Can you help me?

Discussion in 'adware, spyware & hijack cleaning' started by Reynold, Feb 14, 2004.

Thread Status:
Not open for further replies.
  1. Reynold

    Reynold Guest

    Logfile of HijackThis v1.97.7
    Scan saved at 21:18:52, on 2004/2/14
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\System32\PGPsdkServ.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\loadqm.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\DeskColor\DeskColor.exe
    C:\Program Files\KKman\KKMAN.exe
    C:\Documents and Settings\Administrator\桌面\HijackThis.exe

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - _{1B0E7716-898E-48cc-9690-4E338E8DE1D3} - (no file)
    R3 - URLSearchHook: (no name) - _{D157330A-9EF3-49F8-9A67-4141AC41ADD4} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\Net Transport\NTIEHelper.dll
    O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - (no file)
    O2 - BHO: CCIT Memory Manager - {DF25C5CB-37CF-4634-AB96-6959740AD2B0} - C:\WINNT\DOWNLO~1\cytdcli.dll
    O3 - Toolbar: o_O?? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: NTUSER.DAT
    O4 - Startup: ntuser.dat.LOG
    O4 - Startup: ntuser.ini
    O4 - Startup: lastopen.ini
    O4 - Startup: KKman.ini
    O4 - Startup: AD.html
    O4 - Startup: ntuser.pol
    O4 - Startup: plugin130_02.trace
    O4 - Global Startup: ntuser.pol
    O8 - Extra context menu item: 使用影音傳送帶下載 [Download with Net Transport] - C:\PROGRA~1\XI\NETTRA~1\NTAddLink.html
    O8 - Extra context menu item: 使用影音傳送帶下載全部連結 [Download all links with Net Transport] - C:\PROGRA~1\XI\NETTRA~1\NTAddList.html
    O13 - DefaultPrefix:
    O13 - WWW Prefix:
    O13 - Home Prefix:
    O13 - Mosaic Prefix:
    O14 - IERESET.INF: START_PAGE_URL=http://tw.yahoo.com
    O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://64.156.31.70/058623tw.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {6D153D8C-521C-483E-828C-66A72AA7C902} (Cytd Encipherment Memory) - http://61.153.1.34/cytdcli.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {C7BD467B-0B38-442F-840F-3F048E7F6005} (RootKeyDistributor Class) - http://grca.nat.gov.tw/pse/CHTPKI_PSE.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3FE90D3F-E65F-4088-8C15-A69223F5023F}: NameServer = 168.95.192.1 168.95.1.1
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi there,

    Have HijackThis fix the following :

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - _{1B0E7716-898E-48cc-9690-4E338E8DE1D3} - (no file)
    R3 - URLSearchHook: (no name) - _{D157330A-9EF3-49F8-9A67-4141AC41ADD4} - (no file)

    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

    O13 - DefaultPrefix:
    O13 - WWW Prefix:
    O13 - Home Prefix:
    O13 - Mosaic Prefix:

    O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://64.156.31.70/058623tw.exe
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab

    Restart the PC after doing so.

    You do recognise these, do you?:

    O2 - BHO: CCIT Memory Manager - {DF25C5CB-37CF-4634-AB96-6959740AD2B0} - C:\WINNT\DOWNLO~1\cytdcli.dll
    O16 - DPF: {6D153D8C-521C-483E-828C-66A72AA7C902} (Cytd Encipherment Memory) - http://61.153.1.34/cytdcli.CAB

    Hope this helps

    Cheers,
     
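The reasoning behind a fix list like the one above can be written down as a handful of checks: entries whose backing file is gone, O13 prefixes that have been blanked, a BHO sitting in Downloaded Program Files, and O16 ActiveX downloads that come from a raw IP, point at an .exe, or are unnamed controls from a host nobody recognises. The script below is an added example for this thread, not code from HijackThis or from any of the posters; the sample log lines are copied from Reynold's post, and the allowlist of known-good ActiveX hosts (TRUSTED_DPF_HOSTS) is an assumption chosen for the example. It reproduces Unzy's list and additionally flags the orphaned O2 entry that shares the D157330A CLSID with one of the R3 hooks.

```python
"""Triage heuristics for HijackThis v1.97 log entries (added example; not
HijackThis code). SAMPLE_LOG is copied from the thread; TRUSTED_DPF_HOSTS is
an allowlist assumed for the example."""
import re
from urllib.parse import urlparse

# ActiveX download hosts accepted without a second look (assumption).
TRUSTED_DPF_HOSTS = ("microsoft.com", "macromedia.com", "msn.com", "nat.gov.tw")

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
DPF_RE = re.compile(
    r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$"
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
CLSID_RE = re.compile(r"\{([0-9A-Fa-f-]{36})\}")


def _trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS)


def triage_line(line):
    """Reasons this entry deserves action; an empty list means leave it alone."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    sec, body = m.group("sec"), m.group("body")
    reasons = []
    # R3/O2/O3 entries ending in "(no file)" are registrations whose DLL is
    # gone: leftovers of a removed program that HijackThis can safely drop.
    if sec in ("R3", "O2", "O3") and body.endswith("(no file)"):
        reasons.append("fix: registered component with no file on disk")
    # O13 lines only appear when a prefix differs from the default; an empty
    # value means it was blanked, so the default should be restored.
    if sec == "O13" and body.rstrip().endswith("Prefix:"):
        reasons.append("fix: URL prefix is empty instead of the default")
    # A BHO living in Downloaded Program Files was installed by a web page.
    if sec == "O2" and "\\DOWNLO~1\\" in body.upper():
        reasons.append("review: BHO loaded from Downloaded Program Files")
    # O16 (ActiveX download) entries: raw-IP hosts, .exe payloads, and unnamed
    # controls from hosts outside the allowlist all need a second look.
    if sec == "O16":
        d = DPF_RE.match(body)
        if d:  # a truncated O16 line does not match and is simply skipped
            url = urlparse(d.group("url"))
            host = (url.hostname or "").lower()
            if IPV4_RE.match(host):
                reasons.append("review: control served from a raw IP address")
            if url.path.lower().endswith(".exe"):
                reasons.append("review: entry points at an .exe, not a .cab")
            if not d.group("name") and not _trusted(host):
                reasons.append("review: unnamed control from an untrusted host")
    return reasons


def triage(log):
    """Map each flagged line (stripped) to its reasons, in log order."""
    flagged = {}
    for line in log.splitlines():
        reasons = triage_line(line)
        if reasons:
            flagged[line.strip()] = reasons
    return flagged


def flagged_clsids(log):
    """Upper-cased CLSIDs of flagged entries (O13 prefix lines carry none)."""
    out = set()
    for line in triage(log):
        c = CLSID_RE.search(line)
        if c:
            out.add(c.group(1).upper())
    return out


# Lines copied from the log posted in this thread; the truncated O16 line is
# kept to show that an unparseable entry is skipped rather than crashing.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{1B0E7716-898E-48cc-9690-4E338E8DE1D3} - (no file)
R3 - URLSearchHook: (no name) - _{D157330A-9EF3-49F8-9A67-4141AC41ADD4} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - (no file)
O2 - BHO: CCIT Memory Manager - {DF25C5CB-37CF-4634-AB96-6959740AD2B0} - C:\WINNT\DOWNLO~1\cytdcli.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://64.156.31.70/058623tw.exe
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {6D153D8C-521C-483E-828C-66A72AA7C902} (Cytd Encipherment Memory) - http://61.153.1.34/cytdcli.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(entry)
        for r in reasons:
            print("   ", r)
```

The "fix" verdicts are the ones a helper hands straight to HijackThis; the "review" verdicts are the ones that still need the user's answer to "do you recognise this?", which is exactly the split Unzy made. The allowlist is deliberately short: an unnamed control from a vendor host you trust gets a pass, anything else gets a question.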
  3. Reynold

    Reynold Guest

    Yeah, it helps very much. Thanks!
    But I don't know what this means:

    You do recognise these, do you?:

    O2 - BHO: CCIT Memory Manager - {DF25C5CB-37CF-4634-AB96-6959740AD2B0} - C:\WINNT\DOWNLO~1\cytdcli.dll
    O16 - DPF: {6D153D8C-521C-483E-828C-66A72AA7C902} (Cytd Encipherment Memory) - http://61.153.1.34/cytdcli.CAB


    Should I have Hijackthis fix them?
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Reynold,

    What Unzy meant (I guess) was to ask whether you knew where you picked up that BHO.

    It looks to be from a Chinese telecom company, but that is hard for us to verify.
    If you don't know, I would indeed advise fixing those two entries. If you do know, I would appreciate it if you could tell us.

    Regards,

    Pieter
     
  5. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Pieter and Reynold,

    Yep, that was what I meant. I wanted to have some more info if the user knew it (installed it, or knew where he picked it up) so you and Tony could add it to the BHO list.

    Cheers,
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Good thinking, as usual, Unzy. :)

    Pieter
     
  7. Reynold

    Reynold Guest

    I don't know when or where I downloaded it.
    I even think that I have never done so.
    And I can't find the two files on my computer at the moment. So, I fixed it.

    Thanks a lot!
     
  8. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Reynold,

    Well, that's OK.

    The important thing is that all is well again on your PC.

    Take care

    Cheers,
     