rundll32.exe application error help please!



rarin
2008-07-11, 07:45
When my computer boots to the login screen, after inputting my password I get a

"rundll32.exe - Application error
The application failed to initialize properly (0xc0000005). Click on OK to terminate the application."

After I click ok twice, it loads to my desktop, but only shows the wallpaper. I have to manually start explorer.exe. I get this pop up with a few other actions, so far add/remove programs does the same, and a few others.

I've run the HJT scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:43:00 PM, on 11/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Styler\Styler.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\PROGRA~1\Symbian\Shared\SYMBIA~1\SYMBIA~1.EXE
C:\PROGRA~1\Symbian\Shared\SYMBIA~1\SCBAL.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [Styler] C:\Program Files\Styler\Styler.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [bend logo clock film] C:\Documents and Settings\All Users\Application Data\Frag great bend logo\idol global.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PC Suite for Smartphones] "C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [c8a780bd] rundll32.exe "C:\WINDOWS\system32\sbexvrny.dll",b
O4 - HKLM\..\Run: [BMcb94b321] Rundll32.exe "C:\WINDOWS\system32\wewuadxm.dll",s
O4 - HKCU\..\Run: [itchprogram] C:\DOCUME~1\MANNHI~1\APPLIC~1\THIRDF~1\HOLDLITE01.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [mRouterConfig] "C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Firefox Preloader.lnk = C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/229?4dab94b421cb42aa993a94f9c76d9491
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/230?4dab94b421cb42aa993a94f9c76d9491
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c004E900.dat
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 9373 bytes

Hope you can help, thanks very much.

pskelley
2008-07-12, 21:57
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
This can be a tough infection to remove so do not expect fast or easy.

You have at least two nasty infections, Vundo and LOP/C2Media:
http://research.sunbelt-software.com/threatdisplay.aspx?name=C2.lop&threatid=8144

1) We need first to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

2) Please Download NoLop to your desktop:

http://www.spywareedge.net/nolop/NoLop.exe

First close any other programs you have running, as this will require a reboot.
Double click NoLop.exe to run it.
Now click the button labelled "Search and Destroy"
<<your computer will now be scanned for infected files>>
When scanning is finished you will be prompted to reboot only if infected, Click OK
Now click the "REBOOT" Button.
A message should pop up from NoLop. If not, double click the program again and it will finish. Please post the contents of C:\NoLop.log along with a fresh HijackThis log (wait until you finish to post the logs).

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

3) Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks
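The reply above identifies the infection from a handful of HijackThis entries: the O4 Run values that hand rundll32 a random eight-letter DLL in system32 (sbexvrny.dll, wewuadxm.dll), the autostarts pointing into Application Data folders with nonsense names (Lop), the O20 AppInit_DLLs hook loading a .dat file, and an O16 ActiveX download from an unfamiliar host. The Python script below is an added example of doing that triage automatically over sample lines; it is not part of this thread and not a HijackThis or Safer Networking tool. The sample lines are copied from the log posted above, while the heuristics, severity labels and the one-host allowlist are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: HijackThis lines copied from the log posted in this thread,
# with a few of its benign entries kept so the heuristics have something to ignore.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [c8a780bd] rundll32.exe "C:\WINDOWS\system32\sbexvrny.dll",b
O4 - HKLM\..\Run: [BMcb94b321] Rundll32.exe "C:\WINDOWS\system32\wewuadxm.dll",s
O4 - HKLM\..\Run: [bend logo clock film] C:\Documents and Settings\All Users\Application Data\Frag great bend logo\idol global.exe
O4 - HKCU\..\Run: [itchprogram] C:\DOCUME~1\MANNHI~1\APPLIC~1\THIRDF~1\HOLDLITE01.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Firefox Preloader.lnk = C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c004E900.dat
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


@dataclass
class Finding:
    severity: str  # "high" = almost certainly malicious, "review" = needs a human look
    line: str
    reason: str


# All heuristics below are this example's own assumptions, not HijackThis features.
RUN_ENTRY = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# rundll32 handed a DLL in system32 whose basename is eight lower-case letters:
# the Vundo pattern seen in this thread (sbexvrny.dll, wewuadxm.dll).
RANDOM_DLL = re.compile(r'(?i:rundll32\.exe)\s+"?[^",]*\\(?i:system32)\\[a-z]{8}\.dll')
# Autostart targets living under a profile's Application Data tree (long or 8.3 form),
# where Lop drops its randomly named folders and executables.
APPDATA_PATH = re.compile(r'\\Application Data\\|\\APPLIC~1\\', re.IGNORECASE)
DPF_ENTRY = re.compile(r'^O16 - DPF: \{[^}]+\}(?: \([^)]*\))? - (?P<url>\S+)$')
APPINIT_ENTRY = re.compile(r'^O20 - AppInit_DLLs: (?P<value>.+)$')
# Constructed allowlist of ActiveX download hosts; extend it for your own environment.
KNOWN_DPF_HOSTS = {"messenger.zone.msn.com"}


def triage(hjt_text: str) -> list[Finding]:
    """Return one Finding per suspicious HijackThis line, in log order."""
    findings: list[Finding] = []
    for raw in hjt_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        run = RUN_ENTRY.match(line)
        if run:
            cmd = run.group("cmd")
            if RANDOM_DLL.search(cmd):
                findings.append(Finding("high", line,
                    "rundll32 loads a random-named DLL from system32 (Vundo-style loader)"))
            elif APPDATA_PATH.search(cmd):
                findings.append(Finding("review", line,
                    "autostart runs an executable from an Application Data folder (Lop-style)"))
            continue
        dpf = DPF_ENTRY.match(line)
        if dpf:
            host = urlparse(dpf.group("url")).hostname or ""
            if host not in KNOWN_DPF_HOSTS:
                findings.append(Finding("review", line,
                    f"ActiveX component downloaded from unlisted host {host}"))
            continue
        appinit = APPINIT_ENTRY.match(line)
        if appinit:
            # AppInit_DLLs is loaded into every process that maps user32.dll, so any
            # non-empty value deserves a look; a .dat file in system32 is not a normal one.
            findings.append(Finding("high", line,
                f"AppInit_DLLs injects {appinit.group('value')} into every GUI process"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'high': 3, 'review': 3}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(triage(SAMPLE_HJT)))
```

Run against the sample it reports three high findings (the two rundll32 loaders and the AppInit_DLLs value) and three for review (the two Application Data autostarts and the malware-scan.com ActiveX entry), and stays quiet on iTunesHelper, ctfmon and the MSN Games installer. The eight-lower-case-letter rule is deliberately narrow and will not catch every loader name, so treat it as a first pass that shortens the list a human still reads.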

rarin
2008-07-13, 10:20
This was my nolop log:

NoLop! Log by Skate_Punk_21

Fix running from: C:\Documents and Settings\Mann Hing\Desktop
[13/07/2008]
[3:06:12 PM]

---Infection Files Found/Removed---
C:\WINDOWS\tasks\AA53FF2B91847E4B.job

Beginning Removal...
Rebooting...

Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**

---Listing AppData sub directories---

C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Apple
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Avg7
C:\Documents and Settings\All Users\Application Data\Flexnet
C:\Documents and Settings\All Users\Application Data\Frag Great Bend Logo
C:\Documents and Settings\All Users\Application Data\Google
C:\Documents and Settings\All Users\Application Data\Grisoft
C:\Documents and Settings\All Users\Application Data\Installations
C:\Documents and Settings\All Users\Application Data\Installshield
C:\Documents and Settings\All Users\Application Data\Mcafee.com
C:\Documents and Settings\All Users\Application Data\Mcafee.com Personal Firewall
C:\Documents and Settings\All Users\Application Data\Messenger Plus!
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Msscanappdatadir
C:\Documents and Settings\All Users\Application Data\Pc Suite
C:\Documents and Settings\All Users\Application Data\Sony Ericsson
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Superantispyware.com
C:\Documents and Settings\All Users\Application Data\Teleca
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
C:\Documents and Settings\All Users\Application Data\Wlinstaller
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Localservice\Application Data\Avg7 -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Mcafee.com Personal Firewall
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Mann Hing\Application Data\Adobe
C:\Documents and Settings\Mann Hing\Application Data\Apple Computer
C:\Documents and Settings\Mann Hing\Application Data\Autopoweron
C:\Documents and Settings\Mann Hing\Application Data\Avg7
C:\Documents and Settings\Mann Hing\Application Data\Deepburner
C:\Documents and Settings\Mann Hing\Application Data\Dvdcss
C:\Documents and Settings\Mann Hing\Application Data\Free Download Manager
C:\Documents and Settings\Mann Hing\Application Data\Gtk-2.0
C:\Documents and Settings\Mann Hing\Application Data\Hamachi
C:\Documents and Settings\Mann Hing\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Mann Hing\Application Data\Identities
C:\Documents and Settings\Mann Hing\Application Data\Image Zone Express
C:\Documents and Settings\Mann Hing\Application Data\Macromedia
C:\Documents and Settings\Mann Hing\Application Data\Mcafee.com Personal Firewall
C:\Documents and Settings\Mann Hing\Application Data\Media Player Classic
C:\Documents and Settings\Mann Hing\Application Data\Microsoft
C:\Documents and Settings\Mann Hing\Application Data\Mozilla
C:\Documents and Settings\Mann Hing\Application Data\Nokia
C:\Documents and Settings\Mann Hing\Application Data\Nokia Multimedia Player
C:\Documents and Settings\Mann Hing\Application Data\Pc Suite
C:\Documents and Settings\Mann Hing\Application Data\Printer Info Cache
C:\Documents and Settings\Mann Hing\Application Data\Real
C:\Documents and Settings\Mann Hing\Application Data\Sodabush
C:\Documents and Settings\Mann Hing\Application Data\Sony Ericsson
C:\Documents and Settings\Mann Hing\Application Data\Styler
C:\Documents and Settings\Mann Hing\Application Data\Superantispyware.com -- EMPTY Directory
C:\Documents and Settings\Mann Hing\Application Data\Teleca
C:\Documents and Settings\Mann Hing\Application Data\Thirdfile
C:\Documents and Settings\Mann Hing\Application Data\True Sword -- EMPTY Directory
C:\Documents and Settings\Mann Hing\Application Data\Utorrent
C:\Documents and Settings\Mann Hing\Application Data\Vlc
C:\Documents and Settings\Mann Hing\Application Data\Vso
C:\Documents and Settings\Mann Hing\Application Data\Whenu
C:\Documents and Settings\Mann Hing\Application Data\Winrar -- EMPTY Directory
C:\Documents and Settings\Networkservice\Application Data\Microsoft
C:\Documents and Settings\Poh Hong\Application Data\Adobe
C:\Documents and Settings\Poh Hong\Application Data\Avg7
C:\Documents and Settings\Poh Hong\Application Data\Grisoft
C:\Documents and Settings\Poh Hong\Application Data\Identities
C:\Documents and Settings\Poh Hong\Application Data\Macromedia
C:\Documents and Settings\Poh Hong\Application Data\Mcafee.com Personal Firewall
C:\Documents and Settings\Poh Hong\Application Data\Microsoft
C:\Documents and Settings\Poh Hong\Application Data\Mozilla
C:\Documents and Settings\Poh Hong\Application Data\Pc Suite
C:\Documents and Settings\Poh Hong\Application Data\Real
C:\Documents and Settings\Poh Hong\Application Data\Sony Ericsson
C:\Documents and Settings\Poh Hong\Application Data\Styler
C:\Documents and Settings\Poh Hong\Application Data\Teleca
C:\Documents and Settings\Weng Khor\Application Data\Avg7
C:\Documents and Settings\Weng Khor\Application Data\Identities
C:\Documents and Settings\Weng Khor\Application Data\Macromedia
C:\Documents and Settings\Weng Khor\Application Data\Mcafee.com Personal Firewall -- EMPTY Directory
C:\Documents and Settings\Weng Khor\Application Data\Microsoft
C:\Documents and Settings\Weng Khor\Application Data\Mozilla
C:\Documents and Settings\Weng Khor\Application Data\Pc Suite
C:\Documents and Settings\Weng Khor\Application Data\Real
C:\Documents and Settings\Weng Khor\Application Data\Sony Ericsson
C:\Documents and Settings\Weng Khor\Application Data\Styler
C:\Documents and Settings\Weng Khor\Application Data\Teleca
C:\Documents and Settings\Weng Khor\Application Data\Vlc


Er, I had to reboot and didn't manage to save the HJT log which I did after the NoLop scan... (I was about to post it, but decided to do everything at once, and proceeded with ComboFix. During ComboFix it said I had to reboot the computer and the internet connection was lost, so I lost the HJT log.)




The combofix log was:

ComboFix 08-07-12.2 - Mann Hing 2008-07-13 16:33:35.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.142 [GMT 10:00]
Running from: C:\Documents and Settings\Mann Hing\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMcb94b321.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aenuajsr.dll
C:\WINDOWS\system32\btqlxruf.dll
C:\WINDOWS\system32\ckxmbotk.dll
C:\WINDOWS\system32\cmekvskj.dll
C:\WINDOWS\system32\cpoiduta.ini
C:\WINDOWS\system32\dayjfcpv.dll
C:\WINDOWS\system32\dbfekwta.dll
C:\WINDOWS\system32\ddvfjbfm.dll
C:\WINDOWS\system32\dgnwjmme.dll
C:\WINDOWS\system32\dowsnvva.dll
C:\WINDOWS\system32\dtuawrdn.dll
C:\WINDOWS\system32\dvskcvdv.dll
C:\WINDOWS\system32\elwcqkjq.dll
C:\WINDOWS\system32\euinawsn.ini
C:\WINDOWS\system32\fccaBTkl.dll
C:\WINDOWS\system32\ffpyqcdg.dll
C:\WINDOWS\system32\foovwsht.ini
C:\WINDOWS\system32\fuihkimt.dll
C:\WINDOWS\system32\furxlqtb.ini
C:\WINDOWS\system32\fytcmxcj.ini
C:\WINDOWS\system32\ghmetiys.dll
C:\WINDOWS\system32\gljvsqvn.ini
C:\WINDOWS\system32\gtmnaspp.dll
C:\WINDOWS\system32\iksalyxy.dll
C:\WINDOWS\system32\ipgieflv.dll
C:\WINDOWS\system32\iqxllonx.dll
C:\WINDOWS\system32\ixumsbda.dll
C:\WINDOWS\system32\jhabtbev.dll
C:\WINDOWS\system32\jklklnnn.ini
C:\WINDOWS\system32\jklklnnn.ini2
C:\WINDOWS\system32\jtdlybrw.dll
C:\WINDOWS\system32\jvhrmfuy.dll
C:\WINDOWS\system32\ktayxobw.dll
C:\WINDOWS\system32\kvddptww.dll
C:\WINDOWS\system32\kvhcweyn.dll
C:\WINDOWS\system32\ldpglhxs.dll
C:\WINDOWS\system32\lmnpsgcv.dll
C:\WINDOWS\system32\lxbcpvyk.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mhmkgvif.dll
C:\WINDOWS\system32\ndhtwxux.dll
C:\WINDOWS\system32\nluvxpwb.dll
C:\WINDOWS\system32\nnnlklkj.dll
C:\WINDOWS\system32\nqtebvvk.dll
C:\WINDOWS\system32\nvqsvjlg.dll
C:\WINDOWS\system32\nytlapnx.dll
C:\WINDOWS\system32\oowpnsqc.dll
C:\WINDOWS\system32\ppsanmtg.ini
C:\WINDOWS\system32\pujeohhv.dll
C:\WINDOWS\system32\rpkjwwxd.dll
C:\WINDOWS\system32\rxqfyqoy.ini
C:\WINDOWS\system32\slphakdn.dll
C:\WINDOWS\system32\susliopg.dll
C:\WINDOWS\system32\tbkcmpwk.dll
C:\WINDOWS\system32\tcauvqgo.dll
C:\WINDOWS\system32\txgrwwsp.ini
C:\WINDOWS\system32\uouwwopj.dll
C:\WINDOWS\system32\venvctpt.dll
C:\WINDOWS\system32\vhhoejup.ini
C:\WINDOWS\system32\vhoawdje.dll
C:\WINDOWS\system32\vjlbrtnb.dll
C:\WINDOWS\system32\vkhedppe.dll
C:\WINDOWS\system32\votmhcrw.dll
C:\WINDOWS\system32\vpcfjyad.ini
C:\WINDOWS\system32\vuyeosux.dll
C:\WINDOWS\system32\vwhtywwc.dll
C:\WINDOWS\system32\warrrxdc.dll
C:\WINDOWS\system32\wbivavvs.dll
C:\WINDOWS\system32\wbpdwypm.dll
C:\WINDOWS\system32\wcxyxdgw.dll
C:\WINDOWS\system32\wqsuxymo.dll
C:\WINDOWS\system32\wvxcdhck.dll
C:\WINDOWS\system32\xhgrsdjy.dll
C:\WINDOWS\system32\xiulcifq.dll
C:\WINDOWS\system32\xnpaltyn.ini
C:\WINDOWS\system32\xqhckxbj.dll
C:\WINDOWS\system32\xwikxjgc.dll
C:\WINDOWS\system32\xyvltwjp.dll
C:\WINDOWS\system32\yjdsrghx.ini
C:\WINDOWS\system32\ykoatxxq.dll
C:\WINDOWS\system32\ynrvxebs.ini
C:\WINDOWS\system32\ypqfhshj.dll
C:\WINDOWS\system32\yxylaski.ini
H:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-06-13 to 2008-07-13 )))))))))))))))))))))))))))))))
.

2008-07-13 16:13 . 2008-07-13 16:21 <DIR> d-------- C:\NoLopBackups
2008-07-12 20:45 . 2008-07-12 20:45 51,200 --a------ C:\WINDOWS\system32\__c0086A4.dat
2008-07-12 20:42 . 2008-07-12 20:42 90,992 --a------ C:\WINDOWS\system32\vkgthqee.dll
2008-07-12 20:42 . 2008-07-12 20:42 81,152 --a------ C:\WINDOWS\system32\pswwrgxt.dll
2008-07-12 10:28 . 2008-07-12 10:28 <DIR> d-------- C:\Program Files\CCleaner
2008-07-11 20:45 . 2008-07-11 20:45 81,168 --a------ C:\WINDOWS\system32\jcxmctyf.dll
2008-07-11 20:42 . 2008-07-11 20:42 90,928 --a------ C:\WINDOWS\system32\qjualhuu.dll
2008-07-11 14:42 . 2008-07-11 14:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-11 13:53 . 2008-07-11 13:54 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-11 13:53 . 2008-07-11 14:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-11 12:45 . 2008-07-11 12:45 <DIR> d-------- C:\Documents and Settings\Mann Hing\Application Data\True Sword
2008-07-10 20:40 . 2008-07-10 20:40 90,912 --a------ C:\WINDOWS\system32\wewuadxm.dll
2008-07-10 20:40 . 2008-07-10 20:40 51,200 --a------ C:\WINDOWS\system32\__c004E900.dat
2008-07-10 15:57 . 2008-07-10 15:57 <DIR> d-------- C:\Documents and Settings\Poh Hong\Phone Browser
2008-07-09 20:38 . 2008-07-09 20:38 90,816 --a------ C:\WINDOWS\system32\omcbhqjd.dll
2008-07-09 20:37 . 2008-07-09 20:37 51,200 --a------ C:\WINDOWS\system32\__c00B4B27.dat
2008-07-09 20:32 . 2008-07-09 20:32 90,816 --a------ C:\WINDOWS\system32\flmfckvi.dll
2008-07-09 20:32 . 2008-07-09 20:32 81,184 --a------ C:\WINDOWS\system32\yoqyfqxr.dll
2008-07-08 20:30 . 2008-07-08 20:30 90,880 --a------ C:\WINDOWS\system32\uoxmwyle.dll
2008-07-08 20:30 . 2008-07-08 20:30 81,104 --a------ C:\WINDOWS\system32\atudiopc.dll
2008-07-08 08:21 . 2008-07-08 08:21 <DIR> d-------- C:\Program Files\StepMania CVS
2008-07-07 20:44 . 2008-07-07 20:44 51,200 --a------ C:\WINDOWS\system32\__c009408B.dat
2008-07-07 20:41 . 2008-07-07 20:41 51,200 --a------ C:\WINDOWS\system32\__c003B7C6.dat
2008-07-07 20:38 . 2008-07-07 20:38 51,200 --a------ C:\WINDOWS\system32\__c007AE40.dat
2008-07-07 09:20 . 2008-07-11 15:17 <DIR> d-------- C:\Program Files\StepMania
2008-07-06 20:33 . 2008-07-06 20:33 51,200 --a------ C:\WINDOWS\system32\__c00F206C.dat
2008-07-05 20:32 . 2008-07-05 20:32 51,200 --a------ C:\WINDOWS\system32\__c005B6B4.dat
2008-07-04 20:30 . 2008-07-04 20:30 51,200 --a------ C:\WINDOWS\system32\__c002C152.dat
2008-07-03 20:26 . 2008-07-03 20:26 51,200 --a------ C:\WINDOWS\system32\__c00BE739.dat
2008-07-03 20:26 . 2008-07-03 20:26 51,200 --a------ C:\WINDOWS\system32\__c0070D21.dat
2008-07-03 20:25 . 2008-07-03 20:25 51,200 --a------ C:\WINDOWS\system32\__c0014338.dat
2008-07-02 20:31 . 2008-07-02 20:31 51,200 --a------ C:\WINDOWS\system32\__c007B1AA.dat
2008-07-02 08:22 . 2008-07-13 16:50 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-02 08:22 . 2008-07-02 08:22 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-01 20:27 . 2008-07-01 20:27 51,200 --a------ C:\WINDOWS\system32\__c001CDE4.dat
2008-06-30 20:07 . 2008-06-30 20:07 51,200 --a------ C:\WINDOWS\system32\__c004E751.dat
2008-06-29 20:06 . 2008-06-29 20:06 51,200 --a------ C:\WINDOWS\system32\__c0061238.dat
2008-06-28 20:06 . 2008-06-28 20:06 51,200 --a------ C:\WINDOWS\system32\__c00E60C9.dat
2008-06-27 20:03 . 2008-06-27 20:03 51,200 --a------ C:\WINDOWS\system32\__c005B92B.dat
2008-06-27 19:56 . 2008-06-27 19:56 51,200 --a------ C:\WINDOWS\system32\__c00A2E40.dat
2008-06-27 19:54 . 2008-07-13 16:53 110,400 --a------ C:\WINDOWS\BMcb94b321.xml

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-12 00:12 --------- d-----w C:\Program Files\Warcraft III
2008-07-12 00:09 --------- d-----w C:\Program Files\Allok Video to DVD Burner
2008-07-11 09:45 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-07-11 03:38 --------- d-----w C:\Program Files\uTorrent
2008-07-02 09:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-18 14:30 --------- d-----w C:\Documents and Settings\Mann Hing\Application Data\Free Download Manager
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 01:09 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-06-07 10:21 --------- d-----w C:\Documents and Settings\Mann Hing\Application Data\uTorrent
2008-05-27 12:07 --------- d-----w C:\Documents and Settings\Mann Hing\Application Data\Printer Info Cache
2008-05-24 07:53 --------- d-----w C:\Documents and Settings\Mann Hing\Application Data\Nokia
2008-05-24 07:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-08-18 00:34 81,920 ----a-w C:\Documents and Settings\Mann Hing\Application Data\ezpinst.exe
2007-08-18 00:34 47,360 ----a-w C:\Documents and Settings\Mann Hing\Application Data\pcouffin.sys
2007-08-18 00:19 87,608 ----a-w C:\Documents and Settings\Mann Hing\Application Data\inst.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56 15360]
"mRouterConfig"="C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe" [2006-03-02 10:54 290816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 15:31 208952]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 22:00 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 22:00 455168]
"McRegWiz"="C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe" [2005-06-01 14:35 368714]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-07-15 12:50 999424]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-07-01 19:52 303104]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2005-07-08 17:46 212992]
"Styler"="C:\Program Files\Styler\Styler.exe" [2006-05-03 11:18 307200]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10 271360]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
"BootSkin Startup Jobs"="C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 15:21 270336]
"bend logo clock film"="C:\Documents and Settings\All Users\Application Data\Frag great bend logo\idol global.exe" [2008-07-13 16:51 3379200]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 10:09 63712]
"PC Suite for Smartphones"="C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe" [2007-05-28 09:14 528384]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2002-10-11 17:26 98304]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-16 11:23 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 22:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 12:10 267048]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 17:56 158208]
"BMcb94b321"="C:\WINDOWS\system32\qjualhuu.dll" [2008-07-11 20:42 90928]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 17:56 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Firefox Preloader.lnk - C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe [2008-04-29 16:50:28 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\\windows\\resources\\Logons\\8270-slate\\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McTskshd.exe"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 zebrceb;Sony Ericsson Cable Emulation Bus (WDM);C:\WINDOWS\system32\DRIVERS\zebrceb.sys [2007-04-13 07:50]
S3 dump_wmimmc;dump_wmimmc;C:\AeriaGames\Shaiya\GameGuard\dump_wmimmc.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys []
S3 zebrbus;Sony Ericsson Composite Device driver;C:\WINDOWS\system32\DRIVERS\zebrbus.sys [2007-04-13 07:50]
S3 zebrmdfl;Sony Ericsson Modem Filter;C:\WINDOWS\system32\DRIVERS\zebrmdfl.sys [2007-04-13 07:50]
S3 zebrmdm;Sony Ericsson Port (WDM);C:\WINDOWS\system32\DRIVERS\zebrmdm.sys [2007-04-13 07:50]
S3 zebrmdmc;Sony Ericsson mRouter Port (WDM);C:\WINDOWS\system32\DRIVERS\zebrmdmc.sys [2007-04-13 07:50]
S3 zebrsce;Sony Ericsson PC-Connect Port;C:\WINDOWS\system32\DRIVERS\zebrsce.sys [2007-04-13 07:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f324e77-b0d5-11dc-af6e-00112f110276}]
\Shell\Auto\command - Cn911.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97269e0c-4cab-11dc-ae46-00112f110276}]
\Shell\Auto\command - E:\Cn911.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9834301-47dd-11dc-ae2a-00112f110276}]
\Shell\Auto\command - E:\Cn911.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-07-13 05:21:05 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-c8a780bd - C:\WINDOWS\system32\sbexvrny.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-13 16:50:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\qjualhuu.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee.com\Agent\Mcdetect.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\McAfee.com\Agent\mcregwiz.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\PROGRA~1\Symbian\Shared\SYMBIA~1\SYMBIA~1.EXE
C:\PROGRA~1\Symbian\Shared\SYMBIA~1\SCBAL.exe
.
**************************************************************************
.
Completion time: 2008-07-13 17:14:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-13 07:14:10

Pre-Run: 17,861,857,280 bytes free
Post-Run: 18,048,176,128 bytes free

278 --- E O F --- 2008-06-21 00:35:51




And the final HJT log after combofix finished was:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:15:38 PM, on 13/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Styler\Styler.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\PROGRA~1\Symbian\Shared\SYMBIA~1\SYMBIA~1.EXE
C:\PROGRA~1\Symbian\Shared\SYMBIA~1\SCBAL.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [Styler] C:\Program Files\Styler\Styler.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [bend logo clock film] C:\Documents and Settings\All Users\Application Data\Frag great bend logo\idol global.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PC Suite for Smartphones] "C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [BMcb94b321] Rundll32.exe "C:\WINDOWS\system32\qjualhuu.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [mRouterConfig] "C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Firefox Preloader.lnk = C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/229?4dab94b421cb42aa993a94f9c76d9491
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/230?4dab94b421cb42aa993a94f9c76d9491
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 9685 bytes

Thanks!

pskelley
2008-07-13, 15:26
Thanks for returning your information, you said this:

so I lost the HJT log
That is not a problem; I really only need the HJT once, after all tools have been run. I usually remember to post that fact, but I guess I missed it. Comes from trying to help 50 folks at once.

You had a badly infected computer; do you know where you picked up all of this infection?

I will need your help on a few items.

1) C:\Program Files\Messenger Plus! Live <<< this is where you got the LOP/C2Media infection. I strongly suggest you uninstall that junk:
http://inetexplorer.mvps.org/answers/43.html
http://www.castlecops.com/startuplist-2034.html

2) C:\Program Files\Styler\Styler.exe <<< assure me you know this program and it is safe.

3) ComboFix has removed much junk, but it passed over some files I believe are bad. I cannot get a confirmation on these:
C:\WINDOWS\system32\__c0086A4.dat <<< look at Files Created from 2008-06-13 to 2008-07-13; there are a lot of them, all exactly the same size, just different numbers. I am 99.9% sure they are bad. If you do not know why they are there, you can scan one or more of them with one or more of these free scanners:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/
You will probably need to show hidden files and folders to see them:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
I will schedule removal; if you find something other than what I suspect, stop and make me aware.

4) You may remove NoLop from your computer. It removed the hidden part of that infection:
---Infection Files Found/Removed---
C:\WINDOWS\tasks\AA53FF2B91847E4B.job

4) C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
Return System Configuration Utility (MSConfig) to NORMAL MODE. You can return to Selective Startup when we finish.

5) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

(careful here, must be done exactly as posted!!)

6) Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\BMcb94b321.xml
C:\WINDOWS\system32\qjualhuu.dll
C:\WINDOWS\system32\vkgthqee.dll
C:\WINDOWS\system32\pswwrgxt.dll
C:\WINDOWS\system32\jcxmctyf.dll
C:\WINDOWS\system32\qjualhuu.dll
C:\WINDOWS\system32\wewuadxm.dll
C:\WINDOWS\system32\omcbhqjd.dll
C:\WINDOWS\system32\flmfckvi.dll
C:\WINDOWS\system32\yoqyfqxr.dll
C:\WINDOWS\system32\uoxmwyle.dll
C:\WINDOWS\system32\atudiopc.dll
C:\WINDOWS\system32\__c0086A4.dat
C:\WINDOWS\system32\__c004E900.dat
C:\WINDOWS\system32\__c00B4B27.dat
C:\WINDOWS\system32\__c009408B.dat
C:\WINDOWS\system32\__c003B7C6.dat
C:\WINDOWS\system32\__c007AE40.dat
C:\WINDOWS\system32\__c00F206C.dat
C:\WINDOWS\system32\__c005B6B4.dat
C:\WINDOWS\system32\__c002C152.dat
C:\WINDOWS\system32\__c00BE739.dat
C:\WINDOWS\system32\__c0070D21.dat
C:\WINDOWS\system32\__c0014338.dat
C:\WINDOWS\system32\__c007B1AA.dat
C:\WINDOWS\system32\__c001CDE4.dat
C:\WINDOWS\system32\__c004E751.dat
C:\WINDOWS\system32\__c0061238.dat
C:\WINDOWS\system32\__c00E60C9.dat
C:\WINDOWS\system32\__c005B92B.dat
C:\WINDOWS\system32\__c00A2E40.dat

Folder::
C:\NoLopBackups
C:\Documents and Settings\All Users\Application Data\Frag great bend logo

Save this as CFScript

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (Wait until you finish to post the logs.)

7) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [bend logo clock film] C:\Documents and Settings\All Users\Application Data\Frag great bend logo\idol global.exe
O4 - HKLM\..\Run: [BMcb94b321] Rundll32.exe "C:\WINDOWS\system32\qjualhuu.dll",s

Close all programs but HJT and all browser windows, then click on "Fix Checked"

8) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the combofix log from CFScript, a new HJT log and some feedback from you. How is the computer running now?

Thanks
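
A heuristic triage of HijackThis O4 lines like the ones pskelley asks to have fixed above, as an added example that is not part of the original thread and not logic from HijackThis or ComboFix: it parses the Run entries, splits each command into image path and arguments, and flags three things visible in this log: a rundll32 autostart that loads a DLL by path, an executable launched from an Application Data directory, and MSConfig running in Selective Startup. The sample lines are copied from the HJT log posted above; the rule set, the eight-lowercase-letter DLL-name pattern (a weak signal only) and the Finding type are the editor's own assumptions.

```python
"""Heuristic triage of HijackThis O4 (autostart) lines.

Added example: sample lines copied from the HJT log in this thread; the
parsing and rules are the editor's assumptions, not HijackThis/ComboFix logic.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# One O4 Run entry: hive, value name, command, optional "(User '...')" suffix.
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '[^']*'\))?$"
)
# Command forms: a quoted image path with optional switches, or a bare path
# (possibly containing spaces) that ends in an executable extension.
QUOTED_RE = re.compile(r'^"(?P<path>[^"]+)"\s*(?P<args>.*)$')
BARE_RE = re.compile(
    r"^(?P<path>.+?\.(?:exe|dll|scr|bat|cmd|pif))(?:\s+(?P<args>.*))?$", re.IGNORECASE
)
# The DLL handed to rundll32, quoted or not, and the export after the comma.
RUNDLL_ARG_RE = re.compile(r'"?(?P<dll>[^",]+\.dll)"?(?:,(?P<export>\S*))?', re.IGNORECASE)
# Weak signal (assumption): every loader DLL named in this thread is eight
# lowercase letters with no digits; legitimate DLLs can match too, so this is
# a prompt to scan the file, not a verdict.
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")
# Writable data roots; vendor autostarts normally live under Program Files or
# the Windows directory instead.
DATA_DIR_MARKERS = ("\\application data\\", "\\local settings\\temp\\", "\\temp\\")


@dataclass
class Finding:
    hive: str
    name: str
    image: str
    reasons: List[str] = field(default_factory=list)


def split_command(cmd: str) -> Tuple[str, str]:
    """Return (image path, remaining arguments) for an O4 command string."""
    m = QUOTED_RE.match(cmd) or BARE_RE.match(cmd)
    if m is None:
        return cmd.strip(), ""
    return m.group("path"), (m.group("args") or "").strip()


def assess(hive: str, name: str, cmd: str) -> Finding:
    """Apply the triage rules to one parsed Run entry."""
    image, args = split_command(cmd)
    finding = Finding(hive, name, image)
    base = image.rsplit("\\", 1)[-1].lower()

    if base == "rundll32.exe":
        m = RUNDLL_ARG_RE.search(args)
        if m:
            export = m.group("export") or "(default entry)"
            finding.reasons.append(
                f"rundll32 autostart loads {m.group('dll')} export {export!r}: "
                "identify the DLL's publisher before trusting it"
            )
            dll_base = m.group("dll").rsplit("\\", 1)[-1].lower()
            if RANDOM_DLL_RE.match(dll_base):
                finding.reasons.append(
                    "DLL name is eight letters with no digits (weak signal, scan the file)"
                )
    if any(marker in image.lower() for marker in DATA_DIR_MARKERS):
        finding.reasons.append("executable launched from a user/application data directory")
    if base == "msconfig.exe" and "/auto" in args.lower():
        finding.reasons.append(
            "MSConfig is in Selective Startup; return it to Normal when cleanup is done"
        )
    return finding


def triage(lines: List[str]) -> List[Finding]:
    """Parse O4 Run lines and keep only the entries that tripped a rule."""
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if m is None:  # Global Startup and non-O4 lines are not handled here
            continue
        finding = assess(m.group("hive"), m.group("name"), m.group("cmd"))
        if finding.reasons:
            findings.append(finding)
    return findings


# Constructed sample: lines copied from the HJT log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [Styler] C:\Program Files\Styler\Styler.exe
O4 - HKLM\..\Run: [bend logo clock film] C:\Documents and Settings\All Users\Application Data\Frag great bend logo\idol global.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [BMcb94b321] Rundll32.exe "C:\WINDOWS\system32\qjualhuu.dll",s
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - Global Startup: Firefox Preloader.lnk = C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.hive}] {f.name} -> {f.image}")
        for reason in f.reasons:
            print("    -", reason)
```

Entries with no reasons (the McAfee, Styler, iTunes and ctfmon lines) drop out, so the analyst sees only the three items that match what pskelley asked to have fixed or returned to normal; the output is a review list, and the DLL-name rule in particular needs the file scanned before anything is deleted.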

rarin
2008-07-17, 14:20
1) Windows messenger live plus! uninstalled.

2) Styler.exe is a program that changes the style of my XP to make it look like Vista. It was part of the Vista Transformation Pack. I've had it for a while (years), so I believe it to be safe.

3) I scanned some of the files with kaspersky virus scanner and they were trojans. I decided to leave them for now, but I believe combofix deleted most or all of those files.

4) Nolop removed.

5) ATF cleaner downloaded

6) Combofix log:

ComboFix 08-07-12.2 - Mann Hing 2008-07-17 20:30:43.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.148 [GMT 10:00]
Running from: C:\Documents and Settings\Mann Hing\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mann Hing\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BMcb94b321.xml
C:\WINDOWS\system32\__c0014338.dat
C:\WINDOWS\system32\__c001CDE4.dat
C:\WINDOWS\system32\__c002C152.dat
C:\WINDOWS\system32\__c003B7C6.dat
C:\WINDOWS\system32\__c004E751.dat
C:\WINDOWS\system32\__c004E900.dat
C:\WINDOWS\system32\__c005B6B4.dat
C:\WINDOWS\system32\__c005B92B.dat
C:\WINDOWS\system32\__c0061238.dat
C:\WINDOWS\system32\__c0070D21.dat
C:\WINDOWS\system32\__c007AE40.dat
C:\WINDOWS\system32\__c007B1AA.dat
C:\WINDOWS\system32\__c0086A4.dat
C:\WINDOWS\system32\__c009408B.dat
C:\WINDOWS\system32\__c00A2E40.dat
C:\WINDOWS\system32\__c00B4B27.dat
C:\WINDOWS\system32\__c00BE739.dat
C:\WINDOWS\system32\__c00E60C9.dat
C:\WINDOWS\system32\__c00F206C.dat
C:\WINDOWS\system32\atudiopc.dll
C:\WINDOWS\system32\flmfckvi.dll
C:\WINDOWS\system32\jcxmctyf.dll
C:\WINDOWS\system32\omcbhqjd.dll
C:\WINDOWS\system32\pswwrgxt.dll
C:\WINDOWS\system32\qjualhuu.dll
C:\WINDOWS\system32\uoxmwyle.dll
C:\WINDOWS\system32\vkgthqee.dll
C:\WINDOWS\system32\wewuadxm.dll
C:\WINDOWS\system32\yoqyfqxr.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Frag great bend logo
C:\Documents and Settings\All Users\Application Data\Frag great bend logo\idol global.exe
C:\NoLopBackups
C:\NoLopBackups\AA53FF2B91847E4B.job.01.infected
C:\WINDOWS\BMcb94b321.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\__c0014338.dat
C:\WINDOWS\system32\__c001CDE4.dat
C:\WINDOWS\system32\__c002C152.dat
C:\WINDOWS\system32\__c003B7C6.dat
C:\WINDOWS\system32\__c004E751.dat
C:\WINDOWS\system32\__c004E900.dat
C:\WINDOWS\system32\__c005B6B4.dat
C:\WINDOWS\system32\__c005B92B.dat
C:\WINDOWS\system32\__c0061238.dat
C:\WINDOWS\system32\__c0070D21.dat
C:\WINDOWS\system32\__c007AE40.dat
C:\WINDOWS\system32\__c007B1AA.dat
C:\WINDOWS\system32\__c0086A4.dat
C:\WINDOWS\system32\__c009408B.dat
C:\WINDOWS\system32\__c00A2E40.dat
C:\WINDOWS\system32\__c00B4B27.dat
C:\WINDOWS\system32\__c00BE739.dat
C:\WINDOWS\system32\__c00E60C9.dat
C:\WINDOWS\system32\__c00F206C.dat
C:\WINDOWS\system32\atudiopc.dll
C:\WINDOWS\system32\flmfckvi.dll
C:\WINDOWS\system32\jcxmctyf.dll
C:\WINDOWS\system32\omcbhqjd.dll
C:\WINDOWS\system32\pswwrgxt.dll
C:\WINDOWS\system32\qjualhuu.dll
C:\WINDOWS\system32\uoxmwyle.dll
C:\WINDOWS\system32\vkgthqee.dll
C:\WINDOWS\system32\wewuadxm.dll
C:\WINDOWS\system32\yoqyfqxr.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-17 to 2008-07-17 )))))))))))))))))))))))))))))))
.

2008-07-14 20:53 . 2008-07-14 20:53 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-07-13 22:11 . 2008-04-23 14:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-07-13 22:11 . 2007-04-17 19:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-07-13 22:11 . 2007-03-08 15:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-07-13 22:11 . 2008-04-23 14:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-07-13 22:11 . 2008-04-23 14:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-07-13 22:11 . 2008-04-23 14:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-07-13 22:11 . 2008-04-23 14:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-07-13 22:11 . 2008-04-23 14:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-07-13 22:11 . 2008-04-22 17:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-07-12 10:28 . 2008-07-12 10:28 <DIR> d-------- C:\Program Files\CCleaner
2008-07-11 14:42 . 2008-07-11 14:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-11 13:53 . 2008-07-11 13:54 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-11 13:53 . 2008-07-11 14:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-11 12:45 . 2008-07-11 12:45 <DIR> d-------- C:\Documents and Settings\Mann Hing\Application Data\True Sword
2008-07-10 15:57 . 2008-07-10 15:57 <DIR> d-------- C:\Documents and Settings\Poh Hong\Phone Browser
2008-07-08 08:21 . 2008-07-08 08:21 <DIR> d-------- C:\Program Files\StepMania CVS
2008-07-07 09:20 . 2008-07-11 15:17 <DIR> d-------- C:\Program Files\StepMania
2008-07-02 08:22 . 2008-07-17 20:41 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-02 08:22 . 2008-07-02 08:22 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-12 00:12 --------- d-----w C:\Program Files\Warcraft III
2008-07-12 00:09 --------- d-----w C:\Program Files\Allok Video to DVD Burner
2008-07-11 03:38 --------- d-----w C:\Program Files\uTorrent
2008-07-02 09:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-18 14:30 --------- d-----w C:\Documents and Settings\Mann Hing\Application Data\Free Download Manager
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 01:09 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-06-07 10:21 --------- d-----w C:\Documents and Settings\Mann Hing\Application Data\uTorrent
2008-05-27 12:07 --------- d-----w C:\Documents and Settings\Mann Hing\Application Data\Printer Info Cache
2008-05-24 07:53 --------- d-----w C:\Documents and Settings\Mann Hing\Application Data\Nokia
2008-05-24 07:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2007-08-18 00:34 81,920 ----a-w C:\Documents and Settings\Mann Hing\Application Data\ezpinst.exe
2007-08-18 00:34 47,360 ----a-w C:\Documents and Settings\Mann Hing\Application Data\pcouffin.sys
2007-08-18 00:19 87,608 ----a-w C:\Documents and Settings\Mann Hing\Application Data\inst.exe
.

((((((((((((((((((((((((((((( snapshot@2008-07-13_17.13.51.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-02-26 11:48:44 297,984 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\SP2QFE\msctf.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\updspapi.dll
+ 2007-07-12 23:28:55 765,952 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\SP2QFE\vgx.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\update\updspapi.dll
- 2008-07-13 06:49:48 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-17 10:38:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\updspapi.dll
+ 2007-08-13 08:54:10 765,952 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\vgx.dll
+ 2007-08-13 08:39:00 123,904 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\advpack.dll
+ 2007-08-13 08:35:46 346,624 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\dxtmsft.dll
+ 2007-08-13 08:35:38 214,528 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\dxtrans.dll
+ 2007-08-13 08:54:10 131,584 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\extmgr.dll
+ 2007-08-13 08:36:26 61,952 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\icardie.dll
+ 2007-08-13 08:39:06 54,784 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ie4uinit.exe
+ 2007-08-13 08:39:26 152,064 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieakeng.dll
+ 2007-08-13 08:39:54 229,376 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieaksie.dll
+ 2007-08-13 07:56:54 161,792 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieakui.dll
+ 2007-02-12 06:10:12 2,451,312 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieapfltr.dat
+ 2007-07-11 02:27:48 383,488 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieapfltr.dll
+ 2007-08-13 08:39:50 382,976 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iedkcs32.dll
+ 2007-08-13 08:54:10 6,049,280 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieframe.dll
+ 2007-08-13 08:39:10 43,008 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iernonce.dll
+ 2007-08-13 08:34:04 266,752 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iertutil.dll
+ 2007-08-13 08:39:10 13,312 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieudinit.exe
+ 2007-08-13 08:43:56 622,080 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iexplore.exe
+ 2007-08-13 08:54:10 27,136 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\jsproxy.dll
+ 2007-08-13 08:54:10 458,752 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msfeeds.dll
+ 2007-08-13 08:54:10 50,688 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msfeedsbs.dll
+ 2007-08-13 08:54:12 3,578,368 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mshtml.dll
+ 2007-08-13 08:54:10 475,648 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mshtmled.dll
+ 2007-08-13 08:44:26 192,000 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msrating.dll
+ 2007-08-13 08:54:10 670,720 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mstime.dll
+ 2007-08-13 08:44:06 101,376 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\occache.dll
+ 2007-08-13 08:36:12 44,544 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\pngfilt.dll
+ 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\updspapi.dll
+ 2007-08-13 08:44:30 105,984 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\url.dll
+ 2007-08-13 08:54:10 1,162,240 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\urlmon.dll
+ 2007-08-13 08:54:10 231,424 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\webcheck.dll
+ 2007-08-13 08:54:10 818,688 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\wininet.dll
+ 2007-03-22 07:07:56 91,488 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\ADDRPARS.DLL
+ 2007-04-19 01:53:52 127,328 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\IMPMAIL.DLL
+ 2007-04-19 01:53:44 106,336 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\OUTLMIME.DLL
+ 2007-03-22 07:07:10 41,824 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\RECALL.DLL
+ 2007-03-22 07:07:54 78,168 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\RM.DLL
+ 2007-03-22 07:22:02 103,264 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\TRANSMGR.DLL
- 2008-06-15 11:32:14 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2008-07-14 10:57:09 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2008-06-15 11:32:14 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-07-14 10:57:09 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-06-15 11:32:15 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2008-07-14 10:57:09 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2008-06-15 11:32:14 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-07-14 10:57:09 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-06-15 11:32:15 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-07-14 10:57:09 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-06-15 11:32:15 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-07-14 10:57:09 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-06-15 11:32:15 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-07-14 10:57:09 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-06-15 11:32:15 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-07-14 10:57:09 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-06-15 11:32:14 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-07-14 10:57:09 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-06-15 11:32:14 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-07-14 10:57:09 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2008-06-15 11:32:15 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-07-14 10:57:09 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-06-15 11:32:14 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-07-14 10:57:09 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-06-15 11:32:14 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-07-14 10:57:09 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2007-08-13 08:39:00 123,904 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2008-04-23 04:16:28 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
- 2007-08-13 08:39:00 123,904 -c----w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2008-04-23 04:16:28 124,928 -c----w C:\WINDOWS\system32\dllcache\advpack.dll
- 2007-08-13 08:35:46 346,624 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-04-23 04:16:28 347,136 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2007-08-13 08:35:38 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-04-23 04:16:28 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-08-13 08:54:10 131,584 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-04-23 04:16:28 133,120 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2007-08-13 08:39:06 54,784 -c----w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2008-04-22 07:39:58 70,656 -c----w C:\WINDOWS\system32\dllcache\ie4uinit.exe
- 2007-08-13 08:39:26 152,064 -c----w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2008-04-23 04:16:28 153,088 -c----w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2007-08-13 08:39:54 229,376 -c----w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2008-04-23 04:16:28 230,400 -c----w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2007-08-13 07:56:54 161,792 -c----w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2008-04-20 05:07:51 161,792 -c----w C:\WINDOWS\system32\dllcache\ieakui.dll
- 2007-08-13 08:39:50 382,976 -c----w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2008-04-23 04:16:28 384,512 -c----w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2007-08-13 08:39:10 43,008 -c----w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2008-04-23 04:16:28 44,544 -c----w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2007-08-13 08:43:56 622,080 -c----w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2008-04-22 07:40:18 625,664 -c----w C:\WINDOWS\system32\dllcache\iexplore.exe
- 2007-08-13 08:54:10 27,136 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-04-23 04:16:28 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-02-26 11:59:50 294,912 -c----w C:\WINDOWS\system32\dllcache\msctf.dll
- 2007-08-13 08:54:12 3,578,368 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-04-23 12:16:30 3,591,680 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2007-08-13 08:54:10 475,648 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-04-23 04:16:28 478,208 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2007-08-13 08:44:26 192,000 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-04-23 04:16:28 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2007-08-13 08:54:10 670,720 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-04-23 04:16:28 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2007-08-13 08:44:06 101,376 -c----w C:\WINDOWS\system32\dllcache\occache.dll
+ 2008-04-23 04:16:28 102,912 -c----w C:\WINDOWS\system32\dllcache\occache.dll
- 2007-08-13 08:36:12 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-04-23 04:16:28 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2007-08-13 08:44:30 105,984 -c----w C:\WINDOWS\system32\dllcache\url.dll
+ 2008-04-23 04:16:28 105,984 -c----w C:\WINDOWS\system32\dllcache\url.dll
- 2007-08-13 08:54:10 1,162,240 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-04-23 04:16:29 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2007-08-13 08:54:10 765,952 -c--a-w C:\WINDOWS\system32\dllcache\VGX.dll
+ 2007-07-12 23:31:54 765,952 -c--a-w C:\WINDOWS\system32\dllcache\vgx.dll
- 2007-08-13 08:54:10 231,424 -c----w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2008-04-23 04:16:29 233,472 -c----w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2007-08-13 08:54:10 818,688 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-04-23 04:16:29 826,368 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2007-08-13 08:35:46 346,624 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-04-23 04:16:28 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2007-08-13 08:35:38 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-04-23 04:16:28 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-08-13 08:54:10 131,584 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2008-04-23 04:16:28 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2007-08-13 08:36:26 61,952 ----a-w C:\WINDOWS\system32\icardie.dll
+ 2008-04-23 04:16:28 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2007-08-13 08:39:06 54,784 ----a-w C:\WINDOWS\system32\ie4uinit.exe
+ 2008-04-22 07:39:58 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
- 2007-08-13 08:39:26 152,064 ----a-w C:\WINDOWS\system32\ieakeng.dll
+ 2008-04-23 04:16:28 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
- 2007-08-13 08:39:54 229,376 ----a-w C:\WINDOWS\system32\ieaksie.dll
+ 2008-04-23 04:16:28 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
- 2007-08-13 07:56:54 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
+ 2008-04-20 05:07:51 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
- 2007-02-12 06:10:12 2,451,312 ----a-w C:\WINDOWS\system32\ieapfltr.dat
+ 2007-04-17 09:32:38 2,455,488 ----a-w C:\WINDOWS\system32\ieapfltr.dat
- 2007-07-11 02:27:48 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
+ 2008-04-23 04:16:28 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2007-08-13 08:39:50 382,976 ----a-w C:\WINDOWS\system32\iedkcs32.dll
+ 2008-04-23 04:16:28 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
- 2007-08-13 08:54:10 6,049,280 ----a-w C:\WINDOWS\system32\ieframe.dll
+ 2008-04-23 04:16:28 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2007-08-13 08:39:10 43,008 ----a-w C:\WINDOWS\system32\iernonce.dll
+ 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
- 2007-08-13 08:34:04 266,752 ----a-w C:\WINDOWS\system32\iertutil.dll
+ 2008-04-23 04:16:28 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2007-08-13 08:39:10 13,312 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2008-04-22 07:39:58 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
- 2007-08-13 08:54:10 27,136 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-04-23 04:16:28 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2004-08-04 07:56:42 294,400 ----a-w C:\WINDOWS\system32\msctf.dll
+ 2008-02-26 11:59:50 294,912 ----a-w C:\WINDOWS\system32\msctf.dll
- 2007-08-13 08:54:10 458,752 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2008-04-23 04:16:28 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2007-08-13 08:54:10 50,688 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2008-04-23 04:16:28 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
- 2007-08-13 08:54:12 3,578,368 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-04-23 12:16:30 3,591,680 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-08-13 08:54:10 475,648 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-04-23 04:16:28 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2007-08-13 08:44:26 192,000 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2008-04-23 04:16:28 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
- 2007-08-13 08:54:10 670,720 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2008-04-23 04:16:28 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
- 2007-08-13 08:44:06 101,376 ----a-w C:\WINDOWS\system32\occache.dll
+ 2008-04-23 04:16:28 102,912 ----a-w C:\WINDOWS\system32\occache.dll
- 2007-08-13 08:36:12 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2007-08-13 08:44:30 105,984 ----a-w C:\WINDOWS\system32\url.dll
+ 2008-04-23 04:16:28 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2007-08-13 08:54:10 1,162,240 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-04-23 04:16:29 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2007-08-13 08:54:10 231,424 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2008-04-23 04:16:29 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56 15360]
"mRouterConfig"="C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe" [2006-03-02 10:54 290816]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 10:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 15:31 208952]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 22:00 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 22:00 455168]
"McRegWiz"="C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe" [2005-06-01 14:35 368714]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-07-15 12:50 999424]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-07-01 19:52 303104]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2005-07-08 17:46 212992]
"Styler"="C:\Program Files\Styler\Styler.exe" [2006-05-03 11:18 307200]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10 271360]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
"BootSkin Startup Jobs"="C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 15:21 270336]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 10:09 63712]
"PC Suite for Smartphones"="C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe" [2007-05-28 09:14 528384]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2002-10-11 17:26 98304]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-16 11:23 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 22:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 12:10 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 17:56 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Firefox Preloader.lnk - C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe [2008-04-29 16:50:28 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\\windows\\resources\\Logons\\8270-slate\\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 zebrceb;Sony Ericsson Cable Emulation Bus (WDM);C:\WINDOWS\system32\DRIVERS\zebrceb.sys [2007-04-13 07:50]
S3 dump_wmimmc;dump_wmimmc;C:\AeriaGames\Shaiya\GameGuard\dump_wmimmc.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys []
S3 zebrbus;Sony Ericsson Composite Device driver;C:\WINDOWS\system32\DRIVERS\zebrbus.sys [2007-04-13 07:50]
S3 zebrmdfl;Sony Ericsson Modem Filter;C:\WINDOWS\system32\DRIVERS\zebrmdfl.sys [2007-04-13 07:50]
S3 zebrmdm;Sony Ericsson Port (WDM);C:\WINDOWS\system32\DRIVERS\zebrmdm.sys [2007-04-13 07:50]
S3 zebrmdmc;Sony Ericsson mRouter Port (WDM);C:\WINDOWS\system32\DRIVERS\zebrmdmc.sys [2007-04-13 07:50]
S3 zebrsce;Sony Ericsson PC-Connect Port;C:\WINDOWS\system32\DRIVERS\zebrsce.sys [2007-04-13 07:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f324e77-b0d5-11dc-af6e-00112f110276}]
\Shell\Auto\command - Cn911.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97269e0c-4cab-11dc-ae46-00112f110276}]
\Shell\Auto\command - E:\Cn911.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9834301-47dd-11dc-ae2a-00112f110276}]
\Shell\Auto\command - E:\Cn911.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-07-17 10:21:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-bend logo clock film - C:\Documents and Settings\All Users\Application Data\Frag great bend logo\idol global.exe
HKLM-Run-BMcb94b321 - C:\WINDOWS\system32\qjualhuu.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-17 20:39:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\explorer.exe [2032] 0x82101488

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee.com\Agent\Mcdetect.exe
C:\PROGRA~1\McAfee.com\Agent\McTskshd.exe
C:\Program Files\McAfee.com\Agent\mcregwiz.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\PROGRA~1\Symbian\Shared\SYMBIA~1\SYMBIA~1.EXE
C:\PROGRA~1\Symbian\Shared\SYMBIA~1\SCBAL.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-07-17 21:01:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-17 11:01:39
ComboFix2.txt 2008-07-13 07:14:17

Pre-Run: 21,339,578,368 bytes free
Post-Run: 21,345,034,240 bytes free

422 --- E O F --- 2008-07-14 10:57:26


7) R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
Only this line was available to be checked. The other ones:

O4 - HKLM\..\Run: [bend logo clock film] C:\Documents and Settings\All Users\Application Data\Frag great bend logo\idol global.exe
O4 - HKLM\..\Run: [BMcb94b321] Rundll32.exe "C:\WINDOWS\system32\qjualhuu.dll",s

weren't located in the box.

8) To be done soon!

pskelley
2008-07-23, 17:10
8) To be done soon!

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.