not a valid Win32 application

Y

ycchen100

New member
Dear All,

I think i really need some advice. Never had a problem like this before.

Well, I can't run HiJackThis because of "not a valid Win32 application". In fact, all the anti-virus programs became invalid in a similar way in my PC. On start up the windows defender complaints that the service is stopped. I want to activate the service in the control panel. It reports an error 1053. Not able to boot in a safe mode. But I can still go online with this PC. But I know it is not unprotected.

I suspect this has to do with the Mdelk.exe existed in the windows\ssytem32 folder. However, after reading sevaral similar threads in this forum, i found not much help as I couldn't locate the following files/folder in the system32 folder wintems.exe, \drivers\hldrrr.exe, mdelk.pif, \drivers\down, drivers\srosa.sys, ...

I can do DSS. will post the DSS reports in a following link.
 
DSS scan main.txt

Deckard's System Scanner v20071014.68
Run by ycchen100 on 2008-02-03 12:18:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 0.71 GiB (less than 15%) free.


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-02-03 12:20:03
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\WINDOWS\vsnpstd2.exe
C:\WINDOWS\domino.exe
C:\WINDOWS\VMSnap1.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PPENSB\Win32\PPSHELL.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
D:\ycchen\downloads\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 連結
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://WWW.BenQ.COM/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: ThunderBHO - {06849E9E-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar3.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [MediafourGettingStartedWithMacDrive6] "C:\Program Files\Mediafour\MacDrive\MacDrive.exe" /runonce
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [domino] C:\WINDOWS\domino.exe
O4 - HKLM\..\Run: [VMSnap1] C:\WINDOWS\VMSnap1.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Internet Explorer.lnk = C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - Global Startup: 蒙恬快速啟動.lnk = C:\PPENSB\Win32\ppshell.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O4 - Global Startup: Google 更新器.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: 使用迅雷下載 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下載全部鏈接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: 運行迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: 運行迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E0DFFCF-27FF-4574-849B-55007349FEDA} (iTrusPTA Class) - https://img.alipay.com/download/1101/aliedit.cab
O16 - DPF: {272B8D21-5304-4529-BD3D-1CF392342F7D} (ICBC XCsp) - https://netbank.megabank.com.tw/natm/ICBCNetATM.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172239528665
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{9E8875A6-1C0A-44D8-BE56-9D49FD620A97}: NameServer = 139.175.55.244 139.175.252.16
O18 - Protocol: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - C:\WINDOWS\wc98pp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O20 - AppInit_DLLs: C:\PPENSB\win32\PPINKDLL.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\ISO Recorder\ImapiHelper.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\ESET\nod32krn.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\system32\PAStiSvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


--
End of file - 11631 bytes
 
DSS scan main.txt-2

-- Files created between 2008-01-03 and 2008-02-03 -----------------------------

2008-02-03 11:41:44 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-03 11:41:40 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-03 11:41:35 0 d-------- C:\WINDOWS\LastGood
2008-02-03 10:33:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-02-03 10:32:58 0 d-------- C:\Documents and Settings\ycchen100\Application Data\PrevxCSI
2008-02-03 10:17:58 0 d--hs---- C:\FOUND.003
2008-02-02 20:29:01 0 d--h----- C:\WINDOWS\PIF
2008-02-02 20:09:03 298104 --a------ C:\WINDOWS\system32\imon.dll <Not Verified; Eset; NOD32 Antivirus System>
2008-02-02 19:49:33 71172 --a------ C:\WINDOWS\system32\mdelk.exe
2008-02-02 16:42:00 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; PandaR Antivirus>
2008-02-02 15:25:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-02 15:16:40 0 d--hs---- C:\FOUND.002
2008-01-29 15:59:12 49152 -ra------ C:\WINDOWS\VMSnap1.exe <Not Verified; Vimicro; BIGDOG>
2008-01-29 15:59:12 49152 -ra------ C:\WINDOWS\domino.exe <Not Verified; ; Domino>
2008-01-29 15:59:11 94208 -ra------ C:\WINDOWS\VMCap.exe <Not Verified; www.zsmc.com.cn; www.zsmc.com.cn StillCap>
2008-01-29 15:59:11 176128 -ra------ C:\WINDOWS\amcap.exe <Not Verified; Microsoft Corporation; DirectX 9.0 Sample>
2008-01-29 15:59:10 61440 -ra------ C:\WINDOWS\system32\VM31bSTI.dll <Not Verified; VM; >
2008-01-29 15:59:09 195299 -ra------ C:\WINDOWS\system32\drivers\usbVM31b.sys <Not Verified; VM; >
2008-01-11 21:37:32 0 d-------- C:\Program Files\Taobao
2008-01-09 22:06:58 0 d-------- C:\Program Files\TransMac
2008-01-09 21:56:06 0 d-------- C:\Program Files\Windows Media Connect 2
2008-01-09 21:46:53 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-09 20:05:41 0 d-------- C:\Documents and Settings\ycchen100\Application Data\Synergy Software
2008-01-09 20:04:51 90112 --a------ C:\WINDOWS\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2008-01-09 20:04:41 0 d-------- C:\Documents and Settings\All Users\「開始」
2008-01-09 20:04:37 0 d-------- C:\Program Files\KaleidaGraph 4.0
2008-01-06 16:28:59 0 d-------- C:\WINDOWS\system32\aliedit
2008-01-06 00:20:14 0 d-------- C:\Documents and Settings\ycchen100\Application Data\Media Player Classic
2008-01-06 00:18:30 164352 --a------ C:\WINDOWS\system32\unrar.dll
2008-01-06 00:18:20 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-01-06 00:18:17 0 d-------- C:\Program Files\K-Lite Codec Pack
2008-01-06 00:05:05 0 d-------- C:\Documents and Settings\ycchen100\Application Data\skypePM
2008-01-06 00:05:05 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-01-06 00:03:48 0 d-------- C:\Program Files\Common Files\Skype
2008-01-05 22:50:19 0 d-------- C:\Program Files\Glary Utilities


-- Find3M Report ---------------------------------------------------------------

2008-02-03 11:14:56 12341 --a------ C:\WINDOWS\system32\Tablet.dat
2008-02-02 21:33:18 1292 --a------ C:\WINDOWS\system32\cid_store.dat
2008-01-10 02:23:24 134494 --a------ C:\WINDOWS\system32\prfh0404.dat
2008-01-10 02:23:24 47220 --a------ C:\WINDOWS\system32\prfc0404.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004/08/04 afternoon 08:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004/08/04 afternoon 08:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004/08/04 afternoon 08:00]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004/02/10 morning 10:55]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004/02/10 morning 10:51]
"SoundMan"="SOUNDMAN.EXE" [2003/12/19 afternoon 05:53 C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2003/11/19 afternoon 03:41 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003/09/26 morning 11:01]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003/09/26 morning 11:01]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001/07/09 morning 11:50]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003/10/31 afternoon 07:42]
"Ulead AutoDetector"="C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" [2008/02/03 morning 11:15]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004/08/04 afternoon 08:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004/08/04 afternoon 08:00]
"PRONoMgr.exe"="c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2004/02/05 afternoon 04:33]
"MDDiskProtect.exe"="C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe" [2005/04/15 afternoon 03:54]
"MediafourGettingStartedWithMacDrive6"="C:\Program Files\Mediafour\MacDrive\MacDrive.exe" [2004/08/26 afternoon 02:12]
"Mediafour Mac Volume Notifications"="C:\Program Files\Common Files\Mediafour\MACVNTFY.exe" [2002/12/17 afternoon 04:43]
"SNPSTD2"="C:\WINDOWS\vsnpstd2.exe" [2004/08/30 afternoon 04:37]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007/10/10 afternoon 07:51]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006/11/03 afternoon 07:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007/09/25 morning 01:11]
"domino"="C:\WINDOWS\domino.exe" [2006/07/04 afternoon 02:16]
"VMSnap1"="C:\WINDOWS\VMSnap1.exe" [2006/07/17 morning 11:27]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008/02/03 morning 11:47]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006/09/08 morning 01:19]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2008/02/02 afternoon 11:52]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004/08/04 afternoon 08:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2006/02/20 morning 10:10]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007/12/07 afternoon 03:11]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008/02/02 afternoon 10:17]

C:\Documents and Settings\ycchen100\「開始」功能表\程式集\啟動\
Internet Explorer.lnk - C:\Program Files\Internet Explorer\IEXPLORE.EXE [2005/5/31 afternoon 12:23:18]

