Please review Hijackthis log (Pop-ups)

shnikes · 18th February 2005

First of all, thank god for a website like this.

I downloaded and installed a program called PortFlash, and somewhere along the
way I must have picked up a Trojan virus. That was fixed.

After installation, however, there were also popups, adwares, hijackers. I used several programs to detect and get rid of them. Some of the files that the programs was unable to erase or had erased but were there again after reboot, I erased manually in safe mode.

I still have popups (example: popuppers advertisement window64) and files running that have weird names.

Also, nothing works when I log-on to Windows for the first time. I can't open a file or a program without making it "freeze", and the web browser won't work. Only after I log-off (and this takes a long time) and log-on again will everything work. Last time I rebooted the computer rearranged my icons by itself!

Logfile of HijackThis v1.99.1
Scan saved at 오전 3:15:40, on 2005-02-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahnlab\Smart Update Utility\AhnSDsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\ATK0100\Hcontrol.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\SAMSUNG\Keydefin\KeyDefin.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\a64sddd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\JW\Application Data\tsnc.exe
C:\WINDOWS\system32\nνsvc32.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\JW\바탕 화면\HijackThis.exe

R3 - URLSearchHook: (no name) - {183D5161-0C62-4295-896C-44E7442CD6F2} - (no file)
O2 - BHO: (no name) - {4EFA6E35-FF87-8457-D2EC-F30A0778F7C5} - C:\WINDOWS\system32\pyqhlor.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: V3 - {9E3849D6-41EF-4B2F-86B7-632EF90758E4} - C:\Program Files\Ahnlab\V3\V3Bar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SAMSUNG Keydefin] C:\Program Files\SAMSUNG\Keydefin\KeyDefin.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [imekrmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMKR\imekrmig.exe
O4 - HKLM\..\Run: [mlr] C:\Program Files\uvoi\rbkc.exe
O4 - HKLM\..\Run: [czq] C:\Program Files\vzj\hzbxbr.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [popuppers64] C:\WINDOWS\a64sddd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Abwp] C:\Documents and Settings\JW\Application Data\tsnc.exe
O4 - HKCU\..\Run: [Aiign] C:\WINDOWS\system32\nνsvc32.exe
O4 - HKCU\..\Run: [joinsland] "C:\Program Files\CoolAgent\avachat-joinsland.exe" -env http://rss.joinsland.com/env.xml
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java 콘솔 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: http://*.sbs.co.kr
O15 - Trusted Zone: http://*.shinhan.com
O15 - Trusted Zone: http://*.shinhancard.com
O15 - Trusted Zone: http://*.buddybuddy.co.kr (HKLM)
O15 - Trusted Zone: http://www.lgqls.co.kr (HKLM)
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {0846A65F-F551-4FB6-B396-83E65D8C0609} (TvOnline Control) - http://www.everyzone.com/SpyVaccine/SpyVaccine.cab
O16 - DPF: {11FCE3E9-23B0-11D5-AE62-00A0C9394212} (Yessign Control) - http://www.yessign.or.kr/yessignCert/yessign.cab
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/...n/AlwaysOn.CAB
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2712EB12-3BD3-4003-8113-D23B30FACC62} (P3BugsLoad Class) - http://player.bugs.co.kr/player/cab/...er20040625.cab
O16 - DPF: {27E4B2A9-D554-40DE-B6CD-F11E9B44FBD0} (SimFileControl Control) - http://simfile.chol.com/down/SimFileControl.cab
O16 - DPF: {2882C368-D508-11D4-A2AB-000102598CE4} (LProtect Control) - http://update.nprotect.net/livecall2/livecall.cab
O16 - DPF: {2978B15B-B8A0-4966-B601-B72514958D9D} (Brunx Control) - http://rss.joinsland.com/brunx.cab
O16 - DPF: {2C197E55-080B-42A4-BFD0-9595B3534CF4} (KVPplugin00 Control) - http://www.vpay.co.kr/KVPplugin01.cab
O16 - DPF: {2C520C08-1ADA-4CEC-AFFD-D0D1BD268D60} (PDUpdate Control) - http://www.pdbox.co.kr/filebox/ctrl_down/PDUpdate.cab
O16 - DPF: {39A32A43-9D99-43E9-B0C9-D01BFF3C115B} (PrintManager Control) - http://image.shinhancard.com/shcard/...intManager.exe
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK3 Control) - http://image.shinhan.com/bank/etc/ke...4043/SCSK4.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/Activ...veLauncher.cab
O16 - DPF: {45FC3433-CC83-4D62-991A-BAE9F68EF710} (CrinityUpload Class) - http://mail.khu.ac.kr/activex/CrinityUpload.cab
O16 - DPF: {49233226-72EC-11D6-918E-0050DA8B1AD6} (AnyGuide Control) - http://www.sdsgis.co.kr/web/anyGuide...x/anyGuide.ocx
O16 - DPF: {56F41A0F-59D1-49B1-9C68-8A54EEF76AFD} (YessignIO Control) - http://www.yessign.or.kr/yessignCert/yessignIO.cab
O16 - DPF: {5FDB1043-B796-4216-861E-116DECC932C1} (SlotMachine Control) - http://www25.hompy.buddybuddy.co.kr/...HompyEvent.cab
O16 - DPF: {662B4974-EE36-426D-BD11-E75122E6BE18} (EasyPlugX Control) - http://info.anycert.com/c.wtz?i=96
O16 - DPF: {66B30EA0-C033-4D4B-9F90-EA0AF07363AF} (BugsMediaPlayer Control) - http://so.bugs.co.kr/BugsOggPlay_11.CAB
O16 - DPF: {6AD92401-CE2D-452B-AA63-1291D60EC2D2} (AxINIplugin40 Control) - http://image.shinhan.com/initech/plu...NIplugin40.cab
O16 - DPF: {6FE760D3-7851-4879-8838-62D9881D7177} (IniMasHandler Class) - http://emailimg.sktelecom.com/inimas...iMasPlugin.cab
O16 - DPF: {72ED8878-6E16-4EA1-BDD6-3B21EF676E45} (CVTrace Control) - http://www.seevideo.co.kr/pub/cvideox/trace/cvtrace.cab
O16 - DPF: {77771304-7777-1000-8000-080009AC61A9} (PowerBuilder Window Control) - http://prtsrv.khu.ac.kr/khuweb/PBRun.../PBRuntime.CAB
