Problem to remove Virtumonde virus

tony6725

New member
Here is my log of Kaspersky and HijackThis below. Could someone help me check whether the virus has been completely killed?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at と 02:13:30, on 2008/5/31
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\vVX1000.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ezHelper\ezHelper.exe
C:\Program Files\Foxy\Foxy.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\3M\PDNotes\PDNotes.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! ㄣ - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1B4801D3-9A53-4618-8E45-BED464CE2CBC} - C:\WINDOWS\system32\opnkhhge.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {522E0112-EDD9-413D-A99E-C311A54B6676} - C:\WINDOWS\system32\ljJDSKAP.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {91446146-892A-4C2C-9809-C3F9DD58CA35} - C:\WINDOWS\system32\mlJBTkLe.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {BE4D7D2A-2A38-4F2B-AAAC-0FD83BD73F7E} - C:\WINDOWS\system32\cbXOGYPH.dll (file missing)
O2 - BHO: (no name) - {E6345D5D-4DD5-4EDF-87EA-1B62542F9B5D} - C:\WINDOWS\system32\byXPJYoo.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [186c03cd] rundll32.exe "C:\WINDOWS\system32\ydosfanl.dll",b
O4 - HKLM\..\Run: [BM1b5f3051] Rundll32.exe "C:\WINDOWS\system32\qvwnvmfa.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ezHelper] C:\Program Files\ezHelper\ezHelper.exe 300
O4 - HKCU\..\Run: [foxy] "C:\Program Files\Foxy\Foxy.exe" -tray
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Foxy 更 - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy 穓碝 - res://C:\Program Files\Foxy\Foxy.exe/search.htm
O8 - Extra context menu item: 蹲 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java 北 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: 把σ戈 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.webmail.hinet.net
O15 - Trusted Zone: webmail.hinet.net
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1159CFA4-6BEA-4ED4-8166-5556B1BFB232} (pocx Control) - http://202.133.245.200/iCF20071025.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4C833081-D026-4FF8-968F-7EAB660D2FBA} (TVAnts ActiveX Control) - http://download.tvants.com/pub/tvants/tvants1/win32/cab/tvants.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} (PowerPlayer Control) - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {5F4D222D-5EEE-40A8-8810-5642B4E4F441} (KENCAPI Class) - https://ebank.tcb-bank.com.tw/netbank/html/ib/pages/FSCAPIATL.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1185374795424
O16 - DPF: {C01170CC-AF05-46C3-88BC-2C120DCEE288} (KooPlayer Control) - http://www.im.tv/IMTVPlayer.ocx
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://extranet.cranfield.ac.uk/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{40233121-6B0E-4121-8A54-6B29E63F652F}: NameServer = 138.250.1.75,138.250.1.67
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: ljJDSKAP - C:\WINDOWS\SYSTEM32\ljJDSKAP.dll
O21 - SSODL: MsnShell32 - {35CEC8A3-2BE6-11D2-8773-92E220524250} - C:\WINDOWS\system32\MsnShell32.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod 狝叭 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 15327 bytes


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, May 30, 2008 10:16:42 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/05/2008
Kaspersky Anti-Virus database records: 815162
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\

Scan Statistics:
Total number of scanned objects: 102669
Number of viruses found: 18
Number of infected objects: 29
Number of suspicious objects: 0
Duration of the scan process: 02:20:15

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Kontiki\error.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\TOSHIBA\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\appLauncher_all_log.txt Object is locked skipped
C:\Documents and Settings\TOSHIBA\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\DM_log.txt Object is locked skipped
C:\Documents and Settings\TOSHIBA\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\HookStarter_log.txt Object is locked skipped
C:\Documents and Settings\TOSHIBA\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\SpecificUSB_log.txt Object is locked skipped
C:\Documents and Settings\TOSHIBA\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\TlibCmnDlgs_log.txt Object is locked skipped
C:\Documents and Settings\TOSHIBA\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\ApplicationHistory\PDNotes.exe.36dea9c6.ini.inuse Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\dbc2e.ht1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\dbdam Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\dbdao Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\dbeam Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\dbeao Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\dbm Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\dbu2d.ht1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\dbvm.cf1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\dbvmh.ht1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\fii.cf1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\fiih.ht1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\hp Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\hpt2i.ht1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\rpm.cf1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\rpm1m.cf1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\rpm1mh.ht1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\rpmh.ht1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\safeweb\goog-black-enchashm.cf1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\safeweb\goog-black-enchashmh.ht1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\safeweb\goog-black-urlm.cf1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\safeweb\goog-black-urlmh.ht1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\safeweb\goog-malware-domainm.cf1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\safeweb\goog-malware-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\safeweb\goog-white-domainm.cf1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\safeweb\goog-white-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Outlook\OutlookHotmail-00000002.pst/Hotmail/Infected Items/15 Jan 2007 05:16 from Onechina:price 15-Jan-2007/price15-Jan-2007.zip/bqqfbwcj.exe Infected: Email-Worm.Win32.Bagle.gt skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Outlook\OutlookHotmail-00000002.pst/Hotmail/Infected Items/15 Jan 2007 05:16 from Onechina:price 15-Jan-2007/price15-Jan-2007.zip Infected: Email-Worm.Win32.Bagle.gt skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Outlook\OutlookHotmail-00000002.pst MailMSMaill: infected - 2 skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Temp\Perflib_Perfdata_d64.dat Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Temp\~DFEFCA.tmp Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Temporary Internet Files\Content.IE5\85S4CUHB\kb456456[1] Infected: Trojan.Win32.Monder.le skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Temporary Internet Files\Content.IE5\8G0B3YZ6\install_en[1].cab/UGA6P_0001_N122M2802NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Temporary Internet Files\Content.IE5\8G0B3YZ6\install_en[1].cab CAB: infected - 1 skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Temporary Internet Files\Content.IE5\WQAS7XII\index[2].htm Infected: Trojan.JS.Pakes.l skipped
C:\Documents and Settings\TOSHIBA\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\TOSHIBA\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Eset\cache\CACHE.NDB Object is locked skipped
C:\Program Files\Eset\infected\23RGQNCA.NQF Infected: Trojan.Win32.Agent.hfr skipped
C:\Program Files\Eset\infected\CKDPTXBA.NQF Infected: Trojan.Win32.Agent.cnm skipped
C:\Program Files\Eset\infected\ESVQV5AA.NQF/nodfix.exe Infected: Trojan-Downloader.Win32.Agent.qzz skipped
C:\Program Files\Eset\infected\ESVQV5AA.NQF CAB: infected - 1 skipped
C:\Program Files\Eset\infected\ESVQV5AA.NQF PE-Crypt.XorPE: infected - 1 skipped
C:\Program Files\Eset\infected\MJKO1RBA.NQF Infected: Trojan.Win32.Inject.ud skipped
C:\Program Files\Eset\infected\QKKCMDAA.NQF Infected: Worm.Win32.Skipi.c skipped
C:\Program Files\Eset\infected\TJ4YF0DA.NQF Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Program Files\Eset\infected\XGG0DGAA.NQF Infected: Trojan-Dropper.Win32.Agent.bdj skipped
C:\Program Files\Eset\logs\virlog.dat Object is locked skipped
C:\Program Files\Eset\logs\warnlog.dat Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{FE01E12C-C4D0-4F4E-80E6-4A25B7882A1A}\RP229\A0040913.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vjr skipped
C:\System Volume Information\_restore{FE01E12C-C4D0-4F4E-80E6-4A25B7882A1A}\RP240\A0042194.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vps skipped
C:\System Volume Information\_restore{FE01E12C-C4D0-4F4E-80E6-4A25B7882A1A}\RP240\A0042197.dll Object is locked skipped
C:\System Volume Information\_restore{FE01E12C-C4D0-4F4E-80E6-4A25B7882A1A}\RP240\A0042257.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vqd skipped
C:\System Volume Information\_restore{FE01E12C-C4D0-4F4E-80E6-4A25B7882A1A}\RP240\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{D9C30512-377F-4959-B375-14863BD90F81}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\eorroyyp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vqh skipped
C:\WINDOWS\system32\fsungpdg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vqd skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\iifgEvSL.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.trt skipped
C:\WINDOWS\system32\ijptwxet.dll Infected: Trojan.Win32.Monder.le skipped
C:\WINDOWS\system32\jpcwoogm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vnb skipped
C:\WINDOWS\system32\ljJDSKAP.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.trt skipped
C:\WINDOWS\system32\MsDtc\MSDTC.LOG Object is locked skipped
C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log Object is locked skipped
C:\WINDOWS\system32\MsnShell32.dll Infected: Backdoor.Win32.Agent.gkf skipped
C:\WINDOWS\system32\qvwnvmfa.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vqf skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\ydosfanl.dll Infected: Trojan.Win32.Monder.le skipped
C:\WINDOWS\system32\yvhrwowj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vqh skipped
C:\WINDOWS\Temp\Perflib_Perfdata_4dc.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped

Scan process completed.
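A scripted version of the cross-check a helper does by eye on the two logs above, added here as an example that is not part of this thread or of any tool named in it: it flags the HijackThis entry types the scanner verdicts above cluster on (orphaned or nameless BHOs, rundll32 autostarts, Winlogon Notify and SSODL DLLs), attaches the Kaspersky verdict for each flagged path, and lists detections that no autostart entry references. The sample log lines are a constructed subset copied from the logs posted above; the heuristics and names are my own, not HijackThis or Kaspersky output formats beyond the lines shown.

```python
import re
from dataclasses import dataclass, field

# Constructed subset of the HijackThis log posted above (same lines, fewer of them).
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1B4801D3-9A53-4618-8E45-BED464CE2CBC} - C:\WINDOWS\system32\opnkhhge.dll (file missing)
O2 - BHO: (no name) - {522E0112-EDD9-413D-A99E-C311A54B6676} - C:\WINDOWS\system32\ljJDSKAP.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [186c03cd] rundll32.exe "C:\WINDOWS\system32\ydosfanl.dll",b
O4 - HKLM\..\Run: [BM1b5f3051] Rundll32.exe "C:\WINDOWS\system32\qvwnvmfa.dll",s
O20 - Winlogon Notify: ljJDSKAP - C:\WINDOWS\SYSTEM32\ljJDSKAP.dll
O21 - SSODL: MsnShell32 - {35CEC8A3-2BE6-11D2-8773-92E220524250} - C:\WINDOWS\system32\MsnShell32.dll
"""

# Constructed subset of the Kaspersky report posted above. The online scanner only
# detects; "skipped" means nothing was cleaned, so every hit still needs removal.
KAV_SAMPLE = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\eorroyyp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vqh skipped
C:\WINDOWS\system32\ljJDSKAP.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.trt skipped
C:\WINDOWS\system32\MsnShell32.dll Infected: Backdoor.Win32.Agent.gkf skipped
C:\WINDOWS\system32\qvwnvmfa.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vqf skipped
C:\WINDOWS\system32\ydosfanl.dll Infected: Trojan.Win32.Monder.le skipped
"""

PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:dll|exe)\b', re.IGNORECASE)
RUNDLL_RE = re.compile(r'\brundll32(?:\.exe)?\s+"?[A-Za-z]:\\', re.IGNORECASE)


@dataclass
class Finding:
    entry: str                  # the HijackThis line
    path: str                   # first DLL/EXE path found on the line
    reasons: list = field(default_factory=list)
    verdict: str = ""           # scanner detection name, if the scanner flagged the path


def parse_kav(report: str) -> list:
    """Return (path, detection_name) for each report line carrying an 'Infected:' verdict."""
    hits = []
    for line in report.splitlines():
        if " Infected: " not in line:
            continue                            # locked/clean objects carry no verdict
        path, rest = line.split(" Infected: ", 1)
        hits.append((path.strip(), rest.split()[0]))
    return hits


def suspicious_reasons(entry: str) -> list:
    """Heuristics a forum helper applies by eye to a single HijackThis line."""
    code = entry.split(" - ", 1)[0]
    reasons = []
    if "(file missing)" in entry or "(no file)" in entry:
        reasons.append("orphaned entry: the registered component is not on disk")
    if code == "O2" and "(no name)" in entry:
        reasons.append("browser helper object without a name")
    if code == "O4" and RUNDLL_RE.search(entry):
        reasons.append("autostart loads a DLL through rundll32")
    if code == "O20" and "Winlogon Notify" in entry:
        reasons.append("DLL loaded into winlogon.exe at every logon")
    if code == "O21":
        reasons.append("DLL loaded by Explorer via ShellServiceObjectDelayLoad")
    return reasons


def triage(hjt_log: str, kav_report: str) -> list:
    """Flag HijackThis entries by heuristic and attach the scanner verdict for their path."""
    verdicts = {path.lower(): name for path, name in parse_kav(kav_report)}
    findings = []
    for entry in (l.strip() for l in hjt_log.splitlines()):
        if not entry:
            continue
        m = PATH_RE.search(entry)
        path = m.group(0) if m else ""
        reasons = suspicious_reasons(entry)
        verdict = verdicts.get(path.lower(), "")
        if verdict:                             # a scanner hit is a reason on its own
            reasons.append(f"scanner verdict: {verdict}")
        if reasons:
            findings.append(Finding(entry, path, reasons, verdict))
    return findings


def unreferenced_detections(hjt_log: str, kav_report: str) -> list:
    """Scanner hits no HijackThis line points at; still on disk, still need removal."""
    referenced = {m.group(0).lower() for m in PATH_RE.finditer(hjt_log)}
    return [path for path, _ in parse_kav(kav_report) if path.lower() not in referenced]


if __name__ == "__main__":
    for f in triage(HJT_SAMPLE, KAV_SAMPLE):
        print(f.entry)
        for r in f.reasons:
            print("   -", r)
    print("Detections not tied to any autostart entry:")
    for p in unreferenced_detections(HJT_SAMPLE, KAV_SAMPLE):
        print("   -", p)
```

Run against the full logs above, the same functions show that the Kaspersky hits were only detected, not removed, which is the answer to the opening question.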
 
Hi,

Welcome to Safer Networking.

Bittorrent is installed on your computer and I see that it's running. While Bittorrent is a clean P2P program, there's no guarantee that the files downloaded are. Please refrain from using it/them while cleaning your computer to prevent getting more infections.

A list of clean and infected P2P programs can be found at Malware Removal and Spyware Info.

The risks of using a P2P program are stated in this Sourceforge website and Information Week article.
____________________

Do you work or study at Cranfield University?

Do you also do banking online at this bank - http://www.tcb-bank.com.tw/wps/portal ?

Please also read this sticky.

Run ATF Cleaner

Download ATF Cleaner and save it to your desktop.

Double click on ATF-Cleaner.exe to run it.

  • Click on Main at the top.
  • Tick all the boxes except the Prefetch and Cookies box.
  • Click on Empty Selected button.

If you use Firefox

  • Click on Firefox at the top.
  • Tick all the boxes except Firefox Cookies and Firefox Saved Passwords.
  • Click on Empty Selected button.

If you use Opera

  • Click on Opera at the top.
  • Tick all the boxes except Opera Cookies and Opera Saved Passwords.
  • Click on Empty Selected button.

Close ATF Cleaner when you are done.

Disable NOD32 Antivirus temporarily

Please disable NOD32 Antivirus temporarily as it may interfere with the fixes. Remember to re-enable it before posting the logs!

Please navigate to the system tray on the bottom right hand corner and look for the NOD32 icon (nod32.png).

  • Open it and click on the quit button (nod32_quit.png).
  • A popup will warn that protection will now be disabled. Click on Yes to disable the Antivirus guard.

Run Combofix

If you already have Combofix, please delete this copy and download it again as it's being updated regularly.

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once Recovery Console is installed, you should see a blue screen prompt like the one below:

RC_whatnext.gif


Click Yes to allow Combofix to continue scanning for malware.

When done, a log will be produced. Please post that log and a new HijackThis log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

Create Uninstall list

In your next reply, please post:

  1. Combofix log (C:\Combofix.txt)
  2. A new HijackThis log
  3. Uninstall list
 
here they are:

ComboFix 08-05-29.1 - TOSHIBA 2008-05-31 15:20:28.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.950.1.1028.18.347 [GMT 1:00]
磅︽竚?: C:\Documents and Settings\TOSHIBA\\ComboFix.exe
* Resident AV is active

.

(((((((((((((((((((((((((((((((((((((( Other files have been deleted ))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM1b5f3051.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\dxitpbqh.dll
C:\WINDOWS\system32\eghhknpo.ini
C:\WINDOWS\system32\eghhknpo.ini2
C:\WINDOWS\system32\eLkTBJlm.ini
C:\WINDOWS\system32\eLkTBJlm.ini2
C:\WINDOWS\system32\eorroyyp.dll
C:\WINDOWS\system32\fsungpdg.dll
C:\WINDOWS\system32\gdpgnusf.ini
C:\WINDOWS\system32\HPYGOXbc.ini
C:\WINDOWS\system32\HPYGOXbc.ini2
C:\WINDOWS\system32\hqbptixd.ini
C:\WINDOWS\system32\ikRsDJlm.ini
C:\WINDOWS\system32\ikRsDJlm.ini2
C:\WINDOWS\system32\lbjjqrbt.dll
C:\WINDOWS\system32\mlJDsRki.dll
C:\WINDOWS\system32\ooYJPXyb.ini
C:\WINDOWS\system32\ooYJPXyb.ini2
C:\WINDOWS\system32\qvwnvmfa.dll
C:\WINDOWS\system32\yvhrwowj.dll
.
---- Previous Run -------
.
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\mcrh.tmp

.
(((((((((((((((((((((((((((( Files created from 2008-04-28 - 2008-05-31 )))))))))))))))))))))))))))))))))
.

C:\ComboFix\CreateD00.bat .
2008-05-31 02:12 . 2008-05-31 02:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-30 19:46 . 2008-05-30 19:46 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-30 19:46 . 2008-05-30 19:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-30 19:43 . 2008-05-31 03:10 1,486,198 --ahs---- C:\WINDOWS\system32\lnafsody.ini
2008-05-30 19:35 . 2008-05-30 19:35 2,795 --a------ C:\WINDOWS\system32\jwchjnxv.dll
2008-05-30 14:16 . 2008-05-30 19:43 1,474,015 --ahs---- C:\WINDOWS\system32\texwtpji.ini
2008-05-30 13:50 . 2008-05-31 01:25 326 --a------ C:\WINDOWS\wininit.ini
2008-05-30 01:25 . 2008-05-30 14:06 646 --ahs---- C:\WINDOWS\system32\eyiqflsg.ini
2008-05-29 18:57 . 2008-05-29 18:57 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-29 18:57 . 2008-05-29 20:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-29 02:48 . 2007-08-13 18:52 66,048 --a------ C:\WINDOWS\ieResetIcons.exe
2008-05-29 01:19 . 2008-05-29 01:19 <DIR> d-------- C:\Documents and Settings\TOSHIBA\Application Data\Lavasoft
2008-05-29 01:17 . 2008-05-29 01:17 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-29 00:15 . 2008-05-29 00:15 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-28 13:41 . 2008-05-28 13:42 1,454,391 --ahs---- C:\WINDOWS\system32\mgoowcpj.ini
2008-05-28 02:25 . 2008-05-28 02:25 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-28 02:25 . 2008-05-28 02:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-28 01:24 . 2008-05-28 13:43 1,463,858 --ahs---- C:\WINDOWS\system32\wcvayejn.ini
2008-05-28 01:16 . 2007-07-12 22:33 87,552 --a------ C:\WINDOWS\system32\cpwmon2k.dll
2008-05-28 01:13 . 2008-05-28 01:13 <DIR> d-------- C:\Program Files\Acro Software
2008-05-28 01:13 . 2008-05-28 01:13 58,880 --a------ C:\WINDOWS\system32\ljJDSKAP.dll
2008-05-28 01:13 . 2008-05-28 01:13 58,880 --a------ C:\WINDOWS\system32\iifgEvSL.dll
2008-05-24 21:01 . 2008-05-24 21:03 <DIR> d-------- C:\Program Files\Zattoo
2008-05-24 03:08 . 2008-05-24 03:08 <DIR> d-------- C:\Program Files\PPLive
2008-05-24 03:08 . 2008-05-24 03:08 <DIR> d-------- C:\Program Files\Common Files\Synacast
2008-05-22 01:16 . 2008-05-22 01:16 <DIR> d-------- C:\Documents and Settings\TOSHIBA\Application Data\LinkedIn
2008-04-29 01:34 . 2008-04-29 14:47 <DIR> d-------- C:\Program Files\TVAnts
2008-04-27 20:29 . 2007-04-16 12:02 100,736 -ra------ C:\WINDOWS\system32\drivers\ewusbmdm.sys
2008-04-27 20:28 . 2008-04-27 20:29 11,381 --a------ C:\WINDOWS\E220AutoRunLog.tmp
2008-04-24 21:51 . 2008-04-24 21:51 <DIR> d-------- C:\Documents and Settings\TOSHIBA\Application Data\3M
2008-04-24 21:50 . 2008-04-24 21:50 <DIR> d-------- C:\Program Files\3M
2008-04-20 01:52 . 2008-04-20 01:52 <DIR> d-------- C:\Program Files\Kontiki
2008-04-20 01:52 . 2008-05-31 15:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kontiki
2008-04-20 01:14 . 2008-05-31 15:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-20 01:14 . 2008-04-20 01:14 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-20 01:03 . 2008-04-20 01:29 <DIR> d-------- C:\WINDOWS\system32\undefined
2008-04-17 20:23 . 2008-04-17 20:23 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-17 00:45 . 2008-05-26 01:45 1,160 --a------ C:\WINDOWS\powerplayer.ini
2008-04-17 00:44 . 2008-05-26 01:48 627 --a------ C:\WINDOWS\psnetwork.ini
2008-04-17 00:11 . 2008-04-17 00:11 <DIR> d-------- C:\Program Files\TVAntsX
2008-04-13 01:58 . 2008-04-14 00:20 <DIR> d-------- C:\Documents and Settings\TOSHIBA\Application Data\foobar2000
2008-04-08 00:57 . 2008-04-08 00:57 <DIR> d-------- C:\Program Files\iPod
2008-04-05 20:20 . 2008-04-05 20:20 46,000 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-04-01 10:01 . 2007-02-12 12:41 2,732,032 -ra------ C:\WINDOWS\system32\Netw2r32.dll
2008-04-01 10:01 . 2007-02-12 12:40 557,056 -ra------ C:\WINDOWS\system32\Netw2c32.dll

.
(((((((((((((((((((((((((((((((((((( るず笆郎 )))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-31 14:31 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\DNA
2008-05-31 11:56 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\Skype
2008-05-31 02:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-30 15:34 --------- d-----w C:\Program Files\Foxy
2008-05-29 20:05 --------- d-----w C:\Program Files\Eset
2008-05-28 15:22 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\BitTorrent
2008-05-28 01:25 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-28 17:15 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-04-28 00:10 49,864 ----a-w C:\Documents and Settings\TOSHIBA\Application Data\GDIPFONTCACHEV1.DAT
2008-04-22 23:45 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\ppstream
2008-04-20 00:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-17 17:03 --------- d-----w C:\Program Files\Google
2008-04-07 23:59 --------- d-----w C:\Program Files\iTunes
2008-04-07 23:54 --------- d-----w C:\Program Files\QuickTime
2008-04-07 00:23 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\toshiba
2008-03-25 04:49 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:49 158,496 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-20 08:03 1,844,864 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-20 06:50 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:33 45,056 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-01 11:11 586,240 ----a-w C:\WINDOWS\WLXPGSS.SCR
.

------- Sigcheck -------

2006-04-20 13:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 17:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-12 13:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2007-11-06 23:42 359808 b4e29943b4b04bd5e7381546848e6669 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2007-10-30 18:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 18:20 360064 ed06c31200714e734118f9a47f5df5ce C:\WINDOWS\system32\drivers\tcpip.sys
.
(((((((((((((((((((((((((((((((((((((((((( 璶祅魁郎 )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*猔種* フ┪猭祅魁盢ぃ穦陪ボ

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1B4801D3-9A53-4618-8E45-BED464CE2CBC}]
C:\WINDOWS\system32\opnkhhge.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{522E0112-EDD9-413D-A99E-C311A54B6676}]
2008-05-28 01:13 58880 --a------ C:\WINDOWS\system32\ljJDSKAP.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91446146-892A-4C2C-9809-C3F9DD58CA35}]
C:\WINDOWS\system32\mlJBTkLe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE4D7D2A-2A38-4F2B-AAAC-0FD83BD73F7E}]
C:\WINDOWS\system32\cbXOGYPH.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6345D5D-4DD5-4EDF-87EA-1B62542F9B5D}]
C:\WINDOWS\system32\byXPJYoo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 13:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-25 18:21 68856]
"ezHelper"="C:\Program Files\ezHelper\ezHelper.exe" [2006-11-30 03:59 456192]
"foxy"="C:\Program Files\Foxy\Foxy.exe" [2008-05-29 19:37 1160704]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-08 13:45 289088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-12 13:00 208952]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [2004-06-28 10:24 258048]
"000StTHK"="000StTHK.exe" [2001-06-23 13:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-04-06 17:19 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-04-06 17:07 114688]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 03:52 1368064]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 09:46 192512]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-06-13 10:21 122880]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 08:00 88363 C:\WINDOWS\agrsmmsg.exe]
"TFNF5"="TFNF5.exe" [2003-12-02 07:15 73728 C:\WINDOWS\system32\TFNF5.exe]
"TPSMain"="TPSMain.exe" [2004-06-01 13:43 278528 C:\WINDOWS\system32\TPSMain.exe]
"NDSTray.exe"="NDSTray.exe" []
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-03-02 06:45 135168]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-12 13:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-12 13:00 59392]
"CJIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.exe" [2003-07-14 14:57 63040]
"PHIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.exe" [2003-07-14 14:57 95296]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-01-26 06:36 495616]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-08-08 15:16 921600]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 22:45 279912]
"VX1000"="C:\WINDOWS\vVX1000.exe" [2007-04-10 22:46 709992]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-24 16:37 185632]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-17 18:03 29744]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"Device Detector"="DevDetect.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-12 13:00 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [ ]

C:\Documents and Settings\All Users\秨﹍\祘Α栋\币笆\
Google 穝竟.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-25 18:21:28 125624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 18:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{522E0112-EDD9-413D-A99E-C311A54B6676}"= C:\WINDOWS\system32\ljJDSKAP.dll [2008-05-28 01:13 58880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"MsnShell32"= {35CEC8A3-2BE6-11D2-8773-92E220524250} - C:\WINDOWS\system32\MsnShell32.dll [2004-08-12 13:00 16384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJDSKAP]
ljJDSKAP.dll 2008-05-28 01:13 58880 C:\WINDOWS\system32\ljJDSKAP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ASUS\\WL-330 Utilities\\Discovery330.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\ezPeerPlus\\ezPeerPlus.exe"=
"C:\\Program Files\\Foxy\\Foxy.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"C:\\Program Files\\TVAnts\\Tvants.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\SopCast\\sopvod.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Zattoo\\zattood.exe"=
"C:\\Program Files\\Zattoo\\Zattoo2.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6494:TCP"= 6494:TCP:Foxy (127.0.0.1:6494) 6494 TCP
"6494:UDP"= 6494:UDP:Foxy (127.0.0.1:6494) 6494 UDP

S3 ASINDIS5;ASINDIS5 Protocol Driver;C:\WINDOWS\system32\ASINDIS5.SYS [2002-09-10 12:35]
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);C:\WINDOWS\system32\DRIVERS\sea1bus.sys [2007-02-08 05:55]
S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\sea1mdfl.sys [2007-02-08 05:55]
S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\sea1mdm.sys [2007-02-08 05:55]
S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\sea1mgmt.sys [2007-02-08 05:56]
S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);C:\WINDOWS\system32\DRIVERS\sea1nd5.sys [2007-02-08 05:56]
S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\sea1obex.sys [2007-02-08 05:56]
S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);C:\WINDOWS\system32\DRIVERS\sea1unic.sys [2007-02-08 05:56]

.
逼祘戈Жず甧
"2008-05-29 15:03:40 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-31 15:34:22
Windows 5.1.2600 Service Pack 2 NTFS

苯磞留旅祘...

苯磞留旅秈祘...

苯磞留旅郎...


folder error: C:\Documents and Settings\All Users\秨﹍\祘Α栋\币笆\
folder error: C:\Documents and Settings\TOSHIBA\秨﹍\祘Α栋\币笆\
C:\Documents and Settings\TOSHIBA\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1440111801-1623072934-2751514922-1006\de72adef885537255121e63e575be015_34649e78-0466-4518-a584-882733689d40

苯磞ЧΘ
留旅郎?: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\ljJDSKAP.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\conime.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\3M\PDNotes\PDNotes.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
.
**************************************************************************
.
ЧΘ丁?: 2008-05-31 15:45:41 - machine was rebooted [TOSHIBA]
ComboFix-quarantined-files.txt 2008-05-31 14:44:31

13 ヘ魁 15,255,920,640 じ舱ノ
17 ヘ魁 15,207,010,304 じ舱ノ

275 --- E O F --- 2008-05-16 11:35:20





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at と 03:50:11, on 2008/5/31
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\vVX1000.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\ezHelper\ezHelper.exe
C:\Program Files\Foxy\Foxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\3M\PDNotes\PDNotes.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! ㄣ - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1B4801D3-9A53-4618-8E45-BED464CE2CBC} - C:\WINDOWS\system32\opnkhhge.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {522E0112-EDD9-413D-A99E-C311A54B6676} - C:\WINDOWS\system32\ljJDSKAP.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {91446146-892A-4C2C-9809-C3F9DD58CA35} - C:\WINDOWS\system32\mlJBTkLe.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {BE4D7D2A-2A38-4F2B-AAAC-0FD83BD73F7E} - C:\WINDOWS\system32\cbXOGYPH.dll (file missing)
O2 - BHO: (no name) - {E6345D5D-4DD5-4EDF-87EA-1B62542F9B5D} - C:\WINDOWS\system32\byXPJYoo.dll (file missing)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ezHelper] C:\Program Files\ezHelper\ezHelper.exe 300
O4 - HKCU\..\Run: [foxy] "C:\Program Files\Foxy\Foxy.exe" -tray
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Foxy 更 - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy 穓碝 - res://C:\Program Files\Foxy\Foxy.exe/search.htm
O8 - Extra context menu item: 蹲 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java 北 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: 把σ戈 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.webmail.hinet.net
O15 - Trusted Zone: webmail.hinet.net
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1159CFA4-6BEA-4ED4-8166-5556B1BFB232} (pocx Control) - http://202.133.245.200/iCF20071025.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4C833081-D026-4FF8-968F-7EAB660D2FBA} (TVAnts ActiveX Control) - http://download.tvants.com/pub/tvants/tvants1/win32/cab/tvants.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {5F4D222D-5EEE-40A8-8810-5642B4E4F441} (KENCAPI Class) - https://ebank.tcb-bank.com.tw/netbank/html/ib/pages/FSCAPIATL.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1185374795424
O16 - DPF: {C01170CC-AF05-46C3-88BC-2C120DCEE288} (KooPlayer Control) - http://www.im.tv/IMTVPlayer.ocx
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://extranet.cranfield.ac.uk/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{40233121-6B0E-4121-8A54-6B29E63F652F}: NameServer = 138.250.1.75,138.250.1.67
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: ljJDSKAP - C:\WINDOWS\SYSTEM32\ljJDSKAP.dll
O21 - SSODL: MsnShell32 - {35CEC8A3-2BE6-11D2-8773-92E220524250} - C:\WINDOWS\system32\MsnShell32.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod 狝叭 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 14708 bytes


Also, I am studying at Cranfield University, while the bank one is not used any more. But will both of them affect the procedure for scanning for viruses?

BTW, I do not know how to create an uninstall list. Could you kindly tell me how to create it?

Thanks for your help.
 
Sorry for that.

Here it is.

  1. Open HijackThis.
  2. Click on the Open the Misc Tools section button.
  3. Look under System tools.
  4. Click on the Open Uninstall Manager... button.
  5. Click on the Save list... button.
  6. It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
  7. Notepad will open. Please post this log in your next reply.
 
Hi,

Please go to VirusTotal or Jotti and upload C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys for scanning.

For VirusTotal

  1. Please copy and paste C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys in the text box next to the Browse button.
  2. Click on Send File.

For Jotti

  1. Please copy and paste C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys in the text box next to the Browse button.
  2. Click on Submit.

Repeat for these files.

C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
C:\WINDOWS\system32\dllcache\tcpip.sys
C:\WINDOWS\system32\drivers\tcpip.sys

Please post back the scan results of these files, together with the Uninstall list.

Also, I am studying at Cranfield University, while the bank one has not been used any more. But will both of them affect the procedure of scanning for the virus?

No, they will not. I just need to confirm with you as I'm not sure.
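What the request above boils down to is whether the tcpip.sys that Windows actually loads is the same file as the backup copies Windows keeps of it. As an added example that is not part of the original thread, the following Python script does that check offline: it hashes each copy the way the VirusTotal report prints them (MD5, SHA1, SHA256), reads the build timestamp out of the PE file header, and sorts the backups into byte-identical to the live driver, different, and absent. The six paths are the ones listed in the thread; the constructed test data (fake_pe) and the temp-directory demo() run are assumptions made for the example and are not real drivers.

```python
"""Compare the copies of tcpip.sys listed in the thread, by hash and by PE
build timestamp.  Added example for this thread, not part of the original
post; it uploads nothing, so it works without VirusTotal or Jotti."""
import hashlib
import os
import struct
import tempfile
from datetime import datetime, timezone

# The six paths from the thread.  The first is the driver Windows loads; the
# rest are Windows File Protection's cache (dllcache) and the hotfix backup
# ($NtUninstall...) and hotfix migration ($hf_mig$) copies.
LIVE_TCPIP = r"C:\WINDOWS\system32\drivers\tcpip.sys"
BACKUP_TCPIP = [
    r"C:\WINDOWS\system32\dllcache\tcpip.sys",
    r"C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys",
    r"C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys",
    r"C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys",
    r"C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys",
]


def pe_timestamp(data):
    """Return IMAGE_FILE_HEADER.TimeDateStamp, or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # After the "PE\0\0" signature: Machine (2), NumberOfSections (2), TimeDateStamp (4).
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def describe(path):
    """Size, hashes and build time of one file, as the VirusTotal report prints them."""
    with open(path, "rb") as fh:
        data = fh.read()
    stamp = pe_timestamp(data)
    built = None
    if stamp is not None:
        built = datetime.fromtimestamp(stamp, timezone.utc).strftime("%a %b %d %H:%M:%S %Y")
    return {
        "path": path,
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "timestamp": stamp,
        "built": built,
    }


def compare_copies(live_path, backup_paths):
    """Sort the backups into byte-identical to the live driver, different, and absent.

    A differing backup is not evidence of tampering: every hotfix level ships its
    own tcpip.sys, which is why the copies in this thread differ in size and build
    date.  The case worth escalating is a live driver whose hash matches none of
    the backups, or whose build date is newer than the last patch installed."""
    live = describe(live_path)
    same, different, missing = [], [], []
    for path in backup_paths:
        if not os.path.isfile(path):
            missing.append(path)
            continue
        info = describe(path)
        (same if info["sha256"] == live["sha256"] else different).append(info)
    return {"live": live, "same": same, "different": different, "missing": missing}


def fake_pe(stamp, filler=b""):
    """Constructed test data: the smallest byte string pe_timestamp accepts.
    Not a real driver (a real tcpip.sys is about 350 KB)."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew: PE header at 0x40
    file_header = struct.pack("<HHI", 0x14C, 10, stamp)   # I386, 10 sections, TimeDateStamp
    return bytes(dos) + b"PE\0\0" + file_header + b"\0" * 12 + filler


def demo():
    """Run the comparison on constructed copies in a temp dir and return the result."""
    root = tempfile.mkdtemp()
    live = os.path.join(root, "drivers", "tcpip.sys")
    backups = [os.path.join(root, d, "tcpip.sys") for d in ("dllcache", "KB941644", "KB917953", "gone")]
    # Constructed: live driver, dllcache and KB941644 copies carry the Oct 30 2007
    # build stamp from the thread's second report; the KB917953 copy carries the
    # Aug 04 2004 stamp from the third; the "gone" copy is never written.
    blobs = [
        (live, fake_pe(0x47276189, b"2007 build")),
        (backups[0], fake_pe(0x47276189, b"2007 build")),
        (backups[1], fake_pe(0x47276189, b"2007 build")),
        (backups[2], fake_pe(0x41107ECF, b"2004 build")),
    ]
    for path, blob in blobs:
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(blob)
    return compare_copies(live, backups)


if __name__ == "__main__":
    # On the XP box itself this compares the real copies; elsewhere it runs the demo.
    result = compare_copies(LIVE_TCPIP, BACKUP_TCPIP) if os.path.isfile(LIVE_TCPIP) else demo()
    print("live:", result["live"]["sha256"], result["live"]["built"])
    for info in result["different"]:
        print("differs:", info["path"], info["size"], info["built"])
    print("identical:", len(result["same"]), "missing:", len(result["missing"]))
```

Run it on the machine in question to compare the real copies; anywhere else it falls back to the constructed demo. The build timestamp is the same value the VirusTotal "PEInfo" block shows as timedatestamp, so the output can be matched against the reports line by line, and a live driver that differs from its dllcache copy is the one that deserves a closer look.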
 
Hi again,

We need to send some samples for analysis.

Please download Suspicious File Packer from Safer Networking and save it to your desktop.

  1. Locate sfp.zip.
  2. Right click on sfp.zip and select Extract All....
  3. Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  4. Click on the Browse button. Click on Desktop. Then click OK.
  5. Once done, check (tick) the Show extracted files box and click Finish.
  6. Double click on sfp.exe to run it.
  7. Copy and paste the following file path into Suspicious File Packer.

    C:\WINDOWS\system32\MsnShell32.dll

  8. Click Continue.
  9. It will start packing.
  10. Once done, click here to go to Spykiller.
  11. In the Name box, type in your name.
  12. In the Email box, type in your email address.
  13. In the Subject box, copy and paste in File for Metallica.
  14. In the big text box, copy and paste this in: Link to log: http://forums.spybot.info/showthread.php?t=28830
  15. Type in the Visual Verification.
  16. In the first Attach box, browse to this file - requested-files[date].cab, where date is a number. Select this file and click Open. (This file can be found on your desktop if you extracted sfp.exe to your desktop.)
  17. Click on Post to post the message.
 
<table border="1">
<tr><td colspan="4">File tcpip.sys_ received on 2007.01.09 12:09:51 (CET)</td></tr>
<tr><td>Antivirus engine</td><td>Version</td><td>Last update</td><td>Result</td></tr>
<tr><td>AntiVir</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>Authentium</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>Avast</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>AVG</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>BitDefender</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>CAT-QuickHeal</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>ClamAV</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>DrWeb</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>eSafe</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>eTrust-InoculateIT</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>eTrust-Vet</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>Ewido</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>F-Prot</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>F-Prot4</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>Fortinet</td><td>-</td><td>-</td><td style="color: red;">suspicious</td></tr>
<tr><td>Ikarus</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>Kaspersky</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>McAfee</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>Microsoft</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>NOD32v2</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>Norman</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>Panda</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>Prevx1</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>Sophos</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>Sunbelt</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>TheHacker</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>UNA</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>VBA32</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>VirusBuster</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td colspan="4">Additional information</td></tr>
<tr><td colspan="4">MD5: b2220c618b42a2212a59d91ebd6fc4b4</td></tr>
<tr><td colspan="4">SHA1: 038bd2e0fb3074ef2e9e277047fc37bc247dc79f</td></tr>
<tr><td colspan="4">SHA256: d0fa3c6c9f9f487ece7e5ae76b91715c71847b9713bb6817fe8239c67e60bd95</td></tr>
<tr><td colspan="4">SHA512: c1daa80a3a0cc69dee0899aed469b40e16fbaae8000ae479e9a522a1591ae0638b70d1fd98043acecc50fff03bb2da7ffe07f412b23915e63b893e0faf5f76f4</td></tr>
</table>

<table border="1">
<tr><td colspan="4">File tcpip.sys received on 2008.04.20 12:33:42 (CET)</td></tr>
<tr><td>Antivirus engine</td><td>Version</td><td>Last update</td><td>Result</td></tr>
<tr><td>AhnLab-V3</td><td>2008.4.19.0</td><td>2008.04.18</td><td>-</td></tr>
<tr><td>AntiVir</td><td>7.8.0.8</td><td>2008.04.18</td><td>-</td></tr>
<tr><td>Authentium</td><td>4.93.8</td><td>2008.04.19</td><td>-</td></tr>
<tr><td>Avast</td><td>4.8.1169.0</td><td>2008.04.19</td><td>-</td></tr>
<tr><td>AVG</td><td>7.5.0.516</td><td>2008.04.19</td><td>-</td></tr>
<tr><td>BitDefender</td><td>7.2</td><td>2008.04.20</td><td>-</td></tr>
<tr><td>CAT-QuickHeal</td><td>9.50</td><td>2008.04.19</td><td>-</td></tr>
<tr><td>ClamAV</td><td>0.92.1</td><td>2008.04.20</td><td>-</td></tr>
<tr><td>DrWeb</td><td>4.44.0.09170</td><td>2008.04.19</td><td>-</td></tr>
<tr><td>eSafe</td><td>7.0.15.0</td><td>2008.04.17</td><td>-</td></tr>
<tr><td>eTrust-Vet</td><td>31.3.5714</td><td>2008.04.19</td><td>-</td></tr>
<tr><td>Ewido</td><td>4.0</td><td>2008.04.19</td><td>-</td></tr>
<tr><td>F-Prot</td><td>4.4.2.54</td><td>2008.04.20</td><td>-</td></tr>
<tr><td>F-Secure</td><td>6.70.13260.0</td><td>2008.04.19</td><td>-</td></tr>
<tr><td>FileAdvisor</td><td>1</td><td>2008.04.20</td><td>-</td></tr>
<tr><td>Fortinet</td><td>3.14.0.0</td><td>2008.04.20</td><td>-</td></tr>
<tr><td>Ikarus</td><td>T3.1.1.26.0</td><td>2008.04.20</td><td>-</td></tr>
<tr><td>Kaspersky</td><td>7.0.0.125</td><td>2008.04.20</td><td>-</td></tr>
<tr><td>McAfee</td><td>5277</td><td>2008.04.18</td><td>-</td></tr>
<tr><td>Microsoft</td><td>1.3408</td><td>2008.04.20</td><td>-</td></tr>
<tr><td>NOD32v2</td><td>3041</td><td>2008.04.19</td><td>-</td></tr>
<tr><td>Norman</td><td>5.80.02</td><td>2008.04.18</td><td>-</td></tr>
<tr><td>Panda</td><td>9.0.0.4</td><td>2008.04.19</td><td>-</td></tr>
<tr><td>Prevx1</td><td>V2</td><td>2008.04.20</td><td>-</td></tr>
<tr><td>Rising</td><td>20.40.62.00</td><td>2008.04.20</td><td>-</td></tr>
<tr><td>Sophos</td><td>4.28.0</td><td>2008.04.20</td><td>-</td></tr>
<tr><td>Sunbelt</td><td>3.0.1056.0</td><td>2008.04.17</td><td>-</td></tr>
<tr><td>Symantec</td><td>10</td><td>2008.04.20</td><td>-</td></tr>
<tr><td>TheHacker</td><td>6.2.92.285</td><td>2008.04.19</td><td>-</td></tr>
<tr><td>VBA32</td><td>3.12.6.4</td><td>2008.04.16</td><td>-</td></tr>
<tr><td>VirusBuster</td><td>4.3.26:9</td><td>2008.04.19</td><td>-</td></tr>
<tr><td>Webwasher-Gateway</td><td>6.6.2</td><td>2008.04.18</td><td>-</td></tr>
<tr><td colspan="4">Additional information</td></tr>
<tr><td colspan="4">File size: 360832 bytes</td></tr>
<tr><td colspan="4">MD5...: 64798ecfa43d78c7178375fcdd16d8c8</td></tr>
<tr><td colspan="4">SHA1..: 9f864005ebb9147012db4c2fbc0b23d8dae6cb68</td></tr>
<tr><td colspan="4">SHA256: 0866341a50166200ff82781125dad1c6ebc4593abfbadde5d45e32d32b0fe903</td></tr>
<tr><td colspan="4">SHA512: ec6b3fa6d7851f12aa87b30fe35797d934109f8618462fe5020d567f5206a1d3<BR>2fd89489487e91bccc50c61f2abbed614892dad0f8c237bbaff65565a1498b94</td></tr>
<tr><td colspan="4">PEiD..: -</td></tr>
<tr><td colspan="4">PEInfo: PE Structure information<BR><BR>( base data )<BR>entrypointaddress.: 0x60aa3<BR>timedatestamp.....: 0x47276189 (Tue Oct 30 16:53:29 2007)<BR>machinetype.......: 0x14c (I386)<BR><BR>( 10 sections )<BR>name viradd virsiz rawdsiz ntrpy md5<BR>.text 0x380 0x3ee0e 0x3ee80 6.59 fa66bf829c9ddddc255d1ce20eee8bc5<BR>.rdata 0x3f200 0x574 0x580 4.44 083e9d9bf06df4b3767e6d58ef4b263f<BR>.data 0x3f780 0xa4a4 0xa500 0.06 bc99afb1d65abc54dfba01f9847a8ee4<BR>PAGE 0x49c80 0x1f2b 0x1f80 6.38 c71600990ce103daee008973fbba0b30<BR>PAGELK 0x4bc00 0x6f2 0x700 6.21 33f8928f23d0d348c2179e13cfda242d<BR>PAGEIPMc 0x4c300 0x2781 0x2800 6.43 ebb829c092776199cfaf9458fbbef604<BR>.edata 0x4eb00 0x341 0x380 5.22 6bd092a4adbde8e251da39ff2705a069<BR>INIT 0x4ee80 0x5926 0x5980 6.19 878aed9caa342caf97f74bc4cc308955<BR>.rsrc 0x54800 0x3f0 0x400 3.41 99a26048cfca1fdf299ceabf9424a634<BR>.reloc 0x54c00 0x357c 0x3580 6.82 1e24cbade6e3ce7b4e8a9a8dc2291b8c<BR><BR>( 4 imports ) <BR>> HAL.dll: KfLowerIrql, KeRaiseIrqlToDpcLevel, 
KfReleaseSpinLock, KfAcquireSpinLock, KfRaiseIrql, KeGetCurrentIrql, KeQueryPerformanceCounter, ExAcquireFastMutex, ExReleaseFastMutex<BR>> NDIS.SYS: NdisCloseAdapter, NdisCancelSendPackets, NdisFreePacket, NdisUnchainBufferAtFront, NdisCompletePnPEvent, NdisFreePacketPool, NdisRequest, NdisAllocatePacket, NdisFreeMemory, NdisQueryAdapterInstanceName, NdisGetDriverHandle, NdisOpenAdapter, NdisAllocatePacketPoolEx, NdisGetReceivedPacket, NdisRegisterProtocol, NdisAllocateBuffer, NdisSetPacketPoolProtocolId, NdisReturnPackets, NdisCopyBuffer, NdisAllocateBufferPool, NdisFreeBufferPool, NdisReEnumerateProtocolBindings, NdisCompleteBindAdapter<BR>> ntoskrnl.exe: IoCreateDevice, _wcsicmp, wcscpy, wcsncpy, wcschr, ZwSetInformationThread, KeLeaveCriticalRegion, KeEnterCriticalRegion, KeQueryTimeIncrement, KeSetEvent, IoDeleteSymbolicLink, ExDeleteNPagedLookasideList, KeDelayExecutionThread, ZwOpenKey, KeSetTimerEx, KeInitializeTimer, KeInitializeDpc, ExInitializeNPagedLookasideList, MmLockPagableSectionByHandle, ZwQueryValueKey, ZwSetValueKey, InterlockedPopEntrySList, InterlockedPushEntrySList, ExIsProcessorFeaturePresent, RtlAddAccessAllowedAce, RtlCreateAcl, RtlLengthSid, SeExports, RtlMapGenericMask, IoGetFileObjectGenericMapping, ObReleaseObjectSecurity, SeSetSecurityDescriptorInfo, RtlLengthSecurityDescriptor, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, ObGetObjectSecurity, IofCallDriver, IoBuildDeviceIoControlRequest, IoGetDeviceObjectPointer, ObfDereferenceObject, RtlAddAce, RtlGetAce, IoCreateSymbolicLink, RtlInitializeSid, RtlLengthRequiredSid, ObSetSecurityObjectByPointer, RtlSelfRelativeToAbsoluteSD, RtlGetSaclSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, RtlGetDaclSecurityDescriptor, RtlVerifyVersionInfo, VerSetConditionMask, IoWMIRegistrationControl, IoGetCurrentProcess, KeInitializeTimerEx, RtlExtendedIntegerMultiply, KeQueryInterruptTime, _aulldiv, DbgBreakPoint, KeSetTargetProcessorDpc, RtlSetBit, 
SeUnlockSubjectContext, SeAccessCheck, SeLockSubjectContext, ObDereferenceSecurityDescriptor, PsGetCurrentProcessId, RtlWalkFrameChain, ExNotifyCallback, ExCreateCallback, ObReferenceObjectByHandle, MmUnlockPages, SeFreePrivileges, SeAppendPrivileges, ObLogSecurityDescriptor, SeAssignSecurity, IoFileObjectType, MmProbeAndLockPages, IoAllocateMdl, _except_handler3, ProbeForWrite, ObfReferenceObject, PsGetCurrentProcess, RtlPrefetchMemoryNonTemporal, KeInitializeMutex, MmIsThisAnNtAsSystem, KeWaitForSingleObject, KeReleaseMutex, KeReadStateEvent, IoDeleteDevice, ZwEnumerateValueKey, RtlUnicodeStringToInteger, RtlIpv4StringToAddressW, RtlTimeToTimeFields, ExLocalTimeToSystemTime, RtlExtendedMagicDivide, RtlAppendUnicodeToString, ZwClose, _allmul, MmQuerySystemSize, RtlCompareUnicodeString, RtlInitializeBitMap, RtlClearAllBits, RtlSetBits, wcslen, RtlAreBitsSet, RtlClearBits, RtlFindClearBitsAndSet, RtlFindClearRuns, DbgPrint, memmove, RtlCopyUnicodeString, RtlAppendUnicodeStringToString, ZwLoadDriver, KeResetEvent, IoAcquireCancelSpinLock, IoReleaseCancelSpinLock, IofCompleteRequest, ExfInterlockedAddUlong, MmMapLockedPagesSpecifyCache, IoFreeMdl, ExfInterlockedInsertTailList, RtlInitUnicodeString, MmMapLockedPages, KeNumberProcessors, RtlUnicodeStringToAnsiString, MmLockPagableDataSection, MmUnlockPagableImageSection, RtlCompareMemory, ExAllocatePoolWithTag, KeCancelTimer, KeClearEvent, RtlAnsiStringToUnicodeString, IoRaiseInformationalHardError, KeInitializeEvent, ExFreePoolWithTag, ExAllocatePoolWithTagPriority, KeInitializeSpinLock, _alldiv, KeQuerySystemTime, KefAcquireSpinLockAtDpcLevel, KefReleaseSpinLockFromDpcLevel, KeBugCheckEx, RtlSubAuthoritySid, KeTickCount, MmBuildMdlForNonPagedPool, ZwDeviceIoControlFile, ZwCreateFile<BR>> TDI.SYS: CTESystemUpTime, CTEBlock, CTELogEvent, CTESignal, CTEBlockWithTracker, CTEStartTimer, CTEInitEvent, CTEScheduleDelayedEvent, CTEInitTimer, TdiProviderReady, CTEInitialize, TdiDeregisterNetAddress, TdiRegisterNetAddress, 
TdiDeregisterDeviceObject, TdiRegisterDeviceObject, TdiDeregisterProvider, TdiRegisterProvider, TdiPnPPowerRequest, TdiCopyMdlChainToMdlChain, TdiInitialize, TdiDeregisterPnPHandlers, TdiRegisterPnPHandlers, CTEScheduleEvent, TdiCopyBufferToMdl, CTERemoveBlockTracker, CTEInsertBlockTracker, TdiMapUserRequest, TdiCopyBufferToMdlWithReservedMappingAtDpcLevel<BR><BR>( 31 exports ) <BR>ARPRcv, ARPRcvPacket, FreeIprBuff, GetIFAndLink, IPAddInterface, IPAllocBuff, IPDelInterface, IPDelayedNdisReEnumerateBindings, IPDeregisterARP, IPDisableSniffer, IPEnableSniffer, IPFreeBuff, IPGetAddrType, IPGetBestInterface, IPGetInfo, IPInjectPkt, IPProxyNdisRequest, IPRcvComplete, IPRcvPacket, IPRegisterARP, IPRegisterProtocol, IPSetIPSecStatus, IPTransmit, LookupRoute, LookupRouteInformation, LookupRouteInformationWithBuffer, SendICMPErr, SetIPSecPtr, UnSetIPSecPtr, UnSetIPSecSendPtr, tcpxsum<BR></td></tr><tr><td colspan="4">Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=64798ecfa43d78c7178375fcdd16d8c8</td></tr></table>

<table border="1">
<tr><td colspan="4">File tcpip.sys received on 2008.04.28 20:15:49 (CET)</td></tr>
<tr><td>Antivirus engine</td><td>Version</td><td>Last update</td><td>Result</td></tr>
<tr><td>AhnLab-V3</td><td>2008.4.29.0</td><td>2008.04.28</td><td>-</td></tr>
<tr><td>AntiVir</td><td>7.8.0.10</td><td>2008.04.28</td><td>-</td></tr>
<tr><td>Authentium</td><td>4.93.8</td><td>2008.04.27</td><td>-</td></tr>
<tr><td>Avast</td><td>4.8.1169.0</td><td>2008.04.28</td><td>-</td></tr>
<tr><td>AVG</td><td>7.5.0.516</td><td>2008.04.28</td><td>-</td></tr>
<tr><td>BitDefender</td><td>7.2</td><td>2008.04.28</td><td>-</td></tr>
<tr><td>CAT-QuickHeal</td><td>9.50</td><td>2008.04.28</td><td>-</td></tr>
<tr><td>ClamAV</td><td>0.92.1</td><td>2008.04.28</td><td>-</td></tr>
<tr><td>DrWeb</td><td>4.44.0.09170</td><td>2008.04.28</td><td>-</td></tr>
<tr><td>eSafe</td><td>7.0.15.0</td><td>2008.04.27</td><td>-</td></tr>
<tr><td>eTrust-Vet</td><td>31.3.5741</td><td>2008.04.28</td><td>-</td></tr>
<tr><td>Ewido</td><td>4.0</td><td>2008.04.28</td><td>-</td></tr>
<tr><td>F-Prot</td><td>4.4.2.54</td><td>2008.04.27</td><td>-</td></tr>
<tr><td>F-Secure</td><td>6.70.13260.0</td><td>2008.04.28</td><td>-</td></tr>
<tr><td>FileAdvisor</td><td>1</td><td>2008.04.28</td><td style="color: red;">No threat detected, but known vulnerabilities exist</td></tr>
<tr><td>Fortinet</td><td>3.14.0.0</td><td>2008.04.28</td><td>-</td></tr>
<tr><td>Ikarus</td><td>T3.1.1.26</td><td>2008.04.28</td><td>-</td></tr>
<tr><td>Kaspersky</td><td>7.0.0.125</td><td>2008.04.28</td><td>-</td></tr>
<tr><td>McAfee</td><td>5282</td><td>2008.04.25</td><td>-</td></tr>
<tr><td>Microsoft</td><td>1.3408</td><td>2008.04.22</td><td>-</td></tr>
<tr><td>NOD32v2</td><td>3060</td><td>2008.04.28</td><td>-</td></tr>
<tr><td>Panda</td><td>9.0.0.4</td><td>2008.04.27</td><td>-</td></tr>
<tr><td>Prevx1</td><td>V2</td><td>2008.04.28</td><td>-</td></tr>
<tr><td>Rising</td><td>20.42.01.00</td><td>2008.04.28</td><td>-</td></tr>
<tr><td>Sophos</td><td>4.28.0</td><td>2008.04.28</td><td>-</td></tr>
<tr><td>Sunbelt</td><td>3.0.1056.0</td><td>2008.04.17</td><td>-</td></tr>
<tr><td>Symantec</td><td>10</td><td>2008.04.28</td><td>-</td></tr>
<tr><td>TheHacker</td><td>6.2.92.294</td><td>2008.04.26</td><td>-</td></tr>
<tr><td>VBA32</td><td>3.12.6.5</td><td>2008.04.28</td><td>-</td></tr>
<tr><td>VirusBuster</td><td>4.3.26:9</td><td>2008.04.28</td><td>-</td></tr>
<tr><td>Webwasher-Gateway</td><td>6.6.2</td><td>2008.04.28</td><td>-</td></tr>
<tr><td colspan="4">Additional information</td></tr>
<tr><td colspan="4">File size: 359040 bytes</td></tr>
<tr><td colspan="4">MD5...: 9f4b36614a0fc234525ba224957de55c</td></tr>
<tr><td colspan="4">SHA1..: c4f3d44361a2afbc309db6993ee0ecf12b6666d1</td></tr>
<tr><td colspan="4">SHA256: 56766ef576479367c29b2ee16cf232ede2569ceb0a72bf8e38fbabc9bf7c1bec</td></tr>
<tr><td colspan="4">SHA512: cb94857fa99771ebe7bd70a2a462b2c032bea74eb3f7278faa3c233bc25dd4a3<BR>4988bb87708d16b947627db15268674d7d069c6554fe115d3d3865c8f0704e9d</td></tr>
<tr><td colspan="4">PEiD..: -</td></tr>
<tr><td colspan="4">PEInfo: PE Structure information<BR><BR>( base data )<BR>entrypointaddress.: 0x61196<BR>timedatestamp.....: 0x41107ecf (Wed Aug 04 06:14:39 2004)<BR>machinetype.......: 0x14c (I386)<BR><BR>( 10 sections )<BR>name viradd virsiz rawdsiz ntrpy md5<BR>.text 0x380 0x3e946 
0x3e980 6.60 643853ade61026df88ede2edb9ec7c33<BR>.rdata 0x3ed00 0x57c 0x580 4.42 f8464eba6b02d00de9e773b0204cee78<BR>.data 0x3f280 0xa4a4 0xa500 0.06 b3fc32b281b47111d104f80e77996f6c<BR>PAGE 0x49780 0x1f27 0x1f80 6.39 ea783b68f5cf42f310a6c23aa5236d34<BR>PAGEIPMc 0x4b700 0x2783 0x2800 6.41 b9863a636b93f57fa3f39bc70defcb54<BR>PAGELK 0x4df00 0x6f2 0x700 6.17 98b56ac9253dac973c411a2217b1124b<BR>.edata 0x4e600 0x2eb 0x300 5.30 bf33e66921dae71729e1c48f47faaf0b<BR>INIT 0x4e900 0x57f2 0x5800 6.21 194323979adbbb6a88673d8e797463ee<BR>.rsrc 0x54100 0x3f0 0x400 3.40 3ce484e663e0c007ee6a8661022ec6f2<BR>.reloc 0x54500 0x3548 0x3580 6.80 242690837b0b00c1aa768245bd09bb33<BR><BR>( 4 imports ) <BR>> ntoskrnl.exe: MmLockPagableSectionByHandle, _wcsicmp, wcscpy, wcsncpy, wcschr, RtlAppendUnicodeToString, RtlExtendedMagicDivide, ExLocalTimeToSystemTime, RtlTimeToTimeFields, RtlIpv4StringToAddressW, RtlUnicodeStringToInteger, ZwEnumerateValueKey, KeReadStateEvent, KeReleaseMutex, MmIsThisAnNtAsSystem, KeInitializeMutex, IoRaiseInformationalHardError, RtlAnsiStringToUnicodeString, RtlUnicodeStringToAnsiString, InterlockedPopEntrySList, InterlockedPushEntrySList, ZwQueryValueKey, ZwSetValueKey, ExIsProcessorFeaturePresent, RtlAddAccessAllowedAce, RtlCreateAcl, RtlLengthSid, SeExports, RtlMapGenericMask, IoGetFileObjectGenericMapping, ObReleaseObjectSecurity, SeSetSecurityDescriptorInfo, RtlLengthSecurityDescriptor, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, ObGetObjectSecurity, IofCallDriver, IoBuildDeviceIoControlRequest, IoGetDeviceObjectPointer, ObfDereferenceObject, RtlAddAce, RtlGetAce, MmLockPagableDataSection, RtlInitializeSid, RtlLengthRequiredSid, ObSetSecurityObjectByPointer, RtlSelfRelativeToAbsoluteSD, RtlGetSaclSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, RtlGetDaclSecurityDescriptor, RtlVerifyVersionInfo, VerSetConditionMask, IoWMIRegistrationControl, IoGetCurrentProcess, KeInitializeTimerEx, RtlExtendedIntegerMultiply, 
KeQueryInterruptTime, _aulldiv, DbgBreakPoint, KeSetTargetProcessorDpc, RtlSetBit, SeUnlockSubjectContext, SeAccessCheck, SeLockSubjectContext, ObDereferenceSecurityDescriptor, PsGetCurrentProcessId, RtlWalkFrameChain, _aulldvrm, ExNotifyCallback, ExCreateCallback, ObReferenceObjectByHandle, MmUnlockPages, SeFreePrivileges, SeAppendPrivileges, ObLogSecurityDescriptor, SeAssignSecurity, IoFileObjectType, MmProbeAndLockPages, IoAllocateMdl, _except_handler3, ProbeForWrite, ObfReferenceObject, PsGetCurrentProcess, RtlPrefetchMemoryNonTemporal, ExInitializeNPagedLookasideList, KeInitializeDpc, KeInitializeTimer, KeSetTimerEx, ZwClose, IoCreateDevice, IoDeleteDevice, ZwOpenKey, KeDelayExecutionThread, KeWaitForSingleObject, ExDeleteNPagedLookasideList, MmUnlockPagableImageSection, RtlInitUnicodeString, IoCreateSymbolicLink, IoDeleteSymbolicLink, KeSetEvent, KeQueryTimeIncrement, KeEnterCriticalRegion, KeLeaveCriticalRegion, ZwSetInformationThread, KeQuerySystemTime, _allmul, _alldiv, MmQuerySystemSize, ExfInterlockedInsertTailList, RtlCompareUnicodeString, RtlInitializeBitMap, RtlClearAllBits, RtlSetBits, wcslen, RtlCompareMemory, RtlAreBitsSet, RtlClearBits, RtlFindClearBitsAndSet, RtlFindClearRuns, KeCancelTimer, KeClearEvent, DbgPrint, memmove, RtlCopyUnicodeString, RtlAppendUnicodeStringToString, ZwLoadDriver, KeResetEvent, MmMapLockedPages, KeInitializeSpinLock, IoAcquireCancelSpinLock, IoReleaseCancelSpinLock, IofCompleteRequest, KeInitializeEvent, ExfInterlockedAddUlong, ExAllocatePoolWithTag, MmMapLockedPagesSpecifyCache, IoFreeMdl, KefAcquireSpinLockAtDpcLevel, KefReleaseSpinLockFromDpcLevel, KeNumberProcessors, ExFreePoolWithTag, ExAllocatePoolWithTagPriority, KeBugCheckEx, RtlSubAuthoritySid, KeTickCount, MmBuildMdlForNonPagedPool, ZwDeviceIoControlFile, ZwCreateFile<BR>> HAL.dll: KfLowerIrql, KfRaiseIrql, KfReleaseSpinLock, KfAcquireSpinLock, KeGetCurrentIrql, KeRaiseIrqlToDpcLevel, KeQueryPerformanceCounter, ExAcquireFastMutex, ExReleaseFastMutex<BR>> 
NDIS.SYS: NdisUnchainBufferAtFront, NdisAllocateBuffer, NdisFreePacket, NdisAllocatePacket, NdisSetPacketPoolProtocolId, NdisAllocatePacketPoolEx, NdisReturnPackets, NdisCompleteBindAdapter, NdisReEnumerateProtocolBindings, NdisFreeBufferPool, NdisFreePacketPool, NdisAllocateBufferPool, NdisCompletePnPEvent, NdisCloseAdapter, NdisCancelSendPackets, NdisRequest, NdisFreeMemory, NdisQueryAdapterInstanceName, NdisCopyBuffer, NdisRegisterProtocol, NdisGetReceivedPacket, NdisOpenAdapter, NdisGetDriverHandle<BR>> TDI.SYS: CTESignal, CTESystemUpTime, CTEScheduleDelayedEvent, CTEInitEvent, CTEStartTimer, CTEInitTimer, CTEBlock, TdiProviderReady, CTEInitialize, TdiDeregisterNetAddress, TdiRegisterNetAddress, TdiDeregisterDeviceObject, CTEBlockWithTracker, CTELogEvent, TdiRegisterDeviceObject, TdiCopyMdlChainToMdlChain, TdiPnPPowerRequest, TdiDeregisterProvider, TdiRegisterProvider, TdiInitialize, TdiDeregisterPnPHandlers, TdiRegisterPnPHandlers, CTEScheduleEvent, TdiCopyBufferToMdl, CTERemoveBlockTracker, CTEInsertBlockTracker, TdiMapUserRequest, TdiCopyBufferToMdlWithReservedMappingAtDpcLevel<BR><BR>( 27 exports ) <BR>FreeIprBuff, GetIFAndLink, IPAddInterface, IPAllocBuff, IPDelInterface, IPDelayedNdisReEnumerateBindings, IPDeregisterARP, IPDisableSniffer, IPEnableSniffer, IPFreeBuff, IPGetAddrType, IPGetBestInterface, IPGetInfo, IPInjectPkt, IPProxyNdisRequest, IPRegisterARP, IPRegisterProtocol, IPSetIPSecStatus, IPTransmit, LookupRoute, LookupRouteInformation, LookupRouteInformationWithBuffer, SendICMPErr, SetIPSecPtr, UnSetIPSecPtr, UnSetIPSecSendPtr, tcpxsum<BR></td></tr><tr><td colspan="4">Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=9f4b36614a0fc234525ba224957de55c</td></tr></table>

<table border="1">
<tr><td colspan="4">File tcpip.sys received on 2008.03.21 15:08:48 (CET)</td></tr>
<tr><td>Antivirus engine</td><td>Version</td><td>Last update</td><td>Result</td></tr>
<tr><td>AhnLab-V3</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>AntiVir</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>Authentium</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>Avast</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>AVG</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>BitDefender</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>CAT-QuickHeal</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>ClamAV</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>DrWeb</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>eSafe</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>eTrust-Vet</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>Ewido</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>F-Prot</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>F-Secure</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>FileAdvisor</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>Fortinet</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>Ikarus</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>Kaspersky</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>McAfee</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>Microsoft</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>NOD32v2</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>Norman</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>Panda</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>Prevx1</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>Rising</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>Sophos</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>Sunbelt</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>Symantec</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>TheHacker</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>VBA32</td><td>-</td><td>-</td><td style="color: red;">Trojan-PSW.Win32.OnLineGames</td></tr>
<tr><td>VirusBuster</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td>Webwasher-Gateway</td><td>-</td><td>-</td><td>-</td></tr>
<tr><td colspan="4">Additional information</td></tr>
<tr><td colspan="4">MD5: b4e29943b4b04bd5e7381546848e6669</td></tr>
<tr><td colspan="4">SHA1: 134f6e92e0474a32490dc169ae5ac168fa96c2b1</td></tr>
<tr><td colspan="4">SHA256: b87f7bbbf007e19f6d9fc11815425d2f404c0693c49713b449c1a773c9512472</td></tr>
<tr><td colspan="4">SHA512: e0429039376390a724d3059d864de726ee283389b636ca801d970c05d7aa667f004161f51ba1f7526628a0700c861fe3c7a200df17998740f37347773ffc8200</td></tr>
</table>

<table border="1">
<tr><td colspan="4">File tcpip.sys received on 2008.03.03 11:58:32 (CET)</td></tr>
<tr><td>Antivirus engine</td><td>Version</td><td>Last update</td><td>Result</td></tr>
<tr><td>AhnLab-V3</td><td>2008.2.29.1</td><td>2008.03.03</td><td>-</td></tr>
<tr><td>AntiVir</td><td>7.6.0.73</td><td>2008.03.03</td><td>-</td></tr>
<tr><td>Authentium</td><td>4.93.8</td><td>2008.03.02</td><td>-</td></tr>
<tr><td>Avast</td><td>4.7.1098.0</td><td>2008.03.02</td><td>-</td></tr>
<tr><td>AVG</td><td>7.5.0.516</td><td>2008.03.02</td><td>-</td></tr>
<tr><td>BitDefender</td><td>7.2</td><td>2008.03.03</td><td>-</td></tr>
<tr><td>CAT-QuickHeal</td><td>9.50</td><td>2008.03.01</td><td>-</td></tr>
<tr><td>ClamAV</td><td>0.92.1</td><td>2008.03.03</td><td>-</td></tr>
<tr><td>DrWeb</td><td>4.44.0.09170</td><td>2008.03.03</td><td>-</td></tr>
<tr><td>eSafe</td><td>7.0.15.0</td><td>2008.02.28</td><td>-</td></tr>
<tr><td>eTrust-Vet</td><td>31.3.5582</td><td>2008.03.03</td><td>-</td></tr>
<tr><td>Ewido</td><td>4.0</td><td>2008.03.02</td><td>-</td></tr>
<tr><td>F-Prot</td><td>4.4.2.54</td><td>2008.03.02</td><td>-</td></tr>
<tr><td>F-Secure</td><td>6.70.13260.0</td><td>2008.03.03</td><td>-</td></tr>
<tr><td>FileAdvisor</td><td>1</td><td>2008.03.03</td><td>-</td></tr>
<tr><td>Fortinet</td><td>3.14.0.0</td><td>2008.03.03</td><td>-</td></tr>
<tr><td>Ikarus</td><td>T3.1.1.20</td><td>2008.03.03</td><td>-</td></tr>
<tr><td>Kaspersky</td><td>7.0.0.125</td><td>2008.03.03</td><td>-</td></tr>
<tr><td>McAfee</td><td>5242</td><td>2008.02.29</td><td>-</td></tr>
<tr><td>Microsoft</td><td>1.3301</td><td>2008.03.03</td><td>-</td></tr>
<tr><td>NOD32v2</td><td>2916</td><td>2008.03.03</td><td>-</td></tr>
<tr><td>Norman</td><td>5.80.02</td><td>2008.02.29</td><td>-</td></tr>
<tr><td>Panda</td><td>9.0.0.4</td><td>2008.03.02</td><td>-</td></tr>
<tr><td>Prevx1</td><td>V2</td><td>2008.03.03</td><td>-</td></tr>
<tr><td>Rising</td><td>20.34.00.00</td><td>2008.03.03</td><td>-</td></tr>
<tr><td>Sophos</td><td>4.27.0</td><td>2008.03.03</td><td>-</td></tr>
<tr><td>Sunbelt</td><td>3.0.906.0</td><td>2008.02.28</td><td>-</td></tr>
<tr><td>Symantec</td><td>10</td><td>2008.03.03</td><td>-</td></tr>
<tr><td>TheHacker</td><td>6.2.92.231</td><td>2008.03.02</td><td>-</td></tr>
<tr><td>VBA32</td><td>3.12.6.2</td><td>2008.02.27</td><td>-</td></tr>
<tr><td>VirusBuster</td><td>4.3.26:9</td><td>2008.03.02</td><td>-</td></tr>
<tr><td>Webwasher-Gateway</td><td>6.6.2</td><td>2008.03.03</td><td>-</td></tr>
<tr><td colspan="4">Additional information</td></tr>
<tr><td colspan="4">File size: 360064 bytes</td></tr>
<tr><td colspan="4">MD5: 90caff4b094573449a0872a0f919b178</td></tr>
<tr><td colspan="4">SHA1: 01c29459e70719163d78add6b7098b8550292824</td></tr>
<tr><td colspan="4">PEiD: -</td></tr>
</table>

<table border="1">
<tr><td colspan="4">File tcpip.sys received on 2008.05.19 09:32:30 (CET)</td></tr>
<tr><td>Antivirus engine</td><td>Version</td><td>Last update</td><td>Result</td></tr>
<tr><td>AhnLab-V3</td><td>2008.5.16.0</td><td>2008.05.19</td><td>-</td></tr>
<tr><td>AntiVir</td><td>7.8.0.19</td><td>2008.05.18</td><td>-</td></tr>
<tr><td>Authentium</td><td>5.1.0.4</td><td>2008.05.18</td><td>-</td></tr>
<tr><td>Avast</td><td>4.8.1195.0</td><td>2008.05.18</td><td>-</td></tr>
<tr><td>AVG</td><td>7.5.0.516</td><td>2008.05.18</td><td>-</td></tr>
<tr><td>BitDefender</td><td>7.2</td><td>2008.05.19</td><td>-</td></tr>
<tr><td>CAT-QuickHeal</td><td>9.50</td><td>2008.05.17</td><td>-</td></tr>
<tr><td>ClamAV</td><td>0.92.1</td><td>2008.05.19</td><td>-</td></tr>
<tr><td>DrWeb</td><td>4.44.0.09170</td><td>2008.05.19</td><td>-</td></tr>
<tr><td>eSafe</td><td>7.0.15.0</td><td>2008.05.18</td><td>-</td></tr>
<tr><td>eTrust-Vet</td><td>31.4.5798</td><td>2008.05.16</td><td>-</td></tr>
<tr><td>Ewido</td><td>4.0</td><td>2008.05.18</td><td>-</td></tr>
<tr><td>F-Prot</td><td>4.4.2.54</td><td>2008.05.16</td><td>-</td></tr>
<tr><td>F-Secure</td><td>6.70.13260.0</td><td>2008.05.19</td><td>-</td></tr>
<tr><td>Fortinet</td><td>3.14.0.0</td><td>2008.05.19</td><td>-</td></tr>
<tr><td>GData</td><td>2.0.7306.1023</td><td>2008.05.19</td><td>-</td></tr>
<tr><td>Ikarus</td><td>T3.1.1.26.0</td><td>2008.05.19</td><td>-</td></tr>
<tr><td>Kaspersky</td><td>7.0.0.125</td><td>2008.05.19</td><td>-</td></tr>
<tr><td>McAfee</td><td>5297</td><td>2008.05.17</td><td>-</td></tr>
<tr><td>Microsoft</td><td>1.3408</td><td>2008.05.13</td><td>-</td></tr>
<tr><td>NOD32v2</td><td>3107</td><td>2008.05.18</td><td>-</td></tr>
<tr><td>Norman</td><td>5.80.02</td><td>2008.05.16</td><td>-</td></tr>
<tr><td>Panda</td><td>9.0.0.4</td><td>2008.05.18</td><td>-</td></tr>
<tr><td>Prevx1</td><td>V2</td><td>2008.05.19</td><td>-</td></tr>
<tr><td>Rising</td><td>20.44.62.00</td><td>2008.05.18</td><td>-</td></tr>
<tr><td>Sophos</td><td>4.29.0</td><td>2008.05.19</td><td>-</td></tr>
<tr><td>Sunbelt</td><td>3.0.1123.1</td><td>2008.05.17</td><td>-</td></tr>
<tr><td>Symantec</td><td>10</td><td>2008.05.19</td><td>-</td></tr>
<tr><td>TheHacker</td><td>6.2.92.313</td><td>2008.05.19</td><td>-</td></tr>
<tr><td>VBA32</td><td>3.12.6.6</td><td>2008.05.18</td><td>-</td></tr>
<tr><td>VirusBuster</td><td>4.3.26:9</td><td>2008.05.18</td><td>-</td></tr>
<tr><td>Webwasher-Gateway</td><td>6.6.2</td><td>2008.05.19</td><td>-</td></tr>
<tr><td colspan="4">Additional information</td></tr>
<tr><td colspan="4">File size: 360064 bytes</td></tr>
<tr><td colspan="4">MD5...: ed06c31200714e734118f9a47f5df5ce</td></tr>
<tr><td colspan="4">SHA1..: 8afdb73bee49158d6f78256e921d9502f2391b4a</td></tr>
<tr><td colspan="4">SHA256: 7c419b505f34c66700720d3722a24a1b03a3c7d18926482e76f89601a84f15b2</td></tr>
<tr><td colspan="4">SHA512: dd1e2f4dcb9ccdd62366e37bd85e6ec7d9a5b575bd6c515c735b68149adf27e5<BR>b19f21b24aad55b20a0a552d8435ed837e6f28f3baab2fe07fa7ada38d5d3cdf</td></tr>
<tr><td colspan="4">PEiD..: -</td></tr>
<tr><td colspan="4">PEInfo: PE Structure information<BR><BR>( base data )<BR>entrypointaddress.: 0x61516<BR>timedatestamp.....: 0x472767f4 (Tue Oct 30 17:20:52 2007)<BR>machinetype.......: 0x14c (I386)<BR><BR>( 10 sections )<BR>name viradd virsiz rawdsiz ntrpy md5<BR>.text 0x380 0x3ec36 0x3ec80 6.59 bf3727cc30fc9381405d704fc48cf298<BR>.rdata 0x3f000 0x57c 0x580 4.44 8e59e52de3e5dbcbceb5a3ef5f649f6e<BR>.data 0x3f580 0xa4a4 0xa500 0.06 b9a573e33adfdced8dd26084f4c34980<BR>PAGE 0x49a80 0x1f2b 0x1f80 6.39 62835585c6d5d5460c7937ca9a24a666<BR>PAGELK 0x4ba00 0x6f2 0x700 6.23 b006a6a497bb9c46495fbf448e59f7d0<BR>PAGEIPMc 0x4c100 0x2781 0x2800 6.43 f388ecb2e9459286d1f285da46acd63e<BR>.edata 0x4e900 0x341 0x380 5.22 8712af1a96dac3a5cc93d8600aeab255<BR>INIT 0x4ec80 0x5836 0x5880 6.21 6b00b0dbb4853c21ff203b0ab0e968b4<BR>.rsrc 0x54500 0x3f0 0x400 3.41 f7e220f2cc645366d35917b1d898d5a1<BR>.reloc 0x54900 0x3554 0x3580 6.80 70106385f23ac6f4e01fd4b1e2558fad<BR><BR>( 4 imports ) <BR>> HAL.dll: KfLowerIrql, KeRaiseIrqlToDpcLevel, 
KfReleaseSpinLock, KfAcquireSpinLock, KfRaiseIrql, KeGetCurrentIrql, KeQueryPerformanceCounter, ExAcquireFastMutex, ExReleaseFastMutex<BR>> NDIS.SYS: NdisCloseAdapter, NdisCancelSendPackets, NdisFreePacket, NdisUnchainBufferAtFront, NdisCompletePnPEvent, NdisFreePacketPool, NdisRequest, NdisAllocatePacket, NdisFreeMemory, NdisQueryAdapterInstanceName, NdisGetDriverHandle, NdisOpenAdapter, NdisAllocatePacketPoolEx, NdisGetReceivedPacket, NdisRegisterProtocol, NdisAllocateBuffer, NdisSetPacketPoolProtocolId, NdisReturnPackets, NdisCopyBuffer, NdisAllocateBufferPool, NdisFreeBufferPool, NdisReEnumerateProtocolBindings, NdisCompleteBindAdapter<BR>> ntoskrnl.exe: IoCreateDevice, _wcsicmp, wcscpy, wcsncpy, wcschr, ZwSetInformationThread, KeLeaveCriticalRegion, KeEnterCriticalRegion, KeQueryTimeIncrement, KeSetEvent, IoDeleteSymbolicLink, ExDeleteNPagedLookasideList, KeDelayExecutionThread, ZwOpenKey, KeSetTimerEx, KeInitializeTimer, KeInitializeDpc, ExInitializeNPagedLookasideList, MmLockPagableSectionByHandle, ZwQueryValueKey, ZwSetValueKey, InterlockedPopEntrySList, InterlockedPushEntrySList, ExIsProcessorFeaturePresent, RtlAddAccessAllowedAce, RtlCreateAcl, RtlLengthSid, SeExports, RtlMapGenericMask, IoGetFileObjectGenericMapping, ObReleaseObjectSecurity, SeSetSecurityDescriptorInfo, RtlLengthSecurityDescriptor, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, ObGetObjectSecurity, IofCallDriver, IoBuildDeviceIoControlRequest, IoGetDeviceObjectPointer, ObfDereferenceObject, RtlAddAce, RtlGetAce, IoCreateSymbolicLink, RtlInitializeSid, RtlLengthRequiredSid, ObSetSecurityObjectByPointer, RtlSelfRelativeToAbsoluteSD, RtlGetSaclSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, RtlGetDaclSecurityDescriptor, RtlVerifyVersionInfo, VerSetConditionMask, IoWMIRegistrationControl, IoGetCurrentProcess, KeInitializeTimerEx, RtlExtendedIntegerMultiply, KeQueryInterruptTime, _aulldiv, DbgBreakPoint, KeSetTargetProcessorDpc, RtlSetBit, 
SeUnlockSubjectContext, SeAccessCheck, SeLockSubjectContext, ObDereferenceSecurityDescriptor, PsGetCurrentProcessId, RtlWalkFrameChain, _aulldvrm, ExNotifyCallback, ExCreateCallback, ObReferenceObjectByHandle, MmUnlockPages, SeFreePrivileges, SeAppendPrivileges, ObLogSecurityDescriptor, SeAssignSecurity, IoFileObjectType, MmProbeAndLockPages, IoAllocateMdl, _except_handler3, ProbeForWrite, ObfReferenceObject, PsGetCurrentProcess, RtlPrefetchMemoryNonTemporal, KeInitializeMutex, MmIsThisAnNtAsSystem, KeWaitForSingleObject, KeReleaseMutex, KeReadStateEvent, IoDeleteDevice, ZwEnumerateValueKey, RtlUnicodeStringToInteger, RtlIpv4StringToAddressW, RtlTimeToTimeFields, ExLocalTimeToSystemTime, RtlExtendedMagicDivide, RtlAppendUnicodeToString, ZwClose, _allmul, MmQuerySystemSize, RtlCompareUnicodeString, RtlInitializeBitMap, RtlClearAllBits, RtlSetBits, wcslen, RtlAreBitsSet, RtlClearBits, RtlFindClearBitsAndSet, RtlFindClearRuns, DbgPrint, memmove, RtlCopyUnicodeString, RtlAppendUnicodeStringToString, ZwLoadDriver, KeResetEvent, IoAcquireCancelSpinLock, IoReleaseCancelSpinLock, IofCompleteRequest, ExfInterlockedAddUlong, MmMapLockedPagesSpecifyCache, IoFreeMdl, ExfInterlockedInsertTailList, RtlInitUnicodeString, MmMapLockedPages, KeNumberProcessors, RtlUnicodeStringToAnsiString, MmLockPagableDataSection, MmUnlockPagableImageSection, RtlCompareMemory, ExAllocatePoolWithTag, KeCancelTimer, KeClearEvent, RtlAnsiStringToUnicodeString, IoRaiseInformationalHardError, KeInitializeEvent, ExFreePoolWithTag, ExAllocatePoolWithTagPriority, KeInitializeSpinLock, _alldiv, KeQuerySystemTime, KefAcquireSpinLockAtDpcLevel, KefReleaseSpinLockFromDpcLevel, KeBugCheckEx, RtlSubAuthoritySid, KeTickCount, MmBuildMdlForNonPagedPool, ZwDeviceIoControlFile, ZwCreateFile<BR>> TDI.SYS: CTESystemUpTime, CTEBlock, CTELogEvent, CTESignal, CTEBlockWithTracker, CTEStartTimer, CTEInitEvent, CTEScheduleDelayedEvent, CTEInitTimer, TdiProviderReady, CTEInitialize, TdiDeregisterNetAddress, 
TdiRegisterNetAddress, TdiDeregisterDeviceObject, TdiRegisterDeviceObject, TdiDeregisterProvider, TdiRegisterProvider, TdiPnPPowerRequest, TdiCopyMdlChainToMdlChain, TdiInitialize, TdiDeregisterPnPHandlers, TdiRegisterPnPHandlers, CTEScheduleEvent, TdiCopyBufferToMdl, CTERemoveBlockTracker, CTEInsertBlockTracker, TdiMapUserRequest, TdiCopyBufferToMdlWithReservedMappingAtDpcLevel<BR><BR>( 31 exports ) <BR>ARPRcv, ARPRcvPacket, FreeIprBuff, GetIFAndLink, IPAddInterface, IPAllocBuff, IPDelInterface, IPDelayedNdisReEnumerateBindings, IPDeregisterARP, IPDisableSniffer, IPEnableSniffer, IPFreeBuff, IPGetAddrType, IPGetBestInterface, IPGetInfo, IPInjectPkt, IPProxyNdisRequest, IPRcvComplete, IPRcvPacket, IPRegisterARP, IPRegisterProtocol, IPSetIPSecStatus, IPTransmit, LookupRoute, LookupRouteInformation, LookupRouteInformationWithBuffer, SendICMPErr, SetIPSecPtr, UnSetIPSecPtr, UnSetIPSecSendPtr, tcpxsum<BR></td></tr></table>

Hello, I tried to create an Uninstall List by following your instructions. However, when I clicked on "Save List", it did not prompt me to save; instead the software shut off quickly without any feedback. I also tried searching my computer for the default name "uninstall_list.txt", but there was no result. Did I do something wrong?

BTW, sometimes my computer pops up a window which says "Buffer Overrun Detected". After that, my monitor shows a lot of wrong code covering my original window. Is this associated with the virus?

Thanks so much for your assistance.
 
Antivirus engine Version Last update Scan result
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-InoculateIT - - -
eTrust-Vet - - -
Ewido - - -
F-Prot - - -
F-Prot4 - - -
Fortinet - - suspicious
Ikarus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - -
Prevx1 - - -
Sophos - - -
Sunbelt - - -
TheHacker - - -
UNA - - -
VBA32 - - -
VirusBuster - - -

Additional information
MD5: b2220c618b42a2212a59d91ebd6fc4b4
SHA1: 038bd2e0fb3074ef2e9e277047fc37bc247dc79f
SHA256: d0fa3c6c9f9f487ece7e5ae76b91715c71847b9713bb6817fe8239c67e60bd95
SHA512: c1daa80a3a0cc69dee0899aed469b40e16fbaae8000ae479e9a522a1591ae0638b70d1fd98043acecc50fff03bb2da7ffe07f412b23915e63b893e0faf5f76f4

File tcpip.sys received on 2008.04.20 12:33:42 (CET)
Antivirus engine Version Last update Scan result
AhnLab-V3 2008.4.19.0 2008.04.18 -
AntiVir 7.8.0.8 2008.04.18 -
Authentium 4.93.8 2008.04.19 -
Avast 4.8.1169.0 2008.04.19 -
AVG 7.5.0.516 2008.04.19 -
BitDefender 7.2 2008.04.20 -
CAT-QuickHeal 9.50 2008.04.19 -
ClamAV 0.92.1 2008.04.20 -
DrWeb 4.44.0.09170 2008.04.19 -
eSafe 7.0.15.0 2008.04.17 -
eTrust-Vet 31.3.5714 2008.04.19 -
Ewido 4.0 2008.04.19 -
F-Prot 4.4.2.54 2008.04.20 -
F-Secure 6.70.13260.0 2008.04.19 -
FileAdvisor 1 2008.04.20 -
Fortinet 3.14.0.0 2008.04.20 -
Ikarus T3.1.1.26.0 2008.04.20 -
Kaspersky 7.0.0.125 2008.04.20 -
McAfee 5277 2008.04.18 -
Microsoft 1.3408 2008.04.20 -
NOD32v2 3041 2008.04.19 -
Norman 5.80.02 2008.04.18 -
Panda 9.0.0.4 2008.04.19 -
Prevx1 V2 2008.04.20 -
Rising 20.40.62.00 2008.04.20 -
Sophos 4.28.0 2008.04.20 -
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.20 -
TheHacker 6.2.92.285 2008.04.19 -
VBA32 3.12.6.4 2008.04.16 -
VirusBuster 4.3.26:9 2008.04.19 -
Webwasher-Gateway 6.6.2 2008.04.18 -

Additional information
File size: 360832 bytes
MD5...: 64798ecfa43d78c7178375fcdd16d8c8
SHA1..: 9f864005ebb9147012db4c2fbc0b23d8dae6cb68
SHA256: 0866341a50166200ff82781125dad1c6ebc4593abfbadde5d45e32d32b0fe903
SHA512: ec6b3fa6d7851f12aa87b30fe35797d934109f8618462fe5020d567f5206a1d32fd89489487e91bccc50c61f2abbed614892dad0f8c237bbaff65565a1498b94
PEiD..: -
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=64798ecfa43d78c7178375fcdd16d8c8

File tcpip.sys received on 2008.04.28 20:15:49 (CET)
Antivirus engine Version Last update Scan result
AhnLab-V3 2008.4.29.0 2008.04.28 -
AntiVir 7.8.0.10 2008.04.28 -
Authentium 4.93.8 2008.04.27 -
Avast 4.8.1169.0 2008.04.28 -
AVG 7.5.0.516 2008.04.28 -
BitDefender 7.2 2008.04.28 -
CAT-QuickHeal 9.50 2008.04.28 -
ClamAV 0.92.1 2008.04.28 -
DrWeb 4.44.0.09170 2008.04.28 -
eSafe 7.0.15.0 2008.04.27 -
eTrust-Vet 31.3.5741 2008.04.28 -
Ewido 4.0 2008.04.28 -
F-Prot 4.4.2.54 2008.04.27 -
F-Secure 6.70.13260.0 2008.04.28 -
FileAdvisor 1 2008.04.28 No threat detected, but known vulnerabilities exist
Fortinet 3.14.0.0 2008.04.28 -
Ikarus T3.1.1.26 2008.04.28 -
Kaspersky 7.0.0.125 2008.04.28 -
McAfee 5282 2008.04.25 -
Microsoft 1.3408 2008.04.22 -
NOD32v2 3060 2008.04.28 -
Panda 9.0.0.4 2008.04.27 -
Prevx1 V2 2008.04.28 -
Rising 20.42.01.00 2008.04.28 -
Sophos 4.28.0 2008.04.28 -
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.28 -
TheHacker 6.2.92.294 2008.04.26 -
VBA32 3.12.6.5 2008.04.28 -
VirusBuster 4.3.26:9 2008.04.28 -
Webwasher-Gateway 6.6.2 2008.04.28 -

Additional information
File size: 359040 bytes
MD5...: 9f4b36614a0fc234525ba224957de55c
SHA1..: c4f3d44361a2afbc309db6993ee0ecf12b6666d1
SHA256: 56766ef576479367c29b2ee16cf232ede2569ceb0a72bf8e38fbabc9bf7c1bec
SHA512: cb94857fa99771ebe7bd70a2a462b2c032bea74eb3f7278faa3c233bc25dd4a34988bb87708d16b947627db15268674d7d069c6554fe115d3d3865c8f0704e9d
PEiD..: -
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=9f4b36614a0fc234525ba224957de55c

檔案 tcpip.sys 接收於 2008.03.21 15:08:48 (CET)
反病毒引擎 版本 最後更新 掃瞄結果
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
Ewido - - -
F-Prot - - -
F-Secure - - -
FileAdvisor - - -
Fortinet - - -
Ikarus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - -
Prevx1 - - -
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - Trojan-PSW.Win32.OnLineGames
VirusBuster - - -
Webwasher-Gateway - - -

附加訊息
MD5: b4e29943b4b04bd5e7381546848e6669
SHA1: 134f6e92e0474a32490dc169ae5ac168fa96c2b1
SHA256: b87f7bbbf007e19f6d9fc11815425d2f404c0693c49713b449c1a773c9512472
SHA512: e0429039376390a724d3059d864de726ee283389b636ca801d970c05d7aa667f004161f51ba1f7526628a0700c861fe3c7a200df17998740f37347773ffc8200


檔案 tcpip.sys 接收於 2008.03.03 11:58:32 (CET)
反病毒引擎 版本 最後更新 掃瞄結果
AhnLab-V3 2008.2.29.1 2008.03.03 -
AntiVir 7.6.0.73 2008.03.03 -
Authentium 4.93.8 2008.03.02 -
Avast 4.7.1098.0 2008.03.02 -
AVG 7.5.0.516 2008.03.02 -
BitDefender 7.2 2008.03.03 -
CAT-QuickHeal 9.50 2008.03.01 -
ClamAV 0.92.1 2008.03.03 -
DrWeb 4.44.0.09170 2008.03.03 -
eSafe 7.0.15.0 2008.02.28 -
eTrust-Vet 31.3.5582 2008.03.03 -
Ewido 4.0 2008.03.02 -
F-Prot 4.4.2.54 2008.03.02 -
F-Secure 6.70.13260.0 2008.03.03 -
FileAdvisor 1 2008.03.03 -
Fortinet 3.14.0.0 2008.03.03 -
Ikarus T3.1.1.20 2008.03.03 -
Kaspersky 7.0.0.125 2008.03.03 -
McAfee 5242 2008.02.29 -
Microsoft 1.3301 2008.03.03 -
NOD32v2 2916 2008.03.03 -
Norman 5.80.02 2008.02.29 -
Panda 9.0.0.4 2008.03.02 -
Prevx1 V2 2008.03.03 -
Rising 20.34.00.00 2008.03.03 -
Sophos 4.27.0 2008.03.03 -
Sunbelt 3.0.906.0 2008.02.28 -
Symantec 10 2008.03.03 -
TheHacker 6.2.92.231 2008.03.02 -
VBA32 3.12.6.2 2008.02.27 -
VirusBuster 4.3.26:9 2008.03.02 -
Webwasher-Gateway 6.6.2 2008.03.03 -

附加訊息
File size: 360064 bytes
MD5: 90caff4b094573449a0872a0f919b178
SHA1: 01c29459e70719163d78add6b7098b8550292824
PEiD: -


檔案 tcpip.sys 接收於 2008.05.19 09:32:30 (CET)
反病毒引擎 版本 最後更新 掃瞄結果
AhnLab-V3 2008.5.16.0 2008.05.19 -
AntiVir 7.8.0.19 2008.05.18 -
Authentium 5.1.0.4 2008.05.18 -
Avast 4.8.1195.0 2008.05.18 -
AVG 7.5.0.516 2008.05.18 -
BitDefender 7.2 2008.05.19 -
CAT-QuickHeal 9.50 2008.05.17 -
ClamAV 0.92.1 2008.05.19 -
DrWeb 4.44.0.09170 2008.05.19 -
eSafe 7.0.15.0 2008.05.18 -
eTrust-Vet 31.4.5798 2008.05.16 -
Ewido 4.0 2008.05.18 -
F-Prot 4.4.2.54 2008.05.16 -
F-Secure 6.70.13260.0 2008.05.19 -
Fortinet 3.14.0.0 2008.05.19 -
GData 2.0.7306.1023 2008.05.19 -
Ikarus T3.1.1.26.0 2008.05.19 -
Kaspersky 7.0.0.125 2008.05.19 -
McAfee 5297 2008.05.17 -
Microsoft 1.3408 2008.05.13 -
NOD32v2 3107 2008.05.18 -
Norman 5.80.02 2008.05.16 -
Panda 9.0.0.4 2008.05.18 -
Prevx1 V2 2008.05.19 -
Rising 20.44.62.00 2008.05.18 -
Sophos 4.29.0 2008.05.19 -
Sunbelt 3.0.1123.1 2008.05.17 -
Symantec 10 2008.05.19 -
TheHacker 6.2.92.313 2008.05.19 -
VBA32 3.12.6.6 2008.05.18 -
VirusBuster 4.3.26:9 2008.05.18 -
Webwasher-Gateway 6.6.2 2008.05.19 -

附加訊息
File size: 360064 bytes
MD5...: ed06c31200714e734118f9a47f5df5ce
SHA1..: 8afdb73bee49158d6f78256e921d9502f2391b4a
SHA256: 7c419b505f34c66700720d3722a24a1b03a3c7d18926482e76f89601a84f15b2
SHA512: dd1e2f4dcb9ccdd62366e37bd85e6ec7d9a5b575bd6c515c735b68149adf27e5b19f21b24aad55b20a0a552d8435ed837e6f28f3baab2fe07fa7ada38d5d3cdf
PEiD..: -
 
Hello,

Sorry for the delay. We shall skip the Uninstall list for now.

Run CFScript

Please open a new Notepad file and copy and paste the following in the Code box into Notepad:

Code:
http://forums.spybot.info/showthread.php?p=197702#post197702

File::
C:\WINDOWS\system32\lnafsody.ini
C:\WINDOWS\system32\texwtpji.ini
C:\WINDOWS\system32\eyiqflsg.ini
C:\WINDOWS\system32\mgoowcpj.ini
C:\WINDOWS\system32\wcvayejn.ini

Collect::
C:\WINDOWS\system32\jwchjnxv.dll
C:\WINDOWS\system32\ljJDSKAP.dll
C:\WINDOWS\system32\iifgEvSL.dll
C:\WINDOWS\system32\MsnShell32.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1B4801D3-9A53-4618-8E45-BED464CE2CBC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{522E0112-EDD9-413D-A99E-C311A54B6676}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91446146-892A-4C2C-9809-C3F9DD58CA35}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE4D7D2A-2A38-4F2B-AAAC-0FD83BD73F7E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6345D5D-4DD5-4EDF-87EA-1B62542F9B5D}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{522E0112-EDD9-413D-A99E-C311A54B6676}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"MsnShell32"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJDSKAP]

Warning: The above script is just for tony6725. If you are not tony6725, please do not use this script as it may damage the workings of your system.

Click on File > Save As....

In the File Name field, copy and paste in CFScript.txt. Do not change the file name.

Click Save.

Referring to the picture below, drag CFScript into Combofix.

[image: CFScript.gif]


Combofix will start running. When done, a log will be produced. Please post this log in your next reply.

In addition, it will prompt you to submit some files for analyzing.

[image: CF-Submit_notice.gif]


Click OK.

Copy and paste the file path into the text box next to the Browse button (boxed up in red).

[image: cfsumbit320.png]


Click on Send File.

Do not mouse click on Combofix while it is running. That may cause it to stall.

In your next reply, please post:

  1. Combofix log (C:\Combofix.txt)
  2. A new HijackThis log
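As an added example (not part of the post above and not ComboFix's own code), a Python script that parses a CFScript's File::, Collect:: and Registry:: sections and then checks which of the File::/Collect:: targets the resulting ComboFix log lists in its removal sections, so the helper's "post the log" step can be checked mechanically. Both inputs are constructed from paths in this thread, and the log layout it relies on (removal sections first, ended by the dated "files created" banner) is an assumption.

```python
import re

# Constructed sample CFScript in the layout the post above uses: the thread
# URL on the first line, then File::, Collect:: and Registry:: blocks.
SAMPLE_CFSCRIPT = r"""http://forums.spybot.info/showthread.php?p=197702#post197702

File::
C:\WINDOWS\system32\lnafsody.ini
C:\WINDOWS\system32\texwtpji.ini

Collect::
C:\WINDOWS\system32\jwchjnxv.dll
C:\WINDOWS\system32\MsnShell32.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{522E0112-EDD9-413D-A99E-C311A54B6676}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"MsnShell32"=-
"""

# Constructed excerpt of a ComboFix log. Assumption about the layout: the
# removal sections come first and the dated "files created" banner ends them.
SAMPLE_LOG = r"""ComboFix 08-05-29.1 - TOSHIBA 2008-06-01 16:28:39.4 - NTFSx86
FILE ::
C:\WINDOWS\system32\lnafsody.ini
C:\WINDOWS\system32\texwtpji.ini
.
(((((((((((((((((((((((( Other deleted files ))))))))))))))))))))))))
.
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\jbxgsbdc.dll
.
---- Previous Run -------
.
C:\WINDOWS\system32\jwchjnxv.dll
C:\WINDOWS\system32\lnafsody.ini
.
(((((((((((((((((((( 2008-05-01 - 2008-06-01 files created ))))))))))))))))))))
.
2008-05-31 02:12 . 2008-05-31 02:12 <DIR> d-------- C:\Program Files\Trend Micro
"""

SECTION_HEADER = re.compile(r"^[A-Za-z]+::$")   # File::, Collect::, Registry::
WINDOWS_PATH = re.compile(r"^[A-Za-z]:\\")      # a line that is a drive path
DATED_BANNER = re.compile(r"^\(+.*\d{4}-\d{2}-\d{2} - \d{4}-\d{2}-\d{2}")


def parse_cfscript(text):
    """Map each 'Name::' section to its non-empty lines; text before the
    first header (the thread URL) is skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SECTION_HEADER.match(line):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_registry_ops(lines):
    """Turn Registry:: lines into (op, key, value) tuples using REGEDIT4
    rules: '[-KEY]' deletes a key, '[KEY]' selects one, '"Name"=-' deletes
    a value under the selected key."""
    ops, key = [], None
    for line in lines:
        if line.startswith("[-") and line.endswith("]"):
            ops.append(("delete_key", line[2:-1], None))
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        else:
            m = re.fullmatch(r'"([^"]+)"=-', line)
            if m and key is not None:
                ops.append(("delete_value", key, m.group(1)))
    return ops


def removed_paths(log):
    """Casefolded paths listed in the log's removal sections, i.e. every
    path-looking line before the dated 'files created' banner."""
    found = set()
    for raw in log.splitlines():
        line = raw.strip()
        if DATED_BANNER.match(line):
            break
        if WINDOWS_PATH.match(line):
            found.add(line.casefold())
    return found


def verify_script(cfscript, log):
    """Split File::/Collect:: targets into those the log lists in its
    removal sections and those it never mentions (manual follow-up)."""
    sections = parse_cfscript(cfscript)
    targets = sections.get("File", []) + sections.get("Collect", [])
    handled = removed_paths(log)
    return {
        "confirmed": [t for t in targets if t.casefold() in handled],
        "unconfirmed": [t for t in targets if t.casefold() not in handled],
    }
```

Run `verify_script(open("CFScript.txt").read(), open("C:/Combofix.txt", encoding="utf-8", errors="replace").read())` against the real files; anything under "unconfirmed" is what to look at in the next HijackThis log.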
 
ComboFix 08-05-29.1 - TOSHIBA 2008-06-01 16:28:39.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.950.1.1028.18.291 [GMT 1:00]
執行位置?: C:\Documents and Settings\TOSHIBA\桌面\ComboFix.exe
Command switches used :: C:\Documents and Settings\TOSHIBA\桌面\CFScript.txt
* 已建立新的還原點
* Resident AV is active


FILE ::
C:\WINDOWS\system32\eyiqflsg.ini
C:\WINDOWS\system32\lnafsody.ini
C:\WINDOWS\system32\mgoowcpj.ini
C:\WINDOWS\system32\texwtpji.ini
C:\WINDOWS\system32\wcvayejn.ini
.

(((((((((((((((((((((((((((((((((((((( 其他遭刪除的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM1b5f3051.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ddcDwxxw.dll
C:\WINDOWS\system32\fpjoafdj.ini
C:\WINDOWS\system32\jbxgsbdc.dll
C:\WINDOWS\system32\jdfaojpf.dll
C:\WINDOWS\system32\wxxwDcdd.ini
C:\WINDOWS\system32\wxxwDcdd.ini2
.
---- Previous Run -------
.
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\eyiqflsg.ini
C:\WINDOWS\system32\iifgEvSL.dll
C:\WINDOWS\system32\jwchjnxv.dll
C:\WINDOWS\system32\ljJDSKAP.dll
C:\WINDOWS\system32\lnafsody.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mgoowcpj.ini
C:\WINDOWS\system32\MsnShell32.dll
C:\WINDOWS\system32\texwtpji.ini
C:\WINDOWS\system32\wcvayejn.ini

.
(((((((((((((((((((((((((((( 2008-05-01 - 2008-06-01 之間建立的檔案 )))))))))))))))))))))))))))))))))
.

2008-05-31 02:12 . 2008-05-31 02:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-30 19:46 . 2008-05-30 19:46 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-30 19:46 . 2008-05-30 19:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-30 13:50 . 2008-05-31 01:25 326 --a------ C:\WINDOWS\wininit.ini
2008-05-29 18:57 . 2008-05-29 18:57 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-29 18:57 . 2008-05-29 20:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-29 02:48 . 2007-08-13 18:52 66,048 --a------ C:\WINDOWS\ieResetIcons.exe
2008-05-29 01:19 . 2008-05-29 01:19 <DIR> d-------- C:\Documents and Settings\TOSHIBA\Application Data\Lavasoft
2008-05-29 01:17 . 2008-05-29 01:17 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-29 00:15 . 2008-05-29 00:15 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-28 02:25 . 2008-05-28 02:25 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-28 02:25 . 2008-05-28 02:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-28 01:16 . 2007-07-12 22:33 87,552 --a------ C:\WINDOWS\system32\cpwmon2k.dll
2008-05-28 01:13 . 2008-05-28 01:13 <DIR> d-------- C:\Program Files\Acro Software
2008-05-24 21:01 . 2008-05-24 21:03 <DIR> d-------- C:\Program Files\Zattoo
2008-05-24 03:08 . 2008-05-24 03:08 <DIR> d-------- C:\Program Files\PPLive
2008-05-24 03:08 . 2008-05-24 03:08 <DIR> d-------- C:\Program Files\Common Files\Synacast
2008-05-22 01:16 . 2008-05-22 01:16 <DIR> d-------- C:\Documents and Settings\TOSHIBA\Application Data\LinkedIn

.
(((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 15:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-06-01 15:35 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\DNA
2008-06-01 14:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-31 19:30 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\Skype
2008-05-30 15:34 --------- d-----w C:\Program Files\Foxy
2008-05-29 20:05 --------- d-----w C:\Program Files\Eset
2008-05-28 15:22 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\BitTorrent
2008-05-28 01:25 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-29 13:47 --------- d-----w C:\Program Files\TVAnts
2008-04-28 17:15 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-04-28 00:10 49,864 ----a-w C:\Documents and Settings\TOSHIBA\Application Data\GDIPFONTCACHEV1.DAT
2008-04-27 19:29 11,381 ----a-w C:\WINDOWS\E220AutoRunLog.tmp
2008-04-24 20:51 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\3M
2008-04-24 20:50 --------- d-----w C:\Program Files\3M
2008-04-22 23:45 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\ppstream
2008-04-20 00:52 --------- d-----w C:\Program Files\Kontiki
2008-04-20 00:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-17 19:23 --------- d-----w C:\Program Files\Apple Software Update
2008-04-17 17:03 --------- d-----w C:\Program Files\Google
2008-04-16 23:11 --------- d-----w C:\Program Files\TVAntsX
2008-04-13 23:20 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\foobar2000
2008-04-07 23:59 --------- d-----w C:\Program Files\iTunes
2008-04-07 23:57 --------- d-----w C:\Program Files\iPod
2008-04-07 23:54 --------- d-----w C:\Program Files\QuickTime
2008-04-07 00:23 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\toshiba
.

------- Sigcheck -------

2006-04-20 13:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 17:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-12 13:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2007-11-06 23:42 359808 b4e29943b4b04bd5e7381546848e6669 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2007-10-30 18:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 18:20 360064 ed06c31200714e734118f9a47f5df5ce C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2008-05-31_15.42.00.41 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-31 14:32:56 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-01 15:37:13 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-01 15:37:25 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_240.dat
.
(((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*注意* 空白或合法的登錄值將不會顯示

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 13:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-25 18:21 68856]
"ezHelper"="C:\Program Files\ezHelper\ezHelper.exe" [2006-11-30 03:59 456192]
"foxy"="C:\Program Files\Foxy\Foxy.exe" [2008-05-29 19:37 1160704]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-08 13:45 289088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-12 13:00 208952]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [2004-06-28 10:24 258048]
"000StTHK"="000StTHK.exe" [2001-06-23 13:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-04-06 17:19 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-04-06 17:07 114688]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 03:52 1368064]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 09:46 192512]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-06-13 10:21 122880]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 08:00 88363 C:\WINDOWS\agrsmmsg.exe]
"TFNF5"="TFNF5.exe" [2003-12-02 07:15 73728 C:\WINDOWS\system32\TFNF5.exe]
"TPSMain"="TPSMain.exe" [2004-06-01 13:43 278528 C:\WINDOWS\system32\TPSMain.exe]
"NDSTray.exe"="NDSTray.exe" []
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-03-02 06:45 135168]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-12 13:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-12 13:00 59392]
"CJIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.exe" [2003-07-14 14:57 63040]
"PHIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.exe" [2003-07-14 14:57 95296]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-01-26 06:36 495616]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-08-08 15:16 921600]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 22:45 279912]
"VX1000"="C:\WINDOWS\vVX1000.exe" [2007-04-10 22:46 709992]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-24 16:37 185632]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-17 18:03 29744]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"Device Detector"="DevDetect.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-12 13:00 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [ ]

C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
Google 更新器.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-25 18:21:28 125624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 18:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ASUS\\WL-330 Utilities\\Discovery330.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\ezPeerPlus\\ezPeerPlus.exe"=
"C:\\Program Files\\Foxy\\Foxy.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"C:\\Program Files\\TVAnts\\Tvants.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\SopCast\\sopvod.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Zattoo\\zattood.exe"=
"C:\\Program Files\\Zattoo\\Zattoo2.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10018:TCP"= 10018:TCP:Foxy (192.168.1.43:10018) 10018 TCP
"10018:UDP"= 10018:UDP:Foxy (192.168.1.43:10018) 10018 UDP

R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2007-05-17 22:45]
S3 ASINDIS5;ASINDIS5 Protocol Driver;C:\WINDOWS\system32\ASINDIS5.SYS [2002-09-10 12:35]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-17 18:03]
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);C:\WINDOWS\system32\DRIVERS\sea1bus.sys [2007-02-08 05:55]
S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\sea1mdfl.sys [2007-02-08 05:55]
S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\sea1mdm.sys [2007-02-08 05:55]
S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\sea1mgmt.sys [2007-02-08 05:56]
S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);C:\WINDOWS\system32\DRIVERS\sea1nd5.sys [2007-02-08 05:56]
S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\sea1obex.sys [2007-02-08 05:56]
S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);C:\WINDOWS\system32\DRIVERS\sea1unic.sys [2007-02-08 05:56]
S3 VX1000;VX-1000;C:\WINDOWS\system32\DRIVERS\VX1000.sys [2007-04-10 22:46]

.
排程工作資料夾的內容
"2008-05-29 15:03:40 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 16:38:16
Windows 5.1.2600 Service Pack 2 NTFS

掃描隱藏的程序...

掃描隱藏的進程...

掃描隱藏的檔案...


folder error: C:\Documents and Settings\TOSHIBA\「開始」功能表\程式集\啟動\
folder error: C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\3M\PDNotes\PDNotes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\File Manager\SendToDevice.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\SoftwareDistribution\Download\21c6169d3e46f366cb5d1751adb8cb13\update\update.exe
.
**************************************************************************
.
完成時間?: 2008-06-01 16:49:25 - machine was rebooted [TOSHIBA]
ComboFix-quarantined-files.txt 2008-06-01 15:48:07
ComboFix2.txt 2008-05-31 14:45:43

13 個目錄 15,433,850,880 位元組可用
17 個目錄 15,417,511,936 位元組可用

240 --- E O F --- 2008-05-16 11:35:20


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 下午 04:56:49, on 2008/6/1
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\vVX1000.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\3M\PDNotes\PDNotes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\File Manager\SendToDevice.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ezHelper] C:\Program Files\ezHelper\ezHelper.exe 300
O4 - HKCU\..\Run: [foxy] "C:\Program Files\Foxy\Foxy.exe" -tray
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Foxy 下載 - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy 搜尋 - res://C:\Program Files\Foxy\Foxy.exe/search.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.webmail.hinet.net
O15 - Trusted Zone: webmail.hinet.net
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1159CFA4-6BEA-4ED4-8166-5556B1BFB232} (pocx Control) - http://202.133.245.200/iCF20071025.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4C833081-D026-4FF8-968F-7EAB660D2FBA} (TVAnts ActiveX Control) - http://download.tvants.com/pub/tvants/tvants1/win32/cab/tvants.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {5F4D222D-5EEE-40A8-8810-5642B4E4F441} (KENCAPI Class) - https://ebank.tcb-bank.com.tw/netbank/html/ib/pages/FSCAPIATL.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1185374795424
O16 - DPF: {C01170CC-AF05-46C3-88BC-2C120DCEE288} (KooPlayer Control) - http://www.im.tv/IMTVPlayer.ocx
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://extranet.cranfield.ac.uk/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{40233121-6B0E-4121-8A54-6B29E63F652F}: NameServer = 138.250.1.75,138.250.1.67
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod 服務 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 14183 bytes


BTW, Combo did not prompt me to send any file to analyse. When it finished, the blue window shut off automatically. Then the Windows Update function, which had been out of work for a while, has worked. Are these phenomena right?
 
Hi,

I'm not sure for the Windows Update part, but Combofix should ask you to upload some files for analysis.

On your desktop, can you find this file - [4]-Submit_date@time.zip ?

date@time is the date and time Combofix created this file.

If so, please visit this website and upload this file - http://www.bleepingcomputer.com/submit-malware.php?channel=4

In the "Link to topic where this file was requested:" box, copy and paste in http://forums.spybot.info/showthread.php?p=197702#post197702

Find files

Please open Notepad and copy and paste the following in the Code box into Notepad:

Code:
dir C:\*.* /L /A /B /S|Find /I "USBKey.exe" >> "%userprofile%\desktop\look.txt"
dir C:\*.* /L /A /B /S|Find /I "MsnHelp.exe" >> "%userprofile%\desktop\look.txt"
notepad "%userprofile%\desktop\look.txt"

Click on File > Save As....

In the File Name box, copy and paste in find.bat

In the Save As Type box, select All Files from the drop-down list.

Click Save.

Double click on find.bat to run it. Command Prompt will open, followed by Notepad afterwards. Please post the contents of this Notepad file in your next reply.

Note: Searching for files can take some time. Please be patient.
 
Hello, I can't really find the file created by Combo. What I can find on my desktop is "requested-files[2008-06-01_00_10].cab". In order to make sure this is the right file, I ran Combo again, and the result is still the same. Hence, I uploaded the file; you can see if it is the right one.

Also, I tried to do what you instructed me, running fat.bat. But the pop-up window tells me it cannot find the path, so apparently there are no forthcoming instructions coming out.

What can I do?
 
Hi,

The files have been deleted, that's why no zipped files are created.

Show hidden files

  1. Open My Computer.
  2. Go to Tools > Folder Options.
  3. Select the View tab.
  4. Scroll down to Hidden files and folders.
  5. Select Show hidden files and folders.
  6. Uncheck (untick) Hide extensions of known file types.
  7. Uncheck (untick) Hide protected operating system files (Recommended).
  8. Click Yes when prompted.
  9. Click OK.

Navigate to this folder - C:\Windows\Downloaded Program Files

If a file named USBKey.exe is present, please let me know.

Find a file

  1. Download FileFind.zip by Atribune and save it to your desktop.
  2. Locate the FileFind.zip that you've downloaded earlier.
  3. Right click on FileFind.zip and select Extract All....
  4. Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  5. Click on the Browse button. Click on Desktop. Then click OK.
  6. Once done, check (tick) the Show extracted files box and click Finish.
  7. Double click on FileFind.exe to run it.
  8. Enter MsnHelp.exe into the File: box.
  9. Click on the Search button.
  10. After a while a list of file locations will appear in the List of Files: box.
  11. Click on the Export button.
  12. This will create a Notepad file named Export.txt located in C drive.
  13. Please copy and paste it to your next reply.
 
Sorry for my late response because of my business trip. I have checked; there is no USBKEY file in the place you mentioned above.

However, when I tried to download FileFind, the webpage seems to have been removed already (can't display the webpage).

Thanks for your help
 
The website is down for the moment.

Please check all your hard disk drives for the presence of this file:

C:\RECYCLER\MsnHelp.exe

If you have more hard disk drives (example, D:\ and E:\) , make sure that MsnHelp.exe is not present.

If it's present, please delete the files.
 
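The search the helper's find.bat performs (and the later request to check every drive for MsnHelp.exe) can be done in one script. The following is an added Python example, not code from the thread or from any of the tools it names: it walks the given roots, matches the two indicator file names from the thread case-insensitively (NTFS ignores case, so a lowercase copy must still be found), keeps going past folders it cannot read, and writes a look.txt-style report. The sample directory tree is constructed inline so the script runs offline; `local_drive_roots()` is the helper you would pass on a real Windows host.

```python
"""Locate suspect files by name across one or more directory trees.

Added example (not the forum helper's batch file). Indicator names come
from the thread; the directory tree built in demo() is constructed.
"""
import os
import string
import tempfile

# File names the helper asked to search for (taken from the thread).
SUSPECT_NAMES = ("USBKey.exe", "MsnHelp.exe")


def _report_walk_error(err):
    """os.walk calls this for unreadable folders; log and keep walking."""
    print(f"skipping unreadable folder: {err.filename}: {err.strerror}")


def find_files(roots, names):
    """Return sorted full paths under any of `roots` whose file name equals
    one of `names`, compared case-insensitively (NTFS is case-preserving but
    case-insensitive, so 'msnhelp.exe' and 'MsnHelp.exe' are the same file).
    Hidden and system files are included because os.walk does not filter them.
    """
    wanted = {n.lower() for n in names}
    hits = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root, onerror=_report_walk_error):
            for fn in filenames:
                if fn.lower() in wanted:
                    hits.append(os.path.join(dirpath, fn))
    return sorted(hits)


def local_drive_roots():
    """Roots of every drive letter present on a Windows host (C:\\, D:\\, ...).
    On non-Windows platforms this returns an empty list."""
    return [f"{letter}:\\" for letter in string.ascii_uppercase
            if os.path.exists(f"{letter}:\\")]


def write_report(hits, report_path):
    """Write one matched path per line, mirroring the helper's look.txt."""
    with open(report_path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(hits) + "\n" if hits else "no matching files found\n")
    return report_path


def demo():
    """Build a constructed tree with two planted matches and one decoy, run
    the search, and return the matches relative to the tree root."""
    with tempfile.TemporaryDirectory() as tmp:
        planted = [
            os.path.join(tmp, "RECYCLER", "msnhelp.exe"),                      # lowercase on disk
            os.path.join(tmp, "WINDOWS", "Downloaded Program Files", "USBKey.exe"),
            os.path.join(tmp, "Program Files", "MsnHelper.exe"),               # decoy: must not match
        ]
        for path in planted:
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"constructed placeholder, not a real binary")
        hits = find_files([tmp], SUSPECT_NAMES)
        write_report(hits, os.path.join(tmp, "look.txt"))
        return [os.path.relpath(h, tmp).replace(os.sep, "/") for h in hits]


if __name__ == "__main__":
    # On a real machine: find_files(local_drive_roots(), SUSPECT_NAMES)
    print(demo())
```

Running `demo()` reports the two planted files and ignores the decoy; on a live system, pass `local_drive_roots()` instead of the temporary tree so that D:\ and E:\ are covered in the same pass. A name match alone is only a lead: a file at the reported path still needs to be checked against the vendor's detection before anything is deleted.
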
Sounds good.

Delete your current copy of Combofix and download it from one of these links:

Bleeping Computer
Forospyware
Geeks to Go

Save it to your desktop.

Disable NOD32 Antivirus temporarily

Please disable NOD32 Antivirus temporarily as it may interfere with the fixes. Remember to re-enable it back before posting the logs!

Please navigate to the system tray on the bottom right hand corner and look for a [nod32.png] icon.

  • Open it and click on the [nod32_quit.png] button.
  • A popup will warn that protection will now be disabled. Click on Yes to disable the Antivirus guard.

Run Combofix

Double click on ComboFix.exe to run it. When done, a log will be produced. Please post this log, together with a new HijackThis log, in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

In your next reply, please post:

  1. Combofix log (C:\Combofix.txt)
  2. A new HijackThis log
 
ComboFix 08-06-07.1 - TOSHIBA 2008-06-07 23:37:48.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.950.1.1028.18.297 [GMT 1:00]
執行位置?: C:\Documents and Settings\TOSHIBA\桌面\ComboFix.exe
* 已建立新的還原點
* Resident AV is active

.

(((((((((((((((((((((((((((( 2008-05-07 - 2008-06-07 之間建立的檔案 )))))))))))))))))))))))))))))))))
.

2008-06-05 03:12 . 2008-06-05 03:12 <DIR> d-------- C:\WINDOWS\Visca Barcelona! Uninstaller
2008-06-05 03:12 . 2008-02-20 16:50 903,680 --a------ C:\WINDOWS\Visca Barcelona!.scr
2008-06-05 03:12 . 2008-05-29 01:52 657,837 --a------ C:\WINDOWS\Visca Barcelona!.swf
2008-06-05 03:12 . 2008-05-29 01:49 640,056 --a------ C:\WINDOWS\Visca Barcelona!.bmp
2008-06-05 03:12 . 2008-02-20 16:49 495,104 --a------ C:\WINDOWS\Visca Barcelona!.exe
2008-06-05 03:12 . 2008-05-29 01:43 42,422 --a------ C:\WINDOWS\Visca Barcelona!.ico
2008-06-05 03:12 . 2008-05-29 01:52 678 --a------ C:\WINDOWS\Visca Barcelona!.c3
2008-06-05 03:12 . 2008-05-29 01:52 678 --a------ C:\WINDOWS\Visca Barcelona!.c1
2008-06-05 03:12 . 2006-10-24 17:06 639 --a------ C:\WINDOWS\Visca Barcelona!.c4
2008-06-05 03:12 . 2006-10-08 19:33 0 --a------ C:\WINDOWS\Visca Barcelona!.ini
2008-05-31 02:12 . 2008-05-31 02:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-30 19:46 . 2008-05-30 19:46 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-30 19:46 . 2008-05-30 19:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-30 13:50 . 2008-05-31 01:25 326 --a------ C:\WINDOWS\wininit.ini
2008-05-29 18:57 . 2008-05-29 18:57 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-29 18:57 . 2008-05-29 20:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-29 02:48 . 2007-08-13 18:52 66,048 --a------ C:\WINDOWS\ieResetIcons.exe
2008-05-29 01:19 . 2008-05-29 01:19 <DIR> d-------- C:\Documents and Settings\TOSHIBA\Application Data\Lavasoft
2008-05-29 01:17 . 2008-05-29 01:17 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-29 00:15 . 2008-05-29 00:15 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-28 02:25 . 2008-05-28 02:25 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-28 02:25 . 2008-05-28 02:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-28 01:16 . 2007-07-12 22:33 87,552 --a------ C:\WINDOWS\system32\cpwmon2k.dll
2008-05-28 01:13 . 2008-05-28 01:13 <DIR> d-------- C:\Program Files\Acro Software
2008-05-24 21:01 . 2008-06-05 21:20 <DIR> d-------- C:\Program Files\Zattoo
2008-05-24 03:08 . 2008-05-24 03:08 <DIR> d-------- C:\Program Files\PPLive
2008-05-24 03:08 . 2008-05-24 03:08 <DIR> d-------- C:\Program Files\Common Files\Synacast
2008-05-22 01:16 . 2008-05-22 01:16 <DIR> d-------- C:\Documents and Settings\TOSHIBA\Application Data\LinkedIn

.
(((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-07 22:35 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\BitTorrent
2008-06-07 22:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-06-07 16:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-06 09:40 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\Skype
2008-06-05 21:28 --------- d-----w C:\Program Files\Google
2008-06-05 07:38 50,720 ----a-w C:\Documents and Settings\TOSHIBA\Application Data\GDIPFONTCACHEV1.DAT
2008-05-30 15:34 --------- d-----w C:\Program Files\Foxy
2008-05-29 20:05 --------- d-----w C:\Program Files\Eset
2008-05-28 01:25 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-29 13:47 --------- d-----w C:\Program Files\TVAnts
2008-04-28 17:15 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-04-27 19:29 11,381 ----a-w C:\WINDOWS\E220AutoRunLog.tmp
2008-04-24 20:51 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\3M
2008-04-24 20:50 --------- d-----w C:\Program Files\3M
2008-04-22 23:45 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\ppstream
2008-04-20 00:52 --------- d-----w C:\Program Files\Kontiki
2008-04-20 00:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-17 19:23 --------- d-----w C:\Program Files\Apple Software Update
2008-04-16 23:11 --------- d-----w C:\Program Files\TVAntsX
2008-04-13 23:20 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\foobar2000
2008-04-07 23:59 --------- d-----w C:\Program Files\iTunes
2008-04-07 23:57 --------- d-----w C:\Program Files\iPod
2008-04-07 23:54 --------- d-----w C:\Program Files\QuickTime
2008-04-07 00:23 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\toshiba
2008-03-25 04:49 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:49 158,496 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-20 08:03 1,844,864 ----a-w C:\WINDOWS\system32\win32k.sys
.

------- Sigcheck -------

2006-04-20 13:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 17:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-12 13:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2007-11-06 23:42 359808 b4e29943b4b04bd5e7381546848e6669 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2007-10-30 18:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 18:20 360064 ed06c31200714e734118f9a47f5df5ce C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot_2008-06-01_21.23.22.78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-02-26 11:48:56 296,960 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\SP2QFE\msctf.dll
+ 2007-03-06 03:45:38 12,000 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\spmsg.dll
+ 2007-03-06 03:45:43 207,072 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\spuninst.exe
+ 2007-03-06 03:45:37 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\spcustom.dll
+ 2007-03-06 03:46:01 690,912 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\update.exe
+ 2007-03-06 03:46:53 328,928 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\updspapi.dll
- 2008-06-01 20:05:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-07 19:58:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-02-26 11:59:27 293,888 -c----w C:\WINDOWS\system32\dllcache\msctf.dll
- 2007-08-13 17:54:10 765,952 -c--a-w C:\WINDOWS\system32\dllcache\VGX.dll
+ 2007-07-12 23:30:24 765,952 -c--a-w C:\WINDOWS\system32\dllcache\vgx.dll
- 2004-08-12 12:00:00 293,376 ----a-w C:\WINDOWS\system32\MSCTF.dll
+ 2008-02-26 11:59:27 293,888 ----a-w C:\WINDOWS\system32\msctf.dll
+ 2008-06-07 20:00:14 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_340.dat
+ 2008-06-05 02:12:29 728,911 ----a-w C:\WINDOWS\Visca Barcelona! Uninstaller\unins000.exe
.
(((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*注意* 空白或合法的登錄值將不會顯示

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 13:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-25 18:21 68856]
"ezHelper"="C:\Program Files\ezHelper\ezHelper.exe" [2006-11-30 03:59 456192]
"foxy"="C:\Program Files\Foxy\Foxy.exe" [2008-05-29 19:37 1160704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-12 13:00 208952]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [2004-06-28 10:24 258048]
"000StTHK"="000StTHK.exe" [2001-06-23 13:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-04-06 17:19 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-04-06 17:07 114688]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 03:52 1368064]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 09:46 192512]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-06-13 10:21 122880]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 08:00 88363 C:\WINDOWS\agrsmmsg.exe]
"TFNF5"="TFNF5.exe" [2003-12-02 07:15 73728 C:\WINDOWS\system32\TFNF5.exe]
"TPSMain"="TPSMain.exe" [2004-06-01 13:43 278528 C:\WINDOWS\system32\TPSMain.exe]
"NDSTray.exe"="NDSTray.exe" []
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-03-02 06:45 135168]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-12 13:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-12 13:00 59392]
"CJIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.exe" [2003-07-14 14:57 63040]
"PHIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.exe" [2003-07-14 14:57 95296]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-01-26 06:36 495616]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-08-08 15:16 921600]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 22:45 279912]
"VX1000"="C:\WINDOWS\vVX1000.exe" [2007-04-10 22:46 709992]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-24 16:37 185632]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-17 18:03 29744]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"Device Detector"="DevDetect.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-12 13:00 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [ ]

C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
Google 更新器.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-25 18:21:28 125624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 18:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ASUS\\WL-330 Utilities\\Discovery330.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\ezPeerPlus\\ezPeerPlus.exe"=
"C:\\Program Files\\Foxy\\Foxy.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"C:\\Program Files\\TVAnts\\Tvants.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\SopCast\\sopvod.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Zattoo\\zattood.exe"=
"C:\\Program Files\\Zattoo\\Zattoo2.exe"=
"C:\\Program Files\\Zattoo\\Zattoo.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10018:TCP"= 10018:TCP:Foxy (192.168.1.43:10018) 10018 TCP
"10018:UDP"= 10018:UDP:Foxy (192.168.1.43:10018) 10018 UDP

R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2007-05-17 22:45]
S3 ASINDIS5;ASINDIS5 Protocol Driver;C:\WINDOWS\system32\ASINDIS5.SYS [2002-09-10 12:35]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-17 18:03]
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);C:\WINDOWS\system32\DRIVERS\sea1bus.sys [2007-02-08 05:55]
S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\sea1mdfl.sys [2007-02-08 05:55]
S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\sea1mdm.sys [2007-02-08 05:55]
S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\sea1mgmt.sys [2007-02-08 05:56]
S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);C:\WINDOWS\system32\DRIVERS\sea1nd5.sys [2007-02-08 05:56]
S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\sea1obex.sys [2007-02-08 05:56]
S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);C:\WINDOWS\system32\DRIVERS\sea1unic.sys [2007-02-08 05:56]
S3 VX1000;VX-1000;C:\WINDOWS\system32\DRIVERS\VX1000.sys [2007-04-10 22:46]

.
排程工作資料夾的內容
"2008-06-05 15:03:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-07 23:41:42
Windows 5.1.2600 Service Pack 2 NTFS

掃描隱藏的程序...

C:\WINDOWS\explorer.exe [2100] 0x817E5020

掃描隱藏的進程...

掃描隱藏的檔案...


folder error: C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
folder error: C:\Documents and Settings\TOSHIBA\「開始」功能表\程式集\啟動\

掃描完成
隱藏檔案?: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
完成時間?: 2008-06-07 23:43:36
ComboFix-quarantined-files.txt 2008-06-07 22:42:50

13 個目錄 14,782,140,416 位元組可用
16 個目錄 15,124,828,160 位元組可用

206 --- E O F --- 2008-06-02 08:42:22


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 下午 11:53:41, on 2008/6/7
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\3M\PDNotes\PDNotes.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ezHelper] C:\Program Files\ezHelper\ezHelper.exe 300
O4 - HKCU\..\Run: [foxy] "C:\Program Files\Foxy\Foxy.exe" -tray
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Foxy 下載 - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy 搜尋 - res://C:\Program Files\Foxy\Foxy.exe/search.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.webmail.hinet.net
O15 - Trusted Zone: webmail.hinet.net
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1159CFA4-6BEA-4ED4-8166-5556B1BFB232} (pocx Control) - http://202.133.245.200/iCF20071025.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4C833081-D026-4FF8-968F-7EAB660D2FBA} (TVAnts ActiveX Control) - http://download.tvants.com/pub/tvants/tvants1/win32/cab/tvants.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {5F4D222D-5EEE-40A8-8810-5642B4E4F441} (KENCAPI Class) - https://ebank.tcb-bank.com.tw/netbank/html/ib/pages/FSCAPIATL.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1185374795424
O16 - DPF: {C01170CC-AF05-46C3-88BC-2C120DCEE288} (KooPlayer Control) - http://www.im.tv/IMTVPlayer.ocx
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://extranet.cranfield.ac.uk/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{40233121-6B0E-4121-8A54-6B29E63F652F}: NameServer = 138.250.1.75,138.250.1.67
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod 服務 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 13616 bytes
 
Did you install these?

C:\WINDOWS\Visca Barcelona! Uninstaller
C:\WINDOWS\Visca Barcelona!.scr
C:\WINDOWS\Visca Barcelona!.swf
C:\WINDOWS\Visca Barcelona!.bmp
C:\WINDOWS\Visca Barcelona!.exe
C:\WINDOWS\Visca Barcelona!.ico
C:\WINDOWS\Visca Barcelona!.c3
C:\WINDOWS\Visca Barcelona!.c1
C:\WINDOWS\Visca Barcelona!.c4
C:\WINDOWS\Visca Barcelona!.ini


2008-06-07 22:35 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\BitTorrent

Reminder: Don't use P2P programs while we are still cleaning the computer.

http://forums.spybot.info/showpost.php?p=197452&postcount=2
 