Problem to remove Virtumonde virus [Archive]

View Full Version : Problem to remove Virtumonde virus

tony6725

2008-05-31, 03:32

Here is my lod of Karpersky and Hijack below. Could someone help me to look whether the virus has been completely killed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at と 02:13:30, on 2008/5/31
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\vVX1000.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ezHelper\ezHelper.exe
C:\Program Files\Foxy\Foxy.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\3M\PDNotes\PDNotes.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! ㄣ - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1B4801D3-9A53-4618-8E45-BED464CE2CBC} - C:\WINDOWS\system32\opnkhhge.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {522E0112-EDD9-413D-A99E-C311A54B6676} - C:\WINDOWS\system32\ljJDSKAP.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {91446146-892A-4C2C-9809-C3F9DD58CA35} - C:\WINDOWS\system32\mlJBTkLe.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {BE4D7D2A-2A38-4F2B-AAAC-0FD83BD73F7E} - C:\WINDOWS\system32\cbXOGYPH.dll (file missing)
O2 - BHO: (no name) - {E6345D5D-4DD5-4EDF-87EA-1B62542F9B5D} - C:\WINDOWS\system32\byXPJYoo.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [186c03cd] rundll32.exe "C:\WINDOWS\system32\ydosfanl.dll",b
O4 - HKLM\..\Run: [BM1b5f3051] Rundll32.exe "C:\WINDOWS\system32\qvwnvmfa.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ezHelper] C:\Program Files\ezHelper\ezHelper.exe 300
O4 - HKCU\..\Run: [foxy] "C:\Program Files\Foxy\Foxy.exe" -tray
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Foxy 更 - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy 穓碝 - res://C:\Program Files\Foxy\Foxy.exe/search.htm
O8 - Extra context menu item: 蹲 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java 北 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: 把σ戈 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.webmail.hinet.net
O15 - Trusted Zone: webmail.hinet.net
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1159CFA4-6BEA-4ED4-8166-5556B1BFB232} (pocx Control) - http://202.133.245.200/iCF20071025.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4C833081-D026-4FF8-968F-7EAB660D2FBA} (TVAnts ActiveX Control) - http://download.tvants.com/pub/tvants/tvants1/win32/cab/tvants.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} (PowerPlayer Control) - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {5F4D222D-5EEE-40A8-8810-5642B4E4F441} (KENCAPI Class) - https://ebank.tcb-bank.com.tw/netbank/html/ib/pages/FSCAPIATL.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185374795424
O16 - DPF: {C01170CC-AF05-46C3-88BC-2C120DCEE288} (KooPlayer Control) - http://www.im.tv/IMTVPlayer.ocx
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://extranet.cranfield.ac.uk/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{40233121-6B0E-4121-8A54-6B29E63F652F}: NameServer = 138.250.1.75,138.250.1.67
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: ljJDSKAP - C:\WINDOWS\SYSTEM32\ljJDSKAP.dll
O21 - SSODL: MsnShell32 - {35CEC8A3-2BE6-11D2-8773-92E220524250} - C:\WINDOWS\system32\MsnShell32.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod 狝叭 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 15327 bytes

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, May 30, 2008 10:16:42 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/05/2008
Kaspersky Anti-Virus database records: 815162
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\

Scan Statistics:
Total number of scanned objects: 102669
Number of viruses found: 18
Number of infected objects: 29
Number of suspicious objects: 0
Duration of the scan process: 02:20:15

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Kontiki\error.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\TOSHIBA\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\appLauncher_all_log.txt Object is locked skipped
C:\Documents and Settings\TOSHIBA\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\DM_log.txt Object is locked skipped
C:\Documents and Settings\TOSHIBA\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\HookStarter_log.txt Object is locked skipped
C:\Documents and Settings\TOSHIBA\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\SpecificUSB_log.txt Object is locked skipped
C:\Documents and Settings\TOSHIBA\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\TlibCmnDlgs_log.txt Object is locked skipped
C:\Documents and Settings\TOSHIBA\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\ApplicationHistory\PDNotes.exe.36dea9c6.ini.inuse Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\dbc2e.ht1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\dbdam Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\dbdao Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\dbeam Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\dbeao Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\dbm Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\dbu2d.ht1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\dbvm.cf1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\dbvmh.ht1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\fii.cf1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\fiih.ht1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\hp Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\hpt2i.ht1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\rpm.cf1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\rpm1m.cf1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\rpm1mh.ht1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\rpmh.ht1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\safeweb\goog-black-enchashm.cf1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\safeweb\goog-black-enchashmh.ht1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\safeweb\goog-black-urlm.cf1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\safeweb\goog-black-urlmh.ht1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\safeweb\goog-malware-domainm.cf1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\safeweb\goog-malware-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\safeweb\goog-white-domainm.cf1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Google\Google Desktop\9bee3ebc48b2\safeweb\goog-white-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Outlook\OutlookHotmail-00000002.pst/Hotmail/Infected Items/15 Jan 2007 05:16 from Onechina:price 15-Jan-2007/price15-Jan-2007.zip/bqqfbwcj.exe Infected: Email-Worm.Win32.Bagle.gt skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Outlook\OutlookHotmail-00000002.pst/Hotmail/Infected Items/15 Jan 2007 05:16 from Onechina:price 15-Jan-2007/price15-Jan-2007.zip Infected: Email-Worm.Win32.Bagle.gt skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Outlook\OutlookHotmail-00000002.pst MailMSMaill: infected - 2 skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Temp\Perflib_Perfdata_d64.dat Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Temp\~DFEFCA.tmp Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Temporary Internet Files\Content.IE5\85S4CUHB\kb456456[1] Infected: Trojan.Win32.Monder.le skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Temporary Internet Files\Content.IE5\8G0B3YZ6\install_en[1].cab/UGA6P_0001_N122M2802NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Temporary Internet Files\Content.IE5\8G0B3YZ6\install_en[1].cab CAB: infected - 1 skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\TOSHIBA\Local Settings\Temporary Internet Files\Content.IE5\WQAS7XII\index[2].htm Infected: Trojan.JS.Pakes.l skipped
C:\Documents and Settings\TOSHIBA\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\TOSHIBA\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Eset\cache\CACHE.NDB Object is locked skipped
C:\Program Files\Eset\infected\23RGQNCA.NQF Infected: Trojan.Win32.Agent.hfr skipped
C:\Program Files\Eset\infected\CKDPTXBA.NQF Infected: Trojan.Win32.Agent.cnm skipped
C:\Program Files\Eset\infected\ESVQV5AA.NQF/nodfix.exe Infected: Trojan-Downloader.Win32.Agent.qzz skipped
C:\Program Files\Eset\infected\ESVQV5AA.NQF CAB: infected - 1 skipped
C:\Program Files\Eset\infected\ESVQV5AA.NQF PE-Crypt.XorPE: infected - 1 skipped
C:\Program Files\Eset\infected\MJKO1RBA.NQF Infected: Trojan.Win32.Inject.ud skipped
C:\Program Files\Eset\infected\QKKCMDAA.NQF Infected: Worm.Win32.Skipi.c skipped
C:\Program Files\Eset\infected\TJ4YF0DA.NQF Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Program Files\Eset\infected\XGG0DGAA.NQF Infected: Trojan-Dropper.Win32.Agent.bdj skipped
C:\Program Files\Eset\logs\virlog.dat Object is locked skipped
C:\Program Files\Eset\logs\warnlog.dat Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{FE01E12C-C4D0-4F4E-80E6-4A25B7882A1A}\RP229\A0040913.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vjr skipped
C:\System Volume Information\_restore{FE01E12C-C4D0-4F4E-80E6-4A25B7882A1A}\RP240\A0042194.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vps skipped
C:\System Volume Information\_restore{FE01E12C-C4D0-4F4E-80E6-4A25B7882A1A}\RP240\A0042197.dll Object is locked skipped
C:\System Volume Information\_restore{FE01E12C-C4D0-4F4E-80E6-4A25B7882A1A}\RP240\A0042257.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vqd skipped
C:\System Volume Information\_restore{FE01E12C-C4D0-4F4E-80E6-4A25B7882A1A}\RP240\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{D9C30512-377F-4959-B375-14863BD90F81}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\eorroyyp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vqh skipped
C:\WINDOWS\system32\fsungpdg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vqd skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\iifgEvSL.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.trt skipped
C:\WINDOWS\system32\ijptwxet.dll Infected: Trojan.Win32.Monder.le skipped
C:\WINDOWS\system32\jpcwoogm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vnb skipped
C:\WINDOWS\system32\ljJDSKAP.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.trt skipped
C:\WINDOWS\system32\MsDtc\MSDTC.LOG Object is locked skipped
C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log Object is locked skipped
C:\WINDOWS\system32\MsnShell32.dll Infected: Backdoor.Win32.Agent.gkf skipped
C:\WINDOWS\system32\qvwnvmfa.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vqf skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\ydosfanl.dll Infected: Trojan.Win32.Monder.le skipped
C:\WINDOWS\system32\yvhrwowj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vqh skipped
C:\WINDOWS\Temp\Perflib_Perfdata_4dc.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped

Scan process completed.

ndmmxiaomayi

2008-05-31, 10:40

Hi,

Welcome to Safer Networking.

Bittorrent is installed on your computer and I see that it's running. While Bittorrent is a clean P2P program, there's no guarantee that the files downloaded are. Please refrain from using it /them while cleaning your computer to prevent getting more infections.

A list of clean and infected P2P programs can be found at Malware Removal (http://p2p.malwareremoval.com/) and Spyware Info (http://www.spywareinfo.com/articles/p2p/).

The risks of using a P2P program are stated in this Sourceforge website (http://aresgalaxy.sourceforge.net/p2prisks.htm) and Information Week article (http://www.informationweek.com/security/showArticle.jhtml?articleID=53200209&pgno=2&queryText=).
____________________

Do you work or study in Cranfield University ?

Do you also do banking online at this bank - http://www.tcb-bank.com.tw/wps/portal ?

Please also read this sticky (http://forums.spybot.info/showthread.php?t=282).

Run ATF Cleaner

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) and save it to your desktop.

Double click on ATF-Cleaner.exe to run it.

Click on Main at the top.
Tick all the boxes except the Prefetch and Cookies box.
Click on Empty Selected button.

If you use Firefox

Click on Firefox at the top.
Tick all the boxes except Firefox Cookies and Firefox Saved Passwords.
Click on Empty Selected button.

If you use Opera

Click on Opera at the top.
Tick all the boxes except Opera Cookies and Opera Saved Passwords.
Click on Empty Selected button.

Close ATF Cleaner when you are done.

Disable NOD32 Antivirus temporarily

Please disable NOD#2 Antivirus temporarily as it may interfere with the fixes. Remember to re-enable it back before posting the logs!

Please navigate to the system tray on the bottom right hand corner and look for a http://i94.photobucket.com/albums/l84/SillyGerman/BleepingComputer/nod32.png icon.

Open it and click on the http://i94.photobucket.com/albums/l84/SillyGerman/BleepingComputer/nod32_quit.png button.
A popup will warn that protection will now be disabled. Click on Yes to disable the Antivirus guard.

Run Combofix

If you already have Combofix, please delete this copy and download it again as it's being updated regularly.

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once Recovery Console is installed, you should see a blue screen prompt like the one below:

http://img.photobucket.com/albums/v706/ried7/RC_whatnext.gif

Click Yes to allow Combofix to continue scanning for malware.

When done, a log will be produced. Please post that log and a new HijackThis log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

Create Uninstall list

In your next reply, please post:

Combofix log (C:\Combofix.txt)
A new HijackThis log
Uninstall list

tony6725

2008-05-31, 17:02

here they are:

ComboFix 08-05-29.1 - TOSHIBA 2008-05-31 15:20:28.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.950.1.1028.18.347 [GMT 1:00]
磅︽竚?: C:\Documents and Settings\TOSHIBA\\ComboFix.exe
* Resident AV is active

.

(((((((((((((((((((((((((((((((((((((( Other files have been deleted ))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM1b5f3051.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\dxitpbqh.dll
C:\WINDOWS\system32\eghhknpo.ini
C:\WINDOWS\system32\eghhknpo.ini2
C:\WINDOWS\system32\eLkTBJlm.ini
C:\WINDOWS\system32\eLkTBJlm.ini2
C:\WINDOWS\system32\eorroyyp.dll
C:\WINDOWS\system32\fsungpdg.dll
C:\WINDOWS\system32\gdpgnusf.ini
C:\WINDOWS\system32\HPYGOXbc.ini
C:\WINDOWS\system32\HPYGOXbc.ini2
C:\WINDOWS\system32\hqbptixd.ini
C:\WINDOWS\system32\ikRsDJlm.ini
C:\WINDOWS\system32\ikRsDJlm.ini2
C:\WINDOWS\system32\lbjjqrbt.dll
C:\WINDOWS\system32\mlJDsRki.dll
C:\WINDOWS\system32\ooYJPXyb.ini
C:\WINDOWS\system32\ooYJPXyb.ini2
C:\WINDOWS\system32\qvwnvmfa.dll
C:\WINDOWS\system32\yvhrwowj.dll
.
---- Previous Run -------
.
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\mcrh.tmp

.
(((((((((((((((((((((((((((( Files created from 2008-04-28 - 2008-05-31 )))))))))))))))))))))))))))))))))
.

C:\ComboFix\CreateD00.bat .
2008-05-31 02:12 . 2008-05-31 02:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-30 19:46 . 2008-05-30 19:46 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-30 19:46 . 2008-05-30 19:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-30 19:43 . 2008-05-31 03:10 1,486,198 --ahs---- C:\WINDOWS\system32\lnafsody.ini
2008-05-30 19:35 . 2008-05-30 19:35 2,795 --a------ C:\WINDOWS\system32\jwchjnxv.dll
2008-05-30 14:16 . 2008-05-30 19:43 1,474,015 --ahs---- C:\WINDOWS\system32\texwtpji.ini
2008-05-30 13:50 . 2008-05-31 01:25 326 --a------ C:\WINDOWS\wininit.ini
2008-05-30 01:25 . 2008-05-30 14:06 646 --ahs---- C:\WINDOWS\system32\eyiqflsg.ini
2008-05-29 18:57 . 2008-05-29 18:57 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-29 18:57 . 2008-05-29 20:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-29 02:48 . 2007-08-13 18:52 66,048 --a------ C:\WINDOWS\ieResetIcons.exe
2008-05-29 01:19 . 2008-05-29 01:19 <DIR> d-------- C:\Documents and Settings\TOSHIBA\Application Data\Lavasoft
2008-05-29 01:17 . 2008-05-29 01:17 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-29 00:15 . 2008-05-29 00:15 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-28 13:41 . 2008-05-28 13:42 1,454,391 --ahs---- C:\WINDOWS\system32\mgoowcpj.ini
2008-05-28 02:25 . 2008-05-28 02:25 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-28 02:25 . 2008-05-28 02:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-28 01:24 . 2008-05-28 13:43 1,463,858 --ahs---- C:\WINDOWS\system32\wcvayejn.ini
2008-05-28 01:16 . 2007-07-12 22:33 87,552 --a------ C:\WINDOWS\system32\cpwmon2k.dll
2008-05-28 01:13 . 2008-05-28 01:13 <DIR> d-------- C:\Program Files\Acro Software
2008-05-28 01:13 . 2008-05-28 01:13 58,880 --a------ C:\WINDOWS\system32\ljJDSKAP.dll
2008-05-28 01:13 . 2008-05-28 01:13 58,880 --a------ C:\WINDOWS\system32\iifgEvSL.dll
2008-05-24 21:01 . 2008-05-24 21:03 <DIR> d-------- C:\Program Files\Zattoo
2008-05-24 03:08 . 2008-05-24 03:08 <DIR> d-------- C:\Program Files\PPLive
2008-05-24 03:08 . 2008-05-24 03:08 <DIR> d-------- C:\Program Files\Common Files\Synacast
2008-05-22 01:16 . 2008-05-22 01:16 <DIR> d-------- C:\Documents and Settings\TOSHIBA\Application Data\LinkedIn
2008-04-29 01:34 . 2008-04-29 14:47 <DIR> d-------- C:\Program Files\TVAnts
2008-04-27 20:29 . 2007-04-16 12:02 100,736 -ra------ C:\WINDOWS\system32\drivers\ewusbmdm.sys
2008-04-27 20:28 . 2008-04-27 20:29 11,381 --a------ C:\WINDOWS\E220AutoRunLog.tmp
2008-04-24 21:51 . 2008-04-24 21:51 <DIR> d-------- C:\Documents and Settings\TOSHIBA\Application Data\3M
2008-04-24 21:50 . 2008-04-24 21:50 <DIR> d-------- C:\Program Files\3M
2008-04-20 01:52 . 2008-04-20 01:52 <DIR> d-------- C:\Program Files\Kontiki
2008-04-20 01:52 . 2008-05-31 15:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kontiki
2008-04-20 01:14 . 2008-05-31 15:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-20 01:14 . 2008-04-20 01:14 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-20 01:03 . 2008-04-20 01:29 <DIR> d-------- C:\WINDOWS\system32\undefined
2008-04-17 20:23 . 2008-04-17 20:23 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-17 00:45 . 2008-05-26 01:45 1,160 --a------ C:\WINDOWS\powerplayer.ini
2008-04-17 00:44 . 2008-05-26 01:48 627 --a------ C:\WINDOWS\psnetwork.ini
2008-04-17 00:11 . 2008-04-17 00:11 <DIR> d-------- C:\Program Files\TVAntsX
2008-04-13 01:58 . 2008-04-14 00:20 <DIR> d-------- C:\Documents and Settings\TOSHIBA\Application Data\foobar2000
2008-04-08 00:57 . 2008-04-08 00:57 <DIR> d-------- C:\Program Files\iPod
2008-04-05 20:20 . 2008-04-05 20:20 46,000 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-04-01 10:01 . 2007-02-12 12:41 2,732,032 -ra------ C:\WINDOWS\system32\Netw2r32.dll
2008-04-01 10:01 . 2007-02-12 12:40 557,056 -ra------ C:\WINDOWS\system32\Netw2c32.dll

.
(((((((((((((((((((((((((((((((((((( るず笆郎 )))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-31 14:31 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\DNA
2008-05-31 11:56 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\Skype
2008-05-31 02:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-30 15:34 --------- d-----w C:\Program Files\Foxy
2008-05-29 20:05 --------- d-----w C:\Program Files\Eset
2008-05-28 15:22 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\BitTorrent
2008-05-28 01:25 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-28 17:15 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-04-28 00:10 49,864 ----a-w C:\Documents and Settings\TOSHIBA\Application Data\GDIPFONTCACHEV1.DAT
2008-04-22 23:45 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\ppstream
2008-04-20 00:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-17 17:03 --------- d-----w C:\Program Files\Google
2008-04-07 23:59 --------- d-----w C:\Program Files\iTunes
2008-04-07 23:54 --------- d-----w C:\Program Files\QuickTime
2008-04-07 00:23 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\toshiba
2008-03-25 04:49 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:49 158,496 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-20 08:03 1,844,864 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-20 06:50 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:33 45,056 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-01 11:11 586,240 ----a-w C:\WINDOWS\WLXPGSS.SCR
.

------- Sigcheck -------

2006-04-20 13:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 17:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-12 13:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2007-11-06 23:42 359808 b4e29943b4b04bd5e7381546848e6669 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2007-10-30 18:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 18:20 360064 ed06c31200714e734118f9a47f5df5ce C:\WINDOWS\system32\drivers\tcpip.sys
.
(((((((((((((((((((((((((((((((((((((((((( 璶祅魁郎 )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*猔種* フ┪猭祅魁盢ぃ穦陪ボ

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1B4801D3-9A53-4618-8E45-BED464CE2CBC}]
C:\WINDOWS\system32\opnkhhge.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{522E0112-EDD9-413D-A99E-C311A54B6676}]
2008-05-28 01:13 58880 --a------ C:\WINDOWS\system32\ljJDSKAP.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91446146-892A-4C2C-9809-C3F9DD58CA35}]
C:\WINDOWS\system32\mlJBTkLe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE4D7D2A-2A38-4F2B-AAAC-0FD83BD73F7E}]
C:\WINDOWS\system32\cbXOGYPH.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6345D5D-4DD5-4EDF-87EA-1B62542F9B5D}]
C:\WINDOWS\system32\byXPJYoo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 13:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-25 18:21 68856]
"ezHelper"="C:\Program Files\ezHelper\ezHelper.exe" [2006-11-30 03:59 456192]
"foxy"="C:\Program Files\Foxy\Foxy.exe" [2008-05-29 19:37 1160704]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-08 13:45 289088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-12 13:00 208952]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [2004-06-28 10:24 258048]
"000StTHK"="000StTHK.exe" [2001-06-23 13:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-04-06 17:19 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-04-06 17:07 114688]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 03:52 1368064]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 09:46 192512]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-06-13 10:21 122880]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 08:00 88363 C:\WINDOWS\agrsmmsg.exe]
"TFNF5"="TFNF5.exe" [2003-12-02 07:15 73728 C:\WINDOWS\system32\TFNF5.exe]
"TPSMain"="TPSMain.exe" [2004-06-01 13:43 278528 C:\WINDOWS\system32\TPSMain.exe]
"NDSTray.exe"="NDSTray.exe" []
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-03-02 06:45 135168]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-12 13:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-12 13:00 59392]
"CJIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.exe" [2003-07-14 14:57 63040]
"PHIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.exe" [2003-07-14 14:57 95296]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-01-26 06:36 495616]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-08-08 15:16 921600]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 22:45 279912]
"VX1000"="C:\WINDOWS\vVX1000.exe" [2007-04-10 22:46 709992]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-24 16:37 185632]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-17 18:03 29744]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"Device Detector"="DevDetect.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-12 13:00 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [ ]

C:\Documents and Settings\All Users\秨﹍\祘Α栋\币笆\
Google 穝竟.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-25 18:21:28 125624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 18:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{522E0112-EDD9-413D-A99E-C311A54B6676}"= C:\WINDOWS\system32\ljJDSKAP.dll [2008-05-28 01:13 58880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"MsnShell32"= {35CEC8A3-2BE6-11D2-8773-92E220524250} - C:\WINDOWS\system32\MsnShell32.dll [2004-08-12 13:00 16384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJDSKAP]
ljJDSKAP.dll 2008-05-28 01:13 58880 C:\WINDOWS\system32\ljJDSKAP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ASUS\\WL-330 Utilities\\Discovery330.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\ezPeerPlus\\ezPeerPlus.exe"=
"C:\\Program Files\\Foxy\\Foxy.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"C:\\Program Files\\TVAnts\\Tvants.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\SopCast\\sopvod.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Zattoo\\zattood.exe"=
"C:\\Program Files\\Zattoo\\Zattoo2.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6494:TCP"= 6494:TCP:Foxy (127.0.0.1:6494) 6494 TCP
"6494:UDP"= 6494:UDP:Foxy (127.0.0.1:6494) 6494 UDP

S3 ASINDIS5;ASINDIS5 Protocol Driver;C:\WINDOWS\system32\ASINDIS5.SYS [2002-09-10 12:35]
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);C:\WINDOWS\system32\DRIVERS\sea1bus.sys [2007-02-08 05:55]
S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\sea1mdfl.sys [2007-02-08 05:55]
S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\sea1mdm.sys [2007-02-08 05:55]
S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\sea1mgmt.sys [2007-02-08 05:56]
S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);C:\WINDOWS\system32\DRIVERS\sea1nd5.sys [2007-02-08 05:56]
S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\sea1obex.sys [2007-02-08 05:56]
S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);C:\WINDOWS\system32\DRIVERS\sea1unic.sys [2007-02-08 05:56]

.
逼祘戈Жず甧
"2008-05-29 15:03:40 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-31 15:34:22
Windows 5.1.2600 Service Pack 2 NTFS

苯磞留旅祘...

苯磞留旅秈祘...

苯磞留旅郎...

folder error: C:\Documents and Settings\All Users\秨﹍\祘Α栋\币笆\
folder error: C:\Documents and Settings\TOSHIBA\秨﹍\祘Α栋\币笆\
C:\Documents and Settings\TOSHIBA\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1440111801-1623072934-2751514922-1006\de72adef885537255121e63e575be015_34649e78-0466-4518-a584-882733689d40

苯磞ЧΘ
留旅郎?: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\ljJDSKAP.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\conime.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\3M\PDNotes\PDNotes.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
.
**************************************************************************
.
ЧΘ丁?: 2008-05-31 15:45:41 - machine was rebooted [TOSHIBA]
ComboFix-quarantined-files.txt 2008-05-31 14:44:31

13 ヘ魁 15,255,920,640 じ舱ノ
17 ヘ魁 15,207,010,304 じ舱ノ

275 --- E O F --- 2008-05-16 11:35:20

Logfile of Trend Micro HijackThis v2.0.2Scan saved at と 03:50:11, on 2008/5/31
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\vVX1000.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\ezHelper\ezHelper.exe
C:\Program Files\Foxy\Foxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\3M\PDNotes\PDNotes.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! ㄣ - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1B4801D3-9A53-4618-8E45-BED464CE2CBC} - C:\WINDOWS\system32\opnkhhge.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {522E0112-EDD9-413D-A99E-C311A54B6676} - C:\WINDOWS\system32\ljJDSKAP.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {91446146-892A-4C2C-9809-C3F9DD58CA35} - C:\WINDOWS\system32\mlJBTkLe.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {BE4D7D2A-2A38-4F2B-AAAC-0FD83BD73F7E} - C:\WINDOWS\system32\cbXOGYPH.dll (file missing)
O2 - BHO: (no name) - {E6345D5D-4DD5-4EDF-87EA-1B62542F9B5D} - C:\WINDOWS\system32\byXPJYoo.dll (file missing)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ezHelper] C:\Program Files\ezHelper\ezHelper.exe 300
O4 - HKCU\..\Run: [foxy] "C:\Program Files\Foxy\Foxy.exe" -tray
O4 - HKCU\..\Run: "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Foxy 更 - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy 穓碝 - res://C:\Program Files\Foxy\Foxy.exe/search.htm
O8 - Extra context menu item: 蹲 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java 北 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: 把σ戈 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.webmail.hinet.net
O15 - Trusted Zone: webmail.hinet.net
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1159CFA4-6BEA-4ED4-8166-5556B1BFB232} (pocx Control) - http://202.133.245.200/iCF20071025.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4C833081-D026-4FF8-968F-7EAB660D2FBA} (TVAnts ActiveX Control) - http://download.tvants.com/pub/tvants/tvants1/win32/cab/tvants.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {5F4D222D-5EEE-40A8-8810-5642B4E4F441} (KENCAPI Class) - https://ebank.tcb-bank.com.tw/netbank/html/ib/pages/FSCAPIATL.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185374795424
O16 - DPF: {C01170CC-AF05-46C3-88BC-2C120DCEE288} (KooPlayer Control) - http://www.im.tv/IMTVPlayer.ocx
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://extranet.cranfield.ac.uk/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{40233121-6B0E-4121-8A54-6B29E63F652F}: NameServer = 138.250.1.75,138.250.1.67
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: ljJDSKAP - C:\WINDOWS\SYSTEM32\ljJDSKAP.dll
O21 - SSODL: MsnShell32 - {35CEC8A3-2BE6-11D2-8773-92E220524250} - C:\WINDOWS\system32\MsnShell32.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod 狝叭 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 14708 bytes

Also, I am studying Cranfield University, while the bank has not used it any more. But will both of them affect the procedure of scanning virus?

