# Help: Trojan horse "dlm.exe", "dl.exe"



## yeonseop (Apr 14, 2004)

My friend's laptop has experienced "Trojan horse - dlm.exe, dl.exe" problem. I helped him to fix this by using Hijackthis, AdAware, and Spybot. After cleaning the computer, I installed "Zone alarm" to prevent further problem. At the moment, it seems to work well except one website. If I tried to connect the site using "Internet explorer", IE generates error messages.

The following is the log file generated by "Hijackthis". It has a lot of "O4 - Startup: xxx_{xxx}.tmp" lines. I deleted most of them and inserted dots since the file size of log file is too big (258kb). Thanks.

>---------------------------------------
Logfile of HijackThis v1.97.7
Scan saved at 10:13:35 PM, on 2004-04-13
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SMCTRLW.EXE
C:\WINDOWS\SYSTEM\CTRLVOL.EXE
C:\WINDOWS\SYSTEM\KEYMAP.EXE
C:\PROGRAM FILES\THINKPAD\EASY LAUNCH BUTTONS\TPHKMGR.EXE
C:\PROGRAM FILES\SLEEP MANAGER\SLEEPMGR.EXE
C:\WINDOWS\LTSMMSG.EXE
C:\CFGSAFE\AUTOCHK.EXE
C:\WINDOWS\SYSTEM\DAEMON.EXE
C:\PROGRAM FILES\MDL CROSSFIRE COMMANDER V6\XFDLINK.EXE
C:\PROGRAM FILES\MYLINKER\MYLINKER.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\KEYACC32.EXE
C:\PROGRAM FILES\THINKPAD\EASY LAUNCH BUTTONS\EZICON.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\THINKPAD\EASY LAUNCH BUTTONS\TPONSCR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
C:\UTILITY\HJT\HIJACKTHIS.EXE

