hjt logs for hacktool.rootkit
Thread Solved
Join Date: Mar 2006
Posts: 5
Solved Threads: 0
Logfile of HijackThis v1.99.1
Scan saved at 20:21:08, on 2006-4-7
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\acstp\icserv.exe
C:\WINDOWS\system32\acstp\wake_up.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\RSA Security\Web PassPort\Plug-In\system\sdtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\RSA Security\Web PassPort\Plug-In\System\sdlss.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
D:\05 Temp\hijackthis\HijackThis.exe
C:\WINDOWS\system32\acstp\upgragnt.exe
O1 - Hosts: 134.96.33.102 crmud01
O1 - Hosts: 134.96.33.103 crmud02
O1 - Hosts: 134.96.33.105 crmud04
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QQBrowserHelperObject Class - {54EBD53A-9BC1-480B-966A-843A333CA162} - D:\04 Other\qqlite_06rc\QQIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\CnsHook.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\RSA Security\Web PassPort\Plug-In\system\sdtray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?ProgramFiles%\Network ICE\BlackICE\blackice.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm...&btn=yahoomail (file missing)
O9 - Extra button: E bazar - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://cn.zs.yahoo.com/cnsbutton.htm...cns&btn=taobao (file missing)
O9 - Extra button: Yahoo Assistant - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/cnsbutton.htm...ns&btn=yassist (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra 'Tools' menuitem: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\04 Other\qqlite_06rc\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\04 Other\qqlite_06rc\QQ.EXE
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\04 Other\qqlite_06rc\QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQ炫彩工具�设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\04 Other\qqlite_06rc\QQIEHelper.dll
O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.htm...s&btn=yahoomsg (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm...cns&btn=repair (file missing)
O9 - Extra 'Tools' menuitem: Repair Browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm...cns&btn=repair (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm...=cns&btn=clean (file missing)
O9 - Extra 'Tools' menuitem: Clean Internet access record - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm...=cns&btn=clean (file missing)
O11 - Options group: [!CNS] Chinese keywords
O14 - IERESET.INF: START_PAGE_URL=https://portal.accenture.com/
O15 - Trusted Zone: *.accenture.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://supportapj.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0CF3B659-FA43-436F-92FE-09DAFDF681FF} (Siebel High Interactivity Framework) - http://bpo-4brsr1x-mob.accenture.com..._HI_Client.cab
O16 - DPF: {1416D7C8-8A28-11CF-9236-444553540000} (Infragistics Data Explorer Control) - https://mylearning-lms6.accenture.co.../pvxplore8.cab
O16 - DPF: {252D8B73-FEEF-454D-97EB-F6BCF54DE48C} (Siebel High Interactivity Framework) - http://134.96.33.102/ecommunications..._HI_Client.cab
O16 - DPF: {28EE9D9D-1A80-4BFF-B464-0E6B69E26B05} (Printer Class) - http://134.96.37.147:6001/CTZJPGWeb/ocx/printatl.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {E07E152B-A291-4701-9C4D-AFD62B2ED430} (ClipboardAccess Class) - https://mylearning-lms6.accenture.co...SClipboard.cab
O16 - DPF: {FCEFD5DD-7152-4317-ABC1-16682376EE7A} (dddolsp Class) - http://ddddl.dudu.com/ddd/update/plugin/dddol.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = accenture.com
O17 - HKLM\Software\..\Telephony: DomainName = accenture.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{8163D00F-2B2A-4179-9381-D994345F559F}: NameServer = 202.101.172.35,202.101.172.36
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = accenture.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = accenture.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = accenture.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Gray_Pigeon_Server (GrayPigeonServer) - Unknown owner - C:\WINDOWS\G_Server.exe
O23 - Service: MC/Empower i.collect Service (iCollectService) - Unknown owner - C:\WINDOWS\system32\acstp\icserv.exe
O23 - Service: Accenture Media Viewer (MediaViewer) - - c:\program files\firm applications\media viewer\services\streamviewerservice.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
Hi, please run HJT again, select Do system scan only and check the following.
O1 - Hosts: 134.96.33.102 crmud01
O1 - Hosts: 134.96.33.103 crmud02
O1 - Hosts: 134.96.33.105 crmud04
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\CnsHook.dll
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\04 Other\qqlite_06rc\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\04 Other\qqlite_06rc\QQ.EXE
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\04 Other\qqlite_06rc\QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQ炫彩工具�设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\04 Other\qqlite_06rc\QQIEHelper.dll
O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.ht...ns&btn=yahoomsg (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.ht...=cns&btn=repair (file missing)
O9 - Extra 'Tools' menuitem: Repair Browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.ht...=cns&btn=repair (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.ht...e=cns&btn=clean (file missing)
O9 - Extra 'Tools' menuitem: Clean Internet access record - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.ht...e=cns&btn=clean (file missing)
Close all browsers and click Fix Checked.
------------------------------------------------------------------------
There are still more infections, but we are going to have the scanners knock them out for us.
Download the Free trial version of Spysweeper
http://www.webroot.com/consumer/pro...&rc=4129&ac=tsg
Update the definitions and run it, let it remove whatever it finds.
Then download ewido
www.ewido.net - Install. Update. Scan. Remove anything it finds.
-------------------------------------------------------------------------
Post a new HJT log, and the ewido log.
Member - Alliance of Security Analysis Professionals - Since 2006
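The helper's reply above works through the log by hand: hosts-file entries, the CnsMin BHO and Run entry loaded from the IE Downloaded Program Files directory, the "(file missing)" buttons, and a service with no publisher sitting in C:\WINDOWS. As an added example (not HijackThis code, and not from anyone in this thread), the following Python script parses HijackThis "O" lines and applies those same triage heuristics so the same reasoning can be repeated on another log. The sample lines are copied from the first log in the thread; the function names and the heuristics are my own assumptions about what a reviewer looks for, and a flag means "review", not "malicious".

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a few lines copied from the first HijackThis log in this thread,
# plus a couple of header/process lines to show that the parser skips them.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
O1 - Hosts: 134.96.33.102 crmud01
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\CnsHook.dll
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm...&btn=yahoomail (file missing)
O23 - Service: Gray_Pigeon_Server (GrayPigeonServer) - Unknown owner - C:\WINDOWS\G_Server.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Every HijackThis finding has the shape "O<n> - <body>"; header and process lines do not.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


@dataclass
class Entry:
    section: str  # e.g. "O4"
    body: str     # everything after "O4 - "


def parse_hjt(text: str) -> List[Entry]:
    """Return the O-section entries of a HijackThis log, in file order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entry: Entry) -> Optional[str]:
    """Return a reason to review the entry, or None if the heuristics are silent.

    The rules are the ones applied by hand in the thread (assumed heuristics, not
    a HijackThis feature): hosts-file overrides, code loaded from IE's Downloaded
    Program Files directory, entries whose target file is gone, and services with
    no publisher that live outside Program Files.
    """
    body = entry.body
    if entry.section == "O1":
        return "hosts-file override; confirm it is an intended internal mapping"
    if "(file missing)" in body:
        return "target file is missing; leftover of something removed or half-installed"
    if "DOWNLO~1" in body or "Downloaded Program Files" in body.lower():
        return "code loaded from IE's Downloaded Program Files directory"
    if (entry.section == "O23"
            and "Unknown owner" in body
            and "\\program files\\" not in body.lower()):
        return "service with no publisher outside Program Files"
    return None


def triage_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, reason, body) for every entry the heuristics flag."""
    flagged = []
    for entry in parse_hjt(text):
        reason = triage(entry)
        if reason is not None:
            flagged.append((entry.section, reason, entry.body))
    return flagged


if __name__ == "__main__":
    for section, reason, body in triage_log(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {body}")
```

Run against the full log in the thread it flags the three O1 lines, the CnsHook/CnsMin pair, every "(file missing)" O9 button and the Gray_Pigeon_Server service; it stays silent on the Symantec, Adobe and Oracle entries. The unknown-owner rule will also surface legitimate unsigned services in System32, which is why the output is a review list rather than a fix list.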
Join Date: Mar 2006
Posts: 5
Solved Threads: 0
After executing the steps, the HJT log and ewido log are as follows:
Logfile of HijackThis v1.99.1
Scan saved at 18:01:26, on 2006-4-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\CCProxy\CCProxy.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
D:\05 Temp\hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QQBrowserHelperObject Class - {54EBD53A-9BC1-480B-966A-843A333CA162} - D:\04 Other\qqlite_06rc\QQIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm...&btn=yahoomail (file missing)
O9 - Extra button: E bazar - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://cn.zs.yahoo.com/cnsbutton.htm...cns&btn=taobao (file missing)
O14 - IERESET.INF: START_PAGE_URL=https://portal.accenture.com/
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://supportapj.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0CF3B659-FA43-436F-92FE-09DAFDF681FF} (Siebel High Interactivity Framework) - http://bpo-4brsr1x-mob.accenture.com..._HI_Client.cab
O16 - DPF: {1416D7C8-8A28-11CF-9236-444553540000} (Infragistics Data Explorer Control) - https://mylearning-lms6.accenture.co.../pvxplore8.cab
O16 - DPF: {252D8B73-FEEF-454D-97EB-F6BCF54DE48C} (Siebel High Interactivity Framework) - http://134.96.33.102/ecommunications..._HI_Client.cab
O16 - DPF: {28EE9D9D-1A80-4BFF-B464-0E6B69E26B05} (Printer Class) - http://134.96.37.147:6001/CTZJPGWeb/ocx/printatl.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {E07E152B-A291-4701-9C4D-AFD62B2ED430} (ClipboardAccess Class) - https://mylearning-lms6.accenture.co...SClipboard.cab
O16 - DPF: {FCEFD5DD-7152-4317-ABC1-16682376EE7A} (dddolsp Class) - http://ddddl.dudu.com/ddd/update/plugin/dddol.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = accenture.com
O17 - HKLM\Software\..\Telephony: DomainName = accenture.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = accenture.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = accenture.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = accenture.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
ewido logs:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 17:42:08, 2006-4-11
+ Report-Checksum: 56F245F9
+ Scan result:
HKLM\SOFTWARE\3721 -> Adware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\3721\Assist -> Adware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\3721\Assist\Modules -> Adware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\3721\AutoLive -> Adware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\3721\AutoLive\scrblock -> Adware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\3721\CnsMin -> Adware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\3721\CnsMin\CnsMinEx -> Adware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\3721\CnsMin\Variant -> Adware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\3721\CnsMinCg -> Adware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\Classes\AutoLive.Live.1 -> Adware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\Classes\CnsMinHK.CnsHook -> Adware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\Classes\CnsMinHK.CnsHook\CLSID -> Adware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\Classes\CnsMinHK.CnsHook\CurVer -> Adware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\Classes\CnsMinHK.CnsHook.1 -> Adware.CnsMin : Cleaned with backup
C:\WINDOWS\system32\AdCache -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_445900.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_446000.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_1_0_448500.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_1_0_448600.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_1_0_448600.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_1_0_453800.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_0_814200.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_0_815600.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_0_815900.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\mmm.dat -> Backdoor.GrayBird.eh : Cleaned with backup
:mozilla.8
:\Documents and Settings\f.zhu\Application Data\Mozilla\Firefox\Profiles\i9zwi37y.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.9
:\Documents and Settings\f.zhu\Application Data\Mozilla\Firefox\Profiles\i9zwi37y.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.10
:\Documents and Settings\f.zhu\Application Data\Mozilla\Firefox\Profiles\i9zwi37y.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.11
:\Documents and Settings\f.zhu\Application Data\Mozilla\Firefox\Profiles\i9zwi37y.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.12
:\Documents and Settings\f.zhu\Application Data\Mozilla\Firefox\Profiles\i9zwi37y.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.17
:\Documents and Settings\f.zhu\Application Data\Mozilla\Firefox\Profiles\i9zwi37y.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
D:\Documents and Settings\f.zhu\Cookies\f.zhu@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
D:\Documents and Settings\f.zhu\Cookies\f.zhu@ehg-siebel.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
D:\Documents and Settings\f.zhu\Cookies\f.zhu@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
D:\Documents and Settings\f.zhu\Local Settings\Temp\Cookies\f.zhu@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
D:\Documents and Settings\f.zhu\Local Settings\Temp\Cookies\f.zhu@elong.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
::Report End
Logfile of HijackThis v1.99.1
Scan saved at 18:01:26, on 2006-4-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\CCProxy\CCProxy.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
D:\05 Temp\hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QQBrowserHelperObject Class - {54EBD53A-9BC1-480B-966A-843A333CA162} - D:\04 Other\qqlite_06rc\QQIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm...&btn=yahoomail (file missing)
O9 - Extra button: E bazar - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://cn.zs.yahoo.com/cnsbutton.htm...cns&btn=taobao (file missing)
O14 - IERESET.INF: START_PAGE_URL=https://portal.accenture.com/
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://supportapj.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0CF3B659-FA43-436F-92FE-09DAFDF681FF} (Siebel High Interactivity Framework) - http://bpo-4brsr1x-mob.accenture.com..._HI_Client.cab
O16 - DPF: {1416D7C8-8A28-11CF-9236-444553540000} (Infragistics Data Explorer Control) - https://mylearning-lms6.accenture.co.../pvxplore8.cab
O16 - DPF: {252D8B73-FEEF-454D-97EB-F6BCF54DE48C} (Siebel High Interactivity Framework) - http://134.96.33.102/ecommunications..._HI_Client.cab
O16 - DPF: {28EE9D9D-1A80-4BFF-B464-0E6B69E26B05} (Printer Class) - http://134.96.37.147:6001/CTZJPGWeb/ocx/printatl.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {E07E152B-A291-4701-9C4D-AFD62B2ED430} (ClipboardAccess Class) - https://mylearning-lms6.accenture.co...SClipboard.cab
O16 - DPF: {FCEFD5DD-7152-4317-ABC1-16682376EE7A} (dddolsp Class) - http://ddddl.dudu.com/ddd/update/plugin/dddol.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = accenture.com
O17 - HKLM\Software\..\Telephony: DomainName = accenture.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = accenture.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = accenture.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = accenture.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
Views: 3093 | Replies: 2