
Error loading rundll and Chinese popups



London_Guy
2007-11-30, 22:30
I recently encountered the same problem as described in the other Chinese popups thread. I installed Kaspersky and it deleted a few pieces of spyware and I don't get the RunDll error anymore. I thought I was safe. However, after a while, I noticed some strange application being installed w/o me even clicking on anything! Of course I uninstalled it and reran Kaspersky. I also ran ComboFix and HijackThis. If anyone can take a look at the logs and let me know if everything is indeed clean, I'd really appreciate it. Thanks!

ComboFix Log:
ComboFix 07-11-19.4C - Administrator 2007-11-30 15:29:33.1 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Local Settings\Application Data\baidu
C:\Documents and Settings\All Users\Application Data.\microsoft\pctools
C:\Documents and Settings\All Users\Application Data.\microsoft\pctools\pctools.dll
C:\Documents and Settings\All Users\Application Data.\t
C:\Documents and Settings\All Users\Application Data.\t\a1623.dat
C:\Documents and Settings\All Users\Application Data.\t\b1623.dat
C:\Documents and Settings\All Users\Application Data.\t\k1623.dat
C:\Documents and Settings\All Users\Application Data.\t\p1623.dat
C:\Documents and Settings\All Users\Application Data.\t\r1623.dat
C:\Documents and Settings\All Users\Application Data\microsoft\pctools\pctools.dll
C:\Program Files\Common Files\cpush
C:\Program Files\Common Files\cpush\Uninst.exe
C:\WINDOWS\fc1.bmp
C:\WINDOWS\fn00321.log
C:\WINDOWS\ocinfo.dat
C:\WINDOWS\system\dvl
C:\WINDOWS\system\lvl
C:\WINDOWS\system32\1521.dll
C:\WINDOWS\system32\1521.dlltmp
C:\WINDOWS\system32\52241.exe
C:\WINDOWS\system32\911.dll
C:\WINDOWS\system32\d3d1caps.srg
C:\WINDOWS\system32\drivers\acpidisk.sys
C:\WINDOWS\system32\drivers\inetmib3.sys
C:\WINDOWS\system32\iexp_log.txt
C:\WINDOWS\system32\inetmib3.dll
C:\WINDOWS\system32\inf\scrsys16_071129.dll
C:\WINDOWS\system32\mprmsgse.axz
C:\WINDOWS\system32\mscpx32r.det

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_ACPIDISK
-------\LEGACY_CNPROV
-------\LEGACY_INETMIB3
-------\LEGACY_MS_2FAX
-------\acpidisk
-------\inetmib3
-------\ms_2fax


((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-30 )))))))))))))))))))))))))))))))
.

