Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

SpywareProtect2009/Trojan Horse


  • This topic is locked This topic is locked
11 replies to this topic

#1 darojess

darojess

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:01 AM

Posted 16 February 2009 - 09:23 PM

A few days ago, SpywareProtect2009 popped up when I started my computer. I found some instructions for manually removing it and I never saw it again. However, my computer lags a lot and is really slow. I scanned my computer with Symantec AntiVirus and it found Spyware Protect 2009 files and Trojan Horse. I would like to know if my computer's still infected and how I can fix it. Thanks. :D


DDS (Ver_09-02-01.01) - FAT32x86
Run by Acer 2428 AWXCi at 10:08:46.73 on 2009/02/17 星期二
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.950.886.1028.18.502.75 [GMT 8:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\StormII\stormliv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
D:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\acer\Empowering Technology\ePower\epm-dm.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
D:\Program Files\Wireless USB Phone API\WirelessUSBPhone.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\PPStream\ppsap.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\conime.exe
C:\Documents and Settings\Acer 2428 AWXCi\桌面\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com.tw/
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uDefault_Page_URL = about:
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - d:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PPS Accelerator] d:\program files\ppstream\ppsap.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [preload] c:\windows\RUNXMLPL.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LaunchAp] "c:\program files\launch manager\LaunchAp.exe"
mRun: [LManager] "c:\program files\launch manager\HotkeyApp.exe"
mRun: [CtrlVol] "c:\program files\launch manager\CtrlVol.exe"
mRun: [LMgrOSD] "c:\program files\launch manager\OSDCtrl.exe"
mRun: [Wbutton] "c:\program files\launch manager\Wbutton.exe"
mRun: [EPM-DM] c:\acer\empowering technology\epower\epm-dm.exe
mRun: [Acer ePower Management] c:\acer\empowering technology\epower\Acer ePower Management.exe boot
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\Monitor.exe
mRun: [ADMTray.exe] "c:\acer\empowering technology\admtray.exe"
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [WirelessUSBPhoneAPI] d:\program files\wireless usb phone api\WirelessUSBPhone.exe
mRun: [AVFX Engine] c:\program files\creative\creative live! cam\videofx\StartFX.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "d:\program files\java\jre6\bin\jusched.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f video -m logitech -d 10.5.1.2023
StartupFolder: c:\docume~1\alluse~1\3faa~1\程式集\啟動\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\3faa~1\程式集\啟動\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\3faa~1\程式集\啟動\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: Foxy 下載 - d:\program files\foxy\Foxy.exe/download.htm
IE: Foxy 搜尋 - d:\program files\foxy\Foxy.exe/search.htm
IE: 匯出至 Microsoft Excel(&X) - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {09BA8F6D-CB54-424B-839C-C2A6C8E6B436}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} - hxxp://www.clubbox.co.kr/neo.fld/NowStarter.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} - hxxp://download.ppstream.com/bin/powerplayer.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} - hxxp://www.gogobox.com.tw/neo.fld/GNowStarter.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5135/mcfscan.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su/ocx/15105/CTPID.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\acer24~1\applic~1\mozilla\firefox\profiles\kdzlsdze.default\
FF - prefs.js: browser.startup.homepage - hxxp://tw.yahoo.com/

============= SERVICES / DRIVERS ===============

R1 Hotkey;Hotkey;c:\windows\system32\drivers\HOTKEY.sys [2006-9-1 9867]
R1 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2006-9-1 12106]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-20 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-20 54968]
R2 AWService;AdminWorks Agent X6;c:\acer\empowering technology\admServ.exe [2005-10-24 1314816]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-7 192160]
R2 ccosm;Contrl Center of Storm Media;c:\program files\stormii\stormliv.exe [2008-1-11 559200]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-7 169632]
R2 EpmPsd;Acer EPM Power Scheme Driver;c:\windows\system32\drivers\epm-psd.sys [2004-7-19 4096]
R2 EpmShd;Acer EPM System Hardware Driver;c:\windows\system32\drivers\epm-shd.sys [2005-4-7 78208]
R2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2006-9-1 7296]
R2 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2006-9-1 4010]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-5-16 1799408]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-4-6 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090215.002\naveng.sys [2009-2-16 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090215.002\navex15.sys [2009-2-16 876112]
R3 NdisFilt;OSA NdisFilter Protocol;c:\windows\system32\drivers\NdisFilt.sys [2006-9-1 4392]
S1 mailKmd;mailKmd; [x]
S1 Wbutton;Wbutton;c:\windows\system32\drivers\wbutton.sys --> c:\windows\system32\drivers\Wbutton.sys [?]
S3 .neporsipors;.neporsipors; [x]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2006-9-1 32512]
S3 P1171VID;Creative WebCam Notebook #2;c:\windows\system32\drivers\P1171Vid.sys [2008-8-29 91392]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-3-17 115952]

=============== Created Last 30 ================

2009-02-10 08:20 <DIR> --d----- c:\program files\Microsoft Windows OneCare Live
2009-02-10 07:21 <DIR> --d----- c:\program files\Enigma Software Group
2009-02-10 07:04 0 a------- c:\windows\system32\a.exe
2009-02-02 03:34 <DIR> --d----- c:\program files\GoldWave
2009-01-30 13:37 41 a------- c:\windows\PCDNSetting.ini
2009-01-29 22:30 113 a------- c:\windows\PPSMediaList.ini
2009-01-28 12:07 1,970,176 a------- c:\windows\system32\d3dx9.dll
2009-01-28 12:07 679,936 a------- c:\windows\system32\D3DX81ab.dll

==================== Find3M ====================

2009-01-16 21:01 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2009-01-05 14:51 1,514 a------- c:\windows\system32\cid_store.dat
2009-01-05 14:29 65,536 a------- c:\windows\IFinst27.exe
2008-12-21 06:30 384,512 a------- c:\windows\system32\dllcache\iedkcs32.dll
2008-12-21 06:30 347,136 a------- c:\windows\system32\dllcache\dxtmsft.dll
2008-12-21 06:30 230,400 a------- c:\windows\system32\dllcache\ieaksie.dll
2008-12-21 06:30 214,528 a------- c:\windows\system32\dllcache\dxtrans.dll
2008-12-21 06:30 153,088 a------- c:\windows\system32\dllcache\ieakeng.dll
2008-12-21 06:30 133,120 a------- c:\windows\system32\dllcache\extmgr.dll
2008-12-21 06:30 383,488 -------- c:\windows\system32\dllcache\ieapfltr.dll
2008-12-21 06:30 63,488 -------- c:\windows\system32\dllcache\icardie.dll
2008-12-21 06:30 124,928 a------- c:\windows\system32\dllcache\advpack.dll
2008-12-19 17:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 17:08 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 13:25 634,024 a------- c:\windows\system32\dllcache\iexplore.exe
2008-12-19 13:23 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2008-12-15 15:53 54,392 a------- c:\docume~1\acer24~1\applic~1\GDIPFONTCACHEV1.DAT
2008-12-11 18:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-09-06 11:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090620080907\index.dat

============= FINISH: 10:09:31.28 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:01 AM

Posted 25 February 2009 - 12:07 PM

Hi darojess,

Welcome to BC HijackThis forum and sorry for the delay. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.
  • Tell me if you have run any tool or have made a major change to the system since your last post. Also tell me how is the current condition of your computer.

  • To get an idea about the current condition of you computer download random's system information tool (RSIT) by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Set the list of files/folders created to 3 Months and click Continue at the disclaimer screen.
    • Once it has finished, two logs will open.
    • log.txt (<<will be maximized)
    • info.txt (<<will be minimized).
  • Please copy and paste the content of just log.txt to your reply. No need for info.txt

    Note 1: If you have difficulty finding the log, the logs is in this folder: C:\rsit

    Note 2: The tool takes not more than one minute to scan the system.

You might want to save this page on your favorites, so you can find it again when you return.

