :idea: :woot: :flowers: :trumpet: :inlove: :cool:

Hey, thanks David. :)