C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
蒙恬快速啟動.lnk - C:\PPENSB\Win32\ppshell.exe [2007/2/22 afternoon 02:50:59]
TabUserW.exe.lnk - C:\WINDOWS\system32\Wtablet\TabUserW.exe [2003/11/19 afternoon 12:11:16]
Google 更新器.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007/7/16 afternoon 08:16:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
c:\WINDOWS\system32\LgNotify.dll 2004/03/03 afternoon 04:48 110592 c:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PPENSB\win32\PPINKDLL.DLL

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"




-- End of Deckard's System Scanner: finished at 2008-02-03 12:20:44 ------------
 
DSS scan extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: Chinese

CPU 0: Intel(R) Celeron(R) M processor 1.30GHz
Percentage of Memory in Use: 42%
Physical Memory (total/avail): 735.48 MiB / 420.99 MiB
Pagefile Memory (total/avail): 1395.2 MiB / 1120.34 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1918.34 MiB

C: is Fixed (FAT32) - 23.43 GiB total, 0.71 GiB free.
D: is Fixed (FAT32) - 11.85 GiB total, 7.19 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - FUJITSU MHT2040AT - 37.26 GiB - 3 partitions
\PARTITION0 (bootable) - Unknown - 23.44 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 11.87 GiB - D:
\PARTITION2 - Unknown - 2000.28 MiB



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\System32\\rundll32.exe"="C:\\WINDOWS\\System32\\rundll32.exe:*:Disabled:Run a DLL as an App"
"C:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe"="C:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe:*:Enabled:Thunder"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:PChome-Skype"
"C:\\WINDOWS\\System32\\dpvsetup.exe"="C:\\WINDOWS\\System32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\ycchen100\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BENQ-WK6ZITF0OR
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\ycchen100
LOGONSERVER=\\BENQ-WK6ZITF0OR
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\Common Files\Ulead Systems\DVD
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ycchen100\LOCALS~1\Temp
TMP=C:\DOCUME~1\ycchen100\LOCALS~1\Temp
USERDOMAIN=BENQ-WK6ZITF0OR
USERNAME=ycchen100
USERPROFILE=C:\Documents and Settings\ycchen100
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

ycchen100 (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> MsiExec.exe /I{B5D8CCBF-08D8-46C0-8B04-3BC0CAEDA094}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 8.1.1 - Chinese Traditional --> MsiExec.exe /I{AC76BA86-7AD7-1028-7B44-A81000000003}
Adobe Reader Japanese Fonts --> MsiExec.exe /I{AC76BA86-7AD7-5A76-5A64-7E8A45000001}
AFPL Ghostscript 8.53 --> C:\Program Files\gs\uninstgs.exe "C:\Program Files\gs\gs8.53\uninstal.txt"
AFPL Ghostscript Fonts --> C:\Program Files\gs\uninstgs.exe "C:\Program Files\gs\fonts\uninstal.txt"
Agere Systems AC'97 Modem --> agrsmdel
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Chinese Simplified Fonts Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-2447-0000-800000000003}
Citrix Web Client --> C:\WINDOWS\system32\ctxsetup.exe /uninst C:\PROGRA~1\Citrix\icaweb32\uninst.inf
CoreFLAC Audio Decoder+Source Filter (remove only) --> "C:\WINDOWS\system32\CoreFLACDecoder-uninstall.exe"
DC3410 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BADD5396-9881-4348-9CB4-60621971D78A}\Setup.exe" -l0x9
eMule --> "C:\Program Files\eMule\Uninstall.exe"
EZSuite 2.0 For BestOn --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{76fa3956-dacc-4bd8-9a2b-784892226332}\SETUP.EXE" -l0x404
ffvfw (uninstall only) --> "C:\Program Files\ffvfw\uninstall.exe"
Glary Utilities 2.4 --> "C:\Program Files\Glary Utilities\unins000.exe"
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar3.dll"
Google 更新器 --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
GSview 4.8 --> C:\Program Files\Ghostgum\gsview\uninstgs.exe "C:\Program Files\Ghostgum\gsview\uninstal.txt"
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP DeskJet 610C 系列 (僅限移除) --> C:\Program Files\HP DeskJet 610C Series\hpfiui.exe -c -vdivid=HPF -vpnum=20 -vproduct=610C -huninstall
Intel(R) Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_3582
Intel(R) PROSet for Wireless --> MsiExec.exe /I{5380063E-2909-4d72-BFA3-625881F2E78B}
ISO Recorder --> MsiExec.exe /I{DFC6573E-124D-4026-BFA4-B433C9D3FF21}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
K-Lite Codec Pack 3.6.5 Standard --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
KaleidaGraph 4.0 --> C:\WINDOWS\unvise32.exe C:\Program Files\KaleidaGraph 4.0\uninstal.log
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
MacDrive 6 --> MsiExec.exe /I {EE4E7E75-A4A6-4C3D-9F70-C276FA43205A}
Macromedia Shockwave Player --> C:\WINDOWS\system32\MACROMED\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\MACROMED\SHOCKW~1\INSTALL.LOG
MD1000 PCSYNC --> "C:\Program Files\MD1000 PCSYNC\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office PowerPoint Viewer 2003 --> MsiExec.exe /X{90AF0409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Word Viewer 2003 --> MsiExec.exe /I{90850409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NOD32 FiX --> "C:\Program Files\Eset\unins000.exe"
NOD32防毒系統 --> C:\Program Files\Eset\Setup\setup.exe /UNINSTALL
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Skype(TM) 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Spelling Dictionaries Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
StuffIt 7.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7374C760-F6DC-11D3-B526-006097B06BE3}\Setup.exe"
SWF Opener --> "C:\Program Files\SWF Opener\unins000.exe"
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Tablet --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{D643A9C5-EAAA-4681-8EDE-6B3462F3ACE3} /l1028
TransMac version 7.5 --> "C:\Program Files\TransMac\unins000.exe"
Ulead Photo Explorer 8.0 SE Basic --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D271DAE0-8D68-4C97-8356-A126D48A1D8C}\setup.exe" -l0x404
Ulead VideoStudio 8.0 SE DVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4F1DA6BF-3614-48A1-9970-9E90F646789E}\Setup.exe" -l0x404
Uniblue RegistryBooster2 --> "C:\Program Files\RegistryBooster2\unins000.exe"
Unlocker 1.8.5 --> C:\Program Files\Unlocker\uninst.exe
USB PC Camera (SN9C103) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EADAA6F7-991F-4CE9-B5CE-FCF3D81F7C7D}\Setup.exe" -l0x404
VGA USB Camera --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1DDF840B-A50A-491E-BF44-6D6964C451A8}\Setup.exe" -l0x404
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB883939) --> "C:\WINDOWS\$NtUninstallKB883939$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB890046) --> "C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB893066) --> "C:\WINDOWS\$NtUninstallKB893066$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB893756) --> "C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB896358) --> "C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB896422) --> "C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB896423) --> "C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB896424) --> "C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB896428) --> "C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB896688) --> "C:\WINDOWS\$NtUninstallKB896688$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB899587) --> "C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB899588) --> "C:\WINDOWS\$NtUninstallKB899588$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB899591) --> "C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB900725) --> "C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB901017) --> "C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB901190) --> "C:\WINDOWS\$NtUninstallKB901190$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB901214) --> "C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB902400) --> "C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB903235) --> "C:\WINDOWS\$NtUninstallKB903235$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB904706) --> "C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB905414) --> "C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB905749) --> "C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB905915) --> "C:\WINDOWS\$NtUninstallKB905915$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB908519) --> "C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB908531) --> "C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB911280) --> "C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB911562) --> "C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB911567) --> "C:\WINDOWS\$NtUninstallKB911567$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB911927) --> "C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB912812) --> "C:\WINDOWS\$NtUninstallKB912812$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB912919) --> "C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB913446) --> "C:\WINDOWS\$NtUninstallKB913446$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB913580) --> "C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB914388) --> "C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB914389) --> "C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB916281) --> "C:\WINDOWS\$NtUninstallKB916281$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB917159) --> "C:\WINDOWS\$NtUninstallKB917159$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB917344) --> "C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB917422) --> "C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB917953) --> "C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB918118) --> "C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB918439) --> "C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB918899) --> "C:\WINDOWS\$NtUninstallKB918899$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB919007) --> "C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB920213) --> "C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB920214) --> "C:\WINDOWS\$NtUninstallKB920214$\spuninst\spuninst.exe"
 
