Can you help me?

Discussion in 'adware, spyware & hijack cleaning' started by Reynold, Feb 14, 2004.

Thread Status:
Not open for further replies.
  1. Reynold

    Reynold Guest

    Logfile of HijackThis v1.97.7
    Scan saved at 21:18:52, on 2004/2/14
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\System32\PGPsdkServ.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\loadqm.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\DeskColor\DeskColor.exe
    C:\Program Files\KKman\KKMAN.exe
    C:\Documents and Settings\Administrator\桌面\HijackThis.exe

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - _{1B0E7716-898E-48cc-9690-4E338E8DE1D3} - (no file)
    R3 - URLSearchHook: (no name) - _{D157330A-9EF3-49F8-9A67-4141AC41ADD4} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\Net Transport\NTIEHelper.dll
    O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - (no file)
    O2 - BHO: CCIT Memory Manager - {DF25C5CB-37CF-4634-AB96-6959740AD2B0} - C:\WINNT\DOWNLO~1\cytdcli.dll
    O3 - Toolbar: o_O?? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: NTUSER.DAT
    O4 - Startup: ntuser.dat.LOG
    O4 - Startup: ntuser.ini
    O4 - Startup: lastopen.ini
    O4 - Startup: KKman.ini
    O4 - Startup: AD.html
    O4 - Startup: ntuser.pol
    O4 - Startup: plugin130_02.trace
    O4 - Global Startup: ntuser.pol
    O8 - Extra context menu item: 使用影音傳送帶下載 - C:\PROGRA~1\XI\NETTRA~1\NTAddLink.html
    O8 - Extra context menu item: 使用影音傳送帶下載全部連結 - C:\PROGRA~1\XI\NETTRA~1\NTAddList.html
    O13 - DefaultPrefix:
    O13 - WWW Prefix:
    O13 - Home Prefix:
    O13 - Mosaic Prefix:
    O14 - IERESET.INF: START_PAGE_URL=http://tw.yahoo.com
    O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://64.156.31.70/058623tw.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {6D153D8C-521C-483E-828C-66A72AA7C902} (Cytd Encipherment Memory) - http://61.153.1.34/cytdcli.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {C7BD467B-0B38-442F-840F-3F048E7F6005} (RootKeyDistributor Class) - http://grca.nat.gov.tw/pse/CHTPKI_PSE.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3FE90D3F-E65F-4088-8C15-A69223F5023F}: NameServer = 168.95.192.1 168.95.1.1
     
  2. Unzy

    Unzy Registered Member

    Joined: Nov 2, 2003; Posts: 1,098; Location: Belgium

    Hi there,

    Have HijackThis fix the following :

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - _{1B0E7716-898E-48cc-9690-4E338E8DE1D3} - (no file)
    R3 - URLSearchHook: (no name) - _{D157330A-9EF3-49F8-9A67-4141AC41ADD4} - (no file)

    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

    O13 - DefaultPrefix:
    O13 - WWW Prefix:
    O13 - Home Prefix:
    O13 - Mosaic Prefix:

    O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://64.156.31.70/058623tw.exe
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab

    restart the PC after doing so

    You do recognise these, do you? :

    O2 - BHO: CCIT Memory Manager - {DF25C5CB-37CF-4634-AB96-6959740AD2B0} - C:\WINNT\DOWNLO~1\cytdcli.dll
    O16 - DPF: {6D153D8C-521C-483E-828C-66A72AA7C902} (Cytd Encipherment Memory) - http://61.153.1.34/cytdcli.CAB

    Hope this helps

    Cheers,
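
Added example, not part of the original posts and not HijackThis's own logic: a short Python triage pass over a HijackThis log that flags the kinds of entries listed in the reply above. The three rules (registered file missing, empty O13 prefix, O16 download from a bare IP host) are assumptions inferred from that fix list, and the sample lines are copied from the log in this thread.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of the log lines posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O13 - WWW Prefix:
O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://64.156.31.70/058623tw.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")  # section code, then the rest
URL = re.compile(r"https?://\S+")

def host_is_ip(url):
    """True when the URL's host is an IP literal rather than a DNS name."""
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False

def triage(log_text):
    """Return (section, entry, reasons) for each line matching a heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header, process list or blank line
        section, body = m.groups()
        reasons = []
        if body.rstrip().endswith("(no file)"):
            reasons.append("registered file missing")
        if section == "O13" and body.split(":", 1)[-1].strip() == "":
            reasons.append("empty URL prefix")
        if section == "O16":
            url = URL.search(body)
            if url is None:
                reasons.append("no source URL (incomplete entry)")
            elif host_is_ip(url.group()):
                reasons.append("downloaded from bare IP host")
        if reasons:
            findings.append((section, body.strip(), reasons))
    return findings
```

The fix list above also contains a DPF entry served from a named host, which none of these rules catch, so output like this only narrows a log for a human reviewer.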
     
  3. Reynold

    Reynold Guest

    Yah, it helps very much. Thanks!
    But I don't know what it means:

    You do recognise these, do you? :

    O2 - BHO: CCIT Memory Manager - {DF25C5CB-37CF-4634-AB96-6959740AD2B0} - C:\WINNT\DOWNLO~1\cytdcli.dll
    O16 - DPF: {6D153D8C-521C-483E-828C-66A72AA7C902} (Cytd Encipherment Memory) - http://61.153.1.34/cytdcli.CAB


    Should I have HijackThis fix them?
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined: Apr 27, 2002; Posts: 13,440; Location: Netherlands

    Hi Reynold,

    What Unzy meant (I guess) was if you knew where you picked up that BHO.

    It looks to be from a Chinese Telecom company, but that is hard for us to verify.
    If you don't know, I would indeed advise you to fix those two entries. If you do know, I would appreciate it if you could tell us.

    Regards,

    Pieter
     
  5. Unzy

    Unzy Registered Member

    Joined: Nov 2, 2003; Posts: 1,098; Location: Belgium

    Hi Pieter and Reynold,

    yep that was what I meant. I wanted to have some more info if the user knew it (installed / or knew where he picked it up) so you and Tony could add it to the BHO list.

    Cheers,
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined: Apr 27, 2002; Posts: 13,440; Location: Netherlands

    Good thinking, as usual, Unzy. :)

    Pieter
     
  7. Reynold

    Reynold Guest

    I don't know when or where I downloaded it.
    I even think that I have never done so.
    And I can't find the two files on my computer at this moment. So, I fixed it.

    Thanks a lot!
     
  8. Unzy

    Unzy Registered Member

    Joined: Nov 2, 2003; Posts: 1,098; Location: Belgium

    Hi Reynold,

    Well, that's OK

    The important thing is that all is well again on your PC

    Take care

    Cheers,
     