ComboFix 09-11-11.02 - Amy Chen 12/05/2009 18:18.5.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.553 [GMT -5:00]
Running from: c:\documents and settings\Amy Chen\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
- REDUCED FUNCTIONALITY MODE -
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Amy Chen\rthdcpl.exe
c:\program files\U1 Setup.exe
c:\windows\system32\BtwSrv.dll
c:\windows\system32\FastNetSrv.exe
c:\windows\system32\hkcmd.exe
c:\windows\system32\igfxpers.exe
c:\windows\system32\igfxtray.exe
c:\windows\system32\Install.txt
c:\windows\system32\lsm32.sys
c:\windows\system32\opeia.exe
c:\windows\system32\wmdtc.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_FASTNETSRV
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_fastnetsrv

((((((((((((((((((((((((( Files Created from 2009-11-05 to 2009-12-05 )))))))))))))))))))))))))))))))
.
2011-02-27 04:02 . 2009-10-29 13:31 -------- d-----w- c:\program files\Elantech
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-19 18:34 . 2010-02-19 18:34 -------- d-----w- c:\program files\microsoft frontpage
2010-02-19 18:32 . 2010-02-19 18:32 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-11-11 20:53 . 2009-11-11 20:53 32928 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP2.EXE
2009-11-11 20:53 . 2009-11-11 20:53 32928 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP1.EXE
2009-11-11 20:53 .
2009-11-11 20:53 32928 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP0.EXE
2009-11-11 20:36 . 2009-06-04 05:45 -------- d-----w- c:\program files\Symantec AntiVirus
2009-11-11 20:35 . 2010-02-19 18:33 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-11 04:52 . 2009-11-11 04:52 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ece04.vdb\NAVENG32.DLL
2009-11-11 04:52 . 2009-11-11 04:52 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ece04.vdb\NAVEX32A.DLL
2009-11-11 04:52 . 2009-11-11 04:52 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ece04.vdb\NAVEX15.SYS
2009-11-11 04:52 . 2009-11-11 04:52 84912 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ece04.vdb\NAVENG.SYS
2009-11-11 04:52 . 2009-11-11 04:52 371248 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ece04.vdb\EECTRL.SYS
2009-11-11 04:52 . 2009-11-11 04:52 2747952 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ece04.vdb\CCERASER.DLL
2009-11-11 04:52 . 2009-11-11 04:52 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ece04.vdb\ECMSVR32.DLL
2009-11-11 04:52 . 2009-11-11 04:52 102448 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ece04.vdb\ERASER.SYS
2009-11-07 04:49 . 2009-10-29 13:47 -------- d-----w- c:\program files\xhonsl
2009-11-07 04:49 .
2009-10-31 14:06 -------- d-----w- c:\program files\ewmnru
2009-11-04 14:48 . 2009-11-04 14:48 0 ----a-r- c:\windows\win32k.sys
2009-10-28 17:47 . 2009-10-09 03:45 407062 ----a-w- c:\windows\system32\raidmg.dll
2009-10-26 14:59 . 2009-10-26 14:59 0 ----a-w- c:\documents and settings\Amy Chen\settings.dat
2009-10-26 14:56 . 2009-06-07 16:21 -------- d-----w- c:\documents and settings\Amy Chen\Application Data\U3
2009-10-10 00:33 . 2009-10-28 18:08 14336 ----a-w- c:\windows\system32\svchost.exe
2009-10-09 03:45 . 2009-10-09 03:45 98304 ----a-w- c:\windows\system32\kbdatat4.dll
2009-09-14 01:57 . 2009-06-03 15:38 92344 ----a-w- c:\documents and settings\Amy Chen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-14 01:57 . 2009-09-14 01:57 126970 ----a-w- c:\documents and settings\Amy Chen\Application Data\Move Networks\uninstall.exe
2009-09-14 01:57 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Amy Chen\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-09-11 14:18 . 2010-02-19 17:21 136192 ----a-w- c:\windows\system32\msv1_0.dll
.