BTW, I do not know how to create an [B]uninstall list? Could you kind ly tell me how to create it?

Thanks for your help.

ndmmxiaomayi

2008-05-31, 17:07

Sorry for that.

Here's it.

Open HijackThis.
Click on the Open the Misc Tools section button.
Look under System tools.
Click on the Open Uninstall Manager... button.
Click on the Save list... button.
It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
Notepad will open. Please post this log in your next reply.

ndmmxiaomayi

2008-05-31, 17:53

Hi,

Please go to Virus Total (http://www.virustotal.com/) or Jotti (http://virusscan.jotti.org/) and upload C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys for scanning.

For Virus Total

Please copy and paste C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys in the text box next to the Browse button.
Click on Send File.

For Jotti

Please copy and paste C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys in the text box next to the Browse button.
Click on Submit.

Repeat for these files.

C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
C:\WINDOWS\system32\dllcache\tcpip.sys
C:\WINDOWS\system32\drivers\tcpip.sys

Please post back the scan results of these files, together with the Uninstall list.

Also, I am studying Cranfield University, while the bank has not used it any more. But will both of them affect the procedure of scanning virus?

No, they will not. I just need to confirm with you as I'm not sure.

ndmmxiaomayi

2008-05-31, 20:39

Hi again,

We need to send some sample for analyzing.

Please download Suspicious File Packer (http://www.safer-networking.org/files/sfp.zip) from Safer Networking and save it to your desktop.

Locate sfp.zip.
Right click on sfp.zip and select Extract All....
Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
Click on the Browse button. Click on Desktop. Then click OK.
Once done, check (tick) the Show extracted files box and click Finish.
Double click on sfp.exe to run it.
Copy and paste in the following file into Suspicious File Packer.

C:\WINDOWS\system32\MsnShell32.dll

Click Continue.
It will start packing.
Once done, click here (http://thespykiller.co.uk/index.php?action=post;board=1.0) to go to Spykiller.
In the Name box, type in your name.
In the Email box, type in your email address.
In the Subject box, copy and paste in File for Metallica.
In the big text box, copy and paste this in: Link to log: http://forums.spybot.info/showthread.php?t=28830
Type in the Visual Verification.
In the first Attach box, browse to this file - requested-files[date].cab, where date are numbers. Select this file and click Open. (This file can be found on your desktop if you extracted sfp.exe to your desktop.)
Click on Post to post the message.

tony6725

2008-05-31, 20:59

<table border="1"><tr><td colspan="4">檔案 tcpip.sys_ 接收於 2007.01.09 12:09:51 (CET)</td></tr><tr><td>反病毒引擎</td><td>版本</td><td>最後更新</td><td>掃瞄結果</td</tr><tr><td>AntiVir</td><td>-</td><td>-</td><td>-</td</tr><tr><td>Authentium</td><td>-</td><td>-</td><td>-</td</tr><tr><td>Avast</td><td>-</td><td>-</td><td>-</td</tr><tr><td>AVG</td><td>-</td><td>-</td><td>-</td</tr><tr><td>BitDefender</td><td>-</td><td>-</td><td>-</td</tr><tr><td>CAT-QuickHeal</td><td>-</td><td>-</td><td>-</td</tr><tr><td>ClamAV</td><td>-</td><td>-</td><td>-</td</tr><tr><td>DrWeb</td><td>-</td><td>-</td><td>-</td</tr><tr><td>eSafe</td><td>-</td><td>-</td><td>-</td</tr><tr><td>eTrust-InoculateIT</td><td>-</td><td>-</td><td>-</td</tr><tr><td>eTrust-Vet</td><td>-</td><td>-</td><td>-</td</tr><tr><td>Ewido</td><td>-</td><td>-</td><td>-</td</tr><tr><td>F-Prot</td><td>-</td><td>-</td><td>-</td</tr><tr><td>F-Prot4</td><td>-</td><td>-</td><td>-</td</tr><tr><td>Fortinet</td><td>-</td><td>-</td><td style="color: red;">suspicious</td</tr><tr><td>Ikarus</td><td>-</td><td>-</td><td>-</td</tr><tr><td>Kaspersky</td><td>-</td><td>-</td><td>-</td</tr><tr><td>McAfee</td><td>-</td><td>-</td><td>-</td</tr><tr><td>Microsoft</td><td>-</td><td>-</td><td>-</td</tr><tr><td>NOD32v2</td><td>-</td><td>-</td><td>-</td</tr><tr><td>Norman</td><td>-</td><td>-</td><td>-</td</tr><tr><td>Panda</td><td>-</td><td>-</td><td>-</td</tr><tr><td>Prevx1</td><td>-</td><td>-</td><td>-</td</tr><tr><td>Sophos</td><td>-</td><td>-</td><td>-</td</tr><tr><td>Sunbelt</td><td>-</td><td>-</td><td>-</td</tr><tr><td>TheHacker</td><td>-</td><td>-</td><td>-</td</tr><tr><td>UNA</td><td>-</td><td>-</td><td>-</td</tr><tr><td>VBA32</td><td>-</td><td>-</td><td>-</td</tr><tr><td>VirusBuster</td><td>-</td><td>-</td><td>-</td</tr><tr><td colspan="4"> </td></tr><tr><td colspan="4">附加訊息</td></tr><tr><td colspan="4">MD5: b2220c618b42a2212a59d91ebd6fc4b4</td></tr><tr><td colspan="4">SHA1: 038bd2e0fb3074ef2e9e277047fc37bc247dc79f</td></tr><tr><td colspan="4">SHA256: d0fa3c6c9f9f487ece7e5ae76b91715c71847b9713bb6817fe8239c67e60bd95</td></tr><tr><td colspan="4">SHA512: c1daa80a3a0cc69dee0899aed469b40e16fbaae8000ae479e9a522a1591ae0638b70d1fd98043acecc50fff03bb2da7ffe07f412b23915e63b893e0faf5f76f4</td></tr></table>

<table border="1"><tr><td colspan="4">檔案 tcpip.sys 接收於 2008.04.20 12:33:42 (CET)</td></tr><tr><td>反病毒引擎</td><td>版本</td><td>最後更新</td><td>掃瞄結果</td</tr><tr><td>AhnLab-V3</td><td>2008.4.19.0</td><td>2008.04.18</td><td>-</td</tr><tr><td>AntiVir</td><td>7.8.0.8</td><td>2008.04.18</td><td>-</td</tr><tr><td>Authentium</td><td>4.93.8</td><td>2008.04.19</td><td>-</td</tr><tr><td>Avast</td><td>4.8.1169.0</td><td>2008.04.19</td><td>-</td</tr><tr><td>AVG</td><td>7.5.0.516</td><td>2008.04.19</td><td>-</td</tr><tr><td>BitDefender</td><td>7.2</td><td>2008.04.20</td><td>-</td</tr><tr><td>CAT-QuickHeal</td><td>9.50</td><td>2008.04.19</td><td>-</td</tr><tr><td>ClamAV</td><td>0.92.1</td><td>2008.04.20</td><td>-</td</tr><tr><td>DrWeb</td><td>4.44.0.09170</td><td>2008.04.19</td><td>-</td</tr><tr><td>eSafe</td><td>7.0.15.0</td><td>2008.04.17</td><td>-</td</tr><tr><td>eTrust-Vet</td><td>31.3.5714</td><td>2008.04.19</td><td>-</td</tr><tr><td>Ewido</td><td>4.0</td><td>2008.04.19</td><td>-</td</tr><tr><td>F-Prot</td><td>4.4.2.54</td><td>2008.04.20</td><td>-</td</tr><tr><td>F-Secure</td><td>6.70.13260.0</td><td>2008.04.19</td><td>-</td</tr><tr><td>FileAdvisor</td><td>1</td><td>2008.04.20</td><td>-</td</tr><tr><td>Fortinet</td><td>3.14.0.0</td><td>2008.04.20</td><td>-</td</tr><tr><td>Ikarus</td><td>T3.1.1.26.0</td><td>2008.04.20</td><td>-</td</tr><tr><td>Kaspersky</td><td>7.0.0.125</td><td>2008.04.20</td><td>-</td</tr><tr><td>McAfee</td><td>5277</td><td>2008.04.18</td><td>-</td</tr><tr><td>Microsoft</td><td>1.3408</td><td>2008.04.20</td><td>-</td</tr><tr><td>NOD32v2</td><td>3041</td><td>2008.04.19</td><td>-</td</tr><tr><td>Norman</td><td>5.80.02</td><td>2008.04.18</td><td>-</td</tr><tr><td>Panda</td><td>9.0.0.4</td><td>2008.04.19</td><td>-</td</tr><tr><td>Prevx1</td><td>V2</td><td>2008.04.20</td><td>-</td</tr><tr><td>Rising</td><td>20.40.62.00</td><td>2008.04.20</td><td>-</td</tr><tr><td>Sophos</td><td>4.28.0</td><td>2008.04.20</td><td>-</td</tr><tr><td>Sunbelt</td><td>3.0.1056.0</td><td>2008.04.17</td><td>-</td</tr><tr><td>Symantec</td><td>10</td><td>2008.04.20</td><td>-</td</tr><tr><td>TheHacker</td><td>6.2.92.285</td><td>2008.04.19</td><td>-</td</tr><tr><td>VBA32</td><td>3.12.6.4</td><td>2008.04.16</td><td>-</td</tr><tr><td>VirusBuster</td><td>4.3.26:9</td><td>2008.04.19</td><td>-</td</tr><tr><td>Webwasher-Gateway</td><td>6.6.2</td><td>2008.04.18</td><td>-</td</tr><tr><td colspan="4"> </td></tr><tr><td colspan="4">附加訊息</td></tr><tr><td colspan="4">File size: 360832 bytes</td></tr><tr><td colspan="4">MD5...: 64798ecfa43d78c7178375fcdd16d8c8</td></tr><tr><td colspan="4">SHA1..: 9f864005ebb9147012db4c2fbc0b23d8dae6cb68</td></tr><tr><td colspan="4">SHA256: 0866341a50166200ff82781125dad1c6ebc4593abfbadde5d45e32d32b0fe903</td></tr><tr><td colspan="4">SHA512: ec6b3fa6d7851f12aa87b30fe35797d934109f8618462fe5020d567f5206a1d3 2fd89489487e91bccc50c61f2abbed614892dad0f8c237bbaff65565a1498b94</td></tr><tr><td colspan="4">PEiD..: -</td></tr><tr><td colspan="4">PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x60aa3 timedatestamp.....: 0x47276189 (Tue Oct 30 16:53:29 2007) machinetype.......: 0x14c (I386) ( 10 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x380 0x3ee0e 0x3ee80 6.59 fa66bf829c9ddddc255d1ce20eee8bc5 .rdata 0x3f200 0x574 0x580 4.44 083e9d9bf06df4b3767e6d58ef4b263f .data 0x3f780 0xa4a4 0xa500 0.06 bc99afb1d65abc54dfba01f9847a8ee4 PAGE 0x49c80 0x1f2b 0x1f80 6.38 c71600990ce103daee008973fbba0b30 PAGELK 0x4bc00 0x6f2 0x700 6.21 33f8928f23d0d348c2179e13cfda242d PAGEIPMc 0x4c300 0x2781 0x2800 6.43 ebb829c092776199cfaf9458fbbef604 .edata 0x4eb00 0x341 0x380 5.22 6bd092a4adbde8e251da39ff2705a069 INIT 0x4ee80 0x5926 0x5980 6.19 878aed9caa342caf97f74bc4cc308955 .rsrc 0x54800 0x3f0 0x400 3.41 99a26048cfca1fdf299ceabf9424a634 .reloc 0x54c00 0x357c 0x3580 6.82 1e24cbade6e3ce7b4e8a9a8dc2291b8c ( 4 imports ) > HAL.dll: KfLowerIrql, KeRaiseIrqlToDpcLevel, KfReleaseSpinLock, KfAcquireSpinLock, KfRaiseIrql, KeGetCurrentIrql, KeQueryPerformanceCounter, ExAcquireFastMutex, ExReleaseFastMutex > NDIS.SYS: NdisCloseAdapter, NdisCancelSendPackets, NdisFreePacket, NdisUnchainBufferAtFront, NdisCompletePnPEvent, NdisFreePacketPool, NdisRequest, NdisAllocatePacket, NdisFreeMemory, NdisQueryAdapterInstanceName, NdisGetDriverHandle, NdisOpenAdapter, NdisAllocatePacketPoolEx, NdisGetReceivedPacket, NdisRegisterProtocol, NdisAllocateBuffer, NdisSetPacketPoolProtocolId, NdisReturnPackets, NdisCopyBuffer, NdisAllocateBufferPool, NdisFreeBufferPool, NdisReEnumerateProtocolBindings, NdisCompleteBindAdapter > ntoskrnl.exe: IoCreateDevice, _wcsicmp, wcscpy, wcsncpy, wcschr, ZwSetInformationThread, KeLeaveCriticalRegion, KeEnterCriticalRegion, KeQueryTimeIncrement, KeSetEvent, IoDeleteSymbolicLink, ExDeleteNPagedLookasideList, KeDelayExecutionThread, ZwOpenKey, KeSetTimerEx, KeInitializeTimer, KeInitializeDpc, ExInitializeNPagedLookasideList, MmLockPagableSectionByHandle, ZwQueryValueKey, ZwSetValueKey, InterlockedPopEntrySList, InterlockedPushEntrySList, ExIsProcessorFeaturePresent, RtlAddAccessAllowedAce, RtlCreateAcl, RtlLengthSid, SeExports, RtlMapGenericMask, IoGetFileObjectGenericMapping, ObReleaseObjectSecurity, SeSetSecurityDescriptorInfo, RtlLengthSecurityDescriptor, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, ObGetObjectSecurity, IofCallDriver, IoBuildDeviceIoControlRequest, IoGetDeviceObjectPointer, ObfDereferenceObject, RtlAddAce, RtlGetAce, IoCreateSymbolicLink, RtlInitializeSid, RtlLengthRequiredSid, ObSetSecurityObjectByPointer, RtlSelfRelativeToAbsoluteSD, RtlGetSaclSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, RtlGetDaclSecurityDescriptor, RtlVerifyVersionInfo, VerSetConditionMask, IoWMIRegistrationControl, IoGetCurrentProcess, KeInitializeTimerEx, RtlExtendedIntegerMultiply, KeQueryInterruptTime, _aulldiv, DbgBreakPoint, KeSetTargetProcessorDpc, RtlSetBit, SeUnlockSubjectContext, SeAccessCheck, SeLockSubjectContext, ObDereferenceSecurityDescriptor, PsGetCurrentProcessId, RtlWalkFrameChain, ExNotifyCallback, ExCreateCallback, ObReferenceObjectByHandle, MmUnlockPages, SeFreePrivileges, SeAppendPrivileges, ObLogSecurityDescriptor, SeAssignSecurity, IoFileObjectType, MmProbeAndLockPages, IoAllocateMdl, _except_handler3, ProbeForWrite, ObfReferenceObject, PsGetCurrentProcess, RtlPrefetchMemoryNonTemporal, KeInitializeMutex, MmIsThisAnNtAsSystem, KeWaitForSingleObject, KeReleaseMutex, KeReadStateEvent, IoDeleteDevice, ZwEnumerateValueKey, RtlUnicodeStringToInteger, RtlIpv4StringToAddressW, RtlTimeToTimeFields, ExLocalTimeToSystemTime, RtlExtendedMagicDivide, RtlAppendUnicodeToString, ZwClose, _allmul, MmQuerySystemSize, RtlCompareUnicodeString, RtlInitializeBitMap, RtlClearAllBits, RtlSetBits, wcslen, RtlAreBitsSet, RtlClearBits, RtlFindClearBitsAndSet, RtlFindClearRuns, DbgPrint, memmove, RtlCopyUnicodeString, RtlAppendUnicodeStringToString, ZwLoadDriver, KeResetEvent, IoAcquireCancelSpinLock, IoReleaseCancelSpinLock, IofCompleteRequest, ExfInterlockedAddUlong, MmMapLockedPagesSpecifyCache, IoFreeMdl, ExfInterlockedInsertTailList, RtlInitUnicodeString, MmMapLockedPages, KeNumberProcessors, RtlUnicodeStringToAnsiString, MmLockPagableDataSection, MmUnlockPagableImageSection, RtlCompareMemory, ExAllocatePoolWithTag, KeCancelTimer, KeClearEvent, RtlAnsiStringToUnicodeString, IoRaiseInformationalHardError, KeInitializeEvent, ExFreePoolWithTag, ExAllocatePoolWithTagPriority, KeInitializeSpinLock, _alldiv, KeQuerySystemTime, KefAcquireSpinLockAtDpcLevel, KefReleaseSpinLockFromDpcLevel, KeBugCheckEx, RtlSubAuthoritySid, KeTickCount, MmBuildMdlForNonPagedPool, ZwDeviceIoControlFile, ZwCreateFile > TDI.SYS: CTESystemUpTime, CTEBlock, CTELogEvent, CTESignal, CTEBlockWithTracker, CTEStartTimer, CTEInitEvent, CTEScheduleDelayedEvent, CTEInitTimer, TdiProviderReady, CTEInitialize, TdiDeregisterNetAddress, TdiRegisterNetAddress, TdiDeregisterDeviceObject, TdiRegisterDeviceObject, TdiDeregisterProvider, TdiRegisterProvider, TdiPnPPowerRequest, TdiCopyMdlChainToMdlChain, TdiInitialize, TdiDeregisterPnPHandlers, TdiRegisterPnPHandlers, CTEScheduleEvent, TdiCopyBufferToMdl, CTERemoveBlockTracker, CTEInsertBlockTracker, TdiMapUserRequest, TdiCopyBufferToMdlWithReservedMappingAtDpcLevel ( 31 exports ) ARPRcv, ARPRcvPacket, FreeIprBuff, GetIFAndLink, IPAddInterface, IPAllocBuff, IPDelInterface, IPDelayedNdisReEnumerateBindings, IPDeregisterARP, IPDisableSniffer, IPEnableSniffer, IPFreeBuff, IPGetAddrType, IPGetBestInterface, IPGetInfo, IPInjectPkt, IPProxyNdisRequest, IPRcvComplete, IPRcvPacket, IPRegisterARP, IPRegisterProtocol, IPSetIPSecStatus, IPTransmit, LookupRoute, LookupRouteInformation, LookupRouteInformationWithBuffer, SendICMPErr, SetIPSecPtr, UnSetIPSecPtr, UnSetIPSecSendPtr, tcpxsum </td></tr><tr><td colspan="4">Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=64798ecfa43d78c7178375fcdd16d8c8</td></tr></table>

<table border="1"><tr><td colspan="4">檔案 tcpip.sys 接收於 2008.04.28 20:15:49 (CET)</td></tr><tr><td>反病毒引擎</td><td>版本</td><td>最後更新</td><td>掃瞄結果</td</tr><tr><td>AhnLab-V3</td><td>2008.4.29.0</td><td>2008.04.28</td><td>-</td</tr><tr><td>AntiVir</td><td>7.8.0.10</td><td>2008.04.28</td><td>-</td</tr><tr><td>Authentium</td><td>4.93.8</td><td>2008.04.27</td><td>-</td</tr><tr><td>Avast</td><td>4.8.1169.0</td><td>2008.04.28</td><td>-</td</tr><tr><td>AVG</td><td>7.5.0.516</td><td>2008.04.28</td><td>-</td</tr><tr><td>BitDefender</td><td>7.2</td><td>2008.04.28</td><td>-</td</tr><tr><td>CAT-QuickHeal</td><td>9.50</td><td>2008.04.28</td><td>-</td</tr><tr><td>ClamAV</td><td>0.92.1</td><td>2008.04.28</td><td>-</td</tr><tr><td>DrWeb</td><td>4.44.0.09170</td><td>2008.04.28</td><td>-</td</tr><tr><td>eSafe</td><td>7.0.15.0</td><td>2008.04.27</td><td>-</td</tr><tr><td>eTrust-Vet</td><td>31.3.5741</td><td>2008.04.28</td><td>-</td</tr><tr><td>Ewido</td><td>4.0</td><td>2008.04.28</td><td>-</td</tr><tr><td>F-Prot</td><td>4.4.2.54</td><td>2008.04.27</td><td>-</td</tr><tr><td>F-Secure</td><td>6.70.13260.0</td><td>2008.04.28</td><td>-</td</tr><tr><td>FileAdvisor</td><td>1</td><td>2008.04.28</td><td style="color: red;">No threat detected, but known vulnerabilities exist</td</tr><tr><td>Fortinet</td><td>3.14.0.0</td><td>2008.04.28</td><td>-</td</tr><tr><td>Ikarus</td><td>T3.1.1.26</td><td>2008.04.28</td><td>-</td</tr><tr><td>Kaspersky</td><td>7.0.0.125</td><td>2008.04.28</td><td>-</td</tr><tr><td>McAfee</td><td>5282</td><td>2008.04.25</td><td>-</td</tr><tr><td>Microsoft</td><td>1.3408</td><td>2008.04.22</td><td>-</td</tr><tr><td>NOD32v2</td><td>3060</td><td>2008.04.28</td><td>-</td</tr><tr><td>Panda</td><td>9.0.0.4</td><td>2008.04.27</td><td>-</td</tr><tr><td>Prevx1</td><td>V2</td><td>2008.04.28</td><td>-</td</tr><tr><td>Rising</td><td>20.42.01.00</td><td>2008.04.28</td><td>-</td</tr><tr><td>Sophos</td><td>4.28.0</td><td>2008.04.28</td><td>-</td</tr><tr><td>Sunbelt</td><td>3.0.1056.0</td><td>2008.04.17</td><td>-</td</tr><tr><td>Symantec</td><td>10</td><td>2008.04.28</td><td>-</td</tr><tr><td>TheHacker</td><td>6.2.92.294</td><td>2008.04.26</td><td>-</td</tr><tr><td>VBA32</td><td>3.12.6.5</td><td>2008.04.28</td><td>-</td</tr><tr><td>VirusBuster</td><td>4.3.26:9</td><td>2008.04.28</td><td>-</td</tr><tr><td>Webwasher-Gateway</td><td>6.6.2</td><td>2008.04.28</td><td>-</td</tr><tr><td colspan="4"> </td></tr><tr><td colspan="4">附加訊息</td></tr><tr><td colspan="4">File size: 359040 bytes</td></tr><tr><td colspan="4">MD5...: 9f4b36614a0fc234525ba224957de55c</td></tr><tr><td colspan="4">SHA1..: c4f3d44361a2afbc309db6993ee0ecf12b6666d1</td></tr><tr><td colspan="4">SHA256: 56766ef576479367c29b2ee16cf232ede2569ceb0a72bf8e38fbabc9bf7c1bec</td></tr><tr><td colspan="4">SHA512: cb94857fa99771ebe7bd70a2a462b2c032bea74eb3f7278faa3c233bc25dd4a3 4988bb87708d16b947627db15268674d7d069c6554fe115d3d3865c8f0704e9d</td></tr><tr><td colspan="4">PEiD..: -</td></tr><tr><td colspan="4">PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x61196 timedatestamp.....: 0x41107ecf (Wed Aug 04 06:14:39 2004) machinetype.......: 0x14c (I386) ( 10 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x380 0x3e946 0x3e980 6.60 643853ade61026df88ede2edb9ec7c33 .rdata 0x3ed00 0x57c 0x580 4.42 f8464eba6b02d00de9e773b0204cee78 .data 0x3f280 0xa4a4 0xa500 0.06 b3fc32b281b47111d104f80e77996f6c PAGE 0x49780 0x1f27 0x1f80 6.39 ea783b68f5cf42f310a6c23aa5236d34 PAGEIPMc 0x4b700 0x2783 0x2800 6.41 b9863a636b93f57fa3f39bc70defcb54 PAGELK 0x4df00 0x6f2 0x700 6.17 98b56ac9253dac973c411a2217b1124b .edata 0x4e600 0x2eb 0x300 5.30 bf33e66921dae71729e1c48f47faaf0b INIT 0x4e900 0x57f2 0x5800 6.21 194323979adbbb6a88673d8e797463ee .rsrc 0x54100 0x3f0 0x400 3.40 3ce484e663e0c007ee6a8661022ec6f2 .reloc 0x54500 0x3548 0x3580 6.80 242690837b0b00c1aa768245bd09bb33 ( 4 imports ) > ntoskrnl.exe: MmLockPagableSectionByHandle, _wcsicmp, wcscpy, wcsncpy, wcschr, RtlAppendUnicodeToString, RtlExtendedMagicDivide, ExLocalTimeToSystemTime, RtlTimeToTimeFields, RtlIpv4StringToAddressW, RtlUnicodeStringToInteger, ZwEnumerateValueKey, KeReadStateEvent, KeReleaseMutex, MmIsThisAnNtAsSystem, KeInitializeMutex, IoRaiseInformationalHardError, RtlAnsiStringToUnicodeString, RtlUnicodeStringToAnsiString, InterlockedPopEntrySList, InterlockedPushEntrySList, ZwQueryValueKey, ZwSetValueKey, ExIsProcessorFeaturePresent, RtlAddAccessAllowedAce, RtlCreateAcl, RtlLengthSid, SeExports, RtlMapGenericMask, IoGetFileObjectGenericMapping, ObReleaseObjectSecurity, SeSetSecurityDescriptorInfo, RtlLengthSecurityDescriptor, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, ObGetObjectSecurity, IofCallDriver, IoBuildDeviceIoControlRequest, IoGetDeviceObjectPointer, ObfDereferenceObject, RtlAddAce, RtlGetAce, MmLockPagableDataSection, RtlInitializeSid, RtlLengthRequiredSid, ObSetSecurityObjectByPointer, RtlSelfRelativeToAbsoluteSD, RtlGetSaclSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, RtlGetDaclSecurityDescriptor, RtlVerifyVersionInfo, VerSetConditionMask, IoWMIRegistrationControl, IoGetCurrentProcess, KeInitializeTimerEx, RtlExtendedIntegerMultiply, KeQueryInterruptTime, _aulldiv, DbgBreakPoint, KeSetTargetProcessorDpc, RtlSetBit, SeUnlockSubjectContext, SeAccessCheck, SeLockSubjectContext, ObDereferenceSecurityDescriptor, PsGetCurrentProcessId, RtlWalkFrameChain, _aulldvrm, ExNotifyCallback, ExCreateCallback, ObReferenceObjectByHandle, MmUnlockPages, SeFreePrivileges, SeAppendPrivileges, ObLogSecurityDescriptor, SeAssignSecurity, IoFileObjectType, MmProbeAndLockPages, IoAllocateMdl, _except_handler3, ProbeForWrite, ObfReferenceObject, PsGetCurrentProcess, RtlPrefetchMemoryNonTemporal, ExInitializeNPagedLookasideList, KeInitializeDpc, KeInitializeTimer, KeSetTimerEx, ZwClose, IoCreateDevice, IoDeleteDevice, ZwOpenKey, KeDelayExecutionThread, KeWaitForSingleObject, ExDeleteNPagedLookasideList, MmUnlockPagableImageSection, RtlInitUnicodeString, IoCreateSymbolicLink, IoDeleteSymbolicLink, KeSetEvent, KeQueryTimeIncrement, KeEnterCriticalRegion, KeLeaveCriticalRegion, ZwSetInformationThread, KeQuerySystemTime, _allmul, _alldiv, MmQuerySystemSize, ExfInterlockedInsertTailList, RtlCompareUnicodeString, RtlInitializeBitMap, RtlClearAllBits, RtlSetBits, wcslen, RtlCompareMemory, RtlAreBitsSet, RtlClearBits, RtlFindClearBitsAndSet, RtlFindClearRuns, KeCancelTimer, KeClearEvent, DbgPrint, memmove, RtlCopyUnicodeString, RtlAppendUnicodeStringToString, ZwLoadDriver, KeResetEvent, MmMapLockedPages, KeInitializeSpinLock, IoAcquireCancelSpinLock, IoReleaseCancelSpinLock, IofCompleteRequest, KeInitializeEvent, ExfInterlockedAddUlong, ExAllocatePoolWithTag, MmMapLockedPagesSpecifyCache, IoFreeMdl, KefAcquireSpinLockAtDpcLevel, KefReleaseSpinLockFromDpcLevel, KeNumberProcessors, ExFreePoolWithTag, ExAllocatePoolWithTagPriority, KeBugCheckEx, RtlSubAuthoritySid, KeTickCount, MmBuildMdlForNonPagedPool, ZwDeviceIoControlFile, ZwCreateFile > HAL.dll: KfLowerIrql, KfRaiseIrql, KfReleaseSpinLock, KfAcquireSpinLock, KeGetCurrentIrql, KeRaiseIrqlToDpcLevel, KeQueryPerformanceCounter, ExAcquireFastMutex, ExReleaseFastMutex > NDIS.SYS: NdisUnchainBufferAtFront, NdisAllocateBuffer, NdisFreePacket, NdisAllocatePacket, NdisSetPacketPoolProtocolId, NdisAllocatePacketPoolEx, NdisReturnPackets, NdisCompleteBindAdapter, NdisReEnumerateProtocolBindings, NdisFreeBufferPool, NdisFreePacketPool, NdisAllocateBufferPool, NdisCompletePnPEvent, NdisCloseAdapter, NdisCancelSendPackets, NdisRequest, NdisFreeMemory, NdisQueryAdapterInstanceName, NdisCopyBuffer, NdisRegisterProtocol, NdisGetReceivedPacket, NdisOpenAdapter, NdisGetDriverHandle > TDI.SYS: CTESignal, CTESystemUpTime, CTEScheduleDelayedEvent, CTEInitEvent, CTEStartTimer, CTEInitTimer, CTEBlock, TdiProviderReady, CTEInitialize, TdiDeregisterNetAddress, TdiRegisterNetAddress, TdiDeregisterDeviceObject, CTEBlockWithTracker, CTELogEvent, TdiRegisterDeviceObject, TdiCopyMdlChainToMdlChain, TdiPnPPowerRequest, TdiDeregisterProvider, TdiRegisterProvider, TdiInitialize, TdiDeregisterPnPHandlers, TdiRegisterPnPHandlers, CTEScheduleEvent, TdiCopyBufferToMdl, CTERemoveBlockTracker, CTEInsertBlockTracker, TdiMapUserRequest, TdiCopyBufferToMdlWithReservedMappingAtDpcLevel ( 27 exports ) FreeIprBuff, GetIFAndLink, IPAddInterface, IPAllocBuff, IPDelInterface, IPDelayedNdisReEnumerateBindings, IPDeregisterARP, IPDisableSniffer, IPEnableSniffer, IPFreeBuff, IPGetAddrType, IPGetBestInterface, IPGetInfo, IPInjectPkt, IPProxyNdisRequest, IPRegisterARP, IPRegisterProtocol, IPSetIPSecStatus, IPTransmit, LookupRoute, LookupRouteInformation, LookupRouteInformationWithBuffer, SendICMPErr, SetIPSecPtr, UnSetIPSecPtr, UnSetIPSecSendPtr, tcpxsum </td></tr><tr><td colspan="4">Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=9f4b36614a0fc234525ba224957de55c</td></tr></table>