O16 - DPF: {79E81BD1-2549-4625-8B70-3D55B1DAF971} (File Class) - http://www.pdbox.co.kr/filebox/ctrl_up/FileUtil.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://img.kbstar.com/xecure/xw_install_v5410.cab
O16 - DPF: {85772DF6-C593-4AB6-A231-E87D3459FE00} (myPhotalDownload.ctrlDownLoad) - http://www.realog.net/activex/myPhotalDownload.CAB
O16 - DPF: {85AF9A98-3423-45E4-8BAD-85645F16AC31} (P3 Bugs VoD Loader Class) - http://player.bugs.co.kr/install/mv/p3bvset.cab
O16 - DPF: {8FA141C5-29D7-4408-A57B-619C463ED7BB} (Cychannel_Club1_10.UserControl1) - http://club.cyworld.nate.com/cychann...ubmain1_11.CAB
O16 - DPF: {92D0D610-A6FA-48D8-94CB-BD47FDF68655} (Launcher Class) - http://app.ipop.co.kr/ipop/ipopx.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9/dmcc2.cab
O16 - DPF: {957F8EA8-8F82-4220-AC1D-00B2DC19A98A} (Ibcd_kbsCtrl Class) - http://img.kbs.co.kr/ib/ibcd_kbs.cab
O16 - DPF: {98FBBB0F-9736-4B91-B926-31F4A5EE443C} (btpgClientCM Class) - https://pg.banktown.com/wallet/plugin/ibtpgClientCM.cab
O16 - DPF: {9B3D28D5-6A56-4BE4-9FAB-C79305D5C88D} (myPhotalFileUpload.ctrlUpload) - http://www.realog.net/activex/myPhotalFileUpload.CAB
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/mv/XTools.cab
O16 - DPF: {A1832535-5218-42F9-8959-19E2BCABFABF} (INIwallet50 Control) - http://plugin.inicis.com/wallet50/INIwallet50.cab
O16 - DPF: {A1CCCFF4-0DF9-4FFC-99A3-A37A0F3D8E18} (p3bgset Class) - http://player.bugs.co.kr/install/bugsLoader20040811.cab
O16 - DPF: {A2A4336A-E49E-44E8-B152-E98E841CFA24} (Update Control) - http://www.chzero.com/urimap/urimap_...oMapUpdate.cab
O16 - DPF: {AD435D31-ED5C-4148-9DD8-92211F9DAC34} (RSA Class) - http://pointsok.okcashbag.com/skmpp/SKMPPClient2.cab
O16 - DPF: {AD906BA4-9679-4A50-94C6-D677526BB92A} (CyImageCtl Class) - http://cyimg2.cyworld.nate.com/Image...mageUpload.cab
O16 - DPF: {AE3F74F8-DD6C-4EA3-817F-99CD0F0EF478} (BBLauncher Class) - http://www.buddybuddy.co.kr/cab/bblauncher.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B45E969D-924F-4C83-ACF3-38CDD115AA2C} (MpiPlugin Class) - https://www.isaackorea.net/update/ilkactx.cab
O16 - DPF: {BF22698D-3BED-4CB0-BA3A-64534FBC32B1} (SVWebPlayer Control) - http://www.seevideo.co.kr/pub/seevid...VWebPlayer.cab
O16 - DPF: {C70B3202-68C6-11D4-B317-000086551DF6} (CPS_WEB Class) - http://etax.seoul.go.kr/download_new/ps_xtive.cab
O16 - DPF: {CB817A2F-4C2D-4994-A1B1-36952E9AC181} (MPIPI00 Control) - http://plugin.inicis.com/INImpi/MPIPI00.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {CF362BDB-4EA2-11D5-AB47-000102913414} (SetGlb Control) - http://touch.imbc.com/ocx/SetGlb.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://update.nprotect.net/nprotect/samsungcard/npx.cab
O16 - DPF: {D44C7CBF-FB35-41CF-8D6C-C0A2143EB46C} (Yessign3 Control) - http://www.yessign.or.kr/yessignCert/yessign3.cab
O16 - DPF: {D4BD4AF6-0CEC-4E22-AD44-ECBCE0233620} (P3MaxLoad Class) - http://www.maxmp3.co.kr/use/juke/p2p.../p3maxload.cab
O16 - DPF: {D4DCB587-AC09-4BE1-A13A-CF9F4FB8F168} (MAWS_SUHB Class) - http://samsungcard.com/markany/MAOnFPS_SC.cab
O16 - DPF: {D5722E4F-2BA0-11D6-A114-00D0591CC9BB} (HanaClient Class) - http://www.hanabank.co.kr/portal/webcall/HanaClient.cab
O16 - DPF: {D572CD64-9310-4712-8FFC-A4F9DC9D4AC1} (QbicUpdate Control) - http://qbic.hanafos.com/component/QbicUpdate.CAB
O16 - DPF: {D6D424E5-DE1C-4E91-8B59-00F5D860E3BF} (KillRecord Control) - http://wmpdownload.nefficient.co.kr/...KillRecord.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://update.nprotect.net/keycrypt/...card/npkcx.cab
O16 - DPF: {D8F001C6-43B1-4CFD-9DAF-C8BEAE0E2B6D} (Touch Control) - http://touch.imbc.com/ocx/Online.cab
O16 - DPF: {DA3F9206-FDFF-4079-B5AA-E5361051EB3C} (PDBOXUploadCtrl Control) - http://www.pdbox.co.kr/filebox/ctrl_up/PdBoxUpload.cab
O16 - DPF: {DDB3CA41-B472-4EC4-BE10-90B470D06295} (Nexapi2 Control) - http://www.buddybuddy.co.kr/cab/bbmmgr.cab
O16 - DPF: {DDE6FED7-88AB-405B-9D77-FD4CDA8B9EB5} (Qbic Control) - http://qbic.hanafos.com/component/Qbic.CAB
O16 - DPF: {E5A02FD2-A8EF-4E5B-80C1-CB386F95E049} (BtPmntClient Class) - https://pg.banktown.com/wallet/plugin/BtPmntClient.cab
O16 - DPF: {E831AA9C-C980-4F16-B252-09AAF40D0E9B} (Kdfense9 Control) - http://kings.cachenet.com/kdf9209/kdfense9.cab
O16 - DPF: {E8580BEA-BC7D-40BC-AA2E-E2A44E12CED8} (MCInfoOCX Control) - http://img.megastudy.net/InfoOcx.Cab
O16 - DPF: {E9702169-AFE2-477A-A79D-32151006E547} (IBSiteSigning.SiteSigning) - http://www.sbs.co.kr/new/sp2/SiteSigning.CAB
O16 - DPF: {EA0995BF-45DD-4DB0-ADD5-A39C37397841} (ShbAutoTrustSite Control) - http://image.shinhan.com/bank/etc/Tr...TrustSiteX.cab
O16 - DPF: {ED1EEBEE-F0AA-474B-9829-61C482E72644} (PDBox25 Control) - http://www.pdbox.co.kr/filebox/ctrl_down/PDBox25.cab
O16 - DPF: {F1F07506-6CB4-44AC-8615-66D1234EFD05} (WebCtl Class) - http://image.shinhan.com/initech/plu...ISafeWeb50.cab
O16 - DPF: {F62ECE4D-217F-475A-A8F8-71160342C46B} (GCAXEXT Control) - http://www.rcnt.net/cab/svc/gcaxext.cab
O16 - DPF: {F684B4EA-0F0A-4AE3-9C7B-EEB60DA575F8} (MPICtl Class) - https://mpi.dacom.net/XPayMPI/Xecure...te_XPayMPI.cab
O23 - Service: AhnLab Task Scheduler - AhnLab, Inc. - C:\Program Files\Ahnlab\Smart Update Utility\AhnSDsv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: bfjhwoliaxrj (kjsxlgqo6) - Unknown owner - C:\WINDOWS\system32\bczhrhpy6.exe (file missing)
O23 - Service: MonSvcNT - Ahnlab, Inc. - C:\Program Files\Ahnlab\V3\MonSvcNT.EXE
O23 - Service: Norton AntiVirus 자동 보호 서비스 (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

