Topic: INF:Autorun-G [Trj] DSS log


cfisco

  • Guest
INF:Autorun-G [Trj] DSS log
« on: November 27, 2007, 12:49:13 AM »
Here's my log from the DSS. Pardon the random Chinese characters, as the infected laptop has the Chinese version of Windows installed.


Deckard's System Scanner v20071014.68
Run by MoChaNiNi on 2007-11-26 15:32:50
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-11-26 07:33:01 UTC - RP1 - 系統檢查點


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 247 MiB (512 MiB recommended).


-- HijackThis (run as MoChaNiNi.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 下午 03:35:34, on 2007/11/26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\ATK0100\Hcontrol.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Progra~1\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Documents and Settings\MoChaNiNi\桌面\dss.exe
C:\WINDOWS\system32\conime.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\MoChaNiNi.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Progra~1\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Progra~1\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [pccguide.exe] "c:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "c:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "c:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [tasa] C:\DOCUME~1\MOCHAN~1\LOCALS~1\Temp\taso.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [KeyMapperStarup] "C:\Program Files\K\KeyRemapper.exe"  /background
O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com.tw
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195292530796
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195350208250
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - c:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - c:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

--
End of file - 6763 bytes

cfisco

  • Guest
Re: INF:Autorun-G [Trj] DSS log
« Reply #1 on: November 27, 2007, 12:51:20 AM »
-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.2.1.0) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.2>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R2 Tmfilter - c:\windows\system32\drivers\tmxpflt.sys <Not Verified; Trend Micro Inc.; TMFilter for XP>
R2 Tmpreflt - c:\windows\system32\drivers\tmpreflt.sys <Not Verified; Trend Micro Inc.; TMFilter for XP>
R2 Vsapint - c:\windows\system32\drivers\vsapint.sys <Not Verified; Trend Micro Inc.; vsapi>

S3 PCC_PFW (PC-Cillin Personal Firewall) - c:\windows\system32\drivers\pcc_pfw.sys <Not Verified; Trend Micro Inc.; Trend Micro Personal Firewall 1.5>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 RegSrvc - c:\windows\system32\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>
R2 Tmntsrv (Trend NT Realtime Service) - "c:\program files\trend micro\pc-cillin 2002\tmntsrv.exe" <Not Verified; Trend Micro Inc.; Trend Pc-cillin 9.0>

S3 AresChatServer (Ares Chatroom server) - c:\program files\ares\chatserver.exe <Not Verified; Ares Development Group; Ares Chat Server>
S3 PCCPFW (PC-cillin PersonalFirewall) - c:\program files\trend micro\pc-cillin 2002\pccpfw.exe <Not Verified; Trend Micro Inc.; Trend Pc-cillin 9.0>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\322706FE01800
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\322706FE01800
Service: NIC1394

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139/810x Family Fast Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_10451043&REV_10\4&22270378&0&20F0
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek RTL8139/810x Family Fast Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_10451043&REV_10\4&22270378&0&20F0
Service: RTL8023


-- Files created between 2007-10-26 and 2007-11-26 -----------------------------

2007-11-25 16:10:59         0 d-------- C:\Documents and Settings\Administrator\桌面
2007-11-25 16:10:59         0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-11-25 16:10:59         0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-11-25 16:10:59         0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-11-25 16:10:59         0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-11-25 16:10:59         0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-11-25 16:10:59         0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-11-25 16:10:59         0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-11-25 16:10:59         0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-11-25 16:10:59         0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-11-25 16:10:59         0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-11-25 16:10:59         0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-11-25 16:10:59         0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-11-25 16:10:59         0 d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-11-25 16:10:59         0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-11-25 16:10:59         0 dr------- C:\Documents and Settings\Administrator\「開始」功能表
2007-11-25 16:10:58    786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-11-25 15:55:21      5824 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2007-11-21 10:43:32     84992 -r-hs---- C:\WINDOWS\system32\kavo1.dll
2007-11-19 21:36:16    117199 -r-hs---- C:\ntdelect.com
2007-11-19 21:35:44     92672 -r-hs---- C:\WINDOWS\system32\kavo0.dll
2007-11-19 21:35:41    117199 -r-hs---- C:\WINDOWS\system32\kavo.exe
2007-11-19 19:59:19         0 d-------- C:\Documents and Settings\MoChaNiNi\Contacts
2007-11-19 19:58:28         0 d-------- C:\WINDOWS\system32\DRVSTORE
2007-11-18 11:22:17         0 d-------- C:\Program Files\Ares
2007-11-18 10:39:09         0 d-------- C:\Documents and Settings\MoChaNiNi\Application Data\Adobe
2007-11-18 09:42:23         0 d-------- C:\Documents and Settings\MoChaNiNi\Application Data\Yahoo!
2007-11-18 09:42:23         0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-18 09:41:36         0 dr-h----- C:\Documents and Settings\All Users\Application Data\yahoo!
2007-11-18 09:39:02         0 d-------- C:\Program Files\Yahoo!
2007-11-18 09:38:11         0 d-------- C:\WINDOWS\cache
2007-11-18 09:31:01         0 d-------- C:\Documents and Settings\MoChaNiNi\Application Data\Macromedia
2007-11-18 09:28:08         0 d--hs---- C:\Program Files\Common Files\WindowsLiveInstaller
2007-11-18 09:27:30         0 d-------- C:\Program Files\Windows Live
2007-11-18 09:27:16         0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-18 00:43:25         0 d-------- C:\Documents and Settings\LocalService\「開始」功能表
2007-11-18 00:41:36         0 d-------- C:\WINDOWS\Prefetch
2007-11-18 00:05:07         0 d-------- C:\WINDOWS\peernet
2007-11-18 00:05:06         0 d-------- C:\WINDOWS\provisioning
2007-11-18 00:02:44         0 d-------- C:\WINDOWS\ServicePackFiles
2007-11-17 23:55:56         0 d-------- C:\WINDOWS\EHome

