Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

lots of problems, where do I start


  • Please log in to reply

#1
pwf

pwf

    Member

  • Member
  • PipPip
  • 11 posts
I just came over here for a short trip about a week ago. And started using my parent's computer. It's frustratingly slow. It's already getting better with all the scan I run(I believe I haven't ran the Clean it! because I'm not sure about the Windows version) but there's still a couple questions.

1)How can I remove the System Doctor stuff permenantly. I still get pop ups in IE and FireFox asking me to "Check your system"
2)Uninviting Pop up pop up every 30 min or so.
3)Startup error, though I don't think you guys are responsible to fix that.
4)Anything else you guys can help me to do to speed up the computer

HiJackThis log
Logfile of HijackThis v1.99.1
Scan saved at 23:10:29, on 2006-8-20
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\STDSB.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hongfu\iPod\bin\iPodService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\DrvMon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\MobileOffice\即时贴\note2.exe
C:\Hongfu\firefox\firefox.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Hongfu\download\HijackThis.exe

R3 - Default URLSearchHook is missing
F3 - REG:win.ini: load=C:\PROGRA~1\svhost32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DjbFardt Class - {2C091D78-260B-EF2C-B11C-CD14B614D4FE} - C:\WINDOWS\DOWNLO~1\kpwb.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O2 - BHO: (no name) - {85CF4327-68DE-1974-B32E-766E84A9706C} - C:\WINDOWS\wcidBHO.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00311} - C:\WINDOWS\system32\compstuig.dll (file missing)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00322} - C:\WINDOWS\system32\compstuih.dll
O2 - BHO: 百度搜霸 - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:\WINDOWS\DOWNLO~1\BaiDuBar.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: WMHlprObj Class - {F5824EFB-728A-4726-A5A5-85A68B20EDC3} - C:\PROGRA~1\CNNIC\Cdn\wmhlpr.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: 百度搜霸 - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:\WINDOWS\DOWNLO~1\BaiDuBar.dll
O3 - Toolbar: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
O4 - HKLM\..\Run: [WL] C:\WINDOWS\System32\WL.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\System32\DrvMon.exe
O4 - HKCU\..\Run: [Skype] "C:\Documents and Settings\lenovo\桌面\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [词霸Online自启动] C:\Program Files\Kingsoft\iciba\Iciba.exe
O4 - HKCU\..\Run: [a603d3a3.exe] C:\Documents and Settings\lenovo\Local Settings\Application Data\a603d3a3.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: 即时贴.lnk = ?
O4 - Global Startup: 移动之窗.lnk = C:\Program Files\MobileOffice\bin\mobile.exe
O8 - Extra context menu item: 添加到QQ自定义面板 - D:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - D:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - D:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: 百度Flash搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/FLASHSEARCH.HTM
O8 - Extra context menu item: 百度mp3搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUMP3.HTM
O8 - Extra context menu item: 百度信息快递搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUIE.HTM
O8 - Extra context menu item: 百度图片搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUIMG.HTM
O8 - Extra context menu item: 百度搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUSEARCH.HTM
O8 - Extra context menu item: 百度新闻搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUNEWS.HTM
O8 - Extra context menu item: 访问通用网址 - C:\Program Files\CNNIC\Cdn\cnnic.htm
O9 - Extra button: Norton Confidence Online - {144FDEB7-A23D-4D39-A00E-AA44195535B6} - C:\WINDOWS\wcidButton.exe
O9 - Extra button: 中文上网 - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O9 - Extra 'Tools' menuitem: 中文上网 - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O9 - Extra button: 卓越 - {8DE0FCD4-5EB5-11D3-AD25-00002100131B} - C:\PROGRA~1\MOBILE~1\CIBA\IEPlugin.dll
O9 - Extra button: 百度搜索伴侣 - {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: 金山词霸 - {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - C:\PROGRA~1\MOBILE~1\CIBA\IEPlugin.dll
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - d:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - d:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\cdnns.dll' missing
O11 - Options group: [!IESearch] !IESearch
O11 - Options group: [CDNCLIENT] 中文上网
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://www.sz1.cmbc...oad/CMBEdit.cab
O16 - DPF: {3A2B370C-BA0A-11D1-B137-0000F8753F5D} (Microsoft Chart Control 6.0 (SP4) (OLEDB)) - http://www.fangdi.com.cn/mschart.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1156085045082
O16 - DPF: {7FC22A16-79E6-4787-9C96-B6359BB1106D} (DigitalTrafic Control) - http://www.jt.sh.cn/trafficmap/jtj.cab
O16 - DPF: {9A578C98-3C2F-4630-890B-FC04196EF420} (CNNIC_IDN) - http://jump.cnnic.cn...nnic/cdn_nt.cab
O16 - DPF: {A3CD7F74-93C9-4BC4-B892-CCDF1514F714} - https://pbank.95559....nk/ocx/safe.cab
O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com...te/IESearch.cab
O16 - DPF: {C49DD894-C6DE-4910-8C41-BA20F852D8BC} - http://www.5fen.com/toolbar/5fen.cab
O16 - DPF: {CCC46940-DED0-476C-A27E-115B10DAE0B4} - http://td.nortonconf...lug-in/WSAS.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://life.ptq.sh.g...r/8/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D76717F-992C-4984-A0AF-664AF22005B5}: NameServer = 192.168.0.11
O18 - Protocol: mp3 - {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - (no file)
O20 - Winlogon Notify: h618 - C:\WINDOWS\g5091661.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winhfa32 - C:\WINDOWS\SYSTEM32\winhfa32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\hongfu\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus 自动防护服务 (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 22:01:50 2006-8-20

+ Scan result:



