0

I'm using Windows XP. When run with symantec, I have a hacktool.rootkit message that repeatedly comes up and asks for reboot, which does not fix the issue. When run with AVG, the error turns in to backdoor.generic2.ppu of which AVG cannot fix either. Below is the log from my HJT run. Please give some suggestions. Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 17:13:41, on 2006-4-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\LogWatNT.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Tencent\QQ\QQ.exe
C:\Program Files\Tencent\QQ\TIMPlatform.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\BitSpirit\BitSpirit.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: BandIE Class - {77FEF28E-EB96-44FF-B511-3185DEA48697} - C:\PROGRA~1\baidu\bar\baidubar.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\Net Transport\NTIEHelper.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\CnsHook.dll
O3 - Toolbar: 百度超级霸 - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:\PROGRA~1\baidu\bar\baidubar.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [stup.exe] C:\PROGRA~1\TENCENT\Adplus\stup.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\RunServices: [iPod USB Service] iPODService.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: 腾讯QQ.lnk = C:\Program Files\Tencent\QQ\QQ.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 上传到QQ网络硬盘 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 添加到QQ自定义 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信该图片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: 用比特精下载(&B) - C:\Program Files\BitSpirit\bsurl.htm
O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomail (file missing)
O9 - Extra button: E bazar - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=taobao (file missing)
O9 - Extra button: Yahoo Assistant - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yassist (file missing)
O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomsg (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)
O9 - Extra 'Tools' menuitem: Repair Browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)
O9 - Extra 'Tools' menuitem: Clean Internet access record - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)
O11 - Options group: [!CNS] Chinese keywords
O11 - Options group: [JAVA_IBM] Java (IBM)
O18 - Protocol: koboo - {7DEE9D05-FA0A-4416-A6F3-6537D0EAB6A6} - C:\WINDOWS\system32\mbprot.dll
O18 - Protocol: mbox - {7DEE9D05-FA0A-4416-A6F3-6537D0EAB6A6} - C:\WINDOWS\system32\mbprot.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {83DFBFF3-1455-4538-8036-39D2057787DF} - C:\WINDOWS\gsSecurity1.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

3
Contributors
21
Replies
22
Views
11 Years
Discussion Span
Last Post by tanggeng
0

HI, please run HJT again and select Do system scan only.

Then check these items.


O2 - BHO: BandIE Class - {77FEF28E-EB96-44FF-B511-3185DEA48697} - C:\PROGRA~1\baidu\bar\baidubar.dll

O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\CnsHook.dll

O3 - Toolbar: 百度超级霸 - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:\PROGRA~1\baidu\bar\baidubar.dll

O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32

O4 - HKLM\..\Run: [stup.exe] C:\PROGRA~1\TENCENT\Adplus\stup.exe

O4 - Startup: 腾讯QQ.lnk = C:\Program Files\Tencent\QQ\QQ.exe

O8 - Extra context menu item: 上传到QQ网络硬盘 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm

O8 - Extra context menu item: 添加到QQ自定义 - C:\Program Files\Tencent\QQ\AddPanel.htm

O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm

O8 - Extra context menu item: 用QQ彩信该图片 - C:\Program Files\Tencent\QQ\SendMMS.htm

O8 - Extra context menu item: 用比特精下载(&B) - C:\Program Files\BitSpirit\bsurl.htm

O18 - Protocol: koboo - {7DEE9D05-FA0A-4416-A6F3-6537D0EAB6A6} - C:\WINDOWS\system32\mbprot.dll

O18 - Protocol: mbox - {7DEE9D05-FA0A-4416-A6F3-6537D0EAB6A6} - C:\WINDOWS\system32\mbprot.dll

O18 - Filter: text/html - {83DFBFF3-1455-4538-8036-39D2057787DF} - C:\WINDOWS\gsSecurity1.dll

Then click Fix Checked

---------------------------------------------------------------

Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

Now Start killbox Copy the list of files below to the clipboard by selecting all of them with your mouse (Left click the start of the list and drag the mouse to the bottom of the list) and when they are all selected ( highlighted in blue) right click on any part of the blue area and say copy

In the Killbox, Go to the toolbar press file and select Paste from clipboard. The first file name will appear in the window and if the file exists it will appear in blue under that window then select standard file kill, press the red X button, say yes to the prompt and once the file deleted message comes up then press the red X again and continue to press untill the last file on the list appears in the window & it says deleted.

File list:

C:\Program Files\Tencent\QQ\QQ.exe

C:\Program Files\Tencent\QQ\AddToNetDisk.htm

C:\Program Files\Tencent\QQ\AddPanel.htm

C:\Program Files\Tencent\QQ\AddEmotion.htm

C:\Program Files\Tencent\QQ\SendMMS.htm

C:\Program Files\BitSpirit\bsurl.htm

C:\WINDOWS\system32\mbprot.dll

C:\WINDOWS\gsSecurity1.dll

If any give you an deletion error, just take not of which it was then skip it...

Then please delete the folloqing folder.

C:\Program Files\Tencent\QQ\

Then empty recycle bin

-------------------------------------------------------
Then download ewido (www.ewido.net). Install. Update. Scan. (Save the log).

Post a new HJT log, and ewido log

0

Followed all the procedures. Semantec seems to be no longer giving the error, but AVG still gives a "While opening file: C:\WINDOWS\system32\drivers\BDGuard.SYS Trojan horse BackDoor.Generic2.PPU" virus detection error. Still will not fix.

Runs from HJT and Killbox are below. Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 23:46:55, on 2006-4-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\LogWatNT.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: BandIE Class - {77FEF28E-EB96-44FF-B511-3185DEA48697} - C:\PROGRA~1\baidu\bar\baidubar.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\Net Transport\NTIEHelper.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\CnsHook.dll
O3 - Toolbar: 百度超级霸 - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:\PROGRA~1\baidu\bar\baidubar.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\RunServices: [iPod USB Service] iPODService.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 用比特精下载(&B) - C:\Program Files\BitSpirit\bsurl.htm
O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomail (file missing)
O9 - Extra button: E bazar - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=taobao (file missing)
O9 - Extra button: Yahoo Assistant - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yassist (file missing)
O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomsg (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)
O9 - Extra 'Tools' menuitem: Repair Browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)
O9 - Extra 'Tools' menuitem: Clean Internet access record - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)
O11 - Options group: [!CNS] Chinese keywords
O11 - Options group: [JAVA_IBM] Java (IBM)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

Pocket Killbox version 2.0.0.532
Running on Windows XP as geng(Administrator)
was started @ Wednesday, April 19, 2006, 7:47 PM

# 1 [Files to Delete]
Path = C:\Program Files\Tencent\QQ\QQ.exe
*This file does not seem to exist

# 2 [Files to Delete]
Path = C:\Program Files\Tencent\QQ\QQ.exe
*File Was Deleted

# 3 [Files to Delete]
Path = C:\Program Files\Tencent\QQ\AddToNetDisk.htm
*File Was Deleted

# 4 [Files to Delete]
Path = C:\Program Files\Tencent\QQ\AddPanel.htm
*File Was Deleted

# 5 [Files to Delete]
Path = C:\Program Files\Tencent\QQ\AddEmotion.htm
*File Was Deleted

# 6 [Files to Delete]
Path = C:\Program Files\Tencent\QQ\SendMMS.htm
*File Was Deleted

# 7 [Files to Delete]
Path = C:\Program Files\BitSpirit\bsurl.htm
*File Was Deleted

# 8 [Files to Delete]
Path = C:\WINDOWS\system32\mbprot.dll
*File Was Deleted

# 9 [Files to Delete]
Path = C:\WINDOWS\gsSecurity1.dll
*This File could not be Deleted

# 10 [Files to Delete]
Path = C:\WINDOWS\gsSecurity1.dll
*This File could not be Deleted

Killbox Closed(Exit) @ 7:49:13 PM
__________________________________________________

Pocket Killbox version 2.0.0.532
Running on Windows XP as geng(Administrator)
was started @ Wednesday, April 19, 2006, 7:54 PM

# 1 [Files to Delete]
Path = C:\Program Files\Tencent\QQ\qdshm.dll
*File Was Deleted

# 2 [Files to Delete]
Path = C:\Program Files\Tencent\QQ\QQIEHelper.dll
*This File could not be Deleted

# 3 [Files to Delete]
Path = C:\Program Files\Tencent\QQ
*This File could not be Deleted

# 4 [Files to Delete]
Path = C:\Program Files\Tencent\QQ\TIMProxy.dll
*File Was Deleted

# 5 [Files to Delete]
Path = C:\Program Files\Tencent\QQ\TIMPlatform.exe
*File Was Deleted

# 6 [Files to Delete]
Path = C:\Program Files\Tencent\QQ\QQIEHelper.dll
*This File could not be Deleted

Killbox Closed(Exit) @ 7:58:29 PM
__________________________________________________

0

Alrite, we'll try this one more time. Fix the following:

O2 - BHO: BandIE Class - {77FEF28E-EB96-44FF-B511-3185DEA48697} - C:\PROGRA~1\baidu\bar\baidubar.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\CnsHook.dll
O3 - Toolbar: 百度超级霸 - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:\PROGRA~1\baidu\bar\baidubar.dll
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32
O8 - Extra context menu item: 用比特精下载(&B) - C:\Program Files\BitSpirit\bsurl.htm
O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.ht...s&btn=yahoomail (file missing)
O9 - Extra button: E bazar - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://cn.zs.yahoo.com/cnsbutton.ht...=cns&btn=taobao (file missing)
O9 - Extra button: Yahoo Assistant - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/cnsbutton.ht...cns&btn=yassist (file missing)
O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.ht...ns&btn=yahoomsg (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.ht...=cns&btn=repair (file missing)
O9 - Extra 'Tools' menuitem: Repair Browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.ht...=cns&btn=repair (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.ht...e=cns&btn=clean (file missing)
O9 - Extra 'Tools' menuitem: Clean Internet access record - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.ht...e=cns&btn=clean (file missing)

After fixing these, reboot into safe mode and delete the following folders:

C:\Program Files\baidu
C:\Program Files\BitSpirit

After doing this, search Windows for any of teh following and delete any entries:

CnsHook.dll
CnsMin.dll

After doing this, post back with a new log.

Thanks.

0

I performed all the actions, except I couldn't delete the

C:\Program Files\baidu

program. I tried to delete it using killbox, but it couldn't delete it. When trying to delete manually, the files regenerate themselves immediately when I revisit the fold.

When run under symantec I'm still getting the hacktool.rootkit error of which it cannot get ride of; when run under AVG there is still the backdoor.generic2.ppu issue.

Below is the HJT log. Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 11:10:59, on 2006-4-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\LogWatNT.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\PPLive TV\PPPlayer.exe
C:\Program Files\Symantec AntiVirus\vptray.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Synacast\SynaLive\PE.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: BandIE Class - {77FEF28E-EB96-44FF-B511-3185DEA48697} - C:\PROGRA~1\baidu\bar\baidubar.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\Net Transport\NTIEHelper.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\CnsHook.dll
O3 - Toolbar: 百度超级霸 - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:\PROGRA~1\baidu\bar\baidubar.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKLM\..\RunServices: [iPod USB Service] iPODService.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomail (file missing)
O9 - Extra button: E bazar - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=taobao (file missing)
O9 - Extra button: Yahoo Assistant - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yassist (file missing)
O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomsg (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)
O9 - Extra 'Tools' menuitem: Repair Browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)
O9 - Extra 'Tools' menuitem: Clean Internet access record - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)
O11 - Options group: [!CNS] Chinese keywords
O11 - Options group: [JAVA_IBM] Java (IBM)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

0

I just noticed the ewido anti-malware program found:

File: CnsHook.dll
Path: C:\WINDOWS\downlo~1
Infection: Adware.Cdn

although when I scan for this file, it cannot find it, which was what I was instructed earlier. This is in adition to being unable to remove the

C:\Program Files\baidu

folder. Symantec still shows the hacktool.rootkit and AVG the backdoor.generic2.ppu issue. Thank you.

0

Ok, step 2.

Have ya tried deleting baidu in safe mode? If so, respond back, and we'll work from there.

ALSO, download 2 programs, SpySweeper and Adaware
(spysweeper in my sig. below)
(adaware - http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10045910.html?part=dl-ad-aware&subj=dl&tag=top5 )

After downloading, run the update for both, and then run both programs, saving the SpySweeper log.

After doing that, fix these in the HJT log:

O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm...&btn=yahoomail (file missing)
O9 - Extra button: E bazar - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://cn.zs.yahoo.com/cnsbutton.htm...cns&btn=taobao (file missing)
O9 - Extra button: Yahoo Assistant - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/cnsbutton.htm...ns&btn=yassist (file missing)
O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.htm...s&btn=yahoomsg (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm...cns&btn=repair (file missing)
O9 - Extra 'Tools' menuitem: Repair Browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm...cns&btn=repair (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm...=cns&btn=clean (file missing)
O9 - Extra 'Tools' menuitem: Clean Internet access record - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm...=cns&btn=clean (file missing)

After this, restart the computer and post a new HJT log, and teh Spysweeper log.

Thanks.

0

Got ride of the baidu folder under safe mode.

Performed all the above instructions.

Adware and Spy Sweeper both cannot remove the cnsmin thing.

Also, I get a CnsHook.dll error on ewido anti-malware almost every single time I perform an action on my machine.

Below are the HJT and Spy Sweeper Logs. Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 21:32:49, on 2006-4-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\LogWatNT.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Symantec AntiVirus\VPC32.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\Net Transport\NTIEHelper.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\CnsHook.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [iPod USB Service] iPODService.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O11 - Options group: [!CNS] Chinese keywords
O11 - Options group: [JAVA_IBM] Java (IBM)
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\System32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\System32\wiascr.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