DSS scan extra.txt-2

Windows XP 安全性更新 (KB920670) --> "C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB920683) --> "C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB920685) --> "C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB921398) --> "C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB921503) --> "C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB921883) --> "C:\WINDOWS\$NtUninstallKB921883$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB922616) --> "C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB922760) --> "C:\WINDOWS\$NtUninstallKB922760$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB922819) --> "C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB923191) --> "C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB923414) --> "C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB923689) --> "C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB923694) --> "C:\WINDOWS\$NtUninstallKB923694$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB923980) --> "C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB924191) --> "C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB924270) --> "C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB924496) --> "C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB924667) --> "C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB925454) --> "C:\WINDOWS\$NtUninstallKB925454$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB925486) --> "C:\WINDOWS\$NtUninstallKB925486$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB925902) --> "C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB926255) --> "C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB926436) --> "C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB927779) --> "C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB927802) --> "C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB928090) --> "C:\WINDOWS\$NtUninstallKB928090$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB928255) --> "C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB928843) --> "C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB929123) --> "C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB929969) --> "C:\WINDOWS\$NtUninstallKB929969$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB930178) --> "C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB931261) --> "C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB931768) --> "C:\WINDOWS\$NtUninstallKB931768$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB931784) --> "C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB932168) --> "C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB933566) --> "C:\WINDOWS\$NtUninstallKB933566$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB933729) --> "C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB935839) --> "C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB935840) --> "C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB936021) --> "C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB937143) --> "C:\WINDOWS\$NtUninstallKB937143$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB938127) --> "C:\WINDOWS\$NtUninstallKB938127$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB938829) --> "C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB939653) --> "C:\WINDOWS\$NtUninstallKB939653$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB941202) --> "C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB941568) --> "C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB941569) --> "C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB941644) --> "C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB942615) --> "C:\WINDOWS\$NtUninstallKB942615$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB943460) --> "C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB943485) --> "C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB944653) --> "C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Windows XP 更新 (KB894391) --> "C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Windows XP 更新 (KB896727) --> "C:\WINDOWS\$NtUninstallKB896727$\spuninst\spuninst.exe"
Windows XP 更新 (KB898461) --> "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Windows XP 更新 (KB900485) --> "C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Windows XP 更新 (KB904942) --> "C:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"
Windows XP 更新 (KB910437) --> "C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Windows XP 更新 (KB916595) --> "C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Windows XP 更新 (KB920342) --> "C:\WINDOWS\$NtUninstallKB920342$\spuninst\spuninst.exe"
Windows XP 更新 (KB920872) --> "C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Windows XP 更新 (KB922582) --> "C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Windows XP 更新 (KB927891) --> "C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Windows XP 更新 (KB929338) --> "C:\WINDOWS\$NtUninstallKB929338$\spuninst\spuninst.exe"
Windows XP 更新 (KB930916) --> "C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Windows XP 更新 (KB931836) --> "C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
Windows XP 更新 (KB933360) --> "C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"
Windows XP 更新 (KB936357) --> "C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Windows XP 更新 (KB938828) --> "C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Windows XP 更新 (KB942763) --> "C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Windows XP 更新 (KB942840) --> "C:\WINDOWS\$NtUninstallKB942840$\spuninst\spuninst.exe"
Windows XP 更新 (KB946627) --> "C:\WINDOWS\$NtUninstallKB946627$\spuninst\spuninst.exe"
WinRAR 壓縮工具 --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
WMPTagSupportExtender --> MsiExec.exe /I{7AEBFFF0-15A1-48A9-88F3-06604486C7C9}
Yahoo!奇摩Messenger --> C:\PROGRA~1\YAHOO!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\YAHOO!\MESSEN~1\INSTALL.LOG
迅雷5 --> "C:\Program Files\Thunder Network\Thunder\unins000.exe"
淘寶旺旺 --> "C:\Program Files\淘寶網\淘寶旺旺\Unwise.exe" "C:\Program Files\淘寶網\淘寶旺旺\INSTALL.LOG"
蒙恬筆 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{92F9A035-46D1-4F41-8FCB-B12797586B06}\setup.exe" -l0x404 -removeonly
蒙恬認識王專業版 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F92C708B-9CB2-4460-8B5B-13EA895859F3}\Setup.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type3843 / Error
Event Submitted/Written: 02/03/2008 10:19:35 AM
Event ID/Source: 1004 / Application Error
Event Description:
失敗的應用程式 svchost.exe,版本 0.0.0.0,失敗的模組 unknown,版本 0.0.0.0,錯誤位址 0x00000000。
建立結果 PEAP-TLV 以回應接收的 PEAP-TLV (svchost.exe!ld!) 時發生錯誤

Event Record #/Type3829 / Error
Event Submitted/Written: 02/02/2008 04:45:08 PM
Event ID/Source: 1000 / Application Error
Event Description:
失敗的應用程式 ,版本 0.0.0.0,失敗的模組 unknown,版本 0.0.0.0,錯誤位址 0x00000000。
正在為 [!ws!] 處理媒體相關的事件

Event Record #/Type3808 / Error
Event Submitted/Written: 01/30/2008 08:10:06 PM
Event ID/Source: 1000 / Application Error
Event Description:
失敗的應用程式 iexplore.exe,版本 6.0.2900.2180,失敗的模組 urlmon.dll,版本 6.0.2900.3231,錯誤位址 0x0003a176。
正在為 [iexplore.exe!ws!] 處理媒體相關的事件

Event Record #/Type3796 / Warning
Event Submitted/Written: 01/29/2008 04:11:00 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows 無法將您的類別登錄檔解除載入 - 有其他應用程式或服務還在使用它。如果檔案不在使用中將會被解除載入。

Event Record #/Type3795 / Error
Event Submitted/Written: 01/29/2008 11:49:34 AM
Event ID/Source: 1000 / Application Error
Event Description:
失敗的應用程式 iexplore.exe,版本 6.0.2900.2180,失敗的模組 ntdll.dll,版本 5.1.2600.2180,錯誤位址 0x000122ba。
正在為 [iexplore.exe!ws!] 處理媒體相關的事件



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type138387 / Warning
Event Submitted/Written: 02/03/2008 11:47:31 AM
Event ID/Source: 1007 / Dhcp
Event Description:
您的電腦已自動設定網路位址為 0040D0756F25 的網路卡的 IP 位址。
目前使用的 IP 位址是 169.254.95.201。

Event Record #/Type138380 / Error
Event Submitted/Written: 02/03/2008 11:20:02 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
Computer Browser 服務因下列錯誤而終止:
%%1460

Event Record #/Type138367 / Error
Event Submitted/Written: 02/03/2008 11:15:16 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
AVG Anti-Spyware Guard 服務無法啟動,因為發生下列錯誤:
%%193

Event Record #/Type138362 / Error
Event Submitted/Written: 02/03/2008 11:15:16 AM
Event ID/Source: 7026 / Service Control Manager
Event Description:
下列開機啟動或系統啟動驅動程式無法載入:
IKFileSec

Event Record #/Type138361 / Error
Event Submitted/Written: 02/03/2008 11:15:16 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
DC3410 Video Camera Device 服務無法啟動,因為發生下列錯誤:
%%1058



-- End of Deckard's System Scanner: finished at 2008-02-03 11:47:38 ------------
 
ycchen100 said:
Dear All,

I think i really need some advice. Never had a problem like this before.

Well, I can't run HiJackThis because of "not a valid Win32 application". In fact, all the anti-virus programs became invalid in a similar way in my PC. On start up the windows defender complaints that the service is stopped. I want to activate the service in the control panel. It reports an error 1053. Not able to boot in a safe mode. But I can still go online with this PC. But I know it is now unprotected.

I suspect this has to do with the Mdelk.exe existed in the windows\ssytem32 folder. However, after reading sevaral similar threads in this forum, i found not much help as I couldn't locate the following files/folder in the system32 folder wintems.exe, \drivers\hldrrr.exe, mdelk.pif, \drivers\down, drivers\srosa.sys, ...

I can do DSS. will post the DSS reports in a following link.
Click to expand...

I can't run ComboFix either due to the same problem "not a valid Win32 application." Also, the Kapersky online scanner cannot continue due to "update process FAILED."

It looks to me very bad...: sad:
 
some updates

ok. the following is what I have tried to solve the problem by myself.

1. I have tried to run the IceSward. But the same problem "not a valid Win32 application."
It seems that if I can get rid of this annoying problem. I be much better. But i really don't know how.

