WhDO you know what they are?


This topic is locked
37 replies to this topic

#1 Prh
Advanced Member (Full Member, 128 posts)

Posted 20 November 2007 - 11:41 PM

Hello.

I apologize for the error in the title.
It was supposed to be "Do you know what they are?"

I had a scan with AVG Anti-Rootkit 'sandboxed',
using Sandboxie.

AVG showed me results:
C\WINDOWS\system32\drivers\bkoxmfwelldw.sys
C\WINDOWS\system32\Drivers\mchInjDrv.sys
both as the Hidden Driver Files.

I looked up with Google about them.
Nothing showed up about the first one ("bkoxmfwelldw"),
but there were comments about the latter ("mchInjDrv").

Some warned that "mchInjDrv" may be a trojan,
others commented that it may be something to do with legitimate software,
like 'a squared' or 'Prevx' (which I am not using).

I recall that there was some comment like
"Watch the malicious actions 'mchInjDrv' take when trapped in sandbox",
so probably it was not a component of the Sandboxie,
and I suppose Sandboxie defines it as malicious, too.

It is strange the last comment had disappeared the next time I looked up with Google.

I clicked 'Remove selected' in AVG,
but I suppose Sandboxie prevented the removal.
I guess Sandbox was just doing its job;
to prevent the attempt to make changes in the 'sandboxed' area.
AVG Anti-Rootkit presented that I have to reboot the PC to complete the deletion,
and after I allowed the action,
Sandboxie displayed a message that the attempt to re-start the computer had failed.

I rebooted the PC and then scanned the PC after that with AVG Anti-Rootkit 'without' the Sandboxie,
and it detected nothing.
However, when I used the AVG Anti-Rootkit 'sandboxed' again,
it immediately detected
C\WINDOWS\system32\Drivers\mchInjDrv.sys
again.

I stopped the scan in the middle,
to post this message here.
I don't know if there were more to be detected.


In the first scan,
there were many more detected in the 'c' drive (not 'C'),
all including the name "Firefox".
I was using Firefox during that time,
also 'sandboxed',
so I guess attempts to catch the signal related with Firefox from the Drive
were prevented by Sandboxie.
Maybe I should ignore this one...but I'm not sure.

(I posted here because there was some error in my previous post.
After I edited it,
I found it was stopped in the middle.
The later half of the post had disappeared,
the first half ended with a "#" or something.
When I returned to the previous editing page,
it was normal.
The message was all displayed there down to the last sentence.
So I think it was not because of the mistake in typing.
I copied the full message there,
pasted it to a new editing screen,
and when I submitted it,
the beginning of the message started from the middle of some sentence,
and the last part of the message also ended in the middle of a sentence,
a sentence that was far away from the real ending part.
After I posted this message here,
and edited the previous post with this message deleted,
it recovered to the normal state.)

Edited by Prh, 21 November 2007 - 12:22 AM.


#2 SWI Support Robot
Helper robot (SWI Bot, 23,476 posts)

Posted 23 November 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 nasdaq
Forum Deity (Global Moderator, 47,832 posts)

Posted 27 November 2007 - 04:49 PM

Hi,

Please read this article and follow the protocol.
http://forums.spywar...showtopic=23382
Then submit a fresh HijackThis log. It's the only way we can give you sound advice.

Make sure you have the latest version of HijackThis. If not,

Please download and install the latest version of HijackThis v2.0.2:

CLICK HERE to download the HijackThis Installer:
  • Save HJTInstall.exe to your desktop.
  • Double-click on HJTInstall.exe to run the program.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Accept the license agreement by clicking the "I Accept" button.
  • Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  • Click "Save log" to save the log file and then the log will open in Notepad.
  • Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste the log in your next reply.
  • Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
Delete the older version once you have successfully downloaded and installed the latest version.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating;
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#4 Prh
Advanced Member (Full Member, 128 posts)

Posted 27 November 2007 - 09:49 PM

Thank you.

I had a scan with HijackThis, which I installed with the installer I downloaded from the link that was shown.

This is the log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:02, on 2007/11/28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\InfoProcess\AntiHook\3.0\HipService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\I-O DATA\IoDevMgrService\IoDevMgrService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Fujitsu\PCKARTE\PCKTESVC.EXE
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Fujitsu\sa\api\SBRSVC.EXE
C:\WINDOWS\system32\sdpasvc.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Fujitsu\PowerUtility\schedule\PUSCSRVC.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Sandboxie\SandboxieRpcSs.exe
C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Sandbox\Owner\DefaultBox\drive\C\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O8 - Extra context menu item: Bookshelfで検索(&L) - res://C:\Program Files\Microsoft Reference\Microsoft Bookshelf 3.0\bsdef.dll/#1001
O8 - Extra context menu item: Microsoft Excel にエクスポート(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://update.microsoft.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1191034797690
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1191034768428
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: InfoProcess HipService Workstation Service (HipService) - InfoProcess Pty Ltd. - C:\Program Files\InfoProcess\AntiHook\3.0\HipService.exe
O23 - Service: I-O DATA Device Management Service (IoDevMgrService) - I-O DATA DEVICE,INC. - C:\Program Files\I-O DATA\IoDevMgrService\IoDevMgrService.exe
O23 - Service: PCKarte Client Tool Service (PCKarte) - FUJITSU LIMITED - C:\Program Files\Fujitsu\PCKARTE\PCKTESVC.EXE
O23 - Service: PowerUtility Schedule (PUSCSRVC) - FUJITSU LIMITED - C:\Program Files\Fujitsu\PowerUtility\schedule\PUSCSRVC.exe
O23 - Service: PowerUtility Remote Power Management Service (putlrsrv) - FUJITSU LIMITED - C:\PROGRA~1\Fujitsu\POWERU~1\remote\PUTLRSRV.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: SBRLLA For FM Advisor (SBRLLA) - FUJITSU LIMITED - C:\Program Files\Fujitsu\sa\api\SBRSVC.EXE
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: WTITBJWUADMI - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Owner\LOCALS~1\Temp\WTITBJWUADMI.exe

--
End of file - 5685 bytes



Also, I wrote in my other post about some other problems that occurred.
(I was not sure if I should post it here,
since it doesn't seem to be directly involved with the topic title here.
But I'll post the message here, too.
In the previous post, I posted about any problems that occurred to my PC.)

"I saw 'gbaA.exe' when I opened the task manager.
It was using over 10,000 KB of memory.
When I searched for the name,
there was
GBAA.EXE-0990AE26.pf C\WINDOWS\Prefetch
found in my PC.
During the search, 'gbaA.exe' had disappeared from the task manager screen, to my surprise.

I looked up 'gbaA.exe' in Google,
but nothing appeared.

Also, the PC was moving very slowly these days,
and I thought it was because of 'ThreatFire'.
After I disabled it,
the CPU dropped down from 100 percent to about 50 percent (as I recall),
so I thought that the problem was solved.
But the PC became slow again, so then I thought it was because of the AVG Resident Shield,
and I disabled it also.
After AVG disappeared from the task tray,
the CPU dropped down to about 20 percent,
so I thought this time the problem was solved.

However, even though I disabled the ThreatFire and AVG yesterday,
the CPU was used up to 100 percent again.
In addition, the Windows Live OneCare was disabled,
so I had to activate the AVG Resident Shield for the security of my PC.

Today, I checked the AVG and the Resident Shield was on.
It was remaining in the tray icon after I clicked '×'.
Strangely, however, when I was having a search with Google for 'AVG Resident Shield conflict',
the AVG icon in the task bar had disappeared."

Edited by Prh, 27 November 2007 - 11:02 PM.
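As an added example that is not part of this thread, of HijackThis, or of any tool named here: a small Python triage helper for the O4 (Run key) and O23 (service) lines of a HijackThis v2 log. It parses each line and flags, for a manual look, entries whose binary lives under a temp or user-profile directory and services whose company field reads "Unknown owner"; the sample lines are copied from the log above, and the flagging heuristic is the example's own assumption, not a verdict on any of those entries.

```python
"""Triage helper for HijackThis v2 log lines (added example, not from the thread).

Parses O4 (Run keys) and O23 (services) entries and flags those whose binary
lives in a temp or user-profile directory, which is unusual for a service and
worth a manual look. The heuristic is the example author's own, not HijackThis's.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a few lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: WTITBJWUADMI - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Owner\LOCALS~1\Temp\WTITBJWUADMI.exe
"""

# O4 - <hive>\..\Run: [<value name>] <command line>
_O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
_O23_PREFIX = "O23 - Service: "

# Directories where a service or autostart binary is unusual enough to review by hand.
SUSPECT_DIR_RE = re.compile(
    r"(\\temp\\|\\tmp\\|locals~1|\\local settings\\|\\docume~1\\|"
    r"\\documents and settings\\|%temp%|\\appdata\\)",
    re.IGNORECASE,
)


@dataclass
class Entry:
    kind: str                      # "O4" or "O23"
    name: str                      # Run-key value name or service display name
    vendor: str                    # O23 company field ("" for O4 entries)
    path: str                      # command/path with surrounding quotes removed
    flags: List[str] = field(default_factory=list)


def _strip_quotes(cmd: str) -> str:
    """Return the quoted executable if the command starts with a quote, else the command."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd


def parse_line(line: str) -> Optional[Entry]:
    """Parse one O4 or O23 line; return None for every other HijackThis line."""
    line = line.rstrip()
    m = _O4_RE.match(line)
    if m:
        return Entry("O4", m.group("name"), "", _strip_quotes(m.group("cmd")))
    if line.startswith(_O23_PREFIX):
        parts = line[len(_O23_PREFIX):].split(" - ")
        if len(parts) < 3:
            return None
        # The vendor field may itself contain " - " (e.g. "Sysinternals - www.sysinternals.com"),
        # so take the name from the first part, the path from the last, vendor from the rest.
        return Entry("O23", parts[0], " - ".join(parts[1:-1]), parts[-1].strip())
    return None


def assess(entry: Entry) -> Entry:
    """Attach review flags to an entry (heuristic, assumed for this example)."""
    if SUSPECT_DIR_RE.search(entry.path):
        entry.flags.append("temp-or-profile-path")
    if entry.kind == "O23" and entry.vendor.lower() == "unknown owner":
        entry.flags.append("unknown-owner")
    return entry


def triage(log_text: str) -> List[Entry]:
    """Parse and assess every O4/O23 line of a HijackThis log, in log order."""
    entries: List[Entry] = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None:
            entries.append(assess(e))
    return entries


def flagged(log_text: str) -> List[Entry]:
    """Only the entries that carry at least one review flag."""
    return [e for e in triage(log_text) if e.flags]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.kind} {e.name!r}: {', '.join(e.flags)} -> {e.path}")
```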


#5 nasdaq
Forum Deity (Global Moderator, 47,832 posts)

Posted 28 November 2007 - 11:15 AM

Hi,

Nothing suspicious was found in your log. Run this tool and let me see the log.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

nasdaq


#6 Prh
Advanced Member (Full Member, 128 posts)

Posted 28 November 2007 - 11:22 PM

Hello.

Thank you for checking the HijackThis log.

I downloaded SDFix from the link shown,
and ran RunThis.bat in Safe Mode.

This is the result:
SDFix: Version 1.116

Run by Owner on 2007/11/29 at 12:44

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found
Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-29 12:57:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions]
"\xff910\xff710\xff830\xff880 ?\xff790\xff710\xff780\x30fb\x30fb\x30fb ?\xff9f0\xff8b0\xff9d0\x30fb\xff880????"=str(7):"102\"
"\xe326\xff65c\xff910\x30fb\x30fb\x30fb????"=str(7):"1\"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions]
"\xff910\xff710\xff830\xff880 ?\xff790\xff710\xff780\x30fb\x30fb\x30fb ?\xff9f0\xff8b0\xff9d0\x30fb\xff880????"=str(7):"102\"
"\xe326\xff65c\xff910\x30fb\x30fb\x30fb????"=str(7):"1\"

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\J0\27l\xf8f1\x6089\x695d\x30fbP}i\x95dc]
"SlowInfoCache"=hex:28,02,00,00,00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,00,00,..
"Changed"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\f0M0q0M0\xff76[\b\x30fb|\xff9e0\x30fb\23\xf8f3]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,f0,98,42,01,3a,..
"Changed"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\\xff810\xff670\xff790X]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,00,80,cd,00,00,00,00,00,70,63,ea,4c,44,..
"Changed"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\yrSb\21\xf8f3i]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,00,80,f8,02,00,00,00,00,90,bc,64,57,3a,..
"Changed"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\xf8f3#\xf8f3\xff890\xff6d0\x30fb\x30fb\x30fb\xff880\xff8a0\xff930\xff720\x30fb\xff7f0]
"SlowInfoCache"=hex:28,02,00,00,00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,00,00,..
"Changed"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\C:\\xff750\x30fb\xff710\xff640n]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes]
"\31j\x58a8n0D}0\bT\x30fb[0??"="",,,,,,,,,,,,,""
"Kb ?1?"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\handapst.ani,C:\WINDOWS\Cursors\hand.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\hnodrop.cur,C:\WINDOWS\Cursors\hns.cur,C:\WINDOWS\Cursors\hwe.cur,C:\WINDOWS\Cursors\hnwse.cur,C:\WINDOWS\Cursors\hnesw.cur,C:\WINDOWS\Cursors\hmove.cur,""
"Kb ?2?"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\handapst.ani,C:\WINDOWS\Cursors\handwait.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\handno.ani,C:\WINDOWS\Cursors\handns.ani,C:\WINDOWS\Cursors\handwe.ani,C:\WINDOWS\Cursors\handnwse.ani,C:\WINDOWS\Cursors\handnesw.ani,C:\WINDOWS\Cursors\hmove.cur,""
"P`\xff9cz"=""C:\WINDOWS\Cursors\3dgarro.cur,,C:\WINDOWS\Cursors\dinosaur.ani,C:\WINDOWS\Cursors\dinosau2.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\banana.ani,C:\WINDOWS\Cursors\3dsns.cur,C:\WINDOWS\Cursors\3dgwe.cur,C:\WINDOWS\Cursors\3dsnwse.cur,C:\WINDOWS\Cursors\3dgnesw.cur,C:\WINDOWS\Cursors\3dsmove.cur,""
"\xff6a0\x30fb\x30fb\xff890 ?\xff950\xff610\xff830\xff770\x30fb\x30fb????"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\horse.ani,C:\WINDOWS\Cursors\barber.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\coin.ani,C:\WINDOWS\Cursors\3dgns.cur,C:\WINDOWS\Cursors\3dgwe.cur,C:\WINDOWS\Cursors\3dgnwse.cur,C:\WINDOWS\Cursors\3dgnesw.cur,C:\WINDOWS\Cursors\3dgmove.cur,""
"\xff730\x30fb\xff800\xff6f0\xff7f0?"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\drum.ani,C:\WINDOWS\Cursors\metronom.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\piano.ani,C:\WINDOWS\Cursors\hns.cur,C:\WINDOWS\Cursors\hwe.cur,C:\WINDOWS\Cursors\hnwse.cur,C:\WINDOWS\Cursors\hnesw.cur,C:\WINDOWS\Cursors\hmove.cur,""
"\x7578'Y\xff9d0\xff640\x30fb\xff7f0??"=""C:\WINDOWS\Cursors\larrow.cur,,C:\WINDOWS\Cursors\lappstrt.cur,C:\WINDOWS\Cursors\lwait.cur,C:\WINDOWS\Cursors\lcross.cur,C:\WINDOWS\Cursors\libeam.cur,,C:\WINDOWS\Cursors\lnodrop.cur,C:\WINDOWS\Cursors\lns.cur,C:\WINDOWS\Cursors\lwe.cur,C:\WINDOWS\Cursors\lnwse.cur,C:\WINDOWS\Cursors\lnesw.cur,C:\WINDOWS\Cursors\lmove.cur,""
"D0\x30fbD0\x30fbj0\xff9d0\xff640\x30fb\xff7f0???"=""C:\WINDOWS\Cursors\fillitup.ani,,C:\WINDOWS\Cursors\raindrop.ani,C:\WINDOWS\Cursors\counter.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\wagtail.ani,C:\WINDOWS\Cursors\sizens.ani,C:\WINDOWS\Cursors\sizewe.ani,C:\WINDOWS\Cursors\sizenwse.ani,C:\WINDOWS\Cursors\sizenesw.ani,""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\\xff620\x30fb\xff640\x30fb\xff790\xff880\x30fb\x30fbn0\xff900\xff830\xff6f0\xff620\xff830\xff970 ]
@="{67cf8cbd-e5c0-44f7-9de5-e1d599d626d8}"
"Description"="\x3053\x306e\x30d0\x30fc\x30b8\x30e7\x30f3\x306e Windows \x3092\x30a2\x30f3\x30a4\x30f3\x30b9\x30c8\x30fc\x30eb\x3057\x3066\x524d\x306e\x30aa\x30da\x30ec\x30fc\x30c6\x30a3\x30f3\x30b0 \x30b7\x30b9\x30c6\x30e0\x306b\x623b\x308b\x5834\x5408\x306f\x3001\x3053\x308c\x3089\x306e\x30d5\x30a1\x30a4\x30eb\x304c\x5fc5\x8981\x3067\x3059\x3002"
"Display"="\x524d\x306e\x30aa\x30da\x30ec\x30fc\x30c6\x30a3\x30f3\x30b0 \x30b7\x30b9\x30c6\x30e0\x306e\x30d0\x30c3\x30af\x30a2\x30c3\x30d7 \x30d5\x30a1\x30a4\x30eb"
"IconPath"=str(2):"%SystemRoot%\system32\osuninst.EXE,0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\J0\27l\xf8f1\x6089\x695d\x30fbP}i\x95dc]
"DisplayName"="\x304a\x6c17\x8efd\x9ebb\x96c0\x5036\x697d\x90e8"
"UninstallString"="C:\WINDOWS\YsWorksUNINST.exe "C:\Program Files\OKIMJ\uninst.ini""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\f0M0q0M0\xff76[\b\x30fb|\xff9e0\x30fb\23\xf8f3]
"DisplayName"="\x3066\x304d\x3071\x304d\x5bb6\x8a08\x7c3f\x30de\x30e0\xff13"
"UninstallString"="C:\PROGRA~1\mom3\UNINST.EXE C:\PROGRA~1\mom3\mom3INST.LOG"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\xff810\xff670\xff790X]
"DisplayName"="\x30c1\x30a7\x30b9XP"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\yrSb\21\xf8f3i]
"UninstallString"="C:\WINDOWS\IsUn0411.exe -f"C:\Program Files\SOURCENEXT\\x7279\x6253\xff11in\T1IN.isu""
"DisplayName"="\x7279\x6253\xff11in"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\xf8f3#\xf8f3\xff890\xff6d0\x30fb\x30fb\x30fb\xff880\xff8a0\xff930\xff720\x30fb\xff7f0]
"UninstallString"="C:\WINDOWS\IsUn0411.exe -f"C:\Program Files\pcdNavi\Uninst.isu""
"DisplayName"="\xff30\xff23\x30c9\x30ad\x30e5\x30e1\x30f3\x30c8\x30ca\x30d3\x30b2\x30fc\x30bf"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"OfflineDetectionPending"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper]
"-\xf8f33\xf8f3 ?\16f\35g"=dword:0000c080
"-\xf8f33\xf8f3 ?0\xf8f3\16f\35g"=dword:00004080
"-\xf8f33\xf8f3 ?\xff740\xff770\xff830\xff6f0"=dword:00008080
"-\xf8f33\xf8f3 ?0\xf8f3\xff740\xff770\xff830\xff6f0"=dword:00000080
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
"-\xf8f33\xf8f3 ?\xff740\xff770\xff830\xff6f0 ?&? ?-\xf8f33\xf8f3 ?0\xf8f3\xff740\xff770\xff830\xff6f0 ?&? ?M?S? ?U?I? ?G?o?t?h?i?c? ?(?T?r?u?e?T?y?p?e?)?"="MSGOTHIC.TTC"
"-\xf8f33\xf8f3 ?\16f\35g ?&? ?-\xf8f33\xf8f3 ?0\xf8f3\16f\35g ?(?T?r?u?e?T?y?p?e?)?"="MSMINCHO.TTC"
"ck\xff7f\x5404yWSL\x5f15fSO ?&? ?ck\xff7f\x5404yWSL\x5f15fSOP? ?(?T?r?u?e?T?y?p?e?)?????"="FGTshgyU.ttc"
"ck\xff7f\x5404yWSL\x5f15fSOE?X? ?&? ?ck\xff7f\x5404yWSL\x5f15fSOE?X?P? ?(?T?r?u?e?T?y?p?e?)?????"="SyGyEx.ttc"
"\x7483Am\xff77\x9453f ?(?T?r?u?e?T?y?p?e?)???"="BGREIRR.TTF"
"_l8b\xff98R\xff6dNAm ?&? ?_l8b\xff98R\xff6dNAm0\xf8f3 ?(?T?r?u?e?T?y?p?e?)?"="Edokan.ttc"
"\tg\xff64oL\x5f15f ?(?T?r?u?e?T?y?p?e?)??"="FAGGM_0.TTF"
"\tg\xff64owi\xe606 ?(?T?r?u?e?T?y?p?e?)??"="FAKAIM_0.TTF"
"Z\x5e76wL\x5f15f ?(?T?r?u?e?T?y?p?e?)???"="FGGYM_0.TTF"
"eyWSL\x5f15fSO ?&? ?eyWSL\x5f15fSOP? ?(?T?r?u?e?T?y?p?e?)???"="FGTshgyo.ttc"
"K`\x3303\xff9a0\x30fbW[ ?(?T?r?u?e?T?y?p?e?)???"="BGPENKB.TTF"
"\xff8c[\x30fb\xff9d0\xff830\xff970 ?&? ?\xff8c[\x30fb\xff9d0\xff830\xff9700\xf8f3 ?(?T?r?u?e?T?y?p?e?)???"="FUJIPOP.TTC"
"\tg\xff64o*Ywi\xe606 ?&? ?\tg\xff64o*Ywi\xe606P? ?(?T?r?u?e?T?y?p?e?)???"="Fakaib_0.ttc"
"u00\xff740\xff770\xff830\xff6f0 ?(?T?r?u?e?T?y?p?e?)?"="FgFumi.ttf"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes]
"\31j\x58a8\16f\35g?"="\xff2d\xff33 \x660e\x671d"
"\31j\x58a8\xff740\xff770\xff830\xff6f0?"="\xff2d\xff33 \x30b4\x30b7\x30c3\x30af"
"\xff740\xff770\xff830\xff6f0"="\xff2d\xff33 \x30b4\x30b7\x30c3\x30af"
"z\xf8f3\x30fb|\xf8f3o\xf8f3x\xf8f3?"="\xff2d\xff33 \x30b4\x30b7\x30c3\x30af"
"x\xf8f3p\xf8f3\x30fbt\xf8f3?"="Courier"
"\x80\xf8f3r\xf8f3\x30fb}\xf8f3\x30fb\x30fb\x30fb\x30fb?????"="Times New Roman"
"\x30fb\x30fb\x30fb\x30fb\x30fbv\xf8f3?????"="Arial"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Volume Control\ALi Audio Wave\\xff9e0\xff790\xff7f0\xe28a\xff8f]
"LineStates"=hex:00,00,00,00,de,30,b9,30,bf,30,f3,97,cf,91,00,00,00,00,00,00,00,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MapGroups]
"}\xf8f3\x80\xf8f3p\xf8f3\x30fbq\xf8f3o\xf8f3\x30fb\x30fb???"="\x30b9\x30bf\x30fc\x30c8\x30a2\x30c3\x30d7"
"q\xf8f3x\xf8f3~\xf8f3{\xf8f3\x30fb?"="\x30a2\x30af\x30bb\x30b5\x30ea"
"y\xf8f3\x30fbp\xf8f3\x30fb??"="\x30b2\x30fc\x30e0"
"\x30fbr\xf8f3\x30fb??"="\x30e1\x30a4\x30f3"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\\x30fb\x30fb\xff6f0]
"Order"=hex:08,00,00,00,02,00,00,00,8a,01,00,00,01,00,00,00,04,00,00,00,68,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\J0\27l\xf8f1\x6089\x695d\x30fbP}i\x95dc]
"Order"=hex:08,00,00,00,02,00,00,00,82,01,00,00,01,00,00,00,03,00,00,00,7e,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\xff620\xff6f0\xff7b0\xff750\x30fb]
"Order"=hex:08,00,00,00,02,00,00,00,1c,06,00,00,01,00,00,00,0b,00,00,00,86,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\xff620\xff6f0\xff7b0\xff750\x30fb\\xff680\x30fb\xff7f0\x30fb\xff860\xff640\x30fb\x30fb\xff880]
"Order"=hex:08,00,00,00,02,00,00,00,0c,00,00,00,01,00,00,00,00,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\xff620\xff6f0\xff7b0\xff750\x30fb\\xff770\xff790\xff860\x30fb ]
"Order"=hex:08,00,00,00,02,00,00,00,aa,00,00,00,01,00,00,00,01,00,00,00,9e,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\xff790\xff7f0\x30fb\xff880\xff620\xff830\xff970]
"Order"=hex:08,00,00,00,02,00,00,00,0c,00,00,00,01,00,00,00,00,00,00,00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\GrpConv\MapGroups]
"\xff720\x30fb\x30fb??"="\x30a2\x30af\x30bb\x30b5\x30ea\\x30b2\x30fc\x30e0"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\UnreadMail\\x30fb\x30fb\xff6b0\x30fb]
"MessageCount"=dword:00000000
"TimeStamp"=hex:00,6a,9e,c1,9f,07,c8,01
"Application"="%ProgramFiles%\Fujitsu\\xff20\x30e1\x30fc\x30eb\AtMail.exe"

scanning hidden files ...

C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Ent.dat 4168 bytes
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\prov.xml 250 bytes
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\service.xml 6692 bytes
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\service.xml.bak 6692 bytes
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\user.xml 1503 bytes
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\user.xml.bak 1503 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 7


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Panasonic\\SD-JukeboxV5\\sd-jukebox.exe"="C:\\Program Files\\Panasonic\\SD-JukeboxV5\\sd-jukebox.exe:*:Enabled:SD-JukeboxV5"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Panasonic\\SD-JukeboxV5\\sd-jukebox.exe"="C:\\Program Files\\Panasonic\\SD-JukeboxV5\\sd-jukebox.exe:*:Enabled:SD-JukeboxV5"

Remaining Files:
---------------


Files with Hidden Attributes:

Thu 18 Apr 2002 372,224 A..HR --- "C:\Documents and Settings\Owner\My Documents\@NetHome.exe"
Sun 14 Oct 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!



Also, this is the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:18:16, on 2007/11/29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\InfoProcess\AntiHook\3.0\HipService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\I-O DATA\IoDevMgrService\IoDevMgrService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Fujitsu\PCKARTE\PCKTESVC.EXE
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Fujitsu\sa\api\SBRSVC.EXE
C:\WINDOWS\system32\sdpasvc.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Fujitsu\PowerUtility\schedule\PUSCSRVC.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Sandboxie\SandboxieRpcSs.exe
C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O8 - Extra context menu item: Bookshelfで検索(&L) - res://C:\Program Files\Microsoft Reference\Microsoft Bookshelf 3.0\bsdef.dll/#1001
O8 - Extra context menu item: Microsoft Excel にエクスポート(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://update.microsoft.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1191034797690
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1191034768428
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: InfoProcess HipService Workstation Service (HipService) - InfoProcess Pty Ltd. - C:\Program Files\InfoProcess\AntiHook\3.0\HipService.exe
O23 - Service: I-O DATA Device Management Service (IoDevMgrService) - I-O DATA DEVICE,INC. - C:\Program Files\I-O DATA\IoDevMgrService\IoDevMgrService.exe
O23 - Service: PCKarte Client Tool Service (PCKarte) - FUJITSU LIMITED - C:\Program Files\Fujitsu\PCKARTE\PCKTESVC.EXE
O23 - Service: PowerUtility Schedule (PUSCSRVC) - FUJITSU LIMITED - C:\Program Files\Fujitsu\PowerUtility\schedule\PUSCSRVC.exe
O23 - Service: PowerUtility Remote Power Management Service (putlrsrv) - FUJITSU LIMITED - C:\PROGRA~1\Fujitsu\POWERU~1\remote\PUTLRSRV.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: SBRLLA For FM Advisor (SBRLLA) - FUJITSU LIMITED - C:\Program Files\Fujitsu\sa\api\SBRSVC.EXE
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: WTITBJWUADMI - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\WTITBJWUADMI.exe (file missing)

--
End of file - 6227 bytes


After I pasted this, I noticed
O23 - Service: WTITBJWUADMI - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\WTITBJWUADMI.exe (file missing)
at the bottom of the log.
I wonder what 'WTITBJWUADMI - Unknown owner' is...

#7 Prh (Advanced Member, Full Member, 128 posts)

Posted 29 November 2007 - 02:01 AM

After I posted the logs here,
I began a scan with AVG Anti-Spyware
and left the room.

When I came back to the room after quite a long time,
I saw the Spybot TeaTimer giving me a warning
that an important change was made to the registry,
in the 'NT Start Up - load'.

I tried to post a message about this here,
but the screen was frozen
(I thought it was because of the heavy memory usage of AVG, but I wasn't sure.)

I clicked 'deny' for the change made,
and rebooted the PC.

I hope the 'NT Start Up - load' wasn't involved with malware or something...

(I tried to post this message in my previous post also,
but it turned out to appear as a message cut in the middle,
like what happened the other time.)



--------------------------------------------------------------------



Hello.

I noticed that Sandboxie wouldn't work.
I can have it show the main window,
but I can't have a program run 'sandboxed'.
I thought maybe it's because I disabled (with Spybot S&D)
the change in the registry ('NT Start Up - load'),
as I have written above.

Also, the Spybot S&D TeaTimer isn't appearing in the task tray.
I thought maybe this also has something to do with it, but I wasn't sure.
(TeaTimer has been failing sometimes to start up automatically these days,
before I disabled 'NT Start Up - load').


I remembered also that during the scan with SDFix,
I mouse-clicked parts of the screen to see the lines below.
I worried later that this clicking may have interfered with the normal procedure of the scan.


Finally,about the WTITBJWUADMI.exe:

I noticed that in the first HiJackThis log I posted here,
it appeared as

O23 - Service: WTITBJWUADMI - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Owner\LOCALS~1\Temp\WTITBJWUADMI.exe

while in the second log it appeared as

O23 - Service: WTITBJWUADMI - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\WTITBJWUADMI.exe (file missing)

Trojan Remover warned me that some file (I recall its name was similar to 'WTITBJWUADMI.exe')
doesn't seem to exist anymore,
and some registry key was directed to it (or something).
I had Trojan Remover remove the key.

No other problem seems to be occurring.
I'll go back to using the internet.

Edited by Prh, 29 November 2007 - 03:41 AM.


#8 nasdaq (Forum Deity, Global Moderator, 47,832 posts)

Posted 29 November 2007 - 08:53 AM

Nice work. Clean this item from the registry.

Please run Notepad and copy the following text into a new file:

sc config WTITBJWUADMI start= disabled
sc stop WTITBJWUADMI
sc delete WTITBJWUADMI


Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files". Locate remove.bat on the Desktop and double-click on it to run it. Please note any errors encountered.

Please read this Prevention page with lots of info and tips how to prevent this in the future.
http://users.telenet...prevention.html
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760
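As an added example (my own code, not from the thread, HijackThis or nasdaq's instructions), here is the triage a helper does by eye on the O23 line above, written out: parse the O23 entries of a HijackThis log, score the pattern the thread flags (a service whose binary sits under a user's Temp directory, has gone missing, or has no recorded owner) and emit the same sc disable/stop/delete sequence for each hit. The line grammar, the indicator weights and the threshold are assumptions.

```python
"""Triage 'O23 - Service:' lines from a HijackThis log.

Added example, not code from the thread, HijackThis or nasdaq: the line grammar
is inferred from the O23 lines posted above; indicator weights are assumptions.
"""
import re
from dataclasses import dataclass, field

# O23 - Service: <display> [(<short>)] - <owner> - <image path> [(file missing)]
# The path is anchored to a drive letter or UNC prefix so an owner that itself
# contains " - " ("Sysinternals - www.sysinternals.com") is not taken as the path.
_O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>(?:[A-Za-z]:\\|\\\\).*?)"
    r"(?P<missing> \(file missing\))?$"
)
_TEMP_MARKERS = ("\\temp\\", "\\tmp\\")  # assumed: no service binary belongs here

# (weight, reason, predicate). "Unknown owner" alone is a weak signal: unsigned
# but legitimate helpers (the ATI poller in the log) show up that way too.
_INDICATORS = (
    (2, "service binary registered under a Temp directory",
     lambda e: any(m in e.path.lower() for m in _TEMP_MARKERS)),
    (2, "registered binary no longer exists on disk", lambda e: e.file_missing),
    (1, "no publisher recorded for the service binary",
     lambda e: e.owner == "Unknown owner"),
)
SUSPICIOUS_THRESHOLD = 2  # assumed cut-off


@dataclass
class ServiceEntry:
    display: str
    short: str          # name to use with sc.exe
    owner: str
    path: str
    file_missing: bool
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def parse_o23(line: str):
    """Return a scored ServiceEntry for an O23 line, or None for any other line."""
    m = _O23_RE.match(line.strip())
    if not m:
        return None
    entry = ServiceEntry(
        display=m.group("display"),
        # HijackThis omits the bracketed short name when it equals the display name.
        short=m.group("short") or m.group("display"),
        owner=m.group("owner"),
        path=m.group("path"),
        file_missing=m.group("missing") is not None,
    )
    for weight, reason, hit in _INDICATORS:
        if hit(entry):
            entry.score += weight
            entry.reasons.append(reason)
    return entry


def triage(log_text: str):
    """Parse a whole HijackThis log and return the suspicious O23 entries, in log order."""
    parsed = (parse_o23(ln) for ln in log_text.splitlines())
    return [e for e in parsed if e is not None and e.suspicious]


def sc_cleanup_plan(entry: ServiceEntry):
    """Disable / stop / delete sequence from the thread, keyed by the sc name.
    'sc stop' is expected to fail when the service is not running (normal once
    its binary is gone); the delete is attempted regardless."""
    return [
        f"sc config {entry.short} start= disabled",
        f"sc stop {entry.short}",
        f"sc delete {entry.short}",
    ]


# Constructed sample: O23 lines copied from the two HijackThis logs in the
# thread, plus one O4 line to show that non-service lines are skipped.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: WTITBJWUADMI - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Owner\LOCALS~1\Temp\WTITBJWUADMI.exe
O23 - Service: WTITBJWUADMI - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\WTITBJWUADMI.exe (file missing)
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.short}: score {e.score} ({'; '.join(e.reasons)})")
        print("\n".join("    " + cmd for cmd in sc_cleanup_plan(e)))
```

Run against the sample, only the two WTITBJWUADMI entries cross the threshold; the ATI poller scores 1 on "Unknown owner" alone and is left out, which matches how the thread treats it.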

#9 Prh (Advanced Member, Full Member, 128 posts)

Posted 29 November 2007 - 11:52 PM

Hello.

I encountered some problems.

It may be because I disabled 'NT Start Up - logon' yesterday.

According to ThreatFire, there were 'two' Suspicious Actions detected in 'the last 7 days'.
The number of times I disabled the 'NT Start Up - logon' yesterday was 'two', too.
The two suspicious actions were not listed in the 'today' tab.
These are the first errors I have seen detected by ThreatFire since I installed it.

When I checked the Start Up list with 'msconfig',
I noticed that most of the programs that used to be listed were gone.
Only four of them are left:
・ctfmon
・TeaTimer
・SbieCtrl
・FMVLauncherKicker
(※The last one is disabled.)
All of the Microsoft programs have disappeared.

According to Spybot S&D,
there are others activated as Start Up programs,
other than those four:

・WinLogon(Current System) crypt32chain
・WinLogon(Current System) cryptnet
・WinLogon(Current System) cscdll
・WinLogon(Current System) ScCertProp
・WinLogon(Current System) Schedule
・WinLogon(Current System) sclgntfy
・WinLogon(Current System) SensLogn
・WinLogon(Current System) termsrv
・WinLogon(Current System) wlbaloon

but still,many others have disappeared from the list totally.


On the other hand,
running the remove.bat file of
sc config WTITBJWUADMI start= disabled
sc stop WTITBJWUADMI
sc delete WTITBJWUADMI
succeeded partly.

Though the latter two
(sc stop WTITBJWUADMI
sc delete WTITBJWUADMI)
seemed to have failed (an error message, 'Failed 1006' or something like that, was displayed),
the first one (sc config WTITBJWUADMI start= disabled) had been completed successfully.

I also read the sentences in the link shown.
I'll be careful about the conflicts between Resident Shields.

Edited by Prh, 29 November 2007 - 11:53 PM.


#10 nasdaq (Forum Deity, Global Moderator, 47,832 posts)

Posted 30 November 2007 - 10:17 AM

Download WinKRootKitRemover
http://secured2k.hom...tKitRemover.exe
and save it on your desktop.
Double click WinKRootKitRemover.exe to start the tool.
It will reboot your computer. This is normal.
It will create a log on your desktop. Save it.

Post the contents of the log to this topic.

#11 Prh (Advanced Member, Full Member, 128 posts)

Posted 30 November 2007 - 08:05 PM

Hello.

Before reading the post here,
I was thinking what else I could do,
and downloaded some registry cleaners.

Registry Medic detected about 100 errors in the registry.
Because it was an evaluation version,
I could only delete several errors at a time,
but still after many deletions,
I arrived at a state in which there were no more errors to be detected by it.

I also used Registry Fixer, Wise Registry Cleaner, and Check PC For Errors in the intervals.
Each of them detected some errors too,
and I had them fix those.

However,
RegSeeker and Free Windows Registry Repair listed many more errors.
They detected many errors again after the deletion.

There was some trial software too which listed many errors,
but wouldn't fix the problems until I paid for it.

I tried Baku after that,
which detected and fixed many problems,
but I'm not sure whether the registry is clean.

I began using Registry Optimizer today,
which already is detecting some errors.
This trial version allows me to fix 10 problems at a time.


And now, I read your message.

I downloaded WinKRootKitRemover.

This is the result of the scan:


12/01/2007, 9:40:31 - Starting Process
12/01/2007, 9:40:31 - Could not detect the service installed. Nothing else to do!

#12 nasdaq (Forum Deity, Global Moderator, 47,832 posts)

Posted 30 November 2007 - 08:43 PM

I'm trying to find out if you have a rootkit infection.

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning! Please do not select the "Show all" checkbox during the scan.

If you're having problems with running GMER.exe, try it in safe mode.
This tool works in safe mode. Other rootkit revealers don't.

#13 Prh (Advanced Member, Full Member, 128 posts)

Posted 01 December 2007 - 10:40 AM

Hello.

I was out for a day.
I am sorry for the delay.

Before reading the post here,
I scanned with the registry cleaning software (again).
They detected many errors,
and still detected more when used in safe mode.

Then I noticed your message here,
and I downloaded GMER from the link shown.
After I clicked GMER,
it already showed me the results
(before I clicked 'Scan'),
and after I clicked 'Scan',
it began to list down many more detections
(mainly including the name of either 'AntiHook' or 'SandBox'),
and suddenly a blue screen appeared,
and the PC shut itself down.


This is the result shown by GMER the next time I opened it
(without pressing the 'Scan' button, in case it shut itself down again;
in the past it also shut the PC down when it was used on my PC):


GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-12-02 00:23:45
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.13 ----

SSDT \??\C:\Program Files\InfoProcess\AntiHook\3.0\HipEnforceDriver.sys ZwEnumerateKey
SSDT \??\C:\Program Files\InfoProcess\AntiHook\3.0\HipEnforceDriver.sys ZwEnumerateValueKey
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwQueryDirectoryFile
SSDT \??\C:\Program Files\InfoProcess\AntiHook\3.0\HipEnforceDriver.sys ZwQuerySystemInformation

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [ED384D46] TfNetMon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [ED384D46] TfNetMon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [ED384D46] TfNetMon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [ED384D46] TfNetMon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [ED384D46] TfNetMon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [ED384D46] TfNetMon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [ED384D46] TfNetMon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [ED384D46] TfNetMon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [ED384D46] TfNetMon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [ED384D46] TfNetMon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [ED384D46] TfNetMon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [ED384D46] TfNetMon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [ED384D46] TfNetMon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [ED384D46] TfNetMon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [ED384D46] TfNetMon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [ED384D46] TfNetMon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [ED384D46] TfNetMon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [ED384D46] TfNetMon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [ED384D46] TfNetMon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [ED384D46] TfNetMon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [ED384D46] TfNetMon.sys

---- EOF - GMER 1.0.13 ----




Maybe this is not a proper result,
because it was done in the condition I wrote above,
so if it's not satisfactory,
I'll have a scan in safe mode.
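The AttachedDevice block above lists, one line per IRP major function, which driver sits on each TCP/IP device object and the address of the dispatch routine that handles it. The script below is an added example (not GMER's code and not from this thread): it parses those lines, groups them by device and module, and flags a dispatch address that differs from the module's other entries, which happens exactly once above for msfwhlpr.sys on \Device\RawIp (IRP_MJ_SYSTEM_CONTROL at EE156718 while every other entry uses EE142968). The sample lines are copied from the log; the outlier rule and its threshold are this example's own assumptions, and a hit is only a lead to compare against the vendor's driver, not a verdict.

```python
"""Triage helper for the 'AttachedDevice' lines GMER prints (added example; not
GMER's own code and not from this thread).

Each line names the device a driver is attached to, one IRP major function,
the address of the dispatch routine in square brackets, and the module that
owns it.  A module normally serves every IRP_MJ_* code for one device from a
single dispatch address, so a lone entry pointing somewhere else is a lead
worth checking against the vendor's driver, not proof of anything by itself.
"""
import re
from collections import defaultdict

ATTACHED_RE = re.compile(
    r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+"
    r"(?P<irp>IRP_MJ_\w+)\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<module>\S+)$"
)

# Constructed sample: a few lines copied from the GMER output in this thread,
# including the one msfwhlpr.sys entry whose address differs from its neighbours.
SAMPLE_LOG = r"""
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [EE142968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [EE142968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [EE142968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [EE156718] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [ED384D46] TfNetMon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [ED384D46] TfNetMon.sys
---- EOF - GMER 1.0.13 ----
"""


def parse_attached_devices(text):
    """Return one dict per AttachedDevice line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ATTACHED_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["addr"] = int(entry["addr"], 16)
            entries.append(entry)
    return entries


def summarize(entries):
    """Group entries as (device, module) -> {dispatch address: [IRP names]}."""
    table = defaultdict(lambda: defaultdict(list))
    for e in entries:
        table[(e["device"], e["module"])][e["addr"]].append(e["irp"])
    return table


def find_outliers(entries, max_irps=1):
    """Flag dispatch addresses used for at most `max_irps` IRP codes while the
    same module on the same device serves the rest from a different address.
    The threshold is this example's assumption, not a GMER rule."""
    outliers = []
    for (device, module), by_addr in summarize(entries).items():
        if len(by_addr) < 2:
            continue
        majority = max(by_addr.values(), key=len)
        for addr, irps in by_addr.items():
            if irps is majority or len(irps) > max_irps:
                continue
            for irp in irps:
                outliers.append(
                    {"device": device, "module": module, "irp": irp, "addr": addr}
                )
    return outliers


def report(text):
    """Human-readable summary: one line per (device, module), then outliers."""
    entries = parse_attached_devices(text)
    lines = []
    for (device, module), by_addr in sorted(summarize(entries).items()):
        addrs = ", ".join(f"{a:08X} ({len(i)} IRPs)" for a, i in by_addr.items())
        lines.append(f"{module} on {device}: {addrs}")
    for o in find_outliers(entries):
        lines.append(
            f"  check: {o['module']} {o['irp']} dispatches via {o['addr']:08X}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Feed the whole GMER log to `report()` to get the per-driver summary; an outlier line only says that one dispatch entry differs, so the next step is to confirm the module's file on disk (path, signer, version) matches the vendor's release rather than treating the address alone as evidence.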

#14 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • 47,832 posts

Posted 01 December 2007 - 04:12 PM

Download Combofix to your desktop.
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthis log.

Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#15 Prh

Prh

    Advanced Member

  • Full Member
  • 128 posts

Posted 01 December 2007 - 09:27 PM

Hello.

I downloaded ComboFix from the link shown,
and double-clicked it.

Windows Live OneCare gave me a warning message that it had blocked 'NirCmd',
which was trying to access the internet.
I was puzzled why it needed access to the internet,
but because I read somewhere before that 'NirCmd' had something to do with ComboFix,
I changed the settings to allow it.
But then I remembered that I shouldn't click a file during the ComboFix scan,
so I cancelled the scan.

ComboFix gave me a warning message (which I don't remember accurately now),
and listed several lines.
I guess it was trying to tell me that it couldn't access those properly or something.

I rebooted the PC and had another scan.

This is the result
('デスクトップ' means 'desktop'
'スタートメニュー' means 'start menu'
'プログラム' means 'program'
'スタートアップ' means 'start up'):

ComboFix 07-12-02.5 - Owner 2007-12-02 10:14:59.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.932.1.1041.18.353 [GMT 9:00]
Running from: C:\Documents and Settings\Owner\デスクトップ\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-02 to 2007-12-02 )))))))))))))))))))))))))))))))
.

2007-12-02 00:17 . 2007-12-02 00:23 250 --a------ C:\WINDOWS\gmer.ini
2007-12-02 00:05 . 2007-12-02 00:05 <DIR> d-------- C:\Sandbox
2007-12-01 23:36 . 2007-12-02 10:32 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-01 23:35 . 2007-12-01 23:35 <DIR> d-------- C:\WINDOWS\system32\xircom
2007-12-01 23:35 . 2007-12-01 23:35 <DIR> d-------- C:\Program Files\microsoft frontpage
2007-12-01 22:33 . 2007-12-01 22:33 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PCToolsFirewallPlus
2007-12-01 22:17 . 2007-12-01 23:44 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-12-01 22:17 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-01 22:12 . 2007-12-01 22:12 <DIR> d-------- C:\Program Files\DrvCareVista
2007-12-01 22:01 . 2007-12-01 22:05 <DIR> d-------- C:\Program Files\DupKiller
2007-12-01 21:23 . 2007-12-01 21:23 38 --a------ C:\machine.ini
2007-12-01 19:33 . 2007-12-01 19:33 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Agnitum
2007-12-01 19:32 . 2007-12-01 22:58 <DIR> d-------- C:\WINDOWS\system32\Filt
2007-12-01 19:32 . 2007-12-01 19:32 <DIR> d-------- C:\Program Files\Agnitum
2007-12-01 19:32 . 2007-12-01 19:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Agnitum
2007-12-01 19:32 . 2007-11-02 13:55 435,232 --a------ C:\WINDOWS\system32\drivers\SandBox.sys
2007-12-01 19:32 . 2007-11-02 19:14 198,416 --a------ C:\WINDOWS\system32\drivers\afw.sys
2007-12-01 19:32 . 2007-10-25 18:17 49 --a------ C:\WINDOWS\transp.gif
2007-12-01 18:40 . 2002-12-02 10:08 <DIR> dr------- C:\Documents and Settings\Administrator\スタート メニュー
2007-12-01 11:50 . 2007-12-01 11:50 <DIR> d-------- C:\WINDOWS\Lavasoft
2007-12-01 11:50 . 2007-12-01 11:50 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-01 11:49 . 2007-12-01 11:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-01 11:31 . 2007-12-01 22:58 <DIR> d-------- C:\Program Files\Wise Disk Cleaner
2007-12-01 11:28 . 2007-12-01 23:04 <DIR> d-------- C:\Program Files\Wise Registry Cleaner
2007-12-01 10:58 . 2007-12-01 11:14 <DIR> d-------- C:\Program Files\PC Doc Pro
2007-12-01 10:40 . 2007-12-01 10:40 9,652 --a------ C:\WINDOWS\system32\OEMINFO.PNF
2007-12-01 10:39 . 2007-12-01 11:08 <DIR> d--h----- C:\Documents and Settings\Owner\Application Data\GTek
2007-12-01 10:39 . 2007-12-01 10:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Gtek
2007-12-01 10:35 . 2007-12-01 10:35 <DIR> d-------- C:\Program Files\SmartPCTools
2007-11-30 22:10 . 2007-11-30 22:10 <DIR> d-------- C:\Program Files\WinASO
2007-11-30 21:59 . 2007-12-01 22:12 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Registry Cleaner
2007-11-30 21:45 . 2007-11-30 21:45 <DIR> d-------- C:\Program Files\Microsoft Baseline Security Analyzer 2
2007-11-30 21:45 . 2007-11-30 21:45 856 --a------ C:\Microsoft Baseline Security Analyzer 2.0.1.lnk
2007-11-30 21:22 . 2007-11-30 21:50 <DIR> d-------- C:\Program Files\Microsoft Baseline Security Analyzer
2007-11-30 21:22 . 2007-12-01 11:44 <DIR> d-------- C:\Documents and Settings\Owner\SecurityScans
2007-11-30 21:05 . 2007-11-30 21:05 <DIR> d-------- C:\Downloads
2007-11-30 21:05 . 2007-11-30 21:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\GetRightToGo
2007-11-30 19:42 . 2007-11-30 19:42 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Pmcc
2007-11-30 19:00 . 2007-11-30 19:00 <DIR> d-------- C:\Program Files\Pmcc
2007-11-30 18:37 . 2007-11-30 19:33 <DIR> d-------- C:\Program Files\AusLogics Registry Defrag
2007-11-30 18:36 . 2007-11-30 18:36 <DIR> d-------- C:\Program Files\ToniArts
2007-11-30 18:22 . 2007-11-30 18:29 <DIR> d-------- C:\Program Files\Free Window Registry Repair
2007-11-30 18:12 . 2007-11-30 18:12 <DIR> d-------- C:\Program Files\CleanMyPC
2007-11-30 17:16 . 2007-11-30 18:07 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
2007-11-30 15:23 . 2007-11-30 19:33 <DIR> d-------- C:\Program Files\AMUST
2007-11-30 15:23 . 2006-11-09 19:32 149,248 --a------ C:\WINDOWS\system32\RegCompact.dll
2007-11-30 15:18 . 2007-11-30 15:18 <DIR> d-------- C:\Program Files\Ss-Tools
2007-11-30 15:14 . 2007-12-01 22:56 <DIR> d-------- C:\Program Files\TweakNow RegCleaner Std
2007-11-30 15:07 . 2007-12-01 19:58 <DIR> d-------- C:\Program Files\RegVac Registry Cleaner
2007-11-30 15:02 . 2007-11-30 15:02 <DIR> d-------- C:\Program Files\Registry Medic 5
2007-11-30 15:02 . 2007-11-30 15:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Iomatic
2007-11-30 14:38 . 2007-11-30 14:38 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2007-11-30 14:17 . 2007-11-30 14:17 <DIR> d-------- C:\Program Files\PCPitstop
2007-11-29 18:23 . 2007-11-29 18:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2007-11-29 12:43 . 2007-11-29 12:44 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-28 12:02 . 2007-11-30 17:31 <DIR> d-------- C:\Program Files\Yahoo!
2007-11-21 09:22 . 2007-11-21 09:22 <DIR> d-------- C:\Documents and Settings\Owner\Pavark
2007-11-20 11:47 . 2007-11-20 11:47 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2007-11-20 11:47 . 2007-05-30 21:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-20 10:54 . 2007-11-20 10:54 <DIR> d-------- C:\Program Files\ThreatFire
2007-11-20 10:54 . 2007-11-20 10:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2007-11-20 10:54 . 2007-11-12 17:24 52,032 --a------ C:\WINDOWS\system32\drivers\TfFsMon.sys
2007-11-20 10:54 . 2007-11-12 17:24 39,232 --a------ C:\WINDOWS\system32\drivers\TfSysMon.sys
2007-11-20 10:54 . 2007-11-12 17:24 34,624 --a------ C:\WINDOWS\system32\drivers\TfNetMon.sys
2007-11-20 10:54 . 2007-11-12 17:03 12,608 --a------ C:\WINDOWS\system32\drivers\TfKbMon.sys
2007-11-20 10:53 . 2003-03-19 06:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-11-20 10:53 . 2007-09-06 19:09 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-11-20 10:53 . 2003-03-19 05:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2007-11-20 10:53 . 2004-01-09 19:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2007-11-20 10:53 . 2003-02-21 13:42 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2007-11-20 10:30 . 2007-11-20 10:30 <DIR> d-------- C:\Program Files\Sandboxie
2007-11-20 10:30 . 2007-12-01 21:19 1,406 --a------ C:\WINDOWS\Sandboxie.ini
2007-11-19 16:33 . 2007-11-19 16:33 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-19 12:16 . 2007-11-19 12:16 <DIR> d-------- C:\Program Files\InfoProcess
2007-11-19 12:16 . 2006-11-04 10:47 114,688 --a------ C:\WINDOWS\system32\LogonMonitor.dll
2007-11-19 12:11 . 2007-11-20 10:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-19 12:09 . 2007-11-19 12:09 <DIR> d-------- C:\Program Files\RootKit Hook Analyzer
2007-11-19 12:09 . 2007-07-07 00:39 19,248 --a------ C:\WINDOWS\system32\drivers\rspsc32.sys
2007-11-18 19:35 . 2007-01-18 21:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-11-18 15:28 . 2007-11-18 15:30 8,110,597 --a------ C:\WINDOWS\system32\ENGSZZVFPY
2007-11-18 14:35 . 2007-11-30 09:44 <DIR> d-------- C:\Program Files\Trojan Remover
2007-11-18 14:35 . 2007-11-18 14:35 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Simply Super Software
2007-11-18 14:35 . 2007-11-18 14:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2007-11-18 14:35 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2007-11-18 14:35 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2007-11-18 14:35 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2007-11-18 14:35 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-11-18 14:35 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2007-11-18 08:53 . 2007-11-18 08:53 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2007-11-18 08:51 . 2007-11-18 08:51 <DIR> d-------- C:\Program Files\MSECACHE
2007-11-16 09:52 . 2007-11-19 12:08 32 --a------ C:\WINDOWS\system32\thxcfg.ini
2007-11-12 12:27 . 2007-08-08 20:02 235,008 --a------ C:\WINDOWS\UNBOC.EXE
2007-11-12 12:27 . 2007-05-08 17:01 208,896 --a------ C:\WINDOWS\CMDLIC.DLL
2007-11-12 12:27 . 2004-08-04 16:55 31,744 --a------ C:\WINDOWS\system32\wsock32.dlb
2007-11-07 09:04 . 2007-11-07 09:04 <DIR> d-------- C:\Program Files\CCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-02 00:00 --------- d-----w C:\Program Files\Microsoft Windows OneCare Live
2007-12-01 13:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-01 13:56 --------- d-----w C:\Program Files\pcdNavi
2007-12-01 13:56 --------- d-----w C:\Program Files\MyBook Editor
2007-12-01 13:56 --------- d-----w C:\Program Files\IBM Homepage Builder V7 Light
2007-12-01 02:36 --------- d-----w C:\Program Files\OKIMJ
2007-11-14 09:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-01 01:18 --------- d-----w C:\Program Files\Common Files\Real
2007-11-01 01:13 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-24 00:40 --------- d-----w C:\Program Files\InterVideo
2007-10-23 23:54 --------- d-----w C:\Program Files\Secunia
2007-10-17 11:25 --------- d-----w C:\Documents and Settings\Owner\Application Data\TrojanHunter
2007-10-14 08:50 --------- d-----w C:\Program Files\LabelGate
2007-10-14 08:31 12,400 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-14 08:30 --------- d-----w C:\Program Files\SUCCESS
2007-10-14 07:34 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-10-13 06:33 --------- d-----w C:\Documents and Settings\Owner\Application Data\ArcSoft
2007-10-08 02:47 --------- d-----w C:\Program Files\TLTSR081
2007-10-08 02:41 --------- d-----w C:\Program Files\TLTSH08
2007-10-06 00:16 --------- d-----w C:\Program Files\PowerX
2007-10-06 00:10 --------- d-----w C:\Program Files\I-O DATA
2007-10-05 22:31 --------- d-----w C:\Documents and Settings\Owner\Application Data\Fujitsu
2007-09-09 23:28 7,808 ----a-w C:\WINDOWS\system32\psi_mf.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 16:55]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"SandboxieControl"="C:\Program Files\Sandboxie\SbieCtrl.exe" [2007-11-18 04:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\RegCompact]
RegCompact.dll 2006-11-09 19:32 149248 C:\WINDOWS\system32\RegCompact.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\agnitum\outpos~1\wl_hook.dll
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^スタート メニュー^プログラム^スタートアップ^hatchInn.exe.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^スタート メニュー^プログラム^スタートアップ^InterVideo WinCinema Manager.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^スタート メニュー^プログラム^スタートアップ^LUMIX Simple Viewer.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^スタート メニュー^プログラム^スタートアップ^TVfunSTUDIO タイマー.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^スタート メニュー^プログラム^スタートアップ^富士通サービスアシスタント.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^スタート メニュー^プログラム^スタートアップ^Secunia PSI (BETA).lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FMVランチャー]
2002-09-28 14:49 45056 --a------ C:\fjuty\wallbtn\FMVLauncherKicker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OutpostMonitor]
C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Cleaner]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
C:\Program Files\Spyware Doctor\SDTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THGuard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IoDevMgrService"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"acssrv"=2 (0x2)

R0 FJGPNV;FJGPNV;C:\WINDOWS\system32\drivers\FJGPNV.SYS
R0 hotcore3;hotcore3;C:\WINDOWS\system32\drivers\hotcore3.sys
R0 TfFsMon;TfFsMon;C:\WINDOWS\system32\drivers\TfFsMon.sys
R0 TfSysMon;TfSysMon;C:\WINDOWS\system32\drivers\TfSysMon.sys
R1 HipEnforceDriver;InfoProcess - Host Intrusion Prevention Driver;\??\C:\Program Files\InfoProcess\AntiHook\3.0\HipEnforceDriver.sys
R1 MSFWHLPR;MSFWHLPR;C:\WINDOWS\system32\DRIVERS\msfwhlpr.sys
R1 SandBox;SandBox;C:\WINDOWS\system32\DRIVERS\SandBox.sys
R2 Audsub3;Audsub3;\??\C:\WINDOWS\SYSTEM32\Drivers\Audsub3.sys
R2 FlashDrv;FlashDrv;\??\C:\PROGRA~1\Fujitsu\FlashAid\FlashDrv.sys
R2 HipService;InfoProcess HipService Workstation Service;C:\Program Files\InfoProcess\AntiHook\3.0\HipService.exe
R2 MSFWDrv;MSFWDrv;C:\WINDOWS\system32\DRIVERS\msfwdrv.sys
R2 msfwsvc;OneCare Firewall;"C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe"
R2 OneCareMP;OneCare AntiSpyware and AntiVirus;"C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe"
R2 PCKarte;PCKarte Client Tool Service;C:\Program Files\Fujitsu\PCKARTE\PCKTESVC.EXE
R2 PUSCSYS;PUSCSYS;\??\C:\Program Files\Fujitsu\PowerUtility\schedule\PUSCSYS.sys
R2 RVI04;RVI04;\??\C:\Program Files\Common Files\RVI04\RVI04.sys
R2 SBRLLA;SBRLLA For FM Advisor;C:\Program Files\Fujitsu\sa\api\SBRSVC.EXE
R2 SDPASVC;SDPAUMS server service;C:\WINDOWS\system32\sdpasvc.exe -service
R2 ThreatFire;ThreatFire;C:\Program Files\ThreatFire\TFService.exe service
R3 ASWFilt;ASWFilt;C:\WINDOWS\system32\Filt\ASWFilt.dll
R3 Cap7134;TVFM 503 WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys
R3 CONAN;CONAN;C:\WINDOWS\system32\drivers\o2mmb.sys
R3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys
R3 MpFilter;Microsoft Malware Protection Driver;C:\WINDOWS\system32\DRIVERS\MpFilter.sys
R3 PhTVTune;TVFM WDM TVTuner (SAA713x);C:\WINDOWS\system32\DRIVERS\PhTVTune.sys
R3 SbieDrv;SbieDrv;\??\C:\Program Files\Sandboxie\SbieDrv.sys
R3 TfNetMon;TfNetMon;\??\C:\WINDOWS\system32\drivers\TfNetMon.sys
S3 MEI006E;MEI006E;C:\WINDOWS\system32\drivers\MEI006E.sys
S3 MS1000;MS1000;C:\WINDOWS\system32\DRIVERS\MS1000.sys
S3 PRISM;Intersil PRISM Wireless LAN Driver;C:\WINDOWS\system32\DRIVERS\PRISMNDS.sys
S3 PSI;PSI;C:\WINDOWS\system32\DRIVERS\psi_mf.sys
S3 putlrsrv;PowerUtility Remote Power Management Service;C:\PROGRA~1\Fujitsu\POWERU~1\remote\PUTLRSRV.exe
S4 acssrv;Agnitum Client Security Service;C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
S4 IoDevMgrService;I-O DATA Device Management Service;"C:\Program Files\I-O DATA\IoDevMgrService\IoDevMgrService.exe"

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-11-30 06:23:23 C:\WINDOWS\Tasks\Owner backup.job"
- C:\Program Files\AMUST\Registry Cleaner\RegCleaner.exe
"2007-11-30 06:23:24 C:\WINDOWS\Tasks\Owner scan and fix.job"
- C:\Program Files\AMUST\Registry Cleaner\RegCleaner.exe
"2007-10-06 01:10:49 C:\WINDOWS\Tasks\Paragon Archive name arc_061007010814194.job"
- C:\Program Files\PowerX\Hard Disk Manager 8.1 for I-O DATA\Program\scripts.exe
"2007-12-01 02:17:00 C:\WINDOWS\Tasks\TC_A.job"
- C:\Program Files\The Cleaner\cleaner.exe
"2007-12-01 02:25:00 C:\WINDOWS\Tasks\TC_B.job"
- C:\Program Files\The Cleaner\cleaner.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-02 10:31:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-02 10:38:36
.
--- E O F ---




Also, when I tried to start a scan with HiJackThis,
I accidentally clicked the icon twice,
which resulted in giving me a message something like "Another instance of HiJackThis is running."
Because I thought this might lead to some error,
I disabled both of them.
However, when I tried to start it for the third time,
the same message appeared.

I rebooted the PC, and had another scan.
In the middle of the scan,
a warning message showed up:
"For some reason your system denied write access to the Hosts file. If any hijacked domains are in this file, HiJackThis may NOT be able to fix this.

If that happens, you need to edit the file yourself. To do this, click Start, Run and type

notepad C:\WINDOWS\System32\drivers\etc\hosts

and press Enter. Find the line(s) HiJackThis reports and delete them. Save the file as 'hosts.'
(with quotes), and reboot."

After that, it completed the scan.

This is the result:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:02:23, on 2007/12/02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\InfoProcess\AntiHook\3.0\HipService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Fujitsu\PCKARTE\PCKTESVC.EXE
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Fujitsu\sa\api\SBRSVC.EXE
C:\WINDOWS\system32\sdpasvc.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Fujitsu\PowerUtility\schedule\PUSCSRVC.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O8 - Extra context menu item: Bookshelfで検索(&L) - res://C:\Program Files\Microsoft Reference\Microsoft Bookshelf 3.0\bsdef.dll/#1001
O8 - Extra context menu item: Microsoft Excel にエクスポート(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall Pro\ie_bar.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://update.microsoft.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1191034797690
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1191034768428
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InfoProcess HipService Workstation Service (HipService) - InfoProcess Pty Ltd. - C:\Program Files\InfoProcess\AntiHook\3.0\HipService.exe
O23 - Service: PCKarte Client Tool Service (PCKarte) - FUJITSU LIMITED - C:\Program Files\Fujitsu\PCKARTE\PCKTESVC.EXE
O23 - Service: PowerUtility Schedule (PUSCSRVC) - FUJITSU LIMITED - C:\Program Files\Fujitsu\PowerUtility\schedule\PUSCSRVC.exe
O23 - Service: PowerUtility Remote Power Management Service (putlrsrv) - FUJITSU LIMITED - C:\PROGRA~1\Fujitsu\POWERU~1\remote\PUTLRSRV.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: SBRLLA For FM Advisor (SBRLLA) - FUJITSU LIMITED - C:\Program Files\Fujitsu\sa\api\SBRSVC.EXE
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 5386 bytes




Thank you.




----------------------------




Hello.

I tried to download iTunes,
but it failed again.
The installer displayed that it couldn't "access the iTunes\ that exists in the network"
('\' should have been the mark of the yen).

When I opened the task manager I saw unfamiliar processes working during the installation.

First, it was 'ygf2.exe'.
There were two of them.
After the error message,
both of them disappeared.
I checked for it with Google, but there were no articles about it.

The next time (and then on), it was 'mciex.exe'.
There were also two of them.
They appeared and disappeared in a way just like 'ygf2.exe'.

On one occasion, when I disabled one of the 'mciex.exe's,
the installer that was trying to start
immediately disappeared.

Edited by Prh, 02 December 2007 - 01:13 AM.


#16 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • 47,832 posts

Posted 02 December 2007 - 10:41 AM

I rebooted the PC, and had another scan.
In the middle of the scan,
a warning message showed up:
"For some reason your system denied write access to the Hosts file. If any hijacked domains are in this file, HiJackThis may NOT be able to fix this.

If that happens, you need to edit the file yourself. To do this, click Start, Run and type

notepad C:\WINDOWS\System32\drivers\etc\hosts

and press Enter. Find the line(s) HiJackThis reports and delete them. Save the file as 'hosts.'
(with quotes), and reboot."

After that, it completed the scan.


Go to: http://www.funkytoad...ontent/view/13/
Download the program HostsXpert to restore the default hosts file back onto your machine.
Unzip the program and execute it.
Select
"Restore MS Hosts File".
Close the application.
*/*

Try to download itunes now.
*/*

Run Hijack This, Choose Open the Misc tools section, On the StartUp List area at the top, place a check next to List Also Minor Sections (full) and List Empty Sections (complete) then press Generate StartUp List Log and Yes at the prompt. Please post the text file that opens into your next reply.
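HijackThis warned that the hosts file could not be written and that hijacked domains might be sitting in it, and the reply above answers by replacing the file wholesale with HostsXpert's "Restore MS Hosts File". To see what a hosts file actually maps before overwriting it, the checker below is an added example (not HijackThis, HostsXpert or anything else from this thread): it parses hosts syntax (comments, tabs, several names per line) and reports every mapping of a watched domain, or a subdomain of one, as either redirected to a non-loopback address or pinned to loopback so the name becomes unreachable. The watch list and the sample file are constructed for the example; update.microsoft.com is the one domain taken from the Trusted Zone lines of the HijackThis log above.

```python
"""Hosts-file hijack check (added example; not HijackThis, HostsXpert or any
tool from this thread).

The hosts file is consulted before DNS, so one line can silently redirect a
vendor or update domain to another host, or pin it to loopback so the machine
can no longer reach updates.  Every mapping of a watched domain (or a name
under it) is classified as 'redirected' (non-loopback address) or 'blocked'
(127.0.0.1, ::1 or 0.0.0.0).  Ordinary ad-blocking entries for unwatched
names are left alone.
"""
import ipaddress

# Addresses that make a name unreachable rather than redirecting it.
BLOCK_ADDRS = {ipaddress.ip_address(a) for a in ("127.0.0.1", "::1", "0.0.0.0")}

# Constructed watch list; update.microsoft.com is the one domain the HijackThis
# log in this thread names (as a Trusted Zone entry).
WATCHED_DOMAINS = ("microsoft.com", "windowsupdate.com", "apple.com", "gmer.net")

# Constructed sample hosts file for the example (the \t is a real tab).
SAMPLE_HOSTS = """\
# Sample hosts file (constructed for this example)
127.0.0.1       localhost
127.0.0.1   ads.example.net              # ad-blocking style entry, not watched
10.0.0.1\twww.update.microsoft.com   update.microsoft.com
127.0.0.1   www.gmer.net                 # pins a watched name to loopback
not-an-ip   broken.example.org
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in hosts-file syntax."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed first field: skipped, not a mapping
        for name in fields[1:]:
            yield ip, name.lower().rstrip("."), line_no


def is_watched(name):
    """True if `name` is a watched domain or lies under one."""
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacks(text):
    """Return hits as dicts: line, name, ip, kind ('redirected' or 'blocked')."""
    hits = []
    for ip, name, line_no in parse_hosts(text):
        if not is_watched(name):
            continue
        kind = "blocked" if ip in BLOCK_ADDRS else "redirected"
        hits.append({"line": line_no, "name": name, "ip": str(ip), "kind": kind})
    return hits


if __name__ == "__main__":
    for h in find_hijacks(SAMPLE_HOSTS):
        print(f"line {h['line']}: {h['name']} -> {h['ip']} ({h['kind']})")
```

To check a real machine, read a copy of C:\WINDOWS\System32\drivers\etc\hosts and pass its text to `find_hijacks()`; a file that yields no hits but still cannot be written points at the file's attributes or ACL rather than at its content, which is a different problem from the one HostsXpert fixes.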

#17 Prh

Prh

    Advanced Member

  • Full Member
  • 128 posts

Posted 03 December 2007 - 12:04 AM

Hello.

I downloaded HostsXpert from the link shown,
and pressed "Restore MS Hosts File".

An error occurred.

ERROR:Cannot create file C:WINDOWS\system32\Drivers\ETC\hosts



(I tried to contact the Apple store after I posted the previous message,
but errors occurred then too.

When creating an account (to be able to post in a message),
I was told that the password I typed in twice didn't match,
then I was told to enter the 'question' in case I forgot the password,
and I was asked to do that even after I typed that in.

I was then told that some trouble occurred but the account information
was stored.
However, when I tried to log in to the iTunes forum with that account,
it was displayed that the birthday I typed in didn't match the stored information,
and login was denied.)


But I was able to run HiJackThis,
and followed your instructions.

This is the log
("スタート メニュー\プログラム\スタートアップ" means "start menu/program/startup"
"ネットワーク サポート環境" means "network support environment"
"プロトコル" means "protocol"
"標準" means "standard"
"ハード ディスク コントローラ" means "hard disk controller"
"クライアント" means "client"
"オーディオ スタブ ドライバ" means "audio stub driver"
"クローズド キャプション デコーダ" means "closed caption decoder"
"ディスク ドライバ" means "disk driver"
"ボリューム マネージャ ドライバ" means "volume manager driver"
"キーボードと PS/2 マウス ポート ドライバ" probably means "keyboard and PS/2 mouse port driver"
"書き込み" means "writing in"
"フィルタ" means "filter"
"バス ドライバ" probably means "bus/pass driver"
"ボリューム マネージャ ドライバ" means "volume manager driver"
"クラス" means "class"
"リダイレクタ" means "redirector"
"ビデオ接続" means "video connection"
"インターフェイス" means "interface"
"ネット" means "net"
"プロセッサ" means "processor"
"パケット スケジューラ" means "packet scheduler"
"デジタル CD オーディオ再生" means "digital CD audio play"
"高密度フロッピー ディスク ドライブ" probably means "high density floppy disk drive"
"ソフトウェア" means "software"
"ターミナル" means "terminal"
"大容量記憶装置" probably means "massive volumed memory device"
"自動更新" means "automatic update"):



StartupList report, 2007/12/03, 13:50:32
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16544)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\InfoProcess\AntiHook\3.0\HipService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Fujitsu\PCKARTE\PCKTESVC.EXE
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Fujitsu\sa\api\SBRSVC.EXE
C:\WINDOWS\system32\sdpasvc.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Fujitsu\PowerUtility\schedule\PUSCSRVC.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\ToniArts\EasyCleaner\EasyClea.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner\スタート メニュー\プログラム\スタートアップ]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
*Folder not found*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
SandboxieControl = "C:\Program Files\Sandboxie\SbieCtrl.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
StubPath = C:\WINDOWS\system32\ieudinit.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

[{8b15971b-5355-4c82-8c07-7e181ea07608}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=c:\progra~1\agnitum\outpos~1\wl_hook.dll

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssbezier.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Owner backup.job
Owner scan and fix.job
Paragon Archive name arc_061007010814194.job
TC_A.job
TC_B.job

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[PCPitstop Utility]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PCPitstop.dll
CODEBASE = http://www.pcpitstop...p/PCPitStop.CAB

[YInstStarter Class]
InProcServer32 = C:\PROGRA~1\Yahoo!\Common\yinsthelper.dll
CODEBASE = C:\Program Files\Yahoo!\Common\yinsthelper.dll

[{556DDE35-E955-11D0-A707-000000521957}]
CODEBASE = http://www.xblock.co...clean_micro.exe

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://www.update.mi...b?1191034797690

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\muweb.dll
CODEBASE = http://www.update.mi...b?1191034768428

[{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
CODEBASE = http://fpdownload.ma...t/ultrashim.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9d.ocx
CODEBASE = http://fpdownload2.m...ash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Ad-Aware 2007 Service: "C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe" (autostart)
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Embedded Controller Driver: System32\DRIVERS\ACPIEC.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
PPdus ASPI Shell: system32\drivers\Afc.sys (manual start)
AFD ネットワーク サポート環境: \SystemRoot\System32\drivers\afd.sys (system)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
ALi Audio Accelerator WDM driver: system32\drivers\ac97ali.sys (manual start)
AliIde: System32\DRIVERS\aliide.sys (system)
Alps Pointing-device Filter Driver: System32\DRIVERS\Apfiltr.sys (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
1394 ARP Client プロトコル: System32\DRIVERS\arp1394.sys (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
ASWFilt: system32\Filt\ASWFilt.dll (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
標準 IDE/ESDI ハード ディスク コントローラ: System32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\System32\Ati2evxx.exe (disabled)
ati2mtag: System32\DRIVERS\ati2mtag.sys (manual start)
ATM ARP クライアント プロトコル: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
オーディオ スタブ ドライバ: System32\DRIVERS\audstub.sys (manual start)
Audsub3: \??\C:\WINDOWS\SYSTEM32\Drivers\Audsub3.sys (autostart)
AVG Anti-Rootkit: System32\DRIVERS\avgarkt.sys (system)
AVG Anti-Spyware Driver: \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys (system)
AVG Anti-Spyware Guard: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (autostart)
Avg Anti-Rootkit Clean Driver: System32\DRIVERS\AvgArCln.sys (system)
AVG Anti-Spyware Clean Driver: System32\DRIVERS\AvgAsCln.sys (system)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
BtnHnd: \??\C:\Program Files\Fujitsu\BtnHnd\BtnHnd.sys (autostart)
ATI Cabo AGP Filter: System32\DRIVERS\atisgkaf.sys (system)
TVFM 503 WDM Video Capture: System32\DRIVERS\Cap7134.sys (manual start)
クローズド キャプション デコーダ: System32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM ドライバ: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
Microsoft AC Adapter Driver: System32\DRIVERS\CmBatt.sys (manual start)
Microsoft Composite Battery Driver: System32\DRIVERS\compbatt.sys (system)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
CONAN: system32\drivers\o2mmb.sys (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
ディスク ドライバ: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Fax: %systemroot%\system32\fxssvc.exe (autostart)
Fujitsu 3-mode floppy controller driver (Type 00): System32\DRIVERS\fjfdc00.sys (manual start)
FJGPNV: System32\drivers\FJGPNV.SYS (system)
FlashDrv: \??\C:\PROGRA~1\Fujitsu\FlashAid\FlashDrv.sys (autostart)
Fujitsu 3-mode floppy disk driver: System32\DRIVERS\fjflpy.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
FsVga: System32\DRIVERS\fsvga.sys (system)
ボリューム マネージャ ドライバ: System32\DRIVERS\ftdisk.sys (system)
Fujitsu FUJ02B1 Device Driver: System32\DRIVERS\FUJ02B1.sys (manual start)
gmer: System32\DRIVERS\gmer.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
InfoProcess - Host Intrusion Prevention Driver: \??\C:\Program Files\InfoProcess\AntiHook\3.0\HipEnforceDriver.sys (system)
InfoProcess HipService Workstation Service: C:\Program Files\InfoProcess\AntiHook\3.0\HipService.exe (autostart)
hotcore3: system32\drivers\hotcore3.sys (system)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 キーボードと PS/2 マウス ポート ドライバ: System32\DRIVERS\i8042prt.sys (system)
書き込みフィルタ ドライバ: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
I-O DATA Device Management Service: "C:\Program Files\I-O DATA\IoDevMgrService\IoDevMgrService.exe" (disabled)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (autostart)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA バス ドライバ: System32\DRIVERS\isapnp.sys (system)
キーボード クラス ドライバ: System32\DRIVERS\kbdclass.sys (system)
キーボード HID ドライバ: system32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Lucent Technologies Soft Modem: System32\DRIVERS\LTSM.sys (manual start)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
マウス クラス ドライバ: System32\DRIVERS\mouclass.sys (system)
マウス HID ドライバ: System32\DRIVERS\mouhid.sys (manual start)
Microsoft Malware Protection Driver: system32\DRIVERS\MpFilter.sys (manual start)
WebDav クライアント リダイレクタ: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
MS1000: System32\DRIVERS\MS1000.sys (manual start)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
MSFWDrv: system32\DRIVERS\msfwdrv.sys (autostart)
MSFWHLPR: system32\DRIVERS\msfwhlpr.sys (system)
OneCare Firewall: "C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe" (autostart)
Windows Installer: %systemroot%\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
Microsoft TV/ビデオ接続: System32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O プロトコル: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS インターフェイス: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
1394 ネット ドライバ: System32\DRIVERS\nic1394.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
NEC FireWarden OHCI Compliant IEEE 1394 Host Controller: System32\DRIVERS\ohci1394.sys (system)
OneCare AntiSpyware and AntiVirus: "C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe" (autostart)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCKarte Client Tool Service: C:\Program Files\Fujitsu\PCKARTE\PCKTESVC.EXE (autostart)
Pcmcia: System32\DRIVERS\pcmcia.sys (system)
Padus ASPI Shell: system32\drivers\pfc.sys (manual start)
TVFM WDM TVTuner (SAA713x): System32\DRIVERS\PhTVTune.sys (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Intersil PRISM Wireless LAN Driver: System32\DRIVERS\PRISMNDS.sys (manual start)
プロセッサ ドライバ: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS パケット スケジューラ: System32\DRIVERS\psched.sys (manual start)
PSI: system32\DRIVERS\psi_mf.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PowerUtility Schedule: C:\Program Files\Fujitsu\PowerUtility\schedule\PUSCSRVC.exe (autostart)
PUSCSYS: \??\C:\Program Files\Fujitsu\PowerUtility\schedule\PUSCSYS.sys (autostart)
PowerUtility Remote Power Management Service: C:\PROGRA~1\Fujitsu\POWERU~1\remote\PUTLRSRV.exe (manual start)
PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
デジタル CD オーディオ再生フィルタ ドライバ: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver: System32\DRIVERS\R8139n51.SYS (manual start)
RVI04: \??\C:\Program Files\Common Files\RVI04\RVI04.sys (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SandBox: system32\DRIVERS\SandBox.sys (system)
SbieDrv: \??\C:\Program Files\Sandboxie\SbieDrv.sys (manual start)
Sandboxie Service: C:\Program Files\Sandboxie\SbieSvc.exe (autostart)
SBRLLA For FM Advisor: C:\Program Files\Fujitsu\sa\api\SBRSVC.EXE (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SDPAUMS server service: C:\WINDOWS\system32\sdpasvc.exe -service (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
高密度フロッピー ディスク ドライブ: System32\DRIVERS\sfloppy.sys (manual start)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start)
BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
ソフトウェア バス ドライバ: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{D5843C39-4700-4B15-B05C-C6EB4E1F4EEE} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP プロトコル ドライバ: System32\DRIVERS\tcpip.sys (system)
ターミナル デバイス ドライバ: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
TfFsMon: system32\drivers\TfFsMon.sys (system)
TfKbMon: System32\Drivers\TfKbMon.sys (manual start)
TfNetMon: \??\C:\WINDOWS\system32\drivers\TfNetMon.sys (manual start)
TfSysMon: system32\drivers\TfSysMon.sys (system)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
ThreatFire: C:\Program Files\ThreatFire\TFService.exe service (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
USB オーディオ ドライバ (WDM): system32\drivers\usbaudio.sys (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
Microsoft USB PRINTER Class: system32\DRIVERS\usbprint.sys (manual start)
USB 大容量記憶装置ドライバ: System32\DRIVERS\USBSTOR.SYS (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Windows Live OneCare: C:\Program Files\Microsoft Windows OneCare Live\winss.exe (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Media Player Network Sharing Service: "C:\Program Files\Windows Media Player\WMPNetwk.exe" (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
自動更新: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Windows Driver Foundation - User-mode Driver Framework Platform Driver: system32\DRIVERS\WudfPf.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework Reflector: system32\DRIVERS\wudfrd.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework: %SystemRoot%\system32\svchost.exe -k WudfServiceGroup (manual start)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 36,114 bytes
Report generated in 0.330 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only



Thank you for reading.




-------------------------------------------------------------------------




Hello.

When I tried to update Trojan Remover,
an error occurred:

I/O ERROR 1224


When I opened the task manager,
I noticed that two "jna.exe"s were working.

When the iTunes download failed,
it was two "ygf2.exe"s,
or two "mciex.exe"s that were working.

I feel like there is something in my PC
that takes actions in twos,
and prevents some software from functioning normally...

I'll re-install Trojan Remover and see if it works properly.

Edited by Prh, 03 December 2007 - 04:10 AM.


#18 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • 47,832 posts

Posted 03 December 2007 - 09:02 AM

Remove your current version(s) of combofix and download this new version.

Download Combofix to your desktop.
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthis log.

Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#19 Prh

Prh

    Advanced Member

  • Full Member
  • 128 posts

Posted 04 December 2007 - 07:42 AM

Hello.

There are some other things I noticed,
but I will post the ComboFix log and HiJackThis log first:


ComboFix 07-12-02.6 - Owner 2007-12-04 20:27:47.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.932.1.1041.18.296 [GMT 9:00]
Running from: C:\Documents and Settings\Owner\デスクトップ\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-11-04 to 2007-12-04 )))))))))))))))))))))))))))))))
.

2007-12-04 20:15 . 2007-12-04 20:15 <DIR> d-------- C:\Sandbox
2007-12-04 20:09 . 2007-12-04 20:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2007-12-03 21:22 . 2007-12-03 21:22 <DIR> d-------- C:\WINDOWS\system32\xircom
2007-12-03 21:22 . 2007-12-03 21:22 <DIR> d-------- C:\Program Files\microsoft frontpage
2007-12-03 21:22 . 2007-12-04 20:09 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-03 18:49 . 2007-12-03 18:49 <DIR> d-------- C:\Program Files\Malware Removal Tool
2007-12-03 18:33 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2007-12-03 18:33 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2007-12-03 18:33 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2007-12-03 18:33 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-12-03 18:33 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2007-12-02 12:26 . 2007-12-02 12:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Pmcc
2007-12-02 00:17 . 2007-12-02 12:06 250 --a------ C:\WINDOWS\gmer.ini
2007-12-01 22:33 . 2007-12-01 22:33 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PCToolsFirewallPlus
2007-12-01 22:17 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-01 22:12 . 2007-12-01 22:12 <DIR> d-------- C:\Program Files\DrvCareVista
2007-12-01 22:01 . 2007-12-01 22:05 <DIR> d-------- C:\Program Files\DupKiller
2007-12-01 21:23 . 2007-12-01 21:23 38 --a------ C:\machine.ini
2007-12-01 19:33 . 2007-12-01 19:33 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Agnitum
2007-12-01 19:32 . 2007-12-01 22:58 <DIR> d-------- C:\WINDOWS\system32\Filt
2007-12-01 19:32 . 2007-12-01 19:32 <DIR> d-------- C:\Program Files\Agnitum
2007-12-01 19:32 . 2007-12-01 19:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Agnitum
2007-12-01 19:32 . 2007-11-02 13:55 435,232 --a------ C:\WINDOWS\system32\drivers\SandBox.sys
2007-12-01 19:32 . 2007-11-02 19:14 198,416 --a------ C:\WINDOWS\system32\drivers\afw.sys
2007-12-01 19:32 . 2007-10-25 18:17 49 --a------ C:\WINDOWS\transp.gif
2007-12-01 18:40 . 2002-12-02 10:08 <DIR> dr------- C:\Documents and Settings\Administrator\スタート メニュー
2007-12-01 11:50 . 2007-12-01 11:50 <DIR> d-------- C:\WINDOWS\Lavasoft
2007-12-01 11:50 . 2007-12-01 11:50 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-01 11:49 . 2007-12-01 11:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-01 11:28 . 2007-12-03 19:45 <DIR> d-------- C:\Program Files\Wise Registry Cleaner
2007-12-01 10:58 . 2007-12-01 11:14 <DIR> d-------- C:\Program Files\PC Doc Pro
2007-12-01 10:40 . 2007-12-01 10:40 9,652 --a------ C:\WINDOWS\system32\OEMINFO.PNF
2007-12-01 10:39 . 2007-12-01 11:08 <DIR> d--h----- C:\Documents and Settings\Owner\Application Data\GTek
2007-12-01 10:39 . 2007-12-01 10:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Gtek
2007-12-01 10:35 . 2007-12-01 10:35 <DIR> d-------- C:\Program Files\SmartPCTools
2007-11-30 22:10 . 2007-11-30 22:10 <DIR> d-------- C:\Program Files\WinASO
2007-11-30 21:59 . 2007-12-01 22:12 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Registry Cleaner
2007-11-30 21:45 . 2007-11-30 21:45 <DIR> d-------- C:\Program Files\Microsoft Baseline Security Analyzer 2
2007-11-30 21:45 . 2007-11-30 21:45 856 --a------ C:\Microsoft Baseline Security Analyzer 2.0.1.lnk
2007-11-30 21:22 . 2007-11-30 21:50 <DIR> d-------- C:\Program Files\Microsoft Baseline Security Analyzer
2007-11-30 21:22 . 2007-12-03 13:02 <DIR> d-------- C:\Documents and Settings\Owner\SecurityScans
2007-11-30 21:05 . 2007-11-30 21:05 <DIR> d-------- C:\Downloads
2007-11-30 21:05 . 2007-11-30 21:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\GetRightToGo
2007-11-30 19:42 . 2007-11-30 19:42 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Pmcc
2007-11-30 19:00 . 2007-11-30 19:00 <DIR> d-------- C:\Program Files\Pmcc
2007-11-30 18:37 . 2007-11-30 19:33 <DIR> d-------- C:\Program Files\AusLogics Registry Defrag
2007-11-30 18:36 . 2007-11-30 18:36 <DIR> d-------- C:\Program Files\ToniArts
2007-11-30 18:22 . 2007-11-30 18:29 <DIR> d-------- C:\Program Files\Free Window Registry Repair
2007-11-30 18:12 . 2007-11-30 18:12 <DIR> d-------- C:\Program Files\CleanMyPC
2007-11-30 17:16 . 2007-11-30 18:07 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
2007-11-30 15:18 . 2007-11-30 15:18 <DIR> d-------- C:\Program Files\Ss-Tools
2007-11-30 15:14 . 2007-12-01 22:56 <DIR> d-------- C:\Program Files\TweakNow RegCleaner Std
2007-11-30 15:07 . 2007-12-02 12:44 <DIR> d-------- C:\Program Files\RegVac Registry Cleaner
2007-11-30 15:02 . 2007-11-30 15:02 <DIR> d-------- C:\Program Files\Registry Medic 5
2007-11-30 15:02 . 2007-11-30 15:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Iomatic
2007-11-30 14:38 . 2007-11-30 14:38 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2007-11-29 18:23 . 2007-11-29 18:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2007-11-29 12:43 . 2007-11-29 12:44 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-28 12:02 . 2007-11-30 17:31 <DIR> d-------- C:\Program Files\Yahoo!
2007-11-21 09:22 . 2007-11-21 09:22 <DIR> d-------- C:\Documents and Settings\Owner\Pavark
2007-11-20 11:47 . 2007-05-30 21:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-20 10:54 . 2007-11-20 10:54 <DIR> d-------- C:\Program Files\ThreatFire
2007-11-20 10:54 . 2007-11-20 10:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2007-11-20 10:54 . 2007-11-12 17:24 52,032 --a------ C:\WINDOWS\system32\drivers\TfFsMon.sys
2007-11-20 10:54 . 2007-11-12 17:24 39,232 --a------ C:\WINDOWS\system32\drivers\TfSysMon.sys
2007-11-20 10:54 . 2007-11-12 17:24 34,624 --a------ C:\WINDOWS\system32\drivers\TfNetMon.sys
2007-11-20 10:54 . 2007-11-12 17:03 12,608 --a------ C:\WINDOWS\system32\drivers\TfKbMon.sys
2007-11-20 10:53 . 2003-03-19 06:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-11-20 10:53 . 2007-09-06 19:09 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-11-20 10:53 . 2003-03-19 05:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2007-11-20 10:53 . 2004-01-09 19:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2007-11-20 10:53 . 2003-02-21 13:42 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2007-11-20 10:30 . 2007-11-20 10:30 <DIR> d-------- C:\Program Files\Sandboxie
2007-11-20 10:30 . 2007-12-02 15:16 1,588 --a------ C:\WINDOWS\Sandboxie.ini
2007-11-19 16:33 . 2007-11-19 16:33 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-19 12:16 . 2007-11-19 12:16 <DIR> d-------- C:\Program Files\InfoProcess
2007-11-19 12:16 . 2006-11-04 10:47 114,688 --a------ C:\WINDOWS\system32\LogonMonitor.dll
2007-11-19 12:11 . 2007-11-20 10:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-19 12:09 . 2007-11-19 12:09 <DIR> d-------- C:\Program Files\RootKit Hook Analyzer
2007-11-19 12:09 . 2007-07-07 00:39 19,248 --a------ C:\WINDOWS\system32\drivers\rspsc32.sys
2007-11-18 19:35 . 2007-01-18 21:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-11-18 15:28 . 2007-11-18 15:30 8,110,597 --a------ C:\WINDOWS\system32\ENGSZZVFPY
2007-11-18 14:35 . 2007-12-04 20:09 <DIR> d-------- C:\Program Files\Trojan Remover
2007-11-18 14:35 . 2007-11-18 14:35 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Simply Super Software
2007-11-18 08:53 . 2007-11-18 08:53 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2007-11-18 08:51 . 2007-11-18 08:51 <DIR> d-------- C:\Program Files\MSECACHE
2007-11-16 09:52 . 2007-11-19 12:08 32 --a------ C:\WINDOWS\system32\thxcfg.ini
2007-11-12 12:27 . 2007-08-08 20:02 235,008 --a------ C:\WINDOWS\UNBOC.EXE
2007-11-12 12:27 . 2007-05-08 17:01 208,896 --a------ C:\WINDOWS\CMDLIC.DLL
2007-11-12 12:27 . 2004-08-04 16:55 31,744 --a------ C:\WINDOWS\system32\wsock32.dlb
2007-11-07 09:04 . 2007-11-07 09:04 <DIR> d-------- C:\Program Files\CCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-03 10:42 --------- d-----w C:\Program Files\Microsoft Windows OneCare Live
2007-12-02 03:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-02 03:28 --------- d-----w C:\Program Files\Common Files\Real
2007-12-01 13:56 --------- d-----w C:\Program Files\pcdNavi
2007-12-01 13:56 --------- d-----w C:\Program Files\MyBook Editor
2007-12-01 13:56 --------- d-----w C:\Program Files\IBM Homepage Builder V7 Light
2007-12-01 02:36 --------- d-----w C:\Program Files\OKIMJ
2007-11-14 09:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-01 01:13 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-24 00:40 --------- d-----w C:\Program Files\InterVideo
2007-10-23 23:54 --------- d-----w C:\Program Files\Secunia
2007-10-17 11:25 --------- d-----w C:\Documents and Settings\Owner\Application Data\TrojanHunter
2007-10-14 08:50 --------- d-----w C:\Program Files\LabelGate
2007-10-14 08:31 12,400 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-14 08:30 --------- d-----w C:\Program Files\SUCCESS
2007-10-14 07:34 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-10-13 06:33 --------- d-----w C:\Documents and Settings\Owner\Application Data\ArcSoft
2007-10-08 02:47 --------- d-----w C:\Program Files\TLTSR081
2007-10-08 02:41 --------- d-----w C:\Program Files\TLTSH08
2007-10-06 00:16 --------- d-----w C:\Program Files\PowerX
2007-10-06 00:10 --------- d-----w C:\Program Files\I-O DATA
2007-10-05 22:31 --------- d-----w C:\Documents and Settings\Owner\Application Data\Fujitsu
2007-09-09 23:28 7,808 ----a-w C:\WINDOWS\system32\psi_mf.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 16:55]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"SandboxieControl"="C:\Program Files\Sandboxie\SbieCtrl.exe" [2007-11-18 04:20]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^スタート メニュー^プログラム^スタートアップ^hatchInn.exe.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^スタート メニュー^プログラム^スタートアップ^InterVideo WinCinema Manager.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^スタート メニュー^プログラム^スタートアップ^LUMIX Simple Viewer.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^スタート メニュー^プログラム^スタートアップ^TVfunSTUDIO タイマー.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^スタート メニュー^プログラム^スタートアップ^富士通サービスアシスタント.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^スタート メニュー^プログラム^スタートアップ^Secunia PSI (BETA).lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FMVランチャー]
2002-09-28 14:49 45056 --a------ C:\fjuty\wallbtn\FMVLauncherKicker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OutpostMonitor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Cleaner]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THGuard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IoDevMgrService"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"acssrv"=2 (0x2)

R0 FJGPNV;FJGPNV;C:\WINDOWS\system32\drivers\FJGPNV.SYS
R0 hotcore3;hotcore3;C:\WINDOWS\system32\drivers\hotcore3.sys
R0 TfFsMon;TfFsMon;C:\WINDOWS\system32\drivers\TfFsMon.sys
R0 TfSysMon;TfSysMon;C:\WINDOWS\system32\drivers\TfSysMon.sys
R1 HipEnforceDriver;InfoProcess - Host Intrusion Prevention Driver;\??\C:\Program Files\InfoProcess\AntiHook\3.0\HipEnforceDriver.sys
R1 MSFWHLPR;MSFWHLPR;C:\WINDOWS\system32\DRIVERS\msfwhlpr.sys
R1 SandBox;SandBox;C:\WINDOWS\system32\DRIVERS\SandBox.sys
R2 Audsub3;Audsub3;\??\C:\WINDOWS\SYSTEM32\Drivers\Audsub3.sys
R2 FlashDrv;FlashDrv;\??\C:\PROGRA~1\Fujitsu\FlashAid\FlashDrv.sys
R2 HipService;InfoProcess HipService Workstation Service;C:\Program Files\InfoProcess\AntiHook\3.0\HipService.exe
R2 MSFWDrv;MSFWDrv;C:\WINDOWS\system32\DRIVERS\msfwdrv.sys
R2 msfwsvc;OneCare Firewall;"C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe"
R2 OneCareMP;OneCare AntiSpyware and AntiVirus;"C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe"
R2 PCKarte;PCKarte Client Tool Service;C:\Program Files\Fujitsu\PCKARTE\PCKTESVC.EXE
R2 PUSCSYS;PUSCSYS;\??\C:\Program Files\Fujitsu\PowerUtility\schedule\PUSCSYS.sys
R2 RVI04;RVI04;\??\C:\Program Files\Common Files\RVI04\RVI04.sys
R2 SBRLLA;SBRLLA For FM Advisor;C:\Program Files\Fujitsu\sa\api\SBRSVC.EXE
R2 SDPASVC;SDPAUMS server service;C:\WINDOWS\system32\sdpasvc.exe -service
R3 ASWFilt;ASWFilt;C:\WINDOWS\system32\Filt\ASWFilt.dll
R3 Cap7134;TVFM 503 WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys
R3 CONAN;CONAN;C:\WINDOWS\system32\drivers\o2mmb.sys
R3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys
R3 MpFilter;Microsoft Malware Protection Driver;C:\WINDOWS\system32\DRIVERS\MpFilter.sys
R3 PhTVTune;TVFM WDM TVTuner (SAA713x);C:\WINDOWS\system32\DRIVERS\PhTVTune.sys
R3 SbieDrv;SbieDrv;\??\C:\Program Files\Sandboxie\SbieDrv.sys
R3 TfNetMon;TfNetMon;\??\C:\WINDOWS\system32\drivers\TfNetMon.sys
S2 ThreatFire;ThreatFire;C:\Program Files\ThreatFire\TFService.exe service
S3 MEI006E;MEI006E;C:\WINDOWS\system32\drivers\MEI006E.sys
S3 MS1000;MS1000;C:\WINDOWS\system32\DRIVERS\MS1000.sys
S3 PRISM;Intersil PRISM Wireless LAN Driver;C:\WINDOWS\system32\DRIVERS\PRISMNDS.sys
S3 PSI;PSI;C:\WINDOWS\system32\DRIVERS\psi_mf.sys
S3 putlrsrv;PowerUtility Remote Power Management Service;C:\PROGRA~1\Fujitsu\POWERU~1\remote\PUTLRSRV.exe
S4 IoDevMgrService;I-O DATA Device Management Service;"C:\Program Files\I-O DATA\IoDevMgrService\IoDevMgrService.exe"

.
Contents of the 'Scheduled Tasks' folder
"2007-11-30 06:23:23 C:\WINDOWS\Tasks\Owner backup.job"
- C:\Program Files\AMUST\Registry Cleaner\RegCleaner.exe
"2007-11-30 06:23:24 C:\WINDOWS\Tasks\Owner scan and fix.job"
- C:\Program Files\AMUST\Registry Cleaner\RegCleaner.exe
"2007-10-06 01:10:49 C:\WINDOWS\Tasks\Paragon Archive name arc_061007010814194.job"
- C:\Program Files\PowerX\Hard Disk Manager 8.1 for I-O DATA\Program\scripts.exe
"2007-12-02 02:17:00 C:\WINDOWS\Tasks\TC_A.job"
- C:\Program Files\The Cleaner\cleaner.exe
"2007-12-02 02:25:00 C:\WINDOWS\Tasks\TC_B.job"
- C:\Program Files\The Cleaner\cleaner.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-04 20:40:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-04 20:45:32
C:\ComboFix2.txt ... 2007-12-02 10:38
.
--- E O F ---





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:47:23, on 2007/12/04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\InfoProcess\AntiHook\3.0\HipService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Fujitsu\PCKARTE\PCKTESVC.EXE
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Fujitsu\sa\api\SBRSVC.EXE
C:\WINDOWS\system32\sdpasvc.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Fujitsu\PowerUtility\schedule\PUSCSRVC.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O8 - Extra context menu item: Bookshelfで検索(&L) - res://C:\Program Files\Microsoft Reference\Microsoft Bookshelf 3.0\bsdef.dll/#1001
O8 - Extra context menu item: Microsoft Excel にエクスポート(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://update.microsoft.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1191034797690
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1191034768428
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InfoProcess HipService Workstation Service (HipService) - InfoProcess Pty Ltd. - C:\Program Files\InfoProcess\AntiHook\3.0\HipService.exe
O23 - Service: PCKarte Client Tool Service (PCKarte) - FUJITSU LIMITED - C:\Program Files\Fujitsu\PCKARTE\PCKTESVC.EXE
O23 - Service: PowerUtility Schedule (PUSCSRVC) - FUJITSU LIMITED - C:\Program Files\Fujitsu\PowerUtility\schedule\PUSCSRVC.exe
O23 - Service: PowerUtility Remote Power Management Service (putlrsrv) - FUJITSU LIMITED - C:\PROGRA~1\Fujitsu\POWERU~1\remote\PUTLRSRV.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: SBRLLA For FM Advisor (SBRLLA) - FUJITSU LIMITED - C:\Program Files\Fujitsu\sa\api\SBRSVC.EXE
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 5288 bytes




(After the scan with ComboFix,
it told me that there was some error
that a directory could not be accessed,
something like c:\Windows\Microsoft\Current....,
and that such file did not exist.
There were two of them.
Also, HijackThis gave me a caution again:

For some reason your system denied write access to the Hosts file. If any hijacked domains are in this file, HijackThis may NOT be able to fix this.

If that happens, you need to edit the file yourself. To do this, click Start, Run and type

notepad C:\WINDOWS\System32\drivers\etc\hosts

and press Enter. Find the line(s) HijackThis reports and delete them. Save the file as 'hosts.'
(with quotes), and reboot.



After I posted the message yesterday,
I uninstalled Trojan Remover once and downloaded it again from Major Geeks.
The update of Trojan Remover then succeeded.

I downloaded other software like
Norman Malware Cleaner and Malware Removal Tool etc.

'Trojan Guarder Golden Edition' told me that it had found an infection,
but I have to buy the software to remove it.
I didn't buy it.

I expected other software to detect the infection,
but the Anti-Trojan Elite I downloaded
seemed to have been contaminated.
The screen was full of '?' marks and unreadable figures,
and I immediately uninstalled it.

I rebooted the PC in safe mode,
and had a scan with Registry Cleaners like
RegSeeker, Free Windows Registry Repair, Registry Medic etc.,
and also the new Norman Malware Cleaner.

RegSeeker and Free Windows Registry Repair
found and fixed over 100 problems,
and other software detected some errors too.

Scan with Norman Malware Cleaner took a long time,
but it gave me a result that there were no files infected.
However, it displayed that there were about 48 files that were 'not' scanned.

When I started the Trojan Remover today,
two 'isd3.exe's were working.
I exited Trojan Remover, and restarted it.
The 'isd3.exe's disappeared after the exit,
and two 'smr.exe's appeared after the restart.
While I went on exiting and restarting Trojan Remover,
I saw the 'smr.exe's disappearing and 'jmo.exe' appearing,
the 'jmo.exe' disappearing and the 'sxo.exe' appearing.
When I disabled one of them with the task manager,
Trojan Remover disappeared also.

So now it seems to be a component of Trojan Remover.

I felt that this unfamiliar program has somehow
attached itself to the process of Trojan Remover.

I thought that if it was a component of Trojan Remover from the first place,
I cannot quite understand why
this unfamiliar program working in twos
appeared during the installation of iTunes the other day also.
(The installation which eventually failed.)
Or was it a component of Trojan Remover from the beginning,
but happened to have been in conflict with the iTunes installer?
But why did the update of Trojan Remover fail yesterday?
I'm puzzled...

The CCleaner showed me that
the MUI history of
C:\Documents and Settings\owner\Application Data\Simply Super Software\isd3.exe
C:\Documents and Settings\owner\Application Data\Simply Super Software\smr.exe
C:\Documents and Settings\owner\Application Data\Simply Super Software\jmo.exe
C:\Documents and Settings\owner\Application Data\Simply Super Software\sxo.exe
were missing.






,
I started the Trojan Remover.
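The HijackThis caution quoted above is about the hosts file: a hijacked entry there silently redirects a hostname to an attacker-chosen address, which is why the tool wants to inspect and fix it. The following is an added example, not code from the thread or from HijackThis, that reads hosts-file text and sorts every mapping into the three kinds a defender cares about: default loopback lines, blocklist-style lines that sink a name to loopback or 0.0.0.0 (what immunization tools such as Spybot write), and redirects that send a name to a real remote address, which deserve a second look. The sample hosts content and the domain names in it are constructed for the example; `load_and_audit` assumes the standard Windows path mentioned in the post.

```python
"""Audit a Windows hosts file for entries that could hijack name resolution.

Added example for this thread (not the poster's file or HijackThis code).
"""
import ipaddress

# Constructed sample hosts file for this example (NOT the poster's real file).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example-tracker.test      # typical blocklist entry
0.0.0.0         banner.example-tracker.test   # also blocklist style
198.51.100.23   www.update.example.test       # constructed redirect line
"""

# Names that a stock hosts file legitimately maps to loopback.
DEFAULT_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return a list of {'line', 'ip', 'names'} for every valid mapping line.

    Comments (after '#') and blank lines are skipped; lines whose first
    field is not an IP address, or that carry no hostname, are ignored.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comment
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed: address without hostname
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed: first field is not an address
        entries.append({"line": line_no, "ip": str(ip), "names": parts[1:]})
    return entries


def _is_sink(ip):
    """True when the address swallows traffic (loopback or 0.0.0.0/::)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def audit_hosts(text):
    """Classify each (hostname, address) pair found in hosts-file text.

    'default'   : stock loopback names such as localhost
    'blocklist' : other names sunk to loopback/unspecified (immunization)
    'redirect'  : names sent to a routable address; review these by hand
    """
    report = {"default": [], "blocklist": [], "redirect": []}
    for entry in parse_hosts(text):
        for name in entry["names"]:
            pair = (name, entry["ip"])
            if _is_sink(entry["ip"]):
                if name.lower() in DEFAULT_NAMES:
                    report["default"].append(pair)
                else:
                    report["blocklist"].append(pair)
            else:
                report["redirect"].append(pair)
    return report


def load_and_audit(path=r"C:\WINDOWS\System32\drivers\etc\hosts"):
    """Audit the live hosts file (default path assumed from the post)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    for kind in ("default", "blocklist", "redirect"):
        for name, ip in result[kind]:
            print(f"{kind:9s} {ip:16s} {name}")
```

Run it against the live file with `load_and_audit()` from an elevated prompt if the file is read-protected; reading does not need the write access HijackThis was denied. Any name in the `redirect` list, especially one belonging to an update or security-vendor domain, is the kind of line the tool's caution tells the user to delete by hand.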

#20 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • 47,832 posts

Posted 04 December 2007 - 10:56 AM

Both logs are clean.

Nothing wrong about the MRU not found by CCleaner.
Read about MRU's
http://en.wikipedia....t_Recently_Used

I do not know what you are looking for but in my mind your computer is clean.
nasdaq

#21 Prh

Prh

    Advanced Member

  • Full Member
  • 128 posts

Posted 05 December 2007 - 07:14 AM

Hello.

Thank you for checking the log.

I used a-squared to scan the PC in safe mode yesterday,
after I posted the previous message.

I had downloaded a-squared, but it failed to update.
AVG Anti-Spyware also failed in updating,
and I thought the PC had become infected in some way
(like, maybe during the download, for instance).

It had found two infections in the Administrator account:
C:\Program Files\APP\AtFtpAL.exe   Heuristic Dialer.RAS (Unknown risk)
C:\SDFix\apps\Process.exe Riskware.RiskTool.Win32.Processor.20
and one infection in the Owner account:
c:\documents and settings\owner\application data\registry cleaner Trace.Directory.RegistryCleaner

I deleted them.


I also had a scan with Free Window Registry Repair,
which detected fewer errors than usual.
It used to give me a result of about 150 errors each time,
but this time it was only about 70.
Maybe it was because I deleted the files that a-squared had detected,
but I'm not sure.
Today,the update in a-squared succeeded,
which downloaded files up to 16910KB of size.
Maybe it would detect even more infections in the next scan.


Also, when I scanned with 'Catchme', found in the 'SDFix' folder,
it gave me a result that there were over 2700 hidden files.
I hope they're safe.
Registry cleaning software still detects some errors in my PC,
and the a-squared update today sometimes got stuck in the middle,
even though the CPU usage was only about 18 percent.


Though there were problems like these,
the PC seems to be working fine in other aspects.
I'll use my PC as usual again.
Thank you.

Edited by Prh, 05 December 2007 - 07:33 AM.


#22 Prh

Posted 06 December 2007 - 05:13 AM

Hello.

With a-squared newly updated, I had a scan in safe mode again.

It detected another infection in the 'Owner' account:

C:\WINDOWS\i386\DLLHOST.EX_/dllhost.exe Backdoor.Win32.Rbot.buf

and I had it deleted.

Free Windows Registry Repair showed me a scan result of 33 errors.
It has gone down from 70.
I repeated the scan,
and found that it continues to detect 7 to 10 errors each time,
all in HKEY_USERS S-15-21...

RegMedic detected no more errors.

However,
Wise Registry Cleaner detected some registry errors that might not be safe to fix.
TweakNow RegCleaner Std also detected one section that might not be safe.

I updated Spybot S&D,
and noticed that for the first time the immunization couldn't be completed.
No matter how many times I click 'Immunize',
there are still about 19 in Internet Explorer \Software (plugins) that are 'Not protected'.

I then deleted the files quarantined by ThreatFire:
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content IE.5in...
It was detected as suspicious on 2007/11/30.

'Malware Scan', which I downloaded from SoftPedia,
also detected two infections.
I can't remember accurately, but one of them included phrases like 'PCPitstop' and 'dll'.

I'll try to see if there are any other ways to check the PC.

#23 Prh

Posted 10 December 2007 - 04:55 AM

Hello.

'NoAdware' warned me that my PC was infected,
but I have to buy it in order to remove the infection.

'STOPzilla' also detected 15 infections, and asked me to buy it.
Among the results listed there (trojans, adware, etc...),
I saw one located in the registry,
which was similar to the name 'HKEY_USERS S-15-21..',
the one which Free Windows Registry Repair detected the other day.

Also, there were 'Zlob's.

I'll go out and see if there is free software that can repair them.

#24 nasdaq

Posted 10 December 2007 - 08:53 AM

Print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
Don't worry about these items in the registry. They cannot do any damage. They are images of what was.

'HKEY_USERS S-15-21..',


For Zlob, if any, this tool will report them.
*/*

Please download SmitfraudFix (by S!Ri)
Extract all the content (to a folder named SmitfraudFix) on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
nasdaq

#25 Prh

Posted 12 December 2007 - 05:07 AM

Hello.

Thank you for the reply, and I am sorry for the delay.
I was searching the web these days for software.


I just noticed now that you gave me a reply.

I had downloaded SmitFraudFix from the place you showed me,
and had a scan:


SmitFraudFix v2.264

Scan done at 18:32:35.66, 2007/12/12
Run from C:\Documents and Settings\Owner\デスクトップ\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\InfoProcess\AntiHook\3.0\HipService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Fujitsu\PCKARTE\PCKTESVC.EXE
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Fujitsu\sa\api\SBRSVC.EXE
C:\WINDOWS\system32\sdpasvc.exe
C:\Program Files\Fujitsu\PowerUtility\schedule\PUSCSRVC.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Sandboxie\SandboxieRpcSs.exe
C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\Notepad.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\conime.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="現在のホーム ページ"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139/810x Family Fast Ethernet NIC - パケット スケジューラ ミニポート
DNS Server Search Order: 220.152.38.201
DNS Server Search Order: 220.152.38.233

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7DC704BD-A2A9-4F70-971E-DC367EB7F24F}: DhcpNameServer=220.152.38.201 220.152.38.233
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7DC704BD-A2A9-4F70-971E-DC367EB7F24F}: DhcpNameServer=220.152.38.201 220.152.38.233
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=220.152.38.201 220.152.38.233
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=220.152.38.201 220.152.38.233


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End




("パケット スケジューラ ミニポート" means "Packet Scheduler mini port")



(The following lines are about what happened before I read your post:

I downloaded "1-2-3 spyware free" and had a scan.
It detected no infections.

However, when I had a scan with a-squared in safe mode,
it detected many infections,
all of which seemed to be something to do with "1-2-3 spyware free".
I don't know whether it was detecting "1-2-3 spyware free" itself as malicious,
or the files included in "1-2-3 spyware free" were themselves victims of the infection:


a-squared Free - Version 3.0
Last update: 2007/12/11 7:20:38

Scan settings

Objects: Memory, Traces, Cookies, C:\, D:\
Archive scan: On
Heuristics: On
ADS scan: On

Scan start: 2007/12/11 8:03:48

c:\program files\smart pc solutions\1-2-3 spyware free 検出: Trace.Directory.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\base 検出: Trace.Directory.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\help 検出: Trace.Directory.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\language 検出: Trace.Directory.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\quarantine 検出: Trace.Directory.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\update 検出: Trace.Directory.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\animation.avi 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\asc4.dll 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\base\backdoor.avb 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\base\ca.avb 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\base\daily.avb 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\base\kernel4.avb 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\base\malware.avb 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\base\trojan.avb 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\base\virusdos.avb 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\base\virusw32.avb 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\base\weekly.avb 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\base\worm.avb 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\help\spywarefree_de.chm 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\help\spywarefree_en.chm 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\help\spywarefree_es.chm 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\help\spywarefree_fr.chm 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\help\spywarefree_it.chm 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\history.txt 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\homepage.url 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\kernel40.dll 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\language\english.ini 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\language\french.ini 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\language\german.ini 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\language\italian.ini 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\language\spanish.ini 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\my privacy.url 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\oe4.api 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\pl.dll 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\quarantine\quarantine.ini 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\reach-a-mail.url 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\readme.txt 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\smart data recovery.url 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\smart pc.url 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\smartpc.ico 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\sound.wav 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\spywarefree.exe 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\spywarefreemonitor.exe 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\spywarefreeschedule.exe 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\stop.set 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\stopapi4.dll 検出: Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\thebat.api 検出: Trace.File.1-2-3 Spyware Free
Value: HKEY_USERS\S-1-5-21-4234328190-622249540-1753046143-1003\Software\Smart PC Solutions\1-2-3 Spyware Free --> Language 検出: Trace.Registry.1-2-3 Spyware Free
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1-2-3 Spyware Free_is1 --> DisplayName 検出: Trace.Registry.1-2-3 Spyware Free
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1-2-3 Spyware Free_is1 --> DisplayVersion 検出: Trace.Registry.1-2-3 Spyware Free
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1-2-3 Spyware Free_is1 --> HelpLink 検出: Trace.Registry.1-2-3 Spyware Free
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1-2-3 Spyware Free_is1 --> Inno Setup: App Path 検出: Trace.Registry.1-2-3 Spyware Free
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1-2-3 Spyware Free_is1 --> Inno Setup: Deselected Tasks 検出: Trace.Registry.1-2-3 Spyware Free
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1-2-3 Spyware Free_is1 --> Inno Setup: Icon Group 検出: Trace.Registry.1-2-3 Spyware Free
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1-2-3 Spyware Free_is1 --> Inno Setup: Selected Tasks 検出: Trace.Registry.1-2-3 Spyware Free
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1-2-3 Spyware Free_is1 --> Inno Setup: Setup Version 検出: Trace.Registry.1-2-3 Spyware Free
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1-2-3 Spyware Free_is1 --> Inno Setup: User 検出: Trace.Registry.1-2-3 Spyware Free
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1-2-3 Spyware Free_is1 --> InstallLocation 検出: Trace.Registry.1-2-3 Spyware Free
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1-2-3 Spyware Free_is1 --> NoModify 検出: Trace.Registry.1-2-3 Spyware Free
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1-2-3 Spyware Free_is1 --> NoRepair 検出: Trace.Registry.1-2-3 Spyware Free
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1-2-3 Spyware Free_is1 --> Publisher 検出: Trace.Registry.1-2-3 Spyware Free
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1-2-3 Spyware Free_is1 --> QuietUninstallString 検出: Trace.Registry.1-2-3 Spyware Free
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1-2-3 Spyware Free_is1 --> UninstallString 検出: Trace.Registry.1-2-3 Spyware Free
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1-2-3 Spyware Free_is1 --> URLInfoAbout 検出: Trace.Registry.1-2-3 Spyware Free
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1-2-3 Spyware Free_is1 --> URLUpdateInfo 検出: Trace.Registry.1-2-3 Spyware Free

Scanned

Files: 1499
Traces: 347302
Cookies: 8
Processes: 31

Detected

Files: 0
Traces: 65
Cookies: 0
Processes: 0
Registry keys: 0

Scan end: 2007/12/11 8:07:15
Scan time: 0:03:27

Value: HKEY_USERS\S-1-5-21-4234328190-622249540-1753046143-1003\Software\Smart PC Solutions\1-2-3 Spyware Free --> Language 削除 Trace.Registry.1-2-3 Spyware Free
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1-2-3 Spyware Free_is1 --> DisplayName 削除 Trace.Registry.1-2-3 Spyware Free
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1-2-3 Spyware Free_is1 --> DisplayVersion 削除 Trace.Registry.1-2-3 Spyware Free
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1-2-3 Spyware Free_is1 --> HelpLink 削除 Trace.Registry.1-2-3 Spyware Free
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1-2-3 Spyware Free_is1 --> Inno Setup: App Path 削除 Trace.Registry.1-2-3 Spyware Free
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1-2-3 Spyware Free_is1 --> Inno Setup: Deselected Tasks 削除 Trace.Registry.1-2-3 Spyware Free
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1-2-3 Spyware Free_is1 --> Inno Setup: Icon Group 削除 Trace.Registry.1-2-3 Spyware Free
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1-2-3 Spyware Free_is1 --> Inno Setup: Selected Tasks 削除 Trace.Registry.1-2-3 Spyware Free
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1-2-3 Spyware Free_is1 --> Inno Setup: Setup Version 削除 Trace.Registry.1-2-3 Spyware Free
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1-2-3 Spyware Free_is1 --> Inno Setup: User 削除 Trace.Registry.1-2-3 Spyware Free
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1-2-3 Spyware Free_is1 --> InstallLocation 削除 Trace.Registry.1-2-3 Spyware Free
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1-2-3 Spyware Free_is1 --> NoModify 削除 Trace.Registry.1-2-3 Spyware Free
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1-2-3 Spyware Free_is1 --> NoRepair 削除 Trace.Registry.1-2-3 Spyware Free
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1-2-3 Spyware Free_is1 --> Publisher 削除 Trace.Registry.1-2-3 Spyware Free
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1-2-3 Spyware Free_is1 --> QuietUninstallString 削除 Trace.Registry.1-2-3 Spyware Free
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1-2-3 Spyware Free_is1 --> UninstallString 削除 Trace.Registry.1-2-3 Spyware Free
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1-2-3 Spyware Free_is1 --> URLInfoAbout 削除 Trace.Registry.1-2-3 Spyware Free
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1-2-3 Spyware Free_is1 --> URLUpdateInfo 削除 Trace.Registry.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\animation.avi 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\asc4.dll 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\base\backdoor.avb 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\base\ca.avb 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\base\daily.avb 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\base\kernel4.avb 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\base\malware.avb 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\base\trojan.avb 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\base\virusdos.avb 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\base\virusw32.avb 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\base\weekly.avb 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\base\worm.avb 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\help\spywarefree_de.chm 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\help\spywarefree_en.chm 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\help\spywarefree_es.chm 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\help\spywarefree_fr.chm 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\help\spywarefree_it.chm 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\history.txt 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\homepage.url 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\kernel40.dll 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\language\english.ini 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\language\french.ini 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\language\german.ini 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\language\italian.ini 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\language\spanish.ini 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\my privacy.url 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\oe4.api 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\pl.dll 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\quarantine\quarantine.ini 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\reach-a-mail.url 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\readme.txt 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\smart data recovery.url 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\smart pc.url 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\smartpc.ico 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\sound.wav 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\spywarefree.exe 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\spywarefreemonitor.exe 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\spywarefreeschedule.exe 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\stop.set 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\stopapi4.dll 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\thebat.api 削除 Trace.File.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free 削除 Trace.Directory.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\base 削除 Trace.Directory.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\help 削除 Trace.Directory.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\language 削除 Trace.Directory.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\quarantine 削除 Trace.Directory.1-2-3 Spyware Free
c:\program files\smart pc solutions\1-2-3 spyware free\update 削除 Trace.Directory.1-2-3 Spyware Free

Deleted

Files: 0
Traces: 65
Cookies: 0
)



"検出" means "detection" and "削除" means "deletion";
this report seems to be describing that all those files were detected and deleted.


Also today,
before reading this post,
I visited somewhere like "Five Star...",
and downloaded "Spysweeper", "Rogue Remover Pro", etc.

Most of them didn't work on my PC.
During the installation an error message told me that the addition to the registry key failed (or something),
but I ignored it.
Though the icon of the software appeared, they wouldn't work.
Each of them displayed that some error had occurred and the program couldn't be started.

However, the installation of "spyaudit" happened to have succeeded,
and after I started it to have a scan,
it told me that there were no infections found.

On the other hand, "Glarysoft Registry Repair" told me that it had found over 100 errors on my PC
(it was 46 the other day),
but maybe it was caused by the corrupted downloads I had today
(but I'm not sure).
And, as you told me,
because they are images of the past,
and are not the ones that cause direct damage,
maybe I'll pay attention to other aspects of the PC...

Thank you for reading.

Edited by Prh, 12 December 2007 - 05:11 AM.


#26 nasdaq

Posted 12 December 2007 - 11:36 AM

1-2-3 spyware free is not recommended.
http://ca.com/us/sec...px?id=453099133

As far as I'm concerned your computer is clean.
You are making it worse by downloading anything that you can find.
I'm no longer checking any new tools that you feel may help you find something that is not there.
nasdaq

#27 Prh

Posted 13 December 2007 - 12:10 AM

Hello.

Thank you.
I read http://ca.com/us/sec...px?id=453099133.
So 1-2-3 spyware free was a trojan...


When I download software,
I mainly download it from
MajorGeeks
SoftPedia
CNet
5 Star Shareware (※)
Tucows

※ This was the site I tried to describe as "Five Star..." in the previous post,
where I downloaded Spysweeper etc.

I hear most of them are well known,
and some say they check the software they upload.

But downloads from these sites sometimes fail on my PC...

Every time I face such problems
I feel I was directed to a site disguised as a famous site
(and what I downloaded was a fake one disguised as the real one),
or there was some internal process blocking the download from inside my PC,
or else there was some error in the system that was accidentally leading my PC to failures.


I haven't mentioned it in this post,
but there were several times when symptoms were found on my PC
that seemed to show that the PC was hacked..
(I described it in my previous post.)

The attempts seem to have been made more than once,
and I'm cautious that some hacker was (or maybe still is) targeting this computer.

The security software I have is doubtful too.
Though I downloaded 'Windows Live OneCare' from Microsoft,
and 'Adaware 2007' from Lavasoft,
both of them are displayed as having been published by publisher 'unknown'.
(When I checked it with 'Run' > 'msconfig'.)

Most of the other software was displayed with company names,
so I felt awkward about this.


But maybe I downloaded "1-2-3 spyware" from a site different from usual,
which I cannot put any blame on except myself.
I followed the link from a trusted site,
but maybe that was not enough.


I want to be sure that the PC is not infected,
otherwise the PC might automatically infect others every time I visit their homepage etc,
and I don't want that to happen.
(I guess other people have the same feeling about this to a certain degree...)

Thank you for reading,
and for your continuing help.

Edited by Prh, 13 December 2007 - 12:11 AM.


#28 Prh

Posted 15 December 2007 - 10:27 PM

Hello.

I noticed that a firewall software I tried to install failed to install,
but succeeded when I used the Administrator account in safe mode.

It was because of the error message
(something like "The installation is banned by the Administrator")
that I thought I'd try this.
I copied and pasted the file to the Administrator's desktop,
and rebooted in safe mode.

I don't know what was added to the system to prevent installations,
but it somehow worked.


On the other hand,
it didn't work with iTunes.


But I also noticed that the 'Run' entry in the registry is completely missing.
That may be another reason that some software installations fail;
they display that they cannot add an entry to the registry
(and on one occasion, when I looked carefully, it was the 'Run' entry that they could not change).
It's strange because some software that claimed the installation failed because of this error
seems to be working anyway.
They even start up automatically,
though they don't appear in the 'start up' tab in the 'Starter'.
All of them seem to be well known software (like 'BitDefender').

I recall that one day, quite a long time ago,
'TeaTimer' warned me that the 'Winlogon - Run' was about to be added.
I disabled it because I didn't want any changes to be made to the system
that might cause serious errors.
It was probably while fixing registry errors with some software.

As a result, the 'Run' entry remained missing,
and I may have been mistaken in disabling the addition of the key,
but I don't know what had eliminated the key in the first place...


I also had a scan with a-squared,
which detected infections:
C:\Documents and Settings\Owner\desktop\security\SmitfraudFix\Process.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\Documents and Settings\Owner\desktop\security\SmitfraudFix\Reboot.exe detected: Riskware.RiskTool.Win32.Reboot.f

Yesterday I had a scan with another software.
One trojan was found.
It was explained that it sends the hacker information about the vulnerability in the PC.

When I connected to the internet,
I noticed that there were several attempts to connect to my PC in a dangerous way,
all from the same address.
One was detected as 'severe';
it was sending packets (or something).
The address of that PC was very similar to the address of my PC,
only slightly different.
Maybe someone using the same network connection was doing this.
(I apologize if that's wrong;
I still don't quite understand IP addresses properly.)

When I looked up the address,
it was warned that it had something to do with some dangerous site.

Edited by Prh, 15 December 2007 - 10:30 PM.

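The two worries in the last posts, a 'Run' key that an installer says it cannot write to and security software whose publisher shows as 'unknown', can both be checked directly rather than by downloading yet another cleaner. The script below is an added example for readers of this thread, not something posted by Prh or nasdaq and not part of any tool named here. It walks the standard autostart locations (the HKLM/HKCU Run and RunOnce keys and the Winlogon Shell/Userinit values), reports which keys are missing, lists every entry, and asks Windows for the Authenticode signature status of each launched executable. It assumes Windows PowerShell is installed (it was an optional download on XP and Vista) and is run with enough rights to read HKLM; the key paths and default Winlogon values are the well-known ones, nothing specific to this PC.

```powershell
# Added triage script (not from the original thread): enumerate the standard
# autostart registry locations, report which are missing, list their values,
# and check the Authenticode signature of each launched .exe.
# Assumes Windows PowerShell on XP/Vista or later and read access to HKLM.

$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Winlogon values that are commonly hijacked; the defaults are given for comparison.
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$winlogonExpected = @{
    'Shell'    = 'explorer.exe'
    'Userinit' = "$env:SystemRoot\system32\userinit.exe,"
}

function Get-LaunchedExe([string]$command) {
    # Pull the executable path out of a Run value such as
    #   "C:\Program Files\Foo\foo.exe" /silent
    # Returns $null when no .exe path can be recognised.
    if ($command -match '^\s*"?([^"]+?\.exe)') { return $matches[1] }
    return $null
}

function Format-AutostartEntry([string]$key, [string]$name, [string]$value) {
    $exe = Get-LaunchedExe $value
    $sig = 'n/a'
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        # Status is Valid for a trusted signature, NotSigned for unsigned files,
        # and HashMismatch / UnknownError for tampered or untrusted ones.
        $sig = (Get-AuthenticodeSignature -FilePath $exe).Status
    } elseif ($exe) {
        $sig = 'FILE MISSING'   # an autostart entry that points at nothing deserves a look
    }
    '{0}\{1} = {2}  [signature: {3}]' -f $key, $name, $value, $sig
}

foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) {
        # The Run keys exist by default even when empty; a missing key is what
        # makes installers report that they cannot add an entry to Run.
        '{0}: MISSING' -f $key
        continue
    }
    $props   = Get-ItemProperty -Path $key
    # Get-ItemProperty adds PSPath/PSParentPath/etc. bookkeeping properties; skip them.
    $entries = $props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }
    if (-not $entries) { '{0}: present, no entries' -f $key; continue }
    foreach ($e in $entries) { Format-AutostartEntry $key $e.Name ([string]$e.Value) }
}

$wl = Get-ItemProperty -Path $winlogonKey
foreach ($name in $winlogonExpected.Keys) {
    $actual = [string]$wl.$name
    if ($actual -ieq $winlogonExpected[$name]) {
        '{0}\{1} = {2}  [default]' -f $winlogonKey, $name, $actual
    } else {
        '{0}\{1} = {2}  [DIFFERS from default "{3}"]' -f $winlogonKey, $name, $actual, $winlogonExpected[$name]
    }
}
```

Run it from a PowerShell prompt in the account that shows the problem and once more from the Administrator account; a Run key that is MISSING in one and present in the other points at the per-user hive, not at malware. A 'Valid' signature status for the OneCare and Ad-Aware executables answers the 'publisher unknown' question more reliably than msconfig's display does, and any entry whose file is 'NotSigned' or 'FILE MISSING' is the one worth pasting into a thread like this.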

#29 Prh

Posted 22 December 2007 - 11:55 PM

Hello.

After posting the previous post,
a-squared detected another infection.

I bought a new PC (finally).

I connected to the homepages of Microsoft, Spybot S&D and Security Wonks (followed a link from Spybot S&D),
CNET, MajorGeeks and filehippo.com.

I downloaded a-squared, and many registry cleaning programs.

Registry Check Up repeatedly detected 59 errors.
Registry Distiller didn't work.
Abexo detected 137 errors,
and succeeded in deleting up to 40 errors. (The rest of them failed.)
TweakNow RegCleaner detected none.
EasyCleaner detected over 100 unnecessary files,
and deleted up to 30 files. (The rest of them failed.)

'a-squared' detected 3 infections,related to 'registry cleaner':
c:\users\kuramitsu\appdata\roaming\registry cleaner detected: Trace.Directory.RegistryCleaner
c:\programdata\microsoft\windows\start menu\programs\registry cleaner detected: Trace.Directory.RegistryCleaner
c:\program files\registry cleaner trial detected: Trace.Directory.RegistryCleaner

I deleted them.

Registry Cleaner turned out to be rogue software, according to
http://www.castlecop...tartupList.html
I had downloaded it from one of the sites I listed above.

I also had a scan with HijackThis after that,
and Registry Cleaner appeared again in the log (I pasted the log below),
in the (O4).
But because it wasn't appearing in the main screen of HijackThis,
I couldn't fix it.

Also, the 'Gopher prefix' in (O13) appeared again after I had fixed it once.

Also, according to StartUp List,
there are two items in the HOSTS file in 'Protections & disabled items':
127.0.0.1 and ::1.
According to HijackThis, the (O1) is,
O1 - Hosts: ::1 localhost

Do you think it is safe?
(Or am I being redirected somewhere?)




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:05, on 2007/12/23
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Windows\system32\svchost.exe
C:\Program Files\SiteAdvisor\6145\SAService.exe
C:\Windows\system32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\system32\taskeng.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEJP\IMJPCMNT.EXE
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\SiteAdvisor\6145\SiteAdv.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEJP\IMJPCMNT.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Windows\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6145\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6145\SiteAdv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [IME JPN 2007 Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEJP\IMJPKLMG.EXE /Preload
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6145\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [AntiSpyWare2Guard] C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\Regclean.exe" -startminimize
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O8 - Extra context menu item: Microsoft Excel にエクスポート(&X) - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: JWord プラグイン - {34D67ED2-C837-4627-838C-2264E347D291} - http://www.jword.jp/...&...tton&pver=2 (file missing)
O9 - Extra 'Tools' menuitem: JWord プラグインについて - {34D67ED2-C837-4627-838C-2264E347D291} - http://www.jword.jp/...&...tton&pver=2 (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O11 - Options group: [JWDSearch] JWord プラグイン
O13 - Gopher Prefix:
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ashampoo AntiSpyWare 2 Service (AASW2_Service) - Unknown owner - C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SiteAdvisor サービス (SiteAdvisor Service) - Unknown owner - C:\Program Files\SiteAdvisor\6145\SAService.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 7660 bytes




Thank you for reading.

Edited by Prh, 22 December 2007 - 11:57 PM.


#30 nasdaq (Forum Deity, Global Moderator, 47,832 posts)

Posted 23 December 2007 - 10:31 AM

Print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

Also,the 'Gopher prefix' in (O13) appeared again after I had fixed it once.

Also,according to StartUp List,
there are two items in HOSTS file in 'Protections & disabled items':
127.0.0.1 and ::1.
According to HiJackThis,the (O1) is,
O1 - Hosts: ::1 localhost


All this is good. It's how it is reported on a Vista Computer.
Do not touch it.
*/*


Open HijackThis
Click: None of the above, just start the program.
Click: Config
Click: Misc Tools
Click: Open Process Manager. Look for both these processes and click on Kill Process.

C:\Windows\system32\wininit.exe
Exit when finished.
*/*

Disable Microsoft Windows Defender:

We need to disable your Microsoft Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
  • Open Microsoft Windows Defender. Click Start, Programs, Windows Defender
  • Click on Tools, General Settings.
  • Under Real-time protection options, unselect the Turn on real-time protection check box
  • Click Save

After all of the fixes are complete it is very important that you enable Real-time Protection again.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\Regclean.exe" -startminimize
O9 - Extra button: JWord プラグイン - {34D67ED2-C837-4627-838C-2264E347D291} - http://www.jword.jp/...&...tton&pver=2 (file missing)
O9 - Extra 'Tools' menuitem: JWord プラグインについて - {34D67ED2-C837-4627-838C-2264E347D291} - http://www.jword.jp/...&...tton&pver=2 (file missing)
O11 - Options group: [JWDSearch] JWord プラグイン


Click on Fix Checked when finished and exit HijackThis.

Delete this file.
C:\Windows\system32\wininit.exe

Restart the computer normally to complete the fix.
*/*

Enable Windows Defender.

Submit a fresh HijackThis log.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760
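A small triage helper for the HijackThis log format discussed in this reply, added here as an example; it is not code from the thread, from HijackThis, or from any tool named in it. It treats O1 hosts entries that map a hostname to a loopback address (127.0.0.1 or ::1, the normal entries on this Vista machine) as expected and flags any other mapping as a redirect worth inspecting, and it pulls out O4 Run-key entries so an item such as Registry Cleaner can be found in a saved log by substring. The sample log lines, the 10.0.0.5 address and the www.example.com hostname are constructed for the example.

```python
"""Triage helper for HijackThis-style logs.

Added example; not code from the forum thread, HijackThis, or any tool it
names. O1 lines whose address is loopback (127.0.0.1, ::1) are the expected
"localhost" entries; any other address is a redirect to inspect. O4 Run-key
lines are parsed so a named entry can be located by substring. SAMPLE_LOG is
constructed for this example.
"""
import ipaddress
import re
from dataclasses import dataclass

# O1 - Hosts: <address> <hostname>
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
# O4 - <hive>\..\Run: [<name>] <command line>
# (O4 "Global Startup" lines carry no [name] and are deliberately skipped)
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")


@dataclass
class HostsEntry:
    address: str
    hostname: str
    loopback: bool


@dataclass
class AutorunEntry:
    hive: str
    name: str
    command: str


def parse_hosts_entries(log_text):
    """Return every O1 line as a HostsEntry, flagging whether the address is loopback."""
    entries = []
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if not m:
            continue
        address, hostname = m.group(1), m.group(2)
        try:
            loopback = ipaddress.ip_address(address).is_loopback
        except ValueError:
            loopback = False  # not an IP literal at all: treat as suspicious
        entries.append(HostsEntry(address, hostname, loopback))
    return entries


def suspicious_hosts_entries(log_text):
    """O1 entries that send a hostname somewhere other than the local machine."""
    return [e for e in parse_hosts_entries(log_text) if not e.loopback]


def parse_autoruns(log_text):
    """Return the O4 Run-key entries (HKLM, HKCU, HKUS\\<SID>) found in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(AutorunEntry(m.group("hive"), m.group("name"), m.group("cmd")))
    return entries


def autoruns_matching(log_text, needle):
    """Autorun entries whose name or command line contains needle (case-insensitive)."""
    needle = needle.lower()
    return [e for e in parse_autoruns(log_text)
            if needle in e.name.lower() or needle in e.command.lower()]


def executable_path(command):
    """First token of a Run-key command line: a quoted path, or the text up to the
    first space (an unquoted path containing spaces is ambiguous and gets cut short)."""
    m = re.match(r'"([^"]+)"|(\S+)', command.strip())
    return m.group(1) or m.group(2)


# Constructed sample: one normal O1 line, one redirect, two Run-key O4 lines
# and one Global Startup O4 line that the Run-key parser ignores.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O1 - Hosts: ::1 localhost
O1 - Hosts: 10.0.0.5 www.example.com
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\Regclean.exe" -startminimize
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
"""

if __name__ == "__main__":
    for e in suspicious_hosts_entries(SAMPLE_LOG):
        print(f"hosts redirect: {e.hostname} -> {e.address}")
    for e in autoruns_matching(SAMPLE_LOG, "registry cleaner"):
        print(f"autorun {e.hive} [{e.name}]: {executable_path(e.command)}")
```

Run against a saved log, the loopback check is what makes the `::1 localhost` line above uninteresting, and the substring search is how the `Registry Cleaner` O4 line can be located even when the HijackThis main screen does not list it.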

#31 Prh (Advanced Member, Full Member, 128 posts)

Posted 24 December 2007 - 02:17 AM

Hello.

So
O1 - Hosts: ::1 localhost
O13 - Gopher prefix
were normal in Vista.
Thank you.


On the other hand,there were some things that didn't work properly.

I tried to follow your instructions.

Open HijackThis
Click: None of the above, just start the program.
Click: Config
Click: Misc Tools
Click: Open Process Manager..


I followed this.


Look for both these processes and click on Kill Process.

C:\Windows\system32\wininit.exe


This, I could not find.


I also disabled 'Real Time Protection'
of Windows Defender.


Close all programs leaving only HijackThis running.


I was not sure if I was able to close all of them.
I closed the explorer window and the notepad I was using.
There were no applications appearing in the window,
but there were programs in the task tray,
like McAfee and ThreatFire,which were probably working in the background.

Place a check against each of the following, making sure you get them all and not any others by mistake:

O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\Regclean.exe" -startminimize
O9 - Extra button: JWord プラグイン - {34D67ED2-C837-4627-838C-2264E347D291} - http://www.jword.jp/...&...tton&pver=2 (file missing)
O9 - Extra 'Tools' menuitem: JWord プラグインについて - {34D67ED2-C837-4627-838C-2264E347D291} - http://www.jword.jp/...&...tton&pver=2 (file missing)
O11 - Options group: [JWDSearch] JWord プラグイン

Click on Fix Checked when finished and exit HijackThis.


I tried to delete them by clicking the box and pressing the fix button,
but an error occurred:

Error #5 - Invalid procedure call or argument

Windows version: Windows NT 6.00.1904
MSIE version: 7.0.6000.16575
HijackThis version: 2.0.2



I thought it may be because of the real-time protection function of software other than Windows Defender;
that of McAfee and ThreatFire.
I disabled both of them.
I had already disabled the function of Ashampoo.
But still, the deletion wouldn't work...


I also tried to have RegSeeker find the files associated with Registry Cleaner,
but the deletion somehow failed.


This is the log of HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:05, on 2007/12/23
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Windows\system32\svchost.exe
C:\Program Files\SiteAdvisor\6145\SAService.exe
C:\Windows\system32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\system32\taskeng.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEJP\IMJPCMNT.EXE
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\SiteAdvisor\6145\SiteAdv.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEJP\IMJPCMNT.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Windows\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6145\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6145\SiteAdv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [IME JPN 2007 Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEJP\IMJPKLMG.EXE /Preload
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6145\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [AntiSpyWare2Guard] C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\Regclean.exe" -startminimize
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O8 - Extra context menu item: Microsoft Excel にエクスポート(&X) - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: JWord プラグイン - {34D67ED2-C837-4627-838C-2264E347D291} - http://www.jword.jp/...&...tton&pver=2 (file missing)
O9 - Extra 'Tools' menuitem: JWord プラグインについて - {34D67ED2-C837-4627-838C-2264E347D291} - http://www.jword.jp/...&...tton&pver=2 (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O11 - Options group: [JWDSearch] JWord プラグイン
O13 - Gopher Prefix:
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ashampoo AntiSpyWare 2 Service (AASW2_Service) - Unknown owner - C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SiteAdvisor サービス (SiteAdvisor Service) - Unknown owner - C:\Program Files\SiteAdvisor\6145\SAService.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 7660 bytes


Delete this file.
C:\Windows\system32\wininit.exe

I tried to find it with explorer,
but it didn't show up.

Maybe I'll look for 'Starter' and try to terminate 'wininit.exe' with it.

Again,thank you for reading.

Edited by Prh, 24 December 2007 - 02:19 AM.


#32 nasdaq (Forum Deity, Global Moderator, 47,832 posts)

Posted 24 December 2007 - 08:57 AM

Run combofix.exe again and let me see the log.
nasdaq

#33 Prh (Advanced Member, Full Member, 128 posts)

Posted 25 December 2007 - 12:22 AM

Hello.

I downloaded ComboFix from this thread.

While using it, warning messages were frequently displayed by McAfee and ThreatFire.
(Is it because it deals with important areas in the system or something?)
I allowed the changes.

This is the result:


scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\explorer.exe [6.00.6000.16549]
-> C:\Program Files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
.
Completion time: 2007-12-25 14:12:01
.
2007-12-22 06:59:19 --- E O F ---





Thank you.

Edited by Prh, 25 December 2007 - 12:22 AM.


#34 Prh (Advanced Member, Full Member, 128 posts)

Posted 25 December 2007 - 08:40 AM

Hello.

I had a scan with Spybot S&D in safe mode .
It found:
BPSSpyware Remover
and I deleted it.


I also noticed that registry cleaning succeeds during safe mode.

Easy Cleaner detected and removed 21 unnecessary files.
RegSeeker also succeeded in deleting.
It was also able to find entries involved with 'Registry Cleaner'(the rogue software I couldn't delete the other day).
McAfee deleted unnecessary files 217 MB of size.


Though in the normal account the Spybot S&D immunization function still doesn't function properly
(half of the list remains unprotected),
it was able to immunize all of the entries in the Administrator account.
Maybe something in the process I mentioned above had something to do with this change.

Edited by Prh, 25 December 2007 - 08:40 AM.


#35 Prh (Advanced Member, Full Member, 128 posts)

Posted 27 December 2007 - 10:32 PM

Hello.

I visited CNET and downloaded more registry cleaning programs.
I downloaded only the ones given more than three stars by CNET.

However, about three out of five turned out to be infected.
McAfee warned me during the installations each time that a trojan was detected.
Most of the infected programs seemed to be the ones added quite a long time ago,
during the years 2005 ~ 2006.

I scanned the PC in safe mode with a-squared.
It detected 99 infections.

I also used the Spyware Doctor trial version.
It found two critical infections, located in various areas.
I opened regedit and deleted those registry entries.

Spybot S&D found another infection.


I noticed that the D drive was missing.
I don't know since when this was happening.
I couldn't use CD ROMs.

I phoned the PC maker that my PC was already beginning to show errors.
They gave me a new one instead,and took away the old one.


I visited Microsoft and SoftPedia,
and downloaded Spybot S&D and Adaware 2007,
and also downloaded registry cleaning programs from PC World,
and made sure that I only downloaded the ones that displayed that they'd work with Vista
(except for RegSeeker).
They are programs like Eusing Free Registry Cleaner, Smart PC, etc.

I had scans with them,sometimes in safe mode.

I realized somewhere during this process that suddenly McAfee wasn't working properly.
It claimed that the Virus Scan component wasn't installed properly,
but no matter how many times I re-installed it from the CD,
it displayed the same warnings.

Also,Adaware aborted in the middle of each scan.

a-squared detected one infection.
It had something to do with what WinAce installed.
WinAce had displayed that it would offer the service free
if I agreed to install a legitimate software from a company that it's related to;
it'd track the user's habits and display advertisements related to them,
but it was the only legitimate one in the market (, they said).

I deleted it and uninstalled WinAce.

I couldn't install Dark Spy because of that.
(The PC needed WinAce to open the file of Dark Spy.)


Also,because McAfee wasn't functioning anymore,
I looked for another firewall and anti-malware software,and installed it.

Ice Sword displayed a few lines in red,
and I wasn't sure whether I should delete it or not.
But after I had a scan with 'UnHackMe' and another anti-rootkit software(something to do with Prevx),
they somehow disappeared.
'UnHackMe' warned me that some component that was related with McAfee was bad.
I realized that the McAfee Personal Firewall was still functioning,
even after the uninstallation,
and that it was probably competing with the other firewall.
I had 'UnHackMe' delete it.

Edited by Prh, 27 December 2007 - 10:34 PM.


#36 Prh (Advanced Member, Full Member, 128 posts)

Posted 02 January 2008 - 02:40 AM

Hello.

I used the system restore point, and had the PC recover to the previous state.
McAfee still didn't work, but at last,
I was able to install iTunes.
There were no error messages this time.

WinASO Registry Optimizer detected about 200 errors during safe mode, and I'm still stuck about that,
but at least, I'm able to enjoy iTunes now.

Thank you for reading.

Edited by Prh, 02 January 2008 - 02:41 AM.


#37 Prh (Advanced Member, Full Member, 128 posts)

Posted 06 January 2008 - 02:53 PM

Hello.

I was surfing the internet,but after quite a long time the PC began to show some odd movements.

I scanned the PC in safe mode.
Several registry errors were found(as usual).

I accidentally started a scan with gmer while Adaware was still having the scan,
and when I right clicked one of the path displayed by gmer
including the name 'Adaware',
the PC suddenly shut itself down.
(Actually,I clicked it with the 'Shift' key on,
because I wanted to select all of the ones including the name.)
After the reboot,the desktop icons were completely missing.
An error message displayed that the PC couldn't access to the desktop.

I used the system restore point,
and had the PC recovered to the previous state.


When I scanned the PC with "avast! home edition" in safe mode,
it detected a file located in \threatfire as a trojan.
I deleted it,and after the reboot ThreatFire stopped functioning properly,
so I think it had something to do with the component of it.

I downloaded programs from "PC Authority" and "PC World", but except for the first one or two,
the downloading process became odd.
The green bar that appeared during download
started to move from the left to the right,
then kept on appearing from the left and sliding to the right again and again.
(Normally, the bar gradually accumulates and finally reaches the right side when the download has completed.)

I couldn't guess when the download would end,
because it displayed 'Remaining Time: File size Unknown'.

I tried to see what would happen if I downloaded a program that had been downloaded normally the first time.
It turned out that it showed the same error this second time;
the green bar showed the same sliding movement as the others.

I don't know what was causing this,
and I'm not sure if I can trust these downloaded programs.
I felt like,
if some hacker somehow knew how to change the appearance of the downloading process,
maybe the hacker knows how to change the state of the software itself too.
He/she may have changed it to some malicious state.

I'll go and check the PC again,
first without these newly downloaded programs.
Maybe the old ones would detect something.


(On the other hand,iTunes was great.
Thank you for reading ^^.)

#38 nasdaq (Forum Deity, Global Moderator, 47,832 posts)

Posted 17 January 2008 - 10:52 AM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
nasdaq