It would be greatly appreciated if you could help me.

Thanks!

noahdfear · 18th February 2005

Welcome to WindowsBBS shnikes

Scan again with HijackThis and place a check next to the following entries. Close all other windows and click fix.

R3 - URLSearchHook: (no name) - {183D5161-0C62-4295-896C-44E7442CD6F2} - (no file)
O2 - BHO: (no name) - {4EFA6E35-FF87-8457-D2EC-F30A0778F7C5} - C:\WINDOWS\system32\pyqhlor.dll
O4 - HKLM\..\Run: [mlr] C:\Program Files\uvoi\rbkc.exe
O4 - HKLM\..\Run: [czq] C:\Program Files\vzj\hzbxbr.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKCU\..\Run: [Abwp] C:\Documents and Settings\JW\Application Data\tsnc.exe
O4 - HKLM\..\Run: [popuppers64] C:\WINDOWS\a64sddd.exe
O4 - HKCU\..\Run: [Aiign] C:\WINDOWS\system32\nνsvc32.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com

Any of the following you did not set as trusted sites.
O15 - Trusted Zone: http://*.sbs.co.kr
O15 - Trusted Zone: http://*.shinhan.com
O15 - Trusted Zone: http://*.shinhancard.com
O15 - Trusted Zone: http://*.buddybuddy.co.kr (HKLM)
O15 - Trusted Zone: http://www.lgqls.co.kr (HKLM)
ALL 016 entries. Good ones will be re-installed as you need them.
O23 - Service: bfjhwoliaxrj (kjsxlgqo6) - Unknown owner - C:\WINDOWS\system32\bczhrhpy6.exe (file missing)

Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.

Go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and OK. Yes to restart. This will restart your computer in safe mode. Logon to your user account.

Now in safe mode, you will need to show hidden files and folders, as well as system files and extensions for known file types.

Delete all files/folders in bold.
Open C:\Temp if present, select all and delete.
Open C:\Windows\Temp, select all and delete.
Open C:\Windows\Prefetch, select all and delete.
Open C:\Documents and Settings\username\Local Settings\temp, select all and delete. Do this for all usernames.
Open the control panel, then internet options and delete the temporary internet files, checking the box for offline content. Close Internet Options.
Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and click OK.
Uncheck the /safeboot box in msconfig and ok to reboot.

Scan your PC with RAV. If any files are infected, click the report button then copy and paste it here.

Run another HijackThis scan and post the log.

shnikes · 19th February 2005

There was an error on the page so I couldn't report the results from RAV,
but here's the information. I'll scan it again and post it later.

Scan started at 2005-02-18 오후 9:39:34

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\WINDOWS\system32\HyperLinker3.exe - Trojan:Win32/SecondThought.R.dr -> Infected
C:\WINDOWS\system32\drivers\user\keymon.dll - Backdoor:Win32/TDS.SE.30 -> Suspicious

Scanned
============================
Objects: 56450
Directories: 3636
Archives: 1126
Size(Kb): 2050963
Infected files: 1

Found
============================
Viruses found: 1
Suspicious files: 1
Disinfected files: 0
Mail files: 69

This is the new hijackthis log, I've never heard of http://www.lgqls.co.kr
and I checked it last time but it's still there after reboot.

Logfile of HijackThis v1.99.1
Scan saved at 오후 10:29:16, on 2005-02-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ahnlab\Smart Update Utility\AhnSDsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\ATK0100\Hcontrol.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\SAMSUNG\Keydefin\KeyDefin.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\JW\바탕 화면\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: V3 - {9E3849D6-41EF-4B2F-86B7-632EF90758E4} - C:\Program Files\Ahnlab\V3\V3Bar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SAMSUNG Keydefin] C:\Program Files\SAMSUNG\Keydefin\KeyDefin.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [imekrmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMKR\imekrmig.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [joinsland] "C:\Program Files\CoolAgent\avachat-joinsland.exe" -env http://rss.joinsland.com/env.xml
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java 콘솔 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.sbs.co.kr
O15 - Trusted Zone: http://*.shinhan.com
O15 - Trusted Zone: http://*.shinhancard.com
O15 - Trusted Zone: http://*.buddybuddy.co.kr (HKLM)
O15 - Trusted Zone: http://www.lgqls.co.kr (HKLM)
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O23 - Service: AhnLab Task Scheduler - AhnLab, Inc. - C:\Program Files\Ahnlab\Smart Update Utility\AhnSDsv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: bfjhwoliaxrj (kjsxlgqo6) - Unknown owner - C:\WINDOWS\system32\bczhrhpy6.exe (file missing)
O23 - Service: MonSvcNT - Ahnlab, Inc. - C:\Program Files\Ahnlab\V3\MonSvcNT.EXE
O23 - Service: Norton AntiVirus 자동 보호 서비스 (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

noahdfear · 19th February 2005

Delete the HyperLinker3.exe file from C:\Windows\Sysstem32
Fix this entry with HJT.
O23 - Service: bfjhwoliaxrj (kjsxlgqo6) - Unknown owner - C:\WINDOWS\system32\bczhrhpy6.exe (file missing)

Close all IE windows and open Internet options in the control panel. Click the security tab, then highlight Trusted Sites and click the Sites button. Remove the www.lgqls.co.kr entry. Close and reboot. Scan again and let me know if those two entries are still present.

Copy the text in the quote box below to notepad, then save it to the desktop as Export.bat Make sure to change the file type to All files. Now double click it to run. It will open a text file named Drivers.txt. Save it and post the contents.

Quote:

cd "%windir%\system32\drivers\users"
dir /s /a >Drivers.txt
Start notepad Drivers.txt
echo %systemroot%
cls

shnikes · 19th February 2005

Under Trusted Sites the www.lgqls.co.kr entry doesn't exist, there are just three entries instead of four. They are still there after reboot.

