active x related (?)

Discussion in 'SpywareBlaster & Other Forum' started by wishbottle, Apr 16, 2003.

Thread Status:
Not open for further replies.
  1. wishbottle

    wishbottle Guest

    Well, first of all, this all happened in a day. And it's still affecting my HTML documents. Well, what it is, I think, not being so much of a "computer" geek, is that a prompt comes up when I open up HTML documents stating, "An ActiveX control on this page might be unsafe to interact with other parts of the page. Do you want to allow this interaction?", which I have no clue about, and the funny thing is that the computer freezes or stops for about more than a minute when I press Yes. So I gotta press No. And the more annoying thing is that this happens every time, not on the internet, and if I press No, every document contains this code:

    <SCRIPT Language=JavaScript></script>
    var jword = " %0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0
    A%0A%0A%0A%0A%0A%0A%0D%0Aif%20%28window.name%3D%3D%22trap%22%29%20window.moveTo%28-1000%2C- 1000%29%3B%0D%0Afunction%20encrypt%28buffer%29%0D%
    0A%7B%0D%0A%20%20%20return%20escape%28buffer%29%3B
    %0D%0A%7D%0D%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0
    A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A"
    var nword = " %0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0
    A%0A%0A%0A%0A%0A%0A%0D%0A%27@%20thank%20you%21%20%
    20make%20use%20of%20other%20person%20to%20get%20ri
    d%20of%20an%20enemy%2C%20white%20trap%20_2001%0D%0
    Aon%20error%20resume%20next%0D%0Adim%20vbscr%2C%20
    fso%2Cw1%2Cw2%2CMSWKEY%2CHCUW%2CCode_Str%2C%20Vbs_
    Str%2C%20Js_Str%0D%0Adim%20defpath%2C%20smailc%2C%
    20MAX_SIZE%0D%0Adim%20whb%28%29%2C%20title%2810%29
    %0D%0Asmailc%20%3D%204%0D%0ARedim%20whb%28smailc%2
    ...... ( about 4 times more than this but too long )

    which brings about another pop-up saying "cannot find page". If anyone knows how to fix this problem or knows if it's something really bad, tell me and help me fix it, please. Thank you in advance.
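
The fragments quoted in the post are the output of JavaScript's escape(), which the infected page hands to unescape() at load time; running the inverse offline shows what was injected without executing it. The following is an added example (my own code, not the worm's and not from the original post). The jword/nword samples are constructed from the fragments as quoted, with the forum's line wrapping removed and the long runs of %0A padding shortened; the page truncates them, so the decoded text is truncated too. The indicator names and the density thresholds used to pick encoded strings out of a page are my own choices.

```javascript
// Added example for this thread (not the worm's own code and not from the
// original post): recover the script hidden in the jword/nword strings.
// The infected page stores its real code as the output of escape() and feeds
// it to unescape() at load time; doing the unescape() step offline reveals
// the code without ever running it in a browser.

// Constructed samples: the two fragments as quoted in the post, with the
// forum's line wrapping removed and the long runs of %0A padding shortened.
// The page truncates them, so the decoded text is truncated too. The stray
// space in "%2C- 1000" is reproduced as quoted.
const JWORD =
  "%0A%0A%0A%0A%0D%0Aif%20%28window.name%3D%3D%22trap%22%29%20window.moveTo%28-1000%2C- 1000%29%3B" +
  "%0D%0Afunction%20encrypt%28buffer%29%0D%0A%7B%0D%0A%20%20%20return%20escape%28buffer%29%3B%0D%0A%7D%0D%0A%0A%0A";
const NWORD =
  "%0A%0A%0A%0A%0D%0A%27@%20thank%20you%21%20%20make%20use%20of%20other%20person%20to%20get%20rid%20of%20an%20enemy%2C%20white%20trap%20_2001" +
  "%0D%0Aon%20error%20resume%20next%0D%0Adim%20vbscr%2C%20fso%2Cw1%2Cw2%2CMSWKEY%2CHCUW%2CCode_Str%2C%20Vbs_Str%2C%20Js_Str" +
  "%0D%0Adim%20defpath%2C%20smailc%2C%20MAX_SIZE%0D%0Adim%20whb%28%29%2C%20title%2810%29%0D%0Asmailc%20%3D%204%0D%0ARedim%20whb%28smailc";

// A constructed HTML document carrying the two strings the way the post shows
// them, for the extraction step below.
const SAMPLE_HTML = [
  '<html><body bgcolor="white"><p>hello</p>',
  "<SCRIPT Language=JavaScript></script>",
  'var jword = "' + JWORD + '"',
  'var nword = "' + NWORD + '"',
  "</body></html>",
].join("\n");

// Same semantics as the legacy unescape(): %uXXXX -> one UTF-16 unit,
// %XX -> one char, anything malformed is passed through untouched.
function unescapeCompat(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (m, u, b) =>
    String.fromCharCode(parseInt(u !== undefined ? u : b, 16)));
}

// Quoted strings that are dense in %XX sequences: an escape()'d payload has
// roughly one '%' per three characters, ordinary markup has almost none.
// The 40-char / 10% thresholds are my own choice (assumption).
function findEncodedStrings(html, minLen = 40, minDensity = 0.1) {
  const out = [];
  for (const m of html.matchAll(/"([^"\n]*)"/g)) {
    const s = m[1];
    const pct = (s.match(/%/g) || []).length;
    if (s.length >= minLen && pct / s.length >= minDensity) out.push(s);
  }
  return out;
}

// Indicators chosen from what the decoded fragments actually contain
// (assumed names, not from any vendor signature).
const INDICATORS = [
  ["offscreen-window",   /window\.moveTo\(\s*-\d+/],    // hides its own window
  ["trap-window-name",   /window\.name\s*==\s*"trap"/], // the worm's marker window
  ["self-encoding",      /\bescape\(/],                 // re-encodes itself for the next host
  ["vbs-silence-errors", /\bon error resume next\b/i],  // VBScript: keep going on failure
  ["vbs-filesystem",     /\bfso\b/i],                   // FileSystemObject handle
];

// Decode one blob and report which indicators the decoded text matches.
function triage(encoded) {
  const decoded = unescapeCompat(encoded);
  const hits = INDICATORS.filter(([, re]) => re.test(decoded)).map(([name]) => name);
  return { decoded, hits };
}

// Stand-alone run: pull the blobs out of the sample page and report on each.
for (const blob of findEncodedStrings(SAMPLE_HTML)) {
  const { decoded, hits } = triage(blob);
  console.log(`hits: ${hits.join(", ")}\n${decoded.trim()}\n---`);
}
```

Decoding the two blobs shows a JavaScript half (move the "trap" window off screen, re-escape the payload for the next file) and a VBScript half (`on error resume next`, a FileSystemObject handle, a mail counter), which is what the ActiveX interaction prompt in the post is about: the script side is reaching into a scripting control.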
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Wishbottle,

    Could you post your HijackThis log?
    Download, unzip and run HijackThis, then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
    Don't fix anything yet. Most of what it finds is harmless.

    Regards,

    Pieter
     
  3. wishbottle

    wishbottle Guest

    I'd post it right now, because I've already performed it, but it doesn't contain any private information, right? I could post everything, right?
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    If anything compromising/revealing is in there (not normally the case), I will delete it after reading, so feel free to post it.

    Regards,

    Pieter
     
  5. wishbottle

    wishbottle Guest

    Here it is :

    Logfile of HijackThis v1.93.0
    Scan saved at 1:23:02 PM, on 4/16/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.terafinder.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://edition.cnn.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.terafinder.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.terafinder.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://www.terafinder.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.naver.com
    O2 - BHO: (no name) - {1678F7E1-C422-11D0-AD7D-00400515CAAA} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
    O4 - HKLM\..\Run: [TgSet] "C:\Program Files\Tioga\Client\bin\tgshell.exe" /ds "C:\Program Files\Tioga\lserver\\"
    O4 - HKLM\..\Run: [TgStart] "C:\Program Files\Tioga\Client\bin\tgsched.exe"
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Mdm] C:\WINDOWS\SYSTEM\Mdm.vbs
    O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Profile] C:\WINDOWS\Profile.vbs
    O4 - HKCU\..\Run: [IntelProcNumUtility] "C:\Program Files\Intel\Intel PSNCU\CpuNumber.exe" /nosplash
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: BelNotify.lnk = C:\WINDOWS\rundll32.exe
    O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Netnews (HKCU)
    O12 - Plugin for .bpt: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O12 - Plugin for .tif: C:\Program Files\Internet Explorer\Plugins\NP~avtif.dll
    O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\Plugins\NP~avtif.dll
    O15 - Trusted Zone: http://free.aol.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: Dialpad Java Applet (Shockwave ActiveX Control) - http://www.dialpad.com/applet/src/vscp.cab
    O16 - DPF: {008EBD40-3D1E-4DB8-BE8F-A8B65D2F08C0} (WBLoader Control) - http://baduk.chollian.net/down/wbloader.cab
    O16 - DPF: Dialpad US Java Applet - http://www.dialpad.com/applet/src/vscp.cab
    O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://carpoint.msn.com/components/ocx/autopricer/autopricer.cab
    O16 - DPF: {4A4341C6-12FB-11D4-AE81-00105A853E26} (AdTargets Control) - http://211.50.137.57/imbc/VideoViewer_MBC.cab
    O16 - DPF: {B8ED9BA5-B785-11D4-9F0E-0050DA8C789B} (Sentence Control) - http://www.push365.com/sentence/SentenceProj1.cab
    O16 - DPF: {C3EF17D6-2201-11D4-9F0E-00B0D011B1AE} (Communities.com Passport) - http://cartoonorbit.cartoonnetwork.com/orbiter11002/ie/orbiter.cab
    O16 - DPF: {C67DD107-5C8F-11D4-8AC5-0050DA8E4C2D} (ADownSetup Control) - http://www.joybaduk.com/autodown/ADownSetupProj1011.ocx
    O16 - DPF: {11534CA7-CCAC-11D4-BB5E-00E04CAA1199} (SBMP Control) - http://www.wegobaduk.com/activex/sbmp.cab
    O16 - DPF: {CCBA62F1-7974-11D2-9B9C-00609778BE1A} (BadukCtrl Control) - http://www.joybaduk.com/BadukControl.cab
    O16 - DPF: {897E06B7-B6D3-11D4-9647-000102372411} (EzLoad Control) - http://baduk.chosun.com/src/control/ezLoad.ocx
    O16 - DPF: {6362FCA0-F60A-4A6E-B735-94938CA60BC5} (Pcid Class) - http://www.ebs.co.kr/ebs/pcid/PCID.cab
    O16 - DPF: {FFBD9DBD-43C6-11D5-AF63-0050BF0C87E4} (IbcdaCtrl Class) - http://211.233.27.155/multi/cab/tcp/30/ibcda.cab
    O16 - DPF: {FC674786-60E2-11D5-9DC4-00010234D4DF} (SWegoLogin Control) - http://www.wegobaduk.com/activex/SWegoLogin.ocx
    O16 - DPF: {14261A47-FB7D-4662-8CF4-A187FC36DF73} (OnTopPos Class) - http://music.imbc.com/touch2/browserpos.cab
    O16 - DPF: {66A47CF9-1C73-11D5-99D0-00C026A02FC8} (ActiveChannel Control) - http://baduk.interpark.com/ocx/ActiveChannel.cab
    O16 - DPF: {7B1BB066-7BBB-11D4-A34E-0000F01A209C} (^u^ Unitel iPlug Control) - http://login.unitel.co.kr/iplug/iplug13311.cab
    O16 - DPF: {8B01A36B-7CCC-11D4-A5DA-00A04B0854E0} (SBVP Control) - http://www.wegobaduk.com/activex/sbvp.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
    O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://download.netmarble.net/nProtect/module/netmarble/npx.cab
    O16 - DPF: {C6A75C47-1A49-11D6-8813-00D0B7B07976} (JoyRunner Control) - http://www.joybaduk.com/download/JoyRunner.cab
    O16 - DPF: {ECF9883C-08FE-11D6-A70C-00A04B0854E0} (SBV2P Control) - http://www.wegobaduk.com/activex/sbv2p.cab
    O16 - DPF: {48ED5A74-A5A6-4EDE-AAC5-42D697FC3F19} (cyberX Control) - http://www.cyberoro.com/download/cyber.cab
    O16 - DPF: {05FA42E6-DF1D-11D3-983C-00105A762B10} (SkyControl Control) - http://baduk.chosun.com/src/control/skyControl.ocx
    O16 - DPF: NM_Chat (SkyControl Control) - http://www.netmarble.net/NM_Chat.cab
    O16 - DPF: {00001009-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter9 Class) - http://www.netmarble.net/game/NMStarter.cab
    O16 - DPF: {25043242-EA3E-450E-AEF6-5F610F77F7CA} (RomoteMng Control) - http://61.74.69.148/component/RemoteMng.CAB
    O16 - DPF: {5B535297-89E6-486E-8DA8-0C663B1981EC} (giboView Control) - http://www.cyberoro.com/kbaweb/gibo/giboview.cab
    O16 - DPF: {DCFF5FC0-003D-4249-A17A-9D0D9FCAC79D} (ATPlayerOCX Control) - http://211.45.21.135:8080/lecture/ATPlayerOcx.cab
    O16 - DPF: {83637DFE-6EE1-4815-B874-03449C4877B7} (Neowork Control) - http://icons.com.ne.kr/active-x/shortcut/Comnekr.cab
    O16 - DPF: {1DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} (ActiveWorldsDownload Control) - http://www.activeworlds.com/products/ActiveWorldsDownload.cab
    O16 - DPF: {0C9B8C3F-9521-44DA-B94F-619B2C5BA2F0} (RmtMng Control) - http://61.74.69.148/component/new/RmtMng.CAB
    O16 - DPF: {F4B670B0-E9CD-413F-8710-E32646E4F4C9} (Badukjinatx Control) - http://www.livebaduk.com/service/badukjoin.cab
    O16 - DPF: {0406A7E0-5445-408F-B057-1E817B7A5E8A} (TYGEMLauncherX Control) - http://baduk.chosun.com/commonResource/launcher/TYGEMLauncher.cab
    O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.6.35/HiwireBF.cab
    O16 - DPF: {9CAA601B-F2FC-11D6-89E0-00C02674A01B} (mshort.uc98) - http://www.maxmp3.co.kr/mshort.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37589.8267592593
    O16 - DPF: {A87AC5C4-E4A8-421E-84C8-12A5564EAF2B} (NAudioX Control) - http://download.netmarble.net/NAudioX/NAudioX.cab
    O16 - DPF: {00001011-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter11 Class) - http://www.netmarble.net/game/NMStarter11.cab
    O16 - DPF: {558958F1-FF22-4A76-8595-79A6B7BA698A} (PuzzleBobbleLauncher Control) - http://211.233.50.234/PBO/PuzzleBobbleLauncher.ocx
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_01) -
    O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
    O16 - DPF: {00001012-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter12 Class) - http://www.netmarble.net/game/NMStarter12.cab
    O16 - DPF: Yahoo! Towers 2.0 (NetmarbleStarter12 Class) - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {38286148-11A7-11D7-89E0-00C02674A01B} (mshort.uc98) - http://www.maxmp3.co.kr/Mshort.CAB
    O16 - DPF: {18AB1DDB-D1EE-4DFC-970E-5C871E02C808} (Chat5678_2 Control) - http://www.club5678.com/onechat/Chat5678_2.cab
    O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiqonline.com/WebIQ/bin/WebIQ.cab
    O16 - DPF: {14399F4E-7698-468C-B988-66486085A306} (HgbLauncher Class) - http://down.hangame.com/iservice/messenger/inst/ver1011/launcher.cab
    O16 - DPF: {956C9F5B-0EEB-41B5-9D7B-FAD968AF9469} (HanGamePlugin13 Class) - http://down.hangame.com/dist/activex/HanGamePlugin13.cab
    O16 - DPF: Yahoo! Chat 1.3 (HanGamePlugin13 Class) - http://cs8.chat.sc5.yahoo.com/c174/chat.cab
    O16 - DPF: {599F3498-DC57-4CCE-9953-F2BF40F205EB} (ActiveList Control) - http://www.okbaduk.co.kr/OKList.cab
    O16 - DPF: {BD1826A0-8201-4CBE-A4AB-504A456CA3A4} (PadukBoard Control) - http://www.okbaduk.co.kr/PadukBoard.cab
    O16 - DPF: {DF10051C-D897-458D-BD33-6ABD62D2D710} (OKActive1 Control) - http://www.okbaduk.co.kr/OKActive1.cab
    O16 - DPF: {EADBDB84-2341-4AD0-9FAF-4F1F31CF4A46} (LoginForm Class) - http://pointsok.okcashbag.com/skmpp/SKMPPClient2.cab
    O16 - DPF: {4BC4C3E9-2BBB-4F28-A449-D25CD323109B} (HGAgentClient Control) - http://bar.hangame.naver.com/bar/HGAgentClient.cab
    O16 - DPF: Yahoo! Chess (HGAgentClient Control) - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
    O16 - DPF: {9A19966F-AE0E-4699-8CCE-9B6F5F1C352C} (NPKXSite Control) - http://download.netmarble.net/nprotect/npkx/npkxsite.cab
    O16 - DPF: Yahoo! Poker (NPKXSite Control) - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
    O16 - DPF: Video Poker (NPKXSite Control) - http://download.games.yahoo.com/games/clients/y/vpt0_x.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_0_2_7.cab
    O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi wishbottle,

    Check the following items in HijackThis and click Fix checked. Make sure to close all IE, OE and Explorer windows when you do so:
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.terafinder.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.terafinder.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.terafinder.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://www.terafinder.com/
    O2 - BHO: (no name) - {1678F7E1-C422-11D0-AD7D-00400515CAAA} - (no file)
    O15 - Trusted Zone: http://free.aol.com
    O16 - DPF: Dialpad Java Applet (Shockwave ActiveX Control) - http://www.dialpad.com/applet/src/vscp.cab
    O16 - DPF: {008EBD40-3D1E-4DB8-BE8F-A8B65D2F08C0} (WBLoader Control) - http://baduk.chollian.net/down/wbloader.cab
    O16 - DPF: Dialpad US Java Applet - http://www.dialpad.com/applet/src/vscp.cab
    O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://carpoint.msn.com/components/ocx/autopricer/autopricer.cab
    O16 - DPF: {4A4341C6-12FB-11D4-AE81-00105A853E26} (AdTargets Control) - http://211.50.137.57/imbc/VideoViewer_MBC.cab
    O16 - DPF: {B8ED9BA5-B785-11D4-9F0E-0050DA8C789B} (Sentence Control) - http://www.push365.com/sentence/SentenceProj1.cab
    O16 - DPF: {C3EF17D6-2201-11D4-9F0E-00B0D011B1AE} (Communities.com Passport) - http://cartoonorbit.cartoonnetwork.com/orbiter11002/ie/orbiter.cab
    O16 - DPF: {C67DD107-5C8F-11D4-8AC5-0050DA8E4C2D} (ADownSetup Control) - http://www.joybaduk.com/autodown/ADownSetupProj1011.ocx
    O16 - DPF: {11534CA7-CCAC-11D4-BB5E-00E04CAA1199} (SBMP Control) - http://www.wegobaduk.com/activex/sbmp.cab
    O16 - DPF: {CCBA62F1-7974-11D2-9B9C-00609778BE1A} (BadukCtrl Control) - http://www.joybaduk.com/BadukControl.cab
    O16 - DPF: {897E06B7-B6D3-11D4-9647-000102372411} (EzLoad Control) - http://baduk.chosun.com/src/control/ezLoad.ocx
    O16 - DPF: {6362FCA0-F60A-4A6E-B735-94938CA60BC5} (Pcid Class) - http://www.ebs.co.kr/ebs/pcid/PCID.cab
    O16 - DPF: {FFBD9DBD-43C6-11D5-AF63-0050BF0C87E4} (IbcdaCtrl Class) - http://211.233.27.155/multi/cab/tcp/30/ibcda.cab
    O16 - DPF: {FC674786-60E2-11D5-9DC4-00010234D4DF} (SWegoLogin Control) - http://www.wegobaduk.com/activex/SWegoLogin.ocx
    O16 - DPF: {14261A47-FB7D-4662-8CF4-A187FC36DF73} (OnTopPos Class) - http://music.imbc.com/touch2/browserpos.cab
    O16 - DPF: {66A47CF9-1C73-11D5-99D0-00C026A02FC8} (ActiveChannel Control) - http://baduk.interpark.com/ocx/ActiveChannel.cab
    O16 - DPF: {7B1BB066-7BBB-11D4-A34E-0000F01A209C} (^u^ Unitel iPlug Control) - http://login.unitel.co.kr/iplug/iplug13311.cab
    O16 - DPF: {8B01A36B-7CCC-11D4-A5DA-00A04B0854E0} (SBVP Control) - http://www.wegobaduk.com/activex/sbvp.cab
    O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://download.netmarble.net/nProtect/module/netmarble/npx.cab
    O16 - DPF: {C6A75C47-1A49-11D6-8813-00D0B7B07976} (JoyRunner Control) - http://www.joybaduk.com/download/JoyRunner.cab
    O16 - DPF: {ECF9883C-08FE-11D6-A70C-00A04B0854E0} (SBV2P Control) - http://www.wegobaduk.com/activex/sbv2p.cab
    O16 - DPF: {48ED5A74-A5A6-4EDE-AAC5-42D697FC3F19} (cyberX Control) - http://www.cyberoro.com/download/cyber.cab
    O16 - DPF: {05FA42E6-DF1D-11D3-983C-00105A762B10} (SkyControl Control) - http://baduk.chosun.com/src/control/skyControl.ocx
    O16 - DPF: NM_Chat (SkyControl Control) - http://www.netmarble.net/NM_Chat.cab
    O16 - DPF: {00001009-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter9 Class) - http://www.netmarble.net/game/NMStarter.cab
    O16 - DPF: {25043242-EA3E-450E-AEF6-5F610F77F7CA} (RomoteMng Control) - http://61.74.69.148/component/RemoteMng.CAB
    O16 - DPF: {5B535297-89E6-486E-8DA8-0C663B1981EC} (giboView Control) - http://www.cyberoro.com/kbaweb/gibo/giboview.cab
    O16 - DPF: {DCFF5FC0-003D-4249-A17A-9D0D9FCAC79D} (ATPlayerOCX Control) - http://211.45.21.135:8080/lecture/ATPlayerOcx.cab
    O16 - DPF: {83637DFE-6EE1-4815-B874-03449C4877B7} (Neowork Control) - http://icons.com.ne.kr/active-x/shortcut/Comnekr.cab
    O16 - DPF: {1DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} (ActiveWorldsDownload Control) - http://www.activeworlds.com/products/ActiveWorldsDownload.cab
    O16 - DPF: {0C9B8C3F-9521-44DA-B94F-619B2C5BA2F0} (RmtMng Control) - http://61.74.69.148/component/new/RmtMng.CAB
    O16 - DPF: {F4B670B0-E9CD-413F-8710-E32646E4F4C9} (Badukjinatx Control) - http://www.livebaduk.com/service/badukjoin.cab
    O16 - DPF: {0406A7E0-5445-408F-B057-1E817B7A5E8A} (TYGEMLauncherX Control) - http://baduk.chosun.com/commonResource/launcher/TYGEMLauncher.cab
    O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.6.35/HiwireBF.cab
    O16 - DPF: {9CAA601B-F2FC-11D6-89E0-00C02674A01B} (mshort.uc98) - http://www.maxmp3.co.kr/mshort.cab
    O16 - DPF: {A87AC5C4-E4A8-421E-84C8-12A5564EAF2B} (NAudioX Control) - http://download.netmarble.net/NAudioX/NAudioX.cab
    O16 - DPF: {00001011-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter11 Class) - http://www.netmarble.net/game/NMStarter11.cab
    O16 - DPF: {558958F1-FF22-4A76-8595-79A6B7BA698A} (PuzzleBobbleLauncher Control) - http://211.233.50.234/PBO/PuzzleBobbleLauncher.ocx
    O16 - DPF: {00001012-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter12 Class) - http://www.netmarble.net/game/NMStarter12.cab
    O16 - DPF: Yahoo! Towers 2.0 (NetmarbleStarter12 Class) - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
    O16 - DPF: {38286148-11A7-11D7-89E0-00C02674A01B} (mshort.uc98) - http://www.maxmp3.co.kr/Mshort.CAB
    O16 - DPF: {18AB1DDB-D1EE-4DFC-970E-5C871E02C808} (Chat5678_2 Control) - http://www.club5678.com/onechat/Chat5678_2.cab
    O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiqonline.com/WebIQ/bin/WebIQ.cab
    O16 - DPF: {14399F4E-7698-468C-B988-66486085A306} (HgbLauncher Class) - http://down.hangame.com/iservice/messenger/inst/ver1011/launcher.cab
    O16 - DPF: {956C9F5B-0EEB-41B5-9D7B-FAD968AF9469} (HanGamePlugin13 Class) - http://down.hangame.com/dist/activex/HanGamePlugin13.cab
    O16 - DPF: Yahoo! Chat 1.3 (HanGamePlugin13 Class) - http://cs8.chat.sc5.yahoo.com/c174/chat.cab
    O16 - DPF: {599F3498-DC57-4CCE-9953-F2BF40F205EB} (ActiveList Control) - http://www.okbaduk.co.kr/OKList.cab
    O16 - DPF: {BD1826A0-8201-4CBE-A4AB-504A456CA3A4} (PadukBoard Control) - http://www.okbaduk.co.kr/PadukBoard.cab
    O16 - DPF: {DF10051C-D897-458D-BD33-6ABD62D2D710} (OKActive1 Control) - http://www.okbaduk.co.kr/OKActive1.cab
    O16 - DPF: {EADBDB84-2341-4AD0-9FAF-4F1F31CF4A46} (LoginForm Class) - http://pointsok.okcashbag.com/skmpp/SKMPPClient2.cab
    O16 - DPF: {4BC4C3E9-2BBB-4F28-A449-D25CD323109B} (HGAgentClient Control) - http://bar.hangame.naver.com/bar/HGAgentClient.cab
    O16 - DPF: Yahoo! Chess (HGAgentClient Control) - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
    O16 - DPF: {9A19966F-AE0E-4699-8CCE-9B6F5F1C352C} (NPKXSite Control) - http://download.netmarble.net/nprotect/npkx/npkxsite.cab
    O16 - DPF: Yahoo! Poker (NPKXSite Control) - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
    O16 - DPF: Video Poker (NPKXSite Control) - http://download.games.yahoo.com/games/clients/y/vpt0_x.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_0_2_7.cab
    O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab

    When you're done, reboot and let me know if that solved it.
    Please post another log as well, because I want to take a look at some startups that look mighty suspicious.

    Regards,

    Pieter
     
  7. wishbottle

    wishbottle Guest

    Nope, didn't fix it.....

    The scan said that some were already deleted, like the Yahoo! Chess...:

    Logfile of HijackThis v1.93.0
    Scan saved at 2:02:38 PM, on 4/16/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://edition.cnn.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.naver.com
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
    O4 - HKLM\..\Run: [TgSet] "C:\Program Files\Tioga\Client\bin\tgshell.exe" /ds "C:\Program Files\Tioga\lserver\\"
    O4 - HKLM\..\Run: [TgStart] "C:\Program Files\Tioga\Client\bin\tgsched.exe"
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Mdm] C:\WINDOWS\SYSTEM\Mdm.vbs
    O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Profile] C:\WINDOWS\Profile.vbs
    O4 - HKCU\..\Run: [IntelProcNumUtility] "C:\Program Files\Intel\Intel PSNCU\CpuNumber.exe" /nosplash
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: BelNotify.lnk = C:\WINDOWS\rundll32.exe
    O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Netnews (HKCU)
    O12 - Plugin for .bpt: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O12 - Plugin for .tif: C:\Program Files\Internet Explorer\Plugins\NP~avtif.dll
    O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\Plugins\NP~avtif.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: Dialpad Java Applet (Shockwave ActiveX Control) - http://www.dialpad.com/applet/src/vscp.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
    O16 - DPF: NM_Chat - http://www.netmarble.net/NM_Chat.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37589.8267592593
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_01) -
    O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
    O16 - DPF: Yahoo! Towers 2.0 (Java Runtime Environment 1.4.1_01) - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: Yahoo! Chat 1.3 (MSN Chat Control 4.5) - http://cs8.chat.sc5.yahoo.com/c174/chat.cab
    O16 - DPF: Yahoo! Chess (MSN Chat Control 4.5) - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
    O16 - DPF: Yahoo! Poker (MSN Chat Control 4.5) - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
    O16 - DPF: Video Poker (MSN Chat Control 4.5) - http://download.games.yahoo.com/games/clients/y/vpt0_x.cab
     
  8. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    O4 - HKLM\..\Run: [Mdm] C:\WINDOWS\SYSTEM\Mdm.vbs
    O4 - HKLM\..\RunServices: [Profile] C:\WINDOWS\Profile.vbs


    It's this VBS worm:

    http://vil.nai.com/vil/content/v_99145.htm

    Check and have HijackThis fix those two items, reboot and subsequently delete the two files themselves.

    Cheers,
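
For anyone working through a log like the two posted above, here is an added example (my own code, not HijackThis and not from the thread) that applies, mechanically, the three checks the helpers in this thread applied by eye: an O4 autorun whose target is a Windows Script Host file (the Mdm.vbs / Profile.vbs catch), an R1 search setting redirected to an outside site (the terafinder.com entries Pieter had fixed), and an O16 control downloaded from a bare IP address (a rule of thumb of mine, not something the thread states). The sample lines are copied from the logs posted above; the parser covers only the R0/R1, O4 and O16 line shapes that appear there.

```javascript
// Added example (my own code, not HijackThis and not from the thread): run the
// checks the helpers above applied by eye over HijackThis-style log lines.
// Rules: an O4 autorun whose target is a Windows Script Host file (what
// TonyKlein spotted), an R1 search setting pointing at an external site
// (what Pieter fixed), and an O16 control downloaded from a bare IP address
// (a rule of thumb of mine, not something the thread states).

// Constructed sample: a handful of lines copied from the logs posted above.
const SAMPLE_LOG = [
  "R1 - HKCU\\Software\\Microsoft\\Internet Explorer,SearchURL=http://www.terafinder.com/",
  "R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page=http://edition.cnn.com/",
  "R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant=http://www.terafinder.com/",
  "O4 - HKLM\\..\\Run: [Norton Auto-Protect] C:\\PROGRA~1\\NORTON~1\\NAVAPW32.EXE /LOADQUIET",
  "O4 - HKLM\\..\\Run: [Mdm] C:\\WINDOWS\\SYSTEM\\Mdm.vbs",
  "O4 - HKLM\\..\\RunServices: [Profile] C:\\WINDOWS\\Profile.vbs",
  "O4 - Startup: BelNotify.lnk = C:\\WINDOWS\\rundll32.exe",
  "O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab",
  "O16 - DPF: {4A4341C6-12FB-11D4-AE81-00105A853E26} (AdTargets Control) - http://211.50.137.57/imbc/VideoViewer_MBC.cab",
  "O16 - DPF: {DCFF5FC0-003D-4249-A17A-9D0D9FCAC79D} (ATPlayerOCX Control) - http://211.45.21.135:8080/lecture/ATPlayerOcx.cab",
  "O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_01) -",
].join("\n");

// Extensions the Windows Script Host / MSHTA will execute directly.
const SCRIPT_HOST_EXT = /\.(vbs|vbe|js|jse|wsf|wsh|hta)$/i;
// http(s) URL whose host is a dotted-quad IP, optionally with a port.
const BARE_IP_URL = /^https?:\/\/(\d{1,3}\.){3}\d{1,3}(:\d+)?(\/|$)/i;

// Parse one log line into a record, or null for line types not handled here.
function parseLine(line) {
  let m;
  if ((m = /^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$/.exec(line)))
    return { kind: "O4", hive: m[1], key: m[2], name: m[3], command: m[4].trim() };
  if ((m = /^O4 - Startup: (.*?) = (.*)$/.exec(line)))
    return { kind: "O4", hive: null, key: "Startup", name: m[1], command: m[2].trim() };
  if ((m = /^O16 - DPF: (.*?) -\s*(\S*)$/.exec(line)))
    return { kind: "O16", control: m[1], url: m[2] };
  if ((m = /^(R[01]) - (.*?),([^=]+)=(\S*)$/.exec(line)))
    return { kind: m[1], key: m[2], value: m[3], url: m[4] };
  return null;
}

// The executable an O4 command launches: the quoted path if present,
// otherwise the first whitespace-separated token.
function targetOf(command) {
  const q = /^"([^"]*)"/.exec(command);
  return q ? q[1] : command.split(/\s+/)[0];
}

function hostOf(url) {
  try { return new URL(url).hostname; } catch { return null; }
}

// Apply the three rules; returns one finding per flagged line.
function triageLog(text) {
  const findings = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const e = parseLine(line);
    if (!e) continue;
    if (e.kind === "O4" && SCRIPT_HOST_EXT.test(targetOf(e.command)))
      findings.push({ line, reason: "script-host-autorun", detail: targetOf(e.command) });
    else if (e.kind === "O16" && BARE_IP_URL.test(e.url))
      findings.push({ line, reason: "activex-from-bare-ip", detail: hostOf(e.url) });
    else if (e.kind === "R1" && /search/i.test(e.value))
      findings.push({ line, reason: "search-setting-override", detail: hostOf(e.url) });
  }
  return findings;
}

// Stand-alone run over the sample.
for (const f of triageLog(SAMPLE_LOG))
  console.log(`${f.reason.padEnd(24)} ${f.detail}  <- ${f.line}`);
```

Against the sample this returns six findings: the two terafinder.com search overrides, the two .vbs autoruns, and the two controls fetched from raw IP addresses. The .vbs rule is the one that matters for this thread; the other two are review prompts, not verdicts, since a control served from an IP can be perfectly legitimate.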
     
  9. wishbottle

    wishbottle Guest

    I think I'm asking a bit of a stupid question, but where can I delete those two files?
     
  10. wishbottle

    wishbottle Guest

    Also, sorry for double posting, but will I have to delete the JavaScript in those that have already been infected? Or will deleting those two files fix it?
     
  11. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    Nice catch Tony!

    To delete those files, you should be able to just browse to your C:\WINDOWS directory and find them (Mdm.vbs and Profile.vbs). If you can't see the extension, the icon will probably look very similar to that of a text document.

    If you can't see those files at all, you may need to turn on the display of hidden/system items. If that is the case, please post back and I'm sure someone will provide instructions.

    Best regards,

    -Javacool
     
  12. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    From the information on the McAfee site, it does sound like every HTML and VBS file on your hard drive may contain a copy of this particular nasty.

    Do you have an up-to-date anti-virus program? If so, I would recommend scanning your entire hard drive - hopefully it will pick up all infected files and be able to clean them.

    Best regards,

    -Javacool
     
  13. wishbottle

    wishbottle Guest

    Yeah, found it. One is in Windows\System and one is in Windows. So should I just go ahead and delete them?
     
  14. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Yup, that would be the thing to do.

    BTW, you appear to have NAV installed, and it should easily have recognized and removed this worm:

    http://securityresponse.symantec.com/avcenter/venc/data/vbs.trappy@mm.html

    Are you sure it's been updated?

    Download and install the latest virus definitions using the Intelligent Updater: http://securityresponse.symantec.com/avcenter/download/pages/US-N95.html

    Then have NAV scan your drive.
     