C:\Documents and Settings\lenovo\Local Settings\Temp\C\cdnaux.dll -> Adware.Cdn : Cleaned with backup (quarantined).
C:\Documents and Settings\lenovo\Local Settings\Temp\C\cdnup.exe -> Adware.Cdn : Cleaned with backup (quarantined).
C:\Program Files\CNNIC\Cdn\cdnaux.dll -> Adware.Cdn : Cleaned with backup (quarantined).
C:\Program Files\CNNIC\Cdn\cdnup.exe -> Adware.Cdn : Cleaned with backup (quarantined).
C:\Program Files\CNNIC\Cdn\client.dll -> Adware.Cdn : Cleaned with backup (quarantined).
C:\Program Files\CNNIC\Cdn\idnconv.dll -> Adware.Cdn : Cleaned with backup (quarantined).
C:\WINDOWS\system32\cdn.dll -> Adware.Cdn : Cleaned with backup (quarantined).
C:\WINDOWS\g1256396.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\WINDOWS\g14551413.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\WINDOWS\g2519753.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\WINDOWS\g529220.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\WINDOWS\g7248582.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\WINDOWS\g7278445.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\WINDOWS\g7285415.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\WINDOWS\g8557645.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\WINDOWS\system32\compstuih.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\WINDOWS\system32\MDL32.dll -> Downloader.Small.dla : Cleaned with backup (quarantined).
C:\WINDOWS\system32\MDL32.exe -> Downloader.Small.dla : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ismon.exe -> Downloader.Zlob.afd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\alexa.exe -> Hijacker.Delf.eb : Cleaned with backup (quarantined).
:mozilla.172:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.187:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.265:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.267:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.60:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.61:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.62:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.63:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.64:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.65:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.66:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.67:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.68:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.69:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.70:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.71:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.72:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.73:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\lenovo\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\lenovo\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\lenovo\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\lenovo\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.139:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.140:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.141:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.74:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.75:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.77:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.78:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.79:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.36:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
:mozilla.184:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Bfast : Cleaned with backup (quarantined).
:mozilla.31:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
:mozilla.32:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
:mozilla.33:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
:mozilla.12:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.14:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.15:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.16:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.17:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.18:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.117:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
:mozilla.47:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
:mozilla.142:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
:mozilla.143:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
C:\Documents and Settings\lenovo\Cookies\[email protected][2].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
:mozilla.232:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.233:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.234:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.10:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.11:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.13:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.145:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.181:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.182:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.183:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.300:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.94:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.95:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.96:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.97:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.98:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.99:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.254:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned with backup (quarantined).
:mozilla.133:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
:mozilla.124:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup (quarantined).
:mozilla.125:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup (quarantined).
:mozilla.191:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
:mozilla.261:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.262:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.263:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.264:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.134:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.135:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.136:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
C:\Documents and Settings\lenovo\Cookies\[email protected][1].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.153:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined).
:mozilla.154:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined).
:mozilla.155:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined).
:mozilla.128:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.129:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.130:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.131:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
C:\Documents and Settings\lenovo\Cookies\[email protected][2].txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
:mozilla.255:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Spylog : Cleaned with backup (quarantined).
:mozilla.243:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
C:\Documents and Settings\lenovo\Cookies\[email protected][2].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.30:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.284:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup (quarantined).
:mozilla.285:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup (quarantined).
:mozilla.41:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.43:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.44:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.45:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.240:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.241:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.242:C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\ina58o60.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
D:\sxs.exe -> Trojan.Delf.ln : Cleaned with backup (quarantined).
E:\sxs.exe -> Trojan.Delf.ln : Cleaned with backup (quarantined).
C:\Documents and Settings\lenovo\Local Settings\Temporary Internet Files\Content.IE5\L3D2H90U\bgates[1].exe -> Trojan.Dialer.pz : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd9B.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddB5.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddBC.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddC5.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddC7.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddC8.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddCF.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddD7.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddD8.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddDD.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddED.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\Documents and Settings\lenovo\Local Settings\Temporary Internet Files\Content.IE5\L3D2H90U\srvria[1].exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win12.tmp.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win14.tmp.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win4E.tmp.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\winB.tmp.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\winC.tmp.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\winC5.tmp.exe -> Trojan.Pakes : Cleaned with backup (quarantined).


::Report end



[b]You guys are the best at this, I've been looking around here for a while not(I'm not doing anything bad :whistling: nah, I'm kiddin') and you guys can really stick it to those problems. Thanks in advance

Edited by pwf, 20 August 2006 - 04:54 PM.

  • 0

Advertisements


#2
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
hi :whistling:

If you still require help please post a new Hijack log into this thread and we can begin :blink:
  • 0

#3
pwf

pwf

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Sorry about the delay, appreciate the help very much. I have a new problem after all those cleanup. Everytime my computer starts it says that it can't find a program named: svhost.exe. I have no idea what that is. Also, the Windowns Media Player seems to be deleted...

here's the new log

Logfile of HijackThis v1.99.1
Scan saved at 8:22:39, on 2006-8-25
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\STDSB.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\hongfu\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\DrvMon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\MobileOffice\即时贴\note2.exe
C:\Program Files\MobileOffice\bin\mobile.exe
C:\Hongfu\firefox\firefox.exe
C:\Hongfu\Trillian\trillian.exe
C:\Hongfu\download\HijackThis.exe