2. I have tried Panda ActiveScan online scan and remove some virus. The scan report is as follwos:

Incident Location

Virus:w32/bagle.hx.worm Operating system

Virus:W32/Bagle.BA.worm DC:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\DOWN\a.bat.vir
Virus:W32/Bagle.RC.worm DiC:\WINDOWS\SYSTEM32\DRIVERS\DOWN\291499.EXE

Virus:W32/Bagle.RC.worm C:\WINDOWS\SYSTEM32\DRIVERS\DOWN\411762.EXE

Virus:W32/Bagle.RC.worm C:\WINDOWS\SYSTEM32\MDELK.EXE

Virus:W32/Bagle.RC.worm C:\WINDOWS\SYSTEM32\WINTEMS.EXE

Potentially unwanted tool:Application/NirCmd.A C:\WINDOWS\Nircmd.exe

3. I couldn't locate the folowing files in the registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hldrrr.exe"="C:\\WINDOWS\\System32\\igfxtray.exe"
"wintems.exe"="C:\\WINDOWS\\System32\\igfxtray.exe"

not in "HKEY_CURRENT_USER\..." nor in "HKEY_LOCAL_MACHINE\...",

The only thing I found related is
"igfxtray.exe"="C:\\WINDOWS\\System32\\igfxtray.exe"

4. The following is what I think maybe malicious in my computer:

1. C:\WINDOWS\System32\mdelk.exe. It was about 70K. After panda online scan, it is left with 0K, but not removed.

2. In the registry,
HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\LEGACY_SROSA
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\srosa
HKEY_LOCAL_MACHINE\System\ControlSet003\Enum\Root\LEGACY_SROSA
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_SROSA
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srosa

3. There may be some other hidden files that i have overlooked.

4. All the virus come back after restart. So Panda active scan did not really solve the problem.

5. I am stuck here again.
 
ComboFix

ok. I manage to run ComboFix once after repeated Panda active online scan. It doesn't help much as the Mdelk.exe comes back again and ComboFix is again not a valid Win32 application (as I can see the icon is "blinking", if you knwo what I mean)

The following is the ComboFix.txt

ComboFix 08-02.03.1 - ycchen100 2008-02-03 15:07:45.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.950.1.1028.18.414 [GMT 8:00]
執行位置?: D:\ycchen\downloads\ComboFix.exe
* 已建立新的還原點

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
/wow section - STAGE 4
/wow section unfinished

(((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\boot.ini
C:\WINDOWS\system32\drivers\down
C:\WINDOWS\system32\drivers\down\1000819.exe
C:\WINDOWS\system32\drivers\down\1011364.exe
C:\WINDOWS\system32\drivers\down\1020847.exe
C:\WINDOWS\system32\drivers\down\11456263.exe
C:\WINDOWS\system32\drivers\down\11458446.exe
C:\WINDOWS\system32\drivers\down\11466127.exe
C:\WINDOWS\system32\drivers\down\11471124.exe
C:\WINDOWS\system32\drivers\down\11477874.exe
C:\WINDOWS\system32\drivers\down\11480938.exe
C:\WINDOWS\system32\drivers\down\11516359.exe
C:\WINDOWS\system32\drivers\down\11527615.exe
C:\WINDOWS\system32\drivers\down\11538060.exe
C:\WINDOWS\system32\drivers\down\121334.exe
C:\WINDOWS\system32\drivers\down\14913744.exe
C:\WINDOWS\system32\drivers\down\14955464.exe
C:\WINDOWS\system32\drivers\down\15033236.exe
C:\WINDOWS\system32\drivers\down\15033917.exe
C:\WINDOWS\system32\drivers\down\15049950.exe
C:\WINDOWS\system32\drivers\down\15059744.exe
C:\WINDOWS\system32\drivers\down\15067996.exe
C:\WINDOWS\system32\drivers\down\15071291.exe
C:\WINDOWS\system32\drivers\down\15093863.exe
C:\WINDOWS\system32\drivers\down\15111939.exe
C:\WINDOWS\system32\drivers\down\15120912.exe
C:\WINDOWS\system32\drivers\down\15123085.exe
C:\WINDOWS\system32\drivers\down\15125599.exe
C:\WINDOWS\system32\drivers\down\15132118.exe
C:\WINDOWS\system32\drivers\down\15149674.exe
C:\WINDOWS\system32\drivers\down\15152548.exe
C:\WINDOWS\system32\drivers\down\15201328.exe
C:\WINDOWS\system32\drivers\down\15222909.exe
C:\WINDOWS\system32\drivers\down\15231381.exe
C:\WINDOWS\system32\drivers\down\157676.exe
C:\WINDOWS\system32\drivers\down\170234.exe
C:\WINDOWS\system32\drivers\down\204874.exe
C:\WINDOWS\system32\drivers\down\210202.exe
C:\WINDOWS\system32\drivers\down\259713.exe
C:\WINDOWS\system32\drivers\down\273122.exe
C:\WINDOWS\system32\drivers\down\280433.exe
C:\WINDOWS\system32\drivers\down\281314.exe
C:\WINDOWS\system32\drivers\down\313881.exe
C:\WINDOWS\system32\drivers\down\318427.exe
C:\WINDOWS\system32\drivers\down\325848.exe
C:\WINDOWS\system32\drivers\down\327020.exe
C:\WINDOWS\system32\drivers\down\334060.exe
C:\WINDOWS\system32\drivers\down\336854.exe
C:\WINDOWS\system32\drivers\down\345366.exe
C:\WINDOWS\system32\drivers\down\366677.exe
C:\WINDOWS\system32\drivers\down\378824.exe
C:\WINDOWS\system32\drivers\down\381879.exe
C:\WINDOWS\system32\drivers\down\382790.exe
C:\WINDOWS\system32\drivers\down\384953.exe
C:\WINDOWS\system32\drivers\down\390511.exe
C:\WINDOWS\system32\drivers\down\392394.exe
C:\WINDOWS\system32\drivers\down\393455.exe
C:\WINDOWS\system32\drivers\down\400676.exe
C:\WINDOWS\system32\drivers\down\402719.exe
C:\WINDOWS\system32\drivers\down\403249.exe
C:\WINDOWS\system32\drivers\down\407075.exe
C:\WINDOWS\system32\drivers\down\407325.exe
C:\WINDOWS\system32\drivers\down\409468.exe
C:\WINDOWS\system32\drivers\down\423559.exe
C:\WINDOWS\system32\drivers\down\427705.exe
C:\WINDOWS\system32\drivers\down\432291.exe
C:\WINDOWS\system32\drivers\down\436016.exe
C:\WINDOWS\system32\drivers\down\436117.exe
C:\WINDOWS\system32\drivers\down\441665.exe
C:\WINDOWS\system32\drivers\down\443667.exe
C:\WINDOWS\system32\drivers\down\445510.exe
C:\WINDOWS\system32\drivers\down\447533.exe
C:\WINDOWS\system32\drivers\down\454273.exe
C:\WINDOWS\system32\drivers\down\456456.exe
C:\WINDOWS\system32\drivers\down\458749.exe
C:\WINDOWS\system32\drivers\down\461854.exe
C:\WINDOWS\system32\drivers\down\467612.exe
C:\WINDOWS\system32\drivers\down\476094.exe
C:\WINDOWS\system32\drivers\down\483014.exe
C:\WINDOWS\system32\drivers\down\487330.exe
C:\WINDOWS\system32\drivers\down\500339.exe
C:\WINDOWS\system32\drivers\down\507389.exe
C:\WINDOWS\system32\drivers\down\515030.exe
C:\WINDOWS\system32\drivers\down\517434.exe
C:\WINDOWS\system32\drivers\down\525285.exe
C:\WINDOWS\system32\drivers\down\543301.exe
C:\WINDOWS\system32\drivers\down\551342.exe
C:\WINDOWS\system32\drivers\down\553355.exe
C:\WINDOWS\system32\drivers\down\563340.exe
C:\WINDOWS\system32\drivers\down\574786.exe
C:\WINDOWS\system32\drivers\down\589948.exe
C:\WINDOWS\system32\drivers\down\597138.exe
C:\WINDOWS\system32\drivers\down\600173.exe
C:\WINDOWS\system32\drivers\down\602135.exe
C:\WINDOWS\system32\drivers\down\608194.exe
C:\WINDOWS\system32\drivers\down\608334.exe
C:\WINDOWS\system32\drivers\down\608875.exe
C:\WINDOWS\system32\drivers\down\624157.exe
C:\WINDOWS\system32\drivers\down\624998.exe
C:\WINDOWS\system32\drivers\down\628133.exe
C:\WINDOWS\system32\drivers\down\633090.exe
C:\WINDOWS\system32\drivers\down\644136.exe
C:\WINDOWS\system32\drivers\down\662813.exe
C:\WINDOWS\system32\drivers\down\673458.exe
C:\WINDOWS\system32\drivers\down\680909.exe
C:\WINDOWS\system32\drivers\down\729228.exe
C:\WINDOWS\system32\drivers\down\739673.exe
C:\WINDOWS\system32\drivers\down\747755.exe
C:\WINDOWS\system32\drivers\down\749677.exe
C:\WINDOWS\system32\drivers\down\7728783.exe
C:\WINDOWS\system32\drivers\down\7730165.exe
C:\WINDOWS\system32\drivers\down\7744866.exe
C:\WINDOWS\system32\drivers\down\7755551.exe
C:\WINDOWS\system32\drivers\down\7761780.exe
C:\WINDOWS\system32\drivers\down\7765195.exe
C:\WINDOWS\system32\drivers\down\7796851.exe
C:\WINDOWS\system32\drivers\down\7846102.exe
C:\WINDOWS\system32\drivers\down\799048.exe
C:\WINDOWS\system32\drivers\down\799770.exe
C:\WINDOWS\system32\drivers\down\802073.exe
C:\WINDOWS\system32\drivers\down\802934.exe
C:\WINDOWS\system32\drivers\down\812948.exe
C:\WINDOWS\system32\drivers\down\818647.exe
C:\WINDOWS\system32\drivers\down\821801.exe
C:\WINDOWS\system32\drivers\down\826668.exe
C:\WINDOWS\system32\drivers\down\827069.exe
C:\WINDOWS\system32\drivers\down\829652.exe
C:\WINDOWS\system32\drivers\down\836713.exe
C:\WINDOWS\system32\drivers\down\837324.exe
C:\WINDOWS\system32\drivers\down\839587.exe
C:\WINDOWS\system32\drivers\down\852776.exe
C:\WINDOWS\system32\drivers\down\861689.exe
C:\WINDOWS\system32\drivers\down\863752.exe
C:\WINDOWS\system32\drivers\down\865865.exe
C:\WINDOWS\system32\drivers\down\867727.exe
C:\WINDOWS\system32\drivers\down\878182.exe
C:\WINDOWS\system32\drivers\down\881337.exe
C:\WINDOWS\system32\drivers\down\909748.exe
C:\WINDOWS\system32\drivers\down\915846.exe
C:\WINDOWS\system32\drivers\down\923417.exe
C:\WINDOWS\system32\drivers\down\927523.exe
C:\WINDOWS\system32\drivers\down\931479.exe
C:\WINDOWS\system32\drivers\down\939671.exe
C:\WINDOWS\system32\drivers\down\941623.exe
C:\WINDOWS\system32\drivers\down\943446.exe
C:\WINDOWS\system32\drivers\down\948563.exe
C:\WINDOWS\system32\drivers\down\956094.exe
C:\WINDOWS\system32\drivers\down\959960.exe
C:\WINDOWS\system32\drivers\down\a.bat

