Trojan Horse Psw


  • This topic is locked
52 replies to this topic

#1 KkianN

  • Members
  • 91 posts
  • Gender:Male

Posted 29 October 2007 - 10:19 PM

Sorry for the multiple post. I had posted at BleepingComputer.com > Security > Am I infected? What do I do? there. They told me to post a HJT log here. I may be infected with 'Trojan Horse PSW'.

Here is my HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:03:46 AM, on 10/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\ALMJ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\rpbrowserrecordplugin.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {C2626E66-D21B-E628-C1DF-1DACCFA36ED2} - C:\Program Files\Common Files\fjOs0r.dll (file missing)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Storm2Set] C:\WINDOWS\system32\rundll32.exe "C:\PROGRA~1\StormII\StormSet.dll",CheckEnv
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe
O4 - HKLM\..\Run: [Kvsc3] C:\WINDOWS\Kvsc3.exe
O4 - HKLM\..\Run: [cmdbcs] C:\WINDOWS\cmdbcs.exe
O4 - HKLM\..\Run: [upxdnd] C:\WINDOWS\upxdnd.exe
O4 - HKLM\..\Run: [ALMJ] C:\WINDOWS\system32\ALMJ.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &使用快车(FlashGet)下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &使用快车(FlashGet)下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ???ˉ??5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: ???ˉ??5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: ?3μ - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: ?3μ(FlashGet) - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 9479 bytes
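A first triage pass over a HijackThis log of the kind posted above, as an added example that is not part of the original post and not code from HijackThis or ComboFix. It reads the O4 (Run key) and O2 (BHO) entries plus the running-process list and flags two patterns that stand out in the log: Run values whose executable sits directly in C:\WINDOWS or system32 rather than under a vendor folder, and BHOs registered with no display name. The allowlist of executables expected to start from the Windows directory and the flagging rules are this example's own assumptions, not published detection rules; the sample lines are a constructed subset copied from the log in the post.

```python
"""Triage heuristics for HijackThis-style logs.

Added example: not part of HijackThis, ComboFix or the forum post. The allowlist
and the flagging rules below are this example's assumptions, not published rules.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of lines copied from the log posted above.
SAMPLE_HJT = r"""
Running processes:
C:\WINDOWS\system32\ALMJ.exe
C:\WINDOWS\system32\ctfmon.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C2626E66-D21B-E628-C1DF-1DACCFA36ED2} - C:\Program Files\Common Files\fjOs0r.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe
O4 - HKLM\..\Run: [Kvsc3] C:\WINDOWS\Kvsc3.exe
O4 - HKLM\..\Run: [cmdbcs] C:\WINDOWS\cmdbcs.exe
O4 - HKLM\..\Run: [upxdnd] C:\WINDOWS\upxdnd.exe
O4 - HKLM\..\Run: [ALMJ] C:\WINDOWS\system32\ALMJ.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
"""

# Executables an XP-era Run key legitimately starts straight out of the Windows
# directory. Assumption for this example; a real triage would check hashes/signatures.
KNOWN_WINDIR_EXES = {"ctfmon.exe", "rthdcpl.exe", "alcmtr.exe", "nwiz.exe", "rundll32.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\S*?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)      # first .exe on the command line
WINDIR_RE = re.compile(r"^C:\\WINDOWS\\(system32\\)?[^\\]+\.exe$", re.IGNORECASE)
PROC_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)         # "Running processes" lines


@dataclass
class Finding:
    kind: str          # "O4" (Run key) or "O2" (BHO)
    name: str          # Run value name or BHO display name
    target: str        # command line or DLL path as logged
    reason: str
    running: bool = False   # O4 only: the exe also appears in the process list


def flag_run_entry(name: str, cmd: str, running=frozenset()) -> Optional[Finding]:
    """Flag Run values whose executable lives directly in %WINDIR% or system32."""
    m = EXE_RE.match(cmd)
    if not m:
        return None                     # e.g. a .lnk or a non-exe target: not handled here
    exe = m.group("path")
    base = exe.rsplit("\\", 1)[-1].lower()
    bare = "\\" not in exe              # e.g. "RTHDCPL.EXE": resolved through the system path
    if (bare or WINDIR_RE.match(exe)) and base not in KNOWN_WINDIR_EXES:
        return Finding("O4", name, cmd,
                       "unknown executable launched from the Windows directory",
                       running=exe.lower() in running)
    return None


def flag_bho(name: str, path: str) -> Optional[Finding]:
    """Flag BHOs registered without a display name; note whether the DLL is gone."""
    if name != "(no name)":
        return None
    missing = path == "(no file)" or path.endswith("(file missing)")
    reason = "nameless BHO, DLL missing: orphaned CLSID registration" if missing \
        else "nameless BHO with a DLL on disk: inspect the file"
    return Finding("O2", name, path, reason)


def triage(log_text: str) -> List[Finding]:
    """Return the flagged O4 and O2 entries of a HijackThis log, in log order."""
    lines = [l.strip() for l in log_text.splitlines()]
    running = {l.lower() for l in lines if PROC_RE.match(l)}
    findings: List[Finding] = []
    for line in lines:
        if m := O4_RE.match(line):
            f = flag_run_entry(m["name"], m["cmd"], running)
        elif m := O2_RE.match(line):
            f = flag_bho(m["name"], m["path"])
        else:
            f = None
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        live = " (running now)" if f.running else ""
        print(f"{f.kind} [{f.name}] {f.target}\n    -> {f.reason}{live}")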


#2 Demon Cleaner

  • Members
  • 1,383 posts
  • Gender:Male
  • Location:Chester uk
  • Local time:07:47 AM

Posted 01 November 2007 - 11:43 PM

Hi KkianN

I will be helping you with your problems.

Give me a little time to look over your log and i will get back to you asap.

Regards

DC

Edited by Demon Cleaner, 01 November 2007 - 11:46 PM.


#3 KkianN
  • Topic Starter

  • Members
  • 91 posts
  • Gender:Male

Posted 02 November 2007 - 05:45 AM

Oh thanks. I will wait for you.

#4 Demon Cleaner

  • Members
  • 1,383 posts
  • Gender:Male
  • Location:Chester uk

Posted 02 November 2007 - 03:58 PM

Hi KkianN

The infection/s present steal passwords and account information for online gaming. I would suggest changing passwords from a different PC. Do not change them from this PC until I have given you the all clear.


Download ComboFix to your desktop.
Double-click combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

Regards

DC

#5 KkianN
  • Topic Starter

  • Members
  • 91 posts
  • Gender:Male

Posted 03 November 2007 - 01:52 AM

May I know if this trojan/s steals passwords and accounts for online games ONLY?

Here is my ComboFix log.

ComboFix 07-11-01.1 - KkianN 2007-11-03 14:25:33.1 - NTFSx86
Running from: C:\Documents and Settings\KkianN\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\Documents and Settings\All Users\Desktop\UUSEE~1.LNK
C:\Documents and Settings\All Users\Start Menu\UUSEE~1.LNK
C:\privilege.dat
C:\Program Files\uusee
C:\Program Files\uusee\32_32.ico
C:\Program Files\uusee\AD\1\000\index_new.html
C:\Program Files\uusee\AD\1\000\uue_new.jpg
C:\Program Files\uusee\AD\1\001\index_new.html
C:\Program Files\uusee\AD\1\001\uue_new.jpg
C:\Program Files\uusee\AD\1\cy\cy.html
C:\Program Files\uusee\AD\1\dsj\dsj.html
C:\Program Files\uusee\AD\1\dst\dst.html
C:\Program Files\uusee\AD\1\dy\dy.html
C:\Program Files\uusee\AD\1\jk\jk.html
C:\Program Files\uusee\AD\1\ty\ty.html
C:\Program Files\uusee\AD\1\yl\yl.html
C:\Program Files\uusee\AD\1\yx\yx1.html
C:\Program Files\uusee\AD\2\100\index.html
C:\Program Files\uusee\AD\2\200\index.html
C:\Program Files\uusee\AD\2\300\index.html
C:\Program Files\uusee\AD\UUAD_Banner_1.html
C:\Program Files\uusee\AD\UUAD_Banner_3.html
C:\Program Files\uusee\AD\UUAD_Buffering.html
C:\Program Files\uusee\AD\UUAD_Buffering.jpg
C:\Program Files\uusee\AD\UUAD_TextLink_0.xml
C:\Program Files\uusee\ARMP.ocx
C:\Program Files\uusee\ARMPD.dll
C:\Program Files\uusee\check_cmd.exe
C:\Program Files\uusee\flvplayer.swf
C:\Program Files\uusee\GoogleToolbarInstaller_zh-CN_signed.msi
C:\Program Files\uusee\in_psp.dll
C:\Program Files\uusee\MultiVMR9.dll
C:\Program Files\uusee\out_mmshttp.dll
C:\Program Files\uusee\rmsp011.ax
C:\Program Files\uusee\skins\UUPlayer\About.bmp
C:\Program Files\uusee\skins\UUPlayer\Control_Button_pause_1.bmp
C:\Program Files\uusee\skins\UUPlayer\Control_Button_pause_2.bmp
C:\Program Files\uusee\skins\UUPlayer\Control_Button_pause_3.bmp
C:\Program Files\uusee\skins\UUPlayer\Control_Button_pause_4.bmp
C:\Program Files\uusee\skins\UUPlayer\Control_Button_Recording_1.bmp
C:\Program Files\uusee\skins\UUPlayer\Control_Button_Recording_2.bmp
C:\Program Files\uusee\skins\UUPlayer\Control_Button_Recording_3.bmp
C:\Program Files\uusee\skins\UUPlayer\Ctrl_CheckBox_1.bmp
C:\Program Files\uusee\skins\UUPlayer\Ctrl_CheckBox_2.bmp
C:\Program Files\uusee\skins\UUPlayer\Ctrl_CheckBox_3.bmp
C:\Program Files\uusee\skins\UUPlayer\Ctrl_CheckBox_4.bmp
C:\Program Files\uusee\skins\UUPlayer\Ctrl_CheckBox_C1.bmp
C:\Program Files\uusee\skins\UUPlayer\Ctrl_CheckBox_C2.bmp
C:\Program Files\uusee\skins\UUPlayer\Ctrl_CheckBox_C3.bmp
C:\Program Files\uusee\skins\UUPlayer\Ctrl_CheckBox_C4.bmp
C:\Program Files\uusee\skins\UUPlayer\Ctrl_ComboBox_1.bmp
C:\Program Files\uusee\skins\UUPlayer\Ctrl_ComboBox_2.bmp
C:\Program Files\uusee\skins\UUPlayer\Ctrl_ComboBox_3.bmp
C:\Program Files\uusee\skins\UUPlayer\Ctrl_ComboBox_4.bmp
C:\Program Files\uusee\skins\UUPlayer\Ctrl_Edit_1.bmp
C:\Program Files\uusee\skins\UUPlayer\Ctrl_Edit_4.bmp
C:\Program Files\uusee\skins\UUPlayer\Ctrl_PushButton_1.bmp
C:\Program Files\uusee\skins\UUPlayer\Ctrl_PushButton_2.bmp
C:\Program Files\uusee\skins\UUPlayer\Ctrl_PushButton_3.bmp
C:\Program Files\uusee\skins\UUPlayer\Ctrl_PushButton_4.bmp
C:\Program Files\uusee\skins\UUPlayer\Ctrl_RadioButton_1.bmp
C:\Program Files\uusee\skins\UUPlayer\Ctrl_RadioButton_2.bmp
C:\Program Files\uusee\skins\UUPlayer\Ctrl_RadioButton_3.bmp
C:\Program Files\uusee\skins\UUPlayer\Ctrl_RadioButton_4.bmp
C:\Program Files\uusee\skins\UUPlayer\Ctrl_RadioButton_C1.bmp
C:\Program Files\uusee\skins\UUPlayer\Ctrl_RadioButton_C2.bmp
C:\Program Files\uusee\skins\UUPlayer\Ctrl_RadioButton_C3.bmp
C:\Program Files\uusee\skins\UUPlayer\Ctrl_RadioButton_C4.bmp
C:\Program Files\uusee\skins\UUPlayer\Dlg_Back.bmp
C:\Program Files\uusee\skins\UUPlayer\Dlg_Detect.bmp
C:\Program Files\uusee\skins\UUPlayer\Dlg_Frame_1.bmp
C:\Program Files\uusee\skins\UUPlayer\Dlg_Frame_2.bmp
C:\Program Files\uusee\skins\UUPlayer\Dlg_Frame_3.bmp
C:\Program Files\uusee\skins\UUPlayer\Dlg_Record_Task_1.bmp
C:\Program Files\uusee\skins\UUPlayer\Icon_Information.bmp
C:\Program Files\uusee\skins\UUPlayer\Icon_Question.bmp
C:\Program Files\uusee\skins\UUPlayer\Icon_Stop.bmp
C:\Program Files\uusee\skins\UUPlayer\ListHeader_1.bmp
C:\Program Files\uusee\skins\UUPlayer\ListHeader_2.bmp
C:\Program Files\uusee\skins\UUPlayer\ListHeader_3.bmp
C:\Program Files\uusee\skins\UUPlayer\ListHeader_ArrowD.bmp
C:\Program Files\uusee\skins\UUPlayer\ListHeader_ArrowU.bmp
C:\Program Files\uusee\skins\UUPlayer\ListHeader_SP.bmp
C:\Program Files\uusee\skins\UUPlayer\Play_Window_Rec_icon.bmp
C:\Program Files\uusee\skins\UUPlayer\Progressbar_Block_1.bmp
C:\Program Files\uusee\skins\UUPlayer\Progressbar_Block_2.bmp
C:\Program Files\uusee\skins\UUPlayer\Progressbar_Block_3.bmp
C:\Program Files\uusee\skins\UUPlayer\Progressbar_Block_4.bmp
C:\Program Files\uusee\skins\UUPlayer\Resource.h
C:\Program Files\uusee\skins\UUPlayer\Setting_Group_1_1.bmp
C:\Program Files\uusee\skins\UUPlayer\Setting_Group_1_2.bmp
C:\Program Files\uusee\skins\UUPlayer\Setting_Group_1_3.bmp
C:\Program Files\uusee\skins\UUPlayer\Setting_Group_2_1.bmp
C:\Program Files\uusee\skins\UUPlayer\Setting_Group_2_2.bmp
C:\Program Files\uusee\skins\UUPlayer\Setting_Group_2_3.bmp
C:\Program Files\uusee\skins\UUPlayer\Setting_Group_3_1.bmp
C:\Program Files\uusee\skins\UUPlayer\Setting_Group_3_2.bmp
C:\Program Files\uusee\skins\UUPlayer\Setting_Group_3_3.bmp
C:\Program Files\uusee\skins\UUPlayer\Sidebar_Button_1_1.bmp
C:\Program Files\uusee\skins\UUPlayer\Sidebar_Button_1_2.bmp
C:\Program Files\uusee\skins\UUPlayer\Sidebar_Button_1_3.bmp
C:\Program Files\uusee\skins\UUPlayer\Sidebar_Group_1.bmp
C:\Program Files\uusee\skins\UUPlayer\Sidebar_Group_2.bmp
C:\Program Files\uusee\skins\UUPlayer\Sidebar_Group_3.bmp
C:\Program Files\uusee\skins\UUPlayer\Sidebar_Group_x1.bmp
C:\Program Files\uusee\skins\UUPlayer\Sidebar_Group_x2.bmp
C:\Program Files\uusee\skins\UUPlayer\Sidebar_Group_x3.bmp
C:\Program Files\uusee\skins\UUPlayer\Thumbs.db
C:\Program Files\uusee\skins\UUPlayer\Titlebar_button_Res_1.bmp
C:\Program Files\uusee\skins\UUPlayer\Titlebar_button_Res_2.bmp
C:\Program Files\uusee\skins\UUPlayer\Titlebar_button_Res_3.bmp
C:\Program Files\uusee\skins\UUPlayer\Toolbar_Button_Compact_1.bmp
C:\Program Files\uusee\skins\UUPlayer\Toolbar_Button_Compact_2.bmp
C:\Program Files\uusee\skins\UUPlayer\Toolbar_Button_Compact_3.bmp
C:\Program Files\uusee\skins\UUPlayer\Toolbar_Button_FullScreen_1.bmp
C:\Program Files\uusee\skins\UUPlayer\Toolbar_Button_FullScreen_2.bmp
C:\Program Files\uusee\skins\UUPlayer\Toolbar_Button_FullScreen_3.bmp
C:\Program Files\uusee\skins\UUPlayer\Toolbar_Button_TopMost_1.bmp
C:\Program Files\uusee\skins\UUPlayer\Toolbar_Button_TopMost_2.bmp
C:\Program Files\uusee\skins\UUPlayer\Toolbar_Button_TopMost_3.bmp
C:\Program Files\uusee\skins\UUPlayer\TopTab_Browse.bmp
C:\Program Files\uusee\skins\UUPlayer\TopTab_Browse1.bmp
C:\Program Files\uusee\skins\UUPlayer\TopTab_Play.bmp
C:\Program Files\uusee\skins\UUPlayer\TopTab_Play1.bmp
C:\Program Files\uusee\skins\UUPlayer\TopTab_Record.bmp
C:\Program Files\uusee\skins\UUPlayer\TopTab_Record1.bmp
C:\Program Files\uusee\skins\UUPlayer\Tree_Arrow.bmp
C:\Program Files\uusee\skins\UUPlayer\Tree_Collapse.bmp
C:\Program Files\uusee\skins\UUPlayer\Tree_Expand.bmp
C:\Program Files\uusee\skins\UUPlayer\Tree_Header.bmp
C:\Program Files\uusee\skins\UUPlayer\Tree_ScrollBar_D.bmp
C:\Program Files\uusee\skins\UUPlayer\Tree_ScrollBar_H.bmp
C:\Program Files\uusee\skins\UUPlayer\Tree_ScrollBar_N.bmp
C:\Program Files\uusee\skins\UUPlayer\Tree_ScrollBar_S.bmp
C:\Program Files\uusee\skins\UUPlayer\Tree_ScrollBarThumb_D.bmp
C:\Program Files\uusee\skins\UUPlayer\Tree_ScrollBarThumb_H.bmp
C:\Program Files\uusee\skins\UUPlayer\Tree_ScrollBarThumb_N.bmp
C:\Program Files\uusee\skins\UUPlayer\Tree_ScrollBarThumb_S.bmp
C:\Program Files\uusee\skins\UUPlayer\Tree_SortIconDown.bmp
C:\Program Files\uusee\skins\UUPlayer\Tree_SortIconUp.bmp
C:\Program Files\uusee\skins\UUPlayer\UUSEE.ui
C:\Program Files\uusee\skins\UUPlayer\Volume_Bar_Block_1.bmp
C:\Program Files\uusee\skins\UUPlayer\Volume_Bar_Block_2.bmp
C:\Program Files\uusee\skins\UUPlayer\Volume_Bar_Block_3.bmp
C:\Program Files\uusee\skins\UUPlayer\Volume_Button_2_1.bmp
C:\Program Files\uusee\skins\UUPlayer\Volume_Button_2_2.bmp
C:\Program Files\uusee\skins\UUPlayer\Volume_Button_2_3.bmp
C:\Program Files\uusee\skins\UUPlayer\Wnd_Browser_1.bmp
C:\Program Files\uusee\skins\UUPlayer\Wnd_Browser_2.bmp
C:\Program Files\uusee\skins\UUPlayer\Wnd_Browser_3.bmp
C:\Program Files\uusee\skins\UUPlayer\Wnd_ChannelInfo.bmp
C:\Program Files\uusee\skins\UUPlayer\Wnd_ChannelInfo_5.bmp
C:\Program Files\uusee\skins\UUPlayer\Wnd_Control_1.bmp
C:\Program Files\uusee\skins\UUPlayer\Wnd_Control_2.bmp
C:\Program Files\uusee\skins\UUPlayer\Wnd_Control_3.bmp
C:\Program Files\uusee\skins\UUPlayer\Wnd_Control_4.bmp
C:\Program Files\uusee\skins\UUPlayer\Wnd_Main_1.bmp
C:\Program Files\uusee\skins\UUPlayer\Wnd_Main_2.bmp
C:\Program Files\uusee\skins\UUPlayer\Wnd_Main_3.bmp
C:\Program Files\uusee\skins\UUPlayer\Wnd_Main_5.bmp
C:\Program Files\uusee\skins\UUPlayer\Wnd_Play_1.bmp
C:\Program Files\uusee\skins\UUPlayer\Wnd_Record_1.bmp
C:\Program Files\uusee\skins\UUPlayer\Wnd_Record_2.bmp
C:\Program Files\uusee\skins\UUPlayer\Wnd_Record_3.bmp
C:\Program Files\uusee\skins\UUPlayer\Wnd_Record_4.bmp
C:\Program Files\uusee\skins\UUPlayer\Wnd_Setting_1.bmp
C:\Program Files\uusee\skins\UUPlayer\Wnd_Setting_2.bmp
C:\Program Files\uusee\skins\UUPlayer\Wnd_Setting_3.bmp
C:\Program Files\uusee\skins\UUPlayer\Wnd_Side_1.bmp
C:\Program Files\uusee\skins\UUPlayer\Wnd_Side_2.bmp
C:\Program Files\uusee\skins\UUPlayer\Wnd_Side_3.bmp
C:\Program Files\uusee\skins\UUPlayer\Wnd_Toolbar_1.bmp
C:\Program Files\uusee\skins\UUPlayer\Wnd_Toolbar_2.bmp
C:\Program Files\uusee\skins\UUPlayer\Wnd_Toolbar_3.bmp
C:\Program Files\uusee\skins\UUPlayer\Wnd_Toolbar_4.bmp
C:\Program Files\uusee\skins\UUPlayer\Wnd_Top_1.bmp
C:\Program Files\uusee\skins\UUPlayer\Wnd_Top_2.bmp
C:\Program Files\uusee\skins\UUPlayer\Wnd_Top_3.bmp
C:\Program Files\uusee\u264Dec.ax
C:\Program Files\uusee\UFDeMux.ax
C:\Program Files\uusee\uninst.exe
C:\Program Files\uusee\updateC2.ocx
C:\Program Files\uusee\UUPlayer.dll
C:\Program Files\uusee\UUPlayer.ocx
C:\Program Files\uusee\UUPlayer_update.ini
C:\Program Files\uusee\UUSee.url
C:\Program Files\uusee\uusee_video.dll
C:\Program Files\uusee\UUSEEAudioDec.ax
C:\Program Files\uusee\UUSeePlayer.exe
C:\Program Files\uusee\UUSeePlayer.xml
C:\Program Files\uusee\UUSEETemp\Progressbar_BM_6.bmp
C:\Program Files\uusee\UUSEETemp\Progressbar_BM_7.bmp
C:\Program Files\uusee\UUSEETemp\What's new.mht
C:\Program Files\uusee\UUSEETemp\Wnd_Info.bmp
C:\Program Files\uusee\UUSEETemp\Wnd_Play_2.bmp
C:\Program Files\uusee\UUSEETemp\Wnd_Play_5.bmp
C:\Program Files\uusee\UUTV_MY.xml
C:\Program Files\uusee\UUTV_UUPlayer.xml
C:\Program Files\uusee\UUUpgrade.exe
C:\Program Files\uusee\UUUpgrade.ini
C:\Program Files\uusee\UUUpgrade.ocx
C:\Program Files\uusee\vermini.ini
C:\Program Files\uusee\vermini_x.ini
C:\Program Files\uusee\vermini_x1.ini
C:\Program Files\uusee\What's new.txt
C:\WINDOWS\OPTIONS\CABS\_desktop.ini
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\k11935504498.exe
C:\WINDOWS\system32\k11935504509.exe
C:\WINDOWS\system32\k119355045513.exe
C:\WINDOWS\system32\k11935772258.exe
C:\WINDOWS\system32\k11935776232.exe
C:\WINDOWS\system32\k11937476253.exe
C:\WINDOWS\system32\k11937476285.exe
C:\WINDOWS\system32\k119374784511.exe
C:\WINDOWS\system32\k11939069711.exe
C:\WINDOWS\system32\k11939069743.exe
C:\WINDOWS\system32\k11939069754.exe
C:\WINDOWS\system32\k11939069765.exe
C:\WINDOWS\system32\k11939069797.exe
C:\WINDOWS\system32\k11939107984.exe
C:\WINDOWS\system32\k11939108017.exe
C:\WINDOWS\system32\k119391080510.exe
C:\WINDOWS\system32\k119391080611.exe
C:\WINDOWS\system32\k119391080712.exe
C:\WINDOWS\system32\k119391080813.exe
C:\WINDOWS\system32\k11939371254.exe
C:\WINDOWS\system32\mhsha1.dat
C:\WINDOWS\system32\n1193907193k.exe
C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\system32\SHQ.DLL
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wpcap.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NPF
-------\NPF


((((((((((((((((((((((((( Files Created from 2007-10-03 to 2007-11-03 )))))))))))))))))))))))))))))))
.

2007-11-02 22:40 12,564 --a------ C:\WINDOWS\MsPrint32D.exe
2007-10-31 12:44 22,560 --a------ C:\WINDOWS\system32\LYLOADMR.EXE
2007-10-28 21:17 5,632 --a------ C:\WINDOWS\system32\MJHOOK.DLL
2007-10-28 21:11 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-10-24 09:45 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-24 08:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PPStream
2007-10-24 08:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-10-23 19:21 <DIR> d-------- C:\Documents and Settings\KkianN\Application Data\Yahoo!
2007-10-23 19:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-10-23 19:21 <DIR> dr-h----- C:\Documents and Settings\All Users\Application Data\yahoo!
2007-10-23 19:19 <DIR> d-------- C:\WINDOWS\cache
2007-10-21 21:39 <DIR> d-------- C:\Program Files\PPStream
2007-10-21 21:39 <DIR> d-------- C:\Documents and Settings\KkianN\Application Data\PPStream
2007-10-21 14:01 <DIR> d-------- C:\WINDOWS\Sun
2007-10-21 13:57 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-21 12:34 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2007-10-21 12:33 <DIR> d--h----- C:\Documents and Settings\KkianN\Application Data\ijjigame
2007-10-21 12:33 58,776 --a------ C:\WINDOWS\system32\ijjiPlugin2.dll
2007-10-21 10:13 36,864 --a------ C:\WINDOWS\system32\EGameEncrypt.dll
2007-10-21 10:12 <DIR> d-------- C:\Program Files\NHN USA
2007-10-21 10:12 692,224 --a------ C:\WINDOWS\system32\ijjiSetup.exe
2007-10-21 01:18 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-10-21 01:18 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-10-21 01:18 740,442 --a------ C:\WINDOWS\system32\divx.dll
2007-10-21 01:18 282,624 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-10-21 01:18 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll
2007-10-21 01:18 163,840 --a------ C:\WINDOWS\system32\unrar.dll
2007-10-21 01:18 73,728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-10-20 21:35 <DIR> dr-h----- C:\Documents and Settings\KkianN\Application Data\SecuROM
2007-10-20 21:35 98,304 --a------ C:\WINDOWS\system32CmdLineExt.dll
2007-10-20 21:33 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-10-20 14:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-10-19 21:10 <DIR> d-------- C:\Program Files\Real Player
2007-10-18 17:17 18,704 -ra------ C:\WINDOWS\system32\drivers\se2End5.sys
2007-10-18 17:16 90,800 -ra------ C:\WINDOWS\system32\drivers\se2Eunic.sys
2007-10-18 17:16 4,128 -ra------ C:\WINDOWS\system32\drivers\se2Ecr.sys
2007-10-18 17:13 88,688 -ra------ C:\WINDOWS\system32\drivers\SE2Emgmt.sys
2007-10-18 00:21 <DIR> d-------- C:\TDDOWNLOAD
2007-10-18 00:16 480 --a------ C:\WINDOWS\system32\keys.dat
2007-10-18 00:15 1,559,040 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-10-18 00:15 5,120 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-10-18 00:08 <DIR> d-------- C:\Documents and Settings\KkianN\Application Data\Apple Computer
2007-10-18 00:07 86,560 -ra------ C:\WINDOWS\system32\drivers\SE2Eobex.sys
2007-10-18 00:06 97,184 -ra------ C:\WINDOWS\system32\drivers\SE2Emdm.sys
2007-10-18 00:06 61,600 -ra------ C:\WINDOWS\system32\drivers\SE2Ebus.sys
2007-10-18 00:06 9,360 -ra------ C:\WINDOWS\system32\drivers\SE2Emdfl.sys
2007-10-18 00:06 6,240 -ra------ C:\WINDOWS\system32\drivers\SE2Ecmnt.sys
2007-10-18 00:06 6,240 -ra------ C:\WINDOWS\system32\drivers\SE2Ecm.sys
2007-10-18 00:06 5,872 -ra------ C:\WINDOWS\system32\drivers\SE2Ewhnt.sys
2007-10-18 00:06 5,872 -ra------ C:\WINDOWS\system32\drivers\se2Ewh.sys
2007-10-18 00:01 <DIR> d-------- C:\Documents and Settings\KkianN\Application Data\Teleca
2007-10-17 23:59 <DIR> d-------- C:\Program Files\Sony Ericsson
2007-10-17 23:59 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
2007-10-17 23:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Teleca
2007-10-17 23:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2007-10-17 23:58 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-10-17 18:35 <DIR> d-------- C:\Program Files\Thunder Network
2007-10-17 18:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\thunder_vod_cache
2007-10-17 18:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Thunder Network
2007-10-17 18:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\mvcache
2007-10-17 18:35 4,538 --a------ C:\WINDOWS\system32\cid_store.dat
2007-10-17 17:12 <DIR> d-------- C:\Documents and Settings\KkianN\Application Data\StromII
2007-10-17 17:06 <DIR> d-------- C:\Program Files\StormII
2007-10-17 17:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Storm
2007-10-17 16:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2007-10-17 15:39 <DIR> d-------- C:\Program Files\TTPlayer
2007-10-17 15:20 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-17 15:19 <DIR> d-------- C:\Program Files\Real
2007-10-17 15:18 <DIR> d-------- C:\Program Files\Common Files\Real
2007-10-17 15:17 4,177 --a------ C:\WINDOWS\mozver.dat
2007-10-17 15:03 <DIR> d-------- C:\Program Files\Windows Live
2007-10-17 15:03 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2007-10-17 15:00 <DIR> d-------- C:\Documents and Settings\KkianN\Application Data\Skype
2007-10-17 14:59 <DIR> d-------- C:\Program Files\Skype
2007-10-17 14:59 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-10-17 14:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2007-10-17 14:55 <DIR> d-------- C:\Documents and Settings\KkianN\Contacts
2007-10-17 14:54 <DIR> d-------- C:\Program Files\MSN Messenger
2007-10-17 14:32 <DIR> d-------- C:\Program Files\Java
2007-10-17 14:32 <DIR> d-------- C:\Documents and Settings\KkianN\Application Data\AVG7
2007-10-17 14:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-17 14:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-17 14:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-10-17 11:22 <DIR> d-------- C:\Downloads
2007-10-17 10:48 <DIR> d-------- C:\Documents and Settings\KkianN\Application Data\Media Player Classic
2007-10-17 10:20 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-17 10:20 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-17 10:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-17 10:16 <DIR> d-------- C:\Program Files\eMule
2007-10-17 02:16 <DIR> d-------- C:\Documents and Settings\KkianN\Application Data\CyberLink
2007-10-17 02:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2007-10-17 02:08 <DIR> d---s---- C:\Documents and Settings\KkianN\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-28 11:50 --------- d-----w C:\Program Files\FlashGet
2007-10-27 10:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-23 11:21 --------- d-----w C:\Program Files\Yahoo!
2007-10-21 15:23 --------- d-----w C:\Documents and Settings\KkianN\Application Data\U3
2007-10-17 15:58 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-17 07:18 --------- d-----w C:\Program Files\Google
2007-10-17 07:17 --------- d-----w C:\Documents and Settings\KkianN\Application Data\Ahead
2007-10-16 17:58 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-10-16 17:55 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-16 17:55 --------- d-----w C:\Documents and Settings\KkianN\Application Data\InterTrust
2007-10-16 17:48 --------- d-----w C:\Program Files\Common Files\Ahead
2007-10-16 17:46 --------- d-----w C:\Program Files\Nero
2007-10-16 17:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2007-10-16 17:44 --------- d-----w C:\Program Files\CyberLink
2007-10-16 17:37 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-10-16 17:37 --------- d-----w C:\Program Files\Realtek
2007-10-16 17:37 --------- d-----w C:\Documents and Settings\KkianN\Application Data\InstallShield
2007-10-16 17:36 15,600 ----a-w C:\WINDOWS\gdrv.sys
2007-10-16 17:35 --------- d-----w C:\Program Files\Intel
2007-10-16 17:30 --------- d-----w C:\Program Files\microsoft frontpage
2007-09-16 17:07 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-09-16 17:07 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-09-16 17:07 8,491,008 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-09-16 17:07 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-09-16 17:07 6,853,088 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-09-16 17:07 6,746,112 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-09-16 17:07 6,344,704 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-09-16 17:07 5,783,040 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-09-16 17:07 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-09-16 17:07 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-09-16 17:07 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-09-16 17:07 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-09-16 17:07 364,544 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-09-16 17:07 36,864 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-09-16 17:07 36,864 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-09-16 17:07 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-09-16 17:07 3,551,232 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-09-16 17:07 3,334,144 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-09-16 17:07 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-09-16 17:07 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-09-16 17:07 2,371,584 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-09-16 17:07 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-09-16 17:07 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-09-16 17:07 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-09-16 17:07 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-09-16 17:07 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-09-16 17:07 1,478,656 ----a-w C:\WINDOWS\system32\nview.dll
2007-09-16 17:07 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-09-16 17:07 1,150,976 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-09-16 17:07 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C2626E66-D21B-E628-C1DF-1DACCFA36ED2}]
C:\Program Files\Common Files\fjOs0r.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2005-01-07 08:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2005-01-07 08:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2005-01-07 08:00]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 17:33 C:\WINDOWS\RTHDCPL.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 01:07]
"nwiz"="nwiz.exe" [2007-09-17 01:07 C:\WINDOWS\system32\nwiz.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 15:10]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"Media Codec Update Service"="C:\Program Files\Essentials Codec Pack\update.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-24 00:27]
"Storm2Set"="C:\PROGRA~1\StormII\StormSet.dll" [2007-08-01 18:50]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 01:07]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 22:59]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2005-01-07 08:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2005-01-07 08:00]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 13:31]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 22:59]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{CC3596CB-D6C1-ECA1-AE51-DEEA63F6C21C}"= C:\Program Files\Internet Explorer\OnlO0r.dll [ ]
"{3422FB0F-95EB-458A-8B56-39552017A4EF}"= C:\WINDOWS\system32\mhdoor0.dll [ ]
"{5731EA1D-6AAF-4DE9-BDDA-7B390A75B286}"= C:\WINDOWS\system32\wodoor0.dll [ ]
"{11DB88F9-409B-475E-8FD7-411653F6D367}"= C:\WINDOWS\system32\55550.dll [ ]
"{32C4BAF4-0411-4000-BDFB-A6F71E669F8C}"= C:\WINDOWS\system32\csdoor0.dll [ ]
"{E03C23BD-35B7-49C2-BBCA-6D8CEC2507E3}"= C:\WINDOWS\system32\wldoor0.dll [ ]
"{A3C95A74-638D-4C6B-A856-4B27664A7F47}"= C:\WINDOWS\system32\wgdoor0.dll [ ]
"{D8CC4845-441C-44F8-9053-28F2EF67655B}"= C:\WINDOWS\system32\dadoor0.dll [ ]
"{A120A1D0-CBCC-4F9B-A183-78B27E4C1B5C}"= C:\WINDOWS\system32\dh3oor0.dll [ ]
"{6826A3DB-EA8E-4E67-880D-53D04C7C0BD8}"= C:\WINDOWS\system32\qjdoor0.dll [ ]
"{EDFF29C1-5A70-4460-AC1D-16DCB4B672F0}"= C:\WINDOWS\system32\rxdoor0.dll [ ]
"{68F7767A-090C-4BBF-A015-720ACC6706E2}"= C:\WINDOWS\system32\wddoor0.dll [ ]
"{08E909A4-B236-48DD-8BCC-90A604B93E68}"= C:\WINDOWS\system32\tldoor0.dll [ ]
"{781FBCC1-99C7-4AE0-95F7-66EA49E86DD7}"= C:\WINDOWS\system32\zxdoor0.dll [ ]
"{ABD0935D-B35A-47BD-BA9A-81678DDE74DD}"= C:\WINDOWS\system32\qhdoor0.dll [ ]
"{04A0CB31-FDEB-4EB8-889B-E00ED87BCE23}"= C:\WINDOWS\system32\cqdoor0.dll [ ]
"{BD9B003B-0BE6-4528-A9D9-B8DBACAC6B9B}"= C:\WINDOWS\system32\fydoor0.dll [ ]

S2 EBF68B56;EBF68B56;C:\WINDOWS\system32\C1BB8A6A.EXE -k
S3 gdrv;gdrv;\??\C:\WINDOWS\gdrv.sys
S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\SE2Ebus.sys
S3 SE2Emdfl;Sony Ericsson Device 046 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\SE2Emdfl.sys
S3 SE2Emdm;Sony Ericsson Device 046 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\SE2Emdm.sys
S3 SE2Emgmt;Sony Ericsson Device 046 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\SE2Emgmt.sys
S3 se2End5;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (NDIS);C:\WINDOWS\system32\DRIVERS\se2End5.sys
S3 SE2Eobex;Sony Ericsson Device 046 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\SE2Eobex.sys
S3 se2Eunic;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (WDM);C:\WINDOWS\system32\DRIVERS\se2Eunic.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{faa14f13-7c10-11dc-b8cf-001a4d5121b9}]
\Shell\Auto\command - F:\PegeFile.pif
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL PegeFile.pif

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-03 14:39:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-03 14:40:17 - machine was rebooted
.
--- E O F ---


Here is my HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:51:33 PM, on 11/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\rpbrowserrecordplugin.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {C2626E66-D21B-E628-C1DF-1DACCFA36ED2} - C:\Program Files\Common Files\fjOs0r.dll (file missing)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Storm2Set] C:\WINDOWS\system32\rundll32.exe "C:\PROGRA~1\StormII\StormSet.dll",CheckEnv
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &使用快车(FlashGet)下载 [Download with FlashGet] - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &使用快车(FlashGet)下载全部链接 [Download all links with FlashGet] - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 使用迅雷下载 [Download with Thunder] - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 [Download all links with Thunder] - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ???ˉ??5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: ???ˉ??5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: ?3μ - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: ?3μ(FlashGet) - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EBF68B56 - Unknown owner - C:\WINDOWS\system32\C1BB8A6A.EXE (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 9253 bytes
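The helper reads the "Reg Loading Points" section above by eye to find what loads at boot. The following added example (not code from the original post, and not part of ComboFix or HijackThis) parses that same section and flags the four indicators visible in this thread's log: ShellExecuteHooks entries with no date or size recorded for the DLL, a service whose name and binary are both random 8-hex strings, Auto/AutoRun commands cached for a volume under mountpoints2, and Run values whose target ComboFix could not stat. SAMPLE_LOG is a constructed excerpt modelled on the log above; a real run would read C:\ComboFix.txt, the path the thread mentions.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log for the
persistence indicators this thread's log shows.  Added example: not code
from the original post and not part of ComboFix or HijackThis.  SAMPLE_LOG
is a constructed excerpt modelled on the log above; a real run would read
C:\\ComboFix.txt, the path the thread mentions."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    kind: str    # which indicator fired
    where: str   # CLSID, Run value name, service name or volume GUID
    target: str  # file or command the entry loads
    note: str


# Constructed excerpt (not the full log): one BHO, two Run values, two of the
# ShellExecuteHooks, two services and the mountpoints2 entries from the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C2626E66-D21B-E628-C1DF-1DACCFA36ED2}]
C:\Program Files\Common Files\fjOs0r.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-24 00:27]
"Media Codec Update Service"="C:\Program Files\Essentials Codec Pack\update.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{CC3596CB-D6C1-ECA1-AE51-DEEA63F6C21C}"= C:\Program Files\Internet Explorer\OnlO0r.dll [ ]
"{3422FB0F-95EB-458A-8B56-39552017A4EF}"= C:\WINDOWS\system32\mhdoor0.dll [ ]

S2 EBF68B56;EBF68B56;C:\WINDOWS\system32\C1BB8A6A.EXE -k
S3 gdrv;gdrv;\??\C:\WINDOWS\gdrv.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{faa14f13-7c10-11dc-b8cf-001a4d5121b9}]
\Shell\Auto\command - F:\PegeFile.pif
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL PegeFile.pif
"""

# The bracket after an entry holds the file's date; "[]" or "[ ]" means no date
# or size was recorded for it, which is reason enough to check the path by hand.
HOOK_RE = re.compile(r'^"(\{[0-9A-Fa-f-]{36}\})"=\s*(.+?)\s*\[(.*)\]$')
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[(.*)\]$')
SERVICE_RE = re.compile(r'^S[0-4]\s+([^;]+);([^;]*);(.+)$')   # "S2 name;display;image"
AUTORUN_RE = re.compile(r'^\\Shell\\(Auto|AutoRun)\\command\s+-\s+(.+)$')
HEX8_RE = re.compile(r'^[0-9A-F]{8}$', re.I)                  # random names like EBF68B56


def triage(log: str) -> list:
    """Return one Finding per suspicious loading point in the log text."""
    findings, key = [], ""
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[HKEY"):
            key = line.strip("[]")          # remember which registry key we are under
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, _display, image = m.groups()
            stem = image.split()[0].rsplit("\\", 1)[-1].split(".")[0]
            if HEX8_RE.match(name) and HEX8_RE.match(stem):
                findings.append(Finding("hex_named_service", name, image,
                                        "service name and binary are both random 8-hex strings"))
            continue
        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in key.lower():
            findings.append(Finding("volume_autorun", key.rsplit("\\", 1)[-1], m.group(2),
                                    "Auto/AutoRun command cached for a volume: autorun.inf-style spread"))
            continue
        if "ShellExecuteHooks" in key:
            m = HOOK_RE.match(line)
            if m:
                clsid, path, attrs = m.groups()
                state = "file present" if attrs.strip() else "no file info (missing or hidden)"
                findings.append(Finding("shell_execute_hook", clsid, path,
                                        "non-default hook loaded into every ShellExecute caller; " + state))
            continue
        if key.endswith("CurrentVersion\\Run"):
            m = RUN_RE.match(line)
            if m and not m.group(3).strip():
                findings.append(Finding("run_entry_no_file", m.group(1), m.group(2),
                                        "Run value whose target ComboFix could not stat"))
            continue
        if "Browser Helper Objects" in key:
            findings.append(Finding("bho", key.rsplit("\\", 1)[-1], line,
                                    "BHO listed (defaults are suppressed); check the DLL on disk"))
    return findings


def report(findings: list) -> str:
    """One line per finding, in the order the log listed them."""
    return "\n".join(f"{f.kind:20} {f.where:40} {f.target}  # {f.note}" for f in findings)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run against the full log it reports all seventeen hooks, the hex-named service, the two volume commands and the BHO in one screen; the gdrv driver and the dated Run values are left alone because neither rule fires on them.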

#6 KkianN


Posted 07 November 2007 - 12:01 PM

I have waited 5 days already. Why is there still no further step to fix the problem?

Can anyone help me, please?

#7 Demon Cleaner


Posted 07 November 2007 - 06:55 PM

Hi KkianN

Sorry about the delay.

Will have a reply for you very soon.

Regards DC

#8 Demon Cleaner


Posted 10 November 2007 - 03:12 AM

Hi KkianN

Really sorry for the delay.

The infection(s) you had/have do tend to target online games, but if they can steal passwords for those, and your log does not show a third-party firewall that blocks outgoing packets, other passwords could have been stolen as well. So it is a good idea to change all of your passwords, especially for anything that might compromise sensitive information such as online banking.

1. Please download Flash_Disinfector by sUBs and save it to your desktop:

  • Double-click Flash_Disinfector.exe to run it.
  • Follow any prompts that may appear.
  • The tool may ask you to insert your flash drive, or other removable drives. Please do so and allow the tool to clean it up as well.
  • Wait until the program has finished scanning, then please exit the program and reboot.

2. Please click this link-->Jotti

When the Jotti page has finished loading, click the Browse button, navigate to the following file and click Submit.

C:\WINDOWS\system32\C1BB8A6A.EXE

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at VirusTotal: http://www.virustotal.com/

3. Download this file to your desktop: [attachment: cfscript.txt]

[image: cfscript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix. Let it run.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Post this in a reply to this thread with a fresh HijackThis log and the Jotti/VirusTotal results.
Regards DC
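Step 1 above is aimed at removable drives because the log's mountpoints2 entries (\Shell\Auto\command - F:\PegeFile.pif, and the ShellExec_RunDLL form under \Shell\AutoRun\command) are what Windows caches from an autorun.inf at the root of the F: volume. The following added example (not from the original post, and not Flash_Disinfector's own code; what that tool writes to a drive is not shown on this page) parses such an autorun.inf, separates the keys that actually launch something from the ones that only name a menu verb, and reports whether a volume root is clean, carries a launch-capable autorun.inf, or holds a placeholder directory of that name. SAMPLE_AUTORUN is constructed to reproduce the log's PegeFile.pif entries; the real file from the drive is not on this page.

```python
"""Inspect a volume root for the autorun.inf that produces mountpoints2
entries like '\\Shell\\Auto\\command - F:\\PegeFile.pif' in the log above.
Added example: not from the original post and not Flash_Disinfector's own
code (what that tool writes to the drive is not shown on this page).
SAMPLE_AUTORUN is constructed to reproduce the log's PegeFile.pif entries."""
import os
import re
import tempfile

# File types Windows runs directly when named in an autorun command.
EXECUTABLE_EXT = {".exe", ".pif", ".com", ".scr", ".bat", ".cmd", ".vbs", ".js"}

# Keys that make Explorer launch something: open=, shellexecute= and any
# shell\<verb>\command=.  'shell=' and 'shell\<verb>=' only name the verb.
LAUNCH_KEY_RE = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")

# Constructed autorun.inf (the on-disk file is not on this page).  The
# shellexecute= line is what appears in the log as the ShellExec_RunDLL command.
SAMPLE_AUTORUN = r"""[autorun]
open=PegeFile.pif
shellexecute=PegeFile.pif
shell\Auto\command=PegeFile.pif
shell\Auto=Auto
shell=Auto
"""


def parse_autorun(text: str) -> dict:
    """Key/value pairs of the [autorun] section, keys lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            k, v = line.split("=", 1)
            entries[k.strip().lower()] = v.strip()
    return entries


def launch_targets(entries: dict) -> dict:
    """Only the keys that cause something to run, with their command lines."""
    return {k: v for k, v in entries.items() if LAUNCH_KEY_RE.match(k)}


def first_token(cmd: str) -> str:
    """Program part of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0] if cmd else ""


def is_suspicious(cmd: str) -> bool:
    """True when the command's program is a directly executable file type."""
    return os.path.splitext(first_token(cmd))[1].lower() in EXECUTABLE_EXT


def inspect_drive_root(root: str) -> dict:
    """Describe the autorun.inf state of a volume root such as 'F:\\'."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.lexists(path):
        return {"state": "absent", "launch": {}}
    if os.path.isdir(path):
        # A directory named autorun.inf is not parseable as an INI file and a
        # dropper cannot simply overwrite it with a plain file; this placeholder
        # is the usual removable-drive hardening (assumed here, not stated on the page).
        return {"state": "placeholder_dir", "launch": {}}
    with open(path, "r", errors="replace") as fh:
        launch = launch_targets(parse_autorun(fh.read()))
    state = "infected" if any(is_suspicious(c) for c in launch.values()) else "file"
    return {"state": state, "launch": launch}


def demo(kind: str = "file") -> dict:
    """Build a scratch 'drive root' in one of three states and inspect it."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "autorun.inf")
        if kind == "file":
            with open(path, "w") as fh:
                fh.write(SAMPLE_AUTORUN)
        elif kind == "dir":
            os.mkdir(path)
        return inspect_drive_root(root)


if __name__ == "__main__":
    for kind in ("file", "dir", "absent"):
        print(kind, demo(kind))
```

On the infected machine the call would be inspect_drive_root("F:\\") with the flash drive inserted; the "launch" map it returns is exactly the set of commands that end up cached under mountpoints2, which is why the log still shows them even after the file on F: is gone.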

#9 KkianN


Posted 10 November 2007 - 12:03 PM

Sorry, I can't find this file, C1BB8A6A.EXE. I even used 'search' in Start > Search to look for the file, but the result came out with 0. What should I do now?

#10 Demon Cleaner


Posted 10 November 2007 - 03:26 PM

Carry on with the rest of the fix.

DC

#11 KkianN


Posted 10 November 2007 - 10:42 PM

ComboFix 07-11-08.1 - KkianN 2007-11-11 11:36:15.3 - NTFSx86
Running from: C:\Documents and Settings\KkianN\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\KkianN\Desktop\cfscript.txt
* Created a new restore point

FILE
C:\Program Files\Internet Explorer\OnlO0r.dll
C:\WINDOWS\MsPrint32D.exe
C:\WINDOWS\system32\55550.dll
C:\WINDOWS\system32\cqdoor0.dll
C:\WINDOWS\system32\csdoor0.dll
C:\WINDOWS\system32\dadoor0.dll
C:\WINDOWS\system32\dh3oor0.dll
C:\WINDOWS\system32\fydoor0.dll
C:\WINDOWS\system32\LYLOADMR.EXE
C:\WINDOWS\system32\mhdoor0.dll
C:\WINDOWS\system32\MJHOOK.DLL
C:\WINDOWS\system32\qhdoor0.dll
C:\WINDOWS\system32\qjdoor0.dll
C:\WINDOWS\system32\rxdoor0.dll
C:\WINDOWS\system32\tldoor0.dll
C:\WINDOWS\system32\wddoor0.dll
C:\WINDOWS\system32\wgdoor0.dll
C:\WINDOWS\system32\wldoor0.dll
C:\WINDOWS\system32\wodoor0.dll
C:\WINDOWS\system32\zxdoor0.dll
.

((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 )))))))))))))))))))))))))))))))
.

2007-11-11 11:30 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-11-10 18:21 108,144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-11-10 18:17 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-11-08 13:49 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-11-08 13:48 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-11-07 23:07 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-11-07 23:07 <DIR> d-------- C:\Program Files\Autodesk
2007-11-07 23:07 54,784 --a------ C:\WINDOWS\system32\drivers\CDAC11BA.EXE
2007-11-07 23:07 12,464 --a------ C:\WINDOWS\system32\drivers\CDAC15BA.SYS
2007-11-07 23:06 <DIR> d-------- C:\Program Files\AnswerWorks 4.0
2007-11-07 18:58 <DIR> d-------- C:\Program Files\Autocad2004
2007-11-07 18:41 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2007-11-07 18:41 <DIR> d-------- C:\Documents and Settings\KkianN\Application Data\Autodesk
2007-11-07 18:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Autodesk
2007-11-05 20:37 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-11-04 20:03 <DIR> d-------- C:\Documents and Settings\KkianN\Application Data\Kingsoft
2007-11-04 20:00 <DIR> d-------- C:\Program Files\Kingsoft
2007-11-04 20:00 <DIR> d-------- C:\Program Files\Common Files\Kingsoft
2007-10-24 09:45 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-24 08:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PPStream
2007-10-24 08:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-10-23 19:21 <DIR> d-------- C:\Documents and Settings\KkianN\Application Data\Yahoo!
2007-10-23 19:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-10-23 19:21 <DIR> dr-h----- C:\Documents and Settings\All Users\Application Data\yahoo!
2007-10-23 19:19 <DIR> d-------- C:\WINDOWS\cache
2007-10-21 21:39 <DIR> d-------- C:\Program Files\PPStream
2007-10-21 21:39 <DIR> d-------- C:\Documents and Settings\KkianN\Application Data\PPStream
2007-10-21 14:01 <DIR> d-------- C:\WINDOWS\Sun
2007-10-21 13:57 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-21 12:34 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2007-10-21 12:33 <DIR> d--h----- C:\Documents and Settings\KkianN\Application Data\ijjigame
2007-10-21 12:33 58,776 --a------ C:\WINDOWS\system32\ijjiPlugin2.dll
2007-10-21 10:13 36,864 --a------ C:\WINDOWS\system32\EGameEncrypt.dll
2007-10-21 10:12 <DIR> d-------- C:\Program Files\NHN USA
2007-10-21 10:12 692,224 --a------ C:\WINDOWS\system32\ijjiSetup.exe
2007-10-21 01:18 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-10-21 01:18 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-10-21 01:18 740,442 --a------ C:\WINDOWS\system32\divx.dll
2007-10-21 01:18 282,624 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-10-21 01:18 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll
2007-10-21 01:18 163,840 --a------ C:\WINDOWS\system32\unrar.dll
2007-10-21 01:18 73,728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-10-20 21:35 <DIR> dr-h----- C:\Documents and Settings\KkianN\Application Data\SecuROM
2007-10-20 21:33 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-10-20 14:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-10-19 21:10 <DIR> d-------- C:\Program Files\Real Player
2007-10-18 17:17 18,704 -ra------ C:\WINDOWS\system32\drivers\se2End5.sys
2007-10-18 17:16 90,800 -ra------ C:\WINDOWS\system32\drivers\se2Eunic.sys
2007-10-18 17:16 4,128 -ra------ C:\WINDOWS\system32\drivers\se2Ecr.sys
2007-10-18 17:13 88,688 -ra------ C:\WINDOWS\system32\drivers\SE2Emgmt.sys
2007-10-18 00:21 <DIR> d-------- C:\TDDOWNLOAD
2007-10-18 00:16 480 --a------ C:\WINDOWS\system32\keys.dat
2007-10-18 00:15 1,559,040 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-10-18 00:15 5,120 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-10-18 00:08 <DIR> d-------- C:\Documents and Settings\KkianN\Application Data\Apple Computer
2007-10-18 00:07 86,560 -ra------ C:\WINDOWS\system32\drivers\SE2Eobex.sys
2007-10-18 00:06 97,184 -ra------ C:\WINDOWS\system32\drivers\SE2Emdm.sys
2007-10-18 00:06 61,600 -ra------ C:\WINDOWS\system32\drivers\SE2Ebus.sys
2007-10-18 00:06 9,360 -ra------ C:\WINDOWS\system32\drivers\SE2Emdfl.sys
2007-10-18 00:06 6,240 -ra------ C:\WINDOWS\system32\drivers\SE2Ecmnt.sys
2007-10-18 00:06 6,240 -ra------ C:\WINDOWS\system32\drivers\SE2Ecm.sys
2007-10-18 00:06 5,872 -ra------ C:\WINDOWS\system32\drivers\SE2Ewhnt.sys
2007-10-18 00:06 5,872 -ra------ C:\WINDOWS\system32\drivers\se2Ewh.sys
2007-10-18 00:01 <DIR> d-------- C:\Documents and Settings\KkianN\Application Data\Teleca
2007-10-17 23:59 <DIR> d-------- C:\Program Files\Sony Ericsson
2007-10-17 23:59 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
2007-10-17 23:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Teleca
2007-10-17 23:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2007-10-17 23:58 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-10-17 18:35 <DIR> d-------- C:\Program Files\Thunder Network
2007-10-17 18:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\thunder_vod_cache
2007-10-17 18:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Thunder Network
2007-10-17 18:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\mvcache
2007-10-17 18:35 8,637 --a------ C:\WINDOWS\system32\cid_store.dat
2007-10-17 17:12 <DIR> d-------- C:\Documents and Settings\KkianN\Application Data\StromII
2007-10-17 17:06 <DIR> d-------- C:\Program Files\StormII
2007-10-17 17:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Storm
2007-10-17 16:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2007-10-17 15:39 <DIR> d-------- C:\Program Files\TTPlayer
2007-10-17 15:20 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-17 15:19 <DIR> d-------- C:\Program Files\Real
2007-10-17 15:18 <DIR> d-------- C:\Program Files\Common Files\Real
2007-10-17 15:17 4,177 --a------ C:\WINDOWS\mozver.dat
2007-10-17 15:03 <DIR> d-------- C:\Program Files\Windows Live
2007-10-17 15:03 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2007-10-17 15:00 <DIR> d-------- C:\Documents and Settings\KkianN\Application Data\Skype
2007-10-17 14:59 <DIR> d-------- C:\Program Files\Skype
2007-10-17 14:59 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-10-17 14:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2007-10-17 14:55 <DIR> d-------- C:\Documents and Settings\KkianN\Contacts
2007-10-17 14:54 <DIR> d-------- C:\Program Files\MSN Messenger
2007-10-17 14:32 <DIR> d-------- C:\Program Files\Java
2007-10-17 14:32 <DIR> d-------- C:\Documents and Settings\KkianN\Application Data\AVG7
2007-10-17 14:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-17 14:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-17 14:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-10-17 11:22 <DIR> d-------- C:\Downloads
2007-10-17 10:48 <DIR> d-------- C:\Documents and Settings\KkianN\Application Data\Media Player Classic
2007-10-17 10:20 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-17 10:20 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-11 03:28 --------- d-----w C:\Program Files\FlashGet
2007-11-10 09:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-23 11:21 --------- d-----w C:\Program Files\Yahoo!
2007-10-21 15:23 --------- d-----w C:\Documents and Settings\KkianN\Application Data\U3
2007-10-17 15:58 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-17 07:18 --------- d-----w C:\Program Files\Google
2007-10-17 07:17 --------- d-----w C:\Documents and Settings\KkianN\Application Data\Ahead
2007-10-16 17:58 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-10-16 17:55 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-16 17:55 --------- d-----w C:\Documents and Settings\KkianN\Application Data\InterTrust
2007-10-16 17:48 --------- d-----w C:\Program Files\Common Files\Ahead
2007-10-16 17:46 --------- d-----w C:\Program Files\Nero
2007-10-16 17:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2007-10-16 17:44 --------- d-----w C:\Program Files\CyberLink
2007-10-16 17:37 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-10-16 17:37 --------- d-----w C:\Program Files\Realtek
2007-10-16 17:37 --------- d-----w C:\Documents and Settings\KkianN\Application Data\InstallShield
2007-10-16 17:36 15,600 ----a-w C:\WINDOWS\gdrv.sys
2007-10-16 17:35 --------- d-----w C:\Program Files\Intel
2007-10-16 17:30 --------- d-----w C:\Program Files\microsoft frontpage
2007-10-04 09:14 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-10-04 09:14 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-10-04 09:14 8,491,008 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-10-04 09:14 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-10-04 09:14 6,854,464 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-10-04 09:14 6,750,208 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-10-04 09:14 6,344,704 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-10-04 09:14 5,783,424 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-10-04 09:14 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-10-04 09:14 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-10-04 09:14 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-10-04 09:14 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-10-04 09:14 364,544 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-10-04 09:14 36,864 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-10-04 09:14 36,864 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-10-04 09:14 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-10-04 09:14 3,551,232 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-10-04 09:14 3,334,144 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-10-04 09:14 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-10-04 09:14 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-10-04 09:14 2,371,584 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-10-04 09:14 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-10-04 09:14 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-10-04 09:14 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-10-04 09:14 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-10-04 09:14 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-10-04 09:14 1,478,656 ----a-w C:\WINDOWS\system32\nview.dll
2007-10-04 09:14 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-10-04 09:14 1,150,976 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-10-04 09:14 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\cache ----

2006-04-14 13:09 188968 --a------ C:\WINDOWS\cache\yinsthelper.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2005-01-07 08:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2005-01-07 08:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2005-01-07 08:00]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 17:33 C:\WINDOWS\RTHDCPL.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 15:10]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"Media Codec Update Service"="C:\Program Files\Essentials Codec Pack\update.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-24 00:27]
"Storm2Set"="C:\PROGRA~1\StormII\StormSet.dll" [2007-08-01 18:50]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 22:59]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 17:14]
"nwiz"="nwiz.exe" [2007-10-04 17:14 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 17:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2005-01-07 08:00]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 13:31]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 22:59]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

S2 EBF68B56;EBF68B56;C:\WINDOWS\system32\C1BB8A6A.EXE -k
S3 gdrv;gdrv;\??\C:\WINDOWS\gdrv.sys
S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\SE2Ebus.sys
S3 SE2Emdfl;Sony Ericsson Device 046 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\SE2Emdfl.sys
S3 SE2Emdm;Sony Ericsson Device 046 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\SE2Emdm.sys
S3 SE2Emgmt;Sony Ericsson Device 046 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\SE2Emgmt.sys
S3 se2End5;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (NDIS);C:\WINDOWS\system32\DRIVERS\se2End5.sys
S3 SE2Eobex;Sony Ericsson Device 046 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\SE2Eobex.sys
S3 se2Eunic;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (WDM);C:\WINDOWS\system32\DRIVERS\se2Eunic.sys

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-11 11:37:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-11 11:37:26
C:\ComboFix2.txt ... 2007-11-11 11:27
.
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:55 AM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: ThunderAtOnce Class - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\rpbrowserrecordplugin.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Storm2Set] C:\WINDOWS\system32\rundll32.exe "C:\PROGRA~1\StormII\StormSet.dll",CheckEnv
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &使用快车(FlashGet)下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &使用快车(FlashGet)下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ???ˉ??5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: ???ˉ??5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: ?3μ - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: ?3μ(FlashGet) - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: EBF68B56 - Unknown owner - C:\WINDOWS\system32\C1BB8A6A.EXE (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 9311 bytes

#12 Demon Cleaner

Demon Cleaner

  • Members
  • 1,383 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Chester uk
  • Local time:07:47 AM

Posted 12 November 2007 - 07:47 PM

Hi KkianN

Can you confirm that you ran the Flash Disinfector (step 1 of my last post) before combofix?


1. Download this file to your desktop.[attachment=2688:cfscript.txt]

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

This will start combofix. Let it run.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


When combofix has finished running you should see this:

Posted Image

Click ok and then you will see this:

Posted Image

Follow the instructions and that should upload a suspicious file for analysis.


2. Start HijackThis and click the Scan button to perform a scan. Once the scan has completed look for the following item/s and click in the checkbox in front of each item to select it (if present):

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

3. Next close all open windows apart from hjt and click fix checked and then exit the program.

4. Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
In your next reply post:
  • Kaspersky report
  • A fresh HijackThis log
And let me know:
  • How the file submittal went
  • How your PC is running now
Regards DC

#13 KkianN

KkianN
  • Topic Starter

  • Members
  • 91 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:47 PM

Posted 13 November 2007 - 09:50 AM

First of all, I had run the Flash Disinfector. Then I went straight to this step --> 1. Download this file to your desktop. cfscript.txt (105 bytes).
But when I clicked the file cfscript.txt, an IE window came out with these few words inside:

http://www.bleepingcomputer.com/forums/t/114298/trojan-horse-psw/

Suspect::[1]
C:\WINDOWS\system32\C1BB8A6A.EXE

Anyway, I copied and pasted it into Notepad and then saved it as CFScript.txt. After that I dragged CFScript.txt into ComboFix.exe. When ComboFix finished running, it didn't show what you pasted in your last post --> Submit Files for Further Analysis.

After that I scanned with HJT and checked the entry "O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)" and then fixed it.

As you said, I did the Kaspersky Online Scan. Here is the Kaspersky log.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, November 13, 2007 7:27:55 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 13/11/2007
Kaspersky Anti-Virus database records: 457375
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 33798
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:20:48

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\thunder_vod_cache\106952ECF930ABB9C8D369933A9AD0BDC5C4CE79\0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\thunder_vod_cache\106952ECF930ABB9C8D369933A9AD0BDC5C4CE79\5015.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\thunder_vod_cache\106952ECF930ABB9C8D369933A9AD0BDC5C4CE79\82630415.dat Object is locked skipped
C:\Documents and Settings\KkianN\Application Data\Teleca\Telecalib\Logging\Application logs\SpecificUSB_log.txt Object is locked skipped
C:\Documents and Settings\KkianN\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\KkianN\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
C:\Documents and Settings\KkianN\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
C:\Documents and Settings\KkianN\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\KkianN\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\KkianN\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\KkianN\Local Settings\History\History.IE5\MSHist012007111320071114\index.dat Object is locked skipped
C:\Documents and Settings\KkianN\Local Settings\Temp\~DF3BF1.tmp Object is locked skipped
C:\Documents and Settings\KkianN\Local Settings\Temp\~DFDFBC.tmp Object is locked skipped
C:\Documents and Settings\KkianN\Local Settings\Temp\~DFE0C3.tmp Object is locked skipped
C:\Documents and Settings\KkianN\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\KkianN\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\KkianN\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Thunder Network\Thunder\Components\Security\SafeHistory.dat Object is locked skipped
C:\Program Files\Thunder Network\Thunder\Profiles\history6.dat Object is locked skipped
C:\Program Files\Thunder Network\Thunder\Program\record.bin Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{9B045C62-7CF3-435F-B251-B06F60B945CD}\RP63\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{9B045C62-7CF3-435F-B251-B06F60B945CD}\RP63\change.log Object is locked skipped

Scan process completed.


Followed by the HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:29:13 PM, on 11/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Kingsoft\Powerword 2007\xdict.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Thunder Network\Thunder\Program\Thunder5.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\rpbrowserrecordplugin.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Storm2Set] C:\WINDOWS\system32\rundll32.exe "C:\PROGRA~1\StormII\StormSet.dll",CheckEnv
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &使用快车(FlashGet)下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &使用快车(FlashGet)下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ???ˉ??5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: ???ˉ??5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: ?3μ - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: ?3μ(FlashGet) - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: EBF68B56 - Unknown owner - C:\WINDOWS\system32\C1BB8A6A.EXE (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 9342 bytes


Honestly, I think my computer is OK now because it hasn't been infected by Trojan Horse PSW, which it always used to get infected with a few times a week before I posted my problem in HijackThis Logs and Malware Removal. But sometimes when I open IE, the window suddenly quits. When I use Firefox, it doesn't happen. I wonder why. By the way, what do you mean by "submittal went"?
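The O23 entries in the log above are where the helpers are looking: a service with "Unknown owner" (no company name in the binary's version information) whose executable has a random-looking hex name and is reported "(file missing)" is exactly the kind of line that gets singled out for a closer look. The following is an added example, not code from the thread or from the HijackThis project: a small Python triage script that parses O23 lines and scores them with those three heuristics. The sample input reuses O23 lines taken from the log in this thread (plus one O9 line to show non-service entries are skipped); the scoring weights and the threshold are the example's own assumptions.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# HijackThis O23 lines have this shape (the short name and trailing marker are optional):
#   O23 - Service: <display name> (<service name>) - <owner> - <path> (file missing)
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Eight hex digits, optionally with .EXE (e.g. C1BB8A6A.EXE). Worth a second look, but
# legitimate drivers sometimes use such names too, so it only adds a small score.
HEX_NAME_RE = re.compile(r"^[0-9A-F]{8}(\.EXE)?$", re.I)


@dataclass
class ServiceEntry:
    display: str
    short: Optional[str]
    owner: str
    path: str
    file_missing: bool
    flags: List[str] = field(default_factory=list)
    score: int = 0


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Parse one HijackThis line; return None for anything that is not an O23 entry."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(
        display=m["display"],
        short=m["short"],
        owner=m["owner"],
        path=m["path"],
        file_missing=m["missing"] is not None,
    )


def assess(entry: ServiceEntry) -> ServiceEntry:
    """Attach heuristic flags and a score (assumed weights); higher means look closer."""
    if entry.owner == "Unknown owner":
        entry.flags.append("no company name in the binary's version info")
        entry.score += 2
    if entry.file_missing:
        entry.flags.append("service registered but binary missing from disk")
        entry.score += 2
    if HEX_NAME_RE.match(ntpath.basename(entry.path)):
        entry.flags.append("random-looking hex executable name")
        entry.score += 1
    if HEX_NAME_RE.match(entry.display):
        entry.flags.append("random-looking hex service name")
        entry.score += 1
    return entry


def triage(log_text: str, threshold: int = 2) -> List[ServiceEntry]:
    """Return O23 entries whose score reaches the threshold, highest score first."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry is None:
            continue
        assess(entry)
        if entry.score >= threshold:
            hits.append(entry)
    return sorted(hits, key=lambda e: e.score, reverse=True)


# Sample input: O23 lines taken from the HijackThis log in this thread, plus one O9 line.
SAMPLE_LOG = r"""
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: EBF68B56 - Unknown owner - C:\WINDOWS\system32\C1BB8A6A.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"score {e.score}: {e.display} -> {e.path}")
        for f in e.flags:
            print(f"    - {f}")
```

With the default threshold the script reports two entries: the EBF68B56 service (score 6: unknown owner, file missing, hex executable and hex service name) and RichVideo (score 2, unknown owner only, which is why the helpers did not chase it). Lowering the threshold to 1 also surfaces the Macrovision CDAC11BA.EXE driver purely on its hex-looking name, a reminder that the name heuristic on its own is noisy and is only useful in combination with the owner and file-presence checks.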

#14 KkianN (Topic Starter)

Posted 15 November 2007 - 09:13 AM

Can anyone tell me whether my computer is clear of trojans and viruses?

#15 Demon Cleaner

Posted 20 November 2007 - 01:08 PM

Hi KkianN

We are nearly finished but just have one suspicious file that we need to look at closer.

Copy/paste the text in the following codebox into notepad.

Suspect::[1]
C:\WINDOWS\system32\C1BB8A6A.EXE

And save it as cfscript to your desktop.

Make sure you are not connected to the internet.

Please disable your antivirus.

To do this, open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield (I'll let you know when), just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.

[image: CFScript being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript onto ComboFix.exe.

This will start combofix. Let it run.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


When combofix has finished running if you see this:

[image not preserved]

Reconnect to the internet after re-enabling AVG.

Click ok and then you will see this:

[image not preserved]

Follow the instructions and that should upload the suspicious file for analysis.

DC