#3 darojess

darojess
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:01 AM

Posted 01 March 2009 - 03:41 PM

Hello, thanks for replying. Since my last post, I've went to the microsoft website and downloaded Windows Defender
and Avira AntiVir Personal. Nothing was found after scanning my computer (and I've deleted Avira AntiVir).
I also updated my Javascript, that's about it. My computer's still slow and often freezes when i open a new window. ):

Heres the log:

Logfile of random's system information tool 1.05 (written by random/random)
Run by Acer 2428 AWXCi at 2009-03-02 04:29:38
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 12 GB (43%) free of 27 GB
Total RAM: 502 MB (28% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 上午 04:30:13, on 2009/3/2
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\StormII\stormliv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
D:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\acer\Empowering Technology\ePower\epm-dm.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
D:\Program Files\Wireless USB Phone API\WirelessUSBPhone.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\PPStream\ppsap.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Acer 2428 AWXCi\桌面\RSIT.exe
C:\Program Files\trend micro\Acer 2428 AWXCi.exe

O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [EPM-DM] c:\acer\Empowering Technology\ePower\epm-dm.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [WirelessUSBPhoneAPI] D:\Program Files\Wireless USB Phone API\WirelessUSBPhone.exe
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PPS Accelerator] D:\Program Files\PPStream\ppsap.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f video -m logitech -d 10.5.1.2023 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f video -m logitech -d 10.5.1.2023 (User 'Default user')
O8 - Extra context menu item: Foxy 下載 - res://D:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy 搜尋 - res://D:\Program Files\Foxy\Foxy.exe/search.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} (PowerPlayer Control) - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...101/CTSUEng.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} - http://www.gogobox.com.tw/neo.fld/GNowStarter.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...135/mcfscan.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15105/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Bonjour 服務 (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Contrl Center of Storm Media (ccosm) - 北京暴风网际科技有限公司 - C:\Program Files\StormII\stormliv.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: iPod 服務 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: npkcmsvc - Unknown owner - D:\Nexon\MapleStory\npkcmsvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 13912 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-12-18 59032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2008-05-30 1410344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - D:\Program Files\Java\jre6\bin\ssv.dll [2008-11-10 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-07-07 324416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - D:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-11-10 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-11-10 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - Acer eDataSecurity Management - C:\WINDOWS\system32\eDStoolbar.dll [2006-02-22 106496]
{E0E899AB-F487-11D5-8D29-0050BA6940E3}

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-04 208952]
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2008-04-15 455168]
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2008-04-15 455168]
"preload"=C:\Windows\RUNXMLPL.exe [2005-05-19 32768]
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe [2005-08-24 94208]
"igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe [2005-08-24 77824]
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe [2005-08-24 114688]
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2005-02-04 102490]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2005-02-04 708698]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2005-04-15 77824]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2004-11-02 32768]
"LaunchAp"=C:\Program Files\Launch Manager\LaunchAp.exe [2005-07-25 32768]
"LManager"=C:\Program Files\Launch Manager\HotkeyApp.exe [2006-04-20 69632]
"CtrlVol"=C:\Program Files\Launch Manager\CtrlVol.exe [2003-09-16 20480]
"LMgrOSD"=C:\Program Files\Launch Manager\OSDCtrl.exe [2005-07-25 241664]
"Wbutton"=C:\Program Files\Launch Manager\Wbutton.exe [2006-04-20 86016]
"EPM-DM"=c:\acer\Empowering Technology\ePower\epm-dm.exe [2005-11-10 212992]
"Acer ePower Management"=C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe [2005-11-09 3084288]
"eRecoveryService"=C:\Acer\Empowering Technology\eRecovery\Monitor.exe [2006-01-24 397312]
"ADMTray.exe"=C:\Acer\Empowering Technology\admtray.exe [2005-10-24 2462208]
"eDataSecurity Loader"=C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe [2005-12-27 69632]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2006-03-07 53408]
"vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe [2006-05-16 124656]
"WirelessUSBPhoneAPI"=D:\Program Files\Wireless USB Phone API\WirelessUSBPhone.exe [2007-03-19 983040]
"AVFX Engine"=C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe [2006-06-09 24576]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-11-04 413696]
"iTunesHelper"=D:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]
"SunJavaUpdateSched"=D:\Program Files\Java\jre6\bin\jusched.exe [2008-11-10 136600]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-15 15360]
"PPS Accelerator"=D:\Program Files\PPStream\ppsap.exe [2008-12-09 210296]

C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2005-08-24 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINDOWS\system32\NavLogon.dll [2006-05-16 43760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"AllowLegacyWebView"=
"AllowUnhashedWebView"=
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\System32\FSCAgent.exe"="C:\WINDOWS\System32\FSCAgent.exe:*:Enabled:???? ???? ??"
"C:\WINDOWS\System32\ClubBox.exe"="C:\WINDOWS\System32\ClubBox.exe:*:Enabled:贗毀夢蝶 冖橾瞪歎 婦葬濠"
"D:\clubbox\ClubBox.exe"="D:\clubbox\ClubBox.exe:*:Enabled:CLUBBOX File Transfer Manager"
"C:\Documents and Settings\Acer 2428 AWXCi\桌面\ClubBox.exe"="C:\Documents and Settings\Acer 2428 AWXCi\桌面\ClubBox.exe:*:Enabled:CLUBBOX File Transfer Manager"
"C:\Program Files\FlashGet\flashget.exe"="C:\Program Files\FlashGet\flashget.exe:*:Enabled:Flashget"
"D:\Program Files\Foxy\Foxy.exe"="D:\Program Files\Foxy\Foxy.exe:*:Enabled:Foxy"
"D:\Program Files\Gamania\PopKart\M01\Patcher.exe"="D:\Program Files\Gamania\PopKart\M01\Patcher.exe:*:Enabled:Nexon Game Launcher"
"D:\Program Files\Gamania\PopKart\M01\NMService.exe"="D:\Program Files\Gamania\PopKart\M01\NMService.exe:*:Enabled:Nexon Messenger Core"
"C:\Program Files\NextLink\GOGOBOX\gfscagent.exe"="C:\Program Files\NextLink\GOGOBOX\gfscagent.exe:*:Enabled:GOGOBOX檔案傳送Daemon"
"C:\Program Files\Joost\xulrunner\tvprunner.exe"="C:\Program Files\Joost\xulrunner\tvprunner.exe:*:Enabled:tvprunner"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\softnyx\GunboundWC\GunBound.gme"="C:\Program Files\softnyx\GunboundWC\GunBound.gme:*:Enabled:GunBound"
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"="C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Disabled:Internet Explorer"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\System32\grdmgr.exe"="C:\WINDOWS\System32\grdmgr.exe:*:Enabled:CDN ???? ??"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\StormII\Storm.exe"="C:\Program Files\StormII\Storm.exe:*:Enabled:惟瑞荌秞"
"C:\Program Files\StormII\stormliv.exe"="C:\Program Files\StormII\stormliv.exe:*:Enabled:惟瑞荌秞羸极諷秶笢陑"
"D:\Program Files\LittleFighter2\LF2_v1.9c\lf2.exe"="D:\Program Files\LittleFighter2\LF2_v1.9c\lf2.exe:*:Enabled:lf2"
"D:\Program Files\PCMan Combo\PCMan.exe"="D:\Program Files\PCMan Combo\PCMan.exe:*:Enabled:PCMan 2004 Combo"
"C:\Program Files\Foxy\Foxy.exe"="C:\Program Files\Foxy\Foxy.exe:*:Enabled:Foxy"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"D:\Program Files\Java\jre6\bin\java.exe"="D:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java™ Platform SE binary"
"D:\Program Files\ooVoo\ooVoo.exe"="D:\Program Files\ooVoo\ooVoo.exe:*:Enabled:ooVoo"
"D:\Program Files\iTunes\iTunes.exe"="D:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\StormII\Box\Stline.exe"="C:\Program Files\StormII\Box\Stline.exe:*:Enabled:暴风影视"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"D:\Program Files\CrackAttack\bin\crackattack.exe"="D:\Program Files\CrackAttack\bin\crackattack.exe:*:Enabled:crackattack"
"D:\Program Files\PPStream\PPStream.exe"="D:\Program Files\PPStream\PPStream.exe:*:Enabled:PPS厙釐萇弝"
"D:\Program Files\PPStream\PPSAP.exe"="D:\Program Files\PPStream\PPSAP.exe:*:Enabled:PPS 厙釐樓厒け"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c3d6532-3996-11db-abf5-00166f28a6b6}]
shell\AutoRun\command - ~tmp0.1st.exe