.
(((((((((((((((((((((((((((( Files Created from 2008-01-03 - 2008-02-03 )))))))))))))))))))))))))))))))))
.

2008-02-03 13:15 . 2006-06-30 14:13 8,704 --a------ C:\WINDOWS\system32\pfdnnt.exe
2008-02-03 11:44 . 2008-02-03 11:44 <DIR> d-------- C:\Deckard
2008-02-03 11:41 . 2008-02-03 11:41 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-03 11:41 . 2008-02-03 11:41 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-03 11:41 . 2008-02-03 11:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-03 10:33 . 2008-02-03 10:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-02-03 10:32 . 2008-02-03 10:33 <DIR> d-------- C:\Documents and Settings\ycchen100\Application Data\PrevxCSI
2008-02-03 10:17 . 2008-02-03 10:17 <DIR> d--hs---- C:\FOUND.003
2008-02-02 21:33 . 2008-02-02 21:33 <DIR> d-------- C:\Program Files\Unlocker
2008-02-02 20:29 . 2008-02-02 20:29 <DIR> d--h----- C:\WINDOWS\PIF
2008-02-02 20:09 . 2008-02-02 20:08 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-02-02 20:09 . 2008-02-02 20:08 298,104 --a------ C:\WINDOWS\system32\imon.dll
2008-02-02 20:09 . 2008-02-02 20:07 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2008-02-02 19:49 . 2008-02-03 13:32 0 --------- C:\WINDOWS\system32\mdelk.exe
2008-02-02 16:42 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-02 15:29 . 2006-09-06 00:03 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-02 15:25 . 2008-02-02 15:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-02 15:16 . 2008-02-02 15:16 <DIR> d--hs---- C:\FOUND.002
2008-01-29 15:59 . 2004-12-24 11:15 225,357 -ra------ C:\WINDOWS\system32\VM31bPrp.Ax
2008-01-29 15:59 . 2006-05-24 13:39 195,299 -ra------ C:\WINDOWS\system32\drivers\usbVM31b.sys
2008-01-29 15:59 . 2006-04-11 13:25 176,128 -ra------ C:\WINDOWS\amcap.exe
2008-01-29 15:59 . 2006-05-24 13:39 94,208 -ra------ C:\WINDOWS\VMCap.exe
2008-01-29 15:59 . 2006-05-24 13:39 61,440 -ra------ C:\WINDOWS\system32\VM31bSTI.dll
2008-01-29 15:59 . 2006-07-17 11:27 49,152 -ra------ C:\WINDOWS\VMSnap1.exe
2008-01-29 15:59 . 2006-07-04 14:16 49,152 -ra------ C:\WINDOWS\domino.exe
2008-01-11 21:37 . 2008-01-11 21:37 <DIR> d-------- C:\Program Files\Taobao
2008-01-09 22:06 . 2008-01-09 22:07 <DIR> d-------- C:\Program Files\TransMac
2008-01-09 21:59 . 2006-10-04 22:06 1,197,294 --------- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-01-09 21:59 . 2006-10-04 22:06 764,868 --------- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-01-09 21:59 . 2006-10-04 22:06 217,118 --------- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-01-09 21:56 . 2008-01-09 21:56 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-01-09 21:46 . 2008-01-09 21:46 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-09 20:05 . 2008-01-09 20:05 <DIR> d-------- C:\Documents and Settings\ycchen100\Application Data\Synergy Software
2008-01-09 20:05 . 2008-01-09 20:05 0 --a------ C:\WINDOWS\KGOleSrv.INI
2008-01-09 20:04 . 2008-01-09 20:04 <DIR> d-------- C:\Program Files\KaleidaGraph 4.0
2008-01-09 20:04 . 2008-01-09 20:04 <DIR> d-------- C:\Documents and Settings\All Users\「開始」
2008-01-09 20:04 . 2004-03-29 15:23 90,112 --a------ C:\WINDOWS\unvise32.exe
2008-01-06 16:28 . 2008-01-06 16:29 <DIR> d-------- C:\WINDOWS\system32\aliedit
2008-01-06 00:20 . 2008-01-06 00:20 <DIR> d-------- C:\Documents and Settings\ycchen100\Application Data\Media Player Classic
2008-01-06 00:18 . 2008-01-06 00:18 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-01-06 00:18 . 2007-09-04 17:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2008-01-06 00:18 . 2007-12-24 13:49 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-01-06 00:18 . 2007-07-10 17:10 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-01-06 00:05 . 2008-01-06 00:05 <DIR> d-------- C:\Documents and Settings\ycchen100\Application Data\skypePM
2008-01-06 00:05 . 2008-01-06 00:05 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-01-06 00:03 . 2008-01-06 00:03 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-01-05 22:50 . 2008-01-05 22:50 <DIR> d-------- C:\Program Files\Glary Utilities

.
(((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-03 07:07 6,815,744 ---ha-w C:\Documents and Settings\ycchen100\NTUSER.DAT
2008-02-03 07:07 6,815,744 ---ha-w C:\Documents and Settings\ycchen100\NTUSER.DAT
2008-02-03 02:33 --------- d-----w C:\Documents and Settings\ycchen100\Application Data\PrevxCSI
2008-01-11 13:37 --------- d-----w C:\Program Files\Taobao
2008-01-09 12:05 --------- d-----w C:\Documents and Settings\ycchen100\Application Data\Synergy Software
2008-01-05 16:20 --------- d-----w C:\Documents and Settings\ycchen100\Application Data\Media Player Classic
2008-01-05 16:05 --------- d-----w C:\Documents and Settings\ycchen100\Application Data\skypePM
2007-11-14 07:27 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-07 09:26 699,904 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 699,904 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
.