------- Sigcheck -------
Cryptography Services Error !!
.
((((((((((((((((((((((((((((( SnapShot_2009-11-11_04.47.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-05 20:53 . 2009-12-05 20:53 16384 c:\windows\temp\Perflib_Perfdata_6b4.dat
+ 2010-02-19 17:21 . 2009-12-03 23:39 71810 c:\windows\system32\perfc009.dat
- 2010-02-19 17:21 . 2009-11-11 04:28 71810 c:\windows\system32\perfc009.dat
- 2008-04-14 00:10 . 2008-04-14 05:10 96512 c:\windows\system32\drivers\atapi.sys
+ 2009-11-11 04:51 . 2008-04-14 05:10 96512 c:\windows\system32\drivers\atapi.sys
+ 2009-12-05 18:44 . 2009-12-05 18:44 99840 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\a0a93ff86fb946104e90221f5791eb91\WindowsLive.Writer.Api.ni.dll
- 2009-11-07 04:47 .
2009-11-07 04:47 99840 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\a0a93ff86fb946104e90221f5791eb91\WindowsLive.Writer.Api.ni.dll + 2009-12-05 18:50 . 2009-12-05 18:50 37888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\8acb476a0d4ee17a12881e17ae74a6af\System.Windows.Presentation.ni.dll + 2009-12-05 18:49 . 2009-12-05 18:49 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\4b87ca3482a3c0ee733e028ecee7de65\System.Web.DynamicData.Design.ni.dll + 2009-12-05 18:45 . 2009-12-05 18:45 94208 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ComponentMod#\a0c71055364bd356971791284c3fb910\System.ComponentModel.DataAnnotations.ni.dll + 2009-12-05 18:45 . 2009-12-05 18:45 82944 c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn.Contra#\f9a75bbdc2ce7db578b5977766a09b99\System.AddIn.Contract.ni.dll + 2009-12-05 18:47 . 2009-12-05 18:47 55296 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Vsa\f2673aec397c52796aef05bb9d2668df\Microsoft.Vsa.ni.dll + 2009-12-05 18:43 . 2009-12-05 18:43 15872 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualC\704abb954db8c9a95118a8bde688d5c1\Microsoft.VisualC.ni.dll + 2009-12-05 18:45 . 2009-12-05 18:45 65024 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\d513fe1a81c441e7656a9b062cff4e9f\Microsoft.Build.Framework.ni.dll + 2009-12-05 18:45 . 2009-12-05 18:45 74752 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\c5d504724d7f351b1d034615dbb72a2a\Microsoft.Build.Framework.ni.dll - 2009-11-07 04:47 . 2009-11-07 04:47 74752 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\c5d504724d7f351b1d034615dbb72a2a\Microsoft.Build.Framework.ni.dll + 2009-12-05 18:44 . 2009-12-05 18:44 14336 c:\windows\assembly\NativeImages_v2.0.50727_32\dfsvc\a664ccab020f93f1d533919f57131190\dfsvc.ni.exe - 2009-11-07 04:47 . 