********
20:48: | Start of Session, 2006年4月20日 |
20:48: Spy Sweeper started
20:48: Sweep initiated using definitions version 662
20:48: Starting Memory Sweep
20:48: Found Adware: cnsmin
20:48: Detected running threat: C:\WINDOWS\downlo~1\CnsHook.dll (ID = 53247)
20:48: Detected running threat: C:\WINDOWS\Downloaded Program Files\CnsMin.dll (ID = 53251)
20:48: Detected running threat: C:\WINDOWS\Downloaded Program Files\CnsMinIO.dll (ID = 53267)
20:48: Detected running threat: C:\WINDOWS\Downloaded Program Files\cnsio.dll (ID = 192138)
20:48: Detected running threat: C:\WINDOWS\Downloaded Program Files\CnsHook.dll (ID = 53247)
20:50: Detected running threat: C:\WINDOWS\Downloaded Program Files\cnshint.dll (ID = 239052)
20:50: Memory Sweep Complete, Elapsed Time: 00:02:59
20:50: Starting Registry Sweep
20:51: HKCR\adkiller.adkillerobj\ (5 subtraces) (ID = 106148)
20:51: HKCR\clsid\{9eb2b422-c9ee-46c4-a471-1e79c7517b1d}\ (21 subtraces) (ID = 106158)
20:51: HKCR\clsid\{141a5e19-bdcb-4e27-a3d7-9e16503bc05b}\ (11 subtraces) (ID = 106159)
20:51: HKCR\clsid\{abec6103-f6ac-43a3-834f-fb03fba339a2}\ (4 subtraces) (ID = 106162)
20:51: HKCR\clsid\{b83fc273-3522-4cc6-92ec-75cc86678da4}\ (25 subtraces) (ID = 106163)
20:51: HKCR\clsid\{d157330a-9ef3-49f8-9a67-4141ac41add4}\ (15 subtraces) (ID = 106166)
20:51: HKCR\cnshelper.ch.1\ (3 subtraces) (ID = 106168)
20:51: HKCR\cnshelper.ch\ (5 subtraces) (ID = 106169)
20:51: HKLM\software\classes\adkiller.adkillerobj\ (5 subtraces) (ID = 106184)
20:51: HKLM\software\classes\clsid\{9eb2b422-c9ee-46c4-a471-1e79c7517b1d}\ (21 subtraces) (ID = 106189)
20:51: HKLM\software\classes\clsid\{141a5e19-bdcb-4e27-a3d7-9e16503bc05b}\ (11 subtraces) (ID = 106190)
20:51: HKLM\software\classes\clsid\{abec6103-f6ac-43a3-834f-fb03fba339a2}\ (4 subtraces) (ID = 106192)
20:51: HKLM\software\classes\typelib\{7354662f-caa3-448b-bc01-04f55a2dca35}\ (9 subtraces) (ID = 106206)
20:51: HKLM\software\classes\typelib\{f97e75a4-0103-4f27-a752-327b600b1130}\ (9 subtraces) (ID = 106209)
20:51: HKLM\software\cnnic\ (ID = 106210)
20:51: HKLM\software\microsoft\internet explorer\advancedoptions\!cns\ (40 subtraces) (ID = 106213)
20:51: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{d157330a-9ef3-49f8-9a67-4141ac41add4}\ (1 subtraces) (ID = 106237)
20:51: HKLM\software\microsoft\windows\currentversion\run\ || cnsmin (ID = 106245)
20:51: HKLM\software\microsoft\windows\currentversion\uninstall\cnsmin\ (2 subtraces) (ID = 106251)
20:51: HKCR\typelib\{7354662f-caa3-448b-bc01-04f55a2dca35}\ (9 subtraces) (ID = 106261)
20:51: HKCR\typelib\{f97e75a4-0103-4f27-a752-327b600b1130}\ (9 subtraces) (ID = 106266)
20:51: HKLM\software\3721\ (4 subtraces) (ID = 872107)
20:51: HKLM\software\3721\cnsmin\ (3 subtraces) (ID = 872108)
20:51: HKLM\system\currentcontrolset\services\cnsminkp\ (19 subtraces) (ID = 872138)
20:51: HKLM\system\currentcontrolset\services\cnsminkp\security\ (1 subtraces) (ID = 872152)
20:51: HKLM\system\currentcontrolset\services\cnsminkp\enum\ (3 subtraces) (ID = 872154)
20:51: HKLM\software\microsoft\windows\currentversion\explorer\shellexecutehooks\ || {d157330a-9ef3-49f8-9a67-4141ac41add4} (ID = 958059)
20:51: HKCR\typelib\{f9ad9d67-efa8-480e-8291-0163f3960de7}\ (9 subtraces) (ID = 973025)
20:51: HKLM\software\classes\typelib\{f9ad9d67-efa8-480e-8291-0163f3960de7}\ (9 subtraces) (ID = 973117)
20:51: HKLM\software\classes\typelib\{f9ad9d67-efa8-480e-8291-0163f3960de7}\1.0\ (8 subtraces) (ID = 973118)
20:51: HKCR\adkiller.adkillerobj.1\ (3 subtraces) (ID = 1018466)
20:51: HKCR\fflash.flashobjectinterface\ (5 subtraces) (ID = 1018486)
20:51: HKCR\fflash.flashobjectinterface.1\ (3 subtraces) (ID = 1018492)
20:51: HKLM\software\classes\adkiller.adkillerobj.1\ (3 subtraces) (ID = 1018635)
20:51: HKLM\software\classes\fflash.flashobjectinterface\ (5 subtraces) (ID = 1018655)
20:51: HKLM\software\classes\fflash.flashobjectinterface.1\ (3 subtraces) (ID = 1018661)
20:51: HKLM\system\currentcontrolset\services\cnsminkp\enum\ || count (ID = 1018678)
20:51: HKLM\system\currentcontrolset\services\cnsminkp\enum\ || nextinstance (ID = 1018679)
20:51: HKCR\cnshelper.ch\curver\ (1 subtraces) (ID = 1041849)
20:51: HKCR\cnshelper.ch.1\clsid\ (1 subtraces) (ID = 1041853)
20:51: HKLM\software\classes\cnshelper.ch\ (5 subtraces) (ID = 1041942)
20:51: HKLM\software\classes\cnshelper.ch.1\ (3 subtraces) (ID = 1041948)
20:51: HKLM\software\classes\clsid\{b83fc273-3522-4cc6-92ec-75cc86678da4}\ (25 subtraces) (ID = 1041952)
20:51: HKLM\system\currentcontrolset\services\cnsminkp\enum\ || 0 (ID = 1047525)
20:51: HKLM\system\currentcontrolset\enum\root\legacy_cnsminkp\ (10 subtraces) (ID = 1147491)
20:51: HKLM\software\classes\clsid\{d157330a-9ef3-49f8-9a67-4141ac41add4}\ (15 subtraces) (ID = 1240267)
20:51: HKU\S-1-5-21-1612712036-2320844081-1803406932-1005\software\3721\ (5 subtraces) (ID = 106182)
20:51: HKU\S-1-5-21-1612712036-2320844081-1803406932-1005\software\microsoft\internet explorer\main\ || cnsautoupdate (ID = 106221)
20:51: HKU\S-1-5-21-1612712036-2320844081-1803406932-1005\software\microsoft\internet explorer\main\ || cnsenable (ID = 106222)
20:51: HKU\S-1-5-21-1612712036-2320844081-1803406932-1005\software\microsoft\internet explorer\main\ || cnshint (ID = 106223)
20:51: HKU\S-1-5-21-1612712036-2320844081-1803406932-1005\software\microsoft\internet explorer\main\ || cnslist (ID = 106224)
20:51: HKU\S-1-5-21-1612712036-2320844081-1803406932-1005\software\microsoft\internet explorer\main\ || cnsmenu (ID = 106225)
20:51: HKU\S-1-5-21-1612712036-2320844081-1803406932-1005\software\microsoft\internet explorer\main\ || cnsreset (ID = 106226)
20:51: HKU\S-1-5-21-1612712036-2320844081-1803406932-1005\software\microsoft\internet explorer\extensions\cmdmapping\ || {5d73ee86-05f1-49ed-b850-e423120ec338} (ID = 1032318)
20:51: Registry Sweep Complete, Elapsed Time:00:00:11
20:51: Starting Cookie Sweep
20:51: Found Spy Cookie: adjuggler cookie
20:51: [email]geng@rotator.adjuggler[1].txt[/email] (ID = 2071)
20:51: Found Spy Cookie: myaffiliateprogram.com cookie
20:51: [email]geng@www.myaffiliateprogram[2].txt[/email] (ID = 3032)
20:51: Cookie Sweep Complete, Elapsed Time: 00:00:00
20:51: Starting File Sweep
20:51: c:\windows\downloaded program files\3721 (3 subtraces) (ID = -2147469211)
20:51: c:\program files\3721 (1 subtraces) (ID = -2147481237)
20:51: cnsminio.dll (ID = 53267)
20:51: Warning: Failed to open file "c:\program files\\{2111b23f-7fda-4a41-8309-e5a1663ca296}\setup.exe". The system cannot find the path specified
20:51: Warning: Failed to open file "c:\program files\\{4fe92d2d-89ff-4e24-8a8f-b1956eacf704}\setup.ilg". The system cannot find the path specified
20:51: cnshook.dll (ID = 53247)
20:51: cns1.exe (ID = 53246)
20:51: cnsmindt.dll (ID = 53261)
20:53: cnsminex.cab (ID = 53262)
20:53: cns.exe (ID = 53246)
20:53: cnsio.dll (ID = 192138)
20:54: Warning: Failed to open file "c:\documents and settings\geng\recent\¤y¤o§? - °?¤@.lnk". The filename, directory name, or volume label syntax is incorrect
20:56: Warning: Failed to open file "c:\windows\winsxs\policies\\1.0.10.0.cat". The system cannot find the file specified
20:56: Warning: Failed to open file "c:\program files\\{72806716-7088-41b2-8fa6-717a2a164dab}\setup.ilg". The system cannot find the path specified
20:57: Warning: Failed to open file "c:\program files\\{4fe92d2d-89ff-4e24-8a8f-b1956eacf704}\data1.hdr". The system cannot find the path specified
20:57: cns.dll (ID = 53245)
20:59: Warning: Failed to open file "c:\program files\\{91810afc-a4f8-4eba-a5aa-b198bbc81144}\setup.ilg". The system cannot find the path specified
20:59: Warning: Failed to open file "c:\program files\\{91810afc-a4f8-4eba-a5aa-b198bbc81144}\layout.bin". The system cannot find the path specified
20:59: Warning: Failed to open file "c:\program files\\{91810afc-a4f8-4eba-a5aa-b198bbc81144}\data1.hdr". The system cannot find the path specified
20:59: Warning: Failed to open file "c:\program files\\{91810afc-a4f8-4eba-a5aa-b198bbc81144}\data1.cab". The system cannot find the path specified
20:59: Warning: Failed to open file "c:\program files\\{91810afc-a4f8-4eba-a5aa-b198bbc81144}\setup.exe". The system cannot find the path specified
20:59: Warning: Failed to open file "c:\program files\\{91810afc-a4f8-4eba-a5aa-b198bbc81144}\setup.inx". The system cannot find the path specified
20:59: Warning: Failed to open file "c:\program files\\{91810afc-a4f8-4eba-a5aa-b198bbc81144}\icon.bmp". The system cannot find the path specified
20:59: Warning: Failed to open file "c:\program files\\{2111b23f-7fda-4a41-8309-e5a1663ca296}\data1.hdr". The system cannot find the path specified
20:59: Warning: Failed to open file "c:\windows\winsxs\policies\\7.0.2600.2180.policy". The system cannot find the file specified
20:59: Warning: Failed to open file "c:\program files\\{72806716-7088-41b2-8fa6-717a2a164dab}\data1.hdr". The system cannot find the path specified
20:59: Warning: Failed to open file "c:\program files\\{2111b23f-7fda-4a41-8309-e5a1663ca296}\setup.ilg". The system cannot find the path specified
20:59: Warning: Failed to open file "c:\program files\\{2111b23f-7fda-4a41-8309-e5a1663ca296}\setup.inx". The system cannot find the path specified
21:00: Warning: Failed to open file "c:\program files\\{72806716-7088-41b2-8fa6-717a2a164dab}\setup.inx". The system cannot find the path specified
21:01: Warning: Failed to open file "c:\windows\winsxs\policies\\7.0.10.0.policy". The system cannot find the file specified
21:01: Warning: Failed to open file "c:\windows\winsxs\policies\\7.0.10.0.cat". The system cannot find the file specified
21:01: Warning: Failed to open file "c:\windows\winsxs\\msvcirt.dll". The system cannot find the file specified
21:01: Warning: Failed to open file "c:\windows\winsxs\\msvcrt.dll". The system cannot find the file specified
21:01: Warning: Failed to open file "c:\windows\winsxs\policies\\6.0.10.0.cat". The system cannot find the file specified
21:01: Warning: Failed to open file "c:\windows\winsxs\\msvcirt.dll". The system cannot find the file specified
21:01: Warning: Failed to open file "c:\windows\winsxs\\msvcrt.dll". The system cannot find the file specified
21:01: Warning: Failed to open file "c:\program files\\{9b94be6f-7ca3-4c40-a266-62667ff746cc}\data1.hdr". The system cannot find the path specified
21:04: Warning: Failed to open file "c:\program files\\{72806716-7088-41b2-8fa6-717a2a164dab}\setup.exe". The system cannot find the path specified
21:04: Warning: Failed to open file "c:\program files\\{ea664480-3844-11d5-8c25-444553540000}\data1.cab". The system cannot find the path specified
21:04: Warning: Failed to open file "c:\program files\\{82512bc9-bd5d-4c50-be4d-b98e7df78687}\setup.exe". The system cannot find the path specified
21:04: Warning: Failed to open file "c:\program files\\{9b94be6f-7ca3-4c40-a266-62667ff746cc}\setup.exe". The system cannot find the path specified
21:05: Warning: Failed to open file "c:\program files\\{3f92abbb-6bbf-11d5-b229-002078017fbf}\data1.cab". The system cannot find the path specified
21:05: Warning: Failed to open file "c:\program files\\{4fe92d2d-89ff-4e24-8a8f-b1956eacf704}\_setup.dll". The system cannot find the path specified
21:05: cnsmindt.cab (ID = 53260)
21:05: cnsminex.dll (ID = 53263)
21:06: cnshint.dll (ID = 239052)
21:06: cns02.dat (ID = 180455)
21:06: cnsmin.dll (ID = 53251)
21:07: Warning: Failed to open file "c:\program files\\{9b94be6f-7ca3-4c40-a266-62667ff746cc}\setup.inx". The system cannot find the path specified
21:07: Warning: Failed to open file "c:\program files\\{9b94be6f-7ca3-4c40-a266-62667ff746cc}\data1.cab". The system cannot find the path specified
21:07: Warning: Failed to open file "c:\program files\\{9fac9e5c-0d20-4dbf-afe5-2e09c52a95a2}\data1.cab". The system cannot find the path specified
21:07: Warning: Failed to open file "c:\windows\winsxs\policies\\1.0.2600.2180.cat". The system cannot find the file specified
21:07: Warning: Failed to open file "c:\windows\winsxs\policies\\6.0.2600.2180.cat". The system cannot find the file specified
21:07: Warning: Failed to open file "c:\windows\winsxs\policies\\7.0.2600.2180.cat". The system cannot find the file specified
21:07: Warning: Failed to open file "c:\program files\\{0bedbd4e-2d34-47b5-9973-57e62b29307c}\setup.ilg". The system cannot find the path specified
21:08: Warning: Failed to open file "c:\program files\\{e646dcf0-5a68-11d5-b229-002078017fbf}\data1.cab". The system cannot find the path specified
21:08: Warning: Failed to open file "c:\program files\\{82512bc9-bd5d-4c50-be4d-b98e7df78687}\data1.hdr". The system cannot find the path specified
21:08: Warning: Failed to open file "c:\program files\\{ea664480-3844-11d5-8c25-444553540000}\setup.ilg". The system cannot find the path specified
21:08: Warning: Failed to open file "c:\program files\\{ea664480-3844-11d5-8c25-444553540000}\data1.hdr". The system cannot find the path specified
21:08: Warning: Failed to open file "c:\program files\\{9fac9e5c-0d20-4dbf-afe5-2e09c52a95a2}\data1.hdr". The system cannot find the path specified
21:08: Warning: Failed to open file "c:\program files\\{e646dcf0-5a68-11d5-b229-002078017fbf}\setup.ilg". The system cannot find the path specified
21:08: Warning: Failed to open file "c:\program files\\{3f92abbb-6bbf-11d5-b229-002078017fbf}\data1.hdr". The system cannot find the path specified
21:08: Warning: Failed to open file "c:\program files\\{e646dcf0-5a68-11d5-b229-002078017fbf}\data1.hdr". The system cannot find the path specified
21:08: Warning: Failed to open file "c:\program files\\{3ea9d975-bfdc-4e8e-b88b-0446fbc8ca66}\data1.hdr". The system cannot find the path specified
21:08: Warning: Failed to open file "c:\program files\\{0bedbd4e-2d34-47b5-9973-57e62b29307c}\data1.hdr". The system cannot find the path specified
21:08: Warning: Failed to open file "c:\program files\\{9fac9e5c-0d20-4dbf-afe5-2e09c52a95a2}\setup.ilg". The system cannot find the path specified
21:08: Warning: Failed to open file "c:\program files\\{82512bc9-bd5d-4c50-be4d-b98e7df78687}\setup.inx". The system cannot find the path specified
21:08: Warning: Failed to open file "c:\program files\\{82512bc9-bd5d-4c50-be4d-b98e7df78687}\setup.ilg". The system cannot find the path specified
21:08: Warning: Failed to open file "c:\program files\\{ea664480-3844-11d5-8c25-444553540000}\setup.exe". The system cannot find the path specified
21:08: Warning: Failed to open file "c:\program files\\{ea664480-3844-11d5-8c25-444553540000}\setup.inx". The system cannot find the path specified
21:08: Warning: Failed to open file "c:\program files\\{9fac9e5c-0d20-4dbf-afe5-2e09c52a95a2}\setup.exe". The system cannot find the path specified
21:08: Warning: Failed to open file "c:\program files\\{9fac9e5c-0d20-4dbf-afe5-2e09c52a95a2}\setup.inx". The system cannot find the path specified
21:09: Warning: Failed to open file "c:\program files\\{3f92abbb-6bbf-11d5-b229-002078017fbf}\setup.ilg". The system cannot find the path specified
21:09: Warning: Failed to open file "c:\program files\\{3f92abbb-6bbf-11d5-b229-002078017fbf}\setup.exe". The system cannot find the path specified
21:09: Warning: Failed to open file "c:\program files\\{3f92abbb-6bbf-11d5-b229-002078017fbf}\setup.inx". The system cannot find the path specified
21:09: Warning: Failed to open file "c:\program files\\{e646dcf0-5a68-11d5-b229-002078017fbf}\setup.exe". The system cannot find the path specified
21:09: Warning: Failed to open file "c:\program files\\{e646dcf0-5a68-11d5-b229-002078017fbf}\setup.inx". The system cannot find the path specified
21:09: Warning: Failed to open file "c:\program files\\{3ea9d975-bfdc-4e8e-b88b-0446fbc8ca66}\setup.ilg". The system cannot find the path specified
21:09: Warning: Failed to open file "c:\program files\\{3ea9d975-bfdc-4e8e-b88b-0446fbc8ca66}\data1.cab". The system cannot find the path specified
21:09: Warning: Failed to open file "c:\program files\\{3ea9d975-bfdc-4e8e-b88b-0446fbc8ca66}\setup.exe". The system cannot find the path specified
21:09: Warning: Failed to open file "c:\program files\\{3ea9d975-bfdc-4e8e-b88b-0446fbc8ca66}\setup.inx". The system cannot find the path specified
21:09: Warning: Failed to open file "c:\program files\\{0bedbd4e-2d34-47b5-9973-57e62b29307c}\data1.cab". The system cannot find the path specified
21:09: Warning: Failed to open file "c:\program files\\{0bedbd4e-2d34-47b5-9973-57e62b29307c}\setup.inx". The system cannot find the path specified
21:09: Warning: Failed to open file "c:\program files\\{74574620-fe6e-11d2-aa9b-b732b9de0c29}\data1.hdr". The system cannot find the path specified
21:09: Warning: Failed to open file "c:\program files\\{2111b23f-7fda-4a41-8309-e5a1663ca296}\data1.cab". The system cannot find the path specified
21:09: Warning: Failed to open file "c:\program files\\{72806716-7088-41b2-8fa6-717a2a164dab}\data1.cab". The system cannot find the path specified
21:09: Warning: Failed to open file "c:\program files\\{74574620-fe6e-11d2-aa9b-b732b9de0c29}\data1.cab". The system cannot find the path specified
21:09: Warning: Failed to open file "c:\program files\\{74574620-fe6e-11d2-aa9b-b732b9de0c29}\setup.exe". The system cannot find the path specified
21:09: Warning: Failed to open file "c:\program files\\{74574620-fe6e-11d2-aa9b-b732b9de0c29}\setup.inx". The system cannot find the path specified
21:10: Warning: Failed to open file "c:\program files\\{6c72e14a-c1f3-45e5-8810-83ce3c19ed63}\setup.ilg". The system cannot find the path specified
21:10: Warning: Failed to open file "c:\program files\\{6c72e14a-c1f3-45e5-8810-83ce3c19ed63}\setup.inx". The system cannot find the path specified
21:10: Warning: Failed to open file "c:\program files\\{3ed8d422-5658-41fa-ae3d-7107b26caab7}\data1.cab". The system cannot find the path specified
21:10: Warning: Failed to open file "c:\program files\\{82512bc9-bd5d-4c50-be4d-b98e7df78687}\data1.cab". The system cannot find the path specified
21:10: Warning: Failed to open file "c:\program files\\{3ed8d422-5658-41fa-ae3d-7107b26caab7}\data1.hdr". The system cannot find the path specified
21:10: Warning: Failed to open file "c:\program files\\{3ed8d422-5658-41fa-ae3d-7107b26caab7}\setup.exe". The system cannot find the path specified
21:10: Warning: Failed to open file "c:\program files\\{3ed8d422-5658-41fa-ae3d-7107b26caab7}\setup.inx". The system cannot find the path specified
21:11: Warning: Failed to open file "c:\program files\\{22b71a00-4ded-11d4-a5e5-0004ac564f43}\setup.ilg". The system cannot find the path specified
21:11: Warning: Failed to open file "c:\program files\\{22b71a00-4ded-11d4-a5e5-0004ac564f43}\data1.hdr". The system cannot find the path specified
21:11: Warning: Failed to open file "c:\program files\\{22b71a00-4ded-11d4-a5e5-0004ac564f43}\data1.cab". The system cannot find the path specified
21:11: Warning: Failed to open file "c:\program files\\{22b71a00-4ded-11d4-a5e5-0004ac564f43}\setup.exe". The system cannot find the path specified
21:11: Warning: Failed to open file "c:\program files\\{22b71a00-4ded-11d4-a5e5-0004ac564f43}\setup.inx". The system cannot find the path specified
21:12: cnsminex.ini (ID = 53264)
21:14: Warning: Failed to open file "c:\program files\\{4fe92d2d-89ff-4e24-8a8f-b1956eacf704}\setup.exe". The system cannot find the path specified
21:14: Warning: Failed to open file "c:\program files\\{4fe92d2d-89ff-4e24-8a8f-b1956eacf704}\data1.cab". The system cannot find the path specified
21:14: cnsmincg.ini (ID = 53257)
21:15: Warning: Failed to open file "c:\windows\winsxs\policies\\6.0.10.0.policy". The system cannot find the file specified
21:15: Warning: Failed to open file "c:\windows\winsxs\policies\\1.0.10.0.policy". The system cannot find the file specified
21:15: Warning: Failed to open file "c:\program files\\{0bedbd4e-2d34-47b5-9973-57e62b29307c}\setup.exe". The system cannot find the path specified
21:19: Warning: Failed to open file "c:\program files\\{4fe92d2d-89ff-4e24-8a8f-b1956eacf704}\setup.inx". The system cannot find the path specified
21:20: cnsmin.ini (ID = 53255)
21:21: File Sweep Complete, Elapsed Time: 00:30:22
21:21: Full Sweep has completed. Elapsed time 00:33:37
21:21: Traces Found: 436
21:21: Removal process initiated
21:24: Quarantining All Traces: cnsmin
21:24: cnsmin is in use. It will be removed on reboot.
21:24: c:\program files\3721 is in use. It will be removed on reboot.
21:24: cnsminio.dll is in use. It will be removed on reboot.
21:24: cnsio.dll is in use. It will be removed on reboot.
21:24: cnshint.dll is in use. It will be removed on reboot.
21:24: clsid\{b83fc273-3522-4cc6-92ec-75cc86678da4}\ is in use. It will be removed on reboot.
21:24: clsid\{d157330a-9ef3-49f8-9a67-4141ac41add4}\ is in use. It will be removed on reboot.
21:24: cnshelper.ch.1\ is in use. It will be removed on reboot.
21:24: cnshelper.ch\ is in use. It will be removed on reboot.
21:24: HKLM: software\microsoft\windows\currentversion\explorer\browser helper objects\{d157330a-9ef3-49f8-9a67-4141ac41add4}\ is in use. It will be removed on reboot.
21:24: HKLM: system\currentcontrolset\services\cnsminkp\ is in use. It will be removed on reboot.
21:24: HKLM: system\currentcontrolset\services\cnsminkp\security\ is in use. It will be removed on reboot.
21:24: HKLM: system\currentcontrolset\services\cnsminkp\enum\ is in use. It will be removed on reboot.
21:24: cnshelper.ch\curver\ is in use. It will be removed on reboot.
21:24: cnshelper.ch.1\clsid\ is in use. It will be removed on reboot.
21:24: HKLM: software\classes\cnshelper.ch\ is in use. It will be removed on reboot.
21:24: HKLM: software\classes\cnshelper.ch.1\ is in use. It will be removed on reboot.
21:24: HKLM: software\classes\clsid\{b83fc273-3522-4cc6-92ec-75cc86678da4}\ is in use. It will be removed on reboot.
21:24: HKLM: software\classes\clsid\{d157330a-9ef3-49f8-9a67-4141ac41add4}\ is in use. It will be removed on reboot.
21:24: Quarantining All Traces: adjuggler cookie
21:24: Quarantining All Traces: myaffiliateprogram.com cookie
21:24: Warning: Launched explorer.exe
21:24: Warning: Quarantine process could not restart Explorer.
21:24: Preparing to restart your computer. Please wait...
21:24: Removal process completed. Elapsed time 00:02:47
21:28: Processing Startup Alerts
21:28: Allowed Startup entry: ibmmessages
********
20:46: | Start of Session, 2006年4月20日 |
20:46: Spy Sweeper started
20:47: Your spyware definitions have been updated.
20:47: Updating spyware definitions
20:47: Your definitions are up to date.
20:48: | End of Session, 2006年4月20日 |