======List of files/folders created in the last 3 months======

2009-03-02 04:29:39 ----D---- C:\Program Files\trend micro
2009-03-02 04:29:38 ----D---- C:\rsit
2009-02-25 14:49:32 ----HD---- C:\WINDOWS\$NtUninstallKB967715$
2009-02-12 03:01:48 ----HD---- C:\WINDOWS\$NtUninstallKB960715$
2009-02-10 08:26:58 ----D---- C:\Program Files\Windows Defender
2009-02-10 08:20:30 ----D---- C:\Program Files\Microsoft Windows OneCare Live
2009-02-10 07:21:07 ----D---- C:\Program Files\Enigma Software Group
2009-02-10 07:04:14 ----A---- C:\WINDOWS\system32\a.exe
2009-02-02 03:34:40 ----D---- C:\Program Files\GoldWave
2009-01-30 13:37:31 ----A---- C:\WINDOWS\PCDNSetting.ini
2009-01-29 22:30:58 ----A---- C:\WINDOWS\PPSMediaList.ini
2009-01-28 12:07:20 ----A---- C:\WINDOWS\system32\d3dx9.dll
2009-01-28 12:07:20 ----A---- C:\WINDOWS\system32\D3DX81ab.dll
2009-01-24 04:31:57 ----A---- C:\WINDOWS\system32\javaws.exe
2009-01-24 04:31:57 ----A---- C:\WINDOWS\system32\javaw.exe
2009-01-24 04:31:57 ----A---- C:\WINDOWS\system32\java.exe
2009-01-15 03:03:54 ----HD---- C:\WINDOWS\$NtUninstallKB958687$
2009-01-05 14:29:32 ----A---- C:\WINDOWS\IFinst27.exe
2009-01-04 21:05:02 ----D---- C:\Documents and Settings\All Users\Application Data\Thunder Network
2009-01-04 21:04:51 ----D---- C:\Program Files\Common Files\Thunder Network
2009-01-04 21:04:25 ----D---- C:\Program Files\Thunder Network
2008-12-28 08:41:58 ----D---- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-12-28 08:41:55 ----D---- C:\Program Files\Yahoo!
2008-12-11 03:03:52 ----HD---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-11 03:02:22 ----HD---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-11 03:01:19 ----HD---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-11 03:01:01 ----HD---- C:\WINDOWS\$NtUninstallKB956802$

======List of files/folders modified in the last 3 months======

2009-03-02 04:21:12 ----A---- C:\WINDOWS\psnetwork.ini
2009-03-02 03:51:12 ----A---- C:\WINDOWS\system32\eRLog.ini
2009-03-02 03:47:22 ----A---- C:\WINDOWS\ModemLog_AC97 Soft Data Fax Modem with SmartCP.txt
2009-03-02 03:44:34 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-03-01 13:45:54 ----A---- C:\WINDOWS\win.ini
2009-02-25 15:52:14 ----A---- C:\WINDOWS\Powerplayer.ini
2009-02-12 03:01:52 ----A---- C:\WINDOWS\imsins.BAK
2009-02-10 04:42:26 ----A---- C:\WINDOWS\NeroDigital.ini
2009-02-03 15:21:14 ----A---- C:\WINDOWS\system32\MRT.exe
2009-01-24 14:12:50 ----A---- C:\WINDOWS\msgtn.ini
2009-01-16 21:01:20 ----A---- C:\WINDOWS\system32\mshtml.dll
2009-01-07 17:20:24 ----A---- C:\WINDOWS\system32\LegitCheckControl.DLL
2008-12-21 06:31:12 ----A---- C:\WINDOWS\system32\wininet.dll
2008-12-21 06:31:12 ----A---- C:\WINDOWS\system32\webcheck.dll
2008-12-21 06:31:10 ----A---- C:\WINDOWS\system32\urlmon.dll
2008-12-21 06:31:10 ----A---- C:\WINDOWS\system32\url.dll
2008-12-21 06:31:10 ----A---- C:\WINDOWS\system32\pngfilt.dll
2008-12-21 06:31:10 ----A---- C:\WINDOWS\system32\occache.dll
2008-12-21 06:31:10 ----A---- C:\WINDOWS\system32\mstime.dll
2008-12-21 06:31:08 ----A---- C:\WINDOWS\system32\msrating.dll
2008-12-21 06:31:08 ----A---- C:\WINDOWS\system32\mshtmled.dll
2008-12-21 06:31:04 ----A---- C:\WINDOWS\system32\msfeedsbs.dll
2008-12-21 06:31:04 ----A---- C:\WINDOWS\system32\msfeeds.dll
2008-12-21 06:31:04 ----A---- C:\WINDOWS\system32\jsproxy.dll
2008-12-21 06:31:02 ----A---- C:\WINDOWS\system32\iertutil.dll
2008-12-21 06:31:02 ----A---- C:\WINDOWS\system32\iernonce.dll
2008-12-21 06:31:02 ----A---- C:\WINDOWS\system32\ieframe.dll
2008-12-21 06:30:56 ----A---- C:\WINDOWS\system32\iedkcs32.dll
2008-12-21 06:30:56 ----A---- C:\WINDOWS\system32\ieapfltr.dll
2008-12-21 06:30:56 ----A---- C:\WINDOWS\system32\ieaksie.dll
2008-12-21 06:30:56 ----A---- C:\WINDOWS\system32\ieakeng.dll
2008-12-21 06:30:56 ----A---- C:\WINDOWS\system32\icardie.dll
2008-12-21 06:30:56 ----A---- C:\WINDOWS\system32\extmgr.dll
2008-12-21 06:30:56 ----A---- C:\WINDOWS\system32\dxtrans.dll
2008-12-21 06:30:56 ----A---- C:\WINDOWS\system32\dxtmsft.dll
2008-12-21 06:30:54 ----A---- C:\WINDOWS\system32\advpack.dll
2008-12-19 17:10:16 ----A---- C:\WINDOWS\system32\ieudinit.exe
2008-12-19 17:08:04 ----A---- C:\WINDOWS\system32\ie4uinit.exe
2008-12-19 13:23:56 ----A---- C:\WINDOWS\system32\ieakui.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 FsVga;FsVga; C:\WINDOWS\system32\DRIVERS\fsvga.sys [2004-08-04 12160]
R1 Hotkey;Hotkey; C:\WINDOWS\system32\drivers\Hotkey.sys [2003-04-28 9867]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 39168]
R1 OsaFsLoc;OsaFsLoc; \??\C:\WINDOWS\system32\drivers\OsaFsLoc.sys []
R1 SAVRT;SAVRT; \??\C:\Program Files\Symantec AntiVirus\savrt.sys []
R1 SAVRTPEL;SAVRTPEL; \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys []
R1 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2006-01-24 195776]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-14 8832]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.4.9.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2006-09-01 21275]
R2 EpmPsd;Acer EPM Power Scheme Driver; \??\C:\WINDOWS\system32\drivers\epm-psd.sys []
R2 EpmShd;Acer EPM System Hardware Driver; \??\C:\WINDOWS\system32\drivers\epm-shd.sys []
R2 int15.sys;int15.sys; \??\C:\Acer\Empowering Technology\eRecovery\int15.sys []
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2005-10-05 12544]
R2 osaio;osaio; \??\C:\WINDOWS\system32\drivers\osaio.sys []
R2 osanbm;osanbm; \??\C:\WINDOWS\system32\drivers\osanbm.sys []
R2 s24trans;無線區域網路傳輸; C:\WINDOWS\system32\DRIVERS\s24trans.sys [2005-11-28 13568]
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2005-04-19 2317504]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-14 13952]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2005-11-08 997376]
R3 HSFHWICH;HSFHWICH; C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys [2005-11-08 242048]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2005-08-24 1052732]
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090226.055\naveng.sys []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090226.055\navex15.sys []
R3 NdisFilt;OSA NdisFilter Protocol; C:\WINDOWS\System32\Drivers\NdisFilt.sys [2005-09-13 4392]
R3 NTIDrvr;Upper Class Filter Driver; C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys [2005-12-01 6144]
R3 P1171VID;Creative WebCam Notebook #2; C:\WINDOWS\system32\DRIVERS\P1171Vid.sys [2004-03-19 91392]
R3 RTL8023xp;Realtek RTL8139/810x/8169/8110 all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys [2004-12-02 70912]
R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
R3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2006-01-24 24768]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2005-02-04 193216]
R3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-14 60032]
R3 usbccgp;Microsoft USB 一般上層驅動程式; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R3 w29n51;Windows XP 的 Intel® PRO/Wireless 2200BG 的網路連線驅動程式; C:\WINDOWS\system32\DRIVERS\w29n51.sys [2005-09-12 3298432]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2005-11-08 723712]
S1 mailKmd;mailKmd; C:\WINDOWS\system32\drivers\mailKmd.sys []
S1 Wbutton;Wbutton; C:\WINDOWS\system32\drivers\Wbutton.sys []
S2 npkcrypt;npkcrypt; \??\D:\Nexon\MapleStory\npkcrypt.sys []
S3 .neporsipors;.neporsipors; C:\WINDOWS\system32\drivers\.neporsipors.sys []
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-14 60800]
S3 BCM43XX;Broadcom 802.11網路介面卡驅動程式; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2004-12-22 369024]
S3 CamDrL;Logitech QuickCam Pro 3000(CamDrl); C:\WINDOWS\system32\DRIVERS\Camdrl.sys []
S3 CCDECODE;字幕解碼器; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-14 17024]
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\fetnd5.sys [2001-08-17 27165]
S3 FilterService;UVC Filter Service; C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys []
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2004-09-29 51120]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2004-09-29 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2005-10-21 21568]
S3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2004-12-15 1038208]
S3 lvpopflt;Logitech POP Suppression Filter; C:\WINDOWS\system32\DRIVERS\lvpopflt.sys []
S3 LVUSBSta;Logitech USB Monitor Filter; C:\WINDOWS\system32\drivers\LVUSBSta.sys []
S3 LVUVC;Logitech QuickCam Fusion(UVC); C:\WINDOWS\system32\DRIVERS\lvuvc.sys []
S3 mouhid;滑鼠 HID 驅動程式; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-31 12160]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-14 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-14 10880]
S3 NETMNT;Acer NetMonitor Protocol; C:\WINDOWS\system32\DRIVERS\NETMNT.sys [2005-05-02 9600]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-14 61824]
S3 NPF;NetGroup Packet Filter Driver; C:\WINDOWS\system32\drivers\npf.sys [2006-01-23 32512]
S3 NSCIRDA;NSC Infrared Device Driver; C:\WINDOWS\system32\DRIVERS\nscirda.sys [2008-04-14 28672]
S3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-12-05 10368]
S3 Rasirda;WAN 迷你連接埠 (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-14 11136]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-14 15232]
S3 TIEHDUSB;TIEHDUSB; C:\WINDOWS\system32\drivers\tiehdusb.sys [2006-02-04 49536]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-10-01 32000]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 WSTCODEC;世界標準電傳轉碼器; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 WS2IFSL;Windows 通訊端 2.0 非 IFS 服務提供者支援環境; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 AWService;AdminWorks Agent X6; C:\Acer\Empowering Technology\admServ.exe [2005-10-24 1314816]
R2 Bonjour Service;Bonjour 服務; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 Capture Device Service;Capture Device Service; C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe [2007-03-06 198168]
R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2006-03-07 192160]
R2 ccosm;Contrl Center of Storm Media; C:\Program Files\StormII\stormliv.exe [2008-12-24 559200]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2006-03-07 169632]
R2 DefWatch;Symantec AntiVirus Definition Watcher; C:\Program Files\Symantec AntiVirus\DefWatch.exe [2006-05-16 30448]
R2 EvtEng;Intel® PROSet/Wireless Event Log; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [2005-11-28 114753]
R2 JavaQuickStarterService;Java Quick Starter; D:\Program Files\Java\jre6\bin\jqs.exe [2008-11-10 152984]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2003-06-20 322120]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2004-09-29 69632]
R2 RegSrvc;Intel® PROSet/Wireless Registry Service; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [2005-11-28 217164]
R2 S24EventMonitor;Intel® PROSet/Wireless Service; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [2005-11-28 540745]
R2 SPBBCSvc;Symantec SPBBCSvc; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe [2006-02-06 1160848]
R2 Symantec AntiVirus;Symantec AntiVirus; C:\Program Files\Symantec AntiVirus\Rtvscan.exe [2006-05-16 1799408]
R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 iPod Service;iPod 服務; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-15 265728]
S2 npkcmsvc;npkcmsvc; D:\Nexon\MapleStory\npkcmsvc.exe []
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2007-01-15 68096]
S3 aspnet_state;ASP.NET 狀態服務; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe []
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2006-03-31 2045632]
S3 rpcapd;Remote Packet Capture Protocol v.0 (experimental); C:\Program Files\WinPcap\rpcapd.exe [2006-01-23 86016]
S3 SavRoam;SAVRoam; C:\Program Files\Symantec AntiVirus\SavRoam.exe [2006-03-17 115952]
S3 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2006-01-24 214720]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-11-06 98328]
S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2008-04-15 14336]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-11-02 897024]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-15 14336]