Here is the Drivers.txt.
C 드라이브의 볼륨에는 이름이 없습니다.
볼륨 일련 번호: F897-471A

C:\Documents and Settings\JW\바탕 화면 디렉터리

2005-02-19 오전 08:48 <DIR> .
2005-02-19 오전 08:48 <DIR> ..
2005-02-19 오전 08:49 0 Drivers.txt
2005-02-19 오전 08:48 113 Export.bat
2005-02-19 오전 08:40 4,099 for me.txt
2005-02-16 오전 11:06 218,112 HijackThis.exe
2005-02-19 오전 08:48 <DIR> new
2005-02-10 오후 04:17 65,024 Thumbs.db
2004-12-11 오후 04:21 592 ?　.lnk
2005-02-17 오후 11:45 776 　.lnk
2005-02-18 오전 01:28 2,307 　　　.lnk
2005-02-16 오후 11:43 638 　　　　.lnk
2005-02-17 오후 11:45 <DIR> 사용하지 않는 바탕 화면 바로 가기
9개 파일 291,661 바이트

C:\Documents and Settings\JW\바탕 화면\new 디렉터리

2005-02-19 오전 08:48 <DIR> .
2005-02-19 오전 08:48 <DIR> ..
2005-02-16 오전 01:03 90,545 16294609.jpg
2005-02-02 오전 08:56 5,662 al.txt
2005-02-18 오전 12:51 1,216 dothis.txt
2005-02-18 오전 12:57 38,911 dothis2.txt
2005-02-18 오전 12:45 38 erase.txt
2005-02-18 오전 02:25 503,919 error.jpg
2005-02-15 오후 02:37 49,664 February 13.doc
2005-02-19 오전 08:29 4,059 for me.txt
2005-02-19 오전 08:34 5,988 hijackthis.log
2005-02-18 오후 02:51 1,843 my situation.txt
2005-01-16 오후 04:08 819 order.txt
2005-02-18 오후 02:22 1,204 popuppers.txt
2005-02-18 오후 02:59 23,989 popuppersremove.txt
2005-02-17 오전 01:04 134 port.txt
2005-02-18 오전 01:29 71,168 Printable Version of Topic.doc
2005-02-09 오후 10:37 113,436 pyramid.jpg
2005-01-16 오후 04:12 1,372 rock countdown.txt
2005-02-19 오전 08:48 18,944 Thumbs.db
2005-02-14 오후 11:29 159 uconn ice cream flavor.txt
2005-02-18 오후 02:47 2,208 viewremove.txt
20개 파일 935,278 바이트

C:\Documents and Settings\JW\바탕 화면\사용하지 않는 바탕 화면 바로 가기 디렉터리

2005-02-17 오후 11:45 <DIR> .
2005-02-17 오후 11:45 <DIR> ..
2004-06-17 오전 12:59 882 Acrobat Reader 5.0.lnk
2004-12-24 오후 12:47 1,740 Adobe Reader 6.0.lnk
2004-09-21 오후 04:46 685 DAEMON Tools.lnk
2004-10-23 오후 08:18 2,105 Hangul 2002.lnk
2004-09-13 오후 04:35 713 HP Deskjet 3840 Series 사용 설명서.lnk
2004-09-13 오후 04:35 828 HP 사진 인쇄.lnk
2004-06-17 오전 12:59 1,684 Java Web Start.lnk
2004-10-31 오전 09:42 <DIR> Microsoft Outlook.{00020D75-0000-0000-C000-000000000046}
2004-11-19 오후 02:49 1,766 NBA LIVE 2005.lnk
2004-06-17 오전 01:08 1,684 PowerDVD.lnk
2004-09-12 오후 05:30 803 RealPlayer.lnk
2005-01-08 오후 01:23 679 SBC Yahoo! DSL.lnk
2004-06-17 오전 01:00 1,680 매직인터넷 자이젠.lnk
2005-02-17 오후 01:03 814 조인스랜드 뉴스알리미.lnk
13개 파일 16,063 바이트

C:\Documents and Settings\JW\바탕 화면\사용하지 않는 바탕 화면 바로 가기\Microsoft Outlook.{00020D75-0000-0000-C000-000000000046} 디렉터리

2004-10-31 오전 09:42 <DIR> .
2004-10-31 오전 09:42 <DIR> ..
0개 파일 0 바이트

전체 파일:
42개 파일 1,243,002 바이트
11개 디렉터리 2,898,051,072 바이트 남음

This is the new RAV scan report.

Scan started at 2005-02-19 오전 9:06:35

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\WINDOWS\system32\drivers\user\keymon.dll - Backdoor:Win32/TDS.SE.30 -> Suspicious

Scanned
============================
Objects: 57617
Directories: 3627
Archives: 1110
Size(Kb): 1796345
Infected files: 0

Found
============================
Viruses found: 0
Suspicious files: 1
Disinfected files: 0
Mail files: 70

noahdfear · 19th February 2005

That didn't come out right. Right click the bat file and choose edit. Remove \user so that it says;

cd "%windir%\system32\drivers"
dir /s /a >Drivers.txt
Start notepad Drivers.txt
echo %systemroot%
cls

Save the changes and exit. Run it again.

shnikes · 19th February 2005

I did as you told and did a new scan, here it is.