0

Alrite, incredible, we know where it's located now.

With killbox, delete the following on reboot (note: some may not be present, that's ok):

C:\WINDOWS\Downloaded Program Files\CnsHook.dll
C:\WINDOWS\Downloaded Program Files\CnsMin.dll
C:\WINDOWS\Downloaded Program Files\CnsMinIO.dll
C:\WINDOWS\Downloaded Program Files\cnsio.dll
C:\WINDOWS\Downloaded Program Files\CnsHook.dll
C:\WINDOWS\Downloaded Program Files\cnshint.dll
c:\program files\3721

After doing this, reboot your computer again, run SpySweeper again, and save the log. Then, reboot 1 last time, and run a HJT scan.

Post killbox results, spysweeper results, and the HJT results.

Thanks.

0

When trying to delete

C:\WINDOWS\Downloaded Program Files\CnsHook.dll
C:\WINDOWS\Downloaded Program Files\CnsMin.dll
C:\WINDOWS\Downloaded Program Files\CnsMinIO.dll
C:\WINDOWS\Downloaded Program Files\cnsio.dll
C:\WINDOWS\Downloaded Program Files\CnsHook.dll
C:\WINDOWS\Downloaded Program Files\cnshint.dll
c:\program files\3721

in normal startup, they didn't show up, even when hidden files where shown. When starting up in safe mode, these files showed up, but two where still undeletable with killbox, CnsHook.dll and CnsMin.dll. Also
:\program files\3721 was unable to be deleted. This is probably why ewido anti-malware gives me the CnsHook.dll error every time I try to do anything. Below are the HJT and spy sweeper logs. Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 0:18:51, on 2006-4-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\LogWatNT.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\Net Transport\NTIEHelper.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\CnsHook.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [iPod USB Service] iPODService.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomail (file missing)
O9 - Extra button: E bazar - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=taobao (file missing)
O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomsg (file missing)
O11 - Options group: [!CNS] Chinese keywords
O11 - Options group: [JAVA_IBM] Java (IBM)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