-----------------EOF-----------------

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:01 AM

Posted 01 March 2009 - 05:31 PM

Hi again,

Thanks for the detailed feedback.
  • We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
    • Open Windows Defender.
    • Click on Tools, Options.
    • Scroll down the list of options to select "Real-time Protection Options."
    • Uncheck "Use Real-Time Protection (Recommended)".
    • After you uncheck this, click on the Save button and close Windows Defender.

      Note:After all of the fixes are complete and I give you the clean sign you enable Real-time Protection again.
  • Go to start > Run copy/paste the following lines one by one in the run box and click OK after each line.

    sc delete mailKmd
    sc delete .neporsipors


  • Download HostsXpert.zip
    • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
    • Double-click HostsXpert.exe to run the program.
    • Click "Make Hosts Writable?" in the upper right corner (If available).
    • Click "Restore Microsoft's Hosts file" and then click "OK".
    • Click the X to exit the program.
    • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
  • Please download Malwarebytes' Anti-Malware from MajorGeeks
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish,so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.


  • Run Hijackthis. If you don't know how go to start > Run and copy and paste the following and click OK:

    "C:\Program Files\trend micro\Acer 2428 AWXCi.exe"

    Click "Do a system scan and safe a logfile". Post the content of the log.
Please include in your next reply:
  • The log of MBAM.
  • A fresh Hijackthis log.
  • Any comment or feedback about how it went.


#5 darojess

darojess
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:01 AM

Posted 01 March 2009 - 09:00 PM

Malwarebytes' Anti-Malware 1.34
Database version: 1814
Windows 5.1.2600 Service Pack 3

2009/3/2 上午 09:55:22
mbam-log-2009-03-02 (09-55-22).txt

Scan type: Quick Scan
Objects scanned: 67975
Time elapsed: 9 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{072039ab-2117-4ed5-a85f-9b9eb903e021} (Adware.CWS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/system32/nowstarter.ocx (Adware.CWS) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\NowStarter.ocx (Adware.CWS) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\NowStarter.ocx (Adware.CWS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\a.exe (Trojan.Agent) -> Quarantined and deleted successfully.

------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 上午 09:58:05, on 2009/3/2
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\StormII\stormliv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
D:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\acer\Empowering Technology\ePower\epm-dm.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
D:\Program Files\Wireless USB Phone API\WirelessUSBPhone.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\PPStream\ppsap.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\trend micro\Acer 2428 AWXCi.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [EPM-DM] c:\acer\Empowering Technology\ePower\epm-dm.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [WirelessUSBPhoneAPI] D:\Program Files\Wireless USB Phone API\WirelessUSBPhone.exe
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PPS Accelerator] D:\Program Files\PPStream\ppsap.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f video -m logitech -d 10.5.1.2023 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f video -m logitech -d 10.5.1.2023 (User 'Default user')
O8 - Extra context menu item: Foxy 下載 - res://D:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy 搜尋 - res://D:\Program Files\Foxy\Foxy.exe/search.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} (PowerPlayer Control) - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...101/CTSUEng.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} - http://www.gogobox.com.tw/neo.fld/GNowStarter.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...135/mcfscan.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15105/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Bonjour 服務 (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Contrl Center of Storm Media (ccosm) - 北京暴风网际科技有限公司 - C:\Program Files\StormII\stormliv.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: iPod 服務 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: npkcmsvc - Unknown owner - D:\Nexon\MapleStory\npkcmsvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 14010 bytes



The scan was very successful. Thanks for the fast reply.

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:01 AM

Posted 02 March 2009 - 04:03 AM

Yes it is good to have another scan and take care of a few things:

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable temporarily your AntiVirus and AntiSpyware real-time or auto protection. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#7 darojess

darojess
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:01 AM

Posted 02 March 2009 - 07:46 PM

Here's the Comofix log:

