Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HijackThis Logs Please help


  • This topic is locked This topic is locked
1 reply to this topic

#1 he43200

he43200

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:03 AM

Posted 20 October 2004 - 02:41 PM

Hi! Derf

Thanks for all your help..

I need your help for this HijackThis Logs ASAP.


Logfile of HijackThis v1.98.2
Scan saved at 오후 3:26:24, on 2004-10-20
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\toshiba\ivp\ISM\pinger.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\AhnLab\Smart Update Utility\AhnSD.exe
C:\PROGRA~1\Ahnlab\V3\MonSysNT.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\MonsterTV\montv.exe
C:\WINDOWS\System32\conime.exe
C:\Program Files\AhnLab\Smart Update Utility\Ahnsdsv.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Ahnlab\V3\MonSvcNT.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\He43200\My Documents\hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Pinger] C:\toshiba\ivp\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [AHNSD] "C:\Program Files\AhnLab\Smart Update Utility\AhnSD.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted Zone: http://www.gopd.co.kr
O15 - Trusted Zone: http://adrenalin.pdbox.co.kr
O15 - Trusted Zone: http://bbs.pdbox.co.kr
O15 - Trusted Zone: http://bbs2.pdbox.co.kr
O15 - Trusted Zone: http://bbs3.pdbox.co.kr
O15 - Trusted Zone: http://bbs4.pdbox.co.kr
O15 - Trusted Zone: http://client.pdbox.co.kr
O15 - Trusted Zone: http://cp.pdbox.co.kr
O15 - Trusted Zone: http://find.pdbox.co.kr
O15 - Trusted Zone: http://ftp2.pdbox.co.kr
O15 - Trusted Zone: http://gopd.pdbox.co.kr
O15 - Trusted Zone: http://help.pdbox.co.kr
O15 - Trusted Zone: http://mboard.pdbox.co.kr
O15 - Trusted Zone: http://media.cp.pdbox.co.kr
O15 - Trusted Zone: http://mfind.pdbox.co.kr
O15 - Trusted Zone: http://my.pdbox.co.kr
O15 - Trusted Zone: http://point.pdbox.co.kr
O15 - Trusted Zone: http://shop.pdbox.co.kr
O15 - Trusted Zone: http://side.pdbox.co.kr
O15 - Trusted Zone: http://www.pdbox.co.kr
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {021D0DFA-A386-43CC-BF60-C9CDB24D48B9} (FreeBBS Control) - http://pdslist-download.korea.com/Freebbs/...510/BBSList.cab
O16 - DPF: {02F47BAC-7A71-4A36-AD16-6026879353B2} (PersonalVideoManager Control) - http://www.cinewel.com/player/pvm_activex/...ideoManager.cab
O16 - DPF: {091CDD73-1401-4643-9B9C-65B091C88685} (MyLinker Control) - http://sbsi.contents.mylinker.co.kr/module/MyLinker.cab
O16 - DPF: {0F1DC5CC-9123-4F19-A560-0308B04F9A93} (HotInstallX Control) - http://www.hotdisk.co.kr/HotDiskX/HotInstallX.cab
O16 - DPF: {1CF034F9-79AC-427B-9A51-9B909EC3CF85} (WebMSN_IEObj Class) - http://blogimgs.naver.com/msg/Webmsn_comp_1_0_0_6.CAB
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.zeromovie.com/obj/zero.CAB
O16 - DPF: {2C197E55-080B-42A4-BFD0-9595B3534CF4} (KVPplugin00 Control) - https://www.vpay.co.kr/KVPplugin01.cab
O16 - DPF: {31FA72F5-BE46-4D6D-A10D-857C8D6F4BFA} (OrangeFileSearch Control) - http://www.orangefile.com/ActiveX/OrangeFileSearch.cab
O16 - DPF: {39754900-6FD9-4055-9089-6011A6C05B1A} (TTA Control) - http://pctt.ipop.co.kr/runbin/tta.cab
O16 - DPF: {3EFC2239-B769-469F-A5E6-38693AE0B9DE} (Sysinfo2 Control) - http://speed.nca.or.kr/login/sysinfo2.cab
O16 - DPF: {49EA1597-4149-42FC-A01D-A03E07980D37} (WiseInstaller Class) - http://www.wisebook.com/DownloadFiles/view...seInstaller.dll
O16 - DPF: {50CCFB7C-2BBC-420D-AEF7-BE13599696ED} (ActivePDS Control) - http://www.coolpy.com/program/ActivePDS.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095264712449
O16 - DPF: {642BA26B-F76D-4E0D-8421-B24CA1A82EF0} (ChatClubYahoo Control) - http://kr.talk.club.yahoo.com/OPI/ChatClubYahoo.cab
O16 - DPF: {66B30EA0-C033-4D4B-9F90-EA0AF07363AF} (BugsMediaPlayer Control) - http://starbbs.isp.st/lib/BugsOggPlay_6.CAB
O16 - DPF: {6AD92401-CE2D-452B-AA63-1291D60EC2D2} (AxINIplugin40 Control) - http://member.nate.com/initech/plugin/axINIplugin40.cab
O16 - DPF: {6B5C8E55-A33E-4C27-AACD-C947BA30C379} (NDoc Blog) - http://www.1472.com/NDocCtrl.cab
O16 - DPF: {6F4863C1-482C-4744-8946-4AEA34DF1A16} (FreechalOn Class) - http://login.freechal.com/freechalon/FcOnCtl8.cab
O16 - DPF: {714A816C-00C1-4EB0-BAC7-2602CACC0928} (HotDiskX Control) - http://www.hotdisk.co.kr/HotX/HotDiskX.cab
O16 - DPF: {799BB2EC-572A-42A9-84AD-112806F4F551} (Imweb Control) - http://activexdown.paran.com/paranactivex/data/imweb.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} - http://download.softforum.co.kr/XecureObje...w50_install.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab
O16 - DPF: {8AE03B06-5BDA-44AA-B4AD-72BB01597451} (DaumQLauncher Control) - http://appupdate.popfolder.co.kr/download/DaumQ/DaumQAx.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab8/dmcc2.cab
O16 - DPF: {97745861-F1A6-45B2-8AD1-0C17334550E6} (YahooCabinet Control) - http://img.yahoo.co.kr/ycabinet/cab/YahooCabinet.cab
O16 - DPF: {9AEBAA67-8B4D-4884-9EB7-8C6BEA20CE5C} (FileManager Control) - http://club.nate.com/NetEditor.cab
O16 - DPF: {A977FF0C-8757-4E76-8533-482F91946233} (Pmang & SayClub Login Control) - http://dl.sayclub.com/sayclub/sayctl/sayax.cab
O16 - DPF: {C193DE20-29F4-4B4F-963B-EB20CB3186C0} (SpeedTest Control) - http://speed.nca.or.kr/speedtest/SpeedTest45.cab
O16 - DPF: {D572CD64-9310-4712-8FFC-A4F9DC9D4AC1} (QbicUpdate Control) - http://qbic.hanafos.com/component/QbicUpdate.CAB
O16 - DPF: {D68E9D4E-B2D0-467C-985E-D0D341E554D6} - http://vidr.net/preg/activex/vidrinst.cab
O16 - DPF: {DDE6FED7-88AB-405B-9D77-FD4CDA8B9EB5} (Qbic Control) - http://qbic.hanafos.com/component/Qbic.CAB
O16 - DPF: {ED1EEBEE-F0AA-474B-9829-61C482E72644} (PDBox25 Control) - http://www.pdbox.co.kr/filebox/ctrl_down/PDBox25.cab
O16 - DPF: {F480B021-E226-406F-A23D-22118518B736} (Login Control) - http://serverlist.kibs.net/dev/upgrade/vch...tivex/login.cab
O16 - DPF: {F68CACCC-C9A4-4A51-8EE9-694FF8A29248} (HDUpload Control) - http://qbic.hanafos.com/component/HDUpload.cab
O16 - DPF: {FA3543AF-F224-4FB1-BBBA-9794C0122DD0} (EmpasWebMessenger Control) - http://download.messenger.empas.com:8080/kplantwebmsgr.cab
O16 - DPF: {FC9BD724-1F5F-4EA9-BB56-B71C44094455} (CholFC Control) - http://club.chol.com/filectrl/CholFC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{318FB66D-701B-4400-9970-683A54996CF3}: NameServer = 24.95.80.41,24.95.80.49,65.24.0.163
O17 - HKLM\System\CS1\Services\Tcpip\..\{318FB66D-701B-4400-9970-683A54996CF3}: NameServer = 24.95.80.41,24.95.80.49,65.24.0.163