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: ????? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [·¹Áö½ºÆ®¸® °Ë»ç] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Control Panel] smctrlw.exe
O4 - HKLM\..\Run: [CtrlVolume] C:\WINDOWS\SYSTEM\CtrlVol.exe
O4 - HKLM\..\Run: [Keymap] C:\WINDOWS\SYSTEM\Keymap.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\THINKPAD\EASYLA~1\TPHKMGR.EXE
O4 - HKLM\..\Run: [SleepManager] "C:\Program Files\Sleep Manager\SleepMgr.exe"
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\AUTOCHK.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [TrackPointSrv] daemon.exe
O4 - HKLM\..\Run: [XfDLink] "C:\PROGRAM FILES\MDL CROSSFIRE COMMANDER V6\XFDLINK.EXE"
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [myLinker] C:\PROGRA~1\MYLINKER\MYLINKER.EXE /B
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [CVPND] "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" start
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKCU\..\Run: [KeyAccess] c:\WINDOWS\keyacc32.exe
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRAM FILES\SYSTEM SOAP PRO\SOAP.exe min
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: ADDLFNPR.REG
O4 - Startup: BLUE10.BMP
O4 - Startup: EPSTPLOG.TXT
O4 - Startup: DEFAULT.WBM
O4 - Startup: DOSSTART.BAT
O4 - Startup: IBM1024R.BMP
O4 - Startup: IBML1024.BMP
O4 - Startup: KIDS10.BMP
O4 - Startup: MANCH10.BMP
O4 - Startup: MARK.GIF
O4 - Startup: MONTAG10.BMP
O4 - Startup: MOUSE.COM
O4 - Startup: NEWGRA10.BMP
O4 - Startup: QUAD10.BMP
O4 - Startup: RUN10.BMP
O4 - Startup: THINK10.BMP
O4 - Startup: WOMAN10.BMP
O4 - Startup: MSDOS.SYS
O4 - Startup: WINSOCK.DLL
O4 - Startup: WIN.INI
O4 - Startup: HWINFO.EXE
O4 - Startup: NETDET.INI
O4 - Startup: PIDGEN.DLL
O4 - Startup: MSIMGSIZ.DAT
O4 - Startup: LICENSE.TXT
O4 - Startup: SUPPORT.TXT
O4 - Startup: BILING.SYS
O4 - Startup: MPLAYER.EXE
O4 - Startup: RUNHELP.CAB
O4 - Startup: JAUTOEXP.DAT
O4 - Startup: NDDEAPI.DLL
O4 - Startup: NDDENB.DLL
O4 - Startup: SCRIPT.DOC
O4 - Startup: CLSPACK.EXE
O4 - Startup: DOSREP.EXE
O4 - Startup: DRWATSON.EXE
O4 - Startup: EXPLORER.EXE
O4 - Startup: FONTVIEW.EXE
O4 - Startup: USER.DAT
O4 - Startup: ODBC.INI
O4 - Startup: ISO10646.EXE
O4 - Startup: WININIT.SAV
O4 - Startup: NETDDE.EXE
O4 - Startup: PIDSET.EXE
O4 - Startup: SETDEBUG.EXE
O4 - Startup: SIGVERIF.EXE
O4 - Startup: TUNEUP.EXE
O4 - Startup: UPWIZUN.EXE
O4 - Startup: WINREP.EXE
O4 - Startup: JVIEW.EXE
O4 - Startup: BACKGRND.GIF
O4 - Startup: CLOUD.GIF
O4 - Startup: CONTENT.GIF
O4 - Startup: HLPBELL.GIF
O4 - Startup: HLPCD.GIF
O4 - Startup: HLPGLOBE.GIF
O4 - Startup: HLPLOGO.GIF
O4 - Startup: HLPSTEP1.GIF
O4 - Startup: HLPSTEP2.GIF
O4 - Startup: HLPSTEP3.GIF
O4 - Startup: WINLOGO.GIF
O4 - Startup: IOS.LOG
O4 - Startup: SYSTEM.INI
O4 - Startup: READM_01.HTZ
O4 - Startup: READM_02.HTZ
O4 - Startup: DOSREP.INI
O4 - Startup: HTMLHELP.INI
O4 - Startup: MSDFMAP.INI
O4 - Startup: VPC32.INI
O4 - Startup: OLDOSAPP.INI
O4 - Startup: DELUXECD.MDB
O4 - Startup: DOSPRMPT.PIF
O4 - Startup: EXPLORER.SCF
O4 - Startup: ODBCINST.INI
O4 - Startup: COUNTRY.SYS
O4 - Startup: CONFIG.TXT
O4 - Startup: DISPLAY.TXT
O4 - Startup: FAQ.TXT
O4 - Startup: GENERAL.TXT
O4 - Startup: HARDWARE.TXT
O4 - Startup: MOUSE.TXT
O4 - Startup: MSDOSDRV.TXT
O4 - Startup: NETWORK.TXT
O4 - Startup: PRINTERS.TXT
O4 - Startup: PROGRAMS.TXT
O4 - Startup: RECOVER.TXT
O4 - Startup: TIPS.TXT
O4 - Startup: WSCRIPT.EXE
O4 - Startup: TELEPHON.INI
O4 - Startup: SMARTDRV.EXE
O4 - Startup: HIMEM.SYS
O4 - Startup: RAMDRIVE.SYS
O4 - Startup: LOGOS.SYS
O4 - Startup: LOGOW.SYS
O4 - Startup: 1STBOOT.BMP
O4 - Startup: TWAIN_32.DLL
O4 - Startup: ¹°¹æ¿ï.bmp
O4 - Startup: ½£.bmp
O4 - Startup: ±Ý»ö Á÷¹°.bmp
O4 - Startup: ¼¼·ÎÁÙ.bmp
O4 - Startup: WAVEMIX.INI
O4 - Startup: Å¸ÀÏ.bmp
O4 - Startup: °ËÁ¤ ½û±â.bmp
O4 - Startup: POWERPNT.INI
O4 - Startup: »¡°£ ºí·Ï.bmp
O4 - Startup: WJVIEW.EXE
O4 - Startup: WIN.COM