<table border="1"><tr><td colspan="4">檔案 tcpip.sys 接收於 2008.03.21 15:08:48 (CET)</td></tr><tr><td>反病毒引擎</td><td>版本</td><td>最後更新</td><td>掃瞄結果</td</tr><tr><td>AhnLab-V3</td><td>-</td><td>-</td><td>-</td</tr><tr><td>AntiVir</td><td>-</td><td>-</td><td>-</td</tr><tr><td>Authentium</td><td>-</td><td>-</td><td>-</td</tr><tr><td>Avast</td><td>-</td><td>-</td><td>-</td</tr><tr><td>AVG</td><td>-</td><td>-</td><td>-</td</tr><tr><td>BitDefender</td><td>-</td><td>-</td><td>-</td</tr><tr><td>CAT-QuickHeal</td><td>-</td><td>-</td><td>-</td</tr><tr><td>ClamAV</td><td>-</td><td>-</td><td>-</td</tr><tr><td>DrWeb</td><td>-</td><td>-</td><td>-</td</tr><tr><td>eSafe</td><td>-</td><td>-</td><td>-</td</tr><tr><td>eTrust-Vet</td><td>-</td><td>-</td><td>-</td</tr><tr><td>Ewido</td><td>-</td><td>-</td><td>-</td</tr><tr><td>F-Prot</td><td>-</td><td>-</td><td>-</td</tr><tr><td>F-Secure</td><td>-</td><td>-</td><td>-</td</tr><tr><td>FileAdvisor</td><td>-</td><td>-</td><td>-</td</tr><tr><td>Fortinet</td><td>-</td><td>-</td><td>-</td</tr><tr><td>Ikarus</td><td>-</td><td>-</td><td>-</td</tr><tr><td>Kaspersky</td><td>-</td><td>-</td><td>-</td</tr><tr><td>McAfee</td><td>-</td><td>-</td><td>-</td</tr><tr><td>Microsoft</td><td>-</td><td>-</td><td>-</td</tr><tr><td>NOD32v2</td><td>-</td><td>-</td><td>-</td</tr><tr><td>Norman</td><td>-</td><td>-</td><td>-</td</tr><tr><td>Panda</td><td>-</td><td>-</td><td>-</td</tr><tr><td>Prevx1</td><td>-</td><td>-</td><td>-</td</tr><tr><td>Rising</td><td>-</td><td>-</td><td>-</td</tr><tr><td>Sophos</td><td>-</td><td>-</td><td>-</td</tr><tr><td>Sunbelt</td><td>-</td><td>-</td><td>-</td</tr><tr><td>Symantec</td><td>-</td><td>-</td><td>-</td</tr><tr><td>TheHacker</td><td>-</td><td>-</td><td>-</td</tr><tr><td>VBA32</td><td>-</td><td>-</td><td style="color: red;">Trojan-PSW.Win32.OnLineGames</td</tr><tr><td>VirusBuster</td><td>-</td><td>-</td><td>-</td</tr><tr><td>Webwasher-Gateway</td><td>-</td><td>-</td><td>-</td</tr><tr><td colspan="4"> </td></tr><tr><td colspan="4">附加訊息</td></tr><tr><td colspan="4">MD5: b4e29943b4b04bd5e7381546848e6669</td></tr><tr><td colspan="4">SHA1: 134f6e92e0474a32490dc169ae5ac168fa96c2b1</td></tr><tr><td colspan="4">SHA256: b87f7bbbf007e19f6d9fc11815425d2f404c0693c49713b449c1a773c9512472</td></tr><tr><td colspan="4">SHA512: e0429039376390a724d3059d864de726ee283389b636ca801d970c05d7aa667f004161f51ba1f7526628a0700c861fe3c7a200df17998740f37347773ffc8200</td></tr></table>

<table border="1"><tr><td colspan="4">檔案 tcpip.sys 接收於 2008.03.03 11:58:32 (CET)</td></tr><tr><td>反病毒引擎</td><td>版本</td><td>最後更新</td><td>掃瞄結果</td</tr><tr><td>AhnLab-V3</td><td>2008.2.29.1</td><td>2008.03.03</td><td>-</td</tr><tr><td>AntiVir</td><td>7.6.0.73</td><td>2008.03.03</td><td>-</td</tr><tr><td>Authentium</td><td>4.93.8</td><td>2008.03.02</td><td>-</td</tr><tr><td>Avast</td><td>4.7.1098.0</td><td>2008.03.02</td><td>-</td</tr><tr><td>AVG</td><td>7.5.0.516</td><td>2008.03.02</td><td>-</td</tr><tr><td>BitDefender</td><td>7.2</td><td>2008.03.03</td><td>-</td</tr><tr><td>CAT-QuickHeal</td><td>9.50</td><td>2008.03.01</td><td>-</td</tr><tr><td>ClamAV</td><td>0.92.1</td><td>2008.03.03</td><td>-</td</tr><tr><td>DrWeb</td><td>4.44.0.09170</td><td>2008.03.03</td><td>-</td</tr><tr><td>eSafe</td><td>7.0.15.0</td><td>2008.02.28</td><td>-</td</tr><tr><td>eTrust-Vet</td><td>31.3.5582</td><td>2008.03.03</td><td>-</td</tr><tr><td>Ewido</td><td>4.0</td><td>2008.03.02</td><td>-</td</tr><tr><td>F-Prot</td><td>4.4.2.54</td><td>2008.03.02</td><td>-</td</tr><tr><td>F-Secure</td><td>6.70.13260.0</td><td>2008.03.03</td><td>-</td</tr><tr><td>FileAdvisor</td><td>1</td><td>2008.03.03</td><td>-</td</tr><tr><td>Fortinet</td><td>3.14.0.0</td><td>2008.03.03</td><td>-</td</tr><tr><td>Ikarus</td><td>T3.1.1.20</td><td>2008.03.03</td><td>-</td</tr><tr><td>Kaspersky</td><td>7.0.0.125</td><td>2008.03.03</td><td>-</td</tr><tr><td>McAfee</td><td>5242</td><td>2008.02.29</td><td>-</td</tr><tr><td>Microsoft</td><td>1.3301</td><td>2008.03.03</td><td>-</td</tr><tr><td>NOD32v2</td><td>2916</td><td>2008.03.03</td><td>-</td</tr><tr><td>Norman</td><td>5.80.02</td><td>2008.02.29</td><td>-</td</tr><tr><td>Panda</td><td>9.0.0.4</td><td>2008.03.02</td><td>-</td</tr><tr><td>Prevx1</td><td>V2</td><td>2008.03.03</td><td>-</td</tr><tr><td>Rising</td><td>20.34.00.00</td><td>2008.03.03</td><td>-</td</tr><tr><td>Sophos</td><td>4.27.0</td><td>2008.03.03</td><td>-</td</tr><tr><td>Sunbelt</td><td>3.0.906.0</td><td>2008.02.28</td><td>-</td</tr><tr><td>Symantec</td><td>10</td><td>2008.03.03</td><td>-</td</tr><tr><td>TheHacker</td><td>6.2.92.231</td><td>2008.03.02</td><td>-</td</tr><tr><td>VBA32</td><td>3.12.6.2</td><td>2008.02.27</td><td>-</td</tr><tr><td>VirusBuster</td><td>4.3.26:9</td><td>2008.03.02</td><td>-</td</tr><tr><td>Webwasher-Gateway</td><td>6.6.2</td><td>2008.03.03</td><td>-</td</tr><tr><td colspan="4"> </td></tr><tr><td colspan="4">附加訊息</td></tr><tr><td colspan="4">File size: 360064 bytes</td></tr><tr><td colspan="4">MD5: 90caff4b094573449a0872a0f919b178</td></tr><tr><td colspan="4">SHA1: 01c29459e70719163d78add6b7098b8550292824</td></tr><tr><td colspan="4">PEiD: -</td></tr></table>

<table border="1"><tr><td colspan="4">檔案 tcpip.sys 接收於 2008.05.19 09:32:30 (CET)</td></tr><tr><td>反病毒引擎</td><td>版本</td><td>最後更新</td><td>掃瞄結果</td</tr><tr><td>AhnLab-V3</td><td>2008.5.16.0</td><td>2008.05.19</td><td>-</td</tr><tr><td>AntiVir</td><td>7.8.0.19</td><td>2008.05.18</td><td>-</td</tr><tr><td>Authentium</td><td>5.1.0.4</td><td>2008.05.18</td><td>-</td</tr><tr><td>Avast</td><td>4.8.1195.0</td><td>2008.05.18</td><td>-</td</tr><tr><td>AVG</td><td>7.5.0.516</td><td>2008.05.18</td><td>-</td</tr><tr><td>BitDefender</td><td>7.2</td><td>2008.05.19</td><td>-</td</tr><tr><td>CAT-QuickHeal</td><td>9.50</td><td>2008.05.17</td><td>-</td</tr><tr><td>ClamAV</td><td>0.92.1</td><td>2008.05.19</td><td>-</td</tr><tr><td>DrWeb</td><td>4.44.0.09170</td><td>2008.05.19</td><td>-</td</tr><tr><td>eSafe</td><td>7.0.15.0</td><td>2008.05.18</td><td>-</td</tr><tr><td>eTrust-Vet</td><td>31.4.5798</td><td>2008.05.16</td><td>-</td</tr><tr><td>Ewido</td><td>4.0</td><td>2008.05.18</td><td>-</td</tr><tr><td>F-Prot</td><td>4.4.2.54</td><td>2008.05.16</td><td>-</td</tr><tr><td>F-Secure</td><td>6.70.13260.0</td><td>2008.05.19</td><td>-</td</tr><tr><td>Fortinet</td><td>3.14.0.0</td><td>2008.05.19</td><td>-</td</tr><tr><td>GData</td><td>2.0.7306.1023</td><td>2008.05.19</td><td>-</td</tr><tr><td>Ikarus</td><td>T3.1.1.26.0</td><td>2008.05.19</td><td>-</td</tr><tr><td>Kaspersky</td><td>7.0.0.125</td><td>2008.05.19</td><td>-</td</tr><tr><td>McAfee</td><td>5297</td><td>2008.05.17</td><td>-</td</tr><tr><td>Microsoft</td><td>1.3408</td><td>2008.05.13</td><td>-</td</tr><tr><td>NOD32v2</td><td>3107</td><td>2008.05.18</td><td>-</td</tr><tr><td>Norman</td><td>5.80.02</td><td>2008.05.16</td><td>-</td</tr><tr><td>Panda</td><td>9.0.0.4</td><td>2008.05.18</td><td>-</td</tr><tr><td>Prevx1</td><td>V2</td><td>2008.05.19</td><td>-</td</tr><tr><td>Rising</td><td>20.44.62.00</td><td>2008.05.18</td><td>-</td</tr><tr><td>Sophos</td><td>4.29.0</td><td>2008.05.19</td><td>-</td</tr><tr><td>Sunbelt</td><td>3.0.1123.1</td><td>2008.05.17</td><td>-</td</tr><tr><td>Symantec</td><td>10</td><td>2008.05.19</td><td>-</td</tr><tr><td>TheHacker</td><td>6.2.92.313</td><td>2008.05.19</td><td>-</td</tr><tr><td>VBA32</td><td>3.12.6.6</td><td>2008.05.18</td><td>-</td</tr><tr><td>VirusBuster</td><td>4.3.26:9</td><td>2008.05.18</td><td>-</td</tr><tr><td>Webwasher-Gateway</td><td>6.6.2</td><td>2008.05.19</td><td>-</td</tr><tr><td colspan="4"> </td></tr><tr><td colspan="4">附加訊息</td></tr><tr><td colspan="4">File size: 360064 bytes</td></tr><tr><td colspan="4">MD5...: ed06c31200714e734118f9a47f5df5ce</td></tr><tr><td colspan="4">SHA1..: 8afdb73bee49158d6f78256e921d9502f2391b4a</td></tr><tr><td colspan="4">SHA256: 7c419b505f34c66700720d3722a24a1b03a3c7d18926482e76f89601a84f15b2</td></tr><tr><td colspan="4">SHA512: dd1e2f4dcb9ccdd62366e37bd85e6ec7d9a5b575bd6c515c735b68149adf27e5 b19f21b24aad55b20a0a552d8435ed837e6f28f3baab2fe07fa7ada38d5d3cdf</td></tr><tr><td colspan="4">PEiD..: -</td></tr><tr><td colspan="4">PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x61516 timedatestamp.....: 0x472767f4 (Tue Oct 30 17:20:52 2007) machinetype.......: 0x14c (I386) ( 10 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x380 0x3ec36 0x3ec80 6.59 bf3727cc30fc9381405d704fc48cf298 .rdata 0x3f000 0x57c 0x580 4.44 8e59e52de3e5dbcbceb5a3ef5f649f6e .data 0x3f580 0xa4a4 0xa500 0.06 b9a573e33adfdced8dd26084f4c34980 PAGE 0x49a80 0x1f2b 0x1f80 6.39 62835585c6d5d5460c7937ca9a24a666 PAGELK 0x4ba00 0x6f2 0x700 6.23 b006a6a497bb9c46495fbf448e59f7d0 PAGEIPMc 0x4c100 0x2781 0x2800 6.43 f388ecb2e9459286d1f285da46acd63e .edata 0x4e900 0x341 0x380 5.22 8712af1a96dac3a5cc93d8600aeab255 INIT 0x4ec80 0x5836 0x5880 6.21 6b00b0dbb4853c21ff203b0ab0e968b4 .rsrc 0x54500 0x3f0 0x400 3.41 f7e220f2cc645366d35917b1d898d5a1 .reloc 0x54900 0x3554 0x3580 6.80 70106385f23ac6f4e01fd4b1e2558fad ( 4 imports ) > HAL.dll: KfLowerIrql, KeRaiseIrqlToDpcLevel, KfReleaseSpinLock, KfAcquireSpinLock, KfRaiseIrql, KeGetCurrentIrql, KeQueryPerformanceCounter, ExAcquireFastMutex, ExReleaseFastMutex > NDIS.SYS: NdisCloseAdapter, NdisCancelSendPackets, NdisFreePacket, NdisUnchainBufferAtFront, NdisCompletePnPEvent, NdisFreePacketPool, NdisRequest, NdisAllocatePacket, NdisFreeMemory, NdisQueryAdapterInstanceName, NdisGetDriverHandle, NdisOpenAdapter, NdisAllocatePacketPoolEx, NdisGetReceivedPacket, NdisRegisterProtocol, NdisAllocateBuffer, NdisSetPacketPoolProtocolId, NdisReturnPackets, NdisCopyBuffer, NdisAllocateBufferPool, NdisFreeBufferPool, NdisReEnumerateProtocolBindings, NdisCompleteBindAdapter > ntoskrnl.exe: IoCreateDevice, _wcsicmp, wcscpy, wcsncpy, wcschr, ZwSetInformationThread, KeLeaveCriticalRegion, KeEnterCriticalRegion, KeQueryTimeIncrement, KeSetEvent, IoDeleteSymbolicLink, ExDeleteNPagedLookasideList, KeDelayExecutionThread, ZwOpenKey, KeSetTimerEx, KeInitializeTimer, KeInitializeDpc, ExInitializeNPagedLookasideList, MmLockPagableSectionByHandle, ZwQueryValueKey, ZwSetValueKey, InterlockedPopEntrySList, InterlockedPushEntrySList, ExIsProcessorFeaturePresent, RtlAddAccessAllowedAce, RtlCreateAcl, RtlLengthSid, SeExports, RtlMapGenericMask, IoGetFileObjectGenericMapping, ObReleaseObjectSecurity, SeSetSecurityDescriptorInfo, RtlLengthSecurityDescriptor, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, ObGetObjectSecurity, IofCallDriver, IoBuildDeviceIoControlRequest, IoGetDeviceObjectPointer, ObfDereferenceObject, RtlAddAce, RtlGetAce, IoCreateSymbolicLink, RtlInitializeSid, RtlLengthRequiredSid, ObSetSecurityObjectByPointer, RtlSelfRelativeToAbsoluteSD, RtlGetSaclSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, RtlGetDaclSecurityDescriptor, RtlVerifyVersionInfo, VerSetConditionMask, IoWMIRegistrationControl, IoGetCurrentProcess, KeInitializeTimerEx, RtlExtendedIntegerMultiply, KeQueryInterruptTime, _aulldiv, DbgBreakPoint, KeSetTargetProcessorDpc, RtlSetBit, SeUnlockSubjectContext, SeAccessCheck, SeLockSubjectContext, ObDereferenceSecurityDescriptor, PsGetCurrentProcessId, RtlWalkFrameChain, _aulldvrm, ExNotifyCallback, ExCreateCallback, ObReferenceObjectByHandle, MmUnlockPages, SeFreePrivileges, SeAppendPrivileges, ObLogSecurityDescriptor, SeAssignSecurity, IoFileObjectType, MmProbeAndLockPages, IoAllocateMdl, _except_handler3, ProbeForWrite, ObfReferenceObject, PsGetCurrentProcess, RtlPrefetchMemoryNonTemporal, KeInitializeMutex, MmIsThisAnNtAsSystem, KeWaitForSingleObject, KeReleaseMutex, KeReadStateEvent, IoDeleteDevice, ZwEnumerateValueKey, RtlUnicodeStringToInteger, RtlIpv4StringToAddressW, RtlTimeToTimeFields, ExLocalTimeToSystemTime, RtlExtendedMagicDivide, RtlAppendUnicodeToString, ZwClose, _allmul, MmQuerySystemSize, RtlCompareUnicodeString, RtlInitializeBitMap, RtlClearAllBits, RtlSetBits, wcslen, RtlAreBitsSet, RtlClearBits, RtlFindClearBitsAndSet, RtlFindClearRuns, DbgPrint, memmove, RtlCopyUnicodeString, RtlAppendUnicodeStringToString, ZwLoadDriver, KeResetEvent, IoAcquireCancelSpinLock, IoReleaseCancelSpinLock, IofCompleteRequest, ExfInterlockedAddUlong, MmMapLockedPagesSpecifyCache, IoFreeMdl, ExfInterlockedInsertTailList, RtlInitUnicodeString, MmMapLockedPages, KeNumberProcessors, RtlUnicodeStringToAnsiString, MmLockPagableDataSection, MmUnlockPagableImageSection, RtlCompareMemory, ExAllocatePoolWithTag, KeCancelTimer, KeClearEvent, RtlAnsiStringToUnicodeString, IoRaiseInformationalHardError, KeInitializeEvent, ExFreePoolWithTag, ExAllocatePoolWithTagPriority, KeInitializeSpinLock, _alldiv, KeQuerySystemTime, KefAcquireSpinLockAtDpcLevel, KefReleaseSpinLockFromDpcLevel, KeBugCheckEx, RtlSubAuthoritySid, KeTickCount, MmBuildMdlForNonPagedPool, ZwDeviceIoControlFile, ZwCreateFile > TDI.SYS: CTESystemUpTime, CTEBlock, CTELogEvent, CTESignal, CTEBlockWithTracker, CTEStartTimer, CTEInitEvent, CTEScheduleDelayedEvent, CTEInitTimer, TdiProviderReady, CTEInitialize, TdiDeregisterNetAddress, TdiRegisterNetAddress, TdiDeregisterDeviceObject, TdiRegisterDeviceObject, TdiDeregisterProvider, TdiRegisterProvider, TdiPnPPowerRequest, TdiCopyMdlChainToMdlChain, TdiInitialize, TdiDeregisterPnPHandlers, TdiRegisterPnPHandlers, CTEScheduleEvent, TdiCopyBufferToMdl, CTERemoveBlockTracker, CTEInsertBlockTracker, TdiMapUserRequest, TdiCopyBufferToMdlWithReservedMappingAtDpcLevel ( 31 exports ) ARPRcv, ARPRcvPacket, FreeIprBuff, GetIFAndLink, IPAddInterface, IPAllocBuff, IPDelInterface, IPDelayedNdisReEnumerateBindings, IPDeregisterARP, IPDisableSniffer, IPEnableSniffer, IPFreeBuff, IPGetAddrType, IPGetBestInterface, IPGetInfo, IPInjectPkt, IPProxyNdisRequest, IPRcvComplete, IPRcvPacket, IPRegisterARP, IPRegisterProtocol, IPSetIPSecStatus, IPTransmit, LookupRoute, LookupRouteInformation, LookupRouteInformationWithBuffer, SendICMPErr, SetIPSecPtr, UnSetIPSecPtr, UnSetIPSecSendPtr, tcpxsum </td></tr></table>

Hello, I tried to create Uninstall List by following your instruction. But however, when I clicked on "Save List", it did not prompt me to save, instead the software shut off quickly without any feedback. Also I tried to use default name "uninstall_list.txt" to search in my computer, there is no any result. Did I do wrong?

BTW, sometimes my computer would pop out the windows which said " Buffer Overrun Detetced". After that, my minitor would show up a lot of wrong code to cover my original window. Does it associate with virus?

