
lots of problems, where do I start


#16
pwf

Topic Starter
Avenger
//////////////////////////////////////////

Avenger Pre-Processor log

//////////////////////////////////////////

Error: line processing failed.
Error code: 0
Line: C:\Documents and Settings\lenovo\桌面\HijackThis.exe

//////////////////////////////////////////

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\atamodst

*******************

Script file located at: \??\C:\WINDOWS\kdxohyox.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key \Registry\Machine\System\CurrentControlSet\Services\gijhjjfh not found!
Unload of driver gijhjjfh failed!

Could not process line:
gijhjjfh
Status: 0xc0000034

Driver cdnprot unloaded successfully.
File C:\WINDOWS\g6157403.dll deleted successfully.
File C:\WINDOWS\g1258429.dll deleted successfully.
File C:\WINDOWS\g7263484.dll deleted successfully.
File C:\WINDOWS\g13271934.dll deleted successfully.
File C:\WINDOWS\g2709906.dll deleted successfully.
File C:\WINDOWS\g1251068.dll deleted successfully.
File C:\WINDOWS\g1312347.dll deleted successfully.
File C:\WINDOWS\g1256256.dll deleted successfully.
File C:\WINDOWS\g9812559.dll deleted successfully.
File C:\WINDOWS\g1246422.dll deleted successfully.
File C:\WINDOWS\g13253757.dll deleted successfully.
File C:\WINDOWS\g19259754.dll deleted successfully.
File C:\WINDOWS\g1254533.dll deleted successfully.
File C:\WINDOWS\g1261023.dll deleted successfully.
File C:\WINDOWS\g13296299.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\jhdd.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\CdnCli.exe deleted successfully.

File C:\WINDOWS\SYSTEM32\drivers\gijhjjfh.sys not found!
Deletion of file C:\WINDOWS\SYSTEM32\drivers\gijhjjfh.sys failed!

Could not process line:
C:\WINDOWS\SYSTEM32\drivers\gijhjjfh.sys
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\drivers\cdnprot.sys deleted successfully.
File C:\WINDOWS\System32\0fei9ed.exe deleted successfully.

File C:\WINDOWS\ishost.exe not found!
Deletion of file C:\WINDOWS\ishost.exe failed!

Could not process line:
C:\WINDOWS\ishost.exe
Status: 0xc0000034

File C:\WINDOWS\System32\ishost.exe not found!
Deletion of file C:\WINDOWS\System32\ishost.exe failed!

Could not process line:
C:\WINDOWS\System32\ishost.exe
Status: 0xc0000034

File C:\WINDOWS\DOWNLO~1\CnsHook.dll not found!
Deletion of file C:\WINDOWS\DOWNLO~1\CnsHook.dll failed!

Could not process line:
C:\WINDOWS\DOWNLO~1\CnsHook.dll
Status: 0xc0000034

Folder C:\Program Files\DeskAdTop deleted successfully.

Folder C:\PROGRA~1\CNNIC not found!
Deletion of folder C:\PROGRA~1\CNNIC failed!

Could not process line:
C:\PROGRA~1\CNNIC
Status: 0xc0000034

Completed script processing.

*******************

Finished! Terminate.

Wow, that looked a whole lot worse in MS Notebook

^_^

HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 10:47:21, on 2006-9-1
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\STDSB.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\System32\Realplayer.exe
C:\WINDOWS\System32\conime.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hongfu\iPod\bin\iPodService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\DrvMon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\MobileOffice\即时贴\note2.exe
C:\Program Files\MobileOffice\bin\mobile.exe
C:\Documents and Settings\lenovo\Local Settings\Temp\AutoRun.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Hongfu\firefox\firefox.exe
C:\Documents and Settings\lenovo\桌面\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IEMonitor Class - {08A312BB-5409-49FC-9347-54BB7D069AC6} - C:\Program Files\DeskAdTop\deskipn.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O2 - BHO: YDragSearch - {62EED7C6-9F02-42f9-B634-98E2899E147B} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\YDRAGS~1.DLL (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\CnsHook.dll (file missing)
O2 - BHO: BHelper Class - {F2E37336-BFDB-409B-8D0E-6F013C438B20} - C:\WINDOWS\System32\0feo9ed0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - (no file)
O3 - Toolbar: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [CnsMHlp.exe] C:\WINDOWS\Downloaded Program files\CnsMHlp.exe
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [Desktop] C:\WINDOWS\System32\rundll32.exe "C:\Program Files\DeskAdTop\Run.dll" ,Rundll
O4 - HKLM\..\Run: [service] C:\DOCUME~1\lenovo\LOCALS~1\Temp\serviceo.exe
O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKLM\..\Run: [Realplayer.exe] C:\WINDOWS\System32\Realplayer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\System32\DrvMon.exe
O4 - HKCU\..\Run: [Skype] "C:\Documents and Settings\lenovo\桌面\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [词霸Online自启动] C:\Program Files\Kingsoft\iciba\Iciba.exe
O4 - HKCU\..\Run: [Realplayer.exe] C:\WINDOWS\System32\Realplayer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: 即时贴.lnk = ?
O4 - Global Startup: 移动之窗.lnk = C:\Program Files\MobileOffice\bin\mobile.exe
O4 - Global Startup: IE-Bar.lnk = C:\Program Files\Common Files\IE-Bar\iebar.exe
O9 - Extra button: Norton Confidence Online - {144FDEB7-A23D-4D39-A00E-AA44195535B6} - C:\WINDOWS\wcidButton.exe
O9 - Extra button: Yahoo 3.5G电邮 - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.c...p;btn=yahoomail (file missing)
O9 - Extra button: 寻宝乐趣多 - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://cn.zs.yahoo.c...c...&btn=taobao (file missing)
O9 - Extra button: 中文上网 - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O9 - Extra 'Tools' menuitem: 中文上网 - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O9 - Extra button: 雅虎助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.c...amp;btn=yassist (file missing)
O9 - Extra button: 卓越 - {8DE0FCD4-5EB5-11D3-AD25-00002100131B} - C:\PROGRA~1\MOBILE~1\CIBA\IEPlugin.dll
O9 - Extra button: 金山词霸 - {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - C:\PROGRA~1\MOBILE~1\CIBA\IEPlugin.dll
O9 - Extra button: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.c...mp;btn=yahoomsg (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.c...c...&btn=repair (file missing)
O9 - Extra 'Tools' menuitem: 修复浏览器 - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.c...c...&btn=repair (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.c...c...s&btn=clean (file missing)
O9 - Extra 'Tools' menuitem: 清理上网记录 - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.c...c...s&btn=clean (file missing)
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\cdnns.dll' missing
O11 - Options group: [!CNS] 网络实名
O11 - Options group: [CDNCLIENT] 中文上网
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://www.sz1.cmbc...oad/CMBEdit.cab
O16 - DPF: {3A2B370C-BA0A-11D1-B137-0000F8753F5D} (Microsoft Chart Control 6.0 (SP4) (OLEDB)) - http://www.fangdi.com.cn/mschart.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1156085045082
O16 - DPF: {7FC22A16-79E6-4787-9C96-B6359BB1106D} (DigitalTrafic Control) - http://www.jt.sh.cn/trafficmap/jtj.cab
O16 - DPF: {9A578C98-3C2F-4630-890B-FC04196EF420} (CNNIC_IDN) - http://jump.cnnic.cn...nnic/cdn_nt.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A3CD7F74-93C9-4BC4-B892-CCDF1514F714} - https://pbank.95559....nk/ocx/safe.cab
O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com...te/IESearch.cab
O16 - DPF: {C49DD894-C6DE-4910-8C41-BA20F852D8BC} - http://www.5fen.com/toolbar/5fen.cab
O16 - DPF: {CCC46940-DED0-476C-A27E-115B10DAE0B4} - http://td.nortonconf...lug-in/WSAS.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://life.ptq.sh.g...r/8/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D76717F-992C-4984-A0AF-664AF22005B5}: NameServer = 192.168.0.11
O18 - Protocol: mp3 - (no CLSID) - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: DelayRun - {5A6F2F95-3191-433B-8533-EB0B596A7BAC} - C:\WINDOWS\System32\0fed9ed0.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\hongfu\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus 自动防护服务 (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
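Every failure in the Avenger log above carries the same status, 0xc0000034, which is the NTSTATUS code STATUS_OBJECT_NAME_NOT_FOUND: the script asked Avenger to unload or delete something that no longer existed, so those lines are not failures to worry about. The one line that does deserve a look is the pre-processor error at the top, where a script line could not be parsed. The parser below turns a log of this shape into that summary. It is an added example for this thread, not part of Avenger or of the original post; the sample log is a constructed excerpt of the one above, and the NTSTATUS table is a small subset.

```python
"""Summarise an Avenger run log: what was removed, what was already gone
when the script ran, and what failed or was rejected for another reason.

Added example for this thread, not part of Avenger or of the original post.
SAMPLE_LOG is a constructed excerpt of the log posted above.
"""
import re

SAMPLE_LOG = r"""
Error: line processing failed.
Error code: 0
Line: C:\Documents and Settings\lenovo\桌面\HijackThis.exe
Logfile of The Avenger version 1, by Swandog46
Beginning to process script file:
Registry key \Registry\Machine\System\CurrentControlSet\Services\gijhjjfh not found!
Unload of driver gijhjjfh failed!
Could not process line:
gijhjjfh
Status: 0xc0000034
Driver cdnprot unloaded successfully.
File C:\WINDOWS\g6157403.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\CdnCli.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\drivers\gijhjjfh.sys not found!
Deletion of file C:\WINDOWS\SYSTEM32\drivers\gijhjjfh.sys failed!
Could not process line:
C:\WINDOWS\SYSTEM32\drivers\gijhjjfh.sys
Status: 0xc0000034
File C:\WINDOWS\SYSTEM32\drivers\cdnprot.sys deleted successfully.
Folder C:\Program Files\DeskAdTop deleted successfully.
Completed script processing.
"""

# Subset of the Windows NTSTATUS table: the codes Avenger reports most often.
NTSTATUS = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000043: "STATUS_SHARING_VIOLATION",
}

REMOVED_RE = re.compile(r"^(?:File|Folder|Registry key) (.+) deleted successfully\.$")
DRIVER_RE = re.compile(r"^Driver (\S+) unloaded successfully\.$")
REJECTED_RE = re.compile(r"^Line: (.+)$")
STATUS_RE = re.compile(r"^Status: 0x([0-9A-Fa-f]{8})$")


def parse_avenger_log(text):
    """Return {'removed', 'already_gone', 'failed', 'rejected'} lists.

    'failed' holds (target, NTSTATUS name) pairs for statuses other than
    OBJECT_NAME_NOT_FOUND; 'rejected' holds script lines the pre-processor
    could not parse (they never reach the deletion phase)."""
    r = {"removed": [], "already_gone": [], "failed": [], "rejected": []}
    lines = [l.strip() for l in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        removed = REMOVED_RE.match(line)
        driver = DRIVER_RE.match(line)
        if line == "Error: line processing failed.":
            # The pre-processor prints the offending script line a few lines on.
            for nxt in lines[i + 1:i + 4]:
                m = REJECTED_RE.match(nxt)
                if m:
                    r["rejected"].append(m.group(1))
                    break
        elif removed:
            r["removed"].append(removed.group(1))
        elif driver:
            r["removed"].append("driver " + driver.group(1))
        elif line == "Could not process line:" and i + 2 < len(lines):
            # Block shape: "Could not process line:" / <target> / "Status: 0x........"
            target = lines[i + 1]
            sm = STATUS_RE.match(lines[i + 2])
            code = int(sm.group(1), 16) if sm else None
            if code == 0xC0000034:
                r["already_gone"].append(target)  # nothing left to delete
            else:
                r["failed"].append((target, NTSTATUS.get(code, "unknown status")))
            i += 3
            continue
        i += 1
    return r


def needs_attention(summary):
    """True when a targeted item is still present or a script line never ran."""
    return bool(summary["failed"] or summary["rejected"])


if __name__ == "__main__":
    s = parse_avenger_log(SAMPLE_LOG)
    for key in ("removed", "already_gone", "failed", "rejected"):
        print(f"{key}: {s[key]}")
    print("needs attention:", needs_attention(s))
```

On the excerpt, the only item that needs attention is the rejected pre-processor line; everything the script could not delete was already absent.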

#17
loophole

Malware Expert
Great :whistling:

Please run a scan with HijackThis and check the following lines for removal:

O2 - BHO: IEMonitor Class - {08A312BB-5409-49FC-9347-54BB7D069AC6} - C:\Program Files\DeskAdTop\deskipn.dll (file missing)
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\CnsHook.dll (file missing)
O2 - BHO: BHelper Class - {F2E37336-BFDB-409B-8D0E-6F013C438B20} - C:\WINDOWS\System32\0feo9ed0.dll
O4 - HKLM\..\Run: [CnsMHlp.exe] C:\WINDOWS\Downloaded Program files\CnsMHlp.exe
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O11 - Options group: [!CNS] 网络实名
O11 - Options group: [CDNCLIENT] 中文上网
O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com...te/IESearch.cab
O21 - SSODL: DelayRun - {5A6F2F95-3191-433B-8533-EB0B596A7BAC} - C:\WINDOWS\System32\0fed9ed0.dll

Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.


Open HiJackThis. It should open to a "New users quickstart" menu
Click "Open the Misc Tools section"
Click "Delete a file on reboot..."
In the "Enter file to delete on reboot..." window, navigate to:

C:\WINDOWS\System32

And select the file

0fed9ed0.dll

Then click Open. After you click Open, HiJackThis will ask you if you want to restart your computer now. You do, so click Yes.


Post a hijack log and let me know how the computer is running

Edited by loophole, 31 August 2006 - 10:14 PM.


#18
pwf

Topic Starter
I have 2 errors popping up when Windows starts.

They are about file C:\Progra~1\3721\helper.dll
and
C:\Program Files\DeskAdTop\Run.dll

New HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 15:25:18, on 2006-9-1
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\STDSB.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\Realplayer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\hongfu\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\DrvMon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\MobileOffice\即时贴\note2.exe
C:\Program Files\MobileOffice\bin\mobile.exe
C:\WINDOWS\System32\rundll32.exe
C:\Hongfu\firefox\firefox.exe
C:\Documents and Settings\lenovo\桌面\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O2 - BHO: YDragSearch - {62EED7C6-9F02-42f9-B634-98E2899E147B} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\YDRAGS~1.DLL (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - (no file)
O3 - Toolbar: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [Desktop] C:\WINDOWS\System32\rundll32.exe "C:\Program Files\DeskAdTop\Run.dll" ,Rundll
O4 - HKLM\..\Run: [service] C:\DOCUME~1\lenovo\LOCALS~1\Temp\serviceo.exe
O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKLM\..\Run: [Realplayer.exe] C:\WINDOWS\System32\Realplayer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\System32\DrvMon.exe
O4 - HKCU\..\Run: [Skype] "C:\Documents and Settings\lenovo\桌面\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [词霸Online自启动] C:\Program Files\Kingsoft\iciba\Iciba.exe
O4 - HKCU\..\Run: [Realplayer.exe] C:\WINDOWS\System32\Realplayer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: 即时贴.lnk = ?
O4 - Global Startup: 移动之窗.lnk = C:\Program Files\MobileOffice\bin\mobile.exe
O4 - Global Startup: IE-Bar.lnk = C:\Program Files\Common Files\IE-Bar\iebar.exe
O9 - Extra button: Norton Confidence Online - {144FDEB7-A23D-4D39-A00E-AA44195535B6} - C:\WINDOWS\wcidButton.exe
O9 - Extra button: Yahoo 3.5G电邮 - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.c...p;btn=yahoomail (file missing)
O9 - Extra button: 寻宝乐趣多 - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://cn.zs.yahoo.c...c...&btn=taobao (file missing)
O9 - Extra button: 中文上网 - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O9 - Extra 'Tools' menuitem: 中文上网 - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O9 - Extra button: 雅虎助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.c...amp;btn=yassist (file missing)
O9 - Extra button: 卓越 - {8DE0FCD4-5EB5-11D3-AD25-00002100131B} - C:\PROGRA~1\MOBILE~1\CIBA\IEPlugin.dll
O9 - Extra button: 金山词霸 - {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - C:\PROGRA~1\MOBILE~1\CIBA\IEPlugin.dll
O9 - Extra button: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.c...mp;btn=yahoomsg (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.c...c...&btn=repair (file missing)
O9 - Extra 'Tools' menuitem: 修复浏览器 - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.c...c...&btn=repair (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.c...c...s&btn=clean (file missing)
O9 - Extra 'Tools' menuitem: 清理上网记录 - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.c...c...s&btn=clean (file missing)
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\cdnns.dll' missing
O11 - Options group: [!CNS] 网络实名
O11 - Options group: [CDNCLIENT] 中文上网
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://www.sz1.cmbc...oad/CMBEdit.cab
O16 - DPF: {3A2B370C-BA0A-11D1-B137-0000F8753F5D} (Microsoft Chart Control 6.0 (SP4) (OLEDB)) - http://www.fangdi.com.cn/mschart.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1156085045082
O16 - DPF: {7FC22A16-79E6-4787-9C96-B6359BB1106D} (DigitalTrafic Control) - http://www.jt.sh.cn/trafficmap/jtj.cab
O16 - DPF: {9A578C98-3C2F-4630-890B-FC04196EF420} (CNNIC_IDN) - http://jump.cnnic.cn...nnic/cdn_nt.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A3CD7F74-93C9-4BC4-B892-CCDF1514F714} - https://pbank.95559....nk/ocx/safe.cab
O16 - DPF: {C49DD894-C6DE-4910-8C41-BA20F852D8BC} - http://www.5fen.com/toolbar/5fen.cab
O16 - DPF: {CCC46940-DED0-476C-A27E-115B10DAE0B4} - http://td.nortonconf...lug-in/WSAS.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://life.ptq.sh.g...r/8/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D76717F-992C-4984-A0AF-664AF22005B5}: NameServer = 192.168.0.11
O18 - Protocol: mp3 - (no CLSID) - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\hongfu\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus 自动防护服务 (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
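The triage in the replies above (entries marked "(file missing)" or "(no file)", generated-looking DLL names in System32, autoruns from Temp, rundll32 loading DLLs from odd places, the CNNIC/3721/DeskAdTop families, the broken LSP chain) and the "fix, reboot, post a new log" loop can both be done mechanically. The script below is an added example, not part of HijackThis or of the original posts: it parses the O-lines of a HijackThis 1.99 log, flags entries with a set of assumed heuristics, and diffs a before/after pair to show what the fix removed and which flagged entries survived. The two logs are constructed excerpts of the first scan and of the scan posted after the first fix; the rules flag entries for review, they do not decide.

```python
"""Triage HijackThis v1.99 logs and diff a before/after pair.

Added example for this thread, not part of HijackThis or of the original
posts. BEFORE and AFTER are constructed excerpts of the two logs posted
above. The heuristics are assumed rules approximating the manual review
in the replies; a hit means "look at this", not "remove this".
"""
import re

BEFORE = r"""
O2 - BHO: IEMonitor Class - {08A312BB-5409-49FC-9347-54BB7D069AC6} - C:\Program Files\DeskAdTop\deskipn.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: BHelper Class - {F2E37336-BFDB-409B-8D0E-6F013C438B20} - C:\WINDOWS\System32\0feo9ed0.dll
O3 - Toolbar: (no name) - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [Desktop] C:\WINDOWS\System32\rundll32.exe "C:\Program Files\DeskAdTop\Run.dll" ,Rundll
O4 - HKLM\..\Run: [service] C:\DOCUME~1\lenovo\LOCALS~1\Temp\serviceo.exe
O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\cdnns.dll' missing
O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com...te/IESearch.cab
O21 - SSODL: DelayRun - {5A6F2F95-3191-433B-8533-EB0B596A7BAC} - C:\WINDOWS\System32\0fed9ed0.dll
"""

AFTER = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [Desktop] C:\WINDOWS\System32\rundll32.exe "C:\Program Files\DeskAdTop\Run.dll" ,Rundll
O4 - HKLM\..\Run: [service] C:\DOCUME~1\lenovo\LOCALS~1\Temp\serviceo.exe
O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\cdnns.dll' missing
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


def _orphaned(sec, body):
    # HJT itself marks registry entries whose target file is gone.
    return "(file missing)" in body or "(no file)" in body


def _generated_name_dll(sec, body):
    # 8-character System32 DLL name with 3+ digits: typical of generated names.
    m = re.search(r"\\System32\\([a-z0-9]{8})\.dll\b", body, re.I)
    return bool(m) and sum(c.isdigit() for c in m.group(1)) >= 3


def _temp_autorun(sec, body):
    return sec == "O4" and re.search(r"\\Temp\\", body, re.I) is not None


def _rundll32_outside_system32(sec, body):
    m = re.search(r'rundll32(?:\.exe)?\s+"?([a-z]:\\[^,"]+\.dll)', body, re.I)
    return bool(m) and not m.group(1).lower().startswith(r"c:\windows\system32")


def _known_adware(sec, body):
    # Families named in this thread (3721/CNNIC "Chinese keywords", DeskAdTop).
    return re.search(r"3721|CNNIC|Cns(?:Min|Hook|MHlp)|DeskAdTop", body) is not None


def _lsp_broken(sec, body):
    return sec == "O10"


def _toolbar_activex(sec, body):
    return sec == "O16" and re.search(r"bar\.|toolbar|search", body, re.I) is not None


HEURISTICS = [
    ("orphaned entry", _orphaned),
    ("generated-looking DLL name in System32", _generated_name_dll),
    ("autorun from Temp", _temp_autorun),
    ("rundll32 loading a DLL outside System32", _rundll32_outside_system32),
    ("known adware family", _known_adware),
    ("broken Winsock LSP chain", _lsp_broken),
    ("toolbar/search ActiveX download", _toolbar_activex),
]


def parse(log):
    """Return (section, body) for each O-line; process lists and headers are skipped."""
    out = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def triage(log):
    """Return [(section, body, reasons)] for entries at least one heuristic fires on."""
    flagged = []
    for sec, body in parse(log):
        reasons = [name for name, fn in HEURISTICS if fn(sec, body)]
        if reasons:
            flagged.append((sec, body, reasons))
    return flagged


def diff_logs(before, after):
    """Entries the fix removed, and the flagged entries that survived it."""
    removed = sorted(set(parse(before)) - set(parse(after)))
    return removed, triage(after)


if __name__ == "__main__":
    for sec, body, reasons in triage(BEFORE):
        print(f"{sec}: {body[:70]}  <- {', '.join(reasons)}")
    removed, remaining = diff_logs(BEFORE, AFTER)
    print(f"\n{len(removed)} entries gone after the fix, {len(remaining)} flagged entries remain")
```

On these excerpts the diff shows the two DeskAdTop/BHelper BHOs, the Baidu ActiveX and the SSODL entry gone, while the CnsMin, 3721 helper.dll and DeskAdTop Run.dll autoruns, the Temp autorun and the broken LSP are still present, which is what the user's two start-up errors and the next reply's list reflect. The rundll32 rule is deliberately broad (legitimate software also loads DLLs from Program Files), so treat it as a prompt to check the DLL, not as a verdict.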

#19
loophole

Malware Expert
Hi :whistling:

Download LSPFix.exe to a convenient location.

Please double-click the LSPFix.exe that you downloaded. Check the "I know what I'm doing" button. You will see 2 panels. If there is any file listed in the "Remove" panel on the right-hand side, leave it as is and just click "Finish>>".

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.


Please run a scan with HijackThis and check the following lines for removal:

O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O3 - Toolbar: (no name) - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - (no file)
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [Desktop] C:\WINDOWS\System32\rundll32.exe "C:\Program Files\DeskAdTop\Run.dll" ,Rundll
O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O11 - Options group: [!CNS] 网络实名
O11 - Options group: [CDNCLIENT] 中文上网

Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

Reboot and post a new log and let me know how the computer is running

Thanks

Edited by loophole, 02 September 2006 - 02:41 PM.


#20
pwf

Topic Starter
well, I'll be on another computer for a week. I'll do it when I come back. Thanks

#21
loophole

Malware Expert
OK