O4 - Startup: HWINFO.DAT
O4 - Startup: MORICONS.DLL
O4 - Startup: MSOWS412.DLL
O4 - Startup: NDISLOG.TXT
O4 - Startup: ACCSTAT.EXE
O4 - Startup: ASD.EXE
O4 - Startup: CALC.EXE
O4 - Startup: CLEANMGR.EXE
O4 - Startup: CONTROL.EXE
O4 - Startup: CVT1.EXE
O4 - Startup: CVTAPLOG.EXE
O4 - Startup: DEFRAG.EXE
O4 - Startup: DRVSPACE.EXE
O4 - Startup: EMM386.EXE
O4 - Startup: MM2ENT.EXE
O4 - Startup: NOTEPAD.EXE
O4 - Startup: PACKAGER.EXE
O4 - Startup: PBRUSH.EXE
O4 - Startup: REGEDIT.EXE
O4 - Startup: PROGMAN.EXE
O4 - Startup: RG2CATDB.EXE
O4 - Startup: RUNDLL.EXE
O4 - Startup: RUNDLL32.EXE
O4 - Startup: SCANDSKW.EXE
O4 - Startup: SCANREGW.EXE
O4 - Startup: TB60.INI
O4 - Startup: SNDREC32.EXE
O4 - Startup: SNDVOL32.EXE
O4 - Startup: TASKMAN.EXE
O4 - Startup: TASKMON.EXE
O4 - Startup: VCMUI.EXE
O4 - Startup: WELCOME.EXE
O4 - Startup: WINFILE.EXE
O4 - Startup: WINHELP.EXE
O4 - Startup: WINHLP32.EXE
O4 - Startup: WININIT.EXE
O4 - Startup: WINVER.EXE
O4 - Startup: WRITE.EXE
O4 - Startup: WUPDMGR.EXE
O4 - Startup: WINUPD.ICO
O4 - Startup: DRVSPACE.INF
O4 - Startup: IOS.INI
O4 - Startup: SCANREG.INI
O4 - Startup: µ¾ÀÚ¸®.bmp
O4 - Startup: ASPI2HLP.SYS
O4 - Startup: CMD640X.SYS
O4 - Startup: CMD640X2.SYS
O4 - Startup: DBLBUFF.SYS
O4 - Startup: IFSHLP.SYS
O4 - Startup: SFCSYNC.TXT
O4 - Startup: SLEEPMGR.HLP
O4 - Startup: ACROREAD.INI
O4 - Startup: TWUNK_16.EXE
O4 - Startup: CDPLAYER.EXE
O4 - Startup: CHARMAP.EXE
O4 - Startup: CLIPBRD.EXE
O4 - Startup: DIALER.EXE
O4 - Startup: FREECELL.EXE
O4 - Startup: KODAKIMG.EXE
O4 - Startup: KODAKPRV.EXE
O4 - Startup: MSHEARTS.EXE
O4 - Startup: RSRCMTR.EXE
O4 - Startup: SOL.EXE
O4 - Startup: SYSMON.EXE
O4 - Startup: TOUR98.EXE
O4 - Startup: TWUNK_32.EXE
O4 - Startup: WINMINE.EXE
O4 - Startup: SERVICES.TXT
O4 - Startup: MSBATCH.INF
O4 - Startup: HIDCI.DLL
O4 - Startup: COMMAND.COM
O4 - Startup: brndlog.txt
O4 - Startup: SETVER.EXE
O4 - Startup: QFECHECK.EXE
O4 - Startup: WIN
O4 - Startup: QTW.INI
O4 - Startup: SMCTRLW.HLP
O4 - Startup: CONTROL.INI
O4 - Startup: VPMSMI.INI
O4 - Startup: MSINFO32.INI
O4 - Startup: SYSTEM.CB
O4 - Startup: WIN386.SWP
O4 - Startup: EXTRAC32.EXE
O4 - Startup: DEVMGR9X.EXE
O4 - Startup: PROTOCOL.INI
O4 - Startup: ±âº»°ª.PWL
O4 - Startup: IsUninst.exe
O4 - Startup: GSMU3.EXE
O4 - Startup: PROTOCOL
O4 - Startup: SERVICES
O4 - Startup: SNMPAPI.DLL
O4 - Startup: NETWORKS
O4 - Startup: ARP.EXE
O4 - Startup: FTP.EXE
O4 - Startup: SYSTEM.DAT
O4 - Startup: LMHOSTS.SAM
O4 - Startup: NETSTAT.EXE
O4 - Startup: PING.EXE
O4 - Startup: ROUTE.EXE
O4 - Startup: TELNET.EXE
O4 - Startup: TRACERT.EXE
O4 - Startup: WINIPCFG.EXE
O4 - Startup: LTSMMSG.EXE
O4 - Startup: IPCONFIG.EXE
O4 - Startup: NBTSTAT.EXE
O4 - Startup: INETMIB1.DLL
O4 - Startup: °ÔÀÓ¿ë MS-DOS ¸ðµå.pif
O4 - Startup: °ÔÀÓ¿ë MS-DOS ¸ðµå (EMS ¹× XMS Áö¿ø).pif
O4 - Startup: °ø±â ¹æ¿ï.bmp
O4 - Startup: ÀÌÁýÆ®.bmp
O4 - Startup: ÆÄµ¿.bmp
O4 - Startup: ¹°¶¼»õ °ÝÀÚ.bmp
O4 - Startup: »ï°¢Çü.bmp
O4 - Startup: ÆÄ¶õ ¸®ºª.bmp
O4 - Startup: ¼³Ä¡.bmp
O4 - Startup: ±¸¸§.bmp
O4 - Startup: ±Ý¼Ó Ã¼ÀÎ.bmp
O4 - Startup: »ç¾Ï.bmp
O4 - Startup: ¹Ù´Ã¶¡.bmp
O4 - Startup: Ã¤³Î È*¸é º¸È£±â.SCR
O4 - Startup: progman.ini
O4 - Startup: Reg Save Log.txt
O4 - Startup: folder.htt
O4 - Startup: OEWABLog.txt
O4 - Startup: SchedLog.Txt
O4 - Startup: Default.sf0
O4 - Startup: Default.sfc
O4 - Startup: wplog.txt
O4 - Startup: brndlog.bak
O4 - Startup: SOL.INI
O4 - Startup: NAVWNT.MIF
O4 - Startup: IsUn0412.exe
O4 - Startup: smoem.ini
O4 - Startup: Smctrlw.exe
O4 - Startup: NSREX.INI
O4 - Startup: NET.EXE
O4 - Startup: smcp.txt
O4 - Startup: SleepMgr.cnt
O4 - Startup: uninst.exe
O4 - Startup: tmpdelis.bat
O4 - Startup: UNWISE.EXE
O4 - Startup: NET.MSG
O4 - Startup: Sti_Trace.log
O4 - Startup: ILUNINST.EXE
O4 - Startup: REGTLIB.EXE
O4 - Startup: unwise.ini
O4 - Startup: fffe12ab_{6A98F2E0-E96B-11D7-95C6-444553540001}.tmp
O4 - Startup: EPIRPE10.INI
O4 - Startup: winhelp.ini