Thanks so much for your assistance.

tony6725

2008-05-31, 21:04

反病毒引擎版本最後更新掃瞄結果
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-InoculateIT - - -
eTrust-Vet - - -
Ewido - - -
F-Prot - - -
F-Prot4 - - -
Fortinet - - suspicious
Ikarus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - -
Prevx1 - - -
Sophos - - -
Sunbelt - - -
TheHacker - - -
UNA - - -
VBA32 - - -
VirusBuster - - -

附加訊息
MD5: b2220c618b42a2212a59d91ebd6fc4b4
SHA1: 038bd2e0fb3074ef2e9e277047fc37bc247dc79f
SHA256: d0fa3c6c9f9f487ece7e5ae76b91715c71847b9713bb6817fe8239c67e60bd95
SHA512: c1daa80a3a0cc69dee0899aed469b40e16fbaae8000ae479e9a522a1591ae0638b70d1fd98043acecc50fff03bb2da7ffe07f412b23915e63b893e0faf5f76f4

檔案 tcpip.sys 接收於 2008.04.20 12:33:42 (CET)反病毒引擎版本最後更新掃瞄結果
AhnLab-V3 2008.4.19.0 2008.04.18 -
AntiVir 7.8.0.8 2008.04.18 -
Authentium 4.93.8 2008.04.19 -
Avast 4.8.1169.0 2008.04.19 -
AVG 7.5.0.516 2008.04.19 -
BitDefender 7.2 2008.04.20 -
CAT-QuickHeal 9.50 2008.04.19 -
ClamAV 0.92.1 2008.04.20 -
DrWeb 4.44.0.09170 2008.04.19 -
eSafe 7.0.15.0 2008.04.17 -
eTrust-Vet 31.3.5714 2008.04.19 -
Ewido 4.0 2008.04.19 -
F-Prot 4.4.2.54 2008.04.20 -
F-Secure 6.70.13260.0 2008.04.19 -
FileAdvisor 1 2008.04.20 -
Fortinet 3.14.0.0 2008.04.20 -
Ikarus T3.1.1.26.0 2008.04.20 -
Kaspersky 7.0.0.125 2008.04.20 -
McAfee 5277 2008.04.18 -
Microsoft 1.3408 2008.04.20 -
NOD32v2 3041 2008.04.19 -
Norman 5.80.02 2008.04.18 -
Panda 9.0.0.4 2008.04.19 -
Prevx1 V2 2008.04.20 -
Rising 20.40.62.00 2008.04.20 -
Sophos 4.28.0 2008.04.20 -
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.20 -
TheHacker 6.2.92.285 2008.04.19 -
VBA32 3.12.6.4 2008.04.16 -
VirusBuster 4.3.26:9 2008.04.19 -
Webwasher-Gateway 6.6.2 2008.04.18 -

附加訊息
File size: 360832 bytes
MD5...: 64798ecfa43d78c7178375fcdd16d8c8
SHA1..: 9f864005ebb9147012db4c2fbc0b23d8dae6cb68
SHA256: 0866341a50166200ff82781125dad1c6ebc4593abfbadde5d45e32d32b0fe903
SHA512: ec6b3fa6d7851f12aa87b30fe35797d934109f8618462fe5020d567f5206a1d3 2fd89489487e91bccc50c61f2abbed614892dad0f8c237bbaff65565a1498b94
PEiD..: -
PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x60aa3 timedatestamp.....: 0x47276189 (Tue Oct 30 16:53:29 2007) machinetype.......: 0x14c (I386) ( 10 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x380 0x3ee0e 0x3ee80 6.59 fa66bf829c9ddddc255d1ce20eee8bc5 .rdata 0x3f200 0x574 0x580 4.44 083e9d9bf06df4b3767e6d58ef4b263f .data 0x3f780 0xa4a4 0xa500 0.06 bc99afb1d65abc54dfba01f9847a8ee4 PAGE 0x49c80 0x1f2b 0x1f80 6.38 c71600990ce103daee008973fbba0b30 PAGELK 0x4bc00 0x6f2 0x700 6.21 33f8928f23d0d348c2179e13cfda242d PAGEIPMc 0x4c300 0x2781 0x2800 6.43 ebb829c092776199cfaf9458fbbef604 .edata 0x4eb00 0x341 0x380 5.22 6bd092a4adbde8e251da39ff2705a069 INIT 0x4ee80 0x5926 0x5980 6.19 878aed9caa342caf97f74bc4cc308955 .rsrc 0x54800 0x3f0 0x400 3.41 99a26048cfca1fdf299ceabf9424a634 .reloc 0x54c00 0x357c 0x3580 6.82 1e24cbade6e3ce7b4e8a9a8dc2291b8c ( 4 imports ) > HAL.dll: KfLowerIrql, KeRaiseIrqlToDpcLevel, KfReleaseSpinLock, KfAcquireSpinLock, KfRaiseIrql, KeGetCurrentIrql, KeQueryPerformanceCounter, ExAcquireFastMutex, ExReleaseFastMutex > NDIS.SYS: NdisCloseAdapter, NdisCancelSendPackets, NdisFreePacket, NdisUnchainBufferAtFront, NdisCompletePnPEvent, NdisFreePacketPool, NdisRequest, NdisAllocatePacket, NdisFreeMemory, NdisQueryAdapterInstanceName, NdisGetDriverHandle, NdisOpenAdapter, NdisAllocatePacketPoolEx, NdisGetReceivedPacket, NdisRegisterProtocol, NdisAllocateBuffer, NdisSetPacketPoolProtocolId, NdisReturnPackets, NdisCopyBuffer, NdisAllocateBufferPool, NdisFreeBufferPool, NdisReEnumerateProtocolBindings, NdisCompleteBindAdapter > ntoskrnl.exe: IoCreateDevice, _wcsicmp, wcscpy, wcsncpy, wcschr, ZwSetInformationThread, KeLeaveCriticalRegion, KeEnterCriticalRegion, KeQueryTimeIncrement, KeSetEvent, IoDeleteSymbolicLink, ExDeleteNPagedLookasideList, KeDelayExecutionThread, ZwOpenKey, KeSetTimerEx, KeInitializeTimer, KeInitializeDpc, ExInitializeNPagedLookasideList, MmLockPagableSectionByHandle, ZwQueryValueKey, ZwSetValueKey, InterlockedPopEntrySList, InterlockedPushEntrySList, ExIsProcessorFeaturePresent, RtlAddAccessAllowedAce, RtlCreateAcl, RtlLengthSid, SeExports, RtlMapGenericMask, IoGetFileObjectGenericMapping, ObReleaseObjectSecurity, SeSetSecurityDescriptorInfo, RtlLengthSecurityDescriptor, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, ObGetObjectSecurity, IofCallDriver, IoBuildDeviceIoControlRequest, IoGetDeviceObjectPointer, ObfDereferenceObject, RtlAddAce, RtlGetAce, IoCreateSymbolicLink, RtlInitializeSid, RtlLengthRequiredSid, ObSetSecurityObjectByPointer, RtlSelfRelativeToAbsoluteSD, RtlGetSaclSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, RtlGetDaclSecurityDescriptor, RtlVerifyVersionInfo, VerSetConditionMask, IoWMIRegistrationControl, IoGetCurrentProcess, KeInitializeTimerEx, RtlExtendedIntegerMultiply, KeQueryInterruptTime, _aulldiv, DbgBreakPoint, KeSetTargetProcessorDpc, RtlSetBit, SeUnlockSubjectContext, SeAccessCheck, SeLockSubjectContext, ObDereferenceSecurityDescriptor, PsGetCurrentProcessId, RtlWalkFrameChain, ExNotifyCallback, ExCreateCallback, ObReferenceObjectByHandle, MmUnlockPages, SeFreePrivileges, SeAppendPrivileges, ObLogSecurityDescriptor, SeAssignSecurity, IoFileObjectType, MmProbeAndLockPages, IoAllocateMdl, _except_handler3, ProbeForWrite, ObfReferenceObject, PsGetCurrentProcess, RtlPrefetchMemoryNonTemporal, KeInitializeMutex, MmIsThisAnNtAsSystem, KeWaitForSingleObject, KeReleaseMutex, KeReadStateEvent, IoDeleteDevice, ZwEnumerateValueKey, RtlUnicodeStringToInteger, RtlIpv4StringToAddressW, RtlTimeToTimeFields, ExLocalTimeToSystemTime, RtlExtendedMagicDivide, RtlAppendUnicodeToString, ZwClose, _allmul, MmQuerySystemSize, RtlCompareUnicodeString, RtlInitializeBitMap, RtlClearAllBits, RtlSetBits, wcslen, RtlAreBitsSet, RtlClearBits, RtlFindClearBitsAndSet, RtlFindClearRuns, DbgPrint, memmove, RtlCopyUnicodeString, RtlAppendUnicodeStringToString, ZwLoadDriver, KeResetEvent, IoAcquireCancelSpinLock, IoReleaseCancelSpinLock, IofCompleteRequest, ExfInterlockedAddUlong, MmMapLockedPagesSpecifyCache, IoFreeMdl, ExfInterlockedInsertTailList, RtlInitUnicodeString, MmMapLockedPages, KeNumberProcessors, RtlUnicodeStringToAnsiString, MmLockPagableDataSection, MmUnlockPagableImageSection, RtlCompareMemory, ExAllocatePoolWithTag, KeCancelTimer, KeClearEvent, RtlAnsiStringToUnicodeString, IoRaiseInformationalHardError, KeInitializeEvent, ExFreePoolWithTag, ExAllocatePoolWithTagPriority, KeInitializeSpinLock, _alldiv, KeQuerySystemTime, KefAcquireSpinLockAtDpcLevel, KefReleaseSpinLockFromDpcLevel, KeBugCheckEx, RtlSubAuthoritySid, KeTickCount, MmBuildMdlForNonPagedPool, ZwDeviceIoControlFile, ZwCreateFile > TDI.SYS: CTESystemUpTime, CTEBlock, CTELogEvent, CTESignal, CTEBlockWithTracker, CTEStartTimer, CTEInitEvent, CTEScheduleDelayedEvent, CTEInitTimer, TdiProviderReady, CTEInitialize, TdiDeregisterNetAddress, TdiRegisterNetAddress, TdiDeregisterDeviceObject, TdiRegisterDeviceObject, TdiDeregisterProvider, TdiRegisterProvider, TdiPnPPowerRequest, TdiCopyMdlChainToMdlChain, TdiInitialize, TdiDeregisterPnPHandlers, TdiRegisterPnPHandlers, CTEScheduleEvent, TdiCopyBufferToMdl, CTERemoveBlockTracker, CTEInsertBlockTracker, TdiMapUserRequest, TdiCopyBufferToMdlWithReservedMappingAtDpcLevel ( 31 exports ) ARPRcv, ARPRcvPacket, FreeIprBuff, GetIFAndLink, IPAddInterface, IPAllocBuff, IPDelInterface, IPDelayedNdisReEnumerateBindings, IPDeregisterARP, IPDisableSniffer, IPEnableSniffer, IPFreeBuff, IPGetAddrType, IPGetBestInterface, IPGetInfo, IPInjectPkt, IPProxyNdisRequest, IPRcvComplete, IPRcvPacket, IPRegisterARP, IPRegisterProtocol, IPSetIPSecStatus, IPTransmit, LookupRoute, LookupRouteInformation, LookupRouteInformationWithBuffer, SendICMPErr, SetIPSecPtr, UnSetIPSecPtr, UnSetIPSecSendPtr, tcpxsum 
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=64798ecfa43d78c7178375fcdd16d8c8

反病毒引擎版本最後更新掃瞄結果
AhnLab-V3 2008.4.19.0 2008.04.18 -
AntiVir 7.8.0.8 2008.04.18 -
Authentium 4.93.8 2008.04.19 -
Avast 4.8.1169.0 2008.04.19 -
AVG 7.5.0.516 2008.04.19 -
BitDefender 7.2 2008.04.20 -
CAT-QuickHeal 9.50 2008.04.19 -
ClamAV 0.92.1 2008.04.20 -
DrWeb 4.44.0.09170 2008.04.19 -
eSafe 7.0.15.0 2008.04.17 -
eTrust-Vet 31.3.5714 2008.04.19 -
Ewido 4.0 2008.04.19 -
F-Prot 4.4.2.54 2008.04.20 -
F-Secure 6.70.13260.0 2008.04.19 -
FileAdvisor 1 2008.04.20 -
Fortinet 3.14.0.0 2008.04.20 -
Ikarus T3.1.1.26.0 2008.04.20 -
Kaspersky 7.0.0.125 2008.04.20 -
McAfee 5277 2008.04.18 -
Microsoft 1.3408 2008.04.20 -
NOD32v2 3041 2008.04.19 -
Norman 5.80.02 2008.04.18 -
Panda 9.0.0.4 2008.04.19 -
Prevx1 V2 2008.04.20 -
Rising 20.40.62.00 2008.04.20 -
Sophos 4.28.0 2008.04.20 -
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.20 -
TheHacker 6.2.92.285 2008.04.19 -
VBA32 3.12.6.4 2008.04.16 -
VirusBuster 4.3.26:9 2008.04.19 -
Webwasher-Gateway 6.6.2 2008.04.18 -

附加訊息
File size: 360832 bytes
MD5...: 64798ecfa43d78c7178375fcdd16d8c8
SHA1..: 9f864005ebb9147012db4c2fbc0b23d8dae6cb68
SHA256: 0866341a50166200ff82781125dad1c6ebc4593abfbadde5d45e32d32b0fe903
SHA512: ec6b3fa6d7851f12aa87b30fe35797d934109f8618462fe5020d567f5206a1d3 2fd89489487e91bccc50c61f2abbed614892dad0f8c237bbaff65565a1498b94
PEiD..: -
PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x60aa3 timedatestamp.....: 0x47276189 (Tue Oct 30 16:53:29 2007) machinetype.......: 0x14c (I386) ( 10 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x380 0x3ee0e 0x3ee80 6.59 fa66bf829c9ddddc255d1ce20eee8bc5 .rdata 0x3f200 0x574 0x580 4.44 083e9d9bf06df4b3767e6d58ef4b263f .data 0x3f780 0xa4a4 0xa500 0.06 bc99afb1d65abc54dfba01f9847a8ee4 PAGE 0x49c80 0x1f2b 0x1f80 6.38 c71600990ce103daee008973fbba0b30 PAGELK 0x4bc00 0x6f2 0x700 6.21 33f8928f23d0d348c2179e13cfda242d PAGEIPMc 0x4c300 0x2781 0x2800 6.43 ebb829c092776199cfaf9458fbbef604 .edata 0x4eb00 0x341 0x380 5.22 6bd092a4adbde8e251da39ff2705a069 INIT 0x4ee80 0x5926 0x5980 6.19 878aed9caa342caf97f74bc4cc308955 .rsrc 0x54800 0x3f0 0x400 3.41 99a26048cfca1fdf299ceabf9424a634 .reloc 0x54c00 0x357c 0x3580 6.82 1e24cbade6e3ce7b4e8a9a8dc2291b8c ( 4 imports ) > HAL.dll: KfLowerIrql, KeRaiseIrqlToDpcLevel, KfReleaseSpinLock, KfAcquireSpinLock, KfRaiseIrql, KeGetCurrentIrql, KeQueryPerformanceCounter, ExAcquireFastMutex, ExReleaseFastMutex > NDIS.SYS: NdisCloseAdapter, NdisCancelSendPackets, NdisFreePacket, NdisUnchainBufferAtFront, NdisCompletePnPEvent, NdisFreePacketPool, NdisRequest, NdisAllocatePacket, NdisFreeMemory, NdisQueryAdapterInstanceName, NdisGetDriverHandle, NdisOpenAdapter, NdisAllocatePacketPoolEx, NdisGetReceivedPacket, NdisRegisterProtocol, NdisAllocateBuffer, NdisSetPacketPoolProtocolId, NdisReturnPackets, NdisCopyBuffer, NdisAllocateBufferPool, NdisFreeBufferPool, NdisReEnumerateProtocolBindings, NdisCompleteBindAdapter > ntoskrnl.exe: IoCreateDevice, _wcsicmp, wcscpy, wcsncpy, wcschr, ZwSetInformationThread, KeLeaveCriticalRegion, KeEnterCriticalRegion, KeQueryTimeIncrement, KeSetEvent, IoDeleteSymbolicLink, ExDeleteNPagedLookasideList, KeDelayExecutionThread, ZwOpenKey, KeSetTimerEx, KeInitializeTimer, KeInitializeDpc, ExInitializeNPagedLookasideList, MmLockPagableSectionByHandle, ZwQueryValueKey, ZwSetValueKey, InterlockedPopEntrySList, InterlockedPushEntrySList, ExIsProcessorFeaturePresent, RtlAddAccessAllowedAce, RtlCreateAcl, RtlLengthSid, SeExports, RtlMapGenericMask, IoGetFileObjectGenericMapping, ObReleaseObjectSecurity, SeSetSecurityDescriptorInfo, RtlLengthSecurityDescriptor, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, ObGetObjectSecurity, IofCallDriver, IoBuildDeviceIoControlRequest, IoGetDeviceObjectPointer, ObfDereferenceObject, RtlAddAce, RtlGetAce, IoCreateSymbolicLink, RtlInitializeSid, RtlLengthRequiredSid, ObSetSecurityObjectByPointer, RtlSelfRelativeToAbsoluteSD, RtlGetSaclSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, RtlGetDaclSecurityDescriptor, RtlVerifyVersionInfo, VerSetConditionMask, IoWMIRegistrationControl, IoGetCurrentProcess, KeInitializeTimerEx, RtlExtendedIntegerMultiply, KeQueryInterruptTime, _aulldiv, DbgBreakPoint, KeSetTargetProcessorDpc, RtlSetBit, SeUnlockSubjectContext, SeAccessCheck, SeLockSubjectContext, ObDereferenceSecurityDescriptor, PsGetCurrentProcessId, RtlWalkFrameChain, ExNotifyCallback, ExCreateCallback, ObReferenceObjectByHandle, MmUnlockPages, SeFreePrivileges, SeAppendPrivileges, ObLogSecurityDescriptor, SeAssignSecurity, IoFileObjectType, MmProbeAndLockPages, IoAllocateMdl, _except_handler3, ProbeForWrite, ObfReferenceObject, PsGetCurrentProcess, RtlPrefetchMemoryNonTemporal, KeInitializeMutex, MmIsThisAnNtAsSystem, KeWaitForSingleObject, KeReleaseMutex, KeReadStateEvent, IoDeleteDevice, ZwEnumerateValueKey, RtlUnicodeStringToInteger, RtlIpv4StringToAddressW, RtlTimeToTimeFields, ExLocalTimeToSystemTime, RtlExtendedMagicDivide, RtlAppendUnicodeToString, ZwClose, _allmul, MmQuerySystemSize, RtlCompareUnicodeString, RtlInitializeBitMap, RtlClearAllBits, RtlSetBits, wcslen, RtlAreBitsSet, RtlClearBits, RtlFindClearBitsAndSet, RtlFindClearRuns, DbgPrint, memmove, RtlCopyUnicodeString, RtlAppendUnicodeStringToString, ZwLoadDriver, KeResetEvent, IoAcquireCancelSpinLock, IoReleaseCancelSpinLock, IofCompleteRequest, ExfInterlockedAddUlong, MmMapLockedPagesSpecifyCache, IoFreeMdl, ExfInterlockedInsertTailList, RtlInitUnicodeString, MmMapLockedPages, KeNumberProcessors, RtlUnicodeStringToAnsiString, MmLockPagableDataSection, MmUnlockPagableImageSection, RtlCompareMemory, ExAllocatePoolWithTag, KeCancelTimer, KeClearEvent, RtlAnsiStringToUnicodeString, IoRaiseInformationalHardError, KeInitializeEvent, ExFreePoolWithTag, ExAllocatePoolWithTagPriority, KeInitializeSpinLock, _alldiv, KeQuerySystemTime, KefAcquireSpinLockAtDpcLevel, KefReleaseSpinLockFromDpcLevel, KeBugCheckEx, RtlSubAuthoritySid, KeTickCount, MmBuildMdlForNonPagedPool, ZwDeviceIoControlFile, ZwCreateFile > TDI.SYS: CTESystemUpTime, CTEBlock, CTELogEvent, CTESignal, CTEBlockWithTracker, CTEStartTimer, CTEInitEvent, CTEScheduleDelayedEvent, CTEInitTimer, TdiProviderReady, CTEInitialize, TdiDeregisterNetAddress, TdiRegisterNetAddress, TdiDeregisterDeviceObject, TdiRegisterDeviceObject, TdiDeregisterProvider, TdiRegisterProvider, TdiPnPPowerRequest, TdiCopyMdlChainToMdlChain, TdiInitialize, TdiDeregisterPnPHandlers, TdiRegisterPnPHandlers, CTEScheduleEvent, TdiCopyBufferToMdl, CTERemoveBlockTracker, CTEInsertBlockTracker, TdiMapUserRequest, TdiCopyBufferToMdlWithReservedMappingAtDpcLevel ( 31 exports ) ARPRcv, ARPRcvPacket, FreeIprBuff, GetIFAndLink, IPAddInterface, IPAllocBuff, IPDelInterface, IPDelayedNdisReEnumerateBindings, IPDeregisterARP, IPDisableSniffer, IPEnableSniffer, IPFreeBuff, IPGetAddrType, IPGetBestInterface, IPGetInfo, IPInjectPkt, IPProxyNdisRequest, IPRcvComplete, IPRcvPacket, IPRegisterARP, IPRegisterProtocol, IPSetIPSecStatus, IPTransmit, LookupRoute, LookupRouteInformation, LookupRouteInformationWithBuffer, SendICMPErr, SetIPSecPtr, UnSetIPSecPtr, UnSetIPSecSendPtr, tcpxsum 
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=64798ecfa43d78c7178375fcdd16d8c8

檔案 tcpip.sys 接收於 2008.04.28 20:15:49 (CET)反病毒引擎版本最後更新掃瞄結果
AhnLab-V3 2008.4.29.0 2008.04.28 -
AntiVir 7.8.0.10 2008.04.28 -
Authentium 4.93.8 2008.04.27 -
Avast 4.8.1169.0 2008.04.28 -
AVG 7.5.0.516 2008.04.28 -
BitDefender 7.2 2008.04.28 -
CAT-QuickHeal 9.50 2008.04.28 -
ClamAV 0.92.1 2008.04.28 -
DrWeb 4.44.0.09170 2008.04.28 -
eSafe 7.0.15.0 2008.04.27 -
eTrust-Vet 31.3.5741 2008.04.28 -
Ewido 4.0 2008.04.28 -
F-Prot 4.4.2.54 2008.04.27 -
F-Secure 6.70.13260.0 2008.04.28 -
FileAdvisor 1 2008.04.28 No threat detected, but known vulnerabilities exist
Fortinet 3.14.0.0 2008.04.28 -
Ikarus T3.1.1.26 2008.04.28 -
Kaspersky 7.0.0.125 2008.04.28 -
McAfee 5282 2008.04.25 -
Microsoft 1.3408 2008.04.22 -
NOD32v2 3060 2008.04.28 -
Panda 9.0.0.4 2008.04.27 -
Prevx1 V2 2008.04.28 -
Rising 20.42.01.00 2008.04.28 -
Sophos 4.28.0 2008.04.28 -
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.28 -
TheHacker 6.2.92.294 2008.04.26 -
VBA32 3.12.6.5 2008.04.28 -
VirusBuster 4.3.26:9 2008.04.28 -
Webwasher-Gateway 6.6.2 2008.04.28 -

