Dcy.exe Removed


23 replies to this topic

#1 cburgess

  • Members
  • 13 posts

Posted 20 June 2008 - 07:56 PM

Hello everyone. This is my first post ever, so please forgive me if I haven't followed protocol properly. I'm running Windows XP (Japanese OS) with the latest Kaspersky internet security. Kaspersky picked up and deleted a couple of trojans - Trojan-Dropper.Win32.Agent. Stb and Trojan.WIN32.VB.dkn. It seems that something got through though, initially via ipodaccess_setup.exe. I ran Spybot and Adaware but the thing started recycling with password protected files - looks like DC7.exe. Also, 41 password protected zip files appeared in my spybot recovery folder (mostly DSOExploit but a few others such as Alexa and Grok Loader). By this time I was getting pretty terrified, so I disabled system restore (which I presumed was responsible for the recycling) and ran full scans with everything I could think of in safe mode with no internet connection: Kaspersky, Adaware, Spybot, Panda, and Superantispyware. This picked up bits and pieces, including 3 MRUs. Finally, I put system restore back on and re-booted and everything SEEMS ok, but I took a HijackThis log just in case. I really hate to impose on all you busy volunteers out there, but if someone could just have a quick look over my log and reassure me that I'm safe I would be so very grateful. Work deadlines loom and without my computer I am lost...not to mention the worry of getting ripped off while internet banking. A million thanks in advance. (Chris)

O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG9.0] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Microsoft Excel にエクスポート(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: アンチバナーへ追加 - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun の Java コンソール - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ウェブアンチウイルスの状態 - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: リサーチ - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: フレッツ接続ツール - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\NTTE\Flets\app\TangoIEBar.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://vpn.tsuda.ac.jp/vdesk/terminal/urxv...,2007,1001,2147
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://vpn.tsuda.ac.jp/vdesk/terminal/urTe...,2007,1001,2136
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://vpn.tsuda.ac.jp/vdesk/terminal/urxs...,2007,1001,2141
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://vpn.tsuda.ac.jp/vdesk/terminal/urxh...,2007,1001,2140
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio.com/core/player/abasetup144.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O20 - AppInit_DLLs: ?粕?,C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Bonjour サービス (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod サービス (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PLANEX GW-NS54CW 54Mbps Wireless LAN CardBus Adapter (PLANEX GW-NS54CW Service) - Unknown owner - C:\Program Files\Planex\GW-NS54CW\WLService.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE

--
End of file - 9676 bytes

#2 cburgess

  • Topic Starter

  • Members
  • 13 posts

Posted 25 June 2008 - 11:49 PM

Topic title was: Trojan-dropper, Dns Changer..., Desperately need help in removing these ~ OB

Hello everyone. This is my first ever post, so please forgive me if I haven't followed protocol properly. I'm running Windows XP (Japanese OS) with the latest Kaspersky internet security. Kaspersky picked up and deleted four trojans - Trojan-Dropper.Win32.Agent. Stb and 3 x Trojan.WIN32.VB.dkn. It seems that something got through though, initially via ipodaccess_setup.exe. I ran Spybot and Adaware but the thing started recycling with password protected files - looks like DC7.exe. Also, 41 password protected zip files appeared in my spybot recovery folder (mostly DSOExploit but a few others such as Alexa and Grok Loader - see attached jpeg) though spybot didn't tell me it had found these! By this time I was getting pretty panicky, so I disabled system restore (which I presumed was responsible for the recycling) and ran full scans with everything I could think of in safe mode with no internet connection: Kaspersky, Adaware, Spybot, Panda, and Superantispyware. This picked up bits and pieces, including 3 MRUs. Finally, I put system restore back on and re-booted and everything SEEMS ok - or so I thought...

Despite Kaspersky firewall on high I got hit by a Trojan.Win32.DNSChanger.ewf which Kaspersky was unable to delete so I had to delete manually. I've also noticed that Kaspersky doesn't seem to be updating properly - it often fails. Where do these trojans come from - I'm not even browsing the web and definitely don't download anything or look at any dodgy sites (though I usually keep Mozilla Firefox on in the background)?

I really need some help here. The online Kaspersky scan shows zilch (attached) but something nasty has got into my computer and quite frankly I'm terrified. I've also attached my Kaspersky event log which is full of all sorts of odd suspicious activity - it's in Japanese but should be easy to figure out for an expert. Please please help. DSS logs are below.

Deckard's System Scanner v20071014.68
Run by Chris on 2008-06-26 14:24:40
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
7: 2008-06-26 04:24:47 UTC - RP7 - Deckard's System Scanner Restore Point
6: 2008-06-26 04:23:06 UTC - RP6 - new
5: 2008-06-25 03:28:36 UTC - RP5 - システム チェックポイント
4: 2008-06-22 12:13:56 UTC - RP4 - 復元操作
3: 2008-06-22 09:06:01 UTC - RP3 - システム チェックポイント


-- First Restore Point --
1: 2008-06-20 23:08:16 UTC - RP1 - システム チェックポイント


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Chris.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:26:57, on 2008/06/26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Planex\GW-NS54CW\WLService.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Planex\GW-NS54CW\GW-NS54CW.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Chris\デスクトップ\dss.exe
C:\WINDOWS\system32\conime.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Chris.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ShowTangoBar Class - {603EC267-504E-4BD4-97F3-5DD71A271EAF} - C:\Program Files\NTTE\Flets\app\TangoIEBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: フレッツ接続ツール - {831AA893-5930-4A2B-8D38-B881AD1764E2} - C:\Program Files\NTTE\Flets\app\TangoIEBar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG9.0] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Microsoft Excel にエクスポート(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: アンチバナーへ追加 - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun の Java コンソール - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ウェブアンチウイルスの状態 - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: リサーチ - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: フレッツ接続ツール - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\NTTE\Flets\app\TangoIEBar.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://vpn.tsuda.ac.jp/vdesk/terminal/urxv...,2007,1001,2147
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://vpn.tsuda.ac.jp/vdesk/terminal/urTe...,2007,1001,2136
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://vpn.tsuda.ac.jp/vdesk/terminal/urxs...,2007,1001,2141
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://vpn.tsuda.ac.jp/vdesk/terminal/urxh...,2007,1001,2140
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio.com/core/player/abasetup144.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O20 - AppInit_DLLs: ?粕?,C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Bonjour サービス (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod サービス (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PLANEX GW-NS54CW 54Mbps Wireless LAN CardBus Adapter (PLANEX GW-NS54CW Service) - Unknown owner - C:\Program Files\Planex\GW-NS54CW\WLService.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE

--
End of file - 9741 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 ASMBATT - c:\windows\system32\drivers\asmbatt.sys <Not Verified; Quanta Computer,Inc.; Battery Information Driver>
R1 IBMTPCHK - c:\windows\system32\drivers\ibmbldid.sys
R1 Smapint - c:\windows\system32\drivers\smapint.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
R1 TDSMAPI - c:\windows\system32\drivers\tdsmapi.sys
R1 TPHKDRV - c:\windows\system32\drivers\tphkdrv.sys <Not Verified; IBM Corporation; ThinkPad OnScreenDisplay>
R1 TPPWR - c:\windows\system32\drivers\tppwr.sys <Not Verified; IBM Corp.; IBM ThinkPad Utility>
R1 TSMAPIP - c:\windows\system32\drivers\tsmapip.sys
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.5.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.5.0>
R2 enodpl - c:\windows\system32\drivers\enodpl.sys
R2 PMEM - c:\windows\system32\drivers\pmemnt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
R2 tandpl - c:\windows\system32\drivers\tandpl.sys
R3 ENETNT5 (Efficient Networks, tango Access PPPoE WAN Miniport) - c:\windows\system32\drivers\enetnt.sys <Not Verified; Siemens Subscriber Networks, LLC; tango>
R3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
R3 Pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

S0 sptd - c:\windows\system32\drivers\sptd.sys (file missing)
S3 AR5211 (PLANEX GW-NS54CW 54Mbps Wireless LAN CardBus Adapter Service) - c:\windows\system32\drivers\ar5211.sys <Not Verified; Atheros Communications, Inc.; Atheros AR5001 Wireless Network Adapter>
S3 ESSIDSET - c:\windows\system32\essidset.sys <Not Verified; MELCO INC.; Client Manager>
S3 iComp (BUFFALO PC-MDVD/U2 WDM Encoder) - c:\windows\system32\drivers\p2usbwdm.sys <Not Verified; Conexant Systems Inc.; USB Mpeg>
S3 LOGNT - c:\program files\ntte\flets\app\lognt.sys <Not Verified; Efficient Networks, Inc.; tango>
S3 musbehco - c:\docume~1\chris\locals~1\temp\musbehco.sys (file missing)
S3 NTSTPL2 - c:\program files\ntte\flets\app\ntstpl2.sys <Not Verified; Network TeleSystems, Inc.; TCP Pro>
S3 PCDRDRV (Pcdr Helper Driver) - c:\progra~1\pc-doc~1\diagno~1\pcdrdrv.sys (file missing)
S3 RAWESR - d:\release\rawesr.sys (file missing)
S3 TAPBIND - c:\program files\ntte\flets\app\tapbind1.sys <Not Verified; Network TeleSystems, Inc.; TCP Pro>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service (Bonjour サービス) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 PLANEX GW-NS54CW Service (PLANEX GW-NS54CW 54Mbps Wireless LAN CardBus Adapter) - c:\program files\planex\gw-ns54cw\wlservice.exe
R2 QCONSVC - system32\qconsvc.exe

S4 TangoService (Tango Service) - c:\program files\ntte\flets\app\tangoservice.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-05-26 and 2008-06-26 -----------------------------

2008-06-22 22:14:42 0 d-------- C:\Documents and Settings\Chris\Application Data\Symantec
2008-06-22 19:05:45 8675328 --a------ C:\Documents and Settings\Chris\ntuser.dat
2008-06-21 10:10:30 0 d-------- C:\Program Files\Trend Micro
2008-06-20 16:46:58 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-20 16:45:42 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-20 16:45:42 0 d-------- C:\Documents and Settings\Chris\Application Data\SUPERAntiSpyware.com
2008-06-20 14:12:52 0 d-------- C:\Program Files\Panda Security
2008-06-20 12:47:30 0 d-------- C:\Program Files\Lavasoft
2008-06-20 12:47:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-20 10:42:49 0 d-------- C:\Documents and Settings\Chris\Application Data\DivX
2008-06-20 10:40:12 0 d-------- C:\Program Files\DivX
2008-06-12 22:36:00 52736 --a------ C:\WINDOWS\ipuninst.exe <Not Verified; Interplay Productions; Interplay Uninstaller for Windows 95>
2008-06-12 22:28:54 0 d-------- C:\Program Files\BlackIsle
2008-06-12 22:09:49 0 d--hs---- C:\WINDOWS\ftpcache
2008-06-04 11:30:53 96966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-04 11:30:53 88774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-06-04 11:29:55 79904 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-04 11:29:55 7798816 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat


-- Find3M Report ---------------------------------------------------------------

2008-06-26 14:21:58 0 d-------- C:\Documents and Settings\Chris\Application Data\EndNote
2008-06-20 16:45:24 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-12 22:09:34 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-12 21:00:35 0 d-------- C:\Program Files\Kaspersky Lab
2008-06-09 15:03:40 0 d-------- C:\Program Files\MozyHome
2008-06-05 14:04:46 0 d-------- C:\Program Files\Common Files
2008-06-05 09:58:49 0 d-------- C:\Program Files\Bonjour
2008-05-27 20:27:32 0 d-------- C:\Documents and Settings\Chris\Application Data\Vso
2008-05-21 21:02:41 0 d-------- C:\Program Files\Common Files\Thomson ResearchSoft
2008-05-21 21:00:07 0 d-------- C:\Program Files\EndNote X1
2008-05-21 20:30:56 0 d-------- C:\Program Files\Common Files\Risxtd
2008-05-19 16:32:30 0 d-------- C:\Program Files\EndNote
2008-05-15 11:20:35 3185 --a------ C:\WINDOWS\mozver.dat
2008-05-09 21:37:35 0 d-------- C:\Program Files\PC-Doctor for Windows
2008-05-09 21:37:34 0 d-------- C:\Program Files\Movie Maker
2008-05-09 21:37:31 0 d-------- C:\Program Files\Free CD-DA Extractor 4.8
2008-05-09 21:37:30 0 d-------- C:\Program Files\eTypist
2008-04-12 21:38:05 194430 --a------ C:\WINDOWS\system32\perfh011.dat
2008-04-12 21:38:05 59368 --a------ C:\WINDOWS\system32\perfc011.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004/08/04 17:55]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002/08/31 22:00]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002/08/31 22:00]
"S3TRAY2"="S3Tray2.exe" [2001/10/12 08:32 C:\WINDOWS\system32\S3Tray2.exe]
"TrackPointSrv"="tp4serv.exe" [2002/12/03 04:09 C:\WINDOWS\system32\tp4serv.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003/02/14 12:59 C:\WINDOWS\AGRSMMSG.exe]
"BluetoothAuthenticationAgent"="irprops.cpl" [2004/08/04 17:56 C:\WINDOWS\system32\irprops.cpl]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2002/12/24 03:01]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2003/02/24 03:06]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2003/01/24 18:37]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003/02/17 02:33]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2003/02/17 02:33]
"TPKMAPMN"="C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" [2003/03/11 13:17]
"TP4EX"="tp4ex.exe" [2002/09/04 02:05 C:\WINDOWS\system32\TP4EX.exe]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003/05/05 02:04]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2002/08/31 22:00]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2002/08/31 22:00]
"IMJPMIG9.0"="C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.exe" [2003/07/14 23:57]
"QCTray"="C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe" [2003/02/24 03:06]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002/03/07 10:50]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2004/03/19 14:37]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2004/03/19 14:33]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006/02/07 09:40]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004/03/19 14:33]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" []
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008/02/01 00:13]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008/02/04 15:18]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008/01/11 22:16]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2008/02/08 18:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004/08/04 17:55]
"tgcmd"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004/10/14 02:24]
"Steam"="" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008/01/28 11:43]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008/05/28 10:33]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ctfmon.exe"=ctfmon.exe

C:\Documents and Settings\All Users\スタート メニュー\プログラム\スタートアップ\
NETGEAR WG111v2 Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111v2\WG111v2.exe [2008/04/12 22:23:32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVDREG~1\DVDShell.dll [2004/10/09 16:18 49152]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008/05/13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007/04/19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=?粕?,C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^スタート メニュー^プログラム^スタートアップ^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\スタート メニュー\プログラム\スタートアップ\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^スタート メニュー^プログラム^スタートアップ^Microsoft Find Fast.lnk]
path=C:\Documents and Settings\All Users\スタート メニュー\プログラム\スタートアップ\Microsoft Find Fast.lnk
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^スタート メニュー^プログラム^スタートアップ^Office スタートアップ.lnk]
path=C:\Documents and Settings\All Users\スタート メニュー\プログラム\スタートアップ\Office スタートアップ.lnk
backup=C:\WINDOWS\pss\Office スタートアップ.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Chris^スタート メニュー^プログラム^スタートアップ^PCastVIDEOスケジューラ.lnk]
path=C:\Documents and Settings\Chris\スタート メニュー\プログラム\スタートアップ\PCastVIDEOスケジューラ.lnk
backup=C:\WINDOWS\pss\PCastVIDEOスケジューラ.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ibmmessages]
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead Quick-Drop]
"C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator TBYB\Ulead Quick-Drop 1.0\Quick-Drop.exe" WINDOWCALL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UleadBurningHelper"=2 (0x2)
"TangoService"=2 (0x2)
"iPodService"=3 (0x3)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2afaafeb-7b7a-11dc-94b6-54414e474f31}]
AutoRun\command- G:\USBNB.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{87de8222-6d35-11db-bfbb-54414e474f31}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe .MS32DLL.dll.vbs




-- End of Deckard's System Scanner: finished at 2008-06-26 14:28:27 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: Japanese

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 55%
Physical Memory (total/avail): 1014.42 MiB / 446.45 MiB
Pagefile Memory (total/avail): 1676.04 MiB / 1168.11 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1925.39 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 42.18 GiB total, 9.2 GiB free.
D: is CDROM (UDF)
E: is Fixed (FAT32) - 10.54 GiB total, 4.14 GiB free.
G: is Removable (FAT)

\\.\PHYSICALDRIVE0 - IC25N060ATMR04-0 - 52.73 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 42.18 GiB - C:
\PARTITION1 - Unknown - 10.55 GiB - E:

\\.\PHYSICALDRIVE1 - Kingston DataTraveler 2.0 USB Device - 949.15 MiB - 1 partition
\PARTITION0 - MS-DOS V4 Huge - 953.38 MiB - G:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: Norton Internet Worm Protection v2006 (Symantec) Disabled
FW: Kaspersky Internet Security v7.0.1.325 (Kaspersky Lab)
AV: Kaspersky Internet Security v7.0.1.325 (Kaspersky Lab)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\kdx\\khost.exe"="C:\\WINDOWS\\kdx\\khost.exe:*:Disabled:Secure Delivery Plug-In"
"C:\\Program Files\\Total War\\Medieval - Total War\\Medieval_TW.exe"="C:\\Program Files\\Total War\\Medieval - Total War\\Medieval_TW.exe:*:Disabled:Medieval_TW"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Disabled:RealPlayer"
"C:\\Program Files\\Ubi Soft\\XIII\\System\\XIII.exe"="C:\\Program Files\\Ubi Soft\\XIII\\System\\XIII.exe:*:Disabled:XIII"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Disabled:Windows Media Player"
"C:\\Sierra\\Counter-Strike\\cstrike.exe"="C:\\Sierra\\Counter-Strike\\cstrike.exe:*:Disabled:CounterStrike Launcher"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\cburgess2106\\deathmatch classic\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\cburgess2106\\deathmatch classic\\hl.exe:*:Disabled:Half-Life Launcher"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\cburgess2106\\day of defeat\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\cburgess2106\\day of defeat\\hl.exe:*:Disabled:Half-Life Launcher"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\cburgess2106\\counter-strike\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\cburgess2106\\counter-strike\\hl.exe:*:Disabled:Half-Life Launcher"
"C:\\Program Files\\BUFFALO\\PCtVIDEO\\PCtVShd.exe"="C:\\Program Files\\BUFFALO\\PCtVIDEO\\PCtVShd.exe:*:Enabled:PCasVShd"
"C:\\Program Files\\Valve\\Steam\\Steam.exe"="C:\\Program Files\\Valve\\Steam\\Steam.exe:*:Disabled:Steam"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Documents and Settings\\Chris\\デスクトップ\\kis71\\setup\\setup.exe"="C:\\Documents and Settings\\Chris\\デスクトップ\\kis71\\setup\\setup.exe:*:Enabled:Kaspersky Internet Security 7.0 Setup"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Chris\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_11\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=IBM-D6661E68561
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Chris
LOGONSERVER=\\IBM-D6661E68561
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\PROGRAM FILES\THINKPAD\UTILITIES;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\PC-Doctor for Windows\services;C:\Program Files\WinSCP3\;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_11\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Chris\LOCALS~1\Temp
TMP=C:\DOCUME~1\Chris\LOCALS~1\Temp
USERDOMAIN=IBM-D6661E68561
USERNAME=Chris
USERPROFILE=C:\Documents and Settings\Chris
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Chris (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\InstallShield Installation Information\{F37167DD-4436-4641-90B6-329D60632DDA}\Setup.exe" REMOVEALL --u:{F37167DD-4436-4641-90B6-329D60632DDA}
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUn0411.exe -fC:\WINDOWS\orun32.isu
--> c:\WINDOWS\System32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> c:\WINDOWS\System32\\MSIEXEC.EXE /x {8214CC02-6271-4DC8-B8DD-779933450264}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{39DA87A1-0B26-4562-A70C-2A6147366E47}\SETUP.EXE"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F765BD0-B900-4EDE-A90B-61C8A9E95C42}\SETUP.EXE"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD59025-5B73-4E12-B789-0028C5A573C2}\SETUP.EXE"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
"MyEPSON" Assistant --> C:\Program Files\EPSON\MYEPSON\DOCUNINS.EXE
Abacast Client --> C:\PROGRA~1\Abacast\UNWISE.EXE C:\PROGRA~1\Abacast\client.LOG
Access IBM --> MsiExec.exe /X{B5599ECB-DA72-43EE-8A30-2C80396FF8BB}
Access IBM Message Center --> MsiExec.exe /X{710C0BB2-FE39-484E-BB23-C9B96835A14A}
Access IBM Tools --> C:\Program Files\IBM\Access IBM\IBMUINST.EXE
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 - Japanese --> MsiExec.exe /I{AC76BA86-7AD7-1041-7B44-A81200000003}
Agere Systems AC'97 Modem --> agrsmdel
alm --> MsiExec.exe /I{CF44C7A5-5705-41E4-BE84-A9A42977AB05}
Apple Mobile Device Support --> MsiExec.exe /I{D8AB8F0C-CEEB-4A29-8EF5-219B064813F4}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
BUFFALO PCastVIDEO --> C:\WINDOWS\UN040819.EXE /U
Camera RAW Plug-In for EPSON Creativity Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8DAC1AE4-33D1-4A78-8A42-00E09EDECC3E}\SETUP.EXE" -l0x11 UNINST
Canon MP Toolbox 4.1.1.0.mp10 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4669544E-20E4-4E56-8B44-2E6E1200051F}\Setup.exe" -l0x11 -Uninstall
Canon MP Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58F8C6D9-5B55-486A-A322-4E8D87670031}\Setup.exe" -l0x11 -Uninstall
Canon Utilities Easy-PhotoPrint --> C:\WINDOWS\ISUN0411.EXE -f"C:\Program Files\Canon\Easy-PhotoPrint\Uninst.isu" -c"C:\Program Files\Canon\Easy-PhotoPrint\EZUNINST.DLL"
Default --> MsiExec.exe /I{349E1A87-7491-400E-87EF-A3E31816D79E}
DVD Region+CSS Free Lite 5.9.8.5 --> "C:\Program Files\DVD Region+CSS Free Lite\unins000.exe"
DVDFab Platinum 2.84 --> "C:\Program Files\DVDFab Platinum\unins000.exe"
DVDFab Platinum 4.0.6.2 --> "C:\Program Files\DVDFab Platinum 4\unins000.exe"
e.Typist Entry for Windows --> C:\WINDOWS\IsUn0411.exe -f"C:\Program Files\eTypist\DelEntry.isu"
EndNote X1 --> MsiExec.exe /I{87F7773C-EC9C-461A-AA7B-4AF8EF54DF49}
EPSON Attach To Email --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{20C45B32-5AB6-46A4-94EF-58950CAF05E5} /l1041 ADDREMOVEDLG
EPSON E-500 Usage + Support Guide --> C:\Program Files\EPSON\TPMANUAL\E-500\JPN\DOCUNINS.EXE
EPSON Easy Photo Print --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B66E665A-DF96-4C38-9422-C7F74BC1B4E5}\SETUP.EXE" -l0x11 UNINST
EPSON File Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{55A85A24-9C86-48C7-B15A-AB2FF8911E6A}\Setup.exe" -l0x11 UNINST
EPSON PRINT Image Framer Tool --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{956673F5-0C6B-4428-A5D1-277AF533E098}\SETUP.EXE" -l0x11 anything
EPSON Scan Assistant --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2A88F1BF-7041-4E42-84B1-6B4ACB83AC64}\Setup.exe" -l0x11 -u
EPSON Printer Driver Utility --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
Fallout2 --> C:\WINDOWS\ipuninst.exe -fC:\Program Files\BlackIsle\Fallout2\uninst.log
Free CD-DA Extractor 4.8 --> C:\WINDOWS\iun6002.exe "C:\Program Files\Free CD-DA Extractor 4.8\irunin.ini"
Half-Life 2 --> "C:\Program Files\Steam\steam.exe" steam://uninstall/220
Half-Life 2: Episode One --> "C:\Program Files\Steam\steam.exe" steam://uninstall/380
Half-Life 2: Lost Coast --> "C:\Program Files\Steam\steam.exe" steam://uninstall/340
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
IBM Access Connections --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{22B71A00-4DED-11D4-A5E5-0004AC564F43}\SETUP.EXE" -l0x11 anything
IBM DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
IBM Rapid Restore PC Setup --> MsiExec.exe /X{3B7B3B4A-AF8C-4671-A92E-3E7E9ABCB22B}
IBM RecordNow --> MsiExec.exe /I{8214CC02-6271-4DC8-B8DD-779933450264}
IBM Themes --> MsiExec.exe /I{6CE96A14-61E2-48CC-837E-22710A953ADE}
IBM ThinkPad EasyEject Utility --> C:\WINDOWS\IsUn0411.exe -f"C:\Program Files\ThinkPad\Utilities\Unezej.isu" -c"C:\Program Files\ThinkPad\Utilities\Tpinsej.dll"
IBM ThinkPad Power Management Driver --> RunDll32.exe tpinspm.dll,Uninstall
IBM ThinkPad Keyboard Customization Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2111B23F-7FDA-4A41-8309-E5A1663CA296}\SETUP.EXE" -l0x11 anything
IBM ThinkPad Battery Power Saving Settings --> C:\WINDOWS\IsUn0411.exe -fC:\PROGRA~1\ThinkPad\UTILIT~1\Unbmm.isu -c"C:\Program Files\ThinkPad\Utilities\Tpinsbmm.dll"
IBM ThinkPad Presentation Director --> C:\WINDOWS\IsUn0411.exe -fC:\PROGRA~1\ThinkPad\UTILIT~1\UNNPDR.isu -c"C:\Program Files\ThinkPad\Utilities\Tpinsnpd.dll"
IBM ThinkPad Configuration --> C:\WINDOWS\IsUn0411.exe -fC:\PROGRA~1\ThinkPad\UTILIT~1\UNTPUW.ISU -c"C:\Program Files\ThinkPad\Utilities\Tpinswin.dll"
IBM TrackPoint Support --> C:\WINDOWS\System32\tp4unins.exe
IBM TrackPoint Accessibility Features --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA664480-3844-11D5-8C25-444553540000}\SETUP.EXE"
IBM Customer Registration --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4CC10F27-DDED-46F9-B94C-D16305683F7A}\SETUP.EXE" -l0x11
Intel® Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_3582
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
iPod for Windows 2005-02-22 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{B6ACFF51-248A-4290-B50B-E50C81F25B97} /l1033
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
ISI ResearchSoft - Export Helper --> C:\PROGRA~1\COMMON~1\Risxtd\_UNINST.EXE
iTunes --> MsiExec.exe /I{02DFB3FD-CF52-4183-8BCA-2A127D4888F4}
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Kaspersky Internet Security 7.0 --> MsiExec.exe /I{C774410D-3EF9-4DE7-AC01-332613163ECF}
Kaspersky Internet Security 7.0 --> MsiExec.exe /I{C774410D-3EF9-4DE7-AC01-332613163ECF}
Logitech MouseWare 9.50 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5809E7CF-4DCF-11D4-9875-00105ACE7734}\setup.exe" -l0x9 -l0009 UNINSTALL
Logitech User's Guide --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CBE0FCA1-4E95-11D4-9875-00105ACE7734}\Setup.exe" -l0x9 UNINSTALL
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Encarta Encyclopedia Standard - WE 2004 --> MsiExec.exe /I{045A0040-9149-45C6-A806-F2BF9CFCE762}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91110411-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Word 98 --> C:\Program Files\Microsoft Office\Office\Setup\AcmeWord.exe /w Word97.stf
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NETGEAR WG111v2 wireless USB 2.0 adapter --> C:\Program Files\InstallShield Installation Information\{4102037D-E8E0-48E0-B203-E521D194FB71}\setup.exe -runfromtemp -l0x0009 -removeonly
Obscure --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{95633EBE-216B-48B5-B103-0C9919787F46} /l1033
OpenOffice.org 2.0 --> MsiExec.exe /I{A04E6A2B-1665-4946-879A-159ED7DFDA93}
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PC-Doctor for Windows --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F7CCFA3-D926-4882-B2A5-A0217ED25597}\SETUP.EXE"
PLANEX GW-NS54CW 54Mbps Wireless LAN CardBus Adapter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BF69B915-B432-4FA1-B0E8-ED805FA540F0}\Setup.exe" -l0x11
QuickTime --> MsiExec.exe /I{BFD96B89-B769-4CD6-B11E-E79FFD46F067}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
RT-200NE All-in-One Setup Tool --> C:\Program Files\RT-200NE\RT200NEUninst.exe /delete
Secure Delivery --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\kdx\kdx.inf,DefaultUninstall,5
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Steam --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Security Update for Step by Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step by Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
System Requirements Lab --> C:\Program Files\SystemRequirementsLab\Uninstall.exe
ThinkPad FullScreen Magnifier --> RunDll32 setupapi.dll,InstallHinfSection DefaultUninstall.NT 132 C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.inf
ThinkPad Software Installer --> _tpiu000.exe /U
Ulead DVD MovieWriter 4.0 SE for SANYO --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{448AB2CB-C94A-47DE-80B8-9D7824DEFA57}\setup.exe" -l0x11
WinAVIVideoConverter --> "C:\Program Files\WinAVIVideoConverter\unins000.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Security Update for Windows XP (KB923689) --> "C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569) --> "C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Windows XP Security Update (KB883939) --> "C:\WINDOWS\$NtUninstallKB883939$\spuninst\spuninst.exe"
Windows XP Security Update (KB890046) --> "C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Windows XP Security Update (KB893756) --> "C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Windows XP Security Update (KB896358) --> "C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Windows XP Security Update (KB896422) --> "C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe"
Windows XP Security Update (KB896423) --> "C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Windows XP Security Update (KB896424) --> "C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Windows XP Security Update (KB896428) --> "C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Windows XP Security Update (KB896688) --> "C:\WINDOWS\$NtUninstallKB896688$\spuninst\spuninst.exe"
Windows XP Security Update (KB899587) --> "C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Windows XP Security Update (KB899588) --> "C:\WINDOWS\$NtUninstallKB899588$\spuninst\spuninst.exe"
Windows XP Security Update (KB899589) --> "C:\WINDOWS\$NtUninstallKB899589$\spuninst\spuninst.exe"
Windows XP Security Update (KB899591) --> "C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Windows XP Security Update (KB900725) --> "C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Windows XP Security Update (KB901017) --> "C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Windows XP Security Update (KB901190) --> "C:\WINDOWS\$NtUninstallKB901190$\spuninst\spuninst.exe"
Windows XP Security Update (KB901214) --> "C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Windows XP Security Update (KB902400) --> "C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Windows XP Security Update (KB903235) --> "C:\WINDOWS\$NtUninstallKB903235$\spuninst\spuninst.exe"
Windows XP Security Update (KB904706) --> "C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Windows XP Security Update (KB905414) --> "C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Windows XP Security Update (KB905749) --> "C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Windows XP Security Update (KB905915) --> "C:\WINDOWS\$NtUninstallKB905915$\spuninst\spuninst.exe"
Windows XP Security Update (KB908519) --> "C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Windows XP Security Update (KB908531) --> "C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Windows XP Security Update (KB911280) --> "C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Windows XP Security Update (KB911562) --> "C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Windows XP Security Update (KB911567) --> "C:\WINDOWS\$NtUninstallKB911567$\spuninst\spuninst.exe"
Windows XP Security Update (KB911927) --> "C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Windows XP Security Update (KB912812) --> "C:\WINDOWS\$NtUninstallKB912812$\spuninst\spuninst.exe"
Windows XP Security Update (KB912919) --> "C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Windows XP Security Update (KB913446) --> "C:\WINDOWS\$NtUninstallKB913446$\spuninst\spuninst.exe"
Windows XP Security Update (KB913580) --> "C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Windows XP Security Update (KB914388) --> "C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Windows XP Security Update (KB914389) --> "C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Windows XP Security Update (KB916281) --> "C:\WINDOWS\$NtUninstallKB916281$\spuninst\spuninst.exe"
Windows XP Security Update (KB917159) --> "C:\WINDOWS\$NtUninstallKB917159$\spuninst\spuninst.exe"
Windows XP Security Update (KB917344) --> "C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Windows XP Security Update (KB917422) --> "C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
Windows XP Security Update (KB917953) --> "C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Windows XP Security Update (KB918118) --> "C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Windows XP Security Update (KB918439) --> "C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Windows XP Security Update (KB918899) --> "C:\WINDOWS\$NtUninstallKB918899$\spuninst\spuninst.exe"
Windows XP Security Update (KB919007) --> "C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Windows XP Security Update (KB920213) --> "C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Windows XP Security Update (KB920214) --> "C:\WINDOWS\$NtUninstallKB920214$\spuninst\spuninst.exe"
Windows XP Security Update (KB920670) --> "C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Windows XP Security Update (KB920683) --> "C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Windows XP Security Update (KB920685) --> "C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Windows XP Security Update (KB921398) --> "C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe"
Windows XP Security Update (KB921503) --> "C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
Windows XP Security Update (KB921883) --> "C:\WINDOWS\$NtUninstallKB921883$\spuninst\spuninst.exe"
Windows XP Security Update (KB922616) --> "C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe"
Windows XP Security Update (KB922760) --> "C:\WINDOWS\$NtUninstallKB922760$\spuninst\spuninst.exe"
Windows XP Security Update (KB922819) --> "C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Windows XP Security Update (KB923191) --> "C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Windows XP Security Update (KB923414) --> "C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Windows XP Security Update (KB923694) --> "C:\WINDOWS\$NtUninstallKB923694$\spuninst\spuninst.exe"
Windows XP Security Update (KB923980) --> "C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Windows XP Security Update (KB924191) --> "C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Windows XP Security Update (KB924270) --> "C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Windows XP Security Update (KB924496) --> "C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Windows XP Security Update (KB924667) --> "C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Windows XP Security Update (KB925454) --> "C:\WINDOWS\$NtUninstallKB925454$\spuninst\spuninst.exe"
Windows XP Security Update (KB925486) --> "C:\WINDOWS\$NtUninstallKB925486$\spuninst\spuninst.exe"
Windows XP Security Update (KB925902) --> "C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Windows XP Security Update (KB926255) --> "C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Windows XP Security Update (KB926436) --> "C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Windows XP Security Update (KB927779) --> "C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Windows XP Security Update (KB927802) --> "C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Windows XP Security Update (KB928255) --> "C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Windows XP Security Update (KB928843) --> "C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Windows XP Security Update (KB929123) --> "C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Windows XP Security Update (KB930178) --> "C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Windows XP Security Update (KB931261) --> "C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Windows XP Security Update (KB931784) --> "C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Windows XP Security Update (KB932168) --> "C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Windows XP Security Update (KB933729) --> "C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Windows XP Security Update (KB935839) --> "C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Windows XP Security Update (KB935840) --> "C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Windows XP Security Update (KB936021) --> "C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Windows XP Security Update (KB937894) --> "C:\WINDOWS\$NtUninstallKB937894$\spuninst\spuninst.exe"
Windows XP Security Update (KB938829) --> "C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
Windows XP Security Update (KB941202) --> "C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Windows XP Security Update (KB941568) --> "C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
Windows XP Security Update (KB941644) --> "C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
Windows XP Security Update (KB941693) --> "C:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe"
Windows XP Security Update (KB943055) --> "C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe"
Windows XP Security Update (KB943460) --> "C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Windows XP Security Update (KB943485) --> "C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
Windows XP Security Update (KB944653) --> "C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Windows XP Security Update (KB945553) --> "C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe"
Windows XP Security Update (KB946026) --> "C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"
Windows XP Security Update (KB948590) --> "C:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe"
Windows XP Security Update (KB948881) --> "C:\WINDOWS\$NtUninstallKB948881$\spuninst\spuninst.exe"
Windows XP Security Update (KB950749) --> "C:\WINDOWS\$NtUninstallKB950749$\spuninst\spuninst.exe"
Windows XP Security Update (KB950760) --> "C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Windows XP Security Update (KB950762) --> "C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Windows XP Security Update (KB951376-v2) --> "C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Windows XP Security Update (KB951376) --> "C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Windows XP Security Update (KB951698) --> "C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Windows XP Hotfix - KB834707 --> C:\WINDOWS\$NtUninstallKB834707$\spuninst\spuninst.exe
Windows XP Hotfix - KB867282 --> C:\WINDOWS\$NtUninstallKB867282$\spuninst\spuninst.exe
Windows XP Hotfix - KB873333 --> C:\WINDOWS\$NtUninstallKB873333$\spuninst\spuninst.exe
Windows XP Hotfix - KB873339 --> C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB885250 --> C:\WINDOWS\$NtUninstallKB885250$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835 --> C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836 --> C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185 --> C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB886677 --> C:\WINDOWS\$NtUninstallKB886677$\spuninst\spuninst.exe
Windows XP Hotfix - KB887472 --> C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Windows XP Hotfix - KB887742 --> C:\WINDOWS\$NtUninstallKB887742$\spuninst\spuninst.exe
Windows XP Hotfix - KB888113 --> C:\WINDOWS\$NtUninstallKB888113$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302 --> C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB890047 --> C:\WINDOWS\$NtUninstallKB890047$\spuninst\spuninst.exe
Windows XP Hotfix - KB890175 --> C:\WINDOWS\$NtUninstallKB890175$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859 --> "C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP Hotfix - KB890923 --> "C:\WINDOWS\$NtUninstallKB890923$\spuninst\spuninst.exe"
Windows XP Hotfix - KB891781 --> C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
Windows XP Hotfix - KB893066 --> "C:\WINDOWS\$NtUninstallKB893066$\spuninst\spuninst.exe"
Windows XP Hotfix - KB893086 --> "C:\WINDOWS\$NtUninstallKB893086$\spuninst\spuninst.exe"
Windows XP Hotfix (KB914440) --> "C:\WINDOWS\$NtUninstallKB914440$\spuninst\spuninst.exe"
Windows XP Update (KB894391) --> "C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Windows XP Update (KB896727) --> "C:\WINDOWS\$NtUninstallKB896727$\spuninst\spuninst.exe"
Windows XP Update (KB898461) --> "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Windows XP Update (KB900485) --> "C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Windows XP Update (KB904942) --> "C:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"
Windows XP Update (KB910437) --> "C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Windows XP Update (KB916595) --> "C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Windows XP Update (KB920872) --> "C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Windows XP Update (KB922582) --> "C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Windows XP Update (KB927891) --> "C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Windows XP Update (KB929338) --> "C:\WINDOWS\$NtUninstallKB929338$\spuninst\spuninst.exe"
Windows XP Update (KB930916) --> "C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Windows XP Update (KB931836) --> "C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
Windows XP Update (KB932823-v3) --> "C:\WINDOWS\$NtUninstallKB932823-v3$\spuninst\spuninst.exe"
Windows XP Update (KB933360) --> "C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"
Windows XP Update (KB936357) --> "C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Windows XP Update (KB938828) --> "C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Windows XP Update (KB942763) --> "C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinSCP 3.7.1 --> "C:\Program Files\WinSCP3\unins000.exe"
アクセスインターネット --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D56ABD14-7E8B-4C51-A995-B6B71779A460}\SETUP.EXE" -l0x11
できるThinkPad --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FA1E8CC8-33CC-4C26-9577-9F3DBF51D7C8}\SETUP.EXE" -l0x11
フレッツ接続ツール --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F63BF3C0-D774-11D5-9241-444553540000}\setup.exe" -l0x11 -removeonly -AUNINSTALL_ONLY
戦略将棋 for Windows95 version 1.00 --> D:\uninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type23366 / Warning
Event Submitted/Written: 06/23/2008 08:49:21 AM
Event ID/Source: 1524 / Userenv
Event Description:
クラス レジストリ ファイルをアンロードできません。ほかのアプリケーションまたはサービスによって使用されています。ファイルが使用されなくなった後にアンロードされます。

Event Record #/Type23339 / Warning
Event Submitted/Written: 06/20/2008 05:22:18 PM
Event ID/Source: 1015 / MsiInstaller
Event Description:
サーバーに接続できませんでした。エラー: 0x8007043C

Event Record #/Type23337 / Error
Event Submitted/Written: 06/20/2008 02:01:04 PM
Event ID/Source: 1000 / Microsoft Office 11
Event Description:
Faulting application winword.exe, version 11.0.5604.0, stamp 3f314a2f, faulting module unknown, version 0.0.0.0, stamp 00000000, debug? 0, fault address 0x005c0045.

Event Record #/Type23328 / Error
Event Submitted/Written: 06/20/2008 10:03:48 AM
Event ID/Source: 1000 / Application Error
Event Description:
エラー発生アプリケーション windvd.exe、バージョン 4.0.11.264、エラー発生モジュール quartz.dll、バージョン 6.5.2600.3367、エラー発生アドレス 0x000484a5
[windvd.exe!ws!] のメディア特有のイベントを処理しています

Event Record #/Type23277 / Error
Event Submitted/Written: 06/11/2008 09:10:29 PM
Event ID/Source: 1002 / Application Hang
Event Description:
ハングしているアプリケーション firefox.exe、バージョン 1.8.20080.40413、ハング モジュール hungapp、バージョン 0.0.0.0、ハング アドレス 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type71961 / Warning
Event Submitted/Written: 06/26/2008 09:43:28 AM / 06/26/2008 09:43:56 AM
Event ID/Source: 4 / b57w2k
Event Description:
Broadcom NetXtreme Fast Ethernet: The network link is down. Check to make sure the network cable is properly connected.

Event Record #/Type71954 / Error
Event Submitted/Written: 06/25/2008 08:28:07 PM
Event ID/Source: 14103 / PSched
Event Description:
QoS [アダプタ {26E466EE-F99F-4AA1-AAF8-3852CD98DD9B}]:
ネットカードのドライバは OID_GEN_LINK_SPEED のクエリができませんでした。

Event Record #/Type71952 / Error
Event Submitted/Written: 06/25/2008 08:28:03 PM
Event ID/Source: 1000 / Dhcp
Event Description:
ネットワーク アドレスが 001E2AE7D6E0 のネットワーク カードの
IP アドレス 192.168.0.11 のリースを失いました。

Event Record #/Type71951 / Warning
Event Submitted/Written: 06/25/2008 08:28:03 PM
Event ID/Source: 1003 / Dhcp
Event Description:
ネットワーク アドレスが 001E2AE7D6E0 のネットワーク カードに対して、ネットワーク (DHCP
サーバー) から割り当てられたアドレスを書き換えることができませんでした。
次のエラーが発生しました:
%%121
ネットワーク アドレス (DHCP) サーバーから引き続き、アドレスの取得を
試みます。

Event Record #/Type71929 / Warning
Event Submitted/Written: 06/25/2008 09:46:06 AM / 06/25/2008 09:46:34 AM
Event ID/Source: 4 / b57w2k
Event Description:
Broadcom NetXtreme Fast Ethernet: The network link is down. Check to make sure the network cable is properly connected.



-- End of Deckard's System Scanner: finished at 2008-06-26 14:28:27 ------------

Merged topics. ~ OB



Edited by Orange Blossom, 26 June 2008 - 03:26 PM.


#3 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:02:47 AM

Posted 10 July 2008 - 11:37 AM

Please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When following the instructions please install the Windows XP Recovery Console if you are using XP.

After running ComboFix, please post the ComboFix log as well as a brand new HijackThis as a reply to this topic.

#4 cburgess

cburgess
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:10:47 PM

Posted 11 July 2008 - 06:10 AM

Dear Grinler,

First, thank you so much for taking the time (no doubt very valuable time) to help a computer beginner like me. I can't tell you how much I appreciate it. I've been losing sleep over these problems. I followed the instructions for the ComboFix log, but I'm afraid I messed up with the Windows Recovery Console. I dragged the Windows XP download to ComboFix as detailed but hadn't turned off my anti-virus programmes at that point, so hit no, at which point ComboFix disappeared. I downloaded it again but figured the Windows Recovery Console had already been installed, so didn't bother doing it again - but looking at the log, it looks like I should have done it again. Anyway, I've pasted the ComboFix log and a new HijackThis log (not a DSS one) as requested. If you need me to run through the process again and install Windows Recovery properly, please let me know.

After running ComboFix, I noticed my screensaver was off, so tried to turn it back on, during which a black square appeared in the top left of the screen and Kaspersky came up with lots of pop-ups asking for permission for registry changes (such as the attached JPEG). After approving these (I wish I knew how to set Kaspersky so it doesn't ask me for permission for every little change) the screensaver control panel wouldn't close, froze, and eventually I had to forcefully close rundll32.exe. Hope this isn't related to viruses/ComboFix...

Anyway, if you confirm that my computer is now OK (and tell me if/with what I was infected), I will be so so grateful. This has been running on for weeks and driving me crazy. What I really want to know is how to stop infections in the future. Recently, I've had trojan pop-ups when browsing URLs I've browsed a hundred times before and even when I'm not browsing at all (i.e. finding infections after coming back from my lunch break), even though the Kaspersky firewall was jacked up to strong. Any advice on the best settings for Kaspersky, or advice in general, would hopefully stop me from bothering you guys again.

Again, thank you so much and apologies for taking up your expert time. You truly are a life-saver.

Chris

ComboFix 08-07-10.1 - Chris 2008-07-11 18:13:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.932.1.1041.18.640 [GMT 10:00]
Running from: G:\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Chris\Application Data\inst.exe
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\oeminfo.ini

.
((((((((((((((((((((((((( Files Created from 2008-06-11 to 2008-07-11 )))))))))))))))))))))))))))))))
.

2008-06-26 14:24 . 2008-06-26 14:24 <DIR> d-------- C:\Deckard
2008-06-22 22:14 . 2008-06-22 22:14 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\Symantec
2008-06-21 10:10 . 2008-06-21 10:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-20 20:44 . 2008-06-20 20:44 138,368 --------- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 16:46 . 2008-06-20 16:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-20 16:45 . 2008-06-20 16:45 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-20 16:45 . 2008-06-20 16:45 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\SUPERAntiSpyware.com
2008-06-20 14:12 . 2008-06-20 14:14 <DIR> d-------- C:\Program Files\Panda Security
2008-06-20 13:24 . 2008-06-20 13:24 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-20 12:47 . 2008-06-20 12:47 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-20 12:47 . 2008-06-20 12:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-20 12:38 . 2008-07-08 19:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-20 12:38 . 2008-06-20 12:38 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-20 10:42 . 2008-06-20 10:43 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\DivX
2008-06-12 22:36 . 2008-06-12 22:36 52,736 --a------ C:\WINDOWS\ipuninst.exe
2008-06-12 22:09 . 2008-06-12 22:09 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-06-11 19:40 . 2008-06-15 03:57 270,464 --------- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-11 08:22 8,078,368 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-11 08:21 104,736 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-11 08:20 109,220 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-11 08:20 10,820 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-11 07:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-10 07:49 --------- d-----w C:\Documents and Settings\Chris\Application Data\EndNote
2008-06-20 12:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 06:45 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-14 17:57 270,464 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 12:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-12 11:00 --------- d-----w C:\Program Files\Kaspersky Lab
2008-06-09 05:03 --------- d-----w C:\Program Files\MozyHome
2008-06-04 23:58 --------- d-----w C:\Program Files\Bonjour
2008-06-04 02:14 96,966 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-06-04 02:14 88,774 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2008-06-04 02:14 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-05-30 17:22 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-05-27 10:27 --------- d-----w C:\Documents and Settings\Chris\Application Data\Vso
2008-05-21 11:02 --------- d-----w C:\Program Files\Common Files\Thomson ResearchSoft
2008-05-21 11:00 --------- d-----w C:\Program Files\EndNote X1
2008-05-21 10:30 --------- d-----w C:\Program Files\Common Files\Risxtd
2008-05-19 06:32 --------- d-----w C:\Program Files\EndNote
2008-03-02 06:05 47,360 ----a-w C:\Documents and Settings\Chris\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:55 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 17:55 208952]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-31 22:00 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-31 22:00 455168]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2002-12-24 03:01 204800]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2003-02-24 03:06 53248]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2003-01-24 18:37 94208]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-02-17 02:33 76288]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2003-02-17 02:33 20480]
"TPKMAPMN"="C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" [2003-03-11 13:17 32835]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-05-05 02:04 114741]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2002-08-31 22:00 44032]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-31 22:00 59392]
"IMJPMIG9.0"="C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE" [2003-07-14 23:57 118840]
"QCTray"="C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe" [2003-02-24 03:06 520192]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-03-07 10:50 35328]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2004-03-19 14:37 155648]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2004-03-19 14:33 118784]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-02-07 09:40 118784]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-03-19 14:33 118784]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2008-02-08 18:36 227856]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 08:32 69632 C:\WINDOWS\system32\S3Tray2.exe]
"TrackPointSrv"="tp4serv.exe" [2002-12-03 04:09 87552 C:\WINDOWS\system32\tp4serv.exe]
"TP4EX"="tp4ex.exe" [2002-09-04 02:05 53248 C:\WINDOWS\system32\TP4EX.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [2004-08-04 17:55 15360 C:\WINDOWS\system32\ctfmon.exe]

C:\Documents and Settings\All Users\スタート メニュー\プログラム\スタートアップ\
NETGEAR WG111v2 Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111v2\WG111v2.exe [2008-04-12 22:23:32 1261568]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "C:\PROGRA~1\DVDREG~1\DVDShell.dll" [2004-10-09 16:18 49152]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv31"= C:\WINDOWS\System32\ir32_32.dll
"vidc.iv32"= C:\WINDOWS\System32\ir32_32.dll
"vidc.ir41"= C:\WINDOWS\System32\ir41_32.ax
"vidc.xvid"= xvid.dll
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"msacm.mpegacm"= mpegacm.acm
"msacm.ulmp3acm"= ulmp3acm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^スタート メニュー^プログラム^スタートアップ^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\スタート メニュー\プログラム\スタートアップ\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^スタート メニュー^プログラム^スタートアップ^Microsoft Find Fast.lnk]
path=C:\Documents and Settings\All Users\スタート メニュー\プログラム\スタートアップ\Microsoft Find Fast.lnk
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^スタート メニュー^プログラム^スタートアップ^Office スタートアップ.lnk]
path=C:\Documents and Settings\All Users\スタート メニュー\プログラム\スタートアップ\Office スタートアップ.lnk
backup=C:\WINDOWS\pss\Office スタートアップ.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Chris^スタート メニュー^プログラム^スタートアップ^PCastVIDEOスケジューラ.lnk]
path=C:\Documents and Settings\Chris\スタート メニュー\プログラム\スタートアップ\PCastVIDEOスケジューラ.lnk
backup=C:\WINDOWS\pss\PCastVIDEOスケジューラ.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ibmmessages]
--a------ 2003-02-28 13:49 532480 C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-04 15:18 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-14 02:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-12-15 04:23 75520 C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2003-02-14 12:59 88107 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 17:56 379904 C:\WINDOWS\system32\irprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\kdx\\khost.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\BUFFALO\\PCtVIDEO\\PCtVShd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 ASMBATT;ASMBATT;C:\WINDOWS\system32\drivers\ASMBATT.SYS [2003-01-24 15:02]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2003-02-24 03:06]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2003-02-17 02:33]
R2 PLANEX GW-NS54CW Service;PLANEX GW-NS54CW 54Mbps Wireless LAN CardBus Adapter;C:\Program Files\Planex\GW-NS54CW\WLService.exe [2004-03-29 16:08]
R3 AEIWL;IBM High Rate Wireless LAN MiniPCI Combo Card Driver;C:\WINDOWS\system32\DRIVERS\AEIWLNDS.sys [2002-09-23 20:16]
R3 ENETNT5;Efficient Networks, tango Access PPPoE WAN Miniport;C:\WINDOWS\system32\DRIVERS\enetnt.sys [2006-01-06 15:31]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 urvpndrv;F5 Networks VPN Adapter;C:\WINDOWS\system32\DRIVERS\urvpndrv.sys [2007-10-02 07:49]
S3 ESSIDSET;ESSIDSET;C:\WINDOWS\system32\ESSIDSET.SYS [2003-01-29 17:56]
S3 f5ipfw;F5 Networks StoneWall Filter;C:\WINDOWS\system32\drivers\urfltw2k.sys [2007-10-02 07:49]
S3 iComp;BUFFALO PC-MDVD/U2 WDM Encoder;C:\WINDOWS\system32\DRIVERS\p2usbwdm.sys [2004-12-03 16:13]
S3 LOGNT;LOGNT;C:\PROGRA~1\NTTE\Flets\app\lognt.sys [2005-06-24 14:46]
S3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys [2001-08-17 14:28]
S3 musbehco;musbehco;C:\DOCUME~1\Chris\LOCALS~1\Temp\musbehco.sys []
S3 NTSTPL2;NTSTPL2;C:\PROGRA~1\NTTE\Flets\app\NTSTPL2.SYS [2006-01-06 14:41]
S3 PCDRDRV;Pcdr Helper Driver;C:\PROGRA~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys []
S3 RAWESR;RAWESR;D:\Release\RAWESR.SYS []
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2007-02-06 22:22]
S3 TAPBIND;TAPBIND;C:\PROGRA~1\NTTE\Flets\app\TAPBIND1.SYS [2006-01-06 14:41]
S3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINDOWS\system32\DRIVERS\tp4track.sys [2002-12-03 04:09]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2afaafeb-7b7a-11dc-94b6-54414e474f31}]
\Shell\AutoRun\command - G:\USBNB.exe

*Newly Created Service* - GTNDIS5
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-tgcmd - (no file)
HKCU-Run-Steam - (no file)
HKLM-Run-ISUSPM - C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
MSConfigStartUp-Ulead Quick-Drop - C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator TBYB\Ulead Quick-Drop 1.0\Quick-Drop.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-11 18:21:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Planex\GW-NS54CW\GW-NS54CW.exe
C:\WINDOWS\system32\QCONSVC.EXE
C:\Program Files\NTTE\Flets\app\TangoService.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\ThinkPad\Utilities\EzEjMnAp.Exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-07-11 18:30:28 - machine was rebooted [Chris]
ComboFix-quarantined-files.txt 2008-07-11 08:29:22

30 個のディレクトリ 9,640,443,904 バイトの空き領域
36 個のディレクトリ 9,560,051,712 バイトの空き領域

222 --- E O F --- 2008-07-09 01:39:25

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:33:59, on 2008/07/11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Planex\GW-NS54CW\WLService.exe
C:\Program Files\Planex\GW-NS54CW\GW-NS54CW.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NTTE\Flets\app\TangoService.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ShowTangoBar Class - {603EC267-504E-4BD4-97F3-5DD71A271EAF} - C:\Program Files\NTTE\Flets\app\TangoIEBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: フレッツ接続ツール - {831AA893-5930-4A2B-8D38-B881AD1764E2} - C:\Program Files\NTTE\Flets\app\TangoIEBar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG9.0] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Microsoft Excel にエクスポート(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun の Java コンソール - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ウェブアンチウイルスの状態 - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: リサーチ - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: フレッツ接続ツール - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\NTTE\Flets\app\TangoIEBar.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://vpn.tsuda.ac.jp/vdesk/terminal/urxv...,2007,1001,2147
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://vpn.tsuda.ac.jp/vdesk/terminal/urTe...,2007,1001,2136
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://vpn.tsuda.ac.jp/vdesk/terminal/urxs...,2007,1001,2141
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://vpn.tsuda.ac.jp/vdesk/terminal/urxh...,2007,1001,2140
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio.com/core/player/abasetup144.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Bonjour サービス (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod サービス (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PLANEX GW-NS54CW 54Mbps Wireless LAN CardBus Adapter (PLANEX GW-NS54CW Service) - Unknown owner - C:\Program Files\Planex\GW-NS54CW\WLService.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\NTTE\Flets\app\TangoService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8854 bytes




#5 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:02:47 AM

Posted 14 July 2008 - 07:10 AM

Let's clean up the rest and then we will go over the screen saver and other issues.

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\DOCUME~1\Chris\LOCALS~1\Temp\musbehco.sys

Driver::
musbehco


Save this as the text file CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

#6 cburgess

cburgess
  • Topic Starter

  • Members
  • 13 posts

Posted 14 July 2008 - 08:48 PM

Dear Grinler,

Thank you again for your time and patience with someone who is way out of his depth. Since the first ComboFix, I had begun to think that things were improved, but yesterday I left my computer on and when I came back found that the screen saver had frozen. When I eventually got back in, Kaspersky told me my computer was infected again, this time by Trojan.Win32.FakeGina.ao, and I had to manually remove it. The Kaspersky log said something like NT AUTHORITY\NETWORK SERVICE、PC名: localhost after the FakeGina trojan entry. I also lost half a day's work. It's almost as if someone is waiting for a chance when my computer is not in use and then attacks and infects it. What on earth is it? I'm not sure if you had a chance to look at the Kaspersky log I attached earlier. Although it's in Japanese, you can easily see the pattern of infection starting with a hidden installation which seems to have hijacked/invaded 3 legit programs: C:\WINDOWS\system32\rundll32.exe, C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe, and C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE. If you skim through the event log, Kaspersky keeps noting suspicious activity in the mouseware but lets it go. Should I delete the mouseware? One final thing: when closing down, Spybot comes up (briefly) with a message like 'browser menu extension - value deleted'.
Anyway, I've done as you asked and have pasted the new ComboFix log and HijackThis log below. I have also added the 14 infected entries from the (Japanese) Kaspersky log at the bottom just in case. This thing is eating me up and I can't tell you how grateful I will be if you manage to help me get rid of it. A million thanks in advance.

Chris

P.S. I never did install the Windows Recovery Console thing - is that OK?

ComboFix 08-07-10.1 - Chris 2008-07-15 11:09:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.932.1.1041.18.652 [GMT 10:00]
Running from: C:\Documents and Settings\Chris\デスクトップ\ComboFix.exe
Command switches used :: C:\Documents and Settings\Chris\デスクトップ\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\DOCUME~1\Chris\LOCALS~1\Temp\musbehco.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MUSBEHCO
-------\Service_musbehco


((((((((((((((((((((((((( Files Created from 2008-06-15 to 2008-07-15 )))))))))))))))))))))))))))))))
.

2008-06-26 14:24 . 2008-06-26 14:24 <DIR> d-------- C:\Deckard
2008-06-21 10:10 . 2008-06-21 10:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-20 20:44 . 2008-06-20 20:44 138,368 --------- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 16:46 . 2008-06-20 16:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-20 16:45 . 2008-06-20 16:45 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-20 16:45 . 2008-06-20 16:45 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\SUPERAntiSpyware.com
2008-06-20 14:12 . 2008-06-20 14:14 <DIR> d-------- C:\Program Files\Panda Security
2008-06-20 13:24 . 2008-06-20 13:24 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-20 12:47 . 2008-06-20 12:47 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-20 12:47 . 2008-06-20 12:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-20 12:38 . 2008-07-08 19:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-20 12:38 . 2008-06-20 12:38 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-20 10:42 . 2008-06-20 10:43 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-15 01:21 8,193,056 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-15 01:17 113,440 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-15 01:16 110,756 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-15 01:16 11,660 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-15 00:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-14 11:10 --------- d-----w C:\Documents and Settings\Chris\Application Data\EndNote
2008-06-20 17:39 243,200 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:39 243,200 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:39 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 12:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-20 06:45 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-14 17:57 270,464 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-14 17:57 270,464 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-12 12:36 52,736 ----a-w C:\WINDOWS\ipuninst.exe
2008-06-12 12:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-12 11:00 --------- d-----w C:\Program Files\Kaspersky Lab
2008-06-09 05:03 --------- d-----w C:\Program Files\MozyHome
2008-06-04 23:58 --------- d-----w C:\Program Files\Bonjour
2008-06-04 02:14 96,966 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-06-04 02:14 88,774 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2008-06-04 02:14 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-05-30 17:22 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-05-30 17:18 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-27 10:27 --------- d-----w C:\Documents and Settings\Chris\Application Data\Vso
2008-05-21 11:02 --------- d-----w C:\Program Files\Common Files\Thomson ResearchSoft
2008-05-21 11:00 --------- d-----w C:\Program Files\EndNote X1
2008-05-21 10:30 --------- d-----w C:\Program Files\Common Files\Risxtd
2008-05-19 06:32 --------- d-----w C:\Program Files\EndNote
2008-05-16 01:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:15 1,275,904 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:15 1,275,904 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-23 12:16 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:42 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:42 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-03-02 06:05 47,360 ----a-w C:\Documents and Settings\Chris\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((( snapshot@2008-07-11_18.29.03.02 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-11 08:21:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-15 01:17:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:55 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 17:55 208952]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-31 22:00 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-31 22:00 455168]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2002-12-24 03:01 204800]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2003-02-24 03:06 53248]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2003-01-24 18:37 94208]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-02-17 02:33 76288]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2003-02-17 02:33 20480]
"TPKMAPMN"="C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" [2003-03-11 13:17 32835]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-05-05 02:04 114741]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2002-08-31 22:00 44032]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-31 22:00 59392]
"IMJPMIG9.0"="C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE" [2003-07-14 23:57 118840]
"QCTray"="C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe" [2003-02-24 03:06 520192]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-03-07 10:50 35328]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2004-03-19 14:37 155648]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2004-03-19 14:33 118784]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-02-07 09:40 118784]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-03-19 14:33 118784]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2008-02-08 18:36 227856]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 08:32 69632 C:\WINDOWS\system32\S3Tray2.exe]
"TrackPointSrv"="tp4serv.exe" [2002-12-03 04:09 87552 C:\WINDOWS\system32\tp4serv.exe]
"TP4EX"="tp4ex.exe" [2002-09-04 02:05 53248 C:\WINDOWS\system32\TP4EX.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [2004-08-04 17:55 15360 C:\WINDOWS\system32\ctfmon.exe]

C:\Documents and Settings\All Users\スタート メニュー\プログラム\スタートアップ\
NETGEAR WG111v2 Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111v2\WG111v2.exe [2008-04-12 22:23:32 1261568]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "C:\PROGRA~1\DVDREG~1\DVDShell.dll" [2004-10-09 16:18 49152]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv31"= C:\WINDOWS\System32\ir32_32.dll
"vidc.iv32"= C:\WINDOWS\System32\ir32_32.dll
"vidc.ir41"= C:\WINDOWS\System32\ir41_32.ax
"vidc.xvid"= xvid.dll
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"msacm.mpegacm"= mpegacm.acm
"msacm.ulmp3acm"= ulmp3acm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^スタート メニュー^プログラム^スタートアップ^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\スタート メニュー\プログラム\スタートアップ\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^スタート メニュー^プログラム^スタートアップ^Microsoft Find Fast.lnk]
path=C:\Documents and Settings\All Users\スタート メニュー\プログラム\スタートアップ\Microsoft Find Fast.lnk
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^スタート メニュー^プログラム^スタートアップ^Office スタートアップ.lnk]
path=C:\Documents and Settings\All Users\スタート メニュー\プログラム\スタートアップ\Office スタートアップ.lnk
backup=C:\WINDOWS\pss\Office スタートアップ.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Chris^スタート メニュー^プログラム^スタートアップ^PCastVIDEOスケジューラ.lnk]
path=C:\Documents and Settings\Chris\スタート メニュー\プログラム\スタートアップ\PCastVIDEOスケジューラ.lnk
backup=C:\WINDOWS\pss\PCastVIDEOスケジューラ.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ibmmessages]
--a------ 2003-02-28 13:49 532480 C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-04 15:18 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-14 02:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-12-15 04:23 75520 C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2003-02-14 12:59 88107 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 17:56 379904 C:\WINDOWS\system32\irprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\kdx\\khost.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\BUFFALO\\PCtVIDEO\\PCtVShd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 ASMBATT;ASMBATT;C:\WINDOWS\system32\drivers\ASMBATT.SYS [2003-01-24 15:02]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2003-02-24 03:06]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2003-02-17 02:33]
R2 PLANEX GW-NS54CW Service;PLANEX GW-NS54CW 54Mbps Wireless LAN CardBus Adapter;C:\Program Files\Planex\GW-NS54CW\WLService.exe [2004-03-29 16:08]
R3 AEIWL;IBM High Rate Wireless LAN MiniPCI Combo Card Driver;C:\WINDOWS\system32\DRIVERS\AEIWLNDS.sys [2002-09-23 20:16]
R3 ENETNT5;Efficient Networks, tango Access PPPoE WAN Miniport;C:\WINDOWS\system32\DRIVERS\enetnt.sys [2006-01-06 15:31]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 urvpndrv;F5 Networks VPN Adapter;C:\WINDOWS\system32\DRIVERS\urvpndrv.sys [2007-10-02 07:49]
S3 ESSIDSET;ESSIDSET;C:\WINDOWS\system32\ESSIDSET.SYS [2003-01-29 17:56]
S3 f5ipfw;F5 Networks StoneWall Filter;C:\WINDOWS\system32\drivers\urfltw2k.sys [2007-10-02 07:49]
S3 iComp;BUFFALO PC-MDVD/U2 WDM Encoder;C:\WINDOWS\system32\DRIVERS\p2usbwdm.sys [2004-12-03 16:13]
S3 LOGNT;LOGNT;C:\PROGRA~1\NTTE\Flets\app\lognt.sys [2005-06-24 14:46]
S3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys [2001-08-17 14:28]
S3 NTSTPL2;NTSTPL2;C:\PROGRA~1\NTTE\Flets\app\NTSTPL2.SYS [2006-01-06 14:41]
S3 PCDRDRV;Pcdr Helper Driver;C:\PROGRA~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys []
S3 RAWESR;RAWESR;D:\Release\RAWESR.SYS []
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2007-02-06 22:22]
S3 TAPBIND;TAPBIND;C:\PROGRA~1\NTTE\Flets\app\TAPBIND1.SYS [2006-01-06 14:41]
S3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINDOWS\system32\DRIVERS\tp4track.sys [2002-12-03 04:09]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2afaafeb-7b7a-11dc-94b6-54414e474f31}]
\Shell\AutoRun\command - G:\USBNB.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-15 11:18:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Planex\GW-NS54CW\GW-NS54CW.exe
C:\WINDOWS\system32\QCONSVC.EXE
C:\Program Files\NTTE\Flets\app\TangoService.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\ThinkPad\Utilities\EzEjMnAp.Exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-07-15 11:27:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-15 01:26:11
ComboFix2.txt 2008-07-11 08:30:29

30 個のディレクトリ 9,513,222,144 バイトの空き領域
36 個のディレクトリ 9,493,635,072 バイトの空き領域

237 --- E O F --- 2008-07-09 01:39:25


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:30:16, on 2008/07/15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Planex\GW-NS54CW\WLService.exe
C:\Program Files\Planex\GW-NS54CW\GW-NS54CW.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NTTE\Flets\app\TangoService.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ShowTangoBar Class - {603EC267-504E-4BD4-97F3-5DD71A271EAF} - C:\Program Files\NTTE\Flets\app\TangoIEBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: フレッツ接続ツール - {831AA893-5930-4A2B-8D38-B881AD1764E2} - C:\Program Files\NTTE\Flets\app\TangoIEBar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG9.0] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Microsoft Excel にエクスポート(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun の Java コンソール - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ウェブアンチウイルスの状態 - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: リサーチ - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: フレッツ接続ツール - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\NTTE\Flets\app\TangoIEBar.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://vpn.tsuda.ac.jp/vdesk/terminal/urxv...,2007,1001,2147
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://vpn.tsuda.ac.jp/vdesk/terminal/urTe...,2007,1001,2136
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://vpn.tsuda.ac.jp/vdesk/terminal/urxs...,2007,1001,2141
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://vpn.tsuda.ac.jp/vdesk/terminal/urxh...,2007,1001,2140
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio.com/core/player/abasetup144.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Bonjour サービス (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod サービス (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PLANEX GW-NS54CW 54Mbps Wireless LAN CardBus Adapter (PLANEX GW-NS54CW Service) - Unknown owner - C:\Program Files\Planex\GW-NS54CW\WLService.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\NTTE\Flets\app\TangoService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8887 bytes

KASPERSKY INFECTED LOG (Japanese)
検知
----
ステータス オブジェクト
---------- ------------
検知しました: リスクウェア Hidden install プロセスを実行します: C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe
削除しました: トロイの木馬 Trojan.Win32.VB.dkn ファイル: C:\WINDOWS\Installer\{87F7773C-EC9C-461A-AA7B-4AF8EF54DF49}\Icon87F7773C5.ico
削除しました: トロイの木馬 Trojan.Win32.VB.dkn ファイル: C:\System Volume Information\_restore{23753BD9-0548-4973-A924-D8681FDCBFA4}\RP1159\A0121832.ico
削除しました: トロイの木馬 Trojan.Win32.VB.dkn ファイル: G:\ENX1Inst.msi//Icon87F7773C5.ico
削除しました: トロイの木馬 Trojan-Dropper.Win32.Agent.stb ファイル: C:\Documents and Settings\Chris\My Documents\download\IPODACCESS_SETUP.EXE//Stream//data0007
削除しました: トロイの木馬 Trojan-Dropper.Win32.Agent.stb ファイル: C:\Documents and Settings\Chris\My Documents\download\IPODACCESS_SETUP.EXE//Stream//data0008
検知しました: リスクウェア Invader (loader) プロセスを実行します: C:\WINDOWS\system32\rundll32.exe
検知しました: リスクウェア Invader (loader) プロセスを実行します: C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
検知しました: リスクウェア Invader (loader) プロセスを実行します: C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
削除しました: トロイの木馬 Trojan.Win32.DNSChanger.ewf ファイル: C:\WINDOWS\system32\PCANDIS5.SYS
検知しました: トロイの木馬 Trojan-Downloader.JS.Agent.rn URL: http://etds0.net/lc326.html//lc326
検知しました: トロイの木馬 Trojan-Downloader.JS.Agent.ccv URL: http://www.destbnp.com/ngg.js
検知しました: トロイの木馬 Trojan-Downloader.JS.Agent.ccu URL: http://www.tertad.mobi/ngg.js
削除しました: トロイの木馬 Trojan.Win32.FakeGina.ao ファイル: C:\WINDOWS\system32\RtlGina2.dll
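
The HijackThis output above lists autostart entries (O4), Winlogon hooks (O20), services (O23) and ActiveX downloads (O16) that a helper reads line by line. As an added example that is not part of this thread or of HijackThis itself, the Python below parses a few lines in that format (copied from the log above, plus one constructed O4 entry named tmpdemo that runs from a Temp directory) and flags the ones a reviewer would look at first: autostarts with no full path or running from a Temp folder, Winlogon Notify DLLs (a sibling of the GinaDLL value that the FakeGina detection above concerns), services HijackThis reports with an unknown owner, and ActiveX controls fetched over cleartext HTTP. The flagging rules are the example's own heuristics, not HijackThis's verdicts; a hit means "verify this", not "infected".

```python
# Added example: triage heuristics for HijackThis-style log lines.
# Not code from the thread or from HijackThis; the rules below are the
# example's own heuristics for deciding which entries to review first.
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: lines copied from the HijackThis log in this thread, plus
# one constructed O4 entry (tmpdemo) that runs from a Temp directory.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [tmpdemo] C:\DOCUME~1\Chris\LOCALS~1\Temp\tmpdemo.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio.com/core/player/abasetup144.cab
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://vpn.tsuda.ac.jp/vdesk/terminal/urxv...,2007,1001,2147
"""

TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)   # ...\LOCALS~1\Temp\...
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")                  # fully qualified C:\... path
O4_ENTRY = re.compile(r"^(\S+?)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
IMAGE = re.compile(r"(.*?\.(?:exe|dll|sys|cpl|scr))(?=[\s,]|$)", re.IGNORECASE)


@dataclass
class Finding:
    section: str  # HijackThis section code: O4, O20, O23, O16
    name: str     # entry name as HijackThis prints it
    path: str     # image path or download URL
    reason: str   # why a reviewer should look at this entry


def image_path(command: str) -> str:
    """Extract the program/DLL path from an O4 command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = IMAGE.match(command)
    return m.group(1) if m else command.split()[0]


def check_line(line: str) -> Optional[Finding]:
    """Apply the triage heuristics to one log line; None means nothing to flag."""
    m = re.match(r"^(O\d+) - (.*)$", line.strip())
    if not m:
        return None
    section, rest = m.groups()
    if section == "O4":
        entry = O4_ENTRY.match(rest)
        if not entry:
            return None
        _hive, name, command = entry.groups()
        path = image_path(command)
        if not DRIVE_PATH.match(path):
            return Finding(section, name, path,
                           "autostart image has no full path; it is resolved via the search path")
        if TEMP_DIR.search(path):
            return Finding(section, name, path, "autostart runs from a Temp directory")
    elif section == "O20":
        name, path = rest[len("Winlogon Notify: "):].split(" - ", 1)
        return Finding(section, name, path,
                       "DLL loaded by winlogon.exe (same key as the GinaDLL value); verify publisher")
    elif section == "O23":
        desc, owner, path = rest.rsplit(" - ", 2)
        if owner == "Unknown owner":
            return Finding(section, desc[len("Service: "):], path,
                           "service binary has no recognised publisher")
    elif section == "O16":
        name, url = rest[len("DPF: "):].rsplit(" - ", 1)
        if url.lower().startswith("http://"):
            return Finding(section, name, url, "ActiveX control fetched over cleartext HTTP")
    return None


def triage(log_text: str) -> List[Finding]:
    """Run check_line over every line and keep the findings in log order."""
    return [f for f in (check_line(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.name:<28} {f.reason}\n     {f.path}")
```

Run as a script it prints five findings for the sample: the unqualified S3Tray2.exe autostart, the constructed Temp-directory entry, the SUPERAntiSpyware Winlogon Notify DLL (listed for verification, not because it is malicious), the QCONSVC service with no publisher, and the smgradio.com ActiveX download over plain HTTP. The Kaspersky, TeaTimer, quoted IME and HTTPS lines produce nothing, which is the point of the heuristics: they shrink a long log to the handful of entries worth checking against a known-good reference.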

#7 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • Gender:Male
  • Location:USA

Posted 15 July 2008 - 04:39 PM

Download this program:

Suspicious files packer

Highlight the files listed below in bold, then right-click and select Copy.

C:\Documents and Settings\Chris\My Documents\download\IPODACCESS_SETUP.EXE
C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe
C:\WINDOWS\Installer\{87F7773C-EC9C-461A-AA7B-4AF8EF54DF49}\Icon87F7773C5.ico
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\WINDOWS\system32\RtlGina2.dll
C:\WINDOWS\system32\PCANDIS5.SYS


Then start the file packer program, right-click in the white box and select Paste to paste the copied file names into the field.

Then press the Continue button.

It will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to yourmembername.cab (for example grinler.cab).

Then go here and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.

#8 cburgess

cburgess
  • Topic Starter

  • Members
  • 13 posts

Posted 15 July 2008 - 07:27 PM

Hi Grinler,

Thanks again for your continued - and very thorough - help. I've sent the cab log as requested. Nothing much else to report except that after I did the ComboFix you asked for yesterday I did another full Kaspersky scan and it found one infection:

Trojan.Win32.FakeGina.ao ファイル: C:\System Volume Information\_restore{23753BD9-0548-4973-A924-D8681FDCBFA4}\RP14\A0003801.dll

This looks like it's related to the Gina Trojan and - more worryingly - looks like it might be using system restore to restore itself?? Also, on boot up today Kaspersky noted suspicious activity in the mouseware file but allowed it (as before). Anyway, sorry if all my comments are not helpful - I figure you can always ignore them if they're irrelevant. Just one final thing that occurred to me - if my security has been compromised do I need to change all banking and e-mail passwords everywhere and alert banks etc.?

Thanks again,

Chris

#9 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • Gender:Male
  • Location:USA

Posted 16 July 2008 - 04:58 PM

The stuff in the system volume information is part of the system restore. We will get rid of that later after we are all cleaned up. I will be looking at the submitted files tonight.

#10 cburgess

cburgess
  • Topic Starter

  • Members
  • 13 posts

Posted 18 July 2008 - 03:35 AM

Hi Grinler,

Just been thinking of what I might have downloaded to cause the problems and I remembered that I downloaded DivX player from cnet (http://www.download.com/divx-player/?tag=lst-4&cdlPid=10781289) on the 20th - the day I started noticing problems. Looking closer at the reviews, quite a few people mention spyware. I uninstalled the programme soon after but looking around there is still a DivXCodeVersionChecker.exe in C/Windows/system32 and also folders remaining in C/documents and Settings/Chris/Application Data (including a dat file and a dlq file). The funny thing is that I just did a search for anything with DivX in the name and the computer started running at 100% CPU, avp.exe and explorer.exe being the main culprits. Even more strangely, the search results missed the DivX folders in the application data. Maybe I just didn't search properly.
Looking at the c/Windows file there are loads of funny looking folders with (blue) titles like $NtUninstallB929399$ (probably nothing?), and then that DivXCodec exe is sitting in the middle of System 32.
Anyway, not sure if this info is of any use but just on the off chance. Thanks for looking over the submitted files.

Chris

#11 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:47 AM

Posted 18 July 2008 - 06:42 AM

I analyzed those files and I am not seeing anything wrong with them. They were checked against about 15 antivirus programs and they are all saying they are fine. I also looked into the Divx player and it seems to only be bundling the Yahoo toolbar.

Please do this:


Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

#12 cburgess

cburgess
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:47 PM

Posted 20 July 2008 - 02:12 AM

Hi Grinler

Thanks for looking over my files. I'm really sorry if this is taking up too much of your time. I'm not sure whether to be relieved or disappointed about you not finding anything. I had a year with Kaspersky 6.0 alerting me to nothing - no infections, pretty much empty event log. I am pretty internet safe. However, with Kaspersky 7.0 (which I downloaded on June 4th) it's been non-stop. The only other thing I can think that I have downloaded was a small file to sort out problems caused with netgear - see - http://www.dougknox.com/xp/scripts_desc/fix_xp_logon.htm (interesting because this is related to Gina, which was also the name of one of the trojans...)

Anyway, I did what you asked with the Malwarebytes program. Actually, an error occurred during the scan - error code 731 (0,6) with a message to notify the company - apparently caused by something called C/windows/bnetunin.exe (though this doesn't seem to appear in the log below, which appears to only list 2 of the 3 infections found). Please also find a new HijackThis log. Here's hoping you find something.

Chris

Malwarebytes' Anti-Malware 1.21
Database version: 969
Windows 5.1.2600 Service Pack 2

16:51:25 2008/07/20
mbam-log-7-20-2008 (16-51-25).txt

Scan type: Quick Scan
Objects scanned: 41059
Time elapsed: 9 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Chris\results.txt (Malware.Trace) -> Quarantined and deleted successfully.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:54:25, on 2008/07/20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Planex\GW-NS54CW\WLService.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Planex\GW-NS54CW\GW-NS54CW.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NTTE\Flets\app\TangoService.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ShowTangoBar Class - {603EC267-504E-4BD4-97F3-5DD71A271EAF} - C:\Program Files\NTTE\Flets\app\TangoIEBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: フレッツ接続ツール - {831AA893-5930-4A2B-8D38-B881AD1764E2} - C:\Program Files\NTTE\Flets\app\TangoIEBar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG9.0] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Microsoft Excel にエクスポート(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: アンチバナーへ追加 - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun の Java コンソール - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ウェブアンチウイルスの状態 - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: リサーチ - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: フレッツ接続ツール - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\NTTE\Flets\app\TangoIEBar.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://vpn.tsuda.ac.jp/vdesk/terminal/urxv...,2007,1001,2147
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://vpn.tsuda.ac.jp/vdesk/terminal/urTe...,2007,1001,2136
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://vpn.tsuda.ac.jp/vdesk/terminal/urxs...,2007,1001,2141
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://vpn.tsuda.ac.jp/vdesk/terminal/urxh...,2007,1001,2140
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio.com/core/player/abasetup144.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Bonjour サービス (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod サービス (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PLANEX GW-NS54CW 54Mbps Wireless LAN CardBus Adapter (PLANEX GW-NS54CW Service) - Unknown owner - C:\Program Files\Planex\GW-NS54CW\WLService.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\NTTE\Flets\app\TangoService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9097 bytes
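
A small triage helper for logs in the HijackThis v2.0.2 layout posted above, added here as an example and not part of the thread or of HijackThis itself. It parses the "Running processes" list and the O-entries, then flags the items a reviewer checks first: O4 Run entries that give only a bare file name, O16 ActiveX downloads from hosts outside an allowlist (the allowlist is an assumption for the example), O20 Winlogon Notify DLLs, and O23 services whose owner HijackThis could not identify. The sample log is a constructed subset of the posted one.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the HijackThis v2.0.2 layout used in this thread;
# it is a small subset of the posted log, not the full log.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:54:25, on 2008/07/20
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

--
End of file - 1234 bytes
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
O4_RE = re.compile(r"^(?P<hive>.*?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: \{[^}]*\}(?: \([^)]*\))? - (?P<url>\S+)$")
O20_RE = re.compile(r"^Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Hosts from which an O16 (DPF) ActiveX download is treated as expected.
# This allowlist is an assumption for the example, not a HijackThis setting.
TRUSTED_DPF_HOSTS = ("update.microsoft.com",)


def parse_hjt(text):
    """Return (running_processes, [(section, body), ...]) from a HijackThis log."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                processes.append(line)
            else:
                in_procs = False  # the blank line ends the process list
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def is_full_path(cmd):
    """True when the Run command starts with an absolute drive path (quoted or not)."""
    return re.match(r'^"?[A-Za-z]:\\', cmd.strip()) is not None


def host_trusted(host, trusted=TRUSTED_DPF_HOSTS):
    return any(host == t or host.endswith("." + t) for t in trusted)


def triage(text):
    """Flag entries a reviewer looks at first; returns a list of (section, reason, item)."""
    _, entries = parse_hjt(text)
    findings = []
    for section, body in entries:
        if section == "O4":
            m = O4_RE.match(body)
            if m and not is_full_path(m["cmd"]):
                # A bare name is resolved through the search path at logon, so the
                # file that actually runs cannot be confirmed from the log alone.
                findings.append((section, "Run entry without full path", f"[{m['name']}] {m['cmd']}"))
        elif section == "O16":
            m = O16_RE.match(body)
            host = urlparse(m["url"]).hostname if m else None
            if host and not host_trusted(host):
                findings.append((section, "ActiveX download from unlisted host", host))
        elif section == "O20":
            m = O20_RE.match(body)
            if m:
                # Winlogon Notify DLLs load inside winlogon.exe at logon; each one
                # should be tied to a known product (here SUPERAntiSpyware).
                findings.append((section, "Winlogon Notify DLL, verify vendor", m["path"]))
        elif section == "O23":
            m = O23_RE.match(body)
            if m and m["owner"] == "Unknown owner":
                findings.append((section, "Service owner not identified by HijackThis", m["path"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```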

#13 cburgess

cburgess
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:47 PM

Posted 20 July 2008 - 02:32 AM

P.S. 2008/07/20 Soon after I sent the logs, Kaspersky starts flashing like mad again, slowing down the computer and reporting that (bad translation from Japanese):

16:39:05 Process (PID 3492) attempted the following action: Kaspersky process (PID 484) was accessed. Self-defence function successfully protected against this. This has been dealt with so no action on your part is necessary.
16:39:05 Process (PID 3492) attempted the following action: Kaspersky process (PID 1948) was accessed. Self-defence function successfully protected against this. This has been dealt with so no action on your part is necessary.

#14 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:47 AM

Posted 21 July 2008 - 10:25 AM

Dougknox is perfectly safe. He is a well known and respected person on the net, so do not worry about that file.

The Malwarebytes stuff doesn't show much to be concerned about. In fact, the results.txt is most likely a false positive.

Let's try something else.

Do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post the Kaspersky report together with a fresh HijackThis log for review.

#15 cburgess

cburgess
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:47 PM

Posted 22 July 2008 - 03:27 AM

Dear Grinler,

Please find below a new Kaspersky scan (plus a new HijackThis log). The Kaspersky scan was clean. I appear to have the cleanest computer around, which makes all the weird stuff in the Kaspersky event log (starting June 9th, a few days after installing version 7.0) unfathomable. Is someone targeting or attempting to hack my computer? My wife installed the same Kaspersky file on the same day and is using the same network, though she has had no problems. This is like something out of the X-Files! Anyway, here's hoping and praying you come up with something. Thanks again for all your help.

Chris

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, July 22, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, July 21, 2008 23:45:46
Records in database: 982350
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 87684
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 02:44:14

No malware has been detected. The scan area is clean.

The selected area was scanned.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:36:04, on 2008/07/22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Planex\GW-NS54CW\WLService.exe
C:\Program Files\Planex\GW-NS54CW\GW-NS54CW.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NTTE\Flets\app\TangoService.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ShowTangoBar Class - {603EC267-504E-4BD4-97F3-5DD71A271EAF} - C:\Program Files\NTTE\Flets\app\TangoIEBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: フレッツ接続ツール - {831AA893-5930-4A2B-8D38-B881AD1764E2} - C:\Program Files\NTTE\Flets\app\TangoIEBar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG9.0] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Microsoft Excel にエクスポート(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: アンチバナーへ追加 - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun の Java コンソール - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ウェブアンチウイルスの状態 - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: リサーチ - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: フレッツ接続ツール - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\NTTE\Flets\app\TangoIEBar.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://vpn.tsuda.ac.jp/vdesk/terminal/urxv...,2007,1001,2147
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://vpn.tsuda.ac.jp/vdesk/terminal/urTe...,2007,1001,2136
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://vpn.tsuda.ac.jp/vdesk/terminal/urxs...,2007,1001,2141
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://vpn.tsuda.ac.jp/vdesk/terminal/urxh...,2007,1001,2140
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio.com/core/player/abasetup144.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Bonjour サービス (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod サービス (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PLANEX GW-NS54CW 54Mbps Wireless LAN CardBus Adapter (PLANEX GW-NS54CW Service) - Unknown owner - C:\Program Files\Planex\GW-NS54CW\WLService.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\NTTE\Flets\app\TangoService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8984 bytes