2007-11-30 12:48 <DIR> d-------- C:\Program Files\Trisnap Technologies
2007-11-30 11:57 <DIR> d-------- C:\Program Files\Viewpoint
2007-11-30 03:41 68 --a------ C:\WINDOWS\system32\ae95
2007-11-30 03:11 68 --a------ C:\WINDOWS\system32\a3f
2007-11-30 02:41 68 --a------ C:\WINDOWS\system32\7b58
2007-11-30 01:11 68 --a------ C:\WINDOWS\system32\0fa
2007-11-30 00:52 68 --a------ C:\WINDOWS\system32\48a
2007-11-30 00:22 68 --a------ C:\WINDOWS\system32\3f3f
2007-11-29 22:25 78 --a------ C:\WINDOWS\system32\mywehit.ini
2007-11-29 22:22 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-11-29 22:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-29 22:22 1,668,384 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-29 22:22 18,976 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-11-29 22:22 9,992 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-29 22:22 2,828 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-11-29 19:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-11-29 18:25 29 --a------ C:\WINDOWS\system32\-18-98-23117
2007-11-29 18:24 74,360 --a------ C:\WINDOWS\an006.exe
2007-11-29 18:24 14 --a------ C:\WINDOWS\system32\-34-98-23117
2007-11-29 18:23 200,704 --a------ C:\WINDOWS\ThunderBHONew.dll
2007-11-29 18:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2007-11-29 18:18 <DIR> d-------- C:\Program Files\Uniblue
2007-11-29 18:02 24,576 --a------ C:\WINDOWS\my_70203.exe
2007-11-29 10:21 1 --a------ C:\WINDOWS\system32\suxp.uni
2007-11-29 10:14 184,320 --a------ C:\WINDOWS\system32\winlib0.dll
2007-11-29 10:10 24,576 --a------ C:\WINDOWS\subc.exe
2007-11-29 10:09 <DIR> d-------- C:\WINDOWS\system32\inf
2007-11-29 10:09 514,812 --a------ C:\WINDOWS\subb.exe
2007-11-29 10:09 128 --a------ C:\WINDOWS\system32\rsfunser.ini
2007-11-29 10:09 0 --a------ C:\WINDOWS\eqigocn321.dll
2007-11-29 10:09 0 --a------ C:\WINDOWS\askerserkb.dll
2007-11-28 21:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Wippien
2007-11-28 21:58 23,096 --a------ C:\WINDOWS\system32\drivers\wip0203.sys
2007-11-28 20:05 <DIR> d-------- C:\Program Files\Trillian
2007-11-28 20:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\.purple
2007-11-28 09:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\.gaim
2007-11-27 18:55 <DIR> d-------- C:\Movies
2007-11-27 10:18 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Miranda
2007-11-23 21:16 <DIR> d-------- C:\Program Files\WinAVI Video Converter
2007-11-20 13:26 <DIR> d-------- C:\Program Files\Gabest
2007-11-19 12:16 <DIR> d-------- C:\Program Files\NCH Software
2007-11-17 22:59 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-17 21:37 57,344 --------- C:\WINDOWS\system32\ImageDrive.cpl
2007-11-17 21:35 569,344 -ra------ C:\WINDOWS\system32\imagr5.dll
2007-11-17 21:35 544,768 -ra------ C:\WINDOWS\system32\imagx5.dll
2007-11-17 21:35 283,920 -ra------ C:\WINDOWS\system32\ImagXpr5.dll
2007-11-17 21:35 155,648 -ra------ C:\WINDOWS\system32\NeroCheck.exe
2007-11-14 11:58 2,682,880 --------- C:\WINDOWS\UNNeroVision.exe
2007-11-14 11:55 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2007-11-14 11:55 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2007-11-14 11:55 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2007-11-14 11:55 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2007-11-14 11:55 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2007-11-14 11:55 106,496 --------- C:\WINDOWS\system32\TwnLib20.dll
2007-11-13 21:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ahead
2007-11-13 21:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2007-11-13 12:59 724,992 --a------ C:\WINDOWS\iun6002.exe
2007-11-08 23:18 51,072 --a--c--- C:\WINDOWS\system32\dllcache\i8042prt.sys
2007-11-08 23:18 22,016 --a--c--- C:\WINDOWS\system32\dllcache\mouclass.sys
2007-11-08 23:17 19,968 --------- C:\WINDOWS\LOGI_MWX.EXE
2007-10-27 14:34 <DIR> d-------- C:\WINDOWS\Cache
2007-10-27 14:34 31 --ah----- C:\WINDOWS\uccspecc.sys
2007-10-21 12:56 <DIR> d-------- C:\Program Files\Compaq Wireless LAN
2007-10-20 23:25 183,296 --a------ C:\WINDOWS\system32\drivers\wlcom51b.sys
2007-10-20 23:25 180,224 --a------ C:\WINDOWS\system32\wacom51b.dll
2007-10-20 23:25 159,744 --a------ C:\WINDOWS\system32\wncom51b.cpl
2007-10-20 23:25 57,344 --a------ C:\WINDOWS\system32\wccom51b.exe
2007-10-20 23:25 7,680 --a------ C:\WINDOWS\system32\wdcmb51b.dll
2007-10-20 20:58 214,896 --a------ C:\WINDOWS\system32\wncom.hlp
2007-10-20 20:58 729 --a------ C:\WINDOWS\system32\wncom.cnt
2007-10-20 20:30 49,664 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-10-20 20:30 49,664 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2007-10-20 20:30 45,568 --a--c--- C:\WINDOWS\system32\dllcache\iyuv_32.dll
2007-10-20 20:30 8,192 --a------ C:\WINDOWS\system32\tsbyuv.dll
2007-10-20 20:30 8,192 --a--c--- C:\WINDOWS\system32\dllcache\tsbyuv.dll
2007-10-16 14:09 <DIR> d-------- C:\Program Files\iPod
2007-10-16 14:08 <DIR> d-------- C:\Program Files\iTunes
2007-10-16 14:05 <DIR> d-------- C:\Program Files\QuickTime
2007-10-16 14:01 <DIR> d-------- C:\Program Files\Apple Software Update
2007-10-16 14:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-10-12 09:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Move Networks
2007-10-03 17:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Samsung
2007-10-03 16:53 22,486 -ra------ C:\WINDOWS\system32\UnInstall_Sample.ico
2007-10-03 16:50 <DIR> d-------- C:\WINDOWS\system32\Samsung PC Studio Codecs
2007-10-03 16:50 766 --a--c--- C:\WINDOWS\system32\Uninstall.ico
2007-10-03 16:46 <DIR> d-------- C:\WINDOWS\system32\Samsung_USB_Drivers
2007-10-03 16:46 <DIR> d-------- C:\WINDOWS\LastGood
2007-10-03 16:46 94,000 --a------ C:\WINDOWS\system32\drivers\ssm_mdm.sys
2007-10-03 16:46 58,320 --a------ C:\WINDOWS\system32\drivers\ssm_bus.sys
2007-10-03 16:46 22,486 -ra------ C:\WINDOWS\system32\UnInstall_Driver.ico
2007-10-03 16:46 8,336 --a------ C:\WINDOWS\system32\drivers\ssm_mdfl.sys
2007-10-03 16:46 6,176 --a------ C:\WINDOWS\system32\drivers\ssm_cmnt.sys
2007-10-03 16:46 6,176 --a------ C:\WINDOWS\system32\drivers\ssm_cm.sys
2007-10-03 16:46 5,840 --a------ C:\WINDOWS\system32\drivers\ssm_whnt.sys
2007-10-03 16:46 5,840 --a------ C:\WINDOWS\system32\drivers\ssm_wh.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-30 17:39 --------- d-----w C:\Program Files\ICQ
2007-11-30 03:34 82,061 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2007-11-30 03:34 81,549 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2007-11-29 01:02 --------- d-----w C:\Documents and Settings\Administrator\Application Data\.purple
2007-11-28 14:27 --------- d-----w C:\Documents and Settings\Administrator\Application Data\.gaim
2007-11-28 05:01 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2007-11-27 22:41 53,248 ----a-r C:\WINDOWS\c861.exe
2007-11-19 17:21 --------- d-----w C:\Program Files\Samsung
2007-11-18 05:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-18 02:59 --------- d-----w C:\Program Files\Logitech
2007-11-18 02:44 --------- d-----w C:\Program Files\Common Files\Logitech
2007-11-18 02:42 --------- d-----w C:\Program Files\Java
2007-11-18 02:39 --------- d-----w C:\Program Files\Common Files\aolshare
2007-11-18 02:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-11-18 02:36 --------- d-----w C:\Program Files\Ahead
2007-10-16 19:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-15 18:44 --------- d-----w C:\Program Files\VAG-COM
2007-10-08 14:40 --------- d-----w C:\Program Files\FlashGet
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{385AB8C6-FB22-4D17-8834-064E2BA0A6F0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}]
C:\WINDOWS\System32\1521.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9751A53-4494-4d7c-9732-AE3058D8145F}]
C:\WINDOWS\System32\1521.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE439C63-384A-747A-A357-23D96B5D652B}]
2005-01-27 06:37 970240 --------- C:\PROGRA~1\ALiBaBar\ALiBaBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{0A1375E1-56C2-11D6-8E45-8933A0FB5235}"= C:\PROGRA~1\ALiBaBar\ALiBaBar.dll [2005-01-27 06:37 970240]