附加訊息
File size: 359040 bytes
MD5...: 9f4b36614a0fc234525ba224957de55c
SHA1..: c4f3d44361a2afbc309db6993ee0ecf12b6666d1
SHA256: 56766ef576479367c29b2ee16cf232ede2569ceb0a72bf8e38fbabc9bf7c1bec
SHA512: cb94857fa99771ebe7bd70a2a462b2c032bea74eb3f7278faa3c233bc25dd4a3 4988bb87708d16b947627db15268674d7d069c6554fe115d3d3865c8f0704e9d
PEiD..: -
PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x61196 timedatestamp.....: 0x41107ecf (Wed Aug 04 06:14:39 2004) machinetype.......: 0x14c (I386) ( 10 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x380 0x3e946 0x3e980 6.60 643853ade61026df88ede2edb9ec7c33 .rdata 0x3ed00 0x57c 0x580 4.42 f8464eba6b02d00de9e773b0204cee78 .data 0x3f280 0xa4a4 0xa500 0.06 b3fc32b281b47111d104f80e77996f6c PAGE 0x49780 0x1f27 0x1f80 6.39 ea783b68f5cf42f310a6c23aa5236d34 PAGEIPMc 0x4b700 0x2783 0x2800 6.41 b9863a636b93f57fa3f39bc70defcb54 PAGELK 0x4df00 0x6f2 0x700 6.17 98b56ac9253dac973c411a2217b1124b .edata 0x4e600 0x2eb 0x300 5.30 bf33e66921dae71729e1c48f47faaf0b INIT 0x4e900 0x57f2 0x5800 6.21 194323979adbbb6a88673d8e797463ee .rsrc 0x54100 0x3f0 0x400 3.40 3ce484e663e0c007ee6a8661022ec6f2 .reloc 0x54500 0x3548 0x3580 6.80 242690837b0b00c1aa768245bd09bb33 ( 4 imports ) > ntoskrnl.exe: MmLockPagableSectionByHandle, _wcsicmp, wcscpy, wcsncpy, wcschr, RtlAppendUnicodeToString, RtlExtendedMagicDivide, ExLocalTimeToSystemTime, RtlTimeToTimeFields, RtlIpv4StringToAddressW, RtlUnicodeStringToInteger, ZwEnumerateValueKey, KeReadStateEvent, KeReleaseMutex, MmIsThisAnNtAsSystem, KeInitializeMutex, IoRaiseInformationalHardError, RtlAnsiStringToUnicodeString, RtlUnicodeStringToAnsiString, InterlockedPopEntrySList, InterlockedPushEntrySList, ZwQueryValueKey, ZwSetValueKey, ExIsProcessorFeaturePresent, RtlAddAccessAllowedAce, RtlCreateAcl, RtlLengthSid, SeExports, RtlMapGenericMask, IoGetFileObjectGenericMapping, ObReleaseObjectSecurity, SeSetSecurityDescriptorInfo, RtlLengthSecurityDescriptor, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, ObGetObjectSecurity, IofCallDriver, IoBuildDeviceIoControlRequest, IoGetDeviceObjectPointer, ObfDereferenceObject, RtlAddAce, RtlGetAce, MmLockPagableDataSection, RtlInitializeSid, RtlLengthRequiredSid, ObSetSecurityObjectByPointer, RtlSelfRelativeToAbsoluteSD, RtlGetSaclSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, RtlGetDaclSecurityDescriptor, RtlVerifyVersionInfo, VerSetConditionMask, IoWMIRegistrationControl, IoGetCurrentProcess, KeInitializeTimerEx, RtlExtendedIntegerMultiply, KeQueryInterruptTime, _aulldiv, DbgBreakPoint, KeSetTargetProcessorDpc, RtlSetBit, SeUnlockSubjectContext, SeAccessCheck, SeLockSubjectContext, ObDereferenceSecurityDescriptor, PsGetCurrentProcessId, RtlWalkFrameChain, _aulldvrm, ExNotifyCallback, ExCreateCallback, ObReferenceObjectByHandle, MmUnlockPages, SeFreePrivileges, SeAppendPrivileges, ObLogSecurityDescriptor, SeAssignSecurity, IoFileObjectType, MmProbeAndLockPages, IoAllocateMdl, _except_handler3, ProbeForWrite, ObfReferenceObject, PsGetCurrentProcess, RtlPrefetchMemoryNonTemporal, ExInitializeNPagedLookasideList, KeInitializeDpc, KeInitializeTimer, KeSetTimerEx, ZwClose, IoCreateDevice, IoDeleteDevice, ZwOpenKey, KeDelayExecutionThread, KeWaitForSingleObject, ExDeleteNPagedLookasideList, MmUnlockPagableImageSection, RtlInitUnicodeString, IoCreateSymbolicLink, IoDeleteSymbolicLink, KeSetEvent, KeQueryTimeIncrement, KeEnterCriticalRegion, KeLeaveCriticalRegion, ZwSetInformationThread, KeQuerySystemTime, _allmul, _alldiv, MmQuerySystemSize, ExfInterlockedInsertTailList, RtlCompareUnicodeString, RtlInitializeBitMap, RtlClearAllBits, RtlSetBits, wcslen, RtlCompareMemory, RtlAreBitsSet, RtlClearBits, RtlFindClearBitsAndSet, RtlFindClearRuns, KeCancelTimer, KeClearEvent, DbgPrint, memmove, RtlCopyUnicodeString, RtlAppendUnicodeStringToString, ZwLoadDriver, KeResetEvent, MmMapLockedPages, KeInitializeSpinLock, IoAcquireCancelSpinLock, IoReleaseCancelSpinLock, IofCompleteRequest, KeInitializeEvent, ExfInterlockedAddUlong, ExAllocatePoolWithTag, MmMapLockedPagesSpecifyCache, IoFreeMdl, KefAcquireSpinLockAtDpcLevel, KefReleaseSpinLockFromDpcLevel, KeNumberProcessors, ExFreePoolWithTag, ExAllocatePoolWithTagPriority, KeBugCheckEx, RtlSubAuthoritySid, KeTickCount, MmBuildMdlForNonPagedPool, ZwDeviceIoControlFile, ZwCreateFile > HAL.dll: KfLowerIrql, KfRaiseIrql, KfReleaseSpinLock, KfAcquireSpinLock, KeGetCurrentIrql, KeRaiseIrqlToDpcLevel, KeQueryPerformanceCounter, ExAcquireFastMutex, ExReleaseFastMutex > NDIS.SYS: NdisUnchainBufferAtFront, NdisAllocateBuffer, NdisFreePacket, NdisAllocatePacket, NdisSetPacketPoolProtocolId, NdisAllocatePacketPoolEx, NdisReturnPackets, NdisCompleteBindAdapter, NdisReEnumerateProtocolBindings, NdisFreeBufferPool, NdisFreePacketPool, NdisAllocateBufferPool, NdisCompletePnPEvent, NdisCloseAdapter, NdisCancelSendPackets, NdisRequest, NdisFreeMemory, NdisQueryAdapterInstanceName, NdisCopyBuffer, NdisRegisterProtocol, NdisGetReceivedPacket, NdisOpenAdapter, NdisGetDriverHandle > TDI.SYS: CTESignal, CTESystemUpTime, CTEScheduleDelayedEvent, CTEInitEvent, CTEStartTimer, CTEInitTimer, CTEBlock, TdiProviderReady, CTEInitialize, TdiDeregisterNetAddress, TdiRegisterNetAddress, TdiDeregisterDeviceObject, CTEBlockWithTracker, CTELogEvent, TdiRegisterDeviceObject, TdiCopyMdlChainToMdlChain, TdiPnPPowerRequest, TdiDeregisterProvider, TdiRegisterProvider, TdiInitialize, TdiDeregisterPnPHandlers, TdiRegisterPnPHandlers, CTEScheduleEvent, TdiCopyBufferToMdl, CTERemoveBlockTracker, CTEInsertBlockTracker, TdiMapUserRequest, TdiCopyBufferToMdlWithReservedMappingAtDpcLevel ( 27 exports ) FreeIprBuff, GetIFAndLink, IPAddInterface, IPAllocBuff, IPDelInterface, IPDelayedNdisReEnumerateBindings, IPDeregisterARP, IPDisableSniffer, IPEnableSniffer, IPFreeBuff, IPGetAddrType, IPGetBestInterface, IPGetInfo, IPInjectPkt, IPProxyNdisRequest, IPRegisterARP, IPRegisterProtocol, IPSetIPSecStatus, IPTransmit, LookupRoute, LookupRouteInformation, LookupRouteInformationWithBuffer, SendICMPErr, SetIPSecPtr, UnSetIPSecPtr, UnSetIPSecSendPtr, tcpxsum 
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=9f4b36614a0fc234525ba224957de55c

反病毒引擎;版本;最後更新;掃瞄結果
AhnLab-V3;2008.4.29.0;2008.04.28;-
AntiVir;7.8.0.10;2008.04.28;-
Authentium;4.93.8;2008.04.27;-
Avast;4.8.1169.0;2008.04.28;-
AVG;7.5.0.516;2008.04.28;-
BitDefender;7.2;2008.04.28;-
CAT-QuickHeal;9.50;2008.04.28;-
ClamAV;0.92.1;2008.04.28;-
DrWeb;4.44.0.09170;2008.04.28;-
eSafe;7.0.15.0;2008.04.27;-
eTrust-Vet;31.3.5741;2008.04.28;-
Ewido;4.0;2008.04.28;-
F-Prot;4.4.2.54;2008.04.27;-
F-Secure;6.70.13260.0;2008.04.28;-
FileAdvisor;1;2008.04.28;No threat detected, but known vulnerabilities exist
Fortinet;3.14.0.0;2008.04.28;-
Ikarus;T3.1.1.26;2008.04.28;-
Kaspersky;7.0.0.125;2008.04.28;-
McAfee;5282;2008.04.25;-
Microsoft;1.3408;2008.04.22;-
NOD32v2;3060;2008.04.28;-
Panda;9.0.0.4;2008.04.27;-
Prevx1;V2;2008.04.28;-
Rising;20.42.01.00;2008.04.28;-
Sophos;4.28.0;2008.04.28;-
Sunbelt;3.0.1056.0;2008.04.17;-
Symantec;10;2008.04.28;-
TheHacker;6.2.92.294;2008.04.26;-
VBA32;3.12.6.5;2008.04.28;-
VirusBuster;4.3.26:9;2008.04.28;-
Webwasher-Gateway;6.6.2;2008.04.28;-

附加訊息
File size: 359040 bytes
MD5...: 9f4b36614a0fc234525ba224957de55c
SHA1..: c4f3d44361a2afbc309db6993ee0ecf12b6666d1
SHA256: 56766ef576479367c29b2ee16cf232ede2569ceb0a72bf8e38fbabc9bf7c1bec
SHA512: cb94857fa99771ebe7bd70a2a462b2c032bea74eb3f7278faa3c233bc25dd4a3 4988bb87708d16b947627db15268674d7d069c6554fe115d3d3865c8f0704e9d
PEiD..: -
PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x61196 timedatestamp.....: 0x41107ecf (Wed Aug 04 06:14:39 2004) machinetype.......: 0x14c (I386) ( 10 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x380 0x3e946 0x3e980 6.60 643853ade61026df88ede2edb9ec7c33 .rdata 0x3ed00 0x57c 0x580 4.42 f8464eba6b02d00de9e773b0204cee78 .data 0x3f280 0xa4a4 0xa500 0.06 b3fc32b281b47111d104f80e77996f6c PAGE 0x49780 0x1f27 0x1f80 6.39 ea783b68f5cf42f310a6c23aa5236d34 PAGEIPMc 0x4b700 0x2783 0x2800 6.41 b9863a636b93f57fa3f39bc70defcb54 PAGELK 0x4df00 0x6f2 0x700 6.17 98b56ac9253dac973c411a2217b1124b .edata 0x4e600 0x2eb 0x300 5.30 bf33e66921dae71729e1c48f47faaf0b INIT 0x4e900 0x57f2 0x5800 6.21 194323979adbbb6a88673d8e797463ee .rsrc 0x54100 0x3f0 0x400 3.40 3ce484e663e0c007ee6a8661022ec6f2 .reloc 0x54500 0x3548 0x3580 6.80 242690837b0b00c1aa768245bd09bb33 ( 4 imports ) > ntoskrnl.exe: MmLockPagableSectionByHandle, _wcsicmp, wcscpy, wcsncpy, wcschr, RtlAppendUnicodeToString, RtlExtendedMagicDivide, ExLocalTimeToSystemTime, RtlTimeToTimeFields, RtlIpv4StringToAddressW, RtlUnicodeStringToInteger, ZwEnumerateValueKey, KeReadStateEvent, KeReleaseMutex, MmIsThisAnNtAsSystem, KeInitializeMutex, IoRaiseInformationalHardError, RtlAnsiStringToUnicodeString, RtlUnicodeStringToAnsiString, InterlockedPopEntrySList, InterlockedPushEntrySList, ZwQueryValueKey, ZwSetValueKey, ExIsProcessorFeaturePresent, RtlAddAccessAllowedAce, RtlCreateAcl, RtlLengthSid, SeExports, RtlMapGenericMask, IoGetFileObjectGenericMapping, ObReleaseObjectSecurity, SeSetSecurityDescriptorInfo, RtlLengthSecurityDescriptor, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, ObGetObjectSecurity, IofCallDriver, IoBuildDeviceIoControlRequest, IoGetDeviceObjectPointer, ObfDereferenceObject, RtlAddAce, RtlGetAce, MmLockPagableDataSection, RtlInitializeSid, RtlLengthRequiredSid, ObSetSecurityObjectByPointer, RtlSelfRelativeToAbsoluteSD, RtlGetSaclSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, RtlGetDaclSecurityDescriptor, RtlVerifyVersionInfo, VerSetConditionMask, IoWMIRegistrationControl, IoGetCurrentProcess, KeInitializeTimerEx, RtlExtendedIntegerMultiply, KeQueryInterruptTime, _aulldiv, DbgBreakPoint, KeSetTargetProcessorDpc, RtlSetBit, SeUnlockSubjectContext, SeAccessCheck, SeLockSubjectContext, ObDereferenceSecurityDescriptor, PsGetCurrentProcessId, RtlWalkFrameChain, _aulldvrm, ExNotifyCallback, ExCreateCallback, ObReferenceObjectByHandle, MmUnlockPages, SeFreePrivileges, SeAppendPrivileges, ObLogSecurityDescriptor, SeAssignSecurity, IoFileObjectType, MmProbeAndLockPages, IoAllocateMdl, _except_handler3, ProbeForWrite, ObfReferenceObject, PsGetCurrentProcess, RtlPrefetchMemoryNonTemporal, ExInitializeNPagedLookasideList, KeInitializeDpc, KeInitializeTimer, KeSetTimerEx, ZwClose, IoCreateDevice, IoDeleteDevice, ZwOpenKey, KeDelayExecutionThread, KeWaitForSingleObject, ExDeleteNPagedLookasideList, MmUnlockPagableImageSection, RtlInitUnicodeString, IoCreateSymbolicLink, IoDeleteSymbolicLink, KeSetEvent, KeQueryTimeIncrement, KeEnterCriticalRegion, KeLeaveCriticalRegion, ZwSetInformationThread, KeQuerySystemTime, _allmul, _alldiv, MmQuerySystemSize, ExfInterlockedInsertTailList, RtlCompareUnicodeString, RtlInitializeBitMap, RtlClearAllBits, RtlSetBits, wcslen, RtlCompareMemory, RtlAreBitsSet, RtlClearBits, RtlFindClearBitsAndSet, RtlFindClearRuns, KeCancelTimer, KeClearEvent, DbgPrint, memmove, RtlCopyUnicodeString, RtlAppendUnicodeStringToString, ZwLoadDriver, KeResetEvent, MmMapLockedPages, KeInitializeSpinLock, IoAcquireCancelSpinLock, IoReleaseCancelSpinLock, IofCompleteRequest, KeInitializeEvent, ExfInterlockedAddUlong, ExAllocatePoolWithTag, MmMapLockedPagesSpecifyCache, IoFreeMdl, KefAcquireSpinLockAtDpcLevel, KefReleaseSpinLockFromDpcLevel, KeNumberProcessors, ExFreePoolWithTag, ExAllocatePoolWithTagPriority, KeBugCheckEx, RtlSubAuthoritySid, KeTickCount, MmBuildMdlForNonPagedPool, ZwDeviceIoControlFile, ZwCreateFile > HAL.dll: KfLowerIrql, KfRaiseIrql, KfReleaseSpinLock, KfAcquireSpinLock, KeGetCurrentIrql, KeRaiseIrqlToDpcLevel, KeQueryPerformanceCounter, ExAcquireFastMutex, ExReleaseFastMutex > NDIS.SYS: NdisUnchainBufferAtFront, NdisAllocateBuffer, NdisFreePacket, NdisAllocatePacket, NdisSetPacketPoolProtocolId, NdisAllocatePacketPoolEx, NdisReturnPackets, NdisCompleteBindAdapter, NdisReEnumerateProtocolBindings, NdisFreeBufferPool, NdisFreePacketPool, NdisAllocateBufferPool, NdisCompletePnPEvent, NdisCloseAdapter, NdisCancelSendPackets, NdisRequest, NdisFreeMemory, NdisQueryAdapterInstanceName, NdisCopyBuffer, NdisRegisterProtocol, NdisGetReceivedPacket, NdisOpenAdapter, NdisGetDriverHandle > TDI.SYS: CTESignal, CTESystemUpTime, CTEScheduleDelayedEvent, CTEInitEvent, CTEStartTimer, CTEInitTimer, CTEBlock, TdiProviderReady, CTEInitialize, TdiDeregisterNetAddress, TdiRegisterNetAddress, TdiDeregisterDeviceObject, CTEBlockWithTracker, CTELogEvent, TdiRegisterDeviceObject, TdiCopyMdlChainToMdlChain, TdiPnPPowerRequest, TdiDeregisterProvider, TdiRegisterProvider, TdiInitialize, TdiDeregisterPnPHandlers, TdiRegisterPnPHandlers, CTEScheduleEvent, TdiCopyBufferToMdl, CTERemoveBlockTracker, CTEInsertBlockTracker, TdiMapUserRequest, TdiCopyBufferToMdlWithReservedMappingAtDpcLevel ( 27 exports ) FreeIprBuff, GetIFAndLink, IPAddInterface, IPAllocBuff, IPDelInterface, IPDelayedNdisReEnumerateBindings, IPDeregisterARP, IPDisableSniffer, IPEnableSniffer, IPFreeBuff, IPGetAddrType, IPGetBestInterface, IPGetInfo, IPInjectPkt, IPProxyNdisRequest, IPRegisterARP, IPRegisterProtocol, IPSetIPSecStatus, IPTransmit, LookupRoute, LookupRouteInformation, LookupRouteInformationWithBuffer, SendICMPErr, SetIPSecPtr, UnSetIPSecPtr, UnSetIPSecSendPtr, tcpxsum 
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=9f4b36614a0fc234525ba224957de55c

檔案 tcpip.sys 接收於 2008.03.21 15:08:48 (CET)反病毒引擎版本最後更新掃瞄結果
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
Ewido - - -
F-Prot - - -
F-Secure - - -
FileAdvisor - - -
Fortinet - - -
Ikarus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - -
Prevx1 - - -
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - Trojan-PSW.Win32.OnLineGames
VirusBuster - - -
Webwasher-Gateway - - -

附加訊息
MD5: b4e29943b4b04bd5e7381546848e6669
SHA1: 134f6e92e0474a32490dc169ae5ac168fa96c2b1
SHA256: b87f7bbbf007e19f6d9fc11815425d2f404c0693c49713b449c1a773c9512472
SHA512: e0429039376390a724d3059d864de726ee283389b636ca801d970c05d7aa667f004161f51ba1f7526628a0700c861fe3c7a200df17998740f37347773ffc8200

反病毒引擎;版本;最後更新;掃瞄結果
AhnLab-V3;-;-;-
AntiVir;-;-;-
Authentium;-;-;-
Avast;-;-;-
AVG;-;-;-
BitDefender;-;-;-
CAT-QuickHeal;-;-;-
ClamAV;-;-;-
DrWeb;-;-;-
eSafe;-;-;-
eTrust-Vet;-;-;-
Ewido;-;-;-
F-Prot;-;-;-
F-Secure;-;-;-
FileAdvisor;-;-;-
Fortinet;-;-;-
Ikarus;-;-;-
Kaspersky;-;-;-
McAfee;-;-;-
Microsoft;-;-;-
NOD32v2;-;-;-
Norman;-;-;-
Panda;-;-;-
Prevx1;-;-;-
Rising;-;-;-
Sophos;-;-;-
Sunbelt;-;-;-
Symantec;-;-;-
TheHacker;-;-;-
VBA32;-;-;Trojan-PSW.Win32.OnLineGames
VirusBuster;-;-;-
Webwasher-Gateway;-;-;-

附加訊息
MD5: b4e29943b4b04bd5e7381546848e6669
SHA1: 134f6e92e0474a32490dc169ae5ac168fa96c2b1
SHA256: b87f7bbbf007e19f6d9fc11815425d2f404c0693c49713b449c1a773c9512472
SHA512: e0429039376390a724d3059d864de726ee283389b636ca801d970c05d7aa667f004161f51ba1f7526628a0700c861fe3c7a200df17998740f37347773ffc8200

檔案 tcpip.sys 接收於 2008.03.03 11:58:32 (CET)反病毒引擎版本最後更新掃瞄結果
AhnLab-V3 2008.2.29.1 2008.03.03 -
AntiVir 7.6.0.73 2008.03.03 -
Authentium 4.93.8 2008.03.02 -
Avast 4.7.1098.0 2008.03.02 -
AVG 7.5.0.516 2008.03.02 -
BitDefender 7.2 2008.03.03 -
CAT-QuickHeal 9.50 2008.03.01 -
ClamAV 0.92.1 2008.03.03 -
DrWeb 4.44.0.09170 2008.03.03 -
eSafe 7.0.15.0 2008.02.28 -
eTrust-Vet 31.3.5582 2008.03.03 -
Ewido 4.0 2008.03.02 -
F-Prot 4.4.2.54 2008.03.02 -
F-Secure 6.70.13260.0 2008.03.03 -
FileAdvisor 1 2008.03.03 -
Fortinet 3.14.0.0 2008.03.03 -
Ikarus T3.1.1.20 2008.03.03 -
Kaspersky 7.0.0.125 2008.03.03 -
McAfee 5242 2008.02.29 -
Microsoft 1.3301 2008.03.03 -
NOD32v2 2916 2008.03.03 -
Norman 5.80.02 2008.02.29 -
Panda 9.0.0.4 2008.03.02 -
Prevx1 V2 2008.03.03 -
Rising 20.34.00.00 2008.03.03 -
Sophos 4.27.0 2008.03.03 -
Sunbelt 3.0.906.0 2008.02.28 -
Symantec 10 2008.03.03 -
TheHacker 6.2.92.231 2008.03.02 -
VBA32 3.12.6.2 2008.02.27 -
VirusBuster 4.3.26:9 2008.03.02 -
Webwasher-Gateway 6.6.2 2008.03.03 -

附加訊息
File size: 360064 bytes
MD5: 90caff4b094573449a0872a0f919b178
SHA1: 01c29459e70719163d78add6b7098b8550292824
PEiD: -

反病毒引擎;版本;最後更新;掃瞄結果
AhnLab-V3;2008.2.29.1;2008.03.03;-
AntiVir;7.6.0.73;2008.03.03;-
Authentium;4.93.8;2008.03.02;-
Avast;4.7.1098.0;2008.03.02;-
AVG;7.5.0.516;2008.03.02;-
BitDefender;7.2;2008.03.03;-
CAT-QuickHeal;9.50;2008.03.01;-
ClamAV;0.92.1;2008.03.03;-
DrWeb;4.44.0.09170;2008.03.03;-
eSafe;7.0.15.0;2008.02.28;-
eTrust-Vet;31.3.5582;2008.03.03;-
Ewido;4.0;2008.03.02;-
F-Prot;4.4.2.54;2008.03.02;-
F-Secure;6.70.13260.0;2008.03.03;-
FileAdvisor;1;2008.03.03;-
Fortinet;3.14.0.0;2008.03.03;-
Ikarus;T3.1.1.20;2008.03.03;-
Kaspersky;7.0.0.125;2008.03.03;-
McAfee;5242;2008.02.29;-
Microsoft;1.3301;2008.03.03;-
NOD32v2;2916;2008.03.03;-
Norman;5.80.02;2008.02.29;-
Panda;9.0.0.4;2008.03.02;-
Prevx1;V2;2008.03.03;-
Rising;20.34.00.00;2008.03.03;-
Sophos;4.27.0;2008.03.03;-
Sunbelt;3.0.906.0;2008.02.28;-
Symantec;10;2008.03.03;-
TheHacker;6.2.92.231;2008.03.02;-
VBA32;3.12.6.2;2008.02.27;-
VirusBuster;4.3.26:9;2008.03.02;-
Webwasher-Gateway;6.6.2;2008.03.03;-

附加訊息
File size: 360064 bytes
MD5: 90caff4b094573449a0872a0f919b178
SHA1: 01c29459e70719163d78add6b7098b8550292824
PEiD: -

檔案 tcpip.sys 接收於 2008.05.19 09:32:30 (CET)反病毒引擎版本最後更新掃瞄結果
AhnLab-V3 2008.5.16.0 2008.05.19 -
AntiVir 7.8.0.19 2008.05.18 -
Authentium 5.1.0.4 2008.05.18 -
Avast 4.8.1195.0 2008.05.18 -
AVG 7.5.0.516 2008.05.18 -
BitDefender 7.2 2008.05.19 -
CAT-QuickHeal 9.50 2008.05.17 -
ClamAV 0.92.1 2008.05.19 -
DrWeb 4.44.0.09170 2008.05.19 -
eSafe 7.0.15.0 2008.05.18 -
eTrust-Vet 31.4.5798 2008.05.16 -
Ewido 4.0 2008.05.18 -
F-Prot 4.4.2.54 2008.05.16 -
F-Secure 6.70.13260.0 2008.05.19 -
Fortinet 3.14.0.0 2008.05.19 -
GData 2.0.7306.1023 2008.05.19 -
Ikarus T3.1.1.26.0 2008.05.19 -
Kaspersky 7.0.0.125 2008.05.19 -
McAfee 5297 2008.05.17 -
Microsoft 1.3408 2008.05.13 -
NOD32v2 3107 2008.05.18 -
Norman 5.80.02 2008.05.16 -
Panda 9.0.0.4 2008.05.18 -
Prevx1 V2 2008.05.19 -
Rising 20.44.62.00 2008.05.18 -
Sophos 4.29.0 2008.05.19 -
Sunbelt 3.0.1123.1 2008.05.17 -
Symantec 10 2008.05.19 -
TheHacker 6.2.92.313 2008.05.19 -
VBA32 3.12.6.6 2008.05.18 -
VirusBuster 4.3.26:9 2008.05.18 -
Webwasher-Gateway 6.6.2 2008.05.19 -