R3 - Default URLSearchHook is missing
F3 - REG:win.ini: load=C:\PROGRA~1\svhost32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DjbFardt Class - {2C091D78-260B-EF2C-B11C-CD14B614D4FE} - C:\WINDOWS\DOWNLO~1\kpwb.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O2 - BHO: (no name) - {85CF4327-68DE-1974-B32E-766E84A9706C} - C:\WINDOWS\wcidBHO.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00311} - C:\WINDOWS\system32\compstuig.dll (file missing)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00322} - C:\WINDOWS\system32\compstuih.dll (file missing)
O2 - BHO: 百度搜霸 - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:\WINDOWS\DOWNLO~1\BaiDuBar.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: WMHlprObj Class - {F5824EFB-728A-4726-A5A5-85A68B20EDC3} - C:\PROGRA~1\CNNIC\Cdn\wmhlpr.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: 百度搜霸 - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:\WINDOWS\DOWNLO~1\BaiDuBar.dll
O3 - Toolbar: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
O4 - HKLM\..\Run: [WL] C:\WINDOWS\System32\WL.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\System32\DrvMon.exe
O4 - HKCU\..\Run: [Skype] "C:\Documents and Settings\lenovo\桌面\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [词霸Online自启动] C:\Program Files\Kingsoft\iciba\Iciba.exe
O4 - HKCU\..\Run: [a603d3a3.exe] C:\Documents and Settings\lenovo\Local Settings\Application Data\a603d3a3.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: 即时贴.lnk = ?
O4 - Global Startup: 移动之窗.lnk = C:\Program Files\MobileOffice\bin\mobile.exe
O8 - Extra context menu item: 添加到QQ自定义面板 - D:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - D:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - D:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: 百度Flash搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/FLASHSEARCH.HTM
O8 - Extra context menu item: 百度mp3搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUMP3.HTM
O8 - Extra context menu item: 百度信息快递搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUIE.HTM
O8 - Extra context menu item: 百度图片搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUIMG.HTM
O8 - Extra context menu item: 百度搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUSEARCH.HTM
O8 - Extra context menu item: 百度新闻搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUNEWS.HTM
O8 - Extra context menu item: 访问通用网址 - C:\Program Files\CNNIC\Cdn\cnnic.htm
O9 - Extra button: Norton Confidence Online - {144FDEB7-A23D-4D39-A00E-AA44195535B6} - C:\WINDOWS\wcidButton.exe
O9 - Extra button: 中文上网 - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O9 - Extra 'Tools' menuitem: 中文上网 - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O9 - Extra button: 卓越 - {8DE0FCD4-5EB5-11D3-AD25-00002100131B} - C:\PROGRA~1\MOBILE~1\CIBA\IEPlugin.dll
O9 - Extra button: 百度搜索伴侣 - {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: 金山词霸 - {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - C:\PROGRA~1\MOBILE~1\CIBA\IEPlugin.dll
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - d:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - d:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\cdnns.dll' missing
O11 - Options group: [!IESearch] !IESearch
O11 - Options group: [CDNCLIENT] 中文上网
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://www.sz1.cmbc...oad/CMBEdit.cab
O16 - DPF: {3A2B370C-BA0A-11D1-B137-0000F8753F5D} (Microsoft Chart Control 6.0 (SP4) (OLEDB)) - http://www.fangdi.com.cn/mschart.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1156085045082
O16 - DPF: {7FC22A16-79E6-4787-9C96-B6359BB1106D} (DigitalTrafic Control) - http://www.jt.sh.cn/trafficmap/jtj.cab
O16 - DPF: {9A578C98-3C2F-4630-890B-FC04196EF420} (CNNIC_IDN) - http://jump.cnnic.cn...nnic/cdn_nt.cab
O16 - DPF: {A3CD7F74-93C9-4BC4-B892-CCDF1514F714} - https://pbank.95559....nk/ocx/safe.cab
O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com...te/IESearch.cab
O16 - DPF: {C49DD894-C6DE-4910-8C41-BA20F852D8BC} - http://www.5fen.com/toolbar/5fen.cab
O16 - DPF: {CCC46940-DED0-476C-A27E-115B10DAE0B4} - http://td.nortonconf...lug-in/WSAS.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://life.ptq.sh.g...r/8/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D76717F-992C-4984-A0AF-664AF22005B5}: NameServer = 192.168.0.11
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\System32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\System32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mp3 - {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - (no file)
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\System32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINDOWS\System32\msdxm.ocx
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\System32\wiascr.dll
O20 - Winlogon Notify: h618 - C:\WINDOWS\g293121.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winhfa32 - C:\WINDOWS\SYSTEM32\winhfa32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\hongfu\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus 自动防护服务 (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks

Edited by pwf, 24 August 2006 - 06:25 PM.

  • 0

#4
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hiya Pwf

I see you have Tencent installed. I do know this is a very popular Instant messenger program in China. Be aware that it is considered Adware. I am not going to remove it because I assume you use it. If you wish to get rid of it let me know....see here

The same applies to this BaiDuBar...see here

if you wish to remove these just let me know

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
Please run a scan with HijackThis and check the following lines for removal:

R3 - Default URLSearchHook is missing
F3 - REG:win.ini: load=C:\PROGRA~1\svhost32.exe
O2 - BHO: DjbFardt Class - {2C091D78-260B-EF2C-B11C-CD14B614D4FE} - C:\WINDOWS\DOWNLO~1\kpwb.dll (file missing)
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O2 - BHO: (no name) - {85CF4327-68DE-1974-B32E-766E84A9706C} - C:\WINDOWS\wcidBHO.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00311} - C:\WINDOWS\system32\compstuig.dll (file missing)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00322} - C:\WINDOWS\system32\compstuih.dll (file missing)
O2 - BHO: WMHlprObj Class - {F5824EFB-728A-4726-A5A5-85A68B20EDC3} - C:\PROGRA~1\CNNIC\Cdn\wmhlpr.dll
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O4 - HKLM\..\Run: [WL] C:\WINDOWS\System32\WL.exe
O4 - HKCU\..\Run: [a603d3a3.exe] C:\Documents and Settings\lenovo\Local Settings\Application Data\a603d3a3.exe
20 - Winlogon Notify: h618 - C:\WINDOWS\g293121.dll (file missing)
O20 - Winlogon Notify: winhfa32 - C:\WINDOWS\SYSTEM32\winhfa32.dll

Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

Now click >>start>>control panel >>add/remove programs and uninstall the following:

CNNIC




Killbox
[*] Please double-click Killbox.exe to run it.
[*] Select:
  • Delete on Reboot
  • then Click on the All Files button.
[*]Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


C:\WINDOWS\SYSTEM32\winhfa32.dll
C:\PROGRA~1\CNNIC
C:\WINDOWS\System32\WL.exe




[*] Return to Killbox, go to the File menu, and choose Paste from Clipboard.

[*]Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).[/list]
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


Let me know about those programs and we can proceed

Thanks :whistling:
  • 0

#5
pwf

pwf

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts

Hiya Pwf

I see you have Tencent installed. I do know this is a very popular Instant messenger program in China. Be aware that it is considered Adware. I am not going to remove it because I assume you use it. If you wish to get rid of it let me know....see here

The same applies to this BaiDuBar...see here

if you wish to remove these just let me know

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

  • Save it to your desktop.
Please run a scan with HijackThis and check the following lines for removal:

R3 - Default URLSearchHook is missing
F3 - REG:win.ini: load=C:\PROGRA~1\svhost32.exe
O2 - BHO: DjbFardt Class - {2C091D78-260B-EF2C-B11C-CD14B614D4FE} - C:\WINDOWS\DOWNLO~1\kpwb.dll (file missing)
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O2 - BHO: (no name) - {85CF4327-68DE-1974-B32E-766E84A9706C} - C:\WINDOWS\wcidBHO.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00311} - C:\WINDOWS\system32\compstuig.dll (file missing)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00322} - C:\WINDOWS\system32\compstuih.dll (file missing)

Can't find the file on the list.

O2 - BHO: WMHlprObj Class - {F5824EFB-728A-4726-A5A5-85A68B20EDC3} - C:\PROGRA~1\CNNIC\Cdn\wmhlpr.dll
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O4 - HKLM\..\Run: [WL] C:\WINDOWS\System32\WL.exe
O4 - HKCU\..\Run: [a603d3a3.exe] C:\Documents and Settings\lenovo\Local Settings\Application Data\a603d3a3.exe
20 - Winlogon Notify: h618 - C:\WINDOWS\g293121.dll (file missing)
O20 - Winlogon Notify: winhfa32 - C:\WINDOWS\SYSTEM32\winhfa32.dll

Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

Now click >>start>>control panel >>add/remove programs and uninstall the following:

CNNIC

Can't find the file from the Add/Remove list.