2009-11-07 04:47 14336 c:\windows\assembly\NativeImages_v2.0.50727_32\dfsvc\a664ccab020f93f1d533919f57131190\dfsvc.ni.exe + 2010-02-19 18:33 . 2009-11-11 20:35 2442 c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin - 2010-02-19 17:21 . 2009-11-11 04:28 442024 c:\windows\system32\perfh009.dat + 2010-02-19 17:21 . 2009-12-03 23:39 442024 c:\windows\system32\perfh009.dat + 2009-12-05 18:45 . 2009-12-05 18:45 321536 c:\windows\assembly\NativeImages_v2.0.50727_32\WsatConfig\e2098e43d115155d6ba91ba3a7e577cf\WsatConfig.ni.exe - 2009-11-07 04:47 . 2009-11-07 04:47 321536 c:\windows\assembly\NativeImages_v2.0.50727_32\WsatConfig\e2098e43d115155d6ba91ba3a7e577cf\WsatConfig.ni.exe - 2009-11-07 04:47 . 2009-11-07 04:47 627712 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLiveLocal.Wr#\e5fa3693acb5b4c1790edff45ee18351\WindowsLiveLocal.WriterPlugin.ni.dll + 2009-12-05 18:44 . 2009-12-05 18:44 627712 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLiveLocal.Wr#\e5fa3693acb5b4c1790edff45ee18351\WindowsLiveLocal.WriterPlugin.ni.dll - 2009-11-07 04:47 . 2009-11-07 04:47 118784 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\fa99a5d10584b4d2d8836396e512fbfb\WindowsLive.Writer.Extensibility.ni.dll + 2009-12-05 18:44 . 2009-12-05 18:44 118784 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\fa99a5d10584b4d2d8836396e512fbfb\WindowsLive.Writer.Extensibility.ni.dll - 2009-11-07 04:46 . 2009-11-07 04:46 258048 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\f013d5f8178aea1f66ce25eb59f2dcfe\WindowsLive.Writer.Mshtml.ni.dll + 2009-12-05 18:44 . 2009-12-05 18:44 258048 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\f013d5f8178aea1f66ce25eb59f2dcfe\WindowsLive.Writer.Mshtml.ni.dll + 2009-12-05 18:44 . 2009-12-05 18:44 594944 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\df6d8f820d3e6270a946e81d0524a7f4\WindowsLive.Writer.HtmlEditor.ni.dll - 2009-11-07 04:47 . 
2009-11-07 04:47 594944 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\df6d8f820d3e6270a946e81d0524a7f4\WindowsLive.Writer.HtmlEditor.ni.dll + 2009-12-05 18:44 . 2009-12-05 18:44 108544 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\c25eea93a159ff547be11a457a656548\WindowsLive.Writer.Passport.ni.dll - 2009-11-07 04:46 . 2009-11-07 04:46 108544 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\c25eea93a159ff547be11a457a656548\WindowsLive.Writer.Passport.ni.dll - 2009-11-07 04:46 . 2009-11-07 04:46 428032 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\8579b5b4f162eb3f960302b9499508ab\WindowsLive.Writer.Localization.ni.dll + 2009-12-05 18:44 . 2009-12-05 18:44 428032 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\8579b5b4f162eb3f960302b9499508ab\WindowsLive.Writer.Localization.ni.dll + 2009-12-05 18:44 . 2009-12-05 18:44 851968 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\5e2e32999db49ca703dde8cdb853e307\WindowsLive.Writer.BlogClient.ni.dll - 2009-11-07 04:47 . 2009-11-07 04:47 851968 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\5e2e32999db49ca703dde8cdb853e307\WindowsLive.Writer.BlogClient.ni.dll + 2009-12-05 18:44 . 2009-12-05 18:44 119296 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\590e62c09e8ce5cae4a887d2d873d82d\WindowsLive.Writer.FileDestinations.ni.dll - 2009-11-07 04:47 . 2009-11-07 04:47 119296 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\590e62c09e8ce5cae4a887d2d873d82d\WindowsLive.Writer.FileDestinations.ni.dll - 2009-11-07 04:47 . 2009-11-07 04:47 117760 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\26307209b32171fbdf5c0bac64eac6f7\WindowsLive.Writer.Instrumentation.ni.dll + 2009-12-05 18:44 . 
