
Pop-up www.jcwz.net [HJT log]

Discussion in 'Malware and Virus Removal Archive' started by shnikes, 2005/11/05.

  1. 2005/11/05
    shnikes

    shnikes Inactive Thread Starter

    Joined:
    2005/02/18
    Messages:
    42
    Likes Received:
    0
    Pop-up www.jcwz.net

    I was reading a post and there was a link to this Chinese website. Before I clicked on the link I didn't know it was in Chinese, which I don't understand, but oh well.

    So after I viewed the website, my computer caught a Trojan virus, which mysteriously installed a program called s.exe on my computer, but I think this virus was taken care of.

    I went back to surfing the web when suddenly the explorer windows were shut down and a new window popped up to the page www.jcwz.net. Also, while I'm viewing a page, I keep getting redirected suddenly to www.jcwz.net, which is very annoying.

    I checked my computer with ad-aware and microsoft antispyware but neither one would detect anything. I searched for registry with the search name jcwz, and 3 results showed, but I erased just one of them with the name jcwz since I wasn't sure if 2 others were important or not.

    Please help me get rid of this annoyance. Thanks in advance.

    Also, other pop ups keep showing up, http://www.winfixer.com/pages/scanner/index.php?aid=vm_sv_wfx5h_5&p=6&ed=2&ex=1&ax=2
    http://202.67.220.230/alert/?aid=vm_sv_sc2waskw_2&ax=1&ex=1&lid=shield+ad
    and winviruspro.com or something like that.

    help me!!
     
    Last edited: 2005/11/05
  2. 2005/11/06
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Download Hijackthis through Quicklinks in my signature, save it to a folder on your drive, say C:\HJT, not to the Desktop or a temporary location as backup files are created when HJT is run. Run HJT and post the log here.
     


  4. 2005/11/06
    shnikes

    shnikes Inactive Thread Starter

    Joined:
    2005/02/18
    Messages:
    42
    Likes Received:
    0
    hello

    here is the log


    Logfile of HijackThis v1.99.1
    Scan saved at 오후 9:33:58, on 2005-11-06
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchsot.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\ATK0100\Hcontrol.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\SAMSUNG\Keydefin\KeyDefin.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\ATK0100\ATKOSD.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Ahnlab\Smart Update Utility\AhnSDsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\fscagent.exe
    C:\Program Files\GRETECH\PING\PingMain.exe
    C:\WINDOWS\system32\drwtsn32.exe
    C:\WINDOWS\system32\drwtsn32.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\eMule\eMule.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\PdBoxUpload.exe
    C:\Program Files\Winamp\Winamp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Hijackthis\HijackThis.exe

    F3 - REG:win.ini: load=C:\WINDOWS\system32\svchsot.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\system32\byxur.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: V3 - {9E3849D6-41EF-4B2F-86B7-632EF90758E4} - C:\Program Files\Ahnlab\V3\V3Bar.dll
    O3 - Toolbar: 올인올 통합사전 - {DD9C9488-0B2F-435A-8E94-359CED492F64} - C:\Program Files\YBM\AllinAll\ToolBar.dll
    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [SAMSUNG Keydefin] C:\Program Files\SAMSUNG\Keydefin\KeyDefin.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [imekrmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMKR\imekrmig.exe
    O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe "
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe "
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKLM\..\Run: [ClubBox] "C:\WINDOWS\system32\clubbox.exe" -l
    O4 - HKLM\..\Run: [KIWI] C:\WINDOWS\system32\ntctl.exe
    O4 - HKLM\..\Run: [Shell API32] svcnet.exe
    O4 - HKLM\..\Run: [Samsung Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\smstsb10.exe
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [X-Ray Keyword Service] C:\WINDOWS\XRayWatcher.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RavUpter] C:\WINDOWS\system32\ravsetoie.exe
    O4 - HKLM\..\Run: [rundll32] C:\WINDOWS\system32\SHELLEXT\svchs0t.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [joinsland] "C:\Program Files\CoolAgent\avachat-joinsland.exe" -env http://rss.joinsland.com/env.xml
    O4 - HKCU\..\Run: [Shell API32] svcnet.exe
    O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java 콘솔 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.shinhan.com
    O15 - Trusted Zone: http://*.shinhancard.com
    O15 - Trusted Zone: *.unitel.co.kr
    O15 - Trusted Zone: http://*.buddybuddy.co.kr (HKLM)
    O15 - Trusted Zone: http://www.khu.ac.kr (HKLM)
    O15 - Trusted Zone: http://www.lgqls.co.kr (HKLM)
    O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
    O16 - DPF: {317642DD-AF52-11D4-BC2A-0050DA8AEE6F} (FileMng Control) - http://mail.epis.ewha.ac.kr:8884/local/cabs/FileWiz.cab
    O16 - DPF: {5DAEF053-DEF0-4752-A963-CCE9B49B0B79} (Gogs Class) - http://app.ipop.co.kr/gogsweb/gogsweb.cab
    O16 - DPF: {79E81BD1-2549-4625-8B70-3D55B1DAF971} (File Class) - http://www.pdbox.co.kr/filebox/ctrl_up/FileUtil.cab
    O16 - DPF: {8FA141C5-29D7-4408-A57B-619C463ED7BB} (Cychannel_Club1_10.UserControl1) - http://club.cyworld.nate.com/cychannel_club/Cychannel_Clubmain1_11.CAB
    O16 - DPF: {9D67EBF0-AF1A-4BCE-BAC9-C84A9383E0B3} (SSOCheck Class) - http://epis.ewha.ac.kr:8880/EP/web/common/cabfiles/UniSSOCheck.cab
    O16 - DPF: {9EE27E66-DF92-4E13-B348-459CCA350A34} (AxEduSessionConfig Control) - http://cyber.ewha.ac.kr/edutrack/AxEduSessionConfig.ocx
    O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworld.nate.com/cymusic/package/skcbgmset.cab
    O16 - DPF: {DA3F9206-FDFF-4079-B5AA-E5361051EB3C} (PDBOXUploadCtrl Control) - http://www.pdbox.co.kr/filebox/ctrl_up/PdBoxUpload.cab
    O16 - DPF: {DA54C9C1-8109-43C9-9C80-E4210CEDF147} (EzwonSession Control) - http://wedisk.co.kr/app/EzwonSessionCtl.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: byxur - C:\WINDOWS\system32\byxur.dll
    O23 - Service: AhnLab Task Scheduler - AhnLab, Inc. - C:\Program Files\Ahnlab\Smart Update Utility\AhnSDsv.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MonSvcNT - Ahnlab, Inc. - C:\Program Files\Ahnlab\V3\MonSvcNT.EXE
    O23 - Service: Norton AntiVirus 자동 보호 서비스 (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
  5. 2005/11/06
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    I've moved your thread to the Removing Spyware & Viruses forum - standard procedure on the Board for threads with HJT logs.
     
  6. 2005/11/09
    shnikes

    shnikes Inactive Thread Starter

    Joined:
    2005/02/18
    Messages:
    42
    Likes Received:
    0
    ok

    so what seems to be the problem?
    I keep getting these pop-ups although I blocked pop-ups on my browser.
     
  7. 2005/11/09
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Seems that the HJT specialists are thin on the ground right now.
     
  8. 2005/11/18
    shnikes

    shnikes Inactive Thread Starter

    Joined:
    2005/02/18
    Messages:
    42
    Likes Received:
    0
    help!

    Should I make a new post?
    someone please help me :confused:
     
  9. 2005/11/19
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Bumped
     
  10. 2005/11/19
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    Run HJT again, check these and press the Fix button:

    F3 - REG:win.ini: load=C:\WINDOWS\system32\svchsot.exe
    O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\system32\byxur.dll
    O4 - HKLM\..\Run: [ClubBox] "C:\WINDOWS\system32\clubbox.exe" -l
    O4 - HKLM\..\Run: [KIWI] C:\WINDOWS\system32\ntctl.exe
    O4 - HKLM\..\Run: [Shell API32] svcnet.exe ( see http://securityresponse.symantec.com/avcenter/venc/data/w32.tibick.html )
    O4 - HKLM\..\Run: [X-Ray Keyword Service] C:\WINDOWS\XRayWatcher.exe
    O4 - HKLM\..\Run: [RavUpter] C:\WINDOWS\system32\ravsetoie.exe
    O4 - HKLM\..\Run: [rundll32] C:\WINDOWS\system32\SHELLEXT\svchs0t.exe
    O4 - HKCU\..\Run: [joinsland] "C:\Program Files\CoolAgent\avachat-joinsland.exe" -env http://rss.joinsland.com/env.xml
    O4 - HKCU\..\Run: [Shell API32] svcnet.exe

    check these IF you did not put them there:
    O15 - Trusted Zone: http://*.shinhan.com
    O15 - Trusted Zone: http://*.shinhancard.com
    O15 - Trusted Zone: *.unitel.co.kr
    O15 - Trusted Zone: http://*.buddybuddy.co.kr (HKLM)
    O15 - Trusted Zone: http://www.khu.ac.kr (HKLM)
    O15 - Trusted Zone: http://www.lgqls.co.kr (HKLM)
    O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
    O16 - DPF: {317642DD-AF52-11D4-BC2A-0050DA8AEE6F} (FileMng Control) - http://mail.epis.ewha.ac.kr:8884/local/cabs/FileWiz.cab
    O16 - DPF: {5DAEF053-DEF0-4752-A963-CCE9B49B0B79} (Gogs Class) - http://app.ipop.co.kr/gogsweb/gogsweb.cab
    O16 - DPF: {79E81BD1-2549-4625-8B70-3D55B1DAF971} (File Class) - http://www.pdbox.co.kr/filebox/ctrl_up/FileUtil.cab
    O16 - DPF: {8FA141C5-29D7-4408-A57B-619C463ED7BB} (Cychannel_Club1_10.UserControl1) - http://club.cyworld.nate.com/cychan...lubmain1_11.CAB
    O16 - DPF: {9D67EBF0-AF1A-4BCE-BAC9-C84A9383E0B3} (SSOCheck Class) - http://epis.ewha.ac.kr:8880/EP/web/...UniSSOCheck.cab
    O16 - DPF: {9EE27E66-DF92-4E13-B348-459CCA350A34} (AxEduSessionConfig Control) - http://cyber.ewha.ac.kr/edutrack/AxEduSessionConfig.ocx
    O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworld.nate.com/cymu...e/skcbgmset.cab
    O16 - DPF: {DA3F9206-FDFF-4079-B5AA-E5361051EB3C} (PDBOXUploadCtrl Control) - http://www.pdbox.co.kr/filebox/ctrl_up/PdBoxUpload.cab
    O16 - DPF: {DA54C9C1-8109-43C9-9C80-E4210CEDF147} (EzwonSession Control) - http://wedisk.co.kr/app/EzwonSessionCtl.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: byxur - C:\WINDOWS\system32\byxur.dll
     
  11. 2005/11/19
    shnikes

    shnikes Inactive Thread Starter

    Joined:
    2005/02/18
    Messages:
    42
    Likes Received:
    0
    Thank you

    Thanks to both of you

    I checked and fixed all the ones you mentioned
    this is the new log
    I'm not sure if the problematic popups will persist as they are random
    but I will post again if they do.

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchsot.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\ATK0100\Hcontrol.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\SAMSUNG\Keydefin\KeyDefin.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\WINDOWS\ATK0100\ATKOSD.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\foxsvjx.exe
    C:\WINDOWS\system32\vschosts.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Ahnlab\Smart Update Utility\AhnSDsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\fscagent.exe
    C:\WINDOWS\System32\svchost.exe
    c:\windows\system32\vschosts.exe
    C:\Program Files\eMule\eMule.exe
    C:\Hijackthis\HijackThis.exe
    C:\WINDOWS\explorer.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\system32\byxur.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: V3 - {9E3849D6-41EF-4B2F-86B7-632EF90758E4} - C:\Program Files\Ahnlab\V3\V3Bar.dll
    O3 - Toolbar: 올인올 통합사전 - {DD9C9488-0B2F-435A-8E94-359CED492F64} - C:\Program Files\YBM\AllinAll\ToolBar.dll
    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [SAMSUNG Keydefin] C:\Program Files\SAMSUNG\Keydefin\KeyDefin.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [imekrmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMKR\imekrmig.exe
    O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe "
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe "
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKLM\..\Run: [ClubBox] "C:\WINDOWS\system32\clubbox.exe" -l
    O4 - HKLM\..\Run: [Samsung Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\smstsb10.exe
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [foxjx] C:\WINDOWS\system32\foxsvjx.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [vschost] C:\WINDOWS\system32\vschosts.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java 콘솔 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.unitel.co.kr
    O15 - Trusted Zone: http://*.buddybuddy.co.kr (HKLM)
    O15 - Trusted Zone: http://www.khu.ac.kr (HKLM)
    O15 - Trusted Zone: http://www.lgqls.co.kr (HKLM)
    O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
    O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
    O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
    O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: ipp - (no CLSID) - (no file)
    O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
    O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
    O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
    O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\System32\inetcomm.dll
    O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
    O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
    O18 - Protocol: msdaipp - (no CLSID) - (no file)
    O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
    O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
    O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\System32\mshtml.dll
    O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
    O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
    O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\System32\wiascr.dll
    O20 - Winlogon Notify: byxur - C:\WINDOWS\system32\byxur.dll
    O23 - Service: AhnLab Task Scheduler - AhnLab, Inc. - C:\Program Files\Ahnlab\Smart Update Utility\AhnSDsv.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MonSvcNT - Ahnlab, Inc. - C:\Program Files\Ahnlab\V3\MonSvcNT.EXE
    O23 - Service: Norton AntiVirus 자동 보호 서비스 (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
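
Whether the fix took can be checked by comparing the log posted after it with the entries that were selected for fixing. The Python below is an added example, not part of the thread: its sample lines are copied from the logs above, while the list of system binary names and the distance threshold of 2 are assumptions made for the example.

```python
import re

# Lines copied from the HijackThis logs in this thread (excerpts, not full logs).
# Entries from the first log that were checked for fixing:
FIX_LIST = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\svchsot.exe
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\system32\byxur.dll
O4 - HKLM\..\Run: [ClubBox] "C:\WINDOWS\system32\clubbox.exe" -l
O4 - HKLM\..\Run: [KIWI] C:\WINDOWS\system32\ntctl.exe
O4 - HKLM\..\Run: [Shell API32] svcnet.exe
O4 - HKLM\..\Run: [rundll32] C:\WINDOWS\system32\SHELLEXT\svchs0t.exe
O20 - Winlogon Notify: byxur - C:\WINDOWS\system32\byxur.dll
"""
# An entry from the first log that was not on the fix list:
KEPT = r"""
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
"""
# The same sections from the log posted after the fix:
AFTER = r"""
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\system32\byxur.dll
O4 - HKLM\..\Run: [ClubBox] "C:\WINDOWS\system32\clubbox.exe" -l
O4 - HKLM\..\Run: [foxjx] C:\WINDOWS\system32\foxsvjx.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [vschost] C:\WINDOWS\system32\vschosts.exe
O20 - Winlogon Notify: byxur - C:\WINDOWS\system32\byxur.dll
"""

ENTRY = re.compile(r"^(F\d|O\d+) - (.+)$")
IMAGE = re.compile(r'([^\\\s"=:]+\.(?:exe|dll))', re.IGNORECASE)
# Assumption: a short list of Windows binary names that impostors imitate.
SYSTEM_NAMES = ("svchost.exe", "rundll32.exe", "explorer.exe",
                "winlogon.exe", "lsass.exe")


def parse_entries(log):
    """Return the F*/O* entry lines of a HijackThis log, trimmed, in order."""
    lines = (line.strip() for line in log.splitlines())
    return [line for line in lines if ENTRY.match(line)]


def still_present(fix_list, after):
    """Entries selected for fixing that show up again in the later log."""
    remaining = set(parse_entries(after))
    return [e for e in parse_entries(fix_list) if e in remaining]


def new_entries(before, after):
    """Entries in the later log that the earlier log did not contain."""
    seen = set(parse_entries(before))
    return [e for e in parse_entries(after) if e not in seen]


def image_name(entry):
    """Lower-cased file name of the .exe/.dll an entry points at, or None."""
    without_value_name = re.sub(r"\[[^\]]*\]", "", entry)  # drop "[Run value]"
    match = IMAGE.search(without_value_name)
    return match.group(1).lower() if match else None


def osa_distance(a, b):
    """Edit distance where swapping two adjacent characters costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalikes(entries, max_distance=2):
    """Map file names that nearly match a system binary name to that name."""
    hits = {}
    for entry in entries:
        name = image_name(entry)
        if name is None or name in SYSTEM_NAMES:
            continue
        for real in SYSTEM_NAMES:
            if osa_distance(name, real) <= max_distance:
                hits[name] = real
                break
    return hits


if __name__ == "__main__":
    print("Still present after the fix:")
    for entry in still_present(FIX_LIST, AFTER):
        print("  ", entry)
    print("New since the first log:")
    for entry in new_entries(FIX_LIST + KEPT, AFTER):
        print("  ", entry)
    print("Names resembling a system binary:")
    for name, real in lookalikes(parse_entries(FIX_LIST + KEPT + AFTER)).items():
        print(f"   {name} ~ {real}")
```

A near-match on a file name is only a reason to inspect the file; it says nothing on its own about what the file does.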
     
  12. 2005/11/22
    shnikes

    shnikes Inactive Thread Starter

    Joined:
    2005/02/18
    Messages:
    42
    Likes Received:
    0
    pop ups again

    only this time they're **** sites
    so it is a different problem from the ones before


    A few days ago a spyware was installed automatically on the computer so that could be a reason for this. I did uninstall that spyware, though.

    this is one of the sites that pop up out of nowhere
    http://adultfriendfinder.com/go/g674873.subadlt
    also some of the old sites pop up but they don't show the site itself apparently because the computer must have blocked them or something.


    oh and this is the log

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\ATK0100\Hcontrol.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\SAMSUNG\Keydefin\KeyDefin.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\WINDOWS\ATK0100\ATKOSD.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\foxsvjx.exe
    C:\WINDOWS\system32\vschosts.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Ahnlab\Smart Update Utility\AhnSDsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\fscagent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\GRETECH\PING\PingMain.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\skcbgm.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Hijackthis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\system32\byxur.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: V3 - {9E3849D6-41EF-4B2F-86B7-632EF90758E4} - C:\Program Files\Ahnlab\V3\V3Bar.dll
    O3 - Toolbar: 올인올 통합사전 - {DD9C9488-0B2F-435A-8E94-359CED492F64} - C:\Program Files\YBM\AllinAll\ToolBar.dll
    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [SAMSUNG Keydefin] C:\Program Files\SAMSUNG\Keydefin\KeyDefin.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [imekrmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMKR\imekrmig.exe
    O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe "
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe "
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKLM\..\Run: [ClubBox] "C:\WINDOWS\system32\clubbox.exe" -l
    O4 - HKLM\..\Run: [Samsung Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\smstsb10.exe
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [foxjx] C:\WINDOWS\system32\foxsvjx.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [vschost] C:\WINDOWS\system32\vschosts.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java 콘솔 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.unitel.co.kr
    O15 - Trusted Zone: http://*.buddybuddy.co.kr (HKLM)
    O15 - Trusted Zone: http://www.khu.ac.kr (HKLM)
    O15 - Trusted Zone: http://www.lgqls.co.kr (HKLM)
    O16 - DPF: {340CCF52-D65F-4A11-80B3-13DC23697B59} (BugsInstall Control) - http://player.bugs.co.kr/install/BugsInstall_2005_11_06.cab
    O16 - DPF: {5DAEF053-DEF0-4752-A963-CCE9B49B0B79} (Gogs Class) - http://app.ipop.co.kr/gogsweb/gogsweb.cab
    O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://ebank.keb.co.kr/XecureObject/xw_install.cab
    O16 - DPF: {8FA141C5-29D7-4408-A57B-619C463ED7BB} (Cychannel_Club1_10.UserControl1) - http://club.cyworld.nate.com/cychannel_club/Cychannel_Clubmain1_11.CAB
    O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/XTools.cab
    O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworld.nate.com/cymusic/package/skcbgmset.cab
    O16 - DPF: {E1CDC08F-F464-4682-AE6A-7689451387C0} (CAFE multiupload control) - http://cafeimg.hanmail.net/activex/dmcm.cab?Version=1,0,0,21
    O16 - DPF: {F976CFC6-496E-4BCB-BEDC-4DE672FE9C34} - http://218.38.56.30/~rubitoolbar/rubibank.cab
    O20 - Winlogon Notify: byxur - C:\WINDOWS\system32\byxur.dll
    O23 - Service: AhnLab Task Scheduler - AhnLab, Inc. - C:\Program Files\Ahnlab\Smart Update Utility\AhnSDsv.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MonSvcNT - Ahnlab, Inc. - C:\Program Files\Ahnlab\V3\MonSvcNT.EXE
    O23 - Service: Norton AntiVirus 자동 보호 서비스 (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
  13. 2005/11/25
    shnikes

    shnikes Inactive Thread Starter

    Joined:
    2005/02/18
    Messages:
    42
    Likes Received:
    0
    trojan vundo

    byxur.dll seems to be the problem since I can't get rid of it.
    It was infected with a trojan virus but I can't erase it even in safe mode.
    How can I get rid of this file?
     
  14. 2005/11/25
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
  15. 2005/11/26
    shnikes

    shnikes Inactive Thread Starter

    Joined:
    2005/02/18
    Messages:
    42
    Likes Received:
    0
    thanks but it didn't work
    waah
     
  16. 2005/11/26
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    byxur.dll - are you sure of the spelling on that? The only hit for byxur.dll which comes up on Google is this thread :)

    Try another approach - download the trial of Ewido, update it and run it - or try their online scan. Let us know the results.
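
Added example, not part of the thread and not HijackThis's own code: a Python parser for log lines in the format posted above that collects the files behind the autostart sections and lists Winlogon Notify DLLs outside a baseline. A notify DLL is loaded by winlogon.exe, which is consistent with a file that stays locked in safe mode. The function names and the baseline set are assumptions, and the sample input is partly constructed.

```python
import re

# Three lines copied from the log in this thread, plus one constructed line
# (crypt32chain) standing in for a stock Windows notification package.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: crypt32chain - C:\WINDOWS\system32\crypt32.dll
O20 - Winlogon Notify: byxur - C:\WINDOWS\system32\byxur.dll
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# O4 = Run keys/startup folders, O20 = AppInit_DLLs/Winlogon Notify, O23 = services
AUTOSTART_SECTIONS = {"O4", "O20", "O23"}
# Assumed stock XP notification packages; replace with a known-good export.
BASELINE_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                   "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}

LINE_RE = re.compile(r"^\s*([A-Z]\d+)\s+-\s+(.+?)\s*$")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]*?\.(?:exe|dll)", re.I)
NOTIFY_RE = re.compile(r"^Winlogon Notify:\s*(.+?)\s+-\s+(.+)$")

def parse_hjt(log_text):
    """Return (section, detail, file path or None) per recognised log line."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, running-process list, blank lines
        section, detail = m.groups()
        path = PATH_RE.search(detail)
        entries.append((section, detail, path.group(0) if path else None))
    return entries

def autostart_files(entries):
    """Files started at boot or logon, grouped by HijackThis section."""
    found = {}
    for section, _detail, path in entries:
        if section in AUTOSTART_SECTIONS and path:
            found.setdefault(section, []).append(path)
    return found

def unexpected_notify(entries, baseline=BASELINE_NOTIFY):
    """(name, dll) pairs for Winlogon Notify packages outside the baseline."""
    hits = []
    for section, detail, _path in entries:
        m = NOTIFY_RE.match(detail) if section == "O20" else None
        if m and m.group(1).lower() not in baseline:
            hits.append((m.group(1), m.group(2)))
    return hits
```

On the sample, `unexpected_notify(parse_hjt(SAMPLE_LOG))` returns only the `byxur` entry; the output is a review list for an analyst, not a verdict on any file.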
     