C 드라이브의 볼륨에는 이름이 없습니다.
볼륨 일련 번호: F897-471A

C:\WINDOWS\system32\drivers 디렉터리

2005-02-19 오후 04:01 <DIR> .
2005-02-19 오후 04:01 <DIR> ..
2004-08-04 오전 01:10 53,248 1394bus.sys
2004-08-04 오전 02:36 186,240 acpi.sys
2003-04-09 오전 07:00 11,648 acpiec.sys
2004-08-04 오전 02:53 4,255 adv01nt5.dll
2004-08-04 오전 02:53 3,967 adv02nt5.dll
2004-08-04 오전 02:53 3,615 adv05nt5.dll
2004-08-04 오전 02:53 3,647 adv07nt5.dll
2004-08-04 오전 02:53 3,135 adv08nt5.dll
2004-08-04 오전 02:53 3,711 adv09nt5.dll
2004-08-04 오전 02:53 3,775 adv11nt5.dll
2004-08-04 오전 12:39 142,464 aec.sys
2004-08-04 오전 01:14 138,496 afd.sys
2004-08-04 오전 01:07 42,368 agp440.sys
2004-08-04 오전 01:07 44,928 agpcpq.sys
2003-06-10 오전 06:37 1,164,576 AGRSM.sys
2004-08-18 오후 02:21 43,904 ahnflt2k.sys
2004-08-18 오후 02:22 45,320 ahnfltnt.sys
2003-02-28 오전 10:11 13,568 ahnrec2k.sys
2003-02-28 오전 10:12 13,480 ahnrecnt.sys
2004-08-04 오전 01:07 42,752 alim1541.sys
2004-08-04 오전 01:07 43,008 amdagp.sys
2004-08-04 오전 02:36 40,064 amdk6.sys
2004-08-04 오전 02:36 40,448 amdk7.sys
2004-08-04 오전 12:58 60,800 arp1394.sys
2004-08-04 오전 01:05 14,336 asyncmac.sys
2004-08-04 오전 12:59 95,360 atapi.sys
2004-08-04 오전 12:29 56,623 ati1btxx.sys
2004-08-04 오전 12:29 11,615 ati1mdxx.sys
2004-08-04 오전 12:29 12,047 ati1pdxx.sys
2004-08-04 오전 12:29 30,671 ati1raxx.sys
2004-08-04 오전 12:29 63,663 ati1rvxx.sys
2004-08-04 오전 12:29 26,367 ati1snxx.sys
2004-08-04 오전 12:29 21,343 ati1ttxx.sys
2004-08-04 오전 12:29 36,463 ati1tuxx.sys
2004-08-04 오전 12:29 29,455 ati1xbxx.sys
2004-08-04 오전 12:29 34,735 ati1xsxx.sys
2004-08-04 오전 12:29 327,040 ati2mtaa.sys
2003-06-10 오전 06:37 631,936 ati2mtag.sys
2004-08-04 오전 12:29 57,856 atinbtxx.sys
2004-08-04 오전 12:29 13,824 atinmdxx.sys
2004-08-04 오전 12:29 14,336 atinpdxx.sys
2004-08-04 오전 12:29 52,224 atinraxx.sys
2004-08-04 오전 12:29 104,960 atinrvxx.sys
2004-08-04 오전 12:29 28,672 atinsnxx.sys
2004-08-04 오전 12:29 13,824 atinttxx.sys
2004-08-04 오전 12:29 73,216 atintuxx.sys
2004-08-04 오전 12:29 31,744 atinxbxx.sys
2004-08-04 오전 12:29 63,488 atinxsxx.sys
2004-07-17 오후 01:36 64,352 ativmc20.cod
2003-09-08 오전 02:02 5,786 ATKACPI.sys
2004-08-04 오전 12:58 59,904 atmarpc.sys
2003-04-09 오전 07:00 31,360 atmepvc.sys
2004-08-04 오전 12:58 55,936 atmlane.sys
2003-04-09 오전 07:00 352,256 atmuni.sys
2004-08-04 오전 02:53 21,183 atv01nt5.dll
2004-08-04 오전 02:53 11,359 atv02nt5.dll
2004-08-04 오전 02:53 25,471 atv04nt5.dll
2004-08-04 오전 02:53 14,143 atv06nt5.dll
2004-08-04 오전 02:53 17,279 atv10nt5.dll
2001-08-16 오후 11:59 3,072 audstub.sys
2001-08-27 오전 01:04 16,128 battc.sys
2004-08-04 오전 01:10 11,776 bdasup.sys
2003-04-09 오전 07:00 4,224 beep.sys
2004-08-04 오전 12:59 71,552 bridge.sys
2004-08-04 오전 01:10 17,024 bthenum.sys
2004-08-04 오전 01:10 38,016 bthmodem.sys
2004-08-04 오전 12:58 100,992 bthpan.sys
2004-08-04 오전 02:39 272,512 bthport.sys
2004-08-04 오전 01:10 35,456 bthprint.sys
2004-08-04 오전 01:10 18,944 bthusb.sys
2003-04-09 오전 07:00 13,952 cbidf2k.sys
2004-08-04 오전 01:10 17,024 ccdecode.sys
2003-04-09 오전 07:00 18,688 cdaudio.sys
2004-08-04 오전 01:14 63,744 cdfs.sys
2004-08-04 오전 12:59 49,536 cdrom.sys
2005-01-01 오전 07:27 7,604 CDSpace.cfg
2004-08-04 오전 02:53 15,423 ch7xxnt5.dll
2003-04-09 오전 07:00 262,528 cinemst2.sys
2004-08-04 오전 01:14 49,664 classpnp.sys
2004-08-04 오전 01:07 14,080 cmbatt.sys
2001-08-16 오후 11:58 9,344 compbatt.sys
2003-04-09 오전 07:00 11,776 cpqdap01.sys
2004-08-04 오전 02:42 39,552 crusoe.sys
2004-07-18 오전 12:55 129,045 cxthsfs2.cty
2004-08-22 오후 03:31 155,136 d347bus.sys
2004-08-22 오후 03:31 5,248 d347prt.sys
2005-02-16 오후 07:52 7,359 dgtsys.sys
2004-06-17 오전 09:15 <DIR> disdn
2004-08-04 오전 12:59 36,352 disk.sys
2004-08-04 오전 12:59 14,208 diskdump.sys
2004-08-04 오전 02:44 799,488 dmboot.sys
2004-08-04 오전 02:44 152,448 dmio.sys
2003-04-09 오전 07:00 5,888 dmload.sys
2004-08-04 오전 01:07 52,864 dmusic.sys
2005-02-19 오후 04:01 0 Drivers.txt
2004-08-04 오전 01:07 60,288 drmk.sys
2004-08-04 오전 01:07 2,944 drmkaud.sys
2003-04-09 오전 07:00 10,496 dxapi.sys
2004-08-04 오전 01:00 71,040 dxg.sys
2003-04-09 오전 07:00 3,328 dxgthk.sys
2001-08-16 오후 11:46 6,400 enum1394.sys
2005-02-17 오후 11:56 <DIR> etc
2004-08-04 오전 01:14 143,360 fastfat.sys
2004-08-04 오전 12:59 27,392 fdc.sys
2003-04-09 오전 07:00 34,944 fips.sys
2004-08-04 오전 12:59 20,480 flpydisk.sys
2004-08-04 오전 01:01 124,800 fltmgr.sys
2003-04-09 오전 07:00 12,160 fsvga.sys
2003-04-09 오전 07:00 7,936 fs_rec.sys