Killbox
[*] Please double-click Killbox.exe to run it.
[*] Select:
  • Delete on Reboot
  • then Click on the All Files button.
[*]Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


C:\WINDOWS\SYSTEM32\winhfa32.dll
C:\PROGRA~1\CNNIC
C:\WINDOWS\System32\WL.exe


Em, this is going to sound stupid, but I can't seem to add the last one on to the list.





















[*] Return to Killbox, go to the File menu, and choose Paste from Clipboard.

[*]Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).[/list]
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


Let me know about those programs and we can proceed

Thanks :whistling:



Didn't get a message for Pending file rename orperation.

Here's the new Hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 15:17:23, on 2006-8-25
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\STDSB.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hongfu\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\DrvMon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\MobileOffice\即时贴\note2.exe
C:\Program Files\MobileOffice\bin\mobile.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Hongfu\firefox\firefox.exe
C:\Hongfu\download\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00322} - C:\WINDOWS\g11966917.dll (file missing)
O2 - BHO: 百度搜霸 - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:\WINDOWS\DOWNLO~1\BaiDuBar.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: 百度搜霸 - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:\WINDOWS\DOWNLO~1\BaiDuBar.dll
O3 - Toolbar: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\System32\DrvMon.exe
O4 - HKCU\..\Run: [Skype] "C:\Documents and Settings\lenovo\桌面\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [词霸Online自启动] C:\Program Files\Kingsoft\iciba\Iciba.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: 即时贴.lnk = ?
O4 - Global Startup: 移动之窗.lnk = C:\Program Files\MobileOffice\bin\mobile.exe
O8 - Extra context menu item: 添加到QQ自定义面板 - D:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - D:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - D:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: 百度Flash搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/FLASHSEARCH.HTM
O8 - Extra context menu item: 百度mp3搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUMP3.HTM
O8 - Extra context menu item: 百度信息快递搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUIE.HTM
O8 - Extra context menu item: 百度图片搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUIMG.HTM
O8 - Extra context menu item: 百度搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUSEARCH.HTM
O8 - Extra context menu item: 百度新闻搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUNEWS.HTM
O8 - Extra context menu item: 访问通用网址 - C:\Program Files\CNNIC\Cdn\cnnic.htm
O9 - Extra button: Norton Confidence Online - {144FDEB7-A23D-4D39-A00E-AA44195535B6} - C:\WINDOWS\wcidButton.exe
O9 - Extra button: 中文上网 - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O9 - Extra 'Tools' menuitem: 中文上网 - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O9 - Extra button: 卓越 - {8DE0FCD4-5EB5-11D3-AD25-00002100131B} - C:\PROGRA~1\MOBILE~1\CIBA\IEPlugin.dll
O9 - Extra button: 百度搜索伴侣 - {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: 金山词霸 - {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - C:\PROGRA~1\MOBILE~1\CIBA\IEPlugin.dll
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - d:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - d:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\cdnns.dll' missing
O11 - Options group: [!IESearch] !IESearch
O11 - Options group: [CDNCLIENT] 中文上网
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://www.sz1.cmbc...oad/CMBEdit.cab
O16 - DPF: {3A2B370C-BA0A-11D1-B137-0000F8753F5D} (Microsoft Chart Control 6.0 (SP4) (OLEDB)) - http://www.fangdi.com.cn/mschart.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1156085045082
O16 - DPF: {7FC22A16-79E6-4787-9C96-B6359BB1106D} (DigitalTrafic Control) - http://www.jt.sh.cn/trafficmap/jtj.cab
O16 - DPF: {9A578C98-3C2F-4630-890B-FC04196EF420} (CNNIC_IDN) - http://jump.cnnic.cn...nnic/cdn_nt.cab
O16 - DPF: {A3CD7F74-93C9-4BC4-B892-CCDF1514F714} - https://pbank.95559....nk/ocx/safe.cab
O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com...te/IESearch.cab
O16 - DPF: {C49DD894-C6DE-4910-8C41-BA20F852D8BC} - http://www.5fen.com/toolbar/5fen.cab
O16 - DPF: {CCC46940-DED0-476C-A27E-115B10DAE0B4} - http://td.nortonconf...lug-in/WSAS.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://life.ptq.sh.g...r/8/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D76717F-992C-4984-A0AF-664AF22005B5}: NameServer = 192.168.0.11
O18 - Protocol: mp3 - {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winhfa32 - winhfa32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\hongfu\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus 自动防护服务 (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



And yes, I'd like to remove the QQ(since I use Trillian) and the search bar. Thanks :blink:

Edited by pwf, 25 August 2006 - 01:24 AM.

  • 0

#6
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
OK lets continue :whistling:

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Save it to your desktop


Please print these instructions out, or write them down, as you can't read them during the fix.


Please run a scan with HijackThis and check the following lines for removal:

O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00322} - C:\WINDOWS\g11966917.dll (file missing)
O2 - BHO: 百度搜霸 - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:\WINDOWS\DOWNLO~1\BaiDuBar.dll
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O8 - Extra context menu item: 添加到QQ自定义面板 - D:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - D:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - D:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: 百度Flash搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/FLASHSEARCH.HTM
O8 - Extra context menu item: 百度mp3搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUMP3.HTM
O8 - Extra context menu item: 百度信息快递搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUIE.HTM
O8 - Extra context menu item: 百度图片搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUIMG.HTM
O8 - Extra context menu item: 百度搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUSEARCH.HTM
O8 - Extra context menu item: 百度新闻搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUNEWS.HTM

O8 - Extra context menu item: 访问通用网址 - C:\Program Files\CNNIC\Cdn\cnnic.htm
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - d:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - Extra 'Tools' menuitem: ??QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - d:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O11 - Options group: [!IESearch] !IESearch
O11 - Options group: [CDNCLIENT] ????
O20 - Winlogon Notify: winhfa32 - winhfa32.dll (file missing)


Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

Now click >>start>>control panel >>add/remove programs and uninstall the following if present:

Tencent
BaiDuBar
<<<If present

Please open Notepad, and copy/paste the code in the white box below into a new text file. Save it as "delete.bat" WITH THE QUOTES and save it on your Desktop.

attrib -s -r -h "C:\PROGRA~1\CNNIC\*.*"
rd /q /s "C:\PROGRA~1\CNNIC"
attrib -s -r -h "D:\Program Files\Tencent\*.*"
rd /q /s "D:\Program Files\Tencent"
attrib -s -r -h "C:\WINDOWS\DOWNLO~1\BaiDuBar.dll"
del /q "C:\WINDOWS\DOWNLO~1\BaiDuBar.dll"
quit

after saving as instructed above, please close notepad. You will now have a file on your desktop called delete.bat. Dont do anything with it yet


Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
Double click the delete.bat on your desktop


ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
[/list]If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Reboot

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new hijackthis log.

