Windows Police Pro
#16
Posted 08 November 2009 - 10:44 AM
#17
Posted 08 November 2009 - 07:09 PM
1. Restart your computer.
2. Before Windows loads, you will be prompted to choose which Operating System to start.
3. Use the up and down arrow keys to select Microsoft Windows Recovery Console.
4. You must enter which Windows installation to log onto. Type 1 and press Enter.
5. At the C:\Windows prompt, type the following text, and press Enter:
cd erdnt\hiv-backup
6. At the next prompt, type the following text, and press Enter:
batch erdnt.con
7. The ERUNT backups will begin copying.
8. At the next prompt, type the following text, and press Enter:
exit
Windows will now begin loading.
#18
Posted 10 November 2009 - 10:59 PM
ComboFix 09-11-09.02 - Amy Chen 11/10/2009 23:39.4.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.371 [GMT -5:00]
Running from: c:\documents and settings\Amy Chen\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Amy Chen\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
* Created a new restore point
file zipped: c:\windows\system32\igfxtray.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Amy Chen\rthdcpl.exe
c:\windows\Install.txt
c:\windows\rcdrive32 .exe
c:\windows\system32\ctfmon .exe
c:\windows\system32\ctfmon.exe.tmp
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxpers .exe
c:\windows\system32\igfxtray .exe
c:\windows\system32\Install.txt
c:\windows\system32\rthdcpl.exe
c:\windows\TEMP\mta13187.dll
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\90489939
c:\documents and settings\All Users\Application Data\90489939\90489939.bat
c:\documents and settings\All Users\Application Data\90489939\90489939.exe
c:\documents and settings\Amy Chen\alcmtr.exe
c:\documents and settings\Amy Chen\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk
c:\documents and settings\Amy Chen\Desktop\Advanced Virus Remover.lnk
c:\documents and settings\Amy Chen\Desktop\exeHelper.com
c:\documents and settings\Amy Chen\ntuser.dll
c:\documents and settings\Amy Chen\rthdcpl .exe
c:\documents and settings\Amy Chen\rthdcpl.exe
c:\documents and settings\Amy Chen\Start Menu\Advanced Virus Remover.lnk
c:\documents and settings\Amy Chen\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\Amy Chen\Start Menu\Programs\Startup\scandisk.lnk
C:\ldvx.exe
c:\program files\ewmnru\ibpmsysguard.exe
c:\program files\ewmnru\ibpmsysguard.exe145
c:\program files\ewmnru\ibpmsysguard.exe147
c:\program files\xhonsl\yqspsysguard.exe
c:\program files\xhonsl\yqspsysguard.exe126
c:\program files\xhonsl\yqspsysguard.exe143
c:\recycler\S-1-5-21-0243556031-888888379-781863308-1455
c:\recycler\S-1-5-21-6840411219-3145855342-124954199-7283
c:\windows\Install.txt
c:\windows\msa.exe
c:\windows\rcdrive32 .exe
c:\windows\system32\~.exe
c:\windows\system32\41.exe
c:\windows\system32\bametusi.dll
c:\windows\system32\bebaluno.dll
c:\windows\system32\ctfmon .exe
c:\windows\system32\fonoriga.dll
c:\windows\system32\h2w8l.dll
c:\windows\system32\hagebuzi.exe
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxpers .exe
c:\windows\system32\igfxtray .exe
c:\windows\system32\Install.txt
c:\windows\system32\kenayiba.dll
c:\windows\system32\kusewovi.dll.tmp
c:\windows\system32\logon.exe
c:\windows\system32\migitiho.dll
c:\windows\system32\nakuteye.dll
c:\windows\system32\rthdcpl.exe
c:\windows\system32\tavahozu.dll
c:\windows\system32\tosikuli.dll
c:\windows\system32\turenugu.dll.tmp
c:\windows\system32\vamegeye.dll
c:\windows\system32\viwawobi.dll.tmp
c:\windows\system32\yiyigini.dll
c:\windows\system32\zasepago.exe
c:\windows\system32\zevofito.dll
c:\windows\TEMP\mta13187.dll
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_BTWSRV
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_BtwSrv
-------\Legacy_BTWSRV
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_BtwSrv
((((((((((((((((((((((((( Files Created from 2009-10-11 to 2009-11-11 )))))))))))))))))))))))))))))))
.
2011-02-27 04:02 . 2009-10-29 13:31 -------- d-----w- c:\program files\Elantech
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-19 18:34 . 2010-02-19 18:34 -------- d-----w- c:\program files\microsoft frontpage
2010-02-19 18:34 . 2010-02-19 18:33 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-19 18:32 . 2010-02-19 18:32 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-11-11 04:48 . 2009-11-11 04:48 30720 ----a-w- c:\documents and settings\Amy Chen\rthdcpl.exe
2009-11-11 04:36 . 2009-06-04 05:45 -------- d-----w- c:\program files\Symantec AntiVirus
2009-11-11 04:17 . 2009-11-07 04:23 30720 ----a-w- c:\windows\rcdrive32.exe
2009-11-11 04:17 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\igfxpers.exe
2009-11-11 04:17 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\hkcmd.exe
2009-11-11 04:17 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\igfxtray.exe
2009-11-07 04:49 . 2009-10-29 13:47 -------- d-----w- c:\program files\xhonsl
2009-11-07 04:49 . 2009-10-31 14:06 -------- d-----w- c:\program files\ewmnru
2009-11-04 14:48 . 2009-11-04 14:48 0 ----a-r- c:\windows\win32k.sys
2009-10-28 17:47 . 2009-10-09 03:45 407062 ----a-w- c:\windows\system32\raidmg.dll
2009-10-26 14:59 . 2009-10-26 14:59 0 ----a-w- c:\documents and settings\Amy Chen\settings.dat
2009-10-26 14:56 . 2009-06-07 16:21 -------- d-----w- c:\documents and settings\Amy Chen\Application Data\U3
2009-10-10 00:33 . 2010-02-19 17:21 14336 ------w- c:\windows\system32\svchost.exe
2009-10-09 03:45 . 2009-10-09 03:45 98304 ----a-w- c:\windows\system32\kbdatat4.dll
2009-09-24 04:55 . 2009-02-19 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-14 01:57 . 2009-06-03 15:38 92344 ----a-w- c:\documents and settings\Amy Chen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-14 01:57 . 2009-09-14 01:57 126970 ----a-w- c:\documents and settings\Amy Chen\Application Data\Move Networks\uninstall.exe
2009-09-14 01:57 . 2009-07-20 20:37 -------- d-----w- c:\documents and settings\Amy Chen\Application Data\Move Networks
2009-09-14 01:57 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Amy Chen\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-09-11 14:18 . 2010-02-19 17:21 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2010-02-19 17:21 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 03:51 . 2009-09-01 03:51 152576 ----a-w- c:\documents and settings\Amy Chen\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-29 08:08 . 2010-02-19 17:21 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2010-02-19 17:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2008-05-07 08:34 . 2009-02-19 19:07 15523560 ----a-w- c:\program files\U1 Setup.exe
.
------- Sigcheck -------
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . D9F19E78F98834CB411D6AD3C68D181A . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot_2009-10-29_13.31.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-11 04:47 . 2009-11-11 04:47 16384 c:\windows\temp\Perflib_Perfdata_244.dat
+ 2008-04-14 12:00 . 2008-04-14 12:00 87552 c:\windows\system32\wmdtc.exe
+ 2010-02-19 17:21 . 2009-11-11 04:28 71810 c:\windows\system32\perfc009.dat
- 2010-02-19 17:21 . 2009-10-28 18:31 71810 c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2008-04-14 12:00 87552 c:\windows\system32\opeia.exe
+ 2008-04-14 12:00 . 2008-04-14 12:00 36864 c:\windows\system32\lsm32.sys
+ 2008-04-14 12:00 . 2008-04-14 12:00 45056 c:\windows\system32\FastNetSrv.exe
+ 2009-02-19 20:51 . 2009-11-07 04:19 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-19 20:51 . 2009-10-28 18:12 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-19 20:51 . 2009-10-28 18:12 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-19 20:51 . 2009-11-07 04:19 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-26 14:48 . 2009-11-07 04:19 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-10-26 14:48 . 2009-10-28 17:30 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-10-31 13:55 . 2009-11-07 04:19 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-14 12:00 . 2008-04-14 12:00 45568 c:\windows\system32\BtwSrv.dll
- 2007-07-27 14:41 . 2007-07-27 14:41 16760 c:\windows\SoftwareDistribution\Download\aadd6ccc4585cbf4ee04287eb0e679df\spmsg.dll
- 2009-10-28 18:12 . 2009-08-29 08:01 12800 c:\windows\SoftwareDistribution\Download\9e56f14e7203556d1448d8e8d058de0f\SP3QFE\xpshims.dll
- 2009-10-28 18:13 . 2009-08-29 08:01 25600 c:\windows\SoftwareDistribution\Download\9e56f14e7203556d1448d8e8d058de0f\SP3QFE\jsproxy.dll
- 2009-10-28 18:12 . 2009-08-29 08:08 12800 c:\windows\SoftwareDistribution\Download\9e56f14e7203556d1448d8e8d058de0f\SP3GDR\xpshims.dll
- 2009-10-28 18:13 . 2009-08-29 08:08 25600 c:\windows\SoftwareDistribution\Download\9e56f14e7203556d1448d8e8d058de0f\SP3GDR\jsproxy.dll
- 2009-09-04 20:57 . 2009-09-04 20:57 58880 c:\windows\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\sp3qfe\msasn1.dll
- 2009-09-04 21:03 . 2009-09-04 21:03 58880 c:\windows\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\sp3gdr\msasn1.dll
+ 2009-10-29 14:02 . 2009-10-29 14:02 47616 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLiveWriter\6e2e535510bede2ff7c15d8ae53098c0\WindowsLiveWriter.ni.exe
+ 2009-11-07 04:47 . 2009-11-07 04:47 99840 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\a0a93ff86fb946104e90221f5791eb91\WindowsLive.Writer.Api.ni.dll
+ 2009-11-07 04:46 . 2009-11-07 04:46 15872 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualC\1ded203bd27031c3a5e3441f94b528c0\Microsoft.VisualC.ni.dll
+ 2009-11-07 04:47 . 2009-11-07 04:47 74752 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\c5d504724d7f351b1d034615dbb72a2a\Microsoft.Build.Framework.ni.dll
+ 2009-11-07 04:47 . 2009-11-07 04:47 14336 c:\windows\assembly\NativeImages_v2.0.50727_32\dfsvc\a664ccab020f93f1d533919f57131190\dfsvc.ni.exe
+ 2009-10-29 13:35 . 2009-10-29 13:35 25600 c:\windows\assembly\NativeImages_v2.0.50727_32\Accessibility\e63d6d26b8a664cfdfbd4ad75e03c14d\Accessibility.ni.dll
+ 2010-02-19 17:21 . 2009-11-11 04:28 442024 c:\windows\system32\perfh009.dat
- 2010-02-19 17:21 . 2009-10-28 18:31 442024 c:\windows\system32\perfh009.dat
+ 2009-11-07 04:37 . 2008-09-12 05:32 327192 c:\windows\system32\drivers\iaStor.sys
- 2010-02-19 17:21 . 2008-09-12 05:32 327192 c:\windows\system32\drivers\iaStor.sys
- 2009-10-28 18:13 . 2009-05-26 11:40 382840 c:\windows\SoftwareDistribution\Download\fbdd9f75315c1cf9ff63f37aaca267d3\update\updspapi.dll
- 2009-10-28 18:12 . 2009-05-26 11:40 382840 c:\windows\SoftwareDistribution\Download\e15760431e46367ca5a3dfd40a9d03e3\update\updspapi.dll
- 2009-10-28 18:13 . 2009-05-26 11:40 382840 c:\windows\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\update\updspapi.dll
- 2009-04-02 03:02 . 2009-04-02 03:02 604160 c:\windows\SoftwareDistribution\Download\aadd6ccc4585cbf4ee04287eb0e679df\wm11\wmspdmod.dll
- 2009-04-10 05:01 . 2009-04-10 05:01 530280 c:\windows\SoftwareDistribution\Download\aadd6ccc4585cbf4ee04287eb0e679df\wm10\wmspdmod.dll
- 2007-07-27 14:41 . 2007-07-27 14:41 382840 c:\windows\SoftwareDistribution\Download\aadd6ccc4585cbf4ee04287eb0e679df\update\updspapi.dll
- 2009-10-28 18:12 . 2009-05-26 11:40 382840 c:\windows\SoftwareDistribution\Download\9e56f14e7203556d1448d8e8d058de0f\update\updspapi.dll
- 2009-10-28 18:12 . 2009-08-29 08:01 916480 c:\windows\SoftwareDistribution\Download\9e56f14e7203556d1448d8e8d058de0f\SP3QFE\wininet.dll
- 2009-10-28 18:12 . 2009-08-29 08:01 184320 c:\windows\SoftwareDistribution\Download\9e56f14e7203556d1448d8e8d058de0f\SP3QFE\iepeers.dll
- 2009-10-28 18:12 . 2009-08-29 08:08 916480 c:\windows\SoftwareDistribution\Download\9e56f14e7203556d1448d8e8d058de0f\SP3GDR\wininet.dll
- 2009-10-28 18:12 . 2009-08-29 08:08 184320 c:\windows\SoftwareDistribution\Download\9e56f14e7203556d1448d8e8d058de0f\SP3GDR\iepeers.dll
- 2009-10-28 18:13 . 2009-05-26 11:40 382840 c:\windows\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\update\updspapi.dll
- 2009-10-28 18:09 . 2009-05-26 11:40 382840 c:\windows\SoftwareDistribution\Download\8fa1ad7968e63408057364ad07aa482c\update\updspapi.dll
- 2009-10-28 18:13 . 2009-05-26 11:40 382840 c:\windows\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\update\updspapi.dll
- 2009-10-28 18:09 . 2009-05-26 11:40 382840 c:\windows\SoftwareDistribution\Download\71668abe67b6d77ebac6750f25908a6e\update\updspapi.dll
- 2009-10-28 18:13 . 2009-05-26 11:40 382840 c:\windows\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\update\updspapi.dll
+ 2009-11-07 04:47 . 2009-11-07 04:47 321536 c:\windows\assembly\NativeImages_v2.0.50727_32\WsatConfig\e2098e43d115155d6ba91ba3a7e577cf\WsatConfig.ni.exe
+ 2009-11-07 04:47 . 2009-11-07 04:47 627712 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLiveLocal.Wr#\e5fa3693acb5b4c1790edff45ee18351\WindowsLiveLocal.WriterPlugin.ni.dll
+ 2009-11-07 04:47 . 2009-11-07 04:47 118784 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\fa99a5d10584b4d2d8836396e512fbfb\WindowsLive.Writer.Extensibility.ni.dll
+ 2009-10-29 14:05 . 2009-10-29 14:05 174080 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\f82f25e143c306491dcfdcea845ada91\WindowsLive.Writer.BrowserControl.ni.dll
+ 2009-11-07 04:46 . 2009-11-07 04:46 258048 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\f013d5f8178aea1f66ce25eb59f2dcfe\WindowsLive.Writer.Mshtml.ni.dll
+ 2009-11-07 04:47 . 2009-11-07 04:47 594944 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\df6d8f820d3e6270a946e81d0524a7f4\WindowsLive.Writer.HtmlEditor.ni.dll
+ 2009-10-29 14:02 . 2009-10-29 14:02 843776 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\cf709e807175721fbfa4809a21142a51\WindowsLive.Writer.Controls.ni.dll
+ 2009-11-04 15:16 . 2009-11-04 15:16 152064 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\c68b6c592966c7a2b975a8baf71b1703\WindowsLive.Writer.HtmlParser.ni.dll
+ 2009-11-07 04:46 . 2009-11-07 04:46 108544 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\c25eea93a159ff547be11a457a656548\WindowsLive.Writer.Passport.ni.dll
+ 2009-11-07 04:46 . 2009-11-07 04:46 428032 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\8579b5b4f162eb3f960302b9499508ab\WindowsLive.Writer.Localization.ni.dll
+ 2009-11-04 15:16 . 2009-11-04 15:16 334848 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\69801f07023bb93335d7b2ee1d9f06f9\WindowsLive.Writer.Interop.Mshtml.ni.dll
+ 2009-11-07 04:47 . 2009-11-07 04:47 851968 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\5e2e32999db49ca703dde8cdb853e307\WindowsLive.Writer.BlogClient.ni.dll
+ 2009-11-07 04:47 . 2009-11-07 04:47 119296 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\590e62c09e8ce5cae4a887d2d873d82d\WindowsLive.Writer.FileDestinations.ni.dll
+ 2009-10-29 14:04 . 2009-10-29 14:04 319488 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\56562b3fab90b3b5d4ac6931118d8b3f\WindowsLive.Writer.Interop.ni.dll
+ 2009-10-29 14:05 . 2009-10-29 14:05 313856 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\551d4211cde9574615ad847741667699\WindowsLive.Writer.Interop.SHDocVw.ni.dll
+ 2009-11-07 04:47 . 2009-11-07 04:47 117760 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\26307209b32171fbdf5c0bac64eac6f7\WindowsLive.Writer.Instrumentation.ni.dll
+ 2009-11-07 04:47 . 2009-11-07 04:47 322048 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\12069ef1883e43e5a8ff387d5503ffae\WindowsLive.Writer.SpellChecker.ni.dll
+ 2009-11-07 04:47 . 2009-11-07 04:47 145920 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Client\e24024d52bd85aeadcea859acf2f10d7\WindowsLive.Client.ni.dll
+ 2009-11-07 04:46 . 2009-11-07 04:46 202240 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\b5f1b8791e6c47e5bd5e7018c346c586\System.Web.RegularExpressions.ni.dll
+ 2009-11-07 04:46 . 2009-11-07 04:46 625664 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\9d58688a10292063636c86442d29ee9c\System.Transactions.ni.dll
+ 2009-11-07 04:46 . 2009-11-07 04:46 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\1f61bccb700d687775cf778dd77752e9\System.ServiceProcess.ni.dll
+ 2009-10-29 14:03 . 2009-10-29 14:03 676352 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Security\a9e9b885a6601469c4058375cc74d856\System.Security.ni.dll
+ 2009-10-29 14:03 . 2009-10-29 14:03 311296 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\9bc34a79af9c3ed2cf17a0226c769b4c\System.Runtime.Serialization.Formatters.Soap.ni.dll
+ 2009-11-07 04:46 . 2009-11-07 04:46 771584 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\af21e3011fb4e107b13ea5c40c351ec4\System.Runtime.Remoting.ni.dll
+ 2009-10-29 13:35 . 2009-10-29 13:35 381440 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IO.Log\6c273eb9d1ee8b66b5ecb073de4b785d\System.IO.Log.ni.dll
+ 2009-10-29 13:35 . 2009-10-29 13:35 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityMode#\7222db518afb4eaaa138824278249bc7\System.IdentityModel.Selectors.ni.dll
+ 2009-11-07 04:46 . 2009-11-07 04:46 455680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\a601f47a98ee67df424685c9a66ea449\System.DirectoryServices.Protocols.ni.dll
+ 2009-10-29 14:02 . 2009-10-29 14:02 971264 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\7c743462baccf29b3567b0e3ec9ac134\System.Configuration.ni.dll
+ 2009-11-07 04:46 . 2009-11-07 04:46 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\443e3a85c491b2de4a2ac654cb957484\System.Configuration.Install.ni.dll
+ 2009-11-07 04:47 . 2009-11-07 04:47 366080 c:\windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\6af32fe5cbec0aa54e2efa6910c73651\SMSvcHost.ni.exe
+ 2009-11-07 04:47 . 2009-11-07 04:47 256000 c:\windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\7602d7687fb9bd21cd9ae60d2b187c99\SMDiagnostics.ni.dll
+ 2009-11-07 04:47 . 2009-11-07 04:47 320512 c:\windows\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\a23dc25782df04533a13e348203e4dc5\ServiceModelReg.ni.exe
+ 2009-11-07 04:47 . 2009-11-07 04:47 133632 c:\windows\assembly\NativeImages_v2.0.50727_32\MSBuild\eade8c1c9c1e8e5ffb50e6c9b9af0f6a\MSBuild.ni.exe
+ 2009-11-07 04:47 . 2009-11-07 04:47 386560 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\fc4d66e0a92b3767006a84f2519d2457\Microsoft.Transactions.Bridge.Dtc.ni.dll
+ 2009-11-07 04:47 . 2009-11-07 04:47 376320 c:\windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\382cc2ce9fcd975eed81a7183c2d8f81\ComSvcConfig.ni.exe
+ 2009-10-29 13:35 . 2009-10-29 13:35 842240 c:\windows\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\85d7c111956b478766d90625b35d963f\AspNetMMCExt.ni.dll
- 2009-10-28 18:09 . 2009-08-04 13:54 2145280 c:\windows\SoftwareDistribution\Download\8fa1ad7968e63408057364ad07aa482c\SP3QFE\ntkrnlmp.exe
- 2009-10-28 18:09 . 2009-08-04 15:13 2145280 c:\windows\SoftwareDistribution\Download\8fa1ad7968e63408057364ad07aa482c\SP3GDR\ntkrnlmp.exe
- 2009-10-28 18:09 . 2009-08-04 12:49 2142720 c:\windows\SoftwareDistribution\Download\8fa1ad7968e63408057364ad07aa482c\SP2QFE\ntkrnlmp.exe
+ 2009-11-07 04:47 . 2009-11-07 04:47 1105920 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\6acc6f61fe15553bdb89e21a6a720578\WindowsLive.Writer.ApplicationFramework.ni.dll
+ 2009-10-29 14:04 . 2009-10-29 14:04 2002944 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\1f8439062cab1a14f351974092e09e16\WindowsLive.Writer.CoreServices.ni.dll
+ 2009-10-29 14:02 . 2009-10-29 14:02 6392832 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\0b96d8eb446d23637b38c72e2215d0ff\WindowsLive.Writer.PostEditor.ni.dll
+ 2009-11-07 04:46 . 2009-11-07 04:46 1838080 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\ee59632d392e85b5a0b10ed2f9cdaa34\System.Web.Services.ni.dll
+ 2009-10-29 13:58 . 2009-10-29 13:58 2338304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\67ad55827f2542552b576170f0a7dc56\System.Runtime.Serialization.ni.dll
+ 2009-10-29 13:35 . 2009-10-29 13:35 1056768 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\c3b18fef5c6dc3bcdbe5df699fd21a55\System.IdentityModel.ni.dll
+ 2009-11-07 04:46 . 2009-11-07 04:46 1116672 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\f47ebb9db460874b1bcbfc391dc970b1\System.DirectoryServices.ni.dll
+ 2009-10-29 14:03 . 2009-10-29 14:03 1801216 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Deployment\c94a427baa7683f4221b91f90c18461b\System.Deployment.ni.dll
+ 2009-10-29 14:03 . 2009-10-29 14:03 2510336 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.SqlXml\272152f0cc139490729e215611a4b244\System.Data.SqlXml.ni.dll
+ 2009-11-07 04:46 . 2009-11-07 04:46 1115136 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.OracleC#\e5b1899d48f01303824dc96ecf877b42\System.Data.OracleClient.ni.dll
+ 2009-11-07 04:47 . 2009-11-07 04:47 1093120 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\f19e9b439636d0744597fff1331cad04\Microsoft.Transactions.Bridge.ni.dll
- 2009-10-28 18:12 . 2009-08-29 08:08 11069440 c:\windows\SoftwareDistribution\Download\9e56f14e7203556d1448d8e8d058de0f\SP3GDR\ieframe.dll
+ 2009-11-07 04:46 . 2009-11-07 04:46 11794944 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\4f02f14c2268762d5d05b3227276f309\System.Web.ni.dll
+ 2009-10-29 14:01 . 2009-10-29 14:01 17317888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\06d6eab93282d2b136a377bd50b7c5a9\System.ServiceModel.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4e232aa-bd80-4ce2-896f-f0b02c7accc7}]
fupipivo.dll [BU]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2008-04-14 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-06-24 53096]
"Microsoft Driver Setup"="c:\windows\rcdrive32.exe" [2009-11-11 30720]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-02-13 17508864]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-2 604776]
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-2-19 376832]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [4/14/2008 7:00 AM 45056]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2/19/2009 2:22 PM 55136]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 8:09 PM 11032]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/30/2008 4:41 PM 116664]
R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [2/19/2009 2:02 PM 10752]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/31/2009 10:49 PM 102448]
R3 Ktp;Elantech Smart-Pad;c:\windows\system32\drivers\ETD.sys [7/31/2008 9:24 PM 93696]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [11/4/2008 4:28 AM 38400]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/19/2009 1:56 PM 1684736]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [12/8/2008 5:01 PM 533344]
--- Other Services/Drivers In Memory ---
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\Amy Chen\Application Data\Mozilla\Firefox\Profiles\6qm4eeji.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Amy Chen\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
SharedTaskScheduler-<NO NAME> - (no file)
SharedTaskScheduler-{2ecf8c98-2d82-409d-a89f-a5d9b15415cd} - c:\windows\system32\kenayiba.dll
SSODL-nimejewet-{2ecf8c98-2d82-409d-a89f-a5d9b15415cd} - c:\windows\system32\kenayiba.dll
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-10 23:49
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\Install.txt
c:\windows\system32\Install.txt 268 bytes
scan completed successfully
hidden files: 2
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,96,44,2c,d8,a1,66,c2,4f,93,d6,8e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,96,44,2c,d8,a1,66,c2,4f,93,d6,8e,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(700)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wmdtc.exe
.
**************************************************************************
.
Completion time: 2009-11-11 23:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-11 04:54
ComboFix2.txt 2009-11-04 15:31
ComboFix3.txt 2009-10-29 13:36
ComboFix4.txt 2009-10-28 18:12
Pre-Run: 28,139,474,944 bytes free
Post-Run: 27,921,182,720 bytes free
- - End Of File - - 120240EE58F7F10AC6C26B65A210EC7A
#19
Posted 10 November 2009 - 11:10 PM
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Open Notepad and copy/paste the text in the quote box below into it:
KillAll::
File::
c:\windows\system32\opeia.exe
c:\windows\system32\wmdtc.exe
c:\windows\system32\lsm32.sys
c:\windows\system32\FastNetSrv.exe
c:\windows\system32\BtwSrv.dll
c:\windows\system32\msv1_0.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msasn1.dll
c:\program files\U1 Setup.exe
c:\documents and settings\Amy Chen\rthdcpl.exe
c:\windows\rcdrive32.exe
c:\windows\system32\igfxpers.exe
c:\windows\system32\hkcmd.exe
c:\windows\system32\igfxtray.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4e232aa-bd80-4ce2-896f-f0b02c7accc7}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Driver Setup"=-
Driver::
fastnetsrv
FCopy::
c:\windows\system32\dllcache\svchost.exe | c:\windows\system32\svchost.exe
c:\windows\system32\dllcache\tcpip.sys | c:\windows\system32\drivers\tcpip.sys
Save this as "CFScript.txt", and as Type: All Files (*.*), in the same location as ComboFix.exe.
4. Reconnect your internet.
5. Referring to the picture above, drag CFScript into ComboFix.exe
6. Once ComboFix has updated, and started to run its scans, unplug the internet connection again, and keep it unplugged until further notice.
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
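As an added example for this thread (it is not ComboFix's code and was not posted by anyone in the thread), here is a small Python triage script run over lines copied from the log in post #18 and the CFScript in post #19. It flags the indicators a responder would want to check by hand: file names with a space before the extension (`ctfmon .exe`), several differently named executables sharing one exact byte size (the five 30720-byte files), timestamps later than the scan itself, Sigcheck rows marked `[-]` together with the other copies of that version that could serve as a restore source, and any `File::` or `FCopy::` target in the CFScript that the parsed log lines never mention. The heuristics and thresholds are the editor's assumptions. The "now" used for the timestamp check is the scan's completion time in UTC (04:54), because the file listings are stamped in UTC while the header shows local GMT-5 time. The sample deliberately omits the log's SnapShot section, so `opeia.exe` comes out as unevidenced even though the full log lists it; that is the check doing its job on partial input.

```python
"""Triage a ComboFix log and cross-check the CFScript written against it.

Added example for this thread; not ComboFix's code, heuristics are the editor's.
Sample lines are copied from the log and CFScript posted above (a subset).
"""
import re
from collections import defaultdict
from datetime import datetime

# Scan completion in UTC: the log's file listings are UTC, the header is GMT-5.
NOW = datetime(2009, 11, 11, 4, 54)

# Paths from the "Other Deletions" section (subset).
DELETED = [
    r"c:\windows\rcdrive32 .exe",
    r"c:\windows\system32\ctfmon .exe",
    r"c:\windows\system32\hkcmd .exe",
    r"c:\windows\system32\rthdcpl.exe",
]

# Find3M lines (subset): "<mtime> . <ctime> <size|--------> <attrs> <path>"
FIND3M = r"""
2010-02-19 18:32 . 2010-02-19 18:32 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-11-11 04:48 . 2009-11-11 04:48 30720 ----a-w- c:\documents and settings\Amy Chen\rthdcpl.exe
2009-11-11 04:17 . 2009-11-07 04:23 30720 ----a-w- c:\windows\rcdrive32.exe
2009-11-11 04:17 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\igfxpers.exe
2009-11-11 04:17 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\hkcmd.exe
2009-11-11 04:17 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\igfxtray.exe
2009-10-10 00:33 . 2010-02-19 17:21 14336 ------w- c:\windows\system32\svchost.exe
2009-09-11 14:18 . 2010-02-19 17:21 136192 ----a-w- c:\windows\system32\msv1_0.dll
"""

# Sigcheck lines: "[flag] <date> . <MD5> . <size> . . [<version>] . . <path>"
SIGCHECK = r"""
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . D9F19E78F98834CB411D6AD3C68D181A . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
"""

# CFScript from post #19 (subset of the File:: section).
CFSCRIPT = r"""
KillAll::
File::
c:\windows\system32\opeia.exe
c:\windows\system32\msv1_0.dll
c:\windows\rcdrive32.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4e232aa-bd80-4ce2-896f-f0b02c7accc7}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Driver Setup"=-
Driver::
fastnetsrv
FCopy::
c:\windows\system32\dllcache\tcpip.sys | c:\windows\system32\drivers\tcpip.sys
"""

FIND3M_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
                       r"(-{8}|\d+) (\S+) (.+)$")
SIGCHECK_RE = re.compile(r"^\[(.)\] \S+ \. ([0-9A-F]{32}) \. (\d+) \. \. \[([^\]]+)\] \. \. (.+)$")


def parse_find3m(text):
    """Return (mtime, ctime, size, path) tuples; size is None for directories."""
    out = []
    for line in text.strip().splitlines():
        m = FIND3M_RE.match(line)
        if m:
            mtime, ctime, size, _attrs, path = m.groups()
            out.append((datetime.strptime(mtime, "%Y-%m-%d %H:%M"),
                        datetime.strptime(ctime, "%Y-%m-%d %H:%M"),
                        None if size.startswith("-") else int(size), path))
    return out


def spaced_extensions(paths):
    """'ctfmon .exe': a space before the extension mimics a real binary's name
    while leaving the genuine ctfmon.exe in place beside it."""
    return [p for p in paths if re.search(r"\S \.[A-Za-z0-9]+$", p)]


def size_clusters(records, min_count=3):
    """Distinct .exe names sharing one exact byte size: one dropper body copied
    over several legitimate-looking names (threshold is an assumption)."""
    by_size = defaultdict(set)
    for _m, _c, size, path in records:
        if size and path.lower().endswith(".exe"):
            by_size[size].add(path.rsplit("\\", 1)[-1].lower())
    return {s: sorted(n) for s, n in by_size.items() if len(n) >= min_count}


def future_timestamps(records, now):
    """mtime or ctime after the scan finished: a wrong clock or a timestomped file."""
    return [path for m, c, _s, path in records if m > now or c > now]


def sigcheck_mismatches(text):
    """Rows ComboFix marked [-], mapped to other copies of the same version whose
    hash differs (candidate restore sources, e.g. the dllcache copy)."""
    rows = [SIGCHECK_RE.match(l).groups() for l in text.strip().splitlines()
            if SIGCHECK_RE.match(l)]
    return {path: [(p, h) for f, h, s, v, p in rows if v == ver and p != path and h != md5]
            for flag, md5, size, ver, path in rows if flag == "-"}


def parse_cfscript(text):
    """Split a CFScript into its 'Name::' sections -> list of entry lines."""
    sections, current = defaultdict(list), None
    for line in text.strip().splitlines():
        if line.endswith("::"):
            current = line[:-2]
        elif current is not None and line.strip():
            sections[current].append(line.strip())
    return sections


def unevidenced_targets(script, known_paths):
    """File:: entries and FCopy:: destinations no parsed log line mentions.
    Re-check these before letting the script delete or overwrite them."""
    known = {p.lower() for p in known_paths}
    targets = list(script.get("File", []))
    targets += [l.split("|", 1)[1].strip() for l in script.get("FCopy", []) if "|" in l]
    return [t for t in targets if t.lower() not in known]


def triage():
    """Run every check on the embedded samples and return the findings."""
    records = parse_find3m(FIND3M)
    known = [r[3] for r in records] + DELETED + [
        SIGCHECK_RE.match(l).group(5) for l in SIGCHECK.strip().splitlines()
        if SIGCHECK_RE.match(l)]
    return {"spaced": spaced_extensions(DELETED),
            "clusters": size_clusters(records),
            "future": future_timestamps(records, NOW),
            "sigcheck": sigcheck_mismatches(SIGCHECK),
            "unevidenced": unevidenced_targets(parse_cfscript(CFSCRIPT), known)}


if __name__ == "__main__":
    for name, finding in triage().items():
        print(f"{name}: {finding}")
```

Feed the real log by replacing the three sample strings with the corresponding sections of C:\ComboFix.txt and the CFScript; the size-cluster threshold and the "future" cut-off are the two knobs worth adjusting per case.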
#20
Posted 11 November 2009 - 04:36 PM
#21
Posted 11 November 2009 - 09:51 PM
c:
cd \windows\system32
ren svchost.exe svchost.old
copy "c:\qoobox\quarantine\c\windows\system32\svchost.exe" "c:\windows\system32\svchost.exe"
copy "c:\qoobox\quarantine\c\windows\system32\wininet.dll" "c:\windows\system32\wininet.dll"
exit
Edited by Raktor, 12 November 2009 - 04:28 AM.
#22
Posted 12 November 2009 - 12:57 PM
#23
Posted 13 November 2009 - 06:44 AM
c:
copy "c:\qoobox\quarantine\c\windows\system32\svchost.exe.vir" "c:\windows\system32\svchost.exe"
copy "c:\qoobox\quarantine\c\windows\system32\wininet.dll.vir" "c:\windows\system32\wininet.dll"
exit
Also, see if you can disable automatic reboot on blue screen in the F8 menu on boot; then you can provide me with the STOP error code if it is still bluescreening after this.
#24
Posted 13 November 2009 - 11:19 AM
1) went to windows recovery console
2) when it asked me "which windows installation would you like to log onto", I entered 1 for C:\WINDOWS.
3) at the C:\WINDOWS> prompt I entered C:
4) at the next C:\WINDOWS> prompt I entered copy "c:\qoobox\quarantine\c\windows\system32\svchost.exe.vir" "c:\windows\system32\svchost.exe"
When I performed the last step, I got the message "Access is denied."
Whew, sorry for all the problems!
#25
Posted 14 November 2009 - 07:27 PM
dir c:\atapi.sys /s
I need a copy of the output from this, except there's no simple way to transfer it from Recovery Console, so I'm going to need you to type it up.
Remember, I'm here as long as you want me to keep trying, but if ever you want to reformat, just give the word.
#26
Posted 14 November 2009 - 09:42 PM
The volume in drive C has no label
The volume Serial Number is f48f-490d
Directory of c:\atapi.sys\s
So based on your last response, what exactly would reformatting entail? Wiping out all programs and files and stuff on the computer? If I opt not to do that, is there any hope at all of getting my computer back to normal?
Thanks for all your patience.
#27
Posted 14 November 2009 - 09:47 PM
We could most likely recover your data, but not programs.
#28
Posted 20 November 2009 - 11:36 AM
I tried it with a space and slash the other way. The result? "The parameter is not valid." One question: If it were your own computer, what would you do? Would you reformat? Or would you keep going with the debugging effort? I'm ok with either. Which method would be best given the circumstances? Thanks for all your patience and efforts.
#29
Posted 20 November 2009 - 04:41 PM
If you want to format...
a) Do you have the Windows XP CD?
b) Do you have any driver CDs from your hardware manufacturers?
c) Do you have relevant software installation CDs?
d) Do you need any data backed up before wiping the machine?
#30
Posted 21 November 2009 - 01:00 PM
1) Do I have the Windows XP CD? Yes, I do.
2) Do I have driver CD's from manufacturer? No, I don't.
3) Do I have relevant software installation CD's? Yes, I do.
4) Do I need any data backed up before wiping machine? Yes, I do. I suppose I could just save it onto my own external hard drive? Or not?
Thanks!