Windows Police Pro
#1
Posted 25 October 2009 - 11:06 AM
#2
Posted 25 October 2009 - 10:20 PM
- Absence of symptoms does not always mean the computer is clean
- Please do not run any scans or fixes without my direction.
- Finally, stay with this topic until I give you the final 'All clear' post.
I'll give you these instructions, hoping that you get that stroke of luck again and you get to your desktop. If not, let me know, and we'll go for something a little more complex to try and stop the malware from loading on boot.
1) exeHelper
Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
2) DDS
Please download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double-click dds.scr to run the tool.
- When done, DDS will open two (2) logs:
- DDS.txt
- Attach.txt
- Save both reports to your desktop.
3) RR
Please download RootRepeal.zip.
Save it to your Desktop. Alternate download links here or here.
Please print these instructions, you will not have an Internet connection!
If you have a 3rd party "unzipping" program...use it to open the zipped file...then skip to Step 5. Otherwise...
- Right click on RootRepeal.zip and select "Extract All"....
- Click Next on the "Welcome to the Compressed (zipped) Folders Extraction Wizard."
- Click on the Browse...button, then click on Desktop, then click OK.
- Once done, check (tick) the Show extracted files box and click Finish.
- Before running RootRepeal:
- Disconnect from the Internet as your system will be unprotected while using this tool.
- Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
- Open the RootRepeal folder and double-click on RootRepeal.exe to launch it.
- When the program opens, click the Report tab at the bottom, then click the Scan button.
- In the Select Scan dialog, which asks "What do you want to include in the scan?", check ALL the boxes.
- Click OK.
- In the Select Drives dialog ("Please select drives to scan:"), select all drives showing, then click OK.
The scan can take some time to finish. Do not use the computer while the scan is running.
When the scan has completed, a list of files will be generated in the RootRepeal window.
- Click on the Save Report button and save it as "rootrepeal.txt" to your desktop.
- Close and exit RootRepeal
- Double-click on the file rootrepeal.txt... Notepad will open... copy/paste the file contents in your next reply.
Make sure to enable your anti-virus, Firewall and any other security programs you disabled.
Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "safe mode".
4) What You Will Need To Post:
- exeHelper log
- DDS logs
- RR log
#3
Posted 26 October 2009 - 09:14 AM
Here's what I was able to do: I downloaded exeHelper to my flash drive from another computer (the one I'm using now) since my infected computer cannot get onto the internet reliably. I was able to save exeHelper to the desktop of my infected computer and run it. The txt file for this is posted below.
I saved DDS to my flash drive too and was also able to save it to the desktop of the infected computer. It ran; however, no txt files were generated. I tried multiple times and all I was able to get was the black screen for the DDS program... it just seemed to pause there. After 15 minutes, I gave up on it. So there are no txt files posted from DDS.
I then tried RootRepeal. Downloaded it to the flash drive and ran it from the infected computer. It ran; it seemed to have scanned for about 30 seconds, and then the RootRepeal screen disappeared and no txt files were generated.
exeHelper by Raktor
Build 20091021
Run at 10:29:22 on 10/26/09
Now searching...
Checking for numerical processes...
Deleting file C:\Documents and Settings\All Users\Application Data\26326423\26326423.exe
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\26326423
Checking for bad processes...
Checking for bad files...
Deleting file C:\WINDOWS\svchast.exe
Deleting file C:\WINDOWS\system32\AVR09.exe
Deleting file C:\WINDOWS\system32\~.exe
Deleting file C:\WINDOWS\system32\winupdate.exe
Deleting file C:\WINDOWS\system32\winhelper.dll
Deleting file C:\WINDOWS\system32\pump.exe
Deleting file C:\WINDOWS\system32\calc.dll
Deleting file C:\WINDOWS\system32\lsm32.sys
Deleting file C:\WINDOWS\system32\opeia.exe
Deleting file C:\WINDOWS\system32\BtwSrv.dll
Error deleting C:\WINDOWS\system32\BtwSrv.dll
Deleting file C:\WINDOWS\wf3.dat
Deleting file C:\WINDOWS\wf4.dat
Deleting file C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe
Deleting file C:\Program Files\AdvancedVirusRemover\PAVRM.exe
Deleting file C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.cfg
Deleting file C:\Program Files\Windows Police Pro\msvcm80.dll
Deleting file C:\Program Files\Windows Police Pro\msvcp80.dll
Deleting file C:\Program Files\Windows Police Pro\msvcr80.dll
Deleting file C:\Documents and Settings\Amy Chen\Desktop\Windows Police Pro.lnk
Deleting file C:\Documents and Settings\Amy Chen\Desktop\AntivirusPro_2010.lnk
Deleting file C:\Documents and Settings\Amy Chen\ntuser.dll
Deleting file C:\Documents and Settings\Amy Chen\Start Menu\Programs\Startup\scandisk.dll
Deleting file C:\Documents and Settings\Amy Chen\Start Menu\Programs\Startup\scandisk.lnk
Deleting file C:\Documents and Settings\Amy Chen\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
Deleting file C:\Documents and Settings\Amy Chen\Application Data\svcst.exe
Deleting file C:\Documents and Settings\Amy Chen\Application Data\seres.exe
Checking for bad registry entries...
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate.exe
Removing HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antivirus Pro 2010
Removing HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Login Software 2009
Removing HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost
Removing HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mserv
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
After I finished doing the RootRepeal scan, it seemed like the virus just opened up a billion "scanning for virus" windows and my computer completely froze. I forced it to shut down. That's where I am now. THANKS!
Edited by jay_sohhn, 26 October 2009 - 09:16 AM.
#4
Posted 26 October 2009 - 05:39 PM
Download Combofix from any of the links below but rename it to jay.com before saving it to your desktop.
Link 1
Link 2
==================================
Double-click on the renamed ComboFix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the C:\ComboFix.txt so we can continue cleaning the system.
#5
Posted 28 October 2009 - 12:47 PM
------------------------------------------------------------------------------------
ComboFix 09-10-27.08 - Amy Chen 10/28/2009 13:54.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.492 [GMT -4:00]
Running from: c:\documents and settings\Amy Chen\Desktop\Jay.com.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
ADS - svchost.exe: deleted 31744 bytes in 1 streams.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\AMYCHE~1\LOCALS~1\Temp\502.exe
c:\docume~1\AMYCHE~1\LOCALS~1\Temp\lsass.exe
c:\docume~1\AMYCHE~1\LOCALS~1\Temp\services.exe
c:\documents and settings\All Users\Application Data\31858934
c:\documents and settings\All Users\Application Data\31858934\31858934 .exe
c:\documents and settings\All Users\Application Data\31858934\31858934.exe
c:\documents and settings\All Users\Application Data\mykypevad.exe
c:\documents and settings\All Users\Documents\atuzyjel.reg
c:\documents and settings\All Users\Documents\fuzaxycuxe._sy
c:\documents and settings\All Users\Documents\uratihezi.dl
c:\documents and settings\Amy Chen\alcmtr .exe
c:\documents and settings\Amy Chen\Application Data\gysap.com
c:\documents and settings\Amy Chen\Application Data\iniasd.txt
c:\documents and settings\Amy Chen\Application Data\lizkavd.exe
c:\documents and settings\Amy Chen\Application Data\svcst .exe
c:\documents and settings\Amy Chen\Application Data\yhipyfypu.dl
c:\documents and settings\Amy Chen\Desktop\Security Tool.lnk
c:\documents and settings\Amy Chen\Local Settings\Application Data\ehywofybyz.dll
c:\documents and settings\Amy Chen\Local Settings\Application Data\fovexapy.dl
c:\documents and settings\Amy Chen\Local Settings\Application Data\fozuqa.exe
c:\documents and settings\Amy Chen\Local Settings\Temporary Internet Files\xalibe._dl
c:\documents and settings\Amy Chen\Local Settings\Temporary Internet Files\yvaciqa.pif
c:\documents and settings\Amy Chen\ntuser.dll
c:\documents and settings\Amy Chen\rthdcpl .exe
c:\documents and settings\Amy Chen\Start Menu\Programs\AntivirusPro_2010
c:\documents and settings\Amy Chen\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
c:\documents and settings\Amy Chen\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
c:\documents and settings\Amy Chen\Start Menu\Programs\Security Tool.lnk
c:\documents and settings\Amy Chen\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\Amy Chen\Start Menu\Programs\Startup\scandisk.lnk
c:\documents and settings\Amy Chen\Start Menu\Programs\Windows Police Pro
c:\documents and settings\Amy Chen\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk
c:\documents and settings\NetworkService\ntuser.dll
C:\houkh.exe
C:\iopuabg.exe
C:\ntldrs
c:\program files\AntivirusPro_2010
c:\program files\Common Files\silix.dl
c:\program files\Windows Police Pro
c:\recycler\S-1-5-21-0243936033-3052116371-381863308-1811
c:\recycler\S-1-5-21-0243936033-3052116371-381863308-1858
c:\recycler\S-1-5-21-3262063871-891380153-889118470-1003
c:\recycler\S-1-5-21-3937801559-8808261763-161498522-5729
c:\windows\elorej.inf
c:\windows\enex._dl
c:\windows\ganug.vbs
c:\windows\iceg.inf
c:\windows\Install.txt
c:\windows\oryvopin.bin
c:\windows\pamalyxe.dll
c:\windows\rikofoseh.dl
c:\windows\system32\_scui.cpl
c:\windows\system32\6to4v32.dll
c:\windows\system32\api.dat
c:\windows\system32\api32.dll
c:\windows\system32\bedo.scr
c:\windows\system32\buvujano.dll
c:\windows\system32\calc.dll
c:\windows\system32\certstore.dat
c:\windows\system32\ctfmon .exe
c:\windows\system32\dafanose.dll
c:\windows\system32\ebari.reg
c:\windows\system32\ejsut89.dll
c:\windows\system32\fehamito.dll
c:\windows\system32\FInstall.sys
c:\windows\system32\fisalunu.exe
c:\windows\system32\ftbusk54.dll
c:\windows\system32\giwovumo.dll
c:\windows\system32\govegomu.exe
c:\windows\system32\higubuli.dll
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxpers .exe
c:\windows\system32\igfxtray .exe
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\Install.txt
c:\windows\system32\isasdk.sys
c:\windows\system32\mofawulo.dll
c:\windows\system32\mumehuve.dll
c:\windows\system32\nunupofa.dll
c:\windows\system32\ritelo.inf
c:\windows\system32\sosafimi.dll
c:\windows\system32\titodopu.dll
c:\windows\system32\todolaze.dll
c:\windows\system32\ulabazequ.bat
c:\windows\system32\updatenf.dll
c:\windows\system32\viyiyini.dll
c:\windows\system32\vubuvuha.exe
c:\windows\system32\wewefove.exe
c:\windows\system32\wibakihi.dll
c:\windows\system32\winupdate .exe
c:\windows\system32\wispex.html
c:\windows\system32\wojajugi.dll
c:\windows\system32\xa7Wdel.dll
c:\windows\TEMP\mta13187.dll
c:\windows\xavyk.reg
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
-------\Legacy_ANTIPOL
-------\Legacy_ICF
-------\Legacy_ISASDK
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_6to4
-------\Service_ICF
-------\Service_isasdk
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-28 )))))))))))))))))))))))))))))))
.
2011-02-27 04:02 . 2009-10-28 18:05 -------- d-----w- c:\program files\Elantech
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-19 18:34 . 2010-02-19 18:34 -------- d-----w- c:\program files\microsoft frontpage
2010-02-19 18:32 . 2010-02-19 18:32 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-10-28 18:05 . 2009-06-04 05:45 -------- d-----w- c:\program files\Symantec AntiVirus
2009-10-28 18:05 . 2009-10-10 00:34 30720 ----a-w- c:\documents and settings\Amy Chen\rthdcpl.exe
2009-10-28 18:05 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\igfxpers.exe
2009-10-28 18:05 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\hkcmd.exe
2009-10-28 18:05 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\igfxtray.exe
2009-10-28 18:03 . 2009-10-28 17:49 46640 ----a-w- c:\windows\system32\msln.exe
2009-10-28 17:47 . 2009-10-09 03:45 407062 ----a-w- c:\windows\system32\raidmg.dll
2009-10-28 17:32 . 2009-07-28 17:32 39424 --sha-w- c:\windows\system32\migitiho.dll
2009-10-28 17:31 . 2009-10-10 00:34 30720 ----a-w- c:\documents and settings\Amy Chen\alcmtr.exe
2009-10-28 17:29 . 2009-10-10 00:33 0 ----a-r- c:\windows\win32k.sys
2009-10-26 14:59 . 2009-10-26 14:59 0 ----a-w- c:\documents and settings\Amy Chen\settings.dat
2009-10-26 14:56 . 2009-06-07 16:21 -------- d-----w- c:\documents and settings\Amy Chen\Application Data\U3
2009-10-26 14:48 . 2009-10-26 14:48 79360 ----a-w- C:\jfmyjbqy.exe
2009-10-26 14:48 . 2009-10-26 14:48 52736 ----a-w- C:\xgmqcrh.exe
2009-10-26 14:48 . 2009-10-26 14:48 96256 ----a-w- C:\fospdj.exe
2009-10-26 14:29 . 2009-10-10 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\26326423
2009-10-10 18:20 . 2009-10-10 01:51 131731 ----a-w- c:\windows\system32\dbsinit.exe
2009-10-10 17:56 . 2009-07-10 17:56 1050147 --sha-w- c:\windows\system32\luravufa.exe
2009-10-10 00:33 . 2010-02-19 17:21 14336 ----a-w- c:\windows\system32\svchost.exe
2009-10-10 00:33 . 2010-02-19 17:21 30720 ----a-w- c:\windows\system32\ctfmon.exe
2009-10-10 00:33 . 2009-10-10 00:33 207872 ----a-w- C:\pnmykhft.exe
2009-10-10 00:33 . 2009-10-10 00:33 79360 ----a-w- C:\xcnq.exe
2009-10-10 00:33 . 2009-10-10 00:33 30720 ----a-w- C:\qvnvkmid.exe
2009-10-10 00:33 . 2009-10-10 00:33 24576 ----a-w- C:\giyoijfx.exe
2009-10-09 03:45 . 2009-10-09 03:45 98304 ----a-w- c:\windows\system32\kbdatat4.dll
2009-10-09 03:45 . 2009-10-09 03:45 19456 ----a-w- C:\dslagxb.exe
2009-10-09 03:45 . 2009-10-09 03:45 52224 ----a-w- C:\elboofy.exe
2009-10-09 03:45 . 2009-10-09 03:45 21504 ----a-w- C:\tixqapi.exe
2009-10-09 03:45 . 2009-10-09 03:45 39936 ----a-w- C:\mkjjnwwp.exe
2009-09-24 04:55 . 2009-02-19 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-14 01:57 . 2009-06-03 15:38 92344 ----a-w- c:\documents and settings\Amy Chen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-14 01:57 . 2009-07-20 20:37 -------- d-----w- c:\documents and settings\Amy Chen\Application Data\Move Networks
2009-09-10 03:34 . 2009-07-03 15:34 -------- d-----w- c:\documents and settings\Amy Chen\Application Data\Skype
2009-09-09 23:30 . 2009-07-03 15:35 -------- d-----w- c:\documents and settings\Amy Chen\Application Data\skypePM
2009-09-01 04:24 . 2009-06-10 23:55 -------- d-----w- c:\program files\Java
2009-08-29 19:44 . 2009-06-04 05:38 -------- d-----w- c:\program files\MSBuild
2009-08-29 19:44 . 2009-08-29 19:44 -------- d-----w- c:\program files\Reference Assemblies
2009-08-05 09:01 . 2010-02-19 17:21 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2008-05-07 08:34 . 2009-02-19 19:07 15523560 ----a-w- c:\program files\U1 Setup.exe
.
------- Sigcheck -------
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . D9F19E78F98834CB411D6AD3C68D181A . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2009-10-10 00:33 . 0334B4EB4FBFB33C0F821D94BD30C7FA . 30720 . . [------] . . c:\windows\system32\ctfmon.exe
[7] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-10-28 30720]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-10-28 30720]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-10-28 30720]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2009-10-28 30720]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2009-10-28 30720]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2009-10-28 30720]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2008-04-14 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2009-10-28 30720]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-06-24 53096]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2009-10-28 30720]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-02-13 17508864]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-2 604776]
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-2-19 376832]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [2/19/2010 1:21 PM 14336]
R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [4/14/2008 8:00 AM 47104]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2/19/2009 3:22 PM 55136]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 9:09 PM 11032]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/30/2008 5:41 PM 116664]
R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [2/19/2009 3:02 PM 10752]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/31/2009 11:49 PM 102448]
R3 Ktp;Elantech Smart-Pad;c:\windows\system32\drivers\ETD.sys [7/31/2008 10:24 PM 93696]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [11/4/2008 5:28 AM 38400]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/19/2009 2:56 PM 1684736]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [12/8/2008 6:01 PM 533344]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - BTWSRV
*Deregistered* - mbr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
.
Contents of the 'Scheduled Tasks' folder
2009-08-14 c:\windows\Tasks\NSSstub.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2009-08-14 01:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\Amy Chen\Application Data\Mozilla\Firefox\Profiles\6qm4eeji.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Amy Chen\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
BHO-{a4e232aa-bd80-4ce2-896f-f0b02c7accc7} - mumehuve.dll
HKLM-Run-31858934 - c:\docume~1\ALLUSE~1\APPLIC~1\31858934\31858934.exe
HKLM-Run-jedohapoj - c:\windows\system32\titodopu.dll
HKLM-Run-seyisevede - higubuli.dll
SharedTaskScheduler-<NO NAME> - (no file)
SharedTaskScheduler-{2a6d6a57-e02c-4c36-9a08-6d1f7170a48b} - c:\windows\system32\titodopu.dll
SSODL-sifiroyiz-{2a6d6a57-e02c-4c36-9a08-6d1f7170a48b} - c:\windows\system32\titodopu.dll
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-28 14:05
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\Install.txt 265 bytes
c:\windows\system32\BtwSrv.dllx 46592 bytes executable
scan completed successfully
hidden files: 2
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2688)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\jay.com\CF14337.exe
c:\program files\EeePC\ACPI\AsTray .exe
c:\program files\EeePC\ACPI\AsEPCMon .exe
c:\program files\EeePC\ACPI\AsAcpiSvr .exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Elantech\ETDCtrl .exe
c:\progra~1\SYMANT~1\VPTray .exe
c:\windows\system32\wmdtc.exe
c:\windows\system32\wscntfy.exe
c:\docume~1\AMYCHE~1\LOCALS~1\Temp\ctv213.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\windows\system32\lsm32.sys
c:\jay.com\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-28 14:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-28 18:12
Pre-Run: 28,485,570,560 bytes free
Post-Run: 28,366,045,184 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
- - End Of File - - 45297387D4265896916768CD975480C8
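The log above carries three patterns worth pulling out mechanically rather than by eye: the Reg Loading Points section lists eight startup programs (IgfxTray, HotKeysCmds, Persistence, the three ASUS entries, ETDWare, vptray) that are all 30720 bytes and all dated 2009-10-28, the deletions and running-process lists show the originals renamed with a space before the extension ("hkcmd .exe", "AsTray .exe"), and the Sigcheck section marks ctfmon.exe and drivers\tcpip.sys with [-] while a clean copy sits in dllcache. The script below is an added example, not code from this thread or from ComboFix: it parses those three line formats and reports each indicator. The sample lines are copied from the log above; the three-entry threshold, the function names and the size cross-check are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the Reg Loading Points, Other Deletions,
# Other Running Processes, Find3M and Sigcheck sections of the log above.
SAMPLE_LOG = r"""
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-10-28 30720]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-10-28 30720]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-10-28 30720]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2009-10-28 30720]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2009-10-28 30720]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2009-10-28 30720]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-02-13 17508864]
c:\windows\system32\hkcmd .exe
c:\windows\system32\winupdate .exe
c:\documents and settings\Amy Chen\rthdcpl .exe
c:\program files\EeePC\ACPI\AsTray .exe
2009-10-28 18:05 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\hkcmd.exe
2009-10-28 18:05 . 2009-06-04 05:45 -------- d-----w- c:\program files\Symantec AntiVirus
2009-10-28 18:05 . 2009-10-10 00:34 30720 ----a-w- c:\documents and settings\Amy Chen\rthdcpl.exe
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . D9F19E78F98834CB411D6AD3C68D181A . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[-] 2009-10-10 00:33 . 0334B4EB4FBFB33C0F821D94BD30C7FA . 30720 . . [------] . . c:\windows\system32\ctfmon.exe
[7] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ctfmon.exe
"""

RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"(?:\s+-\s+(?P<resolved>.+?))?'
                    r'\s+\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$')
FIND3M_RE = re.compile(r'^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} '
                       r'(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$')
SIGCHECK_RE = re.compile(r'^\[(?P<status>.)\] \S+(?: \d{2}:\d{2})? \. (?P<md5>[0-9A-Fa-f]{32}) \. '
                         r'(?P<size>\d+) \. \. \[(?P<version>[^\]]*)\] \. \. (?P<path>.+)$')
BARE_PATH_RE = re.compile(r'^[A-Za-z]:\\.+$')
SPACED_NAME_RE = re.compile(r'^(?P<stem>.*\S) (?P<ext>\.[A-Za-z0-9]+)$')  # "hkcmd .exe"

def parse_log(text):
    """Sort each line into autorun entries, Find3M rows, Sigcheck rows or bare paths."""
    runs, files, sigs, paths = [], [], [], []
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := RUN_RE.match(line):
            runs.append({"name": m["name"], "date": m["date"], "size": int(m["size"]),
                         "path": (m["resolved"] or m["value"]).lower()})
        elif m := FIND3M_RE.match(line):
            size = None if m["size"].startswith("-") else int(m["size"])  # dirs show '--------'
            files.append({"path": m["path"].lower(), "size": size, "mtime": m["mtime"]})
        elif m := SIGCHECK_RE.match(line):
            sigs.append({"status": m["status"], "md5": m["md5"].upper(), "size": int(m["size"]),
                         "version": m["version"], "path": m["path"].lower()})
        elif BARE_PATH_RE.match(line):
            paths.append(line.lower())
    return runs, files, sigs, paths

def cloned_autoruns(runs, min_count=3):
    """Autorun targets sharing one (date, size): one dropper copied over every
    startup .exe. Legitimate sets rarely share both; min_count is an assumed threshold."""
    groups = defaultdict(list)
    for r in runs:
        groups[(r["date"], r["size"])].append(r["name"])
    return [{"date": d, "size": s, "entries": names}
            for (d, s), names in groups.items() if len(names) >= min_count]

def spaced_twins(all_paths):
    """Names like 'hkcmd .exe' and whether 'hkcmd.exe' sits beside them: the renamed
    original that the replacement launches so nothing looks broken to the user."""
    known = set(all_paths)
    hits = []
    for p in sorted(known):
        folder, _, base = p.rpartition("\\")
        if m := SPACED_NAME_RE.match(base):
            twin = folder + "\\" + m["stem"] + m["ext"]
            hits.append((p, twin, twin in known))
    return hits

def sigcheck_mismatches(sigs):
    """Rows marked [-] (not a known signed build) plus any signed copy of the same
    file name, typically in dllcache, that an FCopy:: line can restore from."""
    signed = defaultdict(list)
    for s in sigs:
        if s["status"] != "-":
            signed[s["path"].rpartition("\\")[2]].append(s["path"])
    return [dict(s, restore_from=signed.get(s["path"].rpartition("\\")[2], []))
            for s in sigs if s["status"] == "-"]

def triage(text, min_count=3):
    """Run the three checks; a [-] file the same size as the cloned autoruns is
    almost certainly the same dropper (assumed cross-check, not a ComboFix rule)."""
    runs, files, sigs, paths = parse_log(text)
    clones = cloned_autoruns(runs, min_count)
    clone_sizes = {c["size"] for c in clones}
    all_paths = ([r["path"] for r in runs] + [f["path"] for f in files]
                 + [s["path"] for s in sigs] + paths)
    return {"cloned_autoruns": clones,
            "spaced_twins": spaced_twins(all_paths),
            "sigcheck_mismatches": [dict(m, same_size_as_clone=m["size"] in clone_sizes)
                                    for m in sigcheck_mismatches(sigs)]}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the sample, the two PHIME entries share a date and size but stay below the threshold (the same legitimate TINTSETP.EXE registered twice), "winupdate .exe" is reported with no twin because exeHelper had already deleted winupdate.exe, and ctfmon.exe is flagged both as unsigned and as the 30720-byte clone, which is exactly what the later FCopy:: from dllcache addresses.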
#6
Posted 28 October 2009 - 04:45 PM
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
http://www.geekstogo...ro-t256562.html
Collect::
c:\windows\win32k.sys
C:\jfmyjbqy.exe
C:\xgmqcrh.exe
C:\fospdj.exe
c:\windows\system32\dbsinit.exe
c:\windows\system32\luravufa.exe
C:\pnmykhft.exe
C:\xcnq.exe
C:\qvnvkmid.exe
C:\giyoijfx.exe
C:\dslagxb.exe
C:\elboofy.exe
C:\tixqapi.exe
C:\mkjjnwwp.exe
c:\windows\system32\BtwSrv.dllx
Folder::
c:\documents and settings\All Users\Application Data\26326423
Driver::
BtwSrv
NetSvcs::
BtwSrv
FCopy::
c:\windows\system32\dllcache\ctfmon.exe | c:\windows\system32\ctfmon.exe
Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
#7
Posted 29 October 2009 - 07:48 AM
I followed the above instructions you provided. The txt report you requested is pasted below.
------------------------------------------------
ComboFix 09-10-27.08 - Amy Chen 10/29/2009 9:19.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.446 [GMT -4:00]
Running from: c:\documents and settings\Amy Chen\Desktop\Jay.com.exe
Command switches used :: c:\documents and settings\Amy Chen\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
file zipped: C:\dslagxb.exe
file zipped: C:\elboofy.exe
file zipped: C:\fospdj.exe
file zipped: C:\giyoijfx.exe
file zipped: C:\jfmyjbqy.exe
file zipped: C:\mkjjnwwp.exe
file zipped: C:\pnmykhft.exe
file zipped: C:\qvnvkmid.exe
file zipped: C:\tixqapi.exe
file zipped: c:\windows\system32\dbsinit.exe
file zipped: c:\windows\system32\luravufa.exe
file zipped: c:\windows\win32k.sys
file zipped: C:\xcnq.exe
file zipped: C:\xgmqcrh.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\26326423
c:\documents and settings\All Users\Application Data\26326423\26326423 .exe
c:\documents and settings\All Users\Application Data\26326423\26326423.bat
c:\documents and settings\Amy Chen\rthdcpl .exe
C:\dslagxb.exe
C:\elboofy.exe
C:\fospdj.exe
C:\giyoijfx.exe
C:\jfmyjbqy.exe
C:\mkjjnwwp.exe
C:\pnmykhft.exe
C:\qvnvkmid.exe
C:\tixqapi.exe
c:\windows\Install.txt
c:\windows\system32\dbsinit.exe
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxpers .exe
c:\windows\system32\Install.txt
c:\windows\system32\luravufa.exe
c:\windows\TEMP\mta13187.dll
c:\windows\TEMP\t4m0_241771713460.bk.old
c:\windows\TEMP\x1c65584.dll
c:\windows\win32k.sys
C:\xcnq.exe
C:\xgmqcrh.exe
.
--------------- FCopy ---------------
c:\windows\system32\dllcache\ctfmon.exe --> c:\windows\system32\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_BTWSRV
-------\Service_BtwSrv
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-29 )))))))))))))))))))))))))))))))
.
2011-02-27 04:02 . 2009-10-29 13:31 -------- d-----w- c:\program files\Elantech
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-19 18:34 . 2010-02-19 18:34 -------- d-----w- c:\program files\microsoft frontpage
2010-02-19 18:32 . 2010-02-19 18:32 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-10-29 13:32 . 2009-10-10 00:34 30720 ----a-w- c:\documents and settings\Amy Chen\rthdcpl.exe
2009-10-29 13:31 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\igfxpers.exe
2009-10-29 13:31 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\hkcmd.exe
2009-10-29 13:31 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\igfxtray.exe
2009-10-29 13:28 . 2009-06-04 05:45 -------- d-----w- c:\program files\Symantec AntiVirus
2009-10-29 13:07 . 2009-10-10 00:34 30720 ----a-w- c:\documents and settings\Amy Chen\rthdcpl .exe
2009-10-29 13:07 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\igfxpers .exe
2009-10-28 18:05 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\igfxtray .exe
2009-10-28 17:47 . 2009-10-09 03:45 407062 ----a-w- c:\windows\system32\raidmg.dll
2009-10-28 17:32 . 2009-07-28 17:32 39424 --sha-w- c:\windows\system32\migitiho.dll
2009-10-28 17:31 . 2009-10-10 00:34 30720 ----a-w- c:\documents and settings\Amy Chen\alcmtr.exe
2009-10-26 14:59 . 2009-10-26 14:59 0 ----a-w- c:\documents and settings\Amy Chen\settings.dat
2009-10-26 14:56 . 2009-06-07 16:21 -------- d-----w- c:\documents and settings\Amy Chen\Application Data\U3
2009-10-10 00:33 . 2010-02-19 17:21 14336 ------w- c:\windows\system32\svchost.exe
2009-10-09 03:45 . 2009-10-09 03:45 98304 ----a-w- c:\windows\system32\kbdatat4.dll
2009-09-24 04:55 . 2009-02-19 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-14 01:57 . 2009-06-03 15:38 92344 ----a-w- c:\documents and settings\Amy Chen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-14 01:57 . 2009-07-20 20:37 -------- d-----w- c:\documents and settings\Amy Chen\Application Data\Move Networks
2009-09-11 14:18 . 2010-02-19 17:21 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 03:34 . 2009-07-03 15:34 -------- d-----w- c:\documents and settings\Amy Chen\Application Data\Skype
2009-09-09 23:30 . 2009-07-03 15:35 -------- d-----w- c:\documents and settings\Amy Chen\Application Data\skypePM
2009-09-04 21:03 . 2010-02-19 17:21 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 04:24 . 2009-06-10 23:55 -------- d-----w- c:\program files\Java
2009-08-29 08:08 . 2010-02-19 17:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2010-02-19 17:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:01 . 2010-02-19 17:21 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2008-04-14 00:54 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2008-04-14 00:01 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2008-05-07 08:34 . 2009-02-19 19:07 15523560 ----a-w- c:\program files\U1 Setup.exe
.
------- Sigcheck -------
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . D9F19E78F98834CB411D6AD3C68D181A . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-10-28_18.05.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-29 13:30 . 2009-10-29 13:30 16384 c:\windows\temp\Perflib_Perfdata_1ac.dat
+ 2008-04-14 12:00 . 2008-04-14 12:00 86528 c:\windows\system32\wmdtc.exe
- 2010-02-19 17:21 . 2009-10-26 14:53 71810 c:\windows\system32\perfc009.dat
+ 2010-02-19 17:21 . 2009-10-28 18:31 71810 c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2008-04-14 12:00 86528 c:\windows\system32\opeia.exe
+ 2007-08-13 23:54 . 2009-08-29 08:08 55296 c:\windows\system32\msfeedsbs.dll
- 2007-08-13 23:54 . 2009-07-03 17:09 55296 c:\windows\system32\msfeedsbs.dll
- 2010-02-19 17:21 . 2009-07-03 17:09 25600 c:\windows\system32\jsproxy.dll
+ 2010-02-19 17:21 . 2009-08-29 08:08 25600 c:\windows\system32\jsproxy.dll
+ 2008-04-14 12:00 . 2008-04-14 12:00 46592 c:\windows\system32\FastNetSrv.exe
+ 2009-07-12 16:20 . 2009-08-29 08:08 12800 c:\windows\system32\dllcache\xpshims.dll
- 2009-07-12 16:20 . 2009-07-03 17:09 12800 c:\windows\system32\dllcache\xpshims.dll
- 2009-02-19 19:29 . 2009-07-03 17:09 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2009-02-19 19:29 . 2009-08-29 08:08 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2010-02-19 17:21 . 2009-09-04 21:03 58880 c:\windows\system32\dllcache\msasn1.dll
+ 2010-02-19 17:21 . 2009-08-29 08:08 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2010-02-19 17:21 . 2009-07-03 17:09 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2010-02-19 17:21 . 2008-04-14 12:00 15360 c:\windows\system32\ctfmon .exe
+ 2009-02-19 20:51 . 2009-10-28 18:12 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-19 20:51 . 2009-10-28 17:49 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-19 20:51 . 2009-10-28 17:49 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-19 20:51 . 2009-10-28 18:12 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-06-24 23:56 . 2009-06-24 23:56 73728 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe
+ 2008-05-28 04:49 . 2008-05-28 04:49 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2007-04-14 01:58 . 2007-04-14 01:58 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2007-04-14 01:57 . 2007-04-14 01:57 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2008-05-28 04:49 . 2008-05-28 04:49 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2008-05-28 04:49 . 2008-05-28 04:49 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2007-04-14 01:57 . 2007-04-14 01:57 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2007-04-14 02:30 . 2007-04-14 02:30 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2008-05-28 05:30 . 2008-05-28 05:30 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2009-10-28 18:27 . 2009-07-03 17:09 12800 c:\windows\ie8updates\KB974455-IE8\xpshims.dll
+ 2009-10-28 18:27 . 2009-07-03 17:09 55296 c:\windows\ie8updates\KB974455-IE8\msfeedsbs.dll
+ 2009-10-28 18:27 . 2009-07-03 17:09 25600 c:\windows\ie8updates\KB974455-IE8\jsproxy.dll
+ 2009-10-28 18:23 . 2009-10-28 18:23 90112 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_c9935a78\System.Drawing.Design.dll
+ 2009-10-28 18:23 . 2009-10-28 18:23 61440 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_2477a54e\CustomMarshalers.dll
+ 2009-10-29 13:13 . 2009-10-29 13:13 60928 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\b4a9e413d5cd6d6ec2d50aa05381e293\UIAutomationProvider.ni.dll
+ 2009-10-29 13:09 . 2009-10-29 13:09 47104 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\3dd0f86c966c75755d62eab8ddf0634c\PresentationFontCache.ni.exe
+ 2009-10-29 13:08 . 2009-10-29 13:08 39424 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCFFRast#\034d081fe294bab1ee1ecc98c1181424\PresentationCFFRasterizer.ni.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2010-02-19 17:21 . 2009-04-02 03:02 604160 c:\windows\system32\wmspdmod.dll
+ 2010-02-19 17:21 . 2009-10-28 18:31 442024 c:\windows\system32\perfh009.dat
- 2010-02-19 17:21 . 2009-10-26 14:53 442024 c:\windows\system32\perfh009.dat
+ 2010-02-19 17:21 . 2009-08-29 08:08 206848 c:\windows\system32\occache.dll
- 2010-02-19 17:21 . 2009-07-03 17:09 206848 c:\windows\system32\occache.dll
- 2007-08-13 23:54 . 2009-07-03 17:09 594432 c:\windows\system32\msfeeds.dll
+ 2007-08-13 23:54 . 2009-08-29 08:08 594432 c:\windows\system32\msfeeds.dll
+ 2010-02-19 17:21 . 2009-08-29 08:08 184320 c:\windows\system32\iepeers.dll
- 2010-02-19 17:21 . 2009-07-03 17:09 184320 c:\windows\system32\iepeers.dll
+ 2010-02-19 17:21 . 2009-08-29 08:08 387584 c:\windows\system32\iedkcs32.dll
- 2010-02-19 17:21 . 2009-07-03 11:01 173056 c:\windows\system32\ie4uinit.exe
+ 2010-02-19 17:21 . 2009-08-28 10:35 173056 c:\windows\system32\ie4uinit.exe
+ 2010-02-19 17:21 . 2009-04-02 03:02 604160 c:\windows\system32\dllcache\wmspdmod.dll
+ 2010-02-19 17:21 . 2009-08-29 08:08 916480 c:\windows\system32\dllcache\wininet.dll
+ 2010-02-19 17:21 . 2009-08-26 08:00 247326 c:\windows\system32\dllcache\strmdll.dll
- 2010-02-19 17:21 . 2008-10-03 10:02 247326 c:\windows\system32\dllcache\strmdll.dll
+ 2010-02-19 17:21 . 2009-08-29 08:08 206848 c:\windows\system32\dllcache\occache.dll
- 2010-02-19 17:21 . 2009-07-03 17:09 206848 c:\windows\system32\dllcache\occache.dll
+ 2010-02-19 17:21 . 2009-09-11 14:18 136192 c:\windows\system32\dllcache\msv1_0.dll
- 2010-02-19 17:21 . 2009-06-25 08:25 136192 c:\windows\system32\dllcache\msv1_0.dll
- 2009-02-19 19:29 . 2009-07-03 17:09 594432 c:\windows\system32\dllcache\msfeeds.dll
+ 2009-02-19 19:29 . 2009-08-29 08:08 594432 c:\windows\system32\dllcache\msfeeds.dll
- 2009-07-12 16:20 . 2009-07-03 17:09 246272 c:\windows\system32\dllcache\ieproxy.dll
+ 2009-07-12 16:20 . 2009-08-29 08:08 246272 c:\windows\system32\dllcache\ieproxy.dll
- 2010-02-19 17:21 . 2009-07-03 17:09 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2010-02-19 17:21 . 2009-08-29 08:08 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2010-02-19 17:21 . 2009-08-29 08:08 387584 c:\windows\system32\dllcache\iedkcs32.dll
- 2010-02-19 17:21 . 2009-07-03 11:01 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2010-02-19 17:21 . 2009-08-28 10:35 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2009-08-08 03:51 . 2009-08-08 03:51 989016 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll
+ 2008-05-28 04:49 . 2008-05-28 04:49 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2007-04-14 01:58 . 2007-04-14 01:58 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2007-04-14 01:56 . 2007-04-14 01:56 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2008-05-28 04:48 . 2008-05-28 04:48 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
- 2007-04-14 02:30 . 2007-04-14 02:30 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2008-05-28 05:30 . 2008-05-28 05:30 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2009-10-28 18:27 . 2009-07-03 17:09 915456 c:\windows\ie8updates\KB974455-IE8\wininet.dll
+ 2009-10-28 18:27 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB974455-IE8\spuninst\updspapi.dll
+ 2009-10-28 18:27 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB974455-IE8\spuninst\spuninst.exe
+ 2009-10-28 18:27 . 2009-07-03 17:09 206848 c:\windows\ie8updates\KB974455-IE8\occache.dll
+ 2009-10-28 18:27 . 2009-07-03 17:09 594432 c:\windows\ie8updates\KB974455-IE8\msfeeds.dll
+ 2009-10-28 18:27 . 2009-07-03 17:09 246272 c:\windows\ie8updates\KB974455-IE8\ieproxy.dll
+ 2009-10-28 18:27 . 2009-07-03 17:09 184320 c:\windows\ie8updates\KB974455-IE8\iepeers.dll
+ 2009-10-28 18:27 . 2009-07-03 17:09 386048 c:\windows\ie8updates\KB974455-IE8\iedkcs32.dll
+ 2009-10-28 18:27 . 2009-07-03 11:01 173056 c:\windows\ie8updates\KB974455-IE8\ie4uinit.exe
+ 2009-10-28 18:23 . 2009-10-28 18:23 835584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_ea5748e8\System.Drawing.dll
+ 2009-10-28 18:24 . 2009-10-28 18:24 192512 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_e5dc6233\System.Drawing.Design.dll
+ 2009-10-28 18:24 . 2009-10-28 18:24 118784 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_c8045b0c\CustomMarshalers.dll
+ 2009-10-29 13:13 . 2009-10-29 13:13 240128 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\bf92bc207f927cbbd6dfc9dc0c3eae68\WindowsFormsIntegration.ni.dll
+ 2009-10-29 13:13 . 2009-10-29 13:13 187904 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationTypes\6f488b7644dc50a083868e91a4014466\UIAutomationTypes.ni.dll
+ 2009-10-29 13:13 . 2009-10-29 13:13 447488 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClient\c2fbf25609b704061a93500efa6f241d\UIAutomationClient.ni.dll
+ 2009-10-29 13:12 . 2009-10-29 13:12 208384 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\ca6d7208c0fb72ff97429f2636ced321\System.Drawing.Design.ni.dll
+ 2009-10-29 13:10 . 2009-10-29 13:10 258048 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\96f74da5fc40b92f09069230bc0df4f0\PresentationFramework.Royale.ni.dll
+ 2009-10-29 13:10 . 2009-10-29 13:10 539648 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\3bb4d16b042b72c2c85a0f8ac9d48f28\PresentationFramework.Luna.ni.dll
+ 2009-10-29 13:10 . 2009-10-29 13:10 368128 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\30c5c2682d3c5bdaa83bb9a36ee48afa\PresentationFramework.Aero.ni.dll
+ 2009-10-29 13:10 . 2009-10-29 13:10 224768 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\07e952efd70f5608e221a008e6231ace\PresentationFramework.Classic.ni.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2009-10-28 18:12 . 2009-08-13 13:55 1748992 c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\GdiPlus.dll
- 2010-02-19 17:21 . 2009-07-03 17:09 1208832 c:\windows\system32\urlmon.dll
+ 2010-02-19 17:21 . 2009-08-29 08:08 1208832 c:\windows\system32\urlmon.dll
- 2010-02-19 17:21 . 2008-04-14 12:00 1435648 c:\windows\system32\query.dll
+ 2010-02-19 17:21 . 2009-07-17 16:22 1435648 c:\windows\system32\query.dll
+ 2010-02-19 17:21 . 2009-08-29 08:08 5940224 c:\windows\system32\mshtml.dll
- 2007-08-13 23:34 . 2009-07-03 17:09 1985536 c:\windows\system32\iertutil.dll
+ 2007-08-13 23:34 . 2009-08-29 08:08 1985536 c:\windows\system32\iertutil.dll
- 2010-02-19 17:21 . 2009-07-03 17:09 1208832 c:\windows\system32\dllcache\urlmon.dll
+ 2010-02-19 17:21 . 2009-08-29 08:08 1208832 c:\windows\system32\dllcache\urlmon.dll
+ 2010-02-19 17:21 . 2009-07-17 16:22 1435648 c:\windows\system32\dllcache\query.dll
- 2010-02-19 17:21 . 2008-04-14 12:00 1435648 c:\windows\system32\dllcache\query.dll
+ 2009-02-19 18:54 . 2009-08-05 00:44 2189184 c:\windows\system32\dllcache\ntoskrnl.exe
- 2009-02-19 18:54 . 2009-02-06 10:32 2023936 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2009-02-19 18:54 . 2009-08-04 14:20 2023936 c:\windows\system32\dllcache\ntkrpamp.exe
- 2009-02-19 18:54 . 2009-02-07 23:02 2066048 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2009-02-19 18:54 . 2009-08-04 14:20 2066048 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2009-02-19 18:54 . 2009-08-04 15:13 2145280 c:\windows\system32\dllcache\ntkrnlmp.exe
- 2009-02-19 18:54 . 2009-02-06 11:06 2145280 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2010-02-19 17:21 . 2009-08-29 08:08 5940224 c:\windows\system32\dllcache\mshtml.dll
- 2009-02-19 19:29 . 2009-07-03 17:09 1985536 c:\windows\system32\dllcache\iertutil.dll
+ 2009-02-19 19:29 . 2009-08-29 08:08 1985536 c:\windows\system32\dllcache\iertutil.dll
+ 2009-08-08 03:51 . 2009-08-08 03:51 5812560 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
- 2008-11-25 08:59 . 2008-11-25 08:59 4546560 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
+ 2009-08-08 03:51 . 2009-08-08 03:51 4546560 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
- 2007-04-14 02:35 . 2007-04-14 02:35 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
+ 2008-05-28 05:35 . 2008-05-28 05:35 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
+ 2008-05-28 05:35 . 2008-05-28 05:35 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
- 2007-04-14 02:35 . 2007-04-14 02:35 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
- 2007-04-14 01:57 . 2007-04-14 01:57 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2008-05-28 04:48 . 2008-05-28 04:48 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
- 2007-04-14 01:57 . 2007-04-14 01:57 2523136 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
+ 2008-05-28 04:48 . 2008-05-28 04:48 2523136 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
- 2007-04-14 01:50 . 2007-04-14 01:50 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2008-05-28 04:43 . 2008-05-28 04:43 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2009-10-28 18:27 . 2009-07-03 17:09 1208832 c:\windows\ie8updates\KB974455-IE8\urlmon.dll
+ 2009-10-28 18:27 . 2009-07-19 13:18 5937152 c:\windows\ie8updates\KB974455-IE8\mshtml.dll
+ 2009-10-28 18:27 . 2009-07-03 17:09 1985536 c:\windows\ie8updates\KB974455-IE8\iertutil.dll
+ 2009-02-19 18:54 . 2009-08-05 00:44 2189184 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2009-02-19 18:54 . 2009-08-04 14:20 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2009-02-19 18:54 . 2009-02-06 10:32 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2009-02-19 18:54 . 2009-08-04 14:20 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2009-02-19 18:54 . 2009-02-07 23:02 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2009-02-19 18:54 . 2009-08-04 15:13 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
- 2009-02-19 18:54 . 2009-02-06 11:06 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2009-10-28 18:23 . 2009-10-28 18:23 1966080 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_cb77ef9d\System.dll
+ 2009-10-28 18:24 . 2009-10-28 18:24 4792320 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_7d74987b\System.dll
+ 2009-10-28 18:24 . 2009-10-28 18:24 5513216 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_ba2f59d0\System.Xml.dll
+ 2009-10-28 18:23 . 2009-10-28 18:23 2088960 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_3d9a7d92\System.Xml.dll
+ 2009-10-28 18:24 . 2009-10-28 18:24 7884800 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_e188e126\System.Windows.Forms.dll
+ 2009-10-28 18:23 . 2009-10-28 18:23 3018752 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_8c82f25d\System.Windows.Forms.dll
+ 2009-10-28 18:24 . 2009-10-28 18:24 2244608 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_11b37e97\System.Drawing.dll
+ 2009-10-28 18:24 . 2009-10-28 18:24 3395584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_8d698180\System.Design.dll
+ 2009-10-28 18:23 . 2009-10-28 18:23 1470464 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_41f6b818\System.Design.dll
+ 2009-10-28 18:24 . 2009-10-28 18:24 8908800 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_deb2f9d6\mscorlib.dll
+ 2009-10-28 18:24 . 2009-10-28 18:24 3391488 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_22bf4f49\mscorlib.dll
+ 2009-10-29 13:08 . 2009-10-29 13:08 3313664 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\204d6e5b335134f23ca37638b9227ecf\WindowsBase.ni.dll
+ 2009-10-29 13:13 . 2009-10-29 13:13 1049600 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClients#\0f2ed6a204eb13841e99b77025464afc\UIAutomationClientsideProviders.ni.dll
+ 2009-10-29 13:08 . 2009-10-29 13:08 7868416 c:\windows\assembly\NativeImages_v2.0.50727_32\System\3de5bd01124463d7862bd173af90bc83\System.ni.dll
+ 2009-10-29 13:13 . 2009-10-29 13:13 5450752 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml\5913d3f81e77194ec833991b1047a532\System.Xml.ni.dll
+ 2009-10-29 13:12 . 2009-10-29 13:12 1917440 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Speech\99594bae1d022502925f5b9dfcdaae9a\System.Speech.ni.dll
+ 2009-10-29 13:12 . 2009-10-29 13:12 1035264 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Printing\e5313735a40c0800f116e27fba4754db\System.Printing.ni.dll
+ 2009-10-29 13:12 . 2009-10-29 13:12 1587200 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\abb2ac7e08bee026f857d8fa36f9fe6f\System.Drawing.ni.dll
+ 2009-10-29 13:11 . 2009-10-29 13:11 6616576 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data\694c07365e0fd6bba0bc304d4d2404a7\System.Data.ni.dll
+ 2009-10-29 13:11 . 2009-10-29 13:11 2516480 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Linq\32788c58ff9f8324460604cf1fe7681b\System.Data.Linq.ni.dll
+ 2009-10-29 13:11 . 2009-10-29 13:11 2295296 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Core\c0a42d2ad8a4078040b334f6770ea11f\System.Core.ni.dll
+ 2009-10-29 13:10 . 2009-10-29 13:10 2128896 c:\windows\assembly\NativeImages_v2.0.50727_32\ReachFramework\954685c29689d2a6126ceca1fd55e904\ReachFramework.ni.dll
+ 2009-10-29 13:10 . 2009-10-29 13:10 1657856 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationUI\a3a6f52ce1d09a7bdccc8e7fc664792d\PresentationUI.ni.dll
+ 2009-10-29 13:08 . 2009-10-29 13:08 1451008 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationBuildTa#\f906701365083c1473db31519147e263\PresentationBuildTasks.ni.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 3149824 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 3149824 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 4546560 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 4546560 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
- 2009-02-19 18:48 . 2009-02-19 18:48 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2009-10-28 18:23 . 2009-10-28 18:23 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2009-10-28 18:23 . 2009-10-28 18:23 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
- 2009-02-19 18:48 . 2009-02-19 18:48 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2009-10-28 18:24 . 2009-10-02 15:01 25198016 c:\windows\system32\MRT.exe
+ 2007-08-13 23:54 . 2009-08-29 08:08 11069440 c:\windows\system32\ieframe.dll
+ 2009-02-19 19:29 . 2009-08-29 08:08 11069440 c:\windows\system32\dllcache\ieframe.dll
+ 2009-08-11 01:08 . 2009-08-11 01:08 11315712 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp
+ 2009-08-15 00:32 . 2009-08-15 00:32 11110912 c:\windows\Installer\1116e1.msp
+ 2009-08-10 18:09 . 2009-08-10 18:09 17254912 c:\windows\Installer\1116d8.msp
+ 2009-10-28 18:27 . 2009-07-19 22:48 11067392 c:\windows\ie8updates\KB974455-IE8\ieframe.dll
+ 2009-10-29 13:12 . 2009-10-29 13:12 12430848 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d2ea8d76f015817db1607075812b555f\System.Windows.Forms.ni.dll
+ 2009-10-29 13:12 . 2009-10-29 13:12 10683392 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Design\8b82e08c008924d51833cb0884bcbfc5\System.Design.ni.dll
+ 2009-10-29 13:10 . 2009-10-29 13:10 14327808 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\58c7ac6b6054038dc9346d7ec8e32b4c\PresentationFramework.ni.dll
+ 2009-10-29 13:09 . 2009-10-29 13:09 12216320 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\94badbd64df59de7da249f71da38b1c2\PresentationCore.ni.dll
+ 2009-10-29 13:08 . 2009-10-29 13:08 11486720 c:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\7124a40b9998f7b63c86bd1a2125ce26\mscorlib.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-10-29 30720]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-10-29 30720]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-10-29 30720]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2009-10-29 30720]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2009-10-29 30720]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2009-10-29 30720]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2008-04-14 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-06-24 53096]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2009-10-29 30720]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-02-13 17508864]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-2 604776]
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-2-19 376832]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [2/19/2010 1:21 PM 14336]
R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [4/14/2008 8:00 AM 46592]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2/19/2009 3:22 PM 55136]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 9:09 PM 11032]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/30/2008 5:41 PM 116664]
R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [2/19/2009 3:02 PM 10752]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/31/2009 11:49 PM 102448]
R3 Ktp;Elantech Smart-Pad;c:\windows\system32\drivers\ETD.sys [7/31/2008 10:24 PM 93696]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [11/4/2008 5:28 AM 38400]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/19/2009 2:56 PM 1684736]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [12/8/2008 6:01 PM 533344]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - BTWSRV
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\Amy Chen\Application Data\Mozilla\Firefox\Profiles\6qm4eeji.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Amy Chen\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-ETDWare - c:\program files\Elantech\ETDCtrl.exe
SharedTaskScheduler-<NO NAME> - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-29 09:31
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\Install.txt
c:\windows\system32\igfxpers .exe 30720 bytes executable
scan completed successfully
hidden files: 2
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(1684)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\jay.com\CF3750.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\EeePC\ACPI\AsTray .exe
c:\program files\EeePC\ACPI\AsAcpiSvr .exe
c:\program files\EeePC\ACPI\AsEPCMon .exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Elantech\ETDCtrl .exe
c:\progra~1\SYMANT~1\VPTray .exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wmdtc.exe
c:\docume~1\AMYCHE~1\LOCALS~1\Temp\ctv230.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\windows\system32\lsm32.sys
c:\jay.com\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-29 9:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-29 13:36
ComboFix2.txt 2009-10-28 18:12
Pre-Run: 28,250,202,112 bytes free
Post-Run: 28,233,273,344 bytes free
- - End Of File - - 9C27D2036EE335C46CBACCEA0E82031A
#8
Posted 30 October 2009 - 08:38 PM
Jotti
Virus Total
Click on Browse, and upload the following file for analysis:
c:\program files\EeePC\ACPI\AsAcpiSvr.exe
Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.
Please also post the contents of C:\Qoobox\ComboFix-quarantined-files.txt.
Edited by Raktor, 31 October 2009 - 12:50 AM.
#9
Posted 31 October 2009 - 08:23 AM
#10
Posted 01 November 2009 - 12:11 AM
1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
http://www.geekstogo...ro-t256562.html
Suspect::[88]
c:\program files\EeePC\ACPI\AsAcpiSvr.exe
Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
At the conclusion of the run, it should attempt to upload the file to my analysis channel... but this might not happen if the internet is not working properly from that computer. Instead...
1. Please copy C:\Qoobox\Quarantine\[88][email protected] (It will be similar to that filename, but with the date and time instead) onto a USB key, and take it to the computer that is working.
2. Please visit this site and follow the instructions for uploading that zip file.
#11
Posted 04 November 2009 - 09:38 AM
Sorry about the delay in response. I've posted the scan results below. I was able to get on the internet from the infected computer, so that file you were talking about earlier should have uploaded successfully to your analysis channel. I await your next response ... Thanks!
ComboFix 09-10-27.08 - Amy Chen 11/04/2009 10:06.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.548 [GMT -5:00]
Running from: c:\documents and settings\Amy Chen\Desktop\Jay.com.exe
Command switches used :: E:\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
- REDUCED FUNCTIONALITY MODE -
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\AMYCHE~1\LOCALS~1\Temp\taskmgr.exe
c:\docume~1\AMYCHE~1\LOCALS~1\Temp\winlogon.exe
C:\ntldrs
c:\program files\AdvancedVirusRemover
c:\program files\AdvancedVirusRemover\PAVRM.exe
c:\windows\Install.txt
c:\windows\syssvc.exe
c:\windows\system32\calc.dll
c:\windows\system32\fupipivo.dll
c:\windows\system32\iehelper.dll
c:\windows\system32\Install.txt
c:\windows\system32\lsp.dll
c:\windows\system32\winhelper.dll
c:\windows\system32\winupdate.exe
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\eventlog.dll
.
((((((((((((((((((((((((( Files Created from 2009-10-04 to 2009-11-04 )))))))))))))))))))))))))))))))
.
2011-02-27 04:02 . 2009-10-29 13:31 -------- d-----w- c:\program files\Elantech
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-19 18:34 . 2010-02-19 18:34 -------- d-----w- c:\program files\microsoft frontpage
2010-02-19 18:32 . 2010-02-19 18:32 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-11-04 15:15 . 2009-06-04 05:45 -------- d-----w- c:\program files\Symantec AntiVirus
2009-11-04 15:13 . 2009-10-10 00:34 30720 ----a-w- c:\documents and settings\Amy Chen\rthdcpl.exe
2009-11-04 15:13 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\igfxpers.exe
2009-11-04 15:13 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\hkcmd.exe
2009-11-04 14:50 . 2009-11-04 14:50 39424 --sh--w- c:\windows\system32\zevofito.dll
2009-11-04 14:50 . 2009-11-04 14:50 92160 --sh--w- c:\windows\system32\tosikuli.dll
2009-11-04 14:50 . 2009-11-04 14:50 60928 --sh--w- c:\windows\system32\nakuteye.dll
2009-11-04 14:49 . 2009-11-04 14:49 169472 ----a-w- c:\windows\msa.exe
2009-11-04 14:48 . 2009-11-04 14:48 0 ----a-r- c:\windows\win32k.sys
2009-11-04 14:48 . 2009-11-04 14:48 95232 ----a-w- c:\windows\system32\41.exe
2009-11-04 14:44 . 2009-10-31 14:06 -------- d-----w- c:\program files\ewmnru
2009-11-04 14:43 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\igfxtray.exe
2009-10-31 14:03 . 2009-10-29 13:47 -------- d-----w- c:\program files\xhonsl
2009-10-31 13:57 . 2009-10-31 13:57 91648 --sh--w- c:\windows\system32\bebaluno.dll
2009-10-29 13:44 . 2009-10-29 13:43 -------- d-----w- c:\documents and settings\All Users\Application Data\90489939
2009-10-29 13:42 . 2009-10-29 13:42 15000 ----a-w- c:\windows\system32\h2w8l.dll
2009-10-29 13:41 . 2009-10-29 13:41 52736 ----a-w- C:\ldvx.exe
2009-10-29 13:41 . 2009-10-29 13:41 302080 ----a-w- c:\windows\system32\~.exe
2009-10-29 13:31 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\hkcmd .exe
2009-10-29 13:07 . 2009-10-10 00:34 30720 ----a-w- c:\documents and settings\Amy Chen\rthdcpl .exe
2009-10-29 13:07 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\igfxpers .exe
2009-10-28 18:05 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\igfxtray .exe
2009-10-28 17:47 . 2009-10-09 03:45 407062 ----a-w- c:\windows\system32\raidmg.dll
2009-10-28 17:32 . 2009-07-28 17:32 39424 --sha-w- c:\windows\system32\migitiho.dll
2009-10-28 17:31 . 2009-10-10 00:34 30720 ----a-w- c:\documents and settings\Amy Chen\alcmtr.exe
2009-10-26 14:59 . 2009-10-26 14:59 0 ----a-w- c:\documents and settings\Amy Chen\settings.dat
2009-10-26 14:56 . 2009-06-07 16:21 -------- d-----w- c:\documents and settings\Amy Chen\Application Data\U3
2009-10-10 00:33 . 2010-02-19 17:21 14336 ------w- c:\windows\system32\svchost.exe
2009-10-09 03:45 . 2009-10-09 03:45 98304 ----a-w- c:\windows\system32\kbdatat4.dll
2009-09-24 04:55 . 2009-02-19 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-14 01:57 . 2009-06-03 15:38 92344 ----a-w- c:\documents and settings\Amy Chen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-14 01:57 . 2009-07-20 20:37 -------- d-----w- c:\documents and settings\Amy Chen\Application Data\Move Networks
2009-09-11 14:18 . 2010-02-19 17:21 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 03:34 . 2009-07-03 15:34 -------- d-----w- c:\documents and settings\Amy Chen\Application Data\Skype
2009-09-09 23:30 . 2009-07-03 15:35 -------- d-----w- c:\documents and settings\Amy Chen\Application Data\skypePM
2009-09-04 21:03 . 2010-02-19 17:21 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2010-02-19 17:21 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2010-02-19 17:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2008-05-07 08:34 . 2009-02-19 19:07 15523560 ----a-w- c:\program files\U1 Setup.exe
2009-07-29 13:43 . 2009-07-29 13:43 53760 --sha-w- c:\windows\system32\fonoriga.dll
2009-07-29 13:43 . 2009-07-29 13:43 1011618 --sha-w- c:\windows\system32\hagebuzi.exe
2009-07-29 13:43 . 2009-07-29 13:43 92160 --sha-w- c:\windows\system32\kenayiba.dll
2009-07-29 13:42 . 2009-07-29 13:42 52736 --sha-w- c:\windows\system32\kusewovi.dll.tmp
2009-07-29 13:43 . 2009-07-29 13:43 39424 --sha-w- c:\windows\system32\tavahozu.dll
2009-07-29 13:42 . 2009-07-29 13:42 52736 --sha-w- c:\windows\system32\turenugu.dll.tmp
2009-07-29 13:45 . 2009-07-29 13:45 53760 --sha-w- c:\windows\system32\vamegeye.dll
2009-07-29 13:42 . 2009-07-29 13:42 52736 --sha-w- c:\windows\system32\viwawobi.dll.tmp
2009-07-29 13:45 . 2009-07-29 13:45 53760 --sha-w- c:\windows\system32\yiyigini.dll
2009-07-29 13:43 . 2009-07-29 13:43 1052192 --sha-w- c:\windows\system32\zasepago.exe
.
------- Sigcheck -------
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . D9F19E78F98834CB411D6AD3C68D181A . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot_2009-10-29_13.31.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-04 15:12 . 2009-11-04 15:12 16384 c:\windows\temp\Perflib_Perfdata_4ac.dat
+ 2008-04-14 12:00 . 2008-04-14 12:00 87552 c:\windows\system32\wmdtc.exe
- 2010-02-19 17:21 . 2009-10-28 18:31 71810 c:\windows\system32\perfc009.dat
+ 2010-02-19 17:21 . 2009-11-04 15:05 71810 c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2008-04-14 12:00 87552 c:\windows\system32\opeia.exe
+ 2008-04-14 12:00 . 2008-04-14 12:00 47616 c:\windows\system32\FastNetSrv.exe
+ 2009-02-19 20:51 . 2009-11-04 15:00 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-19 20:51 . 2009-10-28 18:12 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-19 20:51 . 2009-11-04 15:00 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-19 20:51 . 2009-10-28 18:12 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-26 14:48 . 2009-11-04 15:00 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-10-26 14:48 . 2009-10-28 17:30 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-10-31 13:55 . 2009-11-04 15:00 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-14 12:00 . 2008-04-14 12:00 45568 c:\windows\system32\BtwSrv.dll
+ 2009-10-29 14:02 . 2009-10-29 14:02 47616 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLiveWriter\6e2e535510bede2ff7c15d8ae53098c0\WindowsLiveWriter.ni.exe
+ 2009-10-29 13:35 . 2009-10-29 13:35 25600 c:\windows\assembly\NativeImages_v2.0.50727_32\Accessibility\e63d6d26b8a664cfdfbd4ad75e03c14d\Accessibility.ni.dll
- 2010-02-19 17:21 . 2009-10-28 18:31 442024 c:\windows\system32\perfh009.dat
+ 2010-02-19 17:21 . 2009-11-04 15:05 442024 c:\windows\system32\perfh009.dat
+ 2009-10-29 13:41 . 2009-10-29 13:41 302080 c:\windows\system32\~.exe
+ 2009-10-29 14:05 . 2009-10-29 14:05 174080 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\f82f25e143c306491dcfdcea845ada91\WindowsLive.Writer.BrowserControl.ni.dll
+ 2009-10-29 14:02 . 2009-10-29 14:02 843776 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\cf709e807175721fbfa4809a21142a51\WindowsLive.Writer.Controls.ni.dll
+ 2009-10-29 14:04 . 2009-10-29 14:04 319488 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\56562b3fab90b3b5d4ac6931118d8b3f\WindowsLive.Writer.Interop.ni.dll
+ 2009-10-29 14:05 . 2009-10-29 14:05 313856 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\551d4211cde9574615ad847741667699\WindowsLive.Writer.Interop.SHDocVw.ni.dll
+ 2009-10-29 14:03 . 2009-10-29 14:03 676352 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Security\a9e9b885a6601469c4058375cc74d856\System.Security.ni.dll
+ 2009-10-29 14:03 . 2009-10-29 14:03 311296 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\9bc34a79af9c3ed2cf17a0226c769b4c\System.Runtime.Serialization.Formatters.Soap.ni.dll
+ 2009-10-29 13:35 . 2009-10-29 13:35 381440 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IO.Log\6c273eb9d1ee8b66b5ecb073de4b785d\System.IO.Log.ni.dll
+ 2009-10-29 13:35 . 2009-10-29 13:35 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityMode#\7222db518afb4eaaa138824278249bc7\System.IdentityModel.Selectors.ni.dll
+ 2009-10-29 14:02 . 2009-10-29 14:02 971264 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\7c743462baccf29b3567b0e3ec9ac134\System.Configuration.ni.dll
+ 2009-10-29 13:35 . 2009-10-29 13:35 842240 c:\windows\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\85d7c111956b478766d90625b35d963f\AspNetMMCExt.ni.dll
+ 2009-11-04 15:14 . 2009-08-29 08:08 1208832 c:\windows\temp\x1c91959.dll
+ 2009-11-04 15:11 . 2009-08-29 08:08 1208832 c:\windows\temp\mta13187.dll
+ 2009-10-29 14:04 . 2009-10-29 14:04 2002944 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\1f8439062cab1a14f351974092e09e16\WindowsLive.Writer.CoreServices.ni.dll
+ 2009-10-29 14:02 . 2009-10-29 14:02 6392832 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\0b96d8eb446d23637b38c72e2215d0ff\WindowsLive.Writer.PostEditor.ni.dll
+ 2009-10-29 13:58 . 2009-10-29 13:58 2338304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\67ad55827f2542552b576170f0a7dc56\System.Runtime.Serialization.ni.dll
+ 2009-10-29 13:35 . 2009-10-29 13:35 1056768 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\c3b18fef5c6dc3bcdbe5df699fd21a55\System.IdentityModel.ni.dll
+ 2009-10-29 14:03 . 2009-10-29 14:03 1801216 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Deployment\c94a427baa7683f4221b91f90c18461b\System.Deployment.ni.dll
+ 2009-10-29 14:03 . 2009-10-29 14:03 2510336 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.SqlXml\272152f0cc139490729e215611a4b244\System.Data.SqlXml.ni.dll
+ 2009-10-29 14:01 . 2009-10-29 14:01 17317888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\06d6eab93282d2b136a377bd50b7c5a9\System.ServiceModel.ni.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4e232aa-bd80-4ce2-896f-f0b02c7accc7}]
fupipivo.dll [BU]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Login Software 2009"="c:\docume~1\AMYCHE~1\LOCALS~1\Temp\sxrahn013s .exe" [2009-11-04 30720]
"Yjafosi8kdf98winmdkmnkmfnwe"="c:\docume~1\AMYCHE~1\LOCALS~1\Temp\cmd .exe" [2009-11-04 30720]
"wow64main.exe"="c:\docume~1\AMYCHE~1\LOCALS~1\Temp\wow64main.exe" [2009-11-04 30720]
"PopRock"="c:\docume~1\AMYCHE~1\LOCALS~1\Temp\b.exe" [2009-11-04 30720]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-11-04 30720]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-11-04 30720]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-11-04 30720]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2009-11-04 30720]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2009-11-04 30720]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2009-11-04 30720]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2008-04-14 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-06-24 53096]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2009-11-04 30720]
"jedohapoj"="c:\windows\system32\kenayiba.dll" [2009-07-29 92160]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-02-13 17508864]
"seyisevede"="vamegeye.dll" - c:\windows\system32\vamegeye.dll [2009-07-29 53760]
c:\documents and settings\Amy Chen\Start Menu\Programs\Startup\
scandisk.dll [2009-3-21 23552]
scandisk.lnk - c:\windows\system32\rundll32.exe [2010-2-19 33280]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-2 604776]
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-2-19 376832]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{2ecf8c98-2d82-409d-a89f-a5d9b15415cd}"= "c:\windows\system32\kenayiba.dll" [2009-07-29 92160]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"nimejewet"= {2ecf8c98-2d82-409d-a89f-a5d9b15415cd} - c:\windows\system32\kenayiba.dll [2009-07-29 92160]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe logon.exe"
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\windows\system32\kenayiba.dll,yiyigini.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli vamegeye.dll yiyigini.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\explorer.exe"=
"c:\\WINDOWS\\system32\\logonui.exe"=
"c:\\WINDOWS\\system32\\winlogon.exe"=
"c:\\WINDOWS\\system32\\lsass.exe"=
R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [2/19/2010 12:21 PM 14336]
R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [4/14/2008 7:00 AM 47616]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2/19/2009 2:22 PM 55136]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 8:09 PM 11032]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/30/2008 4:41 PM 116664]
R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [2/19/2009 2:02 PM 10752]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/31/2009 10:49 PM 102448]
R3 Ktp;Elantech Smart-Pad;c:\windows\system32\drivers\ETD.sys [7/31/2008 9:24 PM 93696]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [11/4/2008 4:28 AM 38400]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/19/2009 1:56 PM 1684736]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [12/8/2008 5:01 PM 533344]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - AEC
*NewlyCreated* - BTWSRV
*Deregistered* - mbr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
.
Contents of the 'Scheduled Tasks' folder
2009-11-04 c:\windows\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
- c:\windows\msa.exe [2009-11-04 14:49]
2009-11-04 c:\windows\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job
- c:\docume~1\AMYCHE~1\LOCALS~1\Temp\b.exe [2009-11-04 15:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\Amy Chen\Application Data\Mozilla\Firefox\Profiles\6qm4eeji.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Amy Chen\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
HKU-Default-Run-Yjafosi8kdf98winmdkmnkmfnwe - c:\windows\TEMP\svchost.exe
SharedTaskScheduler-<NO NAME> - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-04 10:13
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\Install.txt 266 bytes
scan completed successfully
hidden files: 1
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,96,44,2c,d8,a1,66,c2,4f,93,d6,8e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,96,44,2c,d8,a1,66,c2,4f,93,d6,8e,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\WININET.dll
- - - - - - - > 'lsass.exe'(792)
c:\windows\system32\WININET.dll
c:\windows\system32\vamegeye.dll
c:\windows\system32\yiyigini.dll
- - - - - - - > 'Explorer.exe'(3964)
c:\windows\system32\WININET.dll
c:\windows\system32\kenayiba.dll
c:\windows\system32\vamegeye.dll
c:\windows\system32\yiyigini.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
c:\windows\system32\BTNEIG~1.DLL
c:\windows\system32\wbtapi.dll
c:\windows\system32\btwpimif.dll
c:\windows\system32\btosif.dll
c:\windows\system32\btrez.dll
c:\windows\system32\btwicons.dll
c:\windows\system32\BtXpPanel.Dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\jay.com\CF24451.exe
c:\program files\EeePC\ACPI\AsAcpiSvr .exe
c:\program files\EeePC\ACPI\AsEPCMon .exe
c:\program files\EeePC\ACPI\AsTray .exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\progra~1\SYMANT~1\VPTray .exe
c:\windows\system32\wmdtc.exe
c:\program files\Adobe\Reader 8.0\Reader\AcroRd32.exe
c:\docume~1\AMYCHE~1\LOCALS~1\Temp\ctv1176.exe
c:\windows\system32\lsm32.sys
c:\jay.com\PEV.cfxxe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Internet Explorer\IEXPLORE.EXE
.
**************************************************************************
.
Completion time: 2009-11-04 10:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-04 15:31
ComboFix2.txt 2009-10-29 13:36
ComboFix3.txt 2009-10-28 18:12
Pre-Run: 28,310,196,224 bytes free
Post-Run: 28,305,600,512 bytes free
- - End Of File - - A2ECCEA317788474B03854418507F83C
#12
Posted 06 November 2009 - 02:05 AM
Edited by Raktor, 06 November 2009 - 02:09 AM.
#13
Posted 06 November 2009 - 02:08 AM
Download a new copy from one of the links below.
Link 1
Link 2
1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
Suspect::[88]
c:\windows\system32\igfxtray.exe
c:\windows\system32\igfxtray .exe
c:\program files\EeePC\ACPI\AsTray.exe
c:\program files\EeePC\ACPI\AsTray .exe
KillAll::
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=-
"HotKeysCmds"=-
"Persistence"=-
"AsusTray"=-
"AsusACPIServer"=-
"AsusEPCMonitor"=-
"vptray"=-
"jedohapoj"=-
"seyisevede"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe"
"Userinit"="c:\windows\system32\userinit.exe,"
Driver::
BtwSrv
NetSvcs::
BtwSrv
Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
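As an added example (not part of this thread, and not ComboFix's own tooling): a small Python parser that reads the "Other Running Processes" section of a ComboFix log and flags the two patterns the helper's Suspect:: list pairs up above, a filename with a space just before its extension (AsTray .exe beside AsTray.exe) and an executable running from a Temp folder. The log excerpt is constructed from entries shown in the log above; treating these two patterns as triage flags is a heuristic assumed here, not a rule stated in the thread.

```python
import re

# Constructed excerpt modelled on the "Other Running Processes" section of the log above.
SAMPLE_LOG = r"""
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\EeePC\ACPI\AsTray .exe
c:\progra~1\SYMANT~1\VPTray .exe
c:\docume~1\AMYCHE~1\LOCALS~1\Temp\ctv1176.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
.
**************************************************************************
"""

SECTION_RE = re.compile(r"^-+\s*Other Running Processes\s*-+$")
# A space immediately before the extension: "AsTray .exe" instead of "AsTray.exe".
SPACE_BEFORE_EXT_RE = re.compile(r" \.[A-Za-z0-9]{1,4}$")
# Any path component named Temp or Tmp (matches the 8.3 short form LOCALS~1\Temp too).
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def running_processes(log_text):
    """Return the file paths listed under 'Other Running Processes'."""
    paths, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if SECTION_RE.match(line):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("***"):      # the section ends at the asterisk rule
            break
        if line and line != ".":        # ComboFix pads sections with lone dots
            paths.append(line)
    return paths


def flag_process(path):
    """Return the list of heuristic reasons (assumed here) a path deserves a second look."""
    reasons = []
    filename = path.rsplit("\\", 1)[-1]
    if SPACE_BEFORE_EXT_RE.search(filename):
        reasons.append("space before extension")
    if TEMP_DIR_RE.search(path):
        reasons.append("runs from Temp directory")
    return reasons


def triage(log_text):
    """Map every flagged running-process path to its reasons; clean paths are omitted."""
    flagged = {}
    for path in running_processes(log_text):
        reasons = flag_process(path)
        if reasons:
            flagged[path] = reasons
    return flagged
```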
#14
Posted 06 November 2009 - 11:15 PM
Sorry for yet another problem!
#15
Posted 07 November 2009 - 12:30 AM
1. Restart your computer
2. Before Windows loads, you will be prompted to choose which Operating System to start
3. Use the up and down arrow keys to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press Enter.
5. At the C:\Windows prompt, type the following bolded text, and press Enter:
cd erdnt\subs
6. At the next prompt, type the following bolded text, and press Enter:
batch erdnt.con
7. The erunt backups will begin copying.
8. At the next prompt, type the following bolded text, and press Enter:
exit
Windows will now begin loading.
Edited by Raktor, 07 November 2009 - 01:04 AM.