2003-04-09 오전 07:00 125,056 ftdisk.sys
2004-08-04 오전 01:07 46,464 gagp30kx.sys
2003-04-09 오전 07:00 3,440,660 gm.dls
2003-04-09 오전 07:00 646 gmreadme.txt
2002-11-17 오후 06:20 30,976 gv3.sys
2004-08-04 오전 02:39 25,344 hidbth.sys
2004-08-04 오전 01:08 36,224 hidclass.sys
2004-08-04 오전 01:08 15,104 hidir.sys
2004-08-04 오전 01:08 24,960 hidparse.sys
2004-08-04 오전 12:41 220,032 hsfbs2s2.sys
2004-08-04 오전 12:41 685,056 hsfcxts2.sys
2004-08-04 오전 12:41 1,041,536 hsfdpsp2.sys
2004-08-04 오전 01:00 263,040 http.sys
2004-08-04 오전 02:40 49,152 i8042prt.sys
2004-03-29 오후 05:28 14,531 Ifp1000.sys
2004-03-29 오후 05:28 14,531 ifp300.sys
2004-03-29 오후 05:28 14,531 Ifp500.sys
2004-03-29 오후 05:28 14,531 Ifp700.sys
2004-03-29 오후 05:28 14,531 Ifp800.sys
2004-03-29 오후 05:28 14,531 Ifp900.sys
2004-03-29 오후 05:28 14,531 ifpusb.sys
2003-03-29 오후 03:45 89,184 imagedrv.sys
2004-08-04 오전 01:00 41,856 imapi.sys
2004-08-04 오전 02:42 5,504 intelide.sys
2004-08-04 오전 02:42 39,168 intelppm.sys
2004-08-04 오전 01:00 29,056 ip6fw.sys
2003-04-09 오전 07:00 32,896 ipfltdrv.sys
2004-08-04 오전 01:04 20,992 ipinip.sys
2004-09-29 오후 05:28 134,912 ipnat.sys
2004-08-04 오전 01:14 74,752 ipsec.sys
2003-07-14 오후 02:30 95,884 ipvnmon.sys
2004-08-04 오전 01:08 40,832 irbus.sys
2004-08-04 오전 01:00 11,264 irenum.sys
2001-08-27 오전 01:04 35,840 isapnp.sys
2001-08-17 오전 12:55 6,144 kbd101a.dll
2004-08-04 오전 02:44 23,808 kbdclass.sys
2001-08-17 오전 08:36 8,192 kbdkor.dll
2004-08-04 오전 01:07 171,776 kmixer.sys
2004-08-04 오전 01:15 140,928 ks.sys
2004-08-04 오전 12:59 92,032 ksecdd.sys
2001-12-10 오후 11:21 20,551 LIKECDN2.sys
2003-07-09 오후 03:22 20,780 MagerKey.sys
2003-04-09 오전 07:00 7,680 mcd.sys
2004-04-13 오후 07:20 15,781 mdc8021x.sys
2004-08-04 오전 12:41 11,868 mdmxsdk.sys
2004-08-04 오전 01:07 63,744 mf.sys
2003-04-09 오전 07:00 4,224 mnmdd.sys
2004-08-04 오전 02:36 29,824 modem.sys
2004-08-04 오전 02:37 22,272 mouclass.sys
2004-08-04 오전 12:58 42,240 mountmgr.sys
2004-08-04 오전 01:10 15,360 mpe.sys
2004-08-04 오전 12:58 72,960 mqac.sys
2004-08-04 오전 01:00 181,248 mrxdav.sys
2005-01-18 오후 11:26 451,584 mrxsmb.sys
2004-08-04 오전 01:09 51,328 msdv.sys
2004-08-04 오전 01:00 19,072 msfs.sys
2004-08-04 오전 01:04 35,072 msgpc.sys
2004-08-04 오전 12:58 7,552 mskssrv.sys
2004-08-04 오전 12:58 5,376 mspclock.sys
2004-08-04 오전 12:58 4,992 mspqm.sys
2003-07-14 오후 02:30 158,496 msscript.ocx
2004-08-04 오전 01:07 15,488 mssmbios.sys
2004-08-04 오전 12:58 5,504 mstee.sys
2004-08-04 오전 12:41 126,686 mtlmnt5.sys
2004-08-04 오전 12:41 1,309,184 mtlstrm.sys
2004-08-04 오전 12:29 452,736 mtxparhm.sys
2004-08-04 오전 01:15 107,904 mup.sys
2004-08-04 오전 01:04 12,672 mutohpen.sys
2004-03-29 오후 05:28 14,531 N10.SYS
2004-08-04 오전 01:10 85,376 nabtsfec.sys
2001-12-08 오전 01:00 183,872 NAVAP.SYS
2004-08-04 오전 01:14 182,912 ndis.sys
2004-08-04 오전 01:10 10,880 ndisip.sys
2003-04-09 오전 07:00 9,600 ndistapi.sys
2004-08-04 오전 01:03 12,928 ndisuio.sys
2004-08-04 오전 01:14 91,776 ndiswan.sys
2003-04-09 오전 07:00 38,016 ndproxy.sys
2004-08-04 오전 01:03 34,560 netbios.sys
2004-08-04 오전 01:14 162,816 netbt.sys
2004-06-27 오전 02:55 22,912 NetkFlt.sys
2002-04-15 오후 08:11 67,866 netwlan5.img
2004-08-04 오전 12:58 61,824 nic1394.sys
2003-04-09 오전 07:00 12,032 nikedrv.sys
2004-08-04 오전 12:59 40,320 nmnt.sys
2004-08-04 오전 01:00 30,848 npfs.sys
2004-08-04 오전 01:15 574,592 ntfs.sys
2004-08-04 오전 12:41 180,360 ntmtlfax.sys
2003-04-09 오전 07:00 2,944 null.sys
2004-08-04 오전 12:29 1,897,408 nv4_mini.sys
2003-04-09 오전 07:00 12,416 nwlnkflt.sys
2003-04-09 오전 07:00 32,512 nwlnkfwd.sys
2004-08-04 오전 01:03 88,448 nwlnkipx.sys
2003-04-09 오전 07:00 63,232 nwlnknb.sys
2003-04-09 오전 07:00 55,936 nwlnkspx.sys
2004-08-04 오전 01:02 163,584 nwrdr.sys
2004-08-04 오전 01:10 61,056 ohci1394.sys
2003-04-09 오전 07:00 3,456 oprghdlr.sys
2004-08-04 오전 02:36 45,568 p3.sys
2004-08-04 오전 02:36 79,488 parport.sys
2003-04-09 오전 07:00 18,688 partmgr.sys
2003-04-09 오전 07:00 6,784 parvdm.sys
2004-08-04 오전 02:36 66,688 pci.sys
2001-08-27 오전 01:19 3,328 pciide.sys
2004-08-04 오전 12:59 25,088 pciidex.sys
2004-08-04 오전 02:36 119,168 pcmcia.sys
2004-08-04 오전 01:15 145,792 portcls.sys
2004-08-04 오전 02:38 38,400 processr.sys
2004-08-04 오전 01:04 69,120 psched.sys
2003-04-09 오전 07:00 17,792 ptilink.sys
2003-10-28 오전 05:02 20,016 pxhelp20.sys
2002-06-12 오후 09:37 45,568 R8139n51.sys
2003-04-09 오전 07:00 8,832 rasacd.sys
2004-08-04 오전 01:14 51,328 rasl2tp.sys