[HKEY_CLASSES_ROOT\clsid\{0a1375e1-56c2-11d6-8e45-8933a0fb5235}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 05:41]
"ICQ Plus"="C:\Program Files\ICQPlus\vplus.exe" [2002-12-04 05:32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Vmlist"="regsvr32 /s apphelps.dll" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-12-10 11:41]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-28 23:39]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-28 23:39]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 04:50]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" [2006-06-08 17:37]
"LTWinModem1"="ltmsg.exe" [2003-10-28 01:00 C:\WINDOWS\system32\ltmsg.exe]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 C:\WINDOWS\LOGI_MWX.EXE]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2002-08-28 23:38]
"HostManager"="C:\Program Files\Common Files\AOL\1189113338\ee\AOLSoftware.exe" [2006-09-25 19:52]
"hkss"="C:\Program Files\Compaq\Hotkey Software\hkss.exe" [2002-09-19 14:30]
"EPSON Stylus CX3800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe" [2005-02-08 03:00]
"eabconfg.cpl"="C:\Program Files\Compaq\EAB\EABSERVR.exe" [2002-11-12 11:39]
"CitiVAN"="C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe" [2004-08-12 14:55]
"AtiPTA"="atiptaxx.exe" [2002-02-07 23:10 C:\WINDOWS\system32\atiptaxx.exe]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 15:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2001-08-23 07:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2001-08-23 07:00]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 05:41]
C:\WINDOWS\System32\klogon.dll 2007-06-28 12:51 206088 C:\WINDOWS\system32\klogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\combofix]
@="service"

