Windows Police Pro



#1
jay_sohhn

I've gotten infected with windows police pro. I've tried downloading the tools you recommend before posting to this forum, however the virus simply does not let me do anything. I tried logging into windows using safe mode, safe mode with networking, and safe mode with command prompt, all of which do not allow me to get to my desktop. I also tried logging in with last known good configuration, which gets me to the desktop, but Police Pro immediately pops up and freezes me up. Once I get to the desktop, the virus starts up and I am completely paralyzed ... nothing runs. Once, by a stroke of luck, I suppose, I was able to get to My Computer and access my flash drive. But when I tried running TFC, the virus prevented the program from running. I am running Windows XP on an Asus EeePC. And since I'm unable to get on the internet from that computer, I'm using another computer to write this post. Any help would be GREATLY appreciated!


#2
Raktor

Hi, welcome to the G2G Forums. My username is Raktor, and I would be glad to help you with your malware issues. I'd be grateful if you would note the following:

  • Absence of symptoms does not always mean the computer is clean.
  • Please do not run any scans or fixes without my direction.
  • Finally, stay with this topic until I give you the final 'All clear' post.

I'll give you these instructions, hoping that you get that stroke of luck again and you get to your desktop. If not, let me know, and we'll go for something a little more complex to try and stop the malware from loading on boot.

1) exeHelper
Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (it will be created in the directory where you ran exeHelper.com, and should open at the end of the scan).
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

2) DDS
Please download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.

3) RR
Please download RootRepeal.zip.
Save it to your Desktop. Alternate download links here or here.
Please print these instructions; you will not have an Internet connection!
If you have a 3rd party "unzipping" program...use it to open the zipped file...then skip to Step 5. Otherwise...
  • Right click on RootRepeal.zip and select "Extract All"....
  • Click Next on the "Welcome to the Compressed (zipped) Folders Extraction Wizard."
  • Click on the Browse...button, then click on Desktop, then click OK.
  • Once done, check (tick) the Show extracted files box and click Finish.
  • Before running RootRepeal:
    • Disconnect from the Internet as your system will be unprotected while using this tool.
      Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
  • Open the RootRepeal folder and double-click on RootRepeal.exe to launch it.
  • When the program opens, click the Report tab at the bottom, then click the Scan button.
  • In the Select Scan dialog, which asks What do you want to include in the scan?, check ALL the boxes.
  • Click OK.
  • In the Select Drives dialog, Please select drives to scan:, select all drives showing, then click OK.
    The scan can take some time to finish. Do not use the computer while the scan is running.
    When the scan has completed, a list of files will be generated in the RootRepeal window.
  • Click on the Save Report button and save it as "rootrepeal.txt" to your desktop.
  • Close and exit RootRepeal
  • Double-click on the file rootrepeal.txt... Notepad will open... copy/paste the file contents in your next reply.

Make sure to enable your anti-virus, Firewall and any other security programs you disabled.
Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "safe mode".

4) What You Will Need To Post:
  • exeHelper log
  • DDS logs
  • RR log


#3
jay_sohhn

Hi, Raktor -
Here's what I was able to do: I downloaded exeHelper to my flash drive from another computer (the one I'm using now), since my infected computer cannot get onto the internet reliably. I was able to save exeHelper to the desktop of my infected computer and run it. The txt file for this is posted below.

I saved DDS to my flash drive too and was also able to save it to the desktop of the infected computer. It ran; however, no txt files were generated. I tried multiple times, and all I was able to get was the black screen for the DDS program...it just seemed to pause there. After 15 minutes, I gave up on it. So there are no txt files posted from DDS.

I then tried RootRepeal. I downloaded it to the flash drive and ran it from the infected computer. It ran; it seemed to have scanned for about 30 seconds, and then the RootRepeal screen disappeared and no txt files were generated.

exeHelper by Raktor
Build 20091021
Run at 10:29:22 on 10/26/09
Now searching...
Checking for numerical processes...
Deleting file C:\Documents and Settings\All Users\Application Data\26326423\26326423.exe
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\26326423
Checking for bad processes...
Checking for bad files...
Deleting file C:\WINDOWS\svchast.exe
Deleting file C:\WINDOWS\system32\AVR09.exe
Deleting file C:\WINDOWS\system32\~.exe
Deleting file C:\WINDOWS\system32\winupdate.exe
Deleting file C:\WINDOWS\system32\winhelper.dll
Deleting file C:\WINDOWS\system32\pump.exe
Deleting file C:\WINDOWS\system32\calc.dll
Deleting file C:\WINDOWS\system32\lsm32.sys
Deleting file C:\WINDOWS\system32\opeia.exe
Deleting file C:\WINDOWS\system32\BtwSrv.dll
Error deleting C:\WINDOWS\system32\BtwSrv.dll
Deleting file C:\WINDOWS\wf3.dat
Deleting file C:\WINDOWS\wf4.dat
Deleting file C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe
Deleting file C:\Program Files\AdvancedVirusRemover\PAVRM.exe
Deleting file C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.cfg
Deleting file C:\Program Files\Windows Police Pro\msvcm80.dll
Deleting file C:\Program Files\Windows Police Pro\msvcp80.dll
Deleting file C:\Program Files\Windows Police Pro\msvcr80.dll
Deleting file C:\Documents and Settings\Amy Chen\Desktop\Windows Police Pro.lnk
Deleting file C:\Documents and Settings\Amy Chen\Desktop\AntivirusPro_2010.lnk
Deleting file C:\Documents and Settings\Amy Chen\ntuser.dll
Deleting file C:\Documents and Settings\Amy Chen\Start Menu\Programs\Startup\scandisk.dll
Deleting file C:\Documents and Settings\Amy Chen\Start Menu\Programs\Startup\scandisk.lnk
Deleting file C:\Documents and Settings\Amy Chen\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
Deleting file C:\Documents and Settings\Amy Chen\Application Data\svcst.exe
Deleting file C:\Documents and Settings\Amy Chen\Application Data\seres.exe
Checking for bad registry entries...
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate.exe
Removing HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antivirus Pro 2010
Removing HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Login Software 2009
Removing HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost
Removing HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mserv
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

After I finished doing the RootRepeal scan, it seemed like the virus just opened up a billion "scanning for virus" windows and my computer completely froze. I forced it to shut down. That's where I am now. THANKS!

Edited by jay_sohhn, 26 October 2009 - 09:16 AM.


#4
Raktor

We put a dint in it anyway - which is a good start. :)

Download Combofix from any of the links below but rename it to jay.com before saving it to your desktop.

Link 1
Link 2


==================================

Double-click on the renamed ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.


#5
jay_sohhn

Thanks for your help so far, Raktor. I was able to download Combofix.exe and was also able to rename it as Jay.com before saving it to the desktop. I should note that at first the virus was creating a massive amount of pop-ups, so I closed them as they came up since the Combofix program kept telling me that I needed to close all windows while it ran. It forced me to restart windows, and once it did that, it seemed like combofix just took over from there because it was very smooth sailing after that restart. It asked me to download something so that it could get rid of the infections, which I let it do. Below, you'll see the output from the log. I look forward to the next set of instructions ... thanks again!
------------------------------------------------------------------------------------

ComboFix 09-10-27.08 - Amy Chen 10/28/2009 13:54.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.492 [GMT -4:00]
Running from: c:\documents and settings\Amy Chen\Desktop\Jay.com.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
ADS - svchost.exe: deleted 31744 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\AMYCHE~1\LOCALS~1\Temp\502.exe
c:\docume~1\AMYCHE~1\LOCALS~1\Temp\lsass.exe
c:\docume~1\AMYCHE~1\LOCALS~1\Temp\services.exe
c:\documents and settings\All Users\Application Data\31858934
c:\documents and settings\All Users\Application Data\31858934\31858934 .exe
c:\documents and settings\All Users\Application Data\31858934\31858934.exe
c:\documents and settings\All Users\Application Data\mykypevad.exe
c:\documents and settings\All Users\Documents\atuzyjel.reg
c:\documents and settings\All Users\Documents\fuzaxycuxe._sy
c:\documents and settings\All Users\Documents\uratihezi.dl
c:\documents and settings\Amy Chen\alcmtr .exe
c:\documents and settings\Amy Chen\Application Data\gysap.com
c:\documents and settings\Amy Chen\Application Data\iniasd.txt
c:\documents and settings\Amy Chen\Application Data\lizkavd.exe
c:\documents and settings\Amy Chen\Application Data\svcst .exe
c:\documents and settings\Amy Chen\Application Data\yhipyfypu.dl
c:\documents and settings\Amy Chen\Desktop\Security Tool.lnk
c:\documents and settings\Amy Chen\Local Settings\Application Data\ehywofybyz.dll
c:\documents and settings\Amy Chen\Local Settings\Application Data\fovexapy.dl
c:\documents and settings\Amy Chen\Local Settings\Application Data\fozuqa.exe
c:\documents and settings\Amy Chen\Local Settings\Temporary Internet Files\xalibe._dl
c:\documents and settings\Amy Chen\Local Settings\Temporary Internet Files\yvaciqa.pif
c:\documents and settings\Amy Chen\ntuser.dll
c:\documents and settings\Amy Chen\rthdcpl .exe
c:\documents and settings\Amy Chen\Start Menu\Programs\AntivirusPro_2010
c:\documents and settings\Amy Chen\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
c:\documents and settings\Amy Chen\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
c:\documents and settings\Amy Chen\Start Menu\Programs\Security Tool.lnk
c:\documents and settings\Amy Chen\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\Amy Chen\Start Menu\Programs\Startup\scandisk.lnk
c:\documents and settings\Amy Chen\Start Menu\Programs\Windows Police Pro
c:\documents and settings\Amy Chen\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk
c:\documents and settings\NetworkService\ntuser.dll
C:\houkh.exe
C:\iopuabg.exe
C:\ntldrs
c:\program files\AntivirusPro_2010
c:\program files\Common Files\silix.dl
c:\program files\Windows Police Pro
c:\recycler\S-1-5-21-0243936033-3052116371-381863308-1811
c:\recycler\S-1-5-21-0243936033-3052116371-381863308-1858
c:\recycler\S-1-5-21-3262063871-891380153-889118470-1003
c:\recycler\S-1-5-21-3937801559-8808261763-161498522-5729
c:\windows\elorej.inf
c:\windows\enex._dl
c:\windows\ganug.vbs
c:\windows\iceg.inf
c:\windows\Install.txt
c:\windows\oryvopin.bin
c:\windows\pamalyxe.dll
c:\windows\rikofoseh.dl
c:\windows\system32\_scui.cpl
c:\windows\system32\6to4v32.dll
c:\windows\system32\api.dat
c:\windows\system32\api32.dll
c:\windows\system32\bedo.scr
c:\windows\system32\buvujano.dll
c:\windows\system32\calc.dll
c:\windows\system32\certstore.dat
c:\windows\system32\ctfmon .exe
c:\windows\system32\dafanose.dll
c:\windows\system32\ebari.reg
c:\windows\system32\ejsut89.dll
c:\windows\system32\fehamito.dll
c:\windows\system32\FInstall.sys
c:\windows\system32\fisalunu.exe
c:\windows\system32\ftbusk54.dll
c:\windows\system32\giwovumo.dll
c:\windows\system32\govegomu.exe
c:\windows\system32\higubuli.dll
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxpers .exe
c:\windows\system32\igfxtray .exe
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\Install.txt
c:\windows\system32\isasdk.sys
c:\windows\system32\mofawulo.dll
c:\windows\system32\mumehuve.dll
c:\windows\system32\nunupofa.dll
c:\windows\system32\ritelo.inf
c:\windows\system32\sosafimi.dll
c:\windows\system32\titodopu.dll
c:\windows\system32\todolaze.dll
c:\windows\system32\ulabazequ.bat
c:\windows\system32\updatenf.dll
c:\windows\system32\viyiyini.dll
c:\windows\system32\vubuvuha.exe
c:\windows\system32\wewefove.exe
c:\windows\system32\wibakihi.dll
c:\windows\system32\winupdate .exe
c:\windows\system32\wispex.html
c:\windows\system32\wojajugi.dll
c:\windows\system32\xa7Wdel.dll
c:\windows\TEMP\mta13187.dll
c:\windows\xavyk.reg

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_ANTIPOL
-------\Legacy_ICF
-------\Legacy_ISASDK
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_6to4
-------\Service_ICF
-------\Service_isasdk


((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-28 )))))))))))))))))))))))))))))))
.

2011-02-27 04:02 . 2009-10-28 18:05 -------- d-----w- c:\program files\Elantech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-19 18:34 . 2010-02-19 18:34 -------- d-----w- c:\program files\microsoft frontpage
2010-02-19 18:32 . 2010-02-19 18:32 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-10-28 18:05 . 2009-06-04 05:45 -------- d-----w- c:\program files\Symantec AntiVirus
2009-10-28 18:05 . 2009-10-10 00:34 30720 ----a-w- c:\documents and settings\Amy Chen\rthdcpl.exe
2009-10-28 18:05 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\igfxpers.exe
2009-10-28 18:05 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\hkcmd.exe
2009-10-28 18:05 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\igfxtray.exe
2009-10-28 18:03 . 2009-10-28 17:49 46640 ----a-w- c:\windows\system32\msln.exe
2009-10-28 17:47 . 2009-10-09 03:45 407062 ----a-w- c:\windows\system32\raidmg.dll
2009-10-28 17:32 . 2009-07-28 17:32 39424 --sha-w- c:\windows\system32\migitiho.dll
2009-10-28 17:31 . 2009-10-10 00:34 30720 ----a-w- c:\documents and settings\Amy Chen\alcmtr.exe
2009-10-28 17:29 . 2009-10-10 00:33 0 ----a-r- c:\windows\win32k.sys
2009-10-26 14:59 . 2009-10-26 14:59 0 ----a-w- c:\documents and settings\Amy Chen\settings.dat
2009-10-26 14:56 . 2009-06-07 16:21 -------- d-----w- c:\documents and settings\Amy Chen\Application Data\U3
2009-10-26 14:48 . 2009-10-26 14:48 79360 ----a-w- C:\jfmyjbqy.exe
2009-10-26 14:48 . 2009-10-26 14:48 52736 ----a-w- C:\xgmqcrh.exe
2009-10-26 14:48 . 2009-10-26 14:48 96256 ----a-w- C:\fospdj.exe
2009-10-26 14:29 . 2009-10-10 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\26326423
2009-10-10 18:20 . 2009-10-10 01:51 131731 ----a-w- c:\windows\system32\dbsinit.exe
2009-10-10 17:56 . 2009-07-10 17:56 1050147 --sha-w- c:\windows\system32\luravufa.exe
2009-10-10 00:33 . 2010-02-19 17:21 14336 ----a-w- c:\windows\system32\svchost.exe
2009-10-10 00:33 . 2010-02-19 17:21 30720 ----a-w- c:\windows\system32\ctfmon.exe
2009-10-10 00:33 . 2009-10-10 00:33 207872 ----a-w- C:\pnmykhft.exe
2009-10-10 00:33 . 2009-10-10 00:33 79360 ----a-w- C:\xcnq.exe
2009-10-10 00:33 . 2009-10-10 00:33 30720 ----a-w- C:\qvnvkmid.exe
2009-10-10 00:33 . 2009-10-10 00:33 24576 ----a-w- C:\giyoijfx.exe
2009-10-09 03:45 . 2009-10-09 03:45 98304 ----a-w- c:\windows\system32\kbdatat4.dll
2009-10-09 03:45 . 2009-10-09 03:45 19456 ----a-w- C:\dslagxb.exe
2009-10-09 03:45 . 2009-10-09 03:45 52224 ----a-w- C:\elboofy.exe
2009-10-09 03:45 . 2009-10-09 03:45 21504 ----a-w- C:\tixqapi.exe
2009-10-09 03:45 . 2009-10-09 03:45 39936 ----a-w- C:\mkjjnwwp.exe
2009-09-24 04:55 . 2009-02-19 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-14 01:57 . 2009-06-03 15:38 92344 ----a-w- c:\documents and settings\Amy Chen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-14 01:57 . 2009-07-20 20:37 -------- d-----w- c:\documents and settings\Amy Chen\Application Data\Move Networks
2009-09-10 03:34 . 2009-07-03 15:34 -------- d-----w- c:\documents and settings\Amy Chen\Application Data\Skype
2009-09-09 23:30 . 2009-07-03 15:35 -------- d-----w- c:\documents and settings\Amy Chen\Application Data\skypePM
2009-09-01 04:24 . 2009-06-10 23:55 -------- d-----w- c:\program files\Java
2009-08-29 19:44 . 2009-06-04 05:38 -------- d-----w- c:\program files\MSBuild
2009-08-29 19:44 . 2009-08-29 19:44 -------- d-----w- c:\program files\Reference Assemblies
2009-08-05 09:01 . 2010-02-19 17:21 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2008-05-07 08:34 . 2009-02-19 19:07 15523560 ----a-w- c:\program files\U1 Setup.exe
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . D9F19E78F98834CB411D6AD3C68D181A . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys

[-] 2009-10-10 00:33 . 0334B4EB4FBFB33C0F821D94BD30C7FA . 30720 . . [------] . . c:\windows\system32\ctfmon.exe
[7] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-10-28 30720]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-10-28 30720]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-10-28 30720]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2009-10-28 30720]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2009-10-28 30720]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2009-10-28 30720]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2008-04-14 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2009-10-28 30720]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-06-24 53096]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2009-10-28 30720]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-02-13 17508864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-2 604776]
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-2-19 376832]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [2/19/2010 1:21 PM 14336]
R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [4/14/2008 8:00 AM 47104]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2/19/2009 3:22 PM 55136]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 9:09 PM 11032]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/30/2008 5:41 PM 116664]
R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [2/19/2009 3:02 PM 10752]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/31/2009 11:49 PM 102448]
R3 Ktp;Elantech Smart-Pad;c:\windows\system32\drivers\ETD.sys [7/31/2008 10:24 PM 93696]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [11/4/2008 5:28 AM 38400]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/19/2009 2:56 PM 1684736]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [12/8/2008 6:01 PM 533344]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - BTWSRV
*Deregistered* - mbr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
.
Contents of the 'Scheduled Tasks' folder

2009-08-14 c:\windows\Tasks\NSSstub.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2009-08-14 01:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\Amy Chen\Application Data\Mozilla\Firefox\Profiles\6qm4eeji.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Amy Chen\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{a4e232aa-bd80-4ce2-896f-f0b02c7accc7} - mumehuve.dll
HKLM-Run-31858934 - c:\docume~1\ALLUSE~1\APPLIC~1\31858934\31858934.exe
HKLM-Run-jedohapoj - c:\windows\system32\titodopu.dll
HKLM-Run-seyisevede - higubuli.dll
SharedTaskScheduler-<NO NAME> - (no file)
SharedTaskScheduler-{2a6d6a57-e02c-4c36-9a08-6d1f7170a48b} - c:\windows\system32\titodopu.dll
SSODL-sifiroyiz-{2a6d6a57-e02c-4c36-9a08-6d1f7170a48b} - c:\windows\system32\titodopu.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-28 14:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\Install.txt 265 bytes
c:\windows\system32\BtwSrv.dllx 46592 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2688)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\jay.com\CF14337.exe
c:\program files\EeePC\ACPI\AsTray .exe
c:\program files\EeePC\ACPI\AsEPCMon .exe
c:\program files\EeePC\ACPI\AsAcpiSvr .exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Elantech\ETDCtrl .exe
c:\progra~1\SYMANT~1\VPTray .exe
c:\windows\system32\wmdtc.exe
c:\windows\system32\wscntfy.exe
c:\docume~1\AMYCHE~1\LOCALS~1\Temp\ctv213.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\windows\system32\lsm32.sys
c:\jay.com\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-28 14:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-28 18:12

Pre-Run: 28,485,570,560 bytes free
Post-Run: 28,366,045,184 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 45297387D4265896916768CD975480C8
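A defender's triage pass over a ComboFix log like the one above, added here as an example (not part of the thread, and not a ComboFix or Geeks to Go tool). It runs over a constructed sample built from lines copied from that log and flags the three patterns the log shows: Sigcheck entries marked [-] (a system file whose hash no longer matches a known-good build, with the dllcache copy as reference), the cluster of autorun targets that all became 30720 bytes on 2009-10-28 (one stub overwriting unrelated vendors' programs), and "name .exe" files with a space before the extension (the renamed originals). The regular expressions and the min_count threshold are my assumptions, not ComboFix's.

```python
"""Triage a ComboFix-style log (added example; not ComboFix's own code)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
------- Sigcheck -------
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . D9F19E78F98834CB411D6AD3C68D181A . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[-] 2009-10-10 00:33 . 0334B4EB4FBFB33C0F821D94BD30C7FA . 30720 . . [------] . . c:\windows\system32\ctfmon.exe
[7] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ctfmon.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-10-28 30720]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2009-10-28 30720]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2009-10-28 30720]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-06-24 53096]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-02-13 17508864]
2009-10-29 13:07 . 2009-10-10 00:34 30720 ----a-w- c:\documents and settings\Amy Chen\rthdcpl .exe
------------------------ Other Running Processes ------------------------
c:\program files\EeePC\ACPI\AsTray .exe
c:\progra~1\SYMANT~1\VPTray .exe
c:\windows\system32\wscntfy.exe
"""

# Line shapes below are my reading of the log format, not a published grammar.
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\] (?P<date>[\d-]+(?: [\d:]+)?) \. (?P<md5>[0-9A-F]{32})"
    r" \. (?P<size>\d+) \. \. \[(?P<ver>[^\]]*)\] \. \. (?P<path>.+)$")
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"=.*?(?P<path>[a-z]:\\[^\[]+?)"? \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$',
    re.IGNORECASE)
# A space before the extension: the original binary, renamed so the stub can still launch it.
RENAMED_RE = re.compile(r"(?P<path>[a-z]:\\.*\S \.(?:exe|dll|sys|com))$", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def sigcheck_mismatches(log: str) -> List[Dict[str, Optional[str]]]:
    """Sigcheck lines flagged [-] (hash is not a known-good build), each paired
    with the MD5/size of the dllcache copy of the same file name as reference."""
    entries = []
    for line in log.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    reference = {_basename(e["path"]): e for e in entries if "\\dllcache\\" in e["path"].lower()}
    found = []
    for e in entries:
        if e["flag"] != "-":
            continue
        ref = reference.get(_basename(e["path"]))
        found.append({"path": e["path"], "md5": e["md5"], "size": e["size"],
                      "reference_md5": ref["md5"] if ref else None,
                      "reference_size": ref["size"] if ref else None})
    return found


def cloned_autoruns(log: str, min_count: int = 3) -> Dict[Tuple[str, str], List[str]]:
    """Group Run-key targets by (date, size). Unrelated programs that all share one
    date and size were overwritten by the same stub; min_count is my threshold."""
    groups: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for line in log.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            groups[(m["date"], m["size"])].append(m["path"])
    return {key: paths for key, paths in groups.items() if len(paths) >= min_count}


def renamed_originals(log: str) -> List[str]:
    """Paths like 'AsTray .exe' anywhere in the log: the displaced originals."""
    hits = []
    for line in log.splitlines():
        m = RENAMED_RE.search(line.strip())
        if m:
            hits.append(m["path"])
    return hits


def triage(log: str) -> Dict[str, int]:
    """One-line verdict: how many findings each check produced."""
    return {"sigcheck_mismatches": len(sigcheck_mismatches(log)),
            "stub_clusters": len(cloned_autoruns(log)),
            "renamed_originals": len(renamed_originals(log))}


if __name__ == "__main__":
    for e in sigcheck_mismatches(SAMPLE_LOG):
        print(f"[-] {e['path']}: {e['size']} bytes, dllcache copy is {e['reference_size']}")
    for (date, size), paths in cloned_autoruns(SAMPLE_LOG).items():
        print(f"stub cluster {date} {size} bytes: " + ", ".join(paths))
    for p in renamed_originals(SAMPLE_LOG):
        print("renamed original:", p)
```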

#6
Raktor

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

http://www.geekstogo...ro-t256562.html

Collect::
c:\windows\win32k.sys
C:\jfmyjbqy.exe
C:\xgmqcrh.exe
C:\fospdj.exe
c:\windows\system32\dbsinit.exe
c:\windows\system32\luravufa.exe
C:\pnmykhft.exe
C:\xcnq.exe
C:\qvnvkmid.exe
C:\giyoijfx.exe
C:\dslagxb.exe
C:\elboofy.exe
C:\tixqapi.exe
C:\mkjjnwwp.exe
c:\windows\system32\BtwSrv.dllx

Folder::
c:\documents and settings\All Users\Application Data\26326423

Driver::
BtwSrv

NetSvcs::
BtwSrv

FCopy::
c:\windows\system32\dllcache\ctfmon.exe | c:\windows\system32\ctfmon.exe


Save this as "CFScript.txt", and as Type: All Files (*.*), in the same location as ComboFix.exe.


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

#7
jay_sohhn

Hi, Raktor -
I followed the above instructions you provided. The txt report you requested is pasted below.

------------------------------------------------

ComboFix 09-10-27.08 - Amy Chen 10/29/2009 9:19.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.446 [GMT -4:00]
Running from: c:\documents and settings\Amy Chen\Desktop\Jay.com.exe
Command switches used :: c:\documents and settings\Amy Chen\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

file zipped: C:\dslagxb.exe
file zipped: C:\elboofy.exe
file zipped: C:\fospdj.exe
file zipped: C:\giyoijfx.exe
file zipped: C:\jfmyjbqy.exe
file zipped: C:\mkjjnwwp.exe
file zipped: C:\pnmykhft.exe
file zipped: C:\qvnvkmid.exe
file zipped: C:\tixqapi.exe
file zipped: c:\windows\system32\dbsinit.exe
file zipped: c:\windows\system32\luravufa.exe
file zipped: c:\windows\win32k.sys
file zipped: C:\xcnq.exe
file zipped: C:\xgmqcrh.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\26326423
c:\documents and settings\All Users\Application Data\26326423\26326423 .exe
c:\documents and settings\All Users\Application Data\26326423\26326423.bat
c:\documents and settings\Amy Chen\rthdcpl .exe
C:\dslagxb.exe
C:\elboofy.exe
C:\fospdj.exe
C:\giyoijfx.exe
C:\jfmyjbqy.exe
C:\mkjjnwwp.exe
C:\pnmykhft.exe
C:\qvnvkmid.exe
C:\tixqapi.exe
c:\windows\Install.txt
c:\windows\system32\dbsinit.exe
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxpers .exe
c:\windows\system32\Install.txt
c:\windows\system32\luravufa.exe
c:\windows\TEMP\mta13187.dll
c:\windows\TEMP\t4m0_241771713460.bk.old
c:\windows\TEMP\x1c65584.dll
c:\windows\win32k.sys
C:\xcnq.exe
C:\xgmqcrh.exe

.
--------------- FCopy ---------------

c:\windows\system32\dllcache\ctfmon.exe --> c:\windows\system32\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BTWSRV
-------\Service_BtwSrv


((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-29 )))))))))))))))))))))))))))))))
.

2011-02-27 04:02 . 2009-10-29 13:31 -------- d-----w- c:\program files\Elantech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-19 18:34 . 2010-02-19 18:34 -------- d-----w- c:\program files\microsoft frontpage
2010-02-19 18:32 . 2010-02-19 18:32 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-10-29 13:32 . 2009-10-10 00:34 30720 ----a-w- c:\documents and settings\Amy Chen\rthdcpl.exe
2009-10-29 13:31 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\igfxpers.exe
2009-10-29 13:31 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\hkcmd.exe
2009-10-29 13:31 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\igfxtray.exe
2009-10-29 13:28 . 2009-06-04 05:45 -------- d-----w- c:\program files\Symantec AntiVirus
2009-10-29 13:07 . 2009-10-10 00:34 30720 ----a-w- c:\documents and settings\Amy Chen\rthdcpl .exe
2009-10-29 13:07 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\igfxpers .exe
2009-10-28 18:05 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\igfxtray .exe
2009-10-28 17:47 . 2009-10-09 03:45 407062 ----a-w- c:\windows\system32\raidmg.dll
2009-10-28 17:32 . 2009-07-28 17:32 39424 --sha-w- c:\windows\system32\migitiho.dll
2009-10-28 17:31 . 2009-10-10 00:34 30720 ----a-w- c:\documents and settings\Amy Chen\alcmtr.exe
2009-10-26 14:59 . 2009-10-26 14:59 0 ----a-w- c:\documents and settings\Amy Chen\settings.dat
2009-10-26 14:56 . 2009-06-07 16:21 -------- d-----w- c:\documents and settings\Amy Chen\Application Data\U3
2009-10-10 00:33 . 2010-02-19 17:21 14336 ------w- c:\windows\system32\svchost.exe
2009-10-09 03:45 . 2009-10-09 03:45 98304 ----a-w- c:\windows\system32\kbdatat4.dll
2009-09-24 04:55 . 2009-02-19 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-14 01:57 . 2009-06-03 15:38 92344 ----a-w- c:\documents and settings\Amy Chen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-14 01:57 . 2009-07-20 20:37 -------- d-----w- c:\documents and settings\Amy Chen\Application Data\Move Networks
2009-09-11 14:18 . 2010-02-19 17:21 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 03:34 . 2009-07-03 15:34 -------- d-----w- c:\documents and settings\Amy Chen\Application Data\Skype
2009-09-09 23:30 . 2009-07-03 15:35 -------- d-----w- c:\documents and settings\Amy Chen\Application Data\skypePM
2009-09-04 21:03 . 2010-02-19 17:21 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 04:24 . 2009-06-10 23:55 -------- d-----w- c:\program files\Java
2009-08-29 08:08 . 2010-02-19 17:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2010-02-19 17:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:01 . 2010-02-19 17:21 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2008-04-14 00:54 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2008-04-14 00:01 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2008-05-07 08:34 . 2009-02-19 19:07 15523560 ----a-w- c:\program files\U1 Setup.exe
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . D9F19E78F98834CB411D6AD3C68D181A . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-10-28_18.05.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-29 13:30 . 2009-10-29 13:30 16384 c:\windows\temp\Perflib_Perfdata_1ac.dat
+ 2008-04-14 12:00 . 2008-04-14 12:00 86528 c:\windows\system32\wmdtc.exe
- 2010-02-19 17:21 . 2009-10-26 14:53 71810 c:\windows\system32\perfc009.dat
+ 2010-02-19 17:21 . 2009-10-28 18:31 71810 c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2008-04-14 12:00 86528 c:\windows\system32\opeia.exe
+ 2007-08-13 23:54 . 2009-08-29 08:08 55296 c:\windows\system32\msfeedsbs.dll
- 2007-08-13 23:54 . 2009-07-03 17:09 55296 c:\windows\system32\msfeedsbs.dll
- 2010-02-19 17:21 . 2009-07-03 17:09 25600 c:\windows\system32\jsproxy.dll
+ 2010-02-19 17:21 . 2009-08-29 08:08 25600 c:\windows\system32\jsproxy.dll
+ 2008-04-14 12:00 . 2008-04-14 12:00 46592 c:\windows\system32\FastNetSrv.exe
+ 2009-07-12 16:20 . 2009-08-29 08:08 12800 c:\windows\system32\dllcache\xpshims.dll
- 2009-07-12 16:20 . 2009-07-03 17:09 12800 c:\windows\system32\dllcache\xpshims.dll
- 2009-02-19 19:29 . 2009-07-03 17:09 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2009-02-19 19:29 . 2009-08-29 08:08 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2010-02-19 17:21 . 2009-09-04 21:03 58880 c:\windows\system32\dllcache\msasn1.dll
+ 2010-02-19 17:21 . 2009-08-29 08:08 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2010-02-19 17:21 . 2009-07-03 17:09 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2010-02-19 17:21 . 2008-04-14 12:00 15360 c:\windows\system32\ctfmon .exe
+ 2009-02-19 20:51 . 2009-10-28 18:12 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-19 20:51 . 2009-10-28 17:49 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-19 20:51 . 2009-10-28 17:49 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-19 20:51 . 2009-10-28 18:12 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-06-24 23:56 . 2009-06-24 23:56 73728 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe
+ 2008-05-28 04:49 . 2008-05-28 04:49 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2007-04-14 01:58 . 2007-04-14 01:58 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2007-04-14 01:57 . 2007-04-14 01:57 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2008-05-28 04:49 . 2008-05-28 04:49 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2008-05-28 04:49 . 2008-05-28 04:49 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2007-04-14 01:57 . 2007-04-14 01:57 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2007-04-14 02:30 . 2007-04-14 02:30 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2008-05-28 05:30 . 2008-05-28 05:30 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2009-10-28 18:27 . 2009-07-03 17:09 12800 c:\windows\ie8updates\KB974455-IE8\xpshims.dll
+ 2009-10-28 18:27 . 2009-07-03 17:09 55296 c:\windows\ie8updates\KB974455-IE8\msfeedsbs.dll
+ 2009-10-28 18:27 . 2009-07-03 17:09 25600 c:\windows\ie8updates\KB974455-IE8\jsproxy.dll
+ 2009-10-28 18:23 . 2009-10-28 18:23 90112 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_c9935a78\System.Drawing.Design.dll
+ 2009-10-28 18:23 . 2009-10-28 18:23 61440 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_2477a54e\CustomMarshalers.dll
+ 2009-10-29 13:13 . 2009-10-29 13:13 60928 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\b4a9e413d5cd6d6ec2d50aa05381e293\UIAutomationProvider.ni.dll
+ 2009-10-29 13:09 . 2009-10-29 13:09 47104 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\3dd0f86c966c75755d62eab8ddf0634c\PresentationFontCache.ni.exe
+ 2009-10-29 13:08 . 2009-10-29 13:08 39424 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCFFRast#\034d081fe294bab1ee1ecc98c1181424\PresentationCFFRasterizer.ni.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2010-02-19 17:21 . 2009-04-02 03:02 604160 c:\windows\system32\wmspdmod.dll
+ 2010-02-19 17:21 . 2009-10-28 18:31 442024 c:\windows\system32\perfh009.dat
- 2010-02-19 17:21 . 2009-10-26 14:53 442024 c:\windows\system32\perfh009.dat
+ 2010-02-19 17:21 . 2009-08-29 08:08 206848 c:\windows\system32\occache.dll
- 2010-02-19 17:21 . 2009-07-03 17:09 206848 c:\windows\system32\occache.dll
- 2007-08-13 23:54 . 2009-07-03 17:09 594432 c:\windows\system32\msfeeds.dll
+ 2007-08-13 23:54 . 2009-08-29 08:08 594432 c:\windows\system32\msfeeds.dll
+ 2010-02-19 17:21 . 2009-08-29 08:08 184320 c:\windows\system32\iepeers.dll
- 2010-02-19 17:21 . 2009-07-03 17:09 184320 c:\windows\system32\iepeers.dll
+ 2010-02-19 17:21 . 2009-08-29 08:08 387584 c:\windows\system32\iedkcs32.dll
- 2010-02-19 17:21 . 2009-07-03 11:01 173056 c:\windows\system32\ie4uinit.exe
+ 2010-02-19 17:21 . 2009-08-28 10:35 173056 c:\windows\system32\ie4uinit.exe
+ 2010-02-19 17:21 . 2009-04-02 03:02 604160 c:\windows\system32\dllcache\wmspdmod.dll
+ 2010-02-19 17:21 . 2009-08-29 08:08 916480 c:\windows\system32\dllcache\wininet.dll
+ 2010-02-19 17:21 . 2009-08-26 08:00 247326 c:\windows\system32\dllcache\strmdll.dll
- 2010-02-19 17:21 . 2008-10-03 10:02 247326 c:\windows\system32\dllcache\strmdll.dll
+ 2010-02-19 17:21 . 2009-08-29 08:08 206848 c:\windows\system32\dllcache\occache.dll
- 2010-02-19 17:21 . 2009-07-03 17:09 206848 c:\windows\system32\dllcache\occache.dll
+ 2010-02-19 17:21 . 2009-09-11 14:18 136192 c:\windows\system32\dllcache\msv1_0.dll
- 2010-02-19 17:21 . 2009-06-25 08:25 136192 c:\windows\system32\dllcache\msv1_0.dll
- 2009-02-19 19:29 . 2009-07-03 17:09 594432 c:\windows\system32\dllcache\msfeeds.dll
+ 2009-02-19 19:29 . 2009-08-29 08:08 594432 c:\windows\system32\dllcache\msfeeds.dll
- 2009-07-12 16:20 . 2009-07-03 17:09 246272 c:\windows\system32\dllcache\ieproxy.dll
+ 2009-07-12 16:20 . 2009-08-29 08:08 246272 c:\windows\system32\dllcache\ieproxy.dll
- 2010-02-19 17:21 . 2009-07-03 17:09 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2010-02-19 17:21 . 2009-08-29 08:08 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2010-02-19 17:21 . 2009-08-29 08:08 387584 c:\windows\system32\dllcache\iedkcs32.dll
- 2010-02-19 17:21 . 2009-07-03 11:01 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2010-02-19 17:21 . 2009-08-28 10:35 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2009-08-08 03:51 . 2009-08-08 03:51 989016 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll
+ 2008-05-28 04:49 . 2008-05-28 04:49 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2007-04-14 01:58 . 2007-04-14 01:58 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2007-04-14 01:56 . 2007-04-14 01:56 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2008-05-28 04:48 . 2008-05-28 04:48 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
- 2007-04-14 02:30 . 2007-04-14 02:30 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2008-05-28 05:30 . 2008-05-28 05:30 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2009-10-28 18:27 . 2009-07-03 17:09 915456 c:\windows\ie8updates\KB974455-IE8\wininet.dll
+ 2009-10-28 18:27 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB974455-IE8\spuninst\updspapi.dll
+ 2009-10-28 18:27 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB974455-IE8\spuninst\spuninst.exe
+ 2009-10-28 18:27 . 2009-07-03 17:09 206848 c:\windows\ie8updates\KB974455-IE8\occache.dll
+ 2009-10-28 18:27 . 2009-07-03 17:09 594432 c:\windows\ie8updates\KB974455-IE8\msfeeds.dll
+ 2009-10-28 18:27 . 2009-07-03 17:09 246272 c:\windows\ie8updates\KB974455-IE8\ieproxy.dll
+ 2009-10-28 18:27 . 2009-07-03 17:09 184320 c:\windows\ie8updates\KB974455-IE8\iepeers.dll
+ 2009-10-28 18:27 . 2009-07-03 17:09 386048 c:\windows\ie8updates\KB974455-IE8\iedkcs32.dll
+ 2009-10-28 18:27 . 2009-07-03 11:01 173056 c:\windows\ie8updates\KB974455-IE8\ie4uinit.exe
+ 2009-10-28 18:23 . 2009-10-28 18:23 835584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_ea5748e8\System.Drawing.dll
+ 2009-10-28 18:24 . 2009-10-28 18:24 192512 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_e5dc6233\System.Drawing.Design.dll
+ 2009-10-28 18:24 . 2009-10-28 18:24 118784 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_c8045b0c\CustomMarshalers.dll
+ 2009-10-29 13:13 . 2009-10-29 13:13 240128 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\bf92bc207f927cbbd6dfc9dc0c3eae68\WindowsFormsIntegration.ni.dll
+ 2009-10-29 13:13 . 2009-10-29 13:13 187904 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationTypes\6f488b7644dc50a083868e91a4014466\UIAutomationTypes.ni.dll
+ 2009-10-29 13:13 . 2009-10-29 13:13 447488 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClient\c2fbf25609b704061a93500efa6f241d\UIAutomationClient.ni.dll
+ 2009-10-29 13:12 . 2009-10-29 13:12 208384 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\ca6d7208c0fb72ff97429f2636ced321\System.Drawing.Design.ni.dll
+ 2009-10-29 13:10 . 2009-10-29 13:10 258048 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\96f74da5fc40b92f09069230bc0df4f0\PresentationFramework.Royale.ni.dll
+ 2009-10-29 13:10 . 2009-10-29 13:10 539648 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\3bb4d16b042b72c2c85a0f8ac9d48f28\PresentationFramework.Luna.ni.dll
+ 2009-10-29 13:10 . 2009-10-29 13:10 368128 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\30c5c2682d3c5bdaa83bb9a36ee48afa\PresentationFramework.Aero.ni.dll
+ 2009-10-29 13:10 . 2009-10-29 13:10 224768 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\07e952efd70f5608e221a008e6231ace\PresentationFramework.Classic.ni.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2009-10-28 18:12 . 2009-08-13 13:55 1748992 c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\GdiPlus.dll
- 2010-02-19 17:21 . 2009-07-03 17:09 1208832 c:\windows\system32\urlmon.dll
+ 2010-02-19 17:21 . 2009-08-29 08:08 1208832 c:\windows\system32\urlmon.dll
- 2010-02-19 17:21 . 2008-04-14 12:00 1435648 c:\windows\system32\query.dll
+ 2010-02-19 17:21 . 2009-07-17 16:22 1435648 c:\windows\system32\query.dll
+ 2010-02-19 17:21 . 2009-08-29 08:08 5940224 c:\windows\system32\mshtml.dll
- 2007-08-13 23:34 . 2009-07-03 17:09 1985536 c:\windows\system32\iertutil.dll
+ 2007-08-13 23:34 . 2009-08-29 08:08 1985536 c:\windows\system32\iertutil.dll
- 2010-02-19 17:21 . 2009-07-03 17:09 1208832 c:\windows\system32\dllcache\urlmon.dll
+ 2010-02-19 17:21 . 2009-08-29 08:08 1208832 c:\windows\system32\dllcache\urlmon.dll
+ 2010-02-19 17:21 . 2009-07-17 16:22 1435648 c:\windows\system32\dllcache\query.dll
- 2010-02-19 17:21 . 2008-04-14 12:00 1435648 c:\windows\system32\dllcache\query.dll
+ 2009-02-19 18:54 . 2009-08-05 00:44 2189184 c:\windows\system32\dllcache\ntoskrnl.exe
- 2009-02-19 18:54 . 2009-02-06 10:32 2023936 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2009-02-19 18:54 . 2009-08-04 14:20 2023936 c:\windows\system32\dllcache\ntkrpamp.exe
- 2009-02-19 18:54 . 2009-02-07 23:02 2066048 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2009-02-19 18:54 . 2009-08-04 14:20 2066048 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2009-02-19 18:54 . 2009-08-04 15:13 2145280 c:\windows\system32\dllcache\ntkrnlmp.exe
- 2009-02-19 18:54 . 2009-02-06 11:06 2145280 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2010-02-19 17:21 . 2009-08-29 08:08 5940224 c:\windows\system32\dllcache\mshtml.dll
- 2009-02-19 19:29 . 2009-07-03 17:09 1985536 c:\windows\system32\dllcache\iertutil.dll
+ 2009-02-19 19:29 . 2009-08-29 08:08 1985536 c:\windows\system32\dllcache\iertutil.dll
+ 2009-08-08 03:51 . 2009-08-08 03:51 5812560 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
- 2008-11-25 08:59 . 2008-11-25 08:59 4546560 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
+ 2009-08-08 03:51 . 2009-08-08 03:51 4546560 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
- 2007-04-14 02:35 . 2007-04-14 02:35 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
+ 2008-05-28 05:35 . 2008-05-28 05:35 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
+ 2008-05-28 05:35 . 2008-05-28 05:35 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
- 2007-04-14 02:35 . 2007-04-14 02:35 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
- 2007-04-14 01:57 . 2007-04-14 01:57 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2008-05-28 04:48 . 2008-05-28 04:48 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
- 2007-04-14 01:57 . 2007-04-14 01:57 2523136 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
+ 2008-05-28 04:48 . 2008-05-28 04:48 2523136 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
- 2007-04-14 01:50 . 2007-04-14 01:50 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2008-05-28 04:43 . 2008-05-28 04:43 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2009-10-28 18:27 . 2009-07-03 17:09 1208832 c:\windows\ie8updates\KB974455-IE8\urlmon.dll
+ 2009-10-28 18:27 . 2009-07-19 13:18 5937152 c:\windows\ie8updates\KB974455-IE8\mshtml.dll
+ 2009-10-28 18:27 . 2009-07-03 17:09 1985536 c:\windows\ie8updates\KB974455-IE8\iertutil.dll
+ 2009-02-19 18:54 . 2009-08-05 00:44 2189184 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2009-02-19 18:54 . 2009-08-04 14:20 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2009-02-19 18:54 . 2009-02-06 10:32 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2009-02-19 18:54 . 2009-08-04 14:20 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2009-02-19 18:54 . 2009-02-07 23:02 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2009-02-19 18:54 . 2009-08-04 15:13 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
- 2009-02-19 18:54 . 2009-02-06 11:06 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2009-10-28 18:23 . 2009-10-28 18:23 1966080 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_cb77ef9d\System.dll
+ 2009-10-28 18:24 . 2009-10-28 18:24 4792320 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_7d74987b\System.dll
+ 2009-10-28 18:24 . 2009-10-28 18:24 5513216 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_ba2f59d0\System.Xml.dll
+ 2009-10-28 18:23 . 2009-10-28 18:23 2088960 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_3d9a7d92\System.Xml.dll
+ 2009-10-28 18:24 . 2009-10-28 18:24 7884800 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_e188e126\System.Windows.Forms.dll
+ 2009-10-28 18:23 . 2009-10-28 18:23 3018752 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_8c82f25d\System.Windows.Forms.dll
+ 2009-10-28 18:24 . 2009-10-28 18:24 2244608 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_11b37e97\System.Drawing.dll
+ 2009-10-28 18:24 . 2009-10-28 18:24 3395584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_8d698180\System.Design.dll
+ 2009-10-28 18:23 . 2009-10-28 18:23 1470464 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_41f6b818\System.Design.dll
+ 2009-10-28 18:24 . 2009-10-28 18:24 8908800 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_deb2f9d6\mscorlib.dll
+ 2009-10-28 18:24 . 2009-10-28 18:24 3391488 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_22bf4f49\mscorlib.dll
+ 2009-10-29 13:08 . 2009-10-29 13:08 3313664 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\204d6e5b335134f23ca37638b9227ecf\WindowsBase.ni.dll
+ 2009-10-29 13:13 . 2009-10-29 13:13 1049600 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClients#\0f2ed6a204eb13841e99b77025464afc\UIAutomationClientsideProviders.ni.dll
+ 2009-10-29 13:08 . 2009-10-29 13:08 7868416 c:\windows\assembly\NativeImages_v2.0.50727_32\System\3de5bd01124463d7862bd173af90bc83\System.ni.dll
+ 2009-10-29 13:13 . 2009-10-29 13:13 5450752 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml\5913d3f81e77194ec833991b1047a532\System.Xml.ni.dll
+ 2009-10-29 13:12 . 2009-10-29 13:12 1917440 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Speech\99594bae1d022502925f5b9dfcdaae9a\System.Speech.ni.dll
+ 2009-10-29 13:12 . 2009-10-29 13:12 1035264 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Printing\e5313735a40c0800f116e27fba4754db\System.Printing.ni.dll
+ 2009-10-29 13:12 . 2009-10-29 13:12 1587200 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\abb2ac7e08bee026f857d8fa36f9fe6f\System.Drawing.ni.dll
+ 2009-10-29 13:11 . 2009-10-29 13:11 6616576 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data\694c07365e0fd6bba0bc304d4d2404a7\System.Data.ni.dll
+ 2009-10-29 13:11 . 2009-10-29 13:11 2516480 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Linq\32788c58ff9f8324460604cf1fe7681b\System.Data.Linq.ni.dll
+ 2009-10-29 13:11 . 2009-10-29 13:11 2295296 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Core\c0a42d2ad8a4078040b334f6770ea11f\System.Core.ni.dll
+ 2009-10-29 13:10 . 2009-10-29 13:10 2128896 c:\windows\assembly\NativeImages_v2.0.50727_32\ReachFramework\954685c29689d2a6126ceca1fd55e904\ReachFramework.ni.dll
+ 2009-10-29 13:10 . 2009-10-29 13:10 1657856 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationUI\a3a6f52ce1d09a7bdccc8e7fc664792d\PresentationUI.ni.dll
+ 2009-10-29 13:08 . 2009-10-29 13:08 1451008 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationBuildTa#\f906701365083c1473db31519147e263\PresentationBuildTasks.ni.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 3149824 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 3149824 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2009-10-28 18:30 . 2009-10-28 18:30 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
- 2009-08-29 19:52 . 2009-08-29 19:52 4546560 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2009-10-28 18:31 . 2009-10-28 18:31 4546560 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
- 2009-02-19 18:48 . 2009-02-19 18:48 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2009-10-28 18:23 . 2009-10-28 18:23 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2009-10-28 18:23 . 2009-10-28 18:23 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
- 2009-02-19 18:48 . 2009-02-19 18:48 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2009-10-28 18:24 . 2009-10-02 15:01 25198016 c:\windows\system32\MRT.exe
+ 2007-08-13 23:54 . 2009-08-29 08:08 11069440 c:\windows\system32\ieframe.dll
+ 2009-02-19 19:29 . 2009-08-29 08:08 11069440 c:\windows\system32\dllcache\ieframe.dll
+ 2009-08-11 01:08 . 2009-08-11 01:08 11315712 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp
+ 2009-08-15 00:32 . 2009-08-15 00:32 11110912 c:\windows\Installer\1116e1.msp
+ 2009-08-10 18:09 . 2009-08-10 18:09 17254912 c:\windows\Installer\1116d8.msp
+ 2009-10-28 18:27 . 2009-07-19 22:48 11067392 c:\windows\ie8updates\KB974455-IE8\ieframe.dll
+ 2009-10-29 13:12 . 2009-10-29 13:12 12430848 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d2ea8d76f015817db1607075812b555f\System.Windows.Forms.ni.dll
+ 2009-10-29 13:12 . 2009-10-29 13:12 10683392 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Design\8b82e08c008924d51833cb0884bcbfc5\System.Design.ni.dll
+ 2009-10-29 13:10 . 2009-10-29 13:10 14327808 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\58c7ac6b6054038dc9346d7ec8e32b4c\PresentationFramework.ni.dll
+ 2009-10-29 13:09 . 2009-10-29 13:09 12216320 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\94badbd64df59de7da249f71da38b1c2\PresentationCore.ni.dll
+ 2009-10-29 13:08 . 2009-10-29 13:08 11486720 c:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\7124a40b9998f7b63c86bd1a2125ce26\mscorlib.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-10-29 30720]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-10-29 30720]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-10-29 30720]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2009-10-29 30720]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2009-10-29 30720]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2009-10-29 30720]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2008-04-14 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-06-24 53096]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2009-10-29 30720]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-02-13 17508864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-2 604776]
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-2-19 376832]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [2/19/2010 1:21 PM 14336]
R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [4/14/2008 8:00 AM 46592]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2/19/2009 3:22 PM 55136]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 9:09 PM 11032]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/30/2008 5:41 PM 116664]
R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [2/19/2009 3:02 PM 10752]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/31/2009 11:49 PM 102448]
R3 Ktp;Elantech Smart-Pad;c:\windows\system32\drivers\ETD.sys [7/31/2008 10:24 PM 93696]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [11/4/2008 5:28 AM 38400]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/19/2009 2:56 PM 1684736]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [12/8/2008 6:01 PM 533344]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - BTWSRV
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\Amy Chen\Application Data\Mozilla\Firefox\Profiles\6qm4eeji.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Amy Chen\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-ETDWare - c:\program files\Elantech\ETDCtrl.exe
SharedTaskScheduler-<NO NAME> - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-29 09:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\Install.txt
c:\windows\system32\igfxpers .exe 30720 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1684)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\jay.com\CF3750.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\EeePC\ACPI\AsTray .exe
c:\program files\EeePC\ACPI\AsAcpiSvr .exe
c:\program files\EeePC\ACPI\AsEPCMon .exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Elantech\ETDCtrl .exe
c:\progra~1\SYMANT~1\VPTray .exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wmdtc.exe
c:\docume~1\AMYCHE~1\LOCALS~1\Temp\ctv230.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\windows\system32\lsm32.sys
c:\jay.com\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-29 9:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-29 13:36
ComboFix2.txt 2009-10-28 18:12

Pre-Run: 28,250,202,112 bytes free
Post-Run: 28,233,273,344 bytes free

- - End Of File - - 9C27D2036EE335C46CBACCEA0E82031A
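The ComboFix log above already shows most of what a responder needs to see, if one knows what to look for: every HKLM Run image reports the same 30720-byte size and the same date, catchme finds a hidden `igfxpers .exe` (a space before the extension, i.e. the renamed original, while a file of the same size now holds the real name), and the second log later in this thread adds autostarts out of the user's Temp folder, a Winlogon Shell of `Explorer.exe logon.exe`, a Userinit value with `sdra64.exe` appended, AppInit_DLLs, extra LSA Notification Packages and a `tcpip.sys` that fails Sigcheck. The script below is an added example, not code from this thread or from ComboFix: it parses those sections of a ComboFix log and flags each of those indicators. The sample log is constructed from lines copied out of the logs in this thread; the clean-baseline values for Shell, Userinit and Notification Packages and the threshold of three same-sized images are assumptions of mine, not anything the thread states.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the ComboFix logs in this
# thread (Reg Loading Points, Sigcheck and catchme sections), not a full log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Login Software 2009"="c:\docume~1\AMYCHE~1\LOCALS~1\Temp\sxrahn013s .exe" [2009-11-04 30720]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-10-29 30720]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-10-29 30720]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-10-29 30720]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2009-10-29 30720]
"jedohapoj"="c:\windows\system32\kenayiba.dll" [2009-07-29 92160]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-02-13 17508864]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe logon.exe"
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\kenayiba.dll,yiyigini.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli vamegeye.dll yiyigini.dll
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . D9F19E78F98834CB411D6AD3C68D181A . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
scanning hidden files ...
c:\windows\system32\Install.txt
c:\windows\system32\igfxpers .exe 30720 bytes executable
scan completed successfully
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"(?: - (?P<resolved>.*?))?'
                    r" \[\d{4}-\d{2}-\d{2} (?P<size>\d+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')
SIGCHECK_RE = re.compile(r"^\[(?P<flag>[^\]]+)\] \S+ \. [0-9A-F]{32} \. \d+ \. \. \[[^\]]+\] \. \. (?P<path>.+)$")

# Assumed baselines (my choices, not from the thread): the only values these
# keys should hold on a clean XP box, and how many same-sized images is odd.
LEGIT_SHELL = {"explorer.exe"}
LEGIT_USERINIT = {r"c:\windows\system32\userinit.exe"}
LEGIT_LSA_PACKAGES = {"scecli"}
SAME_SIZE_THRESHOLD = 3


def analyze(log_text):
    """Return (category, detail) findings for the indicators seen in this thread."""
    findings, run_entries, key, in_hidden = [], [], "", False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_hidden and not line.lower().startswith(("scan completed", "hidden files:")):
            findings.append(("hidden-file", line))   # whatever catchme lists here is hidden from the shell
            continue
        in_hidden = line.lower().startswith("scanning hidden files")
        if m := SIGCHECK_RE.match(line):             # [-] means ComboFix's signature check failed
            if m.group("flag") == "-":
                findings.append(("sigcheck-failed", m.group("path")))
            continue
        if m := KEY_RE.match(line):
            key = m.group("key").lower()
            continue
        if key.endswith("\\run") and (m := RUN_RE.match(line)):
            run_entries.append(((m.group("resolved") or m.group("value")).lower(), int(m.group("size"))))
        elif key.endswith("\\winlogon") and (m := VALUE_RE.match(line)):
            name, value = m.group("name").lower(), m.group("value").strip('"').lower()
            if name == "shell":       # anything besides Explorer.exe is an injected shell
                findings += [("winlogon-shell", t) for t in value.split() if t not in LEGIT_SHELL]
            elif name == "userinit":  # extra comma-separated programs run at every logon
                findings += [("winlogon-userinit", t) for t in value.split(",") if t and t not in LEGIT_USERINIT]
        elif key.endswith("\\windows") and (m := VALUE_RE.match(line)):
            if m.group("name").lower() == "appinit_dlls":   # loaded into every process that links user32
                findings += [("appinit-dll", d.strip()) for d in m.group("value").split(",") if d.strip()]
        elif key.endswith("\\lsa") and line.lower().startswith("notification packages"):
            findings += [("lsa-notification-package", p) for p in line.split()[3:]
                         if p.lower() not in LEGIT_LSA_PACKAGES]   # password-change hooks inside lsass

    by_size = defaultdict(set)
    for path, size in run_entries:
        by_size[size].add(path)
        if re.search(r"\s\.[a-z0-9]+$", path):   # "igfxpers .exe": original renamed, stub took its name
            findings.append(("space-before-extension", path))
        if "\\temp\\" in path:
            findings.append(("temp-dir-autostart", path))
        if path.endswith(".dll"):                 # a Run value that resolves to a DLL, not a program
            findings.append(("dll-in-run", path))
    for size, paths in by_size.items():
        if len(paths) >= SAME_SIZE_THRESHOLD:    # unrelated programs do not share an exact byte size
            findings.append(("identical-size-cluster", f"{len(paths)} Run images are exactly {size} bytes"))
    return findings


if __name__ == "__main__":
    for category, detail in analyze(SAMPLE_LOG):
        print(f"{category:26} {detail}")
```

Run it as a script to print the findings for the sample, or call `analyze()` on the text of a full ComboFix.txt. The identical-size check is the one that would have been decisive in the first log: the Intel, ASUS and Symantec tray programs do not all compile to exactly 30720 bytes, and the process list in that same log shows the originals still running under their renamed names (`AsTray .exe`, `VPTray .exe`), which is consistent with each name now pointing at a same-sized substitute.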

#8 Raktor (Member, 268 posts)
Please go to one of the below sites to scan the following files:
Jotti
Virus Total

Click on Browse, and upload the following file for analysis:
c:\program files\EeePC\ACPI\AsAcpiSvr.exe

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.
Please also post the contents of C:\Qoobox\ComboFix-quarantined-files.txt.

Edited by Raktor, 31 October 2009 - 12:50 AM.


#9 jay_sohhn (Topic Starter, Member, 92 posts)
I tried getting onto the internet with the infected computer, but was not able to. I tried IE and Firefox. IE just spits up a page that says "Internet Explorer cannot display the webpage." And an option is to "Diagnose Connection Problem," which I did. But IE says there is no problem, yet I'm not able to get onto the internet. With Firefox, when I open it up I get a message saying that Firefox crashed and needs to be restarted. When I restart Firefox, nothing happens. I tried restarting my computer in safe mode but was not permitted to. Restarting with "last known good configuration" also does nothing to resolve the problem.

#10 Raktor (Member, 268 posts)
Let's try it this way then. :)

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

http://www.geekstogo...ro-t256562.html

Suspect::[88]
c:\program files\EeePC\ACPI\AsAcpiSvr.exe


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

At the conclusion of the run, it should attempt to upload the file to my analysis channel... but this might not happen if the internet is not working properly from that computer. Instead...
1. Please copy C:\Qoobox\Quarantine\[88][email protected] (It will be similar to that filename, but with the date and time instead) onto a USB key, and take it to the computer that is working.
2. Please visit this site and follow the instructions for uploading that zip file.

#11 jay_sohhn (Topic Starter, Member, 92 posts)
Hi, Raktor -
Sorry about the delay in response. I've posted the scan results below. I was able to get on the internet from the infected computer, so that file you were talking about earlier should have uploaded successfully to your analysis channel. I await your next response ... Thanks!

ComboFix 09-10-27.08 - Amy Chen 11/04/2009 10:06.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.548 [GMT -5:00]
Running from: c:\documents and settings\Amy Chen\Desktop\Jay.com.exe
Command switches used :: E:\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\AMYCHE~1\LOCALS~1\Temp\taskmgr.exe
c:\docume~1\AMYCHE~1\LOCALS~1\Temp\winlogon.exe
C:\ntldrs
c:\program files\AdvancedVirusRemover
c:\program files\AdvancedVirusRemover\PAVRM.exe
c:\windows\Install.txt
c:\windows\syssvc.exe
c:\windows\system32\calc.dll
c:\windows\system32\fupipivo.dll
c:\windows\system32\iehelper.dll
c:\windows\system32\Install.txt
c:\windows\system32\lsp.dll
c:\windows\system32\winhelper.dll
c:\windows\system32\winupdate.exe

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\eventlog.dll

.
((((((((((((((((((((((((( Files Created from 2009-10-04 to 2009-11-04 )))))))))))))))))))))))))))))))
.

2011-02-27 04:02 . 2009-10-29 13:31 -------- d-----w- c:\program files\Elantech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-19 18:34 . 2010-02-19 18:34 -------- d-----w- c:\program files\microsoft frontpage
2010-02-19 18:32 . 2010-02-19 18:32 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-11-04 15:15 . 2009-06-04 05:45 -------- d-----w- c:\program files\Symantec AntiVirus
2009-11-04 15:13 . 2009-10-10 00:34 30720 ----a-w- c:\documents and settings\Amy Chen\rthdcpl.exe
2009-11-04 15:13 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\igfxpers.exe
2009-11-04 15:13 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\hkcmd.exe
2009-11-04 14:50 . 2009-11-04 14:50 39424 --sh--w- c:\windows\system32\zevofito.dll
2009-11-04 14:50 . 2009-11-04 14:50 92160 --sh--w- c:\windows\system32\tosikuli.dll
2009-11-04 14:50 . 2009-11-04 14:50 60928 --sh--w- c:\windows\system32\nakuteye.dll
2009-11-04 14:49 . 2009-11-04 14:49 169472 ----a-w- c:\windows\msa.exe
2009-11-04 14:48 . 2009-11-04 14:48 0 ----a-r- c:\windows\win32k.sys
2009-11-04 14:48 . 2009-11-04 14:48 95232 ----a-w- c:\windows\system32\41.exe
2009-11-04 14:44 . 2009-10-31 14:06 -------- d-----w- c:\program files\ewmnru
2009-11-04 14:43 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\igfxtray.exe
2009-10-31 14:03 . 2009-10-29 13:47 -------- d-----w- c:\program files\xhonsl
2009-10-31 13:57 . 2009-10-31 13:57 91648 --sh--w- c:\windows\system32\bebaluno.dll
2009-10-29 13:44 . 2009-10-29 13:43 -------- d-----w- c:\documents and settings\All Users\Application Data\90489939
2009-10-29 13:42 . 2009-10-29 13:42 15000 ----a-w- c:\windows\system32\h2w8l.dll
2009-10-29 13:41 . 2009-10-29 13:41 52736 ----a-w- C:\ldvx.exe
2009-10-29 13:41 . 2009-10-29 13:41 302080 ----a-w- c:\windows\system32\~.exe
2009-10-29 13:31 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\hkcmd .exe
2009-10-29 13:07 . 2009-10-10 00:34 30720 ----a-w- c:\documents and settings\Amy Chen\rthdcpl .exe
2009-10-29 13:07 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\igfxpers .exe
2009-10-28 18:05 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\igfxtray .exe
2009-10-28 17:47 . 2009-10-09 03:45 407062 ----a-w- c:\windows\system32\raidmg.dll
2009-10-28 17:32 . 2009-07-28 17:32 39424 --sha-w- c:\windows\system32\migitiho.dll
2009-10-28 17:31 . 2009-10-10 00:34 30720 ----a-w- c:\documents and settings\Amy Chen\alcmtr.exe
2009-10-26 14:59 . 2009-10-26 14:59 0 ----a-w- c:\documents and settings\Amy Chen\settings.dat
2009-10-26 14:56 . 2009-06-07 16:21 -------- d-----w- c:\documents and settings\Amy Chen\Application Data\U3
2009-10-10 00:33 . 2010-02-19 17:21 14336 ------w- c:\windows\system32\svchost.exe
2009-10-09 03:45 . 2009-10-09 03:45 98304 ----a-w- c:\windows\system32\kbdatat4.dll
2009-09-24 04:55 . 2009-02-19 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-14 01:57 . 2009-06-03 15:38 92344 ----a-w- c:\documents and settings\Amy Chen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-14 01:57 . 2009-07-20 20:37 -------- d-----w- c:\documents and settings\Amy Chen\Application Data\Move Networks
2009-09-11 14:18 . 2010-02-19 17:21 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 03:34 . 2009-07-03 15:34 -------- d-----w- c:\documents and settings\Amy Chen\Application Data\Skype
2009-09-09 23:30 . 2009-07-03 15:35 -------- d-----w- c:\documents and settings\Amy Chen\Application Data\skypePM
2009-09-04 21:03 . 2010-02-19 17:21 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2010-02-19 17:21 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2010-02-19 17:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2008-05-07 08:34 . 2009-02-19 19:07 15523560 ----a-w- c:\program files\U1 Setup.exe
2009-07-29 13:43 . 2009-07-29 13:43 53760 --sha-w- c:\windows\system32\fonoriga.dll
2009-07-29 13:43 . 2009-07-29 13:43 1011618 --sha-w- c:\windows\system32\hagebuzi.exe
2009-07-29 13:43 . 2009-07-29 13:43 92160 --sha-w- c:\windows\system32\kenayiba.dll
2009-07-29 13:42 . 2009-07-29 13:42 52736 --sha-w- c:\windows\system32\kusewovi.dll.tmp
2009-07-29 13:43 . 2009-07-29 13:43 39424 --sha-w- c:\windows\system32\tavahozu.dll
2009-07-29 13:42 . 2009-07-29 13:42 52736 --sha-w- c:\windows\system32\turenugu.dll.tmp
2009-07-29 13:45 . 2009-07-29 13:45 53760 --sha-w- c:\windows\system32\vamegeye.dll
2009-07-29 13:42 . 2009-07-29 13:42 52736 --sha-w- c:\windows\system32\viwawobi.dll.tmp
2009-07-29 13:45 . 2009-07-29 13:45 53760 --sha-w- c:\windows\system32\yiyigini.dll
2009-07-29 13:43 . 2009-07-29 13:43 1052192 --sha-w- c:\windows\system32\zasepago.exe
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . D9F19E78F98834CB411D6AD3C68D181A . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot_2009-10-29_13.31.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-04 15:12 . 2009-11-04 15:12 16384 c:\windows\temp\Perflib_Perfdata_4ac.dat
+ 2008-04-14 12:00 . 2008-04-14 12:00 87552 c:\windows\system32\wmdtc.exe
- 2010-02-19 17:21 . 2009-10-28 18:31 71810 c:\windows\system32\perfc009.dat
+ 2010-02-19 17:21 . 2009-11-04 15:05 71810 c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2008-04-14 12:00 87552 c:\windows\system32\opeia.exe
+ 2008-04-14 12:00 . 2008-04-14 12:00 47616 c:\windows\system32\FastNetSrv.exe
+ 2009-02-19 20:51 . 2009-11-04 15:00 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-19 20:51 . 2009-10-28 18:12 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-19 20:51 . 2009-11-04 15:00 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-19 20:51 . 2009-10-28 18:12 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-26 14:48 . 2009-11-04 15:00 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-10-26 14:48 . 2009-10-28 17:30 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-10-31 13:55 . 2009-11-04 15:00 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-14 12:00 . 2008-04-14 12:00 45568 c:\windows\system32\BtwSrv.dll
+ 2009-10-29 14:02 . 2009-10-29 14:02 47616 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLiveWriter\6e2e535510bede2ff7c15d8ae53098c0\WindowsLiveWriter.ni.exe
+ 2009-10-29 13:35 . 2009-10-29 13:35 25600 c:\windows\assembly\NativeImages_v2.0.50727_32\Accessibility\e63d6d26b8a664cfdfbd4ad75e03c14d\Accessibility.ni.dll
- 2010-02-19 17:21 . 2009-10-28 18:31 442024 c:\windows\system32\perfh009.dat
+ 2010-02-19 17:21 . 2009-11-04 15:05 442024 c:\windows\system32\perfh009.dat
+ 2009-10-29 13:41 . 2009-10-29 13:41 302080 c:\windows\system32\~.exe
+ 2009-10-29 14:05 . 2009-10-29 14:05 174080 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\f82f25e143c306491dcfdcea845ada91\WindowsLive.Writer.BrowserControl.ni.dll
+ 2009-10-29 14:02 . 2009-10-29 14:02 843776 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\cf709e807175721fbfa4809a21142a51\WindowsLive.Writer.Controls.ni.dll
+ 2009-10-29 14:04 . 2009-10-29 14:04 319488 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\56562b3fab90b3b5d4ac6931118d8b3f\WindowsLive.Writer.Interop.ni.dll
+ 2009-10-29 14:05 . 2009-10-29 14:05 313856 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\551d4211cde9574615ad847741667699\WindowsLive.Writer.Interop.SHDocVw.ni.dll
+ 2009-10-29 14:03 . 2009-10-29 14:03 676352 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Security\a9e9b885a6601469c4058375cc74d856\System.Security.ni.dll
+ 2009-10-29 14:03 . 2009-10-29 14:03 311296 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\9bc34a79af9c3ed2cf17a0226c769b4c\System.Runtime.Serialization.Formatters.Soap.ni.dll
+ 2009-10-29 13:35 . 2009-10-29 13:35 381440 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IO.Log\6c273eb9d1ee8b66b5ecb073de4b785d\System.IO.Log.ni.dll
+ 2009-10-29 13:35 . 2009-10-29 13:35 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityMode#\7222db518afb4eaaa138824278249bc7\System.IdentityModel.Selectors.ni.dll
+ 2009-10-29 14:02 . 2009-10-29 14:02 971264 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\7c743462baccf29b3567b0e3ec9ac134\System.Configuration.ni.dll
+ 2009-10-29 13:35 . 2009-10-29 13:35 842240 c:\windows\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\85d7c111956b478766d90625b35d963f\AspNetMMCExt.ni.dll
+ 2009-11-04 15:14 . 2009-08-29 08:08 1208832 c:\windows\temp\x1c91959.dll
+ 2009-11-04 15:11 . 2009-08-29 08:08 1208832 c:\windows\temp\mta13187.dll
+ 2009-10-29 14:04 . 2009-10-29 14:04 2002944 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\1f8439062cab1a14f351974092e09e16\WindowsLive.Writer.CoreServices.ni.dll
+ 2009-10-29 14:02 . 2009-10-29 14:02 6392832 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\0b96d8eb446d23637b38c72e2215d0ff\WindowsLive.Writer.PostEditor.ni.dll
+ 2009-10-29 13:58 . 2009-10-29 13:58 2338304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\67ad55827f2542552b576170f0a7dc56\System.Runtime.Serialization.ni.dll
+ 2009-10-29 13:35 . 2009-10-29 13:35 1056768 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\c3b18fef5c6dc3bcdbe5df699fd21a55\System.IdentityModel.ni.dll
+ 2009-10-29 14:03 . 2009-10-29 14:03 1801216 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Deployment\c94a427baa7683f4221b91f90c18461b\System.Deployment.ni.dll
+ 2009-10-29 14:03 . 2009-10-29 14:03 2510336 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.SqlXml\272152f0cc139490729e215611a4b244\System.Data.SqlXml.ni.dll
+ 2009-10-29 14:01 . 2009-10-29 14:01 17317888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\06d6eab93282d2b136a377bd50b7c5a9\System.ServiceModel.ni.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4e232aa-bd80-4ce2-896f-f0b02c7accc7}]
fupipivo.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Login Software 2009"="c:\docume~1\AMYCHE~1\LOCALS~1\Temp\sxrahn013s .exe" [2009-11-04 30720]
"Yjafosi8kdf98winmdkmnkmfnwe"="c:\docume~1\AMYCHE~1\LOCALS~1\Temp\cmd .exe" [2009-11-04 30720]
"wow64main.exe"="c:\docume~1\AMYCHE~1\LOCALS~1\Temp\wow64main.exe" [2009-11-04 30720]
"PopRock"="c:\docume~1\AMYCHE~1\LOCALS~1\Temp\b.exe" [2009-11-04 30720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-11-04 30720]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-11-04 30720]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-11-04 30720]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2009-11-04 30720]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2009-11-04 30720]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2009-11-04 30720]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2008-04-14 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-06-24 53096]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2009-11-04 30720]
"jedohapoj"="c:\windows\system32\kenayiba.dll" [2009-07-29 92160]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-02-13 17508864]
"seyisevede"="vamegeye.dll" - c:\windows\system32\vamegeye.dll [2009-07-29 53760]

c:\documents and settings\Amy Chen\Start Menu\Programs\Startup\
scandisk.dll [2009-3-21 23552]
scandisk.lnk - c:\windows\system32\rundll32.exe [2010-2-19 33280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-2 604776]
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-2-19 376832]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{2ecf8c98-2d82-409d-a89f-a5d9b15415cd}"= "c:\windows\system32\kenayiba.dll" [2009-07-29 92160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"nimejewet"= {2ecf8c98-2d82-409d-a89f-a5d9b15415cd} - c:\windows\system32\kenayiba.dll [2009-07-29 92160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe logon.exe"
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\windows\system32\kenayiba.dll,yiyigini.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli vamegeye.dll yiyigini.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\explorer.exe"=
"c:\\WINDOWS\\system32\\logonui.exe"=
"c:\\WINDOWS\\system32\\winlogon.exe"=
"c:\\WINDOWS\\system32\\lsass.exe"=

R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [2/19/2010 12:21 PM 14336]
R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [4/14/2008 7:00 AM 47616]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2/19/2009 2:22 PM 55136]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 8:09 PM 11032]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/30/2008 4:41 PM 116664]
R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [2/19/2009 2:02 PM 10752]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/31/2009 10:49 PM 102448]
R3 Ktp;Elantech Smart-Pad;c:\windows\system32\drivers\ETD.sys [7/31/2008 9:24 PM 93696]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [11/4/2008 4:28 AM 38400]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/19/2009 1:56 PM 1684736]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [12/8/2008 5:01 PM 533344]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - AEC
*NewlyCreated* - BTWSRV
*Deregistered* - mbr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
.
Contents of the 'Scheduled Tasks' folder

2009-11-04 c:\windows\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
- c:\windows\msa.exe [2009-11-04 14:49]

2009-11-04 c:\windows\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job
- c:\docume~1\AMYCHE~1\LOCALS~1\Temp\b.exe [2009-11-04 15:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\Amy Chen\Application Data\Mozilla\Firefox\Profiles\6qm4eeji.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Amy Chen\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-Yjafosi8kdf98winmdkmnkmfnwe - c:\windows\TEMP\svchost.exe
SharedTaskScheduler-<NO NAME> - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-04 10:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\Install.txt 266 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,96,44,2c,d8,a1,66,c2,4f,93,d6,8e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,96,44,2c,d8,a1,66,c2,4f,93,d6,8e,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(792)
c:\windows\system32\WININET.dll
c:\windows\system32\vamegeye.dll
c:\windows\system32\yiyigini.dll

- - - - - - - > 'Explorer.exe'(3964)
c:\windows\system32\WININET.dll
c:\windows\system32\kenayiba.dll
c:\windows\system32\vamegeye.dll
c:\windows\system32\yiyigini.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
c:\windows\system32\BTNEIG~1.DLL
c:\windows\system32\wbtapi.dll
c:\windows\system32\btwpimif.dll
c:\windows\system32\btosif.dll
c:\windows\system32\btrez.dll
c:\windows\system32\btwicons.dll
c:\windows\system32\BtXpPanel.Dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\jay.com\CF24451.exe
c:\program files\EeePC\ACPI\AsAcpiSvr .exe
c:\program files\EeePC\ACPI\AsEPCMon .exe
c:\program files\EeePC\ACPI\AsTray .exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\progra~1\SYMANT~1\VPTray .exe
c:\windows\system32\wmdtc.exe
c:\program files\Adobe\Reader 8.0\Reader\AcroRd32.exe
c:\docume~1\AMYCHE~1\LOCALS~1\Temp\ctv1176.exe
c:\windows\system32\lsm32.sys
c:\jay.com\PEV.cfxxe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Internet Explorer\IEXPLORE.EXE
.
**************************************************************************
.
Completion time: 2009-11-04 10:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-04 15:31
ComboFix2.txt 2009-10-29 13:36
ComboFix3.txt 2009-10-28 18:12

Pre-Run: 28,310,196,224 bytes free
Post-Run: 28,305,600,512 bytes free

- - End Of File - - A2ECCEA317788474B03854418507F83C
  • 0
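Reading the log above as a triage artifact, as an added example that is not part of the original thread: the script below parses the autorun sections in the format ComboFix uses and flags the patterns a responder would act on: several Run entries that all report one date and size (a single dropper copied over legitimate programs), Run entries that point at a DLL, an entry launched from a Temp folder, extra tokens in the Winlogon Shell and Userinit values, any AppInit_DLLs, LSA Notification Packages beyond the Windows defaults (those load inside lsass.exe, which is why the DLL list for lsass.exe above contains them), and Security Center monitoring switched off. The sample lines are copied from the log above and abbreviated; the HKCU Run header is assumed, since the log is cut off just before it, and the rule names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the ComboFix log above (abbreviated).
# The HKCU Run header is an assumption: the log is cut off just before it.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopRock"="c:\docume~1\AMYCHE~1\LOCALS~1\Temp\b.exe" [2009-11-04 30720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-11-04 30720]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-11-04 30720]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2009-11-04 30720]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-06-24 53096]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2009-11-04 30720]
"jedohapoj"="c:\windows\system32\kenayiba.dll" [2009-07-29 92160]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-02-13 17508864]
"seyisevede"="vamegeye.dll" - c:\windows\system32\vamegeye.dll [2009-07-29 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe logon.exe"
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\windows\system32\kenayiba.dll,yiyigini.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli vamegeye.dll yiyigini.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""

# "Name"="value" [YYYY-MM-DD size]   or   "Name"="value" - resolved\path [YYYY-MM-DD size]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<val>[^"]*)"(?: - (?P<path>.+?))?'
                    r' \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$')
KV_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.*)$')
# scecli is the only package on a default XP workstation; the other two are domain-controller defaults.
LSA_NOTIFY_ALLOW = {"scecli", "rassfm", "kdcsvc"}

def triage(log_text):
    """Return a list of (rule, detail) findings from a ComboFix-style log."""
    findings, run_entries = [], []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        sec = section.lower()
        if sec.endswith(r"currentversion\run"):
            m = RUN_RE.match(line)
            if m:
                run_entries.append((m["name"], m["path"] or m["val"], m["date"], int(m["size"])))
        elif sec.endswith(r"currentversion\winlogon"):
            m = KV_RE.match(line)
            if not m:
                continue
            name, val = m["name"].lower(), m["val"].strip('"')
            if name == "shell":                      # anything beyond Explorer.exe is foreign
                findings += [("winlogon_shell_extra", t) for t in val.split() if t.lower() != "explorer.exe"]
            elif name == "userinit":                 # every listed program runs at each logon
                findings += [("winlogon_userinit_extra", t.strip()) for t in val.split(",")
                             if t.strip() and not t.strip().lower().endswith(r"\userinit.exe")]
        elif sec.endswith(r"currentversion\windows"):
            m = KV_RE.match(line)
            if m and m["name"].lower() == "appinit_dlls":   # loaded into every user-mode process
                findings += [("appinit_dll", d.strip()) for d in m["val"].split(",") if d.strip()]
        elif sec.endswith(r"control\lsa") and line.startswith("Notification Packages"):
            # tokens after "Notification Packages REG_MULTI_SZ"; these load inside lsass.exe
            findings += [("lsa_notification_package", p) for p in line.split()[3:]
                         if p.lower() not in LSA_NOTIFY_ALLOW]
        elif "security center" in sec and "monitoring" in sec:
            m = KV_RE.match(line)
            if m and m["name"].lower() == "disablemonitoring" and m["val"].endswith("1"):
                findings.append(("security_center_monitoring_disabled", section.rsplit("\\", 1)[-1]))

    by_stamp = defaultdict(list)
    for name, path, date, size in run_entries:
        lp = path.lower()
        if lp.endswith(".dll"):                      # a Run value naming a DLL is run via rundll32
            findings.append(("run_entry_is_dll", f"{name} -> {path}"))
        if "\\temp\\" in lp:
            findings.append(("run_entry_in_temp", f"{name} -> {path}"))
        by_stamp[(date, size)].append(name)
    for (date, size), names in by_stamp.items():
        if len(names) >= 3:                          # one dropper cloned over many autoruns
            findings.append(("run_entries_cloned", f"{date} {size} bytes: {', '.join(names)}"))
    return findings

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:38} {detail}")
```

On the full log the cloned-entry rule is what points at the file masquerade: every autorun reporting 2009-11-04 and 30720 bytes has been replaced by the same file, and the original programs survive under a name with a space before ".exe" (see the running-process list, where "AsTray .exe" and "VPTray .exe" appear).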

#12
Raktor (Member, 268 posts)
Double post, see below.

Edited by Raktor, 06 November 2009 - 02:09 AM.

  • 0

#13
Raktor (Member, 268 posts)
Please delete your current copy of Combofix from your desktop.

Download a new copy from one of the links below.

Link 1
Link 2

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Suspect::[88]
c:\windows\system32\igfxtray.exe
c:\windows\system32\igfxtray .exe
c:\program files\EeePC\ACPI\AsTray.exe
c:\program files\EeePC\ACPI\AsTray .exe

KillAll::

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=-
"HotKeysCmds"=-
"Persistence"=-
"AsusTray"=-
"AsusACPIServer"=-
"AsusEPCMonitor"=-
"vptray"=-
"jedohapoj"=-
"seyisevede"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe"
"Userinit"="c:\windows\system32\userinit.exe,"

Driver::
BtwSrv

NetSvcs::
BtwSrv


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


[Image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
  • 0
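Why the Suspect:: list above pairs each program with its " .exe" twin, as an added example that is not part of Raktor's post: the Run entries in the log all report the same date and size, and the running-process list shows "AsTray .exe", "AsAcpiSvr .exe" and "VPTray .exe" with a space before the extension, which means each original was renamed and a copy of the same file took its name. The Python below finds such pairs on a disk and groups the replacements by SHA-256, so one file cloned under many names stands out as a single hash with several paths. The directory tree it scans is constructed in a temporary folder so the example runs offline; on a real case you would point find_masqueraded() at the infected drive from a clean system or boot CD, since the infected machine itself will not let tools run, as the first post describes.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def find_masqueraded(root):
    """Walk root looking for 'name .exe' (space before the extension) next to
    'name.exe'. The spaced file is the displaced original; the unspaced one is
    whatever took its place. Returns (pairs, by_hash):
      pairs   -> [(replacement_path, displaced_original_path, sha256_of_replacement)]
      by_hash -> {sha256: [replacement paths]} so one dropper cloned under many
                 names shows up as a single hash with several paths."""
    pairs, by_hash = [], defaultdict(list)
    for dirpath, _, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        for f in files:
            stem, ext = os.path.splitext(f)
            if ext.lower() != ".exe" or not stem.endswith(" "):
                continue
            sibling = by_lower.get((stem.rstrip() + ext).lower())
            if sibling is None:
                continue
            repl = os.path.join(dirpath, sibling)
            digest = sha256_file(repl)
            pairs.append((repl, os.path.join(dirpath, f), digest))
            by_hash[digest].append(repl)
    return pairs, dict(by_hash)

def build_sample_tree():
    """Constructed data: the layout the log above implies, written to a temp dir."""
    root = tempfile.mkdtemp(prefix="masq_")
    dropper = b"MZ" + b"\x90" * 300             # stand-in for the cloned 30720-byte file
    layout = {
        "windows/system32/igfxtray .exe": b"MZ original igfxtray",
        "windows/system32/igfxtray.exe": dropper,
        "Program Files/EeePC/ACPI/AsTray .exe": b"MZ original AsTray",
        "Program Files/EeePC/ACPI/AsTray.exe": dropper,
        "Program Files/Common Files/ccApp.exe": b"MZ untouched",   # no twin: not flagged
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root

def report(root):
    """Print the pairs and any hash seen under more than one name; returns the raw results."""
    pairs, by_hash = find_masqueraded(root)
    for repl, orig, digest in pairs:
        print(f"{repl}\n    displaced original: {orig}\n    sha256: {digest[:16]}...")
    for digest, paths in by_hash.items():
        if len(paths) > 1:
            print(f"same file under {len(paths)} names ({digest[:16]}...): {', '.join(paths)}")
    return pairs, by_hash

if __name__ == "__main__":
    report(build_sample_tree())
```

The pairs are exactly what a Suspect:: block needs (the replacement to submit and remove, the " .exe" original to restore), and a hash that recurs across unrelated directories is a stronger signal than any single size or date.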

#14
jay_sohhn (Topic Starter, Member, 92 posts)
I did everything you recommended. I ran combofix and it did its thing. After it had gone through one reboot, it did another one. The problem is that after the second reboot, the computer would not get past my login screen. I would click my user icon, and it would say, "loading your personal settings" and then promptly change to, "saving settings" and "logging off." But it would stay on the "logging off" part and get stuck there. I tried restarting manually, which proved unsuccessful (same thing happened). I tried powering off and then starting up again, but with the same result. I tried starting back up on safe mode, which was unsuccessful. I also tried logging in with "last known good configuration," which was also unsuccessful.

Sorry for yet another problem!
  • 0

#15
Raktor (Member, 268 posts)
Please unplug the internet connection to your infected computer now, and do not reconnect it until advised to

1. Restart your computer
2. Before Windows loads, you will be prompted to choose which Operating System to start
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press enter.
5. At the C:\Windows prompt, type the following bolded text, and press Enter:

cd erdnt\subs

6. At the next prompt, type the following bolded text, and press Enter:

batch erdnt.con

7. The erunt backups will begin copying.
8. At the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading.

Edited by Raktor, 07 November 2009 - 01:04 AM.

  • 0