cfisco

  • Guest
Re: INF:Autorun-G [Trj] DSS log
« Reply #2 on: November 27, 2007, 12:51:44 AM »
2007-11-17 23:50:03    348160 --a------ C:\WINDOWS\system32\MSVCR71.dll <Not Verified; Microsoft Corporation; MicrosoftR Visual Studio .NET>
2007-11-17 23:50:03    499712 --a------ C:\WINDOWS\system32\MSVCP71.dll <Not Verified; Microsoft Corporation; MicrosoftR Visual Studio .NET>
2007-11-17 23:50:03   1060864 --a------ C:\WINDOWS\system32\MFC71.dll <Not Verified; Microsoft Corporation; MicrosoftR Visual Studio .NET>
2007-11-17 23:49:59         0 d-------- C:\Program Files\Alwil Software
2007-11-17 23:44:16         0 d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2007-11-17 23:44:12         0 d-------- C:\Program Files\ASUSTek
2007-11-17 23:44:06         0 d-------- C:\Program Files\CyberLink
2007-11-17 23:41:16         0 d-------- C:\Program Files\Microsoft ActiveSync
2007-11-17 23:40:50         0 d-------- C:\WINDOWS\SHELLNEW
2007-11-17 23:37:35         0 dr-h----- C:\MSOCache
2007-11-17 21:04:09         0 d-------- C:\Documents and Settings\MoChaNiNi\Application Data\U3
2007-11-17 18:12:01    171280 --a------ C:\WINDOWS\system32\jit.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2007-11-17 18:12:01    139536 --a------ C:\WINDOWS\system32\javaee.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2007-11-17 18:12:01     46352 --a------ C:\WINDOWS\setdebug.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2007-11-17 18:12:01      6550 --a------ C:\WINDOWS\jautoexp.dat
2007-11-17 18:12:00    313856 --a------ C:\WINDOWS\system32\dx3j.dll <Not Verified; Microsoft Corporation; MicrosoftR DirectX for Java>
2007-11-17 18:11:53       113 --a------ C:\WINDOWS\system32\zonedon.reg
2007-11-17 18:11:53       113 --a------ C:\WINDOWS\system32\zonedoff.reg
2007-11-17 18:11:52    171792 --a------ C:\WINDOWS\system32\wjview.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-17 18:11:52    286992 --a------ C:\WINDOWS\system32\vmhelper.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-17 18:11:52     21264 --a------ C:\WINDOWS\system32\msjdbc10.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2007-11-17 18:11:51    947472 --a------ C:\WINDOWS\system32\msjava.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2007-11-17 18:11:51    154384 --a------ C:\WINDOWS\system32\msawt.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2007-11-17 18:11:51    172304 --a------ C:\WINDOWS\system32\jview.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-17 18:11:51     15120 --a------ C:\WINDOWS\system32\jdbgmgr.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2007-11-17 18:11:50    404752 --a------ C:\WINDOWS\system32\javart.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2007-11-17 18:11:50     63248 --a------ C:\WINDOWS\system32\javaprxy.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2007-11-17 18:11:50    187152 --a------ C:\WINDOWS\system32\javacypt.dll <Not Verified; Microsoft Corporation; MicrosoftR WindowsR Operating System>
2007-11-17 18:11:49     49424 --a------ C:\WINDOWS\system32\clspack.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2007-11-17 17:57:10         0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-11-17 17:46:49         0 d-------- C:\WINDOWS\system32\PreInstall
2007-11-17 17:46:45         0 d--h----- C:\WINDOWS\$hf_mig$
2007-11-17 17:45:53         0 d-------- C:\WINDOWS\system32\bits
2007-11-17 17:42:18         0 d-------- C:\WINDOWS\SoftwareDistribution
2007-11-17 17:42:07         0 d---s---- C:\Documents and Settings\MoChaNiNi\UserData
2007-11-17 17:31:23         0 d--h----- C:\Documents and Settings\MoChaNiNi\WLANProfiles
2007-11-17 17:31:13         0 dr------- C:\Documents and Settings\MoChaNiNi\桌面
2007-11-17 17:31:13         0 d-------- C:\Documents and Settings\MoChaNiNi\WINDOWS
2007-11-17 17:31:13         0 d--h----- C:\Documents and Settings\MoChaNiNi\Templates
2007-11-17 17:31:13         0 dr-h----- C:\Documents and Settings\MoChaNiNi\SendTo
2007-11-17 17:31:13         0 dr-h----- C:\Documents and Settings\MoChaNiNi\Recent
2007-11-17 17:31:13         0 d--h----- C:\Documents and Settings\MoChaNiNi\PrintHood
2007-11-17 17:31:13   1572864 --ah----- C:\Documents and Settings\MoChaNiNi\NTUSER.DAT
2007-11-17 17:31:13         0 d--h----- C:\Documents and Settings\MoChaNiNi\NetHood
2007-11-17 17:31:13         0 dr------- C:\Documents and Settings\MoChaNiNi\My Documents
2007-11-17 17:31:13         0 d--h----- C:\Documents and Settings\MoChaNiNi\Local Settings
2007-11-17 17:31:13         0 dr------- C:\Documents and Settings\MoChaNiNi\Favorites
2007-11-17 17:31:13         0 d---s---- C:\Documents and Settings\MoChaNiNi\Cookies
2007-11-17 17:31:13         0 dr-h----- C:\Documents and Settings\MoChaNiNi\Application Data
2007-11-17 17:31:13         0 d-------- C:\Documents and Settings\MoChaNiNi\Application Data\InterTrust
2007-11-17 17:31:13         0 d-------- C:\Documents and Settings\MoChaNiNi\Application Data\Identities
2007-11-17 17:31:13         0 dr------- C:\Documents and Settings\MoChaNiNi\「開始」功能表
2007-11-17 17:30:58    262144 --a------ C:\Documents and Settings\All Users\NTUSER.DAT
2007-11-17 17:30:55         0 d-------- C:\Documents and Settings\Default User\WINDOWS
2007-11-17 17:30:55         0 d-------- C:\Documents and Settings\Default User\Application Data\InterTrust
2007-11-17 17:30:55         0 d-------- C:\Documents and Settings\Default User\Application Data\Identities
2007-11-17 17:24:37         0 d--hs---- C:\Recycled
2007-11-17 17:24:02     14037 --a------ C:\WINDOWS\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.2>
2007-11-17 17:23:57         0 d-------- C:\WINDOWS\system32\LogFiles
2007-11-17 16:58:54         0 d---s---- C:\WINDOWS\system32\Microsoft
2007-11-17 16:55:20     26112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe <Not Verified; Microsoft Corporation; MicrosoftR WindowsR Operating System>
2007-11-17 16:54:07         0 d-------- C:\Program Files\Intel
2007-11-17 16:52:35         0 d-------- C:\Program Files\Trend Micro
2007-11-17 16:52:33         0 d--hs---- C:\WINDOWS\Installer
2007-11-17 16:51:39         0 d-------- C:\WINDOWS\system32\ReinstallBackups
2007-11-17 16:51:30         0 d-------- C:\Program Files\Synaptics
2007-11-17 16:50:58    996872 -----n--- C:\WINDOWS\system32\CP3240MT.DLL <Not Verified; Borland International; Borland C++ Builder 3.0>
2007-11-17 16:50:58     25600 -----n--- C:\WINDOWS\system32\BORLNDMM.DLL <Not Verified; Inprise Corporation; Borland Memory Manager>
2007-11-17 16:50:58      6272 -----n--- C:\WINDOWS\system32\ASLM75.SYS
2007-11-17 16:50:57      6272 --a------ C:\WINDOWS\system32\drivers\ASLM75.SYS
2007-11-17 16:50:43         0 d-------- C:\WINDOWS\Profiles

