INF:Autorun-G [Trj] Trojan Horse?

Hi, there are a couple of solutions posted in this thread

using the tools in this thread

http://forum.avast.com/index.php?topic=31671.msg264502#msg264502

with my suggested procedure here

http://forum.avast.com/index.php?topic=31671.msg264870#msg264870

manual reg key removal instructions

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NSPM.JS&VSect=T

or just posting a DSS log

Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
- Close all other windows before proceeding.
- Double-click on dss.exe and follow the prompts.
- When it has finished, dss will open two Notepads, main.txt and extra.txt – please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

It might be worth a try to run AVG antivirus.
Friends of mine using AVG are quite successful in eliminating the autorun-g as well as the other viruses that came along with it.
The only setback with AVG is that it is unable to change back the registry that has been modified by the virus.
At least you will be free from the autoruns first.

All the best to you,
michaelong

The virus comes from a trojan downloader…
I forgot the application… but you can try Spyware Terminator…
The other AV that detects this downloader is Kaspersky, as far as I know…
If I am not mistaken it is kavo.exe…
Anyway, try to use antispyware to remove this virus…

Good luck…
Sorry for the bad language…

Hi guys, I have the same problem with my laptop… I already followed the manual removal instructions and it works for me… I know the source of this virus was my PSP: when I connect my PSP and run it in USB mode, the virus comes back!!! I notice a strange illegal operation box popping up saying some “zz.exe” runs abnormally, after which the virus comes back… Can anyone help me? My DSS log file is as follows:

Deckard’s System Scanner v20071014.68
Run by Shi Qing on 2007-12-18 01:08:33
Computer is in Normal Mode.

– System Restore --------------------------------------------------------------

Successfully created a Deckard’s System Scanner Restore Point.

– Last 3 Restore Point(s) –
3: 2007-12-17 17:08:44 UTC - RP3 - Deckard’s System Scanner Restore Point
2: 2007-12-17 16:43:47 UTC - RP2 - ComboFix created restore point
1: 2007-12-17 16:43:28 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 383 MiB (512 MiB recommended).

– HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-12-18 01:12:53
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HPQ\Quick Launch Buttons\eabservr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
D:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
D:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Thunder Network\WebThunder\WebThunder.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Shi Qing\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pacific.net.sg/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
O2 - BHO: WebThunderBHO - {00000AAA-A363-466E-BEF5-9BB68697AA7F} - C:\Program Files\Thunder Network\WebThunder\WebThunderBHO_Now.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM..\Run: [IMJPMIG8.1] “C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE” /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKLM..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [WebThunder] C:\Program Files\Thunder Network\WebThunder\WebThunder.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = D:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: ʹÓÃWebѸÀ×ÏÂÔØ - C:\Program Files\Thunder Network\WebThunder\GetUrl.htm
O8 - Extra context menu item: ʹÓÃWebѸÀ×ÏÂÔØÈ«²¿Á´½Ó - C:\Program Files\Thunder Network\WebThunder\GetAllUrl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Æô¶¯WEBѸÀ× - {962EFB8E-2683-42d4-AC74-AAA4C759B9C6} - http://my.xunlei.com (file missing)
O9 - Extra ‘Tools’ menuitem: Æô¶¯WEBѸÀ× - {962EFB8E-2683-42d4-AC74-AAA4C759B9C6} - http://my.xunlei.com (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


End of file - 7585 bytes

– File Associations -----------------------------------------------------------

All associations okay.

– Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 catchme - c:\docume~1\shiqin~1\locals~1\temp\catchme.sys (file missing)

– Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R3 hpqwmi (HP WMI Interface) - c:\program files\hpq\shared\hpqwmi.exe <Not Verified; Hewlett-Packard Development Company, L.P.; hpqwmi Module>

– Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139/810x Family Fast Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_3091103C&REV_10\4&13826118&0&00A4
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek RTL8139/810x Family Fast Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_3091103C&REV_10\4&13826118&0&00A4
Service: RTL8023xp

– Scheduled Tasks -------------------------------------------------------------

2007-12-18 01:11:00 366 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job

– Files created between 2007-11-18 and 2007-12-18 -----------------------------

2007-12-18 01:05:58 88576 -r-hs---- C:\WINDOWS\system32\kavo1.dll
2007-12-18 01:05:39 115964 -r-hs---- C:\WINDOWS\system32\kavo.exe
2007-12-17 23:12:41 115964 -r-hs---- C:\ntdeIect.com
2007-12-10 18:56:50 0 d-------- C:\Documents and Settings\All Users\Application Data\thunder_dctemp
2007-12-01 15:34:42 1156 --a------ C:\WINDOWS\mozver.dat
2007-12-01 15:33:08 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-01 15:33:02 0 d-------- C:\Documents and Settings\Shi Qing\Application Data\Mozilla
2007-11-27 19:53:22 0 d—s---- C:\Xunlei
2007-11-27 19:50:07 0 d-------- C:\Documents and Settings\All Users\Application Data\thunder_vod_cache
2007-11-27 19:50:07 0 d-------- C:\Documents and Settings\All Users\Application Data\mvcache
2007-11-27 19:50:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Thunder Network
2007-11-27 19:46:37 417 --a------ C:\WINDOWS\system32\cid_store.dat
2007-11-27 19:46:21 0 d-------- C:\Program Files\Thunder Network

– Find3M Report ---------------------------------------------------------------

2007-12-08 16:07:13 0 d-------- C:\Program Files\Google

– Registry Dump ---------------------------------------------------------------

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“IMJPMIG8.1”=“C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe” [2004-08-04 20:00]
“PHIME2002ASync”=“C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe” [2004-08-04 20:00]
“PHIME2002A”=“C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe” [2004-08-04 20:00]
“SynTPLpr”=“C:\Program Files\Synaptics\SynTP\SynTPLpr.exe” [2005-02-02 20:12]
“SynTPEnh”=“C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [2005-02-02 20:11]
“ATIPTA”=“C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [2005-04-11 10:00]
“Cpqset”=“C:\Program Files\HPQ\Default Settings\cpqset.exe” [2005-02-17 14:01]
“iTunesHelper”=“C:\Program Files\iTunes\iTunesHelper.exe” [2004-10-13 16:04]
“QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [2007-04-29 14:35]
“eabconfg.cpl”=“C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe” [2004-12-03 13:24]
“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” [2007-09-25 01:11]
“hpWirelessAssistant”=“C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe” [2005-04-01 15:11]
“HP Software Update”=“C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe” [2005-02-16 23:11]
“avast!”=“D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-12-04 21:00]
“TkBellExe”=“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” [2007-05-06 17:09]
“WebThunder”=“C:\Program Files\Thunder Network\WebThunder\WebThunder.exe” [2007-12-10 09:44]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 20:00]

C:\Documents and Settings\Shi Qing\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - D:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
HP Digital Imaging Monitor.lnk - D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26]
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
AutoRun\command- ntdelect.com
explore\Command- C:\ntdeIect.com
open\Command- C:\ntdeIect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- ntdelect.com
explore\Command- D:\ntdeIect.com
open\Command- D:\ntdeIect.com

– End of Deckard’s System Scanner: finished at 2007-12-18 01:14:35 ------------

from extra.txt:

Deckard’s System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.

– System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Mobile AMD Sempron™ Processor 3000+
Percentage of Memory in Use: 82%
Physical Memory (total/avail): 382.48 MiB / 68.19 MiB
Pagefile Memory (total/avail): 919.66 MiB / 538.09 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1913.27 MiB

C: is Fixed (NTFS) - 9.77 GiB total, 2.3 GiB free.
D: is Fixed (NTFS) - 27.49 GiB total, 25.16 GiB free.
E: is CDROM (No Media)

\.\PHYSICALDRIVE0 - HTS424040M9AT00 - 37.26 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 9.77 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 27.49 GiB - D:

– Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: avast! antivirus 4.7.1098 [VPS 071217-0] v4.7.1098 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
“C:\Program Files\Thunder Network\WebThunder\WebThunder.exe”=“C:\Program Files\Thunder Network\WebThunder\WebThunder.exe:*:Enabled:WEB??”

– Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Shi Qing\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SQ-LEE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Shi Qing
LOGONSERVER=\SQ-LEE
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI Control Panel;;C:\PROGRA~1\COMMON~1\MUVEET~1\030625
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 44 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2c02
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\SHIQIN~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\SHIQIN~1\LOCALS~1\Temp
USERDOMAIN=SQ-LEE
USERNAME=Shi Qing
USERPROFILE=C:\Documents and Settings\Shi Qing
windir=C:\WINDOWS

– User Profiles ---------------------------------------------------------------

Shi Qing

– Add/Remove Programs ---------------------------------------------------------

→ C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
→ C:\WINDOWS\system32\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
→ C:\WINDOWS\system32\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
→ C:\WINDOWS\system32\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
→ rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX → C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 6.0.1 → MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Athlon 64 Processor Driver → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe” -l0x9
ATI - Software Uninstall Utility → C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe”
ATI Display Driver → rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
avast! Antivirus → rundll32 D:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
Broadcom 802.11 Wireless LAN Adapter → C:\WINDOWS\system32\BCMWLU00.exe verbose /rootkey=Software\Broadcom\802.11\UninstallInfo
Conexant AC-Link Audio → C:\Program Files\CONEXANT\CNXT_AUDIO\HXFSETUP.EXE -U -Iqta3091.inf
Data Fax SoftModem with SmartCP → C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_1002&DEV_4378&SUBSYS_3091103C\HXFSETUP.EXE -U -IVEN_1002&DEV_4378&SUBSYS_3091103C
DivX Codec → D:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
ERUNT 1.1j → “D:\Program Files\ERUNT\unins000.exe”
Hotfix for Windows Media Format 11 SDK (KB929399) → “C:\WINDOWS$NtUninstallKB929399$\spuninst\spuninst.exe”
HP Help and Support → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}\setup.exe” -l0x9 -removeonly
HP Imaging Device Functions 5.3 → D:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Essential → MsiExec.exe /X{6994491D-D491-48F1-AE1F-E179C1FFFC2F}
HP PSC & OfficeJet 5.3.B → “D:\Program Files\HP\Digital Imaging{5B79CFD1-6845-4158-9D7D-6BE89DF2C135}\setup\hpzscr01.exe” -datfile hposcr07.dat
HP Software Update → MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
HP Solution Center & Imaging Support Tools 5.3 → D:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Update → MsiExec.exe /X{8C6027FD-53DC-446D-BB75-CACD7028A134}
HP User Guides 0002 → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{D1E8DC27-C3CD-4DD8-B37B-D26D7D7CFCBD}\setup.exe” -l0x9 -removeonly
HP Wireless Assistant 1.01 A2 → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}\setup.exe” -l0x9 hpquninst
iTunes → C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BE20E2F5-1903-4AAE-B1AF-2046E586C925}
J2SE Runtime Environment 5.0 Update 2 → MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
Java™ 6 Update 2 → MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 → MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ SE Runtime Environment 6 Update 1 → MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Microsoft Compression Client Pack 1.0 for Windows XP → “C:\WINDOWS$NtUninstallMSCompPackV1$\spuninst\spuninst.exe”
Microsoft Office XP Professional with FrontPage → MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 → “C:\WINDOWS$NtUninstallWudf01000$\spuninst\spuninst.exe”
muvee autoProducer 4.0 - SE → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{534AA552-E1F1-4965-B2AA-FBDEB0730D60}\setup.exe” -l0x9
PSP ISO Compressor → MsiExec.exe /X{D47087E7-AA15-4D1D-8C0A-60F7E446D597}
Quick Launch Buttons 5.10 B2 → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{CEB326EC-8F40-47B2-BA22-BB092565D66F}\setup.exe” -l0x9 -uninst
QuickTime → C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer → C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
REALTEK Gigabit and Fast Ethernet NIC Driver → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{94FB906A-CF42-4128-A509-D353026A607E}\Setup.exe” -l0x9 REMOVE
Sonic Audio Module → MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic Copy Module → MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic Data Module → MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Express Labeler → MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic MyDVD Plus → MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic Update Manager → MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Synaptics Pointing Device Driver → rundll32.exe “C:\Program Files\Synaptics\SynTP\SynISDLL.dll”,standAloneUninstall
Texas Instruments PCIxx21/x515 drivers. → C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{612DC38A-B36A-4699-88EB-12C7394DE2FC} /l1033
WEBѸÀ× → C:\Program Files\Thunder Network\WebThunder\uninst.exe
Windows Media Format 11 runtime → “C:\WINDOWS$NtUninstallWMFDist11$\spuninst\spuninst.exe”
WinRAR archiver → C:\Program Files\WinRAR\uninstall.exe

– Application Event Log -------------------------------------------------------

Event Record #/Type527 / Error
Event Submitted/Written: 12/08/2007 09:43:56 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application WebThunder.exe, version 1.11.1.188, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

– Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

– System Event Log ------------------------------------------------------------

Event Record #/Type6311 / Error
Event Submitted/Written: 12/18/2007 00:07:36 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error “%%1084” attempting to start the service EventSystem with arguments “”
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type6310 / Error
Event Submitted/Written: 12/18/2007 00:07:21 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error “%%1084” attempting to start the service StiSvc with arguments “”
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type6309 / Error
Event Submitted/Written: 12/18/2007 00:07:18 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error “%%1084” attempting to start the service StiSvc with arguments “”
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type6308 / Error
Event Submitted/Written: 12/18/2007 00:05:43 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error “%%1084” attempting to start the service StiSvc with arguments “”
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type6307 / Error
Event Submitted/Written: 12/18/2007 00:05:40 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error “%%1084” attempting to start the service StiSvc with arguments “”
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

– End of Deckard’s System Scanner: finished at 2007-12-18 01:14:35 ------------

Try this

Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) by OldTimer.
Save it to your desktop.

Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\kavo0.dll
C:\ntdeIect.com
C:\WINDOWS\system32\kavo1.dll
C:\WINDOWS\system32\kavo.exe
C:\WINDOWS\system32\kavo3.dll
C:\WINDOWS\system32\kavo2.dll
C:\WINDOWS\system32\kavo4.dll
C:\WINDOWS\system32\kavo5.dll
C:\WINDOWS\system32\kavo6.dll
C:\WINDOWS\system32\kavo7.dll
C:\WINDOWS\system32\kavo8.dll
C:\WINDOWS\system32\kavo9.dll

Return to OTMoveIt, right click on the “Paste List of Files/Folders to be moved” window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new DSS log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Backup your registry and do the following fix

WARNING these fixes are designed for this user only and may cause damage if run on an uninfected machine

REGISTRY FIX

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kava"=-

Next you will need to create the repair registry fix. To do that, copy and paste ALL of the above in the quote box into a Notepad file. Ensure there is no space above the REGEDIT4.
Then in Notepad go to FILE > SAVE AS and in the dropdown box SAVE AS TYPE select ALL FILES.
Then in the FILE NAME box type fix.reg
Make sure that in the top box, Save in is set to Desktop.
This will create a fix.reg file on your desktop.
http://img127.imageshack.us/img127/433/regtg8.jpg

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

Do the manual reset of the registry keys that you did before.

Also find and remove all the AUTORUN.INF per the instructions you found earlier.

Remember to post OTMOVEIT results and a new DSS log.
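
A triage sketch for the kind of log posted above, added here as an example; it is not part of any post in this thread and not part of DSS. It parses the "Files created" and "Registry Dump" sections of a DSS main.txt and reports the hidden/system/read-only files, the drives whose mountpoints2 key carries shell commands, and files of identical size. The sample lines are copied from the log in this thread with typographic dashes and quotes normalised to ASCII; all function names are this example's own.

```python
import re
from collections import defaultdict

# Lines copied from the DSS main.txt posted in this thread (dashes/quotes as ASCII).
SAMPLE_LOG = r"""
-- Files created between 2007-11-18 and 2007-12-18 -----------------------------

2007-12-18 01:05:58 88576 -r-hs---- C:\WINDOWS\system32\kavo1.dll
2007-12-18 01:05:39 115964 -r-hs---- C:\WINDOWS\system32\kavo.exe
2007-12-17 23:12:41 115964 -r-hs---- C:\ntdeIect.com
2007-12-01 15:34:42 1156 --a------ C:\WINDOWS\mozver.dat
2007-11-27 19:46:37 417 --a------ C:\WINDOWS\system32\cid_store.dat

-- Registry Dump ---------------------------------------------------------------

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
AutoRun\command- ntdelect.com
explore\Command- C:\ntdeIect.com
open\Command- C:\ntdeIect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- ntdelect.com
explore\Command- D:\ntdeIect.com
open\Command- D:\ntdeIect.com
"""

SECTION_RE = re.compile(r"^(?:--|\u2013)\s*(.+?)\s*-{3,}\s*$")   # "-- Name -----"
FILE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(\S+)\s+(.+)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
MOUNT_RE = re.compile(r"\\explorer\\mountpoints2\\([^\\]+)$", re.I)
VERB_RE = re.compile(r"^(\S+\\command)-\s*(.+)$", re.I)


def split_sections(text):
    """Group non-empty log lines under the section header that precedes them."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
        elif current and line:
            sections[current].append(line)
    return sections


def created_files(sections):
    """Parse 'timestamp size attributes path' rows of the 'Files created' section."""
    rows = []
    for name, lines in sections.items():
        if name.startswith("Files created"):
            for line in lines:
                m = FILE_RE.match(line)
                if m:
                    rows.append({"time": m.group(1), "size": int(m.group(2)),
                                 "attrs": m.group(3), "path": m.group(4)})
    return rows


def mountpoint_commands(sections):
    """Collect shell verbs listed under mountpoints2\\<drive> keys, as written."""
    cmds, mount = [], None
    for line in sections.get("Registry Dump", []):
        key = KEY_RE.match(line)
        if key:
            hit = MOUNT_RE.search(key.group(1))
            mount = hit.group(1) if hit else None   # other keys reset the context
            continue
        verb = VERB_RE.match(line)
        if mount and verb:
            cmds.append({"mount": mount, "verb": verb.group(1), "target": verb.group(2)})
    return cmds


def analyse(text):
    sections = split_sections(text)
    files, cmds = created_files(sections), mountpoint_commands(sections)
    # Read-only + hidden + system together is what every dropped file in this log carries.
    stealth = [f for f in files if {"r", "h", "s"} <= set(f["attrs"])]
    on_disk = {f["path"].lower() for f in files}
    by_size = defaultdict(list)
    for f in stealth:
        by_size[f["size"]].append(f["path"])
    return {
        "stealth_files": [f["path"] for f in stealth],
        "autorun_drives": sorted({c["mount"] for c in cmds}),
        # Targets that also appear in the file listing vs. ones to check by hand.
        "confirmed_targets": sorted({c["target"] for c in cmds if c["target"].lower() in on_disk}),
        "unconfirmed_targets": sorted({c["target"] for c in cmds if c["target"].lower() not in on_disk}),
        # Identical sizes suggest the drive-root file is a copy of the system32 one.
        "same_size": {s: p for s, p in by_size.items() if len(p) > 1},
    }


if __name__ == "__main__":
    for field, value in analyse(SAMPLE_LOG).items():
        print(f"{field}: {value}")
```

The unconfirmed targets are the ones the file listing cannot vouch for, such as the copy on drive D, so they are the places to look when cleaning the other drives.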

Hi everybody!

Great respect for your work, as I read every line of the thread.

I have a laptop with an external USB hard drive that is also infected by the same virus. The data on the USB HD are extremely important, I can’t lose them! I started to burn DVDs but it just takes forever! And I also wonder if the virus will hook itself onto every DVD I am burning.

The Taiwanese program “del_kavo” seems to have killed the virus on the laptop. I didn’t execute “del_kavo” with the USB drive on since somebody on the thread lost his data; the drive wasn’t accessible anymore.

I did several Boot-time Scans with Avast and Norton on the USB HD but it always comes back to life!

My father lost 2000$ from a fraud in his bank account with a Trojan virus 2 weeks ago.

Please, help me to kill this virus!

Here is a DSS of my laptop on the following post.

Thank you!

Deckard’s System Scanner v20071014.68
Run by Pierre on 2007-12-21 09:19:33
Computer is in Normal Mode.

– System Restore --------------------------------------------------------------

Successfully created a Deckard’s System Scanner Restore Point.

– Last 5 Restore Point(s) –
71: 2007-12-21 01:19:48 UTC - RP327 - Deckard’s System Scanner Restore Point
70: 2007-12-20 02:21:33 UTC - RP326 - System Checkpoint
69: 2007-12-18 13:24:24 UTC - RP325 - System Checkpoint
68: 2007-12-15 12:42:55 UTC - RP324 - System Checkpoint
67: 2007-12-14 05:32:21 UTC - RP323 - System Checkpoint

– First Restore Point –
1: 2007-09-28 00:29:58 UTC - RP257 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

– HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-12-21 09:24:42
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\PTC - Wildfire 3.0\i486_nt\obj\lmgrd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PTC - Wildfire 3.0\i486_nt\obj\lmgrd.exe
C:\Program Files\PTC - Wildfire 3.0\i486_nt\obj\ptc_d.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\agrsmmsg.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Avast4\ashDisp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Pierre\Desktop\Download\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shoptoshiba.ca/welcome
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {598F4775-6FB6-477B-9842-E0426824E077} - C:\DOCUME~1\Pierre\LOCALS~1\Temp\~DP5C.dll (file missing)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Common Files\Symantec Shared\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] “C:\Program Files\Winamp\Winampa.exe”
O4 - HKLM\..\Run: [IMJPMIG8.1] “C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE” /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] “C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe”
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] “C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [EPSON Stylus C67 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE /P23 “EPSON Stylus C67 Series” /O6 “USB001” /M “Stylus C67”
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] “C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.2\apdproxy.exe”
O4 - HKLM\..\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime
O4 - HKLM\..\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe”
O4 - HKLM\..\Run: [osCheck] “C:\Program Files\Norton Internet Security\osCheck.exe”
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: RAMASST.lnk = ?

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir8d204.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196416602312
O16 - DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} (NetCamPlayerWeb11gv2 Control) - http://mariecoton.ourlinksys.com:1024/NetCamPlayerWeb11gv2.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O18 - Protocol: textwareilluminatorbase - {CE5CD329-1650-414A-8DB0-4CBF72FAED87} - C:\WINDOWS\system32\textwareilluminatorbaseProtocol.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: FLEXlm server for PTC - Macrovision Corporation - C:\Program Files\PTC - Wildfire 3.0\i486_nt\obj\lmgrd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


End of file - 12271 bytes

– File Associations -----------------------------------------------------------

.bat - batfile - shell\edit\command - %SystemRoot%\System32\NOTEPAD.EXE %1"
.ini - inifile - shell\open\command - %SystemRoot%\System32\NOTEPAD.EXE %1"
.js - JSFile - DefaultIcon - “C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe”,2
.pif - piffile - shell\open\command - “%1” %*"

– Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 meiudf - c:\windows\system32\drivers\meiudf.sys <Not Verified; Matsushita Electric Industrial Co.,Ltd.; >
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R1 SrvcSSIOMngr - c:\windows\system32\drivers\ssiomngr.sys <Not Verified; COMPAL ELECTRONIC INC.; Compal IoManager Application>
R1 TPwSav (Common Driver) - c:\windows\system32\drivers\tpwsav.sys <Not Verified; TOSHIBA; >
R2 Netdevio (TOSHIBA Network Device Usermode I/O Protocol) - c:\windows\system32\drivers\netdevio.sys <Not Verified; TOSHIBA Corporation.; TOSHIBA Network Device Usermode I/O protocol>
R3 LVPrcMon (Logitech LVPrcMon Driver) - c:\windows\system32\drivers\lvprcmon.sys
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
R3 Tvs (Toshiba Virtual Sound with SRS technologies) - c:\windows\system32\drivers\tvs.sys <Not Verified; TOSHIBA Corporation; Audio Filter>

S3 bdfdll - c:\program files\softwin\bitdefender10\bdfdll.sys (file missing)
S3 dump_wmimmc - c:\program files\bots\gameguard\dump_wmimmc.sys (file missing)
S3 qcusbser (Qualcomm USB Device for Legacy Serial Communication) - c:\windows\system32\drivers\qcusbser.sys <Not Verified; QUALCOMM Incorporated; QUALCOMM Incorporated USB Modem/Serial Device Driver>
S3 TBiosDrv - c:\windows\system32\drivers\tbiosdrv.sys

– Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CFSvcs (ConfigFree Service) - c:\program files\toshiba\configfree\cfsvcs.exe <Not Verified; TOSHIBA CORPORATION; ConfigFree™>
R2 DVD-RAM_Service - c:\windows\system32\dvdramsv.exe <Not Verified; Matsushita Electric Industrial Co., Ltd.; >
R2 FLEXlm server for PTC - “c:\program files\ptc - wildfire 3.0\i486_nt\obj\lmgrd.exe” <Not Verified; Macrovision Corporation; >

– Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

– Scheduled Tasks -------------------------------------------------------------

2007-12-19 20:43:42 624 --a------ C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Pierre.job

– Files created between 2007-11-21 and 2007-12-21 -----------------------------

2007-12-19 20:44:56 0 d-------- C:\Program Files\Share Cracker
2007-12-19 20:44:22 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-12-19 20:26:27 0 d-------- C:\Documents and Settings\Pierre\Application Data\Symantec
2007-12-19 20:23:19 0 d-------- C:\Program Files\Windows Sidebar
2007-12-19 20:21:23 0 d-------- C:\Program Files\Norton Internet Security
2007-12-19 20:19:37 0 d-------- C:\Program Files\Symantec
2007-12-19 20:19:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-19 20:08:16 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-19 20:03:59 0 d-------- C:\Program Files\Norton Internet Security 2008
2007-12-18 16:00:49 0 d-------- C:\WINDOWS\system32\kav1.dll
2007-12-18 16:00:49 0 d-------- C:\WINDOWS\system32\kav0.dll
2007-12-18 15:54:16 0 dr-hs---- C:\autorun.inf
2007-12-18 13:47:20 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-12-18 13:47:20 0 d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2007-12-18 13:47:20 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-12-18 13:47:20 0 d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-12-18 13:47:20 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-12-18 13:47:19 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-12-18 13:47:19 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-12-18 13:47:19 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-12-18 13:47:19 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-12-18 13:47:19 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-12-18 13:47:19 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-12-18 13:47:19 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-12-18 13:47:19 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-12-18 13:47:19 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-12-18 13:47:18 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-18 13:47:18 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-12-18 13:47:18 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-12-18 13:47:17 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-12-18 12:57:50 0 -r-hs---- C:\ntdeIect.com
2007-11-26 22:42:07 0 d-------- C:\Documents and Settings\Pierre\Application Data\1ClickDVDCopy
2007-11-21 21:55:43 0 d-------- C:\Program Files\VideoConverter3

– Find3M Report ---------------------------------------------------------------

2007-12-20 21:53:49 0 d-------- C:\Program Files\Wenlin3
2007-12-19 20:22:53 0 d-------- C:\Program Files\Common Files
2007-12-19 20:05:02 0 d-------- C:\Documents and Settings\Pierre\Application Data\uTorrent
2007-12-16 12:35:26 0 d-------- C:\Documents and Settings\Pierre\Application Data\Skype
2007-12-14 08:29:04 0 d-------- C:\Program Files\Avast4
2007-12-03 13:15:54 0 d-------- C:\Program Files\Java
2007-11-27 07:24:17 0 d-------- C:\Program Files\1Click DVD Copy 5
2007-11-20 14:30:24 0 d-------- C:\Program Files\ElcomSoft
2007-10-31 17:14:32 0 d-------- C:\Documents and Settings\Pierre\Application Data\Vso
2007-10-31 17:14:32 34 --a------ C:\Documents and Settings\Pierre\Application Data\pcouffin.log
2007-10-31 17:14:11 47360 --a------ C:\Documents and Settings\Pierre\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2007-10-31 17:14:11 1144 --a------ C:\Documents and Settings\Pierre\Application Data\pcouffin.inf
2007-10-31 17:14:11 7176 --a------ C:\Documents and Settings\Pierre\Application Data\pcouffin.cat
2007-10-31 17:14:11 81920 --a------ C:\Documents and Settings\Pierre\Application Data\ezpinst.exe
2007-10-31 14:09:06 0 d-------- C:\Program Files\FloorPlan3d
2007-10-26 10:19:39 0 d-------- C:\Documents and Settings\Pierre\Application Data\Macromedia
2007-10-01 18:00:48 31944 --a------ C:\Documents and Settings\Pierre\Application Data\GDIPFONTCACHEV1.DAT

– Registry Dump ---------------------------------------------------------------

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{598F4775-6FB6-477B-9842-E0426824E077}]
C:\DOCUME~1\Pierre\LOCALS~1\Temp\~DP5C.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
08/25/2007 11:51 AM 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
12/19/2007 08:22 PM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“CeEKEY”=“C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe” [08/26/2005 09:49 AM]
“Apoint”=“C:\Program Files\Apoint2K\Apoint.exe” [03/23/2004 10:40 PM]
“TPNF”=“C:\Program Files\TOSHIBA\TouchPad\TPTray.exe” [08/26/2005 10:11 AM]
“NDSTray.exe”=“NDSTray.exe”
“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” [09/25/2007 01:11 AM]
“Tvs”=“C:\Program Files\Toshiba\Tvs\TvsTray.exe” [04/06/2005 07:25 AM]
“TPSMain”=“TPSMain.exe” [06/01/2005 08:16 AM C:\WINDOWS\system32\TPSMain.exe]
“ZoomingHook”=“ZoomingHook.exe” [06/07/2005 12:58 AM C:\WINDOWS\system32\ZoomingHook.exe]
“SmoothView”=“C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe” [04/27/2005 07:13 AM]
“HWSetup”=“C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe” [05/02/2004 04:45 AM]
“PadTouch”=“C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe” [07/16/2005 01:52 AM]
“SVPWUTIL”=“C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe” [05/02/2004 04:45 AM]
“AGRSMMSG”=“AGRSMMSG.exe” [12/22/2004 01:10 AM C:\WINDOWS\agrsmmsg.exe]
“TCtryIOHook”=“TCtrlIOHook.exe” [08/22/2005 04:49 PM C:\WINDOWS\system32\TCtrlIOHook.exe]
“TFncKy”=“TFncKy.exe”
“NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [07/09/2001 11:50 AM]
“WinampAgent”=“C:\Program Files\Winamp\Winampa.exe” [04/02/2003 10:20 AM]
“IMJPMIG8.1”=“C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe” [08/04/2004 08:00 PM]
“MSPY2002”=“C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe” [08/04/2004 08:00 PM]
“PHIME2002ASync”=“C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe” [08/04/2004 08:00 PM]
“PHIME2002A”=“C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe” [08/04/2004 08:00 PM]
“Acrobat Assistant 7.0”=“C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe” [01/12/2006 08:52 PM]
“LVCOMSX”=“C:\WINDOWS\system32\LVCOMSX.EXE” [12/09/2005 03:32 PM]
“avast!”=“C:\PROGRA~1\Avast4\ashDisp.exe” [12/04/2007 09:00 PM]
“RemoteControl”=“C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” [11/02/2004 08:24 PM]
“LogitechCameraAssistant”=“C:\Program Files\Logitech\Video\CameraAssistant.exe” [12/07/2005 10:26 AM]
“LogitechVideo[inspector]”=“C:\Program Files\Logitech\Video\InstallHelper.exe” [12/07/2005 10:33 AM]
“LogitechCameraService(E)”=“C:\WINDOWS\system32\ElkCtrl.exe” [11/01/2004 05:22 PM]
“EPSON Stylus C67 Series”=“C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.exe” [01/25/2005 04:00 AM]
“IgfxTray”=“C:\WINDOWS\system32\igfxtray.exe” [01/13/2007 09:47 AM]
“HotKeysCmds”=“C:\WINDOWS\system32\hkcmd.exe” [01/13/2007 09:47 AM]
“Persistence”=“C:\WINDOWS\system32\igfxpers.exe” [01/13/2007 09:46 AM]
“Adobe Photo Downloader”=“C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.2\apdproxy.exe” [08/30/2007 06:32 AM]
“QuickTime Task”=“C:\Program Files\QuickTime\QTTask.exe” [06/29/2007 06:24 AM]
“ccApp”=“C:\Program Files\Common Files\Symantec Shared\ccApp.exe” [08/25/2007 01:07 PM]
“osCheck”=“C:\Program Files\Norton Internet Security\osCheck.exe” [08/25/2007 12:53 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [08/04/2004 08:00 PM]

C:\Documents and Settings\Pierre\Start Menu\Programs\Startup
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 8:16:50 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [9/1/2005 7:52:49 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
“NoSMHelp”=01000000
“NoLogoff”=01000000
“NoRecentDocsMenu”=01000000
“NoActiveDesktop”=01000000
“NoRecentDocsHistory”=01000000
“NoRecentDocsNetHood”=01000000
“NoSMMyDocs”=01000000
“NoSMMyPictures”=01000000
“NoNetworkConnections”=01000000
“NoUserNameInStartMenu”=01000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29247ffa-88c8-11db-af63-000fb0d85185}]
1\Command- .\RECYCLER\RECYCLER\autorun.exe
2\Command- .\RECYCLER\RECYCLER\autorun.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c360622a-8510-11db-af5c-000fb0d85185}]
1\Command- .\RECYCLER\RECYCLER\autorun.exe
2\Command- .\RECYCLER\RECYCLER\autorun.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d933d886-3f6c-11dc-b01e-000fb0d85185}]
AutoRun\command- F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f4912d06-e358-11db-afb5-000fb0d85185}]
1\Command- F:\.\RECYCLER\RECYCLER\autorun.exe
2\Command- F:\.\RECYCLER\RECYCLER\autorun.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe

Newly Created Service - COMHOST

– End of Deckard’s System Scanner: finished at 2007-12-21 09:26:32 ------------

Deckard’s System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.

– System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) M processor 1.73GHz
Percentage of Memory in Use: 45%
Physical Memory (total/avail): 1526.42 MiB / 832.64 MiB
Pagefile Memory (total/avail): 2906.21 MiB / 2331.29 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1925.61 MiB

C: is Fixed (NTFS) - 74.33 GiB total, 31.09 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is Fixed (NTFS) - 298.09 GiB total, 90.31 GiB free.

\\.\PHYSICALDRIVE0 - HTS541080G9SA00 - 74.53 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 74.33 GiB - C:
\PARTITION1 - Unknown - 203.95 MiB

\\.\PHYSICALDRIVE1 - Initio WD3200KS-00PFB0 USB Device - 298.09 GiB - 1 partition
\PARTITION0 - Installable File System - 298.09 GiB - F:

– Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: Norton Internet Security v15.0.0.60 (Symantec Corporation)
AV: Norton Internet Security v15.0.0.60 (Symantec Corporation)
AV: avast! antivirus 4.7.1098 [VPS 071220-0] v4.7.1098 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
“%windir%\system32\sessmgr.exe”=“%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019”
“C:\Program Files\MSN Messenger\msncall.exe”=“C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)”
“C:\Program Files\MSN Messenger\msnmsgr.exe”=“C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1”
“C:\Program Files\MSN Messenger\livecall.exe”=“C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)”

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
“%windir%\system32\sessmgr.exe”=“%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019”
“C:\Program Files\BitComet\BitComet.exe”=“C:\Program Files\BitComet\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client”
“C:\Program Files\MSN Messenger\msncall.exe”=“C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)”
“C:\Program Files\RealVNC\VNC4\winvnc4.exe”=“C:\Program Files\RealVNC\VNC4\winvnc4.exe:*:Enabled:VNC Server”
“C:\Program Files\uTorrent\uTorrent.exe”=“C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent”
“C:\Program Files\proeWildfire 3.0\i486_nt\nms\nmsd.exe”=“C:\Program Files\proeWildfire 3.0\i486_nt\nms\nmsd.exe:*:Disabled:nmsd”
“C:\Program Files\proeWildfire 3.0\i486_nt\obj\xtop.exe”=“C:\Program Files\proeWildfire 3.0\i486_nt\obj\xtop.exe:*:Disabled:xtop”
“C:\Program Files\proeWildfire 3.0\i486_nt\obj\pro_comm_msg.exe”=“C:\Program Files\proeWildfire 3.0\i486_nt\obj\pro_comm_msg.exe:*:Disabled:pro_comm_msg”
“C:\Program Files\MSN Messenger\msnmsgr.exe”=“C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1”
“C:\Program Files\MSN Messenger\livecall.exe”=“C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)”
“C:\Program Files\Skype\Phone\Skype.exe”=“C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath ”

– Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Pierre\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=TAIWANHOME
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Pierre
LOGONSERVER=\\TAIWANHOME
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\Microsoft SQL Server\80\Tools\Binn;C:\Program Files\PTC - Wildfire 3.0\bin;C:\Program Files\proeWildfire 3.0\bin;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Pierre\LOCALS~1\Temp
TMP=C:\DOCUME~1\Pierre\LOCALS~1\Temp
USERDOMAIN=TAIWANHOME
USERNAME=Pierre
USERPROFILE=C:\Documents and Settings\Pierre
windir=C:\WINDOWS

– User Profiles ---------------------------------------------------------------

Pierre
Administrator

– Add/Remove Programs ---------------------------------------------------------

→ “C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE” /U
→ C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
→ C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
→ C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
→ rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent → “C:\Program Files\uTorrent\uTorrent.exe” /UNINSTALL
1Click DVD Copy 5.0.1.0 → “C:\Program Files\1Click DVD Copy 5\unins000.exe”
AC3Filter (remove only) → C:\Program Files\AC3Filter\uninstall.exe
Adobe Acrobat 7.0.9 Professional → msiexec /I {AC76BA86-1033-0000-7760-000000000002}
Adobe Common File Installer → MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5102}
Adobe Flash Player Plugin → C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Help Center 2.0 → MsiExec.exe /I{8FFC924C-ED06-44CB-8867-3CA778ECE903}
Adobe Photoshop CS2 → msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Photoshop Lightroom → MsiExec.exe /I{359D2A79-64C6-4824-83CE-B053297DED6A}
Adobe Shockwave Player → C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Advanced PDF Password Recovery → C:\Program Files\ElcomSoft\Advanced PDF Password Recovery\uninstall.exe
ALPS Touch Pad Driver → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe” UNINSTALL
AppCore → MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
Apple Software Update → MsiExec.exe /I{74EC78BC-B379-4E29-9006-8F161DCAABA6}
avast! Antivirus → rundll32 C:\PROGRA~1\Avast4\Setup\setiface.dll,RunSetup
AVS VideoConverter 3.1.1.151 → “C:\Program Files\VideoConverter3\unins000.exe”
BSPlayer → “C:\Program Files\BSplayer\uninstall.exe”
Cambridge Advanced Learner’s Dictionary → C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Cambridge\CAL001CP\Uninst.isu"
Canon PowerShot A40 WIA Driver → C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\PowerShot A40 WIA\Uninst.isu" -c"C:\Program Files\Canon\PowerShot A40 WIA\UNSTD113.dll"
Canon Utilities Digital Photo Professional 2.1 → “C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe” “C:\Program Files\Canon\Digital Photo Professional\Uninst.ini”
Canon Utilities EOS Utility → “C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe” “C:\Program Files\Canon\EOS Utility\Uninst.ini”
ccCommon → MsiExec.exe /I{B24E05CC-46FF-4787-BBB8-5CD516AFB118}
CD/DVD Drive Acoustic Silencer → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}\SETUP.EXE” -l0x9
Component Framework → MsiExec.exe /I{31478BE1-CDE5-4753-A8B2-F6D4BC1FBE09}
DAEMON Tools → MsiExec.exe /I{3DED3A72-61A8-4B87-98A5-EF0BC8038AA0}
dBpowerAMP Music Converter → “C:\WINDOWS\system32\SpoonUninstall.exe” C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
DivX Codec → C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader → C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter → C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Web Player → C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVD-RAM Driver → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\00\Intel32\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{9D765FA6-F2BC-40AF-8145-50808F9BDF4E}\SETUP.EXE” -l0x9 DVD-RAM Driver
EPSON Printer Software → C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
ERUNT 1.1j → “C:\Program Files\ERUNT\unins000.exe”
ffdshow → “C:\Program Files\ffdshow\uninstall.exe”
Fraps (remove only) → “C:\Program Files\Fraps\uninstall.exe”
Google Earth → MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Haali Media Splitter → “C:\Program Files\Haali\MatroskaSplitter\uninstall.exe”
Huffyuv AVI lossless video codec (Remove Only) → rundll.exe setupx.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\HUFFYUV.INF
Intel(R) Graphics Media Accelerator Driver → C:\WINDOWS\system32\igxpun.exe -uninstall
J2SE Runtime Environment 5.0 Update 10 → MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11 → MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 3 → MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
J2SE Runtime Environment 5.0 Update 9 → MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java™ 6 Update 2 → MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 → MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ SE Runtime Environment 6 Update 1 → MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
LiveUpdate (Symantec Corporation) → MsiExec.exe /x {E80F62FF-5D3C-4A19-8409-9721F2928206} /l*v “C:\Documents and Settings\All Users\Application Data\LuUninstall.LiveUpdate”
LiveUpdate (Symantec Corporation) → MsiExec.exe /X{E80F62FF-5D3C-4A19-8409-9721F2928206}
Logitech QuickCam Software → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information\{C191BE7C-8542-4A61-973A-714EF76C5995}\setup.exe” -l0x9
Logitech® Camera Driver → “C:\Program Files\Common Files\Logitech\QCDRV\BIN\SETUP.EXE” UNINSTALL REMOVEPROMPT
Macromedia Dreamweaver 8 → MsiExec.exe /I{0837A661-FEC3-48B3-876C-91E7D32048A9}
Macromedia Extension Manager → MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Macromedia Fireworks 8 → MsiExec.exe /I{4C24A8C1-7CFA-4650-AF15-732F5BD7B46D}
Macromedia Flash 8 → MsiExec.exe /I{2BD5C305-1B27-4D41-B690-7A61172D2FEB}
Macromedia Flash 8 Video Encoder → MsiExec.exe /X{8BF2C401-02CE-424D-BC26-6C4F9FB446B6}
Microsoft Office XP Professional avec FrontPage → MsiExec.exe /I{9028040C-6000-11D3-8CFE-0050048383C9}
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR) → MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft Visual C++ 2005 Redistributable → MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.11) → C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB925673) → MsiExec.exe /I{FE9126DB-5F84-495A-BB46-3C724F1C2D08}
Nero 6 Ultra Edition → C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Nero BurnRights → C:\WINDOWS\UNNeroBurnRights.exe /UNINSTALL
NextUp.com-NeoSpeech Chinese Wang16 Voice → MsiExec.exe /X{74ADAE9B-0301-4EFE-95A9-87229B08EBC4}
Norton AntiVirus → MsiExec.exe /X{77FFBA7E-0973-4F39-BBDB-AC2F537578D2}
Norton AntiVirus Help → MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}
Norton Confidential Core → MsiExec.exe /I{55A6283C-638A-4EE0-B491-51118554BDA2}
Norton Internet Security → MsiExec.exe /I{C1C185CA-C531-49F5-A6FA-B838405A049D}
Norton Internet Security (Symantec Corporation) → “C:\Program Files\Common Files\Symantec Shared\SymSetup\{C1C185CA-C531-49F5-A6FA-B838405A049D}_15_0_0_60\Setup.exe” /X
Norton Protection Center → MsiExec.exe /I{62120008-8E1E-4807-860D-A8B48F8552DB}
PowerDVD → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe” -uninstall
PowerISO → “C:\Program Files\PowerISO\uninstall.exe”
Pro/ENGINEER Release Wildfire 3.0 Datecode M030 → “C:\Program Files\proeWildfire 3.0\uninstall\i486_nt\obj\psuninst.exe” “C:\Program Files\proeWildfire 3.0\uninstall\instlog.txt”
PTC License Server Release Wildfire 3.0 Datecode M030 → “C:\Program Files\PTC - Wildfire 3.0\uninstall\i486_nt\obj\psuninst.exe” “C:\Program Files\PTC - Wildfire 3.0\uninstall\instlog.txt”
QuickTime → MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
RealPlayer → C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC’97 Audio → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\SETUP.exe” -l0x9 -removeonly
REALTEK Gigabit and Fast Ethernet NIC Driver → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\SETUP.EXE” -l0x9 REMOVE
Sansa Media Converter → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information\{D2A0F8F4-CE50-4857-A21C-3061682B2E87}\Setup.exe” -l0x9
SD Secure Module → MsiExec.exe /X{C45F4811-31D5-4786-801D-F79CD06EDD85}
Security Update for Step By Step Interactive Training (KB898458) → “C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe”
Security Update for Step By Step Interactive Training (KB923723) → “C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe”
Skype™ 3.5 → MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Sony DVD Architect 3.0c → MsiExec.exe /X{19024EBA-7B29-4491-BB4E-ECF9446819E4}
Sony Media Manager 2.2 → MsiExec.exe /X{565286F6-CE28-45D5-A64B-DCDCD3130881}
Sony Sound Forge 8.0d → MsiExec.exe /X{5636E517-8100-4E2A-B69E-2B16AFFA2360}
Sony Vegas 7.0 → MsiExec.exe /X{0E27A421-0701-43D6-B214-D90C92821A7A}
Sony Vegas Pro 8.0 → MsiExec.exe /X{0F31532A-16F1-4812-8B7B-D321A4CE91A6}
SPBBC 32bit → MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
SymNet → MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
Texas Instruments PCIxx21/x515 drivers. → C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{E18E644D-4FC1-4E7F-87B7-A0288A14A322} /l1033
The Rosetta Stone → C:\WINDOWS\unvise32.exe C:\Program Files\The Rosetta Stone\TRS Support\uninstal.log
TMPGEnc Plus 2.5 → C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2A1E27FF-BE53-45B4-950F-060236E98E3D}
TOSHIBA Accessibility → C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{3A57482F-BEBC-47E4-ADA1-6302403C7E50} /l1033
TOSHIBA Assist → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information\{12B3A009-A080-4619-9A2A-C6DB151D8D67}\setup.exe” -l0x9
TOSHIBA ConfigFree → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information\{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}\setup.exe” -l0x9 UNINSTALL
TOSHIBA Controls → C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{5BCA8D15-BCB6-421E-9654-238B43456A4F} /l1033
TOSHIBA Fn-esse → C:\WINDOWS\UnInst32.exe Fn-esse.UNI
TOSHIBA Hardware Setup → C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{5279374D-87FE-4879-9385-F17278EBB9D3} /l1033
TOSHIBA Hotkey Utility → C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{7900D3A6-A9E8-4954-ACCB-AB15867978BF} /l1033
TOSHIBA PC Diagnostic Tool → C:\WINDOWS\IsUninst.exe -f"C:\Program Files\TOSHIBA\PCDiag\Uninst.isu"
TOSHIBA Power Saver → C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{A38D57D1-5F29-4691-B3DD-FE4B3A7B3AFE} /l1033
TOSHIBA SD Memory Card Format → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information\{48CF9A66-5F03-4025-ABD0-B3A3FA095A59}\Setup.exe”
TOSHIBA Software Modem → Tosmreg -U
TOSHIBA Speech System Applications → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information\{EE033C1F-443E-41EC-A0E2-559B539A4E4D}\Setup.exe” -l0x9
TOSHIBA Speech System SR Engine(U.S.) Version1.0 → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information\{008D69EB-70FF-46AB-9C75-924620DF191A}\Setup.exe” -l0x9 UNINSTALL
TOSHIBA Speech System TTS Engine(U.S.) Version1.0 → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information\{3FBF6F99-8EC6-41B4-8527-0A32241B5496}\Setup.exe” -l0x9
TOSHIBA Supervisor Password → C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE} /l1033
Toshiba Tbiosdrv Driver → C:\PROGRA~1\TOSHIBA\TOSHIB~4\UNWISE.EXE C:\PROGRA~1\TOSHIBA\TOSHIB~4\INSTALL.LOG
TOSHIBA Virtual Sound → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information\{8B12BA86-ADAC-4BA6-B441-FFC591087252}\Setup.exe” /uninstall
TOSHIBA Zooming Utility → C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{02EED746-8C5A-43C8-BB3D-D29C8B363A4D} /l1033
Touch and Launch → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information\{5D96E2B1-D9AC-46E0-9073-425C5F63E338}\SETUP.EXE”
TouchPad On/Off Utility → C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{80977342-27E8-4FF7-8B6A-D8D89461DA7F} /l1033
Tweak UI → “C:\WINDOWS\system32\mshta.exe” “res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta”
Wenlin 3.4.1 → “C:\Program Files\Wenlin3\unins000.exe”
Winamp (remove only) → “C:\Program Files\Winamp\UninstWA.exe”
Windows Communication Foundation → MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component → “C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe”
Windows Live Messenger → MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Presentation Foundation → MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation → MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
WinRAR archiver → C:\Program Files\WinRAR\uninstall.exe
XML Paper Specification Shared Components Pack 1.0 →
Xvid 1.1.2 final uninstall → “C:\Program Files\Xvid\unins000.exe”
ZTE USB to UART Bridge Controller Driver Set → C:\Program Files\Cygnal\ZTE USB to UART Bridge Controller\CYG_Uninstall.exe

– Application Event Log -------------------------------------------------------

Event Record #/Type1974 / Success
Event Submitted/Written: 12/20/2007 09:30:32 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type1935 / Success
Event Submitted/Written: 12/20/2007 10:46:57 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type1883 / Warning
Event Submitted/Written: 12/19/2007 09:08:38 PM
Event ID/Source: 101 / Automatic LiveUpdate Scheduler
Event Description:
Information Level: warning

A LiveUpdate session is already in progress; cannot launch Automatic LiveUpdate.