O4 - Startup: ipxtrn32.dll
O4 - Startup: msshlib2.log
O4 - Startup: twain_16.dll
O4 - Startup: STMMAIN.INI
O4 - Startup: vbaddin.ini
O4 - Startup: WKW16A.EXE
O4 - Startup: Active Setup Log.txt
O4 - Startup: Active Setup Log.BAK
O4 - Startup: NETH.MSG
O4 - Startup: hh.exe
O4 - Startup: mdm.ini
O4 - Startup: vgalusr1.vr
O4 - Startup: LOADQM.EXE
O4 - Startup: WINPOPUP.EXE
O4 - Startup: fffec77d_{FBB47500-9BF8-11D5-95C3-0002DD700EE1}.tmp
..
O4 - Startup: WPXERROR.LOG
O4 - Startup: fffe07fb_{D18C6A21-9BF9-11D5-95C3-0002DD700EE1}.tmp
..
O4 - Startup: hh.dat
O4 - Startup: SYMAPPS.INI
O4 - Startup: $014D4FD.WPX
O4 - Startup: fffe1d47_{EE50BF60-9C00-11D5-95C3-0002DD700EE1}.tmp
O4 - Startup: HARDLOCK.VXD
O4 - Startup: fffe5efd_{7A1B2820-9C04-11D5-95C3-0002DD700EE1}.tmp
O4 - Startup: KOOKMIN.BMP
O4 - Startup: Xecure.bmp
O4 - Startup: DAEGU.BMP
O4 - Startup: fffe5efd_{7A1B2821-9C04-11D5-95C3-0002DD700EE1}.tmp
..
O4 - Startup: ca.db
O4 - Startup: unin0412.exe
O4 - Startup: hdinfo.ini
O4 - Startup: Lucent Technologies Soft Modem AMR.log
O4 - Startup: fffe50cf_{964D2B00-9C64-11D5-95C3-90BE51C10000}.tmp
..
O4 - Startup: hjimesv.ini
O4 - Startup: fffe1e6f_{4D9A7E40-9C68-11D5-95C3-50B751C10000}.tmp
O4 - Startup: BUSAN.BMP
O4 - Startup: fffe1e6f_{4D9A7E41-9C68-11D5-95C3-50B751C10000}.tmp
O4 - Startup: yessignCA.pub
O4 - Startup: MODEMDET.TXT
O4 - Startup: winmine.ini
O4 - Startup: fffe18ab_{DD538CE0-9C98-11D5-95C3-60B451C10000}.tmp
...
O4 - Startup: TWAIN.LOG
O4 - Startup: fffe5133_{4DC12780-A518-11D5-95C3-A0BD51C10000}.tmp
...
O4 - Startup: IE4 Error Log.txt
O4 - Startup: fffe562f_{4DBF45C0-A5A7-11D5-95C3-F0C451C10000}.tmp
..
O4 - Startup: Twain001.Mtx
O4 - Startup: CSMOPAC.INI
O4 - Startup: fffe5689_{537D5140-A5D0-11D5-95C3-50B051C10000}.tmp
...
O4 - Startup: _detmp.1
O4 - Startup: CFW.INI
O4 - Startup: fffe5029_{84E8E4A1-A8B5-11D5-95C3-A0B651C10000}.tmp
...
O4 - Startup: ChemDraw.INI
O4 - Startup: fffe1ed3_{E6153D40-A8BB-11D5-95C3-A0B351C10000}.tmp
..
O4 - Startup: C3DPREFS.DAT
O4 - Startup: fffe502d_{671DF701-A8BD-11D5-95C3-B0B651C10000}.tmp
.
O4 - Startup: IMBXVT32.DLL
O4 - Startup: fffe1f61_{D1D4C5E1-A8BF-11D5-95C3-A0AA51C10000}.tmp
...
O4 - Startup: Chem3D.INI
O4 - Startup: CSGaussian.INI
O4 - Startup: HPLJPS5P.PCL
O4 - Startup: fffe52f1_{4D3BED40-A8CE-11D5-95C3-E0B651C10000}.tmp
...
O4 - Startup: wmsetup.log
O4 - Startup: Adobereg.db
O4 - Startup: WMSysPrx.prx
O4 - Startup: fffe5dff_{D0539F40-AC50-11D5-95C4-90E451C10000}.tmp
.
O4 - Startup: udptrn32.dll
O4 - Startup: FS5GLPT1.PCL
O4 - Startup: HPPCL5MS.X10
O4 - Startup: TWUNK003.MTX
O4 - Startup: fffe13dd_{E95B4200-AC54-11D5-95C4-90C155C10000}.tmp
...
O4 - Startup: Twunk002.MTX
O4 - Startup: fffe5163_{079C6D00-AD3D-11D5-95C4-309855C10000}.tmp
...
O4 - Startup: ACDILab.INI
O4 - Startup: KGOLESRV.INI
O4 - Startup: fffe5e1d_{5BD909C0-C01E-11D5-95C4-209455C10000}.tmp
...
O4 - Startup: HncIme.ini
O4 - Startup: unvise32.exe
O4 - Startup: fffe5dd3_{9D9BB420-C717-11D5-95C4-509955C10000}.tmp
...
O4 - Startup: DreamLoad.exe
O4 - Startup: fffe5ef9_{96E31E00-DF42-11D5-95C4-809755C10000}.tmp
...
O4 - Startup: DOS·Î ³ª°¨.PIF
O4 - Startup: fffe11b5_{599335E0-4AEE-11D6-95C4-807455C10000}.tmp
.
O4 - Startup: GRAMSCNV.INI
O4 - Startup: fffe12f1_{F2CB9960-EE63-11D5-95C4-206555C10000}.tmp
...
O4 - Startup: MOUSE.INI
O4 - Startup: fffe1635_{9AFF29E0-0C7C-11D6-95C4-F07755C10000}.tmp
...
O4 - Startup: SAMSUNGCARD.BMP
O4 - Startup: fffea04d_{C4D198C0-354E-11D6-95C4-D09C55C10000}.tmp
...
O4 - Startup: DELETE.EXE
O4 - Startup: MATHTYPE.LOG
O4 - Startup: fffe1005_{DA6D1B60-554B-11D6-95C4-709155C10000}.tmp
...
O4 - Startup: MATHTYPE.INI
O4 - Startup: FONTSDIR.MFD
O4 - Startup: fffe516d_{66938280-67F5-11D6-95C4-709855C10000}.tmp
...
O4 - Startup: ADA6C650.MFD
O4 - Startup: WIN.BAK
O4 - Startup: MT.DLL
O4 - Startup: fffe447d_{A89A76E0-0289-11D8-95C6-444553540001}.tmp
...
O4 - Startup: MT32.DLL
O4 - Startup: MTMACROS.PRE