cfisco

  • Guest
Re: INF:Autorun-G [Trj] DSS log
« Reply #3 on: November 27, 2007, 12:52:11 AM »
2007-11-17 16:50:41         0 d-------- C:\Program Files\Common Files\Adobe
2007-11-17 16:50:10         0 d-------- C:\Program Files\ASUS
2007-11-17 16:50:09    306688 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShieldR unInstaller>
2007-11-17 16:49:42         0 d-------- C:\WINDOWS\RegisteredPackages
2007-11-17 16:48:30     30208 --a------ C:\WINDOWS\system32\wdmioctl.dll <Not Verified; Analog Devices Inc.; Analog Devices Inc. wdmioctl>
2007-11-17 16:48:30   1285632 --a------ C:\WINDOWS\system32\SMMedia.dll <Not Verified; Analog Devices; SoundMAX Integrated Digital Audio>
2007-11-17 16:48:29         0 d-------- C:\WINDOWS\VirtualEar
2007-11-17 16:48:29     45056 --a------ C:\WINDOWS\system32\SynthCore11Resources.dll <Not Verified; Analog Devices, Inc.; Analog Devices, Inc. SynthCore11Resources>
2007-11-17 16:48:29     40820 --a------ C:\WINDOWS\system32\Syncor11.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>
2007-11-17 16:48:29     49152 --a------ C:\WINDOWS\system32\S11thk32.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>
2007-11-17 16:48:29    765952 --a------ C:\WINDOWS\system\crlds3d.dll <Not Verified; Sensaura Ltd; Sensaura 3DPA>
2007-11-17 16:48:29    978944 --a------ C:\WINDOWS\SynthCoreA.Dll <Not Verified; Analog Devices, Inc.; SoundMAX Wavetable>
2007-11-17 16:48:29    380928 --a------ C:\WINDOWS\SynCor.exe <Not Verified; Analog Devices, Inc.; SynthCore>
2007-11-17 16:48:28        44 --a------ C:\WINDOWS\system32\msssc.dll
2007-11-17 16:48:28     49152 --a------ C:\WINDOWS\system32\DSndUp.exe <Not Verified; Analog Devices Inc.; adi DSndUp>
2007-11-17 16:48:28     45056 --a------ C:\WINDOWS\system32\CleanUp.exe <Not Verified; adi; adi CleanUp>
2007-11-17 16:48:28         0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-17 16:48:28         0 d-------- C:\Program Files\Analog Devices
2007-11-17 16:48:26         0 d-------- C:\Program Files\Common Files\InstallShield
2007-11-17 16:48:07         0 d-------- C:\Documents and Settings\All Users\Application Data\SBSI
2007-11-17 16:47:40    306688 --a------ C:\WINDOWS\IsUn0404.exe <Not Verified; InstallShield Software Corporation; InstallShield (R) unInstaller>
2007-11-17 16:47:17         0 d--hs---- C:\System Volume Information
2007-11-17 16:47:15         0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2007-11-17 16:47:15         0 d---s---- C:\Documents and Settings\LocalService\Cookies
2007-11-17 16:47:15         0 d-------- C:\Documents and Settings\LocalService\Application Data
2007-11-17 16:47:15         0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2007-11-17 16:47:14    233472 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2007-11-17 16:47:14         0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2007-11-17 16:47:14         0 d---s---- C:\Documents and Settings\NetworkService\Cookies
2007-11-17 16:47:14         0 d-------- C:\Documents and Settings\NetworkService\Application Data
2007-11-17 16:47:14         0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2007-11-17 16:47:14    233472 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2007-11-17 16:45:01         0 d-------- C:\WINDOWS\system32\xircom
2007-11-17 16:45:01         0 d-------- C:\Program Files\microsoft frontpage
2007-11-17 16:44:58    786432 --ah----- C:\Documents and Settings\Default User\NTUSER.DAT
2007-11-17 16:44:52         0 -rahs---- C:\MSDOS.SYS
2007-11-17 16:44:52         0 -rahs---- C:\IO.SYS
2007-11-17 16:44:52         0 --a------ C:\CONFIG.SYS
2007-11-17 16:44:52         0 --a------ C:\AUTOEXEC.BAT
2007-11-17 16:43:59         0 d--hs---- C:\Documents and Settings\All Users\DRM
