10-18-2007   #1
albonicus
New Poster
Join Date: Oct 2007
Posts: 2
Please help, want to get rid of CDNUP.exe with HIGHJACK THIS

Hello,

I have recently been swamped with two pieces of malicious software:
1. Chinese Navigation (c:\program files\cnnic\cdn...)
2. Wazap China Plugin 1.2cn (c:\program files\wzcn)

So far, I have tried removing them. Right now, I'm using HijackThis. I have copied the logfile below. What should I do next? Your help would be greatly appreciated.
-albonicus

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:56:17, on 2007/10/18
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CNNIC\Cdn\cdnup.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\System32\tp4mon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OCINS\idnsvr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
10-19-2007   #2
Pancake
Senior Security Analyst
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 6,867
PC Experience: Elite PC Guru
Re: Please help, want to get rid of CDNUP.exe with HIGHJACK THIS

You are missing half the HJT log...

As you are not running Service Pack 2 yet, please save and run the download. It will copy the results to your clipboard. Will you copy and paste them back here, please?
http://go.microsoft.com/fwlink/?linkid=52012

====================
Please download ComboFix from HERE or HERE

Save ComboFix to the desktop.
1. Double-click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Copy and paste the contents of that log in your next reply with a new HijackThis log. Do not use Code or HTML unless asked for.
Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to stall/hang.
10-19-2007   #3
albonicus
New Poster
Join Date: Oct 2007
Posts: 2
Re: Please help, want to get rid of CDNUP.exe with HIGHJACK THIS

Pancake,

Thank you for your service. I have pasted the HJT logfile (hopefully the full version), and after that, I ran ComboFix. I have also pasted the ComboFix logfile below.

I tried MGADiagnostic but was not able to copy any information. I think ComboFix may have helped with deleting the cdnup.exe file (Chinese Navigation, c:\program files\cnnic\cdn...), but I still have the Wazap China Plugin 1.2cn (c:\program files\wzcn). What shall I do from here? Your help is greatly appreciated.
-albonicus

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:59:56, on 2007/10/18
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CNNIC\Cdn\cdnup.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\tp4mon.exe
C:\Program Files\OCINS\idnsvr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\42761.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = CNNIC搜索
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = CNNIC自定义搜索
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AdPopup - {11F09AFD-75AD-4E51-AB43-E09E9351CE16} - C:\Program Files\Common Files\CPUSH\cpush0.dll
O2 - BHO: CNNIC ??????Drag - {352E3B3A-CAB5-4DBC-B940-C7F84D0447D8} - C:\PROGRA~1\CNNIC\Cdn\cdndrag.dll
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O2 - BHO: IEAux Class - {7605CC7C-00FD-4A5F-BAFD-828342DE6279} - C:\PROGRA~1\OCINS\ieaux.dll
O2 - BHO: ff Class - {B9751A53-4494-4d7c-9732-AE3058D8145F} - C:\WINDOWS\System32\b421.dll
O2 - BHO: WZCNBHO Class - {D500885E-E400-41CA-804B-CD6373A7EEF2} - C:\Program Files\WZCN\cn_ie_wzcn.dll
O2 - BHO: WMHlprObj Class - {F5824EFB-728A-4726-A5A5-85A68B20EDC3} - C:\PROGRA~1\CNNIC\Cdn\wmhlpr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [upxdnd] C:\WINDOWS\upxdnd.exe
O4 - HKLM\..\Run: [yfkjdk22] %systemroot%\system32\Rundll32.exe "%systemroot%\system32\yfkjdk22.dll",Start
O4 - HKLM\..\Run: [nqbboo39] %systemroot%\system32\Rundll32.exe "%systemroot%\system32\nqbboo39.dll",DllCanUnloadNow
O4 - HKLM\..\Run: [IdnSvr] C:\Program Files\OCINS\idnsvr.exe
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O4 - HKLM\..\Run: [kjpwut19] %systemroot%\system32\Rundll32.exe "%systemroot%\system32\kjpwut19.dll",Start
O4 - HKLM\..\Run: [adznpb30] %systemroot%\system32\Rundll32.exe "%systemroot%\system32\adznpb30.dll",DllCanUnloadNow
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [MSDEG32] LYLoader.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDWG32] LYLoadbr.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDCG32 ] LYLeador.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDOG32] LYLoador.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDSG32] LYLoadar.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDMG32] LYLoadmr.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDHG32] LYLoadhr.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDQG32] LYLoadqr.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Access Internet Keyword - C:\Program Files\OCINS\cnrbtn.html
O8 - Extra context menu item: Access Internet Keyword - C:\Program Files\CNNIC\Cdn\cnnic.htm
O9 - Extra button: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O9 - Extra 'Tools' menuitem: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O9 - Extra button: Chinese Navigation - {B012491E-8FA4-4851-AA9B-22E33784FBAD} - C:\Program Files\OCINS\config.exe
O9 - Extra 'Tools' menuitem: Chinese Navigation - {B012491E-8FA4-4851-AA9B-22E33784FBAD} - C:\Program Files\OCINS\config.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\cdnns.dll' missing
O11 - Options group: [CDNCLIENT] Chinese Navigation
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Fax 2Client (ms_2fax) - Unknown owner - C:\WINDOWS\System32\42761.exe
--
End of file - 6367 bytes

-----------------------------------------------------------------------------------

ComboFix 07-10-17.8@ - Alex 2007-10-18 20:16:44.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.10 [GMT -7:00]
Running from: C:\Documents and Settings\Alex\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data.\microsoft\pctools
C:\Documents and Settings\All Users\Application Data.\microsoft\pctools\pctools.dll
C:\Documents and Settings\All Users\Application Data.\t
C:\Documents and Settings\All Users\Application Data.\t\a1056.dat
C:\Documents and Settings\All Users\Application Data.\t\b1056.dat
C:\Documents and Settings\All Users\Application Data.\t\k1056.dat
C:\Documents and Settings\All Users\Application Data.\t\p1056.dat
C:\Documents and Settings\All Users\Application Data.\t\r1056.dat
C:\Documents and Settings\All Users\Application Data\microsoft\pctools\pctools.dll
C:\Program Files\cnnic\Cdn\cdnacs.dat
C:\Program Files\cnnic\Cdn\cdnacs.dat
C:\Program Files\cnnic\Cdn\cdnaux.dll
C:\Program Files\cnnic\Cdn\cdnaux.dll
C:\Program Files\cnnic\Cdn\cdnbl.dat
C:\Program Files\cnnic\Cdn\cdncmd.dll
C:\Program Files\cnnic\Cdn\cdncol.dll
C:\Program Files\cnnic\Cdn\cdndet.dat
C:\Program Files\cnnic\Cdn\cdndet.dll
C:\Program Files\cnnic\Cdn\cdndet.dll
C:\Program Files\cnnic\Cdn\cdndisp.dat
C:\Program Files\cnnic\Cdn\cdndisp.dat
C:\Program Files\cnnic\Cdn\cdndrag.dll
C:\Program Files\cnnic\Cdn\cdnforie.dll
C:\Program Files\cnnic\Cdn\cdnforie.dll
C:\Program Files\cnnic\Cdn\cdnhint.dat
C:\Program Files\cnnic\Cdn\cdnprev.dat
C:\Program Files\cnnic\Cdn\cdnprev.dat
C:\Program Files\cnnic\Cdn\cdnprh.dll
C:\Program Files\cnnic\Cdn\cdnprh.dll
C:\Program Files\cnnic\Cdn\cdnrenew.exe
C:\Program Files\cnnic\Cdn\cdnrenew.exe
C:\Program Files\cnnic\Cdn\cdnsign.dll
C:\Program Files\cnnic\Cdn\cdntdns.dll
C:\Program Files\cnnic\Cdn\cdntran.dat
C:\Program Files\cnnic\Cdn\cdnuc.exe
C:\Program Files\cnnic\Cdn\cdnuc.exe
C:\Program Files\cnnic\Cdn\cdnunins.exe
C:\Program Files\cnnic\Cdn\cdnunins.exe
C:\Program Files\cnnic\Cdn\cdnup.exe
C:\Program Files\cnnic\Cdn\cdnup.exe
C:\Program Files\cnnic\Cdn\cdnuplib.dll
C:\Program Files\cnnic\Cdn\cdnuplib.dll
C:\Program Files\cnnic\Cdn\cdnvers.dat
C:\Program Files\cnnic\Cdn\cdnvers.dat
C:\Program Files\cnnic\Cdn\client.dll
C:\Program Files\cnnic\Cdn\client.dll
C:\Program Files\cnnic\Cdn\idnconv.dll
C:\Program Files\cnnic\Cdn\idnconv.dll
C:\Program Files\cnnic\Cdn\idnconvs.dll
C:\Program Files\cnnic\Cdn\idnconvs.dll
C:\Program Files\cnnic\Cdn\iesrch.dll
C:\Program Files\cnnic\Cdn\imadom.dat
C:\Program Files\cnnic\Cdn\Images\enter.ico
C:\Program Files\cnnic\Cdn\Images\news.ico
C:\Program Files\cnnic\Cdn\Images\popup.bmp
C:\Program Files\cnnic\Cdn\Images\soft.ico
C:\Program Files\cnnic\Cdn\imaoe.dll
C:\Program Files\cnnic\Cdn\imaoe.dll
C:\Program Files\cnnic\Cdn\rbtnhtm.cab
C:\Program Files\cnnic\Cdn\spkw.dat
C:\Program Files\cnnic\Cdn\src.dat
C:\Program Files\cnnic\Cdn\Update\cdnacs.dat
C:\Program Files\cnnic\Cdn\Update\cdnbl.dat
C:\Program Files\cnnic\Cdn\Update\cdncmd.dll
C:\Program Files\cnnic\Cdn\Update\cdncol.dll
C:\Program Files\cnnic\Cdn\Update\cdndet.dat
C:\Program Files\cnnic\Cdn\Update\cdndet.dll
C:\Program Files\cnnic\Cdn\Update\cdndisp.dat
C:\Program Files\cnnic\Cdn\Update\cdndrag.dll
C:\Program Files\cnnic\Cdn\Update\cdnhint.dat
C:\Program Files\cnnic\Cdn\Update\cdnprev.dat
C:\Program Files\cnnic\Cdn\Update\cdnprot.dat
C:\Program Files\cnnic\Cdn\Update\cdnprot.sys
C:\Program Files\cnnic\Cdn\Update\cdnrenew.exe
C:\Program Files\cnnic\Cdn\Update\cdntdns.dll
C:\Program Files\cnnic\Cdn\Update\cdntran.dat
C:\Program Files\cnnic\Cdn\Update\cdntran.sys
C:\Program Files\cnnic\Cdn\Update\cdnuc.exe
C:\Program Files\cnnic\Cdn\Update\cdnunins.exe
C:\Program Files\cnnic\Cdn\Update\cdnvers.dat
C:\Program Files\cnnic\Cdn\Update\client.dll
C:\Program Files\cnnic\Cdn\Update\enter.ico
C:\Program Files\cnnic\Cdn\Update\idnconv.dll
C:\Program Files\cnnic\Cdn\Update\iesrch.dll
C:\Program Files\cnnic\Cdn\Update\imadom.dat
C:\Program Files\cnnic\Cdn\Update\imaoe.dll
C:\Program Files\cnnic\Cdn\Update\news.ico
C:\Program Files\cnnic\Cdn\Update\popup.bmp
C:\Program Files\cnnic\Cdn\Update\rbtnhtm.cab
C:\Program Files\cnnic\Cdn\Update\soft.ico
C:\Program Files\cnnic\Cdn\Update\spkw.dat
C:\Program Files\cnnic\Cdn\Update\wmhlpr.dll
C:\Program Files\cnnic\Cdn\wmhlpr.dll
C:\Program Files\Common Files\cpush
C:\Program Files\Common Files\cpush\cpush.dll
C:\Program Files\Common Files\cpush\cpush0.dll
C:\Program Files\Common Files\cpush\Uninst.exe
C:\Program Files\OCINS\austr.dll
C:\Program Files\OCINS\austr.dll
C:\Program Files\OCINS\cndsv.dll
C:\Program Files\OCINS\cndsv.dll
C:\Program Files\OCINS\cnprovh.dll
C:\Program Files\OCINS\cnprovh.dll
C:\Program Files\OCINS\cnrbtn.html
C:\Program Files\OCINS\cnstc.ini
C:\Program Files\OCINS\cnstc.ini
C:\Program Files\OCINS\config.exe
C:\Program Files\OCINS\config.exe
C:\Program Files\OCINS\convf.dll
C:\Program Files\OCINS\convf.dll
C:\Program Files\OCINS\ctrcfg.ini
C:\Program Files\OCINS\ctrcfg.ini
C:\Program Files\OCINS\cuscfg.dat
C:\Program Files\OCINS\cuscfg.dat
C:\Program Files\OCINS\idnaux.dat
C:\Program Files\OCINS\idnsvr.dll
C:\Program Files\OCINS\idnsvr.dll
C:\Program Files\OCINS\idnsvr.exe
C:\Program Files\OCINS\idnsvr.exe
C:\Program Files\OCINS\ieaux.dll
C:\Program Files\OCINS\ieaux.dll
C:\Program Files\OCINS\kwacs.dat
C:\Program Files\OCINS\kwacs.dat
C:\Program Files\OCINS\kwrep.dat
C:\Program Files\OCINS\kwrep.dat
C:\Program Files\OCINS\srchsp.dll
C:\Program Files\OCINS\uninstall.exe
C:\Program Files\OCINS\uninstall.exe
C:\Program Files\OCINS\update\update.exe
C:\Program Files\OCINS\update\version.dat
C:\Program Files\OCINS\usrcfg.ini
C:\Program Files\OCINS\version.dat
C:\Program Files\OCINS\version.dat
C:\WINDOWS\251.bmp
C:\WINDOWS\KB611311.log
C:\WINDOWS\ocinfo.dat
C:\WINDOWS\system32\3b1.dll
C:\WINDOWS\system32\42761.exe
C:\WINDOWS\system32\addrmshelp.dll
C:\WINDOWS\system32\addrmshelp.dll
C:\WINDOWS\system32\b421.dll
C:\WINDOWS\system32\bfgrxl.dll
C:\WINDOWS\system32\cdnprot.dat
C:\WINDOWS\system32\cdnprot.dat
C:\WINDOWS\system32\cnprov.dat
C:\WINDOWS\system32\cnprov.dat
C:\WINDOWS\system32\d3d1caps.srg
C:\WINDOWS\system32\drivers\acpidisk.sys
C:\WINDOWS\system32\drivers\cdnprot.sys
C:\WINDOWS\system32\drivers\cdnprot.sys
C:\WINDOWS\system32\drivers\cdntran.sys
C:\WINDOWS\system32\drivers\cnprov.sys
C:\WINDOWS\system32\drivers\cnprov.sys
C:\WINDOWS\system32\drivers\dfcbebah.sys
C:\WINDOWS\system32\drivers\idnaux.sys
C:\WINDOWS\system32\drivers\mxdispdr.sys
C:\WINDOWS\system32\drivers\pmahrp64.sys
C:\WINDOWS\system32\drivers\pmahrp64.sys
C:\WINDOWS\system32\drivers\sniiek81.sys
C:\WINDOWS\system32\evvafw.dll
C:\WINDOWS\system32\haczkk.dll
C:\WINDOWS\system32\idnreg.dll
C:\WINDOWS\system32\inyskt.dll
C:\WINDOWS\system32\iquqsz.dll
C:\WINDOWS\system32\ljzlvx.dll
C:\WINDOWS\system32\lyloader.exe
C:\WINDOWS\system32\LYMANGR.DLL
C:\WINDOWS\system32\lymangr.dll
C:\WINDOWS\system32\mprmsgse.axz
C:\WINDOWS\system32\mscpx32r.det
C:\WINDOWS\system32\msdeg32.dll
C:\WINDOWS\system32\MSDEG32.DLL
C:\WINDOWS\system32\otpqwm.dll
C:\WINDOWS\system32\pmahrp64.dll
C:\WINDOWS\system32\pmahrp64.dll
C:\WINDOWS\system32\pmahrp64.ini
C:\WINDOWS\system32\qgfefr.dll
C:\WINDOWS\system32\rivefk.dll
C:\WINDOWS\system32\rnajul.dll
C:\WINDOWS\system32\rnzlty.dll
C:\WINDOWS\system32\SHQMANGR.DLL
C:\WINDOWS\system32\SHQMANGR.DLL
C:\WINDOWS\system32\szycri.dll
C:\WINDOWS\system32\upxdnd.dll
C:\WINDOWS\system32\upxdnd.dll
C:\WINDOWS\system32\winiek81.bin
C:\WINDOWS\system32\winup
C:\WINDOWS\system32\winup\wlzctj92.dll
C:\WINDOWS\TEMP.\~my1.tmp
C:\WINDOWS\upxdnd.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_ACPIDISK
-------\LEGACY_CDNPROT
-------\LEGACY_CNPROV
-------\LEGACY_MS_2FAX
-------\LEGACY_MXDISPDR
-------\LEGACY_PMAHRP64
-------\LEGACY_SNIIEK81
-------\acpidisk
-------\cdnprot
-------\cdntran
-------\cnprov
-------\idnaux
-------\ms_2fax
-------\mxdispdr
-------\pmahrp64
-------\sniiek81

((((((((((((((((((((((((( Files Created from 2007-09-19 to 2007-10-19 )))))))))))))))))))))))))))))))
.
2007-10-18 20:13 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-18 20:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-10-18 13:54 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-18 13:13 61,440 --a------ C:\WINDOWS\system32\sniiek81.dll
2007-10-18 13:12 86,016 --a------ C:\WINDOWS\system32\winiek81.dll
2007-10-18 13:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-18 13:02 <DIR> d-------- C:\Documents and Settings\Alex\Application Data\Grisoft
2007-10-18 13:02 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-18 12:11 19,700 --a------ C:\WINDOWS\system32\LYLOADMR.EXE
2007-10-18 12:11 20 --a------ C:\WINDOWS\system32\mhsha1.dat
2007-10-18 10:32 165,572 --a------ C:\WINDOWS\system32\TAIAO005_IE_Plugin_mini.exe
2007-10-18 10:21 <DIR> d--hs---- C:\FOUND.003
2007-10-17 23:09 <DIR> d--hs---- C:\FOUND.002
2007-10-17 23:04 <DIR> d-------- C:\Program Files\WZCN
2007-10-17 23:02 34,304 --a------ C:\WINDOWS\system32\SHQ.DLL
2007-10-17 23:00 <DIR> d--hs---- C:\FOUND.001
2007-10-17 15:51 20 --a------ C:\Documents and Settings\Alex\mhsha1.dat
2007-10-17 13:51 <DIR> d-------- C:\Documents and Settings\Alex\Application Data\WZCN
2007-10-17 13:50 24,832 --ahs---- C:\WINDOWS\system32\system.dat
2007-10-17 13:50 9,307 --ah----- C:\WINDOWS\system32\qdshm.dll
2007-10-15 09:46 <DIR> d-------- C:\20319965ce451cd49d
2007-10-15 09:44 218,624 --a------ C:\WINDOWS\system32\srrstr.dll
2007-10-15 09:44 218,624 --a------ C:\WINDOWS\system32\dllcache\srrstr.dll
2007-10-13 10:29 <DIR> d-------- C:\WINDOWS\system32\bits
2007-10-13 10:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2007-10-13 10:24 <DIR> d-------- C:\Documents and Settings\Alex\Application Data\MSN6
2007-10-13 10:21 <DIR> d--h----- C:\WINDOWS\$xpsp1hfm$
2007-10-13 10:21 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2007-10-03 12:38 156,800 --a------ C:\WINDOWS\system32\drivers\iaecijjf.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-07-31 02:19 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-31 02:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 02:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 02:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 02:19 53,080 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-31 02:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 02:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 02:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 02:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 02:19 1,712,984 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-31 02:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2002-12-04 04:59 266 --sh--w C:\Program Files\desktop.ini
2002-12-04 04:59 11,079 ---h--w C:\Program Files\folder.htt
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D500885E-E400-41CA-804B-CD6373A7EEF2}]
2007-10-11 20:54 270336 --a------ C:\Program Files\WZCN\cn_ie_wzcn.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"TrackPointSrv"="tp4mon.exe" [2001-08-17 22:37 C:\WINDOWS\system32\tp4mon.exe]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2001-08-18 21:00]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" []
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" []
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"yfkjdk22"="C:\WINDOWS\system32\%systemroot%\system32\yfkjdk22.dll" []
"nqbboo39"="C:\WINDOWS\system32\%systemroot%\system32\nqbboo39.dll" []
"kjpwut19"="C:\WINDOWS\system32\%systemroot%\system32\kjpwut19.dll" []
"adznpb30"="C:\WINDOWS\system32\%systemroot%\system32\adznpb30.dll" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-08-18 12:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 07:14]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
@=
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{ACADABAF-1000-0010-8000-10AA006D2EA4}"= C:\WINDOWS\System32\system.dat [2007-10-17 19:46 24832]

*Newly Created Service* - ACPIDISK
*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
*Newly Created Service* - NEDJCX84
*Newly Created Service* - OLSUZP14
*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
"2007-07-19 06:24:48 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-18 20:33:19
Windows 5.1.2600 FAT NTAPI
scanning hidden processes ...
C:\windows\system32\gdisvc.exe [1288] 0x809A3020
C:\program files\common files\microsoft shared\vgx\regin.exe [1296] 0x80A09020
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
MSDCG32 = LYLeador.exe?
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-18 20:41:02 - machine was rebooted
.
--- E O F ---
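As an added example (not part of this thread, and not a HijackThis or ComboFix feature), here is a small triage script that applies the checks a log reviewer makes on exactly the kind of entries in the log above: random-looking file names in System32, autoruns that load a DLL through rundll32, the rarely legitimate Policies\Explorer\Run key, a broken LSP chain, and a service with no vendor. The eight input lines are copied from the log above; the regexes, the allowlist and the reason strings are my own assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample input: eight lines copied from the HijackThis log posted in
# this thread (two benign lines, AcroIEHelper and AVG, are included for contrast).
SAMPLE_LOG = r'''
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ff Class - {B9751A53-4494-4d7c-9732-AE3058D8145F} - C:\WINDOWS\System32\b421.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [yfkjdk22] %systemroot%\system32\Rundll32.exe "%systemroot%\system32\yfkjdk22.dll",Start
O4 - HKLM\..\Policies\Explorer\Run: [MSDEG32] LYLoader.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\cdnns.dll' missing
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Fax 2Client (ms_2fax) - Unknown owner - C:\WINDOWS\System32\42761.exe
'''.strip().splitlines()

# Section prefix HijackThis puts on every entry, e.g. "O4 - ..." or "R0 - ...".
ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
# Basenames of executables/libraries mentioned anywhere in the entry.
BINARY_RE = re.compile(r'''[^\\/"' ]+\.(?:dll|exe|sys)\b''', re.IGNORECASE)
# A file stem that looks machine-generated: a few letters then digits
# (yfkjdk22, b421) or digits only (42761). Heuristic, assumed here.
RANDOM_STEM_RE = re.compile(r"^(?:[a-z]{1,6}\d{2,5}|\d{3,})$", re.IGNORECASE)
# Well-known Windows binaries whose names happen to fit that pattern.
KNOWN_SYSTEM_BINARIES = {"rundll32.exe", "ctfmon.exe", "wuauclt.exe"}


def triage_entry(line: str) -> List[str]:
    """Return the reasons (possibly none) this HijackThis entry deserves a closer look."""
    match = ENTRY_RE.match(line.strip())
    if not match:
        return []
    section, body = match.groups()
    low = body.lower()
    reasons = []
    for base in BINARY_RE.findall(body):
        base_low = base.lower()
        if base_low in KNOWN_SYSTEM_BINARIES:
            continue
        stem = base_low.rsplit(".", 1)[0]
        # Only flag when the odd name also sits directly in System32.
        if RANDOM_STEM_RE.match(stem) and f"system32\\{base_low}" in low:
            reasons.append(f"random-looking file in System32: {base}")
    if section == "O4":
        if "rundll32" in low:
            reasons.append("autorun loads a DLL through rundll32")
        if "policies\\explorer\\run" in low:
            reasons.append("autorun under Policies\\Explorer\\Run")
    elif section == "O10":
        reasons.append("Winsock LSP chain references a missing provider")
    elif section == "O23" and "unknown owner" in low:
        reasons.append("service without vendor information")
    return reasons


def triage(lines) -> List[Tuple[str, List[str]]]:
    """Run triage_entry over a whole log and keep only entries with findings."""
    flagged = []
    for line in lines:
        reasons = triage_entry(line)
        if reasons:
            flagged.append((line.strip(), reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(entry)
        for reason in reasons:
            print("    ->", reason)
```

Run against the sample, five of the eight entries are flagged and the two legitimate vendor entries pass; the script is a first pass for a reviewer, not a verdict.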
10-19-2007   #4
Pancake
Senior Security Analyst
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 6,867
PC Experience: Elite PC Guru
Re: Please help, want to get rid of CDNUP.exe with HIGHJACK THIS

Still a lot to clear up yet. You did not do the http://go.microsoft.com/fwlink/?linkid=52012