O4 - Startup: fffe4ccd_{792F8800-F001-11D6-95C5-A08655C104C6}.tmp
..
O4 - Startup: GRPCONV.EXE
O4 - Startup: fffe461b_{88025801-F03B-11D6-95C5-409155C10000}.tmp
...
O4 - Startup: cadkasdeinst01e.exe
O4 - Startup: fffe094b_{9D39C7E0-F6ED-11D6-95C5-309255C10000}.tmp
...
O4 - Startup: kisa.der
O4 - Startup: fffe60d5_{00A3DC60-134C-11D7-95C5-109855C10000}.tmp
...
O4 - Startup: keyacc.ini
O4 - Startup: fffe0973_{48F0C2C0-2CC0-11D7-95C5-609855C10000}.tmp
...
O4 - Startup: keyacc32.exe
O4 - Startup: fffe39ad_{8E27D440-8AA9-11D7-95C5-0002DD700EE1}.tmp
..
O4 - Startup: DjVuDoc.ico
O4 - Startup: fffe1ccd_{048B7560-8B72-11D7-95C5-0002DD700EE1}.tmp
..
O4 - Startup: IE Setup Log.Txt
O4 - Startup: fffe31bf_{39EFED20-91CC-11D7-95C5-0002DD700EE1}.tmp
O4 - Startup: ieuninst.exe
O4 - Startup: keyacc.exe
O4 - Startup: fffe31bf_{39EFED21-91CC-11D7-95C5-0002DD700EE1}.tmp
O4 - Startup: RunOnceEx Log.txt
O4 - Startup: fffe305b_{4E1638E0-91E0-11D7-95C5-0002DD700EE1}.tmp
...
O4 - Startup: kalib32.dll
O4 - Startup: fffe3009_{D37799E0-982D-11D7-95C5-0002DD700EE1}.tmp
...
O4 - Startup: katrack.dll
O4 - Startup: unvise.exe
O4 - Startup: unvise32.dll
O4 - Startup: fffe3d89_{031E6780-9A7E-11D7-95C5-0002DD700EE1}.tmp
.
O4 - Startup: WMSysPr9.prx
O4 - Startup: fffe3e3f_{97D287C0-9A7F-11D7-95C5-0002DD700EE1}.tmp
.
O4 - Startup: wmplibrary_v_0_12.db
O4 - Startup: fffef693_{7FD5AC60-9ACA-11D7-95C5-708456C10000}.tmp
...
O4 - Startup: uneng.exe
O4 - Startup: fffe7df9_{B62F67C0-ACE4-11D7-95C5-607556C10000}.tmp
...
O4 - Startup: DefaultStore_59R.bin
O4 - Startup: UserMigratedStore_59R.bin
O4 - Startup: fffe137f_{2ADE67C0-BE87-11D7-95C5-0002DD700EE1}.tmp
O4 - Startup: nsreg.dat
..
O4 - Startup: fffe14b9_{13E781C0-C0E2-11D7-95C5-0002DD700EE1}.tmp
..
O4 - Startup: Windows Update.log
O4 - Startup: Q330994.exe
O4 - Startup: ttfCache
O4 - Startup: DirectX.log
O4 - Startup: dxwinini.bak
O4 - Startup: vminst.log
O4 - Startup: dahotfix.log
O4 - Startup: fffed567_{D6FC21A0-C13E-11D7-95C5-0002DD700EE1}.tmp
...
O4 - Startup: twain.dll
O4 - Startup: fffe3c1d_{4BB73860-D4CA-11D7-95C6-0002DD700EE1}.tmp
..
O4 - Startup: iun6002.exe
O4 - Startup: fffe136f_{60B7E560-D6DD-11D7-95C6-0002DD700EE1}.tmp
..
O4 - Startup: opuc.dll
O4 - Startup: fffe074b_{2691C660-DDF6-11D7-95C6-0002DD700EE1}.tmp
...
O4 - Startup: aolback.exe.lnk
O4 - Startup: fffe08b7_{CCDCE500-E3EA-11D7-95C6-444553540001}.tmp
...
O4 - Startup: msoffice.ini
O4 - Startup: SleepMgr.GID
O4 - Startup: fffe1ddd_{EC6E2960-E935-11D7-95C6-0002DD700EE1}.tmp
..
O4 - Startup: onkb2.ico
O4 - Startup: fffe12ab_{6A98F2E1-E96B-11D7-95C6-444553540001}.tmp
..
O4 - Startup: offkb2.ico
O4 - Startup: fffe3fdb_{55DF3060-E9BD-11D7-95C6-0002DD700EE1}.tmp
..
O4 - Startup: .plugin141_01.trace
O4 - Startup: MLUninst.exe
O4 - Startup: fffe1813_{1A401B80-EB7C-11D7-95C6-0002DD700EE1}.tmp
...
O4 - Startup: Fix IE Log.txt
O4 - Startup: IE Uninstall Log.Txt
O4 - Startup: IEPatchUninstall.log
O4 - Startup: IEPatchUninstall.BAK
O4 - Startup: fffe6ab5_{0A3D4C20-1143-11D8-95C6-0002DD700EE1}.tmp
...
O4 - Startup: _delis32.ini
O4 - Startup: fffe0401_{AD02BF60-5A33-11D8-95C6-444553540001}.tmp
...
O4 - Startup: ShellIconCache
O4 - Startup: fffe3a79_{6D0E7120-5FD7-11D8-95C6-0002DD700EE1}.tmp
...
O4 - Startup: ScanErrors.log
O4 - Startup: fffefea7_{FA37DDE0-7484-11D8-95C6-444553540001}.tmp
...
O4 - Startup: securea.html
O4 - Startup: secureb.html
O4 - Startup: test
O4 - Startup: dl.exe
O4 - Startup: dl.html
O4 - Startup: dlm.exe
O4 - Startup: toffel32.exe
O4 - Startup: consol32.exe
O4 - Startup: msstasks.exe
O4 - Startup: mstaskss.exe
O4 - Startup: WININIT.BAK
O4 - Startup: hosts.sam
O4 - Startup: fffec2c7_{64540400-8BEC-11D8-95C6-444553540001}.tmp
...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {8CFE8500-6604-11D4-B26D-00C04F7A67C8} (XecureWeb Control 3.5 HCB) - http://www.hncbworld.com/XecureObject/XecureSSL35HCB.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://update.nprotect.net/nprotect/samsungcard/npx.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://download.softforum.co.kr/Published/XecureWeb/v5.3.0.1/xw_install.cab
