Tech Support Forum - Resolved HJT Threads (Resolved spyware and popup issues)
#1
Registered User

Random switching off...

Recently my computer's been switching itself off as if the power's been cut. AVG and AdAware aren't picking up anything. I've managed to isolate 2 instances that seem to trigger it...

1. Running Spybot. It gets somewhere between 13,000 and 17,000 on the bot check and the computer cuts out. AV-Gold was the last checkpoint I remember it hanging on.
2. Running Football Manager 2006. It wasn't doing it in the first place, but recently I've gone back to playing it and every time I try the computer eventually switches off.

Here's my ComboScan...

Quote:

Last edited by Zeokage; 02-15-2007 at 02:22 AM.
#2
Registered User

With the warning about ComboScan, and the inability for Panda Scan to get through the scan without the computer switching off, here's the HJT log. Was the analyzer discontinued?

I think it's got something to do with Football Manager 2006, but I have no idea what as this is a recent problem and I've had the game for a long while now.

Quote:

Last edited by Zeokage; 02-17-2007 at 02:32 PM.
#4
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,957
OS: WinXP and Vista

Hello Zeokage,

Careful with the names of the tools--ComboScan is OK to use. It's Combofix that has been pulled temporarily.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

***************************************************

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Ezthemes_WhenUSaveNow_Installer

--------------------------------------------------------------------

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now.

Open notepad and copy/paste the text in the quotebox below: (don't forget to copy and paste REGEDIT4)

Quote:

Save the file as "delete.reg". Make sure to save it with the quotes. Choose to "Save type as - All Files". It should look like this:

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

--------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
* Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

--------------------------------------------------------------------

Using 'My Computer', navigate to and delete the following Folder if it still exists.

C:\Program Files\Ezthemes_WhenUSaveNow_Installer

--------------------------------------------------------------------

Please download SmitfraudFix (by S!Ri) to your Desktop. Double-click smitfraudfix.exe to start the tool.
#5
Registered User

Thanks for the tip. I saw "Combo" and panicked slightly, especially as I hadn't seen Combofix mentioned anywhere before. I assumed they were the same thing.

Anyhoo, here's the text file. It's a Japanese computer, so I hope those サ symbols are just a substitute for another key and don't disrupt what you're checking. What do you think has caused the problem?

Quote:
#7
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,957
OS: WinXP and Vista

Hi,

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

******************************************************

Download HostsXpert v3.7. Extract all files and double click HostsXpert.exe.

Download AVG Anti Spyware. Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows".

--------------------------------------------------------------------

Download and install CleanUp! but do not run it yet. (Not Recommended for XP64). (Alternate Link if main link doesn't work - http://www.greyknight17.com/spy/CleanUp.exe )

--------------------------------------------------------------------

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Log in with your usual account.

Make sure to close any open browsers.

--------------------------------------------------------------------

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! or move them to a permanent location.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
* Click "Options..."
* Move the arrow down to "Custom CleanUp!"
* Put a check next to the following:

Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted.

--------------------------------------------------------------------

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process. Run AVG Anti-Spyware with its updated definitions (...it's important that all windows must be closed).

--------------------------------------------------------------------

Reboot into Normal Mode.

--------------------------------------------------------------------

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course: Perform an online scan with Internet Explorer with Panda ActiveScan

* Turn off the real time scanner of any existing antivirus program while performing the online scan

--------------------------------------------------------------------

Close all applications and windows. Double-click on comboscan.exe to run it, and follow the prompts.

Run a new scan with HijackThis and save the log.

--------------------------------------------------------------------

Please include the following in your next reply:
AVG Anti-Spyware results
Panda results
ComboScan.txt
Attach the Supplementary.txt

Last edited by Ried; 02-21-2007 at 06:16 PM.
#8
Registered User

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 11:01:41 2007/02/23
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{6ECDB36B-1205-5DE1-F02E-335C36B4124F} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{C07C138C-3550-6D41-1B01-76F790035395} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
C:\Program Files\filesubmit\biob.zip\NNWDAC638.EXE -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\filesubmit\forestgreenxs.exe\NNWDAC638.EXE -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\filesubmit\biob.zip\Ezthemes_WhenUSaveNowCrunch_InstallerInst.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\filesubmit\biob.zip\Ezthemes_WhenUSaveNow_InstallerInst.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\filesubmit\forestgreenxs.exe\Ezthemes_WhenUSaveNowCrunch_InstallerInst.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\filesubmit\forestgreenxs.exe\Ezthemes_WhenUSaveNow_InstallerInst.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F8A424DD-51E1-4693-ACA2-781625F98C1D}\RP379\A0081275.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\WinCtlAdX.dll -> Adware.WinAD : Cleaned with backup (quarantined).
::Report end
----------------------------------------------------------------------

Panda didn't complete after two attempts due to computer cutting out, so I guess the problem still exists. *sigh*

----------------------------------------------------------------------
ComboScan v20070221.16 run by Owner on 2007-02-23 at 13:03:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------
Successfully created restore point.
Performed disk cleanup.
-- HijackThis (run as Owner.exe) ------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 13:04:58, on 2007/02/23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Pager"="\"C:\\Program Files\\Yahoo!J\\Messenger\\ypagerj.exe\" -quiet" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32" "PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC" "PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName" "NECMFK"="C:\\Program Files\\necmfk\\necmfk.exe" "AGRSMMSG"="AGRSMMSG.exe" "SHRunOnce"="C:\\Program Files\\SmartHobby\\SHRunOnce.exe" "StorageGuard"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r" "LiquidView"="C:\\Program Files\\LiquidView\\lviewj.exe" "SiSUSBRG"="C:\\WINDOWS\\SiSUSBrg.exe" "HFSMOP"="C:\\WINDOWS\\System32\\hfsmop.exe" "MSPY2002"="C:\\WINDOWS\\System32\\IME\\PINTLGNT\\ImScInst.exe /SYNC" "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP" "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe" "MessengerPlus3"="\"C:\\Program Files\\MessengerPlus! 
3\\MsgPlus.exe\"" "LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe" "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL] "Installed"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI] "Installed"="1" "NoChange"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS] "Installed"="1" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^スタート メニュー^プログラム^スタートアップ^ロジクール デスクトップ メッセンジャー.lnk] "path"="C:\\Documents and Settings\\All Users\\スタート メニュー\\プログラム\\スタートアップ\\ロジクール デスクトップ メッセンジャー.lnk" "backup"="C:\\WINDOWS\\pss\\ロジクール デスクトップ メッセンジャー.lnkCommon Startup" "location"="Common Startup" "command"="C:\\PROGRA~1\\Logitech\\DESKTO~1\\8876480\\Program\\LDMConf.exe /start" "item"="ロジクール デスクトップ メッセンジャー" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="iTunesHelper" "hkey"="HKLM" "command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="BackWeb-8876480" "hkey"="HKCU" "command"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\BackWeb-8876480.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate] 
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="ManifestEngine" "hkey"="HKCU" "command"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="ISStart" "hkey"="HKLM" "command"="C:\\Program Files\\Logitech\\Video\\ISStart.exe " "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="LogiTray" "hkey"="HKLM" "command"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="qttask" "hkey"="HKLM" "command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchM] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="SearchM" "hkey"="HKCU" "command"="C:\\Program Files\\SmartHobby\\PlugIn\\CopyFromDigitalCamera\\SearchM.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{81559C35-8464-49F7-BB0E-07A383BEF910}"="SpywareGuard" "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5" [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "ctfmon.exe"="ctfmon.exe" "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE" [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run] "ctfmon.exe"="ctfmon.exe" "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"=dword:00000000 [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] "SecurityProviders"="msapsspc.dll, 
schannel.dll, digest.dll, msnsspc.dll" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 -- End of ComboScan: finished at 2007-02-23 at 13:05:54 ------------------------- Last edited by Ried; 02-23-2007 at 06:48 PM. |
|
|
|
|
#9 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,957
OS: WinXP and Vista
Hi,

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
* Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.
--------------------------------------------------------------------
Search for the following file via Start>Search>All files and folders. If found, please delete it:
clfmon.exe
--------------------------------------------------------------------
Uninstall the following outdated SunJava via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs):
These are outdated, no longer needed on the system, and pose a security risk:
Java 2 Runtime Environment, SE v1.4.2_06
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
--------------------------------------------------------------------
We need to get an online scan done. Try Kaspersky:
Please perform an online scan with Internet Explorer at Kaspersky Online Scanner. Answer Yes when prompted to install an ActiveX component.
**Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
--------------------------------------------------------------------
If your system still cuts out, please do the following:
Download Dr.Web CureIt to the desktop: ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Double-click the drweb-cureit.exe file and allow it to run the express scan. This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
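A defender-side check for the look-alike file name in the step above (clfmon.exe sitting next to the legitimate ctfmon.exe), added here as an example; it is not code from the thread or from any of the tools named in it. The known-good baseline and the sample "Running processes" list are constructed for illustration, and the baseline directories are the usual XP defaults.

```python
"""Flag process names that look like, but are not, well-known Windows
binaries (e.g. clfmon.exe posing as ctfmon.exe), and known names running
from the wrong directory.

Added example; not code from the thread or from HijackThis/ComboScan.
The baseline and sample list below are constructed for illustration.
"""
import ntpath

# Constructed baseline of legitimate XP system binaries and their
# expected directories. Assumption: a real deployment would build this
# from a trusted reference image, not hard-code it.
KNOWN_GOOD = {
    "ctfmon.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "winlogon.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
}


def levenshtein(a, b):
    """Classic edit distance; inputs are short file names, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(full_path, max_distance=1):
    """Return (verdict, reason) for one running-process path.

    Verdicts:
      'ok'        - name and directory match the baseline
      'misplaced' - a baseline name running from an unexpected directory
      'lookalike' - within max_distance edits of a baseline name, but not equal
      'unknown'   - not in the baseline; nothing to say either way
    """
    directory, name = ntpath.split(full_path)
    directory, name = directory.lower(), name.lower()
    if name in KNOWN_GOOD:
        if directory == KNOWN_GOOD[name]:
            return "ok", name
        return "misplaced", f"{name} expected in {KNOWN_GOOD[name]}, found in {directory}"
    for good in KNOWN_GOOD:
        if levenshtein(name, good) <= max_distance:
            return "lookalike", f"{name} resembles {good}"
    return "unknown", name


def triage(process_paths):
    """Run classify() over a list of paths and return only the suspicious entries."""
    findings = []
    for path in process_paths:
        verdict, reason = classify(path)
        if verdict in ("misplaced", "lookalike"):
            findings.append((verdict, path, reason))
    return findings


# Constructed sample in the shape of a HijackThis "Running processes" section.
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\system32\winlogon.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\ctfmon.exe",
    r"C:\WINDOWS\system32\wbem\clfmon.exe",   # constructed look-alike name
    r"C:\WINDOWS\svchost.exe",                # constructed misplaced copy
    r"C:\Program Files\Messenger\msmsgs.exe",
]

if __name__ == "__main__":
    for verdict, path, reason in triage(SAMPLE_PROCESSES):
        print(f"{verdict:10s} {path}  ({reason})")
```

The one-edit threshold is deliberately tight: it catches single-character swaps like cl/ct without flagging every unrelated third-party binary as a look-alike.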
#10 (permalink)
Registered User
There's a "C:\WINDOWS\system32\ctfmon.exe" in the Processes, but searching for clfmon.exe caused another cut around the "C:\WINDOWS\system32\wbem" area (that's all I could see on the search, whether it got to the next folder (Web) I don't know). Searching specifically in that folder however didn't produce a cut.

Another AVG search resulted in a cut. :( Kaspersky just didn't want to run, I tell it to install and it just goes to the welcome page, but without the accept/decline buttons. The computer also cut out during the Dr.Web CureIt scan. I forgot to mention that PandaScan found 9 problems before cutting out. 7 spyware, 1 hacking tool/rootkit, 1 dialer. Is there any hope (even a really long-winded file check)? :(
#12 (permalink)
Registered User
clfmon.exe wasn't in either of the folders suggested.

DrWeb ran perfectly in Safe Mode. 5+ hours later I get the report I've attached.
#13 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,957
OS: WinXP and Vista
Long winded scan it is...

Please download SilentRunners.vbs (299kb) - Right click & choose Save As... SilentRunners.vbs
Before proceeding, disable any anti-virus or anti-spyware programs that may block/disable scripts.
Launch SilentRunners by double-clicking the downloaded file. In the ensuing Window, select 'No' to avoid skipping supplementary searches. Please be patient as the script requires a few minutes to complete. When it's done, you'll receive the prompt "All Done!". It will create a file called "Startup Programs". Post ALL its contents here in your next reply.
------------------------------------------------
Download gmer and unzip it to your desktop. Launch gmer.exe by double-clicking it. Select the rootkit tab & make sure the 'Show All' button is unticked. Press scan & when it has finished press copy & paste the log back here.
#14 (permalink)
Registered User
I noticed that the checks were hanging on one of the Football Manager skins for some reason. As I didn't really need it I deleted it and some other skins (as well as moving some zip files to another folder in My Documents). Funnily enough Dr.Web worked in Normal Mode after that. So I checked with PandaScan again, and it worked! Shame that the search for clfmon.exe caused another short though... So did GMER. Could it be something to do with those zip files?

Incident / Status / Location
Potentially unwanted tool:Application/PRScheduler - Not disinfected - C:\Documents and Settings\Owner\スタート メニュー\プログラム\スタートアップ\PowerReg Scheduler.exe
Adware:adware/winprotect - Not disinfected - c:\windows\help\CHMRedir.chm
Adware:adware/wintools - Not disinfected - Windows Registry
Adware:adware/ist.istbar - Not disinfected - Windows Registry
Adware:adware/sqwire - Not disinfected - Windows Registry
Adware:adware/wupd - Not disinfected - Windows Registry
Dialer:dialer.ok - Not disinfected - HKEY_CLASSES_ROOT\Interface\{66BD1BD0-3655-42E4-8CE9-16D3613B0B25}
Spyware:spyware/betterinet - Not disinfected - Windows Registry
Adware:adware/gator - Not disinfected - Windows Registry
Spyware:Cookie/Com.com - Not disinfected - C:\Documents and Settings\Owner\Cookies\owner@com[1].txt
Potentially unwanted tool:Application/Processor - Not disinfected - C:\HJT\SmitfraudFix\Process.exe

So here's the rest of the checks you asked for...

ComboScan v20070221.16 run by Owner on 2007-02-27 at 13:25:04. Computer is in Normal Mode.
3\MsgPlus.exe"" ["Patchou"] "LVCOMSX" = "C:\WINDOWS\system32\LVCOMSX.EXE" ["Logitech Inc."] "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."] "!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["Anti-Malware Development a.s."] "SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection" -> {HKLM...CLSID} = "SpywareGuardDLBLOCK.CBrowserHelper" \InProcServer32\(Default) = "C:\Program Files\SpywareGuard\dlprotect.dll" [null data] {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"] {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\(Default) = (no title provided) -> {HKLM...CLSID} = "UberButton Class" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo!"] {65D886A2-7CA7-479B-BB95-14D1EFB7946A}\(Default) = (no title provided) -> {HKLM...CLSID} = "YahooTaggedBM Class" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\YIeTagBm.dll" ["Yahoo! 
Inc."] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided) -> {HKLM...CLSID} = "SSVHelper Class" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."] {AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided) -> {HKLM...CLSID} = "Google Toolbar Helper" \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."] {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided) -> {HKLM...CLSID} = "Windows Live Toolbar Helper" \InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "****** ** CPL **" (unwritable string) -> {HKLM...CLSID} = "****** ** CPL **" (unwritable string) \InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."] "{AB314ECE-27C9-4703-8891-38914A228711}" = "Liquid Surf Explore Hook" -> {HKLM...CLSID} = "Liquid Surf Explore Hook" \InProcServer32\(Default) = "C:\Program Files\LiquidSurf\sybil.dll" [file not found] "{CC1DC91A-F90E-4906-B40E-FA1811DE4EFF}" = "Liquid Surf View" -> {HKLM...CLSID} = "Liquid Surf View" \InProcServer32\(Default) = "C:\Program Files\LiquidSurf\sybil.dll" [file not found] "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player" -> {HKLM...CLSID} = "RealOne Player Context Menu Class" \InProcServer32\(Default) = "C:\Program Files\Real Alternative\rpshell.dll" ["RealNetworks, Inc."] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler" -> {HKLM...CLSID} = "Outlook File Icon Extension" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft 
Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS] "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension" -> {HKLM...CLSID} = "AVG7 Shell Extension Class" \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension" -> {HKLM...CLSID} = "AVG7 Find Extension Class" \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu" -> {HKLM...CLSID} = "Portable Media Devices Menu" \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS] "{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard" -> {HKLM...CLSID} = "SpywareGuard.Handler" \InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data] "{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail" -> {HKLM...CLSID} = "YMailShellExt Class" \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! 
Inc."] "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes" -> {HKLM...CLSID} = "iTunes" \InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."] "{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}" = "My Logitech Pictures" -> {HKLM...CLSID} = "My Logitech Pictures" \InProcServer32\(Default) = "C:\Program Files\Logitech\Video\Namespc2.dll" ["Logitech Inc."] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <<!>> "{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard" -> {HKLM...CLSID} = "SpywareGuard.Handler" \InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data] <<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5" -> {HKLM...CLSID} = "CShellExecuteHookImpl Object" \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."] HKLM\System\CurrentControlSet\Control\WOW\ <<!>> "cmdline" = "C:\WINDOWS\system32\ntvdm.exe -o" [MS] HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ 7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zipn.dll" ["Igor Pavlov"] AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}" -> {HKLM...CLSID} = "CContextScan Object" \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."] AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" -> {HKLM...CLSID} = "AVG7 Shell Extension Class" \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}" -> {HKLM...CLSID} = "YMailShellExt Class" \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! 
Inc."] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ 7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zipn.dll" ["Igor Pavlov"] AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}" -> {HKLM...CLSID} = "CContextScan Object" \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ 7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zipn.dll" ["Igor Pavlov"] AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" -> {HKLM...CLSID} = "AVG7 Shell Extension Class" \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] Group Policies {policy setting}: -------------------------------- Note: detected settings may not have any effect. 
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ "DisableRegistryTools" = (REG_DWORD) hex:0x00000000 {Prevent access to registry editing tools} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001 {Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) hex:0x00000001 {Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp" Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp" Startup items in "Owner" & "All Users" startup folders: ------------------------------------------------------- C:\Documents and Settings\Owner\スタート メニュー\プログラム\スタートアップ <<!>> "PowerReg Scheduler.exe" [empty string] "SpywareGuard" -> shortcut to: "C:\Program Files\SpywareGuard\sgmain.exe" [null data] C:\Documents and Settings\All Users\スタート メニュー\プログラム\スタートアップ "Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS] "PCGATE Personal" -> shortcut to: "C:\Program Files\PCGATE Personal\pcgate.exe" ["Zone Labs Inc."] "子画面設定ユーティリティ" -> shortcut to: "C:\WINDOWS\Installer\{D045E1C6-FA20-4B32-BD65-CBFE4ED77C1E}\NewShortcut1.exe" [null data] Enabled Scheduled Tasks: ------------------------ "McAfee.com製品のアップデート確認 (COMPUTERNAME-Owner)" -> launches: "C:\PROGRA~1\mcafee.com\agent\mcupdate.exe /Schedule" [file not found] "Windows Live Toolbar の更新プログラムを確認します" -> launches: "C:\Program 
Files\Windows Live Toolbar\MSNTBUP.EXE" [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 20 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" -> {HKLM...CLSID} = "Yahoo! Toolbar" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."] "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" -> {HKLM...CLSID} = "&Google" \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."] "{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" -> {HKLM...CLSID} = "Windows Live Toolbar" \InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided) -> {HKLM...CLSID} = "Yahoo! Toolbar" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! 
Inc."] "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided) -> {HKLM...CLSID} = "&Google" \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."] "{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = (no title provided) -> {HKLM...CLSID} = "Windows Live Toolbar" \InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS] Explorer Bars HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\ {4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided) -> {HKLM...CLSID} = "&Yahoo! Messenger" \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" ["Yahoo! Inc."] HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ {4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided) -> {HKLM...CLSID} = "&Yahoo! Messenger" \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" ["Yahoo! Inc."] HKLM\Software\Classes\CLSID\{CC1DC91A-F90E-4906-B40E-FA1811DE4EFF}\(Default) = "Liquid Surf View" Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32\(Default) = "C:\Program Files\LiquidSurf\sybil.dll" [file not found] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun の Java コンソール" "CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}" -> {HKCU...CLSID} = "Java Plug-in" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."] -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."] {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\ "ButtonText" = "Yahoo! 
Services" "CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}" -> {HKLM...CLSID} = "UberButton Class" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo!"] {CEBF73C0-BA2E-11D4-A73A-00508B33FB82}\ "ButtonText" = "Yahoo!メッセンジャー" "MenuText" = "Yahoo!メッセンジャー" "Exec" = "C:\PROGRA~1\Yahoo!J\MESSEN~1\YPagerj.exe" ["Yahoo! Japan Corporation."] {E2E2DD38-D088-4134-82B7-F2BA38496583}\ "MenuText" = "@xpsp3res.dll,-20001" "Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "MenuText" = "Windows Messenger" "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."] AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."] AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."] AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."] NT Meter, NT Meter, "C:\WINDOWS\system32\NTMETER.EXE" [null data] ReadSector, ReadSctService, "C:\Smdata\ReadSctService.exe" [empty string] SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."] StyleXPService, StyleXPService, ""C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe"" [empty string] TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs Inc."] Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS] ---------- <<!>>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. 
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 385 seconds. ---------- (total run time: 477 seconds) Last edited by Ried; 02-27-2007 at 07:00 AM. Reason: removed quote tags and font--too hard to read :) |
#15
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,957
OS: WinXP and Vista
gmer won't run?
Go to Start->Run and type in regedit and hit OK.
Go to File->Export and save the registry somewhere as a backup.
Close the Registry Editor now.
Open Notepad and copy/paste the text in the quotebox below (don't forget to copy and paste REGEDIT4):
Quote:
Save the file as "delete.reg". Make sure to save it with the quotes. Choose to "Save type as - All Files". It should look like this:
Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.
---------------------------------------------
Delete this file: c:\windows\help\CHMRedir.chm
---------------------------------------------
Reboot your system.
Try gmer again.
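The .reg merge the post describes, as an added PowerShell example that is not from the thread or from any of the tools it names: it assumes PowerShell 3 or later in an elevated session, and uses placeholder key and value names because the quote box's contents are not on this page.

```powershell
# Added example, not from the thread: automates the delete.reg merge the post
# describes, with a backup first and a format check before merging.
# Assumes PowerShell 3 or later and an elevated (administrator) session.
# The key and value names are PLACEHOLDERS; the post's quote box contents are
# not on this page, so substitute the entries you were actually given.
$RegFile    = Join-Path $env:USERPROFILE 'Desktop\delete.reg'
$BackupFile = Join-Path $env:USERPROFILE 'Desktop\hklm-backup.reg'
$StaleFile  = 'C:\WINDOWS\help\CHMRedir.chm'   # the file the post says to delete

# Placeholder targets (hypothetical): one key to remove outright and one
# autostart value to strip from an otherwise legitimate Run key.
$KeysToDelete   = @('HKEY_LOCAL_MACHINE\SOFTWARE\PLACEHOLDER_VENDOR\PLACEHOLDER_KEY')
$ValuesToDelete = @{
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' = @('PLACEHOLDER_VALUE')
}

# 1. Back up first; reg.exe export does what File->Export in regedit does.
Remove-Item $BackupFile -ErrorAction SilentlyContinue
& reg.exe export HKLM $BackupFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'registry backup failed; not continuing' }

# 2. Build the REGEDIT4 text. A leading '-' inside the brackets deletes the
#    whole key; a '"name"=-' line deletes one value under the key above it.
$lines = @('REGEDIT4', '')
foreach ($k in $KeysToDelete) { $lines += "[-$k]"; $lines += '' }
foreach ($k in $ValuesToDelete.Keys) {
    $lines += "[$k]"
    foreach ($v in $ValuesToDelete[$k]) { $lines += "`"$v`"=-" }
    $lines += ''
}
# REGEDIT4 is the ANSI (non-Unicode) format, so write it without a BOM;
# the final '' keeps the trailing blank line regedit needs after the last entry.
Set-Content -Path $RegFile -Value $lines -Encoding Ascii

# 3. Check the file before merging: correct header, ends with a blank line.
$text = [System.IO.File]::ReadAllText($RegFile)
if (-not $text.StartsWith('REGEDIT4')) { throw 'delete.reg lacks the REGEDIT4 header' }
if (-not $text.EndsWith("`r`n`r`n"))   { throw 'delete.reg must end with a blank line' }

# 4. Merge silently (equivalent to double-clicking delete.reg and answering Yes).
& regedit.exe /s $RegFile

# 5. Delete the file the post names, then reboot and retry gmer as instructed.
if (Test-Path $StaleFile) { Remove-Item $StaleFile -Force }
Write-Host "Merged $RegFile, removed $StaleFile. Reboot, then try gmer again."
```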
#18
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,957
OS: WinXP and Vista
Hardware issues are my thoughts at this point, Zeokage.
It's time for you to present this issue to the experts in the Hardware section of this forum. Perhaps the place to post this issue is in the RAM and Power Supply section (they will move your thread to the appropriate area if needed). Be sure to let them know that you've been cleared by the HijackThis section and provide them a link to this thread.
#20
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,957
OS: WinXP and Vista
Tell ya what...uninstall Football Manager 2006, reboot and try to run scans. If the scans run to completion without the computer shutting down, it's the program causing all this trouble.
If the same issue persists--post in the Hardware section. Please let me know what happens.