ComboFix 09-03-02.01 - Acer 2428 AWXCi 2009-03-03 8:24:54.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.950.1.1028.18.502.147 [GMT 8:00]
執行位置: c:\documents and settings\Acer 2428 AWXCi\桌面\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( 被刪除的檔案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\StormII
c:\program files\StormII\BfOptDll.dll
c:\program files\StormII\Box\BoxLog.dll
c:\program files\StormII\Box\HttpServer.dll
c:\program files\StormII\Box\mini.swf
c:\program files\StormII\Box\MovieBoxCore.dll
c:\program files\StormII\Box\MovieBoxPS.dll
c:\program files\StormII\Box\Skin\MovieBox.zip
c:\program files\StormII\Box\Stline.exe
c:\program files\StormII\Box\UILib.dll
c:\program files\StormII\Box\UiManager.dll
c:\program files\StormII\Box\UiPlay.dll
c:\program files\StormII\Box\UitvWrapper_dll.dll
c:\program files\StormII\codec\264be.dll
c:\program files\StormII\codec\264dmmx.dll
c:\program files\StormII\codec\264dsse.dll
c:\program files\StormII\codec\264dsse2.dll
c:\program files\StormII\codec\264dsse3.dll
c:\program files\StormII\codec\3ivx.dll
c:\program files\StormII\codec\3ivxDemux.ax
c:\program files\StormII\codec\3ivxDSDecoder.ax
c:\program files\StormII\codec\aasc32.dll
c:\program files\StormII\codec\ac3filter.ax
c:\program files\StormII\codec\ACDV.dll
c:\program files\StormII\codec\acelpdec.ax
c:\program files\StormII\codec\asusasv1.dll
c:\program files\StormII\codec\asusasv2.dll
c:\program files\StormII\codec\ativcr2.dll
c:\program files\StormII\codec\avcodec.dll
c:\program files\StormII\codec\avformat.dll
c:\program files\StormII\codec\avidavicodec.dll
c:\program files\StormII\codec\AviSplitter.ax
c:\program files\StormII\codec\avutil.dll
c:\program files\StormII\codec\bass.dll
c:\program files\StormII\codec\bass_aac.dll
c:\program files\StormII\codec\bass_alac.dll
c:\program files\StormII\codec\bass_ape.dll
c:\program files\StormII\codec\bass_flac.dll
c:\program files\StormII\codec\bass_mpc.dll
c:\program files\StormII\codec\bass_tta.dll
c:\program files\StormII\codec\bass_wv.dll
c:\program files\StormII\codec\binkw32.dll
c:\program files\StormII\codec\BSPVDEC.dll
c:\program files\StormII\codec\bw10.dll
c:\program files\StormII\codec\cddareader.ax
c:\program files\StormII\codec\cdxareader.ax
c:\program files\StormII\codec\ChpSrcFilter.ax
c:\program files\StormII\codec\CinemasterAudio.DLL
c:\program files\StormII\codec\cl264dec.ax
c:\program files\StormII\codec\CLNavX.ax
c:\program files\StormII\codec\CLRVIDDC.DLL
c:\program files\StormII\codec\clrviddd.dll
c:\program files\StormII\codec\CLVc1Dec.ax
c:\program files\StormII\codec\CLVSD.ax
c:\program files\StormII\codec\clvsdx.ax
c:\program files\StormII\codec\coreavc.ax
c:\program files\StormII\codec\CUVCcodc.dll
c:\program files\StormII\codec\DCBassSource.ax
c:\program files\StormII\codec\DECVW_32.DLL
c:\program files\StormII\codec\divxdec.ax
c:\program files\StormII\codec\DmoDec.dll
c:\program files\StormII\codec\DSMSplitter.ax
c:\program files\StormII\codec\empgdmx.ax
c:\program files\StormII\codec\ff_kernelDeint.dll
c:\program files\StormII\codec\ff_liba52.dll
c:\program files\StormII\codec\ff_libavcodec.dll
c:\program files\StormII\codec\ff_libdts.dll
c:\program files\StormII\codec\ff_libfaad2.dll
c:\program files\StormII\codec\ff_libmad.dll
c:\program files\StormII\codec\ff_libmpeg2.dll
c:\program files\StormII\codec\ff_libmplayer.dll
c:\program files\StormII\codec\ff_realaac.dll
c:\program files\StormII\codec\ff_samplerate.dll
c:\program files\StormII\codec\ff_theora.dll
c:\program files\StormII\codec\ff_TomsMoComp.dll
c:\program files\StormII\codec\ff_tremor.dll
c:\program files\StormII\codec\ff_unrar.dll
c:\program files\StormII\codec\ff_wmv9.dll
c:\program files\StormII\codec\ff_xvidcore.dll
c:\program files\StormII\codec\ffdshow.ax
c:\program files\StormII\codec\ffdshow.ax.manifest
c:\program files\StormII\codec\ffmpeg.dll
c:\program files\StormII\codec\ffsource.ax
c:\program files\StormII\codec\Flash.ocx
c:\program files\StormII\codec\FLT_ffdshow.dll
c:\program files\StormII\codec\FLVSplitter.ax
c:\program files\StormII\codec\frapsvid.dll
c:\program files\StormII\codec\G722ADEC.dll
c:\program files\StormII\codec\GeoCodec.dll
c:\program files\StormII\codec\H264VDEC.dll
c:\program files\StormII\codec\HikAudioDec.ax
c:\program files\StormII\codec\HikFileSource.ax
c:\program files\StormII\codec\HikFileSplitter.ax
c:\program files\StormII\codec\HIKM4DEC.dll
c:\program files\StormII\codec\HikVideoDec.ax
c:\program files\StormII\codec\i263_32.drv
c:\program files\StormII\codec\icmw_32.dll
c:\program files\StormII\codec\iconv.dll
c:\program files\StormII\codec\kdh4.dll
c:\program files\StormII\codec\kdm4.dll
c:\program files\StormII\codec\keys.dat
c:\program files\StormII\codec\l3codecx.ax
c:\program files\StormII\codec\LCodcCMP.dll
c:\program files\StormII\codec\libavcodec.dll
c:\program files\StormII\codec\libmpeg2_ff.dll
c:\program files\StormII\codec\libmplayer.dll
c:\program files\StormII\codec\LMVRGBxf.dll
c:\program files\StormII\codec\LMVYUVxf.dll
c:\program files\StormII\codec\lsvxdec.dll
c:\program files\StormII\codec\MatroskaSplitter.ax
c:\program files\StormII\codec\mfplat.dll
c:\program files\StormII\codec\mkunicode.dll
c:\program files\StormII\codec\mkx.dll
c:\program files\StormII\codec\mkzlib.dll
c:\program files\StormII\codec\mmamrdmx.ax
c:\program files\StormII\codec\Mp3Decdll.dll
c:\program files\StormII\codec\MP3DMOD.DLL
c:\program files\StormII\codec\mp4.dll
c:\program files\StormII\codec\mp43dmod.dll
c:\program files\StormII\codec\MP4Demux.ax
c:\program files\StormII\codec\mp4sdmod.dll
c:\program files\StormII\codec\MP4Splitter.ax
c:\program files\StormII\codec\MpaDecFilter.ax
c:\program files\StormII\codec\MpaSplitter.ax
c:\program files\StormII\codec\mpcvideodec.ax
c:\program files\StormII\codec\Mpeg2DecFilter.ax
c:\program files\StormII\codec\mpeg2dmx.ax
c:\program files\StormII\codec\Mpeg4DecA.ax
c:\program files\StormII\codec\Mpeg4DecV.ax
c:\program files\StormII\codec\Mpeg4Splitter.ax
c:\program files\StormII\codec\Mpeg4SrcFlt.ax
c:\program files\StormII\codec\MpegSplitter.ax
c:\program files\StormII\codec\mpg2splt.ax
c:\program files\StormII\codec\mpg4dmod.dll
c:\program files\StormII\codec\mpg4ds32.ax
c:\program files\StormII\codec\msdmo.dll
c:\program files\StormII\codec\msms001.vwp
c:\program files\StormII\codec\msscds32.ax
c:\program files\StormII\codec\msvcp71.dll
c:\program files\StormII\codec\msvcr71.dll
c:\program files\StormII\codec\MZP4_DEC.DLL
c:\program files\StormII\codec\NDParser.ax
c:\program files\StormII\codec\NeMP4Splitter.ax
c:\program files\StormII\codec\nvviddec.ax
c:\program files\StormII\codec\OggSplitter.ax
c:\program files\StormII\codec\ogm.dll
c:\program files\StormII\codec\openquicktimelib.dll
c:\program files\StormII\codec\Plugins\nppl3260.dll
c:\program files\StormII\codec\Plugins\nppl3260.xpt
c:\program files\StormII\codec\Plugins\npqtplugin.dll
c:\program files\StormII\codec\Plugins\nprpjplug.dll
c:\program files\StormII\codec\Plugins\nsIQTScriptablePlugin.xpt
c:\program files\StormII\codec\Plugins\nsJSRealPlayerPlugin.xpt
c:\program files\StormII\codec\Plugins\QuickTimePlugin.class
c:\program files\StormII\codec\PmpSplt.ax
c:\program files\StormII\codec\pncrt.dll
c:\program files\StormII\codec\pndx5016.dll
c:\program files\StormII\codec\pndx5032.dll
c:\program files\StormII\codec\pthreadVC2.dll
c:\program files\StormII\codec\pvmjpg21.dll
c:\program files\StormII\codec\PVWV220.DLL
c:\program files\StormII\codec\qasf.dll
c:\program files\StormII\codec\QTSystem\CFCharacterSetBitmaps.bitmap
c:\program files\StormII\codec\QTSystem\CoreVideo.qtx
c:\program files\StormII\codec\QTSystem\CoreVideo.Resources\CoreVideo.qtr
c:\program files\StormII\codec\QTSystem\CoreVideo.Resources\en.lproj\CoreVideoLocalized.qtr
c:\program files\StormII\codec\QTSystem\CoreVideo.Resources\zh_CN.lproj\CoreVideoLocalized.qtr
c:\program files\StormII\codec\QTSystem\QTCheck.ocx
c:\program files\StormII\codec\QTSystem\QTPlugin.ocx
c:\program files\StormII\codec\QTSystem\QuickTime.cpl
c:\program files\StormII\codec\QTSystem\QuickTime.qts
c:\program files\StormII\codec\QTSystem\QuickTime.Resources\en.lproj\QuickTimeLocalized.dll
c:\program files\StormII\codec\QTSystem\QuickTime.Resources\en.lproj\QuickTimeLocalized.qtr
c:\program files\StormII\codec\QTSystem\QuickTime.Resources\QuickTime.dll
c:\program files\StormII\codec\QTSystem\QuickTime.Resources\QuickTime.qtr
c:\program files\StormII\codec\QTSystem\QuickTime.Resources\zh_CN.lproj\QuickTimeLocalized.dll
c:\program files\StormII\codec\QTSystem\QuickTime.Resources\zh_CN.lproj\QuickTimeLocalized.qtr
c:\program files\StormII\codec\QTSystem\QuickTime3GPP.qtx
c:\program files\StormII\codec\QTSystem\QuickTime3GPP.Resources\en.lproj\QuickTime3GPPLocalized.qtr
c:\program files\StormII\codec\QTSystem\QuickTime3GPP.Resources\QuickTime3GPP.qtr
c:\program files\StormII\codec\QTSystem\QuickTime3GPP.Resources\zh_CN.lproj\QuickTime3GPPLocalized.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeAudioSupport.qtx
c:\program files\StormII\codec\QTSystem\QuickTimeAudioSupport.Resources\en.lproj\QuickTimeAudioSupportLocalized.dll
c:\program files\StormII\codec\QTSystem\QuickTimeAudioSupport.Resources\en.lproj\QuickTimeAudioSupportLocalized.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeAudioSupport.Resources\QuickTimeAudioSupport.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeAudioSupport.Resources\zh_CN.lproj\QuickTimeAudioSupportLocalized.dll
c:\program files\StormII\codec\QTSystem\QuickTimeAudioSupport.Resources\zh_CN.lproj\QuickTimeAudioSupportLocalized.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeEssentials.qtx
c:\program files\StormII\codec\QTSystem\QuickTimeEssentials.Resources\en.lproj\QuickTimeEssentialsLocalized.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeEssentials.Resources\QuickTimeEssentials.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeEssentials.Resources\zh_CN.lproj\QuickTimeEssentialsLocalized.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeH264.qtx
c:\program files\StormII\codec\QTSystem\QuickTimeH264.Resources\en.lproj\QuickTimeH264Localized.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeH264.Resources\QuickTimeH264.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeH264.Resources\zh_CN.lproj\QuickTimeH264Localized.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeInternetExtras.qtx
