This was my nolop log:
NoLop! Log by Skate_Punk_21
Fix running from: C:\Documents and Settings\Mann Hing\Desktop
[13/07/2008]
[3:06:12 PM]
---Infection Files Found/Removed---
C:\WINDOWS\tasks\AA53FF2B91847E4B.job
Beginning Removal...
Rebooting...
Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**
---Listing AppData sub directories---
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Apple
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Avg7
C:\Documents and Settings\All Users\Application Data\Flexnet
C:\Documents and Settings\All Users\Application Data\Frag Great Bend Logo
C:\Documents and Settings\All Users\Application Data\Google
C:\Documents and Settings\All Users\Application Data\Grisoft
C:\Documents and Settings\All Users\Application Data\Installations
C:\Documents and Settings\All Users\Application Data\Installshield
C:\Documents and Settings\All Users\Application Data\Mcafee.com
C:\Documents and Settings\All Users\Application Data\Mcafee.com Personal Firewall
C:\Documents and Settings\All Users\Application Data\Messenger Plus!
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Msscanappdatadir
C:\Documents and Settings\All Users\Application Data\Pc Suite
C:\Documents and Settings\All Users\Application Data\Sony Ericsson
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Superantispyware.com
C:\Documents and Settings\All Users\Application Data\Teleca
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
C:\Documents and Settings\All Users\Application Data\Wlinstaller
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Localservice\Application Data\Avg7 -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Mcafee.com Personal Firewall
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Mann Hing\Application Data\Adobe
C:\Documents and Settings\Mann Hing\Application Data\Apple Computer
C:\Documents and Settings\Mann Hing\Application Data\Autopoweron
C:\Documents and Settings\Mann Hing\Application Data\Avg7
C:\Documents and Settings\Mann Hing\Application Data\Deepburner
C:\Documents and Settings\Mann Hing\Application Data\Dvdcss
C:\Documents and Settings\Mann Hing\Application Data\Free Download Manager
C:\Documents and Settings\Mann Hing\Application Data\Gtk-2.0
C:\Documents and Settings\Mann Hing\Application Data\Hamachi
C:\Documents and Settings\Mann Hing\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Mann Hing\Application Data\Identities
C:\Documents and Settings\Mann Hing\Application Data\Image Zone Express
C:\Documents and Settings\Mann Hing\Application Data\Macromedia
C:\Documents and Settings\Mann Hing\Application Data\Mcafee.com Personal Firewall
C:\Documents and Settings\Mann Hing\Application Data\Media Player Classic
C:\Documents and Settings\Mann Hing\Application Data\Microsoft
C:\Documents and Settings\Mann Hing\Application Data\Mozilla
C:\Documents and Settings\Mann Hing\Application Data\Nokia
C:\Documents and Settings\Mann Hing\Application Data\Nokia Multimedia Player
C:\Documents and Settings\Mann Hing\Application Data\Pc Suite
C:\Documents and Settings\Mann Hing\Application Data\Printer Info Cache
C:\Documents and Settings\Mann Hing\Application Data\Real
C:\Documents and Settings\Mann Hing\Application Data\Sodabush
C:\Documents and Settings\Mann Hing\Application Data\Sony Ericsson
C:\Documents and Settings\Mann Hing\Application Data\Styler
C:\Documents and Settings\Mann Hing\Application Data\Superantispyware.com -- EMPTY Directory
C:\Documents and Settings\Mann Hing\Application Data\Teleca
C:\Documents and Settings\Mann Hing\Application Data\Thirdfile
C:\Documents and Settings\Mann Hing\Application Data\True Sword -- EMPTY Directory
C:\Documents and Settings\Mann Hing\Application Data\Utorrent
C:\Documents and Settings\Mann Hing\Application Data\Vlc
C:\Documents and Settings\Mann Hing\Application Data\Vso
C:\Documents and Settings\Mann Hing\Application Data\Whenu
C:\Documents and Settings\Mann Hing\Application Data\Winrar -- EMPTY Directory
C:\Documents and Settings\Networkservice\Application Data\Microsoft
C:\Documents and Settings\Poh Hong\Application Data\Adobe
C:\Documents and Settings\Poh Hong\Application Data\Avg7
C:\Documents and Settings\Poh Hong\Application Data\Grisoft
C:\Documents and Settings\Poh Hong\Application Data\Identities
C:\Documents and Settings\Poh Hong\Application Data\Macromedia
C:\Documents and Settings\Poh Hong\Application Data\Mcafee.com Personal Firewall
C:\Documents and Settings\Poh Hong\Application Data\Microsoft
C:\Documents and Settings\Poh Hong\Application Data\Mozilla
C:\Documents and Settings\Poh Hong\Application Data\Pc Suite
C:\Documents and Settings\Poh Hong\Application Data\Real
C:\Documents and Settings\Poh Hong\Application Data\Sony Ericsson
C:\Documents and Settings\Poh Hong\Application Data\Styler
C:\Documents and Settings\Poh Hong\Application Data\Teleca
C:\Documents and Settings\Weng Khor\Application Data\Avg7
C:\Documents and Settings\Weng Khor\Application Data\Identities
C:\Documents and Settings\Weng Khor\Application Data\Macromedia
C:\Documents and Settings\Weng Khor\Application Data\Mcafee.com Personal Firewall -- EMPTY Directory
C:\Documents and Settings\Weng Khor\Application Data\Microsoft
C:\Documents and Settings\Weng Khor\Application Data\Mozilla
C:\Documents and Settings\Weng Khor\Application Data\Pc Suite
C:\Documents and Settings\Weng Khor\Application Data\Real
C:\Documents and Settings\Weng Khor\Application Data\Sony Ericsson
C:\Documents and Settings\Weng Khor\Application Data\Styler
C:\Documents and Settings\Weng Khor\Application Data\Teleca
C:\Documents and Settings\Weng Khor\Application Data\Vlc
Er, I had to do a reboot and didn't manage to save the HJT log which I did after the nolop scan... (I was about to post it, but decided to do everything at once, and proceeded with the combofix. During combofix it said I had to reboot the computer and the internet connection was lost, so I lost the HJT log).
The combofix log was:
ComboFix 08-07-12.2 - Mann Hing 2008-07-13 16:33:35.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.142 [GMT 10:00]
Running from: C:\Documents and Settings\Mann Hing\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BMcb94b321.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aenuajsr.dll
C:\WINDOWS\system32\btqlxruf.dll
C:\WINDOWS\system32\ckxmbotk.dll
C:\WINDOWS\system32\cmekvskj.dll
C:\WINDOWS\system32\cpoiduta.ini
C:\WINDOWS\system32\dayjfcpv.dll
C:\WINDOWS\system32\dbfekwta.dll
C:\WINDOWS\system32\ddvfjbfm.dll
C:\WINDOWS\system32\dgnwjmme.dll
C:\WINDOWS\system32\dowsnvva.dll
C:\WINDOWS\system32\dtuawrdn.dll
C:\WINDOWS\system32\dvskcvdv.dll
C:\WINDOWS\system32\elwcqkjq.dll
C:\WINDOWS\system32\euinawsn.ini
C:\WINDOWS\system32\fccaBTkl.dll
C:\WINDOWS\system32\ffpyqcdg.dll
C:\WINDOWS\system32\foovwsht.ini
C:\WINDOWS\system32\fuihkimt.dll
C:\WINDOWS\system32\furxlqtb.ini
C:\WINDOWS\system32\fytcmxcj.ini
C:\WINDOWS\system32\ghmetiys.dll
C:\WINDOWS\system32\gljvsqvn.ini
C:\WINDOWS\system32\gtmnaspp.dll
C:\WINDOWS\system32\iksalyxy.dll
C:\WINDOWS\system32\ipgieflv.dll
C:\WINDOWS\system32\iqxllonx.dll
C:\WINDOWS\system32\ixumsbda.dll
C:\WINDOWS\system32\jhabtbev.dll
C:\WINDOWS\system32\jklklnnn.ini
C:\WINDOWS\system32\jklklnnn.ini2
C:\WINDOWS\system32\jtdlybrw.dll
C:\WINDOWS\system32\jvhrmfuy.dll
C:\WINDOWS\system32\ktayxobw.dll
C:\WINDOWS\system32\kvddptww.dll
C:\WINDOWS\system32\kvhcweyn.dll
C:\WINDOWS\system32\ldpglhxs.dll
C:\WINDOWS\system32\lmnpsgcv.dll
C:\WINDOWS\system32\lxbcpvyk.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mhmkgvif.dll
C:\WINDOWS\system32\ndhtwxux.dll
C:\WINDOWS\system32\nluvxpwb.dll
C:\WINDOWS\system32\nnnlklkj.dll
C:\WINDOWS\system32\nqtebvvk.dll
C:\WINDOWS\system32\nvqsvjlg.dll
C:\WINDOWS\system32\nytlapnx.dll
C:\WINDOWS\system32\oowpnsqc.dll
C:\WINDOWS\system32\ppsanmtg.ini
C:\WINDOWS\system32\pujeohhv.dll
C:\WINDOWS\system32\rpkjwwxd.dll
C:\WINDOWS\system32\rxqfyqoy.ini
C:\WINDOWS\system32\slphakdn.dll
C:\WINDOWS\system32\susliopg.dll
C:\WINDOWS\system32\tbkcmpwk.dll
C:\WINDOWS\system32\tcauvqgo.dll
C:\WINDOWS\system32\txgrwwsp.ini
C:\WINDOWS\system32\uouwwopj.dll
C:\WINDOWS\system32\venvctpt.dll
C:\WINDOWS\system32\vhhoejup.ini
C:\WINDOWS\system32\vhoawdje.dll
C:\WINDOWS\system32\vjlbrtnb.dll
C:\WINDOWS\system32\vkhedppe.dll
C:\WINDOWS\system32\votmhcrw.dll
C:\WINDOWS\system32\vpcfjyad.ini
C:\WINDOWS\system32\vuyeosux.dll
C:\WINDOWS\system32\vwhtywwc.dll
C:\WINDOWS\system32\warrrxdc.dll
C:\WINDOWS\system32\wbivavvs.dll
C:\WINDOWS\system32\wbpdwypm.dll
C:\WINDOWS\system32\wcxyxdgw.dll
C:\WINDOWS\system32\wqsuxymo.dll
C:\WINDOWS\system32\wvxcdhck.dll
C:\WINDOWS\system32\xhgrsdjy.dll
C:\WINDOWS\system32\xiulcifq.dll
C:\WINDOWS\system32\xnpaltyn.ini
C:\WINDOWS\system32\xqhckxbj.dll
C:\WINDOWS\system32\xwikxjgc.dll
C:\WINDOWS\system32\xyvltwjp.dll
C:\WINDOWS\system32\yjdsrghx.ini
C:\WINDOWS\system32\ykoatxxq.dll
C:\WINDOWS\system32\ynrvxebs.ini
C:\WINDOWS\system32\ypqfhshj.dll
C:\WINDOWS\system32\yxylaski.ini
H:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-06-13 to 2008-07-13 )))))))))))))))))))))))))))))))
.
2008-07-13 16:13 . 2008-07-13 16:21 <DIR> d-------- C:\NoLopBackups
2008-07-12 20:45 . 2008-07-12 20:45 51,200 --a------ C:\WINDOWS\system32\__c0086A4.dat
2008-07-12 20:42 . 2008-07-12 20:42 90,992 --a------ C:\WINDOWS\system32\vkgthqee.dll
2008-07-12 20:42 . 2008-07-12 20:42 81,152 --a------ C:\WINDOWS\system32\pswwrgxt.dll
2008-07-12 10:28 . 2008-07-12 10:28 <DIR> d-------- C:\Program Files\CCleaner
2008-07-11 20:45 . 2008-07-11 20:45 81,168 --a------ C:\WINDOWS\system32\jcxmctyf.dll
2008-07-11 20:42 . 2008-07-11 20:42 90,928 --a------ C:\WINDOWS\system32\qjualhuu.dll
2008-07-11 14:42 . 2008-07-11 14:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-11 13:53 . 2008-07-11 13:54 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-11 13:53 . 2008-07-11 14:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-11 12:45 . 2008-07-11 12:45 <DIR> d-------- C:\Documents and Settings\Mann Hing\Application Data\True Sword
2008-07-10 20:40 . 2008-07-10 20:40 90,912 --a------ C:\WINDOWS\system32\wewuadxm.dll
2008-07-10 20:40 . 2008-07-10 20:40 51,200 --a------ C:\WINDOWS\system32\__c004E900.dat
2008-07-10 15:57 . 2008-07-10 15:57 <DIR> d-------- C:\Documents and Settings\Poh Hong\Phone Browser
2008-07-09 20:38 . 2008-07-09 20:38 90,816 --a------ C:\WINDOWS\system32\omcbhqjd.dll
2008-07-09 20:37 . 2008-07-09 20:37 51,200 --a------ C:\WINDOWS\system32\__c00B4B27.dat
2008-07-09 20:32 . 2008-07-09 20:32 90,816 --a------ C:\WINDOWS\system32\flmfckvi.dll
2008-07-09 20:32 . 2008-07-09 20:32 81,184 --a------ C:\WINDOWS\system32\yoqyfqxr.dll
2008-07-08 20:30 . 2008-07-08 20:30 90,880 --a------ C:\WINDOWS\system32\uoxmwyle.dll
2008-07-08 20:30 . 2008-07-08 20:30 81,104 --a------ C:\WINDOWS\system32\atudiopc.dll
2008-07-08 08:21 . 2008-07-08 08:21 <DIR> d-------- C:\Program Files\StepMania CVS
2008-07-07 20:44 . 2008-07-07 20:44 51,200 --a------ C:\WINDOWS\system32\__c009408B.dat
2008-07-07 20:41 . 2008-07-07 20:41 51,200 --a------ C:\WINDOWS\system32\__c003B7C6.dat
2008-07-07 20:38 . 2008-07-07 20:38 51,200 --a------ C:\WINDOWS\system32\__c007AE40.dat
2008-07-07 09:20 . 2008-07-11 15:17 <DIR> d-------- C:\Program Files\StepMania
2008-07-06 20:33 . 2008-07-06 20:33 51,200 --a------ C:\WINDOWS\system32\__c00F206C.dat
2008-07-05 20:32 . 2008-07-05 20:32 51,200 --a------ C:\WINDOWS\system32\__c005B6B4.dat
2008-07-04 20:30 . 2008-07-04 20:30 51,200 --a------ C:\WINDOWS\system32\__c002C152.dat
2008-07-03 20:26 . 2008-07-03 20:26 51,200 --a------ C:\WINDOWS\system32\__c00BE739.dat
2008-07-03 20:26 . 2008-07-03 20:26 51,200 --a------ C:\WINDOWS\system32\__c0070D21.dat
2008-07-03 20:25 . 2008-07-03 20:25 51,200 --a------ C:\WINDOWS\system32\__c0014338.dat
2008-07-02 20:31 . 2008-07-02 20:31 51,200 --a------ C:\WINDOWS\system32\__c007B1AA.dat
2008-07-02 08:22 . 2008-07-13 16:50 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-02 08:22 . 2008-07-02 08:22 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-01 20:27 . 2008-07-01 20:27 51,200 --a------ C:\WINDOWS\system32\__c001CDE4.dat
2008-06-30 20:07 . 2008-06-30 20:07 51,200 --a------ C:\WINDOWS\system32\__c004E751.dat
2008-06-29 20:06 . 2008-06-29 20:06 51,200 --a------ C:\WINDOWS\system32\__c0061238.dat
2008-06-28 20:06 . 2008-06-28 20:06 51,200 --a------ C:\WINDOWS\system32\__c00E60C9.dat
2008-06-27 20:03 . 2008-06-27 20:03 51,200 --a------ C:\WINDOWS\system32\__c005B92B.dat
2008-06-27 19:56 . 2008-06-27 19:56 51,200 --a------ C:\WINDOWS\system32\__c00A2E40.dat
2008-06-27 19:54 . 2008-07-13 16:53 110,400 --a------ C:\WINDOWS\BMcb94b321.xml
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-12 00:12 --------- d-----w C:\Program Files\Warcraft III
2008-07-12 00:09 --------- d-----w C:\Program Files\Allok Video to DVD Burner
2008-07-11 09:45 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-07-11 03:38 --------- d-----w C:\Program Files\uTorrent
2008-07-02 09:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-18 14:30 --------- d-----w C:\Documents and Settings\Mann Hing\Application Data\Free Download Manager
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 01:09 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-06-07 10:21 --------- d-----w C:\Documents and Settings\Mann Hing\Application Data\uTorrent
2008-05-27 12:07 --------- d-----w C:\Documents and Settings\Mann Hing\Application Data\Printer Info Cache
2008-05-24 07:53 --------- d-----w C:\Documents and Settings\Mann Hing\Application Data\Nokia
2008-05-24 07:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-08-18 00:34 81,920 ----a-w C:\Documents and Settings\Mann Hing\Application Data\ezpinst.exe
2007-08-18 00:34 47,360 ----a-w C:\Documents and Settings\Mann Hing\Application Data\pcouffin.sys
2007-08-18 00:19 87,608 ----a-w C:\Documents and Settings\Mann Hing\Application Data\inst.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56 15360]
"mRouterConfig"="C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe" [2006-03-02 10:54 290816]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 15:31 208952]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 22:00 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 22:00 455168]
"McRegWiz"="C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe" [2005-06-01 14:35 368714]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-07-15 12:50 999424]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-07-01 19:52 303104]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2005-07-08 17:46 212992]
"Styler"="C:\Program Files\Styler\Styler.exe" [2006-05-03 11:18 307200]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10 271360]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
"BootSkin Startup Jobs"="C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 15:21 270336]
"bend logo clock film"="C:\Documents and Settings\All Users\Application Data\Frag great bend logo\idol global.exe" [2008-07-13 16:51 3379200]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 10:09 63712]
"PC Suite for Smartphones"="C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe" [2007-05-28 09:14 528384]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2002-10-11 17:26 98304]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-16 11:23 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 22:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 12:10 267048]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 17:56 158208]
"BMcb94b321"="C:\WINDOWS\system32\qjualhuu.dll" [2008-07-11 20:42 90928]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 17:56 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Firefox Preloader.lnk - C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe [2008-04-29 16:50:28 98304]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\\windows\\resources\\Logons\\8270-slate\\logonui.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McTskshd.exe"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R3 zebrceb;Sony Ericsson Cable Emulation Bus (WDM);C:\WINDOWS\system32\DRIVERS\zebrceb.sys [2007-04-13 07:50]
S3 dump_wmimmc;dump_wmimmc;C:\AeriaGames\Shaiya\GameGuard\dump_wmimmc.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys []
S3 zebrbus;Sony Ericsson Composite Device driver;C:\WINDOWS\system32\DRIVERS\zebrbus.sys [2007-04-13 07:50]
S3 zebrmdfl;Sony Ericsson Modem Filter;C:\WINDOWS\system32\DRIVERS\zebrmdfl.sys [2007-04-13 07:50]
S3 zebrmdm;Sony Ericsson Port (WDM);C:\WINDOWS\system32\DRIVERS\zebrmdm.sys [2007-04-13 07:50]
S3 zebrmdmc;Sony Ericsson mRouter Port (WDM);C:\WINDOWS\system32\DRIVERS\zebrmdmc.sys [2007-04-13 07:50]
S3 zebrsce;Sony Ericsson PC-Connect Port;C:\WINDOWS\system32\DRIVERS\zebrsce.sys [2007-04-13 07:50]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f324e77-b0d5-11dc-af6e-00112f110276}]
\Shell\Auto\command - Cn911.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97269e0c-4cab-11dc-ae46-00112f110276}]
\Shell\Auto\command - E:\Cn911.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9834301-47dd-11dc-ae2a-00112f110276}]
\Shell\Auto\command - E:\Cn911.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-07-13 05:21:05 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-c8a780bd - C:\WINDOWS\system32\sbexvrny.dll
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-13 16:50:43
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\qjualhuu.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee.com\Agent\Mcdetect.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\McAfee.com\Agent\mcregwiz.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\PROGRA~1\Symbian\Shared\SYMBIA~1\SYMBIA~1.EXE
C:\PROGRA~1\Symbian\Shared\SYMBIA~1\SCBAL.exe
.
**************************************************************************
.
Completion time: 2008-07-13 17:14:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-13 07:14:10
Pre-Run: 17,861,857,280 bytes free
Post-Run: 18,048,176,128 bytes free
278 --- E O F --- 2008-06-21 00:35:51
And the final HJT log after combofix finished was:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:15:38 PM, on 13/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Styler\Styler.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\PROGRA~1\Symbian\Shared\SYMBIA~1\SYMBIA~1.EXE
C:\PROGRA~1\Symbian\Shared\SYMBIA~1\SCBAL.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [Styler] C:\Program Files\Styler\Styler.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [bend logo clock film] C:\Documents and Settings\All Users\Application Data\Frag great bend logo\idol global.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PC Suite for Smartphones] "C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [BMcb94b321] Rundll32.exe "C:\WINDOWS\system32\qjualhuu.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [mRouterConfig] "C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Firefox Preloader.lnk = C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/229?4dab94b421cb42aa993a94f9c76d9491
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/230?4dab94b421cb42aa993a94f9c76d9491
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 9685 bytes
Thanks!
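The ComboFix "Files Created" listing above contains a run of 51,200-byte __c*.dat files in system32, one or more per day, each under a different name. As an added example (my own triage helper, not part of the original post and not ComboFix's or NoLop's code), the Python script below parses lines in that listing's format and groups same-sized files of the same extension in the same directory that were created under distinct names on several different days. The sample listing is a handful of lines copied from the posted log; the function names, the grouping thresholds and the report format are my assumptions. The script only surfaces the pattern for manual follow-up (for instance scanning one of the files with a multi-engine scanner); it does not decide that a file is malicious.

```python
"""Triage helper for the 'Files Created' section of a ComboFix log.

Groups newly created files by directory, size and extension and reports
groups that recur across several days under distinct names, which is the
pattern visible in the log above (same size, different names).
"""
import os
import re
from collections import defaultdict

# One listing line: created-stamp . modified-stamp size-or-<DIR> attrs path
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(<DIR>|[\d,]+) (\S+) (.+?)\s*$"
)

# Sample input: lines copied from the log posted above (not from a live
# system); enough to show one recurring group and several one-off files.
SAMPLE_LISTING = r"""
2008-07-13 16:13 . 2008-07-13 16:21 <DIR> d-------- C:\NoLopBackups
2008-07-12 20:45 . 2008-07-12 20:45 51,200 --a------ C:\WINDOWS\system32\__c0086A4.dat
2008-07-12 20:42 . 2008-07-12 20:42 90,992 --a------ C:\WINDOWS\system32\vkgthqee.dll
2008-07-12 20:42 . 2008-07-12 20:42 81,152 --a------ C:\WINDOWS\system32\pswwrgxt.dll
2008-07-12 10:28 . 2008-07-12 10:28 <DIR> d-------- C:\Program Files\CCleaner
2008-07-10 20:40 . 2008-07-10 20:40 51,200 --a------ C:\WINDOWS\system32\__c004E900.dat
2008-07-09 20:37 . 2008-07-09 20:37 51,200 --a------ C:\WINDOWS\system32\__c00B4B27.dat
2008-07-07 20:44 . 2008-07-07 20:44 51,200 --a------ C:\WINDOWS\system32\__c009408B.dat
2008-07-07 20:41 . 2008-07-07 20:41 51,200 --a------ C:\WINDOWS\system32\__c003B7C6.dat
2008-07-02 08:22 . 2008-07-13 16:50 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-02 08:22 . 2008-07-02 08:22 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-27 19:54 . 2008-07-13 16:53 110,400 --a------ C:\WINDOWS\BMcb94b321.xml
"""


def parse_listing(text):
    """Parse listing lines into dicts; directory entries and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(3) == "<DIR>":
            continue
        created, modified, size, attrs, path = m.groups()
        entries.append({
            "created": created,
            "modified": modified,
            "size": int(size.replace(",", "")),
            "attrs": attrs,
            "path": path,
        })
    return entries


def find_size_clusters(entries, min_count=3, min_days=2):
    """Return groups of same-sized, same-extension files in one directory that
    were created under all-distinct names on at least `min_days` dates."""
    buckets = defaultdict(list)
    for e in entries:
        directory, name = e["path"].rsplit("\\", 1)
        ext = os.path.splitext(name)[1].lower()
        buckets[(directory, e["size"], ext)].append(e)

    findings = []
    for (directory, size, ext), group in buckets.items():
        names = {e["path"].rsplit("\\", 1)[1] for e in group}
        days = {e["created"][:10] for e in group}
        if len(group) >= min_count and len(names) == len(group) and len(days) >= min_days:
            stems = [os.path.splitext(n)[0] for n in names]
            findings.append({
                "directory": directory,
                "size": size,
                "ext": ext,
                "count": len(group),
                "days": sorted(days),
                "common_prefix": os.path.commonprefix(stems),
                "paths": sorted(e["path"] for e in group),
            })
    findings.sort(key=lambda f: -f["count"])
    return findings


def report(text):
    """Human-readable summary of the clusters found in a listing."""
    lines = []
    for f in find_size_clusters(parse_listing(text)):
        lines.append(
            f"{f['count']} x {f['size']:,}-byte {f['ext']} files in {f['directory']} "
            f"(common prefix '{f['common_prefix']}', {len(f['days'])} days: "
            f"{f['days'][0]} .. {f['days'][-1]})"
        )
        lines.extend("    " + p for p in f["paths"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LISTING))
```

On the sample lines the only group reported is the five 51,200-byte .dat files in system32 sharing the prefix `__c00` and spread over four days; the two DLLs of slightly different sizes and the one-off QTFont and BM*.xml files are left alone. Run it against the whole "Files Created" section by pasting those lines into SAMPLE_LISTING or reading them from a saved log.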
pskelley
2008-07-13, 15:26
Thanks for returning your information; you said this:
so I lost the HJT log
That is not a problem; I really only need the HJT once, after all tools have been run. I usually remember to post that fact, but I guess I missed it. It comes from trying to help 50 folks at once.
You had a badly infected computer; do you know where you picked up all of this infection?
I will need your help on a few items.
1) C:\Program Files\Messenger Plus! Live <<< this is where you got the LOP/C2Media infection. I strongly suggest you uninstall that junk:
http://inetexplorer.mvps.org/answers/43.html
http://www.castlecops.com/startuplist-2034.html
2) C:\Program Files\Styler\Styler.exe <<< assure me you know this program and it is safe.
3) ComboFix has removed much junk, but it passed over some files I believe are bad. I cannot get a confirmation on these:
C:\WINDOWS\system32\__c0086A4.dat <<< look at Files Created from 2008-06-13 to 2008-07-13; there are a lot of them, all exactly the same size, just different numbers. I am 99.9% sure they are bad. If you do not know why they are there, you can scan one or more with one or more of these free scanners:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/
You will probably need to show hidden files and folders to see them:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
I will schedule removal; if you find something other than what I suspect, stop and make me aware.
4) You may remove NoLop from your computer. It removed the hidden part of that infection:
---Infection Files Found/Removed---
C:\WINDOWS\tasks\AA53FF2B91847E4B.job
4) C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
Return System Configuration Utility (MSConfig) to NORMAL MODE. You can return to Selective Startup when we finish.
5) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
(careful here, must be done exactly as posted!!)
6) Open notepad and copy/paste the text in the codebox below into it:
File::
C:\WINDOWS\BMcb94b321.xml
C:\WINDOWS\system32\qjualhuu.dll
C:\WINDOWS\system32\vkgthqee.dll
C:\WINDOWS\system32\pswwrgxt.dll
C:\WINDOWS\system32\jcxmctyf.dll
C:\WINDOWS\system32\qjualhuu.dll
C:\WINDOWS\system32\wewuadxm.dll
C:\WINDOWS\system32\omcbhqjd.dll
C:\WINDOWS\system32\flmfckvi.dll
C:\WINDOWS\system32\yoqyfqxr.dll
C:\WINDOWS\system32\uoxmwyle.dll
C:\WINDOWS\system32\atudiopc.dll
C:\WINDOWS\system32\__c0086A4.dat
C:\WINDOWS\system32\__c004E900.dat
C:\WINDOWS\system32\__c00B4B27.dat
C:\WINDOWS\system32\__c009408B.dat
C:\WINDOWS\system32\__c003B7C6.dat
C:\WINDOWS\system32\__c007AE40.dat
C:\WINDOWS\system32\__c00F206C.dat
C:\WINDOWS\system32\__c005B6B4.dat
C:\WINDOWS\system32\__c002C152.dat
C:\WINDOWS\system32\__c00BE739.dat
C:\WINDOWS\system32\__c0070D21.dat
C:\WINDOWS\system32\__c0014338.dat
C:\WINDOWS\system32\__c007B1AA.dat
C:\WINDOWS\system32\__c001CDE4.dat
C:\WINDOWS\system32\__c004E751.dat
C:\WINDOWS\system32\__c0061238.dat
C:\WINDOWS\system32\__c00E60C9.dat
C:\WINDOWS\system32\__c005B92B.dat
C:\WINDOWS\system32\__c00A2E40.dat
Folder::
C:\NoLopBackups
C:\Documents and Settings\All Users\Application Data\Frag great bend logo
Save this as CFScript
http://i24.photobucket.com/albums/c30/ken545/CFScript.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log (wait until you finish to post the logs).
7) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [bend logo clock film] C:\Documents and Settings\All Users\Application Data\Frag great bend logo\idol global.exe
O4 - HKLM\..\Run: [BMcb94b321] Rundll32.exe "C:\WINDOWS\system32\qjualhuu.dll",s
Close all programs but HJT and all browser windows, then click on "Fix Checked"
8) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart and post the combofix log from CFScript, a new HJT log and some feedback from you. How is the computer running now?
Thanks
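The triage rule in item 3 above (a run of files in system32 with machine-generated names, all the same size, created in the same window) can be checked mechanically against a ComboFix "Files Created" listing rather than by eye. The script below is an added example written for this page; it is not a tool from the thread, from ComboFix or from HijackThis. The sample listing is constructed for the test: the first three lines are copied from the log in this thread, while the sizes and timestamps of the __c*.dat and .dll lines are invented, and the file-name patterns are this example's assumption, not a published signature.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# One ComboFix "Files Created" entry looks like (copied from the log in this thread):
#   2008-07-14 20:53 . 2008-07-14 20:53 1,374 --a------ C:\WINDOWS\imsins.BAK
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+"
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>\S+)\s+(?P<path>.+\S)$"
)

# Name shapes seen in this thread: "__c" + hex digits + ".dat", and eight random
# lowercase letters + ".dll". These are this example's assumption, not a published
# signature; a legitimate name such as mshtmled.dll also matches the second pattern,
# which is why the same-size cluster test below carries the weight, not the name test.
RANDOM_NAME_RES = (
    re.compile(r"^__c[0-9a-f]{6,8}\.dat$", re.IGNORECASE),
    re.compile(r"^[a-z]{8}\.dll$"),
)


def parse_entry(line):
    """Parse one listing line; return None for section headers, blanks and separators."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
    p = PureWindowsPath(m["path"])
    return {
        "created": m["created"],
        "size": size,
        "attrs": m["attrs"],
        "dir": str(p.parent).lower(),   # case-insensitive grouping key
        "name": p.name,
        "path": m["path"],
    }


def looks_random(name):
    """True if the file name matches one of the machine-generated shapes above."""
    return any(r.match(name) for r in RANDOM_NAME_RES)


def find_clusters(lines, min_count=3):
    """Group parsed files by (directory, byte size) and return the groups that have
    at least min_count members whose names all look machine-generated."""
    groups = defaultdict(list)
    for line in lines:
        entry = parse_entry(line)
        if entry and entry["size"] is not None:      # skip <DIR> rows
            groups[(entry["dir"], entry["size"])].append(entry)
    hits = []
    for (directory, size), entries in sorted(groups.items()):
        if len(entries) >= min_count and all(looks_random(e["name"]) for e in entries):
            hits.append({"dir": directory, "size": size,
                         "paths": sorted(e["path"] for e in entries)})
    return hits


# Constructed sample listing: the first three lines are real entries from the log in
# this thread; the sizes and timestamps on the __c*.dat, .dll and report*.txt lines are
# invented. The three report*.txt files share a size but have ordinary names, and the
# two .dll files are below min_count, so neither group should be reported.
SAMPLE_LOG = r"""
2008-07-14 20:53 . 2008-07-14 20:53 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-07-13 22:11 . 2008-04-23 14:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-07-12 10:28 . 2008-07-12 10:28 <DIR> d-------- C:\Program Files\CCleaner
2008-07-11 08:02 . 2008-07-11 08:02 109,056 --a------ C:\WINDOWS\system32\__c0086A4.dat
2008-07-11 08:02 . 2008-07-11 08:02 109,056 --a------ C:\WINDOWS\system32\__c004E900.dat
2008-07-10 19:44 . 2008-07-10 19:44 109,056 --a------ C:\WINDOWS\system32\__c00B4B27.dat
2008-07-09 21:15 . 2008-07-09 21:15 109,056 --a------ C:\WINDOWS\system32\__c009408B.dat
2008-07-09 21:15 . 2008-07-09 21:15 50,688 --a------ C:\WINDOWS\system32\qjualhuu.dll
2008-07-09 21:15 . 2008-07-09 21:15 50,688 --a------ C:\WINDOWS\system32\vkgthqee.dll
2008-07-08 08:21 . 2008-07-08 08:21 4,096 --a------ C:\WINDOWS\Temp\report1.txt
2008-07-08 08:21 . 2008-07-08 08:21 4,096 --a------ C:\WINDOWS\Temp\report2.txt
2008-07-08 08:21 . 2008-07-08 08:21 4,096 --a------ C:\WINDOWS\Temp\report3.txt
"""

if __name__ == "__main__":
    for hit in find_clusters(SAMPLE_LOG.splitlines()):
        print(f"{len(hit['paths'])} files of {hit['size']:,} bytes in {hit['dir']}:")
        for path in hit["paths"]:
            print("   ", path)
```

Run it against a saved ComboFix.txt by replacing SAMPLE_LOG with the file's lines; only the __c*.dat group in system32 is reported for the sample above. The cluster test is deliberately conservative (three or more same-size files, every name machine-looking), so it flags the pattern the helper describes without tripping on the many same-size legitimate files a Windows Update run leaves under dllcache.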
1) Windows Messenger Live Plus! uninstalled.
2) Styler.exe is a program that changes the style of my XP to make it look like Vista. It was part of the Vista Transformation Pack. I've had it for a while (years), so I believe it to be safe.
3) I scanned some of the files with the Kaspersky virus scanner and they were trojans. I decided to leave them for now, but I believe ComboFix deleted most or all of those files.
4) Nolop removed.
5) ATF cleaner downloaded
6) Combofix log:
ComboFix 08-07-12.2 - Mann Hing 2008-07-17 20:30:43.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.148 [GMT 10:00]
Running from: C:\Documents and Settings\Mann Hing\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mann Hing\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\WINDOWS\BMcb94b321.xml
C:\WINDOWS\system32\__c0014338.dat
C:\WINDOWS\system32\__c001CDE4.dat
C:\WINDOWS\system32\__c002C152.dat
C:\WINDOWS\system32\__c003B7C6.dat
C:\WINDOWS\system32\__c004E751.dat
C:\WINDOWS\system32\__c004E900.dat
C:\WINDOWS\system32\__c005B6B4.dat
C:\WINDOWS\system32\__c005B92B.dat
C:\WINDOWS\system32\__c0061238.dat
C:\WINDOWS\system32\__c0070D21.dat
C:\WINDOWS\system32\__c007AE40.dat
C:\WINDOWS\system32\__c007B1AA.dat
C:\WINDOWS\system32\__c0086A4.dat
C:\WINDOWS\system32\__c009408B.dat
C:\WINDOWS\system32\__c00A2E40.dat
C:\WINDOWS\system32\__c00B4B27.dat
C:\WINDOWS\system32\__c00BE739.dat
C:\WINDOWS\system32\__c00E60C9.dat
C:\WINDOWS\system32\__c00F206C.dat
C:\WINDOWS\system32\atudiopc.dll
C:\WINDOWS\system32\flmfckvi.dll
C:\WINDOWS\system32\jcxmctyf.dll
C:\WINDOWS\system32\omcbhqjd.dll
C:\WINDOWS\system32\pswwrgxt.dll
C:\WINDOWS\system32\qjualhuu.dll
C:\WINDOWS\system32\uoxmwyle.dll
C:\WINDOWS\system32\vkgthqee.dll
C:\WINDOWS\system32\wewuadxm.dll
C:\WINDOWS\system32\yoqyfqxr.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Frag great bend logo
C:\Documents and Settings\All Users\Application Data\Frag great bend logo\idol global.exe
C:\NoLopBackups
C:\NoLopBackups\AA53FF2B91847E4B.job.01.infected
C:\WINDOWS\BMcb94b321.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\__c0014338.dat
C:\WINDOWS\system32\__c001CDE4.dat
C:\WINDOWS\system32\__c002C152.dat
C:\WINDOWS\system32\__c003B7C6.dat
C:\WINDOWS\system32\__c004E751.dat
C:\WINDOWS\system32\__c004E900.dat
C:\WINDOWS\system32\__c005B6B4.dat
C:\WINDOWS\system32\__c005B92B.dat
C:\WINDOWS\system32\__c0061238.dat
C:\WINDOWS\system32\__c0070D21.dat
C:\WINDOWS\system32\__c007AE40.dat
C:\WINDOWS\system32\__c007B1AA.dat
C:\WINDOWS\system32\__c0086A4.dat
C:\WINDOWS\system32\__c009408B.dat
C:\WINDOWS\system32\__c00A2E40.dat
C:\WINDOWS\system32\__c00B4B27.dat
C:\WINDOWS\system32\__c00BE739.dat
C:\WINDOWS\system32\__c00E60C9.dat
C:\WINDOWS\system32\__c00F206C.dat
C:\WINDOWS\system32\atudiopc.dll
C:\WINDOWS\system32\flmfckvi.dll
C:\WINDOWS\system32\jcxmctyf.dll
C:\WINDOWS\system32\omcbhqjd.dll
C:\WINDOWS\system32\pswwrgxt.dll
C:\WINDOWS\system32\qjualhuu.dll
C:\WINDOWS\system32\uoxmwyle.dll
C:\WINDOWS\system32\vkgthqee.dll
C:\WINDOWS\system32\wewuadxm.dll
C:\WINDOWS\system32\yoqyfqxr.dll
.
((((((((((((((((((((((((( Files Created from 2008-06-17 to 2008-07-17 )))))))))))))))))))))))))))))))
.
2008-07-14 20:53 . 2008-07-14 20:53 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-07-13 22:11 . 2008-04-23 14:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-07-13 22:11 . 2007-04-17 19:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-07-13 22:11 . 2007-03-08 15:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-07-13 22:11 . 2008-04-23 14:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-07-13 22:11 . 2008-04-23 14:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-07-13 22:11 . 2008-04-23 14:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-07-13 22:11 . 2008-04-23 14:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-07-13 22:11 . 2008-04-23 14:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-07-13 22:11 . 2008-04-22 17:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-07-12 10:28 . 2008-07-12 10:28 <DIR> d-------- C:\Program Files\CCleaner
2008-07-11 14:42 . 2008-07-11 14:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-11 13:53 . 2008-07-11 13:54 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-11 13:53 . 2008-07-11 14:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-11 12:45 . 2008-07-11 12:45 <DIR> d-------- C:\Documents and Settings\Mann Hing\Application Data\True Sword
2008-07-10 15:57 . 2008-07-10 15:57 <DIR> d-------- C:\Documents and Settings\Poh Hong\Phone Browser
2008-07-08 08:21 . 2008-07-08 08:21 <DIR> d-------- C:\Program Files\StepMania CVS
2008-07-07 09:20 . 2008-07-11 15:17 <DIR> d-------- C:\Program Files\StepMania
2008-07-02 08:22 . 2008-07-17 20:41 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-02 08:22 . 2008-07-02 08:22 1,409 --a------ C:\WINDOWS\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-12 00:12 --------- d-----w C:\Program Files\Warcraft III
2008-07-12 00:09 --------- d-----w C:\Program Files\Allok Video to DVD Burner
2008-07-11 03:38 --------- d-----w C:\Program Files\uTorrent
2008-07-02 09:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-18 14:30 --------- d-----w C:\Documents and Settings\Mann Hing\Application Data\Free Download Manager
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 01:09 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-06-07 10:21 --------- d-----w C:\Documents and Settings\Mann Hing\Application Data\uTorrent
2008-05-27 12:07 --------- d-----w C:\Documents and Settings\Mann Hing\Application Data\Printer Info Cache
2008-05-24 07:53 --------- d-----w C:\Documents and Settings\Mann Hing\Application Data\Nokia
2008-05-24 07:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2007-08-18 00:34 81,920 ----a-w C:\Documents and Settings\Mann Hing\Application Data\ezpinst.exe
2007-08-18 00:34 47,360 ----a-w C:\Documents and Settings\Mann Hing\Application Data\pcouffin.sys
2007-08-18 00:19 87,608 ----a-w C:\Documents and Settings\Mann Hing\Application Data\inst.exe
.
((((((((((((((((((((((((((((( snapshot@2008-07-13_17.13.51.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-02-26 11:48:44 297,984 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\SP2QFE\msctf.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\updspapi.dll
+ 2007-07-12 23:28:55 765,952 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\SP2QFE\vgx.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\update\updspapi.dll
- 2008-07-13 06:49:48 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-17 10:38:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\updspapi.dll
+ 2007-08-13 08:54:10 765,952 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\vgx.dll
+ 2007-08-13 08:39:00 123,904 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\advpack.dll
+ 2007-08-13 08:35:46 346,624 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\dxtmsft.dll
+ 2007-08-13 08:35:38 214,528 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\dxtrans.dll
+ 2007-08-13 08:54:10 131,584 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\extmgr.dll
+ 2007-08-13 08:36:26 61,952 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\icardie.dll
+ 2007-08-13 08:39:06 54,784 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ie4uinit.exe
+ 2007-08-13 08:39:26 152,064 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieakeng.dll
+ 2007-08-13 08:39:54 229,376 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieaksie.dll
+ 2007-08-13 07:56:54 161,792 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieakui.dll
+ 2007-02-12 06:10:12 2,451,312 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieapfltr.dat
+ 2007-07-11 02:27:48 383,488 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieapfltr.dll
+ 2007-08-13 08:39:50 382,976 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iedkcs32.dll
+ 2007-08-13 08:54:10 6,049,280 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieframe.dll
+ 2007-08-13 08:39:10 43,008 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iernonce.dll
+ 2007-08-13 08:34:04 266,752 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iertutil.dll
+ 2007-08-13 08:39:10 13,312 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieudinit.exe
+ 2007-08-13 08:43:56 622,080 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iexplore.exe
+ 2007-08-13 08:54:10 27,136 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\jsproxy.dll
+ 2007-08-13 08:54:10 458,752 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msfeeds.dll
+ 2007-08-13 08:54:10 50,688 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msfeedsbs.dll
+ 2007-08-13 08:54:12 3,578,368 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mshtml.dll
+ 2007-08-13 08:54:10 475,648 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mshtmled.dll
+ 2007-08-13 08:44:26 192,000 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msrating.dll
+ 2007-08-13 08:54:10 670,720 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mstime.dll
+ 2007-08-13 08:44:06 101,376 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\occache.dll
+ 2007-08-13 08:36:12 44,544 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\pngfilt.dll
+ 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\updspapi.dll
+ 2007-08-13 08:44:30 105,984 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\url.dll
+ 2007-08-13 08:54:10 1,162,240 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\urlmon.dll
+ 2007-08-13 08:54:10 231,424 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\webcheck.dll
+ 2007-08-13 08:54:10 818,688 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\wininet.dll
+ 2007-03-22 07:07:56 91,488 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\ADDRPARS.DLL
+ 2007-04-19 01:53:52 127,328 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\IMPMAIL.DLL
+ 2007-04-19 01:53:44 106,336 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\OUTLMIME.DLL
+ 2007-03-22 07:07:10 41,824 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\RECALL.DLL
+ 2007-03-22 07:07:54 78,168 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\RM.DLL
+ 2007-03-22 07:22:02 103,264 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\TRANSMGR.DLL
- 2008-06-15 11:32:14 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2008-07-14 10:57:09 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2008-06-15 11:32:14 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-07-14 10:57:09 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-06-15 11:32:15 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2008-07-14 10:57:09 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2008-06-15 11:32:14 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-07-14 10:57:09 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-06-15 11:32:15 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-07-14 10:57:09 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-06-15 11:32:15 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-07-14 10:57:09 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-06-15 11:32:15 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-07-14 10:57:09 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-06-15 11:32:15 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-07-14 10:57:09 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-06-15 11:32:14 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-07-14 10:57:09 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-06-15 11:32:14 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-07-14 10:57:09 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2008-06-15 11:32:15 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-07-14 10:57:09 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-06-15 11:32:14 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-07-14 10:57:09 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-06-15 11:32:14 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-07-14 10:57:09 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2007-08-13 08:39:00 123,904 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2008-04-23 04:16:28 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
- 2007-08-13 08:39:00 123,904 -c----w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2008-04-23 04:16:28 124,928 -c----w C:\WINDOWS\system32\dllcache\advpack.dll
- 2007-08-13 08:35:46 346,624 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-04-23 04:16:28 347,136 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2007-08-13 08:35:38 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-04-23 04:16:28 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-08-13 08:54:10 131,584 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-04-23 04:16:28 133,120 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2007-08-13 08:39:06 54,784 -c----w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2008-04-22 07:39:58 70,656 -c----w C:\WINDOWS\system32\dllcache\ie4uinit.exe
- 2007-08-13 08:39:26 152,064 -c----w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2008-04-23 04:16:28 153,088 -c----w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2007-08-13 08:39:54 229,376 -c----w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2008-04-23 04:16:28 230,400 -c----w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2007-08-13 07:56:54 161,792 -c----w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2008-04-20 05:07:51 161,792 -c----w C:\WINDOWS\system32\dllcache\ieakui.dll
- 2007-08-13 08:39:50 382,976 -c----w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2008-04-23 04:16:28 384,512 -c----w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2007-08-13 08:39:10 43,008 -c----w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2008-04-23 04:16:28 44,544 -c----w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2007-08-13 08:43:56 622,080 -c----w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2008-04-22 07:40:18 625,664 -c----w C:\WINDOWS\system32\dllcache\iexplore.exe
- 2007-08-13 08:54:10 27,136 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-04-23 04:16:28 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-02-26 11:59:50 294,912 -c----w C:\WINDOWS\system32\dllcache\msctf.dll
- 2007-08-13 08:54:12 3,578,368 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-04-23 12:16:30 3,591,680 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2007-08-13 08:54:10 475,648 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-04-23 04:16:28 478,208 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2007-08-13 08:44:26 192,000 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-04-23 04:16:28 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2007-08-13 08:54:10 670,720 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-04-23 04:16:28 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2007-08-13 08:44:06 101,376 -c----w C:\WINDOWS\system32\dllcache\occache.dll
+ 2008-04-23 04:16:28 102,912 -c----w C:\WINDOWS\system32\dllcache\occache.dll
- 2007-08-13 08:36:12 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-04-23 04:16:28 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2007-08-13 08:44:30 105,984 -c----w C:\WINDOWS\system32\dllcache\url.dll
+ 2008-04-23 04:16:28 105,984 -c----w C:\WINDOWS\system32\dllcache\url.dll
- 2007-08-13 08:54:10 1,162,240 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-04-23 04:16:29 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2007-08-13 08:54:10 765,952 -c--a-w C:\WINDOWS\system32\dllcache\VGX.dll
+ 2007-07-12 23:31:54 765,952 -c--a-w C:\WINDOWS\system32\dllcache\vgx.dll
- 2007-08-13 08:54:10 231,424 -c----w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2008-04-23 04:16:29 233,472 -c----w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2007-08-13 08:54:10 818,688 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-04-23 04:16:29 826,368 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2007-08-13 08:35:46 346,624 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-04-23 04:16:28 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2007-08-13 08:35:38 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-04-23 04:16:28 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-08-13 08:54:10 131,584 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2008-04-23 04:16:28 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2007-08-13 08:36:26 61,952 ----a-w C:\WINDOWS\system32\icardie.dll
+ 2008-04-23 04:16:28 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2007-08-13 08:39:06 54,784 ----a-w C:\WINDOWS\system32\ie4uinit.exe
+ 2008-04-22 07:39:58 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
- 2007-08-13 08:39:26 152,064 ----a-w C:\WINDOWS\system32\ieakeng.dll
+ 2008-04-23 04:16:28 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
- 2007-08-13 08:39:54 229,376 ----a-w C:\WINDOWS\system32\ieaksie.dll
+ 2008-04-23 04:16:28 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
- 2007-08-13 07:56:54 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
+ 2008-04-20 05:07:51 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
- 2007-02-12 06:10:12 2,451,312 ----a-w C:\WINDOWS\system32\ieapfltr.dat
+ 2007-04-17 09:32:38 2,455,488 ----a-w C:\WINDOWS\system32\ieapfltr.dat
- 2007-07-11 02:27:48 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
+ 2008-04-23 04:16:28 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2007-08-13 08:39:50 382,976 ----a-w C:\WINDOWS\system32\iedkcs32.dll
+ 2008-04-23 04:16:28 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
- 2007-08-13 08:54:10 6,049,280 ----a-w C:\WINDOWS\system32\ieframe.dll
+ 2008-04-23 04:16:28 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2007-08-13 08:39:10 43,008 ----a-w C:\WINDOWS\system32\iernonce.dll
+ 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
- 2007-08-13 08:34:04 266,752 ----a-w C:\WINDOWS\system32\iertutil.dll
+ 2008-04-23 04:16:28 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2007-08-13 08:39:10 13,312 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2008-04-22 07:39:58 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
- 2007-08-13 08:54:10 27,136 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-04-23 04:16:28 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2004-08-04 07:56:42 294,400 ----a-w C:\WINDOWS\system32\msctf.dll
+ 2008-02-26 11:59:50 294,912 ----a-w C:\WINDOWS\system32\msctf.dll
- 2007-08-13 08:54:10 458,752 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2008-04-23 04:16:28 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2007-08-13 08:54:10 50,688 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2008-04-23 04:16:28 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
- 2007-08-13 08:54:12 3,578,368 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-04-23 12:16:30 3,591,680 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-08-13 08:54:10 475,648 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-04-23 04:16:28 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2007-08-13 08:44:26 192,000 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2008-04-23 04:16:28 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
- 2007-08-13 08:54:10 670,720 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2008-04-23 04:16:28 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
- 2007-08-13 08:44:06 101,376 ----a-w C:\WINDOWS\system32\occache.dll
+ 2008-04-23 04:16:28 102,912 ----a-w C:\WINDOWS\system32\occache.dll
- 2007-08-13 08:36:12 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2007-08-13 08:44:30 105,984 ----a-w C:\WINDOWS\system32\url.dll
+ 2008-04-23 04:16:28 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2007-08-13 08:54:10 1,162,240 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-04-23 04:16:29 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2007-08-13 08:54:10 231,424 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2008-04-23 04:16:29 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56 15360]
"mRouterConfig"="C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe" [2006-03-02 10:54 290816]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 10:34 5724184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 15:31 208952]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 22:00 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 22:00 455168]
"McRegWiz"="C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe" [2005-06-01 14:35 368714]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-07-15 12:50 999424]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-07-01 19:52 303104]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2005-07-08 17:46 212992]
"Styler"="C:\Program Files\Styler\Styler.exe" [2006-05-03 11:18 307200]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10 271360]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
"BootSkin Startup Jobs"="C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 15:21 270336]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 10:09 63712]
"PC Suite for Smartphones"="C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe" [2007-05-28 09:14 528384]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2002-10-11 17:26 98304]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-16 11:23 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 22:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 12:10 267048]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 17:56 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Firefox Preloader.lnk - C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe [2008-04-29 16:50:28 98304]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\\windows\\resources\\Logons\\8270-slate\\logonui.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R3 zebrceb;Sony Ericsson Cable Emulation Bus (WDM);C:\WINDOWS\system32\DRIVERS\zebrceb.sys [2007-04-13 07:50]
S3 dump_wmimmc;dump_wmimmc;C:\AeriaGames\Shaiya\GameGuard\dump_wmimmc.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys []
S3 zebrbus;Sony Ericsson Composite Device driver;C:\WINDOWS\system32\DRIVERS\zebrbus.sys [2007-04-13 07:50]
S3 zebrmdfl;Sony Ericsson Modem Filter;C:\WINDOWS\system32\DRIVERS\zebrmdfl.sys [2007-04-13 07:50]
S3 zebrmdm;Sony Ericsson Port (WDM);C:\WINDOWS\system32\DRIVERS\zebrmdm.sys [2007-04-13 07:50]
S3 zebrmdmc;Sony Ericsson mRouter Port (WDM);C:\WINDOWS\system32\DRIVERS\zebrmdmc.sys [2007-04-13 07:50]
S3 zebrsce;Sony Ericsson PC-Connect Port;C:\WINDOWS\system32\DRIVERS\zebrsce.sys [2007-04-13 07:50]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f324e77-b0d5-11dc-af6e-00112f110276}]
\Shell\Auto\command - Cn911.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97269e0c-4cab-11dc-ae46-00112f110276}]
\Shell\Auto\command - E:\Cn911.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9834301-47dd-11dc-ae2a-00112f110276}]
\Shell\Auto\command - E:\Cn911.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-07-17 10:21:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-bend logo clock film - C:\Documents and Settings\All Users\Application Data\Frag great bend logo\idol global.exe
HKLM-Run-BMcb94b321 - C:\WINDOWS\system32\qjualhuu.dll
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-17 20:39:08
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
C:\WINDOWS\explorer.exe [2032] 0x82101488
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee.com\Agent\Mcdetect.exe
C:\PROGRA~1\McAfee.com\Agent\McTskshd.exe
C:\Program Files\McAfee.com\Agent\mcregwiz.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\PROGRA~1\Symbian\Shared\SYMBIA~1\SYMBIA~1.EXE
C:\PROGRA~1\Symbian\Shared\SYMBIA~1\SCBAL.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-07-17 21:01:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-17 11:01:39
ComboFix2.txt 2008-07-13 07:14:17
Pre-Run: 21,339,578,368 bytes free
Post-Run: 21,345,034,240 bytes free
422 --- E O F --- 2008-07-14 10:57:26
7) R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
Only this line was available to be checked. The other ones:
O4 - HKLM\..\Run: [bend logo clock film] C:\Documents and Settings\All Users\Application Data\Frag great bend logo\idol global.exe
O4 - HKLM\..\Run: [BMcb94b321] Rundll32.exe "C:\WINDOWS\system32\qjualhuu.dll",s
weren't located in the box.
8) To be done soon!
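The three MountPoints2 keys in the ComboFix log above are the security-relevant detail: each one is Windows' cached copy of an autorun.inf from a removable volume, and all three point the shell at the same Cn911.exe, once via a custom "Auto" verb and once via RunDLL32's ShellExec_RunDLL (the form an autorun.inf `shellexecute=` line produces). The following Python is an added example, not part of the poster's log or of ComboFix; it parses that section of the log as ComboFix prints it and flags the worm pattern. The sample input is the log excerpt from above, and the STANDARD_VERBS list is an assumed heuristic for which verbs Windows populates on its own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the MountPoints2 excerpt from the ComboFix log above,
# plus the two lines that follow it, so the parser sees a section boundary.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f324e77-b0d5-11dc-af6e-00112f110276}]
\Shell\Auto\command - Cn911.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97269e0c-4cab-11dc-ae46-00112f110276}]
\Shell\Auto\command - E:\Cn911.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9834301-47dd-11dc-ae2a-00112f110276}]
\Shell\Auto\command - E:\Cn911.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe
.
Contents of the 'Scheduled Tasks' folder
"""

# Assumed heuristic: verbs Windows itself creates under a volume key. Any other
# verb (here "Auto") was supplied by an autorun.inf on the volume.
STANDARD_VERBS = {"open", "explore", "find", "autoplay", "autorun"}

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
CMD_RE = re.compile(r"^\\Shell\\([^\\]+)\\command - (.+)$", re.IGNORECASE)
GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.IGNORECASE)


@dataclass
class MountPoint:
    key: str
    volume_guid: str
    commands: Dict[str, str] = field(default_factory=dict)  # verb -> command line


def parse_mountpoints(log: str) -> List[MountPoint]:
    """Collect MountPoints2 keys and their \\Shell\\<verb>\\command lines from a ComboFix log."""
    entries: List[MountPoint] = []
    current = None
    for line in log.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = None  # any registry key header ends the previous block
            if "mountpoints2" in key.group(1).lower():
                guid = GUID_RE.search(key.group(1))
                current = MountPoint(key.group(1), guid.group(1).lower() if guid else "")
                entries.append(current)
            continue
        cmd = CMD_RE.match(line)
        if cmd and current is not None:
            current.commands[cmd.group(1).lower()] = cmd.group(2).strip()
    return entries


def payload_of(command: str) -> str:
    """Bare file name of the last .exe on the command line, i.e. the program actually launched
    (for a RunDLL32 ShellExec_RunDLL line that is the argument, not RunDLL32 itself)."""
    exes = re.findall(r"[^\s,]+\.exe", command, re.IGNORECASE)
    return re.split(r"[\\/]", exes[-1])[-1].lower() if exes else ""


def find_autorun_hijacks(entries: List[MountPoint]) -> List[dict]:
    """Flag cached autorun commands that look like a removable-drive worm."""
    volumes_per_payload = defaultdict(set)
    for e in entries:
        for command in e.commands.values():
            if payload_of(command):
                volumes_per_payload[payload_of(command)].add(e.volume_guid)

    findings = []
    for e in entries:
        for verb, command in sorted(e.commands.items()):
            payload = payload_of(command)
            reasons = []
            if verb not in STANDARD_VERBS:
                reasons.append(f"custom verb '{verb}' injected by autorun.inf")
            if "shellexec_rundll" in command.lower():
                reasons.append("RunDLL32 ShellExec_RunDLL launcher (autorun.inf shellexecute= form)")
            if payload and len(volumes_per_payload[payload]) > 1:
                reasons.append(f"same payload cached for {len(volumes_per_payload[payload])} volumes")
            if reasons:
                findings.append({"volume": e.volume_guid, "verb": verb,
                                 "payload": payload, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_autorun_hijacks(parse_mountpoints(SAMPLE_LOG)):
        print(f"{{{f['volume']}}} {f['verb']}: {f['payload']} <- {'; '.join(f['reasons'])}")
```

Each flagged volume GUID is a MountPoints2 subkey to delete, but the cached key is only the symptom: the autorun.inf and Cn911.exe live on the removable drive (E: in two of the entries) and will re-seed the key the next time that drive is inserted with AutoRun enabled.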