O16 - DPF: {DF1B804F-084B-4D24-A9E3-32BB9DAD87A4} (AxINIplugin30 Control) - http://banking.nonghyup.com/plugin/client/axINIplugin30.cab
O16 - DPF: {D13BA040-C349-11D3-87C2-00C04F4ABC61} (XecureWeb Control 3.0) - http://www.samsungcard.co.kr/XecureDemo/XecureObject/XecureSSL30.cab
O16 - DPF: ISSAC-WebSE - http://paygate.dacom.co.kr/penta/IssacWebInst.cab
O16 - DPF: {06228E75-DEB1-11D3-B702-00001CD5DA14} (AxINIplugin20 Control) - http://www.bccard.co.kr/initech/plugin/axINIplugin20.cab
O16 - DPF: {3267EA0D-B5D8-11D2-A4F9-00608CEBEE49} (ToinbWData Class) - http://ndsl.or.kr/toinbocx/toinbdata.cab
O16 - DPF: {0A2233AD-E771-11D2-973D-00104B15E56F} (ToinbWTR Class) - http://ndsl.or.kr/toinbocx/toinbtr.cab
O16 - DPF: {91B0A4F0-3206-4564-9BB4-AF9055DEF8A1} (ToinbWTextArea Class) - http://ndsl.or.kr/toinbocx/toinbtextarea.cab
O16 - DPF: {1F57AEAD-DB12-11D2-A4F9-00608CEBEE49} (ToinbWGrid Class) - http://ndsl.or.kr/toinbocx/toinbgrid.cab
O16 - DPF: {FD4C6571-DD20-11D2-973D-00104B15E56F} (ToInbWCCombo Class) - http://ndsl.or.kr/toinbocx/toinbccombo.cab
O16 - DPF: {9C9AB433-EA85-11D2-A4F9-00608CEBEE49} (ToinbWBind Class) - http://ndsl.or.kr/toinbocx/toinbbind.cab
O16 - DPF: {3694F19D-ED4D-4DA8-BECD-26FB830753D1} (DCLinker Class) - http://www.norazo.com/dcdownload/dreamlinker.cab
O16 - DPF: {9BDBC41E-C335-4263-83C0-ECE78EE28A33} (SysMonOCX Control) - http://ahnlabdownload.nefficient.co.kr/plugin/myfirewall/myfirewall20.cab
O16 - DPF: {6AD92401-CE2D-452B-AA63-1291D60EC2D2} (AxINIplugin40 Control) - http://banking.nonghyup.com/plugin/client/axINIplugin40.cab
O16 - DPF: {EADBDB84-2341-4AD0-9FAF-4F1F31CF4A46} (LoginForm Class) - http://pointsok.okcashbag.com/skmpp/SKMPPClient2.cab
O16 - DPF: {D5ACE9FC-9CCC-4FB6-9A63-19ED6A3AA489} (ReaderChecker Control) - http://drm.snu.ac.kr/pdfdrm/webbroker/ReaderChecker.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.djvu.com/plugins/en_US/DjVuControl.cab
O16 - DPF: {6FE760D3-7851-4879-8838-62D9881D7177} (IniMasHandler Class) - http://www.kookmincard.co.kr/images/sendmail/IniMasPlugin.cab
O16 - DPF: {83682BF2-2351-45C1-963C-9BB635A05178} (IssacWebSE2 Class) - http://paygate.dacom.co.kr/penta/ISSACWebSE2.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37869.4675694444
O16 - DPF: {59F156FC-9BC4-11D5-B0A5-0060085A719D} (Opalplayerx5 Control) - ftp://ftp.ca.com/pub/Opal/plugins/x_plugin/opalplayerx5.cab
O16 - DPF: {8E64F05B-76CF-40EA-AD6B-6741F02BDC46} (MagicInstaller Class) - http://www.americanexpress.co.kr/common/ML/MagicInstaller.cab
O16 - DPF: {93F83364-58E3-43C6-BE34-DE1252B26307} (Cruzbill Control) - http://image.em4s.com/sbill/cruzbill.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553546800} - http://active.macromedia.com/flash4/cabs/swflash.cab
O16 - DPF: {2C197E55-080B-42A4-BFD0-9595B3534CF4} (KVPplugin00 Control) - http://www.vpay.co.kr/KVPplugin01.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-3.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_01) - 
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) - 
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {D2A4C311-F608-4E0E-BBFE-6B25E31AC15B} (Kdfense5 Control) - http://kings.cachenet.com/kdf5078/kdfense5.cab
O16 - DPF: {97154128-DC4C-4D5B-AF7C-CA7356238EC9} (Hanmail FileUpload Control) - http://wwl270.daum.net/hanmail-ax/HM_fileupload.cab
O16 - DPF: {091CDD73-1401-4643-9B9C-65B091C88685} (MyLinker Control) - http://dizzo.contents.mylinker.co.kr/module/MyLinker.cab
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory 
O16 - DPF: {124250DD-E2CC-4B5B-AE7E-C9AC8A11DF43} (StreamNote2 Control) - http://nsi.snu.ac.kr/onlinenano/Lecture/Device Physics/Device Physics0302/StreamNote2.cab
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://hard-virgins.com/dl/dmitriy/x.chm::/load.exe