Edited by loophole, 25 August 2006 - 02:11 AM.

  • 0

#7
pwf

pwf

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Well, the Pandasoft's ActiveX won't download properly, I tried it 3 times in different times of the day, not working. Maybe it has something to do with my ISP.

Here's the updated hijack this. Also, if all the problem is fixed and if I install avg. Can I uninstall the Norton Anti-Virus that I have that's expired? Or is it recommanded to keep it?

Logfile of HijackThis v1.99.1
Scan saved at 8:15:20, on 2006-8-27
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\STDSB.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\hongfu\iPod\bin\iPodService.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\DrvMon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\MobileOffice\即时贴\note2.exe
C:\Program Files\MobileOffice\bin\mobile.exe
C:\Hongfu\firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Hongfu\Trillian\trillian.exe
C:\Documents and Settings\lenovo\桌面\HijackThis.exe

F3 - REG:win.ini: load=C:\WINDOWS\System32\0fei9ed.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IEMonitor Class - {08A312BB-5409-49FC-9347-54BB7D069AC6} - C:\Program Files\DeskAdTop\deskipn.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O2 - BHO: YDragSearch - {62EED7C6-9F02-42f9-B634-98E2899E147B} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\YDRAGS~1.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\CnsHook.dll
O2 - BHO: BHelper Class - {F2E37336-BFDB-409B-8D0E-6F013C438B20} - C:\WINDOWS\System32\0feo9ed0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - (no file)
O3 - Toolbar: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [CnsMHlp.exe] C:\WINDOWS\Downloaded Program files\CnsMHlp.exe
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [Desktop] C:\WINDOWS\System32\rundll32.exe "C:\Program Files\DeskAdTop\Run.dll" ,Rundll
O4 - HKLM\..\Run: [service] C:\DOCUME~1\lenovo\LOCALS~1\Temp\serviceo.exe
O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\System32\DrvMon.exe
O4 - HKCU\..\Run: [Skype] "C:\Documents and Settings\lenovo\桌面\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [词霸Online自启动] C:\Program Files\Kingsoft\iciba\Iciba.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: 即时贴.lnk = ?
O4 - Global Startup: 移动之窗.lnk = C:\Program Files\MobileOffice\bin\mobile.exe
O4 - Global Startup: IE-Bar.lnk = C:\Program Files\Common Files\IE-Bar\iebar.exe
O9 - Extra button: Norton Confidence Online - {144FDEB7-A23D-4D39-A00E-AA44195535B6} - C:\WINDOWS\wcidButton.exe
O9 - Extra button: Yahoo 3.5G电邮 - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.c...p;btn=yahoomail (file missing)
O9 - Extra button: 寻宝乐趣多 - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://cn.zs.yahoo.c...c...&btn=taobao (file missing)
O9 - Extra button: 中文上网 - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O9 - Extra 'Tools' menuitem: 中文上网 - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O9 - Extra button: 雅虎助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.c...amp;btn=yassist (file missing)
O9 - Extra button: 卓越 - {8DE0FCD4-5EB5-11D3-AD25-00002100131B} - C:\PROGRA~1\MOBILE~1\CIBA\IEPlugin.dll
O9 - Extra button: 金山词霸 - {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - C:\PROGRA~1\MOBILE~1\CIBA\IEPlugin.dll
O9 - Extra button: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.c...mp;btn=yahoomsg (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.c...c...&btn=repair (file missing)
O9 - Extra 'Tools' menuitem: 修复浏览器 - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.c...c...&btn=repair (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.c...c...s&btn=clean (file missing)
O9 - Extra 'Tools' menuitem: 清理上网记录 - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.c...c...s&btn=clean (file missing)
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\cdnns.dll' missing
O11 - Options group: [!CNS] 网络实名
O11 - Options group: [CDNCLIENT] 中文上网
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://www.sz1.cmbc...oad/CMBEdit.cab
O16 - DPF: {3A2B370C-BA0A-11D1-B137-0000F8753F5D} (Microsoft Chart Control 6.0 (SP4) (OLEDB)) - http://www.fangdi.com.cn/mschart.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1156085045082
O16 - DPF: {7FC22A16-79E6-4787-9C96-B6359BB1106D} (DigitalTrafic Control) - http://www.jt.sh.cn/trafficmap/jtj.cab
O16 - DPF: {9A578C98-3C2F-4630-890B-FC04196EF420} (CNNIC_IDN) - http://jump.cnnic.cn...nnic/cdn_nt.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A3CD7F74-93C9-4BC4-B892-CCDF1514F714} - https://pbank.95559....nk/ocx/safe.cab
O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com...te/IESearch.cab
O16 - DPF: {C49DD894-C6DE-4910-8C41-BA20F852D8BC} - http://www.5fen.com/toolbar/5fen.cab
O16 - DPF: {CCC46940-DED0-476C-A27E-115B10DAE0B4} - http://td.nortonconf...lug-in/WSAS.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://life.ptq.sh.g...r/8/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D76717F-992C-4984-A0AF-664AF22005B5}: NameServer = 192.168.0.11
O18 - Protocol: mp3 - (no CLSID) - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: DelayRun - {5A6F2F95-3191-433B-8533-EB0B596A7BAC} - C:\WINDOWS\System32\0fed9ed0.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\hongfu\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus 自动防护服务 (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#8
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi :whistling:

We'll get you a new anti-virus. Your also on service pack one which you will need to get updated to service pack 2 when we get you clean

It appears we have some new ones

Now click >>start>>control panel >>add/remove programs and uninstall the following if present:

DeskAdTop


Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan"box on the top of the page:
    • C:\WINDOWS\System32\0fei9ed.exe
  • Click on the submit button
  • Please post the results in your next reply.
Download WindPFind

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode

Then open c:\WinPFind and double-click on WinPFind.exe.
When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while.
When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.
  • 0

#9
pwf

pwf

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Service load:
0% 100%
File: 0fei9ed.exe
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 08a7a9c8c4daf458afc8444a4b29358d
Packers detected:
-
Scanner results
AntiVir
Found Adware-Spyware/IEbar.J.4 adware
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found Generic.QDO
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found Adware.Dmad
F-Prot Antivirus
Found nothing
Fortinet
Found W32/DOWNLOAD.EJ!tr
Kaspersky Anti-Virus
Found not-a-virus:AdWare.Win32.Dm.n
NOD32
Found nothing
Norman Virus Control
Found W32/DesktopMedia.AR
UNA
Found nothing
VirusBuster
Found nothing
VBA32
Found AdWare.Win32.Dm.n

