
Infected with W32.SillyFDC, W32.Harakit and W32.Spybot.Worm


14 replies to this topic

#1 madcow1

madcow1

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:08:52 AM

Posted 27 June 2009 - 03:01 AM

Good afternoon to all,

My laptop has been infected by the viruses stated above. Symantec Antivirus was able to detect them in the folder WINDOWS\Temp\ but was not able to remove them after reboot, and the infected file names were not available after reboot. Besides, the Windows firewall was disabled automatically every time the laptop rebooted. Please advise!


DDS (Ver_09-06-26.01) - NTFSx86
Run by Ho Nyuk Shiong at 15:38:08.82 on 27-Jun-09
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.816 [GMT 8:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\SIEMENS\S7IEPG\s7oiehsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\SIEMENS\sws\almsrv\almsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Atheros\ACU.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
D:\Downloads\FREE\New Folder\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://intra/
uSearch Page = hxxp://mys.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://malaysia.search.yahoo.com/search
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://mys.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://malaysia.search.yahoo.com/search
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRunOnce: [<NO NAME>]
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [LXCYCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCYtime.dll,_RunDLLEntry@16
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ACU] "c:\program files\atheros\ACU.exe" -nogui
mRunOnce: [<NO NAME>]
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mExplorerRun: [<NO NAME>] 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1216458990328
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\honyuk~1\applic~1\mozilla\firefox\profiles\4r7wvdat.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - component: c:\documents and settings\ho nyuk shiong\application data\mozilla\firefox\profiles\4r7wvdat.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFAlert.dll
FF - component: c:\program files\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPSigra.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 almservice;Automation License Manager Service;c:\program files\common files\siemens\sws\almsrv\almsrvx.exe [2009-3-25 770110]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-7 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-7 169632]
R2 s7oiehsx;SIMATIC IEPG Help Service;c:\program files\common files\siemens\s7iepg\s7oiehsx.exe [2009-3-25 208968]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-3-17 1799408]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-26 101936]
R3 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090626.016\naveng.sys [2009-6-27 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090626.016\navex15.sys [2009-6-27 876144]
R3 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
S0 lkclmltm;lkclmltm;c:\windows\system32\drivers\bgigdz.sys --> c:\windows\system32\drivers\bgigdz.sys [?]
S2 MICOMPar;MICOMPar;c:\windows\system32\drivers\micompar.sys [2008-1-3 13488]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
S4 s7asysvx;S7 Global Services;c:\siemens\digsi4\manager\s7bin\s7asysvx.exe [2009-3-25 69685]
S4 S7TraceServiceX;S7TraceServiceX;c:\program files\common files\siemens\automation\traceengine\bin\S7TraceServiceX.exe [2009-3-25 163840]
S4 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-3-17 115952]

=============== Created Last 30 ================

2009-06-27 11:01 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-12 17:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-12 17:52 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-12 17:52 <DIR> --d----- c:\docume~1\honyuk~1\applic~1\SUPERAntiSpyware.com
2009-06-12 17:03 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-12 17:03 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-09 18:35 <DIR> --d----- c:\program files\Atheros
2009-06-02 12:33 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-05-31 10:37 <DIR> --d----- c:\docume~1\honyuk~1\applic~1\IronCode

==================== Find3M ====================

2009-06-09 18:35 21,275 a------- c:\windows\system32\drivers\AegisP.sys
2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-13 13:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 23:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-01 14:00 92,064 a------- c:\documents and settings\ho nyuk shiong\mqdmmdm.sys
2009-05-01 14:00 79,328 a------- c:\documents and settings\ho nyuk shiong\mqdmserd.sys
2009-05-01 14:00 66,656 a------- c:\documents and settings\ho nyuk shiong\mqdmbus.sys
2009-05-01 14:00 25,600 a------- c:\documents and settings\ho nyuk shiong\usbsermptxp.sys
2009-05-01 14:00 22,768 a------- c:\documents and settings\ho nyuk shiong\usbsermpt.sys
2009-05-01 14:00 9,232 a------- c:\documents and settings\ho nyuk shiong\mqdmmdfl.sys
2009-05-01 14:00 6,208 a------- c:\documents and settings\ho nyuk shiong\mqdmcmnt.sys
2009-05-01 14:00 5,936 a------- c:\documents and settings\ho nyuk shiong\mqdmwhnt.sys
2009-05-01 14:00 4,048 a------- c:\documents and settings\ho nyuk shiong\mqdmcr.sys
2009-05-01 11:25 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-04-17 20:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 22:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2008-08-26 20:21 2,788,800 a------- c:\program files\FLV PlayerFCSetup.exe

============= FINISH: 15:38:48.87 ===============


#2 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:08:52 PM

Posted 01 July 2009 - 11:26 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

#3 madcow1

madcow1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:08:52 AM

Posted 06 July 2009 - 08:05 AM

Here is my DDS.txt log:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Ho Nyuk Shiong at 20:56:44.64 on 06-Jul-09
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.928 [GMT 8:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\SIEMENS\S7IEPG\s7oiehsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\SIEMENS\sws\almsrv\almsrvx.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Atheros\ACU.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://intra.sesb.com.my/
uSearch Page = hxxp://mys.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://malaysia.search.yahoo.com/search
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://mys.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://malaysia.search.yahoo.com/search
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [LXCYCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCYtime.dll,_RunDLLEntry@16
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ACU] "c:\program files\atheros\ACU.exe" -nogui
mRun: [mumservice] c:\program files\motorola\software update\mumservice.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mExplorerRun: [<NO NAME>] 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1216458990328
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: {4B1BBEAE-AB8D-4494-A708-4EF89F9DF705} = 10.1.1.7,10.1.1.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\honyuk~1\applic~1\mozilla\firefox\profiles\4r7wvdat.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - component: c:\documents and settings\ho nyuk shiong\application data\mozilla\firefox\profiles\4r7wvdat.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFAlert.dll
FF - component: c:\program files\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPSigra.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 almservice;Automation License Manager Service;c:\program files\common files\siemens\sws\almsrv\almsrvx.exe [2009-3-25 770110]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-7 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-7 169632]
R2 s7oiehsx;SIMATIC IEPG Help Service;c:\program files\common files\siemens\s7iepg\s7oiehsx.exe [2009-3-25 208968]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-3-17 1799408]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-6-27 101936]
R3 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090705.003\naveng.sys [2009-7-5 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090705.003\navex15.sys [2009-7-5 876144]
R3 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
S0 lkclmltm;lkclmltm;c:\windows\system32\drivers\bgigdz.sys --> c:\windows\system32\drivers\bgigdz.sys [?]
S2 MICOMPar;MICOMPar;c:\windows\system32\drivers\micompar.sys [2008-1-3 13488]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2009-7-2 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-7-2 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2009-7-2 42112]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-7-3 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-7-3 8320]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
S4 s7asysvx;S7 Global Services;c:\siemens\digsi4\manager\s7bin\s7asysvx.exe [2009-3-25 69685]
S4 S7TraceServiceX;S7TraceServiceX;c:\program files\common files\siemens\automation\traceengine\bin\S7TraceServiceX.exe [2009-3-25 163840]
S4 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-3-17 115952]

=============== Created Last 30 ================

2009-07-06 20:36 359,929 a------- C:\dds.scr
2009-07-03 08:15 0 a---h--- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2009-07-03 08:12 0 a---h--- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-07-03 08:05 <DIR> --d----- c:\program files\common files\PCSuite
2009-07-03 08:05 18,816 a------- c:\windows\system32\drivers\pccsmcfd.sys
2009-07-03 08:05 <DIR> --d----- c:\program files\PC Connectivity Solution
2009-07-03 08:04 8,320 a------- c:\windows\system32\drivers\nmwcdnsuc.sys
2009-07-03 08:04 136,704 a------- c:\windows\system32\drivers\nmwcdnsu.sys
2009-07-03 08:04 7,808 a------- c:\windows\system32\drivers\usbser_lowerfltj.sys
2009-07-03 08:04 7,808 a------- c:\windows\system32\drivers\usbser_lowerflt.sys
2009-07-03 08:04 22,016 a------- c:\windows\system32\drivers\ccdcmbo.sys
2009-07-03 08:04 1,112,288 a------- c:\windows\system32\wdfcoinstaller01007.dll
2009-07-03 08:04 659,968 a------- c:\windows\system32\nmwcdcocls.dll
2009-07-03 08:04 17,664 a------- c:\windows\system32\drivers\ccdcmb.sys
2009-07-02 20:18 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2009-07-02 20:18 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2009-07-02 20:17 18,688 a------- c:\windows\system32\drivers\motccgp.sys
2009-07-02 20:17 8,320 a------- c:\windows\system32\drivers\motccgpfl.sys
2009-07-02 20:17 6,400 a------- c:\windows\system32\drivers\motswch.sys
2009-07-02 20:17 42,112 a------- c:\windows\system32\drivers\motodrv.sys
2009-07-02 20:16 <DIR> --d----- c:\program files\Motorola
2009-06-30 21:16 0 a------- C:\BOOT.DAT
2009-06-30 21:15 0 a------- c:\documents and settings\ho nyuk shiong\BOOT.DAT
2009-06-29 07:29 <DIR> --d----- C:\SIECBT
2009-06-27 11:01 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-12 17:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-12 17:52 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-12 17:52 <DIR> --d----- c:\docume~1\honyuk~1\applic~1\SUPERAntiSpyware.com
2009-06-12 17:03 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-12 17:03 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-09 18:35 <DIR> --d----- c:\program files\Atheros

==================== Find3M ====================

2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-09 18:35 21,275 a------- c:\windows\system32\drivers\AegisP.sys
2009-05-13 13:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-11 12:47 1,302,600 a------- c:\windows\system32\WUDFUpdate_01007.dll
2009-05-07 23:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-01 14:00 92,064 a------- c:\documents and settings\ho nyuk shiong\mqdmmdm.sys
2009-05-01 14:00 79,328 a------- c:\documents and settings\ho nyuk shiong\mqdmserd.sys
2009-05-01 14:00 66,656 a------- c:\documents and settings\ho nyuk shiong\mqdmbus.sys
2009-05-01 14:00 25,600 a------- c:\documents and settings\ho nyuk shiong\usbsermptxp.sys
2009-05-01 14:00 22,768 a------- c:\documents and settings\ho nyuk shiong\usbsermpt.sys
2009-05-01 14:00 9,232 a------- c:\documents and settings\ho nyuk shiong\mqdmmdfl.sys
2009-05-01 14:00 6,208 a------- c:\documents and settings\ho nyuk shiong\mqdmcmnt.sys
2009-05-01 14:00 5,936 a------- c:\documents and settings\ho nyuk shiong\mqdmwhnt.sys
2009-05-01 14:00 4,048 a------- c:\documents and settings\ho nyuk shiong\mqdmcr.sys
2009-04-17 20:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 22:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2008-08-26 20:21 2,788,800 a------- c:\program files\FLV PlayerFCSetup.exe

============= FINISH: 20:57:20.51 ===============

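As an added example (my own code, not a tool from this thread, from BleepingComputer or from the DDS author), the script below does the first triage pass a responder would make over the two DDS reports posted above: it splits a report into its "=====" sections, flags SERVICES / DRIVERS entries whose file DDS could not stat (the "--> path [?]" form, with boot-start S0/R0 drivers ranked first), checks whether the "AV:" header line reports on-access scanning disabled, and diffs the service names between two reports. The embedded log excerpts are copied from the reports in this thread and trimmed; the section and entry formats are assumed from those reports. Note that an unresolved entry is only a lead: lxcycoms.exe is unresolved because its path carries a "-service" argument, and the same binary appears in the running process list, whereas bgigdz.sys is a boot-start driver with no date or size at all and is the entry worth asking about.

```python
"""Triage helper for DDS reports (added example, not part of the thread)."""
import re

# "============== Running Processes ===============" -> "Running Processes"
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# "<R1|S0|...> <service name>;<display name>;<path> [<date> <size>]"
# or "... ;<path> --> <path> [?]" when DDS could not stat the file.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")

# Excerpt copied from the 27-Jun-09 report posted above (constructed sample).
LOG_27JUN = r"""DDS (Ver_09-06-26.01) - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.816 [GMT 8:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R3 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S0 lkclmltm;lkclmltm;c:\windows\system32\drivers\bgigdz.sys --> c:\windows\system32\drivers\bgigdz.sys [?]
S2 MICOMPar;MICOMPar;c:\windows\system32\drivers\micompar.sys [2008-1-3 13488]

============= FINISH: 15:38:48.87 ===============
"""

# Excerpt copied from the 06-Jul-09 report posted above (constructed sample).
LOG_06JUL = r"""DDS (Ver_09-06-26.01) - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.928 [GMT 8:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R3 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S0 lkclmltm;lkclmltm;c:\windows\system32\drivers\bgigdz.sys --> c:\windows\system32\drivers\bgigdz.sys [?]
S2 MICOMPar;MICOMPar;c:\windows\system32\drivers\micompar.sys [2008-1-3 13488]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2009-7-2 18688]

============= FINISH: 20:57:20.51 ===============
"""


def parse_sections(text):
    """Map each '=====' section title to its non-blank lines; 'HEADER' is everything before the first one."""
    sections = {"HEADER": []}
    current = "HEADER"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m and m.group(1):
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if line.strip():
            sections[current].append(line.rstrip())
    return sections


def parse_services(text):
    """Parse SERVICES / DRIVERS entries into dicts, marking ones DDS could not stat."""
    entries = []
    for line in parse_sections(text).get("SERVICES / DRIVERS", []):
        m = SERVICE_RE.match(line)
        if not m:
            continue
        state, name, display, rest = m.groups()
        unresolved = rest.endswith("[?]")
        # Unresolved entries repeat the path after '-->'; resolved ones end in '[date size]'.
        path = rest.split(" --> ")[0].strip() if unresolved else rest.rsplit(" [", 1)[0].strip()
        entries.append({"state": state, "name": name, "display": display,
                        "path": path, "unresolved": unresolved})
    return entries


def unresolved_services(text):
    """Every entry whose file DDS could not stat; review each, they are leads, not verdicts."""
    return [s for s in parse_services(text) if s["unresolved"]]


def boot_start_unresolved(text):
    """Boot-start (S0/R0) drivers with an unresolved file: highest-priority leads."""
    return [s for s in unresolved_services(text) if s["state"] in ("S0", "R0")]


def av_on_access_disabled(text):
    """True/False from the 'AV:' header line, None if the report has no AV line."""
    for line in parse_sections(text)["HEADER"]:
        if line.startswith("AV:"):
            return "*On-access scanning disabled*" in line
    return None


def service_diff(old_text, new_text):
    """Service names that appeared or vanished between two reports."""
    old = {s["name"] for s in parse_services(old_text)}
    new = {s["name"] for s in parse_services(new_text)}
    return {"added": sorted(new - old), "removed": sorted(old - new)}


if __name__ == "__main__":
    print("on-access disabled (06-Jul):", av_on_access_disabled(LOG_06JUL))
    for s in unresolved_services(LOG_06JUL):
        print(f"{s['state']} {s['name']}: {s['path']}  <-- unresolved, review")
    print("service diff:", service_diff(LOG_27JUN, LOG_06JUL))
```

Run it as-is to see the leads from the two excerpts; point `parse_services` at a full saved DDS.txt to triage a real report. The on-access check matters here because the second report shows Symantec's real-time scanning turned off, which the poster did not mention and which, together with the firewall being disabled at every boot, is the kind of change a responder wants confirmed before trusting any scan result.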

#4 screen317

screen317

  • Malware Response Team
  • 236 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Los Angeles
  • Local time:04:52 PM

Posted 08 July 2009 - 01:23 AM

Hello and welcome to BleepingComputer.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


After that, we'll use ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
-screen317

#5 madcow1

madcow1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:08:52 AM

Posted 09 July 2009 - 06:12 AM

Hello screen317,

The following is the MBAM log, as you advised. I also attached Combofix.txt and the HijackThis log. Thank you for your prompt reply.

Malwarebytes' Anti-Malware 1.38
Database version: 2397
Windows 5.1.2600 Service Pack 3

09-Jul-09 6:41:47 PM
mbam-log-2009-07-09 (18-41-47).txt

Scan type: Quick Scan
Objects scanned: 108524
Time elapsed: 4 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#6 screen317

screen317

  • Malware Response Team
  • 236 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Los Angeles
  • Local time:04:52 PM

Posted 10 July 2009 - 10:56 PM

Hello,

Please open Notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into Notepad:

Reglock::
[HKEY_USERS\S-1-5-21-842925246-1004336348-682003330-1003\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Excel\Settings\E*x*p*o*r*t* *p*a*r*a*m*e*t*e*r*s* *t*o*& \File Name MRU]
[HKEY_USERS\S-1-5-21-842925246-1004336348-682003330-1003\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Excel\Settings\E*x*p*o*r*t* *p*a*r*a*m*e*t*e*r*s* *t*o*& \View]
DDS::
mExplorerRun: [<NO NAME>] 1 (0x1)


Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: the saved CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.


After that, please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


Also... Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u13.
  • Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • In the pull down menu next to Platform select Windows
  • Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement"
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windowsi586-p.exe to install the newest version.
Restart your computer, and post a fresh HijackThis log.


After that, please download JavaRa and unzip it to your Desktop.

Double click JavaRa.exe then click Remove Older Versions.

Follow any prompts; a log will popup (JavaRa.log)-- please post the contents of this log.


Finally, download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
-screen317
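Added example, not part of this thread and not screen317's or ComboFix's own code: a small Python triage pass over the report formats exchanged above, of the kind a helper reads before deciding what goes into a CFScript. It flags three things that the logs in this thread show: an autorun entry stored under the unnamed default value (the `mExplorerRun: [<NO NAME>]` line that the DDS:: directive above removes), a Security Center `DisableMonitoring` value set to 1 (Windows stops warning that the AV or firewall is off), and driver/service entries that ComboFix marked `[?]` (file not found), ranking a boot- or system-start driver with no file on disk above an entry whose recorded image path merely carries a command-line switch. The sample report is constructed from lines modelled on the ComboFix and DDS output posted in this thread; the regular expressions, the severity scale and the function names are my own assumptions, not ComboFix's.

```python
"""Triage pass over ComboFix / DDS style report lines (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the ComboFix and DDS lines quoted in this
# thread. It is not a real log file from the poster's machine.
SAMPLE_REPORT = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

mExplorerRun: [<NO NAME>] 1 (0x1)
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [26-May-09 10:05 AM 9968]
R3 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S0 lkclmltm;lkclmltm;c:\windows\system32\drivers\bgigdz.sys --> c:\windows\system32\drivers\bgigdz.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [02-Jul-09 8:17 PM 18688]
"""

# ComboFix service lines: R = running, S = stopped; the digit is the Windows
# start type. A trailing '[?]' means ComboFix could not find the file.
SERVICE_RE = re.compile(r'^([RS])([0-4])\s+([^;]+);([^;]*);(.*)$')
START_TYPES = {'0': 'boot', '1': 'system', '2': 'auto', '3': 'demand', '4': 'disabled'}
# DDS autorun lines: u = HKCU, m = HKLM, d = .DEFAULT; the value name sits in brackets.
AUTORUN_RE = re.compile(r'^([umd])(Run|ExplorerRun):\s+\[([^\]]*)\]\s*(.*)$')
REG_KEY_RE = re.compile(r'^\[(.+)\]$')
DISABLE_MON_RE = re.compile(r'^"DisableMonitoring"=dword:0*1$', re.IGNORECASE)


@dataclass
class Finding:
    severity: str   # assumed scale: 'high', 'medium' or 'low'
    category: str
    detail: str


def parse_service_line(line: str) -> Optional[dict]:
    """Split one R*/S* line into its fields; None if the line is not one."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    state, start, name, desc, rest = m.groups()
    missing = rest.rstrip().endswith('[?]')
    if missing:
        # ComboFix repeats the unresolved path after '-->'; keep the recorded one.
        path = rest.split('-->')[0].strip()
    else:
        # Strip the trailing '[date time size]' block.
        path = re.sub(r'\s+\[.*\]$', '', rest).strip()
    return {'running': state == 'R', 'start_type': START_TYPES[start],
            'name': name, 'description': desc, 'path': path, 'missing': missing}


def path_has_arguments(path: str) -> bool:
    """True when a switch follows the binary, e.g. '...\lxcycoms.exe -service'.

    Such a path cannot be stat'ed as one string, so the '[?]' marker may be a
    lookup artefact rather than a missing file.
    """
    return bool(re.search(r'\.(exe|sys|dll)\s+\S', path, re.IGNORECASE))


def triage(report: str) -> List[Finding]:
    """Walk a report and collect the entries a helper would look at first."""
    findings: List[Finding] = []
    current_key = ''
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = REG_KEY_RE.match(line)
        if key:
            current_key = key.group(1).lower()
            continue
        if DISABLE_MON_RE.match(line) and r'security center\monitoring' in current_key:
            findings.append(Finding('medium', 'security-center',
                                    f'Security Center monitoring suppressed under {current_key}'))
            continue
        svc = parse_service_line(line)
        if svc:
            if svc['missing']:
                if path_has_arguments(svc['path']):
                    findings.append(Finding('low', 'service',
                        f"{svc['name']}: path with arguments not resolved ({svc['path']}); cross-check the process list"))
                elif svc['start_type'] in ('boot', 'system'):
                    findings.append(Finding('high', 'driver',
                        f"{svc['name']}: {svc['start_type']}-start driver entry, file missing ({svc['path']})"))
                else:
                    findings.append(Finding('medium', 'service',
                        f"{svc['name']}: {svc['start_type']}-start entry, file missing ({svc['path']})"))
            continue
        run = AUTORUN_RE.match(line)
        if run and run.group(3) == '<NO NAME>':
            findings.append(Finding('medium', 'autorun',
                f'{run.group(1)}{run.group(2)}: unnamed default value set to {run.group(4)!r}'))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_REPORT):
        print(f'[{f.severity:6}] {f.category:16} {f.detail}')
```

Run it directly to print the findings for the embedded sample, or pass the text of a real ComboFix.txt to `triage()`. The `[?]` marker is only a file-lookup failure: the `lxcycoms.exe -service` entry is reported as missing because the switch is stored inside the image path, while the same binary appears in the DDS running-process list, so a `low` finding is a prompt to cross-check rather than a detection. A boot-start driver entry whose file is gone loads nothing, but it is the kind of leftover a helper removes so the machine does not try to load it if the file ever reappears.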

#7 madcow1

  • Topic Starter
  • Members
  • 10 posts

Posted 13 July 2009 - 05:37 AM

Good day screen317,

There are 3 infected files found by the Kaspersky Online Scan (report attached). The following is the COMBOFIX.TXT after patching the additional code that you posted.

ComboFix 09-07-08.06 - Ho Nyuk Shiong 12-Jul-09 18:33.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.927 [GMT 8:00]
Running from: d:\downloads\HJT Tools\ComboFix.exe
Command switches used :: d:\downloads\HJT Tools\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((( Files Created from 2009-06-12 to 2009-07-12 )))))))))))))))))))))))))))))))
.

2009-07-10 13:40 . 2009-07-10 13:40 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-07-10 13:29 . 2009-07-10 13:29 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2009-07-10 13:29 . 2009-07-10 13:29 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2009-07-09 10:30 . 2009-06-17 03:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-09 10:30 . 2009-06-17 03:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-09 10:30 . 2009-07-09 10:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-08 12:30 . 2009-07-08 12:30 -------- d-----w- c:\program files\Nitro PDF
2009-07-07 11:26 . 2009-07-07 11:26 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-06 23:40 . 2009-07-06 23:40 -------- d-----w- c:\documents and settings\Ho Nyuk Shiong\Application Data\Apple Computer
2009-07-06 23:34 . 2009-07-06 23:34 -------- d-----w- c:\program files\QuickTime
2009-07-06 23:34 . 2009-07-06 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-07-06 23:34 . 2009-07-06 23:34 -------- d-----w- c:\documents and settings\Ho Nyuk Shiong\Local Settings\Application Data\Apple
2009-07-06 23:34 . 2009-07-06 23:34 -------- d-----w- c:\program files\Apple Software Update
2009-07-06 23:34 . 2009-07-06 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-07-06 13:37 . 2009-07-06 13:37 -------- d-----w- c:\documents and settings\Ho Nyuk Shiong\Local Settings\Application Data\Apple Computer
2009-07-03 00:05 . 2009-07-03 00:05 -------- d-----w- c:\program files\Common Files\PCSuite
2009-07-03 00:05 . 2008-08-26 02:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2009-07-03 00:05 . 2009-07-03 00:05 -------- d-----w- c:\program files\PC Connectivity Solution
2009-07-03 00:04 . 2009-03-19 06:48 8320 ----a-w- c:\windows\system32\drivers\nmwcdnsuc.sys
2009-07-03 00:04 . 2009-03-19 06:48 136704 ----a-w- c:\windows\system32\drivers\nmwcdnsu.sys
2009-07-03 00:04 . 2009-02-09 00:37 7808 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
2009-07-03 00:04 . 2009-02-09 00:37 7808 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
2009-07-03 00:04 . 2009-02-09 00:37 22016 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
2009-07-03 00:04 . 2009-02-09 00:37 659968 ----a-w- c:\windows\system32\nmwcdcocls.dll
2009-07-03 00:04 . 2009-02-09 00:37 17664 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
2009-07-03 00:04 . 2009-02-09 00:32 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
2009-07-03 00:03 . 2009-06-30 09:26 33773208 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Nokia_PC_Suite_7_1_30_9_eng_web.exe
2009-07-03 00:03 . 2009-07-03 00:03 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\pcswpcsi.exe
2009-07-03 00:03 . 2009-07-03 00:03 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstCCD.exe
2009-07-03 00:03 . 2009-07-03 00:03 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-07-03 00:03 . 2009-07-03 00:03 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstPCS.exe
2009-07-02 12:17 . 2008-08-21 10:49 8320 ----a-w- c:\windows\system32\drivers\motccgpfl.sys
2009-07-02 12:17 . 2008-08-21 10:49 18688 ----a-w- c:\windows\system32\drivers\motccgp.sys
2009-07-02 12:17 . 2007-11-02 07:51 6400 ----a-w- c:\windows\system32\drivers\motswch.sys
2009-07-02 12:17 . 2007-10-10 09:41 42112 ----a-w- c:\windows\system32\drivers\motodrv.sys
2009-07-02 12:16 . 2009-07-02 12:16 -------- d-----w- c:\program files\Motorola
2009-07-02 11:31 . 2009-07-02 11:31 -------- d-----w- c:\documents and settings\Ho Nyuk Shiong\Application Data\InstallShield
2009-06-30 23:36 . 2009-06-30 08:00 259368 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dbc02.vdb\ECMSVR32.DLL
2009-06-30 23:36 . 2009-02-18 19:41 2414128 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dbc02.vdb\CCERASER.DLL
2009-06-30 23:36 . 2009-02-12 23:04 876144 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dbc02.vdb\NAVEX15.SYS
2009-06-30 23:36 . 2009-02-12 23:04 89104 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dbc02.vdb\NAVENG.SYS
2009-06-30 23:36 . 2009-02-12 23:03 1181040 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dbc02.vdb\NAVEX32A.DLL
2009-06-30 23:36 . 2009-02-12 23:03 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dbc02.vdb\NAVENG32.DLL
2009-06-30 23:36 . 2009-02-06 19:26 101936 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dbc02.vdb\ERASER.SYS
2009-06-30 23:36 . 2009-02-06 19:26 371248 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dbc02.vdb\EECTRL.SYS
2009-06-30 13:16 . 2009-06-30 13:16 0 ----a-w- C:\BOOT.DAT
2009-06-30 13:15 . 2009-06-30 13:15 0 ----a-w- c:\documents and settings\Ho Nyuk Shiong\BOOT.DAT
2009-06-28 23:29 . 2009-06-28 23:29 -------- d-----w- C:\SIECBT
2009-06-27 03:01 . 2009-06-27 03:00 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-27 02:56 . 2009-06-27 02:56 152576 ----a-w- c:\documents and settings\Ho Nyuk Shiong\Application Data\Sun\Java\jre1.6.0_13\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-12 10:31 . 2008-07-21 03:03 -------- d-----w- c:\program files\Symantec AntiVirus
2009-07-12 09:35 . 2008-07-19 07:10 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-07-11 08:37 . 2009-01-11 13:49 -------- d-----w- c:\program files\lx_cats
2009-07-08 12:34 . 2009-06-12 10:00 117760 ----a-w- c:\documents and settings\Ho Nyuk Shiong\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-03 00:15 . 2009-07-03 00:15 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2009-07-03 00:12 . 2009-07-03 00:12 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-07-03 00:05 . 2009-01-23 10:31 -------- d-----w- c:\program files\Common Files\Nokia
2009-07-03 00:05 . 2009-01-22 14:54 -------- d-----w- c:\program files\Nokia
2009-07-03 00:02 . 2009-01-22 14:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2009-07-02 12:18 . 2009-07-02 12:18 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2009-07-02 12:18 . 2009-07-02 12:18 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2009-07-02 12:16 . 2009-05-01 06:01 -------- d-----w- c:\program files\Common Files\Motorola Shared
2009-07-02 11:32 . 2009-05-01 03:23 -------- d-----w- c:\program files\Motorola Phone Tools
2009-07-02 11:31 . 2008-07-19 06:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-29 13:04 . 2009-06-12 09:52 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-27 03:00 . 2008-07-19 10:06 -------- d-----w- c:\program files\Java
2009-06-15 12:28 . 2008-11-07 02:53 -------- d-----w- c:\program files\AREVA T&D
2009-06-13 10:18 . 2008-07-19 13:19 -------- d-----w- c:\program files\Foxit Software
2009-06-12 09:52 . 2009-06-12 09:52 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-12 09:52 . 2009-06-12 09:52 -------- d-----w- c:\documents and settings\Ho Nyuk Shiong\Application Data\SUPERAntiSpyware.com
2009-06-12 09:52 . 2008-07-21 06:35 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-12 07:46 . 2009-01-11 13:44 -------- d-----w- c:\program files\Lexmark Toolbar
2009-06-09 10:35 . 2009-06-09 10:35 21275 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-06-09 10:35 . 2009-06-09 10:35 -------- d-----w- c:\program files\Atheros
2009-06-07 04:09 . 2009-06-07 04:09 3351812 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\Installer\CommonCustomActions\msxml6Exec.exe
2009-06-07 04:09 . 2009-06-07 04:09 36864 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\Installer\CommonCustomActions\Sleep.exe
2009-06-07 04:09 . 2009-06-07 04:09 3181612 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\Installer\CommonCustomActions\vcredistExec.exe
2009-06-07 04:09 . 2009-06-07 04:09 24376008 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\NokiaSoftwareUpdaterSetup_1.6.13EN.exe
2009-06-01 04:19 . 2008-07-20 13:22 -------- d-----w- c:\documents and settings\Ho Nyuk Shiong\Application Data\ReyEvo32
2009-05-31 05:34 . 2009-05-31 02:34 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-31 02:37 . 2009-05-31 02:37 -------- d-----w- c:\documents and settings\Ho Nyuk Shiong\Application Data\IronCode
2009-05-13 05:15 . 2006-02-28 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-11 04:47 . 2009-05-11 04:47 1302600 ----a-w- c:\windows\system32\WUDFUpdate_01007.dll
2009-05-07 15:32 . 2006-02-28 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-01 06:00 . 2009-05-01 06:00 9232 ----a-w- c:\documents and settings\Ho Nyuk Shiong\mqdmmdfl.sys
2009-05-01 06:00 . 2009-05-01 06:00 92064 ----a-w- c:\documents and settings\Ho Nyuk Shiong\mqdmmdm.sys
2009-05-01 06:00 . 2009-05-01 06:00 79328 ----a-w- c:\documents and settings\Ho Nyuk Shiong\mqdmserd.sys
2009-05-01 06:00 . 2009-05-01 06:00 66656 ----a-w- c:\documents and settings\Ho Nyuk Shiong\mqdmbus.sys
2009-05-01 06:00 . 2009-05-01 06:00 6208 ----a-w- c:\documents and settings\Ho Nyuk Shiong\mqdmcmnt.sys
2009-05-01 06:00 . 2009-05-01 06:00 5936 ----a-w- c:\documents and settings\Ho Nyuk Shiong\mqdmwhnt.sys
2009-05-01 06:00 . 2009-05-01 06:00 4048 ----a-w- c:\documents and settings\Ho Nyuk Shiong\mqdmcr.sys
2009-05-01 06:00 . 2009-05-01 03:23 25600 ----a-w- c:\documents and settings\Ho Nyuk Shiong\usbsermptxp.sys
2009-05-01 06:00 . 2009-05-01 03:23 22768 ----a-w- c:\documents and settings\Ho Nyuk Shiong\usbsermpt.sys
2009-04-27 10:54 . 2009-04-27 10:54 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstCCD.exe
2009-04-27 10:54 . 2009-04-27 10:54 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-04-27 10:54 . 2009-04-27 10:54 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCS.exe
2009-04-27 10:54 . 2009-04-27 10:55 34396584 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Nokia_PC_Suite_7_1_26_0_eng.exe
2009-04-24 02:55 . 2008-07-20 02:04 176235 ----a-w- c:\windows\system32\Primomonnt.dll
2009-04-17 12:26 . 2006-02-28 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2006-02-28 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2008-08-26 12:21 . 2008-08-26 12:18 2788800 ----a-w- c:\program files\FLV PlayerFCSetup.exe
2007-10-09 05:35 . 2009-03-24 23:11 155648 ----a-w- c:\program files\internet explorer\plugins\CFCPlugInBase.dll
2007-10-09 05:34 . 2009-03-24 23:11 270336 ----a-w- c:\program files\internet explorer\plugins\SigraPlugInBase.dll
2007-10-09 05:33 . 2009-03-24 23:11 192512 ----a-w- c:\program files\internet explorer\plugins\TAGrid07.dll
2007-05-09 07:33 . 2009-03-24 23:11 147456 ----a-w- c:\program files\internet explorer\plugins\TransientRecordingManager01.dll
2006-03-15 05:42 . 2009-03-24 23:11 94208 ----a-w- c:\program files\internet explorer\plugins\unzdll.dll
2007-10-09 05:34 . 2009-03-24 23:11 270336 ----a-w- c:\program files\mozilla firefox\plugins\SigraPlugInBase.dll
2007-10-09 05:33 . 2009-03-24 23:11 192512 ----a-w- c:\program files\mozilla firefox\plugins\TAGrid07.dll
2007-05-09 07:33 . 2009-03-24 23:11 147456 ----a-w- c:\program files\mozilla firefox\plugins\TransientRecordingManager01.dll
2006-03-15 05:42 . 2009-03-24 23:11 94208 ----a-w- c:\program files\mozilla firefox\plugins\unzdll.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-09_10.56.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 09:32 . 2009-07-12 09:32 16384 c:\windows\Temp\Perflib_Perfdata_73c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 94208]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-25 1414144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-16 124656]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-16 794713]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-27 148888]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"LXCYCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2005-12-01 65536]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"ACU"="c:\program files\Atheros\ACU.exe" [2006-03-25 335961]
"mumservice"="c:\program files\Motorola\Software Update\mumservice.exe" [2009-05-19 996608]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-12-06 88363]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 04:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SavRoam"=2 (0x2)
"fsproflt"=2 (0x2)
"idsvc"=2 (0x2)
"IDriverT"=3 (0x3)
"ose"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"ServiceLayer"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\AREVA T&D\\MiCOM S1 Studio\\Studio\\Studio.exe"=
"c:\\Program Files\\Motorola\\Software Update\\msu.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [26-May-09 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [26-May-09 10:05 AM 72944]
R2 almservice;Automation License Manager Service;c:\program files\Common Files\SIEMENS\sws\almsrv\almsrvx.exe [25-Mar-09 7:10 AM 770110]
R2 s7oiehsx;SIMATIC IEPG Help Service;c:\program files\Common Files\SIEMENS\S7IEPG\s7oiehsx.exe [25-Mar-09 7:09 AM 208968]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [27-Jun-09 8:37 AM 101936]
R3 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S0 lkclmltm;lkclmltm;c:\windows\system32\drivers\bgigdz.sys --> c:\windows\system32\drivers\bgigdz.sys [?]
S2 MICOMPar;MICOMPar;c:\windows\system32\drivers\micompar.sys [03-Jan-08 11:53 AM 13488]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [02-Jul-09 8:17 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [02-Jul-09 8:17 PM 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [02-Jul-09 8:17 PM 42112]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [03-Jul-09 8:04 AM 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [03-Jul-09 8:04 AM 8320]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [26-May-09 10:05 AM 7408]
S4 s7asysvx;S7 Global Services;c:\siemens\Digsi4\Manager\S7bin\s7asysvx.exe [25-Mar-09 7:09 AM 69685]
S4 S7TraceServiceX;S7TraceServiceX;c:\program files\Common Files\SIEMENS\Automation\TraceEngine\bin\S7TraceServiceX.exe [25-Mar-09 7:09 AM 163840]
S4 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [17-Mar-06 6:34 AM 115952]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]

2009-07-12 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 09:04]

2009-07-12 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 09:04]

2009-07-11 c:\windows\Tasks\User_Feed_Synchronization-{AE4E4ED5-FE4A-45D5-BD51-DE4E4907BAE3}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://intra.sesb.com.my/
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://mys.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://malaysia.search.yahoo.com/search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {4B1BBEAE-AB8D-4494-A708-4EF89F9DF705} = 10.1.1.7,10.1.1.1
FF - ProfilePath - c:\documents and settings\Ho Nyuk Shiong\Application Data\Mozilla\Firefox\Profiles\4r7wvdat.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - component: c:\documents and settings\Ho Nyuk Shiong\Application Data\Mozilla\Firefox\Profiles\4r7wvdat.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFAlert.dll
FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSigra.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-12 18:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCYCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-842925246-1004336348-682003330-1003\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Excel\Settings\E*x*p*o*r*t* *p*a*r*a*m*e*t*e*r*s* *t*o*& \File Name MRU]
"Value"=multi:"\00\00"
"Maximum Entries"=dword:0000000a

[HKEY_USERS\S-1-5-21-842925246-1004336348-682003330-1003\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Excel\Settings\E*x*p*o*r*t* *p*a*r*a*m*e*t*e*r*s* *t*o*& \View]
"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2536)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-07-12 18:39
ComboFix-quarantined-files.txt 2009-07-12 10:38
ComboFix2.txt 2009-07-09 10:59

Pre-Run: 16,720,932,864 bytes free
Post-Run: 16,724,934,656 bytes free

263 --- E O F --- 2009-06-12 09:56
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Here is the DDS log:

DDS (Ver_09-06-26.01) - NTFSx86
Run by Ho Nyuk Shiong at 19:03:00.59 on 12-Jul-09
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.878 [GMT 8:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
svchost.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\SIEMENS\S7IEPG\s7oiehsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\SIEMENS\sws\almsrv\almsrvx.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
D:\Downloads\HJT Tools\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://intra.sesb.com.my/
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://mys.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://malaysia.search.yahoo.com/search
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [LXCYCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCYtime.dll,_RunDLLEntry@16
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ACU] "c:\program files\atheros\ACU.exe" -nogui
mRun: [mumservice] c:\program files\motorola\software update\mumservice.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1216458990328
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: {4B1BBEAE-AB8D-4494-A708-4EF89F9DF705} = 10.1.1.7,10.1.1.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\honyuk~1\applic~1\mozilla\firefox\profiles\4r7wvdat.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - component: c:\documents and settings\ho nyuk shiong\application data\mozilla\firefox\profiles\4r7wvdat.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFAlert.dll
FF - component: c:\program files\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPSigra.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 almservice;Automation License Manager Service;c:\program files\common files\siemens\sws\almsrv\almsrvx.exe [2009-3-25 770110]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-7 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-7 169632]
R2 s7oiehsx;SIMATIC IEPG Help Service;c:\program files\common files\siemens\s7iepg\s7oiehsx.exe [2009-3-25 208968]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-3-17 1799408]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-6-27 101936]
R3 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090711.006\naveng.sys [2009-7-12 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090711.006\navex15.sys [2009-7-12 876144]
R3 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
S0 lkclmltm;lkclmltm;c:\windows\system32\drivers\bgigdz.sys --> c:\windows\system32\drivers\bgigdz.sys [?]
S2 MICOMPar;MICOMPar;c:\windows\system32\drivers\micompar.sys [2008-1-3 13488]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2009-7-2 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-7-2 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2009-7-2 42112]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-7-3 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-7-3 8320]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
S4 s7asysvx;S7 Global Services;c:\siemens\digsi4\manager\s7bin\s7asysvx.exe [2009-3-25 69685]
S4 S7TraceServiceX;S7TraceServiceX;c:\program files\common files\siemens\automation\traceengine\bin\S7TraceServiceX.exe [2009-3-25 163840]
S4 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-3-17 115952]

=============== Created Last 30 ================

2009-07-09 18:57 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-09 18:51 <DIR> a-dshr-- C:\cmdcons
2009-07-09 18:44 161,792 a------- c:\windows\SWREG.exe
2009-07-09 18:44 155,136 a------- c:\windows\PEV.exe
2009-07-09 18:44 98,816 a------- c:\windows\sed.exe
2009-07-09 18:30 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-09 18:30 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-09 18:30 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-08 20:30 <DIR> --d----- c:\program files\Nitro PDF
2009-07-03 08:15 0 a---h--- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2009-07-03 08:12 0 a---h--- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-07-03 08:05 <DIR> --d----- c:\program files\common files\PCSuite
2009-07-03 08:05 18,816 a------- c:\windows\system32\drivers\pccsmcfd.sys
2009-07-03 08:05 <DIR> --d----- c:\program files\PC Connectivity Solution
2009-07-03 08:04 8,320 a------- c:\windows\system32\drivers\nmwcdnsuc.sys
2009-07-03 08:04 136,704 a------- c:\windows\system32\drivers\nmwcdnsu.sys
2009-07-03 08:04 7,808 a------- c:\windows\system32\drivers\usbser_lowerfltj.sys
2009-07-03 08:04 7,808 a------- c:\windows\system32\drivers\usbser_lowerflt.sys
2009-07-03 08:04 22,016 a------- c:\windows\system32\drivers\ccdcmbo.sys
2009-07-03 08:04 1,112,288 a------- c:\windows\system32\wdfcoinstaller01007.dll
2009-07-03 08:04 659,968 a------- c:\windows\system32\nmwcdcocls.dll
2009-07-03 08:04 17,664 a------- c:\windows\system32\drivers\ccdcmb.sys
2009-07-02 20:18 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2009-07-02 20:18 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2009-07-02 20:17 18,688 a------- c:\windows\system32\drivers\motccgp.sys
2009-07-02 20:17 8,320 a------- c:\windows\system32\drivers\motccgpfl.sys
2009-07-02 20:17 6,400 a------- c:\windows\system32\drivers\motswch.sys
2009-07-02 20:17 42,112 a------- c:\windows\system32\drivers\motodrv.sys
2009-07-02 20:16 <DIR> --d----- c:\program files\Motorola
2009-06-30 21:16 0 a------- C:\BOOT.DAT
2009-06-30 21:15 0 a------- c:\documents and settings\ho nyuk shiong\BOOT.DAT
2009-06-29 07:29 <DIR> --d----- C:\SIECBT
2009-06-27 11:01 410,984 a------- c:\windows\system32\deploytk.dll

==================== Find3M ====================

2009-06-09 18:35 21,275 a------- c:\windows\system32\drivers\AegisP.sys
2009-05-13 13:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-11 12:47 1,302,600 a------- c:\windows\system32\WUDFUpdate_01007.dll
2009-05-07 23:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-01 14:00 92,064 a------- c:\documents and settings\ho nyuk shiong\mqdmmdm.sys
2009-05-01 14:00 79,328 a------- c:\documents and settings\ho nyuk shiong\mqdmserd.sys
2009-05-01 14:00 66,656 a------- c:\documents and settings\ho nyuk shiong\mqdmbus.sys
2009-05-01 14:00 25,600 a------- c:\documents and settings\ho nyuk shiong\usbsermptxp.sys
2009-05-01 14:00 22,768 a------- c:\documents and settings\ho nyuk shiong\usbsermpt.sys
2009-05-01 14:00 9,232 a------- c:\documents and settings\ho nyuk shiong\mqdmmdfl.sys
2009-05-01 14:00 6,208 a------- c:\documents and settings\ho nyuk shiong\mqdmcmnt.sys
2009-05-01 14:00 5,936 a------- c:\documents and settings\ho nyuk shiong\mqdmwhnt.sys
2009-05-01 14:00 4,048 a------- c:\documents and settings\ho nyuk shiong\mqdmcr.sys
2009-04-24 10:55 176,235 a------- c:\windows\system32\Primomonnt.dll
2009-04-17 20:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 22:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2008-08-26 20:21 2,788,800 a------- c:\program files\FLV PlayerFCSetup.exe

============= FINISH: 19:03:23.35 ===============


#8 screen317

screen317

  • Malware Response Team
  • 236 posts
  • OFFLINE
  • Gender:Male
  • Location:Los Angeles
  • Local time:04:52 PM

Posted 15 July 2009 - 05:18 PM

Hello,

Navigate to and delete the contents of this folder (leaving it empty):
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5

Also delete SecurityCheck.exe.


Next, please open Notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into Notepad:

Driver::
lkclmltm
File::
c:\windows\system32\drivers\bgigdz.sys
Regnull::
[HKEY_USERS\S-1-5-21-842925246-1004336348-682003330-1003\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Excel\Settings\E*x*p*o*r*t* *p*a*r*a*m*e*t*e*r*s* *t*o*& ]View]


Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.



Let me know what problems remain.


-screen317

Edited by screen317, 15 July 2009 - 05:18 PM.

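The CFScript above targets the one entry in the DDS "SERVICES / DRIVERS" section that stands out: a boot-start driver (S0) with a random-looking name whose file DDS could not find on disk ("[?]"). The following parser is an added example, not part of this thread or of the DDS/ComboFix tools; it reads DDS service lines (the sample is copied from the log above) and scores each entry on those same triage signals, so a defender can spot such entries without reading the whole log by hand.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One DDS "SERVICES / DRIVERS" line looks like either of these (from the log above):
#   R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
#   S0 lkclmltm;lkclmltm;c:\windows\system32\drivers\bgigdz.sys --> c:\windows\system32\drivers\bgigdz.sys [?]
# State: R = running, S = stopped. Start type: 0 boot, 1 system, 2 auto, 3 demand, 4 disabled.
# The bracket holds "[date size]" when DDS found the file, or "[?]" when it did not.
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s+\[(?P<info>[^\]]*)\]\s*$"
)

# Constructed sample: a handful of lines taken from the DDS log in this thread.
DDS_SAMPLE = r"""
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-3-17 1799408]
R3 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S0 lkclmltm;lkclmltm;c:\windows\system32\drivers\bgigdz.sys --> c:\windows\system32\drivers\bgigdz.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2009-7-2 18688]
"""


@dataclass
class ServiceEntry:
    running: bool
    start_type: int
    name: str
    display: str
    path: str
    file_seen: bool  # False when DDS printed "[?]", i.e. the binary was not found on disk


def parse_line(line: str) -> Optional[ServiceEntry]:
    """Parse one DDS service/driver line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    # DDS writes "registered path --> resolved path" when it had to resolve the image path.
    if " --> " in path:
        path = path.split(" --> ", 1)[1]
    return ServiceEntry(
        running=m.group("state") == "R",
        start_type=int(m.group("start")),
        name=m.group("name").strip(),
        display=m.group("display").strip(),
        path=path.strip(),
        file_seen=m.group("info").strip() != "?",
    )


def parse_services(text: str) -> List[ServiceEntry]:
    """Parse every matching line of a DDS SERVICES / DRIVERS section."""
    entries = [parse_line(ln) for ln in text.splitlines()]
    return [e for e in entries if e is not None]


def triage(entries: List[ServiceEntry]) -> Dict[str, List[str]]:
    """Return name -> list of triage signals for every entry that has at least one."""
    report: Dict[str, List[str]] = {}
    for e in entries:
        reasons = []
        if not e.file_seen:
            reasons.append("binary not found on disk ([?])")
        if e.start_type <= 1:
            reasons.append("boot/system-start driver (loads before most security tools)")
        if not any(c in "aeiou" for c in e.name.lower()):
            reasons.append("random-looking service name (no vowels)")
        if reasons:
            report[e.name] = reasons
    return report


def high_priority(entries: List[ServiceEntry], min_reasons: int = 2) -> List[str]:
    """Names that hit at least min_reasons signals; a single signal alone is common and benign."""
    return sorted(n for n, r in triage(entries).items() if len(r) >= min_reasons)


if __name__ == "__main__":
    svc = parse_services(DDS_SAMPLE)
    for name, reasons in triage(svc).items():
        print(f"{name}: {', '.join(reasons)}")
    print("high priority:", high_priority(svc))
```

On the sample, only lkclmltm reaches two or more signals; lxcy_device (a printer service whose path DDS could not resolve) shows a single "[?]" signal and is left for manual review.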

#9 madcow1

madcow1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:52 AM

Posted 20 July 2009 - 07:26 AM

Good day to you. The viruses haven't popped up on my laptop screen since Saturday, even though I let it idle for the whole afternoon. However, I still carried out the steps that you suggested. Here is the ComboFix log:

ComboFix 09-07-08.06 - Ho Nyuk Shiong 20-Jul-09 7:24.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.920 [GMT 8:00]
Running from: d:\downloads\HJT Tools\ComboFix.exe
Command switches used :: c:\documents and settings\Ho Nyuk Shiong\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -

FILE ::
"c:\windows\system32\drivers\bgigdz.sys"
.

((((((((((((((((((((((((( Files Created from 2009-06-19 to 2009-07-19 )))))))))))))))))))))))))))))))
.

2009-07-10 13:40 . 2009-07-10 13:40 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-07-10 13:29 . 2009-07-10 13:29 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2009-07-10 13:29 . 2009-07-10 13:29 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2009-07-09 10:30 . 2009-06-17 03:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-09 10:30 . 2009-06-17 03:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-09 10:30 . 2009-07-09 10:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-08 12:30 . 2009-07-08 12:30 -------- d-----w- c:\program files\Nitro PDF
2009-07-07 11:26 . 2009-07-07 11:26 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-06 23:40 . 2009-07-06 23:40 -------- d-----w- c:\documents and settings\Ho Nyuk Shiong\Application Data\Apple Computer
2009-07-06 23:34 . 2009-07-06 23:34 -------- d-----w- c:\program files\QuickTime
2009-07-06 23:34 . 2009-07-06 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-07-06 23:34 . 2009-07-06 23:34 -------- d-----w- c:\documents and settings\Ho Nyuk Shiong\Local Settings\Application Data\Apple
2009-07-06 23:34 . 2009-07-06 23:34 -------- d-----w- c:\program files\Apple Software Update
2009-07-06 23:34 . 2009-07-06 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-07-06 13:37 . 2009-07-06 13:37 -------- d-----w- c:\documents and settings\Ho Nyuk Shiong\Local Settings\Application Data\Apple Computer
2009-07-03 00:05 . 2009-07-03 00:05 -------- d-----w- c:\program files\Common Files\PCSuite
2009-07-03 00:05 . 2008-08-26 02:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2009-07-03 00:05 . 2009-07-03 00:05 -------- d-----w- c:\program files\PC Connectivity Solution
2009-07-03 00:04 . 2009-03-19 06:48 8320 ----a-w- c:\windows\system32\drivers\nmwcdnsuc.sys
2009-07-03 00:04 . 2009-03-19 06:48 136704 ----a-w- c:\windows\system32\drivers\nmwcdnsu.sys
2009-07-03 00:04 . 2009-02-09 00:37 7808 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
2009-07-03 00:04 . 2009-02-09 00:37 7808 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
2009-07-03 00:04 . 2009-02-09 00:37 22016 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
2009-07-03 00:04 . 2009-02-09 00:37 659968 ----a-w- c:\windows\system32\nmwcdcocls.dll
2009-07-03 00:04 . 2009-02-09 00:37 17664 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
2009-07-03 00:04 . 2009-02-09 00:32 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
2009-07-03 00:03 . 2009-06-30 09:26 33773208 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Nokia_PC_Suite_7_1_30_9_eng_web.exe
2009-07-03 00:03 . 2009-07-03 00:03 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\pcswpcsi.exe
2009-07-03 00:03 . 2009-07-03 00:03 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstCCD.exe
2009-07-03 00:03 . 2009-07-03 00:03 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-07-03 00:03 . 2009-07-03 00:03 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstPCS.exe
2009-07-02 12:17 . 2008-08-21 10:49 8320 ----a-w- c:\windows\system32\drivers\motccgpfl.sys
2009-07-02 12:17 . 2008-08-21 10:49 18688 ----a-w- c:\windows\system32\drivers\motccgp.sys
2009-07-02 12:17 . 2007-11-02 07:51 6400 ----a-w- c:\windows\system32\drivers\motswch.sys
2009-07-02 12:17 . 2007-10-10 09:41 42112 ----a-w- c:\windows\system32\drivers\motodrv.sys
2009-07-02 12:16 . 2009-07-02 12:16 -------- d-----w- c:\program files\Motorola
2009-07-02 11:31 . 2009-07-02 11:31 -------- d-----w- c:\documents and settings\Ho Nyuk Shiong\Application Data\InstallShield
2009-06-30 13:16 . 2009-06-30 13:16 0 ----a-w- C:\BOOT.DAT
2009-06-30 13:15 . 2009-06-30 13:15 0 ----a-w- c:\documents and settings\Ho Nyuk Shiong\BOOT.DAT
2009-06-28 23:29 . 2009-06-28 23:29 -------- d-----w- C:\SIECBT
2009-06-27 03:01 . 2009-07-13 05:56 410984 ----a-w- c:\windows\system32\deploytk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-19 23:22 . 2008-07-21 03:03 -------- d-----w- c:\program files\Symantec AntiVirus
2009-07-17 12:48 . 2008-07-19 07:10 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-07-14 00:49 . 2009-06-12 09:52 -------- d-----w- c:\documents and settings\Ho Nyuk Shiong\Application Data\SUPERAntiSpyware.com
2009-07-14 00:49 . 2008-07-21 06:35 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-14 00:49 . 2009-06-12 09:52 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-13 06:32 . 2009-01-11 13:49 -------- d-----w- c:\program files\lx_cats
2009-07-13 05:53 . 2008-07-19 10:06 -------- d-----w- c:\program files\Java
2009-07-03 00:15 . 2009-07-03 00:15 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2009-07-03 00:12 . 2009-07-03 00:12 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-07-03 00:05 . 2009-01-23 10:31 -------- d-----w- c:\program files\Common Files\Nokia
2009-07-03 00:05 . 2009-01-22 14:54 -------- d-----w- c:\program files\Nokia
2009-07-03 00:02 . 2009-01-22 14:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2009-07-02 12:18 . 2009-07-02 12:18 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2009-07-02 12:18 . 2009-07-02 12:18 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2009-07-02 12:16 . 2009-05-01 06:01 -------- d-----w- c:\program files\Common Files\Motorola Shared
2009-07-02 11:32 . 2009-05-01 03:23 -------- d-----w- c:\program files\Motorola Phone Tools
2009-07-02 11:31 . 2008-07-19 06:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-16 14:36 . 2006-02-28 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2006-02-28 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 12:28 . 2008-11-07 02:53 -------- d-----w- c:\program files\AREVA T&D
2009-06-13 10:18 . 2008-07-19 13:19 -------- d-----w- c:\program files\Foxit Software
2009-06-12 09:52 . 2009-06-12 09:52 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-12 07:46 . 2009-01-11 13:44 -------- d-----w- c:\program files\Lexmark Toolbar
2009-06-09 10:35 . 2009-06-09 10:35 21275 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-06-09 10:35 . 2009-06-09 10:35 -------- d-----w- c:\program files\Atheros
2009-06-07 04:09 . 2009-06-07 04:09 3351812 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\Installer\CommonCustomActions\msxml6Exec.exe
2009-06-07 04:09 . 2009-06-07 04:09 36864 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\Installer\CommonCustomActions\Sleep.exe
2009-06-07 04:09 . 2009-06-07 04:09 3181612 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\Installer\CommonCustomActions\vcredistExec.exe
2009-06-07 04:09 . 2009-06-07 04:09 24376008 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\NokiaSoftwareUpdaterSetup_1.6.13EN.exe
2009-06-03 19:09 . 2006-02-28 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-01 04:19 . 2008-07-20 13:22 -------- d-----w- c:\documents and settings\Ho Nyuk Shiong\Application Data\ReyEvo32
2009-05-31 05:34 . 2009-05-31 02:34 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-31 02:37 . 2009-05-31 02:37 -------- d-----w- c:\documents and settings\Ho Nyuk Shiong\Application Data\IronCode
2009-05-13 05:15 . 2006-02-28 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-11 04:47 . 2009-05-11 04:47 1302600 ----a-w- c:\windows\system32\WUDFUpdate_01007.dll
2009-05-07 15:32 . 2006-02-28 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-01 06:00 . 2009-05-01 06:00 9232 ----a-w- c:\documents and settings\Ho Nyuk Shiong\mqdmmdfl.sys
2009-05-01 06:00 . 2009-05-01 06:00 92064 ----a-w- c:\documents and settings\Ho Nyuk Shiong\mqdmmdm.sys
2009-05-01 06:00 . 2009-05-01 06:00 79328 ----a-w- c:\documents and settings\Ho Nyuk Shiong\mqdmserd.sys
2009-05-01 06:00 . 2009-05-01 06:00 66656 ----a-w- c:\documents and settings\Ho Nyuk Shiong\mqdmbus.sys
2009-05-01 06:00 . 2009-05-01 06:00 6208 ----a-w- c:\documents and settings\Ho Nyuk Shiong\mqdmcmnt.sys
2009-05-01 06:00 . 2009-05-01 06:00 5936 ----a-w- c:\documents and settings\Ho Nyuk Shiong\mqdmwhnt.sys
2009-05-01 06:00 . 2009-05-01 06:00 4048 ----a-w- c:\documents and settings\Ho Nyuk Shiong\mqdmcr.sys
2009-05-01 06:00 . 2009-05-01 03:23 25600 ----a-w- c:\documents and settings\Ho Nyuk Shiong\usbsermptxp.sys
2009-05-01 06:00 . 2009-05-01 03:23 22768 ----a-w- c:\documents and settings\Ho Nyuk Shiong\usbsermpt.sys
2009-04-27 10:54 . 2009-04-27 10:54 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstCCD.exe
2009-04-27 10:54 . 2009-04-27 10:54 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-04-27 10:54 . 2009-04-27 10:54 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCS.exe
2009-04-27 10:54 . 2009-04-27 10:55 34396584 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Nokia_PC_Suite_7_1_26_0_eng.exe
2009-04-24 02:55 . 2008-07-20 02:04 176235 ----a-w- c:\windows\system32\Primomonnt.dll
2008-08-26 12:21 . 2008-08-26 12:18 2788800 ----a-w- c:\program files\FLV PlayerFCSetup.exe
2007-10-09 05:35 . 2009-03-24 23:11 155648 ----a-w- c:\program files\internet explorer\plugins\CFCPlugInBase.dll
2007-10-09 05:34 . 2009-03-24 23:11 270336 ----a-w- c:\program files\internet explorer\plugins\SigraPlugInBase.dll
2007-10-09 05:33 . 2009-03-24 23:11 192512 ----a-w- c:\program files\internet explorer\plugins\TAGrid07.dll
2007-05-09 07:33 . 2009-03-24 23:11 147456 ----a-w- c:\program files\internet explorer\plugins\TransientRecordingManager01.dll
2006-03-15 05:42 . 2009-03-24 23:11 94208 ----a-w- c:\program files\internet explorer\plugins\unzdll.dll
2007-10-09 05:34 . 2009-03-24 23:11 270336 ----a-w- c:\program files\mozilla firefox\plugins\SigraPlugInBase.dll
2007-10-09 05:33 . 2009-03-24 23:11 192512 ----a-w- c:\program files\mozilla firefox\plugins\TAGrid07.dll
2007-05-09 07:33 . 2009-03-24 23:11 147456 ----a-w- c:\program files\mozilla firefox\plugins\TransientRecordingManager01.dll
2006-03-15 05:42 . 2009-03-24 23:11 94208 ----a-w- c:\program files\mozilla firefox\plugins\unzdll.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-09_10.56.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-19 23:12 . 2009-07-19 23:12 16384 c:\windows\Temp\Perflib_Perfdata_728.dat
+ 2009-06-16 14:36 . 2009-06-16 14:36 81920 c:\windows\system32\dllcache\fontsub.dll
+ 2008-07-23 10:26 . 2009-07-18 14:20 23040 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-07-23 10:26 . 2009-06-12 09:55 23040 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-07-23 10:26 . 2009-06-12 09:55 61440 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-07-23 10:26 . 2009-07-18 14:20 61440 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2008-07-23 10:26 . 2009-06-12 09:55 27136 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-07-23 10:26 . 2009-07-18 14:20 27136 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-07-23 10:26 . 2009-06-12 09:55 11264 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-07-23 10:26 . 2009-07-18 14:20 11264 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-07-23 10:26 . 2009-07-18 14:20 12288 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-07-23 10:26 . 2009-06-12 09:55 12288 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-07-23 10:26 . 2009-06-12 09:55 4096 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-07-23 10:26 . 2009-07-18 14:20 4096 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2009-07-13 05:57 . 2009-07-13 05:56 148888 c:\windows\system32\javaws.exe
- 2009-06-27 03:01 . 2009-06-27 03:00 148888 c:\windows\system32\javaws.exe
+ 2009-07-13 05:57 . 2009-07-13 05:56 144792 c:\windows\system32\javaw.exe
- 2009-06-27 03:01 . 2009-06-27 03:00 144792 c:\windows\system32\javaw.exe
+ 2009-07-13 05:57 . 2009-07-13 05:56 144792 c:\windows\system32\java.exe
- 2009-06-27 03:01 . 2009-06-27 03:00 144792 c:\windows\system32\java.exe
+ 2009-06-16 14:36 . 2009-06-16 14:36 119808 c:\windows\system32\dllcache\t2embed.dll
+ 2008-07-23 10:26 . 2009-07-18 14:20 409600 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2008-07-23 10:26 . 2009-06-12 09:55 409600 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2008-07-23 10:26 . 2009-06-12 09:55 286720 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-07-23 10:26 . 2009-07-18 14:20 286720 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-07-23 10:26 . 2009-06-12 09:55 249856 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-07-23 10:26 . 2009-07-18 14:20 249856 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-07-23 10:26 . 2009-06-12 09:55 794624 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-07-23 10:26 . 2009-07-18 14:20 794624 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-07-23 10:26 . 2009-06-12 09:55 135168 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-07-23 10:26 . 2009-07-18 14:20 135168 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-05-07 05:12 . 2009-06-03 19:09 1291264 c:\windows\system32\dllcache\quartz.dll
+ 2009-07-13 05:56 . 2009-07-13 05:56 1563648 c:\windows\Installer\5bf2a.msi
+ 2009-06-30 03:30 . 2009-06-30 03:30 5520384 c:\windows\Installer\153062.msp
+ 2008-07-19 09:22 . 2009-07-07 15:10 24539592 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 94208]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-25 1414144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-16 124656]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-16 794713]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"LXCYCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2005-12-01 65536]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"ACU"="c:\program files\Atheros\ACU.exe" [2006-03-25 335961]
"mumservice"="c:\program files\Motorola\Software Update\mumservice.exe" [2009-05-19 996608]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-13 148888]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-12-06 88363]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SavRoam"=2 (0x2)
"fsproflt"=2 (0x2)
"idsvc"=2 (0x2)
"IDriverT"=3 (0x3)
"ose"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"ServiceLayer"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\AREVA T&D\\MiCOM S1 Studio\\Studio\\Studio.exe"=
"c:\\Program Files\\Motorola\\Software Update\\msu.exe"=

R2 almservice;Automation License Manager Service;c:\program files\Common Files\SIEMENS\sws\almsrv\almsrvx.exe [25-Mar-09 7:10 AM 770110]
R2 s7oiehsx;SIMATIC IEPG Help Service;c:\program files\Common Files\SIEMENS\S7IEPG\s7oiehsx.exe [25-Mar-09 7:09 AM 208968]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [27-Jun-09 8:37 AM 101936]
R3 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S0 lkclmltm;lkclmltm;c:\windows\system32\drivers\bgigdz.sys --> c:\windows\system32\drivers\bgigdz.sys [?]
S2 MICOMPar;MICOMPar;c:\windows\system32\drivers\micompar.sys [03-Jan-08 11:53 AM 13488]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [02-Jul-09 8:17 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [02-Jul-09 8:17 PM 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [02-Jul-09 8:17 PM 42112]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [03-Jul-09 8:04 AM 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [03-Jul-09 8:04 AM 8320]
S4 s7asysvx;S7 Global Services;c:\siemens\Digsi4\Manager\S7bin\s7asysvx.exe [25-Mar-09 7:09 AM 69685]
S4 S7TraceServiceX;S7TraceServiceX;c:\program files\Common Files\SIEMENS\Automation\TraceEngine\bin\S7TraceServiceX.exe [25-Mar-09 7:09 AM 163840]
S4 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [17-Mar-06 6:34 AM 115952]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]

2009-07-12 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 09:04]

2009-07-19 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 09:04]

2009-07-19 c:\windows\Tasks\User_Feed_Synchronization-{AE4E4ED5-FE4A-45D5-BD51-DE4E4907BAE3}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://intra.sesb.com.my/
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://mys.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://malaysia.search.yahoo.com/search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {4B1BBEAE-AB8D-4494-A708-4EF89F9DF705} = 10.1.1.7,10.1.1.1
FF - ProfilePath - c:\documents and settings\Ho Nyuk Shiong\Application Data\Mozilla\Firefox\Profiles\4r7wvdat.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - component: c:\documents and settings\Ho Nyuk Shiong\Application Data\Mozilla\Firefox\Profiles\4r7wvdat.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFAlert.dll
FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSigra.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-20 07:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCYCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-842925246-1004336348-682003330-1003\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Excel\Settings\E*x*p*o*r*t* *p*a*r*a*m*e*t*e*r*s* *t*o*& \File Name MRU]
"Value"=multi:"\00\00"
"Maximum Entries"=dword:0000000a

[HKEY_USERS\S-1-5-21-842925246-1004336348-682003330-1003\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Excel\Settings\E*x*p*o*r*t* *p*a*r*a*m*e*t*e*r*s* *t*o*& \View]
"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2188)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-07-19 7:27
ComboFix-quarantined-files.txt 2009-07-19 23:27
ComboFix2.txt 2009-07-12 10:39
ComboFix3.txt 2009-07-09 10:59

Pre-Run: 16,601,886,720 bytes free
Post-Run: 16,643,956,736 bytes free

284 --- E O F --- 2009-07-18 14:20
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The following is the DDS log:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Ho Nyuk Shiong at 7:29:40.00 on 20-Jul-09
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.925 [GMT 8:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
svchost.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\SIEMENS\S7IEPG\s7oiehsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\SIEMENS\sws\almsrv\almsrvx.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
D:\Downloads\HJT Tools\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://intra.sesb.com.my/
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://mys.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://malaysia.search.yahoo.com/search
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [LXCYCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCYtime.dll,_RunDLLEntry@16
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ACU] "c:\program files\atheros\ACU.exe" -nogui
mRun: [mumservice] c:\program files\motorola\software update\mumservice.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1216458990328
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: {4B1BBEAE-AB8D-4494-A708-4EF89F9DF705} = 10.1.1.7,10.1.1.1
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\honyuk~1\applic~1\mozilla\firefox\profiles\4r7wvdat.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - component: c:\documents and settings\ho nyuk shiong\application data\mozilla\firefox\profiles\4r7wvdat.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFAlert.dll
FF - component: c:\program files\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPSigra.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 almservice;Automation License Manager Service;c:\program files\common files\siemens\sws\almsrv\almsrvx.exe [2009-3-25 770110]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-7 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-7 169632]
R2 s7oiehsx;SIMATIC IEPG Help Service;c:\program files\common files\siemens\s7iepg\s7oiehsx.exe [2009-3-25 208968]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-3-17 1799408]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-6-27 101936]
R3 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090718.003\naveng.sys [2009-7-19 87888]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090718.003\navex15.sys [2009-7-19 875728]
R3 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
S0 lkclmltm;lkclmltm;c:\windows\system32\drivers\bgigdz.sys --> c:\windows\system32\drivers\bgigdz.sys [?]
S2 MICOMPar;MICOMPar;c:\windows\system32\drivers\micompar.sys [2008-1-3 13488]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2009-7-2 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-7-2 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2009-7-2 42112]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-7-3 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-7-3 8320]
S4 s7asysvx;S7 Global Services;c:\siemens\digsi4\manager\s7bin\s7asysvx.exe [2009-3-25 69685]
S4 S7TraceServiceX;S7TraceServiceX;c:\program files\common files\siemens\automation\traceengine\bin\S7TraceServiceX.exe [2009-3-25 163840]
S4 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-3-17 115952]

=============== Created Last 30 ================

2009-07-13 13:57 73,728 a------- c:\windows\system32\javacpl.cpl
2009-07-09 18:57 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-09 18:51 <DIR> a-dshr-- C:\cmdcons
2009-07-09 18:44 161,792 a------- c:\windows\SWREG.exe
2009-07-09 18:44 155,136 a------- c:\windows\PEV.exe
2009-07-09 18:44 98,816 a------- c:\windows\sed.exe
2009-07-09 18:30 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-09 18:30 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-09 18:30 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-08 20:30 <DIR> --d----- c:\program files\Nitro PDF
2009-07-03 08:15 0 a---h--- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2009-07-03 08:12 0 a---h--- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-07-03 08:05 <DIR> --d----- c:\program files\common files\PCSuite
2009-07-03 08:05 18,816 a------- c:\windows\system32\drivers\pccsmcfd.sys
2009-07-03 08:05 <DIR> --d----- c:\program files\PC Connectivity Solution
2009-07-03 08:04 8,320 a------- c:\windows\system32\drivers\nmwcdnsuc.sys
2009-07-03 08:04 136,704 a------- c:\windows\system32\drivers\nmwcdnsu.sys
2009-07-03 08:04 7,808 a------- c:\windows\system32\drivers\usbser_lowerfltj.sys
2009-07-03 08:04 7,808 a------- c:\windows\system32\drivers\usbser_lowerflt.sys
2009-07-03 08:04 22,016 a------- c:\windows\system32\drivers\ccdcmbo.sys
2009-07-03 08:04 1,112,288 a------- c:\windows\system32\wdfcoinstaller01007.dll
2009-07-03 08:04 659,968 a------- c:\windows\system32\nmwcdcocls.dll
2009-07-03 08:04 17,664 a------- c:\windows\system32\drivers\ccdcmb.sys
2009-07-02 20:18 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2009-07-02 20:18 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2009-07-02 20:17 18,688 a------- c:\windows\system32\drivers\motccgp.sys
2009-07-02 20:17 8,320 a------- c:\windows\system32\drivers\motccgpfl.sys
2009-07-02 20:17 6,400 a------- c:\windows\system32\drivers\motswch.sys
2009-07-02 20:17 42,112 a------- c:\windows\system32\drivers\motodrv.sys
2009-07-02 20:16 <DIR> --d----- c:\program files\Motorola
2009-06-30 21:16 0 a------- C:\BOOT.DAT
2009-06-30 21:15 0 a------- c:\documents and settings\ho nyuk shiong\BOOT.DAT
2009-06-29 07:29 <DIR> --d----- C:\SIECBT
2009-06-27 11:01 410,984 a------- c:\windows\system32\deploytk.dll

==================== Find3M ====================

2009-06-16 22:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 22:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-09 18:35 21,275 a------- c:\windows\system32\drivers\AegisP.sys
2009-06-04 03:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-13 13:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-11 12:47 1,302,600 a------- c:\windows\system32\WUDFUpdate_01007.dll
2009-05-07 23:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-01 14:00 92,064 a------- c:\documents and settings\ho nyuk shiong\mqdmmdm.sys
2009-05-01 14:00 79,328 a------- c:\documents and settings\ho nyuk shiong\mqdmserd.sys
2009-05-01 14:00 66,656 a------- c:\documents and settings\ho nyuk shiong\mqdmbus.sys
2009-05-01 14:00 25,600 a------- c:\documents and settings\ho nyuk shiong\usbsermptxp.sys
2009-05-01 14:00 22,768 a------- c:\documents and settings\ho nyuk shiong\usbsermpt.sys
2009-05-01 14:00 9,232 a------- c:\documents and settings\ho nyuk shiong\mqdmmdfl.sys
2009-05-01 14:00 6,208 a------- c:\documents and settings\ho nyuk shiong\mqdmcmnt.sys
2009-05-01 14:00 5,936 a------- c:\documents and settings\ho nyuk shiong\mqdmwhnt.sys
2009-05-01 14:00 4,048 a------- c:\documents and settings\ho nyuk shiong\mqdmcr.sys
2009-04-24 10:55 176,235 a------- c:\windows\system32\Primomonnt.dll
2008-08-26 20:21 2,788,800 a------- c:\program files\FLV PlayerFCSetup.exe

============= FINISH: 7:30:02.57 ===============


#10 screen317

  • Malware Response Team
  • 236 posts
  • Gender:Male
  • Location:Los Angeles
  • Local time:04:52 PM

Posted 22 July 2009 - 06:14 PM

madcow1,

Please try to be more prompt with your replies. In the time spent away, your version of ComboFix expired and didn't do what I wanted it to do.


I'm glad you aren't experiencing any symptoms on this computer, but this script needs to go through soon.


Please delete your copy of ComboFix.

Next, please download the latest version of ComboFix, save it to your Desktop, but do not run it yet.


Next, please open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into Notepad:

Driver::
lkclmltm
File::
c:\windows\system32\drivers\bgigdz.sys
Regnull::
[HKEY_USERS\S-1-5-21-842925246-1004336348-682003330-1003\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Excel\Settings\E*x*p*o*r*t* *p*a*r*a*m*e*t*e*r*s* *t*o*& ]


Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.


-screen317

#11 madcow1

  • Topic Starter
  • Members
  • 10 posts
  • Local time:08:52 AM

Posted 08 August 2009 - 01:57 AM

Dear Screen317,

Terribly sorry for the late reply, as the telco fixed-line network caught fire and was down in my area. The network was restored yesterday, and the following are the COMBOFIX and DDS logs:

ComboFix 09-08-07.09 - Ho Nyuk Shiong 08-Aug-09 14:27.4.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.915 [GMT 8:00]
Running from: c:\documents and settings\Ho Nyuk Shiong\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ho Nyuk Shiong\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::
"c:\windows\system32\drivers\bgigdz.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_lkclmltm


((((((((((((((((((((((((( Files Created from 2009-07-08 to 2009-08-08 )))))))))))))))))))))))))))))))
.

2009-08-07 13:29 . 2009-08-07 13:29 152576 ----a-w- c:\documents and settings\Ho Nyuk Shiong\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-04 08:50 . 2009-08-04 08:50 -------- d-sh--w- c:\windows\ftpcache
2009-08-04 08:14 . 2009-06-29 20:11 875728 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e0605.vdb\NAVEX15.SYS
2009-08-04 08:14 . 2009-06-29 20:11 87888 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e0605.vdb\NAVENG.SYS
2009-08-04 08:14 . 2009-02-12 23:03 1181040 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e0605.vdb\NAVEX32A.DLL
2009-08-04 08:14 . 2009-02-12 23:03 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e0605.vdb\NAVENG32.DLL
2009-08-04 08:14 . 2009-08-03 08:00 259368 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e0605.vdb\ECMSVR32.DLL
2009-08-04 08:14 . 2009-02-18 19:41 2414128 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e0605.vdb\CCERASER.DLL
2009-08-04 08:14 . 2009-02-06 19:26 101936 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e0605.vdb\ERASER.SYS
2009-08-04 08:14 . 2009-02-06 19:26 371248 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e0605.vdb\EECTRL.SYS
2009-08-04 02:19 . 2009-08-04 02:19 -------- d-----w- C:\My Lockbox
2009-07-29 08:45 . 2009-07-29 08:45 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-27 03:27 . 2009-07-27 03:27 -------- d-----w- c:\windows\system32\NtmsData
2009-07-10 13:40 . 2009-07-10 13:40 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-07-10 13:29 . 2009-07-10 13:29 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2009-07-10 13:29 . 2009-07-10 13:29 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2009-07-09 10:30 . 2009-07-13 05:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-09 10:30 . 2009-07-13 05:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-09 10:30 . 2009-07-29 08:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-08 06:36 . 2008-07-21 03:03 -------- d-----w- c:\program files\Symantec AntiVirus
2009-08-07 13:32 . 2008-07-19 10:06 -------- d-----w- c:\program files\Java
2009-08-07 12:32 . 2008-07-19 07:10 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-08-04 02:19 . 2008-07-23 00:23 -------- d-----w- c:\program files\My Lockbox
2009-08-01 06:15 . 2009-07-07 11:26 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-27 10:53 . 2009-01-11 13:49 -------- d-----w- c:\program files\lx_cats
2009-07-25 11:25 . 2009-07-25 11:25 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01007.Wdf
2009-07-25 11:25 . 2009-07-25 11:25 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgp_01007.Wdf
2009-07-25 11:24 . 2009-05-01 06:01 -------- d-----w- c:\program files\Common Files\Motorola Shared
2009-07-25 11:24 . 2009-07-02 12:16 -------- d-----w- c:\program files\Motorola
2009-07-24 21:23 . 2009-06-27 03:01 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-14 00:49 . 2009-06-12 09:52 -------- d-----w- c:\documents and settings\Ho Nyuk Shiong\Application Data\SUPERAntiSpyware.com
2009-07-14 00:49 . 2008-07-21 06:35 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-14 00:49 . 2009-06-12 09:52 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-08 12:30 . 2009-07-08 12:30 -------- d-----w- c:\program files\Nitro PDF
2009-07-06 23:40 . 2009-07-06 23:40 -------- d-----w- c:\documents and settings\Ho Nyuk Shiong\Application Data\Apple Computer
2009-07-06 23:34 . 2009-07-06 23:34 -------- d-----w- c:\program files\QuickTime
2009-07-06 23:34 . 2009-07-06 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-07-06 23:34 . 2009-07-06 23:34 -------- d-----w- c:\program files\Apple Software Update
2009-07-06 23:34 . 2009-07-06 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-07-03 17:09 . 2006-02-28 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-03 00:15 . 2009-07-03 00:15 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2009-07-03 00:12 . 2009-07-03 00:12 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-07-03 00:05 . 2009-07-03 00:05 -------- d-----w- c:\program files\Common Files\PCSuite
2009-07-03 00:05 . 2009-01-23 10:31 -------- d-----w- c:\program files\Common Files\Nokia
2009-07-03 00:05 . 2009-01-22 14:54 -------- d-----w- c:\program files\Nokia
2009-07-03 00:05 . 2009-07-03 00:05 -------- d-----w- c:\program files\PC Connectivity Solution
2009-06-19 08:59 . 2009-07-02 12:17 19712 ----a-w- c:\windows\system32\drivers\motccgp.sys
2009-06-16 14:36 . 2006-02-28 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2006-02-28 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 12:28 . 2008-11-07 02:53 -------- d-----w- c:\program files\AREVA T&D
2009-06-13 10:18 . 2008-07-19 13:19 -------- d-----w- c:\program files\Foxit Software
2009-06-12 07:46 . 2009-01-11 13:44 -------- d-----w- c:\program files\Lexmark Toolbar
2009-06-09 10:35 . 2009-06-09 10:35 21275 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-06-09 10:35 . 2009-06-09 10:35 -------- d-----w- c:\program files\Atheros
2009-06-07 04:09 . 2009-06-07 04:09 3351812 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\Installer\CommonCustomActions\msxml6Exec.exe
2009-06-07 04:09 . 2009-06-07 04:09 36864 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\Installer\CommonCustomActions\Sleep.exe
2009-06-07 04:09 . 2009-06-07 04:09 3181612 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\Installer\CommonCustomActions\vcredistExec.exe
2009-06-07 04:09 . 2009-06-07 04:09 24376008 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\NokiaSoftwareUpdaterSetup_1.6.13EN.exe
2009-06-03 19:09 . 2006-02-28 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-11 04:47 . 2009-05-11 04:47 1302600 ----a-w- c:\windows\system32\WUDFUpdate_01007.dll
2008-08-26 12:21 . 2008-08-26 12:18 2788800 ----a-w- c:\program files\FLV PlayerFCSetup.exe
2007-10-09 05:35 . 2009-03-24 23:11 155648 ----a-w- c:\program files\internet explorer\plugins\CFCPlugInBase.dll
2007-10-09 05:34 . 2009-03-24 23:11 270336 ----a-w- c:\program files\internet explorer\plugins\SigraPlugInBase.dll
2007-10-09 05:33 . 2009-03-24 23:11 192512 ----a-w- c:\program files\internet explorer\plugins\TAGrid07.dll
2007-05-09 07:33 . 2009-03-24 23:11 147456 ----a-w- c:\program files\internet explorer\plugins\TransientRecordingManager01.dll
2006-03-15 05:42 . 2009-03-24 23:11 94208 ----a-w- c:\program files\internet explorer\plugins\unzdll.dll
2007-10-09 05:34 . 2009-03-24 23:11 270336 ----a-w- c:\program files\mozilla firefox\plugins\SigraPlugInBase.dll
2007-10-09 05:33 . 2009-03-24 23:11 192512 ----a-w- c:\program files\mozilla firefox\plugins\TAGrid07.dll
2007-05-09 07:33 . 2009-03-24 23:11 147456 ----a-w- c:\program files\mozilla firefox\plugins\TransientRecordingManager01.dll
2006-03-15 05:42 . 2009-03-24 23:11 94208 ----a-w- c:\program files\mozilla firefox\plugins\unzdll.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-09_10.56.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-11 11:41 . 2009-07-11 11:41 97280 c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.dll
+ 2009-08-08 06:35 . 2009-08-08 06:35 16384 c:\windows\Temp\Perflib_Perfdata_648.dat
- 2006-02-28 12:00 . 2009-07-07 23:40 71404 c:\windows\system32\perfc009.dat
+ 2006-02-28 12:00 . 2009-07-27 06:35 71404 c:\windows\system32\perfc009.dat
- 2007-08-13 10:54 . 2009-03-07 20:31 55296 c:\windows\system32\msfeedsbs.dll
+ 2007-08-13 10:54 . 2009-07-03 17:09 55296 c:\windows\system32\msfeedsbs.dll
- 2006-02-28 12:00 . 2009-04-30 21:22 25600 c:\windows\system32\jsproxy.dll
+ 2006-02-28 12:00 . 2009-07-03 17:09 25600 c:\windows\system32\jsproxy.dll
+ 2009-07-25 11:25 . 2009-01-29 09:15 23680 c:\windows\system32\DRVSTORE\motport_13D3D5DC43EEE2854D06F3DE03A16782B44499DD\motport.sys
+ 2009-07-25 11:25 . 2009-01-29 08:42 23296 c:\windows\system32\DRVSTORE\motousbnet_C747F81EC036F7CC39DC73BC09B6BDEB36EA40EC\Motousbnet.sys
+ 2009-07-25 11:25 . 2009-05-08 03:56 42752 c:\windows\system32\DRVSTORE\motodrv_989F8AB3F0FB5FD805F730766660F315531116DF\motodrv.sys
+ 2009-07-25 11:25 . 2009-01-29 09:15 23680 c:\windows\system32\DRVSTORE\motmodem_296B472DCD0F817CC80C723B86EEF842F9F0DD28\motmodem.sys
+ 2009-07-25 11:25 . 2009-06-19 08:59 19712 c:\windows\system32\DRVSTORE\motccgp_2B0E40CD867DD282CA1027F9A569698F0546883A\motccgp.sys
+ 2009-07-02 12:17 . 2009-05-08 03:56 42752 c:\windows\system32\drivers\motodrv.sys
+ 2009-06-12 09:03 . 2009-07-03 17:09 12800 c:\windows\system32\dllcache\xpshims.dll
- 2009-06-12 09:03 . 2009-04-30 21:22 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2008-07-20 00:58 . 2009-07-03 17:09 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2008-07-20 00:58 . 2009-03-07 20:31 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2006-02-28 12:00 . 2009-04-30 21:22 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2006-02-28 12:00 . 2009-07-03 17:09 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2009-06-16 14:36 . 2009-06-16 14:36 81920 c:\windows\system32\dllcache\fontsub.dll
- 2008-07-23 10:26 . 2009-06-12 09:55 23040 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-07-23 10:26 . 2009-07-18 14:20 23040 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-07-23 10:26 . 2009-06-12 09:55 61440 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-07-23 10:26 . 2009-07-18 14:20 61440 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2008-07-23 10:26 . 2009-06-12 09:55 27136 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-07-23 10:26 . 2009-07-18 14:20 27136 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-07-23 10:26 . 2009-06-12 09:55 11264 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-07-23 10:26 . 2009-07-18 14:20 11264 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-07-23 10:26 . 2009-06-12 09:55 12288 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-07-23 10:26 . 2009-07-18 14:20 12288 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2009-07-25 11:24 . 2009-07-25 11:24 22486 c:\windows\Installer\{411F092D-9873-44EB-A886-8A140AA8F31A}\_A2553D7E764A549EEF547E.exe
+ 2009-07-25 11:24 . 2009-07-25 11:24 22486 c:\windows\Installer\{411F092D-9873-44EB-A886-8A140AA8F31A}\_6FEFF9B68218417F98F549.exe
+ 2009-07-25 11:24 . 2009-07-25 11:24 21462 c:\windows\Installer\{411F092D-9873-44EB-A886-8A140AA8F31A}\_5F50FFC72A3372C6428685.exe
+ 2009-07-25 11:24 . 2009-07-25 11:24 22486 c:\windows\Installer\{411F092D-9873-44EB-A886-8A140AA8F31A}\_380B380747675BB8919EA0.exe
+ 2009-07-29 14:04 . 2009-04-30 21:22 12800 c:\windows\ie8updates\KB972260-IE8\xpshims.dll
+ 2009-07-29 14:04 . 2009-03-07 20:31 55296 c:\windows\ie8updates\KB972260-IE8\msfeedsbs.dll
+ 2009-07-29 14:04 . 2009-04-30 21:22 25600 c:\windows\ie8updates\KB972260-IE8\jsproxy.dll
+ 2009-07-25 11:25 . 2009-05-06 11:16 6656 c:\windows\system32\DRVSTORE\motusbdevi_3E0A5922E68751FB5ECB83154D92385876042AA4\motusbdevice.sys
+ 2009-07-25 11:25 . 2007-11-02 07:51 6400 c:\windows\system32\DRVSTORE\motousbnet_C747F81EC036F7CC39DC73BC09B6BDEB36EA40EC\motswch.sys
+ 2009-07-25 11:25 . 2009-01-29 09:11 6016 c:\windows\system32\DRVSTORE\motousbnet_C747F81EC036F7CC39DC73BC09B6BDEB36EA40EC\motfilt.sys
+ 2009-07-25 11:25 . 2006-07-28 13:10 6144 c:\windows\system32\DRVSTORE\motodrv_989F8AB3F0FB5FD805F730766660F315531116DF\mot_ci.dll
+ 2009-07-25 11:25 . 2007-11-02 07:51 6400 c:\windows\system32\DRVSTORE\motccgp_2B0E40CD867DD282CA1027F9A569698F0546883A\motswch.sys
+ 2009-07-25 11:25 . 2009-01-29 09:18 8320 c:\windows\system32\DRVSTORE\motccgp_2B0E40CD867DD282CA1027F9A569698F0546883A\motccgpfl.sys
- 2009-07-02 12:17 . 2008-08-21 10:49 8320 c:\windows\system32\drivers\motccgpfl.sys
+ 2009-07-02 12:17 . 2009-01-29 09:18 8320 c:\windows\system32\drivers\motccgpfl.sys
+ 2008-07-23 10:26 . 2009-07-18 14:20 4096 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-07-23 10:26 . 2009-06-12 09:55 4096 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2009-08-08 06:33 . 2009-08-08 06:33 8192 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
+ 2009-08-08 06:33 . 2009-08-08 06:33 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
- 2006-02-28 12:00 . 2009-07-07 23:40 441252 c:\windows\system32\perfh009.dat
+ 2006-02-28 12:00 . 2009-07-27 06:35 441252 c:\windows\system32\perfh009.dat
+ 2006-02-28 12:00 . 2009-07-03 17:09 206848 c:\windows\system32\occache.dll
+ 2007-08-13 10:54 . 2009-07-03 17:09 594432 c:\windows\system32\msfeeds.dll
- 2007-08-13 10:54 . 2009-03-07 20:32 594432 c:\windows\system32\msfeeds.dll
+ 2009-08-07 13:32 . 2009-07-24 21:23 149280 c:\windows\system32\javaws.exe
+ 2009-08-07 13:32 . 2009-07-24 21:23 145184 c:\windows\system32\javaw.exe
+ 2009-08-07 13:32 . 2009-07-24 21:23 145184 c:\windows\system32\java.exe
+ 2006-02-28 12:00 . 2009-07-03 17:09 184320 c:\windows\system32\iepeers.dll
+ 2006-02-28 12:00 . 2009-07-03 17:09 386048 c:\windows\system32\iedkcs32.dll
+ 2006-02-28 12:00 . 2009-07-03 11:01 173056 c:\windows\system32\ie4uinit.exe
- 2006-02-28 12:00 . 2009-04-30 11:21 173056 c:\windows\system32\ie4uinit.exe
+ 2009-07-25 11:25 . 2009-03-02 14:00 103552 c:\windows\system32\DRVSTORE\Moser_D7089C7835F0E7ECEC244A670740F4C8336E0FA1\Mousbser.sys
+ 2009-07-25 11:25 . 2009-03-02 14:00 103552 c:\windows\system32\DRVSTORE\Momdm_D7089C7835F0E7ECEC244A670740F4C8336E0FA1\Mousbser.sys
- 2006-02-28 12:00 . 2009-05-13 05:15 915456 c:\windows\system32\dllcache\wininet.dll
+ 2006-02-28 12:00 . 2009-07-03 17:09 915456 c:\windows\system32\dllcache\wininet.dll
+ 2009-06-16 14:36 . 2009-06-16 14:36 119808 c:\windows\system32\dllcache\t2embed.dll
+ 2006-02-28 12:00 . 2009-07-03 17:09 206848 c:\windows\system32\dllcache\occache.dll
- 2008-07-20 00:58 . 2009-03-07 20:32 594432 c:\windows\system32\dllcache\msfeeds.dll
+ 2008-07-20 00:58 . 2009-07-03 17:09 594432 c:\windows\system32\dllcache\msfeeds.dll
- 2009-06-12 09:03 . 2009-04-30 21:22 246272 c:\windows\system32\dllcache\ieproxy.dll
+ 2009-06-12 09:03 . 2009-07-03 17:09 246272 c:\windows\system32\dllcache\ieproxy.dll
+ 2006-02-28 12:00 . 2009-07-03 17:09 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2006-02-28 12:00 . 2009-07-03 17:09 386048 c:\windows\system32\dllcache\iedkcs32.dll
- 2006-02-28 12:00 . 2009-04-30 11:21 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2006-02-28 12:00 . 2009-07-03 11:01 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2009-07-29 14:04 . 2009-07-29 14:04 248832 c:\windows\Installer\6e7d9a.msi
+ 2008-07-23 10:26 . 2009-07-18 14:20 409600 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2008-07-23 10:26 . 2009-06-12 09:55 409600 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-07-23 10:26 . 2009-07-18 14:20 286720 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-07-23 10:26 . 2009-06-12 09:55 286720 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-07-23 10:26 . 2009-06-12 09:55 249856 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-07-23 10:26 . 2009-07-18 14:20 249856 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-07-23 10:26 . 2009-06-12 09:55 794624 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-07-23 10:26 . 2009-07-18 14:20 794624 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-07-23 10:26 . 2009-07-18 14:20 135168 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-07-23 10:26 . 2009-06-12 09:55 135168 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2009-01-18 08:05 . 2009-01-18 08:05 675840 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0100000010\9.1.0\JP2KLib.dll
+ 2009-07-29 14:04 . 2009-05-13 05:15 915456 c:\windows\ie8updates\KB972260-IE8\wininet.dll
+ 2009-07-29 14:05 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB972260-IE8\spuninst\updspapi.dll
+ 2009-07-29 14:05 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB972260-IE8\spuninst\spuninst.exe
+ 2009-07-29 14:04 . 2009-03-07 20:34 109568 c:\windows\ie8updates\KB972260-IE8\occache.dll
+ 2009-07-29 14:04 . 2009-03-07 20:32 594432 c:\windows\ie8updates\KB972260-IE8\msfeeds.dll
+ 2009-07-29 14:04 . 2009-04-30 21:22 246272 c:\windows\ie8updates\KB972260-IE8\ieproxy.dll
+ 2009-07-29 14:04 . 2009-03-07 20:31 183808 c:\windows\ie8updates\KB972260-IE8\iepeers.dll
+ 2009-07-29 14:04 . 2009-04-30 21:22 385536 c:\windows\ie8updates\KB972260-IE8\iedkcs32.dll
+ 2009-07-29 14:04 . 2009-04-30 11:21 173056 c:\windows\ie8updates\KB972260-IE8\ie4uinit.exe
+ 2009-08-08 06:33 . 2009-08-08 06:33 446464 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
+ 2009-08-08 06:33 . 2009-08-08 06:33 241664 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
+ 2009-08-08 06:33 . 2009-08-08 06:33 237568 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2006-02-28 12:00 . 2009-07-03 17:09 1208832 c:\windows\system32\urlmon.dll
+ 2006-02-28 12:00 . 2009-07-19 13:18 5937152 c:\windows\system32\mshtml.dll
+ 2007-08-13 10:34 . 2009-07-03 17:09 1985536 c:\windows\system32\iertutil.dll
+ 2009-07-25 11:25 . 2008-03-27 09:49 1112288 c:\windows\system32\DRVSTORE\motusbdevi_3E0A5922E68751FB5ECB83154D92385876042AA4\wdfcoinstaller01007.dll
+ 2009-07-25 11:25 . 2008-03-27 09:49 1112288 c:\windows\system32\DRVSTORE\motport_13D3D5DC43EEE2854D06F3DE03A16782B44499DD\wdfcoinstaller01007.dll
+ 2009-07-25 11:25 . 2008-03-27 09:49 1112288 c:\windows\system32\DRVSTORE\motousbnet_C747F81EC036F7CC39DC73BC09B6BDEB36EA40EC\wdfcoinstaller01007.dll
+ 2009-07-25 11:25 . 2008-03-27 09:49 1112288 c:\windows\system32\DRVSTORE\motmodem_296B472DCD0F817CC80C723B86EEF842F9F0DD28\wdfcoinstaller01007.dll
+ 2009-07-25 11:25 . 2008-03-27 09:49 1112288 c:\windows\system32\DRVSTORE\motccgp_2B0E40CD867DD282CA1027F9A569698F0546883A\wdfcoinstaller01007.dll
+ 2006-02-28 12:00 . 2009-07-03 17:09 1208832 c:\windows\system32\dllcache\urlmon.dll
+ 2008-05-07 05:12 . 2009-06-03 19:09 1291264 c:\windows\system32\dllcache\quartz.dll
+ 2006-02-28 12:00 . 2009-07-19 13:18 5937152 c:\windows\system32\dllcache\mshtml.dll
+ 2008-07-20 00:58 . 2009-07-03 17:09 1985536 c:\windows\system32\dllcache\iertutil.dll
+ 2009-07-25 11:24 . 2009-07-25 11:24 3087360 c:\windows\Installer\f1ce8.msi
+ 2009-07-13 05:56 . 2009-07-13 05:56 1563648 c:\windows\Installer\5bf2a.msi
+ 2009-07-24 08:51 . 2009-07-24 08:51 6653952 c:\windows\Installer\184d884.msp
+ 2009-06-30 03:30 . 2009-06-30 03:30 5520384 c:\windows\Installer\153062.msp
+ 2008-12-18 08:48 . 2008-12-18 08:48 3645440 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0100000010\9.1.0\authplay.dll
+ 2009-07-29 14:04 . 2009-04-30 21:22 1207808 c:\windows\ie8updates\KB972260-IE8\urlmon.dll
+ 2009-07-29 14:04 . 2009-05-13 05:15 5936128 c:\windows\ie8updates\KB972260-IE8\mshtml.dll
+ 2009-07-29 14:04 . 2009-04-30 21:22 1985024 c:\windows\ie8updates\KB972260-IE8\iertutil.dll
+ 2009-08-08 06:33 . 2009-08-08 06:33 7761920 c:\windows\ERDNT\subs\Users\00000005\NTUSER.DAT
+ 2008-07-19 09:22 . 2009-07-07 15:10 24539592 c:\windows\system32\MRT.exe
+ 2007-08-13 10:54 . 2009-07-19 10:48 11067392 c:\windows\system32\ieframe.dll
+ 2008-07-20 00:58 . 2009-07-19 10:48 11067392 c:\windows\system32\dllcache\ieframe.dll
+ 2009-07-31 10:48 . 2009-07-31 10:48 15705600 c:\windows\Installer\35f830.msp
+ 2009-07-22 11:17 . 2009-07-22 11:17 15706112 c:\windows\Installer\264f46.msp
+ 2009-02-27 08:37 . 2009-02-27 08:37 20403568 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0100000010\9.1.0\AcroRd32.dll
+ 2009-07-29 14:04 . 2009-04-30 21:22 11064832 c:\windows\ie8updates\KB972260-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 94208]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-25 1414144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-16 124656]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-16 794713]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"LXCYCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2005-12-01 65536]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"ACU"="c:\program files\Atheros\ACU.exe" [2006-03-25 335961]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"mumservice"="c:\program files\Motorola\Software Update\mumservice.exe" [2009-07-15 996608]
"mylbx"="c:\program files\My Lockbox\mylbx.exe" [2009-03-04 1074352]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-24 149280]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-12-06 88363]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SavRoam"=2 (0x2)
"fsproflt"=2 (0x2)
"idsvc"=2 (0x2)
"IDriverT"=3 (0x3)
"ose"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"ServiceLayer"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\AREVA T&D\\MiCOM S1 Studio\\Studio\\Studio.exe"=
"c:\\Program Files\\Motorola\\Software Update\\msu.exe"=

R0 FSProFilter;FSPro File Filter;c:\windows\system32\drivers\FSPFltd.sys [16-Apr-09 8:50 PM 43792]
R2 almservice;Automation License Manager Service;c:\program files\Common Files\SIEMENS\sws\almsrv\almsrvx.exe [25-Mar-09 7:10 AM 770110]
R2 fsproflt;FSPro Filter Service;c:\windows\system32\fsproflt.exe [16-Apr-09 8:50 PM 73344]
R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [25-Jul-09 7:24 PM 91392]
R2 s7oiehsx;SIMATIC IEPG Help Service;c:\program files\Common Files\SIEMENS\S7IEPG\s7oiehsx.exe [25-Mar-09 7:09 AM 208968]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [27-Jun-09 8:37 AM 101936]
R3 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S2 MICOMPar;MICOMPar;c:\windows\system32\drivers\micompar.sys [03-Jan-08 11:53 AM 13488]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [02-Jul-09 8:17 PM 19712]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [02-Jul-09 8:17 PM 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [02-Jul-09 8:17 PM 42752]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [03-Jul-09 8:04 AM 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [03-Jul-09 8:04 AM 8320]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [17-Mar-06 6:34 AM 115952]
S4 s7asysvx;S7 Global Services;c:\siemens\Digsi4\Manager\S7bin\s7asysvx.exe [25-Mar-09 7:09 AM 69685]
S4 S7TraceServiceX;S7TraceServiceX;c:\program files\Common Files\SIEMENS\Automation\TraceEngine\bin\S7TraceServiceX.exe [25-Mar-09 7:09 AM 163840]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]

2009-07-23 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 09:04]

2009-08-08 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 09:04]

2009-08-08 c:\windows\Tasks\User_Feed_Synchronization-{AE4E4ED5-FE4A-45D5-BD51-DE4E4907BAE3}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://intra.sesb.com.my/
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://mys.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://malaysia.search.yahoo.com/search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {79C44ADF-8C8E-4608-BC03-9B8E1DA3DFA6} = 202.188.0.133 202.188.1.5
FF - ProfilePath - c:\documents and settings\Ho Nyuk Shiong\Application Data\Mozilla\Firefox\Profiles\4r7wvdat.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - component: c:\documents and settings\Ho Nyuk Shiong\Application Data\Mozilla\Firefox\Profiles\4r7wvdat.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFAlert.dll
FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSigra.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-08 14:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCYCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-842925246-1004336348-682003330-1003\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Excel\Settings\E*x*p*o*r*t* *p*a*r*a*m*e*t*e*r*s* *t*o*& \File Name MRU]
"Value"=multi:"\00\00"
"Maximum Entries"=dword:0000000a

[HKEY_USERS\S-1-5-21-842925246-1004336348-682003330-1003\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Excel\Settings\E*x*p*o*r*t* *p*a*r*a*m*e*t*e*r*s* *t*o*& \View]
"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3816)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\windows\system32\acs.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\locator.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Motorola\MotoConnectService\MotoConnect.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\windows\system32\lxcycoms.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
.
**************************************************************************
.
Completion time: 2009-08-08 14:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-08 06:42
ComboFix2.txt 2009-07-19 23:27
ComboFix3.txt 2009-07-12 10:39
ComboFix4.txt 2009-07-09 10:59

Pre-Run: 15,334,555,648 bytes free
Post-Run: 15,225,638,912 bytes free

379 --- E O F --- 2009-07-31 10:48

++++++++++++++++++++++++++++++++++


DDS (Ver_09-06-26.01) - NTFSx86
Run by Ho Nyuk Shiong at 14:44:22.65 on 08-Aug-09
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.876 [GMT 8:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
svchost.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\fsproflt.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
C:\Program Files\Common Files\SIEMENS\S7IEPG\s7oiehsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\SIEMENS\sws\almsrv\almsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Atheros\ACU.exe
C:\Program Files\My Lockbox\mylbx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\WINDOWS\explorer.exe
D:\Downloads\HJT Tools\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://intra.sesb.com.my/
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://mys.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://malaysia.search.yahoo.com/search
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
uRunOnce: [<NO NAME>]
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [LXCYCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCYtime.dll,_RunDLLEntry@16
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ACU] "c:\program files\atheros\ACU.exe" -nogui
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [mumservice] c:\program files\motorola\software update\mumservice.exe
mRun: [mylbx] c:\program files\my lockbox\mylbx.exe /a
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [<NO NAME>]
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [<NO NAME>]
mExplorerRun: [<NO NAME>] 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1216458990328
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
TCP: {79C44ADF-8C8E-4608-BC03-9B8E1DA3DFA6} = 202.188.0.133 202.188.1.5
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\honyuk~1\applic~1\mozilla\firefox\profiles\4r7wvdat.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - component: c:\documents and settings\ho nyuk shiong\application data\mozilla\firefox\profiles\4r7wvdat.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFAlert.dll
FF - component: c:\program files\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPSigra.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 FSProFilter;FSPro File Filter;c:\windows\system32\drivers\FSPFltd.sys [2009-4-16 43792]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 almservice;Automation License Manager Service;c:\program files\common files\siemens\sws\almsrv\almsrvx.exe [2009-3-25 770110]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-7 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-7 169632]
R2 fsproflt;FSPro Filter Service;c:\windows\system32\fsproflt.exe [2009-4-16 73344]
R2 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2009-7-25 91392]
R2 s7oiehsx;SIMATIC IEPG Help Service;c:\program files\common files\siemens\s7iepg\s7oiehsx.exe [2009-3-25 208968]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-3-17 1799408]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-6-27 101936]
R3 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090807.007\naveng.sys [2009-8-8 87888]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090807.007\navex15.sys [2009-8-8 875728]
R3 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
S2 MICOMPar;MICOMPar;c:\windows\system32\drivers\micompar.sys [2008-1-3 13488]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2009-7-2 19712]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-7-2 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2009-7-2 42752]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-7-3 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-7-3 8320]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-3-17 115952]
S4 s7asysvx;S7 Global Services;c:\siemens\digsi4\manager\s7bin\s7asysvx.exe [2009-3-25 69685]
S4 S7TraceServiceX;S7TraceServiceX;c:\program files\common files\siemens\automation\traceengine\bin\S7TraceServiceX.exe [2009-3-25 163840]

=============== Created Last 30 ================

2009-08-04 16:50 <DIR> --dsh--- c:\windows\ftpcache
2009-08-04 10:19 <DIR> --d----- C:\My Lockbox
2009-07-27 11:27 <DIR> --d----- c:\windows\system32\NtmsData
2009-07-25 19:25 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01007.Wdf
2009-07-25 19:25 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motccgp_01007.Wdf
2009-07-13 13:57 73,728 a------- c:\windows\system32\javacpl.cpl
2009-07-09 18:57 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-09 18:51 <DIR> a-dshr-- C:\cmdcons
2009-07-09 18:44 216,064 a------- c:\windows\PEV.exe
2009-07-09 18:44 161,792 a------- c:\windows\SWREG.exe
2009-07-09 18:44 98,816 a------- c:\windows\sed.exe
2009-07-09 18:30 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-09 18:30 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-09 18:30 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-04 01:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 08:15 0 a---h--- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2009-07-03 08:12 0 a---h--- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-07-02 20:18 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2009-07-02 20:18 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2009-06-30 21:16 0 a------- C:\BOOT.DAT
2009-06-30 21:15 0 a------- c:\documents and settings\ho nyuk shiong\BOOT.DAT
2009-06-19 16:59 19,712 a------- c:\windows\system32\drivers\motccgp.sys
2009-06-16 22:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 22:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-09 18:35 21,275 a------- c:\windows\system32\drivers\AegisP.sys
2009-06-04 03:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-11 12:47 1,302,600 a------- c:\windows\system32\WUDFUpdate_01007.dll
2009-05-01 14:00 92,064 a------- c:\documents and settings\ho nyuk shiong\mqdmmdm.sys
2009-05-01 14:00 79,328 a------- c:\documents and settings\ho nyuk shiong\mqdmserd.sys
2009-05-01 14:00 66,656 a------- c:\documents and settings\ho nyuk shiong\mqdmbus.sys
2009-05-01 14:00 25,600 a------- c:\documents and settings\ho nyuk shiong\usbsermptxp.sys
2009-05-01 14:00 22,768 a------- c:\documents and settings\ho nyuk shiong\usbsermpt.sys
2009-05-01 14:00 9,232 a------- c:\documents and settings\ho nyuk shiong\mqdmmdfl.sys
2009-05-01 14:00 6,208 a------- c:\documents and settings\ho nyuk shiong\mqdmcmnt.sys
2009-05-01 14:00 5,936 a------- c:\documents and settings\ho nyuk shiong\mqdmwhnt.sys
2009-05-01 14:00 4,048 a------- c:\documents and settings\ho nyuk shiong\mqdmcr.sys
2008-08-26 20:21 2,788,800 a------- c:\program files\FLV PlayerFCSetup.exe

============= FINISH: 14:44:49.85 ===============


#12 screen317

screen317

  • Malware Response Team
  • 236 posts
  • OFFLINE
  • Gender:Male
  • Location:Los Angeles
  • Local time:04:52 PM

Posted 12 August 2009 - 03:15 PM

madcow1,

Sorry for the delay. Was out for a week and I should have mentioned it to you sooner...


Update MBAM, run a Quick Scan, and post its log.


Let me know how things are running now. Any recurring problems?

-screen317

#13 madcow1

madcow1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:52 AM

Posted 13 August 2009 - 06:35 AM

screen317,

The viruses didn't pop up anymore. Thank you.

Malwarebytes' Anti-Malware 1.40
Database version: 2615
Windows 5.1.2600 Service Pack 3

13/08/2009 19:29:34
mbam-log-2009-08-13 (19-29-33).txt

Scan type: Quick Scan
Objects scanned: 107692
Time elapsed: 6 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#14 screen317

screen317

  • Malware Response Team
  • 236 posts
  • OFFLINE
  • Gender:Male
  • Location:Los Angeles
  • Local time:04:52 PM

Posted 15 August 2009 - 04:21 AM

madcow1,



Navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u

This uninstalls all of ComboFix's components.


Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) It is vital that you have a firewall. The one that comes with Windows XP is not sufficient in that it only checks incoming data. I recommend selecting one of the following free firewalls. Be sure to only install one.

Kerio
Comodo
Outpost

2) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

3) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

4) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

5) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

6) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an addon available for both Firefox and IE.

7) Be sure to update your Antivirus and Antispyware programs often!


Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?




Safe surfing,

-screen317
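Step 3 above relies on Internet Explorer's security-zone mechanism: a domain assigned to the Restricted sites zone gets IE's most locked-down settings (scripting, ActiveX and downloads disabled). The PowerShell below is an added example, not code from this thread or from IE-Spyad, showing how that assignment is stored and how to check it. It uses the real `ZoneMap\Domains` registry location and the real zone number 4; the domain names are constructed placeholders, and the function names are my own.

```powershell
# Added example (not from the BleepingComputer thread or IE-Spyad).
# IE keeps per-user zone assignments under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains.
# A subkey per domain holding a DWORD value named "*" with data 4 puts every
# scheme (http, https, ...) of that domain into the Restricted sites zone.
# The domain names used below are constructed placeholders, not a real blocklist.

$ZoneMapDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$RestrictedZone = 4   # 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites

function Add-RestrictedSite {
    param([Parameter(Mandatory)][string]$Domain)
    # Create the per-domain key if it does not exist, then set "*" = 4 (all schemes).
    $key = Join-Path $ZoneMapDomains $Domain
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -LiteralPath $key -Name '*' -PropertyType DWord -Value $RestrictedZone -Force | Out-Null
}

function Test-RestrictedSite {
    param([Parameter(Mandatory)][string]$Domain)
    # True when the domain's "*" value maps it to the Restricted sites zone.
    # RegistryKey.GetValue is used instead of Get-ItemProperty -Name '*'
    # because '*' would be treated as a wildcard by -Name.
    $key = Join-Path $ZoneMapDomains $Domain
    if (-not (Test-Path -LiteralPath $key)) { return $false }
    $value = (Get-Item -LiteralPath $key).GetValue('*')
    return ($value -eq $RestrictedZone)
}

function Get-RestrictedSites {
    # Enumerate every domain currently assigned (all schemes) to the Restricted zone.
    Get-ChildItem -LiteralPath $ZoneMapDomains -ErrorAction SilentlyContinue |
        Where-Object { $_.GetValue('*') -eq $RestrictedZone } |
        ForEach-Object { $_.PSChildName }
}

# Constructed sample entries (placeholders under the reserved .invalid TLD):
'bad-example.invalid', 'another-bad-example.invalid' | ForEach-Object { Add-RestrictedSite $_ }

# Check that the assignment took effect, then list everything in the Restricted zone.
Test-RestrictedSite 'bad-example.invalid'
Get-RestrictedSites
```

Two caveats for anyone auditing a machine rather than adding entries: a zone assignment can also sit under the same path in HKLM, and when the `Security_HKLM_only` policy value is set under `HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings`, IE reads the machine-wide ZoneMap and ignores the per-user one, so a check that only looks at HKCU can report a domain as unrestricted when it is in fact restricted (or vice versa). Malware that tampers with these keys typically does the opposite of IE-Spyad, moving its own domains into the Trusted zone (2), so `Get-RestrictedSites` with the zone number changed to 2 is a useful quick look at what a compromised profile trusts.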

#15 madcow1

madcow1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:52 AM

Posted 21 August 2009 - 09:46 PM

Thank you!