********
23:17: | Start of Session, 2006年4月20日 |
23:17: Spy Sweeper started
23:17: Sweep initiated using definitions version 662
23:17: Starting Memory Sweep
23:17: Found Adware: cnsmin
23:17: Detected running threat: C:\WINDOWS\downlo~1\CnsHook.dll (ID = 53247)
23:18: Detected running threat: C:\WINDOWS\Downloaded Program Files\CnsHook.dll (ID = 53247)
23:18: Detected running threat: C:\WINDOWS\Downloaded Program Files\CnsMin.dll (ID = 53251)
23:21: Detected running threat: C:\WINDOWS\Downloaded Program Files\CnsMinIO.dll (ID = 53267)
23:21: Detected running threat: C:\WINDOWS\Downloaded Program Files\cnsio.dll (ID = 192138)
23:22: Detected running threat: C:\WINDOWS\Downloaded Program Files\cnshint.dll (ID = 239052)
23:22: Detected running threat: C:\WINDOWS\Downloaded Program Files\cnsplus.dll (ID = 192143)
23:22: Memory Sweep Complete, Elapsed Time: 00:05:48
23:22: Starting Registry Sweep
23:22: Found Adware: cnsmin 3721.com hijack
23:22: HKLM\software\microsoft\internet explorer\search\ || searchassistant (ID = 106146)
23:22: HKLM\software\microsoft\internet explorer\search\ || customizesearch (ID = 106147)
23:22: HKCR\autolive.live\ (5 subtraces) (ID = 106150)
23:22: HKCR\clsid\{7ca83cf1-3aea-42d0-a4e3-1594fc6e48b2}\ (4 subtraces) (ID = 106157)
23:22: HKCR\clsid\{b83fc273-3522-4cc6-92ec-75cc86678da4}\ (25 subtraces) (ID = 106163)
23:22: HKCR\clsid\{d157330a-9ef3-49f8-9a67-4141ac41add4}\ (15 subtraces) (ID = 106166)
23:22: HKCR\cnshelper.ch.1\ (3 subtraces) (ID = 106168)
23:22: HKCR\cnshelper.ch\ (5 subtraces) (ID = 106169)
23:22: HKCR\cnsminhk.cnshook.1\ (3 subtraces) (ID = 106170)
23:22: HKCR\cnsminhk.cnshook\ (5 subtraces) (ID = 106171)
23:22: HKCR\interface\{1bb0abbe-2d95-4847-b9d8-6f90de3714c1}\ (8 subtraces) (ID = 106174)
23:22: HKCR\interface\{be08f6bc-c3e6-4149-beb1-cb449e1b372e}\ (8 subtraces) (ID = 106178)
23:22: HKLM\software\microsoft\internet explorer\advancedoptions\!cns\ (70 subtraces) (ID = 106213)
23:22: HKLM\software\microsoft\internet explorer\extensions\{5d73ee86-05f1-49ed-b850-e423120ec338}\ (6 subtraces) (ID = 106217)
23:22: HKLM\software\microsoft\internet explorer\extensions\{ecf2e268-f28c-48d2-9ab7-8f69c11ccb71}\ (4 subtraces) (ID = 106219)
23:22: HKLM\software\microsoft\internet explorer\extensions\{fd00d911-7529-4084-9946-a29f1bdf4fe5}\ (4 subtraces) (ID = 106220)
23:22: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{d157330a-9ef3-49f8-9a67-4141ac41add4}\ (1 subtraces) (ID = 106237)
23:22: HKLM\software\microsoft\windows\currentversion\run\ || cnsmin (ID = 106245)
23:22: HKLM\software\microsoft\windows\currentversion\uninstall\cnsmin\ (2 subtraces) (ID = 106251)
23:22: HKCR\typelib\{4158db95-de71-41ff-bea1-2c3d1c679df1}\ (9 subtraces) (ID = 106260)
23:22: HKCR\typelib\{a5adeae7-a8b4-4f94-9128-bf8d8db5e927}\ (9 subtraces) (ID = 106263)
23:23: HKLM\software\3721\ (43 subtraces) (ID = 872107)
23:23: HKLM\software\3721\cnsmin\ (26 subtraces) (ID = 872108)
23:23: HKLM\system\currentcontrolset\services\cnsminkp\ (19 subtraces) (ID = 872138)
23:23: HKLM\system\currentcontrolset\services\cnsminkp\security\ (1 subtraces) (ID = 872152)
23:23: HKLM\system\currentcontrolset\services\cnsminkp\enum\ (3 subtraces) (ID = 872154)
23:23: HKLM\software\microsoft\windows\currentversion\explorer\shellexecutehooks\ || {d157330a-9ef3-49f8-9a67-4141ac41add4} (ID = 958059)
23:23: HKCR\autolive.live.1\ (3 subtraces) (ID = 967034)
23:23: HKLM\software\classes\autolive.live.1\ (3 subtraces) (ID = 967206)
23:23: HKLM\software\classes\autolive.live\ (5 subtraces) (ID = 980759)
23:23: HKLM\software\classes\clsid\{7ca83cf1-3aea-42d0-a4e3-1594fc6e48b2}\ (4 subtraces) (ID = 980765)
23:23: HKLM\software\classes\typelib\{4158db95-de71-41ff-bea1-2c3d1c679df1}\ (9 subtraces) (ID = 980775)
23:23: HKLM\system\currentcontrolset\services\cnsminkp\enum\ || count (ID = 1018678)
23:23: HKLM\system\currentcontrolset\services\cnsminkp\enum\ || nextinstance (ID = 1018679)
23:23: HKCR\cnshelper.ch\curver\ (1 subtraces) (ID = 1041849)
23:23: HKCR\cnshelper.ch.1\clsid\ (1 subtraces) (ID = 1041853)
23:23: HKLM\software\classes\cnshelper.ch\ (5 subtraces) (ID = 1041942)
23:23: HKLM\software\classes\cnshelper.ch.1\ (3 subtraces) (ID = 1041948)
23:23: HKLM\software\classes\clsid\{b83fc273-3522-4cc6-92ec-75cc86678da4}\ (25 subtraces) (ID = 1041952)
23:23: HKLM\system\currentcontrolset\services\cnsminkp\enum\ || 0 (ID = 1047525)
23:23: HKLM\system\currentcontrolset\enum\root\legacy_cnsminkp\ (10 subtraces) (ID = 1147491)
23:23: HKLM\software\classes\clsid\{d157330a-9ef3-49f8-9a67-4141ac41add4}\ (15 subtraces) (ID = 1240267)
23:23: HKU\S-1-5-21-1612712036-2320844081-1803406932-1005\software\3721\ (39 subtraces) (ID = 106182)
23:23: HKU\S-1-5-21-1612712036-2320844081-1803406932-1005\software\microsoft\internet explorer\main\ || cnshint (ID = 106223)
23:23: HKU\S-1-5-21-1612712036-2320844081-1803406932-1005\software\microsoft\internet explorer\main\ || cnsreset (ID = 106226)
23:23: HKU\S-1-5-21-1612712036-2320844081-1803406932-1005\software\microsoft\internet explorer\extensions\cmdmapping\ || {5d73ee86-05f1-49ed-b850-e423120ec338} (ID = 1032318)
23:23: HKU\S-1-5-18\software\3721\ (5 subtraces) (ID = 106182)
23:23: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || cnshint (ID = 106223)
23:23: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || cnsreset (ID = 106226)
23:23: Registry Sweep Complete, Elapsed Time:00:00:15
23:23: Starting Cookie Sweep
23:23: Found Spy Cookie: atlas dmt cookie
23:23: [email]geng@atdmt[2].txt[/email] (ID = 2253)
23:23: Found Spy Cookie: questionmarket cookie
23:23: [email]geng@questionmarket[2].txt[/email] (ID = 3217)
23:23: Found Spy Cookie: adjuggler cookie
23:23: [email]geng@rotator.adjuggler[1].txt[/email] (ID = 2071)
23:23: Found Spy Cookie: coremetrics cookie
23:23: [email]geng@twci.coremetrics[1].txt[/email] (ID = 2472)
23:23: Found Spy Cookie: myaffiliateprogram.com cookie
23:23: [email]geng@www.myaffiliateprogram[1].txt[/email] (ID = 3032)
23:23: Cookie Sweep Complete, Elapsed Time: 00:00:00
23:23: Starting File Sweep
23:23: c:\program files\3721 (3 subtraces) (ID = -2147481237)
23:23: c:\windows\downloaded program files\3721 (ID = -2147469211)
23:23: Warning: Failed to open file "c:\program files\\{2111b23f-7fda-4a41-8309-e5a1663ca296}\setup.exe". The system cannot find the path specified
23:23: cnsminio.dll (ID = 53267)
23:23: Warning: Failed to open file "c:\program files\\{4fe92d2d-89ff-4e24-8a8f-b1956eacf704}\setup.ilg". The system cannot find the path specified
23:23: cnsminex.dll (ID = 53263)
23:23: cnsmindt.cab (ID = 53260)
23:24: cnsplus.cab (ID = 192142)
23:24: cnsplus.dll (ID = 192143)
23:24: cnsminio.dll (ID = 53267)
23:24: cnsio.dll (ID = 192138)
23:24: cnsminex.dll (ID = 53263)
23:25: cnsminex.cab (ID = 53262)
23:25: cnsminkp.vxd (ID = 163440)
23:25: cnshint.dll (ID = 239052)
23:25: cnshook.dll (ID = 53247)
23:25: cnsminhk.cab (ID = 53265)
23:25: cnsio.dll (ID = 192138)
23:25: cnsio.dll (ID = 192138)
23:25: cnshook.dll (ID = 53247)
23:26: cnsminio.cab (ID = 53266)
23:26: cns1.dll (ID = 53245)
23:26: cnsplus.dll (ID = 192143)
23:26: cns.exe (ID = 53246)
23:27: Warning: Failed to open file "c:\documents and settings\geng\recent\¤y¤o§? - °?¤@.lnk". The filename, directory name, or volume label syntax is incorrect
23:28: cnshint.dll (ID = 239052)
23:29: Warning: Failed to open file "c:\windows\winsxs\policies\\1.0.10.0.cat". The system cannot find the file specified
23:30: Warning: Failed to open file "c:\program files\\{72806716-7088-41b2-8fa6-717a2a164dab}\setup.ilg". The system cannot find the path specified
23:30: Warning: Failed to open file "c:\program files\\{4fe92d2d-89ff-4e24-8a8f-b1956eacf704}\data1.hdr". The system cannot find the path specified
23:31: cns.dll (ID = 53245)
23:32: Warning: Failed to open file "c:\program files\\{91810afc-a4f8-4eba-a5aa-b198bbc81144}\setup.ilg". The system cannot find the path specified
23:32: Warning: Failed to open file "c:\program files\\{91810afc-a4f8-4eba-a5aa-b198bbc81144}\layout.bin". The system cannot find the path specified
23:32: Warning: Failed to open file "c:\program files\\{91810afc-a4f8-4eba-a5aa-b198bbc81144}\data1.hdr". The system cannot find the path specified
23:32: Warning: Failed to open file "c:\program files\\{91810afc-a4f8-4eba-a5aa-b198bbc81144}\data1.cab". The system cannot find the path specified
23:32: Warning: Failed to open file "c:\program files\\{91810afc-a4f8-4eba-a5aa-b198bbc81144}\setup.exe". The system cannot find the path specified
23:32: Warning: Failed to open file "c:\program files\\{91810afc-a4f8-4eba-a5aa-b198bbc81144}\setup.inx". The system cannot find the path specified
23:33: Warning: Failed to open file "c:\program files\\{91810afc-a4f8-4eba-a5aa-b198bbc81144}\icon.bmp". The system cannot find the path specified
23:33: Warning: Failed to open file "c:\program files\\{2111b23f-7fda-4a41-8309-e5a1663ca296}\data1.hdr". The system cannot find the path specified
23:33: Warning: Failed to open file "c:\windows\winsxs\policies\\7.0.2600.2180.policy". The system cannot find the file specified
23:33: Warning: Failed to open file "c:\program files\\{72806716-7088-41b2-8fa6-717a2a164dab}\data1.hdr". The system cannot find the path specified
23:33: Warning: Failed to open file "c:\program files\\{2111b23f-7fda-4a41-8309-e5a1663ca296}\setup.ilg". The system cannot find the path specified
23:33: Warning: Failed to open file "c:\program files\\{2111b23f-7fda-4a41-8309-e5a1663ca296}\setup.inx". The system cannot find the path specified
23:34: Warning: Failed to open file "c:\program files\\{72806716-7088-41b2-8fa6-717a2a164dab}\setup.inx". The system cannot find the path specified
23:35: Warning: Failed to open file "c:\windows\winsxs\policies\\7.0.10.0.policy". The system cannot find the file specified
23:35: Warning: Failed to open file "c:\windows\winsxs\policies\\7.0.10.0.cat". The system cannot find the file specified
23:35: Warning: Failed to open file "c:\windows\winsxs\\msvcirt.dll". The system cannot find the file specified
23:35: Warning: Failed to open file "c:\windows\winsxs\\msvcrt.dll". The system cannot find the file specified
23:35: Warning: Failed to open file "c:\windows\winsxs\policies\\6.0.10.0.cat". The system cannot find the file specified
23:35: Warning: Failed to open file "c:\windows\winsxs\\msvcirt.dll". The system cannot find the file specified
23:35: Warning: Failed to open file "c:\windows\winsxs\\msvcrt.dll". The system cannot find the file specified
23:35: cnsmin.dll (ID = 53251)
23:35: Warning: Failed to open file "c:\program files\\{9b94be6f-7ca3-4c40-a266-62667ff746cc}\data1.hdr". The system cannot find the path specified
23:38: Warning: Failed to open file "c:\program files\\{72806716-7088-41b2-8fa6-717a2a164dab}\setup.exe". The system cannot find the path specified
23:39: Warning: Failed to open file "c:\program files\\{ea664480-3844-11d5-8c25-444553540000}\data1.cab". The system cannot find the path specified
23:39: Warning: Failed to open file "c:\program files\\{82512bc9-bd5d-4c50-be4d-b98e7df78687}\setup.exe". The system cannot find the path specified
23:39: Warning: Failed to open file "c:\program files\\{9b94be6f-7ca3-4c40-a266-62667ff746cc}\setup.exe". The system cannot find the path specified
23:40: Warning: Failed to open file "c:\program files\\{3f92abbb-6bbf-11d5-b229-002078017fbf}\data1.cab". The system cannot find the path specified
23:40: Warning: Failed to open file "c:\program files\\{4fe92d2d-89ff-4e24-8a8f-b1956eacf704}\_setup.dll". The system cannot find the path specified
23:40: cnshook.dll (ID = 53247)
23:41: cnsmin.dll (ID = 53251)
23:42: Warning: Failed to open file "c:\program files\\{9b94be6f-7ca3-4c40-a266-62667ff746cc}\setup.inx". The system cannot find the path specified
23:42: Warning: Failed to open file "c:\program files\\{9b94be6f-7ca3-4c40-a266-62667ff746cc}\data1.cab". The system cannot find the path specified
23:42: Warning: Failed to open file "c:\program files\\{9fac9e5c-0d20-4dbf-afe5-2e09c52a95a2}\data1.cab". The system cannot find the path specified
23:43: Warning: Failed to open file "c:\windows\winsxs\policies\\1.0.2600.2180.cat". The system cannot find the file specified
23:43: Warning: Failed to open file "c:\windows\winsxs\policies\\6.0.2600.2180.cat". The system cannot find the file specified
23:43: Warning: Failed to open file "c:\windows\winsxs\policies\\7.0.2600.2180.cat". The system cannot find the file specified
23:43: Warning: Failed to open file "c:\program files\\{0bedbd4e-2d34-47b5-9973-57e62b29307c}\setup.ilg". The system cannot find the path specified
23:43: Warning: Failed to open file "c:\program files\\{e646dcf0-5a68-11d5-b229-002078017fbf}\data1.cab". The system cannot find the path specified
23:43: Warning: Failed to open file "c:\program files\\{82512bc9-bd5d-4c50-be4d-b98e7df78687}\data1.hdr". The system cannot find the path specified
23:43: Warning: Failed to open file "c:\program files\\{ea664480-3844-11d5-8c25-444553540000}\setup.ilg". The system cannot find the path specified
23:43: Warning: Failed to open file "c:\program files\\{ea664480-3844-11d5-8c25-444553540000}\data1.hdr". The system cannot find the path specified
23:43: Warning: Failed to open file "c:\program files\\{9fac9e5c-0d20-4dbf-afe5-2e09c52a95a2}\data1.hdr". The system cannot find the path specified
23:43: Warning: Failed to open file "c:\program files\\{e646dcf0-5a68-11d5-b229-002078017fbf}\setup.ilg". The system cannot find the path specified
23:43: Warning: Failed to open file "c:\program files\\{3f92abbb-6bbf-11d5-b229-002078017fbf}\data1.hdr". The system cannot find the path specified
23:43: Warning: Failed to open file "c:\program files\\{e646dcf0-5a68-11d5-b229-002078017fbf}\data1.hdr". The system cannot find the path specified
23:43: Warning: Failed to open file "c:\program files\\{3ea9d975-bfdc-4e8e-b88b-0446fbc8ca66}\data1.hdr". The system cannot find the path specified
23:43: Warning: Failed to open file "c:\program files\\{0bedbd4e-2d34-47b5-9973-57e62b29307c}\data1.hdr". The system cannot find the path specified
23:44: Warning: Failed to open file "c:\program files\\{9fac9e5c-0d20-4dbf-afe5-2e09c52a95a2}\setup.ilg". The system cannot find the path specified
23:44: Warning: Failed to open file "c:\program files\\{82512bc9-bd5d-4c50-be4d-b98e7df78687}\setup.inx". The system cannot find the path specified
23:44: Warning: Failed to open file "c:\program files\\{82512bc9-bd5d-4c50-be4d-b98e7df78687}\setup.ilg". The system cannot find the path specified
23:44: Warning: Failed to open file "c:\program files\\{ea664480-3844-11d5-8c25-444553540000}\setup.exe". The system cannot find the path specified
23:44: Warning: Failed to open file "c:\program files\\{ea664480-3844-11d5-8c25-444553540000}\setup.inx". The system cannot find the path specified
23:44: Warning: Failed to open file "c:\program files\\{9fac9e5c-0d20-4dbf-afe5-2e09c52a95a2}\setup.exe". The system cannot find the path specified
23:44: Warning: Failed to open file "c:\program files\\{9fac9e5c-0d20-4dbf-afe5-2e09c52a95a2}\setup.inx". The system cannot find the path specified
23:44: Warning: Failed to open file "c:\program files\\{3f92abbb-6bbf-11d5-b229-002078017fbf}\setup.ilg". The system cannot find the path specified
23:44: Warning: Failed to open file "c:\program files\\{3f92abbb-6bbf-11d5-b229-002078017fbf}\setup.exe". The system cannot find the path specified
23:44: Warning: Failed to open file "c:\program files\\{3f92abbb-6bbf-11d5-b229-002078017fbf}\setup.inx". The system cannot find the path specified
23:44: Warning: Failed to open file "c:\program files\\{e646dcf0-5a68-11d5-b229-002078017fbf}\setup.exe". The system cannot find the path specified
23:44: Warning: Failed to open file "c:\program files\\{e646dcf0-5a68-11d5-b229-002078017fbf}\setup.inx". The system cannot find the path specified
23:44: Warning: Failed to open file "c:\program files\\{3ea9d975-bfdc-4e8e-b88b-0446fbc8ca66}\setup.ilg". The system cannot find the path specified
23:44: Warning: Failed to open file "c:\program files\\{3ea9d975-bfdc-4e8e-b88b-0446fbc8ca66}\data1.cab". The system cannot find the path specified
23:44: Warning: Failed to open file "c:\program files\\{3ea9d975-bfdc-4e8e-b88b-0446fbc8ca66}\setup.exe". The system cannot find the path specified
23:44: Warning: Failed to open file "c:\program files\\{3ea9d975-bfdc-4e8e-b88b-0446fbc8ca66}\setup.inx". The system cannot find the path specified
23:44: Warning: Failed to open file "c:\program files\\{0bedbd4e-2d34-47b5-9973-57e62b29307c}\data1.cab". The system cannot find the path specified