2009-12-05 18:44 117760 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\26307209b32171fbdf5c0bac64eac6f7\WindowsLive.Writer.Instrumentation.ni.dll - 2009-11-07 04:47 . 2009-11-07 04:47 322048 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\12069ef1883e43e5a8ff387d5503ffae\WindowsLive.Writer.SpellChecker.ni.dll + 2009-12-05 18:44 . 2009-12-05 18:44 322048 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\12069ef1883e43e5a8ff387d5503ffae\WindowsLive.Writer.SpellChecker.ni.dll + 2009-12-05 18:44 . 2009-12-05 18:44 145920 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Client\e24024d52bd85aeadcea859acf2f10d7\WindowsLive.Client.ni.dll - 2009-11-07 04:47 . 2009-11-07 04:47 145920 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Client\e24024d52bd85aeadcea859acf2f10d7\WindowsLive.Client.ni.dll + 2009-12-05 18:50 . 2009-12-05 18:50 400896 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml.Linq\eb23b78564687badff1bd1f1d0a0ec97\System.Xml.Linq.ni.dll + 2009-12-05 18:49 . 2009-12-05 18:49 130048 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\f28c400fcfac57fb1bfb2806cc1bfc76\System.Web.Routing.ni.dll - 2009-11-07 04:46 . 2009-11-07 04:46 202240 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\b5f1b8791e6c47e5bd5e7018c346c586\System.Web.RegularExpressions.ni.dll + 2009-12-05 18:44 . 2009-12-05 18:44 202240 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\b5f1b8791e6c47e5bd5e7018c346c586\System.Web.RegularExpressions.ni.dll + 2009-12-05 18:49 . 2009-12-05 18:49 859648 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\884eacddf339b8b342f66aedff5f8ef9\System.Web.Extensions.Design.ni.dll + 2009-12-05 18:49 . 2009-12-05 18:49 328704 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\9e199645bd26f1afe58ebe185d1e7f0f\System.Web.Entity.ni.dll + 2009-12-05 18:49 . 
2009-12-05 18:49 301056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\652017ebe962ab2eb271c2524f31cd61\System.Web.Entity.Design.ni.dll + 2009-12-05 18:49 . 2009-12-05 18:49 554496 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\b196f14bd08eca634cc0c417553bed2a\System.Web.DynamicData.ni.dll + 2009-12-05 18:48 . 2009-12-05 18:48 153600 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\d89d8c6b08028100248ffe028e346a6b\System.Web.Abstractions.ni.dll + 2009-12-05 18:48 . 2009-12-05 18:48 625664 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\a43137a0c143b36978953e161da49600\System.Transactions.ni.dll + 2009-12-05 18:43 . 2009-12-05 18:43 625664 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\9d58688a10292063636c86442d29ee9c\System.Transactions.ni.dll - 2009-11-07 04:46 . 2009-11-07 04:46 625664 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\9d58688a10292063636c86442d29ee9c\System.Transactions.ni.dll + 2009-12-05 18:44 . 2009-12-05 18:44 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\1f61bccb700d687775cf778dd77752e9\System.ServiceProcess.ni.dll - 2009-11-07 04:46 . 2009-11-07 04:46 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\1f61bccb700d687775cf778dd77752e9\System.ServiceProcess.ni.dll + 2009-12-05 18:43 . 2009-12-05 18:43 771584 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\af21e3011fb4e107b13ea5c40c351ec4\System.Runtime.Remoting.ni.dll - 2009-11-07 04:46 . 2009-11-07 04:46 771584 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\af21e3011fb4e107b13ea5c40c351ec4\System.Runtime.Remoting.ni.dll + 2009-12-05 18:47 . 2009-12-05 18:47 621056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Net\5f74a84e9d28c2332c51f6e30da0e125\System.Net.ni.dll + 2009-12-05 18:47 . 
