Windows Police Pro



#16
jay_sohhn


  • Topic Starter
  • Member
  • 92 posts
OK, I tried your recommendations, but I still can't get past the login screen. I'm still at the Welcome screen and when I click on the username to log in, it says "loading your personal settings" and then promptly goes to "logging off."


#17
Raktor


  • Member
  • 268 posts
Try this one then. :)

1. Restart your computer.
2. Before Windows loads, you will be prompted to choose which Operating System to start.
3. Use the up and down arrow keys to select Microsoft Windows Recovery Console.
4. You must enter which Windows installation to log onto. Type 1 and press enter.
5. At the C:\Windows prompt, type the following bolded text, and press Enter:

cd erdnt\hiv-backup

6. At the next prompt, type the following bolded text, and press Enter:

batch erdnt.con

7. The erunt backups will begin copying.
8. At the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading.

#18
jay_sohhn


  • Topic Starter
  • Member
  • 92 posts
Excellent, your suggestions worked. When I went to c:\combofix.txt the txt file was incomplete, so I ran ComboFix again as per your last suggestion on November 6. I used what was in the quote box from your post then. Here's the text file from my run today.

ComboFix 09-11-09.02 - Amy Chen 11/10/2009 23:39.4.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.371 [GMT -5:00]
Running from: c:\documents and settings\Amy Chen\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Amy Chen\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
* Created a new restore point

file zipped: c:\windows\system32\igfxtray.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Amy Chen\rthdcpl.exe
c:\windows\Install.txt
c:\windows\rcdrive32 .exe
c:\windows\system32\ctfmon .exe
c:\windows\system32\ctfmon.exe.tmp
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxpers .exe
c:\windows\system32\igfxtray .exe
c:\windows\system32\Install.txt
c:\windows\system32\rthdcpl.exe
c:\windows\TEMP\mta13187.dll
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\90489939
c:\documents and settings\All Users\Application Data\90489939\90489939.bat
c:\documents and settings\All Users\Application Data\90489939\90489939.exe
c:\documents and settings\Amy Chen\alcmtr.exe
c:\documents and settings\Amy Chen\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk
c:\documents and settings\Amy Chen\Desktop\Advanced Virus Remover.lnk
c:\documents and settings\Amy Chen\Desktop\exeHelper.com
c:\documents and settings\Amy Chen\ntuser.dll
c:\documents and settings\Amy Chen\rthdcpl .exe
c:\documents and settings\Amy Chen\rthdcpl.exe
c:\documents and settings\Amy Chen\Start Menu\Advanced Virus Remover.lnk
c:\documents and settings\Amy Chen\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\Amy Chen\Start Menu\Programs\Startup\scandisk.lnk
C:\ldvx.exe
c:\program files\ewmnru\ibpmsysguard.exe
c:\program files\ewmnru\ibpmsysguard.exe145
c:\program files\ewmnru\ibpmsysguard.exe147
c:\program files\xhonsl\yqspsysguard.exe
c:\program files\xhonsl\yqspsysguard.exe126
c:\program files\xhonsl\yqspsysguard.exe143
c:\recycler\S-1-5-21-0243556031-888888379-781863308-1455
c:\recycler\S-1-5-21-6840411219-3145855342-124954199-7283
c:\windows\Install.txt
c:\windows\msa.exe
c:\windows\rcdrive32 .exe
c:\windows\system32\~.exe
c:\windows\system32\41.exe
c:\windows\system32\bametusi.dll
c:\windows\system32\bebaluno.dll
c:\windows\system32\ctfmon .exe
c:\windows\system32\fonoriga.dll
c:\windows\system32\h2w8l.dll
c:\windows\system32\hagebuzi.exe
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxpers .exe
c:\windows\system32\igfxtray .exe
c:\windows\system32\Install.txt
c:\windows\system32\kenayiba.dll
c:\windows\system32\kusewovi.dll.tmp
c:\windows\system32\logon.exe
c:\windows\system32\migitiho.dll
c:\windows\system32\nakuteye.dll
c:\windows\system32\rthdcpl.exe
c:\windows\system32\tavahozu.dll
c:\windows\system32\tosikuli.dll
c:\windows\system32\turenugu.dll.tmp
c:\windows\system32\vamegeye.dll
c:\windows\system32\viwawobi.dll.tmp
c:\windows\system32\yiyigini.dll
c:\windows\system32\zasepago.exe
c:\windows\system32\zevofito.dll
c:\windows\TEMP\mta13187.dll

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BTWSRV
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_BtwSrv
-------\Legacy_BTWSRV
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_BtwSrv


((((((((((((((((((((((((( Files Created from 2009-10-11 to 2009-11-11 )))))))))))))))))))))))))))))))
.

2011-02-27 04:02 . 2009-10-29 13:31 -------- d-----w- c:\program files\Elantech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-19 18:34 . 2010-02-19 18:34 -------- d-----w- c:\program files\microsoft frontpage
2010-02-19 18:34 . 2010-02-19 18:33 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-19 18:32 . 2010-02-19 18:32 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-11-11 04:48 . 2009-11-11 04:48 30720 ----a-w- c:\documents and settings\Amy Chen\rthdcpl.exe
2009-11-11 04:36 . 2009-06-04 05:45 -------- d-----w- c:\program files\Symantec AntiVirus
2009-11-11 04:17 . 2009-11-07 04:23 30720 ----a-w- c:\windows\rcdrive32.exe
2009-11-11 04:17 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\igfxpers.exe
2009-11-11 04:17 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\hkcmd.exe
2009-11-11 04:17 . 2009-02-19 18:57 30720 ----a-w- c:\windows\system32\igfxtray.exe
2009-11-07 04:49 . 2009-10-29 13:47 -------- d-----w- c:\program files\xhonsl
2009-11-07 04:49 . 2009-10-31 14:06 -------- d-----w- c:\program files\ewmnru
2009-11-04 14:48 . 2009-11-04 14:48 0 ----a-r- c:\windows\win32k.sys
2009-10-28 17:47 . 2009-10-09 03:45 407062 ----a-w- c:\windows\system32\raidmg.dll
2009-10-26 14:59 . 2009-10-26 14:59 0 ----a-w- c:\documents and settings\Amy Chen\settings.dat
2009-10-26 14:56 . 2009-06-07 16:21 -------- d-----w- c:\documents and settings\Amy Chen\Application Data\U3
2009-10-10 00:33 . 2010-02-19 17:21 14336 ------w- c:\windows\system32\svchost.exe
2009-10-09 03:45 . 2009-10-09 03:45 98304 ----a-w- c:\windows\system32\kbdatat4.dll
2009-09-24 04:55 . 2009-02-19 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-14 01:57 . 2009-06-03 15:38 92344 ----a-w- c:\documents and settings\Amy Chen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-14 01:57 . 2009-09-14 01:57 126970 ----a-w- c:\documents and settings\Amy Chen\Application Data\Move Networks\uninstall.exe
2009-09-14 01:57 . 2009-07-20 20:37 -------- d-----w- c:\documents and settings\Amy Chen\Application Data\Move Networks
2009-09-14 01:57 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Amy Chen\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-09-11 14:18 . 2010-02-19 17:21 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2010-02-19 17:21 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 03:51 . 2009-09-01 03:51 152576 ----a-w- c:\documents and settings\Amy Chen\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-29 08:08 . 2010-02-19 17:21 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2010-02-19 17:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2008-05-07 08:34 . 2009-02-19 19:07 15523560 ----a-w- c:\program files\U1 Setup.exe
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . D9F19E78F98834CB411D6AD3C68D181A . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot_2009-10-29_13.31.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-11 04:47 . 2009-11-11 04:47 16384 c:\windows\temp\Perflib_Perfdata_244.dat
+ 2008-04-14 12:00 . 2008-04-14 12:00 87552 c:\windows\system32\wmdtc.exe
+ 2010-02-19 17:21 . 2009-11-11 04:28 71810 c:\windows\system32\perfc009.dat
- 2010-02-19 17:21 . 2009-10-28 18:31 71810 c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2008-04-14 12:00 87552 c:\windows\system32\opeia.exe
+ 2008-04-14 12:00 . 2008-04-14 12:00 36864 c:\windows\system32\lsm32.sys
+ 2008-04-14 12:00 . 2008-04-14 12:00 45056 c:\windows\system32\FastNetSrv.exe
+ 2009-02-19 20:51 . 2009-11-07 04:19 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-19 20:51 . 2009-10-28 18:12 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-19 20:51 . 2009-10-28 18:12 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-19 20:51 . 2009-11-07 04:19 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-26 14:48 . 2009-11-07 04:19 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-10-26 14:48 . 2009-10-28 17:30 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-10-31 13:55 . 2009-11-07 04:19 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-14 12:00 . 2008-04-14 12:00 45568 c:\windows\system32\BtwSrv.dll
- 2007-07-27 14:41 . 2007-07-27 14:41 16760 c:\windows\SoftwareDistribution\Download\aadd6ccc4585cbf4ee04287eb0e679df\spmsg.dll
- 2009-10-28 18:12 . 2009-08-29 08:01 12800 c:\windows\SoftwareDistribution\Download\9e56f14e7203556d1448d8e8d058de0f\SP3QFE\xpshims.dll
- 2009-10-28 18:13 . 2009-08-29 08:01 25600 c:\windows\SoftwareDistribution\Download\9e56f14e7203556d1448d8e8d058de0f\SP3QFE\jsproxy.dll
- 2009-10-28 18:12 . 2009-08-29 08:08 12800 c:\windows\SoftwareDistribution\Download\9e56f14e7203556d1448d8e8d058de0f\SP3GDR\xpshims.dll
- 2009-10-28 18:13 . 2009-08-29 08:08 25600 c:\windows\SoftwareDistribution\Download\9e56f14e7203556d1448d8e8d058de0f\SP3GDR\jsproxy.dll
- 2009-09-04 20:57 . 2009-09-04 20:57 58880 c:\windows\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\sp3qfe\msasn1.dll
- 2009-09-04 21:03 . 2009-09-04 21:03 58880 c:\windows\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\sp3gdr\msasn1.dll
+ 2009-10-29 14:02 . 2009-10-29 14:02 47616 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLiveWriter\6e2e535510bede2ff7c15d8ae53098c0\WindowsLiveWriter.ni.exe
+ 2009-11-07 04:47 . 2009-11-07 04:47 99840 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\a0a93ff86fb946104e90221f5791eb91\WindowsLive.Writer.Api.ni.dll
+ 2009-11-07 04:46 . 2009-11-07 04:46 15872 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualC\1ded203bd27031c3a5e3441f94b528c0\Microsoft.VisualC.ni.dll
+ 2009-11-07 04:47 . 2009-11-07 04:47 74752 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\c5d504724d7f351b1d034615dbb72a2a\Microsoft.Build.Framework.ni.dll
+ 2009-11-07 04:47 . 2009-11-07 04:47 14336 c:\windows\assembly\NativeImages_v2.0.50727_32\dfsvc\a664ccab020f93f1d533919f57131190\dfsvc.ni.exe
+ 2009-10-29 13:35 . 2009-10-29 13:35 25600 c:\windows\assembly\NativeImages_v2.0.50727_32\Accessibility\e63d6d26b8a664cfdfbd4ad75e03c14d\Accessibility.ni.dll
+ 2010-02-19 17:21 . 2009-11-11 04:28 442024 c:\windows\system32\perfh009.dat
- 2010-02-19 17:21 . 2009-10-28 18:31 442024 c:\windows\system32\perfh009.dat
+ 2009-11-07 04:37 . 2008-09-12 05:32 327192 c:\windows\system32\drivers\iaStor.sys
- 2010-02-19 17:21 . 2008-09-12 05:32 327192 c:\windows\system32\drivers\iaStor.sys
- 2009-10-28 18:13 . 2009-05-26 11:40 382840 c:\windows\SoftwareDistribution\Download\fbdd9f75315c1cf9ff63f37aaca267d3\update\updspapi.dll
- 2009-10-28 18:12 . 2009-05-26 11:40 382840 c:\windows\SoftwareDistribution\Download\e15760431e46367ca5a3dfd40a9d03e3\update\updspapi.dll
- 2009-10-28 18:13 . 2009-05-26 11:40 382840 c:\windows\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\update\updspapi.dll
- 2009-04-02 03:02 . 2009-04-02 03:02 604160 c:\windows\SoftwareDistribution\Download\aadd6ccc4585cbf4ee04287eb0e679df\wm11\wmspdmod.dll
- 2009-04-10 05:01 . 2009-04-10 05:01 530280 c:\windows\SoftwareDistribution\Download\aadd6ccc4585cbf4ee04287eb0e679df\wm10\wmspdmod.dll
- 2007-07-27 14:41 . 2007-07-27 14:41 382840 c:\windows\SoftwareDistribution\Download\aadd6ccc4585cbf4ee04287eb0e679df\update\updspapi.dll
- 2009-10-28 18:12 . 2009-05-26 11:40 382840 c:\windows\SoftwareDistribution\Download\9e56f14e7203556d1448d8e8d058de0f\update\updspapi.dll
- 2009-10-28 18:12 . 2009-08-29 08:01 916480 c:\windows\SoftwareDistribution\Download\9e56f14e7203556d1448d8e8d058de0f\SP3QFE\wininet.dll
- 2009-10-28 18:12 . 2009-08-29 08:01 184320 c:\windows\SoftwareDistribution\Download\9e56f14e7203556d1448d8e8d058de0f\SP3QFE\iepeers.dll
- 2009-10-28 18:12 . 2009-08-29 08:08 916480 c:\windows\SoftwareDistribution\Download\9e56f14e7203556d1448d8e8d058de0f\SP3GDR\wininet.dll
- 2009-10-28 18:12 . 2009-08-29 08:08 184320 c:\windows\SoftwareDistribution\Download\9e56f14e7203556d1448d8e8d058de0f\SP3GDR\iepeers.dll
- 2009-10-28 18:13 . 2009-05-26 11:40 382840 c:\windows\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\update\updspapi.dll
- 2009-10-28 18:09 . 2009-05-26 11:40 382840 c:\windows\SoftwareDistribution\Download\8fa1ad7968e63408057364ad07aa482c\update\updspapi.dll
- 2009-10-28 18:13 . 2009-05-26 11:40 382840 c:\windows\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\update\updspapi.dll
- 2009-10-28 18:09 . 2009-05-26 11:40 382840 c:\windows\SoftwareDistribution\Download\71668abe67b6d77ebac6750f25908a6e\update\updspapi.dll
- 2009-10-28 18:13 . 2009-05-26 11:40 382840 c:\windows\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\update\updspapi.dll
+ 2009-11-07 04:47 . 2009-11-07 04:47 321536 c:\windows\assembly\NativeImages_v2.0.50727_32\WsatConfig\e2098e43d115155d6ba91ba3a7e577cf\WsatConfig.ni.exe
+ 2009-11-07 04:47 . 2009-11-07 04:47 627712 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLiveLocal.Wr#\e5fa3693acb5b4c1790edff45ee18351\WindowsLiveLocal.WriterPlugin.ni.dll
+ 2009-11-07 04:47 . 2009-11-07 04:47 118784 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\fa99a5d10584b4d2d8836396e512fbfb\WindowsLive.Writer.Extensibility.ni.dll
+ 2009-10-29 14:05 . 2009-10-29 14:05 174080 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\f82f25e143c306491dcfdcea845ada91\WindowsLive.Writer.BrowserControl.ni.dll
+ 2009-11-07 04:46 . 2009-11-07 04:46 258048 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\f013d5f8178aea1f66ce25eb59f2dcfe\WindowsLive.Writer.Mshtml.ni.dll
+ 2009-11-07 04:47 . 2009-11-07 04:47 594944 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\df6d8f820d3e6270a946e81d0524a7f4\WindowsLive.Writer.HtmlEditor.ni.dll
+ 2009-10-29 14:02 . 2009-10-29 14:02 843776 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\cf709e807175721fbfa4809a21142a51\WindowsLive.Writer.Controls.ni.dll
+ 2009-11-04 15:16 . 2009-11-04 15:16 152064 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\c68b6c592966c7a2b975a8baf71b1703\WindowsLive.Writer.HtmlParser.ni.dll
+ 2009-11-07 04:46 . 2009-11-07 04:46 108544 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\c25eea93a159ff547be11a457a656548\WindowsLive.Writer.Passport.ni.dll
+ 2009-11-07 04:46 . 2009-11-07 04:46 428032 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\8579b5b4f162eb3f960302b9499508ab\WindowsLive.Writer.Localization.ni.dll
+ 2009-11-04 15:16 . 2009-11-04 15:16 334848 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\69801f07023bb93335d7b2ee1d9f06f9\WindowsLive.Writer.Interop.Mshtml.ni.dll
+ 2009-11-07 04:47 . 2009-11-07 04:47 851968 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\5e2e32999db49ca703dde8cdb853e307\WindowsLive.Writer.BlogClient.ni.dll
+ 2009-11-07 04:47 . 2009-11-07 04:47 119296 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\590e62c09e8ce5cae4a887d2d873d82d\WindowsLive.Writer.FileDestinations.ni.dll
+ 2009-10-29 14:04 . 2009-10-29 14:04 319488 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\56562b3fab90b3b5d4ac6931118d8b3f\WindowsLive.Writer.Interop.ni.dll
+ 2009-10-29 14:05 . 2009-10-29 14:05 313856 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\551d4211cde9574615ad847741667699\WindowsLive.Writer.Interop.SHDocVw.ni.dll
+ 2009-11-07 04:47 . 2009-11-07 04:47 117760 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\26307209b32171fbdf5c0bac64eac6f7\WindowsLive.Writer.Instrumentation.ni.dll
+ 2009-11-07 04:47 . 2009-11-07 04:47 322048 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\12069ef1883e43e5a8ff387d5503ffae\WindowsLive.Writer.SpellChecker.ni.dll
+ 2009-11-07 04:47 . 2009-11-07 04:47 145920 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Client\e24024d52bd85aeadcea859acf2f10d7\WindowsLive.Client.ni.dll
+ 2009-11-07 04:46 . 2009-11-07 04:46 202240 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\b5f1b8791e6c47e5bd5e7018c346c586\System.Web.RegularExpressions.ni.dll
+ 2009-11-07 04:46 . 2009-11-07 04:46 625664 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\9d58688a10292063636c86442d29ee9c\System.Transactions.ni.dll
+ 2009-11-07 04:46 . 2009-11-07 04:46 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\1f61bccb700d687775cf778dd77752e9\System.ServiceProcess.ni.dll
+ 2009-10-29 14:03 . 2009-10-29 14:03 676352 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Security\a9e9b885a6601469c4058375cc74d856\System.Security.ni.dll
+ 2009-10-29 14:03 . 2009-10-29 14:03 311296 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\9bc34a79af9c3ed2cf17a0226c769b4c\System.Runtime.Serialization.Formatters.Soap.ni.dll
+ 2009-11-07 04:46 . 2009-11-07 04:46 771584 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\af21e3011fb4e107b13ea5c40c351ec4\System.Runtime.Remoting.ni.dll
+ 2009-10-29 13:35 . 2009-10-29 13:35 381440 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IO.Log\6c273eb9d1ee8b66b5ecb073de4b785d\System.IO.Log.ni.dll
+ 2009-10-29 13:35 . 2009-10-29 13:35 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityMode#\7222db518afb4eaaa138824278249bc7\System.IdentityModel.Selectors.ni.dll
+ 2009-11-07 04:46 . 2009-11-07 04:46 455680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\a601f47a98ee67df424685c9a66ea449\System.DirectoryServices.Protocols.ni.dll
+ 2009-10-29 14:02 . 2009-10-29 14:02 971264 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\7c743462baccf29b3567b0e3ec9ac134\System.Configuration.ni.dll
+ 2009-11-07 04:46 . 2009-11-07 04:46 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\443e3a85c491b2de4a2ac654cb957484\System.Configuration.Install.ni.dll
+ 2009-11-07 04:47 . 2009-11-07 04:47 366080 c:\windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\6af32fe5cbec0aa54e2efa6910c73651\SMSvcHost.ni.exe
+ 2009-11-07 04:47 . 2009-11-07 04:47 256000 c:\windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\7602d7687fb9bd21cd9ae60d2b187c99\SMDiagnostics.ni.dll
+ 2009-11-07 04:47 . 2009-11-07 04:47 320512 c:\windows\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\a23dc25782df04533a13e348203e4dc5\ServiceModelReg.ni.exe
+ 2009-11-07 04:47 . 2009-11-07 04:47 133632 c:\windows\assembly\NativeImages_v2.0.50727_32\MSBuild\eade8c1c9c1e8e5ffb50e6c9b9af0f6a\MSBuild.ni.exe
+ 2009-11-07 04:47 . 2009-11-07 04:47 386560 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\fc4d66e0a92b3767006a84f2519d2457\Microsoft.Transactions.Bridge.Dtc.ni.dll
+ 2009-11-07 04:47 . 2009-11-07 04:47 376320 c:\windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\382cc2ce9fcd975eed81a7183c2d8f81\ComSvcConfig.ni.exe
+ 2009-10-29 13:35 . 2009-10-29 13:35 842240 c:\windows\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\85d7c111956b478766d90625b35d963f\AspNetMMCExt.ni.dll
- 2009-10-28 18:09 . 2009-08-04 13:54 2145280 c:\windows\SoftwareDistribution\Download\8fa1ad7968e63408057364ad07aa482c\SP3QFE\ntkrnlmp.exe
- 2009-10-28 18:09 . 2009-08-04 15:13 2145280 c:\windows\SoftwareDistribution\Download\8fa1ad7968e63408057364ad07aa482c\SP3GDR\ntkrnlmp.exe
- 2009-10-28 18:09 . 2009-08-04 12:49 2142720 c:\windows\SoftwareDistribution\Download\8fa1ad7968e63408057364ad07aa482c\SP2QFE\ntkrnlmp.exe
+ 2009-11-07 04:47 . 2009-11-07 04:47 1105920 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\6acc6f61fe15553bdb89e21a6a720578\WindowsLive.Writer.ApplicationFramework.ni.dll
+ 2009-10-29 14:04 . 2009-10-29 14:04 2002944 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\1f8439062cab1a14f351974092e09e16\WindowsLive.Writer.CoreServices.ni.dll
+ 2009-10-29 14:02 . 2009-10-29 14:02 6392832 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\0b96d8eb446d23637b38c72e2215d0ff\WindowsLive.Writer.PostEditor.ni.dll
+ 2009-11-07 04:46 . 2009-11-07 04:46 1838080 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\ee59632d392e85b5a0b10ed2f9cdaa34\System.Web.Services.ni.dll
+ 2009-10-29 13:58 . 2009-10-29 13:58 2338304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\67ad55827f2542552b576170f0a7dc56\System.Runtime.Serialization.ni.dll
+ 2009-10-29 13:35 . 2009-10-29 13:35 1056768 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\c3b18fef5c6dc3bcdbe5df699fd21a55\System.IdentityModel.ni.dll
+ 2009-11-07 04:46 . 2009-11-07 04:46 1116672 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\f47ebb9db460874b1bcbfc391dc970b1\System.DirectoryServices.ni.dll
+ 2009-10-29 14:03 . 2009-10-29 14:03 1801216 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Deployment\c94a427baa7683f4221b91f90c18461b\System.Deployment.ni.dll
+ 2009-10-29 14:03 . 2009-10-29 14:03 2510336 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.SqlXml\272152f0cc139490729e215611a4b244\System.Data.SqlXml.ni.dll
+ 2009-11-07 04:46 . 2009-11-07 04:46 1115136 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.OracleC#\e5b1899d48f01303824dc96ecf877b42\System.Data.OracleClient.ni.dll
+ 2009-11-07 04:47 . 2009-11-07 04:47 1093120 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\f19e9b439636d0744597fff1331cad04\Microsoft.Transactions.Bridge.ni.dll
- 2009-10-28 18:12 . 2009-08-29 08:08 11069440 c:\windows\SoftwareDistribution\Download\9e56f14e7203556d1448d8e8d058de0f\SP3GDR\ieframe.dll
+ 2009-11-07 04:46 . 2009-11-07 04:46 11794944 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\4f02f14c2268762d5d05b3227276f309\System.Web.ni.dll
+ 2009-10-29 14:01 . 2009-10-29 14:01 17317888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\06d6eab93282d2b136a377bd50b7c5a9\System.ServiceModel.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4e232aa-bd80-4ce2-896f-f0b02c7accc7}]
fupipivo.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2008-04-14 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-06-24 53096]
"Microsoft Driver Setup"="c:\windows\rcdrive32.exe" [2009-11-11 30720]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-02-13 17508864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-2 604776]
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-2-19 376832]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [4/14/2008 7:00 AM 45056]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2/19/2009 2:22 PM 55136]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 8:09 PM 11032]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/30/2008 4:41 PM 116664]
R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [2/19/2009 2:02 PM 10752]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/31/2009 10:49 PM 102448]
R3 Ktp;Elantech Smart-Pad;c:\windows\system32\drivers\ETD.sys [7/31/2008 9:24 PM 93696]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [11/4/2008 4:28 AM 38400]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/19/2009 1:56 PM 1684736]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [12/8/2008 5:01 PM 533344]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\Amy Chen\Application Data\Mozilla\Firefox\Profiles\6qm4eeji.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Amy Chen\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-<NO NAME> - (no file)
SharedTaskScheduler-{2ecf8c98-2d82-409d-a89f-a5d9b15415cd} - c:\windows\system32\kenayiba.dll
SSODL-nimejewet-{2ecf8c98-2d82-409d-a89f-a5d9b15415cd} - c:\windows\system32\kenayiba.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-10 23:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\Install.txt
c:\windows\system32\Install.txt 268 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,96,44,2c,d8,a1,66,c2,4f,93,d6,8e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,96,44,2c,d8,a1,66,c2,4f,93,d6,8e,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(700)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wmdtc.exe
.
**************************************************************************
.
Completion time: 2009-11-11 23:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-11 04:54
ComboFix2.txt 2009-11-04 15:31
ComboFix3.txt 2009-10-29 13:36
ComboFix4.txt 2009-10-28 18:12

Pre-Run: 28,139,474,944 bytes free
Post-Run: 27,921,182,720 bytes free

- - End Of File - - 120240EE58F7F10AC6C26B65A210EC7A

#19
Raktor


  • Member
  • 268 posts
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
c:\windows\system32\opeia.exe
c:\windows\system32\wmdtc.exe
c:\windows\system32\lsm32.sys
c:\windows\system32\FastNetSrv.exe
c:\windows\system32\BtwSrv.dll
c:\windows\system32\msv1_0.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msasn1.dll
c:\program files\U1 Setup.exe
c:\documents and settings\Amy Chen\rthdcpl.exe
c:\windows\rcdrive32.exe
c:\windows\system32\igfxpers.exe
c:\windows\system32\hkcmd.exe
c:\windows\system32\igfxtray.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4e232aa-bd80-4ce2-896f-f0b02c7accc7}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Driver Setup"=-

Driver::
fastnetsrv

FCopy::
c:\windows\system32\dllcache\svchost.exe | c:\windows\system32\svchost.exe
c:\windows\system32\dllcache\tcpip.sys | c:\windows\system32\drivers\tcpip.sys


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

4. Reconnect your internet.

Posted Image

5. Referring to the picture above, drag CFScript into ComboFix.exe

6. Once ComboFix has updated, and started to run its scans, unplug the internet connection again, and keep it unplugged until further notice.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
  • 0
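A pre-flight cross-check of the CFScript in the post above against the process and DLL lists in the preceding ComboFix log, as an added example that is not part of the original posts and not ComboFix code. It assumes, as is usual for ComboFix scripts, that `File::` lists files to delete and that `FCopy::` lines are `source | destination` copies; the function names are hypothetical, and the embedded script and log lines are excerpts copied from this thread.

```python
import re

# Excerpt of the CFScript from the post above (not the full script).
CFSCRIPT = r"""KillAll::

File::
c:\windows\system32\wmdtc.exe
c:\windows\system32\FastNetSrv.exe
c:\windows\system32\msv1_0.dll
c:\windows\system32\wininet.dll

FCopy::
c:\windows\system32\dllcache\svchost.exe | c:\windows\system32\svchost.exe
c:\windows\system32\dllcache\tcpip.sys | c:\windows\system32\drivers\tcpip.sys
"""

# Excerpt of paths from the ComboFix log earlier in the thread.
LOADED = r"""c:\windows\system32\WININET.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wmdtc.exe
"""

def parse_cfscript(text):
    """Split a CFScript into {section name: [non-empty lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"(\w+)::", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif line and current is not None:
            current.append(line)
    return sections

def review(script_text, loaded_text):
    """Return (path, is_loaded, has_replacement) for every File:: entry."""
    sections = parse_cfscript(script_text)
    loaded = {p.strip().lower() for p in loaded_text.splitlines() if p.strip()}
    # FCopy:: lines are "source | destination"; collect the destinations.
    dests = {l.split("|", 1)[1].strip().lower()
             for l in sections.get("FCopy", []) if "|" in l}
    return [(p, p.lower() in loaded, p.lower() in dests)
            for p in sections.get("File", [])]

if __name__ == "__main__":
    for path, is_loaded, replaced in review(CFSCRIPT, LOADED):
        print(f"{path:45} loaded={is_loaded!s:5} replacement={replaced}")
```

On these excerpts, wininet.dll comes back as loaded and without a replacement; it is one of the two files the later replies try to copy back from c:\qoobox\quarantine.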

#20
jay_sohhn

I did as you recommended. But after running combofix, the computer restarted and tried to run Windows. It went to the screen where you choose which operating system to run. After this screen, it goes to the windows starting up screen (with the blue dots moving across the bar). But then it goes back to the screen where you have to choose the OS to run. It keeps doing this in a never-ending loop. I forced it to shut down after about 30 minutes. I turned it back on and tried performing your suggestions from November 8, when I couldn't log on and get to my desktop. But, it proved unsuccessful.

#21
Raktor

Try these commands from the Recovery console, pressing enter at the end of each line. STOP if you encounter an error at any stage.

c:
cd \windows\system32
ren svchost.exe svchost.old
copy "c:\qoobox\quarantine\c\windows\system32\svchost.exe" "c:\windows\system32\svchost.exe"
copy "c:\qoobox\quarantine\c\windows\system32\wininet.dll" "c:\windows\system32\wininet.dll"
exit

Edited by Raktor, 12 November 2009 - 04:28 AM.


#22
jay_sohhn

I tried your suggestions. The first 3 lines worked fine. But once I got to the line that says copy "c:\qoobox\quarantine\c\windows\system32\svchost.exe" "c:\windows\system32\svchost.exe" I got a message saying "Access is denied."

#23
Raktor

Let's go with these.

c:
copy "c:\qoobox\quarantine\c\windows\system32\svchost.exe.vir" "c:\windows\system32\svchost.exe"
copy "c:\qoobox\quarantine\c\windows\system32\wininet.dll.vir" "c:\windows\system32\wininet.dll"
exit


Also, see if in the F8 menu on boot, you can disable automatic reboot on bluescreen, then you can provide me with the STOP error code if it is still bluescreening after this.

#24
jay_sohhn

Here's what I did:
1) went to windows recovery console
2) when it asked me "which windows installation would you like to log onto," I entered 1 for C:\WINDOWS.
3) at the C:\WINDOWS> prompt I entered C:
4) at the next C:\WINDOWS> prompt I entered copy "c:\qoobox\quarantine\c\windows\system32\svchost.exe.vir" "c:\windows\system32\svchost.exe"

When I performed the last step, I got the message "Access is denied."

Whew, sorry for all the problems!

#25
Raktor

Sorry to be a pain... :)

dir c:\atapi.sys /s

I need a copy of the output from this, except there's no simple way to transfer it from Recovery Console, so I'm going to need you to type it up.

Remember, I'm here as long as you want me to keep trying, but if ever you want to reformat, just give the word. :)

#26
jay_sohhn

I typed in dir c:\atapi.sys /s (there's a space between the .sys and the /), but that was probably not what you wanted, so I tried it without the space and got the following output:
The volume in drive C has no label
The volume Serial Number is f48f-490d
Directory of c:\atapi.sys\s

So based on your last response, what exactly would reformatting entail? Wiping out all programs and files and stuff on the computer? If I opt not to do that, is there any hope at all of getting my computer back to normal?

Thanks for all your patience.

#27
Raktor

There is a space, and the slash must go the other way. Give it another shot.

We could most likely recover your data, but not programs.

#28
jay_sohhn

Hi, Raktor -
I tried it with a space and slash the other way. The result? "The parameter is not valid." One question: If it were your own computer, what would you do? Would you reformat? Or would you keep going with the debugging effort? I'm ok with either. Which method would be best given the circumstances? Thanks for all your patience and efforts.

#29
Raktor

If it was me, I'd cut to the chase and format. Besides knowing that the system is clean, you'll get rid of the extra bloat that you don't use on the system anymore.

If you want to format...
a) Do you have the Windows XP CD?
b) Do you have any driver CDs from your hardware manufacturers?
c) Do you have relevant software installation CDs?
d) Do you need any data backed up before wiping the machine?

#30
jay_sohhn

OK, reformat it is, then. Here are the answers to your questions:
1) Do I have the Windows XP CD? Yes, I do.
2) Do I have driver CDs from manufacturer? No, I don't.
3) Do I have relevant software installation CDs? Yes, I do.
4) Do I need any data backed up before wiping machine? Yes, I do. I suppose, I could just save it onto my own external hard drive? Or not?

Thanks!