23:44: Warning: Failed to open file "c:\program files\\{0bedbd4e-2d34-47b5-9973-57e62b29307c}\setup.inx". The system cannot find the path specified
23:44: Warning: Failed to open file "c:\program files\\{74574620-fe6e-11d2-aa9b-b732b9de0c29}\data1.hdr". The system cannot find the path specified
23:44: Warning: Failed to open file "c:\program files\\{2111b23f-7fda-4a41-8309-e5a1663ca296}\data1.cab". The system cannot find the path specified
23:44: Warning: Failed to open file "c:\program files\\{72806716-7088-41b2-8fa6-717a2a164dab}\data1.cab". The system cannot find the path specified
23:45: Warning: Failed to open file "c:\program files\\{74574620-fe6e-11d2-aa9b-b732b9de0c29}\data1.cab". The system cannot find the path specified
23:45: Warning: Failed to open file "c:\program files\\{74574620-fe6e-11d2-aa9b-b732b9de0c29}\setup.exe". The system cannot find the path specified
23:45: Warning: Failed to open file "c:\program files\\{74574620-fe6e-11d2-aa9b-b732b9de0c29}\setup.inx". The system cannot find the path specified
23:46: Warning: Failed to open file "c:\program files\\{6c72e14a-c1f3-45e5-8810-83ce3c19ed63}\setup.ilg". The system cannot find the path specified
23:46: Warning: Failed to open file "c:\program files\\{6c72e14a-c1f3-45e5-8810-83ce3c19ed63}\setup.inx". The system cannot find the path specified
23:46: Warning: Failed to open file "c:\program files\\{3ed8d422-5658-41fa-ae3d-7107b26caab7}\data1.cab". The system cannot find the path specified
23:46: Warning: Failed to open file "c:\program files\\{82512bc9-bd5d-4c50-be4d-b98e7df78687}\data1.cab". The system cannot find the path specified
23:46: Warning: Failed to open file "c:\program files\\{3ed8d422-5658-41fa-ae3d-7107b26caab7}\data1.hdr". The system cannot find the path specified
23:46: Warning: Failed to open file "c:\program files\\{3ed8d422-5658-41fa-ae3d-7107b26caab7}\setup.exe". The system cannot find the path specified
23:46: Warning: Failed to open file "c:\program files\\{3ed8d422-5658-41fa-ae3d-7107b26caab7}\setup.inx". The system cannot find the path specified
23:47: Warning: Failed to open file "c:\program files\\{22b71a00-4ded-11d4-a5e5-0004ac564f43}\setup.ilg". The system cannot find the path specified
23:47: Warning: Failed to open file "c:\program files\\{22b71a00-4ded-11d4-a5e5-0004ac564f43}\data1.hdr". The system cannot find the path specified
23:47: Warning: Failed to open file "c:\program files\\{22b71a00-4ded-11d4-a5e5-0004ac564f43}\data1.cab". The system cannot find the path specified
23:47: Warning: Failed to open file "c:\program files\\{22b71a00-4ded-11d4-a5e5-0004ac564f43}\setup.exe". The system cannot find the path specified
23:47: Warning: Failed to open file "c:\program files\\{22b71a00-4ded-11d4-a5e5-0004ac564f43}\setup.inx". The system cannot find the path specified
23:48: cnsminex.ini (ID = 53264)
23:48: cnsminio.cab (ID = 53266)
23:48: cnsmincg.ini (ID = 53257)
23:50: Warning: Failed to open file "c:\program files\\{4fe92d2d-89ff-4e24-8a8f-b1956eacf704}\setup.exe". The system cannot find the path specified
23:50: cnsmindt.dll (ID = 53261)
23:50: cnsmindt.dll (ID = 53261)
23:50: cnsminex.cab (ID = 53262)
23:50: Warning: Failed to open file "c:\program files\\{4fe92d2d-89ff-4e24-8a8f-b1956eacf704}\data1.cab". The system cannot find the path specified
23:51: cnsmindt.cab (ID = 53260)
23:51: Warning: Failed to open file "c:\windows\winsxs\policies\\6.0.10.0.policy". The system cannot find the file specified
23:51: Warning: Failed to open file "c:\windows\winsxs\policies\\1.0.10.0.policy". The system cannot find the file specified
23:52: Warning: Failed to open file "c:\program files\\{0bedbd4e-2d34-47b5-9973-57e62b29307c}\setup.exe". The system cannot find the path specified
23:52: cnsminhk.cab (ID = 53265)
23:52: cns1.exe (ID = 53246)
23:52: cnsmincg.ini (ID = 53257)
23:53: cnsminex.ini (ID = 53264)
23:54: cnsplus[1].cab (ID = 192142)
23:54: cnsplus.cab (ID = 192142)
23:58: Warning: Failed to open file "c:\program files\\{4fe92d2d-89ff-4e24-8a8f-b1956eacf704}\setup.inx". The system cannot find the path specified
23:58: cnsmin.ini (ID = 53255)
23:58: cnsmin.ini (ID = 53255)
0:00: File Sweep Complete, Elapsed Time: 00:37:27
0:00: Full Sweep has completed. Elapsed time 00:43:34
0:00: Traces Found: 512
0:00: Removal process initiated
0:01: Quarantining All Traces: cnsmin
0:01: cnsmin is in use. It will be removed on reboot.
0:01: c:\program files\3721 is in use. It will be removed on reboot.
0:01: cnsminio.dll is in use. It will be removed on reboot.
0:01: cnsplus.dll is in use. It will be removed on reboot.
0:01: cnsio.dll is in use. It will be removed on reboot.
0:01: cnshint.dll is in use. It will be removed on reboot.
0:01: clsid\{b83fc273-3522-4cc6-92ec-75cc86678da4}\ is in use. It will be removed on reboot.
0:01: clsid\{d157330a-9ef3-49f8-9a67-4141ac41add4}\ is in use. It will be removed on reboot.
0:01: cnshelper.ch.1\ is in use. It will be removed on reboot.
0:01: cnshelper.ch\ is in use. It will be removed on reboot.
0:01: HKLM: software\microsoft\windows\currentversion\explorer\browser helper objects\{d157330a-9ef3-49f8-9a67-4141ac41add4}\ is in use. It will be removed on reboot.
0:01: HKLM: system\currentcontrolset\services\cnsminkp\ is in use. It will be removed on reboot.
0:01: HKLM: system\currentcontrolset\services\cnsminkp\security\ is in use. It will be removed on reboot.
0:01: HKLM: system\currentcontrolset\services\cnsminkp\enum\ is in use. It will be removed on reboot.
0:01: cnshelper.ch\curver\ is in use. It will be removed on reboot.
0:01: cnshelper.ch.1\clsid\ is in use. It will be removed on reboot.
0:01: HKLM: software\classes\cnshelper.ch\ is in use. It will be removed on reboot.
0:01: HKLM: software\classes\cnshelper.ch.1\ is in use. It will be removed on reboot.
0:01: HKLM: software\classes\clsid\{b83fc273-3522-4cc6-92ec-75cc86678da4}\ is in use. It will be removed on reboot.
0:01: HKLM: software\classes\clsid\{d157330a-9ef3-49f8-9a67-4141ac41add4}\ is in use. It will be removed on reboot.
0:01: C:\WINDOWS\downlo~1\CnsHook.dll is in use. It will be removed on reboot.
0:01: C:\WINDOWS\Downloaded Program Files\CnsHook.dll is in use. It will be removed on reboot.
0:01: C:\WINDOWS\Downloaded Program Files\CnsMin.dll is in use. It will be removed on reboot.
0:01: C:\WINDOWS\Downloaded Program Files\CnsMinIO.dll is in use. It will be removed on reboot.
0:01: C:\WINDOWS\Downloaded Program Files\cnsio.dll is in use. It will be removed on reboot.
0:01: C:\WINDOWS\Downloaded Program Files\cnshint.dll is in use. It will be removed on reboot.
0:01: C:\WINDOWS\Downloaded Program Files\cnsplus.dll is in use. It will be removed on reboot.
0:01: Quarantining All Traces: cnsmin 3721.com hijack
0:01: Quarantining All Traces: adjuggler cookie
0:01: Quarantining All Traces: atlas dmt cookie
0:01: Quarantining All Traces: coremetrics cookie
0:01: Quarantining All Traces: myaffiliateprogram.com cookie
0:01: Quarantining All Traces: questionmarket cookie
0:01: Warning: Launched explorer.exe
0:01: Warning: Quarantine process could not restart Explorer.
0:01: Removal process completed. Elapsed time 00:00:55
********
21:34: | Start of Session, 2006年4月20日 |
21:34: Spy Sweeper started
21:34: Sweep initiated using definitions version 662
21:34: Starting Memory Sweep
21:34: Found Adware: cnsmin
21:34: Detected running threat: C:\WINDOWS\downlo~1\CnsHook.dll (ID = 53247)
21:35: Detected running threat: C:\WINDOWS\Downloaded Program Files\CnsMin.dll (ID = 53251)
21:37: Detected running threat: C:\WINDOWS\Downloaded Program Files\CnsHook.dll (ID = 53247)
21:38: Memory Sweep Complete, Elapsed Time: 00:04:25
21:38: Starting Registry Sweep
21:38: HKCR\clsid\{b83fc273-3522-4cc6-92ec-75cc86678da4}\ (25 subtraces) (ID = 106163)
21:38: HKCR\clsid\{d157330a-9ef3-49f8-9a67-4141ac41add4}\ (15 subtraces) (ID = 106166)
21:38: HKCR\cnshelper.ch.1\ (3 subtraces) (ID = 106168)
21:38: HKCR\cnshelper.ch\ (5 subtraces) (ID = 106169)
21:38: HKLM\software\microsoft\internet explorer\advancedoptions\!cns\ (40 subtraces) (ID = 106213)
21:38: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{d157330a-9ef3-49f8-9a67-4141ac41add4}\ (1 subtraces) (ID = 106237)
21:38: HKLM\software\microsoft\windows\currentversion\run\ || cnsmin (ID = 106245)
21:38: HKLM\software\microsoft\windows\currentversion\uninstall\cnsmin\ (2 subtraces) (ID = 106251)
21:38: HKLM\software\3721\ (6 subtraces) (ID = 872107)
21:38: HKLM\software\3721\cnsmin\ (5 subtraces) (ID = 872108)
21:38: HKLM\system\currentcontrolset\services\cnsminkp\ (19 subtraces) (ID = 872138)
21:38: HKLM\system\currentcontrolset\services\cnsminkp\security\ (1 subtraces) (ID = 872152)
21:38: HKLM\system\currentcontrolset\services\cnsminkp\enum\ (3 subtraces) (ID = 872154)
21:38: HKLM\software\microsoft\windows\currentversion\explorer\shellexecutehooks\ || {d157330a-9ef3-49f8-9a67-4141ac41add4} (ID = 958059)
21:38: HKLM\system\currentcontrolset\services\cnsminkp\enum\ || count (ID = 1018678)
21:38: HKLM\system\currentcontrolset\services\cnsminkp\enum\ || nextinstance (ID = 1018679)
21:38: HKCR\cnshelper.ch\curver\ (1 subtraces) (ID = 1041849)
21:38: HKCR\cnshelper.ch.1\clsid\ (1 subtraces) (ID = 1041853)
21:38: HKLM\software\classes\cnshelper.ch\ (5 subtraces) (ID = 1041942)
21:38: HKLM\software\classes\cnshelper.ch.1\ (3 subtraces) (ID = 1041948)
21:38: HKLM\software\classes\clsid\{b83fc273-3522-4cc6-92ec-75cc86678da4}\ (25 subtraces) (ID = 1041952)
21:38: HKLM\system\currentcontrolset\services\cnsminkp\enum\ || 0 (ID = 1047525)
21:38: HKLM\system\currentcontrolset\enum\root\legacy_cnsminkp\ (11 subtraces) (ID = 1147491)
21:38: HKLM\software\classes\clsid\{d157330a-9ef3-49f8-9a67-4141ac41add4}\ (15 subtraces) (ID = 1240267)
21:38: HKU\S-1-5-21-1612712036-2320844081-1803406932-1005\software\3721\ (7 subtraces) (ID = 106182)
21:38: HKU\S-1-5-21-1612712036-2320844081-1803406932-1005\software\microsoft\internet explorer\main\ || cnshint (ID = 106223)
21:38: HKU\S-1-5-21-1612712036-2320844081-1803406932-1005\software\microsoft\internet explorer\main\ || cnsreset (ID = 106226)
21:38: Registry Sweep Complete, Elapsed Time:00:00:19
21:38: Starting Cookie Sweep
21:38: Found Spy Cookie: atlas dmt cookie
21:38: [email]geng@atdmt[2].txt[/email] (ID = 2253)
21:38: Found Spy Cookie: adjuggler cookie
21:38: [email]geng@rotator.adjuggler[1].txt[/email] (ID = 2071)
21:38: Found Spy Cookie: myaffiliateprogram.com cookie
21:38: [email]geng@www.myaffiliateprogram[2].txt[/email] (ID = 3032)
21:38: Cookie Sweep Complete, Elapsed Time: 00:00:01
21:38: Starting File Sweep
21:39: c:\program files\3721 (ID = -2147481237)
21:39: Warning: Failed to open file "c:\program files\\{2111b23f-7fda-4a41-8309-e5a1663ca296}\setup.exe". The system cannot find the path specified
21:39: Warning: Failed to open file "c:\program files\\{4fe92d2d-89ff-4e24-8a8f-b1956eacf704}\setup.ilg". The system cannot find the path specified
21:39: cnshook.dll (ID = 53247)
21:42: cns.exe (ID = 53246)
21:44: Warning: Failed to open file "c:\documents and settings\geng\recent\¤y¤o§? - °?¤@.lnk". The filename, directory name, or volume label syntax is incorrect
21:45: Warning: Failed to open file "c:\windows\winsxs\policies\\1.0.10.0.cat". The system cannot find the file specified
21:46: Warning: Failed to open file "c:\program files\\{72806716-7088-41b2-8fa6-717a2a164dab}\setup.ilg". The system cannot find the path specified
21:47: Warning: Failed to open file "c:\program files\\{4fe92d2d-89ff-4e24-8a8f-b1956eacf704}\data1.hdr". The system cannot find the path specified
21:47: cns.dll (ID = 53245)
21:49: Warning: Failed to open file "c:\program files\\{91810afc-a4f8-4eba-a5aa-b198bbc81144}\setup.ilg". The system cannot find the path specified
21:49: Warning: Failed to open file "c:\program files\\{91810afc-a4f8-4eba-a5aa-b198bbc81144}\layout.bin". The system cannot find the path specified
21:49: Warning: Failed to open file "c:\program files\\{91810afc-a4f8-4eba-a5aa-b198bbc81144}\data1.hdr". The system cannot find the path specified
21:49: Warning: Failed to open file "c:\program files\\{91810afc-a4f8-4eba-a5aa-b198bbc81144}\data1.cab". The system cannot find the path specified
21:49: Warning: Failed to open file "c:\program files\\{91810afc-a4f8-4eba-a5aa-b198bbc81144}\setup.exe". The system cannot find the path specified
21:49: Warning: Failed to open file "c:\program files\\{91810afc-a4f8-4eba-a5aa-b198bbc81144}\setup.inx". The system cannot find the path specified
21:49: Warning: Failed to open file "c:\program files\\{91810afc-a4f8-4eba-a5aa-b198bbc81144}\icon.bmp". The system cannot find the path specified
21:49: Warning: Failed to open file "c:\program files\\{2111b23f-7fda-4a41-8309-e5a1663ca296}\data1.hdr". The system cannot find the path specified
21:50: Warning: Failed to open file "c:\windows\winsxs\policies\\7.0.2600.2180.policy". The system cannot find the file specified
21:50: Warning: Failed to open file "c:\program files\\{72806716-7088-41b2-8fa6-717a2a164dab}\data1.hdr". The system cannot find the path specified
21:50: Warning: Failed to open file "c:\program files\\{2111b23f-7fda-4a41-8309-e5a1663ca296}\setup.ilg". The system cannot find the path specified
21:50: Warning: Failed to open file "c:\program files\\{2111b23f-7fda-4a41-8309-e5a1663ca296}\setup.inx". The system cannot find the path specified
21:50: Warning: Failed to open file "c:\program files\\{72806716-7088-41b2-8fa6-717a2a164dab}\setup.inx". The system cannot find the path specified
21:51: Warning: Failed to open file "c:\windows\winsxs\policies\\7.0.10.0.policy". The system cannot find the file specified
21:51: Warning: Failed to open file "c:\windows\winsxs\policies\\7.0.10.0.cat". The system cannot find the file specified
21:51: Warning: Failed to open file "c:\windows\winsxs\\msvcirt.dll". The system cannot find the file specified
21:51: Warning: Failed to open file "c:\windows\winsxs\\msvcrt.dll". The system cannot find the file specified
21:51: Warning: Failed to open file "c:\windows\winsxs\policies\\6.0.10.0.cat". The system cannot find the file specified
21:51: Warning: Failed to open file "c:\windows\winsxs\\msvcirt.dll". The system cannot find the file specified
21:51: Warning: Failed to open file "c:\windows\winsxs\\msvcrt.dll". The system cannot find the file specified
21:52: Warning: Failed to open file "c:\program files\\{9b94be6f-7ca3-4c40-a266-62667ff746cc}\data1.hdr". The system cannot find the path specified
21:55: Warning: Failed to open file "c:\program files\\{72806716-7088-41b2-8fa6-717a2a164dab}\setup.exe". The system cannot find the path specified
21:55: Warning: Failed to open file "c:\program files\\{ea664480-3844-11d5-8c25-444553540000}\data1.cab". The system cannot find the path specified
21:55: Warning: Failed to open file "c:\program files\\{82512bc9-bd5d-4c50-be4d-b98e7df78687}\setup.exe". The system cannot find the path specified
21:55: Warning: Failed to open file "c:\program files\\{9b94be6f-7ca3-4c40-a266-62667ff746cc}\setup.exe". The system cannot find the path specified
21:57: Warning: Failed to open file "c:\program files\\{3f92abbb-6bbf-11d5-b229-002078017fbf}\data1.cab". The system cannot find the path specified
21:57: Warning: Failed to open file "c:\program files\\{4fe92d2d-89ff-4e24-8a8f-b1956eacf704}\_setup.dll". The system cannot find the path specified
21:57: cnsmin.dll (ID = 53251)
21:59: Warning: Failed to open file "c:\program files\\{9b94be6f-7ca3-4c40-a266-62667ff746cc}\setup.inx". The system cannot find the path specified
21:59: Warning: Failed to open file "c:\program files\\{9b94be6f-7ca3-4c40-a266-62667ff746cc}\data1.cab". The system cannot find the path specified
21:59: Warning: Failed to open file "c:\program files\\{9fac9e5c-0d20-4dbf-afe5-2e09c52a95a2}\data1.cab". The system cannot find the path specified
21:59: Warning: Failed to open file "c:\windows\winsxs\policies\\1.0.2600.2180.cat". The system cannot find the file specified
21:59: Warning: Failed to open file "c:\windows\winsxs\policies\\6.0.2600.2180.cat". The system cannot find the file specified
21:59: Warning: Failed to open file "c:\windows\winsxs\policies\\7.0.2600.2180.cat". The system cannot find the file specified
21:59: Warning: Failed to open file "c:\program files\\{0bedbd4e-2d34-47b5-9973-57e62b29307c}\setup.ilg". The system cannot find the path specified
22:00: Warning: Failed to open file "c:\program files\\{e646dcf0-5a68-11d5-b229-002078017fbf}\data1.cab". The system cannot find the path specified