I'll get the other thing done first thing in the morning. And is there anyway to clean up IE? Or do I have to just re-install IE? My Parents still uses IE. And it's a mess now.
  • 0

#10
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Ok post the winPfind log when you can. What problem are you having with IE?
  • 0

Advertisements


#11
pwf

pwf

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
WinPFind

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

换换换换换换换换?Windows OS and Versions 换换换换换换换换换换换换换换换?
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

换换换换换换换换?Checking Selected Standard Folders 换换换换换换换换换换

Checking %SystemDrive% folder...
UPX! 2001-4-5 10:12:50 644976 C:\Ghost7.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 2006-8-16 20:13:02 51754 C:\WINDOWS\g1258429.dll
UPX! 2006-8-16 21:53:02 51754 C:\WINDOWS\g7263484.dll
UPX! 2006-8-16 23:33:14 51754 C:\WINDOWS\g13271934.dll
UPX! 2006-8-16 19:53:22 70144 C:\WINDOWS\cpblpbc35.log
UPX! 2006-8-20 22:48:48 51754 C:\WINDOWS\g2709906.dll
UPX! 2006-8-17 7:02:26 51754 C:\WINDOWS\g1251068.dll
UPX! 2006-8-17 11:20:26 51754 C:\WINDOWS\g1312347.dll
UPX! 2006-8-17 14:45:22 51754 C:\WINDOWS\g1256256.dll
UPX! 2006-8-17 18:20:06 51754 C:\WINDOWS\g9812559.dll
UPX! 2006-8-18 6:19:20 51754 C:\WINDOWS\g1246422.dll
UPX! 2006-8-18 9:39:30 51754 C:\WINDOWS\g13253757.dll
UPX! 2006-8-18 11:19:34 51754 C:\WINDOWS\g19259754.dll
UPX! 2006-8-18 13:50:58 51754 C:\WINDOWS\g1254533.dll
UPX! 2006-8-19 20:53:04 51754 C:\WINDOWS\g1261023.dll
UPX! 2006-8-31 18:03:12 31232 C:\WINDOWS\v20060830.rar
UPX! 2006-8-23 10:49:58 70186 C:\WINDOWS\g13296299.dll

Checking %System% folder...
PEC2 2003-12-31 16:00:00 41131 C:\WINDOWS\SYSTEM32\dfrg.msc
winsync 2003-12-31 16:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
Umonitor 2003-12-31 16:00:00 574464 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 2006-8-19 17:42:14 10752 C:\WINDOWS\SYSTEM32\jhdd.dll
aspack 2006-6-29 17:00:16 329216 C:\WINDOWS\SYSTEM32\CdnCli.exe
UPX! 2006-8-31 18:03:12 31232 C:\WINDOWS\SYSTEM32\Realplayer.exe
PTech 2006-5-17 11:23:38 579888 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
UPX! 2006-8-31 18:50:26 15872 C:\WINDOWS\SYSTEM32\RavMon.dll

Checking %System%\Drivers folder and sub-folders...
PTech 2004-4-9 11:17:04 1293288 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys
UPX! 2006-7-13 15:28:32 87466 C:\WINDOWS\SYSTEM32\drivers\cdnprot.sys
UPX! 2006-7-8 16:10:16 87466 C:\WINDOWS\SYSTEM32\drivers\gijhjjfh.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
2006-8-31 19:02:08 S 2048 C:\WINDOWS\bootstat.dat
2006-8-31 19:01:06 H 892928 C:\WINDOWS\system32\config\system.LOG
2006-8-31 19:01:06 H 77824 C:\WINDOWS\system32\config\software.LOG
2006-8-31 19:01:06 H 8192 C:\WINDOWS\system32\config\default.LOG
2006-8-31 19:02:22 H 1024 C:\WINDOWS\system32\config\SAM.LOG
2006-8-31 19:02:10 H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
2006-8-20 22:49:26 RHS 13698 C:\WINDOWS\system32\Restore\filelist.xml
2006-8-20 22:49:12 H 0 C:\WINDOWS\inf\oem26.inf
2006-7-14 21:32:12 H 0 C:\WINDOWS\LastGood\INF\wmv9vcm.inf
2006-7-14 21:32:12 H 0 C:\WINDOWS\LastGood\INF\wmv9vcm.PNF
2006-8-15 7:46:32 H 0 C:\WINDOWS\LastGood\INF\MPPRE10.inf
2006-8-15 7:46:32 H 0 C:\WINDOWS\LastGood\INF\MPPRE10.PNF
2006-8-15 7:46:38 H 0 C:\WINDOWS\LastGood\INF\DRM10.inf
2006-8-15 7:46:38 H 0 C:\WINDOWS\LastGood\INF\DRM10.PNF
2006-8-15 7:46:46 H 0 C:\WINDOWS\LastGood\INF\codecs10.inf
2006-8-15 7:46:46 H 0 C:\WINDOWS\LastGood\INF\codecs10.PNF
2006-8-15 7:46:52 H 0 C:\WINDOWS\LastGood\INF\WMFSDK10.inf
2006-8-15 7:46:52 H 0 C:\WINDOWS\LastGood\INF\WMFSDK10.PNF
2006-8-15 7:47:14 H 0 C:\WINDOWS\LastGood\INF\WMDM10.inf
2006-8-15 7:47:14 H 0 C:\WINDOWS\LastGood\INF\WMDM10.PNF
2006-8-15 7:47:28 H 0 C:\WINDOWS\LastGood\INF\WPD10.inf
2006-8-15 7:47:28 H 0 C:\WINDOWS\LastGood\INF\WPD10.PNF
2006-8-15 7:47:34 H 0 C:\WINDOWS\LastGood\INF\wpdmtp.inf
2006-8-15 7:47:34 H 0 C:\WINDOWS\LastGood\INF\wpdmtp.PNF
2006-8-15 7:47:48 H 0 C:\WINDOWS\LastGood\INF\WMP10.inf
2006-8-15 7:47:48 H 0 C:\WINDOWS\LastGood\INF\WMP10.PNF
2006-8-15 7:49:14 H 0 C:\WINDOWS\LastGood\INF\MPCD10.inf
2006-8-15 7:49:14 H 0 C:\WINDOWS\LastGood\INF\MPCD10.PNF
2006-8-15 7:49:16 H 0 C:\WINDOWS\LastGood\INF\MPSTUB10.inf
2006-8-15 7:49:16 H 0 C:\WINDOWS\LastGood\INF\MPSTUB10.PNF
2006-8-15 7:49:18 H 0 C:\WINDOWS\LastGood\INF\WMSET10.inf
2006-8-15 7:49:18 H 0 C:\WINDOWS\LastGood\INF\WMSET10.PNF
2006-8-31 19:00:48 H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 2003-12-31 16:00:00 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 2003-12-31 16:00:00 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 2003-12-31 16:00:00 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 2003-12-31 16:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 2003-12-31 16:00:00 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 2003-12-31 16:00:00 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 2003-12-31 16:00:00 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 2003-12-31 16:00:00 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 2003-12-31 16:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 2003-12-31 16:00:00 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 2003-12-31 16:00:00 122368 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 2003-12-31 16:00:00 566784 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 2003-12-31 16:00:00 252928 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 2003-12-31 16:00:00 290816 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 2003-12-31 16:00:00 112640 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 2003-12-31 16:00:00 62976 C:\WINDOWS\SYSTEM32\joy.cpl
Intel Corporation 2004-4-9 11:17:18 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 2004-1-1 66048 C:\WINDOWS\SYSTEM32\access.cpl
2003-3-24 17:43:32 401408 C:\WINDOWS\SYSTEM32\slcpappl.cpl
Microsoft Corporation 2005-5-26 4:16:36 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Apple Computer, Inc. 2003-12-14 9:20:50 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Sun Microsystems, Inc. 2005-4-13 3:48:52 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 2003-12-31 16:00:00 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 2003-12-31 16:00:00 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 2003-12-31 16:00:00 566784 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 2004-1-1 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 2003-12-31 16:00:00 122368 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 2003-12-31 16:00:00 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 2003-12-31 16:00:00 290816 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 2003-12-31 16:00:00 112640 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 2003-12-31 16:00:00 62976 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 2003-12-31 16:00:00 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 2003-12-31 16:00:00 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 2003-12-31 16:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 2003-12-31 16:00:00 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 2004-1-1 143360 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 2003-12-31 16:00:00 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 2003-12-31 16:00:00 252928 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 2003-12-31 16:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 2003-12-31 16:00:00 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