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*注意* 空白或合法的登錄值將不會顯示

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\{A08FB30D-51C4-4E54-AA5E-FF18739802EA}]
@=Mediafour Mac Volume Icons

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2006-02-20 10:10 678769]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-12-07 15:11 21777704]
"SpybotSD TeaTimer"="D:\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 20:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00 455168]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-02-10 10:55 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-02-10 10:51 118784]
"SoundMan"="SOUNDMAN.EXE" [2003-12-19 17:53 65024 C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2003-11-19 15:41 88363 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-09-26 11:01 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-09-26 11:01 503808]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"Ulead AutoDetector"="C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" [2008-02-03 11:15 45056]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 20:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 20:00 59392]
"PRONoMgr.exe"="c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2004-02-05 16:33 86016]
"MDDiskProtect.exe"="C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe" [2005-04-15 15:54 106496]
"MediafourGettingStartedWithMacDrive6"="C:\Program Files\Mediafour\MacDrive\MacDrive.exe" [2004-08-26 14:12 86016]
"Mediafour Mac Volume Notifications"="C:\Program Files\Common Files\Mediafour\MACVNTFY.exe" [2002-12-17 16:43 61440]
"SNPSTD2"="C:\WINDOWS\vsnpstd2.exe" [2004-08-30 16:37 286720]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"domino"="C:\WINDOWS\domino.exe" [2006-07-04 14:16 49152]
"VMSnap1"="C:\WINDOWS\VMSnap1.exe" [2006-07-17 11:27 49152]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-02-03 13:10 949376]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-08 01:19 15872]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2008-02-02 23:52 6731312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Panda_cleaner"="C:\WINDOWS\system32\ACTIVE~1\pavdr.exe" [2006-07-14 13:04 45056]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 20:00 15360]

C:\Documents and Settings\ycchen100\「開始」功能表\程式集\啟動\
Internet Explorer.lnk - C:\Program Files\Internet Explorer\IEXPLORE.EXE [2005-05-31 12:23:18 93184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
c:\WINDOWS\system32\LgNotify.dll 2004-03-03 16:48 110592 c:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PPENSB\win32\PPINKDLL.DLL

R0 MDPMGRNT;MDPMGRNT;C:\WINDOWS\system32\drivers\MDPMGRNT.sys [2006-04-30 22:57]
R1 MDFSYSNT;MDFSYSNT;C:\WINDOWS\system32\drivers\MDFSYSNT.sys [2006-09-14 02:53]
R1 srosa;Megadrv3;C:\WINDOWS\system32\drivers\srosa.sys [2008-02-03 11:15]
R3 EMCR;EMCR;C:\WINDOWS\system32\DRIVERS\EMCR7SK.sys [2004-05-03 14:12]
S2 VCapture;DC3410 Video Camera Device;C:\WINDOWS\system32\Drivers\VCapture.sys [2002-10-21 11:37]
S3 MD1000;GSL MD1000 Electronic Dictionary;C:\WINDOWS\system32\Drivers\MD1000.sys [2004-10-08 16:39]
S3 PAC7311;VGA USB Camera;C:\WINDOWS\system32\DRIVERS\PA707UCM.SYS [2005-10-18 11:48]
S3 snpstd2;USB PC Camera (SN9C103);C:\WINDOWS\system32\DRIVERS\snpstd2.sys [2004-10-14 17:12]
S3 USBCamera;DC3410 Still Camera Device;C:\WINDOWS\system32\Drivers\CamBulk.sys [2002-12-04 14:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-02 17:37:04 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 15:09:49
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

? [1956]
? [3968]
scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files?: 0

**************************************************************************

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"drvsyskit"="C:\\WINDOWS\\system32\\drivers\\hldrrr.exe"
"german.exe"="C:\\WINDOWS\\system32\\wintems.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time?: 2008-02-03 15:11:06
ComboFix-quarantined-files.txt 2008-02-03 07:11:04
.
2008-02-01 01:38:53 --- E O F ---
 
some updates - day 2

ok. the following is what I have found out from yesterday.

1. The mdelk.exe et al virus targets specific programs and makes them "not a valid Win32 aplication", including mainly anti-virus programs and some useful tools, such as HiJackThis.

2. To get around with it, I have to download the HiJackThis directly from the internet and during download name it a different name, such as HiJackThis2. I can't use the installer to install a "valid" copy. So, now I CAN run HiJackThis and will post the log in a following link.

3. A question. What if this malicious virus is able to make ALL applications "not a valid Win32 application" even with several anti-virus programs running actively? Is this the user's blame or should there be a fix for it quickly?
 
HiJackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at afternoon 08:15:20, on 2008/2/4
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\WINDOWS\vsnpstd2.exe
C:\WINDOWS\domino.exe
C:\WINDOWS\VMSnap1.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PPENSB\Win32\ppshell.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\internet explorer\iexplore.exe
D:\ycchen\downloads\HiJackThis2.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: ThunderBHO - {06849E9E-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [MediafourGettingStartedWithMacDrive6] "C:\Program Files\Mediafour\MacDrive\MacDrive.exe" /runonce
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [domino] C:\WINDOWS\domino.exe
O4 - HKLM\..\Run: [VMSnap1] C:\WINDOWS\VMSnap1.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: 使用迅雷下載 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下載全部鏈接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: 運行迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: 運行迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://WWW.BenQ.COM/
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E0DFFCF-27FF-4574-849B-55007349FEDA} (iTrusPTA Class) - https://img.alipay.com/download/1101/aliedit.cab
O16 - DPF: {272B8D21-5304-4529-BD3D-1CF392342F7D} (ICBC XCsp) - https://netbank.megabank.com.tw/natm/ICBCNetATM.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/cabs/ascstubie.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172239528665
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E8875A6-1C0A-44D8-BE56-9D49FD620A97}: NameServer = 139.175.55.244 139.175.252.16
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PPENSB\win32\PPINKDLL.DLL
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\ISO Recorder\ImapiHelper.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9510 bytes
 
some updates - day 3

not much progress. But I also manage to get the IcsSword working. Because i can only download the zip file, I have to be "careful" to produce a Icesword2 to avoid it become "not a valid Win32 application". Basically, i purposely unzip the application to voerwrite the invalid one and while popup, i can rename as icesword2. will post the required log in the folowing links.

1. I also found a malicious file named ban_list.txt in the system32 folder. This one keeps comng back after removral.

2. while running Icesword, I did found the wintems.exe and \drivers\hldrrr.exe in the processes but they are not to found in the system32 folder. The wintems.exe may be disguised by the name mdelk.exe. no wonder it always reports not found when i want to delete mdelk.exe.
 
Icesword -processes

Process:

System Idle Process
System
C:\PPENSB\Win32\PPSHELL.EXE
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\System32\SMSS.EXE
C:\WINDOWS\System32\CSRSS.EXE
C:\WINDOWS\System32\WINLOGON.EXE
C:\WINDOWS\System32\SERVICES.EXE
C:\WINDOWS\System32\LSASS.EXE
C:\WINDOWS\System32\SVCHOST.EXE
C:\WINDOWS\System32\SVCHOST.EXE
C:\WINDOWS\System32\SVCHOST.EXE
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\SVCHOST.EXE
D:\ycchen\downloads\IceSword122en\IceSword2.exe
C:\WINDOWS\System32\SVCHOST.EXE
C:\WINDOWS\System32\SPOOLSV.EXE
C:\WINDOWS\System32\ZCfgSvc.exe
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\IGFXTRAY.EXE
C:\WINDOWS\System32\HKCMD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\WINDOWS\VSNPSTD2.EXE
C:\WINDOWS\DOMINO.EXE
C:\WINDOWS\VMSnap1.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\System32\CTFMON.EXE
C:\WINDOWS\System32\DRIVERS\HLDRRR.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\SVCHOST.EXE
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\wintems.exe
 
Icesword - win32 services

Started Service:

Service Name:AudioSrv Display Name:Windows Audio
Service Name:BITS Display Name:Background Intelligent Transfer Service
Service Name:CryptSvc Display Name:Cryptographic Services
Service Name:DcomLaunch Display Name:DCOM Server Process Launcher
Service Name:Dhcp Display Name:DHCP Client
Service Name:Dnscache Display Name:DNS Client
Service Name:ERSvc Display Name:Error Reporting Service
Service Name:Eventlog Display Name:Event Log
Service Name:EventSystem Display Name:COM+ Event System
Service Name:FastUserSwitchingCompatibility Display Name:Fast User Switching Compatibility
Service Name:gusvc Display Name:Google Updater Service
Service Name:helpsvc Display Name:Help and Support
Service Name:HidServ Display Name:HID Input Service
Service Name:lanmanserver Display Name:Server
Service Name:lanmanworkstation Display Name:Workstation
Service Name:LmHosts Display Name:TCP/IP NetBIOS Helper
Service Name:Netman Display Name:Network Connections
Service Name:Nla Display Name:Network Location Awareness (NLA)
Service Name:PlugPlay Display Name:Plug and Play
Service Name:PolicyAgent Display Name:IPSEC Services
Service Name:ProtectedStorage Display Name:Protected Storage
Service Name:RasMan Display Name:Remote Access Connection Manager
Service Name:RegSrvc Display Name:RegSrvc
Service Name:RpcSs Display Name:Remote Procedure Call (RPC)
Service Name:S24EventMonitor Display Name:Spectrum24 Event Monitor
Service Name:SamSs Display Name:Security Accounts Manager
Service Name:Schedule Display Name:Task Scheduler
Service Name:seclogon Display Name:Secondary Logon
Service Name:SENS Display Name:System Event Notification
Service Name:ShellHWDetection Display Name:Shell Hardware Detection
Service Name:Spooler Display Name:Print Spooler
Service Name:srservice Display Name:System Restore Service
Service Name:SSDPSRV Display Name:SSDP Discovery Service
Service Name:STI Simulator Display Name:STI Simulator
Service Name:stisvc Display Name:Windows Image Acquisition (WIA)
Service Name:TabletService Display Name:TabletService
Service Name:TapiSrv Display Name:Telephony
Service Name:TermService Display Name:Terminal Services
Service Name:Themes Display Name:Themes
Service Name:TrkWks Display Name:Distributed Link Tracking Client
Service Name:UleadBurningHelper Display Name:Ulead Burning Helper
Service Name:W32Time Display Name:Windows Time
Service Name:WebClient Display Name:WebClient
Service Name:winmgmt Display Name:Windows Management Instrumentation
Service Name:WZCSVC Display Name:Wireless Zero Configuration
 
Icesword - StartUp

Startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IMJPMIG8.1
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PHIME2002ASync
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PHIME2002A
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IgfxTray
C:\WINDOWS\system32\igfxtray.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HotKeysCmds
C:\WINDOWS\system32\hkcmd.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SoundMan
SOUNDMAN.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AGRSMMSG
AGRSMMSG.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SynTPLpr
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SynTPEnh
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NeroFilterCheck
C:\WINDOWS\system32\NeroCheck.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RemoteControl
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Ulead AutoDetector
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IMEKRMIG6.1
C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSPY2002
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PRONoMgr.exe
c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MDDiskProtect.exe
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MediafourGettingStartedWithMacDrive6
"C:\Program Files\Mediafour\MacDrive\MacDrive.exe" /runonce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Mediafour Mac Volume Notifications
"C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SNPSTD2
C:\WINDOWS\vsnpstd2.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adobe Reader Speed Launcher
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Defender
"C:\Program Files\Windows Defender\MSASCui.exe" -hide

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SunJavaUpdateSched
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
domino
C:\WINDOWS\domino.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
VMSnap1
C:\WINDOWS\VMSnap1.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nod32kui
"C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
UnlockerAssistant
"C:\Program Files\Unlocker\UnlockerAssistant.exe" -H

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
KernelFaultCheck
%systemroot%\system32\dumprep 0 -k

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
!AVG Anti-Spyware
"C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
swg
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Skype
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
drvsyskit
C:\WINDOWS\system32\drivers\hldrrr.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
german.exe
C:\WINDOWS\system32\wintems.exe

C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動
desktop.ini


C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動
蒙恬快速啟動.lnk
C:\PPENSB\Win32\PPSHELL.exe (Remarkㄩ)

C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動
TabUserW.exe.lnk
C:\WINDOWS\system32\Wtablet\TabUserW.exe (Remarkㄩ)

C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動
Google 更新器.lnk
C:\Program Files\Google\Google Updater\GoogleUpdater.exe (RemarkㄩGoogle 更新器)

C:\Documents and Settings\ycchen100\「開始」功能表\程式集\啟動
desktop.ini


C:\Documents and Settings\ycchen100\「開始」功能表\程式集\啟動
Internet Explorer.lnk
C:\Program Files\Internet Explorer\IEXPLORE.EXE (Remarkㄩ尋找和顯示網際網路上的資訊和網站。)
 
some remarks

1. I didn't find any red entry during the icesword scan. The wintems.exe process occurs while i did the icesword scan. I can terminate this process easily from the task manager.

2. Somehow I am not able to save the log file for the SSDT scan. But I found out that all the entries are pointing to the same Kmodule name, which is windows\system32\ntkrnlpa.exe. I found this file in the system32 folder.

ok. this is pretty much what i guess i can do before i start to remove the virus myself based on other similar threads in this forum.
 
some updates - day 4

Although I cannot do the Kapersky online scan due to the update process FAILED, I can do Total scan. The report is as follows:

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-02-06 13:40:39
PROTECTIONS: 2
MALWARE: 6
SUSPECTS: 8
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
NOD32 Antivirus 2.70.32 No No
Windows Defender 1.1.3109.0 No No
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00047872 W32/Bagle.BA.worm Virus/Worm No 0 Yes No C:\WINDOWS\SYSTEM32\DRIVERS\DOWN\A.BAT
00263780 w32/bagle.hx.worm Virus/Worm No 1 Yes No hkey_current_user\software\datetime4
00263780 w32/bagle.hx.worm Virus/Worm No 1 Yes No c:\windows\system32\wintems.exe
02890982 W32/Bagle.QV.worm Virus/Worm No 0 Yes No C:\WINDOWS\SYSTEM32\DRIVERS\DOWN\14806801.EXE
02893167 W32/Bagle.RC.worm Virus/Worm No 0 Yes No C:\WINDOWS\SYSTEM32\DRIVERS\DOWN\14857413.EXE
02893167 W32/Bagle.RC.worm Virus/Worm No 0 Yes No C:\Documents and Settings\ycchen100 Local Settings\Temporary Internet Files\Content.IE5\86IQAPYI\b64_1[1].jpg
02893167 W32/Bagle.RC.worm Virus/Worm No 0 Yes No C:\WINDOWS\SYSTEM32\DRIVERS\DOWN\145138.EXE
02895391 W32/Bagle.RC.worm Virus/Worm No 0 Yes No C:\WINDOWS\SYSTEM32\DRIVERS\DOWN\179428.EXE
02895391 W32/Bagle.RC.worm Virus/Worm No 0 Yes No C:\Documents and Settings\ycchen100 Local Settings\Temporary Internet Files\Content.IE5\N8ECWR51\b64_31[1].jpg
02895391 W32/Bagle.RC.worm Virus/Worm No 0 Yes No C:\WINDOWS\SYSTEM32\MDELK.EXE
02895391 W32/Bagle.RC.worm Virus/Worm Yes 1 Yes No C:\WINDOWS\SYSTEM32\WINTEMS.EXE
02895391 W32/Bagle.RC.worm Virus/Worm No 0 Yes No C:\WINDOWS\SYSTEM32\DRIVERS\DOWN\14895198.EXE
;===================================================================================================================================================================================
SUSPECTS
Location
;===================================================================================================================================================================================
C:\WINDOWS\SYSTEM32\DLLCACHE\NTKRNLPA.EXE
C:\WINDOWS\Driver Cache\I386\NTKRNLPA.EXE
C:\WINDOWS\$HF_MIG$\KB890859\SP2QFE\NTKRNLPA.EXE
C:\WINDOWS\$HF_MIG$\KB929338\SP2QFE\NTKRNLPA.EXE
C:\WINDOWS\$HF_MIG$\KB931784\SP2QFE\NTKRNLPA.EXE
C:\WINDOWS\$NtUninstallKB890859$\NTKRNLPA.EXE
C:\WINDOWS\$NtUninstallKB929338$\NTKRNLPA.EXE
C:\WINDOWS\$NtUninstallKB931784$\NTKRNLPA.EXE
;===================================================================================================================================================================================
 
what to do next?

ok. THe total scan tells a clear story that the problem is related to system32\mdelk.exe and system32\wintems.exe and the folder \system32\drivers\down.