2007-11-17 16:43:51         0 dr------- C:\WINDOWS\Offline Web Pages
2007-11-17 16:43:51         0 d---s---- C:\WINDOWS\Downloaded Program Files
2007-11-17 16:43:29         0 d-------- C:\WINDOWS\system32\DirectX
2007-11-17 16:43:13         0 d---s---- C:\WINDOWS\Tasks
2007-11-17 16:43:12         0 d-------- C:\Program Files\Common Files\MSSoap
2007-11-17 16:43:10         0 d-------- C:\WINDOWS\system32\Macromed
2007-11-17 16:43:10         0 d-------- C:\WINDOWS\srchasst
2007-11-17 16:43:09         0 d-------- C:\Program Files\Movie Maker
2007-11-17 16:43:08         0 d-------- C:\WINDOWS\system32\Restore
2007-11-17 16:43:08         0 d-------- C:\WINDOWS\PCHealth
2007-11-17 16:42:58     21456 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-11-17 16:42:39         0 d-------- C:\WINDOWS\Registration
2007-11-17 16:42:17         0 d--h----- C:\Program Files\WindowsUpdate
2007-11-17 16:42:17         0 d-------- C:\Program Files\Online Services
2007-11-17 16:42:12         0 d-------- C:\Program Files\Messenger
2007-11-17 16:42:10         0 d-------- C:\Program Files\MSN Gaming Zone
2007-11-17 16:41:54         0 d-------- C:\Program Files\Windows NT
2007-11-17 16:41:53         0 d-------- C:\WINDOWS\system32\MsDtc
2007-11-17 16:41:53         0 d-------- C:\WINDOWS\system32\Com
2007-11-17 16:39:39         0 d-------- C:\Program Files\CONEXANT
2007-11-17 16:39:19         0 d-------- C:\WINDOWS\ATK0100
2007-11-17 16:38:55         0 d-------- C:\Program Files\Common Files\ODBC
2007-11-17 16:38:53         0 dr------- C:\Program Files
2007-11-17 16:38:53         0 d-------- C:\Program Files\Common Files
2007-11-17 16:38:53         0 d-------- C:\Program Files\Common Files\SpeechEngines
2007-11-17 16:37:47         0 d-------- C:\Documents and Settings\Default User\桌面
2007-11-17 16:37:47         0 d--h----- C:\Documents and Settings\Default User\Templates
2007-11-17 16:37:47         0 dr-h----- C:\Documents and Settings\Default User\SendTo
2007-11-17 16:37:47         0 dr-h----- C:\Documents and Settings\Default User\Recent
2007-11-17 16:37:47         0 d--h----- C:\Documents and Settings\Default User\PrintHood
2007-11-17 16:37:47         0 d--h----- C:\Documents and Settings\Default User\NetHood
2007-11-17 16:37:47         0 dr------- C:\Documents and Settings\Default User\My Documents
2007-11-17 16:37:47         0 d--h----- C:\Documents and Settings\Default User\Local Settings
2007-11-17 16:37:47         0 dr------- C:\Documents and Settings\Default User\Favorites
2007-11-17 16:37:47         0 d---s---- C:\Documents and Settings\Default User\Cookies
2007-11-17 16:37:47         0 dr------- C:\Documents and Settings\Default User\「開始」功能表
2007-11-17 16:37:47         0 d-------- C:\Documents and Settings\All Users\桌面
2007-11-17 16:37:47         0 d--h----- C:\Documents and Settings\All Users\Templates
2007-11-17 16:37:47         0 d-------- C:\Documents and Settings\All Users\Favorites
2007-11-17 16:37:47         0 dr------- C:\Documents and Settings\All Users\Documents
2007-11-17 16:37:47         0 dr------- C:\Documents and Settings\All Users\「開始」功能表
2007-11-17 16:37:36         0 d-------- C:\WINDOWS\system32\CatRoot2
2007-11-17 16:37:36         0 d-------- C:\WINDOWS\system32\CatRoot
2007-11-17 16:37:31         0 dr-h----- C:\Documents and Settings\Default User\Application Data
2007-11-17 16:37:31         0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2007-11-17 16:37:31         0 dr-h----- C:\Documents and Settings\All Users\Application Data
2007-11-17 16:37:31         0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2007-11-17 16:37:20         0 d-------- C:\Documents and Settings
2007-11-17 16:36:52         0 d-------- C:\VALUEADD
2007-11-17 16:36:52         0 d-------- C:\SUPPORT