换换换换换换换换?Checking Selected Startup Folders 换换换换换换换换换换?

Checking files in %ALLUSERSPROFILE%\Startup folder...
2004-7-7 11:29:26 HS 84 C:\Documents and Settings\All Users\「开始」菜单\程序\启动\desktop.ini
2006-8-26 19:24:02 702 C:\Documents and Settings\All Users\「开始」菜单\程序\启动\IE-Bar.lnk
2004-7-7 12:21:34 1687 C:\Documents and Settings\All Users\「开始」菜单\程序\启动\InterVideo WinCinema Manager.lnk
2004-7-7 12:19:48 1629 C:\Documents and Settings\All Users\「开始」菜单\程序\启动\Microsoft Office.lnk
2006-7-16 22:56:42 1490 C:\Documents and Settings\All Users\「开始」菜单\程序\启动\即时贴.lnk
2006-7-16 22:56:50 1492 C:\Documents and Settings\All Users\「开始」菜单\程序\启动\移动之窗.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
2004-7-7 11:19:22 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
2006-8-16 7:56:16 892 C:\Documents and Settings\lenovo\「开始」菜单\程序\启动\Adobe Gamma.lnk
2004-7-7 11:29:26 HS 84 C:\Documents and Settings\lenovo\「开始」菜单\程序\启动\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
2004-7-7 11:19:22 HS 62 C:\Documents and Settings\lenovo\Application Data\desktop.ini

换换换换换换换换?Checking Selected Registry Keys 换换换换换换换换换换换?

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
附到「开始」菜单 = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\粉碎文件
{C14F7681-33D8-11D3-A09B-00500402F30B} = C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\ywiper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{08A312BB-5409-49FC-9347-54BB7D069AC6}
IEMonitor Class = C:\Program Files\DeskAdTop\deskipn.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}
CdnForIE Class = C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{62EED7C6-9F02-42f9-B634-98E2899E147B}
DragSearch BHO = C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\YDRAGS~1.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}
CnsHook Class = C:\WINDOWS\DOWNLO~1\CnsHook.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F2E37336-BFDB-409B-8D0E-6F013C438B20}
BHelper Class = C:\WINDOWS\System32\0feo9ed0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{1FCA37BA-7259-4BF1-878B-A39FA83BFBBB}
IE-BAR = C:\PROGRA~1\COMMON~1\IE-Bar\dmbar.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
每日提示(&T) = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
{B580CF65-E151-49C3-B73F-70B13FCA8E86} = :
{8E718888-423F-11D2-876E-00A0C9082467} = 电台(&R) : C:\WINDOWS\System32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{144FDEB7-A23D-4D39-A00E-AA44195535B6}
ButtonText = Norton Confidence Online : C:\WINDOWS\wcidButton.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{507F9113-CD77-4866-BA92-0E86DA3D0B97}
ButtonText = Yahoo 3.5G电邮 : http://cn.zs.yahoo.c...p;btn=yahoomail
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{59BC54A2-56B3-44a0-93E5-432D58746E26}
ButtonText = 寻宝乐趣多 : http://cn.zs.yahoo.c...c...&btn=taobao
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}
ButtonText = 中文上网 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5D73EE86-05F1-49ed-B850-E423120EC338}
ButtonText = 雅虎助手 : http://cn.zs.yahoo.c...amp;btn=yassist
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{8DE0FCD4-5EB5-11D3-AD25-00002100131B}
ButtonText = 卓越 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{C8CE29C5-7589-11D3-B81B-0080C8DC5DC8}
ButtonText = 金山词霸 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}
ButtonText = 情景聊天 : http://cn.zs.yahoo.c...mp;btn=yahoomsg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{ECF2E268-F28C-48d2-9AB7-8F69C11CCB71}
MenuText = 修复浏览器 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FD00D911-7529-4084-9946-A29F1BDF4FE5}
MenuText = 清理上网记录 :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{1FCA37BA-7259-4BF1-878B-A39FA83BFBBB}
IE-BAR = C:\PROGRA~1\COMMON~1\IE-Bar\dmbar.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
搜索区 = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
媒体区 = %SystemRoot%\System32\browseui.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = 地址(&A) : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = 链接(&L) : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
IMJPMIG8.1 "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
PHIME2002ASync C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
Cmaudio RunDll32 cmicnfg.cpl,CMICtrlWnd
IgfxTray C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds C:\WINDOWS\System32\hkcmd.exe
STDSB C:\WINDOWS\System32\STDSB.exe
SynTPLpr C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
ccApp C:\Program Files\Common Files\Symantec Shared\ccApp.exe
ccRegVfy C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
BigDogPath C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
SSC_UserPrompt C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
CdnCtr C:\Program Files\CNNIC\Cdn\cdnup.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper C:\Program Files\iTunes\iTunesHelper.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
CnsMHlp.exe C:\WINDOWS\Downloaded Program files\CnsMHlp.exe
CnsMin Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
Desktop C:\WINDOWS\System32\rundll32.exe "C:\Program Files\DeskAdTop\Run.dll" ,Rundll
service C:\DOCUME~1\lenovo\LOCALS~1\Temp\serviceo.exe
helper.dll C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
Realplayer.exe C:\WINDOWS\System32\Realplayer.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe C:\WINDOWS\System32\ctfmon.exe
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
DrvMon.exe C:\WINDOWS\System32\DrvMon.exe
Skype "C:\Documents and Settings\lenovo\桌面\Skype\Phone\Skype.exe" /nosplash /minimized
词霸Online自启动 C:\Program Files\Kingsoft\iciba\Iciba.exe
Realplayer.exe C:\WINDOWS\System32\Realplayer.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
hx-1 1