2004-08-04 오전 01:05 41,472 raspppoe.sys
2004-08-04 오전 01:14 48,384 raspptp.sys
2003-04-09 오전 07:00 16,512 raspti.sys
2003-04-09 오전 07:00 34,432 rawwan.sys
2004-10-27 오후 08:13 174,592 rdbss.sys
2003-04-09 오전 07:00 4,224 rdpcdd.sys
2004-08-04 오전 01:01 196,864 rdpdr.sys
2004-08-04 오전 02:54 139,400 rdpwd.sys
2004-08-04 오전 12:41 13,776 recagent.sys
2004-08-04 오전 02:39 55,552 redbook.sys
2004-08-04 오전 01:10 59,648 rfcomm.sys
2003-04-09 오전 07:00 12,032 rio8drv.sys
2003-04-09 오전 07:00 12,032 riodrv.sys
2003-04-09 오전 07:00 200,064 RMCast.sys
2002-12-24 오전 05:52 59,520 Rmedia.sys
2004-08-04 오전 01:04 30,080 rndismp.sys
2004-08-04 오전 01:04 30,080 rndismpx.sys
2003-04-09 오전 07:00 5,888 rootmdm.sys
2004-08-04 오전 12:31 20,992 rtl8139.sys
2004-08-04 오전 12:29 166,912 s3gnbm.sys
2004-08-04 오전 12:59 96,256 scsiport.sys
2005-02-14 오전 11:38 7,168 scsk4.sys
2005-02-14 오전 11:38 19,760 scskusbf.sys
2005-02-14 오전 11:38 84,556 scskusbs.sys
2004-08-04 오전 01:07 67,584 sdbus.sys
2004-10-15 오후 10:29 12,400 secdrv.sys
2003-07-09 오후 03:22 21,990 SecurKey.sys
2004-08-04 오전 12:59 15,488 serenum.sys
2004-08-04 오전 02:41 61,568 serial.sys
2004-08-04 오전 12:59 11,136 sffdisk.sys
2004-08-04 오전 12:59 10,240 sffp_sd.sys
2004-08-04 오전 12:59 11,392 sfloppy.sys
2004-08-04 오전 02:53 3,901 siint5.dll
2004-08-04 오전 01:07 41,088 sisagp.sys
2004-08-04 오전 01:10 11,136 slip.sys
2004-08-04 오전 12:41 129,535 slnt7554.sys
2004-08-04 오전 12:41 404,990 slntamr.sys
2004-08-04 오전 12:41 95,424 slnthal.sys
2004-08-04 오전 12:41 13,240 slwdmsup.sys
2004-08-04 오전 01:07 6,016 smbali.sys
2003-04-09 오전 07:00 14,592 smclib.sys
2004-08-04 오전 01:09 25,472 sonydcam.sys
2004-08-04 오전 01:07 6,400 splitter.sys
2004-08-04 오전 02:39 73,344 sr.sys
2004-08-04 오전 01:14 336,256 srv.sys
2003-05-16 오전 08:16 220,048 STAC97.sys
2004-08-04 오전 01:08 48,640 stream.sys
2004-08-04 오전 01:10 15,360 streamip.sys
2004-08-04 오전 12:58 4,352 swenum.sys
2001-08-17 오전 12:00 54,272 swmidi.sys
2005-01-21 오후 10:31 11,544 symdns.sys
2002-03-06 오후 07:25 58,224 SYMEVENT.SYS
2005-01-21 오후 10:31 172,216 symfw.sys
2005-01-21 오후 10:31 35,000 symids.sys
2004-06-29 오전 02:13 170,208 SymIDSCo.sys
2005-01-21 오후 10:31 46,808 symndis.sys
2005-01-21 오후 09:31 20 SymRedir.cat
2005-01-21 오후 09:31 1,133 SymRedir.inf
2005-01-21 오후 10:31 26,424 symredrv.sys
2005-01-21 오후 10:31 267,384 symtdi.sys
2003-06-16 오후 08:40 264,528 SynTP.sys
2004-08-04 오전 01:15 60,800 sysaudio.sys
2004-08-04 오전 12:59 14,976 tape.sys
2004-08-04 오전 01:14 359,040 tcpip.sys
2004-08-04 오전 01:07 223,616 tcpip6.sys
2004-08-04 오전 01:07 18,560 tdi.sys
2004-08-04 오전 02:54 12,040 tdpipe.sys
2004-08-04 오전 02:54 21,896 tdtcp.sys
2004-08-04 오전 02:54 40,840 termdd.sys
2003-04-09 오전 07:00 51,712 tosdvd.sys
2003-04-09 오전 07:00 21,376 tsbvcap.sys
2004-08-04 오전 01:03 12,416 tunmp.sys
2004-08-04 오전 01:07 44,672 uagp35.sys
2004-08-04 오전 01:00 66,176 udfs.sys
2004-08-04 오전 12:58 209,408 update.sys
2004-08-04 오전 01:04 12,672 usb8023.sys
2004-08-04 오전 01:04 12,672 usb8023x.sys
2003-04-09 오전 07:00 23,808 usbcamd.sys
2003-04-09 오전 07:00 23,936 usbcamd2.sys
2003-04-09 오전 07:00 4,736 usbd.sys
2004-08-04 오전 01:08 26,624 usbehci.sys
2004-08-04 오전 01:08 57,600 usbhub.sys
2004-08-04 오전 01:08 16,000 usbintel.sys
2004-08-04 오전 01:08 142,976 usbport.sys
2004-08-04 오전 01:01 25,856 usbprint.sys
2004-08-04 오전 01:08 26,496 usbstor.sys
2004-08-04 오전 01:08 20,480 usbuhci.sys
2004-08-04 오전 01:10 78,464 usbvideo.sys
2004-09-09 오전 09:19 <DIR> user
2005-01-03 오후 12:40 1,006,189 v3engine.sys
2004-08-04 오전 02:53 11,325 vchnt5.dll
2003-04-09 오전 07:00 58,112 vdmindvd.sys
2004-08-04 오전 01:07 20,992 vga.sys
2004-08-04 오전 01:07 42,240 viaagp.sys
2004-08-04 오전 01:07 79,744 videoprt.sys
2004-08-04 오전 02:43 50,048 volsnap.sys
2004-11-15 오후 03:41 30,336 VSHOOK.sys
2003-03-15 오후 11:55 2,390,528 w70n51.sys
2004-08-04 오전 01:04 13,568 wacompen.sys
2004-08-04 오전 12:29 11,807 wadv07nt.sys
2004-08-04 오전 12:29 11,295 wadv08nt.sys
2004-08-04 오전 12:29 11,871 wadv09nt.sys
2004-08-04 오전 12:29 11,935 wadv11nt.sys
2004-08-04 오전 01:04 34,560 wanarp.sys
2004-08-04 오전 12:29 22,271 watv06nt.sys
2004-08-04 오전 12:29 25,471 watv10nt.sys
2004-08-04 오전 01:15 82,944 wdmaud.sys
2003-04-09 오전 07:00 4,352 wmilib.sys
2003-04-09 오전 07:00 12,032 ws2ifsl.sys
2004-08-04 오전 01:10 19,328 wstcodec.sys
2004-09-29 오후 01:47 6,646 xprtect.sys
2001-12-10 오후 08:46 3,524 XSpaceWG.sys
331개 파일 33,028,800 바이트