c:\program files\StormII\codec\QTSystem\QuickTimeInternetExtras.Resources\en.lproj\QuickTimeInternetExtrasLocalized.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeInternetExtras.Resources\QuickTimeInternetExtras.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeInternetExtras.Resources\zh_CN.lproj\QuickTimeInternetExtrasLocalized.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeMPEG4.qtx
c:\program files\StormII\codec\QTSystem\QuickTimeMPEG4.Resources\en.lproj\QuickTimeMPEG4Localized.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeMPEG4.Resources\QuickTimeMPEG4.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeMPEG4.Resources\zh_CN.lproj\QuickTimeMPEG4Localized.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeStreaming.qtx
c:\program files\StormII\codec\QTSystem\QuickTimeStreaming.Resources\en.lproj\QuickTimeStreamingLocalized.dll
c:\program files\StormII\codec\QTSystem\QuickTimeStreaming.Resources\en.lproj\QuickTimeStreamingLocalized.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeStreaming.Resources\QuickTimeStreaming.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeStreaming.Resources\zh_CN.lproj\QuickTimeStreamingLocalized.dll
c:\program files\StormII\codec\QTSystem\QuickTimeStreaming.Resources\zh_CN.lproj\QuickTimeStreamingLocalized.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeStreamingExtras.qtx
c:\program files\StormII\codec\QTSystem\QuickTimeStreamingExtras.Resources\en.lproj\QuickTimeStreamingExtrasLocalized.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeStreamingExtras.Resources\QuickTimeStreamingExtras.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeStreamingExtras.Resources\zh_CN.lproj\QuickTimeStreamingExtrasLocalized.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeVR.qtx
c:\program files\StormII\codec\QTSystem\QuickTimeVR.Resources\en.lproj\QuickTimeVRLocalized.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeVR.Resources\QuickTimeVR.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeVR.Resources\zh_CN.lproj\QuickTimeVRLocalized.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeWebHelper.qtx
c:\program files\StormII\codec\QTSystem\QuickTimeWebHelper.Resources\en.lproj\QuickTimeWebHelperLocalized.dll
c:\program files\StormII\codec\QTSystem\QuickTimeWebHelper.Resources\en.lproj\QuickTimeWebHelperLocalized.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeWebHelper.Resources\QuickTimeWebHelper.dll
c:\program files\StormII\codec\QTSystem\QuickTimeWebHelper.Resources\QuickTimeWebHelper.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeWebHelper.Resources\zh_CN.lproj\QuickTimeWebHelperLocalized.dll
c:\program files\StormII\codec\QTSystem\QuickTimeWebHelper.Resources\zh_CN.lproj\QuickTimeWebHelperLocalized.qtr
c:\program files\StormII\codec\QuickTime.qts
c:\program files\StormII\codec\QuickTimeVR.qtx
c:\program files\StormII\codec\RadGtSplitter.ax
c:\program files\StormII\codec\Real\Codecs\14_43260.dll
c:\program files\StormII\codec\Real\Codecs\28_83260.dll
c:\program files\StormII\codec\Real\Codecs\atrc.dll
c:\program files\StormII\codec\Real\Codecs\cook.dll
c:\program files\StormII\codec\Real\Codecs\ddnt3260.dll
c:\program files\StormII\codec\Real\Codecs\dnet3260.dll
c:\program files\StormII\codec\Real\Codecs\drv1.dll
c:\program files\StormII\codec\Real\Codecs\drv2.dll
c:\program files\StormII\codec\Real\Codecs\drvc.dll
c:\program files\StormII\codec\Real\Codecs\hxltcolor.dll
c:\program files\StormII\codec\Real\Codecs\raac.dll
c:\program files\StormII\codec\Real\Codecs\ralf.dll
c:\program files\StormII\codec\Real\Codecs\rv10.dll
c:\program files\StormII\codec\Real\Codecs\rv20.dll
c:\program files\StormII\codec\Real\Codecs\rv30.dll
c:\program files\StormII\codec\Real\Codecs\rv40.dll
c:\program files\StormII\codec\Real\Codecs\sipr.dll
c:\program files\StormII\codec\Real\Common\objb3201.dll
c:\program files\StormII\codec\Real\Common\pnen3260.dll
c:\program files\StormII\codec\Real\Common\pngu3267.dll
c:\program files\StormII\codec\Real\Common\pnrs3260.dll
c:\program files\StormII\codec\Real\Common\rppr3260.dll
c:\program files\StormII\codec\Real\Common\security.dll
c:\program files\StormII\codec\Real\Plugins\audplin.dll
c:\program files\StormII\codec\Real\Plugins\authmgr.dll
c:\program files\StormII\codec\Real\Plugins\clbascauth.dll
c:\program files\StormII\codec\Real\Plugins\clntxres.dll
c:\program files\StormII\codec\Real\Plugins\ExtResources\coreres.xrs
c:\program files\StormII\codec\Real\Plugins\fpsechnd.dll
c:\program files\StormII\codec\Real\Plugins\httpfsys.dll
c:\program files\StormII\codec\Real\Plugins\hxsdp.dll
c:\program files\StormII\codec\Real\Plugins\hxxml.dll
c:\program files\StormII\codec\Real\Plugins\imgrender.dll
c:\program files\StormII\codec\Real\Plugins\memfsys.dll
c:\program files\StormII\codec\Real\Plugins\mp3fformat.dll
c:\program files\StormII\codec\Real\Plugins\mp3render.dll
c:\program files\StormII\codec\Real\Plugins\mp4arender.dll
c:\program files\StormII\codec\Real\Plugins\ntlmauth.dll
c:\program files\StormII\codec\Real\Plugins\oggfformat.dll
c:\program files\StormII\codec\Real\Plugins\pacplin.dll
c:\program files\StormII\codec\Real\Plugins\plusplin.dll
c:\program files\StormII\codec\Real\Plugins\pxcb3210.dll
c:\program files\StormII\codec\Real\Plugins\ramfformat.dll
c:\program files\StormII\codec\Real\Plugins\ramrender.dll
c:\program files\StormII\codec\Real\Plugins\rarender.dll
c:\program files\StormII\codec\Real\Plugins\rmfformat.dll
c:\program files\StormII\codec\Real\Plugins\rmxfpln.dll
c:\program files\StormII\codec\Real\Plugins\rmxrend.dll
c:\program files\StormII\codec\Real\Plugins\rn5auth.dll
c:\program files\StormII\codec\Real\Plugins\rtfformat.dll
c:\program files\StormII\codec\Real\Plugins\rtrender.dll
c:\program files\StormII\codec\Real\Plugins\rvrender.dll
c:\program files\StormII\codec\Real\Plugins\sdpplin.dll
c:\program files\StormII\codec\Real\Plugins\security.dll
c:\program files\StormII\codec\Real\Plugins\smlfformat.dll
c:\program files\StormII\codec\Real\Plugins\smlrender.dll
c:\program files\StormII\codec\Real\Plugins\smmrender.dll
c:\program files\StormII\codec\Real\Plugins\smplfsys.dll
c:\program files\StormII\codec\Real\Plugins\stubdrm.dll
c:\program files\StormII\codec\Real\Plugins\tfilesys.dll
c:\program files\StormII\codec\Real\Plugins\vidplin.dll
c:\program files\StormII\codec\Real\Plugins\vidsite.dll
c:\program files\StormII\codec\Real\Plugins\vorbisrend.dll
c:\program files\StormII\codec\Real\Plugins\vsrlocal.dll
c:\program files\StormII\codec\Real\rpplugins\cn\embed_cn.dll
c:\program files\StormII\codec\Real\rpplugins\cn\rpclsvc_cn.dll
c:\program files\StormII\codec\Real\rpplugins\embd3260.dll
c:\program files\StormII\codec\Real\rpplugins\rpcl3260.dll
c:\program files\StormII\codec\Real\rpplugins\rput3260.dll
c:\program files\StormII\codec\RLMPCDec.ax
c:\program files\StormII\codec\rmoc3260.dll
c:\program files\StormII\codec\RMSplt.ax
c:\program files\StormII\codec\Sc726dec.ax
c:\program files\StormII\codec\SCMPack.dll
c:\program files\StormII\codec\scsource.ax
c:\program files\StormII\codec\skinsres.dll
c:\program files\StormII\codec\smackw32.dll
c:\program files\StormII\codec\SonicLicenseManager9.dll
c:\program files\StormII\codec\splitter.ax
c:\program files\StormII\codec\swscale.dll
c:\program files\StormII\codec\TomsMoComp_ff.dll
c:\program files\StormII\codec\ts.dll
c:\program files\StormII\codec\tsccvid.dll
c:\program files\StormII\codec\TTL2Dec.dll
c:\program files\StormII\codec\v2k2_dec.dll
c:\program files\StormII\codec\v2kdspde.dll
c:\program files\StormII\codec\vc1dc.dll
c:\program files\StormII\codec\vc1dmmx.dll
c:\program files\StormII\codec\vc1dsse.dll
c:\program files\StormII\codec\vc1dsse2.dll
c:\program files\StormII\codec\vc1wp.ax
c:\program files\StormII\codec\VDODEC32.dll
c:\program files\StormII\codec\vdowave.drv
c:\program files\StormII\codec\VgmAudio.ax
c:\program files\StormII\codec\vgmbgr.ax
c:\program files\StormII\codec\VgmSplt.ax
c:\program files\StormII\codec\vgmv2k2.ax
c:\program files\StormII\codec\Vid1Dec.dll
c:\program files\StormII\codec\VideoTune.ax
c:\program files\StormII\codec\vmnc.dll
c:\program files\StormII\codec\voxmsdec.ax
c:\program files\StormII\codec\vp6vfw.dll
c:\program files\StormII\codec\vp7vfw.dll
c:\program files\StormII\codec\vtaccess.dll
c:\program files\StormII\codec\WMADMOD.dll
c:\program files\StormII\codec\wmpasf.dll
c:\program files\StormII\codec\wmsdmod.dll
c:\program files\StormII\codec\WMVDECOD.dll
c:\program files\StormII\codec\wmvdmod.dll
c:\program files\StormII\codec\xvid.ax
c:\program files\StormII\codec\xvidcore.dll
c:\program files\StormII\corelog.dll
c:\program files\StormII\current.ecs
c:\program files\StormII\GdiPlus.dll
c:\program files\StormII\getimg.exe
c:\program files\StormII\GifParser.dll
c:\program files\StormII\keys.dat
c:\program files\StormII\media\def\def.flv
c:\program files\StormII\media\def\def.ini
c:\program files\StormII\media\empty.swf
c:\program files\StormII\media\media4in1.swf
c:\program files\StormII\media\mediabp.swf
c:\program files\StormII\media\others.xml
c:\program files\StormII\media\others.xml.ini
c:\program files\StormII\media\stcon.ini
c:\program files\StormII\media\toff.ini
c:\program files\StormII\media\video_material_list.xml
c:\program files\StormII\media\video_material_list.xml.ini
c:\program files\StormII\media\video_style_list.xml
c:\program files\StormII\media\video_style_list.xml.ini
c:\program files\StormII\media2.dll
c:\program files\StormII\mediainfo.dll
c:\program files\StormII\medialib.dll
c:\program files\StormII\mee.db
c:\program files\StormII\meedb.dll
c:\program files\StormII\mps.dll
c:\program files\StormII\msvcp60.dll
c:\program files\StormII\playlist.smpl
c:\program files\StormII\rndrmgr.dll
c:\program files\StormII\Skin\惟瑞1冪萎.zip
c:\program files\StormII\Skin\惟瑞2冪萎.zip
c:\program files\StormII\spfa.dll
c:\program files\StormII\splayers.dll
c:\program files\StormII\stMgr.exe
c:\program files\StormII\Storm.exe
c:\program files\StormII\StormDebug.exe
c:\program files\StormII\stormliv.exe
c:\program files\StormII\stormply.exe
c:\program files\StormII\stormres.dll
c:\program files\StormII\subdecoder.dll
c:\program files\StormII\swDirScaner.dll
c:\program files\StormII\swf\tudou.swf
c:\program files\StormII\uninst.exe
c:\program files\StormII\unrar.dll
c:\program files\StormII\video.dll
c:\windows\system32\drivers\npf.sys
c:\windows\system32\packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\Temp\log.txt