附加訊息
File size: 360064 bytes
MD5...: ed06c31200714e734118f9a47f5df5ce
SHA1..: 8afdb73bee49158d6f78256e921d9502f2391b4a
SHA256: 7c419b505f34c66700720d3722a24a1b03a3c7d18926482e76f89601a84f15b2
SHA512: dd1e2f4dcb9ccdd62366e37bd85e6ec7d9a5b575bd6c515c735b68149adf27e5 b19f21b24aad55b20a0a552d8435ed837e6f28f3baab2fe07fa7ada38d5d3cdf
PEiD..: -
PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x61516 timedatestamp.....: 0x472767f4 (Tue Oct 30 17:20:52 2007) machinetype.......: 0x14c (I386) ( 10 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x380 0x3ec36 0x3ec80 6.59 bf3727cc30fc9381405d704fc48cf298 .rdata 0x3f000 0x57c 0x580 4.44 8e59e52de3e5dbcbceb5a3ef5f649f6e .data 0x3f580 0xa4a4 0xa500 0.06 b9a573e33adfdced8dd26084f4c34980 PAGE 0x49a80 0x1f2b 0x1f80 6.39 62835585c6d5d5460c7937ca9a24a666 PAGELK 0x4ba00 0x6f2 0x700 6.23 b006a6a497bb9c46495fbf448e59f7d0 PAGEIPMc 0x4c100 0x2781 0x2800 6.43 f388ecb2e9459286d1f285da46acd63e .edata 0x4e900 0x341 0x380 5.22 8712af1a96dac3a5cc93d8600aeab255 INIT 0x4ec80 0x5836 0x5880 6.21 6b00b0dbb4853c21ff203b0ab0e968b4 .rsrc 0x54500 0x3f0 0x400 3.41 f7e220f2cc645366d35917b1d898d5a1 .reloc 0x54900 0x3554 0x3580 6.80 70106385f23ac6f4e01fd4b1e2558fad ( 4 imports ) > HAL.dll: KfLowerIrql, KeRaiseIrqlToDpcLevel, KfReleaseSpinLock, KfAcquireSpinLock, KfRaiseIrql, KeGetCurrentIrql, KeQueryPerformanceCounter, ExAcquireFastMutex, ExReleaseFastMutex > NDIS.SYS: NdisCloseAdapter, NdisCancelSendPackets, NdisFreePacket, NdisUnchainBufferAtFront, NdisCompletePnPEvent, NdisFreePacketPool, NdisRequest, NdisAllocatePacket, NdisFreeMemory, NdisQueryAdapterInstanceName, NdisGetDriverHandle, NdisOpenAdapter, NdisAllocatePacketPoolEx, NdisGetReceivedPacket, NdisRegisterProtocol, NdisAllocateBuffer, NdisSetPacketPoolProtocolId, NdisReturnPackets, NdisCopyBuffer, NdisAllocateBufferPool, NdisFreeBufferPool, NdisReEnumerateProtocolBindings, NdisCompleteBindAdapter > ntoskrnl.exe: IoCreateDevice, _wcsicmp, wcscpy, wcsncpy, wcschr, ZwSetInformationThread, KeLeaveCriticalRegion, KeEnterCriticalRegion, KeQueryTimeIncrement, KeSetEvent, IoDeleteSymbolicLink, ExDeleteNPagedLookasideList, KeDelayExecutionThread, ZwOpenKey, KeSetTimerEx, KeInitializeTimer, KeInitializeDpc, ExInitializeNPagedLookasideList, MmLockPagableSectionByHandle, ZwQueryValueKey, ZwSetValueKey, InterlockedPopEntrySList, InterlockedPushEntrySList, ExIsProcessorFeaturePresent, RtlAddAccessAllowedAce, RtlCreateAcl, RtlLengthSid, SeExports, RtlMapGenericMask, IoGetFileObjectGenericMapping, ObReleaseObjectSecurity, SeSetSecurityDescriptorInfo, RtlLengthSecurityDescriptor, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, ObGetObjectSecurity, IofCallDriver, IoBuildDeviceIoControlRequest, IoGetDeviceObjectPointer, ObfDereferenceObject, RtlAddAce, RtlGetAce, IoCreateSymbolicLink, RtlInitializeSid, RtlLengthRequiredSid, ObSetSecurityObjectByPointer, RtlSelfRelativeToAbsoluteSD, RtlGetSaclSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, RtlGetDaclSecurityDescriptor, RtlVerifyVersionInfo, VerSetConditionMask, IoWMIRegistrationControl, IoGetCurrentProcess, KeInitializeTimerEx, RtlExtendedIntegerMultiply, KeQueryInterruptTime, _aulldiv, DbgBreakPoint, KeSetTargetProcessorDpc, RtlSetBit, SeUnlockSubjectContext, SeAccessCheck, SeLockSubjectContext, ObDereferenceSecurityDescriptor, PsGetCurrentProcessId, RtlWalkFrameChain, _aulldvrm, ExNotifyCallback, ExCreateCallback, ObReferenceObjectByHandle, MmUnlockPages, SeFreePrivileges, SeAppendPrivileges, ObLogSecurityDescriptor, SeAssignSecurity, IoFileObjectType, MmProbeAndLockPages, IoAllocateMdl, _except_handler3, ProbeForWrite, ObfReferenceObject, PsGetCurrentProcess, RtlPrefetchMemoryNonTemporal, KeInitializeMutex, MmIsThisAnNtAsSystem, KeWaitForSingleObject, KeReleaseMutex, KeReadStateEvent, IoDeleteDevice, ZwEnumerateValueKey, RtlUnicodeStringToInteger, RtlIpv4StringToAddressW, RtlTimeToTimeFields, ExLocalTimeToSystemTime, RtlExtendedMagicDivide, RtlAppendUnicodeToString, ZwClose, _allmul, MmQuerySystemSize, RtlCompareUnicodeString, RtlInitializeBitMap, RtlClearAllBits, RtlSetBits, wcslen, RtlAreBitsSet, RtlClearBits, RtlFindClearBitsAndSet, RtlFindClearRuns, DbgPrint, memmove, RtlCopyUnicodeString, RtlAppendUnicodeStringToString, ZwLoadDriver, KeResetEvent, IoAcquireCancelSpinLock, IoReleaseCancelSpinLock, IofCompleteRequest, ExfInterlockedAddUlong, MmMapLockedPagesSpecifyCache, IoFreeMdl, ExfInterlockedInsertTailList, RtlInitUnicodeString, MmMapLockedPages, KeNumberProcessors, RtlUnicodeStringToAnsiString, MmLockPagableDataSection, MmUnlockPagableImageSection, RtlCompareMemory, ExAllocatePoolWithTag, KeCancelTimer, KeClearEvent, RtlAnsiStringToUnicodeString, IoRaiseInformationalHardError, KeInitializeEvent, ExFreePoolWithTag, ExAllocatePoolWithTagPriority, KeInitializeSpinLock, _alldiv, KeQuerySystemTime, KefAcquireSpinLockAtDpcLevel, KefReleaseSpinLockFromDpcLevel, KeBugCheckEx, RtlSubAuthoritySid, KeTickCount, MmBuildMdlForNonPagedPool, ZwDeviceIoControlFile, ZwCreateFile > TDI.SYS: CTESystemUpTime, CTEBlock, CTELogEvent, CTESignal, CTEBlockWithTracker, CTEStartTimer, CTEInitEvent, CTEScheduleDelayedEvent, CTEInitTimer, TdiProviderReady, CTEInitialize, TdiDeregisterNetAddress, TdiRegisterNetAddress, TdiDeregisterDeviceObject, TdiRegisterDeviceObject, TdiDeregisterProvider, TdiRegisterProvider, TdiPnPPowerRequest, TdiCopyMdlChainToMdlChain, TdiInitialize, TdiDeregisterPnPHandlers, TdiRegisterPnPHandlers, CTEScheduleEvent, TdiCopyBufferToMdl, CTERemoveBlockTracker, CTEInsertBlockTracker, TdiMapUserRequest, TdiCopyBufferToMdlWithReservedMappingAtDpcLevel ( 31 exports ) ARPRcv, ARPRcvPacket, FreeIprBuff, GetIFAndLink, IPAddInterface, IPAllocBuff, IPDelInterface, IPDelayedNdisReEnumerateBindings, IPDeregisterARP, IPDisableSniffer, IPEnableSniffer, IPFreeBuff, IPGetAddrType, IPGetBestInterface, IPGetInfo, IPInjectPkt, IPProxyNdisRequest, IPRcvComplete, IPRcvPacket, IPRegisterARP, IPRegisterProtocol, IPSetIPSecStatus, IPTransmit, LookupRoute, LookupRouteInformation, LookupRouteInformationWithBuffer, SendICMPErr, SetIPSecPtr, UnSetIPSecPtr, UnSetIPSecSendPtr, tcpxsum 

反病毒引擎;版本;最後更新;掃瞄結果
AhnLab-V3;2008.5.16.0;2008.05.19;-
AntiVir;7.8.0.19;2008.05.18;-
Authentium;5.1.0.4;2008.05.18;-
Avast;4.8.1195.0;2008.05.18;-
AVG;7.5.0.516;2008.05.18;-
BitDefender;7.2;2008.05.19;-
CAT-QuickHeal;9.50;2008.05.17;-
ClamAV;0.92.1;2008.05.19;-
DrWeb;4.44.0.09170;2008.05.19;-
eSafe;7.0.15.0;2008.05.18;-
eTrust-Vet;31.4.5798;2008.05.16;-
Ewido;4.0;2008.05.18;-
F-Prot;4.4.2.54;2008.05.16;-
F-Secure;6.70.13260.0;2008.05.19;-
Fortinet;3.14.0.0;2008.05.19;-
GData;2.0.7306.1023;2008.05.19;-
Ikarus;T3.1.1.26.0;2008.05.19;-
Kaspersky;7.0.0.125;2008.05.19;-
McAfee;5297;2008.05.17;-
Microsoft;1.3408;2008.05.13;-
NOD32v2;3107;2008.05.18;-
Norman;5.80.02;2008.05.16;-
Panda;9.0.0.4;2008.05.18;-
Prevx1;V2;2008.05.19;-
Rising;20.44.62.00;2008.05.18;-
Sophos;4.29.0;2008.05.19;-
Sunbelt;3.0.1123.1;2008.05.17;-
Symantec;10;2008.05.19;-
TheHacker;6.2.92.313;2008.05.19;-
VBA32;3.12.6.6;2008.05.18;-
VirusBuster;4.3.26:9;2008.05.18;-
Webwasher-Gateway;6.6.2;2008.05.19;-

附加訊息
File size: 360064 bytes
MD5...: ed06c31200714e734118f9a47f5df5ce
SHA1..: 8afdb73bee49158d6f78256e921d9502f2391b4a
SHA256: 7c419b505f34c66700720d3722a24a1b03a3c7d18926482e76f89601a84f15b2
SHA512: dd1e2f4dcb9ccdd62366e37bd85e6ec7d9a5b575bd6c515c735b68149adf27e5 b19f21b24aad55b20a0a552d8435ed837e6f28f3baab2fe07fa7ada38d5d3cdf
PEiD..: -
PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x61516 timedatestamp.....: 0x472767f4 (Tue Oct 30 17:20:52 2007) machinetype.......: 0x14c (I386) ( 10 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x380 0x3ec36 0x3ec80 6.59 bf3727cc30fc9381405d704fc48cf298 .rdata 0x3f000 0x57c 0x580 4.44 8e59e52de3e5dbcbceb5a3ef5f649f6e .data 0x3f580 0xa4a4 0xa500 0.06 b9a573e33adfdced8dd26084f4c34980 PAGE 0x49a80 0x1f2b 0x1f80 6.39 62835585c6d5d5460c7937ca9a24a666 PAGELK 0x4ba00 0x6f2 0x700 6.23 b006a6a497bb9c46495fbf448e59f7d0 PAGEIPMc 0x4c100 0x2781 0x2800 6.43 f388ecb2e9459286d1f285da46acd63e .edata 0x4e900 0x341 0x380 5.22 8712af1a96dac3a5cc93d8600aeab255 INIT 0x4ec80 0x5836 0x5880 6.21 6b00b0dbb4853c21ff203b0ab0e968b4 .rsrc 0x54500 0x3f0 0x400 3.41 f7e220f2cc645366d35917b1d898d5a1 .reloc 0x54900 0x3554 0x3580 6.80 70106385f23ac6f4e01fd4b1e2558fad ( 4 imports ) > HAL.dll: KfLowerIrql, KeRaiseIrqlToDpcLevel, KfReleaseSpinLock, KfAcquireSpinLock, KfRaiseIrql, KeGetCurrentIrql, KeQueryPerformanceCounter, ExAcquireFastMutex, ExReleaseFastMutex > NDIS.SYS: NdisCloseAdapter, NdisCancelSendPackets, NdisFreePacket, NdisUnchainBufferAtFront, NdisCompletePnPEvent, NdisFreePacketPool, NdisRequest, NdisAllocatePacket, NdisFreeMemory, NdisQueryAdapterInstanceName, NdisGetDriverHandle, NdisOpenAdapter, NdisAllocatePacketPoolEx, NdisGetReceivedPacket, NdisRegisterProtocol, NdisAllocateBuffer, NdisSetPacketPoolProtocolId, NdisReturnPackets, NdisCopyBuffer, NdisAllocateBufferPool, NdisFreeBufferPool, NdisReEnumerateProtocolBindings, NdisCompleteBindAdapter > ntoskrnl.exe: IoCreateDevice, _wcsicmp, wcscpy, wcsncpy, wcschr, ZwSetInformationThread, KeLeaveCriticalRegion, KeEnterCriticalRegion, KeQueryTimeIncrement, KeSetEvent, IoDeleteSymbolicLink, ExDeleteNPagedLookasideList, KeDelayExecutionThread, ZwOpenKey, KeSetTimerEx, KeInitializeTimer, KeInitializeDpc, ExInitializeNPagedLookasideList, MmLockPagableSectionByHandle, ZwQueryValueKey, ZwSetValueKey, InterlockedPopEntrySList, InterlockedPushEntrySList, ExIsProcessorFeaturePresent, RtlAddAccessAllowedAce, RtlCreateAcl, RtlLengthSid, SeExports, RtlMapGenericMask, IoGetFileObjectGenericMapping, ObReleaseObjectSecurity, SeSetSecurityDescriptorInfo, RtlLengthSecurityDescriptor, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, ObGetObjectSecurity, IofCallDriver, IoBuildDeviceIoControlRequest, IoGetDeviceObjectPointer, ObfDereferenceObject, RtlAddAce, RtlGetAce, IoCreateSymbolicLink, RtlInitializeSid, RtlLengthRequiredSid, ObSetSecurityObjectByPointer, RtlSelfRelativeToAbsoluteSD, RtlGetSaclSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, RtlGetDaclSecurityDescriptor, RtlVerifyVersionInfo, VerSetConditionMask, IoWMIRegistrationControl, IoGetCurrentProcess, KeInitializeTimerEx, RtlExtendedIntegerMultiply, KeQueryInterruptTime, _aulldiv, DbgBreakPoint, KeSetTargetProcessorDpc, RtlSetBit, SeUnlockSubjectContext, SeAccessCheck, SeLockSubjectContext, ObDereferenceSecurityDescriptor, PsGetCurrentProcessId, RtlWalkFrameChain, _aulldvrm, ExNotifyCallback, ExCreateCallback, ObReferenceObjectByHandle, MmUnlockPages, SeFreePrivileges, SeAppendPrivileges, ObLogSecurityDescriptor, SeAssignSecurity, IoFileObjectType, MmProbeAndLockPages, IoAllocateMdl, _except_handler3, ProbeForWrite, ObfReferenceObject, PsGetCurrentProcess, RtlPrefetchMemoryNonTemporal, KeInitializeMutex, MmIsThisAnNtAsSystem, KeWaitForSingleObject, KeReleaseMutex, KeReadStateEvent, IoDeleteDevice, ZwEnumerateValueKey, RtlUnicodeStringToInteger, RtlIpv4StringToAddressW, RtlTimeToTimeFields, ExLocalTimeToSystemTime, RtlExtendedMagicDivide, RtlAppendUnicodeToString, ZwClose, _allmul, MmQuerySystemSize, RtlCompareUnicodeString, RtlInitializeBitMap, RtlClearAllBits, RtlSetBits, wcslen, RtlAreBitsSet, RtlClearBits, RtlFindClearBitsAndSet, RtlFindClearRuns, DbgPrint, memmove, RtlCopyUnicodeString, RtlAppendUnicodeStringToString, ZwLoadDriver, KeResetEvent, IoAcquireCancelSpinLock, IoReleaseCancelSpinLock, IofCompleteRequest, ExfInterlockedAddUlong, MmMapLockedPagesSpecifyCache, IoFreeMdl, ExfInterlockedInsertTailList, RtlInitUnicodeString, MmMapLockedPages, KeNumberProcessors, RtlUnicodeStringToAnsiString, MmLockPagableDataSection, MmUnlockPagableImageSection, RtlCompareMemory, ExAllocatePoolWithTag, KeCancelTimer, KeClearEvent, RtlAnsiStringToUnicodeString, IoRaiseInformationalHardError, KeInitializeEvent, ExFreePoolWithTag, ExAllocatePoolWithTagPriority, KeInitializeSpinLock, _alldiv, KeQuerySystemTime, KefAcquireSpinLockAtDpcLevel, KefReleaseSpinLockFromDpcLevel, KeBugCheckEx, RtlSubAuthoritySid, KeTickCount, MmBuildMdlForNonPagedPool, ZwDeviceIoControlFile, ZwCreateFile > TDI.SYS: CTESystemUpTime, CTEBlock, CTELogEvent, CTESignal, CTEBlockWithTracker, CTEStartTimer, CTEInitEvent, CTEScheduleDelayedEvent, CTEInitTimer, TdiProviderReady, CTEInitialize, TdiDeregisterNetAddress, TdiRegisterNetAddress, TdiDeregisterDeviceObject, TdiRegisterDeviceObject, TdiDeregisterProvider, TdiRegisterProvider, TdiPnPPowerRequest, TdiCopyMdlChainToMdlChain, TdiInitialize, TdiDeregisterPnPHandlers, TdiRegisterPnPHandlers, CTEScheduleEvent, TdiCopyBufferToMdl, CTERemoveBlockTracker, CTEInsertBlockTracker, TdiMapUserRequest, TdiCopyBufferToMdlWithReservedMappingAtDpcLevel ( 31 exports ) ARPRcv, ARPRcvPacket, FreeIprBuff, GetIFAndLink, IPAddInterface, IPAllocBuff, IPDelInterface, IPDelayedNdisReEnumerateBindings, IPDeregisterARP, IPDisableSniffer, IPEnableSniffer, IPFreeBuff, IPGetAddrType, IPGetBestInterface, IPGetInfo, IPInjectPkt, IPProxyNdisRequest, IPRcvComplete, IPRcvPacket, IPRegisterARP, IPRegisterProtocol, IPSetIPSecStatus, IPTransmit, LookupRoute, LookupRouteInformation, LookupRouteInformationWithBuffer, SendICMPErr, SetIPSecPtr, UnSetIPSecPtr, UnSetIPSecSendPtr, tcpxsum

tony6725

2008-06-01, 01:19

Hello I had done this prodedure. Please take a look.

ndmmxiaomayi

2008-06-01, 07:24

Hello,

Sorry for the delay. We shall skip the Uninstall list for now.

Run CFScript

Please open a new Notepad file and copy and paste the following in the Code box into Notepad:

http://forums.spybot.info/showthread.php?p=197702#post197702

File::
C:\WINDOWS\system32\lnafsody.ini
C:\WINDOWS\system32\texwtpji.ini
C:\WINDOWS\system32\eyiqflsg.ini
C:\WINDOWS\system32\mgoowcpj.ini
C:\WINDOWS\system32\wcvayejn.ini

Collect::
C:\WINDOWS\system32\jwchjnxv.dll
C:\WINDOWS\system32\ljJDSKAP.dll
C:\WINDOWS\system32\iifgEvSL.dll
C:\WINDOWS\system32\MsnShell32.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1B4801D3-9A53-4618-8E45-BED464CE2CBC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{522E0112-EDD9-413D-A99E-C311A54B6676}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91446146-892A-4C2C-9809-C3F9DD58CA35}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE4D7D2A-2A38-4F2B-AAAC-0FD83BD73F7E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6345D5D-4DD5-4EDF-87EA-1B62542F9B5D}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{522E0112-EDD9-413D-A99E-C311A54B6676}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"MsnShell32"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJDSKAP]

Warning: The above script is just for tony6725. If you are not tony6725, please do not use this script as it may damage the workings of your system.

Click on File > Save As....

In the File Name field, copy and paste in CFScript.txt. Do not change the file name.

Click Save.

Referring to the picture below, drag CFScript into Combofix.

http://i266.photobucket.com/albums/ii277/sUBs_/CFScript.gif

Combofix will start running. When done, a log will be produced. Please post this log in your next reply.

In addition, it will prompt you to submit some files for analyzing.

http://i266.photobucket.com/albums/ii277/sUBs_/CF-Submit_notice.gif

Click OK.

Copy and paste the file path into the text box next to the Browse button (boxed up in red).

http://xs123.xs.to/xs123/08053/cfsumbit320.png

Click on Send File.

Do not mouse click on Combofix while it is running. That may cause it to stall.

In your next reply, please post:

Combofix log (C:\Combofix.txt)
A new HijackThis log

tony6725

2008-06-01, 18:00

ComboFix 08-05-29.1 - TOSHIBA 2008-06-01 16:28:39.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.950.1.1028.18.291 [GMT 1:00]
執行位置?: C:\Documents and Settings\TOSHIBA\桌面\ComboFix.exe
Command switches used :: C:\Documents and Settings\TOSHIBA\桌面\CFScript.txt
* 已建立新的還原點
* Resident AV is active

FILE ::
C:\WINDOWS\system32\eyiqflsg.ini
C:\WINDOWS\system32\lnafsody.ini
C:\WINDOWS\system32\mgoowcpj.ini
C:\WINDOWS\system32\texwtpji.ini
C:\WINDOWS\system32\wcvayejn.ini
.

(((((((((((((((((((((((((((((((((((((( 其他遭刪除的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM1b5f3051.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ddcDwxxw.dll
C:\WINDOWS\system32\fpjoafdj.ini
C:\WINDOWS\system32\jbxgsbdc.dll
C:\WINDOWS\system32\jdfaojpf.dll
C:\WINDOWS\system32\wxxwDcdd.ini
C:\WINDOWS\system32\wxxwDcdd.ini2
.
---- Previous Run -------
.
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\eyiqflsg.ini
C:\WINDOWS\system32\iifgEvSL.dll
C:\WINDOWS\system32\jwchjnxv.dll
C:\WINDOWS\system32\ljJDSKAP.dll
C:\WINDOWS\system32\lnafsody.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mgoowcpj.ini
C:\WINDOWS\system32\MsnShell32.dll
C:\WINDOWS\system32\texwtpji.ini
C:\WINDOWS\system32\wcvayejn.ini

.
(((((((((((((((((((((((((((( 2008-05-01 - 2008-06-01 之間建立的檔案 )))))))))))))))))))))))))))))))))
.

2008-05-31 02:12 . 2008-05-31 02:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-30 19:46 . 2008-05-30 19:46 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-30 19:46 . 2008-05-30 19:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-30 13:50 . 2008-05-31 01:25 326 --a------ C:\WINDOWS\wininit.ini
2008-05-29 18:57 . 2008-05-29 18:57 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-29 18:57 . 2008-05-29 20:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-29 02:48 . 2007-08-13 18:52 66,048 --a------ C:\WINDOWS\ieResetIcons.exe
2008-05-29 01:19 . 2008-05-29 01:19 <DIR> d-------- C:\Documents and Settings\TOSHIBA\Application Data\Lavasoft
2008-05-29 01:17 . 2008-05-29 01:17 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-29 00:15 . 2008-05-29 00:15 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-28 02:25 . 2008-05-28 02:25 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-28 02:25 . 2008-05-28 02:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-28 01:16 . 2007-07-12 22:33 87,552 --a------ C:\WINDOWS\system32\cpwmon2k.dll
2008-05-28 01:13 . 2008-05-28 01:13 <DIR> d-------- C:\Program Files\Acro Software
2008-05-24 21:01 . 2008-05-24 21:03 <DIR> d-------- C:\Program Files\Zattoo
2008-05-24 03:08 . 2008-05-24 03:08 <DIR> d-------- C:\Program Files\PPLive
2008-05-24 03:08 . 2008-05-24 03:08 <DIR> d-------- C:\Program Files\Common Files\Synacast
2008-05-22 01:16 . 2008-05-22 01:16 <DIR> d-------- C:\Documents and Settings\TOSHIBA\Application Data\LinkedIn

.
(((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 15:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-06-01 15:35 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\DNA
2008-06-01 14:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-31 19:30 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\Skype
2008-05-30 15:34 --------- d-----w C:\Program Files\Foxy
2008-05-29 20:05 --------- d-----w C:\Program Files\Eset
2008-05-28 15:22 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\BitTorrent
2008-05-28 01:25 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-29 13:47 --------- d-----w C:\Program Files\TVAnts
2008-04-28 17:15 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-04-28 00:10 49,864 ----a-w C:\Documents and Settings\TOSHIBA\Application Data\GDIPFONTCACHEV1.DAT
2008-04-27 19:29 11,381 ----a-w C:\WINDOWS\E220AutoRunLog.tmp
2008-04-24 20:51 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\3M
2008-04-24 20:50 --------- d-----w C:\Program Files\3M
2008-04-22 23:45 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\ppstream
2008-04-20 00:52 --------- d-----w C:\Program Files\Kontiki
2008-04-20 00:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-17 19:23 --------- d-----w C:\Program Files\Apple Software Update
2008-04-17 17:03 --------- d-----w C:\Program Files\Google
2008-04-16 23:11 --------- d-----w C:\Program Files\TVAntsX
2008-04-13 23:20 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\foobar2000
2008-04-07 23:59 --------- d-----w C:\Program Files\iTunes
2008-04-07 23:57 --------- d-----w C:\Program Files\iPod
2008-04-07 23:54 --------- d-----w C:\Program Files\QuickTime
2008-04-07 00:23 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\toshiba
.

------- Sigcheck -------

2006-04-20 13:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 17:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-12 13:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2007-11-06 23:42 359808 b4e29943b4b04bd5e7381546848e6669 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2007-10-30 18:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 18:20 360064 ed06c31200714e734118f9a47f5df5ce C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2008-05-31_15.42.00.41 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-31 14:32:56 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-01 15:37:13 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-01 15:37:25 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_240.dat
.
(((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*注意* 空白或合法的登錄值將不會顯示

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 13:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-25 18:21 68856]
"ezHelper"="C:\Program Files\ezHelper\ezHelper.exe" [2006-11-30 03:59 456192]
"foxy"="C:\Program Files\Foxy\Foxy.exe" [2008-05-29 19:37 1160704]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-08 13:45 289088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-12 13:00 208952]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [2004-06-28 10:24 258048]
"000StTHK"="000StTHK.exe" [2001-06-23 13:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-04-06 17:19 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-04-06 17:07 114688]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 03:52 1368064]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 09:46 192512]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-06-13 10:21 122880]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 08:00 88363 C:\WINDOWS\agrsmmsg.exe]
"TFNF5"="TFNF5.exe" [2003-12-02 07:15 73728 C:\WINDOWS\system32\TFNF5.exe]
"TPSMain"="TPSMain.exe" [2004-06-01 13:43 278528 C:\WINDOWS\system32\TPSMain.exe]
"NDSTray.exe"="NDSTray.exe" []
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-03-02 06:45 135168]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-12 13:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-12 13:00 59392]
"CJIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.exe" [2003-07-14 14:57 63040]
"PHIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.exe" [2003-07-14 14:57 95296]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-01-26 06:36 495616]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-08-08 15:16 921600]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 22:45 279912]
"VX1000"="C:\WINDOWS\vVX1000.exe" [2007-04-10 22:46 709992]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-24 16:37 185632]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-17 18:03 29744]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"Device Detector"="DevDetect.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-12 13:00 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [ ]

C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
Google 更新器.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-25 18:21:28 125624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 18:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ASUS\\WL-330 Utilities\\Discovery330.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\ezPeerPlus\\ezPeerPlus.exe"=
"C:\\Program Files\\Foxy\\Foxy.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"C:\\Program Files\\TVAnts\\Tvants.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\SopCast\\sopvod.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Zattoo\\zattood.exe"=
"C:\\Program Files\\Zattoo\\Zattoo2.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10018:TCP"= 10018:TCP:Foxy (192.168.1.43:10018) 10018 TCP
"10018:UDP"= 10018:UDP:Foxy (192.168.1.43:10018) 10018 UDP

R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2007-05-17 22:45]
S3 ASINDIS5;ASINDIS5 Protocol Driver;C:\WINDOWS\system32\ASINDIS5.SYS [2002-09-10 12:35]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-17 18:03]
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);C:\WINDOWS\system32\DRIVERS\sea1bus.sys [2007-02-08 05:55]
S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\sea1mdfl.sys [2007-02-08 05:55]
S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\sea1mdm.sys [2007-02-08 05:55]
S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\sea1mgmt.sys [2007-02-08 05:56]
S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);C:\WINDOWS\system32\DRIVERS\sea1nd5.sys [2007-02-08 05:56]
S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\sea1obex.sys [2007-02-08 05:56]
S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);C:\WINDOWS\system32\DRIVERS\sea1unic.sys [2007-02-08 05:56]
S3 VX1000;VX-1000;C:\WINDOWS\system32\DRIVERS\VX1000.sys [2007-04-10 22:46]

.
排程工作資料夾的內容
"2008-05-29 15:03:40 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 16:38:16
Windows 5.1.2600 Service Pack 2 NTFS

掃描隱藏的程序...