2009-12-05 18:47 998400 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management\2c208e4c5521f31057ea7d6e93c6a567\System.Management.ni.dll + 2009-12-05 18:47 . 2009-12-05 18:47 330752 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.I#\818b20a7c6f3b2fe97bf008ca24080c1\System.Management.Instrumentation.ni.dll + 2009-12-05 18:47 . 2009-12-05 18:47 280064 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\8a7d0bd0057a8ed38291d5662248f7a1\System.EnterpriseServices.Wrapper.dll + 2009-12-05 18:47 . 2009-12-05 18:47 627712 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\8a7d0bd0057a8ed38291d5662248f7a1\System.EnterpriseServices.ni.dll + 2009-12-05 18:47 . 2009-12-05 18:47 881152 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\c92fc19800e701c90f90ab7a2ab44c47\System.DirectoryServices.AccountManagement.ni.dll - 2009-11-07 04:46 . 2009-11-07 04:46 455680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\a601f47a98ee67df424685c9a66ea449\System.DirectoryServices.Protocols.ni.dll + 2009-12-05 18:44 . 2009-12-05 18:44 455680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\a601f47a98ee67df424685c9a66ea449\System.DirectoryServices.Protocols.ni.dll + 2009-12-05 18:47 . 2009-12-05 18:47 939008 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\b91b44015859163646f210d284f7166a\System.Data.Services.Client.ni.dll + 2009-12-05 18:47 . 2009-12-05 18:47 354816 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\1b35297e07b85071daecdb06f96750a1\System.Data.Services.Design.ni.dll + 2009-12-05 18:47 . 2009-12-05 18:47 756736 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity.#\cf906bf9146d1f0013451ec63b58e064\System.Data.Entity.Design.ni.dll + 2009-12-05 18:45 . 
2009-12-05 18:45 135680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.DataSet#\4ff4134b0d490c090e03d74e104517c4\System.Data.DataSetExtensions.ni.dll + 2009-12-05 18:44 . 2009-12-05 18:44 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\443e3a85c491b2de4a2ac654cb957484\System.Configuration.Install.ni.dll - 2009-11-07 04:46 . 2009-11-07 04:46 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\443e3a85c491b2de4a2ac654cb957484\System.Configuration.Install.ni.dll + 2009-12-05 18:45 . 2009-12-05 18:45 633856 c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn\cba35f47925431a54d0e6ae147a292f1\System.AddIn.ni.dll + 2009-12-05 18:45 . 2009-12-05 18:45 366080 c:\windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\6af32fe5cbec0aa54e2efa6910c73651\SMSvcHost.ni.exe - 2009-11-07 04:47 . 2009-11-07 04:47 366080 c:\windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\6af32fe5cbec0aa54e2efa6910c73651\SMSvcHost.ni.exe + 2009-12-05 18:44 . 2009-12-05 18:44 256000 c:\windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\7602d7687fb9bd21cd9ae60d2b187c99\SMDiagnostics.ni.dll - 2009-11-07 04:47 . 2009-11-07 04:47 256000 c:\windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\7602d7687fb9bd21cd9ae60d2b187c99\SMDiagnostics.ni.dll + 2009-12-05 18:44 . 2009-12-05 18:44 320512 c:\windows\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\a23dc25782df04533a13e348203e4dc5\ServiceModelReg.ni.exe - 2009-11-07 04:47 . 2009-11-07 04:47 320512 c:\windows\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\a23dc25782df04533a13e348203e4dc5\ServiceModelReg.ni.exe - 2009-11-07 04:47 . 2009-11-07 04:47 133632 c:\windows\assembly\NativeImages_v2.0.50727_32\MSBuild\eade8c1c9c1e8e5ffb50e6c9b9af0f6a\MSBuild.ni.exe + 2009-12-05 18:45 . 2009-12-05 18:45 133632 c:\windows\assembly\NativeImages_v2.0.50727_32\MSBuild\eade8c1c9c1e8e5ffb50e6c9b9af0f6a\MSBuild.ni.exe - 2009-11-07 04:47 . 
2009-11-07 04:47 386560 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\fc4d66e0a92b3767006a84f2519d2457\Microsoft.Transactions.Bridge.Dtc.ni.dll + 2009-12-05 18:44 . 2009-12-05 18:44 386560 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\fc4d66e0a92b3767006a84f2519d2457\Microsoft.Transactions.Bridge.Dtc.ni.dll + 2009-12-05 18:45 . 2009-12-05 18:45 144384 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\58ca3ecc52b7246b448c109817198a0b\Microsoft.Build.Utilities.ni.dll + 2009-12-05 18:45 . 2009-12-05 18:45 175104 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\4dd43724dd92026577c6f588270137a0\Microsoft.Build.Utilities.v3.5.ni.dll + 2009-12-05 18:45 . 2009-12-05 18:45 839680 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\8c651f75bb741330370986dcad8e9e5b\Microsoft.Build.Engine.ni.dll + 2009-12-05 18:45 . 2009-12-05 18:45 222720 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Con#\a6dcbae619ccd938bfe808c54d6d3ae0\Microsoft.Build.Conversion.v3.5.ni.dll + 2009-12-05 18:45 . 2009-12-05 18:45 220672 c:\windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\77688ce14f221ed94a9f442ae4736123\CustomMarshalers.ni.dll + 2009-12-05 18:44 . 2009-12-05 18:44 376320 c:\windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\382cc2ce9fcd975eed81a7183c2d8f81\ComSvcConfig.ni.exe - 2009-11-07 04:47 . 2009-11-07 04:47 376320 c:\windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\382cc2ce9fcd975eed81a7183c2d8f81\ComSvcConfig.ni.exe + 2009-12-05 18:44 . 2009-12-05 18:44 1105920 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\6acc6f61fe15553bdb89e21a6a720578\WindowsLive.Writer.ApplicationFramework.ni.dll - 2009-11-07 04:47 . 2009-11-07 04:47 1105920 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\6acc6f61fe15553bdb89e21a6a720578\WindowsLive.Writer.ApplicationFramework.ni.dll + 2009-12-05 18:50 . 
2009-12-05 18:50 1356288 c:\windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\fa48917b13629d8effa80dd4a2f2973d\System.WorkflowServices.ni.dll + 2009-12-05 18:50 . 2009-12-05 18:50 1908224 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Run#\6fe66ee6f3c81996bc148f1ebe7ec030\System.Workflow.Runtime.ni.dll + 2009-12-05 18:50 . 2009-12-05 18:50 4514304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\9d0b61f2f1ebdc300bd970f594c422ef\System.Workflow.ComponentModel.ni.dll + 2009-12-05 18:50 . 2009-12-05 18:50 2992640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\65328898148a720d394f802f192fc2a0\System.Workflow.Activities.ni.dll - 2009-11-07 04:46 . 2009-11-07 04:46 1838080 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\ee59632d392e85b5a0b10ed2f9cdaa34\System.Web.Services.ni.dll + 2009-12-05 18:44 . 2009-12-05 18:44 1838080 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\ee59632d392e85b5a0b10ed2f9cdaa34\System.Web.Services.ni.dll + 2009-12-05 18:50 . 2009-12-05 18:50 1838080 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\292cce5fbb6a3508552c9cd43445f792\System.Web.Services.ni.dll + 2009-12-05 18:49 . 2009-12-05 18:49 2209280 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\29e2f8b1fb691ced973acf49fcee6ec1\System.Web.Mobile.ni.dll + 2009-12-05 18:49 . 2009-12-05 18:49 2428416 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\d66aaf3bcb7eba90ae54ac6105d025ba\System.Web.Extensions.ni.dll + 2009-12-05 18:48 . 2009-12-05 18:48 1706496 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\e182695d05ea57257568bc5f3208aca7\System.ServiceModel.Web.ni.dll + 2009-12-05 18:43 . 2009-12-05 18:43 1116672 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\f47ebb9db460874b1bcbfc391dc970b1\System.DirectoryServices.ni.dll - 2009-11-07 04:46 . 
2009-11-07 04:46 1116672 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\f47ebb9db460874b1bcbfc391dc970b1\System.DirectoryServices.ni.dll + 2009-12-05 18:47 . 2009-12-05 18:47 1328128 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Services\112a48e34620a0210eb850040da8a31b\System.Data.Services.ni.dll + 2009-12-05 18:44 . 2009-12-05 18:44 1115136 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.OracleC#\e5b1899d48f01303824dc96ecf877b42\System.Data.OracleClient.ni.dll - 2009-11-07 04:46 . 2009-11-07 04:46 1115136 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.OracleC#\e5b1899d48f01303824dc96ecf877b42\System.Data.OracleClient.ni.dll + 2009-12-05 18:47 . 2009-12-05 18:47 9924096 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity\9012cac7819660f61f1c69cf8e4f2ccf\System.Data.Entity.ni.dll + 2009-12-05 18:45 . 2009-12-05 18:45 1712128 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\6eee9b772b6d12d3dbd82f118c2ab2e5\Microsoft.VisualBasic.ni.dll + 2009-12-05 18:44 . 2009-12-05 18:44 1093120 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\f19e9b439636d0744597fff1331cad04\Microsoft.Transactions.Bridge.ni.dll - 2009-11-07 04:47 . 2009-11-07 04:47 1093120 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\f19e9b439636d0744597fff1331cad04\Microsoft.Transactions.Bridge.ni.dll + 2009-12-05 18:47 . 2009-12-05 18:47 2332160 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.JScript\5b1af7b5be24c7ace065fe1c81c2b650\Microsoft.JScript.ni.dll + 2009-12-05 18:45 . 2009-12-05 18:45 1620992 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\9eec1cc7ac37e0c7f3205e8156149c5a\Microsoft.Build.Tasks.ni.dll + 2009-12-05 18:45 . 2009-12-05 18:45 1966080 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\28c0730288453d57d5dcd62903c4d31b\Microsoft.Build.Tasks.v3.5.ni.dll + 2009-12-05 18:45 . 
2009-12-05 18:45 1888768 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\5dd4f58999eed37c12aee7ea9f9863ac\Microsoft.Build.Engine.ni.dll
+ 2009-12-05 18:32 . 2009-11-05 14:36 26768832 c:\windows\system32\MRT.exe
+ 2009-12-05 18:50 . 2009-12-05 18:50 11794944 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\09267ab20349a706f353aed0c9baa864\System.Web.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4e232aa-bd80-4ce2-896f-f0b02c7accc7}]
fupipivo.dll [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2008-04-14 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-06-24 53096]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-02-13 17508864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-2 604776]
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-2-19 376832]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2/19/2009 2:22 PM 55136]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 8:09 PM 11032]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/30/2008 4:41 PM 116664]
R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [2/19/2009 2:02 PM 10752]
R3 Ktp;Elantech Smart-Pad;c:\windows\system32\drivers\ETD.sys [7/31/2008 9:24 PM 93696]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [11/4/2008 4:28 AM 38400]
S2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe --> c:\windows\system32\FastNetSrv.exe [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/19/2009 1:56 PM 1684736]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [12/8/2008 5:01 PM 533344]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device...
- c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\Amy Chen\Application Data\Mozilla\Firefox\Profiles\6qm4eeji.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Amy Chen\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Microsoft Driver Setup - c:\windows\rcdrive32.exe
SharedTaskScheduler- - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-05 18:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,96,44,2c,d8,a1,66,c2,4f,93,d6,8e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,96,44,2c,d8,a1,66,c2,4f,93,d6,8e,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\windows\system32\igfxdev.dll
.
Completion time: 2009-12-05 18:22
ComboFix-quarantined-files.txt 2009-12-05 23:22
ComboFix2.txt 2009-11-11 04:54
ComboFix3.txt 2009-11-04 15:31
ComboFix4.txt 2009-10-29 13:36
ComboFix5.txt 2009-11-11 20:38

Pre-Run: 27,779,760,128 bytes free
Post-Run: 27,767,611,392 bytes free

- - End Of File - - 1F60B65DAE5E0B0E842CDE62E54C0FA6