.
((((((((((((((((((((((((((((((((((((((( 驅動/服務 )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( 2009-02-03 至 2009-03-03 的新的檔案 )))))))))))))))))))))))))))))))
.

2009-03-02 09:42 . 2009-03-02 09:42 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-02 09:42 . 2009-03-02 09:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-02 09:42 . 2009-03-02 09:42 <DIR> d-------- c:\documents and settings\Acer 2428 AWXCi\Application Data\Malwarebytes
2009-03-02 09:42 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-02 09:42 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-02 09:35 . 2008-07-27 12:11 <DIR> d-------- C:\HostsXpert
2009-03-02 04:29 . 2009-03-02 04:29 <DIR> d-------- C:\rsit
2009-03-02 04:29 . 2009-03-02 04:29 <DIR> d-------- c:\program files\trend micro
2009-02-10 08:26 . 2009-02-10 08:27 <DIR> d-------- c:\program files\Windows Defender
2009-02-10 08:20 . 2009-02-10 08:20 <DIR> d-------- c:\program files\Microsoft Windows OneCare Live
2009-02-10 07:21 . 2009-02-10 07:21 <DIR> d-------- c:\program files\Enigma Software Group

.
(((((((((((((((((((((((((((((((((((((((( 在三個月內被修改的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-01 19:34 --------- d-----w c:\program files\GoldWave
2009-01-16 13:01 3,594,752 ----a-w c:\windows\system32\dllcache\mshtml.dll
2009-01-05 06:29 65,536 ----a-w c:\windows\IFinst27.exe
2009-01-04 13:05 --------- d-----w c:\documents and settings\All Users\Application Data\Thunder Network
2009-01-04 13:04 --------- d-----w c:\program files\Thunder Network
2009-01-04 13:04 --------- d-----w c:\program files\Common Files\Thunder Network
2008-12-20 22:30 63,488 ------w c:\windows\system32\dllcache\icardie.dll
2008-12-20 22:30 384,512 ----a-w c:\windows\system32\dllcache\iedkcs32.dll
2008-12-20 22:30 383,488 ------w c:\windows\system32\dllcache\ieapfltr.dll
2008-12-20 22:30 347,136 ----a-w c:\windows\system32\dllcache\dxtmsft.dll
2008-12-20 22:30 230,400 ----a-w c:\windows\system32\dllcache\ieaksie.dll
2008-12-20 22:30 214,528 ----a-w c:\windows\system32\dllcache\dxtrans.dll
2008-12-20 22:30 153,088 ----a-w c:\windows\system32\dllcache\ieakeng.dll
2008-12-20 22:30 133,120 ----a-w c:\windows\system32\dllcache\extmgr.dll
2008-12-20 22:30 124,928 ----a-w c:\windows\system32\dllcache\advpack.dll
2008-12-19 09:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 09:08 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 05:25 634,024 ----a-w c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-12-15 07:53 54,392 ----a-w c:\documents and settings\Acer 2428 AWXCi\Application Data\GDIPFONTCACHEV1.DAT
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-09-06 03:00 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090620080907\index.dat
.