22:00: Warning: Failed to open file "c:\program files\\{82512bc9-bd5d-4c50-be4d-b98e7df78687}\data1.hdr". The system cannot find the path specified
22:00: Warning: Failed to open file "c:\program files\\{ea664480-3844-11d5-8c25-444553540000}\setup.ilg". The system cannot find the path specified
22:00: Warning: Failed to open file "c:\program files\\{ea664480-3844-11d5-8c25-444553540000}\data1.hdr". The system cannot find the path specified
22:00: Warning: Failed to open file "c:\program files\\{9fac9e5c-0d20-4dbf-afe5-2e09c52a95a2}\data1.hdr". The system cannot find the path specified
22:00: Warning: Failed to open file "c:\program files\\{e646dcf0-5a68-11d5-b229-002078017fbf}\setup.ilg". The system cannot find the path specified
22:00: Warning: Failed to open file "c:\program files\\{3f92abbb-6bbf-11d5-b229-002078017fbf}\data1.hdr". The system cannot find the path specified
22:00: Warning: Failed to open file "c:\program files\\{e646dcf0-5a68-11d5-b229-002078017fbf}\data1.hdr". The system cannot find the path specified
22:00: Warning: Failed to open file "c:\program files\\{3ea9d975-bfdc-4e8e-b88b-0446fbc8ca66}\data1.hdr". The system cannot find the path specified
22:00: Warning: Failed to open file "c:\program files\\{0bedbd4e-2d34-47b5-9973-57e62b29307c}\data1.hdr". The system cannot find the path specified
22:00: Warning: Failed to open file "c:\program files\\{9fac9e5c-0d20-4dbf-afe5-2e09c52a95a2}\setup.ilg". The system cannot find the path specified
22:00: Warning: Failed to open file "c:\program files\\{82512bc9-bd5d-4c50-be4d-b98e7df78687}\setup.inx". The system cannot find the path specified
22:01: Warning: Failed to open file "c:\program files\\{82512bc9-bd5d-4c50-be4d-b98e7df78687}\setup.ilg". The system cannot find the path specified
22:01: Warning: Failed to open file "c:\program files\\{ea664480-3844-11d5-8c25-444553540000}\setup.exe". The system cannot find the path specified
22:01: Warning: Failed to open file "c:\program files\\{ea664480-3844-11d5-8c25-444553540000}\setup.inx". The system cannot find the path specified
22:01: Warning: Failed to open file "c:\program files\\{9fac9e5c-0d20-4dbf-afe5-2e09c52a95a2}\setup.exe". The system cannot find the path specified
22:01: Warning: Failed to open file "c:\program files\\{9fac9e5c-0d20-4dbf-afe5-2e09c52a95a2}\setup.inx". The system cannot find the path specified
22:01: Warning: Failed to open file "c:\program files\\{3f92abbb-6bbf-11d5-b229-002078017fbf}\setup.ilg". The system cannot find the path specified
22:01: Warning: Failed to open file "c:\program files\\{3f92abbb-6bbf-11d5-b229-002078017fbf}\setup.exe". The system cannot find the path specified
22:01: Warning: Failed to open file "c:\program files\\{3f92abbb-6bbf-11d5-b229-002078017fbf}\setup.inx". The system cannot find the path specified
22:01: Warning: Failed to open file "c:\program files\\{e646dcf0-5a68-11d5-b229-002078017fbf}\setup.exe". The system cannot find the path specified
22:01: Warning: Failed to open file "c:\program files\\{e646dcf0-5a68-11d5-b229-002078017fbf}\setup.inx". The system cannot find the path specified
22:01: Warning: Failed to open file "c:\program files\\{3ea9d975-bfdc-4e8e-b88b-0446fbc8ca66}\setup.ilg". The system cannot find the path specified
22:01: Warning: Failed to open file "c:\program files\\{3ea9d975-bfdc-4e8e-b88b-0446fbc8ca66}\data1.cab". The system cannot find the path specified
22:01: Warning: Failed to open file "c:\program files\\{3ea9d975-bfdc-4e8e-b88b-0446fbc8ca66}\setup.exe". The system cannot find the path specified
22:01: Warning: Failed to open file "c:\program files\\{3ea9d975-bfdc-4e8e-b88b-0446fbc8ca66}\setup.inx". The system cannot find the path specified
22:01: Warning: Failed to open file "c:\program files\\{0bedbd4e-2d34-47b5-9973-57e62b29307c}\data1.cab". The system cannot find the path specified
22:01: Warning: Failed to open file "c:\program files\\{0bedbd4e-2d34-47b5-9973-57e62b29307c}\setup.inx". The system cannot find the path specified
22:01: Warning: Failed to open file "c:\program files\\{74574620-fe6e-11d2-aa9b-b732b9de0c29}\data1.hdr". The system cannot find the path specified
22:01: Warning: Failed to open file "c:\program files\\{2111b23f-7fda-4a41-8309-e5a1663ca296}\data1.cab". The system cannot find the path specified
22:01: Warning: Failed to open file "c:\program files\\{72806716-7088-41b2-8fa6-717a2a164dab}\data1.cab". The system cannot find the path specified
22:01: Warning: Failed to open file "c:\program files\\{74574620-fe6e-11d2-aa9b-b732b9de0c29}\data1.cab". The system cannot find the path specified
22:01: Warning: Failed to open file "c:\program files\\{74574620-fe6e-11d2-aa9b-b732b9de0c29}\setup.exe". The system cannot find the path specified
22:01: Warning: Failed to open file "c:\program files\\{74574620-fe6e-11d2-aa9b-b732b9de0c29}\setup.inx". The system cannot find the path specified
22:02: Warning: Failed to open file "c:\program files\\{6c72e14a-c1f3-45e5-8810-83ce3c19ed63}\setup.ilg". The system cannot find the path specified
22:02: Warning: Failed to open file "c:\program files\\{6c72e14a-c1f3-45e5-8810-83ce3c19ed63}\setup.inx". The system cannot find the path specified
22:02: Warning: Failed to open file "c:\program files\\{3ed8d422-5658-41fa-ae3d-7107b26caab7}\data1.cab". The system cannot find the path specified
22:02: Warning: Failed to open file "c:\program files\\{82512bc9-bd5d-4c50-be4d-b98e7df78687}\data1.cab". The system cannot find the path specified
22:02: Warning: Failed to open file "c:\program files\\{3ed8d422-5658-41fa-ae3d-7107b26caab7}\data1.hdr". The system cannot find the path specified
22:03: Warning: Failed to open file "c:\program files\\{3ed8d422-5658-41fa-ae3d-7107b26caab7}\setup.exe". The system cannot find the path specified
22:03: Warning: Failed to open file "c:\program files\\{3ed8d422-5658-41fa-ae3d-7107b26caab7}\setup.inx". The system cannot find the path specified
22:03: Warning: Failed to open file "c:\program files\\{22b71a00-4ded-11d4-a5e5-0004ac564f43}\setup.ilg". The system cannot find the path specified
22:03: Warning: Failed to open file "c:\program files\\{22b71a00-4ded-11d4-a5e5-0004ac564f43}\data1.hdr". The system cannot find the path specified
22:03: Warning: Failed to open file "c:\program files\\{22b71a00-4ded-11d4-a5e5-0004ac564f43}\data1.cab". The system cannot find the path specified
22:03: Warning: Failed to open file "c:\program files\\{22b71a00-4ded-11d4-a5e5-0004ac564f43}\setup.exe". The system cannot find the path specified
22:03: Warning: Failed to open file "c:\program files\\{22b71a00-4ded-11d4-a5e5-0004ac564f43}\setup.inx". The system cannot find the path specified
22:06: Warning: Failed to open file "c:\program files\\{4fe92d2d-89ff-4e24-8a8f-b1956eacf704}\setup.exe". The system cannot find the path specified
22:06: Warning: Failed to open file "c:\program files\\{4fe92d2d-89ff-4e24-8a8f-b1956eacf704}\data1.cab". The system cannot find the path specified
22:07: Warning: Failed to open file "c:\windows\winsxs\policies\\6.0.10.0.policy". The system cannot find the file specified
22:07: Warning: Failed to open file "c:\windows\winsxs\policies\\1.0.10.0.policy". The system cannot find the file specified
22:07: Warning: Failed to open file "c:\program files\\{0bedbd4e-2d34-47b5-9973-57e62b29307c}\setup.exe". The system cannot find the path specified
22:12: Warning: Failed to open file "c:\program files\\{4fe92d2d-89ff-4e24-8a8f-b1956eacf704}\setup.inx". The system cannot find the path specified
22:13: Warning: Failed to open file "c:\documents and settings\geng\desktop\ssfsetup1_0.exe:zone.identifier". The system cannot find the file specified
22:13: Warning: Failed to open file "c:\documents and settings\geng\desktop\stuff.txt". The system cannot find the file specified
22:14: Found System Monitor: potentially rootkit-masked files
22:14: ca4lyppu. (ID = 0)
22:16: File Sweep Complete, Elapsed Time: 00:37:25
22:16: Full Sweep has completed. Elapsed time 00:42:15
22:16: Traces Found: 232
22:17: Removal process initiated
22:17: Quarantining All Traces: potentially rootkit-masked files
22:17: potentially rootkit-masked files is in use. It will be removed on reboot.
22:17: ca4lyppu. is in use. It will be removed on reboot.
22:17: Quarantining All Traces: adjuggler cookie
22:17: Quarantining All Traces: atlas dmt cookie
22:17: Quarantining All Traces: myaffiliateprogram.com cookie
22:17: Removal process completed. Elapsed time 00:00:09
22:18: Removal process initiated
22:18: Quarantining All Traces: cnsmin
22:18: cnsmin is in use. It will be removed on reboot.
22:18: clsid\{b83fc273-3522-4cc6-92ec-75cc86678da4}\ is in use. It will be removed on reboot.
22:18: clsid\{d157330a-9ef3-49f8-9a67-4141ac41add4}\ is in use. It will be removed on reboot.
22:18: cnshelper.ch.1\ is in use. It will be removed on reboot.
22:18: cnshelper.ch\ is in use. It will be removed on reboot.
22:18: HKLM: software\microsoft\windows\currentversion\explorer\browser helper objects\{d157330a-9ef3-49f8-9a67-4141ac41add4}\ is in use. It will be removed on reboot.
22:18: HKLM: system\currentcontrolset\services\cnsminkp\ is in use. It will be removed on reboot.
22:18: HKLM: system\currentcontrolset\services\cnsminkp\security\ is in use. It will be removed on reboot.
22:18: HKLM: system\currentcontrolset\services\cnsminkp\enum\ is in use. It will be removed on reboot.
22:18: cnshelper.ch\curver\ is in use. It will be removed on reboot.
22:18: cnshelper.ch.1\clsid\ is in use. It will be removed on reboot.
22:18: HKLM: software\classes\cnshelper.ch\ is in use. It will be removed on reboot.
22:18: HKLM: software\classes\cnshelper.ch.1\ is in use. It will be removed on reboot.
22:18: HKLM: software\classes\clsid\{b83fc273-3522-4cc6-92ec-75cc86678da4}\ is in use. It will be removed on reboot.
22:18: HKLM: software\classes\clsid\{d157330a-9ef3-49f8-9a67-4141ac41add4}\ is in use. It will be removed on reboot.
22:18: Warning: Launched explorer.exe
22:18: Warning: Quarantine process could not restart Explorer.
22:18: Removal process completed. Elapsed time 00:00:29
22:25: Processing Startup Alerts
22:25: Allowed Startup entry: vptray
22:25: Allowed Startup entry: ibmmessages
23:17: Processing Startup Alerts
23:17: Removed Startup entry: helper.dll
23:17: | End of Session, 2006年4月20日 |
********
20:48: | Start of Session, 2006年4月20日 |
20:48: Spy Sweeper started
20:48: Sweep initiated using definitions version 662
20:48: Starting Memory Sweep
20:48: Found Adware: cnsmin
20:48: Detected running threat: C:\WINDOWS\downlo~1\CnsHook.dll (ID = 53247)
20:48: Detected running threat: C:\WINDOWS\Downloaded Program Files\CnsMin.dll (ID = 53251)
20:48: Detected running threat: C:\WINDOWS\Downloaded Program Files\CnsMinIO.dll (ID = 53267)
20:48: Detected running threat: C:\WINDOWS\Downloaded Program Files\cnsio.dll (ID = 192138)
20:48: Detected running threat: C:\WINDOWS\Downloaded Program Files\CnsHook.dll (ID = 53247)
20:50: Detected running threat: C:\WINDOWS\Downloaded Program Files\cnshint.dll (ID = 239052)
20:50: Memory Sweep Complete, Elapsed Time: 00:02:59
20:50: Starting Registry Sweep
20:51: HKCR\adkiller.adkillerobj\ (5 subtraces) (ID = 106148)
20:51: HKCR\clsid\{9eb2b422-c9ee-46c4-a471-1e79c7517b1d}\ (21 subtraces) (ID = 106158)
20:51: HKCR\clsid\{141a5e19-bdcb-4e27-a3d7-9e16503bc05b}\ (11 subtraces) (ID = 106159)
20:51: HKCR\clsid\{abec6103-f6ac-43a3-834f-fb03fba339a2}\ (4 subtraces) (ID = 106162)
20:51: HKCR\clsid\{b83fc273-3522-4cc6-92ec-75cc86678da4}\ (25 subtraces) (ID = 106163)
20:51: HKCR\clsid\{d157330a-9ef3-49f8-9a67-4141ac41add4}\ (15 subtraces) (ID = 106166)
20:51: HKCR\cnshelper.ch.1\ (3 subtraces) (ID = 106168)
20:51: HKCR\cnshelper.ch\ (5 subtraces) (ID = 106169)
20:51: HKLM\software\classes\adkiller.adkillerobj\ (5 subtraces) (ID = 106184)
20:51: HKLM\software\classes\clsid\{9eb2b422-c9ee-46c4-a471-1e79c7517b1d}\ (21 subtraces) (ID = 106189)
20:51: HKLM\software\classes\clsid\{141a5e19-bdcb-4e27-a3d7-9e16503bc05b}\ (11 subtraces) (ID = 106190)
20:51: HKLM\software\classes\clsid\{abec6103-f6ac-43a3-834f-fb03fba339a2}\ (4 subtraces) (ID = 106192)
20:51: HKLM\software\classes\typelib\{7354662f-caa3-448b-bc01-04f55a2dca35}\ (9 subtraces) (ID = 106206)
20:51: HKLM\software\classes\typelib\{f97e75a4-0103-4f27-a752-327b600b1130}\ (9 subtraces) (ID = 106209)
20:51: HKLM\software\cnnic\ (ID = 106210)
20:51: HKLM\software\microsoft\internet explorer\advancedoptions\!cns\ (40 subtraces) (ID = 106213)
20:51: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{d157330a-9ef3-49f8-9a67-4141ac41add4}\ (1 subtraces) (ID = 106237)
20:51: HKLM\software\microsoft\windows\currentversion\run\ || cnsmin (ID = 106245)
20:51: HKLM\software\microsoft\windows\currentversion\uninstall\cnsmin\ (2 subtraces) (ID = 106251)
20:51: HKCR\typelib\{7354662f-caa3-448b-bc01-04f55a2dca35}\ (9 subtraces) (ID = 106261)
20:51: HKCR\typelib\{f97e75a4-0103-4f27-a752-327b600b1130}\ (9 subtraces) (ID = 106266)
20:51: HKLM\software\3721\ (4 subtraces) (ID = 872107)
20:51: HKLM\software\3721\cnsmin\ (3 subtraces) (ID = 872108)
20:51: HKLM\system\currentcontrolset\services\cnsminkp\ (19 subtraces) (ID = 872138)
20:51: HKLM\system\currentcontrolset\services\cnsminkp\security\ (1 subtraces) (ID = 872152)
20:51: HKLM\system\currentcontrolset\services\cnsminkp\enum\ (3 subtraces) (ID = 872154)
20:51: HKLM\software\microsoft\windows\currentversion\explorer\shellexecutehooks\ || {d157330a-9ef3-49f8-9a67-4141ac41add4} (ID = 958059)
20:51: HKCR\typelib\{f9ad9d67-efa8-480e-8291-0163f3960de7}\ (9 subtraces) (ID = 973025)
20:51: HKLM\software\classes\typelib\{f9ad9d67-efa8-480e-8291-0163f3960de7}\ (9 subtraces) (ID = 973117)
20:51: HKLM\software\classes\typelib\{f9ad9d67-efa8-480e-8291-0163f3960de7}\1.0\ (8 subtraces) (ID = 973118)
20:51: HKCR\adkiller.adkillerobj.1\ (3 subtraces) (ID = 1018466)
20:51: HKCR\fflash.flashobjectinterface\ (5 subtraces) (ID = 1018486)
20:51: HKCR\fflash.flashobjectinterface.1\ (3 subtraces) (ID = 1018492)
20:51: HKLM\software\classes\adkiller.adkillerobj.1\ (3 subtraces) (ID = 1018635)
20:51: HKLM\software\classes\fflash.flashobjectinterface\ (5 subtraces) (ID = 1018655)
20:51: HKLM\software\classes\fflash.flashobjectinterface.1\ (3 subtraces) (ID = 1018661)
20:51: HKLM\system\currentcontrolset\services\cnsminkp\enum\ || count (ID = 1018678)
20:51: HKLM\system\currentcontrolset\services\cnsminkp\enum\ || nextinstance (ID = 1018679)
20:51: HKCR\cnshelper.ch\curver\ (1 subtraces) (ID = 1041849)
20:51: HKCR\cnshelper.ch.1\clsid\ (1 subtraces) (ID = 1041853)
20:51: HKLM\software\classes\cnshelper.ch\ (5 subtraces) (ID = 1041942)
20:51: HKLM\software\classes\cnshelper.ch.1\ (3 subtraces) (ID = 1041948)
20:51: HKLM\software\classes\clsid\{b83fc273-3522-4cc6-92ec-75cc86678da4}\ (25 subtraces) (ID = 1041952)
20:51: HKLM\system\currentcontrolset\services\cnsminkp\enum\ || 0 (ID = 1047525)
20:51: HKLM\system\currentcontrolset\enum\root\legacy_cnsminkp\ (10 subtraces) (ID = 1147491)
20:51: HKLM\software\classes\clsid\{d157330a-9ef3-49f8-9a67-4141ac41add4}\ (15 subtraces) (ID = 1240267)
20:51: HKU\S-1-5-21-1612712036-2320844081-1803406932-1005\software\3721\ (5 subtraces) (ID = 106182)
20:51: HKU\S-1-5-21-1612712036-2320844081-1803406932-1005\software\microsoft\internet explorer\main\ || cnsautoupdate (ID = 106221)
20:51: HKU\S-1-5-21-1612712036-2320844081-1803406932-1005\software\microsoft\internet explorer\main\ || cnsenable (ID = 106222)
20:51: HKU\S-1-5-21-1612712036-2320844081-1803406932-1005\software\microsoft\internet explorer\main\ || cnshint (ID = 106223)
20:51: HKU\S-1-5-21-1612712036-2320844081-1803406932-1005\software\microsoft\internet explorer\main\ || cnslist (ID = 106224)
20:51: HKU\S-1-5-21-1612712036-2320844081-1803406932-1005\software\microsoft\internet explorer\main\ || cnsmenu (ID = 106225)
20:51: HKU\S-1-5-21-1612712036-2320844081-1803406932-1005\software\microsoft\internet explorer\main\ || cnsreset (ID = 106226)
20:51: HKU\S-1-5-21-1612712036-2320844081-1803406932-1005\software\microsoft\internet explorer\extensions\cmdmapping\ || {5d73ee86-05f1-49ed-b850-e423120ec338} (ID = 1032318)
20:51: Registry Sweep Complete, Elapsed Time:00:00:11
20:51: Starting Cookie Sweep
20:51: Found Spy Cookie: adjuggler cookie
20:51: [email]geng@rotator.adjuggler[1].txt[/email] (ID = 2071)
20:51: Found Spy Cookie: myaffiliateprogram.com cookie
20:51: [email]geng@www.myaffiliateprogram[2].txt[/email] (ID = 3032)
20:51: Cookie Sweep Complete, Elapsed Time: 00:00:00
20:51: Starting File Sweep