<-----------------------


----------



## Rollin' Rog (Dec 9, 2000)

I can't believe the computer starts at all if everything I see there is trying to load.

Go to the Startup Menu > Programs > Startup folder and delete EVERYTHING there. They are all the

04 startup:

entries you see in the Scanlog. Then reboot and post another Scanlog.

Strangely, none of them seem to be showing as "Running Processes", so conceivably this is some anomally produced by the Scanlog.

Also, what is this? O4 - HKLM\..\Run: [myLinker] C:\PROGRA~1\MYLINKER\MYLINKER.EXE /B

I would also check and "fix" ALL the 016 entries except those from legitimate, trusted sites you recognize, such as Macromedia, microsoft, banking and others.


----------



## yeonseop (Apr 14, 2004)

Thanks Rollin' Rog.

1) I checked the Startup folder but it does not have such files. Actually, all files in the "04 startup:" are located under the "C:\windows" directory.
2) "MYLINKER.EXE" is a file supplied by a newspaper website. I think it is credible, but am going to remove it.
3) I looked over the "C:\windows" directory, and found some suspicious files such as "securea.html", "secureb.html", "dl.html", and "dl.exe". All these files were deleted in the safe mode. In the case of usual web browsing, IE works well. However at some websites, it generates an error message. Especially when I tried to post a message to a certain bulletin board, it generates an error message. After that "outlook express" also gives an error message if I press "deliver" button.

Please help me with this. Thanks again.


----------



## Rollin' Rog (Dec 9, 2000)

Well that's the strangest thing I've ever seen in HijackThis; I wonder if there is some language configuration it is having problems with.

Anyway for the IE error, let us know what the error message says and on what site it is happening. Also try running the IE Repair Tool:

http://help.att.net/docs/howto/othe...ustomercontent=customer_browser&platform=none

And when testing such issues it is a good idea to temporarily disable the firewall. I don't see ZA in the startups though, did you disable it? You may have to do this using *msconfig* to ensure it is not interfering.

I also recommend having an alternate browser installed to test whether such issues are specfically browser related and to have a backup. I like Opera7 myself and use as my defacto browser even with the advertising:

www.opera.com

If you haven't already done so, it would probably be a good idea to give the Coolwebshredder, CWShredder.exe a run. You can get it here:

http://www.spywareinfo.com/~merijn/downloads.html

Have it fix any known problems it finds and then reboot.


----------



## yeonseop (Apr 14, 2004)

Thank Rollin' Rog for your help. Unfortunately I still have the same problem. I tried the repair of IE, and even tried to reinstall IE. I also installed "Opera" but found some difficulty with using different web browser due to the language support (Korean).

My IE usually works well except some web sites. For example, when I connect the "windows update" site, and scan updates, IE generates an error message if I click "windows 98 ... (?)" part in "Pick updates to install" section.
I might delete some system files when I deleted the suspicious files. Here is the HijackThis log file. I excluded all entries starting with "O4 - Startup: ..." except one "O4 - Startup: DIALER.EXE" since it seems that HJT just shows all files under "C:\windows".

>--------------------------------------------------
Logfile of HijackThis v1.97.7
Scan saved at 10:11:38 PM, on 2004-04-19
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SMCTRLW.EXE
C:\WINDOWS\SYSTEM\CTRLVOL.EXE
C:\WINDOWS\SYSTEM\KEYMAP.EXE
C:\PROGRAM FILES\THINKPAD\EASY LAUNCH BUTTONS\TPHKMGR.EXE
C:\PROGRAM FILES\SLEEP MANAGER\SLEEPMGR.EXE
C:\WINDOWS\LTSMMSG.EXE
C:\CFGSAFE\AUTOCHK.EXE
C:\WINDOWS\SYSTEM\DAEMON.EXE
C:\PROGRAM FILES\MDL CROSSFIRE COMMANDER V6\XFDLINK.EXE
C:\PROGRAM FILES\THINKPAD\EASY LAUNCH BUTTONS\EZICON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\THINKPAD\EASY LAUNCH BUTTONS\TPONSCR.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\KEYACC32.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\UTILITY\HJT\HIJACKTHIS.EXE