However, I can only see the file system32\mdelk.exe, but not hte other two. And I am not able to delete mdelk.exe. So, pretty much stuck again.

Is there a fix for this virus? and solution for the "not a valid win32 application" issue?
 
Combo-Fix log

Hi Blade81,

Thanks for offering your help. I had already done some cleanup yesterday using IcsSword targeting the malicious files/registry named in other similar threads in this forum.

It appears to me that the mdelk.exe file does not appear again, but I am not sure if the PC is now really virus-free. So i did the Combo-Fix scan adn the log will be posted in a following link.
 
Combo-Fix log

ComboFix 08-01-30.1 - ycchen100 2008-02-09 9:57:18.2 - FAT32x86
Running from: C:\Documents and Settings\ycchen100\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((( Files Created from 2008-01-09 - 2008-02-09 )))))))))))))))))))))))))))))))))
.

2008-02-09 09:00 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\ceesgmrosgcy.sys
2008-02-09 08:55 . 2008-02-09 08:55 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-02-05 20:48 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-05 14:41 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\rtpjckmnvjny.sys
2008-02-04 20:01 . 2008-02-09 08:55 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-03 19:03 . 2008-02-03 19:03 <DIR> d-------- C:\Program Files\Panda Security
2008-02-03 15:06 . 2000-08-31 08:00 98,816 --a------ C:\WINDOWS\system32\sed.exe
2008-02-03 15:06 . 2000-08-31 08:00 80,412 --a------ C:\WINDOWS\system32\grep.exe
2008-02-03 15:06 . 2000-08-31 08:00 73,728 --a------ C:\WINDOWS\system32\fdsv.exe
2008-02-03 15:06 . 2000-08-31 08:00 68,096 --a------ C:\WINDOWS\system32\zip.exe
2008-02-03 11:41 . 2008-02-03 11:41 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-03 11:41 . 2008-02-03 11:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-03 10:33 . 2008-02-03 10:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-02-03 10:32 . 2008-02-03 10:33 <DIR> d-------- C:\Documents and Settings\ycchen100\Application Data\PrevxCSI
2008-02-03 10:17 . 2008-02-03 10:17 <DIR> d--hs---- C:\FOUND.003
2008-02-02 20:29 . 2008-02-02 20:29 <DIR> d--h----- C:\WINDOWS\PIF
2008-02-02 20:09 . 2008-02-02 20:08 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-02-02 20:09 . 2008-02-02 20:08 298,104 --a------ C:\WINDOWS\system32\imon.dll
2008-02-02 20:09 . 2008-02-02 20:07 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2008-02-02 15:29 . 2006-09-06 00:03 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-02 15:25 . 2008-02-02 15:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-02 15:16 . 2008-02-02 15:16 <DIR> d--hs---- C:\FOUND.002
2008-01-29 15:59 . 2004-12-24 11:15 225,357 -ra------ C:\WINDOWS\system32\VM31bPrp.Ax
2008-01-29 15:59 . 2006-05-24 13:39 195,299 -ra------ C:\WINDOWS\system32\drivers\usbVM31b.sys
2008-01-29 15:59 . 2006-04-11 13:25 176,128 -ra------ C:\WINDOWS\amcap.exe
2008-01-29 15:59 . 2006-05-24 13:39 94,208 -ra------ C:\WINDOWS\VMCap.exe
2008-01-29 15:59 . 2006-05-24 13:39 61,440 -ra------ C:\WINDOWS\system32\VM31bSTI.dll
2008-01-29 15:59 . 2006-07-17 11:27 49,152 -ra------ C:\WINDOWS\VMSnap1.exe
2008-01-29 15:59 . 2006-07-04 14:16 49,152 -ra------ C:\WINDOWS\domino.exe
2008-01-11 21:37 . 2008-01-11 21:37 <DIR> d-------- C:\Program Files\Taobao
2008-01-09 22:06 . 2008-01-09 22:07 <DIR> d-------- C:\Program Files\TransMac
2008-01-09 21:59 . 2006-10-04 22:06 1,197,294 --------- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-01-09 21:59 . 2006-10-04 22:06 764,868 --------- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-01-09 21:59 . 2006-10-04 22:06 217,118 --------- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-01-09 21:56 . 2008-01-09 21:56 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-01-09 21:46 . 2008-01-09 21:46 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-09 20:05 . 2008-01-09 20:05 <DIR> d-------- C:\Documents and Settings\ycchen100\Application Data\Synergy Software
2008-01-09 20:05 . 2008-01-09 20:05 0 --a------ C:\WINDOWS\KGOleSrv.INI
2008-01-09 20:04 . 2008-01-09 20:04 <DIR> d-------- C:\Program Files\KaleidaGraph 4.0
2008-01-09 20:04 . 2008-01-09 20:04 <DIR> d-------- C:\Documents and Settings\All Users\start
2008-01-09 20:04 . 2004-03-29 15:23 90,112 --a------ C:\WINDOWS\unvise32.exe

.
(((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-09 01:59 6,815,744 ---ha-w C:\Documents and Settings\ycchen100\NTUSER.DAT
2008-02-09 01:59 6,815,744 ---ha-w C:\Documents and Settings\ycchen100\NTUSER.DAT
2008-02-03 02:33 --------- d-----w C:\Documents and Settings\ycchen100\Application Data\PrevxCSI
2008-01-11 13:37 --------- d-----w C:\Program Files\Taobao
2008-01-09 12:05 --------- d-----w C:\Documents and Settings\ycchen100\Application Data\Synergy Software
2008-01-05 16:20 --------- d-----w C:\Documents and Settings\ycchen100\Application Data\Media Player Classic
2008-01-05 16:18 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-01-05 16:05 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-01-05 16:05 --------- d-----w C:\Documents and Settings\ycchen100\Application Data\skypePM
2008-01-05 16:03 --------- d-----w C:\Program Files\Common Files\Skype
2008-01-05 14:50 --------- d-----w C:\Program Files\Glary Utilities
2007-12-24 05:49 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2007-11-14 07:27 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll
.

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\{A08FB30D-51C4-4E54-AA5E-FF18739802EA}]
@=Mediafour Mac Volume Icons

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-12-07 15:11 21777704]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 20:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00 455168]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-02-10 10:55 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-02-10 10:51 118784]
"SoundMan"="SOUNDMAN.EXE" [2003-12-19 17:53 65024 C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2003-11-19 15:41 88363 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-09-26 11:01 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-09-26 11:01 503808]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"Ulead AutoDetector"="C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" [2008-02-08 19:16 45056]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 20:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 20:00 59392]
"PRONoMgr.exe"="c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2004-02-05 16:33 86016]
"MDDiskProtect.exe"="C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe" [2005-04-15 15:54 106496]
"MediafourGettingStartedWithMacDrive6"="C:\Program Files\Mediafour\MacDrive\MacDrive.exe" [2004-08-26 14:12 86016]
"Mediafour Mac Volume Notifications"="C:\Program Files\Common Files\Mediafour\MACVNTFY.exe" [2002-12-17 16:43 61440]
"SNPSTD2"="C:\WINDOWS\vsnpstd2.exe" [2004-08-30 16:37 286720]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"domino"="C:\WINDOWS\domino.exe" [2006-07-04 14:16 49152]
"VMSnap1"="C:\WINDOWS\VMSnap1.exe" [2006-07-17 11:27 49152]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-02-08 19:11 949376]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-08 01:19 15872]
"!AVG Anti-Spyware"="C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 17:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 20:00 15360]

C:\Documents and Settings\ycchen100\Start Menu\Programs\Startup\
Internet Explorer.lnk - C:\Program Files\Internet Explorer\IEXPLORE.EXE [2005-05-31 12:23:18 93184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
c:\WINDOWS\system32\LgNotify.dll 2004-03-03 16:48 110592 c:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PPENSB\win32\PPINKDLL.DLL

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"


.
Contents of the 'Scheduled Tasks' folder
"2008-02-07 18:28:02 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-09 10:01:17
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program Files\Eset\pr_imon.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\Unlocker\UnlockerHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\domino.exe
C:\WINDOWS\VMSnap1.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PPENSB\Win32\ppshell.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-02-09 10:02:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-09 02:02:40
ComboFix2.txt 2008-02-03 07:11:08
.
2008-02-01 01:38:53 --- E O F ---
 
You must log in or register to reply here.
Back
Top