Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances

I need your help: infection of ebloc<<VX2>>

 
vivianhan
Newbie


Joined: 01 Apr 2005
Last Visit: 08 Apr 2005
Posts: 4

PostPosted: Fri Apr 01, 2005 6:49 am    Post subject: I need your help: infection of ebloc<<VX2>>

I'm more than happy to find your site. I appreciate your help.
Since yesterday, my computer has automatically logged on to some websites unceasingly. After I turned to Google I found it's the ebloc site, and it asked me to install the spyware every several minutes. I didn't click any button on its site, ran Norton in safe mode, and removed some viruses in the regedit, but after all that I didn't resolve this problem. It's been non-stop. The following is my logfile checked by HijackThis. I'm eager for your reply and waiting for your help online. By the way, I'm Chinese; the time stamp on the log is China Beijing time. Thanks again.


Logfile of HijackThis v1.99.1
Scan saved at 22:25:23, on 2005-4-1
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
c:\windows\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
c:\windows\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\Program Files\norton\navapsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Program Files\kingsoft\XDICT.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\hijack\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

O1 - Hosts: m
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\norton\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: 使用影音传送带下载 - E:\Program Files\NetTransport 2\新建文件夹\NTAddLink.html
O8 - Extra context menu item: 使用影音传送带下载全部链接 - E:\Program Files\NetTransport 2\新建文件夹\NTAddList.html
O8 - Extra context menu item: 使用网际快车下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ自定义面板 - E:\Program Files\Tencent\qq\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - E:\Program Files\Tencent\qq\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - E:\Program Files\Tencent\qq\SendMMS.htm
O9 - Extra button: 信息检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: 词霸 - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - E:\PROGRA~1\skin\XDictExB.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\tcpipdogr0.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tcpipdogr0.dll
O14 - IERESET.INF: START_PAGE_URL=about:blank
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {DA984A6D-508E-11D6-AA49-0050FF3C628D} (Ravonline) - http://download.rising.com.cn/ravkill/rsonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B45BE28-D867-4C57-9DB5-89ECA672406A}: NameServer = 202.106.46.151 202.106.0.20
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - E:\PROGRA~1\skin\XDictExB.dll (file missing)
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\h8l20i3oe8.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus 自动防护服务 (navapsvc) - Symantec Corporation - E:\Program Files\norton\navapsvc.exe
O23 - Service: NuTCRACKERService - DataFocus, Inc. - C:\WINDOWS\System32\nutsrv4.exe
O23 - Service: PsShutdown (PsShutdownSvc) - Unknown owner - C:\WINDOWS\System32\PSSDNSVC.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


*****PLEASE DO NOT POST MORE THAN ONCE FOR YOUR PROBLEM. ALL OTHER POSTS WILL BE DELETED****TEMERC

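As an added illustration (not from the thread or from the HijackThis project), a small triage script that applies the checks a helper applies by eye to the indicator lines in the log above: hosts-file search redirects (O1), an unknown Winsock LSP (O10), a text/html MIME filter (O18) and a Winlogon Notify DLL with a generated-looking name (O20). The sample lines are a subset copied from that log; the name-randomness heuristic is my own assumption, not a HijackThis rule.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: nine lines copied from the HijackThis v1.99.1 log posted
# above (the full log has many more); the O3/O4/O23 lines are benign controls.
SAMPLE_HJT_LOG = """\
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\\program files\\google\\googletoolbar1.dll
O4 - HKLM\\..\\Run: [ccApp] C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\tcpipdogr0.dll
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\\WINDOWS\\isrvs\\mfiltis.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll
O20 - Winlogon Notify: App Management - C:\\WINDOWS\\system32\\h8l20i3oe8.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\\Program Files\\Common Files\\Symantec Shared\\ccEvtMgr.exe
"""

# First drive-letter path on the line that ends in a loadable module extension.
PATH_RE = re.compile(r'([A-Za-z]:\\.+?\.(?:dll|exe|ocx))\b', re.IGNORECASE)


def looks_random(stem: str) -> bool:
    """Heuristic (my assumption) for generated names such as h8l20i3oe8 or
    u0ru0a99ed: several digits mixed into letters, with a digit followed by a
    letter somewhere inside the name, so ole32 or office11 are not flagged."""
    digits = sum(c.isdigit() for c in stem)
    letters = sum(c.isalpha() for c in stem)
    return digits >= 3 and letters >= 3 and re.search(r'\d[a-z]', stem.lower()) is not None


def module_stem(line: str) -> Optional[str]:
    """Basename without extension of the module a HijackThis line points at."""
    m = PATH_RE.search(line)
    if not m:
        return None
    return m.group(1).rsplit('\\', 1)[-1].rsplit('.', 1)[0]


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (line, reason) pairs for the lines a helper would ask about."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(' - ', 1)[0]          # O1, O10, O18, O20, ...
        reasons = []
        if section == 'O1':
            reasons.append('hosts-file entry redirecting a search domain')
        elif section == 'O10' and 'Unknown file' in line:
            reasons.append('unrecognised Winsock LSP module (sees all socket traffic)')
        elif line.startswith('O18 - Filter: text/html'):
            reasons.append('MIME filter hooking every HTML page IE renders')
        elif section == 'O20':
            reasons.append('Winlogon Notify DLL (loaded by winlogon before the shell)')
        stem = module_stem(line)
        if stem and looks_random(stem):
            reasons.append(f'generated-looking module name {stem}')
        if reasons:
            findings.append((line, '; '.join(reasons)))
    return findings


if __name__ == '__main__':
    for line, reason in triage(SAMPLE_HJT_LOG):
        print(f'{reason}\n    {line}')
```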
Lobos
SWW Expert


Joined: 14 Jul 2004
Last Visit: 06 Aug 2005
Posts: 49
Location: California. USA

PostPosted: Sat Apr 02, 2005 11:22 pm

Hi vivianhan

Welcome to Spyware warrior


Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Lobos
_________________
If you found our help here worthwhile, and want to further the cause for others, and keep this site running Donate Here


vivianhan
Newbie


Joined: 01 Apr 2005
Last Visit: 08 Apr 2005
Posts: 4

PostPosted: Mon Apr 04, 2005 4:37 am

Thank you very much. The following is the log file, and the ebloc site keeps bugging me now. I hope for your reply.


L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IntlRun]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\u0ru0a99ed.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{B739E700-725B-A918-58B3-B43DB3F51099}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM 扫描仪管理"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM 监视器管理"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM 打印机管理"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="加密上下文菜单"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="公文包"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="字体"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC 配置文件"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="网络连接"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="网络连接"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="扫描仪和照相机"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="扫描仪和照相机"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="扫描仪和照相机"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="扫描仪和照相机"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="扫描仪和照相机"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Windows Script Host 的 Shell extensions"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft 数据链接"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="任务计划"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="任务栏和「开始」菜单"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="搜索"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="帮助和支持"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="帮助和支持"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="运行..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="电子邮件"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="字体"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="管理工具"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet 工具栏"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="下载状态"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="补充的外壳文件夹"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="补充的外壳文件夹 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="搜索区"
"{32683183-48a0-441b-a342-7c2a440a9478}"="媒体区"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="窗格中的搜索"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web 搜索"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="注册数目路选项实用程序"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="地址(&A)"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="地址 EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU 自动完成列表"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="自定义 MRU 自动完成列表"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="可访问的"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="跟踪弹出栏"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="地址条解析程序"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft 历史自动完成列表"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft 外壳文件夹自动完成列表"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft 多个自动完成列表容器"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="外壳 DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="外壳 DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="外壳 Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="用户帮助"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="全局文件夹设置"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History 服务"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="历史记录"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Internet 临时文件"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Internet 临时文件"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url 搜索挂接"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 套件初始屏幕"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="浏览器栏"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX 高速缓存文件夹"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="预订文件夹"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ 文件缩略图解压缩程序"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="摘要信息缩略图处理程序(DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML 缩略图的解压缩程序"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="网络出版向导"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="通过 Web 订购照片"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="外壳出版向导对象"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="获取 Passport 向导"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="用户帐户"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="频道文件"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="频道快捷方式"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="频道句柄对象"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="脱机文件夹"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="用户(&P)..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"="Adobe.Acrobat.ContextMenu"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{47B92A27-8252-420D-9630-378EF61434D7}"="PowerWord ExplorerBar"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{B4579AA5-E3A0-49A1-AC0B-5112AFBD215B}"="iSQL*Plus Servers"
"{6B19FEC2-A45B-11CF-9045-00A0C9039735}"="Registered ActiveX Controls"
"{D545EBD1-BD92-11CF-8772-00A0C9039735}"="Developer Studio Components"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{d1539480-f6cc-11ce-b60e-0000c04f79ba}"="MKS Icon Handler"
"{0DD1F413-BBD0-4EF8-9CC9-416A50496DA4}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0DD1F413-BBD0-4EF8-9CC9-416A50496DA4}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0DD1F413-BBD0-4EF8-9CC9-416A50496DA4}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0DD1F413-BBD0-4EF8-9CC9-416A50496DA4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0DD1F413-BBD0-4EF8-9CC9-416A50496DA4}\InprocServer32]
@="C:\\WINDOWS\\system32\\Pploader.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
akcore.dll Tue 2005-03-29 21:33:52 A.... 188,416 184.00 K
akrules.dll Tue 2005-03-29 21:34:08 A.... 110,592 108.00 K
akupd.dll Tue 2005-03-29 21:32:58 A.... 155,648 152.00 K
c8000i~1.dll Sat 2005-04-02 7:57:50 ..S.R 235,409 229.89 K
cns.dll Thu 2005-02-17 17:19:00 A.... 32,768 32.00 K
codecvt.dll Thu 2005-02-03 18:50:14 A.... 271,872 265.50 K
czrviddc.dll Sun 2005-04-03 9:45:20 ..S.R 235,218 229.70 K
en84l1~1.dll Sat 2005-04-02 17:59:34 ..S.R 235,409 229.89 K
fp0203~1.dll Wed 2005-03-30 20:15:38 ..S.R 233,695 228.21 K
glcards.dll Thu 2005-02-03 18:45:14 A.... 807,424 788.50 K
glcomp~1.dll Thu 2005-02-03 18:45:14 A.... 57,344 56.00 K
glgiftga.dll Thu 2005-02-03 18:45:14 A.... 32,768 32.00 K
gliedo~1.dll Thu 2005-02-03 18:45:14 A.... 106,496 104.00 K
gljpg.dll Thu 2005-02-03 18:45:14 A.... 94,208 92.00 K
glmpdll.dll Thu 2005-02-03 18:45:14 A.... 94,208 92.00 K
glmpeg.dll Thu 2005-02-03 18:45:14 A.... 57,344 56.00 K
glpng.dll Thu 2005-02-03 18:45:14 A.... 94,208 92.00 K
glsocks.dll Thu 2005-02-03 18:45:14 A.... 10,240 10.00 K
glzip.dll Thu 2005-02-03 18:45:12 A.... 69,632 68.00 K
h0n0la~1.dll Fri 2005-04-01 21:48:00 ..S.R 235,171 229.66 K
ir84l5~1.dll Thu 2005-03-31 19:53:52 ..... 235,101 229.59 K
j8p00i~1.dll Sun 2005-04-03 17:48:30 ..S.R 235,403 229.88 K
ltrhelp.dll Fri 2005-04-01 0:08:40 ..S.R 233,616 228.14 K
lvno09~1.dll Sat 2005-04-02 19:47:38 ..S.R 233,251 227.78 K
mshtml.dll Thu 2005-01-27 16:01:10 A.... 2,806,272 2.68 M
mwtask.dll Sun 2005-04-03 21:51:22 ..S.R 235,325 229.81 K
n66qlg~1.dll Thu 2005-03-31 21:59:56 A.... 235,182 229.67 K
nrlanui2.dll Sun 2005-04-03 17:48:30 ..S.R 235,325 229.81 K
ole32.dll Fri 2005-01-14 13:34:58 A.... 1,258,496 1.20 M
olecli32.dll Fri 2005-01-14 13:34:58 A.... 68,608 67.00 K
olecnv32.dll Fri 2005-01-14 13:34:58 A.... 35,328 34.50 K
pploader.dll Mon 2005-04-04 20:10:30 ..S.R 233,866 228.38 K
rpcss.dll Fri 2005-01-14 13:34:58 A.... 284,672 278.00 K
s6pulg~1.dll Mon 2005-04-04 20:10:30 ..S.R 235,842 230.31 K
sporder.dll Tue 2005-03-29 21:34:10 A.... 8,464 8.27 K
symneti.dll Fri 2005-01-21 22:31:54 A.... 513,752 501.71 K
symredir.dll Fri 2005-01-21 22:31:52 A.... 141,016 137.71 K
symstore.dll Fri 2005-01-21 21:30:58 A.... 124,168 121.26 K
u0ru0a~1.dll Mon 2005-04-04 19:45:56 ..S.R 233,866 228.38 K
ueeg.dll Sat 2005-04-02 19:47:38 ..S.R 232,892 227.43 K

40 items found: 40 files (14 H/S), 0 directories.
Total of file sizes: 11,178,515 bytes 10.66 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C is SYSTEM
Volume Serial Number is 38A6-47DE

Directory of C:\WINDOWS\System32

2005-04-04 20:10 233,866 Pploader.dll
2005-04-04 20:10 235,842 s6pulg7916.dll
2005-04-04 19:47 <DIR> dllcache
2005-04-04 19:45 233,866 u0ru0a99ed.dll
2005-04-03 21:51 235,325 mwtask.dll
2005-04-03 17:48 235,325 nrlanui2.dll
2005-04-03 17:48 235,403 j8p00i7me8.dll
2005-04-03 09:45 235,218 czrviddc.dll
2005-04-02 19:47 232,892 ueeg.dll
2005-04-02 19:47 233,251 lvno0953e.dll
2005-04-02 17:59 235,409 en84l1lq1.dll
2005-04-02 07:57 235,409 c8000idme80a0.dll
2005-04-01 21:47 235,171 h0n0la5m1d.dll
2005-04-01 00:08 233,616 ltrhelp.dll
2005-03-30 20:15 233,695 fp0203doe.dll
2004-03-31 16:51 32 {2A9CF478-B6F2-4F0F-868E-53CEDFA37C4C}.dat
2004-03-31 16:22 <DIR> Microsoft
2001-04-06 09:43 94,208 msstkprp.dll
16 File(s) 3,378,528 bytes
2 Dir(s) 1,291,370,496 bytes free
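An added illustration, not part of the thread or of L2MFix itself: a script that parses the find log above, pulls the DLL names out of the Winlogon Notify DllName and CLSID InprocServer32 values, and flags entries in the file listing that are either referenced by one of those load points or share the system+read-only, archive-clear attribute pattern and the narrow size band of the randomly named DLLs. The sample is a subset of that log; the attribute and size-band rules and the 8.3 short-name matching are my own assumptions about the format.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a subset of the L2MFix find log posted above
# (registry dump at the top, "Files Found" listing below).
SAMPLE_FIND_LOG = r"""
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IntlRun]
"DllName"="C:\\WINDOWS\\system32\\u0ru0a99ed.dll"

[HKEY_CLASSES_ROOT\CLSID\{0DD1F413-BBD0-4EF8-9CC9-416A50496DA4}\InprocServer32]
@="C:\\WINDOWS\\system32\\Pploader.dll"

Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
akcore.dll Tue 2005-03-29 21:33:52 A.... 188,416 184.00 K
c8000i~1.dll Sat 2005-04-02 7:57:50 ..S.R 235,409 229.89 K
czrviddc.dll Sun 2005-04-03 9:45:20 ..S.R 235,218 229.70 K
ir84l5~1.dll Thu 2005-03-31 19:53:52 ..... 235,101 229.59 K
mshtml.dll Thu 2005-01-27 16:01:10 A.... 2,806,272 2.68 M
pploader.dll Mon 2005-04-04 20:10:30 ..S.R 233,866 228.38 K
symneti.dll Fri 2005-01-21 22:31:54 A.... 513,752 501.71 K
u0ru0a~1.dll Mon 2005-04-04 19:45:56 ..S.R 233,866 228.38 K
ueeg.dll Sat 2005-04-02 19:47:38 ..S.R 232,892 227.43 K

40 items found: 40 files (14 H/S), 0 directories.
"""

# .reg export lines carrying a module path: "DllName"="..." or the key default @="..."
REG_VALUE_RE = re.compile(r'^(?:"DllName"|@)="(.+?)"$')
# name  Day  yyyy-mm-dd  h:mm:ss  attrs(5)  size
FILE_RE = re.compile(
    r'^(\S+)\s+\w{3}\s+\d{4}-\d{2}-\d{2}\s+\d{1,2}:\d{2}:\d{2}\s+([A-Z.]{5})\s+([\d,]+)\s')


def load_points(log: str) -> List[str]:
    """Lower-cased basenames of the DLLs named by the registry values above."""
    names = []
    for line in log.splitlines():
        m = REG_VALUE_RE.match(line.strip())
        if m:
            path = m.group(1).replace('\\\\', '\\')   # undo .reg escaping
            names.append(path.rsplit('\\', 1)[-1].lower())
    return names


def short_name_matches(listed: str, full: str) -> bool:
    """The listing prints 8.3 short names (u0ru0a~1.dll) while the registry
    holds the long name (u0ru0a99ed.dll); compare on the part before '~'."""
    listed, full = listed.lower(), full.lower()
    if '~' not in listed:
        return listed == full
    return full.startswith(listed.split('~', 1)[0])


def parse_files(log: str) -> List[Tuple[str, str, int]]:
    rows = []
    for line in log.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            name, attrs, size = m.groups()
            rows.append((name, attrs, int(size.replace(',', ''))))
    return rows


def hidden_pattern(attrs: str) -> bool:
    # System + read-only set, archive bit clear: 'dir' omits such files by default.
    return 'S' in attrs and 'R' in attrs and 'A' not in attrs


def triage(log: str) -> Dict[str, List[str]]:
    """Map each suspicious file name to the reasons it was flagged."""
    rows, points = parse_files(log), load_points(log)
    sizes = [size for _, attrs, size in rows if hidden_pattern(attrs)]
    band = (min(sizes), max(sizes)) if sizes else None
    findings: Dict[str, List[str]] = {}
    for name, attrs, size in rows:
        reasons = [f'referenced by a hijacked load point ({p})'
                   for p in points if short_name_matches(name, p)]
        if hidden_pattern(attrs):
            reasons.append('system+read-only with archive bit clear')
        elif band and band[0] <= size <= band[1]:
            reasons.append(f'size {size:,} inside the hidden-DLL band {band[0]:,}-{band[1]:,}')
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == '__main__':
    for name, reasons in triage(SAMPLE_FIND_LOG).items():
        print(name, '->', '; '.join(reasons))
```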
Lobos
SWW Expert


Joined: 14 Jul 2004
Last Visit: 06 Aug 2005
Posts: 49
Location: California. USA

PostPosted: Mon Apr 04, 2005 6:38 pm

OK, good job.

Now we need to do the next part of the fix.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log, and we'll clean up what's left.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!


Lobos
_________________
If you found our help here worthwhile, and want to further the cause for others, and keep this site running Donate Here


vivianhan
Newbie


Joined: 01 Apr 2005
Last Visit: 08 Apr 2005
Posts: 4

PostPosted: Tue Apr 05, 2005 4:18 am

Thanks for your help.


L2Mfix 1.03

Running From:
C:\Documents and Settings\ninianhan\桌面\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\ninianhan\桌面\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\ninianhan\桌面\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1028 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1216 'rundll32.exe'
Killing PID 1324 'rundll32.exe'
Error 0x6 : 句柄无效。

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\c8000idme80a0.dll
已复制 1 个文件。
Backing Up: C:\WINDOWS\system32\czrviddc.dll
已复制 1 个文件。
Backing Up: C:\WINDOWS\system32\dbprpres.dll
已复制 1 个文件。
Backing Up: C:\WINDOWS\system32\en84l1lq1.dll
已复制 1 个文件。
Backing Up: C:\WINDOWS\system32\fp0203doe.dll
已复制 1 个文件。
Backing Up: C:\WINDOWS\system32\h0n0la5m1d.dll
已复制 1 个文件。
Backing Up: C:\WINDOWS\system32\hrl8053ue.dll
已复制 1 个文件。
Backing Up: C:\WINDOWS\system32\ir84l5lq1.dll
已复制 1 个文件。
Backing Up: C:\WINDOWS\system32\j8p00i7me8.dll
已复制 1 个文件。
Backing Up: C:\WINDOWS\system32\kydazel.dll
已复制 1 个文件。
Backing Up: C:\WINDOWS\system32\ltrhelp.dll
已复制 1 个文件。
Backing Up: C:\WINDOWS\system32\lvno0953e.dll
已复制 1 个文件。
Backing Up: C:\WINDOWS\system32\mwtask.dll
已复制 1 个文件。
Backing Up: C:\WINDOWS\system32\n66qlgj516o.dll
已复制 1 个文件。
Backing Up: C:\WINDOWS\system32\nrlanui2.dll
已复制 1 个文件。
Backing Up: C:\WINDOWS\system32\ueeg.dll
已复制 1 个文件。
deleting: C:\WINDOWS\system32\c8000idme80a0.dll
Successfully Deleted: C:\WINDOWS\system32\c8000idme80a0.dll
deleting: C:\WINDOWS\system32\czrviddc.dll
Successfully Deleted: C:\WINDOWS\system32\czrviddc.dll
deleting: C:\WINDOWS\system32\dbprpres.dll
Successfully Deleted: C:\WINDOWS\system32\dbprpres.dll
deleting: C:\WINDOWS\system32\en84l1lq1.dll
Successfully Deleted: C:\WINDOWS\system32\en84l1lq1.dll
deleting: C:\WINDOWS\system32\fp0203doe.dll
Successfully Deleted: C:\WINDOWS\system32\fp0203doe.dll
deleting: C:\WINDOWS\system32\h0n0la5m1d.dll
Successfully Deleted: C:\WINDOWS\system32\h0n0la5m1d.dll
deleting: C:\WINDOWS\system32\hrl8053ue.dll
Successfully Deleted: C:\WINDOWS\system32\hrl8053ue.dll
deleting: C:\WINDOWS\system32\ir84l5lq1.dll
Successfully Deleted: C:\WINDOWS\system32\ir84l5lq1.dll
deleting: C:\WINDOWS\system32\j8p00i7me8.dll
Successfully Deleted: C:\WINDOWS\system32\j8p00i7me8.dll
deleting: C:\WINDOWS\system32\kydazel.dll
Successfully Deleted: C:\WINDOWS\system32\kydazel.dll
deleting: C:\WINDOWS\system32\ltrhelp.dll
Successfully Deleted: C:\WINDOWS\system32\ltrhelp.dll
deleting: C:\WINDOWS\system32\lvno0953e.dll
Successfully Deleted: C:\WINDOWS\system32\lvno0953e.dll
deleting: C:\WINDOWS\system32\mwtask.dll
Successfully Deleted: C:\WINDOWS\system32\mwtask.dll
deleting: C:\WINDOWS\system32\n66qlgj516o.dll
Successfully Deleted: C:\WINDOWS\system32\n66qlgj516o.dll
deleting: C:\WINDOWS\system32\nrlanui2.dll
Successfully Deleted: C:\WINDOWS\system32\nrlanui2.dll
deleting: C:\WINDOWS\system32\ueeg.dll
Successfully Deleted: C:\WINDOWS\system32\ueeg.dll


Zipping up files for submission:
adding: c8000idme80a0.dll (140 bytes security) (deflated 5%)
adding: czrviddc.dll (140 bytes security) (deflated 5%)
adding: dbprpres.dll (140 bytes security) (deflated 5%)
adding: en84l1lq1.dll (140 bytes security) (deflated 5%)
adding: fp0203doe.dll (140 bytes security) (deflated 4%)
adding: h0n0la5m1d.dll (140 bytes security) (deflated 5%)
adding: hrl8053ue.dll (140 bytes security) (deflated 4%)
adding: ir84l5lq1.dll (140 bytes security) (deflated 5%)
adding: j8p00i7me8.dll (140 bytes security) (deflated 5%)
adding: kydazel.dll (140 bytes security) (deflated 5%)
adding: ltrhelp.dll (140 bytes security) (deflated 4%)
adding: lvno0953e.dll (140 bytes security) (deflated 4%)
adding: mwtask.dll (140 bytes security) (deflated 5%)
adding: n66qlgj516o.dll (140 bytes security) (deflated 5%)
adding: nrlanui2.dll (140 bytes security) (deflated 5%)
adding: ueeg.dll (140 bytes security) (deflated 4%)
adding: clear.reg (140 bytes security) (deflated 22%)
adding: echo.reg (140 bytes security) (deflated 6%)
adding: direct.txt (140 bytes security) (stored 0%)
adding: lo2.txt (140 bytes security) (deflated 81%)
adding: readme.txt (140 bytes security) (deflated 49%)
adding: report.txt (140 bytes security) (deflated 60%)
adding: test.txt (140 bytes security) (deflated 76%)
adding: test2.txt (140 bytes security) (stored 0%)
adding: test3.txt (140 bytes security) (stored 0%)
adding: test5.txt (140 bytes security) (stored 0%)
adding: xfind.txt (140 bytes security) (deflated 70%)
adding: backregs/0DD1F413-BBD0-4EF8-9CC9-416A50496DA4.reg (140 bytes security) (deflated 70%)
adding: backregs/shell.reg (140 bytes security) (deflated 71%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: c8000idme80a0.dll
deleting local copy: czrviddc.dll
deleting local copy: dbprpres.dll
deleting local copy: en84l1lq1.dll
deleting local copy: fp0203doe.dll
deleting local copy: h0n0la5m1d.dll
deleting local copy: hrl8053ue.dll
deleting local copy: ir84l5lq1.dll
deleting local copy: j8p00i7me8.dll
deleting local copy: kydazel.dll
deleting local copy: ltrhelp.dll
deleting local copy: lvno0953e.dll
deleting local copy: mwtask.dll
deleting local copy: n66qlgj516o.dll
deleting local copy: nrlanui2.dll
deleting local copy: ueeg.dll

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\c8000idme80a0.dll
C:\WINDOWS\system32\czrviddc.dll
C:\WINDOWS\system32\dbprpres.dll
C:\WINDOWS\system32\en84l1lq1.dll
C:\WINDOWS\system32\fp0203doe.dll
C:\WINDOWS\system32\h0n0la5m1d.dll
C:\WINDOWS\system32\hrl8053ue.dll
C:\WINDOWS\system32\ir84l5lq1.dll
C:\WINDOWS\system32\j8p00i7me8.dll
C:\WINDOWS\system32\kydazel.dll
C:\WINDOWS\system32\ltrhelp.dll
C:\WINDOWS\system32\lvno0953e.dll
C:\WINDOWS\system32\mwtask.dll
C:\WINDOWS\system32\n66qlgj516o.dll
C:\WINDOWS\system32\nrlanui2.dll
C:\WINDOWS\system32\ueeg.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{0DD1F413-BBD0-4EF8-9CC9-416A50496DA4}"=-
[-HKEY_CLASSES_ROOT\CLSID\{0DD1F413-BBD0-4EF8-9CC9-416A50496DA4}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

The following is the HijackThis log after step 2:

Logfile of HijackThis v1.99.1
Scan saved at 20:17:13, on 2005-4-5
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
c:\windows\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\3721\assistse.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\conime.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\Program Files\norton\navapsvc.exe
c:\windows\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
e:\Program Files\Real\RealOne Player\realplay.exe
H:\hijack\HijackThis.exe

R3 - URLSearchHook: 上网助手 - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\PROGRA~1\3721\Assist\asbar.dll
O1 - Hosts: tatus.qckads.com
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\CnsHook.dll
O3 - Toolbar: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\norton\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: 上网助手 - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\PROGRA~1\3721\Assist\asbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKLM\..\Run: [assistse] "C:\PROGRA~1\3721\assistse.exe"
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: !搜一搜 - res://C:\WINDOWS\downlo~1\CnsMinEx.dll/1003
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: 使用影音传送带下载 - E:\Program Files\NetTransport 2\新建文件夹\NTAddLink.html
O8 - Extra context menu item: 使用影音传送带下载全部链接 - E:\Program Files\NetTransport 2\新建文件夹\NTAddList.html
O8 - Extra context menu item: 使用网际快车下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ自定义面板 - E:\Program Files\Tencent\qq\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - E:\Program Files\Tencent\qq\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - E:\Program Files\Tencent\qq\SendMMS.htm
O9 - Extra button: 手机短信 - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm (file missing)
O9 - Extra button: Yahoo 1G电邮 - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.mail.yahoo.com/promo/rd1 (file missing)
O9 - Extra button: 寻宝乐趣多 - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://hot.3721.com/rd/shop_btn.htm (file missing)
O9 - Extra button: 上网助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://assistant.3721.com/index.htm?fb=Cns (file missing)
O9 - Extra button: 信息检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: 词霸 - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - E:\PROGRA~1\skin\XDictExB.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: 修复浏览器 - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: 清理上网记录 - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\tcpipdogr0.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tcpipdogr0.dll
O11 - Options group: [!CNS] 上网助手-地址栏搜索
O14 - IERESET.INF: START_PAGE_URL=about:blank
O16 - DPF: {DA984A6D-508E-11D6-AA49-0050FF3C628D} (Ravonline) - http://download.rising.com.cn/ravkill/rsonline.cab
O16 - DPF: {DDA166FA-B3EA-4A3B-8EE2-4F552CDEEE81} (KATScan Control) - http://211.152.52.102/duba/antitrojan/update/OCX/KATScan.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B45BE28-D867-4C57-9DB5-89ECA672406A}: NameServer = 202.106.46.151 202.106.0.20
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - E:\PROGRA~1\skin\XDictExB.dll (file missing)
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus 自动防护服务 (navapsvc) - Symantec Corporation - E:\Program Files\norton\navapsvc.exe
O23 - Service: NuTCRACKERService - DataFocus, Inc. - C:\WINDOWS\System32\nutsrv4.exe
O23 - Service: PsShutdown (PsShutdownSvc) - Unknown owner - C:\WINDOWS\System32\PSSDNSVC.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Lobos
SWW Expert


Joined: 14 Jul 2004
Last Visit: 06 Aug 2005
Posts: 49
Location: California. USA

PostPosted: Tue Apr 05, 2005 1:49 pm    Post subject: Reply with quote

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\PROGRA~1\3721\assistse.exe

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:



Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):


R3 - URLSearchHook: 上网助手 - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\PROGRA~1\3721\Assist\asbar.dll
O1 - Hosts: tatus.qckads.com
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\CnsHook.dll
O3 - Toolbar: 上网助手 - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\PROGRA~1\3721\Assist\asbar.dll

O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKLM\..\Run: [assistse] "C:\PROGRA~1\3721\assistse.exe"
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32

O8 - Extra context menu item: !搜一搜 - res://C:\WINDOWS\downlo~1\CnsMinEx.dll/1003

O9 - Extra button: 手机短信 - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm (file missing)
O9 - Extra button: 寻宝乐趣多 - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://hot.3721.com/rd/shop_btn.htm (file missing)
O9 - Extra button: 上网助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://assistant.3721.com/index.htm?fb=Cns (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: 修复浏览器 - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: 清理上网记录 - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)

Delete the following files/folders (delete the folder if no filename is specified) according to their directory (if none, just do a search for them) if they exist:

C:\WINDOWS\downloaded Program files\CnsMinEx.dll << This file
C:\WINDOWS\downloaded program files\CnsMin.dll << This file
C:\PROGRAM FILES\3721 << This folder


Reboot in normal mode

Run HiJackThis again and post a new log in this thread.

Lobos
_________________
If you found our help here worthwhile, and want to further the cause for others, and keep this site running Donate Here
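A defender-side check for the "run HijackThis again and post a new log" step, as an added Python example that is not HijackThis's or the forum's own tooling: it parses the R/O lines of a HijackThis 1.99 log, normalises each to (section, CLSID, target) so case and the "(file missing)" suffix do not matter, reports which of the flagged entries survived the fix, and flags the doubled O10 Winsock LSP entry seen in the log above. The sample log lines are constructed from entries on this page.

```python
# Added example (not HijackThis's or the forum's own tooling): parse the
# "Rn - ..." / "On - ..." lines of a HijackThis 1.99 log, normalise each to
# (section, CLSID, target) and report which flagged entries survive a re-scan.
import re
from dataclasses import dataclass
from typing import List, Optional

ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

@dataclass(frozen=True)
class Entry:
    section: str          # "O4", "R3", ...
    clsid: Optional[str]  # upper-cased CLSID when the line carries one
    target: str           # file, URL or command the entry points at, lower-cased
    raw: str              # the original log line

    def key(self) -> tuple:
        return (self.section, self.clsid, self.target)

def _target(section: str, text: str) -> str:
    if section == "O4":                 # O4 - HKLM\..\Run: [name] <command>
        text = text.split("]", 1)[-1]
    elif " - " in text:                 # ... - {CLSID} - <path or URL>
        text = text.rsplit(" - ", 1)[-1]
    elif ": " in text:                  # O1 - Hosts: <host>, O10 - ... LSP: <dll>
        text = text.split(": ", 1)[-1]
    text = text.replace("(file missing)", "")   # the entry itself is still there
    return " ".join(text.split()).strip('"').lower()

def parse_log(log: str) -> List[Entry]:
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue                    # header, process list, blank lines
        section, text = m.groups()
        c = CLSID_RE.search(text)
        entries.append(Entry(section, c.group(0).upper() if c else None,
                             _target(section, text), line.strip()))
    return entries

def still_present(flagged_log: str, new_log: str) -> List[str]:
    """Flagged lines whose (section, CLSID, target) still appear in new_log."""
    present = {e.key() for e in parse_log(new_log)}
    return [e.raw for e in parse_log(flagged_log) if e.key() in present]

def duplicate_lsp_entries(log: str) -> List[str]:
    """O10 Winsock LSP targets listed more than once, as in the log above."""
    lsp = [e.target for e in parse_log(log) if e.section == "O10"]
    return sorted({t for t in lsp if lsp.count(t) > 1})

# Constructed sample: three lines from the helper's fix list, then a follow-up
# log in which the CnsMin Run entry survived and the LSP entry is doubled.
FLAGGED = r"""
R3 - URLSearchHook: 上网助手 - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\PROGRA~1\3721\Assist\asbar.dll
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
"""
AFTER = r"""
O4 - HKLM\..\Run: [CnsMin] rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32
O10 - Unknown file in Winsock LSP: c:\windows\system32\tcpipdogr0.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tcpipdogr0.dll
"""
```

Calling `still_present(FLAGGED, AFTER)` returns the one O4 CnsMin line that the fix did not remove, and `duplicate_lsp_entries(AFTER)` returns the doubled LSP DLL path.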


vivianhan
Newbie


Joined: 01 Apr 2005
Last Visit: 08 Apr 2005
Posts: 4

PostPosted: Fri Apr 08, 2005 7:44 am    Post subject: Reply with quote

I really appreciate your help. Since the other day I got something to do and had no time to be here, so I didn't reply to your help betimes. I'm so sorry; I'll do as you told me to at once and let you know if there's any problem.
All times are GMT - 8 Hours