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: ????? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [·¹Áö½ºÆ®¸® °Ë»ç] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Control Panel] smctrlw.exe
O4 - HKLM\..\Run: [CtrlVolume] C:\WINDOWS\SYSTEM\CtrlVol.exe
O4 - HKLM\..\Run: [Keymap] C:\WINDOWS\SYSTEM\Keymap.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\THINKPAD\EASYLA~1\TPHKMGR.EXE
O4 - HKLM\..\Run: [SleepManager] "C:\Program Files\Sleep Manager\SleepMgr.exe"
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\AUTOCHK.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [TrackPointSrv] daemon.exe
O4 - HKLM\..\Run: [XfDLink] "C:\PROGRAM FILES\MDL CROSSFIRE COMMANDER V6\XFDLINK.EXE"
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [CVPND] "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" start
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [KeyAccess] c:\WINDOWS\keyacc32.exe
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRAM FILES\SYSTEM SOAP PRO\SOAP.exe min
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
.....
O4 - Startup: DIALER.EXE
.....
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {8CFE8500-6604-11D4-B26D-00C04F7A67C8} (XecureWeb Control 3.5 HCB) - http://www.hncbworld.com/XecureObject/XecureSSL35HCB.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://update.nprotect.net/nprotect/samsungcard/npx.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://download.softforum.co.kr/Published/XecureWeb/v5.3.0.1/xw_install.cab
O16 - DPF: {DF1B804F-084B-4D24-A9E3-32BB9DAD87A4} (AxINIplugin30 Control) - http://banking.nonghyup.com/plugin/client/axINIplugin30.cab
O16 - DPF: {D13BA040-C349-11D3-87C2-00C04F4ABC61} (XecureWeb Control 3.0) - http://www.samsungcard.co.kr/XecureDemo/XecureObject/XecureSSL30.cab
O16 - DPF: ISSAC-WebSE - http://paygate.dacom.co.kr/penta/IssacWebInst.cab
O16 - DPF: {06228E75-DEB1-11D3-B702-00001CD5DA14} (AxINIplugin20 Control) - http://www.bccard.co.kr/initech/plugin/axINIplugin20.cab
O16 - DPF: {3267EA0D-B5D8-11D2-A4F9-00608CEBEE49} (ToinbWData Class) - http://ndsl.or.kr/toinbocx/toinbdata.cab
O16 - DPF: {0A2233AD-E771-11D2-973D-00104B15E56F} (ToinbWTR Class) - http://ndsl.or.kr/toinbocx/toinbtr.cab
O16 - DPF: {91B0A4F0-3206-4564-9BB4-AF9055DEF8A1} (ToinbWTextArea Class) - http://ndsl.or.kr/toinbocx/toinbtextarea.cab
O16 - DPF: {1F57AEAD-DB12-11D2-A4F9-00608CEBEE49} (ToinbWGrid Class) - http://ndsl.or.kr/toinbocx/toinbgrid.cab
O16 - DPF: {FD4C6571-DD20-11D2-973D-00104B15E56F} (ToInbWCCombo Class) - http://ndsl.or.kr/toinbocx/toinbccombo.cab
O16 - DPF: {9C9AB433-EA85-11D2-A4F9-00608CEBEE49} (ToinbWBind Class) - http://ndsl.or.kr/toinbocx/toinbbind.cab
O16 - DPF: {3694F19D-ED4D-4DA8-BECD-26FB830753D1} (DCLinker Class) - http://www.norazo.com/dcdownload/dreamlinker.cab
O16 - DPF: {9BDBC41E-C335-4263-83C0-ECE78EE28A33} (SysMonOCX Control) - http://ahnlabdownload.nefficient.co.kr/plugin/myfirewall/myfirewall20.cab
O16 - DPF: {6AD92401-CE2D-452B-AA63-1291D60EC2D2} (AxINIplugin40 Control) - http://banking.nonghyup.com/plugin/client/axINIplugin40.cab
O16 - DPF: {EADBDB84-2341-4AD0-9FAF-4F1F31CF4A46} (LoginForm Class) - http://pointsok.okcashbag.com/skmpp/SKMPPClient2.cab
O16 - DPF: {D5ACE9FC-9CCC-4FB6-9A63-19ED6A3AA489} (ReaderChecker Control) - http://drm.snu.ac.kr/pdfdrm/webbroker/ReaderChecker.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.djvu.com/plugins/en_US/DjVuControl.cab
O16 - DPF: {6FE760D3-7851-4879-8838-62D9881D7177} (IniMasHandler Class) - http://www.kookmincard.co.kr/images/sendmail/IniMasPlugin.cab
O16 - DPF: {83682BF2-2351-45C1-963C-9BB635A05178} (IssacWebSE2 Class) - http://paygate.dacom.co.kr/penta/ISSACWebSE2.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37869.4675694444
O16 - DPF: {59F156FC-9BC4-11D5-B0A5-0060085A719D} (Opalplayerx5 Control) - ftp://ftp.ca.com/pub/Opal/plugins/x_plugin/opalplayerx5.cab
O16 - DPF: {8E64F05B-76CF-40EA-AD6B-6741F02BDC46} (MagicInstaller Class) - http://www.americanexpress.co.kr/common/ML/MagicInstaller.cab
O16 - DPF: {93F83364-58E3-43C6-BE34-DE1252B26307} (Cruzbill Control) - http://image.em4s.com/sbill/cruzbill.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553546800} - http://active.macromedia.com/flash4/cabs/swflash.cab
O16 - DPF: {2C197E55-080B-42A4-BFD0-9595B3534CF4} (KVPplugin00 Control) - http://www.vpay.co.kr/KVPplugin01.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-3.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {D2A4C311-F608-4E0E-BBFE-6B25E31AC15B} (Kdfense5 Control) - http://kings.cachenet.com/kdf5078/kdfense5.cab
O16 - DPF: {97154128-DC4C-4D5B-AF7C-CA7356238EC9} (Hanmail FileUpload Control) - http://wwl270.daum.net/hanmail-ax/HM_fileupload.cab
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory 
O16 - DPF: {124250DD-E2CC-4B5B-AE7E-C9AC8A11DF43} (StreamNote2 Control) - http://nsi.snu.ac.kr/onlinenano/Lecture/Device Physics/Device Physics0302/StreamNote2.cab
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\SYSTEM\urlmon.dll
<--------------------------------------------------------------


----------



## Rollin' Rog (Dec 9, 2000)

I don't see much in the Scanlog now, but why did you "exclude" this item?

O4 - Startup: DIALER.EXE

I'm not sure what it is, but it is not a "standard" startup and could be hijacking the dialup connection.

You should also check and "fix" this:

O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE

O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\SYSTEM\urlmon.dll
<--------------------------------------------------------------

>> have you tried disabling ZoneAlarm and testing?

And you aren't really giving much detail on the Windows Update problem; what error message do you receive?

There is a general troubleshooting page here, perhaps you can find it listed:

http://v4.windowsupdate.microsoft.com/troubleshoot/


----------



## freekt (Apr 30, 2004)

These are the obvious problems I see with this post. 
O4 - HKLM\..\Run: [internat.exe] internat.exe this is a virus the link below is how you fix it.
http://securityresponse.symantec.com/avcenter/venc/data/w32.ghotex.a.html
O4 - HKLM\..\Run: [·¹Áö½ºÆ®¸® °Ë»ç] c:\windows\scanregw.exe /autorun this is a virus the link below is how to fix it. 
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.gwghost.html
O4 - Startup: DIALER.EXE this just shouldn't be there probably spyware.


----------