C:\WINDOWS\system32\drivers\disdn 디렉터리

2004-06-17 오전 09:15 <DIR> .
2004-06-17 오전 09:15 <DIR> ..
0개 파일 0 바이트

C:\WINDOWS\system32\drivers\etc 디렉터리

2005-02-17 오후 11:56 <DIR> .
2005-02-17 오후 11:56 <DIR> ..
2005-02-17 오후 11:56 734 hosts
2005-02-17 오전 12:33 734 hosts.bho
2005-02-19 오후 02:17 442 hosts.ics
2003-04-09 오전 07:00 3,683 lmhosts.sam
2003-04-09 오전 07:00 407 networks
2003-04-09 오전 07:00 799 protocol
2003-04-09 오전 07:00 7,116 services
7개 파일 13,915 바이트

C:\WINDOWS\system32\drivers\user 디렉터리

2004-09-09 오전 09:19 <DIR> .
2004-09-09 오전 09:19 <DIR> ..
2004-09-09 오전 09:19 313,856 bms.dll
2004-08-26 오후 02:12 6,436 dic.db
2004-08-14 오후 10:34 304,128 keybox.exe
2004-08-18 오전 10:56 1,796 keydic3.db
2004-08-14 오후 10:34 13,312 keymon.dll
2004-09-09 오전 09:19 129,536 keyservice.exe
2004-09-09 오전 09:19 256 keyword.idx
2004-09-09 오전 09:19 140,800 mygaurd.exe
2004-09-08 오후 09:39 686 search.db
9개 파일 910,806 바이트

전체 파일:
347개 파일 33,953,521 바이트
11개 디렉터리 2,699,251,712 바이트 남음

noahdfear · 19th February 2005

Open C:\Windows\System32\drivers and delete the folder named user.
Empty the recycle bin.

Download this zip file and extract to it's own folder. Open the folder, close all IE windows and double click the RemoveDomains.reg Allow it to merge to the registry, then run the ResetDomains.reg allowing it to merge. **This will remove ALL sites from the trusted zone.

Reboot and post a new HJT log.

Scan again with RAV.

shnikes · 19th February 2005

Should I rename the file to .zip?
because it's a php file...and I don't know what you mean by "its own folder."

noahdfear · 19th February 2005

Hmmmm

I've attached another to this post. Right click after downloading and select extract. Click OK on the following prompts and you will end up with a folder the same name, with the files inside.

shnikes · 19th February 2005

Here's the new hijackthis log
Logfile of HijackThis v1.99.1
Scan saved at 오후 4:59:20, on 2005-02-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ahnlab\Smart Update Utility\AhnSDsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\ATK0100\Hcontrol.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\SAMSUNG\Keydefin\KeyDefin.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\JW\바탕 화면\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: V3 - {9E3849D6-41EF-4B2F-86B7-632EF90758E4} - C:\Program Files\Ahnlab\V3\V3Bar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SAMSUNG Keydefin] C:\Program Files\SAMSUNG\Keydefin\KeyDefin.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [imekrmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMKR\imekrmig.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [joinsland] "C:\Program Files\CoolAgent\avachat-joinsland.exe" -env http://rss.joinsland.com/env.xml
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java 콘솔 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {AD906BA4-9679-4A50-94C6-D677526BB92A} (CyImageCtl Class) - http://cyimg2.cyworld.nate.com/Image...mageUpload.cab
O16 - DPF: {ED1EEBEE-F0AA-474B-9829-61C482E72644} (PDBox28 Control) - http://www.pdbox.co.kr/filebox/ctrl_down/PDBox25.cab
O23 - Service: AhnLab Task Scheduler - AhnLab, Inc. - C:\Program Files\Ahnlab\Smart Update Utility\AhnSDsv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: bfjhwoliaxrj (kjsxlgqo6) - Unknown owner - C:\WINDOWS\system32\bczhrhpy6.exe (file missing)
O23 - Service: MonSvcNT - Ahnlab, Inc. - C:\Program Files\Ahnlab\V3\MonSvcNT.EXE
O23 - Service: Norton AntiVirus 자동 보호 서비스 (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

This is the RAV info..

Scan started at 2005-02-19 오후 5:01:17

Scanning memory...
Scanning boot sectors...
Scanning files...

Scanned
============================
Objects: 53857
Directories: 3636
Archives: 1112
Size(Kb): -1923868
Infected files: 0

Found
============================
Viruses found: 0
Suspicious files: 0
Disinfected files: 0
Mail files: 66

noahdfear · 20th February 2005

Only problem I see now is the lingering 023 service.
Download "Registry Search Tool" (RegSrch.vbs) from here
http://www.billsway.com/vbspage/
start it and paste in bfjhwoliaxrj, wait, hit ok. Then when wordpad opens, copy that back here please. (If you're comfortable with regedit, you could just delete the corresponding entries/keys found.)

Go ahead and re-enable system restore and create a manual restore point.

Also recommend you open Spybot and click mode on the toolbar, then advanced mode. Click immunize in the left pane, then immunize again, this time from above with the green + beside it. Click the link below that for SpywareBlaster, download, install, enable all protection and update. Check for updates regularly. Then, still in Spybot, click tools button, then IE tweaks and at least lock the HOSTS file.
Then download and install IESpyad.

That will give you some added layers of protection against unwanted parasites.

shnikes · 21st February 2005

When I hit enter on the search program, I just kept getting runtime errors.
So I wasn't able to erase the registry...
Is this a big problem and can it be solved?

noahdfear · 21st February 2005

It may be that your Norton Script Blocking service may be preventing the script from running. Disconnect from the internet and click start>run, then type services.msc and hit enter. Locate ScriptBlocking Service and right click>stop. Then try running the script. Restart the service when done.

shnikes · 22nd February 2005

it still won't work...Norton didn't let it run at first, but I turned that off..
I did as you told me but I guess something else needs to be done?