cfisco

  • Guest
Re: INF:Autorun-G [Trj] DSS log
« Reply #4 on: November 27, 2007, 12:52:58 AM »
2007-11-17 16:36:52         0 d-------- C:\RICOH_593
2007-11-17 16:35:30         0 d-------- C:\WINDOWS\WinSxS
2007-11-17 16:35:30         0 d-------- C:\WINDOWS\system32\usmt
2007-11-17 16:35:30         0 d-------- C:\WINDOWS\system32\inetsrv
2007-11-17 16:35:30         0 d-------- C:\WINDOWS\system32\IME
2007-11-17 16:35:30         0 d-------- C:\WINDOWS\system32\3com_dmi
2007-11-17 16:35:30         0 d-------- C:\WINDOWS\mui
2007-11-17 16:35:30         0 d-------- C:\WINDOWS\ime
2007-11-17 16:35:29         0 d-------- C:\WINDOWS
2007-11-17 16:35:29         0 dr------- C:\WINDOWS\Web
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\twain_32
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\system32
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\system32\wins
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\system32\wbem
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\system32\spool
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\system32\ShellExt
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\system32\Setup
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\system32\ras
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\system32\oobe
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\system32\npp
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\system32\mui
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\system32\icsxml
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\system32\ias
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\system32\export
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\system32\drivers
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\system32\drivers\etc
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\system32\drivers\disdn
2007-11-17 16:35:29         0 dr-hs---- C:\WINDOWS\system32\dllcache
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\system32\dhcp
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\system32\config
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\system32\3076
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\system32\2052
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\system32\1054
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\system32\1042
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\system32\1041
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\system32\1037
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\system32\1033
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\system32\1031
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\system32\1028
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\system32\1025
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\system
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\security
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\Resources
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\repair
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\msapps
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\msagent
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\Media
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\java
2007-11-17 16:35:29         0 d--h----- C:\WINDOWS\inf
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\Help
2007-11-17 16:35:29         0 dr--s---- C:\WINDOWS\Fonts
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\Driver Cache
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\Debug
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\Cursors
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\Connection Wizard
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\Config
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\AppPatch
2007-11-17 16:35:29         0 d-------- C:\WINDOWS\addins
2007-11-17 16:29:58        24 --a------ C:\RECOVERY.DAT


