Spyware, Slowsystem, Win32/cnsmin


This topic is locked
10 replies to this topic

#1 archantis

archantis

  • Members
  • 10 posts

Posted 25 July 2007 - 02:32 AM

My computer is very slow at loading Windows, and after scanning with Windows Defender it says I have Win32/CnsMin and I can't seem to remove it.


Logfile of HijackThis v1.99.1
Scan saved at 15:10:04, on 2007-7-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Hijackthis\HijackThis.exe

R3 - URLSearchHook: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - F:\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: ThunderBHO - {11F09AFC-75AD-4E51-AB43-E09E9351CE16} - F:\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: yPhtb - {33BBE430-0E42-4f12-B075-8D21ACB10DCB} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yphtb.dll
O2 - BHO: Anti Fish - {38928D50-8A48-44C2-945F-D2F23F771410} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yangling.dll
O2 - BHO: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O2 - BHO: YDragSearch - {62EED7C6-9F02-42f9-B634-98E2899E147B} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\YDRAGS~1.DLL
O2 - BHO: (no name) - {669751ED-D558-49AE-B01A-3B374CC7910E} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\CnsHook.dll
O3 - Toolbar: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O4 - HKLM\..\Run: [stup.exe] Rundll32.exe C:\PROGRA~1\TENCENT\SSPlus\SPlus.dll,Rundll32 R
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\cmd.exe /c Combobatch.bat
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [YLive.exe] C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
O4 - HKLM\..\Run: [CnsM.dll] Rundll32.exe C:\PROGRA~1\3721\CnsM.dll,Rundll32
O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [yassistse] "C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: QQ游戏启动加速程序.lnk = C:\Program Files\TENCENT\QQGAME\Accel.exe
O8 - Extra context menu item: 使用迅雷下载 - F:\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - F:\Thunder Network\Thunder\Program\getallurl.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\QQ2006\AddEmotion.htm
O8 - Extra context menu item: 添加到雅虎订阅(&Y) - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yrss.dll/YRSSMENUEXT
O8 - Extra context menu item: 解霸实时播放 - C:\Program Files\HEROSOFT\Hero3000\MPURLGET.HTM
O8 - Extra context menu item: 雅虎搜索 - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/246
O9 - Extra button: 浩方对战平台 - {0A155D3C-68E2-4215-A47A-E800A446447A} - F:\HF\浩方对战平台\GameClient.exe
O9 - Extra button: Yahoo 3.5G电邮 - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm?sourc...p;btn=yahoomail (file missing)
O9 - Extra button: 名品折扣 - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://adtaobao.allyes.com/main/adfclick?d...?allyesPara=816 (file missing)
O9 - Extra button: 雅虎助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/cnsbutton.htm?sourc...amp;btn=yassist (file missing)
O9 - Extra button: 雅虎WIDGET - {6354ABE6-05F1-49ed-B850-E423120EC338} - http://cn.widget.yahoo.com/index.htm?source=Cns (file missing)
O9 - Extra button: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.htm?sourc...mp;btn=yahoomsg (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?sourc...&btn=repair (file missing)
O9 - Extra 'Tools' menuitem: 修复浏览器 - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?sourc...&btn=repair (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?sourc...s&btn=clean (file missing)
O9 - Extra 'Tools' menuitem: 清理上网记录 - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?sourc...s&btn=clean (file missing)
O11 - Options group: [!CNS] 网络实名
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E787FD25-8D7C-4693-AE67-9406BC6E22DF} (PasswordEditCtrl Class) - https://www.tenpay.com/download/qqedit.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{752F7144-0A59-4738-91BB-3C44DA4F64A0}: NameServer = 202.96.128.68 202.96.128.166
O18 - Protocol: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - E:\KUGOO\KuGoo2\InExtend\KuGoo3DownXControl.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: SysTime - {724C75F1-B757-408D-A50A-4CF99DA35D73} - C:\PROGRA~1\WinKld\WinKld.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 25 July 2007 - 06:28 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum archantis :thumbsup:
My name is Richie and I'll be helping you fix your problems.

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.

--------------------------------------------------------

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into "SAFE MODE" using the F8 method.
To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

Also post a fresh Hijackthis log.

#3 archantis

archantis
  • Topic Starter

  • Members
  • 10 posts

Posted 26 July 2007 - 01:21 AM

Wow, thanks for replying, I was wondering if anyone would help me =) Here is a fresh HJT log after I used SDFix and DrWeb-CureIt. Oh, just a little more info if needed: I have 4 hard drives. Also, after the scans Windows Defender still says I have Win32/CnsMin.


Logfile of HijackThis v1.99.1
Scan saved at 14:19:20, on 2007-7-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TT\TTraveler.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R3 - URLSearchHook: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - F:\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: ThunderBHO - {11F09AFC-75AD-4E51-AB43-E09E9351CE16} - F:\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: yPhtb - {33BBE430-0E42-4f12-B075-8D21ACB10DCB} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yphtb.dll
O2 - BHO: Anti Fish - {38928D50-8A48-44C2-945F-D2F23F771410} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yangling.dll
O2 - BHO: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O2 - BHO: YDragSearch - {62EED7C6-9F02-42f9-B634-98E2899E147B} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\YDRAGS~1.DLL
O2 - BHO: (no name) - {669751ED-D558-49AE-B01A-3B374CC7910E} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\CnsHook.dll
O3 - Toolbar: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O4 - HKLM\..\Run: [stup.exe] Rundll32.exe C:\PROGRA~1\TENCENT\SSPlus\SPlus.dll,Rundll32 R
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\cmd.exe /c Combobatch.bat
O4 - HKLM\..\Run: [CnsM.dll] Rundll32.exe C:\PROGRA~1\3721\CnsM.dll,Rundll32
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: QQ游戏启动加速程序.lnk = C:\Program Files\TENCENT\QQGAME\Accel.exe
O8 - Extra context menu item: 使用迅雷下载 - F:\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - F:\Thunder Network\Thunder\Program\getallurl.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\QQ2006\AddEmotion.htm
O8 - Extra context menu item: 添加到雅虎订阅(&Y) - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yrss.dll/YRSSMENUEXT
O8 - Extra context menu item: 解霸实时播放 - C:\Program Files\HEROSOFT\Hero3000\MPURLGET.HTM
O8 - Extra context menu item: 雅虎搜索 - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/246
O9 - Extra button: 浩方对战平台 - {0A155D3C-68E2-4215-A47A-E800A446447A} - F:\HF\浩方对战平台\GameClient.exe
O9 - Extra button: 雅虎WIDGET - {6354ABE6-05F1-49ed-B850-E423120EC338} - http://cn.widget.yahoo.com/index.htm?source=Cns (file missing)
O9 - Extra button: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.htm?sourc...mp;btn=yahoomsg (file missing)
O11 - Options group: [!CNS] 网络实名
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E787FD25-8D7C-4693-AE67-9406BC6E22DF} (PasswordEditCtrl Class) - https://www.tenpay.com/download/qqedit.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{752F7144-0A59-4738-91BB-3C44DA4F64A0}: NameServer = 202.96.128.68 202.96.128.166
O18 - Protocol: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - E:\KUGOO\KuGoo2\InExtend\KuGoo3DownXControl.ocx (file missing)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: SysTime - {724C75F1-B757-408D-A50A-4CF99DA35D73} - C:\PROGRA~1\WinKld\WinKld.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe



Here is the SDFix report.


SDFix: Version 1.94

Run by Administrator on ??? 2007-07-26 at 14:06

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"d:\\My Documents\\演示图片\\skype\\Phone\\Skype.exe"="d:\\My Documents\\演示图片\\skype\\Phone\\Skype.exe:*:Enabled:Skype"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"E:\\KUGOO\\KuGoo2\\KuGoo.exe"="E:\\KUGOO\\KuGoo2\\KuGoo.exe:*:Disabled:专业音乐P2P传输软件"
"F:\\Thunder Network\\Thunder\\Program\\Thunder5.exe"="F:\\Thunder Network\\Thunder\\Program\\Thunder5.exe:*:Disabled:Thunder"
"F:\\HF\\浩方对战平台\\GameClient.exe"="F:\\HF\\浩方对战平台\\GameClient.exe:*:Enabled:浩方对战平台"
"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe"="C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe:*:Enabled:Messenger"
"C:\\Program Files\\QQ2006\\QQ.exe"="C:\\Program Files\\QQ2006\\QQ.exe:*:Enabled:QQ"
"C:\\Program Files\\QQ2006\\QQUpdateCenter.exe"="C:\\Program Files\\QQ2006\\QQUpdateCenter.exe:*:Enabled:QQUpdate"
"F:\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\avp.exe"="F:\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\avp.exe:*:Enabled:Kaspersky Anti-Virus"
"C:\\Program Files\\TENCENT\\QQGAME\\QQGameDl.exe"="C:\\Program Files\\TENCENT\\QQGAME\\QQGameDl.exe:*:Enabled:QQGameDl"
"C:\\Program Files\\qq2006\\Qzone\\Qzone.exe"="C:\\Program Files\\qq2006\\Qzone\\Qzone.exe:*:Enabled:QzoneClient1.3Beta02 V01.3.102.015"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------


Files with Hidden Attributes:

C:\COMMAND.COM
C:\System Volume Information\_restore{953639C2-F3D0-4A9B-A034-D81EC1D0215C}\RP10\A0016479.sys
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\SOFTWARE.tmp.LOG
C:\WINDOWS\system32\config\SYSTEM.tmp.LOG
C:\WINDOWS\system32\config\DEFAULT.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG

Finished
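A way to do by script the kind of read a helper does on these two logs by eye, as an added example that is not part of the original thread and not code from HijackThis or BleepingComputer: a small Python parser for HJT log lines that flags registrations whose file is gone ("(no file)" / "(file missing)"), O4 Run entries where rundll32 hosts a DLL from outside system32, and paths matching the CnsMin / 3721 / WinKld components named in this thread, then diffs the first log against the second to show what actually disappeared between the two scans. The sample lines are copied from the two logs above; the flag names, the watch-list pattern and the "outside system32" heuristic are my own choices, not anything the helper or the tools define.

```python
"""Parse HijackThis (HJT) log lines, flag entries worth reviewing, and diff two logs."""
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample: a handful of lines copied from the first and second HJT logs
# posted in this thread (before and after SDFix / Dr.Web CureIt were run).
LOG_BEFORE = r"""
O2 - BHO: (no name) - {669751ED-D558-49AE-B01A-3B374CC7910E} - (no file)
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\CnsHook.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CnsM.dll] Rundll32.exe C:\PROGRA~1\3721\CnsM.dll,Rundll32
O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [YLive.exe] C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
O21 - SSODL: SysTime - {724C75F1-B757-408D-A50A-4CF99DA35D73} - C:\PROGRA~1\WinKld\WinKld.dll (file missing)
"""
LOG_AFTER = r"""
O2 - BHO: (no name) - {669751ED-D558-49AE-B01A-3B374CC7910E} - (no file)
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\CnsHook.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CnsM.dll] Rundll32.exe C:\PROGRA~1\3721\CnsM.dll,Rundll32
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O21 - SSODL: SysTime - {724C75F1-B757-408D-A50A-4CF99DA35D73} - C:\PROGRA~1\WinKld\WinKld.dll (file missing)
"""


class Entry(NamedTuple):
    section: str  # "O2", "O4", "O21", ...
    name: str     # value name for O4 entries, display name for the others
    target: str   # command line, file path or URL the registration points at


RUN_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# rundll32 with an optional directory prefix, then the DLL path up to the ",EntryPoint" part
RUNDLL_RE = re.compile(r"^(?:\S*\\)?rundll32(?:\.exe)?\s+(?P<dll>[^,]+)", re.IGNORECASE)
# Hypothetical watch-list built from the components named in this thread (CnsMin / 3721 / WinKld).
KNOWN_BAD = re.compile(r"cnsmin|cnshook|cnsm\.dll|\\3721\\|winkld", re.IGNORECASE)


def parse_line(line: str) -> Entry:
    line = line.strip()
    m = RUN_RE.match(line)
    if m:
        return Entry("O4", m.group("name"), m.group("cmd").strip())
    section, _, rest = line.partition(" - ")
    parts = rest.split(" - ")      # "Kind: Name", "{CLSID}", target (the target is always last)
    head = parts[0]
    name = head.split(": ", 1)[1] if ": " in head else head
    return Entry(section, name, parts[-1].strip())


def review_flags(e: Entry) -> List[str]:
    """Reasons an entry deserves a second look; an empty list means nothing stood out."""
    flags: List[str] = []
    if "(no file)" in e.target or e.target.endswith("(file missing)"):
        flags.append("orphaned")   # the registration survives but its file is gone: safe to fix
    if KNOWN_BAD.search(e.target):
        flags.append("known-bad")
    m = RUNDLL_RE.match(e.target)
    if m and "\\system32\\" not in m.group("dll").lower():
        # Heuristic only: rundll32 hosting a DLL outside system32 is how CnsMin persists in
        # this log, but legitimate vendors do it too, so this is a review flag, not a verdict.
        flags.append("rundll32-dll-outside-system32")
    return flags


def parse_log(text: str) -> List[Entry]:
    return [parse_line(l) for l in text.strip().splitlines() if l.strip()]


def review(text: str) -> Dict[str, List[str]]:
    """Map 'section name' -> flags for every flagged entry (names are unique in the sample)."""
    flagged: Dict[str, List[str]] = {}
    for e in parse_log(text):
        flags = review_flags(e)
        if flags:
            flagged[f"{e.section} {e.name}"] = flags
    return flagged


def diff_logs(before: str, after: str) -> Tuple[List[Entry], List[Entry], List[Entry]]:
    """(removed, still_present, newly_added) between two logs from the same machine."""
    b, a = set(parse_log(before)), set(parse_log(after))
    return sorted(b - a), sorted(a & b), sorted(a - b)


if __name__ == "__main__":
    for key, flags in review(LOG_AFTER).items():
        print(f"{key:22} {', '.join(flags)}")
    removed, remaining, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print(f"removed={len(removed)} remaining={len(remaining)} added={len(added)}")
```

Run against the two logs in the thread, the diff shows that only the helper.dll and YLive.exe Run entries dropped out between the scans, while the orphaned BHO and SSODL registrations and the rundll32-hosted CnsM.dll / CnsMin.dll entries are still present in the second log; those are exactly the lines the helper asks HijackThis to fix in the following reply.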

#4 archantis

archantis
  • Topic Starter

  • Members
  • 10 posts

Posted 26 July 2007 - 01:23 AM

And this is the DrWeb CureIt log. Is there anything else I can do to clean my computer?
I appreciate your assistance.

cnsmin.dll;c:\windows\downloaded program files;Adware.Cdn;Incurable.Moved.;
cnsminkp.sys;c:\windows\system32\drivers;Adware.Cdn;Incurable.Moved.;
cns.exe;C:\WINDOWS\system32;Adware.Cdn;Incurable.Moved.;
CnsMinKP.sys;C:\WINDOWS\system32\drivers;Adware.Cdn;Incurable.Moved.;
cnsmin.dll;C:\WINDOWS\Downloaded Program Files;Adware.Cdn;Incurable.Moved.;
CnsMin.dll;C:\WINDOWS\Downloaded Program Files\3721;Adware.Cdn;Incurable.Moved.;
A0016496.exe;C:\System Volume Information\_restore{953639C2-F3D0-4A9B-A034-D81EC1D0215C}\RP10;Tool.Prockill;Incurable.Moved.;
A0022587.dll;C:\System Volume Information\_restore{953639C2-F3D0-4A9B-A034-D81EC1D0215C}\RP12;Adware.Newweb;Incurable.Moved.;
A0022589.sys;C:\System Volume Information\_restore{953639C2-F3D0-4A9B-A034-D81EC1D0215C}\RP12;Adware.Cdn;Incurable.Moved.;
A0022590.exe;C:\System Volume Information\_restore{953639C2-F3D0-4A9B-A034-D81EC1D0215C}\RP12;Adware.Cdn;Incurable.Moved.;
A0022591.dll;C:\System Volume Information\_restore{953639C2-F3D0-4A9B-A034-D81EC1D0215C}\RP12;Adware.Cdn;Incurable.Moved.;
A0023579.DLL;C:\System Volume Information\_restore{953639C2-F3D0-4A9B-A034-D81EC1D0215C}\RP12;Adware.Cdn;Incurable.Moved.;
A0023582.dll;C:\System Volume Information\_restore{953639C2-F3D0-4A9B-A034-D81EC1D0215C}\RP12;Adware.Yassist;Incurable.Moved.;
A0023583.exe;C:\System Volume Information\_restore{953639C2-F3D0-4A9B-A034-D81EC1D0215C}\RP12;Adware.Yassist;Incurable.Moved.;
A0023646.dll;C:\System Volume Information\_restore{953639C2-F3D0-4A9B-A034-D81EC1D0215C}\RP12;Adware.Newweb;Incurable.Moved.;
A0031037.exe;C:\System Volume Information\_restore{953639C2-F3D0-4A9B-A034-D81EC1D0215C}\RP18;Adware.Cdn;Incurable.Moved.;
A0031041.dll;C:\System Volume Information\_restore{953639C2-F3D0-4A9B-A034-D81EC1D0215C}\RP18;Adware.Cdn;Incurable.Moved.;
A0031042.dll;C:\System Volume Information\_restore{953639C2-F3D0-4A9B-A034-D81EC1D0215C}\RP18;Adware.Cdn;Incurable.Moved.;
A0031043.dll;C:\System Volume Information\_restore{953639C2-F3D0-4A9B-A034-D81EC1D0215C}\RP18;Adware.Newweb;Incurable.Moved.;
A0031883.dll;C:\System Volume Information\_restore{953639C2-F3D0-4A9B-A034-D81EC1D0215C}\RP18;Adware.Newweb;Incurable.Moved.;
A0031885.dll;C:\System Volume Information\_restore{953639C2-F3D0-4A9B-A034-D81EC1D0215C}\RP18;Adware.Newweb;Incurable.Moved.;
A0032885.exe;C:\System Volume Information\_restore{953639C2-F3D0-4A9B-A034-D81EC1D0215C}\RP20;Win32.HLLP.ZloyFly;Deleted.;
A0032886.exe;C:\System Volume Information\_restore{953639C2-F3D0-4A9B-A034-D81EC1D0215C}\RP20;Tool.ShutDown.11;Incurable.Moved.;
QuickReboot.exe;C:\Ghost;Tool.ShutDown.11;Incurable.Moved.;
FILE0000.CHK;C:\FOUND.006;Trojan.Winkld;Deleted.;
ssup[1].dll;D:\Documents and Settings\tabo\Local Settings\Temporary Internet Files\Content.IE5\EL181VJK;Adware.Tbh;Incurable.Moved.;
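The CureIt report above is a semicolon-separated list of name;directory;detection;action, and most of its lines are copies that System Restore archived under System Volume Information rather than files on the running system. As an added example that is not part of the original thread and not Dr.Web's own code, here is a Python triage of that format: it parses the rows, splits restore-point copies from live hits, summarises detection families and actions, and calls out kernel drivers (.sys) and the live files that were moved to quarantine rather than deleted. The sample rows are a subset of the report posted above; the grouping rules and field names are my own choices.

```python
"""Triage a Dr.Web CureIt report: separate live hits from System Restore copies and summarise."""
import csv
import io
from collections import Counter
from typing import Any, Dict, List, NamedTuple

# Constructed sample: a subset of the report lines posted above (name;directory;detection;action;).
REPORT = r"""cnsmin.dll;c:\windows\downloaded program files;Adware.Cdn;Incurable.Moved.;
cnsminkp.sys;c:\windows\system32\drivers;Adware.Cdn;Incurable.Moved.;
cns.exe;C:\WINDOWS\system32;Adware.Cdn;Incurable.Moved.;
CnsMin.dll;C:\WINDOWS\Downloaded Program Files\3721;Adware.Cdn;Incurable.Moved.;
A0022591.dll;C:\System Volume Information\_restore{953639C2-F3D0-4A9B-A034-D81EC1D0215C}\RP12;Adware.Cdn;Incurable.Moved.;
A0023582.dll;C:\System Volume Information\_restore{953639C2-F3D0-4A9B-A034-D81EC1D0215C}\RP12;Adware.Yassist;Incurable.Moved.;
A0032885.exe;C:\System Volume Information\_restore{953639C2-F3D0-4A9B-A034-D81EC1D0215C}\RP20;Win32.HLLP.ZloyFly;Deleted.;
QuickReboot.exe;C:\Ghost;Tool.ShutDown.11;Incurable.Moved.;
FILE0000.CHK;C:\FOUND.006;Trojan.Winkld;Deleted.;
"""


class Hit(NamedTuple):
    name: str
    directory: str
    detection: str
    action: str


def parse_report(text: str) -> List[Hit]:
    hits: List[Hit] = []
    for row in csv.reader(io.StringIO(text), delimiter=";"):
        if len(row) >= 4:                      # the trailing ';' yields an empty 5th field; ignore it
            hits.append(Hit(row[0], row[1], row[2], row[3]))
    return hits


def is_restore_point(hit: Hit) -> bool:
    """True for copies that System Restore archived under System Volume Information\\_restore{...}."""
    return "\\system volume information\\_restore" in hit.directory.lower()


def is_driver(hit: Hit) -> bool:
    return hit.name.lower().endswith(".sys")


def triage(text: str) -> Dict[str, Any]:
    hits = parse_report(text)
    live = [h for h in hits if not is_restore_point(h)]
    return {
        "total": len(hits),
        "live": len(live),
        "restore_point": len(hits) - len(live),
        "by_family": Counter(h.detection for h in live),    # families present on the running system
        "by_action": Counter(h.action for h in hits),
        "drivers": [h.name for h in live if is_driver(h)],  # kernel-mode components need extra attention
        "quarantined_live": [f"{h.directory}\\{h.name}" for h in live
                             if h.action.startswith("Incurable.Moved")],
    }


if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value}")
```

Two things this separation makes visible. The "Incurable.Moved." rows were moved to CureIt's own quarantine folder under the user profile, not deleted, so a later scanner will still find them there; that is exactly what happens in the SuperAntiSpyware log further down, which reports Trojan.Downloader-CNS inside ...\DoctorWeb\Quarantine\A0022590.EXE. Those hits, like the restore-point copies, are already contained and should not be read as a live infection. The one .sys hit (cnsminkp.sys in system32\drivers) is a kernel driver and is the component most worth confirming is gone after the reboot.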

#5 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 26 July 2007 - 05:34 AM

It appears you've no virus protection installed.
Download and install one of the freeware options from the choice below.
Once installed, update its definitions and then run a full system virus scan.

AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

Avira AntiVir Personal Edition Classic
http://www.free-av.com/

-----------------------------------------------

Disable Windows Defender's real-time protection, as it will interfere.
* Open Microsoft Windows Defender. Click Start>All Programs>Windows Defender.
* Click on 'Tools'>'Options'.
* Under 'Real-time protection options', unselect the 'Turn on real-time protection' check box
* Click 'Save'.

-----------------------------------------------

Download and install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {669751ED-D558-49AE-B01A-3B374CC7910E} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\CnsHook.dll
O4 - HKLM\..\Run: [CnsM.dll] Rundll32.exe C:\PROGRA~1\3721\CnsM.dll,Rundll32
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O9 - Extra button: 浩方对战平台 - {0A155D3C-68E2-4215-A47A-E800A446447A} - F:\HF\浩方对战平台\GameClient.exe
O9 - Extra button: 雅虎WIDGET - {6354ABE6-05F1-49ed-B850-E423120EC338} - http://cn.widget.yahoo.com/index.htm?source=Cns (file missing)
O9 - Extra button: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.htm?sourc...mp;btn=yahoomsg (file missing)
O18 - Protocol: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - E:\KUGOO\KuGoo2\InExtend\KuGoo3DownXControl.ocx (file missing)
O21 - SSODL: SysTime - {724C75F1-B757-408D-A50A-4CF99DA35D73} - C:\PROGRA~1\WinKld\WinKld.dll (file missing)

Exit Hijackthis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it,then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.

----------------------------------------------

Please download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.


Also post a fresh Hijackthis log.

#6 archantis

archantis
  • Topic Starter

  • Members
  • 10 posts

Posted 27 July 2007 - 01:24 AM

OK, I've scanned with SAP and here is the log. By the way, for some reason my computer's screen goes blank at random times, but the computer is still running.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/27/2007 at 01:40 PM

Application Version : 3.9.1008

Core Rules Database Version : 3275
Trace Rules Database Version: 1286

Scan type : Complete Scan
Total Scan Time : 00:54:42

Memory items scanned : 326
Memory threats detected : 0
Registry items scanned : 4172
Registry threats detected : 0
File items scanned : 25390
File threats detected : 32

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.ak.facebook[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@a[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adbrite[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@revsci[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@perf.overture[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.adbrite[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@cgi-bin[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@bs.serving-sys[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@atwola[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@videoegg.adbureau[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adinterax[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@247realmedia[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@metacafe.122.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt
D:\Documents and Settings\tabo\Cookies\tabo@adbrite[2].txt
D:\Documents and Settings\tabo\Cookies\tabo@ad.zanox[1].txt
D:\Documents and Settings\tabo\Cookies\tabo@2o7[1].txt
D:\Documents and Settings\tabo\Cookies\tabo@atdmt[2].txt
D:\Documents and Settings\tabo\Cookies\tabo@thinkmedia[1].txt
D:\Documents and Settings\tabo\Cookies\tabo@doubleclick[2].txt
D:\Documents and Settings\tabo\Cookies\tabo@fastclick[2].txt
D:\Documents and Settings\tabo\Cookies\tabo@v1.textclick[1].txt
D:\Documents and Settings\tabo\Cookies\tabo@ehzu.t2click[2].txt
D:\Documents and Settings\tabo\Cookies\tabo@astats[2].txt
D:\Documents and Settings\tabo\Cookies\tabo@sex.flash920[2].txt
D:\Documents and Settings\tabo\Cookies\tabo@msnportal.112.2o7[1].txt

Trojan.Downloader-CNS
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\DOCTORWEB\QUARANTINE\A0022590.EXE

#7 archantis

archantis
  • Topic Starter

  • Members
  • 10 posts

Posted 27 July 2007 - 01:26 AM

Here is the long ComboFix log =)


"Administrator" - 2007-07-26 21:20:17 [GMT 8:00] - ComboFix 07-07-24.5 - Service Pack 2 FAT32
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0HYBKPUB\CnsMinM[1].ini
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0HYBKPUB\CnsMinUp[1].ini
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0PSVWFWB\CnsMinIO[1].cab
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CDIJKLEN\CnsMinUp[1].ini
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CL2FOLAN\CnsMinAL[1].cab
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CL2FOLAN\CnsMinDT[1].cab
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CL2FOLAN\CnsMinExM[1].cab
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CL2FOLAN\CnsMinHK[1].cab
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CPMNK927\CnsMinCgM[1].ini
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CPMNK927\CnsMinExM[1].ini
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\G9AJ8D23\CnsMinExM[1].ini
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin10.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin11.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin12.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin13.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin14.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin15.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin16.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin17.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin18.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin19.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin20.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin21.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin22.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin23.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin24.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin25.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin26.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin27.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin28.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin29.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin3.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin30.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin31.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin32.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin33.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin34.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin35.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin36.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin37.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin38.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin39.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin4.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin40.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin41.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin42.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin43.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin44.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin45.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin46.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin47.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin48.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin49.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin5.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin50.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin51.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin52.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin53.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin54.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin55.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin56.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin57.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin58.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin59.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin6.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin60.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin61.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin62.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin7.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin8.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin9.zip
C:\Program Files\3721\3721\AutoLive.dll
C:\Program Files\3721\3721\Helper.dll
C:\Program Files\3721\alliveex.dll
C:\Program Files\3721\alrex.dll
C:\Program Files\3721\autolive.dll
C:\Program Files\3721\autolive.ini
C:\Program Files\3721\autolvsw.ini
C:\Program Files\3721\cns01.dat
C:\Program Files\3721\cns03.dat
C:\Program Files\3721\cnsm.dll
C:\Program Files\3721\CNSMIN.DAT
C:\Program Files\3721\Helper.dll
C:\Program Files\3721\notifier.dll
C:\Program Files\3721\windex.dat
C:\Program Files\3721\winhex.dat
C:\Program Files\ad4all
C:\Program Files\ad4all\Install.exe
C:\Program Files\ad4all\install.ini
C:\Program Files\ad4all\link1\ebaylink.htm
C:\Program Files\ad4all\link1\ebaylink.ico
C:\Program Files\ad4all\link1\install.ini
C:\Program Files\ad4all\link2\install.ini
C:\Program Files\ad4all\link2\phone.htm
C:\Program Files\ad4all\link2\phone.ico
C:\Program Files\yahoo!\assist~1
C:\Program Files\yahoo!\assist~1\Assist\CoolBar\prodef.ini
C:\Program Files\yahoo!\assist~1\Assist\CoolBar\profile.ini
C:\Program Files\yahoo!\assist~1\Assist\float.gif
C:\Program Files\yahoo!\assist~1\Assist\Images\adkiller.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\alert.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\alertnew.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\anitvirus.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\assist.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\clear.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\custheme.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\gouwu.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\hilight.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\iefix.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\logo.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\music.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\musiclink.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\musictop.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\picture.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\search.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\searchtop.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\settings.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\Thumbs.db
C:\Program Files\yahoo!\assist~1\Assist\Images\yphtb.bmp
C:\Program Files\yahoo!\assist~1\Assist\Images\yrss.bmp
C:\Program Files\yahoo!\assist~1\Assist\myrss.xml
C:\Program Files\yahoo!\assist~1\Assist\SearchBar\prodef.ini
C:\Program Files\yahoo!\assist~1\Assist\SearchBar\profile.ini
C:\Program Files\yahoo!\assist~1\Assist\SecurityBar\prodef.ini
C:\Program Files\yahoo!\assist~1\Assist\SecurityBar\profile.ini
C:\Program Files\yahoo!\assist~1\Assist\sound.wav
C:\Program Files\yahoo!\assist~1\Assist\Update\yxpstyle.dll
C:\Program Files\yahoo!\assist~1\Assist\yadfilter.dll
C:\Program Files\yahoo!\assist~1\Assist\yadwreg.dll
C:\Program Files\yahoo!\assist~1\Assist\yangling.dll
C:\Program Files\yahoo!\assist~1\Assist\yasbar.dll
C:\Program Files\yahoo!\assist~1\Assist\yascenter.exe
C:\Program Files\yahoo!\assist~1\Assist\yasierres.dll
C:\Program Files\yahoo!\assist~1\Assist\yasiesec.dll
C:\Program Files\yahoo!\assist~1\Assist\yaskpsec.dat
C:\Program Files\yahoo!\assist~1\Assist\yasnoad.dll
C:\Program Files\yahoo!\assist~1\Assist\yassecblk.dll
C:\Program Files\yahoo!\assist~1\Assist\yassisres.dll
C:\Program Files\yahoo!\assist~1\Assist\yassist.dll
C:\Program Files\yahoo!\assist~1\Assist\yassistex.dll
C:\Program Files\yahoo!\assist~1\Assist\yassistn.ini
C:\Program Files\yahoo!\assist~1\Assist\yassistnsw.ini
C:\Program Files\yahoo!\assist~1\Assist\yaswiper.dll
C:\Program Files\yahoo!\assist~1\Assist\ydragsearch.dll
C:\Program Files\yahoo!\assist~1\Assist\yeheocx.dll
C:\Program Files\yahoo!\assist~1\Assist\ykeepmain.dll
C:\Program Files\yahoo!\assist~1\Assist\yoptimum.dll
C:\Program Files\yahoo!\assist~1\Assist\yphishbrule.dat
C:\Program Files\yahoo!\assist~1\Assist\yphishrule.dat
C:\Program Files\yahoo!\assist~1\Assist\yphotoseasy.dll
C:\Program Files\yahoo!\assist~1\Assist\yphtb.dll
C:\Program Files\yahoo!\assist~1\Assist\yrepair.dll
C:\Program Files\yahoo!\assist~1\Assist\yrss.dll
C:\Program Files\yahoo!\assist~1\Assist\ysettings.dll
C:\Program Files\yahoo!\assist~1\Assist\yuninst.dll
C:\Program Files\yahoo!\assist~1\Assist\ywiper.dll
C:\Program Files\yahoo!\assist~1\Assist\yxpstyle.dll
C:\Program Files\yahoo!\assist~1\Assist\yzsnetproto.dll
C:\Program Files\yahoo!\assist~1\Shell\yAsMenu.dll
C:\Program Files\yahoo!\assist~1\Shell\yAssecblk.dll
C:\Program Files\yahoo!\assist~1\Shell\yIEAngel.dll
C:\Program Files\yahoo!\assist~1\Shell\yMenuInfo.dll
C:\Program Files\yahoo!\assist~1\Update\yscrblock.dll
C:\Program Files\yahoo!\assist~1\yal01.dat
C:\Program Files\yahoo!\assist~1\YAlive.dll
C:\Program Files\yahoo!\assist~1\yalive.dll.1.log
C:\Program Files\yahoo!\assist~1\yalive.dll.2.log
C:\Program Files\yahoo!\assist~1\yalive.ini
C:\Program Files\yahoo!\assist~1\yalliveex.dll
C:\Program Files\yahoo!\assist~1\yalvsw.ini
C:\Program Files\yahoo!\assist~1\yassistse.exe
C:\Program Files\yahoo!\assist~1\yhelper.dll
C:\Program Files\yahoo!\assist~1\ylive.exe
C:\Program Files\yahoo!\assist~1\ynotifier.dll
C:\Program Files\yahoo!\assist~1\yscrblock.dll
C:\WINDOWS\DOWNLO~1.\3721
C:\WINDOWS\DOWNLO~1.\keepmain.dll
C:\WINDOWS\DOWNLO~1.\keepmainm.cab
C:\WINDOWS\DOWNLO~1.\sms.ico
C:\WINDOWS\DOWNLO~1.\taobao.ico
C:\WINDOWS\DOWNLO~1.\yahoomsg.ico
C:\WINDOWS\DOWNLO~1.\ymail.ico
C:\WINDOWS\DOWNLO~1\CnsHint.cab
C:\WINDOWS\DOWNLO~1\cnshint.dll
C:\WINDOWS\DOWNLO~1\CnsHook.dll
C:\WINDOWS\DOWNLO~1\CnsHook.dll.1.log
C:\WINDOWS\DOWNLO~1\CnsHook.dll.2.log
C:\WINDOWS\DOWNLO~1\cnsio.dll
C:\WINDOWS\DOWNLO~1\CnsMin.dll
C:\WINDOWS\DOWNLO~1\CnsMin.ini
C:\WINDOWS\DOWNLO~1\CnsMinAL.cab
C:\WINDOWS\DOWNLO~1\CnsMinCg.ini
C:\WINDOWS\DOWNLO~1\CnsMinDT.cab
C:\WINDOWS\DOWNLO~1\CnsMinDT.dll
C:\WINDOWS\DOWNLO~1\CnsMinEx.cab
C:\WINDOWS\DOWNLO~1\CnsMinEx.dll
C:\WINDOWS\DOWNLO~1\CnsMinEx.ini
C:\WINDOWS\DOWNLO~1\CnsMinHK.cab
C:\WINDOWS\DOWNLO~1\CnsMinIO.cab
C:\WINDOWS\DOWNLO~1\CnsMinIO.dll
C:\WINDOWS\DOWNLO~1\CnsMinUp.cab
C:\WINDOWS\DOWNLO~1\CnsPlus.cab
C:\WINDOWS\DOWNLO~1\cnsplus.dll
C:\WINDOWS\DOWNLO~1\CnsUp.ini
C:\WINDOWS\system32\cns.dat
C:\WINDOWS\system32\cns.dll
C:\WINDOWS\system32\cns.exe
C:\WINDOWS\system32\drivers\CnsMinKP.sys


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CNSMINKP
-------\CnsMinKP


((((((((((((((((((((((((( Files Created from 2007-06-26 to 2007-07-26 )))))))))))))))))))))))))))))))


2007-07-26 21:27 <DIR> d--hs---- C:\FOUND.023
2007-07-26 20:56 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-26 20:43 <DIR> d--hs---- C:\FOUND.022
2007-07-26 16:50 49,152 --a------ C:\WINDOWS\system32\drivers\memepcr.sys
2007-07-25 18:32 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DoctorWeb
2007-07-25 17:21 <DIR> d--hs---- C:\FOUND.021
2007-07-25 15:53 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-07-25 15:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-25 15:46 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-25 15:46 <DIR> d-------- C:\DOCUME~1\ADMINI~1\.housecall6.6
2007-07-25 15:06 <DIR> d--hs---- C:\FOUND.020
2007-07-25 13:07 <DIR> d-------- C:\Program Files\Windows Defender
2007-07-25 13:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-07-24 12:26 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-07-24 12:22 1,482,752 --ah----- C:\DOCUME~1\TEMP\NTUSER.DAT
2007-07-24 12:22 <DIR> dr------- C:\DOCUME~1\TEMP\「开始」菜单
2007-07-24 12:22 <DIR> d---s---- C:\DOCUME~1\TEMP\UserData
2007-07-24 12:22 <DIR> d-------- C:\DOCUME~1\TEMP\桌面
2007-07-24 12:22 <DIR> d-------- C:\DOCUME~1\TEMP\APPLIC~1\Real
2007-07-24 12:22 <DIR> d-------- C:\DOCUME~1\TEMP\APPLIC~1\Media Player Classic
2007-07-24 12:22 <DIR> d-------- C:\DOCUME~1\TEMP\APPLIC~1\Help
2007-07-24 10:34 174,592 --a------ C:\WINDOWS\system32\framedyn.dll
2007-07-24 10:33 94,000 --a------ C:\WINDOWS\system32\drivers\ss_mdm.sys
2007-07-24 10:33 8,304 --a------ C:\WINDOWS\system32\drivers\ss_mdfl.sys
2007-07-24 10:33 6,144 --a------ C:\WINDOWS\system32\drivers\ss_cmnt.sys
2007-07-24 10:33 6,144 --a------ C:\WINDOWS\system32\drivers\ss_cm.sys
2007-07-24 10:33 58,320 --a------ C:\WINDOWS\system32\drivers\ss_bus.sys
2007-07-24 10:33 5,808 --a------ C:\WINDOWS\system32\drivers\ss_whnt.sys
2007-07-24 10:33 5,808 --a------ C:\WINDOWS\system32\drivers\ss_wh.sys
2007-07-24 10:33 <DIR> d-------- C:\WINDOWS\system32\Samsung_USB_Drivers
2007-07-24 10:31 5,632 --a------ C:\WINDOWS\system32\drivers\StarOpen.sys
2007-07-24 10:30 <DIR> d-------- C:\Program Files\Samsung
2007-07-24 06:48 <DIR> d-------- C:\WINDOWS\system32\3721
2007-07-24 06:47 5 --a------ C:\WINDOWS\ycns.dat
2007-07-24 06:47 <DIR> d-------- C:\Program Files\Yahoo!
2007-07-24 04:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-07-23 19:55 <DIR> d--hs---- C:\FOUND.019
2007-07-23 14:22 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-23 14:04 <DIR> d--hs---- C:\FOUND.018
2007-07-23 13:42 57,126,642 --a------ C:\20070528085713781_Samsung_PC_Studio_312_GEA.exe
2007-07-23 11:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
2007-07-22 23:06 <DIR> d--hs---- C:\FOUND.017
2007-07-22 10:33 <DIR> d--hs---- C:\FOUND.016
2007-07-21 19:09 <DIR> d--hs---- C:\FOUND.015
2007-07-21 17:00 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-07-21 17:00 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-07-21 16:59 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-07-21 14:43 <DIR> d-------- C:\Program Files\Comprozard
2007-07-21 14:42 65,536 --a------ C:\WINDOWS\IFinst27.exe
2007-07-21 12:31 <DIR> d-------- C:\WINDOWS\ERUNT
2007-07-21 12:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-21 12:08 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-21 12:08 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-21 11:53 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-21 10:58 <DIR> d--hs---- C:\FOUND.014
2007-07-20 18:50 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Contacts
2007-07-20 18:49 <DIR> d-------- C:\WINDOWS\system32\DRVSTORE
2007-07-20 18:49 <DIR> d-------- C:\Program Files\MSN Messenger
2007-07-19 10:16 <DIR> d--hs---- C:\FOUND.013
2007-07-19 00:46 <DIR> d--hs---- C:\FOUND.012
2007-07-14 04:38 <DIR> d--hs---- C:\FOUND.011
2007-07-12 11:50 <DIR> d--hs---- C:\FOUND.010
2007-07-11 04:00 <DIR> d-------- C:\TDDOWNLOAD
2007-07-11 04:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\thunder_vod_cache
2007-07-11 03:48 <DIR> d-------- C:\Program Files\Chinagames
2007-07-10 02:42 153,088 --a------ C:\WINDOWS\system32\UNWISE.EXE
2007-07-09 10:43 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic Foundry
2007-07-09 10:43 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Publish Providers
2007-07-09 10:43 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\NetMedia Providers
2007-07-09 10:41 665,424 --a------ C:\WINDOWS\system32\wmv8dmoe.dll
2007-07-09 10:41 572,752 --a------ C:\WINDOWS\system32\wmvdmoe.dll
2007-07-09 10:41 438,608 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2007-07-09 10:41 1,683,792 --a------ C:\WINDOWS\system32\wmvcore2.dll
2007-07-09 09:11 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Tencent
2007-07-06 08:54 <DIR> d--hs---- C:\FOUND.009
2007-07-06 08:18 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\QQDoctor
2007-07-04 09:23 <DIR> d--hs---- C:\FOUND.008
2007-07-01 12:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Skype
2007-07-01 12:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype
2007-06-30 17:32 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-26 12:54:14 1,300 ----a-w C:\WINDOWS\system32\cid_store.dat
2007-07-26 08:46:06 8,672 ----a-w C:\WINDOWS\mslistenido.dat
2007-07-26 08:46:06 5,256 ----a-w C:\WINDOWS\LoginUsers.dat
2007-07-21 14:54:58 42,234 ----a-w C:\WINDOWS\system32\prfc0804.dat
2007-07-21 14:54:58 119,958 ----a-w C:\WINDOWS\system32\prfh0804.dat
2007-06-13 01:58:54 147,456 ----a-w C:\WINDOWS\system32\Scrax.dll
2007-05-16 15:13:34 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{11F09AFC-75AD-4E51-AB43-E09E9351CE16}]
2007-06-08 17:49 100056 --a------ F:\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"stup.exe"="C:\PROGRA~1\TENCENT\SSPlus\SPlus.dll" [2007-07-16 10:15]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-23 06:13]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-07-26 20:59]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 12:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\
QQ游戏启动加速程序.lnk - C:\Program Files\TENCENT\QQGAME\Accel.exe [2007-01-12 12:01:27]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^「开始」菜单^程序^启动^腾讯QQ.lnk]
path=C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\腾讯QQ.lnk
backup=C:\WINDOWS\pss\腾讯QQ.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HF_GameClient]
F:\HF\浩方对战平台\gameclient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

R0 uagp35;Microsoft AGPv3.5 Filter;C:\WINDOWS\system32\DRIVERS\uagp35.sys
R1 FsVga;FsVga;C:\WINDOWS\system32\DRIVERS\fsvga.sys
R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R1 StarOpen;StarOpen;C:\WINDOWS\system32\drivers\StarOpen.sys
R3 FETNDISB;VIA Rhine Family Fast Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5b.sys
R3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
S1 ADProt;ADProt;C:\WINDOWS\system32\drivers\ADProt.sys
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\C:\WINDOWS\system32\drivers\NSDriver.sys
S3 AmdK8;AMD K8 Processor Driver;C:\WINDOWS\system32\DRIVERS\amdk8.sys
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\fetnd5.sys
S3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver;C:\WINDOWS\system32\drivers\msmpu401.sys
S3 npkycryp;npkycryp;\??\C:\Program Files\QQ2006\npkycryp.sys
S3 sermouse;Serial Mouse Driver;C:\WINDOWS\system32\drivers\sermouse.sys
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys


Contents of the 'Scheduled Tasks' folder
2007-07-26 12:54:26 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-26 21:28:10
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-26 21:30:48 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-26 21:30

--- E O F ---

#8 archantis
  • Topic Starter
  • Members
  • 10 posts

Posted 27 July 2007 - 02:06 AM

And finally, here is the new HJT log. What's next then?

Logfile of HijackThis v1.99.1
Scan saved at 15:06:33, on 2007-7-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\winhlp32.exe
C:\Program Files\TT\TTraveler.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - F:\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: ThunderBHO - {11F09AFC-75AD-4E51-AB43-E09E9351CE16} - F:\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [stup.exe] Rundll32.exe C:\PROGRA~1\TENCENT\SSPlus\SPlus.dll,Rundll32 R
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: QQ游戏启动加速程序.lnk = C:\Program Files\TENCENT\QQGAME\Accel.exe
O8 - Extra context menu item: 使用迅雷下载 - F:\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - F:\Thunder Network\Thunder\Program\getallurl.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\QQ2006\AddEmotion.htm
O8 - Extra context menu item: 解霸实时播放 - C:\Program Files\HEROSOFT\Hero3000\MPURLGET.HTM
O8 - Extra context menu item: 雅虎搜索 - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/246
O9 - Extra button: 浩方对战平台 - {0A155D3C-68E2-4215-A47A-E800A446447A} - F:\HF\浩方对战平台\GameClient.exe
O9 - Extra button: 雅虎WIDGET - {6354ABE6-05F1-49ed-B850-E423120EC338} - http://cn.widget.yahoo.com/index.htm?source=Cns (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E787FD25-8D7C-4693-AE67-9406BC6E22DF} (PasswordEditCtrl Class) - https://www.tenpay.com/download/qqedit.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{752F7144-0A59-4738-91BB-3C44DA4F64A0}: NameServer = 202.96.128.68 202.96.128.166
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#9 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 27 July 2007 - 03:52 AM

Your log is clean :thumbsup:
If all's ok, please do the following.

Find and delete:
SDFix.exe
Combofix.exe

C:\SDFix
C:\QOOBOX
C:\Documents and Settings\userprofile\DoctorWeb

---------------------------------------------

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

--------------------------------------------

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear; click on OK.
The 'Disk Cleanup for [C:]' box will appear; click on the 'More Options' tab.
At the bottom, in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?'; click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

By the way, for some reason my computer's screen goes blank at random times, but the computer is still running.

This problem sounds like a possible hardware issue.
Start a new topic at the link below, giving as much detail as possible.
Hardware:
http://www.bleepingcomputer.com/forums/f/7/internal-hardware/

#10 archantis
  • Topic Starter
  • Members
  • 10 posts

Posted 27 July 2007 - 04:13 AM

Thanks for all your help. I'll be back if there's any more problems =) Thank you!!!

#11 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 27 July 2007 - 08:44 AM

You're welcome :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.