
nail [nail.exe infection - HJT log posted]

Discussion in 'Malware and Virus Removal Archive' started by bravo, 2005/06/05.

Thread Status:
Not open for further replies.
  1. 2005/06/05
    bravo

    bravo Inactive Thread Starter

    Joined:
    2005/06/05
    Messages:
    6
    Likes Received:
    0
    Hi there,
    I found a file called nail.exe on my computer.
    I know it's a virus because it made my computer start up repeatedly.
    One randomly named file with an unknown purpose also appeared (in system32).
    My Norton AntiVirus program cannot function,
    and recently my computer even shut down by itself.

    Following the instructions in some of the previous threads I succeeded in getting rid of this virus, but it just came up again, probably because I have disabled my firewall several times (I did it because I had to). I don't know how I got infected or how to avoid getting it, please tell me.

    here is my HJT log file
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\WINDOWS\system32\mmc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\conime.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\PROGRA~1\NORTON~1\navw32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\windows\system32\cvbjshg.exe
    C:\Documents and Settings\use\桌面\KillBox.exe
    C:\Documents and Settings\use\桌面\HijackThis.exe

    R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: CShowKuroBar Class - {59062B7A-61BD-4A26-A7A6-6A213F2601F7} - C:\Program Files\KuroM7\CallToolBar.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [ScanRegistry] C:\W
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe "
    O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
    O4 - HKLM\..\Run: [0l6l2S] C:\WINDOWS\skwqe.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [System Updates Dll] syst32.exe
    O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
    O4 - HKLM\..\Run: [Configuration] tftphelp.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [?聘0?C
    弓嬼z?[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\skwqe.exe
    O4 - HKLM\..\Run: [^確??Z蟷 T詆:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\skwqe.exe
    O4 - HKLM\..\Run: [?y?輸趴ZlXz5顉羥C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\skwqe.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [dkshmlt] c:\windows\system32\cvbjshg.exe
    O4 - HKLM\..\RunServices: [System Updates Dll] syst32.exe
    O4 - HKLM\..\RunServices: [MSN Message Background loader] msnmesg.exe
    O4 - HKLM\..\RunServices: [Configuration] tftphelp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
    O4 - HKCU\..\Run: [System Updates Dll] syst32.exe
    O4 - HKCU\..\RunServices: [System Updates Dll] syst32.exe
    O4 - HKCU\..\RunServices: [MSN Message Background loader] msnmesg.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
    O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
    O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
    O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
    O8 - Extra context menu item: Kuro刲坰mp3 - res://C:\Program Files\KuroM7\KuroBar.dll/MENUSEARCH.HTM
    O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: 反向連結 - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: 網頁的快取快照 - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: 類似網頁 - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .midi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c1.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {A2979615-DC81-4AE4-A153-912E3C227058} (Yahoo! 相簿輕鬆上載工具 Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3hk.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {BE9D5F13-40C1-44CA-9950-B9211E4B60DD} (MeChatU Class) - http://www.hkwewet.com:5000/video/MeChatUser.cab
    O16 - DPF: {CF85459D-DFA7-4028-A065-3C6D1356DCC8} (CertInstall Control) - http://gd.chinavnet.com/CertInstall.cab
    O16 - DPF: {ED5896AC-7F1A-4095-87A8-08206DE7835C} (WingCtl Class) - http://web.spaceillusion.com/mysprite/install/Wings2.cab
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus 自動防護服務 (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    As you can see, I'm also infected with istsvc.exe.

    Please help me.
     
  2. 2005/06/05
    bravo

    bravo Inactive Thread Starter

    Joined:
    2005/06/05
    Messages:
    6
    Likes Received:
    0
    Moreover, I have disabled the system startup service, so you won't find it in this log.
     


  4. 2005/06/05
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
  5. 2005/06/05
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS bravo :)

    You should print this out and/or save it to text where you can access it in safe mode.

    Download the stand-alone CWShredder 2.15 from here. Save it to the desktop.

    Please download the trial version of ewido security suite.
    Install ewido security suite and start the program from the icon on your desktop, then check for and download updates. Close for now.

    Please download Nailfix from here:
    http://www.noidea.us/easyfile/file.php?download=20050515010747824
    Extract the files to a folder of their own on the desktop but please do NOT run it yet.

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe "
    O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
    O4 - HKLM\..\Run: [0l6l2S] C:\WINDOWS\skwqe.exe
    O4 - HKLM\..\Run: [System Updates Dll] syst32.exe
    O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
    O4 - HKLM\..\Run: [Configuration] tftphelp.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [?聘0?C
    弓嬼z?[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\skwqe.exe
    O4 - HKLM\..\Run: [^確??Z蟷 T詆:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\skwqe.exe
    O4 - HKLM\..\Run: [?y?輸趴ZlXz5顉羥C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\skwqe.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [dkshmlt] c:\windows\system32\cvbjshg.exe
    O4 - HKLM\..\RunServices: [System Updates Dll] syst32.exe
    O4 - HKLM\..\RunServices: [MSN Message Background loader] msnmesg.exe
    O4 - HKLM\..\RunServices: [Configuration] tftphelp.exe
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/M...e/bridge-c1.cab


    Either reboot and repeatedly tap F8 to enable the start menu and select safe mode, or go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and click OK. Click yes to restart. This will restart your computer in safe mode. Logon to your user account.

    Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

    Delete the following files in bold if present.
    C:\WINDOWS\skwqe.exe
    c:\windows\system32\syst32.exe
    c:\windows\system32\tftphelp.exe
    c:\windows\system32\cvbjshg.exe
    c:\windows\system32\msnmesg.exe

    Delete the following folders in bold if present.
    C:\Program Files\Internet Optimizer
    C:\Program Files\ISTsvc
    C:\Program Files\Ebates_MoeMoneyMaker
    C:\Program Files\Media Access
    C:\Program Files\Power Scan

    Open Ewido Security Suite
    • Click on scanner
    • Make sure the following boxes are checked before scanning:
      • Binder
      • Crypter
      • Archives
    • Click on Start Scan
    • Let the program scan the machine
    While the scan is in progress you will be prompted to clean files, click OK

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    • Click Save report
    • Save the report to your desktop

    Open CWShredder, close all other windows and click fix.

    Open C:\Temp if present, select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Windows\Prefetch, select all and delete.
    Open the control panel, then internet options and delete the temporary internet files, checking the box for offline content.
    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and click OK.

    If you used msconfig, uncheck the /safeboot box and click ok to reboot. Upon reboot you will be greeted with a message window from the System Configuration Utility. Check the box not to use and don't show, then click OK. If you used F8, just reboot back into Windows.

    Scan your PC with RAV. If any files are infected, click the report button then copy and paste it here.

    Please post a new HijackThis log, as well as the log from the Ewido scan.
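As an added example (not part of the thread, and not HijackThis's or WindowsBBS's own code), the judgement behind noahdfear's fix list written as checkable rules and run over lines copied from the first HJT log above; GARBLED1/GARBLED2 are constructed stand-ins for the unreadable entry names, and the rules are review prompts for a helper rather than verdicts (they also catch the unnamed Google O16 entry, which was left alone).

```python
"""Triage heuristics for HijackThis (HJT) log entries.

Added example for this thread; not code from HijackThis or the helper. It
encodes, as rules, the reasoning behind which F2/O4/O16 entries were picked
for fixing, and runs them over lines from the first log in the thread.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: entries from the thread's first HJT log plus clean vendor
# entries as controls. HijackThis printed unreadable names for two skwqe.exe
# entries; GARBLED1/GARBLED2 stand in for those bytes (constructed).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKLM\..\Run: [0l6l2S] C:\WINDOWS\skwqe.exe
O4 - HKLM\..\Run: [GARBLED1 C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\skwqe.exe
O4 - HKLM\..\Run: [GARBLED2 C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\skwqe.exe
O4 - HKLM\..\Run: [System Updates Dll] syst32.exe
O4 - HKLM\..\Run: [Configuration] tftphelp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [System Updates Dll] syst32.exe
O4 - HKLM\..\RunServices: [MSN Message Background loader] msnmesg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [System Updates Dll] syst32.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c1.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*)\] (.*)$")
F2_SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$", re.IGNORECASE)
O16_UNNAMED_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\} - \S+$")
WINDIR_ROOT_RE = re.compile(r"^[A-Za-z]:\\windows\\[^\\]+$", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def executable_of(command: str) -> str:
    """Return the program part of an autostart command, dropping its arguments."""
    command = command.strip()
    if command.startswith('"'):  # quoted path, e.g. "C:\...\qttask.exe" -atboottime
        end = command.find('"', 1)
        return command[1:end].strip() if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)(?=\s|$)", command, re.IGNORECASE)  # unquoted path with spaces
    return m.group(1) if m else command.split()[0]


def triage(log_text: str) -> list:
    """Apply the heuristics to every line; return one Finding per suspicious line."""
    findings = {}
    by_exe = defaultdict(list)  # lower-cased executable -> lines that register it

    def flag(line, reason):
        findings.setdefault(line, Finding(line)).reasons.append(reason)

    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        m = F2_SHELL_RE.match(line)
        if m:
            # The Shell value should be Explorer.exe alone; anything appended is
            # started with the shell and survives a Run-key-only cleanup.
            extra = [p for p in m.group(1).split() if p.lower() != "explorer.exe"]
            if extra:
                flag(line, f"Shell hijack: {' '.join(extra)} starts alongside Explorer.exe")
            continue
        m = O4_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            exe = executable_of(command)
            by_exe[exe.lower()].append(line)
            if "\\" not in exe and not exe.startswith("%"):
                flag(line, "bare filename: no install path, found by PATH search (typically dropped into System32)")
            if key.lower() == "runservices":
                flag(line, "RunServices key: Win9x-era key that XP ignores, written by worms that hit every autostart key")
            if ":\\" in name:
                flag(line, "autostart name contains a file path: generated, not a product name")
            if WINDIR_ROOT_RE.match(exe):
                flag(line, "executable sits directly in the Windows directory rather than a program folder")
            continue
        if O16_UNNAMED_RE.match(line):
            flag(line, "unnamed ActiveX download (no class name): check the .cab source by hand")
    # Persistence redundancy: one program registered under several entries.
    for lines in by_exe.values():
        if len(lines) > 1:
            for line in lines:
                flag(line, f"same executable registered by {len(lines)} autostart entries")
    return list(findings.values())


def flagged_lines(log_text: str) -> dict:
    """Map each suspicious line to its list of reasons."""
    return {f.line: f.reasons for f in triage(log_text)}


if __name__ == "__main__":
    for line, reasons in flagged_lines(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("   -", reason)
```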
     
  6. 2005/06/06
    bravo

    bravo Inactive Thread Starter

    Joined:
    2005/06/05
    Messages:
    6
    Likes Received:
    0
    Sorry, I didn't read the rules because I was in a hurry.

    noahdfear, here you are, my ewido report (sorry, it's in Chinese).


    ---------------------------------------------------------
    ewido security suite - 扫描记录
    ---------------------------------------------------------

    + 创建于: 20:44:30, 6/6/2005
    + 记录-校验码: B57E9E52

    + 数据库日期: 6/6/2005
    + 扫描器版本: v3.0

    + 持续时间: 46 min
    + 已扫描的文件: 84354
    + 速度: 30.14 文件/秒
    + 感染的文件: 128
    + 删除的文件: 128
    + 隔离的文件: 128
    + 无法打开的文件: 0
    + 无法清除的文件: 0

    + 合并: 是
    + 加密: 是
    + 文件库: 是

    + 已扫描的项目:
    C:\

    + 扫描结果:
    C:\Documents and Settings\use\Cookies\use@0[11].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@0[12].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@0[13].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@11.rtcode[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@12339856[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@1[10].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@1[11].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@1[5].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@2[5].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@2[6].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@36758665[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@4[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@4[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@561[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@598[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@635[3].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@674[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@737[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@7search[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@a.as-us.falkag[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@ad4.lbn[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@ad6.bannerbank[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@ad7.bannerbank[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@ad9.bannerbank[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@adrevolver[3].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@ads.adsag[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@ads.targetnet[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@ads.tripod.lycos.co[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@ads.x10[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@advertising[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@as1.falkag[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@atdmt[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@bfast[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@bluestreak[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@bravenet[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@burstnet[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@cgi-bin[12].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@cgi-bin[14].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@cgi-bin[16].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@cgi-bin[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@citi.bridgetrack[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@clickagents[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@cnsmin.3721[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@com[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@counter2.sextracker[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@counter5.sextracker[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@counter6.sextracker[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@counter7.sextracker[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@counter8.sextracker[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@dcsh1crh7pifwzr6ntat26nr5_8u7n[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@dcspmxiuwf9xjy0rch86gos1s_9v5f[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@dcszvdi9hoifwzj8z5nosjjah_6i9k[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@doubleclick[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@download.com[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@ehg-capitalgroup.hitbox[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@ehg-mtv.hitbox[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@ehg-sonypictures.hitbox[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@ehg-warnerbrothers.hitbox[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@fastclick[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@fl01.ct2.comclick[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@geocities.co[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@geocities[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@hb.lycos[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@hc2.humanclick[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@hg1.hitbox[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@hitbox[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@hk.geocities[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@hotlog[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@image.masterstats[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@landing.domainsponsor[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@linkexchange[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@linksynergy[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@list[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@match.msn.com[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@mediamgr.ugo[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@mediaplex[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@myway[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@netpoll[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@overture[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@perf.overture[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@programs.wegcash[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@rb4.worldsex[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@realmedia[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@real[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@S005-01-3-21-233869-62030[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@S009-00-12-20-203449-44541[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@S009-00-12-20-203449-44547[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@S119579[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@S148462[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@S152488[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@sdc.shockwave[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@search.msn.com[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@search.msn[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@servedby.advertising[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@servedby.netshelter[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@server.iad.liveperson[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@sexlist[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@sextracker[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@spylog[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@stat.onestat[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@statse.webtrendslive[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@targetnet[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@valueclick.ne[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@valueclick[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@web4.realtracker[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@www.ebates[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@www.slotch[2].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@www.smartadserver[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@www.xxxtoolbar[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@www.xzoomy[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@xiti[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@xxxcounter[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@zedo[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@zsbbs.3721[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\Cookies\use@zwsw.3721[1].txt -> Spyware.Tracking-Cookie -> 可恢复的删除
    C:\Documents and Settings\use\桌面\backups\backup-20050529-211927-851.dll -> TrojanDownloader.Dyfuca.dc -> 可恢复的删除
    C:\Documents and Settings\use\桌面\backups\backup-20050606-193105-957.dll -> Spyware.WinAD -> 可恢复的删除
    C:\psvec.exe -> Backdoor.Wisdoor.ag -> 可恢复的删除
    C:\RECYCLER\S-1-5-21-2533415628-52553444-2088266155-1006\Dc5.exe -> TrojanDownloader.IstBar.go -> 可恢复的删除
    C:\RECYCLER\S-1-5-21-2533415628-52553444-2088266155-1006\Dc6.exe -> Backdoor.RBot.Generic -> 可恢复的删除
    C:\RECYCLER\S-1-5-21-2533415628-52553444-2088266155-1006\Dc7.exe -> Trojan.Agent.cp -> 可恢复的删除
    C:\RECYCLER\S-1-5-21-2533415628-52553444-2088266155-1006\Dc8\istsvc.exe -> TrojanDownloader.IstBar -> 可恢复的删除
    C:\WINDOWS\conscorr.exe -> Spyware.ConsCorr -> 可恢复的删除
    C:\WINDOWS\preInsln.exe -> Spyware.BiSpy.o -> 可恢复的删除
    C:\WINDOWS\system32\ide21201.vxd -> Spyware.MediaPass -> 可恢复的删除
    C:\WINDOWS\system32\ln_reco.exe -> Spyware.BetterInternet -> 可恢复的删除


    ::报告结束
     
  7. 2005/06/06
    bravo

    bravo Inactive Thread Starter

    Joined:
    2005/06/05
    Messages:
    6
    Likes Received:
    0
    And my HJT log:

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\InterMute\SpySubtract\SpySub.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Winamp\winamp.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\use\桌面\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: CShowKuroBar Class - {59062B7A-61BD-4A26-A7A6-6A213F2601F7} - C:\Program Files\KuroM7\CallToolBar.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [ScanRegistry] C:\W
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [ndvran] c:\windows\system32\qaswhz.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
    O4 - HKCU\..\Run: [System Updates Dll] syst32.exe
    O4 - HKCU\..\RunServices: [System Updates Dll] syst32.exe
    O4 - HKCU\..\RunServices: [MSN Message Background loader] msnmesg.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
    O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
    O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
    O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
    O8 - Extra context menu item: Kuro刲坰mp3 - res://C:\Program Files\KuroM7\KuroBar.dll/MENUSEARCH.HTM
    O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: 反向連結 - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: 網頁的快取快照 - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: 類似網頁 - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .midi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {A2979615-DC81-4AE4-A153-912E3C227058} (Yahoo! 相簿輕鬆上載工具 Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3hk.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {BE9D5F13-40C1-44CA-9950-B9211E4B60DD} (MeChatU Class) - http://www.hkwewet.com:5000/video/MeChatUser.cab
    O16 - DPF: {CF85459D-DFA7-4028-A065-3C6D1356DCC8} (CertInstall Control) - http://gd.chinavnet.com/CertInstall.cab
    O16 - DPF: {ED5896AC-7F1A-4095-87A8-08206DE7835C} (WingCtl Class) - http://web.spaceillusion.com/mysprite/install/Wings2.cab
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus 自動防護服務 (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    I cannot scan with RAV because of this:

    Please wait to update the virus definitions...
    Updating from: http://www.rav.ro
    Updating from: ftp://ftp.ro.ravantivirus.com
    Updating from: http://www.ravantivirus.com
    Updating from: ftp://ftp.us.ravantivirus.com
    Updating from: ftp://ftp.ravantivirus.com
    Updating from: ftp://ftp.us.ravantivirus.com
    Updating from: http://ftp.us.ravantivirus.com
    Updating from: ftp://ftp.ro.ravantivirus.com
    Updating from: http://ftp.ro.ravantivirus.com
    Update failed !
    undefined
     
  8. 2005/06/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Scan again with HijackThis and fix the following entries.

    O4 - HKLM\..\Run: [ScanRegistry] C:\W
    O4 - HKLM\..\Run: [ndvran] c:\windows\system32\qaswhz.exe
    O4 - HKCU\..\Run: [System Updates Dll] syst32.exe
    O4 - HKCU\..\RunServices: [System Updates Dll] syst32.exe
    O4 - HKCU\..\RunServices: [MSN Message Background loader] msnmesg.exe

    Delete the files in bold if present. Empty the recycle bin and reboot. Create and post a new HijackThis log. **Note - All of your past logs are missing the top portion. Please post the entire log!
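
The entries singled out above can be picked out mechanically. The following is an added example, not noahdfear's tool or anything from HijackThis itself: a small Python triage pass over O4 lines that applies three structural checks (an entry under RunServices, which only Windows 9x/ME honours and an NT-based system like this XP box never runs; a bare filename with no directory; and an unknown target with no extension, which is what a truncated command like `C:\W` looks like) and then compares the remaining targets against a known-good list. The `KNOWN_GOOD` set and the `SAMPLE_O4` text are constructed from the entries in this thread that were left alone and the ones that were flagged; the allowlist is an assumption for the example, not HijackThis's database.

```python
"""Triage helper for HijackThis O4 (autostart) entries.

Added example: rules plus a constructed allowlist, reproducing the reasoning
behind the five entries picked out in the thread. Not HijackThis's own code.
"""
import re
from typing import Dict, List

# Constructed sample input: O4 lines taken from the two logs in this thread.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\W
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ndvran] c:\windows\system32\qaswhz.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [System Updates Dll] syst32.exe
O4 - HKCU\..\RunServices: [System Updates Dll] syst32.exe
O4 - HKCU\..\RunServices: [MSN Message Background loader] msnmesg.exe
"""

# O4 - <hive>\..\<key>: [<label>] <command>
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$'
)

# Constructed allowlist (assumption for this example): lower-cased basenames of
# the autostart entries that were left alone in the thread.
KNOWN_GOOD = {
    "imjpmig.exe", "tintsetp.exe", "khooker.exe", "nerocheck.exe", "ccapp.exe",
    "ccregvfy.exe", "realsched.exe", "qttask.exe", "winampa.exe", "usrprmpt.exe",
    "sndmon.exe", "ctfmon.exe", "update.exe", "dumprep",
}


def target_of(cmd: str) -> str:
    """Return the executable part of an O4 command string (quoted, or up to the
    first recognised extension, or the first whitespace-delimited token)."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.*?\.(?:exe|com|scr|bat|cmd|dll))(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def basename(target: str) -> str:
    return target.replace("/", "\\").rsplit("\\", 1)[-1]


def reasons_for(key: str, cmd: str) -> List[str]:
    """Structural red flags first, then the allowlist comparison."""
    target = target_of(cmd)
    name = basename(target)
    reasons: List[str] = []
    if key.lower().startswith("runservices"):
        reasons.append("RunServices is honoured only by Windows 9x/ME; an NT-based "
                       "system ignores it, so nothing legitimate writes there")
    if "\\" not in target and "/" not in target:
        reasons.append("bare filename with no directory; resolved via the search path")
    if name.lower() not in KNOWN_GOOD:
        if "." not in name:
            reasons.append("unknown target with no extension (truncated or garbled command)")
        else:
            reasons.append("not on the known-good list; research before keeping")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return the O4 entries that have at least one reason to be looked at."""
    flagged: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if not m:
            continue
        reasons = reasons_for(m["key"], m["cmd"])
        if reasons:
            flagged.append({"line": line, "key": m["key"], "label": m["label"],
                            "target": target_of(m["cmd"]), "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for entry in triage(SAMPLE_O4):
        print(entry["line"])
        for r in entry["reasons"]:
            print("    -", r)
```

Run against the sample it reports exactly the five lines listed above and leaves `KernelFaultCheck` (no extension, but `dumprep` is on the allowlist) alone; on a real log the allowlist is the part that needs maintaining, which is why the rules run before it.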
     
  9. 2005/06/07
    bravo

    bravo Inactive Thread Starter

    Joined:
    2005/06/05
    Messages:
    6
    Likes Received:
    0
    HJT log

    Logfile of HijackThis v1.99.1
    Scan saved at 23:27:45, on 7/6/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\InterMute\SpySubtract\SpySub.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\use\桌面\HijackThis.exe
    C:\Program Files\Winamp\winamp.exe
    C:\WINDOWS\System32\wuauclt.exe

    R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: CShowKuroBar Class - {59062B7A-61BD-4A26-A7A6-6A213F2601F7} - C:\Program Files\KuroM7\CallToolBar.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
    O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
    O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
    O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
    O8 - Extra context menu item: Kuro刲坰mp3 - res://C:\Program Files\KuroM7\KuroBar.dll/MENUSEARCH.HTM
    O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: 反向連結 - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: 網頁的快取快照 - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: 類似網頁 - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .midi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {A2979615-DC81-4AE4-A153-912E3C227058} (Yahoo! 相簿輕鬆上載工具 Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3hk.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {BE9D5F13-40C1-44CA-9950-B9211E4B60DD} (MeChatU Class) - http://www.hkwewet.com:5000/video/MeChatUser.cab
    O16 - DPF: {CF85459D-DFA7-4028-A065-3C6D1356DCC8} (CertInstall Control) - http://gd.chinavnet.com/CertInstall.cab
    O16 - DPF: {ED5896AC-7F1A-4095-87A8-08206DE7835C} (WingCtl Class) - http://web.spaceillusion.com/mysprite/install/Wings2.cab
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus 自動防護服務 (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     