-- Find3M Report ---------------------------------------------------------------

2007-11-19 12:14:56    131072 --a------ C:\WINDOWS\system32\prfh0404.dat
2007-11-19 12:14:56     43200 --a------ C:\WINDOWS\system32\prfc0404.dat
2007-11-17 16:37:48        62 --ahs---- C:\Documents and Settings\MoChaNiNi\Application Data\desktop.ini


cfisco

  • Guest
Re: INF:Autorun-G [Trj] DSS log
« Reply #5 on: November 27, 2007, 12:53:43 AM »
-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004/08/04 下午 01:32]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004/08/04 下午 03:48]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004/08/04 下午 03:48]
"Hcontrol"="C:\WINDOWS\ATK0100\Hcontrol.exe" [2004/01/13 下午 09:27]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003/12/12 下午 12:17]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003/12/12 下午 12:17]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003/07/30 上午 09:08]
"ASUS Live Update"="C:\Program Files\ASUS\ASUS Live Update\ALU.exe" [2003/09/19 下午 12:54]
"Power_Gear"="C:\Progra~1\ASUS\Power4 Gear\BatteryLife.exe" [2002/11/29 上午 11:14]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004/02/06 下午 12:05]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004/02/06 下午 12:05]
"pccguide.exe"="c:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe" [2003/04/29 上午 02:59]
"PCCClient.exe"="c:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe" [2003/04/29 上午 02:59]
"Pop3trap.exe"="c:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe" [2003/04/29 上午 02:59]
"PRONoMgr.exe"="c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003/12/10 上午 02:36]
"RemoteControl"="C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe" [2003/10/31 下午 07:42]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007/09/06 下午 06:06]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007/06/08 下午 10:59]
"tasa"="C:\DOCUME~1\MOCHAN~1\LOCALS~1\Temp\taso.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004/08/04 下午 03:47]
"KeyMapperStarup"="C:\Program Files\K\KeyRemapper.exe" []
"kava"="C:\WINDOWS\system32\kavo.exe" [2007/11/26 下午 03:33]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{1DBD6574-D6D0-4782-94C3-69619E719765}"= C:\WINDOWS\HELP\F3C74E3FA248.dll [2007/11/19 下午 09:28 140288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
c:\WINDOWS\System32\LgNotify.dll 2003/12/16 下午 04:49 110592 c:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{915325f2-950d-11dc-927c-00112fcbfa8c}]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad853fa4-97dc-11dc-9289-000e352bda4a}]
verb1\command- afx.exe




-- End of Deckard's System Scanner: finished at 2007-11-26 15:36:48 ------------


cfisco

  • Guest
Re: INF:Autorun-G [Trj] DSS log
« Reply #6 on: November 27, 2007, 01:00:08 AM »
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: Chinese

CPU 0: Intel(R) Pentium(R) M processor 1.70GHz
Percentage of Memory in Use: 79%
Physical Memory (total/avail): 246.8 MiB / 50.89 MiB
Pagefile Memory (total/avail): 606.2 MiB / 337.45 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1904.47 MiB

C: is Fixed (FAT32) - 32.51 GiB total, 23.53 GiB free.
D: is Fixed (FAT32) - 21.6 GiB total, 19.57 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - IC25N060ATMR04-0 - 55.89 GiB - 3 partitions
  \PARTITION0 - Unknown - 1804.14 MiB
  \PARTITION1 (bootable) - Unknown - 32.52 GiB - C:
  \PARTITION2 - Extended w/Extended Int 13 - 21.61 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: avast! antivirus 4.7.1043 [VPS 071125-0] v4.7.1043 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares p2p for windows"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Documents and Settings\\MoChaNiNi\\桌面\\dss.exe"="C:\\Documents and Settings\\MoChaNiNi\\桌面\\dss.exe:*:Enabled:dss"

cfisco

  • Guest
Re: INF:Autorun-G [Trj] DSS log
« Reply #7 on: November 27, 2007, 01:00:50 AM »
-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\MoChaNiNi\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=M
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\MoChaNiNi
LOGONSERVER=\\M
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d06
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\MOCHAN~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\MOCHAN~1\LOCALS~1\Temp
USERDOMAIN=M
USERNAME=MoChaNiNi
USERPROFILE=C:\Documents and Settings\MoChaNiNi
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

MoChaNiNi (admin)
Administrator (admin)

cfisco

  • Guest
Re: INF:Autorun-G [Trj] DSS log
« Reply #8 on: November 27, 2007, 01:11:40 AM »
-- Add/Remove Programs ---------------------------------------------------------