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
KernelFaultCheck C:\WINDOWS\System32\msime.exe
ishost.exe ishost.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 189
NoDrives 0
NoViewOnDrive 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
{8C9993F8-05DB-2052-0209-040421200056} "C:\Program Files\Common Files\{8C9993F8-05DB-2052-0209-040421200056}\Update.exe" mc-110-12-0000272

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
DelayRun {5A6F2F95-3191-433B-8533-EB0B596A7BAC} = C:\WINDOWS\System32\0fed9ed0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


换换换换换换换换换换换换 Scan Complete 换换换换换换换换换换换换换换换换换
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 2006-8-31 19:08:50



[b]Well, here's the WinPFind Scan. Now will the system be less infective if I swich to service pack 2(and how) right now instead of after the system is cleaned up. As to the IE problem, we have like 1 x-rated(well, now that I no longer see X-Rated used any more, R-Rated) ads popping up every time you click something. Would it be beneficial to just re-install IE?

Thanks
  • 0

#12
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Dont worry those will go away :blink:

I was under the impression ewido took care of one of the infections, I was wrong :whistling: Should be done in a few steps now. Please dont download SP2 just yet

Download win32delfkil.exe.
Save it on your desktop.
Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil.
Close all windows, open the win32delfkil folder and double click on fix.bat.
The computer will reboot automatically.
Post the contents of the logfile c\windelf.txt, along with a new hijackhislog.
  • 0

#13
pwf

pwf

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
************************
* WIN32DELFKIL LOGFILE *
************************
by Marckie


BEFORE RUNNING WIN32DELFKIL
***************************

File(s) found in Windows directory
----------------------------------
g6157403.dll
g1258429.dll
g7263484.dll
g13271934.dll
g2709906.dll
g1251068.dll
g1312347.dll
g1256256.dll
g9812559.dll
g1246422.dll
g13253757.dll
g19259754.dll
g1254533.dll
g1261023.dll
g13296299.dll

File(s) found in system32 folder
--------------------------------

Export SharedTaskScheduler key
------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui 预加载程序"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="组件类别缓存程序"
"{259BA022-2005-45E9-A965-10EDB9C00618}"="Windowz Updater"
"{A4F94C0C-54A7-4DB1-9AF3-B22E63D00311}"="z"
"{A4F94C0C-54A7-4DB1-9AF3-B22E63D00322}"="g322"


sharedtaskkey: 259BA022-2005-45E9-A965-10EDB9C00618
---------------------------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{259BA022-2005-45E9-A965-10EDB9C00618}]
@="C:\\WINDOWS\\g293121.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{259BA022-2005-45E9-A965-10EDB9C00618}\InprocServer32]
@="C:\\WINDOWS\\g293121.dll"
"ThreadingModel"="Apartment"


sharedtaskkey: A4F94C0C-54A7-4DB1-9AF3-B22E63D00311
---------------------------------------------------
no keys found

sharedtaskkey: A4F94C0C-54A7-4DB1-9AF3-B22E63D00322
---------------------------------------------------
no keys found


Notify key
----------



AFTER RUNNING WIN32DELFKIL
**************************

File(s) found in Windows directory
----------------------------------
g6157403.dll
g1258429.dll
g7263484.dll
g13271934.dll
g2709906.dll
g1251068.dll
g1312347.dll
g1256256.dll
g9812559.dll
g1246422.dll
g13253757.dll
g19259754.dll
g1254533.dll
g1261023.dll
g13296299.dll

File(s) found in system32 folder
--------------------------------
Export SharedTaskScheduler key
------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui 预加载程序"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="组件类别缓存程序"



Notify key
----------
  • 0

#14
pwf

pwf

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
and hijackthis won't load now.
  • 0

#15
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
OK dont worry about Hijackthis. I have set it to run on reboot. Sometimes it wont, Just post a hijack log if it doesnt or let me know if you still have trouble with it

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to unload:
gijhjjfh
cdnprot

Files to delete:

C:\WINDOWS\g6157403.dll
C:\WINDOWS\g1258429.dll
C:\WINDOWS\g7263484.dll
C:\WINDOWS\g13271934.dll
C:\WINDOWS\g2709906.dll
C:\WINDOWS\g1251068.dll
C:\WINDOWS\g1312347.dll
C:\WINDOWS\g1256256.dll
C:\WINDOWS\g9812559.dll
C:\WINDOWS\g1246422.dll
C:\WINDOWS\g13253757.dll
C:\WINDOWS\g19259754.dll
C:\WINDOWS\g1254533.dll
C:\WINDOWS\g1261023.dll
C:\WINDOWS\g13296299.dll
C:\WINDOWS\SYSTEM32\jhdd.dll
C:\WINDOWS\SYSTEM32\CdnCli.exe
C:\WINDOWS\SYSTEM32\drivers\gijhjjfh.sys
C:\WINDOWS\SYSTEM32\drivers\cdnprot.sys
C:\WINDOWS\System32\0fei9ed.exe
C:\WINDOWS\ishost.exe
C:\WINDOWS\System32\ishost.exe
C:\WINDOWS\DOWNLO~1\CnsHook.dll

Folders to delete:
C:\Program Files\DeskAdTop
C:\PROGRA~1\CNNIC

Programs to launch on reboot:

C:\Documents and Settings\lenovo\桌面\HijackThis.exe




Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

Edited by loophole, 31 August 2006 - 04:15 PM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP