not a valid Win32 application



ycchen100
2008-02-03, 05:17
Dear All,

I think I really need some advice. I have never had a problem like this before.

Well, I can't run HijackThis because of "not a valid Win32 application". In fact, all the anti-virus programs became invalid in a similar way on my PC. On start-up, Windows Defender complains that the service is stopped. When I try to start the service from the Control Panel, it reports error 1053. I am not able to boot in safe mode. But I can still go online with this PC. But I know it is not unprotected.

I suspect this has to do with the Mdelk.exe that exists in the windows\system32 folder. However, after reading several similar threads in this forum, I found not much help, as I couldn't locate the following files/folders in the system32 folder: wintems.exe, \drivers\hldrrr.exe, mdelk.pif, \drivers\down, drivers\srosa.sys, ...

I can run DSS. I will post the DSS reports in a following link.

ycchen100
2008-02-03, 05:31
Deckard's System Scanner v20071014.68
Run by ycchen100 on 2008-02-03 12:18:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 0.71 GiB (less than 15%) free.


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-02-03 12:20:03
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\WINDOWS\vsnpstd2.exe
C:\WINDOWS\domino.exe
C:\WINDOWS\VMSnap1.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PPENSB\Win32\PPSHELL.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
D:\ycchen\downloads\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 連結
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://WWW.BenQ.COM/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: ThunderBHO - {06849E9E-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar3.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [MediafourGettingStartedWithMacDrive6] "C:\Program Files\Mediafour\MacDrive\MacDrive.exe" /runonce
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [domino] C:\WINDOWS\domino.exe
O4 - HKLM\..\Run: [VMSnap1] C:\WINDOWS\VMSnap1.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Internet Explorer.lnk = C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - Global Startup: 蒙恬快速啟動.lnk = C:\PPENSB\Win32\ppshell.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O4 - Global Startup: Google 更新器.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: 使用迅雷下載 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下載全部鏈接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: 運行迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: 運行迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E0DFFCF-27FF-4574-849B-55007349FEDA} (iTrusPTA Class) - https://img.alipay.com/download/1101/aliedit.cab
O16 - DPF: {272B8D21-5304-4529-BD3D-1CF392342F7D} (ICBC XCsp) - https://netbank.megabank.com.tw/natm/ICBCNetATM.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172239528665
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{9E8875A6-1C0A-44D8-BE56-9D49FD620A97}: NameServer = 139.175.55.244 139.175.252.16
O18 - Protocol: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - C:\WINDOWS\wc98pp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O20 - AppInit_DLLs: C:\PPENSB\win32\PPINKDLL.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\ISO Recorder\ImapiHelper.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\ESET\nod32krn.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\system32\PAStiSvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


--
End of file - 11631 bytes

ycchen100
2008-02-03, 05:32
-- Files created between 2008-01-03 and 2008-02-03 -----------------------------

2008-02-03 11:41:44 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-03 11:41:40 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-03 11:41:35 0 d-------- C:\WINDOWS\LastGood
2008-02-03 10:33:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-02-03 10:32:58 0 d-------- C:\Documents and Settings\ycchen100\Application Data\PrevxCSI
2008-02-03 10:17:58 0 d--hs---- C:\FOUND.003
2008-02-02 20:29:01 0 d--h----- C:\WINDOWS\PIF
2008-02-02 20:09:03 298104 --a------ C:\WINDOWS\system32\imon.dll <Not Verified; Eset; NOD32 Antivirus System>
2008-02-02 19:49:33 71172 --a------ C:\WINDOWS\system32\mdelk.exe
2008-02-02 16:42:00 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; PandaR Antivirus>
2008-02-02 15:25:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-02 15:16:40 0 d--hs---- C:\FOUND.002
2008-01-29 15:59:12 49152 -ra------ C:\WINDOWS\VMSnap1.exe <Not Verified; Vimicro; BIGDOG>
2008-01-29 15:59:12 49152 -ra------ C:\WINDOWS\domino.exe <Not Verified; ; Domino>
2008-01-29 15:59:11 94208 -ra------ C:\WINDOWS\VMCap.exe <Not Verified; www.zsmc.com.cn; www.zsmc.com.cn StillCap>
2008-01-29 15:59:11 176128 -ra------ C:\WINDOWS\amcap.exe <Not Verified; Microsoft Corporation; DirectX 9.0 Sample>
2008-01-29 15:59:10 61440 -ra------ C:\WINDOWS\system32\VM31bSTI.dll <Not Verified; VM; >
2008-01-29 15:59:09 195299 -ra------ C:\WINDOWS\system32\drivers\usbVM31b.sys <Not Verified; VM; >
2008-01-11 21:37:32 0 d-------- C:\Program Files\Taobao
2008-01-09 22:06:58 0 d-------- C:\Program Files\TransMac
2008-01-09 21:56:06 0 d-------- C:\Program Files\Windows Media Connect 2
2008-01-09 21:46:53 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-09 20:05:41 0 d-------- C:\Documents and Settings\ycchen100\Application Data\Synergy Software
2008-01-09 20:04:51 90112 --a------ C:\WINDOWS\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2008-01-09 20:04:41 0 d-------- C:\Documents and Settings\All Users\「開始」
2008-01-09 20:04:37 0 d-------- C:\Program Files\KaleidaGraph 4.0
2008-01-06 16:28:59 0 d-------- C:\WINDOWS\system32\aliedit
2008-01-06 00:20:14 0 d-------- C:\Documents and Settings\ycchen100\Application Data\Media Player Classic
2008-01-06 00:18:30 164352 --a------ C:\WINDOWS\system32\unrar.dll
2008-01-06 00:18:20 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-01-06 00:18:17 0 d-------- C:\Program Files\K-Lite Codec Pack
2008-01-06 00:05:05 0 d-------- C:\Documents and Settings\ycchen100\Application Data\skypePM
2008-01-06 00:05:05 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-01-06 00:03:48 0 d-------- C:\Program Files\Common Files\Skype
2008-01-05 22:50:19 0 d-------- C:\Program Files\Glary Utilities


-- Find3M Report ---------------------------------------------------------------

2008-02-03 11:14:56 12341 --a------ C:\WINDOWS\system32\Tablet.dat
2008-02-02 21:33:18 1292 --a------ C:\WINDOWS\system32\cid_store.dat
2008-01-10 02:23:24 134494 --a------ C:\WINDOWS\system32\prfh0404.dat
2008-01-10 02:23:24 47220 --a------ C:\WINDOWS\system32\prfc0404.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004/08/04 afternoon 08:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004/08/04 afternoon 08:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004/08/04 afternoon 08:00]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004/02/10 morning 10:55]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004/02/10 morning 10:51]
"SoundMan"="SOUNDMAN.EXE" [2003/12/19 afternoon 05:53 C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2003/11/19 afternoon 03:41 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003/09/26 morning 11:01]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003/09/26 morning 11:01]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001/07/09 morning 11:50]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003/10/31 afternoon 07:42]
"Ulead AutoDetector"="C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" [2008/02/03 morning 11:15]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004/08/04 afternoon 08:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004/08/04 afternoon 08:00]
"PRONoMgr.exe"="c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2004/02/05 afternoon 04:33]
"MDDiskProtect.exe"="C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe" [2005/04/15 afternoon 03:54]
"MediafourGettingStartedWithMacDrive6"="C:\Program Files\Mediafour\MacDrive\MacDrive.exe" [2004/08/26 afternoon 02:12]
"Mediafour Mac Volume Notifications"="C:\Program Files\Common Files\Mediafour\MACVNTFY.exe" [2002/12/17 afternoon 04:43]
"SNPSTD2"="C:\WINDOWS\vsnpstd2.exe" [2004/08/30 afternoon 04:37]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007/10/10 afternoon 07:51]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006/11/03 afternoon 07:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007/09/25 morning 01:11]
"domino"="C:\WINDOWS\domino.exe" [2006/07/04 afternoon 02:16]
"VMSnap1"="C:\WINDOWS\VMSnap1.exe" [2006/07/17 morning 11:27]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008/02/03 morning 11:47]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006/09/08 morning 01:19]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2008/02/02 afternoon 11:52]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004/08/04 afternoon 08:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2006/02/20 morning 10:10]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007/12/07 afternoon 03:11]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008/02/02 afternoon 10:17]

C:\Documents and Settings\ycchen100\「開始」功能表\程式集\啟動\
Internet Explorer.lnk - C:\Program Files\Internet Explorer\IEXPLORE.EXE [2005/5/31 afternoon 12:23:18]

C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
蒙恬快速啟動.lnk - C:\PPENSB\Win32\ppshell.exe [2007/2/22 afternoon 02:50:59]
TabUserW.exe.lnk - C:\WINDOWS\system32\Wtablet\TabUserW.exe [2003/11/19 afternoon 12:11:16]
Google 更新器.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007/7/16 afternoon 08:16:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
c:\WINDOWS\system32\LgNotify.dll 2004/03/03 afternoon 04:48 110592 c:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PPENSB\win32\PPINKDLL.DLL

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"




-- End of Deckard's System Scanner: finished at 2008-02-03 12:20:44 ------------
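The "Files created" listing above already contains what a responder pulls out first: mdelk.exe was written to system32 on 2008-02-02 with no version information, while every other new binary in that directory carries a vendor tag. The Python below is an added example for this thread, not code from DSS, HijackThis or the poster: it automates that triage over DSS listing lines and adds the check that belongs with the "not a valid Win32 application" error, namely whether a tool that refuses to start still has a well-formed MZ/PE header pair. The sample lines are copied from the listing above; the header bytes are constructed; the three-day window, the C:\WINDOWS root and the i386-only check are assumptions chosen to match this XP x86 machine.

```python
import re
import struct
from datetime import datetime, timedelta

# One DSS listing line: timestamp, size, nine attribute flags, path, and an optional
# "<Not Verified; vendor; product>" tag taken from the file's version resource.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+"
    r"(?P<attrs>[-a-z]{9})\s+"
    r"(?P<path>.+?)"
    r"(?:\s+<(?P<verinfo>[^>]*)>)?\s*$"
)
SYSTEM_ROOT = "c:\\windows\\"   # assumption: %SystemRoot% is C:\WINDOWS, as in the log
EXEC_EXTS = (".exe", ".dll", ".sys", ".pif", ".scr", ".com")


def parse_line(line):
    """Parse one listing line into a dict; return None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    vendor = ""
    if m.group("verinfo"):
        # "<Not Verified; Eset; NOD32 Antivirus System>": the second field is the vendor.
        fields = [f.strip() for f in m.group("verinfo").split(";")]
        if len(fields) >= 2:
            vendor = fields[1]
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "size": int(m.group("size")),
        "is_dir": m.group("attrs").startswith("d"),
        "path": m.group("path"),
        "vendor": vendor,
    }


def recent_unattributed_binaries(lines, scan_time, window_days=3):
    """Executable files under %SystemRoot% created within window_days of the scan
    that carry no vendor name. Newest first. Review candidates, not verdicts."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["is_dir"]:
            continue
        path = rec["path"].lower()
        if not path.startswith(SYSTEM_ROOT) or not path.endswith(EXEC_EXTS):
            continue
        if rec["vendor"] or scan_time - rec["ts"] > timedelta(days=window_days):
            continue
        hits.append(rec)
    return sorted(hits, key=lambda r: r["ts"], reverse=True)


def pe_header_problem(data):
    """Return None when data begins with an MZ header whose e_lfanew points at a
    PE signature for an i386 image, otherwise a short reason. The loader's
    "not a valid Win32 application" error means it rejected these headers, so
    this is the first thing to check on a tool that no longer starts."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "missing MZ (DOS) header"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data):            # signature + 20-byte COFF file header
        return "e_lfanew points outside the file"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "missing PE signature at e_lfanew"
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    if machine != 0x014C:                    # IMAGE_FILE_MACHINE_I386 (this box is XP x86)
        return "not an i386 image (machine=0x%04x)" % machine
    return None


# Sample input: lines copied from the DSS listing posted in this thread.
SAMPLE_LINES = [
    r"2008-02-03 11:41:40 0 d-------- C:\WINDOWS\system32\Kaspersky Lab",
    r"2008-02-02 20:09:03 298104 --a------ C:\WINDOWS\system32\imon.dll <Not Verified; Eset; NOD32 Antivirus System>",
    r"2008-02-02 19:49:33 71172 --a------ C:\WINDOWS\system32\mdelk.exe",
    r"2008-02-02 16:42:00 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; PandaR Antivirus>",
    r"2008-01-29 15:59:12 49152 -ra------ C:\WINDOWS\domino.exe <Not Verified; ; Domino>",
    r"2008-01-06 00:18:30 164352 --a------ C:\WINDOWS\system32\unrar.dll",
]
SCAN_TIME = datetime(2008, 2, 3, 12, 18, 30)   # "Run by ycchen100 on 2008-02-03 12:18:30"

# Constructed header bytes: a minimal valid MZ/PE pair, and the same bytes cut off
# inside the PE signature, which is what an overwritten or truncated image looks like.
_hdr = bytearray(0x80)
_hdr[:2] = b"MZ"
struct.pack_into("<I", _hdr, 0x3C, 0x40)       # e_lfanew -> offset 0x40
_hdr[0x40:0x44] = b"PE\0\0"
struct.pack_into("<H", _hdr, 0x44, 0x014C)     # Machine = i386
GOOD_HEADER = bytes(_hdr)
TRUNCATED_HEADER = GOOD_HEADER[:0x42]

if __name__ == "__main__":
    for rec in recent_unattributed_binaries(SAMPLE_LINES, SCAN_TIME):
        print("review:", rec["path"], rec["ts"], rec["size"], "bytes, no vendor name")
    print("good header:", pe_header_problem(GOOD_HEADER))
    print("truncated header:", pe_header_problem(TRUNCATED_HEADER))
```

With the three-day window only mdelk.exe surfaces; widening it would also bring up domino.exe, whose version tag has an empty vendor field, which is why the function reports candidates for review rather than verdicts. Running `pe_header_problem` over the bytes of each anti-virus executable that fails with the Win32 error separates two very different situations: damaged files on disk, or intact files that something else is preventing from running.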

ycchen100
2008-02-03, 05:48
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: Chinese

CPU 0: Intel(R) Celeron(R) M processor 1.30GHz
Percentage of Memory in Use: 42%
Physical Memory (total/avail): 735.48 MiB / 420.99 MiB
Pagefile Memory (total/avail): 1395.2 MiB / 1120.34 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1918.34 MiB

C: is Fixed (FAT32) - 23.43 GiB total, 0.71 GiB free.
D: is Fixed (FAT32) - 11.85 GiB total, 7.19 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - FUJITSU MHT2040AT - 37.26 GiB - 3 partitions
\PARTITION0 (bootable) - Unknown - 23.44 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 11.87 GiB - D:
\PARTITION2 - Unknown - 2000.28 MiB



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\System32\\rundll32.exe"="C:\\WINDOWS\\System32\\rundll32.exe:*:Disabled:Run a DLL as an App"
"C:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe"="C:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe:*:Enabled:Thunder"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:PChome-Skype"
"C:\\WINDOWS\\System32\\dpvsetup.exe"="C:\\WINDOWS\\System32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\ycchen100\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BENQ-WK6ZITF0OR
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\ycchen100
LOGONSERVER=\\BENQ-WK6ZITF0OR
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\Common Files\Ulead Systems\DVD
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ycchen100\LOCALS~1\Temp
TMP=C:\DOCUME~1\ycchen100\LOCALS~1\Temp
USERDOMAIN=BENQ-WK6ZITF0OR
USERNAME=ycchen100
USERPROFILE=C:\Documents and Settings\ycchen100
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

ycchen100 (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> MsiExec.exe /I{B5D8CCBF-08D8-46C0-8B04-3BC0CAEDA094}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 8.1.1 - Chinese Traditional --> MsiExec.exe /I{AC76BA86-7AD7-1028-7B44-A81000000003}
Adobe Reader Japanese Fonts --> MsiExec.exe /I{AC76BA86-7AD7-5A76-5A64-7E8A45000001}
AFPL Ghostscript 8.53 --> C:\Program Files\gs\uninstgs.exe "C:\Program Files\gs\gs8.53\uninstal.txt"
AFPL Ghostscript Fonts --> C:\Program Files\gs\uninstgs.exe "C:\Program Files\gs\fonts\uninstal.txt"
Agere Systems AC'97 Modem --> agrsmdel
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Chinese Simplified Fonts Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-2447-0000-800000000003}
Citrix Web Client --> C:\WINDOWS\system32\ctxsetup.exe /uninst C:\PROGRA~1\Citrix\icaweb32\uninst.inf
CoreFLAC Audio Decoder+Source Filter (remove only) --> "C:\WINDOWS\system32\CoreFLACDecoder-uninstall.exe"
DC3410 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BADD5396-9881-4348-9CB4-60621971D78A}\Setup.exe" -l0x9
eMule --> "C:\Program Files\eMule\Uninstall.exe"
EZSuite 2.0 For BestOn --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{76fa3956-dacc-4bd8-9a2b-784892226332}\SETUP.EXE" -l0x404
ffvfw (uninstall only) --> "C:\Program Files\ffvfw\uninstall.exe"
Glary Utilities 2.4 --> "C:\Program Files\Glary Utilities\unins000.exe"
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar3.dll"
Google 更新器 --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
GSview 4.8 --> C:\Program Files\Ghostgum\gsview\uninstgs.exe "C:\Program Files\Ghostgum\gsview\uninstal.txt"
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP DeskJet 610C 系列 (僅限移除) --> C:\Program Files\HP DeskJet 610C Series\hpfiui.exe -c -vdivid=HPF -vpnum=20 -vproduct=610C -huninstall
Intel(R) Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_3582
Intel(R) PROSet for Wireless --> MsiExec.exe /I{5380063E-2909-4d72-BFA3-625881F2E78B}
ISO Recorder --> MsiExec.exe /I{DFC6573E-124D-4026-BFA4-B433C9D3FF21}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
K-Lite Codec Pack 3.6.5 Standard --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
KaleidaGraph 4.0 --> C:\WINDOWS\unvise32.exe C:\Program Files\KaleidaGraph 4.0\uninstal.log
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
MacDrive 6 --> MsiExec.exe /I {EE4E7E75-A4A6-4C3D-9F70-C276FA43205A}
Macromedia Shockwave Player --> C:\WINDOWS\system32\MACROMED\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\MACROMED\SHOCKW~1\INSTALL.LOG
MD1000 PCSYNC --> "C:\Program Files\MD1000 PCSYNC\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office PowerPoint Viewer 2003 --> MsiExec.exe /X{90AF0409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Word Viewer 2003 --> MsiExec.exe /I{90850409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NOD32 FiX --> "C:\Program Files\Eset\unins000.exe"
NOD32防毒系統 --> C:\Program Files\Eset\Setup\setup.exe /UNINSTALL
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Skype(TM) 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Spelling Dictionaries Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
StuffIt 7.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7374C760-F6DC-11D3-B526-006097B06BE3}\Setup.exe"
SWF Opener --> "C:\Program Files\SWF Opener\unins000.exe"
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Tablet --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{D643A9C5-EAAA-4681-8EDE-6B3462F3ACE3} /l1028
TransMac version 7.5 --> "C:\Program Files\TransMac\unins000.exe"
Ulead Photo Explorer 8.0 SE Basic --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D271DAE0-8D68-4C97-8356-A126D48A1D8C}\setup.exe" -l0x404
Ulead VideoStudio 8.0 SE DVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4F1DA6BF-3614-48A1-9970-9E90F646789E}\Setup.exe" -l0x404
Uniblue RegistryBooster2 --> "C:\Program Files\RegistryBooster2\unins000.exe"
Unlocker 1.8.5 --> C:\Program Files\Unlocker\uninst.exe
USB PC Camera (SN9C103) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EADAA6F7-991F-4CE9-B5CE-FCF3D81F7C7D}\Setup.exe" -l0x404
VGA USB Camera --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1DDF840B-A50A-491E-BF44-6D6964C451A8}\Setup.exe" -l0x404
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB883939) --> "C:\WINDOWS\$NtUninstallKB883939$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB890046) --> "C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB893066) --> "C:\WINDOWS\$NtUninstallKB893066$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB893756) --> "C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB896358) --> "C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB896422) --> "C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB896423) --> "C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB896424) --> "C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB896428) --> "C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB896688) --> "C:\WINDOWS\$NtUninstallKB896688$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB899587) --> "C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB899588) --> "C:\WINDOWS\$NtUninstallKB899588$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB899591) --> "C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB900725) --> "C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB901017) --> "C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB901190) --> "C:\WINDOWS\$NtUninstallKB901190$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB901214) --> "C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB902400) --> "C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB903235) --> "C:\WINDOWS\$NtUninstallKB903235$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB904706) --> "C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB905414) --> "C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB905749) --> "C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB905915) --> "C:\WINDOWS\$NtUninstallKB905915$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB908519) --> "C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB908531) --> "C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB911280) --> "C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB911562) --> "C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB911567) --> "C:\WINDOWS\$NtUninstallKB911567$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB911927) --> "C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB912812) --> "C:\WINDOWS\$NtUninstallKB912812$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB912919) --> "C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB913446) --> "C:\WINDOWS\$NtUninstallKB913446$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB913580) --> "C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB914388) --> "C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB914389) --> "C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB916281) --> "C:\WINDOWS\$NtUninstallKB916281$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB917159) --> "C:\WINDOWS\$NtUninstallKB917159$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB917344) --> "C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB917422) --> "C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB917953) --> "C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB918118) --> "C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB918439) --> "C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB918899) --> "C:\WINDOWS\$NtUninstallKB918899$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB919007) --> "C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB920213) --> "C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB920214) --> "C:\WINDOWS\$NtUninstallKB920214$\spuninst\spuninst.exe"

ycchen100
2008-02-03, 05:49
Windows XP 安全性更新 (KB920670) --> "C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB920683) --> "C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB920685) --> "C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB921398) --> "C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB921503) --> "C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB921883) --> "C:\WINDOWS\$NtUninstallKB921883$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB922616) --> "C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB922760) --> "C:\WINDOWS\$NtUninstallKB922760$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB922819) --> "C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB923191) --> "C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB923414) --> "C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB923689) --> "C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB923694) --> "C:\WINDOWS\$NtUninstallKB923694$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB923980) --> "C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB924191) --> "C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB924270) --> "C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB924496) --> "C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB924667) --> "C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB925454) --> "C:\WINDOWS\$NtUninstallKB925454$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB925486) --> "C:\WINDOWS\$NtUninstallKB925486$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB925902) --> "C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB926255) --> "C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB926436) --> "C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB927779) --> "C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB927802) --> "C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB928090) --> "C:\WINDOWS\$NtUninstallKB928090$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB928255) --> "C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB928843) --> "C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB929123) --> "C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB929969) --> "C:\WINDOWS\$NtUninstallKB929969$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB930178) --> "C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB931261) --> "C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB931768) --> "C:\WINDOWS\$NtUninstallKB931768$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB931784) --> "C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB932168) --> "C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB933566) --> "C:\WINDOWS\$NtUninstallKB933566$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB933729) --> "C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB935839) --> "C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB935840) --> "C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB936021) --> "C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB937143) --> "C:\WINDOWS\$NtUninstallKB937143$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB938127) --> "C:\WINDOWS\$NtUninstallKB938127$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB938829) --> "C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB939653) --> "C:\WINDOWS\$NtUninstallKB939653$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB941202) --> "C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB941568) --> "C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB941569) --> "C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB941644) --> "C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB942615) --> "C:\WINDOWS\$NtUninstallKB942615$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB943460) --> "C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB943485) --> "C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB944653) --> "C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Windows XP 更新 (KB894391) --> "C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Windows XP 更新 (KB896727) --> "C:\WINDOWS\$NtUninstallKB896727$\spuninst\spuninst.exe"
Windows XP 更新 (KB898461) --> "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Windows XP 更新 (KB900485) --> "C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Windows XP 更新 (KB904942) --> "C:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"
Windows XP 更新 (KB910437) --> "C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Windows XP 更新 (KB916595) --> "C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Windows XP 更新 (KB920342) --> "C:\WINDOWS\$NtUninstallKB920342$\spuninst\spuninst.exe"
Windows XP 更新 (KB920872) --> "C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Windows XP 更新 (KB922582) --> "C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Windows XP 更新 (KB927891) --> "C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Windows XP 更新 (KB929338) --> "C:\WINDOWS\$NtUninstallKB929338$\spuninst\spuninst.exe"
Windows XP 更新 (KB930916) --> "C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Windows XP 更新 (KB931836) --> "C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
Windows XP 更新 (KB933360) --> "C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"
Windows XP 更新 (KB936357) --> "C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Windows XP 更新 (KB938828) --> "C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Windows XP 更新 (KB942763) --> "C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Windows XP 更新 (KB942840) --> "C:\WINDOWS\$NtUninstallKB942840$\spuninst\spuninst.exe"
Windows XP 更新 (KB946627) --> "C:\WINDOWS\$NtUninstallKB946627$\spuninst\spuninst.exe"
WinRAR 壓縮工具 --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
WMPTagSupportExtender --> MsiExec.exe /I{7AEBFFF0-15A1-48A9-88F3-06604486C7C9}
Yahoo!奇摩Messenger --> C:\PROGRA~1\YAHOO!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\YAHOO!\MESSEN~1\INSTALL.LOG
迅雷5 --> "C:\Program Files\Thunder Network\Thunder\unins000.exe"
淘寶旺旺 --> "C:\Program Files\淘寶網\淘寶旺旺\Unwise.exe" "C:\Program Files\淘寶網\淘寶旺旺\INSTALL.LOG"
蒙恬筆 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{92F9A035-46D1-4F41-8FCB-B12797586B06}\setup.exe" -l0x404 -removeonly
蒙恬認識王專業版 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F92C708B-9CB2-4460-8B5B-13EA895859F3}\Setup.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type3843 / Error
Event Submitted/Written: 02/03/2008 10:19:35 AM
Event ID/Source: 1004 / Application Error
Event Description:
失敗的應用程式 svchost.exe,版本 0.0.0.0,失敗的模組 unknown,版本 0.0.0.0,錯誤位址 0x00000000。
建立結果 PEAP-TLV 以回應接收的 PEAP-TLV (svchost.exe!ld!) 時發生錯誤

Event Record #/Type3829 / Error
Event Submitted/Written: 02/02/2008 04:45:08 PM
Event ID/Source: 1000 / Application Error
Event Description:
失敗的應用程式 ,版本 0.0.0.0,失敗的模組 unknown,版本 0.0.0.0,錯誤位址 0x00000000。
正在為 [!ws!] 處理媒體相關的事件

Event Record #/Type3808 / Error
Event Submitted/Written: 01/30/2008 08:10:06 PM
Event ID/Source: 1000 / Application Error
Event Description:
失敗的應用程式 iexplore.exe,版本 6.0.2900.2180,失敗的模組 urlmon.dll,版本 6.0.2900.3231,錯誤位址 0x0003a176。
正在為 [iexplore.exe!ws!] 處理媒體相關的事件

Event Record #/Type3796 / Warning
Event Submitted/Written: 01/29/2008 04:11:00 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows 無法將您的類別登錄檔解除載入 - 有其他應用程式或服務還在使用它。如果檔案不在使用中將會被解除載入。

Event Record #/Type3795 / Error
Event Submitted/Written: 01/29/2008 11:49:34 AM
Event ID/Source: 1000 / Application Error
Event Description:
失敗的應用程式 iexplore.exe,版本 6.0.2900.2180,失敗的模組 ntdll.dll,版本 5.1.2600.2180,錯誤位址 0x000122ba。
正在為 [iexplore.exe!ws!] 處理媒體相關的事件



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type138387 / Warning
Event Submitted/Written: 02/03/2008 11:47:31 AM
Event ID/Source: 1007 / Dhcp
Event Description:
您的電腦已自動設定網路位址為 0040D0756F25 的網路卡的 IP 位址。
目前使用的 IP 位址是 169.254.95.201。

Event Record #/Type138380 / Error
Event Submitted/Written: 02/03/2008 11:20:02 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
Computer Browser 服務因下列錯誤而終止:
%%1460

Event Record #/Type138367 / Error
Event Submitted/Written: 02/03/2008 11:15:16 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
AVG Anti-Spyware Guard 服務無法啟動,因為發生下列錯誤:
%%193

Event Record #/Type138362 / Error
Event Submitted/Written: 02/03/2008 11:15:16 AM
Event ID/Source: 7026 / Service Control Manager
Event Description:
下列開機啟動或系統啟動驅動程式無法載入:
IKFileSec

Event Record #/Type138361 / Error
Event Submitted/Written: 02/03/2008 11:15:16 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
DC3410 Video Camera Device 服務無法啟動,因為發生下列錯誤:
%%1058



-- End of Deckard's System Scanner: finished at 2008-02-03 11:47:38 ------------

ycchen100
2008-02-03, 06:01
Dear All,

I think I really need some advice. Never had a problem like this before.

Well, I can't run HiJackThis because of "not a valid Win32 application". In fact, all the anti-virus programs became invalid in a similar way on my PC. On start-up Windows Defender complains that the service is stopped. I want to activate the service in the Control Panel, but it reports an error 1053. Not able to boot in safe mode. But I can still go online with this PC. But I know it is now unprotected.

I suspect this has to do with the Mdelk.exe that exists in the windows\system32 folder. However, after reading several similar threads in this forum, I found not much help, as I couldn't locate the following files/folders in the system32 folder: wintems.exe, \drivers\hldrrr.exe, mdelk.pif, \drivers\down, drivers\srosa.sys, ...

I can do DSS. I will post the DSS reports in a following link.

I can't run ComboFix either, due to the same problem, "not a valid Win32 application." Also, the Kaspersky online scanner cannot continue due to "update process FAILED."

It looks very bad to me... :sad:

ycchen100
2008-02-03, 11:26
OK. The following is what I have tried, to solve the problem by myself.

1. I have tried to run IceSword. But the same problem: "not a valid Win32 application."
It seems that if I can get rid of this annoying problem, I'd be much better off. But I really don't know how.

2. I have tried the Panda ActiveScan online scan and removed some viruses. The scan report is as follows:

Incident Location

Virus:w32/bagle.hx.worm Operating system

Virus:W32/Bagle.BA.worm DC:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\DOWN\a.bat.vir
Virus:W32/Bagle.RC.worm DiC:\WINDOWS\SYSTEM32\DRIVERS\DOWN\291499.EXE

Virus:W32/Bagle.RC.worm C:\WINDOWS\SYSTEM32\DRIVERS\DOWN\411762.EXE

Virus:W32/Bagle.RC.worm C:\WINDOWS\SYSTEM32\MDELK.EXE

Virus:W32/Bagle.RC.worm C:\WINDOWS\SYSTEM32\WINTEMS.EXE

Potentially unwanted tool:Application/NirCmd.A C:\WINDOWS\Nircmd.exe

3. I couldn't locate the following entries in the registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hldrrr.exe"="C:\\WINDOWS\\System32\\igfxtray.exe"
"wintems.exe"="C:\\WINDOWS\\System32\\igfxtray.exe"

not in "HKEY_CURRENT_USER\..." nor in "HKEY_LOCAL_MACHINE\...",

The only thing I found related is
"igfxtray.exe"="C:\\WINDOWS\\System32\\igfxtray.exe"

4. The following is what I think may be malicious in my computer:

1. C:\WINDOWS\System32\mdelk.exe. It was about 70K. After the Panda online scan it is left at 0K, but not removed.

2. In the registry,
HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\LEGACY_SROSA
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\srosa
HKEY_LOCAL_MACHINE\System\ControlSet003\Enum\Root\LEGACY_SROSA
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_SROSA
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srosa

3. There may be some other hidden files that I have overlooked.

4. All the viruses come back after a restart. So the Panda ActiveScan did not really solve the problem.

5. I am stuck here again.

ycchen100
2008-02-03, 16:18
OK. I managed to run ComboFix once after repeated Panda ActiveScan online scans. It doesn't help much, as the Mdelk.exe comes back again and ComboFix is again "not a valid Win32 application" (as I can see the icon is "blinking", if you know what I mean).

The following is the ComboFix.txt:

ComboFix 08-02.03.1 - ycchen100 2008-02-03 15:07:45.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.950.1.1028.18.414 [GMT 8:00]
執行位置?: D:\ycchen\downloads\ComboFix.exe
* 已建立新的還原點

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
/wow section - STAGE 4
/wow section unfinished

(((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\boot.ini
C:\WINDOWS\system32\drivers\down
C:\WINDOWS\system32\drivers\down\1000819.exe
C:\WINDOWS\system32\drivers\down\1011364.exe
C:\WINDOWS\system32\drivers\down\1020847.exe
C:\WINDOWS\system32\drivers\down\11456263.exe
C:\WINDOWS\system32\drivers\down\11458446.exe
C:\WINDOWS\system32\drivers\down\11466127.exe
C:\WINDOWS\system32\drivers\down\11471124.exe
C:\WINDOWS\system32\drivers\down\11477874.exe
C:\WINDOWS\system32\drivers\down\11480938.exe
C:\WINDOWS\system32\drivers\down\11516359.exe
C:\WINDOWS\system32\drivers\down\11527615.exe
C:\WINDOWS\system32\drivers\down\11538060.exe
C:\WINDOWS\system32\drivers\down\121334.exe
C:\WINDOWS\system32\drivers\down\14913744.exe
C:\WINDOWS\system32\drivers\down\14955464.exe
C:\WINDOWS\system32\drivers\down\15033236.exe
C:\WINDOWS\system32\drivers\down\15033917.exe
C:\WINDOWS\system32\drivers\down\15049950.exe
C:\WINDOWS\system32\drivers\down\15059744.exe
C:\WINDOWS\system32\drivers\down\15067996.exe
C:\WINDOWS\system32\drivers\down\15071291.exe
C:\WINDOWS\system32\drivers\down\15093863.exe
C:\WINDOWS\system32\drivers\down\15111939.exe
C:\WINDOWS\system32\drivers\down\15120912.exe
C:\WINDOWS\system32\drivers\down\15123085.exe
C:\WINDOWS\system32\drivers\down\15125599.exe
C:\WINDOWS\system32\drivers\down\15132118.exe
C:\WINDOWS\system32\drivers\down\15149674.exe
C:\WINDOWS\system32\drivers\down\15152548.exe
C:\WINDOWS\system32\drivers\down\15201328.exe
C:\WINDOWS\system32\drivers\down\15222909.exe
C:\WINDOWS\system32\drivers\down\15231381.exe
C:\WINDOWS\system32\drivers\down\157676.exe
C:\WINDOWS\system32\drivers\down\170234.exe
C:\WINDOWS\system32\drivers\down\204874.exe
C:\WINDOWS\system32\drivers\down\210202.exe
C:\WINDOWS\system32\drivers\down\259713.exe
C:\WINDOWS\system32\drivers\down\273122.exe
C:\WINDOWS\system32\drivers\down\280433.exe
C:\WINDOWS\system32\drivers\down\281314.exe
C:\WINDOWS\system32\drivers\down\313881.exe
C:\WINDOWS\system32\drivers\down\318427.exe
C:\WINDOWS\system32\drivers\down\325848.exe
C:\WINDOWS\system32\drivers\down\327020.exe
C:\WINDOWS\system32\drivers\down\334060.exe
C:\WINDOWS\system32\drivers\down\336854.exe
C:\WINDOWS\system32\drivers\down\345366.exe
C:\WINDOWS\system32\drivers\down\366677.exe
C:\WINDOWS\system32\drivers\down\378824.exe
C:\WINDOWS\system32\drivers\down\381879.exe
C:\WINDOWS\system32\drivers\down\382790.exe
C:\WINDOWS\system32\drivers\down\384953.exe
C:\WINDOWS\system32\drivers\down\390511.exe
C:\WINDOWS\system32\drivers\down\392394.exe
C:\WINDOWS\system32\drivers\down\393455.exe
C:\WINDOWS\system32\drivers\down\400676.exe
C:\WINDOWS\system32\drivers\down\402719.exe
C:\WINDOWS\system32\drivers\down\403249.exe
C:\WINDOWS\system32\drivers\down\407075.exe
C:\WINDOWS\system32\drivers\down\407325.exe
C:\WINDOWS\system32\drivers\down\409468.exe
C:\WINDOWS\system32\drivers\down\423559.exe
C:\WINDOWS\system32\drivers\down\427705.exe
C:\WINDOWS\system32\drivers\down\432291.exe
C:\WINDOWS\system32\drivers\down\436016.exe
C:\WINDOWS\system32\drivers\down\436117.exe
C:\WINDOWS\system32\drivers\down\441665.exe
C:\WINDOWS\system32\drivers\down\443667.exe
C:\WINDOWS\system32\drivers\down\445510.exe
C:\WINDOWS\system32\drivers\down\447533.exe
C:\WINDOWS\system32\drivers\down\454273.exe
C:\WINDOWS\system32\drivers\down\456456.exe
C:\WINDOWS\system32\drivers\down\458749.exe
C:\WINDOWS\system32\drivers\down\461854.exe
C:\WINDOWS\system32\drivers\down\467612.exe
C:\WINDOWS\system32\drivers\down\476094.exe
C:\WINDOWS\system32\drivers\down\483014.exe
C:\WINDOWS\system32\drivers\down\487330.exe
C:\WINDOWS\system32\drivers\down\500339.exe
C:\WINDOWS\system32\drivers\down\507389.exe
C:\WINDOWS\system32\drivers\down\515030.exe
C:\WINDOWS\system32\drivers\down\517434.exe
C:\WINDOWS\system32\drivers\down\525285.exe
C:\WINDOWS\system32\drivers\down\543301.exe
C:\WINDOWS\system32\drivers\down\551342.exe
C:\WINDOWS\system32\drivers\down\553355.exe
C:\WINDOWS\system32\drivers\down\563340.exe
C:\WINDOWS\system32\drivers\down\574786.exe
C:\WINDOWS\system32\drivers\down\589948.exe
C:\WINDOWS\system32\drivers\down\597138.exe
C:\WINDOWS\system32\drivers\down\600173.exe
C:\WINDOWS\system32\drivers\down\602135.exe
C:\WINDOWS\system32\drivers\down\608194.exe
C:\WINDOWS\system32\drivers\down\608334.exe
C:\WINDOWS\system32\drivers\down\608875.exe
C:\WINDOWS\system32\drivers\down\624157.exe
C:\WINDOWS\system32\drivers\down\624998.exe
C:\WINDOWS\system32\drivers\down\628133.exe
C:\WINDOWS\system32\drivers\down\633090.exe
C:\WINDOWS\system32\drivers\down\644136.exe
C:\WINDOWS\system32\drivers\down\662813.exe
C:\WINDOWS\system32\drivers\down\673458.exe
C:\WINDOWS\system32\drivers\down\680909.exe
C:\WINDOWS\system32\drivers\down\729228.exe
C:\WINDOWS\system32\drivers\down\739673.exe
C:\WINDOWS\system32\drivers\down\747755.exe
C:\WINDOWS\system32\drivers\down\749677.exe
C:\WINDOWS\system32\drivers\down\7728783.exe
C:\WINDOWS\system32\drivers\down\7730165.exe
C:\WINDOWS\system32\drivers\down\7744866.exe
C:\WINDOWS\system32\drivers\down\7755551.exe
C:\WINDOWS\system32\drivers\down\7761780.exe
C:\WINDOWS\system32\drivers\down\7765195.exe
C:\WINDOWS\system32\drivers\down\7796851.exe
C:\WINDOWS\system32\drivers\down\7846102.exe
C:\WINDOWS\system32\drivers\down\799048.exe
C:\WINDOWS\system32\drivers\down\799770.exe
C:\WINDOWS\system32\drivers\down\802073.exe
C:\WINDOWS\system32\drivers\down\802934.exe
C:\WINDOWS\system32\drivers\down\812948.exe
C:\WINDOWS\system32\drivers\down\818647.exe
C:\WINDOWS\system32\drivers\down\821801.exe
C:\WINDOWS\system32\drivers\down\826668.exe
C:\WINDOWS\system32\drivers\down\827069.exe
C:\WINDOWS\system32\drivers\down\829652.exe
C:\WINDOWS\system32\drivers\down\836713.exe
C:\WINDOWS\system32\drivers\down\837324.exe
C:\WINDOWS\system32\drivers\down\839587.exe
C:\WINDOWS\system32\drivers\down\852776.exe
C:\WINDOWS\system32\drivers\down\861689.exe
C:\WINDOWS\system32\drivers\down\863752.exe
C:\WINDOWS\system32\drivers\down\865865.exe
C:\WINDOWS\system32\drivers\down\867727.exe
C:\WINDOWS\system32\drivers\down\878182.exe
C:\WINDOWS\system32\drivers\down\881337.exe
C:\WINDOWS\system32\drivers\down\909748.exe
C:\WINDOWS\system32\drivers\down\915846.exe
C:\WINDOWS\system32\drivers\down\923417.exe
C:\WINDOWS\system32\drivers\down\927523.exe
C:\WINDOWS\system32\drivers\down\931479.exe
C:\WINDOWS\system32\drivers\down\939671.exe
C:\WINDOWS\system32\drivers\down\941623.exe
C:\WINDOWS\system32\drivers\down\943446.exe
C:\WINDOWS\system32\drivers\down\948563.exe
C:\WINDOWS\system32\drivers\down\956094.exe
C:\WINDOWS\system32\drivers\down\959960.exe
C:\WINDOWS\system32\drivers\down\a.bat

.
(((((((((((((((((((((((((((( Files Created from 2008-01-03 - 2008-02-03 )))))))))))))))))))))))))))))))))
.

2008-02-03 13:15 . 2006-06-30 14:13 8,704 --a------ C:\WINDOWS\system32\pfdnnt.exe
2008-02-03 11:44 . 2008-02-03 11:44 <DIR> d-------- C:\Deckard
2008-02-03 11:41 . 2008-02-03 11:41 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-03 11:41 . 2008-02-03 11:41 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-03 11:41 . 2008-02-03 11:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-03 10:33 . 2008-02-03 10:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-02-03 10:32 . 2008-02-03 10:33 <DIR> d-------- C:\Documents and Settings\ycchen100\Application Data\PrevxCSI
2008-02-03 10:17 . 2008-02-03 10:17 <DIR> d--hs---- C:\FOUND.003
2008-02-02 21:33 . 2008-02-02 21:33 <DIR> d-------- C:\Program Files\Unlocker
2008-02-02 20:29 . 2008-02-02 20:29 <DIR> d--h----- C:\WINDOWS\PIF
2008-02-02 20:09 . 2008-02-02 20:08 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-02-02 20:09 . 2008-02-02 20:08 298,104 --a------ C:\WINDOWS\system32\imon.dll
2008-02-02 20:09 . 2008-02-02 20:07 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2008-02-02 19:49 . 2008-02-03 13:32 0 --------- C:\WINDOWS\system32\mdelk.exe
2008-02-02 16:42 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-02 15:29 . 2006-09-06 00:03 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-02 15:25 . 2008-02-02 15:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-02 15:16 . 2008-02-02 15:16 <DIR> d--hs---- C:\FOUND.002
2008-01-29 15:59 . 2004-12-24 11:15 225,357 -ra------ C:\WINDOWS\system32\VM31bPrp.Ax
2008-01-29 15:59 . 2006-05-24 13:39 195,299 -ra------ C:\WINDOWS\system32\drivers\usbVM31b.sys
2008-01-29 15:59 . 2006-04-11 13:25 176,128 -ra------ C:\WINDOWS\amcap.exe
2008-01-29 15:59 . 2006-05-24 13:39 94,208 -ra------ C:\WINDOWS\VMCap.exe
2008-01-29 15:59 . 2006-05-24 13:39 61,440 -ra------ C:\WINDOWS\system32\VM31bSTI.dll
2008-01-29 15:59 . 2006-07-17 11:27 49,152 -ra------ C:\WINDOWS\VMSnap1.exe
2008-01-29 15:59 . 2006-07-04 14:16 49,152 -ra------ C:\WINDOWS\domino.exe
2008-01-11 21:37 . 2008-01-11 21:37 <DIR> d-------- C:\Program Files\Taobao
2008-01-09 22:06 . 2008-01-09 22:07 <DIR> d-------- C:\Program Files\TransMac
2008-01-09 21:59 . 2006-10-04 22:06 1,197,294 --------- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-01-09 21:59 . 2006-10-04 22:06 764,868 --------- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-01-09 21:59 . 2006-10-04 22:06 217,118 --------- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-01-09 21:56 . 2008-01-09 21:56 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-01-09 21:46 . 2008-01-09 21:46 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-09 20:05 . 2008-01-09 20:05 <DIR> d-------- C:\Documents and Settings\ycchen100\Application Data\Synergy Software
2008-01-09 20:05 . 2008-01-09 20:05 0 --a------ C:\WINDOWS\KGOleSrv.INI
2008-01-09 20:04 . 2008-01-09 20:04 <DIR> d-------- C:\Program Files\KaleidaGraph 4.0
2008-01-09 20:04 . 2008-01-09 20:04 <DIR> d-------- C:\Documents and Settings\All Users\「開始」
2008-01-09 20:04 . 2004-03-29 15:23 90,112 --a------ C:\WINDOWS\unvise32.exe
2008-01-06 16:28 . 2008-01-06 16:29 <DIR> d-------- C:\WINDOWS\system32\aliedit
2008-01-06 00:20 . 2008-01-06 00:20 <DIR> d-------- C:\Documents and Settings\ycchen100\Application Data\Media Player Classic
2008-01-06 00:18 . 2008-01-06 00:18 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-01-06 00:18 . 2007-09-04 17:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2008-01-06 00:18 . 2007-12-24 13:49 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-01-06 00:18 . 2007-07-10 17:10 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-01-06 00:05 . 2008-01-06 00:05 <DIR> d-------- C:\Documents and Settings\ycchen100\Application Data\skypePM
2008-01-06 00:05 . 2008-01-06 00:05 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-01-06 00:03 . 2008-01-06 00:03 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-01-05 22:50 . 2008-01-05 22:50 <DIR> d-------- C:\Program Files\Glary Utilities

.
(((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-03 07:07 6,815,744 ---ha-w C:\Documents and Settings\ycchen100\NTUSER.DAT
2008-02-03 07:07 6,815,744 ---ha-w C:\Documents and Settings\ycchen100\NTUSER.DAT
2008-02-03 02:33 --------- d-----w C:\Documents and Settings\ycchen100\Application Data\PrevxCSI
2008-01-11 13:37 --------- d-----w C:\Program Files\Taobao
2008-01-09 12:05 --------- d-----w C:\Documents and Settings\ycchen100\Application Data\Synergy Software
2008-01-05 16:20 --------- d-----w C:\Documents and Settings\ycchen100\Application Data\Media Player Classic
2008-01-05 16:05 --------- d-----w C:\Documents and Settings\ycchen100\Application Data\skypePM
2007-11-14 07:27 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-07 09:26 699,904 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 699,904 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
.

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*注意* 空白或合法的登錄值將不會顯示

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\{A08FB30D-51C4-4E54-AA5E-FF18739802EA}]
@=Mediafour Mac Volume Icons

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2006-02-20 10:10 678769]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-12-07 15:11 21777704]
"SpybotSD TeaTimer"="D:\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 20:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00 455168]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-02-10 10:55 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-02-10 10:51 118784]
"SoundMan"="SOUNDMAN.EXE" [2003-12-19 17:53 65024 C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2003-11-19 15:41 88363 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-09-26 11:01 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-09-26 11:01 503808]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"Ulead AutoDetector"="C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" [2008-02-03 11:15 45056]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 20:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 20:00 59392]
"PRONoMgr.exe"="c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2004-02-05 16:33 86016]
"MDDiskProtect.exe"="C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe" [2005-04-15 15:54 106496]
"MediafourGettingStartedWithMacDrive6"="C:\Program Files\Mediafour\MacDrive\MacDrive.exe" [2004-08-26 14:12 86016]
"Mediafour Mac Volume Notifications"="C:\Program Files\Common Files\Mediafour\MACVNTFY.exe" [2002-12-17 16:43 61440]
"SNPSTD2"="C:\WINDOWS\vsnpstd2.exe" [2004-08-30 16:37 286720]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"domino"="C:\WINDOWS\domino.exe" [2006-07-04 14:16 49152]
"VMSnap1"="C:\WINDOWS\VMSnap1.exe" [2006-07-17 11:27 49152]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-02-03 13:10 949376]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-08 01:19 15872]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2008-02-02 23:52 6731312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Panda_cleaner"="C:\WINDOWS\system32\ACTIVE~1\pavdr.exe" [2006-07-14 13:04 45056]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 20:00 15360]

C:\Documents and Settings\ycchen100\「開始」功能表\程式集\啟動\
Internet Explorer.lnk - C:\Program Files\Internet Explorer\IEXPLORE.EXE [2005-05-31 12:23:18 93184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
c:\WINDOWS\system32\LgNotify.dll 2004-03-03 16:48 110592 c:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PPENSB\win32\PPINKDLL.DLL

R0 MDPMGRNT;MDPMGRNT;C:\WINDOWS\system32\drivers\MDPMGRNT.sys [2006-04-30 22:57]
R1 MDFSYSNT;MDFSYSNT;C:\WINDOWS\system32\drivers\MDFSYSNT.sys [2006-09-14 02:53]
R1 srosa;Megadrv3;C:\WINDOWS\system32\drivers\srosa.sys [2008-02-03 11:15]
R3 EMCR;EMCR;C:\WINDOWS\system32\DRIVERS\EMCR7SK.sys [2004-05-03 14:12]
S2 VCapture;DC3410 Video Camera Device;C:\WINDOWS\system32\Drivers\VCapture.sys [2002-10-21 11:37]
S3 MD1000;GSL MD1000 Electronic Dictionary;C:\WINDOWS\system32\Drivers\MD1000.sys [2004-10-08 16:39]
S3 PAC7311;VGA USB Camera;C:\WINDOWS\system32\DRIVERS\PA707UCM.SYS [2005-10-18 11:48]
S3 snpstd2;USB PC Camera (SN9C103);C:\WINDOWS\system32\DRIVERS\snpstd2.sys [2004-10-14 17:12]
S3 USBCamera;DC3410 Still Camera Device;C:\WINDOWS\system32\Drivers\CamBulk.sys [2002-12-04 14:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-02 17:37:04 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 15:09:49
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

? [1956]
? [3968]
scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"drvsyskit"="C:\\WINDOWS\\system32\\drivers\\hldrrr.exe"
"german.exe"="C:\\WINDOWS\\system32\\wintems.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2008-02-03 15:11:06
ComboFix-quarantined-files.txt 2008-02-03 07:11:04
.
2008-02-01 01:38:53 --- E O F ---

ycchen100
2008-02-04, 13:26
OK. The following is what I found out yesterday.

1. The mdelk.exe et al. virus targets specific programs and makes them "not a valid Win32 application", mainly anti-virus programs and some useful tools, such as HijackThis.

2. To get around it, I have to download HijackThis directly from the internet and give it a different name during the download, such as HijackThis2. I can't use the installer to install a "valid" copy. So now I CAN run HijackThis and will post the log in a following link.

3. A question: what if this malicious virus is able to make ALL applications "not a valid Win32 application", even with several anti-virus programs actively running? Is this the user's fault, or should there be a quick fix for it?
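
The "not a valid Win32 application" error described in the post above is raised when the Windows image loader rejects an executable's headers. The block below is an added example (my code, not the poster's and not part of any tool in this thread) that reproduces the loader's first header checks in Python, so you can tell whether a file that refuses to launch has actually been damaged on disk or whether the error originates elsewhere. The thread does not establish which mechanism the worm uses to make the tools invalid, so the check deliberately leaves that open. The names `check_pe_header`, `check_file`, `build_minimal_pe` and `corrupt_pe_signature` are mine, and the header bytes are constructed, not taken from a real executable.

```python
"""Loader-style sanity check for a PE (Win32) executable header.

Added example, not code from the thread. Reimplements the first checks
Windows makes before it will run an image: an "MZ" DOS header, a sane
e_lfanew, the "PE\\0\\0" signature, the EXECUTABLE_IMAGE flag and a known
optional-header magic. A file that fails here is what the shell reports
as "not a valid Win32 application"; a file that passes may still be
refused for reasons this check does not cover (imports, relocations,
policy), so a pass only rules out gross header corruption.
"""
import struct
from typing import Tuple

IMAGE_DOS_SIGNATURE = 0x5A4D            # "MZ" read as little-endian uint16
IMAGE_NT_SIGNATURE = 0x00004550         # "PE\0\0" read as little-endian uint32
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
FILE_HEADER_FMT = "<HHIIIHH"            # IMAGE_FILE_HEADER: 20 bytes
FILE_HEADER_SIZE = struct.calcsize(FILE_HEADER_FMT)


def check_pe_header(data: bytes) -> Tuple[bool, str]:
    """Return (ok, reason) for the leading bytes of a file; 4 KiB is plenty."""
    if len(data) < 0x40:
        return False, "file shorter than a DOS header"
    (e_magic,) = struct.unpack_from("<H", data, 0)
    if e_magic != IMAGE_DOS_SIGNATURE:
        return False, "missing MZ signature at offset 0"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    nt_end = e_lfanew + 4 + FILE_HEADER_SIZE      # first byte of the optional header
    if nt_end + 2 > len(data):                    # need room for the optional-header magic
        return False, "e_lfanew points past the end of the data"
    (nt_sig,) = struct.unpack_from("<I", data, e_lfanew)
    if nt_sig != IMAGE_NT_SIGNATURE:
        return False, "missing PE signature at e_lfanew"
    machine, _sections, _stamp, _symtab, _nsyms, opt_size, characteristics = \
        struct.unpack_from(FILE_HEADER_FMT, data, e_lfanew + 4)
    if not characteristics & IMAGE_FILE_EXECUTABLE_IMAGE:
        return False, "IMAGE_FILE_EXECUTABLE_IMAGE flag not set"
    if opt_size < 2:
        return False, "optional header missing"
    (magic,) = struct.unpack_from("<H", data, nt_end)
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        return True, f"PE32 (machine 0x{machine:04x})"
    if magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        return True, f"PE32+ (machine 0x{machine:04x})"
    return False, f"unknown optional-header magic 0x{magic:x}"


def check_file(path: str) -> Tuple[bool, str]:
    """Run the header check against a real file, reading only its first 4 KiB."""
    with open(path, "rb") as fh:
        return check_pe_header(fh.read(4096))


def build_minimal_pe() -> bytes:
    """Constructed sample: the smallest byte string that passes check_pe_header.

    Not a runnable program: DOS header + PE signature + file header + a
    224-byte PE32 optional header with only the magic filled in.
    """
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_header = struct.pack(
        FILE_HEADER_FMT, IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 224,
        IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)
    optional_header = struct.pack("<H", IMAGE_NT_OPTIONAL_HDR32_MAGIC) + b"\x00" * 222
    return dos_header + b"PE\x00\x00" + file_header + optional_header


def corrupt_pe_signature(image: bytes) -> bytes:
    """Constructed damage: zero the 4-byte PE signature but leave the MZ stub intact."""
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    return image[:e_lfanew] + b"\x00\x00\x00\x00" + image[e_lfanew + 4:]


if __name__ == "__main__":
    good = build_minimal_pe()
    for label, blob in [
        ("intact header", good),
        ("PE signature zeroed", corrupt_pe_signature(good)),
        ("file zero-filled", b"\x00" * len(good)),
        ("file truncated", good[:0x30]),
    ]:
        print(f"{label:22s} -> {check_pe_header(blob)}")
    # Against a real file: check_file(r"C:\path\to\HiJackThis.exe")
```

Run `check_file` against the copy that fails to launch and against a freshly downloaded copy of the same tool: if the failing copy's header is intact, the problem is not a damaged file and renaming the binary (as the post describes) or a process-level block is the more likely explanation.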

ycchen100
2008-02-04, 13:28
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at afternoon 08:15:20, on 2008/2/4
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\WINDOWS\vsnpstd2.exe
C:\WINDOWS\domino.exe
C:\WINDOWS\VMSnap1.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PPENSB\Win32\ppshell.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\internet explorer\iexplore.exe
D:\ycchen\downloads\HiJackThis2.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: ThunderBHO - {06849E9E-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [MediafourGettingStartedWithMacDrive6] "C:\Program Files\Mediafour\MacDrive\MacDrive.exe" /runonce
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [domino] C:\WINDOWS\domino.exe
O4 - HKLM\..\Run: [VMSnap1] C:\WINDOWS\VMSnap1.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: 使用迅雷下載 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下載全部鏈接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: 運行迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: 運行迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://WWW.BenQ.COM/
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E0DFFCF-27FF-4574-849B-55007349FEDA} (iTrusPTA Class) - https://img.alipay.com/download/1101/aliedit.cab
O16 - DPF: {272B8D21-5304-4529-BD3D-1CF392342F7D} (ICBC XCsp) - https://netbank.megabank.com.tw/natm/ICBCNetATM.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/cabs/ascstubie.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172239528665
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E8875A6-1C0A-44D8-BE56-9D49FD620A97}: NameServer = 139.175.55.244 139.175.252.16
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PPENSB\win32\PPINKDLL.DLL
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\ISO Recorder\ImapiHelper.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9510 bytes

ycchen100
2008-02-05, 07:24
Not much progress. But I also managed to get IceSword working. Because I can only download the zip file, I have to be "careful" to produce an IceSword2 to avoid it becoming "not a valid Win32 application". Basically, I purposely unzip the application to overwrite the invalid one, and when the prompt pops up, I can rename it as IceSword2. I will post the required logs in the following links.

1. I also found a malicious file named ban_list.txt in the system32 folder. This one keeps coming back after removal.

2. While running IceSword, I did find wintems.exe and \drivers\hldrrr.exe in the processes, but they are not to be found in the system32 folder. The wintems.exe may be disguised under the name mdelk.exe. No wonder it always reports "not found" when I want to delete mdelk.exe.

ycchen100
2008-02-05, 07:25
Process:

System Idle Process
System
C:\PPENSB\Win32\PPSHELL.EXE
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\System32\SMSS.EXE
C:\WINDOWS\System32\CSRSS.EXE
C:\WINDOWS\System32\WINLOGON.EXE
C:\WINDOWS\System32\SERVICES.EXE
C:\WINDOWS\System32\LSASS.EXE
C:\WINDOWS\System32\SVCHOST.EXE
C:\WINDOWS\System32\SVCHOST.EXE
C:\WINDOWS\System32\SVCHOST.EXE
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\SVCHOST.EXE
D:\ycchen\downloads\IceSword122en\IceSword2.exe
C:\WINDOWS\System32\SVCHOST.EXE
C:\WINDOWS\System32\SPOOLSV.EXE
C:\WINDOWS\System32\ZCfgSvc.exe
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\IGFXTRAY.EXE
C:\WINDOWS\System32\HKCMD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\WINDOWS\VSNPSTD2.EXE
C:\WINDOWS\DOMINO.EXE
C:\WINDOWS\VMSnap1.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\System32\CTFMON.EXE
C:\WINDOWS\System32\DRIVERS\HLDRRR.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\SVCHOST.EXE
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\wintems.exe

ycchen100
2008-02-05, 07:26
Started Service:

Service Name:AudioSrv Display Name:Windows Audio
Service Name:BITS Display Name:Background Intelligent Transfer Service
Service Name:CryptSvc Display Name:Cryptographic Services
Service Name:DcomLaunch Display Name:DCOM Server Process Launcher
Service Name:Dhcp Display Name:DHCP Client
Service Name:Dnscache Display Name:DNS Client
Service Name:ERSvc Display Name:Error Reporting Service
Service Name:Eventlog Display Name:Event Log
Service Name:EventSystem Display Name:COM+ Event System
Service Name:FastUserSwitchingCompatibility Display Name:Fast User Switching Compatibility
Service Name:gusvc Display Name:Google Updater Service
Service Name:helpsvc Display Name:Help and Support
Service Name:HidServ Display Name:HID Input Service
Service Name:lanmanserver Display Name:Server
Service Name:lanmanworkstation Display Name:Workstation
Service Name:LmHosts Display Name:TCP/IP NetBIOS Helper
Service Name:Netman Display Name:Network Connections
Service Name:Nla Display Name:Network Location Awareness (NLA)
Service Name:PlugPlay Display Name:Plug and Play
Service Name:PolicyAgent Display Name:IPSEC Services
Service Name:ProtectedStorage Display Name:Protected Storage
Service Name:RasMan Display Name:Remote Access Connection Manager
Service Name:RegSrvc Display Name:RegSrvc
Service Name:RpcSs Display Name:Remote Procedure Call (RPC)
Service Name:S24EventMonitor Display Name:Spectrum24 Event Monitor
Service Name:SamSs Display Name:Security Accounts Manager
Service Name:Schedule Display Name:Task Scheduler
Service Name:seclogon Display Name:Secondary Logon
Service Name:SENS Display Name:System Event Notification
Service Name:ShellHWDetection Display Name:Shell Hardware Detection
Service Name:Spooler Display Name:Print Spooler
Service Name:srservice Display Name:System Restore Service
Service Name:SSDPSRV Display Name:SSDP Discovery Service
Service Name:STI Simulator Display Name:STI Simulator
Service Name:stisvc Display Name:Windows Image Acquisition (WIA)
Service Name:TabletService Display Name:TabletService
Service Name:TapiSrv Display Name:Telephony
Service Name:TermService Display Name:Terminal Services
Service Name:Themes Display Name:Themes
Service Name:TrkWks Display Name:Distributed Link Tracking Client
Service Name:UleadBurningHelper Display Name:Ulead Burning Helper
Service Name:W32Time Display Name:Windows Time
Service Name:WebClient Display Name:WebClient
Service Name:winmgmt Display Name:Windows Management Instrumentation
Service Name:WZCSVC Display Name:Wireless Zero Configuration

ycchen100
2008-02-05, 07:28
Startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IMJPMIG8.1
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PHIME2002ASync
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PHIME2002A
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IgfxTray
C:\WINDOWS\system32\igfxtray.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HotKeysCmds
C:\WINDOWS\system32\hkcmd.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SoundMan
SOUNDMAN.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AGRSMMSG
AGRSMMSG.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SynTPLpr
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SynTPEnh
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NeroFilterCheck
C:\WINDOWS\system32\NeroCheck.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RemoteControl
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Ulead AutoDetector
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IMEKRMIG6.1
C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSPY2002
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PRONoMgr.exe
c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MDDiskProtect.exe
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MediafourGettingStartedWithMacDrive6
"C:\Program Files\Mediafour\MacDrive\MacDrive.exe" /runonce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Mediafour Mac Volume Notifications
"C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SNPSTD2
C:\WINDOWS\vsnpstd2.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adobe Reader Speed Launcher
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Defender
"C:\Program Files\Windows Defender\MSASCui.exe" -hide

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SunJavaUpdateSched
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
domino
C:\WINDOWS\domino.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
VMSnap1
C:\WINDOWS\VMSnap1.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nod32kui
"C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
UnlockerAssistant
"C:\Program Files\Unlocker\UnlockerAssistant.exe" -H

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
KernelFaultCheck
%systemroot%\system32\dumprep 0 -k

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
!AVG Anti-Spyware
"C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
swg
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Skype
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
drvsyskit
C:\WINDOWS\system32\drivers\hldrrr.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
german.exe
C:\WINDOWS\system32\wintems.exe

C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動
desktop.ini


C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動
蒙恬快速啟動.lnk
C:\PPENSB\Win32\PPSHELL.exe (Remark:)

C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動
TabUserW.exe.lnk
C:\WINDOWS\system32\Wtablet\TabUserW.exe (Remark:)

C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動
Google 更新器.lnk
C:\Program Files\Google\Google Updater\GoogleUpdater.exe (Remark: Google Updater)

C:\Documents and Settings\ycchen100\「開始」功能表\程式集\啟動
desktop.ini


C:\Documents and Settings\ycchen100\「開始」功能表\程式集\啟動
Internet Explorer.lnk
C:\Program Files\Internet Explorer\IEXPLORE.EXE (Remark: Finds and displays information and websites on the Internet.)

ycchen100
2008-02-05, 07:35
1. I didn't find any red entries during the IceSword scan. The wintems.exe process appeared while I did the IceSword scan. I can terminate this process easily from Task Manager.

2. Somehow I am not able to save the log file for the SSDT scan. But I found out that all the entries are pointing to the same Kmodule name, which is windows\system32\ntkrnlpa.exe. I found this file in the system32 folder.

OK. This is pretty much all I guess I can do before I start to remove the virus myself, based on other similar threads in this forum.

ycchen100
2008-02-06, 06:47
Although I cannot do the Kaspersky online scan because the update process FAILED, I can do TotalScan. The report is as follows:

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-02-06 13:40:39
PROTECTIONS: 2
MALWARE: 6
SUSPECTS: 8
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
NOD32 Antivirus 2.70.32 No No
Windows Defender 1.1.3109.0 No No
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00047872 W32/Bagle.BA.worm Virus/Worm No 0 Yes No C:\WINDOWS\SYSTEM32\DRIVERS\DOWN\A.BAT
00263780 w32/bagle.hx.worm Virus/Worm No 1 Yes No hkey_current_user\software\datetime4
00263780 w32/bagle.hx.worm Virus/Worm No 1 Yes No c:\windows\system32\wintems.exe
02890982 W32/Bagle.QV.worm Virus/Worm No 0 Yes No C:\WINDOWS\SYSTEM32\DRIVERS\DOWN\14806801.EXE
02893167 W32/Bagle.RC.worm Virus/Worm No 0 Yes No C:\WINDOWS\SYSTEM32\DRIVERS\DOWN\14857413.EXE
02893167 W32/Bagle.RC.worm Virus/Worm No 0 Yes No C:\Documents and Settings\ycchen100 Local Settings\Temporary Internet Files\Content.IE5\86IQAPYI\b64_1[1].jpg
02893167 W32/Bagle.RC.worm Virus/Worm No 0 Yes No C:\WINDOWS\SYSTEM32\DRIVERS\DOWN\145138.EXE
02895391 W32/Bagle.RC.worm Virus/Worm No 0 Yes No C:\WINDOWS\SYSTEM32\DRIVERS\DOWN\179428.EXE
02895391 W32/Bagle.RC.worm Virus/Worm No 0 Yes No C:\Documents and Settings\ycchen100 Local Settings\Temporary Internet Files\Content.IE5\N8ECWR51\b64_31[1].jpg
02895391 W32/Bagle.RC.worm Virus/Worm No 0 Yes No C:\WINDOWS\SYSTEM32\MDELK.EXE
02895391 W32/Bagle.RC.worm Virus/Worm Yes 1 Yes No C:\WINDOWS\SYSTEM32\WINTEMS.EXE
02895391 W32/Bagle.RC.worm Virus/Worm No 0 Yes No C:\WINDOWS\SYSTEM32\DRIVERS\DOWN\14895198.EXE
;===================================================================================================================================================================================
SUSPECTS
Location
;===================================================================================================================================================================================
C:\WINDOWS\SYSTEM32\DLLCACHE\NTKRNLPA.EXE
C:\WINDOWS\Driver Cache\I386\NTKRNLPA.EXE
C:\WINDOWS\$HF_MIG$\KB890859\SP2QFE\NTKRNLPA.EXE
C:\WINDOWS\$HF_MIG$\KB929338\SP2QFE\NTKRNLPA.EXE
C:\WINDOWS\$HF_MIG$\KB931784\SP2QFE\NTKRNLPA.EXE
C:\WINDOWS\$NtUninstallKB890859$\NTKRNLPA.EXE
C:\WINDOWS\$NtUninstallKB929338$\NTKRNLPA.EXE
C:\WINDOWS\$NtUninstallKB931784$\NTKRNLPA.EXE
;===================================================================================================================================================================================

ycchen100
2008-02-06, 07:01
OK. The TotalScan tells a clear story: the problem is related to system32\mdelk.exe, system32\wintems.exe and the folder \system32\drivers\down.

However, I can only see the file system32\mdelk.exe, not the other two. And I am not able to delete mdelk.exe. So I'm pretty much stuck again.

Is there a fix for this virus, and a solution for the "not a valid Win32 application" issue?
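
The TotalScan report and the earlier DSS, HijackThis and IceSword dumps between them name a small, consistent set of artifacts (wintems.exe, mdelk.exe, drivers\hldrrr.exe, the srosa.sys driver, the drivers\down folder, ban_list.txt and the HKCU\Software\DateTime4 key, plus the HKCU Run value names drvsyskit and german.exe). The block below is an added example (my code, not anything from this thread or from the tools used in it) that parses the line formats those tools produce and flags any line touching one of those indicators, so a log like the ones posted above can be triaged mechanically instead of by eye. The indicator list is taken only from the scan output in this thread; `parse_line` and `scan_log_lines` are my names, and `SAMPLE_LOG` is a constructed sample assembled from lines in the posts above.

```python
"""Triage autostart, driver and process lines from HijackThis, DSS and
IceSword dumps against the indicators the TotalScan report in this thread
tied to W32/Bagle. Added example, not the thread's own tooling; nothing is
assumed about the worm beyond what the posted logs show.
"""
import re
from typing import List, Optional, Tuple

# Paths and registry keys the scans above attributed to the infection,
# lower-cased and matched as substrings of the normalised path.
BAGLE_IOCS = (
    "system32\\wintems.exe",
    "system32\\mdelk.exe",
    "system32\\drivers\\hldrrr.exe",
    "system32\\drivers\\srosa.sys",
    "system32\\drivers\\down\\",
    "system32\\ban_list.txt",
    "software\\datetime4",
)
# Value names the worm used under HKCU\...\Run in the dumps above.
BAGLE_RUN_NAMES = {"drvsyskit", "german.exe"}

LINE_PATTERNS = (
    # DSS / ComboFix registry dump:   "Name"="C:\path\file.exe" [date size]
    re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"'),
    # HijackThis autostart line:      O4 - HKLM\..\Run: [Name] "C:\path\file.exe" -switch
    re.compile(r'^O4 - [^:]+: \[(?P<name>[^\]]+)\] (?P<path>.+)$'),
    # DSS driver/service line:        R1 name;display name;C:\path\file.sys [date]
    re.compile(r'^[RS]\d (?P<name>[^;]+);[^;]*;(?P<path>[^\[]+)'),
    # IceSword process list:          C:\path\file.exe
    re.compile(r'^(?P<path>[A-Za-z]:\\.+)$'),
)


def _normalise(raw: str) -> str:
    """Strip quotes, HijackThis user suffixes and trailing switches; unescape; lower-case."""
    path = raw.strip().strip('"')
    path = re.sub(r"\s+\(User '[^']*'\)$", "", path)        # ... (User 'SYSTEM')
    path = re.split(r'"?\s+[/-]\S', path, maxsplit=1)[0]     # ... /SYNC, -hide
    return path.strip('"').replace("\\\\", "\\").lower()     # DSS doubles backslashes in the HKCU dump


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (value name, normalised path) for a recognised log line, else None."""
    line = line.strip()
    for pattern in LINE_PATTERNS:
        match = pattern.match(line)
        if match:
            fields = match.groupdict()
            return fields.get("name", ""), _normalise(fields["path"])
    return None


def scan_log_lines(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (original line, reason) for every line that hits an indicator."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        name, path = parsed
        reasons = [f"path contains '{ioc}'" for ioc in BAGLE_IOCS if ioc in path]
        if name.lower() in BAGLE_RUN_NAMES:
            reasons.append(f"Run value name '{name}' is a Bagle autostart name")
        if reasons:
            hits.append((line.strip(), "; ".join(reasons)))
    return hits


# Constructed sample: lines lifted from the DSS, HijackThis and IceSword posts above.
SAMPLE_LOG = r'''
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-02-10 10:55 155648]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-02-03 13:10 949376]
"drvsyskit"="C:\\WINDOWS\\system32\\drivers\\hldrrr.exe"
"german.exe"="C:\\WINDOWS\\system32\\wintems.exe"
R1 srosa;Megadrv3;C:\WINDOWS\system32\drivers\srosa.sys [2008-02-03 11:15]
R1 MDFSYSNT;MDFSYSNT;C:\WINDOWS\system32\drivers\MDFSYSNT.sys [2006-09-14 02:53]
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
C:\WINDOWS\System32\DRIVERS\HLDRRR.EXE
C:\WINDOWS\System32\wintems.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
'''.strip().splitlines()


if __name__ == "__main__":
    for hit_line, why in scan_log_lines(SAMPLE_LOG):
        print(f"HIT  {hit_line}\n     {why}")
```

Feed it a whole saved log (`scan_log_lines(open(path, encoding="utf-8", errors="replace").read().splitlines())`) and every autostart value, driver entry and process path that touches one of the listed artifacts comes back with the reason; lines in formats the four patterns do not recognise are ignored rather than guessed at, and the switch-stripping in `_normalise` assumes switches follow a space, so a path containing " -" or " /" inside a folder name would be cut short.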

Blade81
2008-02-08, 20:20
Hi

Remove old ComboFix.exe file and download Combo-Fix.exe (http://download.bleepingcomputer.com/sUBs/Combo-Fix.exe) to your desktop. Run it and post the log it produces.

ycchen100
2008-02-09, 03:25
Hi Blade81,

Thanks for offering your help. I had already done some cleanup yesterday using IceSword, targeting the malicious files/registry entries named in other similar threads in this forum.

It appears to me that the mdelk.exe file does not appear any more, but I am not sure whether the PC is now really virus-free. So I did the Combo-Fix scan, and the log will be posted in a following link.

ycchen100
2008-02-09, 03:26
ComboFix 08-01-30.1 - ycchen100 2008-02-09 9:57:18.2 - FAT32x86
Running from: C:\Documents and Settings\ycchen100\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((( Files Created from 2008-01-09 - 2008-02-09 )))))))))))))))))))))))))))))))))
.

2008-02-09 09:00 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\ceesgmrosgcy.sys
2008-02-09 08:55 . 2008-02-09 08:55 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-02-05 20:48 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-05 14:41 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\rtpjckmnvjny.sys
2008-02-04 20:01 . 2008-02-09 08:55 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-03 19:03 . 2008-02-03 19:03 <DIR> d-------- C:\Program Files\Panda Security
2008-02-03 15:06 . 2000-08-31 08:00 98,816 --a------ C:\WINDOWS\system32\sed.exe
2008-02-03 15:06 . 2000-08-31 08:00 80,412 --a------ C:\WINDOWS\system32\grep.exe
2008-02-03 15:06 . 2000-08-31 08:00 73,728 --a------ C:\WINDOWS\system32\fdsv.exe
2008-02-03 15:06 . 2000-08-31 08:00 68,096 --a------ C:\WINDOWS\system32\zip.exe
2008-02-03 11:41 . 2008-02-03 11:41 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-03 11:41 . 2008-02-03 11:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-03 10:33 . 2008-02-03 10:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-02-03 10:32 . 2008-02-03 10:33 <DIR> d-------- C:\Documents and Settings\ycchen100\Application Data\PrevxCSI
2008-02-03 10:17 . 2008-02-03 10:17 <DIR> d--hs---- C:\FOUND.003
2008-02-02 20:29 . 2008-02-02 20:29 <DIR> d--h----- C:\WINDOWS\PIF
2008-02-02 20:09 . 2008-02-02 20:08 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-02-02 20:09 . 2008-02-02 20:08 298,104 --a------ C:\WINDOWS\system32\imon.dll
2008-02-02 20:09 . 2008-02-02 20:07 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2008-02-02 15:29 . 2006-09-06 00:03 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-02 15:25 . 2008-02-02 15:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-02 15:16 . 2008-02-02 15:16 <DIR> d--hs---- C:\FOUND.002
2008-01-29 15:59 . 2004-12-24 11:15 225,357 -ra------ C:\WINDOWS\system32\VM31bPrp.Ax
2008-01-29 15:59 . 2006-05-24 13:39 195,299 -ra------ C:\WINDOWS\system32\drivers\usbVM31b.sys
2008-01-29 15:59 . 2006-04-11 13:25 176,128 -ra------ C:\WINDOWS\amcap.exe
2008-01-29 15:59 . 2006-05-24 13:39 94,208 -ra------ C:\WINDOWS\VMCap.exe
2008-01-29 15:59 . 2006-05-24 13:39 61,440 -ra------ C:\WINDOWS\system32\VM31bSTI.dll
2008-01-29 15:59 . 2006-07-17 11:27 49,152 -ra------ C:\WINDOWS\VMSnap1.exe
2008-01-29 15:59 . 2006-07-04 14:16 49,152 -ra------ C:\WINDOWS\domino.exe
2008-01-11 21:37 . 2008-01-11 21:37 <DIR> d-------- C:\Program Files\Taobao
2008-01-09 22:06 . 2008-01-09 22:07 <DIR> d-------- C:\Program Files\TransMac
2008-01-09 21:59 . 2006-10-04 22:06 1,197,294 --------- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-01-09 21:59 . 2006-10-04 22:06 764,868 --------- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-01-09 21:59 . 2006-10-04 22:06 217,118 --------- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-01-09 21:56 . 2008-01-09 21:56 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-01-09 21:46 . 2008-01-09 21:46 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-09 20:05 . 2008-01-09 20:05 <DIR> d-------- C:\Documents and Settings\ycchen100\Application Data\Synergy Software
2008-01-09 20:05 . 2008-01-09 20:05 0 --a------ C:\WINDOWS\KGOleSrv.INI
2008-01-09 20:04 . 2008-01-09 20:04 <DIR> d-------- C:\Program Files\KaleidaGraph 4.0
2008-01-09 20:04 . 2008-01-09 20:04 <DIR> d-------- C:\Documents and Settings\All Users\start
2008-01-09 20:04 . 2004-03-29 15:23 90,112 --a------ C:\WINDOWS\unvise32.exe

.
(((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-09 01:59 6,815,744 ---ha-w C:\Documents and Settings\ycchen100\NTUSER.DAT
2008-02-09 01:59 6,815,744 ---ha-w C:\Documents and Settings\ycchen100\NTUSER.DAT
2008-02-03 02:33 --------- d-----w C:\Documents and Settings\ycchen100\Application Data\PrevxCSI
2008-01-11 13:37 --------- d-----w C:\Program Files\Taobao
2008-01-09 12:05 --------- d-----w C:\Documents and Settings\ycchen100\Application Data\Synergy Software
2008-01-05 16:20 --------- d-----w C:\Documents and Settings\ycchen100\Application Data\Media Player Classic
2008-01-05 16:18 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-01-05 16:05 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-01-05 16:05 --------- d-----w C:\Documents and Settings\ycchen100\Application Data\skypePM
2008-01-05 16:03 --------- d-----w C:\Program Files\Common Files\Skype
2008-01-05 14:50 --------- d-----w C:\Program Files\Glary Utilities
2007-12-24 05:49 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2007-11-14 07:27 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll
.

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\{A08FB30D-51C4-4E54-AA5E-FF18739802EA}]
@=Mediafour Mac Volume Icons

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-12-07 15:11 21777704]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 20:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00 455168]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-02-10 10:55 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-02-10 10:51 118784]
"SoundMan"="SOUNDMAN.EXE" [2003-12-19 17:53 65024 C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2003-11-19 15:41 88363 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-09-26 11:01 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-09-26 11:01 503808]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"Ulead AutoDetector"="C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" [2008-02-08 19:16 45056]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 20:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 20:00 59392]
"PRONoMgr.exe"="c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2004-02-05 16:33 86016]
"MDDiskProtect.exe"="C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe" [2005-04-15 15:54 106496]
"MediafourGettingStartedWithMacDrive6"="C:\Program Files\Mediafour\MacDrive\MacDrive.exe" [2004-08-26 14:12 86016]
"Mediafour Mac Volume Notifications"="C:\Program Files\Common Files\Mediafour\MACVNTFY.exe" [2002-12-17 16:43 61440]
"SNPSTD2"="C:\WINDOWS\vsnpstd2.exe" [2004-08-30 16:37 286720]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"domino"="C:\WINDOWS\domino.exe" [2006-07-04 14:16 49152]
"VMSnap1"="C:\WINDOWS\VMSnap1.exe" [2006-07-17 11:27 49152]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-02-08 19:11 949376]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-08 01:19 15872]
"!AVG Anti-Spyware"="C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 17:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 20:00 15360]

C:\Documents and Settings\ycchen100\Start Menu\Programs\Startup\
Internet Explorer.lnk - C:\Program Files\Internet Explorer\IEXPLORE.EXE [2005-05-31 12:23:18 93184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
c:\WINDOWS\system32\LgNotify.dll 2004-03-03 16:48 110592 c:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PPENSB\win32\PPINKDLL.DLL

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"


.
Contents of the 'Scheduled Tasks' folder
"2008-02-07 18:28:02 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-09 10:01:17
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program Files\Eset\pr_imon.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\Unlocker\UnlockerHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\domino.exe
C:\WINDOWS\VMSnap1.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PPENSB\Win32\ppshell.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-02-09 10:02:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-09 02:02:40
ComboFix2.txt 2008-02-03 07:11:08
.
2008-02-01 01:38:53 --- E O F ---

Blade81
2008-02-09, 16:22
Hi

Upload the following files to http://virusscan.jotti.org and post back the results:
C:\WINDOWS\system32\drivers\ceesgmrosgcy.sys
C:\WINDOWS\system32\drivers\rtpjckmnvjny.sys
C:\WINDOWS\system32\sed.exe
C:\WINDOWS\system32\zip.exe


Please download SafeBootKeyRepair.exe by sUBs to repair Safe Mode.
Download HERE (http://www.techsupportforum.com/sectools/sUBs/SafeBootKeyRepair.exe)
To run SafeBootKeyRepair.exe:
1. Close all programs/windows so that you have nothing open and are at your Desktop.
2. Double-click the SafeBootKeyRepair.exe file.
When finished, it shall produce a log for you.
3. Post the entire contents of C:\SafeBoot_Repair.txt in your next reply. Post also a fresh hjt log.

ycchen100
2008-02-10, 07:21
Hi,

I have uploaded the four files to the given webpage for scanning. The scan appears normal. Details are as follows:

File: ceesgmrosgcy.sys
Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: d7dbfbc453b645111e6d21142305e80b
Packers detected: -
Bit9 reports: File not found


File: rtpjckmnvjny.sys
Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: d7dbfbc453b645111e6d21142305e80b
Packers detected: -
Bit9 reports: File not found


File: sed.exe
Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 2b657a67aebb84aea5632c53e61e23bf
Packers detected: -
Bit9 reports: No threat detected (more info)

File: zip.exe
Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 5e832f4faf5f481f2eaf3b3a48f603b8
Packers detected: -
Bit9 reports: No threat detected (more info)


I have since re-installed Spybot-SD, AVG Free, and AVG AV. All are working ok. Windows Defender works ok as well. It appears to me that the PC is functioning ok again. This is all thanks to the information available in this forum and the help from the experts. I will post the SafeBoot_Repair and HJT log in the following links.

ycchen100
2008-02-10, 07:23
Reg export of SafeBoot key after repair:
========================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AVG Anti-Spyware Driver]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AVG Anti-Spyware Guard]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AVG Anti-Spyware Driver]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AVG Anti-Spyware Guard]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Browser]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Dhcp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DnsCache]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ip6fw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ipnat.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanServer]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LmHosts]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Messenger]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS Wrapper]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Ndisuio]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOS]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOSGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBT]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetDDEGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetMan]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Network]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetworkProvider]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NtLmSsp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP_TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpcdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpwd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdsessmgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SharedAccess]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Streams Drivers]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdpipe.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdtcp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\termservice]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

========================

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\PSEXESVC

ycchen100
2008-02-10, 07:24
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 下午 02:11:32, on 2008/2/10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\domino.exe
C:\WINDOWS\VMSnap1.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PPENSB\Win32\ppshell.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\conime.exe
C:\Documents and Settings\ycchen100\Desktop\HiJackThis2.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: ThunderBHO - {06849E9E-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [MediafourGettingStartedWithMacDrive6] "C:\Program Files\Mediafour\MacDrive\MacDrive.exe" /runonce
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [domino] C:\WINDOWS\domino.exe
O4 - HKLM\..\Run: [VMSnap1] C:\WINDOWS\VMSnap1.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [foxy] "C:\Program Files\Foxy\Foxy.exe" -tray
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Foxy 下載 - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy 搜尋 - res://C:\Program Files\Foxy\Foxy.exe/search.htm
O8 - Extra context menu item: 使用迅雷下載 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下載全部鏈接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: 運行迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: 運行迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://WWW.BenQ.COM/
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E0DFFCF-27FF-4574-849B-55007349FEDA} (iTrusPTA Class) - https://img.alipay.com/download/1101/aliedit.cab
O16 - DPF: {272B8D21-5304-4529-BD3D-1CF392342F7D} (ICBC XCsp) - https://netbank.megabank.com.tw/natm/ICBCNetATM.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/cabs/ascstubie.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172239528665
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E8875A6-1C0A-44D8-BE56-9D49FD620A97}: NameServer = 139.175.55.244 139.175.252.16
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PPENSB\win32\PPINKDLL.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\ISO Recorder\ImapiHelper.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 10975 bytes

Blade81
2008-02-10, 14:07
Hi

Do you also have Nod32 installed? If you do, then you have to decide between AVG and Nod32 which one you want to keep. It's not recommended to have more than one antivirus product installed in the same system.



Well congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points, which are likely to be infected. Please note you need Administrator Access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis



Next we remove all used tools.

Please download OTMoveIt2 (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) and save it to desktop.

Double-click OTMoveIt2.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, please allow it to do so.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 4 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says
The J2SE Runtime Environment (JRE) allows end-users to run Java applications.

Click the Download button to the right.
Select Windows in the Platform combobox and check the box that says:
Accept License Agreement. Click Continue.

The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.


UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free): Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Download Adaware
Adaware is a free program. It scans for known spyware on your computer. These scans should be run at least once every two weeks. For more information, see this tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=48)
The program is available for download here (http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10319876.html?tag=lst-0-1)
Download SpywareBlaster
SpywareBlaster is a program that stops known malicious ActiveX controls from installing on your computer. It works by changing settings in your registry. It makes "kill bits" in the registry, so that certain ActiveX controls can't install.
If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster here (http://majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef)
SpywareBlaster tutorial (http://www.bleepingcomputer.com/forums/tutorial49.html)

Download iespyad
It puts many bad webpages on your restricted zones list. This means that you can still view the "bad" webpages, but the webpages cannot do certain things (such as use javascripts and cookies).
If you need help understanding how it works, there is a tutorial here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
Download it here (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe)

hosts file:
Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button (at the lower left hand corner of your screen).
Click Run.
In the dialog box, type services.msc and hit Enter, then locate DNS Client.
Highlight it, then double-click it.
In the dropdown box, change the setting from Automatic to Manual.
Click OK.


Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
See here (http://www.freebyte.com/antivirus/#firewalls) to choose one



Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Run the spybot and adaware regularly. (Once or twice a week minimum.)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
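The Custom Level changes in the post above can be verified without clicking through the dialog, because each setting is a DWORD under the Internet zone key in the registry. The PowerShell below is an added example, not code from Blade81's post or from this forum; it assumes the standard Internet Explorer zone layout (Zones\3 is the Internet zone, value names 1001/1004/1201/1607/1800/1804, and 0 = Enable, 1 = Prompt, 3 = Disable), and its -Fix switch is a hypothetical option that writes the values the post recommends.

```powershell
# Added example (not from the thread): audit the Internet zone settings that the
# "Custom Level" steps change, by reading the registry instead of the GUI.
# Assumed mapping (standard IE zone layout): 0 = Enable, 1 = Prompt, 3 = Disable.
# Caveat: if the Security_HKLM_only policy is set, the HKLM copy of this key wins.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Setting as shown in the dialog -> registry value name, value recommended in the post
$Recommended = @{
    'Download signed ActiveX controls'                          = @('1001', 1)
    'Download unsigned ActiveX controls'                        = @('1004', 3)
    'Initialize and script ActiveX controls not marked as safe' = @('1201', 3)
    'Installation of desktop items'                             = @('1800', 1)
    'Launching programs and files in an IFRAME'                 = @('1804', 1)
    'Navigate sub-frames across different domains'              = @('1607', 1)
}
$Label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-InternetZoneHardening {
    # Reports every setting; with -Fix (hypothetical switch) it also writes the recommended value.
    param([switch]$Fix)
    $props = Get-ItemProperty -Path $ZonePath -ErrorAction Stop
    foreach ($setting in $Recommended.Keys) {
        $valueName, $want = $Recommended[$setting]
        $have = $props.$valueName          # $null when the value is absent from HKCU
        if ($null -eq $have) {
            $haveLabel = 'not set'
        } elseif ($Label.ContainsKey([int]$have)) {
            $haveLabel = $Label[[int]$have]
        } else {
            $haveLabel = "unknown ($have)"
        }
        $ok = ($null -ne $have) -and ([int]$have -eq $want)
        if (-not $ok -and $Fix) {
            # Write the DWORD the post asks for; only reached when the user opts in with -Fix
            Set-ItemProperty -Path $ZonePath -Name $valueName -Value $want -Type DWord
        }
        New-Object PSObject -Property @{
            Setting     = $setting
            Current     = $haveLabel
            Recommended = $Label[$want]
            Compliant   = $ok
        }
    }
}

# Report only; run 'Test-InternetZoneHardening -Fix' to apply the post's recommendations.
Test-InternetZoneHardening | Format-Table Setting, Current, Recommended, Compliant -AutoSize
```

Rows marked Compliant = False are the settings still left at a weaker level than the post asks for; "not set" means HKCU carries no explicit value, so the zone template default applies and should be checked in the dialog.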

ycchen100
2008-02-11, 17:51
Hi,

Thanks for your help and reminders. The PC is up and running for the last few days. Everything appears normal as before. I will take your advice to secure the PC accordingly.

All the best,

Blade81
2008-02-11, 18:00
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.