 --> C:\WINDOWS\IsUn0404.exe -fC:\WINDOWS\orun32.isu
 --> MsiExec.exe /I{B5D8CCBF-08D8-46C0-8B04-3BC0CAEDA094}
 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Ares 2.0.9 --> "C:\Program Files\Ares\uninstall.exe"
ASUS Live Update --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ASUS\ASUS Live Update\Uninst.isu" -c"C:\Program Files\ASUS\ASUS Live Update\Uninst.dll"
ASUS Probe V2.10 --> C:\WINDOWS\IsUninst.exe -f"C:\Progra~1\ASUS\ASUS Probe\Uninst.isu"
ASUSDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe"  -uninstall
ATK0100 ACPI UTILITY --> C:\WINDOWS\ATK0100\XPunin.exe
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
Intel(R) Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_3582
Intel(R) PROSet for Wireless --> MsiExec.exe /I{5380063E-2909-4d72-BFA3-625881F2E78B}
KB898458:Step by Step Interactive Training 筆記本檢視器安全性更新 --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
KB923723:Step by Step Interactive Training 筆記本檢視器安全性更新 --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
PC-cillin 2002 --> MsiExec.exe /X{C90F3E44-3BF6-11D4-A110-00500405613A}
Power4 Gear V1.07 --> C:\WINDOWS\IsUninst.exe -f"C:\Progra~1\ASUS\Power4 Gear\Uninst.isu"
SoftV92 Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_18261043\HXFSETUP.EXE -U -Iaus1826k.inf
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe"
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows XP 安全性更新 (KB890046) --> "C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB893756) --> "C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB896358) --> "C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB896423) --> "C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB896424) --> "C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB896428) --> "C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB899587) --> "C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB899591) --> "C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB900725) --> "C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB901017) --> "C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB901190) --> "C:\WINDOWS\$NtUninstallKB901190$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB901214) --> "C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB902400) --> "C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB904706) -->

cfisco

  • Guest
Re: INF:Autorun-G [Trj] DSS log
« Reply #9 on: November 27, 2007, 01:17:09 AM »
Windows XP 安全性更新 (KB905414) --> "C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB905749) --> "C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB908519) --> "C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB911562) --> "C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB911927) --> "C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB912919) --> "C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB913433) --> C:\WINDOWS\System32\MacroMed\Flash\genuinst.exe C:\WINDOWS\System32\MacroMed\Flash\KB913433.inf
Windows XP 安全性更新 (KB913580) --> "C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB914388) --> "C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB914389) --> "C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB917344) --> "C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB917422) --> "C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB917953) --> "C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB918118) --> "C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB919007) --> "C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB920213) --> "C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB920670) --> "C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB920683) --> "C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB920685) --> "C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB921398) --> "C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB921503) --> "C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB921883) --> "C:\WINDOWS\$NtUninstallKB921883$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB922616) --> "C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB922819) --> "C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB923191) --> "C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB923414) --> "C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB923689) --> "C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB923980) --> "C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB924191) --> "C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB924270) --> "C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB924496) --> "C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB924667) --> "C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB925902) --> "C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB926255) --> "C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB926436) --> "C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB927779) --> "C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB927802) --> "C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB928255) --> "C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB928843) --> "C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB929123) --> "C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB930178) --> "C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB931261) --> "C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB932168) --> "C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB933729) --> "C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB935839) --> "C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB935840) --> "C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB936021) --> "C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB938127) --> "C:\WINDOWS\$NtUninstallKB938127$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB938829) --> "C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB939653) --> "C:\WINDOWS\$NtUninstallKB939653$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB941202) --> "C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB943460) --> "C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Windows XP 更新 (KB898461) --> "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Windows XP 更新 (KB900485) --> "C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Windows XP 更新 (KB908531) --> "C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Windows XP 更新 (KB910437) --> "C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Windows XP 更新 (KB911280) --> "C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Windows XP 更新 (KB916595) --> "C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Windows XP 更新 (KB920872) --> "C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Windows XP 更新 (KB922582) --> "C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Windows XP 更新 (KB927891) --> "C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Windows XP 更新 (KB930916) --> "C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Windows XP 更新 (KB933360) --> "C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"
Windows XP 更新 (KB936357) --> "C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Windows XP 更新 (KB938828) --> "C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
WINFLASH V2.11 --> C:\WINDOWS\IsUninst.exe -fC:\Progra~1\ASUS\WINFLASH\Uninst.isu
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\WINDOWS\cache\YINSTH~1.DLL
Yahoo! Search Protection --> C:\PROGRA~1\Yahoo!\SEARCH~1\UNINST~1.EXE
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe

cfisco

  • Guest
Re: INF:Autorun-G [Trj] DSS log
« Reply #10 on: November 27, 2007, 01:25:51 AM »
-- Application Event Log -------------------------------------------------------

