UDady
Posts posted by UDady

  1. OA autoruns can't block it

     

    VT: https://www.virustotal.com/file/5f76a7cb629c366001e4cddd53c68bb2a4c38bbe756f9a6cf7b04817ff946626/analysis/1355570309/

     

    Whenever I start XP I will see this

     

    Created:      2012-12-16 17:57:56
    Summary:      Program Guard: 999.dll -> IEXPLORE.EXE
    Description:  C:\Documents and Settings\Administrator\桌面\999.dll(0) wants to start C:\Program Files\Internet Explorer\IEXPLORE.EXE(0)
    Event type:   Program Guard(9)
    Event action: Blocked(3)

     

    System Repair Engineer 2.8.4.1331
    Smallfrogs (http://www.KZTechs.com)

    Windows XP Professional Service Pack 3 (Build 2600) - 管理权限用户 - 完整功能

    以下内容被选中:
        所有的启动项目(包括注册表、启动文件夹、服务等)
      


    启动项目
    注册表
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
        <ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Windows Component Publisher]
        <Process Hacker 2><"C:\Program Files\Process Hacker 2\ProcessHacker.exe" -hide>  [wj32]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
        <load><>  [N/A]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
        <IMJPMIG8.1><"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32>  [(Verified)Microsoft Windows Component Publisher]
        <PHIME2002ASync><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC>  [(Verified)Microsoft Windows Component Publisher]
        <PHIME2002A><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName>  [(Verified)Microsoft Windows Component Publisher]
        <VMware User Process><"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr>  [(Verified)VMware, Inc.]
        <@OnlineArmor GUI><"C:\Program Files\Online Armor\OAui.exe">  [(Verified)Emsisoft GmbH]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
        <shell><Explorer.exe>  [(Verified)Microsoft Windows Component Publisher]
        <Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Windows Component Publisher]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
        <AppInit_DLLs><>  [N/A]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
        <UIHost><logonui.exe>  [(Verified)Microsoft Windows Component Publisher]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
        <{AEB6717E-7E19-11d0-97EE-00C04FD91972}><shell32.dll>  [(Verified)Microsoft Windows Component Publisher]
        <{4F07DA45-8170-4859-9B5F-037EF2970034}><C:\PROGRA~1\ONLINE~2\oaevent.dll>  [(Verified)Emsisoft GmbH]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
        <PostBootReminder><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows Component Publisher]
        <CDBurn><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows Component Publisher]
        <WebCheck><%SystemRoot%\system32\webcheck.dll>  [(Verified)Microsoft Windows Component Publisher]
        <SysTray><C:\WINDOWS\system32\stobject.dll>  [(Verified)Microsoft Windows Component Publisher]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
        <WinlogonNotify: crypt32chain><crypt32.dll>  [(Verified)Microsoft Windows Component Publisher]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
        <WinlogonNotify: cryptnet><cryptnet.dll>  [(Verified)Microsoft Windows Component Publisher]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
        <WinlogonNotify: cscdll><cscdll.dll>  [(Verified)Microsoft Windows Component Publisher]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
        <WinlogonNotify: dimsntfy><%SystemRoot%\System32\dimsntfy.dll>  [(Verified)Microsoft Windows Component Publisher]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
        <WinlogonNotify: ScCertProp><wlnotify.dll>  [(Verified)Microsoft Windows Component Publisher]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
        <WinlogonNotify: Schedule><wlnotify.dll>  [(Verified)Microsoft Windows Component Publisher]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
        <WinlogonNotify: sclgntfy><sclgntfy.dll>  [(Verified)Microsoft Windows Component Publisher]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
        <WinlogonNotify: SensLogn><WlNotify.dll>  [(Verified)Microsoft Windows Component Publisher]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
        <WinlogonNotify: termsrv><wlnotify.dll>  [(Verified)Microsoft Windows Component Publisher]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\TPSvc]
        <WinlogonNotify: TPSvc><TPSvc.dll>  [(Verified)Cortado AG]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\VMUpgradeAtShutdown]
        <WinlogonNotify: VMUpgradeAtShutdown><VMUpgradeAtShutdownWXP.dll>  [(Verified)VMware, Inc.]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
        <WinlogonNotify: wlballoon><wlnotify.dll>  [(Verified)Microsoft Windows Component Publisher]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
        <{438755C2-A8BA-11D1-B96B-00A0C90312E1}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows Component Publisher]
        <{8C7461EF-2B13-11d2-BE35-3078302C2030}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows Component Publisher]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
        <Microsoft Windows Media Player><C:\WINDOWS\inf\unregmp2.exe /ShowWMP>  [(Verified)Microsoft Windows Component Publisher]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
        <Internet Explorer><%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE>  [File is missing]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
        <Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE>  [File is missing]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
        <Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll>  [File is missing]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
        <Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install>  [File is missing]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
        <NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT>  [(Verified)Microsoft Windows Component Publisher]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
        <Windows Messenger 4.7><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser>  [(Verified)Microsoft Windows Component Publisher]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
        <Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub>  [(Verified)Microsoft Windows Component Publisher]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
        <通讯簿 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install>  [File is missing]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
        <Windows 桌面更新><regsvr32.exe /s /n /i:U shell32.dll>  [(Verified)Microsoft Windows Component Publisher]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
        <Internet Explorer 6><%SystemRoot%\system32\ie4uinit.exe>  [(Verified)Microsoft Windows Component Publisher]
    [HKEY_CURRENT_USER\Control Panel\Desktop]
        <SCRNSAVE.EXE><C:\WINDOWS\System32\logon.scr>  [(Verified)Microsoft Windows Component Publisher]

    ==================================
    启动文件夹
    [runctf]
      <C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\runctf.lnk --> C:\WINDOWS\system32\rundll32.exe [Microsoft Corporation]><N>


    ==================================
    服务
    [Human Interface Device Access / HidServ][stopped/Disabled]
      <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
    [Online Armor Helper Service / OAcat][Running/Auto Start]
      <"C:\Program Files\Online Armor\OAcat.exe"><Emsisoft GmbH>
    [Online Armor / SvcOnlineArmor][Running/Auto Start]
      <C:\Program Files\Online Armor\oasrv.exe><Emsisoft GmbH>
    [TP AutoConnect Service / TPAutoConnSvc][Running/Manual Start]
      <"C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe"><Cortado AG>
    [TP VC Gateway Service / TPVCGateway][stopped/Manual Start]
      <"C:\Program Files\VMware\VMware Tools\TPVCGateway.exe"><Cortado AG>
    [VMware Tools / VMTools][Running/Auto Start]
      <"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"><VMware, Inc.>
    [VMware 物理磁盘助手服务 / VMware Physical Disk Helper Service][Running/Auto Start]
      <"C:\Program Files\VMware\VMware Tools\vmacthlp.exe"><VMware, Inc.>

    ==================================
    驱动程序
    [Creative AudioPCI (ES1371,ES1373) (WDM) / es1371][Running/Manual Start]
      <system32\drivers\es1371mp.sys><Creative Technology Ltd.>
    [OADriver / OADevice][Running/System Start]
      <\??\C:\WINDOWS\system32\drivers\OADriver.sys><N/A>
    [Online Armor helper driver / oahlpXX][Running/System Start]
      <\??\C:\WINDOWS\system32\drivers\oahlp32.sys><N/A>
    [OAmon / OAmon][Running/System Start]
      <\??\C:\WINDOWS\system32\drivers\OAmon.sys><Emsisoft>
    [OAnet / OAnet][Running/System Start]
      <\??\C:\WINDOWS\system32\drivers\OAnet.sys><Emsisoft>
    [AMD PCNET Compatable Adapter Driver / PCnet][stopped/Manual Start]
      <system32\DRIVERS\pcntpci5.sys><AMD Inc.>
    [Direct Parallel Link Driver / Ptilink][Running/Manual Start]
      <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
    [secdrv / Secdrv][stopped/Manual Start]
      <system32\DRIVERS\secdrv.sys><Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.>
    [VMware VMCI Bus Driver / vmci][Running/Boot Start]
      <\SystemRoot\system32\DRIVERS\vmci.sys><VMware, Inc.>
    [VMware Host Guest Client 重新定向器 / vmhgfs][Running/System Start]
      <system32\drivers\vmhgfs.sys><VMware, Inc.>
    [内存控制驱动程序 / VMMEMCTL][Running/Auto Start]
      <\??\C:\Program Files\Common Files\VMware\Drivers\memctl\vmmemctl.sys><VMware, Inc.>
    [VMware Pointing Device / vmmouse][Running/Manual Start]
      <system32\DRIVERS\vmmouse.sys><VMware, Inc.>
    [VMware Storage Controller Driver / vmscsi][Running/Boot Start]
      <\SystemRoot\system32\drivers\vmscsi.sys><VMware, Inc.>
    [VMware USB Pointing Device / vmusbmouse][Running/Manual Start]
      <system32\DRIVERS\vmusbmouse.sys><VMware, Inc.>
    [VMware Ethernet Adapter Driver / vmxnet][Running/Manual Start]
      <system32\DRIVERS\vmxnet.sys><VMware, Inc.>
    [vmx_svga / vmx_svga][Running/Manual Start]
      <system32\DRIVERS\vmx_svga.sys><VMware, Inc.>
    [vSockets Driver / vsock][Running/Boot Start]
      <\SystemRoot\system32\drivers\vsock.sys><VMware, Inc.>
    [KProcessHacker2 / KProcessHacker2][Running/Disabled]
      <\??\C:\Program Files\Process Hacker 2\kprocesshacker.sys><wj32>
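As an added example (not from UDady's post, and not code from Online Armor or SREng), below is a small Python triage pass over an SREng-style startup listing of the kind pasted above. The sample lines are constructed to mirror the post's format. The script flags the cases that matter for a report like this one: a startup-folder shortcut whose target is a signed host binary such as rundll32.exe (the `[Microsoft Corporation]` label belongs to rundll32 itself, not to whatever DLL it is told to load, and the listing shows only the target executable, not the shortcut's arguments), registry run entries without a `(Verified)` publisher, stale entries marked `File is missing`, and services or drivers with no publisher information. The regular expressions, the `HOST_BINARIES` set and the `triage` function are this example's own assumptions about the format, not an SREng API.

```python
"""Triage an SREng-style startup listing for entries worth a second look.

Added example; the line formats below are inferred from the listing in the post
and the sample data is constructed, not copied from a real machine.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the layout SREng prints: registry sections with
# <name><command>  [publisher], a startup-folder section with a shortcut,
# then service/driver sections with <image><company>.
SAMPLE_LISTING = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Windows Component Publisher]
    <Process Hacker 2><"C:\Program Files\Process Hacker 2\ProcessHacker.exe" -hide>  [wj32]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
    <Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll>  [File is missing]
[runctf]
  <C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\runctf.lnk --> C:\WINDOWS\system32\rundll32.exe [Microsoft Corporation]><N>
[Online Armor / SvcOnlineArmor][Running/Auto Start]
  <C:\Program Files\Online Armor\oasrv.exe><Emsisoft GmbH>
[OADriver / OADevice][Running/System Start]
  <\??\C:\WINDOWS\system32\drivers\OADriver.sys><N/A>
"""

SECTION_RE = re.compile(r"^\s*\[(?P<key>[^\]]+)\]")
REG_RE = re.compile(r"^\s*<(?P<name>[^>]*)><(?P<cmd>[^>]*)>\s*\[(?P<pub>[^\]]*)\]\s*$")
LNK_RE = re.compile(r"^\s*<(?P<lnk>[^>]*?\.lnk)\s*-->\s*(?P<target>.*?)\s*\[(?P<pub>[^\]]*)\]>")
IMG_RE = re.compile(r"^\s*<(?P<image>[^>]*)><(?P<pub>[^>]*)>\s*$")

# Signed Windows binaries that execute whatever their arguments point at; a
# publisher label on them says nothing about the payload (assumed set).
HOST_BINARIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


@dataclass(frozen=True)
class Finding:
    section: str
    item: str
    reason: str


def first_token(cmd: str) -> str:
    """Executable part of a command line, honouring a leading quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles \\??\\ and quotes)."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(listing: str) -> List[Finding]:
    findings: List[Finding] = []
    section = ""
    for line in listing.splitlines():
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key")
            continue
        m = REG_RE.match(line)
        if m:
            name, cmd, pub = m.group("name"), m.group("cmd"), m.group("pub")
            if not cmd.strip():
                continue  # empty value (e.g. AppInit_DLLs) runs nothing
            if pub == "File is missing":
                findings.append(Finding(section, name, "file missing: stale entry, confirm and remove"))
                continue
            exe = basename(first_token(cmd))
            if exe in HOST_BINARIES:
                findings.append(Finding(section, name, f"runs through {exe}: the verified label covers the host only, check its arguments"))
            if not pub.startswith("(Verified)"):
                findings.append(Finding(section, name, f"publisher not verified: {pub}"))
            continue
        m = LNK_RE.match(line)
        if m:
            exe = basename(first_token(m.group("target")))
            if exe in HOST_BINARIES:
                findings.append(Finding(section, basename(m.group("lnk")),
                                        f"startup shortcut targets {exe}: the listing omits its arguments, open the .lnk to see what it loads"))
            continue
        m = IMG_RE.match(line)
        if m:
            pub = m.group("pub").strip()
            if pub in ("", "N/A"):
                findings.append(Finding(section, basename(m.group("image")), "no publisher information"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LISTING):
        print(f"[{f.section}] {f.item}: {f.reason}")
```

On the constructed sample this reports four entries: the unverified Process Hacker run key, the stale Themes Setup entry, the runctf.lnk shortcut that points at rundll32.exe, and the OADriver driver with no publisher string. The verified ctfmon entry and the empty AppInit_DLLs value produce nothing, which is the point of keying on the shortcut's target rather than on its company label.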
