Message, "Detected SPYware! System error #384", is bothering me.

Discussion in 'adware, spyware & hijack cleaning' started by Yoon Keun Ik, Feb 19, 2004.

Thread Status:
Not open for further replies.
  1. Yoon Keun Ik

    Yoon Keun Ik Guest

    Could you give a hand?
    I'm having a "Detected SPYware! System error #384" message
    in the IE browser every time I run it, and I can't change the start-up page.
    So I followed your 3 steps.
    I used ad-aware6 and deleted the three spyware items it showed as a result.
    The HijackThis logfile follows below.
    Help me please. It really bothers me.
    I'll look forward to your answer.
    Thank you.


    -------------------------------------------------------------------------------------------------

    Logfile of HijackThis v1.97.7
    Scan saved at 오후 2:59:21, on 2004-02-19
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    D:\matlab\webserver\bin\win32\matlabserver.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Ahnlab\Smart Update Utility\AhnSD.exe
    C:\WINDOWS\reg32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Ahnlab\V3\MonSvcNT.EXE
    C:\Program Files\Ahnlab\V3\MonSysNT.exe
    C:\WINDOWS\System32\conime.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\yki1\바탕 화면\CWShredder_1.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\ALZip\ALZip.exe
    C:\Documents and Settings\yki1\Local Settings\Temp\_AZTMP0_\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: V3 - {76EAE03C-F2B1-4397-97E8-390920B7C2DC} - C:\Program Files\Ahnlab\V3\V3Bar.dll
    O3 - Toolbar: o_O?? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: V3 - {9E3849D6-41EF-4B2F-86B7-632EF90758E4} - C:\Program Files\Ahnlab\V3\V3Bar.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [AHNSD] "C:\Program Files\Ahnlab\Smart Update Utility\AhnSD.exe"
    O4 - HKLM\..\Run: [imekrmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMKR\imekrmig.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Startup: NTUSER.DAT
    O4 - Startup: NTUSER.DAT.LOG
    O4 - Startup: ntuser.ini
    O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {1CC26E3F-F20A-4074-8BB0-F34242591459} (ReportExpress.Viewer) - http://cupido.snu.ac.kr:8000/rpt/instRE/reportexpress.cab
    O16 - DPF: {2022EE84-1E1F-45B0-8D35-FF9DA75366BC} (ExpressViewer Class) - http://download.softforum.co.kr/XecureExpressI/xei_install2.cab
    O16 - DPF: {5D96BE9C-0687-4195-8E97-13E81202DCB2} (HDNotifyBizCtrl Class) - http://sis.snu.ac.kr/HDNotifyBiz.cab
    O16 - DPF: {66A10D6F-DCAE-4FE7-A151-D7F9EE42BEA6} (RegMisc Class) - http://sis.snu.ac.kr/handyGW/control/RegeMisc.cab
    O16 - DPF: {66B30EA0-C033-4D4B-9F90-EA0AF07363AF} (BugsMediaPlayer Control) - http://so.bugs.co.kr/BugsOggPlay_9.CAB
    O16 - DPF: {7BCFC958-161D-4CC3-ADAD-986B0ADC87F3} (HDNotyCtrl Class) - http://sis.snu.ac.kr/handyGW/control/HDNotyCtrl.cab
    O16 - DPF: {8FA141C5-29D7-4408-A57B-619C463ED7BB} (Cychannel_Club1_10.UserControl1) - http://club.cyworld.nate.com/cychannel_club/Cychannel_Clubmain1_11.CAB
    O16 - DPF: {90115D7E-61CF-4D29-8DE6-C4AE7816BBB8} (HSMenu Class) - http://sis.snu.ac.kr/hsmenu.cab
    O16 - DPF: {90231C0E-765E-4429-8F70-F4E9A0F8D348} (WebCtrl Class) - http://mukebox.com/MukePlayer/p3aodsvr.cab
    O16 - DPF: {97154128-DC4C-4D5B-AF7C-CA7356238EC9} (Hanmail FileUpload Control) - http://wwl66.daum.net/hanmail-ax/HM_fileupload.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37967.1448263889
    O16 - DPF: {BF3B6150-558C-4683-A408-78CCC14F9B68} (BugsMusic.BgmPlayer) - http://cast.kunwi.co.kr/bgm/BugsMusic.CAB
    O16 - DPF: {CF362BDB-4EA2-11D5-AB47-000102913414} (SetGlb Control) - http://so.bugs.co.kr/SetGlb.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D96D2F74-0B74-47D2-964F-B67E9F69F1CD} (CongnamulMap4Asp Control) - http://map.empas.com/activex/CongnamulMap4Asp.cab
    O16 - DPF: {EBB9A178-05D2-4DBD-A255-45B9A7EC9F7E} (IdiskLauncher Control) - http://idisk.snu.ac.kr/app/IdiskUpdate.cab
    O16 - DPF: {F1390A50-25DB-4361-A7FA-AF8B06C99921} (tvcf_view.media) - http://www.tvcf.co.kr/activx/tvcf_view.CAB
    O16 - DPF: {FE3B2990-3E0A-40C4-BC69-B61E5F2776E6} (FreechalOn Class) - http://login.freechal.com/freechalon/FcOnCtl2.cab
    O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\System32\mshtml.dll
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi Yoon Keun Ik,

    Bring up Task Manager and stop this process:
    C:\WINDOWS\reg32.exe

    Then please download, unzip and run: CWShredder. If your version is older than 1.49.1, please download a new one and don't use the old one.
    Use the Fix button and follow the instructions you will receive.
    Then reboot, run HijackThis again and post the new log.

    Regards,

    Pieter
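
A triage pass over a log like the one posted above, as an added example that is not part of the original thread: it parses the HijackThis layout (the "Running processes:" block and the coded O-entries) and lists processes whose image sits directly in the Windows directory, noting whether any O4 autostart entry names them. The sample lines are excerpted from the posted log; the `EXPECTED_IN_WINDIR` allow-list and the heuristic itself are assumptions of this example, not the responder's stated reasoning.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines excerpted from the log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\reg32.exe
C:\WINDOWS\System32\ctfmon.exe

O2 - BHO: V3 - {76EAE03C-F2B1-4397-97E8-390920B7C2DC} - C:\Program Files\Ahnlab\V3\V3Bar.dll
O4 - HKLM\..\Run: [AHNSD] "C:\Program Files\Ahnlab\Smart Update Utility\AhnSD.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: NTUSER.DAT
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # e.g. "O4 - HKLM\..\Run: ..."
# Assumption of this example: images expected directly in the Windows directory.
EXPECTED_IN_WINDIR = {"explorer.exe"}

def parse_log(text):
    """Split a HijackThis log into running processes and entries keyed by group code."""
    processes, entries, in_procs = [], defaultdict(list), False
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False  # the first coded entry ends the process block
            entries[m.group(1)].append(m.group(2))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, dict(entries)

def triage(processes, entries, windir=r"C:\WINDOWS"):
    """Return (path, has_O4_entry) for unexpected images sitting directly in windir."""
    autostart = " ".join(entries.get("O4", [])).lower()
    flagged = []
    for path in processes:
        folder, _, name = path.rpartition("\\")
        if folder.lower() == windir.lower() and name.lower() not in EXPECTED_IN_WINDIR:
            flagged.append((path, name.lower() in autostart))
    return flagged

if __name__ == "__main__":
    print(triage(*parse_log(SAMPLE_LOG)))
```

A flagged path is a prompt to look closer at the file, not a verdict; the allow-list needs adjusting to the machine being examined.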
     