Event Record #/Type125 / Error
Event Submitted/Written: 11/22/2007 10:31:19 PM
Event ID/Source: 485 / ESENT
Event Description:
wuauclt (1180) 嘗試刪除資料夾 "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb" 失敗並出現系統錯誤 5 (0x00000005): "存取被拒。 "。 刪除資料夾作業將會失敗並出現錯誤 -1032 (0xfffffbf8)。

Event Record #/Type124 / Error
Event Submitted/Written: 11/22/2007 10:31:19 PM
Event ID/Source: 485 / ESENT
Event Description:
wuauclt (1180) 嘗試刪除資料夾 "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb" 失敗並出現系統錯誤 5 (0x00000005): "存取被拒。 "。 刪除資料夾作業將會失敗並出現錯誤 -1032 (0xfffffbf8)。

Event Record #/Type123 / Error
Event Submitted/Written: 11/22/2007 10:31:19 PM
Event ID/Source: 485 / ESENT
Event Description:
wuauclt (1180) 嘗試刪除資料夾 "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb" 失敗並出現系統錯誤 5 (0x00000005): "存取被拒。 "。 刪除資料夾作業將會失敗並出現錯誤 -1032 (0xfffffbf8)。

Event Record #/Type122 / Error
Event Submitted/Written: 11/22/2007 10:31:19 PM
Event ID/Source: 485 / ESENT
Event Description:
wuauclt (1180) 嘗試刪除資料夾 "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb" 失敗並出現系統錯誤 5 (0x00000005): "存取被拒。 "。 刪除資料夾作業將會失敗並出現錯誤 -1032 (0xfffffbf8)。

Event Record #/Type121 / Error
Event Submitted/Written: 11/22/2007 10:31:19 PM
Event ID/Source: 485 / ESENT
Event Description:
wuauclt (1180) 嘗試刪除資料夾 "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb" 失敗並出現系統錯誤 5 (0x00000005): "存取被拒。 "。 刪除資料夾作業將會失敗並出現錯誤 -1032 (0xfffffbf8)。



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type1073 / Error
Event Submitted/Written: 11/26/2007 03:33:17 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
ertfgvbh 服務無法啟動,因為發生下列錯誤:
%%2

Event Record #/Type1067 / Error
Event Submitted/Written: 11/26/2007 03:28:06 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
asadwaxcfvgr 服務無法啟動,因為發生下列錯誤:
%%2

Event Record #/Type1043 / Error
Event Submitted/Written: 11/25/2007 05:52:24 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
asadwaxcfvgr 服務無法啟動,因為發生下列錯誤:
%%2

Event Record #/Type1017 / Error
Event Submitted/Written: 11/25/2007 05:44:55 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM 遇到錯誤 "%%1084",是當嘗試啟動服務 EventSystem 而引數為 "",
為了執行伺服器:
{1BE1F766-5536-11D1-B726-00C04FB926AF} 之時

Event Record #/Type1016 / Warning
Event Submitted/Written: 11/25/2007 04:54:59 PM
Event ID/Source: 1073 / USER32
Event Description:
嘗試 電源關閉 鶶 失敗



-- End of Deckard's System Scanner: finished at 2007-11-26 15:36:48 ------------


cfisco

  • Guest
Re: INF:Autorun-G [Trj] DSS log
« Reply #11 on: November 27, 2007, 06:06:28 AM »
I tried running the first step of the Trend Micro solution, which is to run their virus scanning program and note all files infected with WORM_NSPM.JS. I used their online scanner (http://housecall.antivirus.com) but it did not locate any viruses...

I still do not have the Windows XP disk with me, so I am unable to try the recovery console. Does anyone have any ideas about what I should do?

Thanks!

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: INF:Autorun-G [Trj] DSS log
« Reply #12 on: November 27, 2007, 07:05:42 PM »
Hi

I didn't intentionally ignore you. I was going to give you the link to the other thread, but saw you had already found it and were willing to give it a shot.

I'm interested in how well this program works, so after you use it, can you do the manual check of the reg keys and check for the autorun files? Fix any you have to and let me know how many were restored to default.

I've checked one DSS log after the program was used and it seemed to miss a wee bit.

So if you don't mind helping out with this, I'd appreciate it if you could post another DSS log after you have used the program.

I don't know what the instructions for the program are, but I think it may be best to turn system restore off.

Thanks.

cfisco

  • Guest
Re: INF:Autorun-G [Trj] DSS log
« Reply #13 on: November 27, 2007, 11:42:00 PM »
Can do. I won't be able to try the program until later though.

I'll post if I have any luck.
Thanks for the reply!

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: INF:Autorun-G [Trj] DSS log
« Reply #14 on: November 27, 2007, 11:47:01 PM »
That's fine. I'd like to thank you for helping with this. We may be able to find a solution that will help others.

Take care.