R2 MSDCOMClient;DCOM Service Process Manager;C:\WINDOWS\System32\svchost.exe -k netsvcs
R3 BCM42U;USB HPNA 10 Mbps Network Adapter Driver;C:\WINDOWS\System32\DRIVERS\BCM42U.SYS
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\System32\DRIVERS\klim5.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\System32\drivers\WmBEnum.sys
R3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\System32\drivers\WmFilter.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\System32\drivers\WmXlCore.sys
S0 rupewz;rupew;C:\WINDOWS\System32\DRIVERS\rupewz.sys
S0 yoycsp48;yoycsp4;C:\WINDOWS\System32\DRIVERS\yoycsp48.sys
S2 qsvn;Windows qsvn RunThem;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 S6U12BScanner;MUSTEK 1200 UB Still Image Device Service;C:\WINDOWS\System32\drivers\usbscan.sys
S3 wip0203;Wippien Network Adapter 2.3;C:\WINDOWS\System32\DRIVERS\wip0203.sys
S3 wlcom51b;Compaq USB Driver;C:\WINDOWS\System32\DRIVERS\wlcom51b.sys
S3 wltwo48b;2Wire Wireless PC Card Driver;C:\WINDOWS\System32\DRIVERS\wltwo48b.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\System32\drivers\WmVirHid.sys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
qsvn
MSDCOMClient

.
Contents of the 'Scheduled Tasks' folder
"2007-11-27 02:18:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-30 15:34:46
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-30 15:36:37 - machine was rebooted
.
--- E O F ---

London_Guy
2007-11-30, 22:31
HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:06:05 PM, on 11/30/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\System32\ltmsg.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1189113338\ee\AOLSoftware.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\Program Files\Compaq\EAB\EABSERVR.EXE
C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ICQPlus\vplus.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\iPod\bin\iPodService.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\System32\BhoCitUS.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: ALiBaBar_Helper - {CE439C63-384A-747A-A357-23D96B5D652B} - C:\PROGRA~1\ALiBaBar\ALiBaBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: ALiBaBar - {0A1375E1-56C2-11D6-8E45-8933A0FB5235} - C:\PROGRA~1\ALiBaBar\ALiBaBar.dll
O4 - HKLM\..\Run: [Vmlist] regsvr32 /s apphelps.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1189113338\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O5 "LPT1:" /M "Stylus CX3800"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EABSERVR.EXE /Start
O4 - HKLM\..\Run: [CitiVAN] C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe /dontopenmycards
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ICQ Plus] "C:\Program Files\ICQPlus\vplus.exe"
O4 - HKLM\..\Policies\Explorer\Run: [if4g] rundll32 "C:\WINDOWS\Downlo~1\if4g.dll",Run
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 剪貼簿文字: 簡 > 繁 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToTrad
O8 - Extra context menu item: 剪貼簿文字: 繁 > 簡 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToSim
O8 - Extra context menu item: 網頁: [簡體] 顯示 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToSim
O8 - Extra context menu item: 網頁: [繁體] 顯示 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToTrad
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Crypkey License - Unknown owner - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 7311 bytes

Here is the other thread I was talking about: http://forums.spybot.info/showthread.php?p=139969

teacup61
2007-12-11, 02:43
Hello London_Guy,

Welcome to Safer Networking Forums

Sorry for the delay. When you reply to your own topic it looks like you're being helped, as Helpers look for topics with 0 replies. If you still need help, please post a new HijackThis log so I can be sure nothing has changed.

Thanks,
tea