
Remove Infostealer.Gampass malware

Discussion in 'Malware and Virus Removal Archive' started by Starylosophy, 2007/04/08.

  1. 2007/04/23
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Yuck. :(

    See what that Gmer log shows?
    There is that dll file we've been trying to kill several times. Part of the problem is that dll is "injected" into nearly every process. This of course makes removal quite difficult because it is nearly impossible to stop it from "running". Everything is "using" it.
    That msccrt.exe also injects itself to several processes.

    Please send me New complete startup list from Hijackthis.
    Please also send me New SREng log

    Plus a Log from this:

    Download Systemscan.exe and save it to the desktop. If you have it already please delete the one you've got & grab the new one. It is updated often.

    http://www.suspectfile.com/systemscan

    To prevent floods/attacks the site makes you wait several seconds before actually getting the file.
    If you have too much trouble getting it, let me know & I'll upload it for you.

    Double click it to run. (it will be a random(ish) name like sys25683.exe)
    Check the following items:

    - suspicious files: compressed with UPX, FSG, Polycrypt, Upack and others
    All the rest are already checked.
    OK the prompt.
    Better disconnect from the internet & shut down your AVG & Norton or they are gonna go crazy while systemscan is scanning files.
    Click "scan now"
    OK the prompt.

    **Note
    This scan will take a while so please be patient.
    This tool does not fix anything. It just does a scan and generates a log.
    Once done the log should pop up.

    C:\suspectfile\report.txt

    Upload the report please.
    Don't forget to turn your AV on again before you connect to the internet.

    Do let me know of new outgoing alerts from firewall.
    The one you had to allow to make IE work is not showing in current logs. So the firewall is helping to "find files" that we can't see.

    Thanks :)
     
  2. 2007/04/23
    Blender
    Me again...

    Can you scan this file please at Jotti and/or Virus Total:

    C:\Windows\system32\drivers\update.sys

    I rarely ever see that file in gmer logs.

    Jotti/Virus total links:

    http://virusscan.jotti.org/
    http://www.virustotal.com/

    You can also upload that file to your thread at spykiller please if the system will let you.
    I would like to compare it to my file.

    Thanks :)
     


  4. 2007/04/24
    Starylosophy
    Last edited: 2007/04/24
  5. 2007/04/24
    Blender
    Hi,

    For some reason I get an error trying to access the yousendit site. I don't know if it is only temporary or a problem at my end.
    Can you zip those logs up and upload them to your spykiller thread please?

    Just toss them in a folder, zip it and upload the zip.

    Thanks for the screenshot. File looks OK. I think update.sys is acting funny because of those other files hooking much of your system.

    To get ready for the next round please delete the following:

    C:\Avenger <-- folder
    C:\!Killbox <-- folder
    C:\Avenger.txt

    Download ATF Cleaner by Atribune and save it to your Desktop. Do nothing with it yet.

    http://www.atribune.org/ccount/click.php?id=1

    Thanks
     
  6. 2007/04/25
    Starylosophy
    Ok, I've uploaded the zipped logs and reports to the spykiller site.
     
  7. 2007/04/26
    Blender
    Hi,

    Sorry for the delay. My own computer had "issues".

    Thanks for the logs :)

    Question:

    What is this user account?: Chunlosophy
    You added this?
    It appears to not have admin privs.
    I didn't notice this profile folder in other logs, which is why I ask. If you did create this account, we'll need to go there later to clean it out.
    Please don't run that account till we clean this one. If something we can't see on yours is "waiting" for us on the other account, the infection reloads all over again.
    I'll use other tools to gain access to info I need from other account to clean before logging into it.

    I'll be back shortly with instructions.

    Blender
     
  8. 2007/04/27
    Blender
    Me again....

    Print out or copy instructions to notepad please. You need to be offline to do this and I want all browser windows closed.
    Please also temporarily shut down your antivirus so it does not interfere with fix.

    It may seem the list of files to delete is quite long. Even though all these files don't show in most recent logs they did in others.
    Because of the nature of this malware it is quite possible some of the others came back so I'm including all the known files.

    I am attaching to my post a file called "blender.txt".
    Please save this file someplace convenient like your desktop.

    Once you have copied the instructions please disconnect from the internet, shut off antivirus and exit all browser, Instant Messenger and email windows.

    Double click ATF-Cleaner.exe
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache
    Recycle bin

    The rest are optional - if you want to remove the lot, check "Select All".
    Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

    If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

    When you have finished, click on the Exit button in the Main menu.

    Double click avenger.exe

    Under "script to execute" check the radio button that says load script from file
    Click the "folder" icon directly to the right, navigate to blender.txt, highlight it and choose "open".

    Now click the green light at right
    Answer yes twice when prompted.

    Your computer will reboot twice

    Once it restarts again Avenger will flash up a "dos" box. Normal.
    You may also get several errors about files missing. That's OK. We'll fix that next. Likely you will have trouble again opening your drives. We'll fix that too next.
    It may also take longer than usual to boot. Normal.

    Avenger will show a log file of what was done.

    Please post:

    New hijackthis log
    C:\Avenger.txt

    Please upload:

    New Systemscan log
    New complete startuplist log

    Let me know how machine is running and if you are still getting warnings from your firewall.

    Thanks :)
     
  9. 2007/04/27
    Starylosophy
    I added this account as Symantec lags the task bar and I couldn't see my desktop icons. But I don't use it now since the one I use works fine already.

    Startuplist Log:
    http://download.yousendit.com/4337400E7B0E6E4F

    Systemscan Log:
    http://download.yousendit.com/4982F5A16A0710DF

    HJT Log:
    Logfile of HijackThis v1.99.1
    Scan saved at 9:26:22 PM, on 4/27/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\Syswm7\svchost.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
    C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Hijackthis\hijackthis.exe

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe "
    O4 - HKLM\..\Run: [EPSON Stylus CX3700 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE /P26 "EPSON Stylus CX3700 Series" /O6 "USB001" /M "Stylus CX3700 "
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe
    O4 - HKLM\..\Run: [shualai] C:\WINDOWS\shualai.exe /i
    O4 - HKLM\..\Run: [winform] C:\WINDOWS\winform.exe
    O4 - HKLM\..\Run: [msccrt] C:\WINDOWS\msccrt.exe
    O4 - HKLM\..\Run: [cmdcs] C:\WINDOWS\cmdcs.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://download.ppstream.com/bin/powerplayer.cab
    O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} - http://download.ppstream.com/bin/powerplayer.cab
    O16 - DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} (NowStarter Control) - http://www.gogobox.com.tw/neo.fld/GNowStarter.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe



    Avenger Log:
    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\jclonwxp

    *******************

    Script file located at: \??\C:\Documents and Settings\fbkqxjir.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Driver f8748fe unloaded successfully.
    Folder C:\WINDOWS\Syswm6 deleted successfully.
    Folder C:\WINDOWS\Syssj4 deleted successfully.
    Folder C:\WINDOWS\SysJT2 deleted successfully.
    Folder C:\WINDOWS\SysSun1 deleted successfully.
    File C:\WINDOWS\system32\F8748FE.DLL deleted successfully.
    File C:\WINDOWS\system32\F8748FE.exe deleted successfully.
    File C:\WINDOWS\system32\mppds.dll deleted successfully.


    File C:\WINDOWS\system32\mppds.exe not found!
    Deletion of file C:\WINDOWS\system32\mppds.exe failed!

    Could not process line:
    C:\WINDOWS\system32\mppds.exe
    Status: 0xc0000034

    File C:\rising.exe deleted successfully.
    File c:\autorun.inf deleted successfully.


    File C:\windows\system32\__delete_on_reboot__F_8_7_4_8_F_E_._D_L_L_ not found!
    Deletion of file C:\windows\system32\__delete_on_reboot__F_8_7_4_8_F_E_._D_L_L_ failed!

    Could not process line:
    C:\windows\system32\__delete_on_reboot__F_8_7_4_8_F_E_._D_L_L_
    Status: 0xc0000034



    File C:\WINDOWS\system32\__delete_on_reboot__g_1_1_7_7_2_4_9_5_3_2_4_._e_x_e_ not found!
    Deletion of file C:\WINDOWS\system32\__delete_on_reboot__g_1_1_7_7_2_4_9_5_3_2_4_._e_x_e_ failed!

    Could not process line:
    C:\WINDOWS\system32\__delete_on_reboot__g_1_1_7_7_2_4_9_5_3_2_4_._e_x_e_
    Status: 0xc0000034



    File C:\WINDOWS\system32\__delete_on_reboot__g_1_1_7_7_2_4_9_5_2_9_2_._e_x_e_ not found!
    Deletion of file C:\WINDOWS\system32\__delete_on_reboot__g_1_1_7_7_2_4_9_5_2_9_2_._e_x_e_ failed!

    Could not process line:
    C:\WINDOWS\system32\__delete_on_reboot__g_1_1_7_7_2_4_9_5_2_9_2_._e_x_e_
    Status: 0xc0000034

    File C:\WINDOWS\mppds.exe deleted successfully.
    File C:\WINDOWS\shualai.exe deleted successfully.
    File C:\windows\system32\shualai.dll deleted successfully.


    File C:\WINDOWS\system32\g11763611986.exe not found!
    Deletion of file C:\WINDOWS\system32\g11763611986.exe failed!

    Could not process line:
    C:\WINDOWS\system32\g11763611986.exe
    Status: 0xc0000034

    File C:\WINDOWS\winform.exe deleted successfully.
    File C:\WINDOWS\system32\winform.dll deleted successfully.


    File c:\windows\system32\msccrt.dll not found!
    Deletion of file c:\windows\system32\msccrt.dll failed!

    Could not process line:
    c:\windows\system32\msccrt.dll
    Status: 0xc0000034

    File c:\windows\msccrt.exe deleted successfully.


    File c:\windows\system32\nortins.dll not found!
    Deletion of file c:\windows\system32\nortins.dll failed!

    Could not process line:
    c:\windows\system32\nortins.dll
    Status: 0xc0000034



    File c:\windows\nortins.exe not found!
    Deletion of file c:\windows\nortins.exe failed!

    Could not process line:
    c:\windows\nortins.exe
    Status: 0xc0000034



    File c:\windows\system32\nortond.dll not found!
    Deletion of file c:\windows\system32\nortond.dll failed!

    Could not process line:
    c:\windows\system32\nortond.dll
    Status: 0xc0000034



    File c:\windows\nortond.exe not found!
    Deletion of file c:\windows\nortond.exe failed!

    Could not process line:
    c:\windows\nortond.exe
    Status: 0xc0000034



    File C:\WINDOWS\cmdbcs.exe not found!
    Deletion of file C:\WINDOWS\cmdbcs.exe failed!

    Could not process line:
    C:\WINDOWS\cmdbcs.exe
    Status: 0xc0000034



    File c:\windows\system32\cmdbcs.dll not found!
    Deletion of file c:\windows\system32\cmdbcs.dll failed!

    Could not process line:
    c:\windows\system32\cmdbcs.dll
    Status: 0xc0000034



    File C:\WINDOWS\mafinss.exe not found!
    Deletion of file C:\WINDOWS\mafinss.exe failed!

    Could not process line:
    C:\WINDOWS\mafinss.exe
    Status: 0xc0000034



    File C:\WINDOWS\muceess.exe not found!
    Deletion of file C:\WINDOWS\muceess.exe failed!

    Could not process line:
    C:\WINDOWS\muceess.exe
    Status: 0xc0000034



    File C:\WINDOWS\moonfees.exe not found!
    Deletion of file C:\WINDOWS\moonfees.exe failed!

    Could not process line:
    C:\WINDOWS\moonfees.exe
    Status: 0xc0000034



    File c:\windows\mooness.exe not found!
    Deletion of file c:\windows\mooness.exe failed!

    Could not process line:
    c:\windows\mooness.exe
    Status: 0xc0000034



    File C:\WINDOWS\system32\moonfees.dll not found!
    Deletion of file C:\WINDOWS\system32\moonfees.dll failed!

    Could not process line:
    C:\WINDOWS\system32\moonfees.dll
    Status: 0xc0000034



    File C:\WINDOWS\system32\muceess.dll not found!
    Deletion of file C:\WINDOWS\system32\muceess.dll failed!

    Could not process line:
    C:\WINDOWS\system32\muceess.dll
    Status: 0xc0000034



    File C:\WINDOWS\system32\mafinss.dll not found!
    Deletion of file C:\WINDOWS\system32\mafinss.dll failed!

    Could not process line:
    C:\WINDOWS\system32\mafinss.dll
    Status: 0xc0000034



    File C:\WINDOWS\system32\mooness.dll not found!
    Deletion of file C:\WINDOWS\system32\mooness.dll failed!

    Could not process line:
    C:\WINDOWS\system32\mooness.dll
    Status: 0xc0000034



    File C:\WINDOWS\system32\nortens.dll not found!
    Deletion of file C:\WINDOWS\system32\nortens.dll failed!

    Could not process line:
    C:\WINDOWS\system32\nortens.dll
    Status: 0xc0000034



    File c:\windows\nortens.exe not found!
    Deletion of file c:\windows\nortens.exe failed!

    Could not process line:
    c:\windows\nortens.exe
    Status: 0xc0000034


    Completed script processing.

    *******************

    Finished! Terminate.
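A small triage helper, added here as an example and not code from this thread, from HijackThis or from Avenger: it parses the O4 Run-key lines of two HijackThis logs and the result lines of an Avenger log, flags autostart entries that point into the Windows root folder or a Temp folder, and reports which entries Avenger deleted but which are back in the later log. That is the re-loading behaviour Blender describes, and it is the check a helper wants before deciding the next round. The sample lines are constructed from the logs quoted in this thread (including the 2007/04/30 log further down); the two filter rules are my own assumptions, not signatures. Paths are compared case-insensitively because Avenger logs `c:\windows\msccrt.exe` while HijackThis shows `C:\WINDOWS\msccrt.exe`.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample input: O4 (Run-key) lines in the style of the
# HijackThis log posted on 2007/04/27, before the Avenger run.
HJT_BEFORE = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe
O4 - HKLM\..\Run: [shualai] C:\WINDOWS\shualai.exe /i
O4 - HKLM\..\Run: [winform] C:\WINDOWS\winform.exe
O4 - HKLM\..\Run: [msccrt] C:\WINDOWS\msccrt.exe
O4 - HKLM\..\Run: [cmdcs] C:\WINDOWS\cmdcs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed sample input: the same section from the 2007/04/30 log, after Avenger ran.
HJT_AFTER = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [shualai] C:\WINDOWS\shualai.exe /i
O4 - HKLM\..\Run: [upxdnd] C:\DOCUME~1\STARYL~1\LOCALS~1\Temp\upxdnd.exe
O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe
O4 - HKLM\..\Run: [winform] C:\WINDOWS\winform.exe
O4 - HKLM\..\Run: [cmdbs] C:\WINDOWS\cmdbs.exe
O4 - HKLM\..\Run: [msccrt] C:\WINDOWS\msccrt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed sample input: result lines in the style of the Avenger log above.
AVENGER_LOG = r"""
File C:\WINDOWS\mppds.exe deleted successfully.
File C:\WINDOWS\shualai.exe deleted successfully.
File C:\WINDOWS\winform.exe deleted successfully.
File c:\windows\msccrt.exe deleted successfully.
File C:\WINDOWS\cmdbcs.exe not found!
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$')
PATH_RE = re.compile(r'[A-Za-z]:\\.*?\.exe', re.IGNORECASE)   # first drive-letter path ending in .exe
DELETED_RE = re.compile(r'^File (?P<path>.+?) deleted successfully\.$')
MISSING_RE = re.compile(r'^File (?P<path>.+?) not found!$')


def norm(path: str) -> str:
    """Windows paths are case-insensitive, so compare them lower-cased and trimmed."""
    return path.strip().lower()


def parse_o4(log: str) -> Dict[str, str]:
    """Map 'HIVE\\ValueName' -> normalised executable path for every O4 Run-key line."""
    entries: Dict[str, str] = {}
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group('cmd')
        pm = PATH_RE.search(cmd)
        # Bare names like RTHDCPL.EXE carry no drive letter; keep them as-is.
        path = pm.group(0) if pm else cmd.strip().strip('"')
        entries[f"{m.group('hive')}\\{m.group('name')}"] = norm(path)
    return entries


def parse_avenger(log: str) -> Tuple[Set[str], Set[str]]:
    """Return (paths Avenger deleted, paths Avenger could not find)."""
    deleted: Set[str] = set()
    missing: Set[str] = set()
    for line in log.splitlines():
        line = line.strip()
        if (m := DELETED_RE.match(line)):
            deleted.add(norm(m.group('path')))
        elif (m := MISSING_RE.match(line)):
            missing.add(norm(m.group('path')))
    return deleted, missing


def flag_suspicious(entries: Dict[str, str]) -> List[str]:
    """Assumed heuristic: Run entries living directly in C:\\WINDOWS or under a Temp folder."""
    flagged = []
    for key, path in entries.items():
        parent = path.rsplit('\\', 1)[0]
        if parent == 'c:\\windows' or '\\temp\\' in path:
            flagged.append(key)
    return sorted(flagged)


def reappeared(after: Dict[str, str], deleted: Set[str]) -> List[str]:
    """Entries whose executable Avenger deleted, yet which are present in the later log."""
    return sorted(key for key, path in after.items() if path in deleted)


def new_entries(before: Dict[str, str], after: Dict[str, str]) -> List[str]:
    """Run-key value names that appear only in the later log (e.g. renamed droppers)."""
    return sorted(key for key in after if key not in before)


def triage(before_log: str, after_log: str, avenger_log: str) -> Dict[str, List[str]]:
    before, after = parse_o4(before_log), parse_o4(after_log)
    deleted, _missing = parse_avenger(avenger_log)
    return {
        "suspicious_now": flag_suspicious(after),
        "reappeared_after_deletion": reappeared(after, deleted),
        "new_since_previous_log": new_entries(before, after),
    }


if __name__ == "__main__":
    for section, keys in triage(HJT_BEFORE, HJT_AFTER, AVENGER_LOG).items():
        print(f"{section}: {keys}")
```

Run against the constructed samples, every Run entry Avenger removed (mppds, shualai, winform, msccrt) is back, and two names that were not in the earlier log (cmdbs, upxdnd) have appeared, which is the kind of evidence that a file-deletion round alone is not enough and a different method is needed.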
     
  10. 2007/04/29
    Blender
    Hi,

    Sorry for the delay.

    Thanks for info regarding that other account. Keep it for now in case you need it.

    Grrrr!! We are not making much progress are we. Obviously I'm missing something I can't see. :mad: :confused:

    Time to move on to a different method methinks.

    Download Dr.Web's CureIt to your desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

    Double-click the drweb-cureit.exe file and allow it to run the express scan.

    This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.

    Once the short scan has finished, select the drives that you want to scan.

    Select all drives. A red dot shows which drives have been chosen.

    Click the green arrow > to the right and the scan will begin.

    At the first infection, select 'Yes to all' if it asks if you want to cure/move the file.

    When the scan has finished, click the "Select all" toggle button (if available) next to the files found

    Then click the green cup icon right below and select Move incurable

    This will move any infected files that can't be cured to the %userprofile%\DoctorWeb\quarantine folder (in case we need samples, and in case of any false positives to restore).

    Then, from the main Dr.Web CureIt menu (top left), click File and choose save report list !important!
    Save the report to your desktop. The report will be called DrWeb.csv

    Close Dr.Web Cureit and Restart your computer to completely remove any stubborn files in reboot.

    Next:

    *Create a folder on your desktop called Sysclean.
    Go to http://www.trendmicro.com/download/dcs.asp and download sysclean package to the folder you made.
    Go to http://www.trendmicro.com/download/pattern.asp and download the Virus Pattern File (Official Pattern Release) to your desktop.
    This file will be called lptXXX.zip (XXX represents the version number)
    Unzip lptXXX.zip and you'll get the file lpt$vpn.XXX.
    Read here how to unzip/extract properly:
    http://metallica.geekstogo.com/xpcompressedexplanation.html
    Move the lpt$vpn.XXX to that Sysclean-folder you created on your desktop.

    Reboot into Safe Mode (without networking support!):
    To get into Safe Mode as the computer is booting, press and hold your "F8 key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

    Open the sysclean folder and double-click sysclean.com.
    Check: Automatically clean or delete detected files.
    Click scan.
    When the scan is finished reboot back to normal mode.

    Open your sysclean-folder and copy and paste the contents of sysclean.log in your next reply along with the DrWeb.csv report please along with a new hijackthis log.

    If the DrWeb log and sysclean log are too big to post here then upload them please.

    Let me know if you have your XP CD in case we need to use it for access to recovery console. I am exploring this option to delete baddies if above methods don't work.
    If you have no CD, we do have a file from which you can create a bootable CD that you can use to access the RC.

    I would like to ask as well...
    Right around the time you got attacked by this... what if anything did you install? Something you downloaded from site? p2p?
    Whatever it is I'm interested in it so I can try & reproduce what you have on my test box to see what the heck I am missing out on.

    Thanks :)
     
  11. 2007/04/30
    Starylosophy
    Hi,

    I do have the XP CD. But it's not the genuine one. I'm wondering why, after I reformatted my PC, the malware is still there?

    And I also found out that after a reboot sometimes, the date will be changed to Year 2005 and I will have to change to Year 2007 so I could sign in to MSN.

    I remembered I was searching some Chinese fonts and browsing some sites. And whilst clicking, I went to a site and was alerted that my PC had been affected.

    Just to let you know that the trial period for AVG is up so it's not running on my PC now.

    Dr.Web report:
    http://download.yousendit.com/103A36326116D155

    Sysclean Log:
    http://download.yousendit.com/0263D56B15FA7569

    HJT Log:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:14:54 PM, on 4/30/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
    C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
    C:\Program Files\Hijackthis\hijackthis.exe

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe "
    O4 - HKLM\..\Run: [EPSON Stylus CX3700 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE /P26 "EPSON Stylus CX3700 Series" /O6 "USB001" /M "Stylus CX3700 "
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [shualai] C:\WINDOWS\shualai.exe /i
    O4 - HKLM\..\Run: [upxdnd] C:\DOCUME~1\STARYL~1\LOCALS~1\Temp\upxdnd.exe
    O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe
    O4 - HKLM\..\Run: [winform] C:\WINDOWS\winform.exe
    O4 - HKLM\..\Run: [cmdbs] C:\WINDOWS\cmdbs.exe
    O4 - HKLM\..\Run: [msccrt] C:\WINDOWS\msccrt.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://download.ppstream.com/bin/powerplayer.cab
    O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} - http://download.ppstream.com/bin/powerplayer.cab
    O16 - DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} (NowStarter Control) - http://www.gogobox.com.tw/neo.fld/GNowStarter.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: F8748FE - Unknown owner - C:\WINDOWS\system32\F8748FE.EXE (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
     
  12. 2007/04/30
    Blender

    Hi,

    As for the CD: for the way I may need you to use it, it won't matter whether it is a "genuine" one or not. It will simply be used to get into the Recovery Console, much like booting Windows 98 from a floppy.
    With some of these infections one has to work "outside" the operating system itself in order to remove files that the malware is protecting, or files that inject themselves into every running process.

    As for why you were infected after the format: either one of the programs you re-installed is infected, or you visited a site that re-infected you.

    Let me look at these logs and I'll reply in a bit with further instructions. I will give you some instructions for now too.

    In the meantime, can you do this for me? I really want to find the site that did this so we can find the initial "loader" that sparked off this whole infection-fest.
    If I can get hold of the "loader" I can get it out to all the AV companies so they can detect/block it before it has a chance to "load" anything.

    Click start> run> type:

    shell:cache\content.ie5

    hit enter.

    Don't open any of those odd-named folders, please.
    There will be a file there called "index.dat".
    Can you copy it someplace, zip it up and upload it, please?
    Just X out of the folder when done.

    Your AVG is still good for manual scanning and manual updates.
    What you did lose from trial expiry was the auto-updates and background protection.
    Otherwise it is still a good program to have.

    While I'm looking at these virus logs; please do the following:

    Start Hijackthis
    Run system scan and check:

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [shualai] C:\WINDOWS\shualai.exe /i
    O4 - HKLM\..\Run: [upxdnd] C:\DOCUME~1\STARYL~1\LOCALS~1\Temp\upxdnd.exe
    O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe
    O4 - HKLM\..\Run: [winform] C:\WINDOWS\winform.exe
    O4 - HKLM\..\Run: [cmdbs] C:\WINDOWS\cmdbs.exe
    O4 - HKLM\..\Run: [msccrt] C:\WINDOWS\msccrt.exe


    Close all open windows and click "Fix checked", then OK.

    Exit Hijackthis

    Click start> run> type this command and hit enter:

    sc delete F8748FE

    A "DOS" box will flash up briefly and disappear. That's normal.

    Reboot

    Please post fresh hijackthis log here.

    Thanks.
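    As an added example (not part of the thread, and not code from HijackThis), here are the triage rules behind the "fix checked" list above, written as a small parser over O4, O23 and O2 lines. The sample lines are copied from the logs posted in this thread; the regexes, the heuristics and the wording of the findings are the editor's own assumptions. "Unknown owner" is deliberately not treated as a finding, since it typically only means the binary carries no version information (the ATI and Macromedia services in the log show it too).

```python
"""Triage HijackThis O4 (autorun), O23 (service) and O2 (BHO) lines.

Added example; not part of the original thread or of the HijackThis tool.
The sample lines are copied from the logs posted in the thread. The rules
mirror what the helper picked for "fix checked": autoruns launched from a
temp directory, a bare <name>.exe dropped straight into C:\WINDOWS and named
after its Run key, a service whose binary is gone, and a BHO with no file.
Heuristic thresholds and names are assumptions, not HijackThis behaviour.
"""
import re

# Constructed sample: legitimate and malicious entries mixed, taken from the posted log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [shualai] C:\WINDOWS\shualai.exe /i
O4 - HKLM\..\Run: [upxdnd] C:\DOCUME~1\STARYL~1\LOCALS~1\Temp\upxdnd.exe
O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe
O4 - HKLM\..\Run: [msccrt] C:\WINDOWS\msccrt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O23 - Service: F8748FE - Unknown owner - C:\WINDOWS\system32\F8748FE.EXE (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.*)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$')

TEMP_AUTORUN = 'autorun from temp directory'
BARE_WINDOWS_EXE = 'bare executable in C:\\WINDOWS named after its Run key'
ORPHAN_SERVICE = 'orphaned service (binary missing)'
DEAD_BHO = 'BHO registration pointing at a missing DLL'


def _exe_path(cmd):
    """Pull the executable path out of a Run value (quoted or not), dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(' ')[0]


def triage(log_text):
    """Return a list of (log_line, reason) for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            low = _exe_path(m.group('cmd')).lower()
            # Autoruns that live in a temp directory are almost never legitimate.
            if '\\temp\\' in low or '\\locals~1\\' in low:
                findings.append((line, TEMP_AUTORUN))
            # <key>.exe sitting directly in C:\WINDOWS is the pattern of the
            # droppers in this thread (shualai, mppds, winform, cmdbs, msccrt).
            elif (re.fullmatch(r'c:\\windows\\[a-z0-9]+\.exe', low)
                  and low.rsplit('\\', 1)[1] == m.group('name').lower() + '.exe'):
                findings.append((line, BARE_WINDOWS_EXE))
            continue
        m = O23_RE.match(line)
        if m and 'file missing' in m.group('path').lower():
            # Service entry whose binary no longer exists: leftover to delete with `sc delete`.
            findings.append((line, ORPHAN_SERVICE))
            continue
        m = O2_RE.match(line)
        if m and m.group('path').strip() == '(no file)':
            findings.append((line, DEAD_BHO))
    return findings


if __name__ == '__main__':
    for entry, why in triage(SAMPLE_LOG):
        print(f'{why:55s} {entry}')
```

    Run against the constructed sample it flags exactly the shualai, upxdnd, mppds and msccrt autoruns, the F8748FE service and the nameless BHO, and leaves ccApp, ctfmon, RTHDCPL and Rtvscan alone. The rules are intentionally narrow: a finding is a reason to look at the file (upload it to a multi-engine scanner, as the thread does), not a verdict.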
     
  13. 2007/04/30
    Blender

    After doing the above...

    Please run The Avenger again using the same instructions and file I gave you in this post:

    http://www.windowsbbs.com/showpost.php?p=344129&postcount=47

    Some files won't be present but that's fine. (the log will tell me what was there)
    Neither scanner nailed the dlls.

    Post the new c:\avenger.txt please.

    Thanks :)
     
  14. 2007/04/30
    Blender

    Hi,

    Back again...

    I need another log from you. It's possible there are some nasties sitting in your Internet Explorer folder and I need to see what is there. I'm also looking for a few other files and registry entries.

    Copy the following text to a new notepad file.
    Make sure "wordwrap" is OFF.
    Save as file name peek.bat
    As file types: all files
    Save it to the desktop.

    Code:
    rem Search the whole of C: for the files of interest and start a fresh C:\peek.txt
    cd /d c:\
    if exist peek.txt del peek.txt
    dir /s servet.exe >peek.txt
    dir /s 8.exe >>peek.txt
    dir /s IEXPLORER.EXE >>peek.txt
    
    rem Registry entries of interest: the service, the ShellExecuteHook and its CLSID
    reg query hklm\system\currentcontrolset\services\WindowsDown >>peek.txt
    reg query hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{DD7D4640-4464-48C0-82FD-21338366D2D2} >>peek.txt
    reg query hklm\SOFTWARE\Classes\CLSID\{DD7D4640-4464-48C0-82FD-21338366D2D2} >>peek.txt
    
    rem Full recursive listing of the Internet Explorer folder
    cd "c:\program files\internet explorer"
    dir /s >>C:\peek.txt
    
    pause
    
    Once saved double click it and let it run.
    You will be prompted to "press any key to continue".
    Just hit Enter and the cmd box will close.

    upload this file please: (will be too big to post here I think)

    C:\peek.txt

    Thanks :)
     
  15. 2007/04/30
    Starylosophy

    index.dat file:
    http://download.yousendit.com/3D7C13985940EB52


    HJT Log:
    Logfile of HijackThis v1.99.1
    Scan saved at 3:23:19 AM, on 5/1/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\WINDOWS\system32\notepad.exe
    C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Hijackthis\hijackthis.exe

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe "
    O4 - HKLM\..\Run: [EPSON Stylus CX3700 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE /P26 "EPSON Stylus CX3700 Series" /O6 "USB001" /M "Stylus CX3700 "
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://download.ppstream.com/bin/powerplayer.cab
    O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} - http://download.ppstream.com/bin/powerplayer.cab
    O16 - DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} (NowStarter Control) - http://www.gogobox.com.tw/neo.fld/GNowStarter.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe



    Avenger Log:

    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\bvtwybgi

    *******************

    Script file located at: \??\C:\Documents and Settings\dsfhcowi.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:



    Registry key \Registry\Machine\System\CurrentControlSet\Services\f8748fe not found!
    Unload of driver f8748fe failed!

    Could not process line:
    f8748fe
    Status: 0xc0000034



    Folder C:\WINDOWS\Syswm6 not found!
    Deletion of folder C:\WINDOWS\Syswm6 failed!

    Could not process line:
    C:\WINDOWS\Syswm6
    Status: 0xc0000034



    Folder C:\WINDOWS\Syssj4 not found!
    Deletion of folder C:\WINDOWS\Syssj4 failed!

    Could not process line:
    C:\WINDOWS\Syssj4
    Status: 0xc0000034

    Folder C:\WINDOWS\SysJT2 deleted successfully.
    Folder C:\WINDOWS\SysSun1 deleted successfully.
    File C:\WINDOWS\system32\F8748FE.DLL deleted successfully.


    File C:\WINDOWS\system32\F8748FE.exe not found!
    Deletion of file C:\WINDOWS\system32\F8748FE.exe failed!

    Could not process line:
    C:\WINDOWS\system32\F8748FE.exe
    Status: 0xc0000034

    File C:\WINDOWS\system32\mppds.dll deleted successfully.


    File C:\WINDOWS\system32\mppds.exe not found!
    Deletion of file C:\WINDOWS\system32\mppds.exe failed!

    Could not process line:
    C:\WINDOWS\system32\mppds.exe
    Status: 0xc0000034



    File C:\rising.exe not found!
    Deletion of file C:\rising.exe failed!

    Could not process line:
    C:\rising.exe
    Status: 0xc0000034

    File c:\autorun.inf deleted successfully.


    File C:\windows\system32\__delete_on_reboot__F_8_7_4_8_F_E_._D_L_L_ not found!
    Deletion of file C:\windows\system32\__delete_on_reboot__F_8_7_4_8_F_E_._D_L_L_ failed!

    Could not process line:
    C:\windows\system32\__delete_on_reboot__F_8_7_4_8_F_E_._D_L_L_
    Status: 0xc0000034



    File C:\WINDOWS\system32\__delete_on_reboot__g_1_1_7_7_2_4_9_5_3_2_4_._e_x_e_ not found!
    Deletion of file C:\WINDOWS\system32\__delete_on_reboot__g_1_1_7_7_2_4_9_5_3_2_4_._e_x_e_ failed!

    Could not process line:
    C:\WINDOWS\system32\__delete_on_reboot__g_1_1_7_7_2_4_9_5_3_2_4_._e_x_e_
    Status: 0xc0000034



    File C:\WINDOWS\system32\__delete_on_reboot__g_1_1_7_7_2_4_9_5_2_9_2_._e_x_e_ not found!
    Deletion of file C:\WINDOWS\system32\__delete_on_reboot__g_1_1_7_7_2_4_9_5_2_9_2_._e_x_e_ failed!

    Could not process line:
    C:\WINDOWS\system32\__delete_on_reboot__g_1_1_7_7_2_4_9_5_2_9_2_._e_x_e_
    Status: 0xc0000034



    File C:\WINDOWS\mppds.exe not found!
    Deletion of file C:\WINDOWS\mppds.exe failed!

    Could not process line:
    C:\WINDOWS\mppds.exe
    Status: 0xc0000034



    File C:\WINDOWS\shualai.exe not found!
    Deletion of file C:\WINDOWS\shualai.exe failed!

    Could not process line:
    C:\WINDOWS\shualai.exe
    Status: 0xc0000034



    File C:\windows\system32\shualai.dll not found!
    Deletion of file C:\windows\system32\shualai.dll failed!

    Could not process line:
    C:\windows\system32\shualai.dll
    Status: 0xc0000034



    File C:\WINDOWS\system32\g11763611986.exe not found!
    Deletion of file C:\WINDOWS\system32\g11763611986.exe failed!

    Could not process line:
    C:\WINDOWS\system32\g11763611986.exe
    Status: 0xc0000034

    File C:\WINDOWS\winform.exe deleted successfully.
    File C:\WINDOWS\system32\winform.dll deleted successfully.


    File c:\windows\system32\msccrt.dll not found!
    Deletion of file c:\windows\system32\msccrt.dll failed!

    Could not process line:
    c:\windows\system32\msccrt.dll
    Status: 0xc0000034

    File c:\windows\msccrt.exe deleted successfully.


    File c:\windows\system32\nortins.dll not found!
    Deletion of file c:\windows\system32\nortins.dll failed!

    Could not process line:
    c:\windows\system32\nortins.dll
    Status: 0xc0000034



    File c:\windows\nortins.exe not found!
    Deletion of file c:\windows\nortins.exe failed!

    Could not process line:
    c:\windows\nortins.exe
    Status: 0xc0000034



    File c:\windows\system32\nortond.dll not found!
    Deletion of file c:\windows\system32\nortond.dll failed!

    Could not process line:
    c:\windows\system32\nortond.dll
    Status: 0xc0000034



    File c:\windows\nortond.exe not found!
    Deletion of file c:\windows\nortond.exe failed!

    Could not process line:
    c:\windows\nortond.exe
    Status: 0xc0000034



    File C:\WINDOWS\cmdbcs.exe not found!
    Deletion of file C:\WINDOWS\cmdbcs.exe failed!

    Could not process line:
    C:\WINDOWS\cmdbcs.exe
    Status: 0xc0000034



    File c:\windows\system32\cmdbcs.dll not found!
    Deletion of file c:\windows\system32\cmdbcs.dll failed!

    Could not process line:
    c:\windows\system32\cmdbcs.dll
    Status: 0xc0000034



    File C:\WINDOWS\mafinss.exe not found!
    Deletion of file C:\WINDOWS\mafinss.exe failed!

    Could not process line:
    C:\WINDOWS\mafinss.exe
    Status: 0xc0000034



    File C:\WINDOWS\muceess.exe not found!
    Deletion of file C:\WINDOWS\muceess.exe failed!

    Could not process line:
    C:\WINDOWS\muceess.exe
    Status: 0xc0000034



    File C:\WINDOWS\moonfees.exe not found!
    Deletion of file C:\WINDOWS\moonfees.exe failed!

    Could not process line:
    C:\WINDOWS\moonfees.exe
    Status: 0xc0000034



    File c:\windows\mooness.exe not found!
    Deletion of file c:\windows\mooness.exe failed!

    Could not process line:
    c:\windows\mooness.exe
    Status: 0xc0000034



    File C:\WINDOWS\system32\moonfees.dll not found!
    Deletion of file C:\WINDOWS\system32\moonfees.dll failed!

    Could not process line:
    C:\WINDOWS\system32\moonfees.dll
    Status: 0xc0000034



    File C:\WINDOWS\system32\muceess.dll not found!
    Deletion of file C:\WINDOWS\system32\muceess.dll failed!

    Could not process line:
    C:\WINDOWS\system32\muceess.dll
    Status: 0xc0000034



    File C:\WINDOWS\system32\mafinss.dll not found!
    Deletion of file C:\WINDOWS\system32\mafinss.dll failed!

    Could not process line:
    C:\WINDOWS\system32\mafinss.dll
    Status: 0xc0000034



    File C:\WINDOWS\system32\mooness.dll not found!
    Deletion of file C:\WINDOWS\system32\mooness.dll failed!

    Could not process line:
    C:\WINDOWS\system32\mooness.dll
    Status: 0xc0000034



    File C:\WINDOWS\system32\nortens.dll not found!
    Deletion of file C:\WINDOWS\system32\nortens.dll failed!

    Could not process line:
    C:\WINDOWS\system32\nortens.dll
    Status: 0xc0000034



    File c:\windows\nortens.exe not found!
    Deletion of file c:\windows\nortens.exe failed!

    Could not process line:
    c:\windows\nortens.exe
    Status: 0xc0000034


    Completed script processing.

    *******************

    Finished! Terminate.


    Peek report:

    Volume in drive C has no label.
    Volume Serial Number is A882-AB77
    Volume in drive C has no label.
    Volume Serial Number is A882-AB77
    Volume in drive C has no label.
    Volume Serial Number is A882-AB77
    Volume in drive C has no label.
    Volume Serial Number is A882-AB77

    Directory of C:\Program Files\Internet Explorer

    04/15/2007 09:07 PM <DIR> .
    04/15/2007 09:07 PM <DIR> ..
    04/15/2007 09:15 PM <DIR> 1.0.11.39
    04/15/2007 09:48 PM <DIR> cache
    04/08/2007 11:40 PM <DIR> Connection Wizard
    08/04/2004 08:56 AM 38,912 HMMAPI.DLL
    04/15/2007 09:42 PM <DIR> http
    01/04/2007 06:36 PM 18,432 iedw.exe
    08/04/2004 08:56 AM 93,184 IEXPLORE.EXE
    04/15/2007 09:07 PM <DIR> log
    04/20/2007 04:26 PM <DIR> PLUGINS
    04/15/2007 09:07 PM <DIR> preview
    04/09/2007 11:21 PM <DIR> SIGNUP
    3 File(s) 150,528 bytes

    Directory of C:\Program Files\Internet Explorer\1.0.11.39

    04/15/2007 09:15 PM <DIR> .
    04/15/2007 09:15 PM <DIR> ..
    04/15/2007 09:15 PM 606,208 vodnet.dll
    04/15/2007 09:09 PM 217,088 vodres.dll
    2 File(s) 823,296 bytes

    Directory of C:\Program Files\Internet Explorer\cache

    04/15/2007 09:48 PM <DIR> .
    04/15/2007 09:48 PM <DIR> ..
    04/15/2007 09:48 PM 6 msg.dat
    1 File(s) 6 bytes

    Directory of C:\Program Files\Internet Explorer\Connection Wizard

    04/08/2007 11:40 PM <DIR> .
    04/08/2007 11:40 PM <DIR> ..
    08/04/2004 08:56 AM 61,440 icwconn.dll
    08/04/2004 08:56 AM 214,528 icwconn1.exe
    08/04/2004 08:56 AM 86,016 icwconn2.exe
    08/04/2004 08:56 AM 32,768 icwdl.dll
    08/04/2004 08:56 AM 172,032 icwhelp.dll
    07/17/2004 07:34 PM 352 icwip.dun
    08/23/2001 01:00 PM 61,440 icwres.dll
    08/04/2004 08:56 AM 24,576 icwrmind.exe
    08/23/2001 01:00 PM 73,728 icwtutor.exe
    08/04/2004 08:56 AM 49,152 icwutil.dll
    07/17/2004 07:34 PM 566 icwx25a.dun
    07/17/2004 07:34 PM 617 icwx25b.dun
    07/17/2004 07:34 PM 566 icwx25c.dun
    08/04/2004 08:56 AM 20,480 inetwiz.exe
    08/23/2001 01:00 PM 16,384 isignup.exe
    07/17/2004 07:34 PM 158 msicw.isp
    07/17/2004 07:34 PM 197 msn.isp
    07/17/2004 07:34 PM 2,921 phone.icw
    07/17/2004 07:34 PM 19 phone.ver
    07/17/2004 07:34 PM 851 state.icw
    07/17/2004 07:34 PM 132 support.icw
    08/23/2001 01:00 PM 40,960 trialoc.dll
    22 File(s) 859,883 bytes

    Directory of C:\Program Files\Internet Explorer\http

    04/15/2007 09:42 PM <DIR> .
    04/15/2007 09:42 PM <DIR> ..
    04/15/2007 09:42 PM 265 xUOO™ñý2I ".asx
    1 File(s) 265 bytes

    Directory of C:\Program Files\Internet Explorer\log

    04/15/2007 09:07 PM <DIR> .
    04/15/2007 09:07 PM <DIR> ..
    0 File(s) 0 bytes

    Directory of C:\Program Files\Internet Explorer\PLUGINS

    04/20/2007 04:26 PM <DIR> .
    04/20/2007 04:26 PM <DIR> ..
    12/18/2006 04:18 AM 77,824 nppdf32.dll
    04/18/2007 03:23 AM 126,976 npqtplugin.dll
    04/18/2007 03:23 AM 126,976 npqtplugin2.dll
    04/18/2007 03:23 AM 126,976 npqtplugin3.dll
    04/18/2007 03:23 AM 126,976 npqtplugin4.dll
    04/18/2007 03:23 AM 126,976 npqtplugin5.dll
    04/18/2007 03:23 AM 126,976 npqtplugin6.dll
    04/18/2007 03:23 AM 126,976 npqtplugin7.dll
    04/18/2007 03:23 AM 4,208 QuickTimePlugin.class
    04/09/2007 11:24 PM <DIR> RichFX
    9 File(s) 970,864 bytes

    Directory of C:\Program Files\Internet Explorer\PLUGINS\RichFX

    04/09/2007 11:24 PM <DIR> .
    04/09/2007 11:24 PM <DIR> ..
    04/09/2007 11:24 PM <DIR> Player
    0 File(s) 0 bytes

    Directory of C:\Program Files\Internet Explorer\PLUGINS\RichFX\Player

    04/09/2007 11:24 PM <DIR> .
    04/09/2007 11:24 PM <DIR> ..
    04/09/2007 11:24 PM 569,397 nprfxins.dll
    04/09/2007 11:25 PM 11,028 nprfxins_EULA.txt
    2 File(s) 580,425 bytes

    Directory of C:\Program Files\Internet Explorer\preview

    04/15/2007 09:07 PM <DIR> .
    04/15/2007 09:07 PM <DIR> ..
    0 File(s) 0 bytes

    Directory of C:\Program Files\Internet Explorer\SIGNUP

    04/09/2007 11:21 PM <DIR> .
    04/09/2007 11:21 PM <DIR> ..
    08/23/2001 01:00 PM 1,363 INSTALL.INS
    1 File(s) 1,363 bytes

    Total Files Listed:
    41 File(s) 3,386,630 bytes
    32 Dir(s) 51,183,722,496 bytes free
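    As an added example (not part of the thread, and not code from The Avenger), a small parser that turns an avenger.txt like the one above into three lists: what was removed, what was already gone, and what failed for a reason other than "not there". The log excerpt is trimmed from the one posted above; the NTSTATUS names come from the public Windows NTSTATUS table, and the list of codes is the editor's own selection. It makes the point the helper makes in words: a 0xC0000034 failure just means the object had already been removed by an earlier pass, while an access-denied or cannot-delete status would mean the file is still being held and needs an offline approach.

```python
"""Summarise an Avenger (Swandog46) log.

Added example, not part of the original thread or of The Avenger itself.
SAMPLE_AVENGER_LOG is constructed from the avenger.txt posted in the thread;
NTSTATUS is a hand-picked subset of the Windows NTSTATUS table.
"""
import re

# Constructed sample: trimmed from the posted avenger.txt.
SAMPLE_AVENGER_LOG = r"""
Registry key \Registry\Machine\System\CurrentControlSet\Services\f8748fe not found!
Unload of driver f8748fe failed!

Could not process line:
f8748fe
Status: 0xc0000034

Folder C:\WINDOWS\SysJT2 deleted successfully.
File C:\WINDOWS\system32\F8748FE.DLL deleted successfully.

File C:\WINDOWS\system32\F8748FE.exe not found!
Deletion of file C:\WINDOWS\system32\F8748FE.exe failed!

Could not process line:
C:\WINDOWS\system32\F8748FE.exe
Status: 0xc0000034

File C:\WINDOWS\system32\mppds.dll deleted successfully.
File c:\autorun.inf deleted successfully.
"""

# Subset of NTSTATUS codes a failed Avenger step commonly reports.
NTSTATUS = {
    0xC0000034: 'STATUS_OBJECT_NAME_NOT_FOUND',
    0xC000003A: 'STATUS_OBJECT_PATH_NOT_FOUND',
    0xC0000022: 'STATUS_ACCESS_DENIED',
    0xC0000043: 'STATUS_SHARING_VIOLATION',
    0xC0000121: 'STATUS_CANNOT_DELETE',
}
# Statuses that mean "nothing was there", i.e. an earlier pass already removed it.
BENIGN = {0xC0000034, 0xC000003A}

RESULT_RE = re.compile(r'^(?P<kind>File|Folder|Registry key) (?P<target>.+?) '
                       r'(?P<outcome>deleted successfully|not found!)\.?$')
STATUS_RE = re.compile(r'^Status: (?P<code>0x[0-9A-Fa-f]{8})$')


def parse_avenger(text):
    """Return {'deleted': [(kind, target)], 'not_found': [(kind, target)],
    'failed': [(script_line, code, ntstatus_name)]}."""
    summary = {'deleted': [], 'not_found': [], 'failed': []}
    pending = None        # script line quoted after "Could not process line:"
    expect_line = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RESULT_RE.match(line)
        if m:
            entry = (m.group('kind'), m.group('target'))
            bucket = 'deleted' if m.group('outcome') == 'deleted successfully' else 'not_found'
            summary[bucket].append(entry)
            continue
        if line == 'Could not process line:':
            expect_line = True
            continue
        if expect_line:
            pending, expect_line = line, False
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            code = int(m.group('code'), 16)
            summary['failed'].append((pending, code, NTSTATUS.get(code, 'unknown')))
            pending = None
    return summary


def real_failures(summary):
    """Failures that are not 'object was not there': these need a different
    approach (Recovery Console, offline boot) rather than another re-run."""
    return [f for f in summary['failed'] if f[1] not in BENIGN]


if __name__ == '__main__':
    s = parse_avenger(SAMPLE_AVENGER_LOG)
    for kind, target in s['deleted']:
        print(f'removed   {kind:13s} {target}')
    for script_line, code, name in s['failed']:
        print(f'failed    {script_line}  ({code:#010x} {name})')
    print('needs another approach:', real_failures(s))
```

    On the constructed excerpt the two failures both carry STATUS_OBJECT_NAME_NOT_FOUND, so real_failures() is empty; the items that matter are the ones reported as deleted, in particular the F8748FE.DLL and mppds.dll that earlier scanners had not been able to remove.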
     
  16. 2007/05/01
    Blender

    Hi,

    Thanks for the file.
    I think ATF-Cleaner deleted the original index.dat that would have shown me how you got attacked, but there are a few things I saw in your logs that we will block.

    Open Hijackthis
    Click "open misc tools section"
    Click "open hosts file manager"
    Click "open with notepad"
    Scroll to the bottom of the file and copy/paste this line to the bottom of the notepad file:

    127.0.0.1 nx.51ylb.cn

    Close the notepad file & accept changes.

    Use your firewall to block these IP numbers:

    222.72.220.49
    222.72.220.48

    You don't want your computer talking to them and you don't want them talking to your computer.

    If needed you can download the manual here to assist with creating rules:

    http://www.personalfirewall.comodo.com/support.html?currency=USD&region=North America&country=US

    Check your program control section in Comodo and delete the exes you had to allow earlier in order for IE to work. (mppds.exe, shualai.exe, winform.exe, msccrt.exe, cmdbcs.exe)
    If you delete them and they come back and ask for access, you will be notified again by Comodo.
    Let me know if you still get these messages.

    I hesitate to say anything too quickly, but I think we are nearly there.
    How are things acting?
    Can you access the C:\ and D:\ drives properly?
    Is your firewall still giving you warnings about these dlls riding on IE, MSN, etc?

    If present delete the following:

    C:\Avenger <-- folder
    C:\documents and settings\Starylosophy\Doctor Web\quarentine <-- folder

    Empty same from recycle bin.

    If you still have any "fix.reg" saved on desktop please delete them.

    Copy the following text to a new notepad file.
    Save as file name fix.reg
    As file types: all files
    save to desktop.

    Code:
    REGEDIT4
    
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    
    The above script was designed for this user only. If you are not Starylosophy, do not run this script or you can damage the inner workings of your system!

    Once saved, double click it and allow the merge.
    You should get a success message.

    Reboot and send me new log from systemscan and let me know how things are running.

    Thanks :)
     
  17. 2007/05/01
    Starylosophy

    Hi,

    I have to do a right-click and open to open my D:\. I don't have any problems opening my C:\

    Regarding the blocking of the two IPs, I input them as this:

    Start Range: 222.72.220.49
    End Range: 222.72.220.49

    Start Range: 222.72.220.48
    End Range: 222.72.220.48

    Is this correct?

    After the reboot, there aren't any alerts from Symantec or Comodo for the following: (mppds.exe, shualai.exe, winform.exe, msccrt.exe, cmdbcs.exe).

    But it detected this riding on IE, MSN:
    C:\Documents and Settings\Starylosophy\Local\Settings\Temp\nsk3.tmp\wkoxiyiefu.exe

    Systemscan report:
    http://download.yousendit.com/CA0AA4B245F7DE4F
     
    Last edited: 2007/05/01
  18. 2007/05/01
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi,

    That file that was riding MSN, IE was part of systemscan. (wkoxiyiefu.exe)
    This alert you got when running systemscan?

    What are these? You downloaded a screensaver someplace?
    I ask because lots of screensavers come bundled with malware.

    c:\windows\mickey32.dll
    c:\windows\install.exe
    c:\windows\install.scr
    c:\windows\02.exe
    c:\windows\02.scr

    Mixed results I get on the dll.

    Can you scan those here please:

    http://virusscan.jotti.org/

    http://www.virustotal.com/

    Post results if any.

    What is in this folder?:
    Anything you recognize?

    c:\s1is

    ------------------------

    I think we can start cleaning up our tools now.

    You can delete off the desktop any tools/fixes I had you download/create.

    As well as these:

    From c:\

    avenger.txt
    peek.txt
    suspectfile
    win32delfkil.exe
    windelf.txt
    qoobox
    combofix2.txt
    combofix-quarentined-files.txt
    combofix.txt

    From C:\Windows:

    Syswm7 <-- folder

    While in the Windows folder, double click on gmer_uninstall.cmd
    Hit "enter" when it tells you to "press any key to continue"
    Then you can delete gmer.ini and gmer_uninstall.cmd

    Empty recycle bin.

    Click start> run> type:

    sc delete pwalker and hit enter.
    A "dos" box flashes up & disappears. Normal.
    This removes systemscan's leftovers.

    Regarding the blocking of the two IPs...
    As long as you've got them blocked both in & out, yes, that is fine. If I read the tutorial right you would have had to create a blocked zone.
    I myself run Zone Alarm so am unsure exactly how to get around in Comodo.

    Check the D:\ drive for that "autorun.inf". Look at it in notepad.
    If it points to "rising.exe" then delete it.
    Let me know if D:\ drive opens correctly after.

    Couple registry keys I wanna check.

    Copy the following text to a new notepad file
    Save as file name export.bat
    As file types: all files
    Save to desktop.


    Code:
    rem Export the two keys we want to look at into c:\regfiles (ANSI .reg format)
    cd /d c:\
    mkdir regfiles
    regedit /a /e c:\regfiles\1.txt HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
    regedit /a /e c:\regfiles\2.txt HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced
    rem Join both exports into one log at c:\mount.txt ("copy a + b target", no "=")
    copy c:\regfiles\1.txt + c:\regfiles\2.txt c:\mount.txt
    pause
    
    Once saved, double click it.
    Press "enter" when prompted to "press any key"

    Upload me this log please.
    C:\Mount.txt

    You can delete c:\regfiles folder once you upload mount.txt

    Thanks :)
     
  19. 2007/05/01
    Starylosophy

    Starylosophy Inactive Thread Starter

    Joined:
    2007/04/08
    Messages:
    35
    Likes Received:
    0
    Last edited: 2007/05/01
  20. 2007/05/03
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi,

    Copy the following text inside code box to a new notepad file.
    Save as file name fix.reg
    As file types: All files
    Save it to the desktop.

    Code:
    REGEDIT4
    
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b535bb5f-e625-11db-b366-806d6172696f}\Shell\Auto\command]
    
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b535bb5f-e625-11db-b366-806d6172696f}\Shell\AutoRun\command]
    
    
    Once saved, double click it and allow the merge.
    You should get a success message.
    You can delete fix.reg and c:\regfiles

    I'm curious what is in that folder.

    lets find out what is there.
    Copy the following text to another new notepad file
    Save as file name peek.bat
    as file types: all files
    Save to desktop.

    Code:
    rem Recursively list c:\s1is into a log (explicit path, so a failed cd cannot list the wrong folder)
    dir /s c:\s1is > c:\s1is.txt
    rem Show the log; the script waits here until Notepad is closed
    notepad c:\s1is.txt
    rem Delete the log file, not the folder ("del c:\s1is" would delete the folder's files instead)
    del c:\s1is.txt
    exit
    
    Once saved, double click it and let it run.
    Notepad will pop up with log.
    Copy/paste contents of log here.
    When you close notepad window the log will be deleted.
    You can delete peek.txt.

    Everything still working good?
    No funny firewall alerts?
    No Norton warnings?

    Thanks :)
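The registry and autorun checks in this thread (post 16's Policies\Explorer\Run deletion, post 18's MountPoints2 export and the autorun.inf look on D:\, post 20's MountPoints2 Shell\Auto and Shell\AutoRun deletion) can be done in one pass over the exported text instead of by eye. The script below is an added example, not code from the thread or from any of the tools used in it: it parses a REGEDIT4 export of the kind the export.bat step produces (with the Policies\Explorer\Run key exported too), lists every cached autorun command under MountPoints2 and every policy Run entry, parses an autorun.inf for its open=, shellexecute= and shell\<verb>\command= targets, and prints the same `[-KEY]` deletion lines a fix.reg uses. The GUID, example_dropper.exe and example_loader.exe in the sample data are invented, and the parser only decodes string values (hex:/dword: data is kept raw).

```python
r"""Persistence check over a REGEDIT4 export (MountPoints2 + Policies\Explorer\Run)
and a drive's autorun.inf; also writes the fix.reg-style deletion script.
Added example, not code from the thread; all sample data is constructed."""
import re

MOUNTPOINTS2 = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"
POLICY_RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
)
HIJACK_VERBS = ("auto", "autorun")  # verbs a drive-autorun hijack registers under ...\Shell
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")  # .reg escapes " and \ with a backslash


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}}; '' is the (Default) value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith(("REGEDIT", "Windows Registry Editor")):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line) if current else None
        if not m:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])  # other types (hex:, dword:) are kept raw
        keys[current][name] = data
    return keys


def find_mountpoint_autorun(keys):
    r"""(key, verb, command) for each MountPoints2\{guid}\Shell\Auto|AutoRun\command key."""
    hits, prefix = [], MOUNTPOINTS2.lower() + "\\"
    for key, values in keys.items():
        k = key.lower()
        parts = k[len(prefix):].split("\\") if k.startswith(prefix) else []
        # expected layout below MountPoints2: {guid} \ shell \ <verb> \ command
        if len(parts) == 4 and parts[1] == "shell" and parts[2] in HIJACK_VERBS and parts[3] == "command":
            hits.append((key, parts[2], values.get("", "")))
    return hits


def find_policy_run_entries(keys):
    r"""(key, value_name, command) for every entry under Policies\Explorer\Run."""
    wanted = {k.lower() for k in POLICY_RUN_KEYS}
    return [(key, name, cmd) for key, values in keys.items()
            if key.lower() in wanted for name, cmd in values.items()]


def parse_autorun_inf(text):
    r"""(directive, target) for open=, shellexecute= and shell\<verb>\command= in [autorun]."""
    targets, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = name.strip().lower()
        if name in ("open", "shellexecute") or (name.startswith("shell\\") and name.endswith("\\command")):
            targets.append((name, value.strip()))
    return targets


def removal_script(keys_to_delete):
    """REGEDIT4 text deleting each key: the same form as the thread's fix.reg."""
    return "REGEDIT4\n\n" + "".join(f"[-{k}]\n\n" for k in keys_to_delete)


# Constructed sample export (invented GUID and file names); Shell\Explore is the benign control.
SAMPLE_MOUNT_TXT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{11111111-2222-3333-4444-555555555555}\Shell\AutoRun\command]
@="D:\\example_dropper.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{11111111-2222-3333-4444-555555555555}\Shell\Auto\command]
@="D:\\example_dropper.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{11111111-2222-3333-4444-555555555555}\Shell\Explore\command]
@="explorer.exe D:\\"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"1"="C:\\WINDOWS\\example_loader.exe"
"""
# Constructed sample autorun.inf as it would sit in the root of D:\
SAMPLE_AUTORUN_INF = "[autorun]\nopen=example_dropper.exe\nshellexecute=example_dropper.exe\n" \
                     "shell\\Auto\\command=example_dropper.exe\nshell=Auto\nicon=setup.ico\n"

if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_MOUNT_TXT)
    autorun, policy = find_mountpoint_autorun(reg), find_policy_run_entries(reg)
    for row in autorun + policy + parse_autorun_inf(SAMPLE_AUTORUN_INF):
        print(" -> ".join(row))
    print(removal_script([k for k, _, _ in autorun + policy]))
```

MountPoints2 is where Explorer caches the autorun verbs it has seen for a volume, so a hit means "a cached autorun command exists for that drive", which some install CDs legitimately leave behind; judge it by what the command points to (here an executable in the root of the removable drive, the pattern this thread is chasing). Deleting the command keys, as post 20's fix.reg does, only stays clean if the autorun.inf on the drive itself is gone too, which is why post 18 has you look at D:\autorun.inf first.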
     
  21. 2007/05/03
    Starylosophy

    Starylosophy Inactive Thread Starter

    Joined:
    2007/04/08
    Messages:
    35
    Likes Received:
    0
    Hi,

    Yeap, so far everything is good, there aren't any warnings from Symantec and Comodo. :)

    s1is.txt:

    Volume in drive C has no label.
    Volume Serial Number is A882-AB77

    Directory of C:\Documents and Settings\Starylosophy\Desktop

    05/03/2007 04:57 PM <DIR> .
    05/03/2007 04:57 PM <DIR> ..
    04/28/2007 12:42 AM <DIR> 01
    04/30/2007 10:29 PM 202,039,182 060917_36913__26085__20843__40670__27284_-_26696__30332__29694__22580_.rm
    04/26/2007 12:29 AM <DIR> 200 Pounds Beauty (OST)
    05/03/2007 12:18 AM 387,841 4a9b842fe74d933c1e30894jz4.jpg
    04/10/2007 03:28 AM 814 Adobe Photoshop 7.0.lnk
    04/25/2007 07:31 PM 50,688 ATF-Cleaner.exe
    04/15/2007 01:37 AM 630 Audacity.lnk
    04/20/2007 12:52 PM <DIR> avenger
    04/12/2007 05:30 AM 694 BitComet.lnk
    05/03/2007 12:23 PM 248,524 cashbox1.jpg
    05/03/2007 12:38 PM 288,601 cashbox2.jpg
    05/03/2007 12:39 PM 192,937 cashbox3.jpg
    05/03/2007 12:39 PM 182,914 cashbox4.jpg
    05/03/2007 12:39 PM 139,936 cashbox5.jpg
    04/23/2007 11:09 PM 7,943,248 CFP_Setup_English_2.4.18.184.exe
    04/21/2007 01:19 AM 974,768 ComboFix.exe
    04/30/2007 03:26 PM 6,283,360 drweb-cureit.exe
    04/24/2007 04:15 AM <DIR> ECAI by dreamstar
    05/02/2007 03:15 AM <DIR> fly to the sky 6
    05/02/2007 02:55 AM 68,602,994 fly to the sky 6.zip
    04/26/2007 12:44 AM 4,700,384 FRHjap1.psd
    04/26/2007 02:01 AM 2,886,774 FRHjapwalle2.psd
    04/23/2007 10:08 PM <DIR> gmer
    04/23/2007 10:52 PM <DIR> hosts
    04/12/2007 10:41 PM 73,728 KillBox.exe
    05/01/2007 12:24 PM <DIR> KT new
    04/24/2007 06:13 PM 59,173 locketcharm.jpg
    04/24/2007 06:17 PM 353,090 locketcharm2.jpg
    04/22/2007 06:47 PM 626 mIRC.lnk
    04/20/2007 03:26 AM 1,367,553 mirc621.exe
    04/28/2007 12:40 AM <DIR> Mp3s2
    04/09/2007 11:24 PM 104 My Computer.lnk
    04/10/2007 01:47 AM 777 NJStar 5.0 Chinese WP.LNK
    05/03/2007 04:57 PM 72 peek.bat
    04/18/2007 08:00 PM <DIR> sfp
    03/23/2007 06:10 PM 8 singnet pw.txt
    04/18/2007 08:17 PM <DIR> sreng2
    05/02/2007 01:44 AM <DIR> StyLe-StyLe
    04/30/2007 08:48 PM <DIR> Sysclean
    04/23/2007 03:29 AM <DIR> SZGHCD by dreamstar
    04/22/2007 02:45 AM 17,728 test1.jpg
    04/22/2007 03:03 PM 38,320 test2.jpg
    04/28/2007 05:36 PM 166,255 test3.jpg
    04/29/2007 02:24 PM 912,087 Untitled-1.psd
    04/22/2007 04:41 PM 492,645 Untitled-5.psd
    05/02/2007 12:41 AM 82 v1.txt
    04/13/2007 11:17 AM 278,902 win32delfkil.exe
    04/10/2007 04:13 PM 1,823,624 WindowsXP-KB925902-x86-ENU.exe
    05/03/2007 01:03 AM 68,451,432 Wu Zun at Guangzhou_Hana Kimi Promos.rmvb
    35 File(s) 368,960,495 bytes

    Directory of C:\Documents and Settings\Starylosophy\Desktop\01

    04/28/2007 12:42 AM <DIR> .
    04/28/2007 12:42 AM <DIR> ..
    04/26/2007 11:37 AM 5,545,410 01.mp3
    04/26/2007 11:37 AM 7,214,810 02.mp3
    04/26/2007 11:37 AM 5,509,847 03.mp3
    3 File(s) 18,270,067 bytes

    Directory of C:\Documents and Settings\Starylosophy\Desktop\200 Pounds Beauty (OST)

    04/26/2007 12:29 AM <DIR> .
    04/26/2007 12:29 AM <DIR> ..
    01/06/2007 03:43 PM 2,243,628 01.mp3
    01/06/2007 03:41 PM 7,249,920 02.mp3
    01/06/2007 03:43 PM 4,507,648 03.mp3
    01/06/2007 03:43 PM 4,794,368 04.mp3
    01/06/2007 03:43 PM 4,341,760 05.mp3
    01/06/2007 03:43 PM 5,976,064 06.mp3
    01/06/2007 03:44 PM 4,784,256 07.mp3
    01/06/2007 03:38 PM 4,956,160 08.mp3
    01/06/2007 03:44 PM 2,154,496 09.mp3
    01/06/2007 03:40 PM 5,799,936 10.mp3
    01/06/2007 03:43 PM 2,994,304 11.mp3
    01/06/2007 03:22 PM 62,679 200.jpg
    12 File(s) 49,865,219 bytes

    Directory of C:\Documents and Settings\Starylosophy\Desktop\avenger

    04/20/2007 12:52 PM <DIR> .
    04/20/2007 12:52 PM <DIR> ..
    02/25/2006 11:28 PM 130,048 avenger.exe
    1 File(s) 130,048 bytes

    Directory of C:\Documents and Settings\Starylosophy\Desktop\ECAI by dreamstar

    04/24/2007 04:15 AM <DIR> .
    04/24/2007 04:15 AM <DIR> ..
    04/24/2007 04:16 AM <DIR> Eason Chan ??? - Admit It ???
    0 File(s) 0 bytes

    Directory of C:\Documents and Settings\Starylosophy\Desktop\ECAI by dreamstar\Eason Chan ??? - Admit It ???

    04/24/2007 04:16 AM <DIR> .
    04/24/2007 04:16 AM <DIR> ..
    04/22/2007 11:11 AM 6,536,533 01 ??.mp3
    04/22/2007 11:11 AM 7,058,419 02 ??.mp3
    04/22/2007 11:11 AM 5,087,598 03 ????.mp3
    04/22/2007 11:11 AM 6,023,803 04 ???.mp3
    04/22/2007 11:11 AM 6,864,581 05 ????.mp3
    04/22/2007 11:11 AM 6,476,126 06 ????.mp3
    04/22/2007 11:12 AM 5,321,964 07 ????.mp3
    04/22/2007 11:12 AM 6,671,086 08 ?????.mp3
    04/22/2007 11:12 AM 5,142,867 09 ??????.mp3
    04/22/2007 11:12 AM 6,945,476 10 ????.mp3
    04/22/2007 11:12 AM 5,548,455 11 ?????(??).mp3
    04/21/2007 09:39 PM 50,080 Album cover.jpg
    12 File(s) 67,726,988 bytes

    Directory of C:\Documents and Settings\Starylosophy\Desktop\fly to the sky 6

    05/02/2007 03:15 AM <DIR> .
    05/02/2007 03:15 AM <DIR> ..
    05/02/2007 03:15 AM <DIR> fly to the sky 6
    0 File(s) 0 bytes

    Directory of C:\Documents and Settings\Starylosophy\Desktop\fly to the sky 6\fly to the sky 6

    05/02/2007 03:15 AM <DIR> .
    05/02/2007 03:15 AM <DIR> ..
    05/02/2007 04:04 PM 5,744,768 01.mp3
    05/02/2007 04:08 PM 6,267,008 02.mp3
    05/02/2007 05:08 PM 5,548,160 03.mp3
    05/02/2007 04:20 PM 5,148,800 04.mp3
    05/02/2007 04:52 PM 6,176,896 05.mp3
    05/02/2007 03:54 PM 5,304,448 06.mp3
    05/02/2007 04:16 PM 6,041,728 07.mp3
    05/02/2007 04:24 PM 5,537,920 08.mp3
    05/02/2007 04:27 PM 4,948,096 09.mp3
    05/02/2007 04:12 PM 5,853,312 10.mp3
    05/02/2007 04:32 PM 6,623,360 11.mp3
    05/02/2007 04:00 PM 6,264,960 12.mp3
    12 File(s) 69,459,456 bytes

    Directory of C:\Documents and Settings\Starylosophy\Desktop\gmer

    04/23/2007 10:08 PM <DIR> .
    04/23/2007 10:08 PM <DIR> ..
    04/12/2007 05:04 PM 577,536 gmer.exe
    1 File(s) 577,536 bytes

    Directory of C:\Documents and Settings\Starylosophy\Desktop\hosts

    04/23/2007 10:52 PM <DIR> .
    04/23/2007 10:52 PM <DIR> ..
    04/08/2007 02:07 AM 567,707 HOSTS
    11/26/2005 12:40 AM 13,799 License.txt
    11/01/2006 09:49 AM 1,400 mvps.bat
    11/26/2005 03:53 AM 2,015 PrivacyPolicy.txt
    02/24/2007 12:36 AM 4,893 readme.txt
    5 File(s) 589,814 bytes

    Directory of C:\Documents and Settings\Starylosophy\Desktop\KT new

    05/01/2007 12:24 PM <DIR> .
    05/01/2007 12:24 PM <DIR> ..
    04/16/2007 02:38 AM 32,708,615 20070414jinan_talk.wmv
    04/16/2007 04:54 PM 10,754,643 20070415dragontv.wmv
    04/15/2007 01:55 AM 682,971 200704_kt_ost.mp3
    04/30/2007 09:31 PM 42,828 img_3_1481_0.jpg
    4 File(s) 44,189,057 bytes

    Directory of C:\Documents and Settings\Starylosophy\Desktop\Mp3s2

    04/28/2007 12:40 AM <DIR> .
    04/28/2007 12:40 AM <DIR> ..
    04/02/2007 04:13 PM 6,015,328 01 01 ???????? ????.mp3
    04/19/2007 04:37 AM <DIR> 02dko
    04/02/2007 03:46 PM 4,080,191 03 ??? (Waiting).mp3
    03/30/2007 08:41 PM 6,760,576 03.mp3
    04/16/2007 05:20 PM <DIR> 03grm
    04/19/2007 04:29 AM <DIR> 03gro
    04/02/2007 03:49 PM 4,376,165 05 05. ????.mp3
    04/19/2007 07:08 PM <DIR> 05fee
    04/16/2007 05:29 PM <DIR> 103werf
    04/16/2007 05:20 PM <DIR> 10gth
    04/02/2007 03:36 PM 4,614,144 Always.mp3
    03/05/2007 12:35 AM 6,816,372 Lin Yi Chen- Fei Ni Mo Shu.mp3
    04/23/2007 07:17 PM <DIR> Luo Zhi Xiang - Ai Zhuan Jiao
    04/03/2007 03:09 AM 4,376,185 Shin Hyesung & Lyn - ??...??.mp3
    04/21/2007 01:59 AM <DIR> SSYZNG07128byairbubble
    04/21/2007 01:58 AM <DIR> tank
    04/22/2007 12:05 AM <DIR> VWVD by dreamstar
    03/02/2007 08:44 PM 3,962,455 Xiao Gui & Zhuo Wen Xuan - Ai De Zhu Xuan Lu.mp3
    04/21/2007 01:57 AM <DIR> Zhang Shao Han
    04/21/2007 01:56 AM <DIR> [2007-03-16] __ - _____
    04/19/2007 02:01 AM <DIR> [KBS] Hello! Miss OST
    8 File(s) 41,001,416 bytes

    Directory of C:\Documents and Settings\Starylosophy\Desktop\Mp3s2\02dko

    04/19/2007 04:37 AM <DIR> .
    04/19/2007 04:37 AM <DIR> ..
    04/18/2007 11:38 AM 6,940,800 02.mp3
    1 File(s) 6,940,800 bytes

    Directory of C:\Documents and Settings\Starylosophy\Desktop\Mp3s2\03grm

    04/16/2007 05:20 PM <DIR> .
    04/16/2007 05:20 PM <DIR> ..
    04/11/2007 10:37 PM 7,202,816 03.mp3
    1 File(s) 7,202,816 bytes

    Directory of C:\Documents and Settings\Starylosophy\Desktop\Mp3s2\03gro

    04/19/2007 04:29 AM <DIR> .
    04/19/2007 04:29 AM <DIR> ..
    04/19/2007 01:52 PM 6,334,592 03.mp3
    1 File(s) 6,334,592 bytes

    Directory of C:\Documents and Settings\Starylosophy\Desktop\Mp3s2\05fee

    04/19/2007 07:08 PM <DIR> .
    04/19/2007 07:08 PM <DIR> ..
    04/19/2007 09:43 PM 5,382,272 05.mp3
    1 File(s) 5,382,272 bytes

    Directory of C:\Documents and Settings\Starylosophy\Desktop\Mp3s2\103werf

    04/16/2007 05:29 PM <DIR> .
    04/16/2007 05:29 PM <DIR> ..
    04/16/2007 05:38 PM 5,904,749 103.mp3
    1 File(s) 5,904,749 bytes

    Directory of C:\Documents and Settings\Starylosophy\Desktop\Mp3s2\10gth

    04/16/2007 05:20 PM <DIR> .
    04/16/2007 05:20 PM <DIR> ..
    04/11/2007 10:38 PM 7,446,528 10.mp3
    1 File(s) 7,446,528 bytes

    Directory of C:\Documents and Settings\Starylosophy\Desktop\Mp3s2\Luo Zhi Xiang - Ai Zhuan Jiao

    04/23/2007 07:17 PM <DIR> .
    04/23/2007 07:17 PM <DIR> ..
    01/17/2007 05:41 PM 7,734,309 01.mp3
    1 File(s) 7,734,309 bytes

    Directory of C:\Documents and Settings\Starylosophy\Desktop\Mp3s2\SSYZNG07128byairbubble

    04/21/2007 01:59 AM <DIR> .
    04/21/2007 01:59 AM <DIR> ..
    04/21/2007 01:59 AM <DIR> Stefanie Sun Yan Zi - Ni Guang 2007
    0 File(s) 0 bytes

    Directory of C:\Documents and Settings\Starylosophy\Desktop\Mp3s2\SSYZNG07128byairbubble\Stefanie Sun Yan Zi - Ni Guang 2007

    04/21/2007 01:59 AM <DIR> .
    04/21/2007 01:59 AM <DIR> ..
    03/21/2007 01:39 PM 554,054 cover.jpg
    03/21/2007 02:01 PM 963,875 Stefanie Sun Yan Zi - [Ni Guang 2007] - 01 - In The Beginning.mp3
    04/18/2007 03:43 AM 4,675,762 Stefanie Sun Yan Zi - [Ni Guang 2007] - 02 - Ni Guang.mp3
    03/21/2007 02:02 PM 2,995,984 Stefanie Sun Yan Zi - [Ni Guang 2007] - 03 - Meng You.mp3
    03/21/2007 02:02 PM 4,340,144 Stefanie Sun Yan Zi - [Ni Guang 2007] - 04 - Gu Ji Gu Ji.mp3
    04/18/2007 03:43 AM 4,596,357 Stefanie Sun Yan Zi - [Ni Guang 2007] - 05 - Wo Huai Nian De.mp3
    03/21/2007 02:02 PM 3,156,479 Stefanie Sun Yan Zi - [Ni Guang 2007] - 06 - An Ning.mp3
    04/18/2007 03:43 AM 3,972,337 Stefanie Sun Yan Zi - [Ni Guang 2007] - 07 - Piao Zhe.mp3
    03/21/2007 02:02 PM 3,556,478 Stefanie Sun Yan Zi - [Ni Guang 2007] - 08 - Ai Qing De Hua Yang.mp3
    03/21/2007 02:02 PM 4,628,532 Stefanie Sun Yan Zi - [Ni Guang 2007] - 09 - Xuan Wo.mp3
    03/21/2007 02:02 PM 3,956,037 Stefanie Sun Yan Zi - [Ni Guang 2007] - 10 - Xu Yao Ni.mp3
    03/21/2007 02:03 PM 3,780,075 Stefanie Sun Yan Zi - [Ni Guang 2007] - 11 - Guan Yu.mp3
    03/21/2007 02:03 PM 909,533 Stefanie Sun Yan Zi - [Ni Guang 2007] - 12 - Afterward.mp3
    13 File(s) 42,085,647 bytes

    Directory of C:\Documents and Settings\Starylosophy\Desktop\Mp3s2\tank

    04/21/2007 01:58 AM <DIR> .
    04/21/2007 01:58 AM <DIR> ..
    04/21/2007 01:59 AM <DIR> tank
    0 File(s) 0 bytes

    Directory of C:\Documents and Settings\Starylosophy\Desktop\Mp3s2\tank\tank

    04/21/2007 01:59 AM <DIR> .
    04/21/2007 01:59 AM <DIR> ..
    01/31/2007 11:48 PM 4,162,818 Tank - Cheng Li De Yue Guang.mp3
    02/01/2007 12:01 AM 4,306,998 Tank - Dear Tank.mp3
    02/01/2007 12:28 AM 3,282,998 Tank - Di Er Ci Chu Lian.mp3
    03/07/2007 06:47 AM 4,562,547 tank - fei ni mo shu.mp3
    02/01/2007 12:32 AM 3,169,870 Tank - Jie Tou Ba Wang.mp3
    03/29/2007 06:04 PM 3,939,178 Tank - Lan.mp3
    01/31/2007 11:30 PM 4,514,724 Tank - Qing Tian Yu.mp3
    01/31/2007 11:51 PM 3,122,502 Tank - Yan Chang Bi Sai.mp3
    01/31/2007 11:25 PM 4,136,428 Tank - zhuan shu tian shi.mp3
    01/31/2007 11:34 PM 3,458,959 Tank - Zui Hou Wei Xiao.mp3
    10 File(s) 38,657,022 bytes

    Directory of C:\Documents and Settings\Starylosophy\Desktop\Mp3s2\VWVD by dreamstar

    04/22/2007 12:05 AM <DIR> .
    04/22/2007 12:05 AM <DIR> ..
    04/22/2007 12:05 AM <DIR> Vanness Wu ??? - V.DUBB
    0 File(s) 0 bytes

    Directory of C:\Documents and Settings\Starylosophy\Desktop\Mp3s2\VWVD by dreamstar\Vanness Wu ??? - V.DUBB

    04/22/2007 12:05 AM <DIR> .
    04/22/2007 12:05 AM <DIR> ..
    04/21/2007 12:38 AM 4,886,656 01 ????.mp3
    04/21/2007 12:37 AM 4,690,048 02 Never Let You Go.mp3
    04/21/2007 12:38 AM 5,390,464 03 ??.mp3
    04/21/2007 12:37 AM 4,624,512 04 Just One Dance.mp3
    04/21/2007 12:37 AM 4,937,856 05 Friday Night.mp3
    04/21/2007 12:38 AM 4,378,752 06 ????.mp3
    04/21/2007 12:38 AM 4,526,208 07 ???.mp3
    04/21/2007 12:38 AM 5,003,392 08 ??.mp3
    04/21/2007 12:38 AM 4,948,096 09 ??.mp3
    04/21/2007 12:37 AM 7,229,568 10 Eternity.mp3
    04/21/2007 12:38 AM 8,280,192 11 ???? (House remix) ???.mp3
    04/20/2007 11:24 PM 42,529 Album cover.jpg
    12 File(s) 58,938,273 bytes

    Directory of C:\Documents and Settings\Starylosophy\Desktop\Mp3s2\Zhang Shao Han

    04/21/2007 01:57 AM <DIR> .
    04/21/2007 01:57 AM <DIR> ..
    03/25/2007 01:31 AM 3,959,812 butong.mp3
    04/21/2007 01:58 AM <DIR> ???®???¯
    1 File(s) 3,959,812 bytes

    Directory of C:\Documents and Settings\Starylosophy\Desktop\Mp3s2\Zhang Shao Han\???®???¯

    04/21/2007 01:58 AM <DIR> .
    04/21/2007 01:58 AM <DIR> ..
    01/11/2007 02:56 PM 6,048,192 01.mp3
    01/11/2007 02:56 PM 6,840,298 02.mp3
    01/11/2007 02:57 PM 5,738,849 03.mp3
    01/11/2007 02:52 PM 7,117,497 04.mp3
    01/11/2007 02:55 PM 6,584,759 05.mp3
    01/11/2007 02:56 PM 4,444,349 06.mp3
    01/11/2007 02:56 PM 6,687,896 07.mp3
    01/11/2007 02:57 PM 6,632,913 08.mp3
    01/11/2007 02:56 PM 7,332,353 09.mp3
    01/11/2007 02:56 PM 5,592,862 10.mp3
    01/11/2007 02:55 PM 5,705,129 11.mp3
    11 File(s) 68,725,097 bytes

    Directory of C:\Documents and Settings\Starylosophy\Desktop\Mp3s2\[2007-03-16] __ - _____

    04/21/2007 01:56 AM <DIR> .
    04/21/2007 01:56 AM <DIR> ..
    04/21/2007 01:57 AM <DIR> [2007-03-16] ?? - ?????
    0 File(s) 0 bytes

    Directory of C:\Documents and Settings\Starylosophy\Desktop\Mp3s2\[2007-03-16] __ - _____\[2007-03-16] ?? - ?????

    04/21/2007 01:57 AM <DIR> .
    04/21/2007 01:57 AM <DIR> ..
    03/19/2007 01:29 AM 7,114,049 01. ????.mp3
    03/19/2007 01:29 AM 5,997,790 02. ?????.mp3
    03/19/2007 01:29 AM 6,729,690 03. ?????.mp3
    03/19/2007 01:31 AM 6,779,433 04. ???.mp3
    03/19/2007 01:30 AM 6,139,896 05. ???.mp3
    03/19/2007 01:30 AM 5,745,230 06. ????.mp3
    03/19/2007 01:30 AM 7,254,488 07. ??.mp3
    03/19/2007 01:27 AM 6,059,164 08. ???.mp3
    03/19/2007 01:30 AM 6,361,328 09. ???.mp3
    03/19/2007 01:28 AM 2,848,487 10. ?? (??).mp3
    03/19/2007 01:27 AM 5,107,006 11. ?????.mp3
    11 File(s) 66,136,561 bytes

    Directory of C:\Documents and Settings\Starylosophy\Desktop\Mp3s2\[KBS] Hello! Miss OST

    04/19/2007 02:01 AM <DIR> .
    04/19/2007 02:01 AM <DIR> ..
    04/19/2007 02:02 AM <DIR> [KBS] Hello! Miss OST
    0 File(s) 0 bytes

    Directory of C:\Documents and Settings\Starylosophy\Desktop\Mp3s2\[KBS] Hello! Miss OST\[KBS] Hello! Miss OST

    04/19/2007 02:02 AM <DIR> .
    04/19/2007 02:02 AM <DIR> ..
    03/27/2007 06:25 PM 35,247 00348430.jpg
    03/27/2007 06:26 PM 5,162,196 01 Funky Dance!!.mp3
    04/20/2007 02:22 AM 4,373,836 02 Stay By My Side.mp3
    04/26/2007 01:12 PM 5,826,388 03 +++- Ã*... (Love Theme).mp3
    04/20/2007 03:10 AM 4,373,836 04 She.mp3
    03/27/2007 06:26 PM 4,369,740 05 Round N Around.mp3
    03/27/2007 06:26 PM 3,710,842 06 Hello Beautiful Girl.mp3
    03/27/2007 06:26 PM 3,855,655 07 Moon Sounds.mp3
    03/27/2007 06:26 PM 2,923,395 08 Cuty Baby.mp3
    03/27/2007 06:27 PM 4,367,243 09 She (Guitar Ver.).mp3
    03/27/2007 06:27 PM 1,767,323 10 Fake Motion.mp3
    03/27/2007 06:27 PM 3,771,032 11 Funky Dance (Orch Ver.).mp3
    03/27/2007 06:27 PM 3,337,176 12 Sunny Day.mp3
    03/27/2007 06:27 PM 4,119,001 13 +++- Ã*... (Orch Ver.).mp3
    03/27/2007 06:27 PM 4,371,623 14 Romance.mp3
    03/27/2007 06:27 PM 3,315,251 15 Stay By My Side (Orch Ver.).mp3
    03/27/2007 06:27 PM 3,362,250 16 Winds.mp3
    17 File(s) 63,042,034 bytes

    Directory of C:\Documents and Settings\Starylosophy\Desktop\sfp

    04/18/2007 08:00 PM <DIR> .
    04/18/2007 08:00 PM <DIR> ..
    07/20/2005 11:32 AM 518,656 sfp.exe
    1 File(s) 518,656 bytes

    Directory of C:\Documents and Settings\Starylosophy\Desktop\sreng2

    04/18/2007 08:17 PM <DIR> .
    04/18/2007 08:17 PM <DIR> ..
    12/11/2005 11:21 PM 5,003 Licence.txt
    04/18/2007 08:17 PM <DIR> Plugins
    03/10/2007 03:27 AM 38,653 ReleaseNotes2.htm
    03/08/2007 01:52 AM 544,256 SREng.EXE
    3 File(s) 587,912 bytes

    Directory of C:\Documents and Settings\Starylosophy\Desktop\sreng2\Plugins

    04/18/2007 08:17 PM <DIR> .
    04/18/2007 08:17 PM <DIR> ..
    02/21/2007 03:55 AM 106,496 NWMON.SRE
    1 File(s) 106,496 bytes

    Directory of C:\Documents and Settings\Starylosophy\Desktop\StyLe-StyLe

    05/02/2007 01:44 AM <DIR> .
    05/02/2007 01:44 AM <DIR> ..
    04/10/2007 09:07 PM <DIR> StyLe-StyLe
    0 File(s) 0 bytes

    Directory of C:\Documents and Settings\Starylosophy\Desktop\StyLe-StyLe\StyLe-StyLe

    04/10/2007 09:07 PM <DIR> .
    04/10/2007 09:07 PM <DIR> ..
    04/10/2007 09:09 PM 5,570,560 01. ?,??.mp3
    04/10/2007 09:09 PM 5,683,200 02. GO.mp3
    04/10/2007 09:09 PM 6,471,680 03. ??.mp3
    04/10/2007 09:09 PM 5,636,096 04. ?????.mp3
    04/10/2007 09:09 PM 6,250,496 05. Incomplete.mp3
    04/10/2007 09:09 PM 5,400,576 06. Desire.mp3
    04/10/2007 09:09 PM 5,193,728 07. ????.mp3
    04/10/2007 09:09 PM 5,150,720 08. ????.mp3
    04/10/2007 09:09 PM 5,441,536 09. ??????.mp3
    04/10/2007 09:09 PM 4,329,472 10. ??,?????.mp3
    04/10/2007 03:23 PM 40,864 cover.jpg
    11 File(s) 55,168,928 bytes

    Directory of C:\Documents and Settings\Starylosophy\Desktop\Sysclean

    04/30/2007 08:48 PM <DIR> .
    04/30/2007 08:48 PM <DIR> ..
    04/29/2007 03:47 PM 33,214,153 lpt$vpn.443
    04/30/2007 06:05 PM 3,447,818 sysclean.com
    04/30/2007 06:29 PM 204,800 sysclean.exe
    04/30/2007 08:19 PM 12,408 sysclean.log
    04/30/2007 06:30 PM 27 TSCDebug.log
    5 File(s) 36,879,206 bytes

    Directory of C:\Documents and Settings\Starylosophy\Desktop\SZGHCD by dreamstar

    04/23/2007 03:29 AM <DIR> .
    04/23/2007 03:29 AM <DIR> ..
    04/29/2007 01:09 PM 4,563,289 S.H.E - ??? Zhong Guo Hua (CD Version).mp3
    1 File(s) 4,563,289 bytes

    Total Files Listed:
    197 File(s) 1,147,085,095 bytes
    113 Dir(s) 51,421,605,888 bytes free
     