掃描隱藏的進程...

掃描隱藏的檔案...

folder error: C:\Documents and Settings\TOSHIBA\「開始」功能表\程式集\啟動\
folder error: C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\3M\PDNotes\PDNotes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\File Manager\SendToDevice.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\SoftwareDistribution\Download\21c6169d3e46f366cb5d1751adb8cb13\update\update.exe
.
**************************************************************************
.
完成時間?: 2008-06-01 16:49:25 - machine was rebooted [TOSHIBA]
ComboFix-quarantined-files.txt 2008-06-01 15:48:07
ComboFix2.txt 2008-05-31 14:45:43

13 個目錄 15,433,850,880 位元組可用
17 個目錄 15,417,511,936 位元組可用

240 --- E O F --- 2008-05-16 11:35:20

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 下午 04:56:49, on 2008/6/1
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\vVX1000.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\3M\PDNotes\PDNotes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\File Manager\SendToDevice.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ezHelper] C:\Program Files\ezHelper\ezHelper.exe 300
O4 - HKCU\..\Run: [foxy] "C:\Program Files\Foxy\Foxy.exe" -tray
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Foxy 下載 - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy 搜尋 - res://C:\Program Files\Foxy\Foxy.exe/search.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.webmail.hinet.net
O15 - Trusted Zone: webmail.hinet.net
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1159CFA4-6BEA-4ED4-8166-5556B1BFB232} (pocx Control) - http://202.133.245.200/iCF20071025.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4C833081-D026-4FF8-968F-7EAB660D2FBA} (TVAnts ActiveX Control) - http://download.tvants.com/pub/tvants/tvants1/win32/cab/tvants.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {5F4D222D-5EEE-40A8-8810-5642B4E4F441} (KENCAPI Class) - https://ebank.tcb-bank.com.tw/netbank/html/ib/pages/FSCAPIATL.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185374795424
O16 - DPF: {C01170CC-AF05-46C3-88BC-2C120DCEE288} (KooPlayer Control) - http://www.im.tv/IMTVPlayer.ocx
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://extranet.cranfield.ac.uk/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{40233121-6B0E-4121-8A54-6B29E63F652F}: NameServer = 138.250.1.75,138.250.1.67
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod 服務 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 14183 bytes

BTW, Combo did not prompt me to send any file to analyse. When it finished, the blue window shut off automatically. Then windows update function which has been out of work for a while, has worked. Are these phenonmena above right?

ndmmxiaomayi

2008-06-01, 18:44

Hi,

I'm not sure for the Windows Update part, but Combofix should ask you to upload some files for analysis.

On your desktop, can you find this file - [4]-Submit_date@time.zip ?

date@time is the date and time Combofix created this file.

If so, please visit this website and upload this file - http://www.bleepingcomputer.com/submit-malware.php?channel=4

In the Link to topic where this file was requested:, copy and paste in http://forums.spybot.info/showthread.php?p=197702#post197702

Find files

Please open Notepad and copy and paste the following in the Code box into Notepad:

dir C:\*.* /L /A /B /S|Find "USBKey.exe" >> "%userprofile%\desktop\look.txt"
dir C:\*.* /L /A /B /S|Find "MsnHelp.exe" >> "%userprofile%\desktop\look.txt"
notepad "%userprofile%\desktop\look.txt"

Click on File > Save As....

In the File Name box, copy and paste in find.bat

In the Save As Type box, select All Files from the drop-down list.

Click Save.

Double click on find.bat to run it. Command Prompt will open, followed by Notepad afterwards. Please post the contents of this Notepad file in your next reply.

Note: Searching for files can take some time. Please be patient.

tony6725

2008-06-01, 22:41

Hello I cant really find the file created by combo. What I can find on my desktop is "requested-files[2008-06-01_00_10].cab". In order to make sure this is right file, I run combo again, and the result is still the same. Hence, I upload the file, you can see if it is right one.

Also, I tried to do what you insruct me, running fat.bat. But the pop-out windows tells me it can not find the path, so apparently there is no forthcoming instructions coming out.

Waht can I do?

ndmmxiaomayi

2008-06-02, 07:27

Hi,

The files have been deleted, that's why no zipped files are created.

Show hidden files

Open My Computer.
Go to Tools > Folder Options.
Select the View tab.
Scroll down to Hidden files and folders.
Select Show hidden files and folders.
Uncheck (untick) Hide extensions of known file types.
Uncheck (untick) Hide protected operating system files (Recommended).
Click Yes when prompted.
Click OK.

Navigate to this folder - C:\Windows\Downloaded Program Files

If a file named USBKey.exe is present, please let me know.

Find a file

Download FileFind.zip (http://www.atribune.org/downloads/FileFind.zip) by Atribune and save it to your desktop.
Locate the FileFind.zip that you've downloaded earlier.
Right click on FileFind.zip and select Extract All....
Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
Click on the Browse button. Click on Desktop. Then click OK.
Once done, check (tick) the Show extracted files box and click Finish.
Double click on FileFind.exe to run it.
Enter MsnHelp.exe into the File: box.
Click on the Search button.
After a while a list of file locations will appear in the List of Files: box.
Click on the Export button.
This will create a Notepad file named Export.txt located in C drive.
Please copy and paste it to your next reply.

tony6725

2008-06-07, 23:15

Sorry for my late response coz of my business trip. I had checked, there is no USBKEY file in the place where u mentioned above.

However, I tried to download FileFind, the webpage seems to be removed already(can't display the webpage).

Thanks for your help

ndmmxiaomayi

2008-06-07, 23:30

The website is down for the moment.

Please check all your hard disk drives for the presence of this file:

C:\RECYCLER\MsnHelp.exe

If you have more hard disk drives (example, D:\ and E:\) , make sure that MsnHelp.exe is not present.

If it's present, please delete the files.

tony6725

2008-06-07, 23:42

I have done the check, theere is no the presence of that file

ndmmxiaomayi

2008-06-07, 23:50

Sounds good.

Delete your current copy of Combofix and download it from one of these links:

Bleeping Computer (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Forospyware (http://www.forospyware.com/sUBs/ComboFix.exe)
Geeks to Go (http://subs.geekstogo.com/ComboFix.exe)

Save it to your desktop.

Disable NOD32 Antivirus temporarily

Please disable NOD32 Antivirus temporarily as it may interfere with the fixes. Remember to re-enable it back before posting the logs!

Please navigate to the system tray on the bottom right hand corner and look for a http://i94.photobucket.com/albums/l84/SillyGerman/BleepingComputer/nod32.png icon.

Open it and click on the http://i94.photobucket.com/albums/l84/SillyGerman/BleepingComputer/nod32_quit.png button.
A popup will warn that protection will now be disabled. Click on Yes to disable the Antivirus guard.

Run Combofix

Double on ComboFix.exe to run it. When done, a log will be produced. Please post this log, together with a new HijackThis log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

In your next reply, please post:

Combofix log (C:\Combofix.txt)
A new HijackThis log

tony6725

2008-06-08, 00:55

ComboFix 08-06-07.1 - TOSHIBA 2008-06-07 23:37:48.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.950.1.1028.18.297 [GMT 1:00]
執行位置?: C:\Documents and Settings\TOSHIBA\桌面\ComboFix.exe
* 已建立新的還原點
* Resident AV is active

.

(((((((((((((((((((((((((((( 2008-05-07 - 2008-06-07 之間建立的檔案 )))))))))))))))))))))))))))))))))
.

2008-06-05 03:12 . 2008-06-05 03:12 <DIR> d-------- C:\WINDOWS\Visca Barcelona! Uninstaller
2008-06-05 03:12 . 2008-02-20 16:50 903,680 --a------ C:\WINDOWS\Visca Barcelona!.scr
2008-06-05 03:12 . 2008-05-29 01:52 657,837 --a------ C:\WINDOWS\Visca Barcelona!.swf
2008-06-05 03:12 . 2008-05-29 01:49 640,056 --a------ C:\WINDOWS\Visca Barcelona!.bmp
2008-06-05 03:12 . 2008-02-20 16:49 495,104 --a------ C:\WINDOWS\Visca Barcelona!.exe
2008-06-05 03:12 . 2008-05-29 01:43 42,422 --a------ C:\WINDOWS\Visca Barcelona!.ico
2008-06-05 03:12 . 2008-05-29 01:52 678 --a------ C:\WINDOWS\Visca Barcelona!.c3
2008-06-05 03:12 . 2008-05-29 01:52 678 --a------ C:\WINDOWS\Visca Barcelona!.c1
2008-06-05 03:12 . 2006-10-24 17:06 639 --a------ C:\WINDOWS\Visca Barcelona!.c4
2008-06-05 03:12 . 2006-10-08 19:33 0 --a------ C:\WINDOWS\Visca Barcelona!.ini
2008-05-31 02:12 . 2008-05-31 02:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-30 19:46 . 2008-05-30 19:46 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-30 19:46 . 2008-05-30 19:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-30 13:50 . 2008-05-31 01:25 326 --a------ C:\WINDOWS\wininit.ini
2008-05-29 18:57 . 2008-05-29 18:57 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-29 18:57 . 2008-05-29 20:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-29 02:48 . 2007-08-13 18:52 66,048 --a------ C:\WINDOWS\ieResetIcons.exe
2008-05-29 01:19 . 2008-05-29 01:19 <DIR> d-------- C:\Documents and Settings\TOSHIBA\Application Data\Lavasoft
2008-05-29 01:17 . 2008-05-29 01:17 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-29 00:15 . 2008-05-29 00:15 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-28 02:25 . 2008-05-28 02:25 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-28 02:25 . 2008-05-28 02:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-28 01:16 . 2007-07-12 22:33 87,552 --a------ C:\WINDOWS\system32\cpwmon2k.dll
2008-05-28 01:13 . 2008-05-28 01:13 <DIR> d-------- C:\Program Files\Acro Software
2008-05-24 21:01 . 2008-06-05 21:20 <DIR> d-------- C:\Program Files\Zattoo
2008-05-24 03:08 . 2008-05-24 03:08 <DIR> d-------- C:\Program Files\PPLive
2008-05-24 03:08 . 2008-05-24 03:08 <DIR> d-------- C:\Program Files\Common Files\Synacast
2008-05-22 01:16 . 2008-05-22 01:16 <DIR> d-------- C:\Documents and Settings\TOSHIBA\Application Data\LinkedIn

.
(((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-07 22:35 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\BitTorrent
2008-06-07 22:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-06-07 16:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-06 09:40 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\Skype
2008-06-05 21:28 --------- d-----w C:\Program Files\Google
2008-06-05 07:38 50,720 ----a-w C:\Documents and Settings\TOSHIBA\Application Data\GDIPFONTCACHEV1.DAT
2008-05-30 15:34 --------- d-----w C:\Program Files\Foxy
2008-05-29 20:05 --------- d-----w C:\Program Files\Eset
2008-05-28 01:25 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-29 13:47 --------- d-----w C:\Program Files\TVAnts
2008-04-28 17:15 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-04-27 19:29 11,381 ----a-w C:\WINDOWS\E220AutoRunLog.tmp
2008-04-24 20:51 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\3M
2008-04-24 20:50 --------- d-----w C:\Program Files\3M
2008-04-22 23:45 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\ppstream
2008-04-20 00:52 --------- d-----w C:\Program Files\Kontiki
2008-04-20 00:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-17 19:23 --------- d-----w C:\Program Files\Apple Software Update
2008-04-16 23:11 --------- d-----w C:\Program Files\TVAntsX
2008-04-13 23:20 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\foobar2000
2008-04-07 23:59 --------- d-----w C:\Program Files\iTunes
2008-04-07 23:57 --------- d-----w C:\Program Files\iPod
2008-04-07 23:54 --------- d-----w C:\Program Files\QuickTime
2008-04-07 00:23 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\toshiba
2008-03-25 04:49 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:49 158,496 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-20 08:03 1,844,864 ----a-w C:\WINDOWS\system32\win32k.sys
.

------- Sigcheck -------

2006-04-20 13:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 17:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-12 13:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2007-11-06 23:42 359808 b4e29943b4b04bd5e7381546848e6669 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2007-10-30 18:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 18:20 360064 ed06c31200714e734118f9a47f5df5ce C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot_2008-06-01_21.23.22.78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-02-26 11:48:56 296,960 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\SP2QFE\msctf.dll
+ 2007-03-06 03:45:38 12,000 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\spmsg.dll
+ 2007-03-06 03:45:43 207,072 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\spuninst.exe
+ 2007-03-06 03:45:37 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\spcustom.dll
+ 2007-03-06 03:46:01 690,912 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\update.exe
+ 2007-03-06 03:46:53 328,928 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\updspapi.dll
- 2008-06-01 20:05:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-07 19:58:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-02-26 11:59:27 293,888 -c----w C:\WINDOWS\system32\dllcache\msctf.dll
- 2007-08-13 17:54:10 765,952 -c--a-w C:\WINDOWS\system32\dllcache\VGX.dll
+ 2007-07-12 23:30:24 765,952 -c--a-w C:\WINDOWS\system32\dllcache\vgx.dll
- 2004-08-12 12:00:00 293,376 ----a-w C:\WINDOWS\system32\MSCTF.dll
+ 2008-02-26 11:59:27 293,888 ----a-w C:\WINDOWS\system32\msctf.dll
+ 2008-06-07 20:00:14 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_340.dat
+ 2008-06-05 02:12:29 728,911 ----a-w C:\WINDOWS\Visca Barcelona! Uninstaller\unins000.exe
.
(((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*注意* 空白或合法的登錄值將不會顯示

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 13:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-25 18:21 68856]
"ezHelper"="C:\Program Files\ezHelper\ezHelper.exe" [2006-11-30 03:59 456192]
"foxy"="C:\Program Files\Foxy\Foxy.exe" [2008-05-29 19:37 1160704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-12 13:00 208952]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [2004-06-28 10:24 258048]
"000StTHK"="000StTHK.exe" [2001-06-23 13:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-04-06 17:19 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-04-06 17:07 114688]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 03:52 1368064]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 09:46 192512]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-06-13 10:21 122880]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 08:00 88363 C:\WINDOWS\agrsmmsg.exe]
"TFNF5"="TFNF5.exe" [2003-12-02 07:15 73728 C:\WINDOWS\system32\TFNF5.exe]
"TPSMain"="TPSMain.exe" [2004-06-01 13:43 278528 C:\WINDOWS\system32\TPSMain.exe]
"NDSTray.exe"="NDSTray.exe" []
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-03-02 06:45 135168]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-12 13:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-12 13:00 59392]
"CJIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.exe" [2003-07-14 14:57 63040]
"PHIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.exe" [2003-07-14 14:57 95296]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-01-26 06:36 495616]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-08-08 15:16 921600]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 22:45 279912]
"VX1000"="C:\WINDOWS\vVX1000.exe" [2007-04-10 22:46 709992]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-24 16:37 185632]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-17 18:03 29744]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"Device Detector"="DevDetect.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-12 13:00 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [ ]

C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
Google 更新器.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-25 18:21:28 125624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 18:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ASUS\\WL-330 Utilities\\Discovery330.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\ezPeerPlus\\ezPeerPlus.exe"=
"C:\\Program Files\\Foxy\\Foxy.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"C:\\Program Files\\TVAnts\\Tvants.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\SopCast\\sopvod.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Zattoo\\zattood.exe"=
"C:\\Program Files\\Zattoo\\Zattoo2.exe"=
"C:\\Program Files\\Zattoo\\Zattoo.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10018:TCP"= 10018:TCP:Foxy (192.168.1.43:10018) 10018 TCP
"10018:UDP"= 10018:UDP:Foxy (192.168.1.43:10018) 10018 UDP

R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2007-05-17 22:45]
S3 ASINDIS5;ASINDIS5 Protocol Driver;C:\WINDOWS\system32\ASINDIS5.SYS [2002-09-10 12:35]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-17 18:03]
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);C:\WINDOWS\system32\DRIVERS\sea1bus.sys [2007-02-08 05:55]
S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\sea1mdfl.sys [2007-02-08 05:55]
S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\sea1mdm.sys [2007-02-08 05:55]
S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\sea1mgmt.sys [2007-02-08 05:56]
S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);C:\WINDOWS\system32\DRIVERS\sea1nd5.sys [2007-02-08 05:56]
S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\sea1obex.sys [2007-02-08 05:56]
S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);C:\WINDOWS\system32\DRIVERS\sea1unic.sys [2007-02-08 05:56]
S3 VX1000;VX-1000;C:\WINDOWS\system32\DRIVERS\VX1000.sys [2007-04-10 22:46]

.
排程工作資料夾的內容
"2008-06-05 15:03:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-07 23:41:42
Windows 5.1.2600 Service Pack 2 NTFS

掃描隱藏的程序...

C:\WINDOWS\explorer.exe [2100] 0x817E5020

掃描隱藏的進程...

掃描隱藏的檔案...

folder error: C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
folder error: C:\Documents and Settings\TOSHIBA\「開始」功能表\程式集\啟動\

掃描完成
隱藏檔案?: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
完成時間?: 2008-06-07 23:43:36
ComboFix-quarantined-files.txt 2008-06-07 22:42:50

13 個目錄 14,782,140,416 位元組可用
16 個目錄 15,124,828,160 位元組可用

206 --- E O F --- 2008-06-02 08:42:22

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 下午 11:53:41, on 2008/6/7
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\3M\PDNotes\PDNotes.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ezHelper] C:\Program Files\ezHelper\ezHelper.exe 300
O4 - HKCU\..\Run: [foxy] "C:\Program Files\Foxy\Foxy.exe" -tray
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Foxy 下載 - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy 搜尋 - res://C:\Program Files\Foxy\Foxy.exe/search.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.webmail.hinet.net
O15 - Trusted Zone: webmail.hinet.net
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1159CFA4-6BEA-4ED4-8166-5556B1BFB232} (pocx Control) - http://202.133.245.200/iCF20071025.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4C833081-D026-4FF8-968F-7EAB660D2FBA} (TVAnts ActiveX Control) - http://download.tvants.com/pub/tvants/tvants1/win32/cab/tvants.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {5F4D222D-5EEE-40A8-8810-5642B4E4F441} (KENCAPI Class) - https://ebank.tcb-bank.com.tw/netbank/html/ib/pages/FSCAPIATL.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185374795424
O16 - DPF: {C01170CC-AF05-46C3-88BC-2C120DCEE288} (KooPlayer Control) - http://www.im.tv/IMTVPlayer.ocx
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://extranet.cranfield.ac.uk/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{40233121-6B0E-4121-8A54-6B29E63F652F}: NameServer = 138.250.1.75,138.250.1.67
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod 服務 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 13616 bytes

ndmmxiaomayi

2008-06-08, 06:31

Did you install these ?

C:\WINDOWS\Visca Barcelona! Uninstaller
C:\WINDOWS\Visca Barcelona!.scr
C:\WINDOWS\Visca Barcelona!.swf
C:\WINDOWS\Visca Barcelona!.bmp
C:\WINDOWS\Visca Barcelona!.exe
C:\WINDOWS\Visca Barcelona!.ico
C:\WINDOWS\Visca Barcelona!.c3
C:\WINDOWS\Visca Barcelona!.c1
C:\WINDOWS\Visca Barcelona!.c4
C:\WINDOWS\Visca Barcelona!.ini

2008-06-07 22:35 --------- d-----w C:\Documents and Settings\TOSHIBA\Application Data\BitTorrent

Reminder: Don't use P2P programs while we are still cleaning the computer.

http://forums.spybot.info/showpost.php?p=197452&postcount=2

tony6725

2008-06-08, 14:17

yes, I did download this programme as window sreensaver. In terms of P2P, I remember I close it when I ran Combofix.

So, do you mean I should redo?

ndmmxiaomayi

2008-06-08, 20:47

There's no need to re-do.

Run ATF Cleaner

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) and save it to your desktop.

Double click on ATF-Cleaner.exe to run it.

Click on Main at the top.
Tick all the boxes except the Prefetch and Cookies box.
Click on Empty Selected button.

If you use Firefox

Click on Firefox at the top.
Tick all the boxes except Firefox Cookies and Firefox Saved Passwords.
Click on Empty Selected button.

If you use Opera

Click on Opera at the top.
Tick all the boxes except Opera Cookies and Opera Saved Passwords.
Click on Empty Selected button.

Close ATF Cleaner when you are done.

Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) and save it to a convenient location.
Double click on mbam-setup.exe to install it.
Before clicking the Finish button, make sure that these 2 boxes are checked (ticked): Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
Select the Scanner tab. Click on Perform full scan, then click on Scan.
Leave the default options as it is and click on Start Scan.
When done, you will be prompted. Click OK, then click on Show Results.
Checked (ticked) all items and click on Remove Selected.
After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.

In your next reply, please post:

Malwarebytes' Anti-Malware scan report
A new HijackThis log

tony6725

2008-06-09, 03:10

I had a problem when I ran Malware software.

when the scan was running after 1 mins plus, there was a window suddenly poping out. It said Run-Time Error "6". Overflow. I had tried twice, but the problem keep happening.

ndmmxiaomayi

2008-06-09, 15:18

I will pass your message along to the developer.

In the meanwhile, please do the following:

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan. Please use Internet Explorer as it uses ActiveX.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an ActiveX from Kaspersky. Click Yes.
When the downloads have finished, click on Next button.
Click on Scan Settings button.
Select extended under Scan using the following antivirus database:
Check (tick) these boxes under Scan options: Scan Archives
Scan Mail Bases Click OK
Click on My Computer under Please select a target to scan:
Once the scan is complete it will display if your system has been infected. Click on Save as text button and save it to your desktop.
Copy and paste this log in your next reply.

In your next reply, please post:

Kaspersky Antivirus scan report
A new HijackThis log

tony6725

2008-06-10, 11:31

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, June 10, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, June 10, 2008 00:45:36
Records in database: 845469
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\

Scan statistics:
Files scanned: 78069
Threat name: 15
Infected objects: 17
Suspicious objects: 0
Duration of the scan: 01:57:09

File name / Threat name / Threats count
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Outlook\OutlookHotmail-00000002.pst Infected: Email-Worm.Win32.Bagle.gt 1
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail (to 836\Deleted items\2DDA5BAC-0000101E.eml Infected: Trojan-PSW.Win32.Magania.smb 1
C:\Program Files\Eset\infected\23RGQNCA.NQF Infected: Trojan.Win32.Agent.hfr 1
C:\Program Files\Eset\infected\CKDPTXBA.NQF Infected: Trojan.Win32.Agent.cnm 1
C:\Program Files\Eset\infected\ESVQV5AA.NQF Infected: Trojan-Downloader.Win32.Agent.qzz 1
C:\Program Files\Eset\infected\MJKO1RBA.NQF Infected: Trojan.Win32.Inject.ud 1
C:\Program Files\Eset\infected\QKKCMDAA.NQF Infected: Worm.Win32.Skipi.c 1
C:\Program Files\Eset\infected\TJ4YF0DA.NQF Infected: not-a-virus:Downloader.Win32.WinFixer.au 1
C:\Program Files\Eset\infected\XGG0DGAA.NQF Infected: Trojan-Dropper.Win32.Agent.bdj 1
C:\QooBox\Quarantine\C\WINDOWS\system32\dxitpbqh.dll.vir Infected: Trojan.Win32.Monder.le 1
C:\QooBox\Quarantine\C\WINDOWS\system32\fsungpdg.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.vqd 1
C:\QooBox\Quarantine\C\WINDOWS\system32\lbjjqrbt.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.vqf 1
C:\QooBox\Quarantine\C\WINDOWS\system32\mlJDsRki.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\qvwnvmfa.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.vqf 1
C:\QooBox\Quarantine\catchme2008-06-01_163742.91.zip Infected: not-a-virus:AdWare.Win32.Virtumonde.trt 2
C:\QooBox\Quarantine\catchme2008-06-01_163742.91.zip Infected: Backdoor.Win32.Agent.gkf 1

The selected area was scanned.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 上午 10:29:49, on 2008/6/10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\vVX1000.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\3M\PDNotes\PDNotes.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\TOSHIBA\Local Settings\Temp\jkos-TOSHIBA\binaries\ScanningProcess.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ezHelper] C:\Program Files\ezHelper\ezHelper.exe 300
O4 - HKCU\..\Run: [foxy] "C:\Program Files\Foxy\Foxy.exe" -tray
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Foxy 下載 - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy 搜尋 - res://C:\Program Files\Foxy\Foxy.exe/search.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.webmail.hinet.net
O15 - Trusted Zone: webmail.hinet.net
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1159CFA4-6BEA-4ED4-8166-5556B1BFB232} (pocx Control) - http://202.133.245.200/iCF20071025.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4C833081-D026-4FF8-968F-7EAB660D2FBA} (TVAnts ActiveX Control) - http://download.tvants.com/pub/tvants/tvants1/win32/cab/tvants.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {5F4D222D-5EEE-40A8-8810-5642B4E4F441} (KENCAPI Class) - https://ebank.tcb-bank.com.tw/netbank/html/ib/pages/FSCAPIATL.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185374795424
O16 - DPF: {C01170CC-AF05-46C3-88BC-2C120DCEE288} (KooPlayer Control) - http://www.im.tv/IMTVPlayer.ocx
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://extranet.cranfield.ac.uk/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{40233121-6B0E-4121-8A54-6B29E63F652F}: NameServer = 138.250.1.75,138.250.1.67
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod 服務 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 13992 bytes

ndmmxiaomayi

2008-06-10, 16:55

The new Kaspersky scan doesn't look very informative. It showed that there are infected mails in your mail box, but it doesn't tell us what mails are infected. We aren't going to delete the whole mail box just for one infected mail. :rolleyes:

Let's see if another scanner works.

