
Trojan/virus That Steals Passwords


23 replies to this topic

#1 pleaforpeace

  • Members
  • 23 posts

Posted 25 November 2007 - 12:34 AM

hey guys, so i got a trojan that steals passwords. was playing a game, left to do something else, came back and couldn't log in. got some other viruses too but more worried about this one. thanks

Attached Files




#2 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 08 December 2007 - 08:47 AM

Hello pleaforpeace and welcome to BleepingComputer!

Apologies for the delay. The forum has been very busy lately. If you are still having problems, please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:

Preparation Guide For Use Before Posting A Hijackthis Log.

Please also post the problems you are having.

Thanks,

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#3 pleaforpeace
  • Topic Starter

Posted 08 December 2007 - 05:07 PM

hey, basically same problem(s).

Attached Files


Edited by pleaforpeace, 08 December 2007 - 05:08 PM.


#4 Yourhighness

Posted 09 December 2007 - 06:15 AM

Hey pleaforpeace,

thanks for posting back. Please make sure you post everything we asked for within the reply and not as an attachment, as we will ask for more logs as we go along the fix and it makes it easier for the both of us.

Step #1

It is important that you use a software firewall, to prevent unauthorised traffic both out of and into your computer.
Your log doesn't show a firewall running. If you have disabled it, please re-enable it.
If you do not have a firewall installed, please download and install one of these excellent (and free) products:
If you want to have a look at the user manuals for the above suggested programs, have a look at the following:
If you do decide to install a third party firewall, make sure that the Windows firewall is not running and, if it is, deactivate it.

Step #2

I see you have AVG Antivirus installed on your PC but do not actually have it running in the background. This is somewhat suicidal in today's digital world. You should enable the guard as soon as possible to avoid being infected. Check this thread and just revert the steps mentioned there to disable the guard.

Step #3

Run HijackThis, press Scan, and put a check mark next to all these entries:

O4 - HKLM\..\Policies\Explorer\Run: [none] C:\Program Files\Video ActiveX Object\pmsngr.exe

Close all other windows and browsers, and press the Fix Checked button.

Step #4

Please download SmitfraudFix (by S!Ri), alternate (with instructions as well) and extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Step #5

Please post back with a fresh HijackThis log and the SmitfraudFix log in your next reply. Thanks.

Edited by Yourhighness, 09 December 2007 - 03:26 PM.



#5 Yourhighness

Posted 09 December 2007 - 03:27 PM

Okay, sorry for previous confusion. Have posted new instructions above. Please report back with the logs mentioned in step 5. Thanks.



#6 pleaforpeace
  • Topic Starter

Posted 09 December 2007 - 04:14 PM

hey thanks for the steps.
i have the microsoft firewall and it was on when i did the log and i also deleted the avg anti virus thing cause it did not find anything.

thanks again

Attached Files



#7 Yourhighness

Posted 09 December 2007 - 05:45 PM

Hey Pleaforpeace,

You are missing one important program on that computer: an antivirus.
This is somewhat suicidal in today's digital world. You need to install an antivirus program as soon as you can and run a complete scan of the computer:
Install it and then run a full scan. Let it quarantine/delete anything it finds. Let me know if there is anything that it reports but can not remove.

I know that firewalls can be a hassle for some games and other programs, but please consider for a second what is more annoying to you - the recurring task of having to clean up your machine of an infection due to lack of protection, or having to train your firewall once for future prevention of being infected again. Considering that you might even have to change all your passwords in the worst-case scenario, I just personally think that the latter is the best option.

The Windows firewall is better than nothing, but doesn't monitor outgoing packets very well. A third party firewall will bug you with a lot of deny or allow questions for a while, but you should be able to tell it to remember your decision so after about a week or so you will rarely be asked for a decision. It's up to you, I just think you should really give it a try. For a bit more on the firewall thing, have a read here: http://www.us-cert.gov/cas/tips/ST04-004.html.

Step #1

Please navigate to and delete the following folder:

C:\Program Files\Video ActiveX Object <-- this folder

Step #2

Please download ComboFix from here.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". (Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.)
  • Close any open browsers
  • Double click ComboFix.exe and follow the prompts.
  • When finished, it shall produce a log for you, combofix.txt. Post that log in your next reply together with a new HijackThis log
Note: Do not mouse click ComboFix's window whilst it's running. That may cause it to stall.

Step #3

Please post back with a fresh HijackThis log and the ComboFix log as a reply to this topic (not an attachment). Thanks.



#8 pleaforpeace
  • Topic Starter

Posted 09 December 2007 - 08:23 PM

so i dled the avg anti-virus scanned, no threats found though.
combofix:

ComboFix 07-12-09.1 - LA 2007-12-09 17:16:53.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.501 [GMT -8:00]
Running from: C:\Documents and Settings\LA\My Documents\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-10 to 2007-12-10 )))))))))))))))))))))))))))))))
.

2007-12-09 13:07 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-12-09 13:07 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-09 13:07 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-12-09 13:07 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-09 13:07 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-09 13:07 . 2007-12-09 13:07 2,628 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-01 21:15 . 2007-12-01 21:15 <DIR> d-------- C:\Program Files\Common Files\Thraex Software
2007-12-01 21:15 . 2007-12-01 21:36 <DIR> d-------- C:\CS1.6 LITE
2007-12-01 20:28 . 2007-12-01 20:33 101,192 --a------ C:\WINDOWS\Portable Counter-Strike 1.6 Uninstaller.exe
2007-12-01 19:55 . 2007-12-01 21:15 295,226 --a------ C:\WINDOWS\CS1.6 LITE Uninstaller.exe
2007-12-01 19:02 . 2007-12-01 19:02 <DIR> dr-h----- C:\Documents and Settings\LA\Application Data\SecuROM
2007-12-01 19:02 . 2007-12-01 19:02 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-12-01 19:01 . 2007-12-01 19:01 <DIR> d-------- C:\Program Files\Hasbro
2007-11-25 16:17 . 2007-11-25 16:17 <DIR> d-------- C:\Documents and Settings\LA\Application Data\Nexon
2007-11-25 14:25 . 2007-11-25 14:33 <DIR> d-------- C:\Program Files\PokerStars
2007-11-24 21:21 . 2007-11-24 21:21 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-24 17:19 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-24 17:13 . 2004-08-03 23:56 146,432 --a------ C:\WINDOWS\R.COM
2007-11-24 17:13 . 2004-08-03 23:56 135,680 --a------ C:\WINDOWS\system32\T.COM
2007-11-24 16:50 . 2007-11-24 16:50 <DIR> d-------- C:\Documents and Settings\LA\Application Data\TrojanHunter
2007-11-24 16:25 . 2007-11-24 17:35 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2007-11-24 16:10 . 2007-11-24 16:22 <DIR> d-------- C:\Program Files\RegistryFix
2007-11-24 11:10 . 2007-11-24 11:10 <DIR> d-------- C:\Program Files\CCleaner
2007-11-23 09:05 . 2006-12-25 22:58 189,312 -ra------ C:\WINDOWS\system32\drivers\RTL8187B.sys
2007-11-23 08:34 . 2007-11-23 08:34 <DIR> d-------- C:\NV27642768.TMP
2007-11-18 19:30 . 2007-11-18 19:30 <DIR> d-------- C:\Program Files\Ventrilo
2007-11-18 19:30 . 2007-11-18 19:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-12 15:50 . 2007-11-12 18:29 <DIR> d-------- C:\Program Files\IObit
2007-11-10 21:16 . 2007-11-10 21:16 <DIR> d-------- C:\Program Files\Sygate
2007-11-10 20:43 . 2007-11-12 18:29 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-10 20:32 . 2007-11-12 18:29 <DIR> d-------- C:\Documents and Settings\LA\.housecall6.6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-10 00:10 --------- d-----w C:\Documents and Settings\LA\Application Data\AVG7
2007-12-10 00:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-09 22:32 --------- d-----w C:\Program Files\LimeWire
2007-12-09 21:21 --------- d-----w C:\Program Files\Starcraft
2007-12-08 21:38 --------- d-----w C:\Program Files\Steam
2007-11-30 03:46 --------- d-----w C:\Program Files\DivX
2007-11-25 01:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-23 17:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-23 16:33 --------- d-----w C:\Program Files\Marvell
2007-11-23 16:32 --------- d-----w C:\Program Files\Gigabyte
2007-11-18 02:21 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-27 18:29 --------- d-----w C:\Program Files\Java
2007-10-27 18:28 --------- d-----w C:\Program Files\AIM6
2007-10-27 18:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-27 18:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-10-20 00:56 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-10-20 00:56 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-10-20 00:56 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-10-20 00:56 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-10-20 00:54 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-10-20 00:54 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-10-20 00:54 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-10-20 00:54 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-10-18 09:06 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-10-18 09:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-10-18 09:03 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-10-18 09:03 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-10-18 09:03 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-10-18 09:03 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-10-18 09:03 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-10-18 09:02 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 07:20]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 16:57]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 21:32]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-28 21:39]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-28 21:39]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-06-28 23:43 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 01:09 C:\WINDOWS\SOUNDMAN.EXE]
"NVRaidService"="C:\WINDOWS\System32\nvraidservice.exe" [2004-06-10 19:15]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 13:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-01 14:49]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-24 17:47]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 12:45]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-24 17:47]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^LA^Start Menu^Programs^Startup^腾讯QQ.lnk]
path=C:\Documents and Settings\LA\Start Menu\Programs\Startup\腾讯QQ.lnk
backup=C:\WINDOWS\pss\腾讯QQ.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Octoshape Streaming Services]
C:\Program Files\Octoshape Streaming Services\LA\OctoshapeClient.exe -inv:bootrun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
2006-01-30 08:00 98304 -ra------ C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
2003-01-09 08:21 253952 --a------ C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2003-01-13 09:19 757760 --a------ C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
c:\program files\steam\steam.exe -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-06-13 16:57 68856 --a------ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpeedUpMyPC]
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2007-05-14 14:22 35328 --a------ C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"MDM"=2 (0x2)

S3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187B.sys

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-12-04 03:00:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-06 02:50:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-07-09 01:50:23 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-09 17:18:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-09 17:18:40
C:\ComboFix2.txt ... 2007-12-09 15:59
.
--- E O F ---

Attached Files



#9 Yourhighness

Posted 10 December 2007 - 01:17 PM

Hey Pleaforpeace,

Thanks for posting back. It's not so much if the antivirus found something this time, but to protect you from malware during the cleaning process and in the future. Same goes for the firewall. Lack of both is just opening you to infections and re-infection.

Step #1
  • Open notepad and copy/paste the text in the codebox below into it:

    File::
    C:\WINDOWS\system32\VCCLSID.exe
    C:\WINDOWS\system32\SrchSTS.exe
    C:\WINDOWS\system32\Process.exe
    C:\WINDOWS\system32\dumphive.exe
    C:\WINDOWS\system32\WS2Fix.exe
    C:\WINDOWS\system32\tmp.reg
    C:\WINDOWS\R.COM
    C:\WINDOWS\system32\T.COM
    C:\NV27642768.TMP
  • Save this as CFScript.txt

    Posted Image
  • Referring to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    Note:
    Do not mouse click ComboFix's window whilst it's running. That may cause it to stall.
  • Additionally, ComboFix will generate a zipped file on your desktop called Submit [Date Time].zip
    Please submit this file via the HTML page that should pop up after running ComboFix.

    Please include a link to this topic in the message.
Step #2

Your log(s) show that you are using a so-called peer-to-peer or file-sharing programme (in your case LimeWire). These programmes allow users to share files with each other, as the name suggests. In today's world, cyber crime has reached an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they are thus best used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (ie the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

Step #3

Viewpoint Manager is considered foistware instead of malware since it is installed without users' approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Step #4

Please run the F-Secure Online Scanner
(You need to use Internet Explorer or enable IEView in Firefox)
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report in your next reply.
Step #5

Please post back with the following logs in your next reply: ComboFix log, F-Secure Online Scanner log and a fresh HijackThis log.

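An added example, not from the original post or from the ComboFix project: a small Python triage script that parses the "Files Created" section of a ComboFix log like the one in post #8, flags executable-type files dropped under C:\WINDOWS during the window, marks those whose modification time is far older than their creation time (the R.COM / T.COM pattern above), and renders the chosen paths as the CFScript File:: block used in Step #1. The sample lines are copied from the posted log; the 30-day gap heuristic and the extension list are assumptions, and the script only proposes candidates for a human to review, it does not decide what is malicious.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample: a few lines copied from the "Files Created" section of the
# ComboFix log posted above, wrapped in the section headers ComboFix prints.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2007-11-10 to 2007-12-10 )))))))))))))))))))))))))))))))
.
2007-12-09 13:07 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-12-09 13:07 . 2007-12-09 13:07 2,628 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-01 21:15 . 2007-12-01 21:36 <DIR> d-------- C:\CS1.6 LITE
2007-12-01 19:02 . 2007-12-01 19:02 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-11-24 17:13 . 2004-08-03 23:56 146,432 --a------ C:\WINDOWS\R.COM
2007-11-24 17:13 . 2004-08-03 23:56 135,680 --a------ C:\WINDOWS\system32\T.COM
2007-11-24 11:10 . 2007-11-24 11:10 <DIR> d-------- C:\Program Files\CCleaner
2007-11-23 08:34 . 2007-11-23 08:34 <DIR> d-------- C:\NV27642768.TMP
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
"""

SECTION_RE = re.compile(r"Files Created from (\d{4}-\d{2}-\d{2}) to (\d{4}-\d{2}-\d{2})")
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "   # creation timestamp
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "       # last-modified timestamp
    r"(<DIR>|[\d,]+) "                        # <DIR> or size in bytes
    r"(\S+) "                                 # attribute string, e.g. --a------
    r"(.+)$"                                  # path (may contain spaces)
)

# Extensions worth a second look when they land under the Windows directory (assumed list).
EXEC_EXTS = {".exe", ".com", ".dll", ".sys", ".scr", ".pif", ".bat", ".cmd", ".reg"}


@dataclass
class FileRecord:
    created: datetime
    modified: datetime
    size: Optional[int]      # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.size is None


def parse_files_created(text: str) -> List[FileRecord]:
    """Return the entries of the ComboFix 'Files Created' section, in log order."""
    records: List[FileRecord] = []
    in_section = False
    for line in text.splitlines():
        if SECTION_RE.search(line):
            in_section = True
            continue
        if in_section and line.startswith("(((("):
            break                       # the next section header ends this one
        if not in_section:
            continue
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue                    # blank lines and the lone '.' separators
        created, modified, size, attrs, path = m.groups()
        records.append(FileRecord(
            created=datetime.strptime(created, "%Y-%m-%d %H:%M"),
            modified=datetime.strptime(modified, "%Y-%m-%d %H:%M"),
            size=None if size == "<DIR>" else int(size.replace(",", "")),
            attrs=attrs,
            path=path,
        ))
    return records


def is_candidate(rec: FileRecord, windir: str = r"C:\WINDOWS") -> bool:
    """Executable-type file (not a directory) dropped under the Windows directory."""
    if rec.is_dir:
        return False
    lower = rec.path.lower()
    if not lower.startswith(windir.lower() + "\\"):
        return False
    return any(lower.endswith(ext) for ext in EXEC_EXTS)


def looks_copied_in(rec: FileRecord, min_gap: timedelta = timedelta(days=30)) -> bool:
    """Modified long before it was created here: a binary copied in from elsewhere
    rather than written by an installer that day (assumed 30-day threshold)."""
    return rec.created - rec.modified >= min_gap


def build_cfscript(paths: List[str]) -> str:
    """Render a ComboFix CFScript 'File::' block, as in Step #1 of post #9."""
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    recs = parse_files_created(SAMPLE_LOG)
    candidates = [r for r in recs if is_candidate(r)]
    for r in candidates:
        flag = "copied-in" if looks_copied_in(r) else "new"
        print(f"{r.created:%Y-%m-%d %H:%M}  {flag:9}  {r.path}")
    print(build_cfscript([r.path for r in candidates]))
```

Run against a full log, the candidate list still has to be checked by hand: CmdLineExt.dll is flagged here by the extension rule alone, and the helper's script above deliberately left it in place.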


#10 pleaforpeace
  • Topic Starter

Posted 10 December 2007 - 08:24 PM

hey man,

FSECURE:

Scanning Report
Monday, December 10, 2007 16:02:36 - 17:16:47
Computer name: ABC-UJIXUAANLHR
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ F:\ G:\


--------------------------------------------------------------------------------

Result: 17 malware found
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
W32/Downloader (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NEXONUS\NGM\NGM.EXE (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 36509
System: 4466
Not scanned: 2
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 16
Submitted: 1
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-12-10
F-Secure AVP: 7.0.171, 2007-12-11
F-Secure Orion: 1.2.37, 2007-12-11
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 0598-150-72
F-Secure Pegasus: 1.19.0, 2007-11-03
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
Use Advanced heuristics



----------------------------COMBOFIX----------------------------------------------
ComboFix 07-12-09.1 - LA 2007-12-10 15:50:35.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.543 [GMT -8:00]
Running from: C:\Documents and Settings\LA\My Documents\ComboFix.exe
Command switches used :: C:\Documents and Settings\LA\My Documents\CFscript.txt
* Created a new restore point

FILE
C:\NV27642768.TMP
C:\WINDOWS\R.COM
C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\T.COM
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\WS2Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\R.COM
C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\T.COM
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-10 to 2007-12-10 )))))))))))))))))))))))))))))))
.

2007-12-01 21:15 . 2007-12-01 21:15 <DIR> d-------- C:\Program Files\Common Files\Thraex Software
2007-12-01 21:15 . 2007-12-01 21:36 <DIR> d-------- C:\CS1.6 LITE
2007-12-01 20:28 . 2007-12-01 20:33 101,192 --a------ C:\WINDOWS\Portable Counter-Strike 1.6 Uninstaller.exe
2007-12-01 19:55 . 2007-12-01 21:15 295,226 --a------ C:\WINDOWS\CS1.6 LITE Uninstaller.exe
2007-12-01 19:02 . 2007-12-01 19:02 <DIR> dr-h----- C:\Documents and Settings\LA\Application Data\SecuROM
2007-12-01 19:02 . 2007-12-01 19:02 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-12-01 19:01 . 2007-12-01 19:01 <DIR> d-------- C:\Program Files\Hasbro
2007-11-25 16:17 . 2007-11-25 16:17 <DIR> d-------- C:\Documents and Settings\LA\Application Data\Nexon
2007-11-25 14:25 . 2007-11-25 14:33 <DIR> d-------- C:\Program Files\PokerStars
2007-11-24 21:21 . 2007-11-24 21:21 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-24 17:19 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-24 16:50 . 2007-11-24 16:50 <DIR> d-------- C:\Documents and Settings\LA\Application Data\TrojanHunter
2007-11-24 16:25 . 2007-11-24 17:35 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2007-11-24 16:10 . 2007-11-24 16:22 <DIR> d-------- C:\Program Files\RegistryFix
2007-11-24 11:10 . 2007-11-24 11:10 <DIR> d-------- C:\Program Files\CCleaner
2007-11-23 09:05 . 2006-12-25 22:58 189,312 -ra------ C:\WINDOWS\system32\drivers\RTL8187B.sys
2007-11-23 08:34 . 2007-11-23 08:34 <DIR> d-------- C:\NV27642768.TMP
2007-11-18 19:30 . 2007-11-18 19:30 <DIR> d-------- C:\Program Files\Ventrilo
2007-11-18 19:30 . 2007-11-18 19:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-12 15:50 . 2007-11-12 18:29 <DIR> d-------- C:\Program Files\IObit
2007-11-10 21:16 . 2007-11-10 21:16 <DIR> d-------- C:\Program Files\Sygate
2007-11-10 20:43 . 2007-11-12 18:29 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-10 20:32 . 2007-11-12 18:29 <DIR> d-------- C:\Documents and Settings\LA\.housecall6.6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-10 20:52 --------- d-----w C:\Documents and Settings\LA\Application Data\AVG7
2007-12-10 00:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-09 22:32 --------- d-----w C:\Program Files\LimeWire
2007-12-09 21:21 --------- d-----w C:\Program Files\Starcraft
2007-12-08 21:38 --------- d-----w C:\Program Files\Steam
2007-11-30 03:46 --------- d-----w C:\Program Files\DivX
2007-11-25 01:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-23 17:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-23 16:33 --------- d-----w C:\Program Files\Marvell
2007-11-23 16:32 --------- d-----w C:\Program Files\Gigabyte
2007-11-18 02:21 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-27 18:29 --------- d-----w C:\Program Files\Java
2007-10-27 18:28 --------- d-----w C:\Program Files\AIM6
2007-10-27 18:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-27 18:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-10-20 00:56 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-10-20 00:56 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-10-20 00:56 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-10-20 00:56 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-10-20 00:54 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-10-20 00:54 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-10-20 00:54 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-10-20 00:54 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-10-18 09:06 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-10-18 09:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-10-18 09:03 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-10-18 09:03 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-10-18 09:03 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-10-18 09:03 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-10-18 09:03 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-10-18 09:02 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 07:20]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 16:57]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 21:32]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-28 21:39]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-28 21:39]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-06-28 23:43 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 01:09 C:\WINDOWS\SOUNDMAN.EXE]
"NVRaidService"="C:\WINDOWS\System32\nvraidservice.exe" [2004-06-10 19:15]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 13:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-01 14:49]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-24 17:47]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 12:45]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-24 17:47]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^LA^Start Menu^Programs^Startup^腾讯QQ.lnk]
path=C:\Documents and Settings\LA\Start Menu\Programs\Startup\腾讯QQ.lnk
backup=C:\WINDOWS\pss\腾讯QQ.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Octoshape Streaming Services]
C:\Program Files\Octoshape Streaming Services\LA\OctoshapeClient.exe -inv:bootrun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
2006-01-30 08:00 98304 -ra------ C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
2003-01-09 08:21 253952 --a------ C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2003-01-13 09:19 757760 --a------ C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
c:\program files\steam\steam.exe -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-06-13 16:57 68856 --a------ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpeedUpMyPC]
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2007-05-14 14:22 35328 --a------ C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"MDM"=2 (0x2)

S3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187B.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-12-04 03:00:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-06 02:50:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-07-09 01:50:23 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-10 15:52:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-10 15:52:33
C:\ComboFix2.txt ... 2007-12-09 15:59
.
--- E O F ---

thanks again

Attached Files
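For anyone reading ComboFix output like the log above, the "Reg Loading Points" section is the part worth triaging first, since it lists every autostart the tool found. The following is an added example, not code from this thread, from ComboFix or from BleepingComputer: a small parser for that section's `"name"="value" [timestamp path]` lines, plus a simple triage heuristic that is an assumption of this example (flag autostart images whose resolved path lies outside the assumed install roots `C:\WINDOWS`, `C:\Program Files` and `C:\PROGRA~1`). The sample input is constructed; the legitimate entries mirror lines from the posted log, while the `example` entry and its path are placeholders invented for the demonstration.

```python
import re

# Constructed sample in the ComboFix "Reg Loading Points" format. The
# legitimate entries mirror lines from the log posted in this thread; the
# "example" entry is a placeholder constructed for this demonstration.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 16:57]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-24 17:47]
"example"="C:\Documents and Settings\LA\Application Data\example_placeholder.exe" [2007-12-01 19:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"""

SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# "name"="string" [meta]   or   "name"=number (0xhex)
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*'
    r'(?:"(?P<str>[^"]*)"|(?P<num>\d+)\s*\(0x[0-9A-Fa-f]+\))'
    r'(?:\s+\[(?P<meta>[^\]]*)\])?\s*$'
)

# Assumed "trusted" install roots for the triage heuristic (an assumption of
# this example, not a ComboFix rule).
TRUSTED_PREFIXES = (r"C:\WINDOWS", r"C:\PROGRAM FILES", r"C:\PROGRA~1")


def parse_reg_loading_points(text):
    """Return a list of dicts (key, name, value, timestamp, path), one per
    registry value line under a [KEY] header. Lines of other shapes (the
    'path=' and bare command lines of the msconfig sections) are skipped."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        value = m.group("str") if m.group("str") is not None else m.group("num")
        timestamp = None
        path = None
        meta = m.group("meta")
        if meta:
            # meta is "YYYY-MM-DD HH:MM", optionally followed by the on-disk
            # path ComboFix resolved for a bare image name such as RUNDLL32.exe
            timestamp = meta[:16]
            path = meta[16:].strip() or None
        if path is None and value and "\\" in value:
            path = value  # the value itself is a full path
        entries.append({"key": key, "name": m.group("name"), "value": value,
                        "timestamp": timestamp, "path": path})
    return entries


def flag_untrusted_paths(entries, trusted=TRUSTED_PREFIXES):
    """Heuristic triage: autostart images that live outside the assumed
    install roots are returned for manual review (case-insensitive match)."""
    flagged = []
    for e in entries:
        if e["path"] is None:
            continue
        upper = e["path"].upper()
        if not any(upper.startswith(p.upper()) for p in trusted):
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    parsed = parse_reg_loading_points(SAMPLE_LOG)
    for e in parsed:
        print(e["key"].split("\\")[-1], e["name"], e["path"] or e["value"], e["timestamp"])
    for e in flag_untrusted_paths(parsed):
        print("REVIEW:", e["name"], "->", e["path"])
```

The timestamp ComboFix prints in brackets is the file's modification time, so an autostart whose image was written around the date the problem started is another cheap sort key once the entries are parsed; the path heuristic is only a first pass and a helper's judgement on each entry still decides.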



#11 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  • Gender:Male
  • Location:Hamburg
  • Local time:12:38 PM

Posted 12 December 2007 - 03:38 AM

Hey Pleaforpeace,

With your antivirus software disabled again, we are both just wasting our time; there is no way we will get you cleaned up if you keep turning off your protection or do not follow my instructions accordingly.

Could you please elaborate a bit further on your following comments:

hey guys, so i got a trojan that steals passwords. was playing a game, left to do something else, came back and couldn't log in. got some other viruses too but more worried about this one. thanks

and

hey, basically same problem(s).

Both do not really explain why you think that you are infected and will make it hard for me to help you as we go along. Also, the following:

i have the microsoft firewall and it was on when i did the log and i also deleted the avg anti virus thing cause it did not find anything.

This is somewhat counterproductive. You need to be protected by a "proper" firewall and antivirus programme to be sure you do not get infected. I asked you twice and gave reasoning, and yet I do not see a firewall installed. I cannot and will not force you to install a firewall, but you should not be surprised if you end up being infected again and again due to insufficient protection.

O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe

It looks like you have a Poker programme installed. Please bear in mind that some of these programmes install some unwanted "additionals" when installing the Poker programme.

Step #1
  • Open notepad and copy/paste the text in the codebox below into it:

    File::
    C:\NV27642768.TMP
    
    Folder::
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NEXONUS\NGM
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
  • Save this as CFScript.txt

    Posted Image
  • Referring to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall
  • Additionally, ComboFix will generate a zipped file on your desktop called Submit [Date Time].zip
    Please submit this file via the html page that should pop up after running ComboFix.

    Please include a link to this topic in the message.
Step #2

You still have Viewpoint and File-sharing programmes installed. As suggested in my previous post, you really should uninstall them.

Step #3

Please do another F-Secure Onlinescan and post back with the results.

Step #4

Please post back with a fresh HijackThis log and the F-Secure Onlinescan log.



#12 pleaforpeace

pleaforpeace
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:03:38 AM

Posted 12 December 2007 - 10:56 PM

Whenever I scan with adaware, it always finds tracking cookies.
Sorry that I disabled the antivirus, I thought it just scans.
I'm pretty sure I deleted Viewpoint some time ago, and if I didn't, I looked for it and couldn't find it, and I kinda need LimeWire.



ComboFix 07-12-09.1 - LA 2007-12-12 17:56:53.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.521 [GMT -8:00]
Running from: C:\Documents and Settings\LA\My Documents\ComboFix.exe
Command switches used :: C:\Documents and Settings\LA\My Documents\cfscript.txt
* Created a new restore point

FILE
C:\NV27642768.TMP
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NEXONUS\NGM
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NEXONUS\NGM\33562881.dat
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NEXONUS\NGM\NGM.exe
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NEXONUS\NGM\NGM.log
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NEXONUS\NGM\NGMDll.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-13 to 2007-12-13 )))))))))))))))))))))))))))))))
.

2007-12-12 17:52 . 2007-12-12 17:52 <DIR> d-------- C:\Documents and Settings\LA\Application Data\MailFrontier
2007-12-12 17:47 . 2007-12-12 18:00 213,280 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-12 17:47 . 2007-12-12 17:59 5,996 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-12 17:44 . 2007-12-12 17:44 <DIR> d-------- C:\Program Files\OGPlanet
2007-12-12 17:39 . 2007-12-12 17:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-12 17:38 . 2007-12-12 17:52 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-12-12 08:07 . 2007-12-12 08:08 1,393 --a------ C:\WINDOWS\imsins.BAK
2007-12-01 21:15 . 2007-12-01 21:15 <DIR> d-------- C:\Program Files\Common Files\Thraex Software
2007-12-01 21:15 . 2007-12-01 21:36 <DIR> d-------- C:\CS1.6 LITE
2007-12-01 20:28 . 2007-12-01 20:33 101,192 --a------ C:\WINDOWS\Portable Counter-Strike 1.6 Uninstaller.exe
2007-12-01 19:55 . 2007-12-01 21:15 295,226 --a------ C:\WINDOWS\CS1.6 LITE Uninstaller.exe
2007-12-01 19:02 . 2007-12-01 19:02 <DIR> dr-h----- C:\Documents and Settings\LA\Application Data\SecuROM
2007-12-01 19:02 . 2007-12-01 19:02 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-12-01 19:01 . 2007-12-01 19:01 <DIR> d-------- C:\Program Files\Hasbro
2007-11-25 16:17 . 2007-11-25 16:17 <DIR> d-------- C:\Documents and Settings\LA\Application Data\Nexon
2007-11-25 14:25 . 2007-12-12 17:45 <DIR> d-------- C:\Program Files\PokerStars
2007-11-24 21:21 . 2007-11-24 21:21 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-24 17:19 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-24 16:50 . 2007-11-24 16:50 <DIR> d-------- C:\Documents and Settings\LA\Application Data\TrojanHunter
2007-11-24 16:25 . 2007-11-24 17:35 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2007-11-24 16:10 . 2007-11-24 16:22 <DIR> d-------- C:\Program Files\RegistryFix
2007-11-24 11:10 . 2007-11-24 11:10 <DIR> d-------- C:\Program Files\CCleaner
2007-11-23 09:05 . 2006-12-25 22:58 189,312 -ra------ C:\WINDOWS\system32\drivers\RTL8187B.sys
2007-11-23 08:34 . 2007-11-23 08:34 <DIR> d-------- C:\NV27642768.TMP
2007-11-18 19:30 . 2007-11-18 19:30 <DIR> d-------- C:\Program Files\Ventrilo
2007-11-18 19:30 . 2007-11-18 19:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-13 01:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\NexonUS
2007-12-10 20:52 --------- d-----w C:\Documents and Settings\LA\Application Data\AVG7
2007-12-10 00:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-09 22:32 --------- d-----w C:\Program Files\LimeWire
2007-12-09 21:21 --------- d-----w C:\Program Files\Starcraft
2007-12-08 21:38 --------- d-----w C:\Program Files\Steam
2007-11-30 03:46 --------- d-----w C:\Program Files\DivX
2007-11-25 01:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-23 17:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-23 16:33 --------- d-----w C:\Program Files\Marvell
2007-11-23 16:32 --------- d-----w C:\Program Files\Gigabyte
2007-11-18 02:21 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-15 00:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-11-15 00:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-13 02:29 --------- d-----w C:\Program Files\IObit
2007-11-11 05:16 --------- d-----w C:\Program Files\Sygate
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 18:29 --------- d-----w C:\Program Files\Java
2007-10-27 18:28 --------- d-----w C:\Program Files\AIM6
2007-10-27 18:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-27 18:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-10-20 00:56 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-10-20 00:56 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-10-20 00:56 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-10-20 00:56 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-10-20 00:54 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-10-20 00:54 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-10-20 00:54 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-10-20 00:54 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-10-18 09:06 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-10-18 09:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-10-18 09:03 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-10-18 09:03 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-10-18 09:03 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-10-18 09:03 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-10-18 09:03 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-10-18 09:02 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
.

((((((((((((((((((((((((((((( snapshot@2007-12-09_15.59.20.62 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-05-08 00:38:46 500,120 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2007-05-08 00:39:00 192,920 ----a-w C:\WINDOWS\Downloaded Program Files\fsauc.dll
+ 2007-05-08 00:39:24 254,360 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll
+ 2007-08-20 10:04:34 124,928 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\advpack.dll
+ 2007-08-20 10:04:34 214,528 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\dxtrans.dll
+ 2007-08-20 10:04:34 132,608 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\extmgr.dll
+ 2007-08-20 10:04:34 63,488 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\icardie.dll
+ 2007-08-17 10:20:54 63,488 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ie4uinit.exe
+ 2007-08-20 10:04:34 153,088 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieakeng.dll
+ 2007-08-20 10:04:35 230,400 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieaksie.dll
+ 2007-08-17 07:34:25 161,792 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieakui.dll
+ 2007-08-20 10:04:35 383,488 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieapfltr.dll
+ 2007-08-20 10:04:35 384,512 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iedkcs32.dll
+ 2007-08-20 10:04:37 6,058,496 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieframe.dll
+ 2007-08-20 10:04:38 44,544 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iernonce.dll
+ 2007-08-20 10:04:38 267,776 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iertutil.dll
+ 2007-08-17 10:20:54 13,824 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieudinit.exe
+ 2007-08-17 10:21:21 625,152 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iexplore.exe
+ 2007-08-20 10:04:39 27,648 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\jsproxy.dll
+ 2007-08-20 10:04:39 459,264 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\msfeeds.dll
+ 2007-08-20 10:04:39 52,224 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\msfeedsbs.dll
+ 2007-08-20 10:04:41 3,584,512 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\mshtml.dll
+ 2007-08-20 10:04:41 477,696 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\mshtmled.dll
+ 2007-08-20 10:04:41 193,024 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\msrating.dll
+ 2007-08-20 10:04:42 671,232 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\mstime.dll
+ 2007-08-20 10:04:42 102,400 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\occache.dll
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\updspapi.dll
+ 2007-08-20 10:04:42 105,984 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\url.dll
+ 2007-08-20 10:04:42 1,152,000 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\urlmon.dll
+ 2007-08-20 10:04:42 232,960 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\webcheck.dll
+ 2007-08-20 10:04:43 824,832 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\wininet.dll
- 2007-08-20 10:04:34 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2007-10-10 23:55:51 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
- 2007-08-20 10:04:34 124,928 -c----w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2007-10-10 23:55:51 124,928 -c----w C:\WINDOWS\system32\dllcache\advpack.dll
- 2007-08-20 10:04:34 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2007-10-10 23:55:51 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-08-20 10:04:34 132,608 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2007-10-10 23:55:51 132,608 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2007-08-20 10:04:34 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll
+ 2007-10-10 23:55:51 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll
- 2007-08-17 10:20:54 63,488 -c----w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2007-10-10 10:59:40 70,656 -c----w C:\WINDOWS\system32\dllcache\ie4uinit.exe
- 2007-08-20 10:04:34 153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2007-10-10 23:55:51 153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2007-08-20 10:04:35 230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2007-10-10 23:55:51 230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2007-08-17 07:34:25 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2007-10-10 05:46:55 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
- 2007-08-20 10:04:35 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
+ 2007-10-10 23:55:52 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
- 2007-08-20 10:04:35 384,512 -c----w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2007-10-10 23:55:52 384,512 -c----w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2007-08-20 10:04:37 6,058,496 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
+ 2007-10-10 23:55:54 6,065,664 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
- 2007-08-20 10:04:38 44,544 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2007-10-10 23:55:55 44,544 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2007-08-20 10:04:38 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
+ 2007-10-10 23:55:55 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
- 2007-08-17 10:20:54 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
+ 2007-10-10 10:59:40 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
- 2007-08-17 10:21:21 625,152 -c----w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2007-10-10 10:59:52 625,152 -c----w C:\WINDOWS\system32\dllcache\iexplore.exe
- 2007-08-20 10:04:39 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2007-10-10 23:55:56 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2004-08-04 05:58:22 72,960 -c--a-w C:\WINDOWS\system32\dllcache\mqac.sys
+ 2007-07-06 10:05:47 72,960 -c--a-w C:\WINDOWS\system32\dllcache\mqac.sys
- 2004-08-04 07:56:44 138,240 -c--a-w C:\WINDOWS\system32\dllcache\mqad.dll
+ 2007-07-06 12:46:59 138,240 -c--a-w C:\WINDOWS\system32\dllcache\mqad.dll
- 2004-08-04 07:56:44 47,104 -c--a-w C:\WINDOWS\system32\dllcache\mqdscli.dll
+ 2007-07-06 12:46:59 47,104 -c--a-w C:\WINDOWS\system32\dllcache\mqdscli.dll
- 2004-08-04 07:56:44 16,896 -c--a-w C:\WINDOWS\system32\dllcache\mqise.dll
+ 2007-07-06 12:46:59 16,896 -c--a-w C:\WINDOWS\system32\dllcache\mqise.dll
- 2004-08-04 07:56:44 660,992 -c--a-w C:\WINDOWS\system32\dllcache\mqqm.dll
+ 2007-07-06 12:46:59 660,992 -c--a-w C:\WINDOWS\system32\dllcache\mqqm.dll
- 2004-08-04 07:56:44 177,152 -c--a-w C:\WINDOWS\system32\dllcache\mqrt.dll
+ 2007-07-06 12:46:59 177,152 -c--a-w C:\WINDOWS\system32\dllcache\mqrt.dll
+ 2007-07-06 12:46:59 95,744 -c----w C:\WINDOWS\system32\dllcache\mqsec.dll
- 2004-08-04 07:56:44 48,640 -c--a-w C:\WINDOWS\system32\dllcache\mqupgrd.dll
+ 2007-07-06 12:46:59 48,640 -c--a-w C:\WINDOWS\system32\dllcache\mqupgrd.dll
+ 2007-07-06 12:46:59 471,552 -c----w C:\WINDOWS\system32\dllcache\mqutil.dll
- 2007-08-20 10:04:39 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
+ 2007-10-10 23:55:56 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
- 2007-08-20 10:04:39 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
+ 2007-10-10 23:55:56 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
- 2007-08-20 10:04:41 3,584,512 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2007-10-30 23:42:28 3,590,656 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2007-08-20 10:04:41 477,696 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2007-10-10 23:55:58 478,208 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2007-08-20 10:04:41 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2007-10-10 23:55:58 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2007-08-20 10:04:42 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2007-10-10 23:55:59 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2007-08-20 10:04:42 102,400 -c----w C:\WINDOWS\system32\dllcache\occache.dll
+ 2007-10-10 23:55:59 102,400 -c----w C:\WINDOWS\system32\dllcache\occache.dll
+ 2007-10-29 22:43:03 1,287,680 -c----w C:\WINDOWS\system32\dllcache\quartz.dll
- 2007-08-20 10:04:42 105,984 -c----w C:\WINDOWS\system32\dllcache\url.dll
+ 2007-10-10 23:55:59 105,984 -c----w C:\WINDOWS\system32\dllcache\url.dll
- 2007-08-20 10:04:42 1,152,000 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2007-10-10 23:56:00 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2007-08-20 10:04:42 232,960 -c----w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2007-10-10 23:56:00 232,960 -c----w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2007-08-20 10:04:43 824,832 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2007-10-10 23:56:00 824,832 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2006-10-19 04:47:18 222,208 -c--a-w C:\WINDOWS\system32\dllcache\WMASF.dll
+ 2007-10-28 01:40:30 222,720 -c--a-w C:\WINDOWS\system32\dllcache\wmasf.dll
+ 2007-07-19 23:10:28 127,768 ----a-w C:\WINDOWS\system32\drivers\klif.sys
- 2004-08-04 05:58:22 72,960 -c--a-w C:\WINDOWS\system32\drivers\mqac.sys
+ 2007-07-06 10:05:47 72,960 ----a-w C:\WINDOWS\system32\drivers\mqac.sys
- 2007-08-20 10:04:34 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2007-10-10 23:55:51 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-08-20 10:04:34 132,608 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2007-10-10 23:55:51 132,608 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2007-08-20 10:04:34 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
+ 2007-10-10 23:55:51 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2007-08-17 10:20:54 63,488 ----a-w C:\WINDOWS\system32\ie4uinit.exe
+ 2007-10-10 10:59:40 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
- 2007-08-20 10:04:34 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
+ 2007-10-10 23:55:51 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
- 2007-08-20 10:04:35 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
+ 2007-10-10 23:55:51 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
- 2007-08-17 07:34:25 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
+ 2007-10-10 05:46:55 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
- 2007-08-20 10:04:35 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
+ 2007-10-10 23:55:52 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2007-08-20 10:04:35 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
+ 2007-10-10 23:55:52 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
- 2007-08-20 10:04:37 6,058,496 ----a-w C:\WINDOWS\system32\ieframe.dll
+ 2007-10-10 23:55:54 6,065,664 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2007-08-20 10:04:38 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
+ 2007-10-10 23:55:55 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
- 2007-08-20 10:04:38 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
+ 2007-10-10 23:55:55 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2007-08-17 10:20:54 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2007-10-10 10:59:40 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
- 2007-08-20 10:04:39 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2007-10-10 23:55:56 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2007-11-15 00:04:46 796,048 ----a-w C:\WINDOWS\system32\libeay32_0.9.6l.dll
+ 2007-11-21 00:04:14 218,496 ----a-r C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe
+ 2007-12-12 06:32:24 74,649 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
- 2004-08-04 07:56:44 138,240 -c--a-w C:\WINDOWS\system32\mqad.dll
+ 2007-07-06 12:46:59 138,240 ----a-w C:\WINDOWS\system32\mqad.dll
- 2004-08-04 07:56:44 47,104 -c--a-w C:\WINDOWS\system32\mqdscli.dll
+ 2007-07-06 12:46:59 47,104 ----a-w C:\WINDOWS\system32\mqdscli.dll
- 2004-08-04 07:56:44 16,896 -c--a-w C:\WINDOWS\system32\mqise.dll
+ 2007-07-06 12:46:59 16,896 ----a-w C:\WINDOWS\system32\mqise.dll
- 2004-08-04 07:56:44 660,992 -c--a-w C:\WINDOWS\system32\mqqm.dll
+ 2007-07-06 12:46:59 660,992 ----a-w C:\WINDOWS\system32\mqqm.dll
- 2004-08-04 07:56:44 177,152 -c--a-w C:\WINDOWS\system32\mqrt.dll
+ 2007-07-06 12:46:59 177,152 ----a-w C:\WINDOWS\system32\mqrt.dll
- 2004-08-04 07:56:44 95,744 ----a-w C:\WINDOWS\system32\mqsec.dll
+ 2007-07-06 12:46:59 95,744 ----a-w C:\WINDOWS\system32\mqsec.dll
- 2004-08-04 07:56:44 48,640 -c--a-w C:\WINDOWS\system32\mqupgrd.dll
+ 2007-07-06 12:46:59 48,640 ----a-w C:\WINDOWS\system32\mqupgrd.dll
- 2004-08-04 07:56:44 471,552 ----a-w C:\WINDOWS\system32\mqutil.dll
+ 2007-07-06 12:46:59 471,552 ----a-w C:\WINDOWS\system32\mqutil.dll
- 2007-11-02 07:12:57 18,238,072 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2007-12-02 23:00:05 18,684,536 ----a-w C:\WINDOWS\system32\MRT.exe
- 2007-08-20 10:04:39 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2007-10-10 23:55:56 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2007-08-20 10:04:39 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2007-10-10 23:55:56 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
- 2007-08-20 10:04:41 3,584,512 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2007-10-30 23:42:28 3,590,656 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-08-20 10:04:41 477,696 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2007-10-10 23:55:58 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2007-08-20 10:04:41 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2007-10-10 23:55:58 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
- 2007-08-20 10:04:42 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2007-10-10 23:55:59 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
- 2007-08-20 10:04:42 102,400 ----a-w C:\WINDOWS\system32\occache.dll
+ 2007-10-10 23:55:59 102,400 ----a-w C:\WINDOWS\system32\occache.dll
+ 2004-04-27 12:40:52 11,264 ----a-w C:\WINDOWS\system32\SpOrder.dll
- 2007-07-18 12:42:22 60,416 ------w C:\WINDOWS\system32\tzchange.exe
+ 2007-11-13 11:31:11 60,416 ------w C:\WINDOWS\system32\tzchange.exe
- 2007-08-20 10:04:42 105,984 ----a-w C:\WINDOWS\system32\url.dll
+ 2007-10-10 23:55:59 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2007-08-20 10:04:42 1,152,000 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2007-10-10 23:56:00 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2007-11-15 00:04:52 83,432 ----a-w C:\WINDOWS\system32\vsdata.dll
+ 2007-11-15 00:05:16 394,952 ----a-w C:\WINDOWS\system32\vsdatant.sys
+ 2007-11-15 00:04:52 157,160 ----a-w C:\WINDOWS\system32\vsinit.dll
+ 2007-11-15 00:04:52 103,912 ----a-w C:\WINDOWS\system32\vsmonapi.dll
+ 2007-11-15 00:04:52 275,944 ----a-w C:\WINDOWS\system32\vspubapi.dll
+ 2007-11-15 00:04:52 71,144 ----a-w C:\WINDOWS\system32\vsregexp.dll
+ 2007-11-15 00:04:54 472,552 ----a-w C:\WINDOWS\system32\vsutil.dll
+ 2007-11-15 00:04:54 46,568 ----a-w C:\WINDOWS\system32\vswmi.dll
+ 2007-11-15 00:04:54 99,816 ----a-w C:\WINDOWS\system32\vsxml.dll
- 2007-08-20 10:04:42 232,960 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2007-10-10 23:56:00 232,960 ----a-w C:\WINDOWS\system32\webcheck.dll
- 2007-08-20 10:04:43 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2007-10-10 23:56:00 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2007-11-15 00:04:56 83,432 ----a-w C:\WINDOWS\system32\zlcomm.dll
+ 2007-11-15 00:04:56 71,144 ----a-w C:\WINDOWS\system32\zlcommdb.dll
+ 2007-12-13 01:47:24 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
+ 2007-11-15 00:04:44 370,208 ----a-w C:\WINDOWS\system32\ZoneLabs\av.dll
+ 2007-05-31 08:03:30 65,248 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\aphish.dat
+ 2006-06-30 22:47:36 21,568 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\avcmhk4.dll
+ 2007-05-31 08:03:16 77,824 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHComm.dll
+ 2007-05-31 08:03:16 110,592 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHrule.dll
+ 2007-05-31 08:03:16 331,776 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHUM.dll
+ 2007-05-31 08:03:16 38,400 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\FSSync.dll
+ 2007-07-19 23:10:32 110,360 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\w2kxp32\kl1.sys
+ 2007-07-19 23:10:32 186,128 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\w2kxp32\klif.sys
+ 2007-05-31 08:03:48 110,360 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\x32\kl1.sys
+ 2007-07-19 23:10:28 127,768 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\x32\klif.sys
+ 2007-05-31 08:03:50 45,056 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\x32\regcat.exe
+ 2006-09-20 07:12:14 208,960 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\inv.dll
+ 2007-09-12 05:09:16 274,432 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\kave.dll
+ 2006-12-20 02:13:52 1,093,632 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\libeay32.dll
+ 2007-05-31 08:03:20 548,864 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\msvcp80.dll
+ 2007-05-31 08:03:20 626,688 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\msvcr80.dll
+ 2007-05-31 08:03:18 184,320 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\prloader.dll
+ 2007-05-31 08:03:22 90,112 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\prremote.dll
+ 2007-09-12 05:09:16 135,168 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
+ 2006-12-20 02:13:52 200,704 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\ssleay32.dll
+ 2007-11-15 00:04:44 99,816 ----a-w C:\WINDOWS\system32\ZoneLabs\camupd.dll
+ 2004-01-30 20:35:08 813,568 ----a-w C:\WINDOWS\system32\ZoneLabs\dbghelp.dll
+ 2007-11-15 00:04:46 128,480 ----a-w C:\WINDOWS\system32\ZoneLabs\fbl.dll
+ 2007-11-15 00:04:46 38,376 ----a-w C:\WINDOWS\system32\ZoneLabs\featuremap.dll
+ 2007-11-15 00:04:46 321,016 ----a-w C:\WINDOWS\system32\ZoneLabs\imsecure.dll
+ 2007-11-15 00:05:18 288,144 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\ConfigWizard.zip.dll
+ 2007-11-15 00:05:18 152,976 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\licenseui.zip.dll
+ 2007-11-15 00:05:18 26,000 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zlsvc.zip.dll
+ 2007-11-15 00:05:18 1,361,296 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zpy.zip.dll
+ 2007-11-15 00:05:20 71,056 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zui.zip.dll
+ 2007-11-15 00:06:34 30,184 ----a-w C:\WINDOWS\system32\ZoneLabs\plugins\rpc_server\rpc_server.dll
+ 2007-11-15 00:06:36 30,216 ----a-w C:\WINDOWS\system32\ZoneLabs\plugins\vsmon_plugin\vsmon_plugin.dll
+ 2007-10-19 04:18:38 714,208 ----a-w C:\WINDOWS\system32\ZoneLabs\qrbase.dll
+ 2007-10-19 04:18:38 787,936 ----a-w C:\WINDOWS\system32\ZoneLabs\qrsrecl.dll
+ 2007-11-15 00:04:48 173,544 ----a-w C:\WINDOWS\system32\ZoneLabs\scheduler.dll
+ 2007-01-11 19:12:08 2,432,259 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
+ 2007-10-19 04:18:40 1,500,640 ----a-w C:\WINDOWS\system32\ZoneLabs\srescan.dll
+ 2007-10-19 04:18:44 51,176 ----a-w C:\WINDOWS\system32\ZoneLabs\srescan.sys
+ 2007-11-15 00:04:50 456,168 ----a-w C:\WINDOWS\system32\ZoneLabs\ssleay32.dll
+ 2007-11-15 00:06:36 214,528 ----a-w C:\WINDOWS\system32\ZoneLabs\streamapi\httpblocker\httpblocker.dll
+ 2007-11-15 00:06:36 3,266,040 ----a-w C:\WINDOWS\system32\ZoneLabs\streamapi\imslsp\imslsp.dll
+ 2006-09-05 04:59:14 503,875 ----a-w C:\WINDOWS\system32\ZoneLabs\upd_core.dll
+ 2007-10-12 00:50:32 832,984 ----a-w C:\WINDOWS\system32\ZoneLabs\updating.dll
+ 2007-11-15 00:05:06 144,936 ----a-w C:\WINDOWS\system32\ZoneLabs\updclient.exe
+ 2007-01-12 01:31:06 286,787 ----a-w C:\WINDOWS\system32\ZoneLabs\updtrsdk.dll
+ 2007-11-15 00:04:52 108,008 ----a-w C:\WINDOWS\system32\ZoneLabs\vsavpro.dll
+ 2007-11-15 00:04:52 83,432 ----a-w C:\WINDOWS\system32\ZoneLabs\vsdb.dll
+ 2007-11-15 00:05:06 75,304 ----a-w C:\WINDOWS\system32\ZoneLabs\vsmon.exe
+ 2007-11-15 00:04:52 2,029,032 ----a-w C:\WINDOWS\system32\ZoneLabs\vsmondll.dll
+ 2007-11-15 00:04:54 1,361,384 ----a-w C:\WINDOWS\system32\ZoneLabs\vsruledb.dll
+ 2007-11-15 00:04:54 239,080 ----a-w C:\WINDOWS\system32\ZoneLabs\vsvault.dll
+ 2007-01-11 19:12:08 2,432,259 ----a-w C:\WINDOWS\system32\ZoneLabs\zlasdbup.dat
+ 2007-11-15 00:04:56 177,640 ----a-w C:\WINDOWS\system32\ZoneLabs\zlparser.dll
+ 2007-11-15 00:04:56 79,344 ----a-w C:\WINDOWS\system32\ZoneLabs\zlquarantine.dll
+ 2007-11-15 00:04:58 382,440 ----a-w C:\WINDOWS\system32\ZoneLabs\zlsre.dll
+ 2007-11-15 00:04:58 120,296 ----a-w C:\WINDOWS\system32\ZoneLabs\zlupdate.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 07:20]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 16:57]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 21:32]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-28 21:39]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-28 21:39]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-06-28 23:43 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 01:09 C:\WINDOWS\SOUNDMAN.EXE]
"NVRaidService"="C:\WINDOWS\System32\nvraidservice.exe" [2004-06-10 19:15]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 13:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-01 14:49]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 12:45]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-24 17:47]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^LA^Start Menu^Programs^Startup^腾讯QQ.lnk]
path=C:\Documents and Settings\LA\Start Menu\Programs\Startup\腾讯QQ.lnk
backup=C:\WINDOWS\pss\腾讯QQ.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Octoshape Streaming Services]
C:\Program Files\Octoshape Streaming Services\LA\OctoshapeClient.exe -inv:bootrun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
2006-01-30 08:00 98304 -ra------ C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
2003-01-09 08:21 253952 --a------ C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2003-01-13 09:19 757760 --a------ C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
c:\program files\steam\steam.exe -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-06-13 16:57 68856 --a------ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpeedUpMyPC]
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2007-05-14 14:22 35328 --a------ C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"MDM"=2 (0x2)

S3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187B.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-12-11 03:00:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-06 02:50:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-07-09 01:50:23 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-12 18:00:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-12 18:02:15 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-10 15:52
C:\ComboFix3.txt ... 2007-12-09 15:59
.
--- E O F ---




FSECURE-----------


Result: 14 malware found
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System
System
System
System
System
System
System
System
System
System

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 37490
System: 4535
Not scanned: 3
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 13
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{D8741F28-8FBF-43C3-BFCB-5CE5B56E59F1}.BIN

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-12-12
F-Secure AVP: 7.0.171, 2007-12-13
F-Secure Orion: 1.2.37, 2007-12-13
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 2007-11-28
F-Secure Pegasus: 1.19.0, 2007-11-09
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
Use Advanced heuristics

#13 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg
  • Local time:12:38 PM
Posted 13 December 2007 - 04:32 PM

Hey Pleaforpeace,

Tracking cookies are part of today's Internet world. If you wish to block them or know more about what they are, you can read these links:

i kinda need limewire.

What do you need it for? If you are after programmes and music that is allowed to be downloaded via p2p software, then there are many other programmes of choice that are much safer than this one. Keeping this programme will just leave you open for re-infection in no time.

With your antivirus software disabled again, we are both just wasting our time. There is no way we will get you cleaned up if you keep turning off your protection or do not follow my instructions accordingly.

Step #1

While Spybot's TeaTimer is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
  • Run Spybot-S&D
  • Go to the Mode menu, and make sure "Advanced Mode" is selected
  • On the left hand side, choose Tools -> Resident
  • Uncheck "Resident TeaTimer" and OK any prompts
You can reenable TeaTimer once your system is clean.

Step #2
  • Open notepad and copy/paste the text in the codebox below into it:

    File::
    C:\NV27642768.TMP
    
    Folder::
    C:\Documents and Settings\All Users\Application Data\Viewpoint
  • Save this as CFScript.txt

    Posted Image
  • Referring to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    Note:
    Do not mouse click ComboFix's window whilst it's running. That may cause it to stall.
Step #3

Please post back with a fresh HijackThis log and the ComboFix log.

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#14 pleaforpeace
  • Topic Starter

  • Members
  • 23 posts
  • Local time:03:38 AM
Posted 13 December 2007 - 10:25 PM

Hey, the Spybot TeaTimer was already unchecked.
Oh yeah, if I delete LimeWire, will I lose everything I downloaded from it?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:21:21 PM, on 12/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\nvraidservice.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/stg_drm.ocx
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/armhelper.ocx
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

--
End of file - 7440 bytes


COMBOFIX_______________________________________________________


ComboFix 07-12-09.1 - LA 2007-12-13 19:11:57.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.535 [GMT -8:00]
Running from: C:\Documents and Settings\LA\My Documents\ComboFix.exe
Command switches used :: C:\Documents and Settings\LA\My Documents\cfscript.txt
* Created a new restore point

FILE
C:\NV27642768.TMP
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Manager\config.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Manager\Downloads\Cache\1C85739532179E35254195204D050F03C9DC26D3.dat
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Manager\Downloads\Cache\1DC35D5766C037FEBEF69DA43E8C12BEF1868DFC.dat
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Manager\Downloads\Cache\22C617B83891408EB6AB12EF1A93A9E7D8E3C955.dat
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Manager\Downloads\Cache\25E530C0266043F06DDBF19083992C55D506A67D.dat
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Manager\Downloads\Cache\44EA01069E17599C43FFB0E96AD5897F2D212A20.dat
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Manager\Downloads\Cache\5D77D966848120E827ECF25D743E9AEA6B68CC1D.dat
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Manager\Downloads\Cache\8FE4C9CCDC0B25D28F4A0320F11B1996231B7912.dat
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Manager\Downloads\Cache\cache.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Manager\Downloads\Cache\D1A57250C5C318DC64EB161B38082AB72920FFF4.dat
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Manager\Downloads\Cache\D49E2FAA4017EEE09B851548D7ED3256598CD768.dat
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Manager\history.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Manager\locate-akamai.mtx
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Manager\locate.mtz
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Manager\policy-akamai.mtx
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Manager\ServicesRegistry.xml
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Manager\updates-akamai.mtx
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Manager\vdt.dat
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\ComponentRegistry.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\DownLoadHist.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\HostRegistry.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\MTSDownloadSites.txt
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\-1216280834.swf
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\-2136829663.swf
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\1296253975.mtz
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\1539226850.swf
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\253621806.mtx
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\627924407.mtx
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\URLCache.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\-1293832449.swf
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\-1470562119.swf
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\-1585819430.swf
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\-1675640269.swf
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\-175997629.mtz
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\-526872310.swf
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\1040960286.swf
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\226815145.mts
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\625127249.mtx
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\706973891.swf
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\759269103.mts
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\URLCache.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\1938724535.swf
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\407034558.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\960147799.mts
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\URLCache.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\1221553041.swf
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\215672118.swf
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\777095010.mtx
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\URLCache.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\UpdateVersionList_v2.mtx

.
((((((((((((((((((((((((( Files Created from 2007-11-14 to 2007-12-14 )))))))))))))))))))))))))))))))
.

2007-12-12 18:26 . 2007-12-12 18:26 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-12-12 17:44 . 2007-12-12 17:44 <DIR> d-------- C:\Program Files\OGPlanet
2007-12-12 17:39 . 2007-12-12 18:29 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-12-12 17:39 . 2007-12-12 18:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-12 17:39 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-12-12 17:39 . 2007-12-12 18:23 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-12-12 17:38 . 2007-12-12 18:29 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-12-12 08:07 . 2007-12-12 08:08 1,393 --a------ C:\WINDOWS\imsins.BAK
2007-12-01 21:15 . 2007-12-01 21:15 <DIR> d-------- C:\Program Files\Common Files\Thraex Software
2007-12-01 21:15 . 2007-12-01 21:36 <DIR> d-------- C:\CS1.6 LITE
2007-12-01 20:28 . 2007-12-01 20:33 101,192 --a------ C:\WINDOWS\Portable Counter-Strike 1.6 Uninstaller.exe
2007-12-01 19:55 . 2007-12-01 21:15 295,226 --a------ C:\WINDOWS\CS1.6 LITE Uninstaller.exe
2007-12-01 19:02 . 2007-12-01 19:02 <DIR> dr-h----- C:\Documents and Settings\LA\Application Data\SecuROM
2007-12-01 19:02 . 2007-12-01 19:02 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-12-01 19:01 . 2007-12-01 19:01 <DIR> d-------- C:\Program Files\Hasbro
2007-11-25 16:17 . 2007-11-25 16:17 <DIR> d-------- C:\Documents and Settings\LA\Application Data\Nexon
2007-11-25 14:25 . 2007-12-12 17:45 <DIR> d-------- C:\Program Files\PokerStars
2007-11-24 21:21 . 2007-11-24 21:21 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-24 17:19 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-24 16:50 . 2007-11-24 16:50 <DIR> d-------- C:\Documents and Settings\LA\Application Data\TrojanHunter
2007-11-24 16:25 . 2007-11-24 17:35 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2007-11-24 16:10 . 2007-11-24 16:22 <DIR> d-------- C:\Program Files\RegistryFix
2007-11-24 11:10 . 2007-11-24 11:10 <DIR> d-------- C:\Program Files\CCleaner
2007-11-23 09:05 . 2006-12-25 22:58 189,312 -ra------ C:\WINDOWS\system32\drivers\RTL8187B.sys
2007-11-23 08:34 . 2007-11-23 08:34 <DIR> d-------- C:\NV27642768.TMP
2007-11-18 19:30 . 2007-11-18 19:30 <DIR> d-------- C:\Program Files\Ventrilo
2007-11-18 19:30 . 2007-11-18 19:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-13 01:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\NexonUS
2007-12-10 20:52 --------- d-----w C:\Documents and Settings\LA\Application Data\AVG7
2007-12-10 00:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-09 22:32 --------- d-----w C:\Program Files\LimeWire
2007-12-09 21:21 --------- d-----w C:\Program Files\Starcraft
2007-12-08 21:38 --------- d-----w C:\Program Files\Steam
2007-11-30 03:46 --------- d-----w C:\Program Files\DivX
2007-11-25 01:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-23 17:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-23 16:33 --------- d-----w C:\Program Files\Marvell
2007-11-23 16:32 --------- d-----w C:\Program Files\Gigabyte
2007-11-18 02:21 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-13 02:29 --------- d-----w C:\Program Files\IObit
2007-11-11 05:16 --------- d-----w C:\Program Files\Sygate
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 18:29 --------- d-----w C:\Program Files\Java
2007-10-27 18:28 --------- d-----w C:\Program Files\AIM6
2007-10-27 18:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-10-20 00:56 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-10-20 00:56 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-10-20 00:56 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-10-20 00:56 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-10-20 00:54 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-10-20 00:54 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-10-20 00:54 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-10-20 00:54 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-10-18 09:06 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-10-18 09:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-10-18 09:03 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-10-18 09:03 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-10-18 09:03 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-10-18 09:03 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-10-18 09:03 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-10-18 09:02 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
.

((((((((((((((((((((((((((((( snapshot_2007-12-12_18.01.19.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-13 02:27:01 18,718 ----a-r C:\WINDOWS\Installer\{BFD080F6-3BF0-40E1-9507-9CA969C35870}\ARPPRODUCTICON.exe
+ 2007-12-13 02:27:01 18,718 ----a-r C:\WINDOWS\Installer\{BFD080F6-3BF0-40E1-9507-9CA969C35870}\NewShortcut1_E659E0EE10E649B7869660F38D0EB174.exe
+ 2007-12-13 02:27:01 18,718 ----a-r C:\WINDOWS\Installer\{BFD080F6-3BF0-40E1-9507-9CA969C35870}\NewShortcut2_8315396A5EA1419DBEC4978284BDF556.exe
+ 2007-04-26 18:21:30 302,000 ----a-w C:\WINDOWS\system32\drivers\fwdrv.sys
+ 2007-04-26 18:21:34 72,624 ----a-w C:\WINDOWS\system32\drivers\khips.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 07:20]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 16:57]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 21:32]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-28 21:39]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-28 21:39]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-06-28 23:43 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 01:09 C:\WINDOWS\SOUNDMAN.EXE]
"NVRaidService"="C:\WINDOWS\System32\nvraidservice.exe" [2004-06-10 19:15]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 13:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-01 14:49]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 12:45]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-24 17:47]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^LA^Start Menu^Programs^Startup^腾讯QQ.lnk]
path=C:\Documents and Settings\LA\Start Menu\Programs\Startup\腾讯QQ.lnk
backup=C:\WINDOWS\pss\腾讯QQ.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Octoshape Streaming Services]
C:\Program Files\Octoshape Streaming Services\LA\OctoshapeClient.exe -inv:bootrun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
2006-01-30 08:00 98304 -ra------ C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
2003-01-09 08:21 253952 --a------ C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2003-01-13 09:19 757760 --a------ C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
c:\program files\steam\steam.exe -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-06-13 16:57 68856 --a------ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpeedUpMyPC]
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2007-05-14 14:22 35328 --a------ C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"MDM"=2 (0x2)

R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys
R2 SPF4;Sunbelt Personal Firewall 4;"C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe"
S3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187B.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-12-11 03:00:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-06 02:50:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-07-09 01:50:23 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-13 19:16:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-13 19:17:44
C:\ComboFix2.txt ... 2007-12-12 18:02
C:\ComboFix3.txt ... 2007-12-10 15:52
.
--- E O F ---

THANKS

Edited by pleaforpeace, 13 December 2007 - 10:27 PM.
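As an added example, not part of this thread or of ComboFix itself, a small Python parser for the "Reg Loading Points" section of a ComboFix log like the one above: it pulls out each autostart entry together with the path ComboFix resolved for it (the bracketed path after the timestamp for bare names such as RUNDLL32.exe) and lists the entries whose binary timestamp falls after a chosen date, a usual first triage pass over a log like this. The sample lines are constructed in the shape of the log above.

```python
import re

# Constructed sample, copied in shape from the "Reg Loading Points" section
# of the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 07:20]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-01 14:49]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)
"""

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')   # e.g. [HKEY_LOCAL_MACHINE\...\Run]
# "name"="value" [YYYY-MM-DD HH:MM] with an optional resolved path inside the
# brackets; ComboFix adds it when the value is a bare name such as RUNDLL32.exe.
ENTRY_RE = re.compile(
    r'^"([^"]+)"="([^"]*)" \[(\d{4}-\d{2}-\d{2} \d{2}:\d{2})(?: (.+?))?\]$')

def parse_loading_points(text):
    """Return the autostart entries as dicts: key, name, value, timestamp, path."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.rstrip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and key:  # policy values like "NoResolveSearch"= 1 (0x1) are skipped
            name, value, stamp, resolved = m.groups()
            entries.append({"key": key, "name": name, "value": value,
                            "timestamp": stamp, "path": resolved or value})
    return entries

def entries_newer_than(entries, date):
    """Names of entries whose binary timestamp (YYYY-MM-DD) is later than `date`.
    A first triage pass: a file written after the day the trouble started
    deserves a closer look than a long-standing one."""
    return [e["name"] for e in entries if e["timestamp"][:10] > date]

if __name__ == "__main__":
    found = parse_loading_points(SAMPLE_LOG)
    print(entries_newer_than(found, "2007-10-02"))
```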


#15 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg
  • Local time:12:38 PM

Posted 15 December 2007 - 06:35 PM

Hey Pleaforpeace,

oh yeah if i delete limewire, will i loose everything i downloaded from it?

You can always check what folder you chose to store your downloaded files in. If you are unsure, just move it to a folder where you are sure it is safe from removal.

Step #1
  • Open notepad and copy/paste the text in the codebox below into it:

    Folder::
    C:\NV27642768.TMP
  • Save this as CFScript.txt

    Posted Image
  • Referring to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    Note:
    Do not mouse click ComboFix's window whilst it's running. That may cause it to stall.
Step #2

Please do a final scan with F-Secure to see what we are left with now.

Step #3

Please post back with the ComboFix log and the F-Secure report. Thanks.