Also I have this error note from my notebook.

c:\windows\system32\autoexec.nt. the system file is not suitable for running ms-dos and microdoft windows applications

I try to install some program from CD.
Course, it didn't work.

Again, Thanks for all your help..

Gloria

BC AdBot (Login to Remove)

 


#2 CalamityKen

CalamityKen

  • Members
  • 128 posts
  • OFFLINE
  •  
  • Location:Whitby. Ont.
  • Local time:01:03 AM

Posted 20 October 2004 - 03:06 PM

he43200, welcome.

Please print this out and follow ALL these directions carefully.

The use of MSCONFIG as a Startup Manager is not recommended.

In each autostarted application (the O4 entries) go Tools or Options and uncheck the Start with Windows function.

If you really must use a Startup Manager then Mike Lin's Startup Control Panel is very good.
http://www.mlin.net/StartupCPL.shtml

As I do not know what is in c:\windows\system32\autoexec.nt I do not know what to recommend. Post its contents here.

Make sure 'show all files' is enabled:
http://service1.symantec.com/SUPPORT/tsgen...=&osv=&osv_lvl=

Boot into Safe Mode by tapping F8 key repeatedly at bootup.
More detailed instructions here:
http://service1.symantec.com/SUPPORT/tsgen...001052409420406

Start HijackThis and tick the boxes next to all these, then close all browser and explorer windows, and tell HijackThis to "Fix checked" if still present.

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

Reboot and Install the prevention protection below and help your friends from being infected on the Internet.

Empty the Recycle Bin.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there.
Index.dat Suite helps with this.
http://support.it-mate.co.uk/?mode=Products&p=index.datsuite

Insure that Index.dat Suite is Setup to empty the Temp folders especially
C:\Documents and Settings\{user}\Local Settings\Temp
then run the Find and create the run.bat and reboot to have it remove what it finds.

{user} is the He43200 User Account ID.
Removal of infections and prevention protection should be installed on ALL User Account IDS.

Download and install WinPatrol.
http://www.winpatrol.com

Browser settings for increased security:
http://bshagnasty.home.att.net/browsersettings.htm

Install IE-SPYAD then run the install.bat in the ie-spyad folder and SpywareBlaster then keep them up to date as today's Internet is full of nasty infections.
https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
http://www.javacoolsoftware.com/spywareblaster.html

Install WinXP Service Pack 2 and All Critical Updates.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users