Please go to Eset website (http://www.eset.com/onlinescan/) to perform an online scan. Please use Internet Explorer as it uses ActiveX.

Check (tick) this box: YES, I accept the Terms of Use.
Click on the Start button next to it.
When prompted to run ActiveX. click Yes.
You will be asked to install an ActiveX. Click Install.
Once installed, the scanner will be initialized.
After the scanner is initialized, click Start.
Uncheck (untick) Remove found threats box.
Check (tick) Scan unwanted applications.
Click on Scan.
It will start scanning. Please be patient.
Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt. Please post this log in your next reply.

tony6725

2008-06-10, 22:03

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3173 (20080610)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=0925a11e1bf37f49a096187e8e84b65d
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-06-10 07:59:36
# local_time=2008-06-10 08:59:36 )
# country="Taiwan"
# osver=5.1.2600 NT Service Pack 2
# scanned=246126
# found=5
# scan_time=4394
# nod_component=NOD32MOD_WINNT_CHINESE_BASE Build:0x1108031e (NOD32 for Windows NT/2000/XP/2003/x64 - Base)
# nod_component=NOD32MOD_WINNT_CHINESE_INET Build:0x1108031e (NOD32 for Windows NT/2000/XP/2003/x64 - Internet support)
# nod_component=NOD32MOD_WINNT_CHINESE_STANDARD Build:0x1108031e (NOD32 for Windows NT/2000/XP/2003/x64 - Standard component)
C:\QooBox\Quarantine\catchme2008-06-01_163742.91.zip multiple infiltrations 4D0201511FF470C311996349D9BDC558
C:\QooBox\Quarantine\catchme2008-06-01_163742.91.zip ?ZIP ?Documents and Settings/TOSHIBA/catchme.zip multiple infiltrations 00000000000000000000000000000000
C:\QooBox\Quarantine\catchme2008-06-01_163742.91.zip ?ZIP ?Documents and Settings/TOSHIBA/catchme.zip ?ZIP ?iifgEvSL.dll Win32/Adware.Virtumonde application 00000000000000000000000000000000
C:\QooBox\Quarantine\catchme2008-06-01_163742.91.zip ?ZIP ?Documents and Settings/TOSHIBA/catchme.zip ?ZIP ?ljJDSKAP.dll Win32/Adware.Virtumonde application 00000000000000000000000000000000
C:\QooBox\Quarantine\catchme2008-06-01_163742.91.zip ?ZIP ?Documents and Settings/TOSHIBA/catchme.zip ?ZIP ?MsnShell32.dll Win32/AutoRun.OQ worm 00000000000000000000000000000000

ndmmxiaomayi

2008-06-11, 15:18

Doesn't look very informative. :sad:

I see that you have NOD32 Antivirus. Does it has an email scanner? Please try scanning your whole system with NOD32 Antivirus.

tony6725

2008-06-11, 20:48

NOD32版本 3172 (20080610) NT
正在檢查NOD32.EXE檔案的CRC：狀態正常
掃描操作記憶體時發生錯誤。不能掃描操作記憶體(核心服務並未運作或載入nod32m1.vxd時發生錯誤)。
日期： 11.6.2008 時間：18:40:57
已掃描的磁碟，目錄及檔案：C:
C:\pagefile.sys - 開啟 (檔案被鎖定)時發生錯誤。 [4]
C:\Documents and Settings\NetworkService\NTUSER.DAT - 開啟 (檔案被鎖定)時發生錯誤。 [4]
C:\Documents and Settings\NetworkService\ntuser.dat.LOG - 開啟 (檔案被鎖定)時發生錯誤。 [4]
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - 開啟 (檔案被鎖定)時發生錯誤。 [4]
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - 開啟 (檔案被鎖定)時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\NTUSER.DAT - 開啟 (檔案被鎖定)時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\ntuser.dat.LOG - 開啟 (檔案被鎖定)時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\01\35-{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}-v1-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v35-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\04\204-{81199B9C-A1ED-4272-B20B-68D8DDA3F709}-v204-{81199B9C-A1ED-4272-B20B-68D8DDA3F709}-v204-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\05\205-{81199B9C-A1ED-4272-B20B-68D8DDA3F709}-v205-{81199B9C-A1ED-4272-B20B-68D8DDA3F709}-v205-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\06\206-{81199B9C-A1ED-4272-B20B-68D8DDA3F709}-v206-{81199B9C-A1ED-4272-B20B-68D8DDA3F709}-v206-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\07\207-{81199B9C-A1ED-4272-B20B-68D8DDA3F709}-v207-{81199B9C-A1ED-4272-B20B-68D8DDA3F709}-v207-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\08\208-{81199B9C-A1ED-4272-B20B-68D8DDA3F709}-v208-{81199B9C-A1ED-4272-B20B-68D8DDA3F709}-v208-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\09\209-{81199B9C-A1ED-4272-B20B-68D8DDA3F709}-v209-{81199B9C-A1ED-4272-B20B-68D8DDA3F709}-v209-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\10\141-{81199B9C-A1ED-4272-B20B-68D8DDA3F709}-v210-{B15AD867-F633-41BE-80FC-FE2555A3A699}-v141-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\11\2917-{81199B9C-A1ED-4272-B20B-68D8DDA3F709}-v11-{383E0AF5-1026-47ED-BAAA-00FA695F5784}-v2917-Partial.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\12\2916-{81199B9C-A1ED-4272-B20B-68D8DDA3F709}-v12-{383E0AF5-1026-47ED-BAAA-00FA695F5784}-v2916-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\32\32-{B83E7ACB-BAF6-4BC7-83AF-463640566992}-v32-{B83E7ACB-BAF6-4BC7-83AF-463640566992}-v32-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\33\33-{B83E7ACB-BAF6-4BC7-83AF-463640566992}-v33-{B83E7ACB-BAF6-4BC7-83AF-463640566992}-v33-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\36\36-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v36-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v36-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\37\37-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v37-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v37-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\38\38-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v38-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v38-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\38\38-{B83E7ACB-BAF6-4BC7-83AF-463640566992}-v38-{B83E7ACB-BAF6-4BC7-83AF-463640566992}-v38-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\39\39-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v39-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v39-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\39\39-{B83E7ACB-BAF6-4BC7-83AF-463640566992}-v39-{B83E7ACB-BAF6-4BC7-83AF-463640566992}-v39-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\40\40-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v40-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v40-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\40\40-{B83E7ACB-BAF6-4BC7-83AF-463640566992}-v40-{B83E7ACB-BAF6-4BC7-83AF-463640566992}-v40-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\41\41-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v41-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v41-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\41\41-{B83E7ACB-BAF6-4BC7-83AF-463640566992}-v41-{B83E7ACB-BAF6-4BC7-83AF-463640566992}-v41-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\42\42-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v42-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v42-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\43\43-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v43-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v43-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\44\44-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v44-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v44-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\45\45-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v45-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v45-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\46\46-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v46-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v46-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\47\47-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v47-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v47-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\48\48-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v48-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v48-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\49\49-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v49-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v49-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\50\50-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v50-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v50-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\51\51-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v51-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v51-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\52\52-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v52-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v52-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\53\53-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v53-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v53-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\54\54-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v54-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v54-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\55\55-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v55-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v55-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\56\56-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v56-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v56-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\57\57-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v57-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v57-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\58\58-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v58-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v58-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\60\60-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v60-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v60-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\63\63-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v63-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v63-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\66\66-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v66-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v66-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\69\69-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v69-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v69-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\72\72-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v72-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v72-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\75\75-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v75-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v75-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\ella0802@hotmail.com\DFSR\Staging\CS{AA8F5D76-C455-E00A-3CCB-A3EE13E65825}\78\78-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v78-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v78-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\may826@hotmail.com\DFSR\Staging\CS{CEA7A175-653F-0B2F-6FF5-30079103B814}\00\2761-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v1600-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v2761-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\may826@hotmail.com\DFSR\Staging\CS{CEA7A175-653F-0B2F-6FF5-30079103B814}\01\10-{CEA7A175-653F-0B2F-6FF5-30079103B814}-v1-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v10-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\may826@hotmail.com\DFSR\Staging\CS{CEA7A175-653F-0B2F-6FF5-30079103B814}\03\2759-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v1603-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v2759-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\may826@hotmail.com\DFSR\Staging\CS{CEA7A175-653F-0B2F-6FF5-30079103B814}\05\1565-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v1505-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v1565-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\may826@hotmail.com\DFSR\Staging\CS{CEA7A175-653F-0B2F-6FF5-30079103B814}\05\2756-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v1605-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v2756-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\may826@hotmail.com\DFSR\Staging\CS{CEA7A175-653F-0B2F-6FF5-30079103B814}\06\1566-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v1506-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v1566-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\may826@hotmail.com\DFSR\Staging\CS{CEA7A175-653F-0B2F-6FF5-30079103B814}\07\1567-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v1507-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v1567-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\may826@hotmail.com\DFSR\Staging\CS{CEA7A175-653F-0B2F-6FF5-30079103B814}\08\1568-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v1508-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v1568-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\may826@hotmail.com\DFSR\Staging\CS{CEA7A175-653F-0B2F-6FF5-30079103B814}\08\2764-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v1608-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v2764-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\may826@hotmail.com\DFSR\Staging\CS{CEA7A175-653F-0B2F-6FF5-30079103B814}\10\2765-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v1610-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v2765-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\may826@hotmail.com\DFSR\Staging\CS{CEA7A175-653F-0B2F-6FF5-30079103B814}\12\2766-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v1612-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v2766-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\may826@hotmail.com\DFSR\Staging\CS{CEA7A175-653F-0B2F-6FF5-30079103B814}\14\2767-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v1614-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v2767-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\may826@hotmail.com\DFSR\Staging\CS{CEA7A175-653F-0B2F-6FF5-30079103B814}\20\20-{306B156E-57F1-47E0-A578-49876903AC72}-v20-{306B156E-57F1-47E0-A578-49876903AC72}-v20-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\may826@hotmail.com\DFSR\Staging\CS{CEA7A175-653F-0B2F-6FF5-30079103B814}\21\21-{306B156E-57F1-47E0-A578-49876903AC72}-v21-{306B156E-57F1-47E0-A578-49876903AC72}-v21-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\may826@hotmail.com\DFSR\Staging\CS{CEA7A175-653F-0B2F-6FF5-30079103B814}\21\2768-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v1521-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v2768-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\may826@hotmail.com\DFSR\Staging\CS{CEA7A175-653F-0B2F-6FF5-30079103B814}\22\22-{306B156E-57F1-47E0-A578-49876903AC72}-v22-{306B156E-57F1-47E0-A578-49876903AC72}-v22-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\may826@hotmail.com\DFSR\Staging\CS{CEA7A175-653F-0B2F-6FF5-30079103B814}\23\23-{306B156E-57F1-47E0-A578-49876903AC72}-v23-{306B156E-57F1-47E0-A578-49876903AC72}-v23-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\may826@hotmail.com\DFSR\Staging\CS{CEA7A175-653F-0B2F-6FF5-30079103B814}\47\247-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v247-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v247-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\may826@hotmail.com\DFSR\Staging\CS{CEA7A175-653F-0B2F-6FF5-30079103B814}\48\248-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v248-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v248-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\may826@hotmail.com\DFSR\Staging\CS{CEA7A175-653F-0B2F-6FF5-30079103B814}\49\249-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v249-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v249-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\may826@hotmail.com\DFSR\Staging\CS{CEA7A175-653F-0B2F-6FF5-30079103B814}\49\2769-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v2649-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v2769-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\may826@hotmail.com\DFSR\Staging\CS{CEA7A175-653F-0B2F-6FF5-30079103B814}\50\250-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v250-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v250-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\may826@hotmail.com\DFSR\Staging\CS{CEA7A175-653F-0B2F-6FF5-30079103B814}\50\2770-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v2650-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v2770-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\may826@hotmail.com\DFSR\Staging\CS{CEA7A175-653F-0B2F-6FF5-30079103B814}\56\4293-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v4256-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v4293-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\may826@hotmail.com\DFSR\Staging\CS{CEA7A175-653F-0B2F-6FF5-30079103B814}\58\4282-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v4258-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v4282-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\may826@hotmail.com\DFSR\Staging\CS{CEA7A175-653F-0B2F-6FF5-30079103B814}\60\4261-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v4260-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v4261-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\may826@hotmail.com\DFSR\Staging\CS{CEA7A175-653F-0B2F-6FF5-30079103B814}\64\64-{306B156E-57F1-47E0-A578-49876903AC72}-v64-{306B156E-57F1-47E0-A578-49876903AC72}-v64-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\may826@hotmail.com\DFSR\Staging\CS{CEA7A175-653F-0B2F-6FF5-30079103B814}\65\65-{306B156E-57F1-47E0-A578-49876903AC72}-v65-{306B156E-57F1-47E0-A578-49876903AC72}-v65-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\may826@hotmail.com\DFSR\Staging\CS{CEA7A175-653F-0B2F-6FF5-30079103B814}\78\2755-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v1578-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v2755-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\may826@hotmail.com\DFSR\Staging\CS{CEA7A175-653F-0B2F-6FF5-30079103B814}\81\2758-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v1581-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v2758-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\may826@hotmail.com\DFSR\Staging\CS{CEA7A175-653F-0B2F-6FF5-30079103B814}\84\2753-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v1584-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v2753-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\may826@hotmail.com\DFSR\Staging\CS{CEA7A175-653F-0B2F-6FF5-30079103B814}\86\2763-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v1586-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v2763-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\may826@hotmail.com\DFSR\Staging\CS{CEA7A175-653F-0B2F-6FF5-30079103B814}\88\2754-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v1588-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v2754-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\may826@hotmail.com\DFSR\Staging\CS{CEA7A175-653F-0B2F-6FF5-30079103B814}\91\2757-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v1591-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v2757-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\may826@hotmail.com\DFSR\Staging\CS{CEA7A175-653F-0B2F-6FF5-30079103B814}\94\2762-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v1594-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v2762-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\may826@hotmail.com\DFSR\Staging\CS{CEA7A175-653F-0B2F-6FF5-30079103B814}\97\2760-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v1597-{B32ECFDA-CF04-4016-8561-DD17787B95BC}-v2760-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Messenger\tony6725@hotmail.com\SharingMetadata\thinkytseng@hotmail.com\DFSR\Staging\CS{A66AA3A7-10FC-7466-5273-0EE6F9F3E3E3}\29\329-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v329-{8D199142-0E6B-4DFE-90A6-B5C02A76AAD5}-v329-Downloaded.frx - 開啟時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - 開啟 (檔案被鎖定)時發生錯誤。 [4]
C:\Documents and Settings\TOSHIBA\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - 開啟 (檔案被鎖定)時發生錯誤。 [4]
C:\System Volume Information\MountPointManagerRemoteDatabase - 開啟 (存取拒絕)時發生錯誤。 [4]
C:\System Volume Information\_restore{FE01E12C-C4D0-4F4E-80E6-4A25B7882A1A}\RP240\A0042194.dll - Win32/Adware.Virtumonde.FP 應用程式
C:\System Volume Information\_restore{FE01E12C-C4D0-4F4E-80E6-4A25B7882A1A}\RP246\A0042933.dll - Win32/Adware.Virtumonde.FP 應用程式
C:\System Volume Information\_restore{FE01E12C-C4D0-4F4E-80E6-4A25B7882A1A}\RP246\A0042934.dll - Win32/Adware.AdMedia 應用程式
C:\System Volume Information\_restore{FE01E12C-C4D0-4F4E-80E6-4A25B7882A1A}\RP246\A0042935.dll - Win32/Adware.Virtumonde 應用程式
C:\WINDOWS\system32\config\default - 開啟 (檔案被鎖定)時發生錯誤。 [4]
C:\WINDOWS\system32\config\default.LOG - 開啟 (檔案被鎖定)時發生錯誤。 [4]
C:\WINDOWS\system32\config\SAM - 開啟 (檔案被鎖定)時發生錯誤。 [4]
C:\WINDOWS\system32\config\SAM.LOG - 開啟 (檔案被鎖定)時發生錯誤。 [4]
C:\WINDOWS\system32\config\SECURITY - 開啟 (檔案被鎖定)時發生錯誤。 [4]
C:\WINDOWS\system32\config\SECURITY.LOG - 開啟 (檔案被鎖定)時發生錯誤。 [4]
C:\WINDOWS\system32\config\software - 開啟 (檔案被鎖定)時發生錯誤。 [4]
C:\WINDOWS\system32\config\software.LOG - 開啟 (檔案被鎖定)時發生錯誤。 [4]
C:\WINDOWS\system32\config\system - 開啟 (檔案被鎖定)時發生錯誤。 [4]
C:\WINDOWS\system32\config\system.LOG - 開啟 (檔案被鎖定)時發生錯誤。 [4]
已掃描的檔案數目：94296
已發現的病毒數目：4
完結時間： 19:31:22 總掃描時間：3025 秒 (00:50:25)
注意：
[4] 檔案無法被開啟，可能正被另一程式或操作系統使用中。

Does it help you?! BTW, some of my infected emails have been isolated into one category in the outlook. Do you mean this?

ndmmxiaomayi

2008-06-11, 20:55

If the infected mails are quarantined, it's OK.

tony6725

2008-06-11, 23:59

so does it mean my computer is ok now?

ndmmxiaomayi

2008-06-13, 15:00

Yup, it looks good. :)

Please follow these steps to remove older version Java components and update.

Download the latest version of Java Runtime Environment (JRE) 6.0 (http://java.sun.com/javase/downloads/index.jsp).

Scroll down to where it says "Java Runtime Environment (JRE) 6u6 allows end-users to run Java applications".

Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".

The page will refresh.

Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.

Close any programs you may have running - especially your web browser.

Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.

Check any item with Java Runtime Environment (JRE or J2SE) in the name.

Click the Remove or Change/Remove button.

Repeat as many times as necessary to remove each Java versions.

Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.

Post back a new HijackThis log afterwards.

tony6725

2008-06-14, 01:49

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 上午 12:49:05, on 2008/6/14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\vVX1000.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\3M\PDNotes\PDNotes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ezHelper] C:\Program Files\ezHelper\ezHelper.exe 300
O4 - HKCU\..\Run: [foxy] "C:\Program Files\Foxy\Foxy.exe" -tray
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Foxy 下載 - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy 搜尋 - res://C:\Program Files\Foxy\Foxy.exe/search.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.webmail.hinet.net
O15 - Trusted Zone: webmail.hinet.net
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1159CFA4-6BEA-4ED4-8166-5556B1BFB232} (pocx Control) - http://202.133.245.200/iCF20071025.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4C833081-D026-4FF8-968F-7EAB660D2FBA} (TVAnts ActiveX Control) - http://download.tvants.com/pub/tvants/tvants1/win32/cab/tvants.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {5F4D222D-5EEE-40A8-8810-5642B4E4F441} (KENCAPI Class) - https://ebank.tcb-bank.com.tw/netbank/html/ib/pages/FSCAPIATL.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185374795424
O16 - DPF: {C01170CC-AF05-46C3-88BC-2C120DCEE288} (KooPlayer Control) - http://www.im.tv/IMTVPlayer.ocx
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://extranet.cranfield.ac.uk/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{40233121-6B0E-4121-8A54-6B29E63F652F}: NameServer = 138.250.1.75,138.250.1.67
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod 服務 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 13935 bytes

ndmmxiaomayi

2008-06-14, 17:03

Log looks good. :) Any other issues?

tony6725

2008-06-14, 21:36

Thanks so much for yor help during the period of past few weeks. So should I just keep NOD32 as my main anti-virus software, and delete others which I downloaded past few weeks?

ndmmxiaomayi

2008-06-15, 12:51

Yes, you should NOD32 as your antivirus. It's a good one. :)

Now that you are clean, we will need to remove the tools we use.

Remove Combofix

Click on Start > Run. Copy and paste in ComboFix /u and click OK. An image is below for reference.

http://xs121.xs.to/xs121/07484/remcf.PNG

Create a new, clean System Restore point

Click on Start > All Programs > Accessories > System Tools > System Restore.
On the Welcome Page, select Create a restore point. Click Next.
Give this restore point a descriptive name and click Create.
When done, click Close.

Warning: Do not clear infected System Restore points before creating a new System Restore point first!

Please read the above to create a new System Restore point first, then clear out the infected System Restore points.

Clear infected System Restore points

Click on Start > All Programs > Accessories > System Tools > Disk Cleanup.
Select C drive and click OK.
Select the More Options tab.
Under System Restore, click on Clean up....
You will be prompted. Click Yes.
When done, click OK.
You will be prompted again. Press Yes to confirm.
When done, Disk Cleanup will close automatically.

Here are some tips to prevent another infection again. There's no need to install all programs recommended.

Keep your system updated

Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Please ensure that you visit the following websites regularly or do update your system regularly.

Install the updates immediately if they are found. Reboot your computer if necessary, revisit Windows Update and Office update sites until there are no more updates to be installed.

To update Windows

Go to Start > All Programs > Windows Update

To update Office

Open up any Office program.

Go to Help > Check for Updates

Alternatively, you can visit the links below to update Windows and Office products.

Windows Update (http://update.microsoft.com/)
Office Update (http://office.microsoft.com/en-us/officeupdate/default.aspx)

If you are forgetful, you can change some settings so that you will be informed of updates. Here's how:

Go to Start > Control Panel > Automatic Updates
Select Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
Select Download updates for me, but let me chose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.
Select Notify me but don't automatically download or install them radio button if you want to be notified of the updates.

Besides Windows that needs regular updating, antivirus, anti-spyware and firewall programs update regularly too.

Please make sure that you update your antivirus, firewall and anti-spyware programs at least once a week.

Be careful when opening attachments and downloading files.

Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
Never open emails from unknown senders.
Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.
Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge (http://sourceforge.net/) or Pricelessware (http://www.pricelesswarehome.org/).

Surf safely

Many of the exploits are directed to users of Internet Explorer and Firefox.

Using Firefox (http://www.mozilla.com/en-US/firefox/) with NoScript add-on (https://addons.mozilla.org/en-US/firefox/addon/722) helps to prevent most exploits from running as NoScript by default disables all scripts on all websites. If you trust the website, you can manually allow it.

If you prefer to use Internet Explorer, here are some settings to change to improve the security of Internet Explorer.

For Internet Explorer 7

Please read this article (http://surfthenetsafely.com/ieseczone8.htm) to configure Internet Explorer 7 properly.

Stop malicious scripts

Windows by default allow scripts (which is VBScript and JavaScript) to run and some of these scripts are malicious. Use Noscript (http://www.symantec.com/avcenter/noscript.exe) by Symantec or Script Defender (http://www.analogx.com/contents/download/system/sdefend.htm) by AnalogX to handle these scripts.

Backup regularly

You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft article (http://www.microsoft.com/athome/security/update/howbackup.mspx) to learn how to backup. Follow this article (http://support.microsoft.com/kb/309340) by Microsoft to restore your backups.

Alternatively, you can use 3rd-party programs to back up your data. One example can be found at Bleeping Computer (http://www.bleepingcomputer.com/tutorials/tutorial127.html).

Avoid P2P

P2P may be a great way to get lots of stuffs, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. If you do need to use them, use them sparingly. Check this list of clean and infected P2P programs (http://p2p.malwareremoval.com/) if you need to use one.

Prevent a re-infection

Winpatrol
Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here (http://www.winpatrol.com/features.html).

You can get a free copy (http://www.winpatrol.com/wpsetup.exe) of Winpatrol or use the Plus version (http://winpatrol.stores.yahoo.net/winplusmemre.html) for more features.

You can read Winpatrol's FAQ (http://www.winpatrol.com/faq.html) if you run into problems.

Spyware Blaster
SpywareBlaster is a program that is used to secure Internet Explorer by making it harder for ActiveX (http://surfthenetsafely.com/activex.htm) programs to run on your computer. It does this by disabling known offending ActiveX programs from running at all.

You can download SpywareBlaster from Javacool (http://www.javacoolsoftware.com/spywareblaster.html).

If you need help in using SpywareBlaster, you can read SpywareBlaster's tutorial (http://www.bleepingcomputer.com/tutorials/tutorial49.html) at Bleeping Computer.

SpywareGuard
Just as an antivirus program scans a file for viruses before opening it, SpywareGuard does the same thing, except that it scans it for spywares.

You can download SpywareGuard from Javacool (http://www.javacoolsoftware.com/spywareguard.html).

If you need help in using SpywareGuard, you can SpywareGuard's tutorial (http://www.bleepingcomputer.com/tutorials/tutorial50.html) at Bleeping Computer.

Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware is a new and powerful anti-malware program. It scans and removes malware for free, but if you want real-time protection, you can pay a small one-time fee.

Remember to update and scan with it regularly. A tutorial for using Malwarebytes' Anti-Malware can be found on BFC Computer Help (http://bfccomputers.com/index.php?showtopic=1645).

Before downloading any anti-spyware programs, always check the Rogue/Suspect list of anti-spyware programs (http://www.spywarewarrior.com/rogue_anti-spyware.htm) and Malwarebytes RogueNET (http://www.malwarebytes.org/roguenet.php). This will save you from a lot of trouble. If in doubt, don't ever download it.

SiteHound Toolbar
SiteHound (http://www.firetrust.com/en/products/sitehound) is a toolbar that warns you if you go to a site that is known to scam people, that has potentially lots of viruses or spywares or has questionable contents. If you know the site, you can enter it; if you don't, it will bring you back to the previous page. Currently, SiteHound works for Internet Explorer and Firefox only.

Use an alternative email client

If you are using Outlook Express as your default email client, try using Thunderbird (http://www.mozilla.com/en-US/thunderbird/) or Pegasus Mail (http://www.pmail.com/) instead.

Here are some more things to read about:

List of clean and infected download managers (http://www.safer-networking.org/en/articles/download-managers.html)
Configuring Skype (http://www.tcd.ie/iss/internet/skype.php)
Greater email safety (http://surfthenetsafely.com/surfsafely4.htm)
Phishing - what is it? (http://surfthenetsafely.com/phishing.htm)
Configuring Outlook Express (http://surfthenetsafely.com/slides/oeconfigureslide1.htm)
The Unofficial Cookie FAQ (http://www.cookiecentral.com/faq)
Securing your home wireless network (http://www.windowsecurity.com/articles/Wireless-Network-Security-Home.html)
80 Super Security Tips (http://www.pcmag.com/article2/0,1895,1838690,00.asp)
The different classes of security softwares (http://wiki.castlecops.com/Different_classes_of_security_software)