20:51: c:\windows\downloaded program files\3721 (3 subtraces) (ID = -2147469211)
20:51: c:\program files\3721 (1 subtraces) (ID = -2147481237)
20:51: cnsminio.dll (ID = 53267)
20:51: Warning: Failed to open file "c:\program files\\{2111b23f-7fda-4a41-8309-e5a1663ca296}\setup.exe". The system cannot find the path specified
20:51: Warning: Failed to open file "c:\program files\\{4fe92d2d-89ff-4e24-8a8f-b1956eacf704}\setup.ilg". The system cannot find the path specified
20:51: cnshook.dll (ID = 53247)
20:51: cns1.exe (ID = 53246)
20:51: cnsmindt.dll (ID = 53261)
20:53: cnsminex.cab (ID = 53262)
20:53: cns.exe (ID = 53246)
20:53: cnsio.dll (ID = 192138)
20:54: Warning: Failed to open file "c:\documents and settings\geng\recent\¤y¤o§? - °?¤@.lnk". The filename, directory name, or volume label syntax is incorrect
20:56: Warning: Failed to open file "c:\windows\winsxs\policies\\1.0.10.0.cat". The system cannot find the file specified
20:56: Warning: Failed to open file "c:\program files\\{72806716-7088-41b2-8fa6-717a2a164dab}\setup.ilg". The system cannot find the path specified
20:57: Warning: Failed to open file "c:\program files\\{4fe92d2d-89ff-4e24-8a8f-b1956eacf704}\data1.hdr". The system cannot find the path specified
20:57: cns.dll (ID = 53245)
20:59: Warning: Failed to open file "c:\program files\\{91810afc-a4f8-4eba-a5aa-b198bbc81144}\setup.ilg". The system cannot find the path specified
20:59: Warning: Failed to open file "c:\program files\\{91810afc-a4f8-4eba-a5aa-b198bbc81144}\layout.bin". The system cannot find the path specified
20:59: Warning: Failed to open file "c:\program files\\{91810afc-a4f8-4eba-a5aa-b198bbc81144}\data1.hdr". The system cannot find the path specified
20:59: Warning: Failed to open file "c:\program files\\{91810afc-a4f8-4eba-a5aa-b198bbc81144}\data1.cab". The system cannot find the path specified
20:59: Warning: Failed to open file "c:\program files\\{91810afc-a4f8-4eba-a5aa-b198bbc81144}\setup.exe". The system cannot find the path specified
20:59: Warning: Failed to open file "c:\program files\\{91810afc-a4f8-4eba-a5aa-b198bbc81144}\setup.inx". The system cannot find the path specified
20:59: Warning: Failed to open file "c:\program files\\{91810afc-a4f8-4eba-a5aa-b198bbc81144}\icon.bmp". The system cannot find the path specified
20:59: Warning: Failed to open file "c:\program files\\{2111b23f-7fda-4a41-8309-e5a1663ca296}\data1.hdr". The system cannot find the path specified
20:59: Warning: Failed to open file "c:\windows\winsxs\policies\\7.0.2600.2180.policy". The system cannot find the file specified
20:59: Warning: Failed to open file "c:\program files\\{72806716-7088-41b2-8fa6-717a2a164dab}\data1.hdr". The system cannot find the path specified
20:59: Warning: Failed to open file "c:\program files\\{2111b23f-7fda-4a41-8309-e5a1663ca296}\setup.ilg". The system cannot find the path specified
20:59: Warning: Failed to open file "c:\program files\\{2111b23f-7fda-4a41-8309-e5a1663ca296}\setup.inx". The system cannot find the path specified
21:00: Warning: Failed to open file "c:\program files\\{72806716-7088-41b2-8fa6-717a2a164dab}\setup.inx". The system cannot find the path specified
21:01: Warning: Failed to open file "c:\windows\winsxs\policies\\7.0.10.0.policy". The system cannot find the file specified
21:01: Warning: Failed to open file "c:\windows\winsxs\policies\\7.0.10.0.cat". The system cannot find the file specified
21:01: Warning: Failed to open file "c:\windows\winsxs\\msvcirt.dll". The system cannot find the file specified
21:01: Warning: Failed to open file "c:\windows\winsxs\\msvcrt.dll". The system cannot find the file specified
21:01: Warning: Failed to open file "c:\windows\winsxs\policies\\6.0.10.0.cat". The system cannot find the file specified
21:01: Warning: Failed to open file "c:\windows\winsxs\\msvcirt.dll". The system cannot find the file specified
21:01: Warning: Failed to open file "c:\windows\winsxs\\msvcrt.dll". The system cannot find the file specified
21:01: Warning: Failed to open file "c:\program files\\{9b94be6f-7ca3-4c40-a266-62667ff746cc}\data1.hdr". The system cannot find the path specified
21:04: Warning: Failed to open file "c:\program files\\{72806716-7088-41b2-8fa6-717a2a164dab}\setup.exe". The system cannot find the path specified
21:04: Warning: Failed to open file "c:\program files\\{ea664480-3844-11d5-8c25-444553540000}\data1.cab". The system cannot find the path specified
21:04: Warning: Failed to open file "c:\program files\\{82512bc9-bd5d-4c50-be4d-b98e7df78687}\setup.exe". The system cannot find the path specified
21:04: Warning: Failed to open file "c:\program files\\{9b94be6f-7ca3-4c40-a266-62667ff746cc}\setup.exe". The system cannot find the path specified
21:05: Warning: Failed to open file "c:\program files\\{3f92abbb-6bbf-11d5-b229-002078017fbf}\data1.cab". The system cannot find the path specified
21:05: Warning: Failed to open file "c:\program files\\{4fe92d2d-89ff-4e24-8a8f-b1956eacf704}\_setup.dll". The system cannot find the path specified
21:05: cnsmindt.cab (ID = 53260)
21:05: cnsminex.dll (ID = 53263)
21:06: cnshint.dll (ID = 239052)
21:06: cns02.dat (ID = 180455)
21:06: cnsmin.dll (ID = 53251)
21:07: Warning: Failed to open file "c:\program files\\{9b94be6f-7ca3-4c40-a266-62667ff746cc}\setup.inx". The system cannot find the path specified
21:07: Warning: Failed to open file "c:\program files\\{9b94be6f-7ca3-4c40-a266-62667ff746cc}\data1.cab". The system cannot find the path specified
21:07: Warning: Failed to open file "c:\program files\\{9fac9e5c-0d20-4dbf-afe5-2e09c52a95a2}\data1.cab". The system cannot find the path specified
21:07: Warning: Failed to open file "c:\windows\winsxs\policies\\1.0.2600.2180.cat". The system cannot find the file specified
21:07: Warning: Failed to open file "c:\windows\winsxs\policies\\6.0.2600.2180.cat". The system cannot find the file specified
21:07: Warning: Failed to open file "c:\windows\winsxs\policies\\7.0.2600.2180.cat". The system cannot find the file specified
21:07: Warning: Failed to open file "c:\program files\\{0bedbd4e-2d34-47b5-9973-57e62b29307c}\setup.ilg". The system cannot find the path specified
21:08: Warning: Failed to open file "c:\program files\\{e646dcf0-5a68-11d5-b229-002078017fbf}\data1.cab". The system cannot find the path specified
21:08: Warning: Failed to open file "c:\program files\\{82512bc9-bd5d-4c50-be4d-b98e7df78687}\data1.hdr". The system cannot find the path specified
21:08: Warning: Failed to open file "c:\program files\\{ea664480-3844-11d5-8c25-444553540000}\setup.ilg". The system cannot find the path specified
21:08: Warning: Failed to open file "c:\program files\\{ea664480-3844-11d5-8c25-444553540000}\data1.hdr". The system cannot find the path specified
21:08: Warning: Failed to open file "c:\program files\\{9fac9e5c-0d20-4dbf-afe5-2e09c52a95a2}\data1.hdr". The system cannot find the path specified
21:08: Warning: Failed to open file "c:\program files\\{e646dcf0-5a68-11d5-b229-002078017fbf}\setup.ilg". The system cannot find the path specified
21:08: Warning: Failed to open file "c:\program files\\{3f92abbb-6bbf-11d5-b229-002078017fbf}\data1.hdr". The system cannot find the path specified
21:08: Warning: Failed to open file "c:\program files\\{e646dcf0-5a68-11d5-b229-002078017fbf}\data1.hdr". The system cannot find the path specified
21:08: Warning: Failed to open file "c:\program files\\{3ea9d975-bfdc-4e8e-b88b-0446fbc8ca66}\data1.hdr". The system cannot find the path specified
21:08: Warning: Failed to open file "c:\program files\\{0bedbd4e-2d34-47b5-9973-57e62b29307c}\data1.hdr". The system cannot find the path specified
21:08: Warning: Failed to open file "c:\program files\\{9fac9e5c-0d20-4dbf-afe5-2e09c52a95a2}\setup.ilg". The system cannot find the path specified
21:08: Warning: Failed to open file "c:\program files\\{82512bc9-bd5d-4c50-be4d-b98e7df78687}\setup.inx". The system cannot find the path specified
21:08: Warning: Failed to open file "c:\program files\\{82512bc9-bd5d-4c50-be4d-b98e7df78687}\setup.ilg". The system cannot find the path specified
21:08: Warning: Failed to open file "c:\program files\\{ea664480-3844-11d5-8c25-444553540000}\setup.exe". The system cannot find the path specified
21:08: Warning: Failed to open file "c:\program files\\{ea664480-3844-11d5-8c25-444553540000}\setup.inx". The system cannot find the path specified
21:08: Warning: Failed to open file "c:\program files\\{9fac9e5c-0d20-4dbf-afe5-2e09c52a95a2}\setup.exe". The system cannot find the path specified
21:08: Warning: Failed to open file "c:\program files\\{9fac9e5c-0d20-4dbf-afe5-2e09c52a95a2}\setup.inx". The system cannot find the path specified
21:09: Warning: Failed to open file "c:\program files\\{3f92abbb-6bbf-11d5-b229-002078017fbf}\setup.ilg". The system cannot find the path specified
21:09: Warning: Failed to open file "c:\program files\\{3f92abbb-6bbf-11d5-b229-002078017fbf}\setup.exe". The system cannot find the path specified
21:09: Warning: Failed to open file "c:\program files\\{3f92abbb-6bbf-11d5-b229-002078017fbf}\setup.inx". The system cannot find the path specified
21:09: Warning: Failed to open file "c:\program files\\{e646dcf0-5a68-11d5-b229-002078017fbf}\setup.exe". The system cannot find the path specified
21:09: Warning: Failed to open file "c:\program files\\{e646dcf0-5a68-11d5-b229-002078017fbf}\setup.inx". The system cannot find the path specified
21:09: Warning: Failed to open file "c:\program files\\{3ea9d975-bfdc-4e8e-b88b-0446fbc8ca66}\setup.ilg". The system cannot find the path specified
21:09: Warning: Failed to open file "c:\program files\\{3ea9d975-bfdc-4e8e-b88b-0446fbc8ca66}\data1.cab". The system cannot find the path specified
21:09: Warning: Failed to open file "c:\program files\\{3ea9d975-bfdc-4e8e-b88b-0446fbc8ca66}\setup.exe". The system cannot find the path specified
21:09: Warning: Failed to open file "c:\program files\\{3ea9d975-bfdc-4e8e-b88b-0446fbc8ca66}\setup.inx". The system cannot find the path specified
21:09: Warning: Failed to open file "c:\program files\\{0bedbd4e-2d34-47b5-9973-57e62b29307c}\data1.cab". The system cannot find the path specified
21:09: Warning: Failed to open file "c:\program files\\{0bedbd4e-2d34-47b5-9973-57e62b29307c}\setup.inx". The system cannot find the path specified
21:09: Warning: Failed to open file "c:\program files\\{74574620-fe6e-11d2-aa9b-b732b9de0c29}\data1.hdr". The system cannot find the path specified
21:09: Warning: Failed to open file "c:\program files\\{2111b23f-7fda-4a41-8309-e5a1663ca296}\data1.cab". The system cannot find the path specified
21:09: Warning: Failed to open file "c:\program files\\{72806716-7088-41b2-8fa6-717a2a164dab}\data1.cab". The system cannot find the path specified
21:09: Warning: Failed to open file "c:\program files\\{74574620-fe6e-11d2-aa9b-b732b9de0c29}\data1.cab". The system cannot find the path specified
21:09: Warning: Failed to open file "c:\program files\\{74574620-fe6e-11d2-aa9b-b732b9de0c29}\setup.exe". The system cannot find the path specified
21:09: Warning: Failed to open file "c:\program files\\{74574620-fe6e-11d2-aa9b-b732b9de0c29}\setup.inx". The system cannot find the path specified
21:10: Warning: Failed to open file "c:\program files\\{6c72e14a-c1f3-45e5-8810-83ce3c19ed63}\setup.ilg". The system cannot find the path specified
21:10: Warning: Failed to open file "c:\program files\\{6c72e14a-c1f3-45e5-8810-83ce3c19ed63}\setup.inx". The system cannot find the path specified
21:10: Warning: Failed to open file "c:\program files\\{3ed8d422-5658-41fa-ae3d-7107b26caab7}\data1.cab". The system cannot find the path specified
21:10: Warning: Failed to open file "c:\program files\\{82512bc9-bd5d-4c50-be4d-b98e7df78687}\data1.cab". The system cannot find the path specified
21:10: Warning: Failed to open file "c:\program files\\{3ed8d422-5658-41fa-ae3d-7107b26caab7}\data1.hdr". The system cannot find the path specified
21:10: Warning: Failed to open file "c:\program files\\{3ed8d422-5658-41fa-ae3d-7107b26caab7}\setup.exe". The system cannot find the path specified
21:10: Warning: Failed to open file "c:\program files\\{3ed8d422-5658-41fa-ae3d-7107b26caab7}\setup.inx". The system cannot find the path specified
21:11: Warning: Failed to open file "c:\program files\\{22b71a00-4ded-11d4-a5e5-0004ac564f43}\setup.ilg". The system cannot find the path specified
21:11: Warning: Failed to open file "c:\program files\\{22b71a00-4ded-11d4-a5e5-0004ac564f43}\data1.hdr". The system cannot find the path specified
21:11: Warning: Failed to open file "c:\program files\\{22b71a00-4ded-11d4-a5e5-0004ac564f43}\data1.cab". The system cannot find the path specified
21:11: Warning: Failed to open file "c:\program files\\{22b71a00-4ded-11d4-a5e5-0004ac564f43}\setup.exe". The system cannot find the path specified
21:11: Warning: Failed to open file "c:\program files\\{22b71a00-4ded-11d4-a5e5-0004ac564f43}\setup.inx". The system cannot find the path specified
21:12: cnsminex.ini (ID = 53264)
21:14: Warning: Failed to open file "c:\program files\\{4fe92d2d-89ff-4e24-8a8f-b1956eacf704}\setup.exe". The system cannot find the path specified
21:14: Warning: Failed to open file "c:\program files\\{4fe92d2d-89ff-4e24-8a8f-b1956eacf704}\data1.cab". The system cannot find the path specified
21:14: cnsmincg.ini (ID = 53257)
21:15: Warning: Failed to open file "c:\windows\winsxs\policies\\6.0.10.0.policy". The system cannot find the file specified
21:15: Warning: Failed to open file "c:\windows\winsxs\policies\\1.0.10.0.policy". The system cannot find the file specified
21:15: Warning: Failed to open file "c:\program files\\{0bedbd4e-2d34-47b5-9973-57e62b29307c}\setup.exe". The system cannot find the path specified
21:19: Warning: Failed to open file "c:\program files\\{4fe92d2d-89ff-4e24-8a8f-b1956eacf704}\setup.inx". The system cannot find the path specified
21:20: cnsmin.ini (ID = 53255)
21:21: File Sweep Complete, Elapsed Time: 00:30:22
21:21: Full Sweep has completed. Elapsed time 00:33:37
21:21: Traces Found: 436
21:21: Removal process initiated
21:24: Quarantining All Traces: cnsmin
21:24: cnsmin is in use. It will be removed on reboot.
21:24: c:\program files\3721 is in use. It will be removed on reboot.
21:24: cnsminio.dll is in use. It will be removed on reboot.
21:24: cnsio.dll is in use. It will be removed on reboot.
21:24: cnshint.dll is in use. It will be removed on reboot.
21:24: clsid\{b83fc273-3522-4cc6-92ec-75cc86678da4}\ is in use. It will be removed on reboot.
21:24: clsid\{d157330a-9ef3-49f8-9a67-4141ac41add4}\ is in use. It will be removed on reboot.
21:24: cnshelper.ch.1\ is in use. It will be removed on reboot.
21:24: cnshelper.ch\ is in use. It will be removed on reboot.
21:24: HKLM: software\microsoft\windows\currentversion\explorer\browser helper objects\{d157330a-9ef3-49f8-9a67-4141ac41add4}\ is in use. It will be removed on reboot.
21:24: HKLM: system\currentcontrolset\services\cnsminkp\ is in use. It will be removed on reboot.
21:24: HKLM: system\currentcontrolset\services\cnsminkp\security\ is in use. It will be removed on reboot.
21:24: HKLM: system\currentcontrolset\services\cnsminkp\enum\ is in use. It will be removed on reboot.
21:24: cnshelper.ch\curver\ is in use. It will be removed on reboot.
21:24: cnshelper.ch.1\clsid\ is in use. It will be removed on reboot.
21:24: HKLM: software\classes\cnshelper.ch\ is in use. It will be removed on reboot.
21:24: HKLM: software\classes\cnshelper.ch.1\ is in use. It will be removed on reboot.
21:24: HKLM: software\classes\clsid\{b83fc273-3522-4cc6-92ec-75cc86678da4}\ is in use. It will be removed on reboot.
21:24: HKLM: software\classes\clsid\{d157330a-9ef3-49f8-9a67-4141ac41add4}\ is in use. It will be removed on reboot.
21:24: Quarantining All Traces: adjuggler cookie
21:24: Quarantining All Traces: myaffiliateprogram.com cookie
21:24: Warning: Launched explorer.exe
21:24: Warning: Quarantine process could not restart Explorer.
21:24: Preparing to restart your computer. Please wait...
21:24: Removal process completed. Elapsed time 00:02:47
21:28: Processing Startup Alerts
21:28: Allowed Startup entry: ibmmessages
21:33: Memory Shield: Found: Memory-resident threat cnsmin, version 1.0.0.0
21:33: Detected running threat: cnsmin
21:34: | End of Session, 2006年4月20日 |
********
20:46: | Start of Session, 2006年4月20日 |
20:46: Spy Sweeper started
20:47: Your spyware definitions have been updated.
20:47: Updating spyware definitions
20:47: Your definitions are up to date.
20:48: | End of Session, 2006年4月20日 |

0

Just downloaded spypot and scanned my system. It also found Cnsmin and said would remove on reboot, but could not remove.

I noticed also when starting in safe mode that

Windows\System32\Drivers\CnsminKP.sys

shows up in the list of programs run during startup. I think this is probably why I cannot delete the file using killbox even in safe mode, which I have tried again.

Ewido is still giving the Cnshook file error.

Spy Sweeper will occasionally pop up a warning saying:

csnmin was detected running in memory

Description: CnsMin is an IE Browser Helper Object that may hijack address-bar searches and replaces the IE search feature with a site written in Chinese.

It then asks if I want to run a sweep to remove, but still will not remove.

Is there any one to remove the Cnsmin/Cnshook files? Thank you.

0

Is there Any "way" to remove these two files. Wrong word, apologies.

0

Ok, in safe mode. Press Control + Alt + Delete. Then select the processes tab. Find, any or all of the following.

Cnshook

Cnsmin

And click End Process, you should then be able to delete the files.

0

Ahhh good. I've done some researching, and from what I read, Adaware should be able to remove it. However, this info was posted yesterday, so I'm not completely certain of it just yet--as the required update is not avaiable for automatic update yet. What ya need to do is install Adaware, and then also install an update manually.

Let's try this.

Download Adaware, and update definitions.

Then, after this, install this update: http://updates.ls-servers.com/public/defs.zip

After that, run a full scan, and when done, restart the computer.

Next, run HJT and post a new log.

Thanks.

0

1. I started in safe mode, opened the Windows Task Manger, and went to the process tab, but there is nothing running

Cnshook

Cnsmin

so nothing to delete.

2. I downloaded adaware again and also went to the link to download the update, but it seems the zip file does not contain an update, as nothing is "runnable" in the folder when i extract it. Adaware was still unable to delete the files on startup as ewido detects it right on start up.

below is the HJT log. Thank you very much.

Logfile of HijackThis v1.99.1
Scan saved at 0:07:49, on 2006-4-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\LogWatNT.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\Net Transport\NTIEHelper.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\CnsHook.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [iPod USB Service] iPODService.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomsg (file missing)
O11 - Options group: [!CNS] Chinese keywords
O11 - Options group: [JAVA_IBM] Java (IBM)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

0

Hmm, I dunno if we've tried this already, but have ya tried running SpySweeper in safe mode?

If not, let's try that.
If so, post back and we'll work from there.

Thanks.

0

I just scanned with spy sweeper in safe mode, still was not able to get ride of the cnsmin and cnshook files. Thank you.

0

Ok, more researching done by I.

Here's what I found--wouldn't hurt to try it out:

In Windows NT/2000/XP it is possible to move the files so that they cannot be reloaded. Open the Command prompt (Start -> Programs -> Accessories) and type:

cd "%WinDir%\Downloaded Program Files"
ren CnsMin.dll CnsDel.dll

Reboot and load the Command prompt again. Type:

cd "%WinDir%\Downloaded Program Files"
del cns*.*

The first time you reboot after deleting or moving CnsMin you'll get an error about not being able to find it. Ignore this. To clean up the remaining traces of the software that cause this, open the registry (Start -> Run -> regedit) and delete the following keys:

HKEY_CLASSES_ROOT\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}
HKEY_CLASSES_ROOT\CLSID\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}
HKEY_CLASSES_ROOT\CnsHelper.CH
HKEY_CLASSES_ROOT\CnsHelper.CH.1
HKEY_CLASSES_ROOT\CnsMinHK.CnsHook
HKEY_CLASSES_ROOT\CnsMinHK.CnsHook.1
HKEY_CURRENT_USER\Software\3721
HKEY_LOCAL_MACHINE\Software\3721
HKEY_LOCAL_MACHINE\Software\InterChina
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AdvancedOptions\!CNS
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{5D73EE86-05F1-49ed-B850-E423120EC338}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{ECF2E268-F28C-48d2-9AB7-8F69C11CCB71}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{FD00D911-7529-4084-9946-A29F1BDF4FE5}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\CnsMin
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\CnsMin

After tryin this out, post back and tell us youre status, along with a new HJT log.

Thanks.

0

I downloaded a program called XCleaner and I believe that it was able to remove the Cnsmin/Cnshook files as they do not appear in warnings from AVG or Ewido. However I'm still getting hackroot.rootkit errors from symantec. Below is the HJT log. Thank you. Norton is the only antivirus that gives me this hackroot.rootkit error.

Logfile of HijackThis v1.99.1
Scan saved at 14:23:18, on 2006-5-1
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\LogWatNT.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\PPLive TV\PPPlayer.exe
C:\Program Files\Common Files\Synacast\SynaLive\PE.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\Net Transport\NTIEHelper.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKLM\..\RunServices: [iPod USB Service] iPODService.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomsg (file missing)
O11 - Options group: [JAVA_IBM] Java (IBM)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

0

Hmm, I don't see anything in the log but this. Fix the following:

O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.htm...s&btn=yahoomsg (file missing)

And since some different things happened, lets try this again for the heck of it.

Copy this advise to a Notepad file. Save it to your desktop. We will use it later.

1) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

2) Once in Safe Mode, please run Killbox.

3) Select "delete on reboot" and put a check in the "unregister dll.

4) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\Downloaded Program Files\CnsHook.dll
C:\WINDOWS\Downloaded Program Files\CnsMin.dll
C:\WINDOWS\Downloaded Program Files\CnsMinIO.dll
C:\WINDOWS\Downloaded Program Files\cnsio.dll
C:\WINDOWS\Downloaded Program Files\CnsHook.dll
C:\WINDOWS\Downloaded Program Files\cnshint.dll

5) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

6) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again..

Let the system reboot.

Post back after that.

Thanks.

0

I scanned with HJT and removed the

O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.htm...s&btn=yahoomsg (file missing)

Reboted in safe mode, didn't find the CnsHook or CnsMin files. I believe they are gone.

The only issue is that Symantec, and Symantec only still gives me the hacktool.rootkit message. All other issues seems to have been resolved. Thank you.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.