------- Sigcheck -------

2008-06-20 04:51 361600 a29e1209f925a0e9b330e11da5fc7bab c:\windows\system32\drivers\tcpip.sys
2008-06-20 04:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\system32\dllcache\tcpip.sys
2006-04-20 19:51 359808 1dbf125862891817f374f407626967f4 c:\windows\SoftwareDistribution\Download\a052bbfa3d15bdf109b40420332a1c79\sp2gdr\tcpip.sys
2006-04-20 20:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\SoftwareDistribution\Download\a052bbfa3d15bdf109b40420332a1c79\sp2qfe\tcpip.sys
2006-04-20 20:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-31 00:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 03:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 04:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 04:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2004-08-04 05:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB917953$\tcpip.sys
2006-04-20 19:51 359808 b4e29943b4b04bd5e7381546848e6669 c:\windows\$NtUninstallKB941644$\tcpip.sys
2007-10-31 01:20 360064 ed06c31200714e734118f9a47f5df5ce c:\windows\$NtUninstallKB951748_0$\tcpip.sys
2008-06-20 03:45 360320 073941d59ae065910064b728dee981ee c:\windows\$NtServicePackUninstall$\tcpip.sys
2008-04-14 03:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\tcpip.sys
2008-04-14 03:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( 重要登入點 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白與合法缺省登錄將不會被顯示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-15 15360]
"PPS Accelerator"="d:\program files\PPStream\ppsap.exe" [2008-12-09 210296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
"preload"="c:\windows\RUNXMLPL.exe" [2005-05-19 32768]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-08-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-08-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-08-24 114688]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-04 102490]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-04 708698]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2005-07-25 32768]
"LManager"="c:\program files\Launch Manager\HotkeyApp.exe" [2006-04-20 69632]
"CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [2003-09-16 20480]
"LMgrOSD"="c:\program files\Launch Manager\OSDCtrl.exe" [2005-07-25 241664]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2006-04-20 86016]
"EPM-DM"="c:\acer\Empowering Technology\ePower\epm-dm.exe" [2005-11-10 212992]
"Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2005-11-09 3084288]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 397312]
"ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 69632]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-05-16 124656]
"WirelessUSBPhoneAPI"="d:\program files\Wireless USB Phone API\WirelessUSBPhone.exe" [2007-03-19 983040]
"AVFX Engine"="c:\program files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 24576]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]

c:\documents and settings\All Users\「開始」功能表\程式集\啟動\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-15 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP70"= c:\windows\system32\vp7vfw.dll
"VIDC.VP31"= vp31vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"vidc.xivd"= d:\program files\StormII\codec\xvidvfw.dll
"vidc.tscc"= c:\windows\system32\tsccvid.dll
"vidc.aasc"= aasc32.dll
"vidc.aas4"= aasc32.dll
"vidc.UCDO"= clrviddd.dll
"vidc.avrn"= avidavicodec.dll
"vidc.advj"= avidavicodec.dll
"vidc.asv1"= asusasv1.dll
"vidc.asv2"= asusasv2.dll
"vidc.asvx"= asusasv2.dll
"vidc.vdom"= vdowave.drv
"vidc.I263"= i263_32.drv
"vidc.lsvx"= lsvxdec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Foxy\\Foxy.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\System32\\grdmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"d:\\Program Files\\PCMan Combo\\PCMan.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\CrackAttack\\bin\\crackattack.exe"=
"d:\\Program Files\\PPStream\\PPStream.exe"=
"d:\\Program Files\\PPStream\\PPSAP.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10559:TCP"= 10559:TCP:Foxy (192.168.1.3:10559) 10559 TCP
"10559:UDP"= 10559:UDP:Foxy (192.168.1.3:10559) 10559 UDP
"37674:TCP"= 37674:TCP:ooVoo TCP 端口 37674
"37674:UDP"= 37674:UDP:ooVoo UDP 端口 37674
"37675:UDP"= 37675:UDP:ooVoo UDP 端口 37675

R1 Hotkey;Hotkey;c:\windows\system32\drivers\HOTKEY.sys [2006-09-01 9867]
R1 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2006-09-01 12106]
R2 EpmPsd;Acer EPM Power Scheme Driver;c:\windows\system32\drivers\epm-psd.sys [2004-07-19 4096]
R2 EpmShd;Acer EPM System Hardware Driver;c:\windows\system32\drivers\epm-shd.sys [2005-04-07 78208]
R2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2006-09-01 7296]
R2 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2006-09-01 4010]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-04-06 101936]
R3 NdisFilt;OSA NdisFilter Protocol;c:\windows\system32\drivers\NdisFilt.sys [2006-09-01 4392]
R3 P1171VID;Creative WebCam Notebook #2;c:\windows\system32\drivers\P1171Vid.sys [2008-08-29 91392]
S1 Wbutton;Wbutton;c:\windows\system32\drivers\Wbutton.sys --> c:\windows\system32\drivers\Wbutton.sys [?]
S2 ccosm;Contrl Center of Storm Media;c:\program files\StormII\stormliv.exe /asservice --> c:\program files\StormII\stormliv.exe [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-03-17 115952]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c3d6532-3996-11db-abf5-00166f28a6b6}]
\Shell\AutoRun\command - ~tmp0.1st.exe
.
‘計劃任務’ 文件夾 裡的內容

2009-02-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-RunOnce-WUAppSetup - c:\program files\Common Files\logishrd\WUApp32.exe


.
------- 而外的掃描 -------
.
uStart Page = hxxp://www.yahoo.com.tw/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Foxy 下載 - d:\program files\Foxy\Foxy.exe/download.htm
IE: Foxy 搜尋 - d:\program files\Foxy\Foxy.exe/search.htm
IE: 匯出至 Microsoft Excel(&X) - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436}
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} - hxxp://download.ppstream.com/bin/powerplayer.cab
DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} - hxxp://www.gogobox.com.tw/neo.fld/GNowStarter.cab
FF - ProfilePath - c:\documents and settings\Acer 2428 AWXCi\Application Data\Mozilla\Firefox\Profiles\kdzlsdze.default\
FF - prefs.js: browser.startup.homepage - hxxp://tw.yahoo.com/
FF - plugin: d:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npjp2.dll

---- 火狐配置文件 ----
c:\program files\Mozilla Firefox\defaults\profile\foxy.js - user_pref("network.protocol-handler.external.foxy", true);
c:\program files\Mozilla Firefox\defaults\profile\foxy.js - user_pref("network.protocol-handler.warn-external.foxy", false);
c:\program files\Mozilla Firefox\defaults\profile\foxy.js - user_pref("network.protocol-handler.expose.foxy", true);
c:\program files\Mozilla Firefox\defaults\profile\foxy.js - user_pref("general.useragent.extra.foxy1", "Foxy/1");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-03 08:33:30
Windows 5.1.2600 Service Pack 3 FAT NTAPI

掃描被隱藏的進程 。。。

掃描被隱藏的啟動組 。。。

掃描被隱藏的文件 。。。

掃描完成
被隱藏的檔案: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1292428093-842925246-839522115-1003_Classes\O*v*e*r*t*u*r*e* *j\额
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1292428093-842925246-839522115-1003_Classes\O*v*e*r*t*u*r*e* *j\鸡DefaultIcon]
@=expand:"%APPDATA%\\Microsoft\\Installer\\{64C3D5BE-47B3-4085-B6D5-585D2677145A}\\_294823.exe,0"

[HKEY_USERS\S-1-5-21-1292428093-842925246-839522115-1003_Classes\O*v*e*r*t*u*r*e* *j\鸡shell]
@="open"

[HKEY_USERS\S-1-5-21-1292428093-842925246-839522115-1003_Classes\O*v*e*r*t*u*r*e* *j\鸡shell\open]
@="開啟(&O)"

[HKEY_USERS\S-1-5-21-1292428093-842925246-839522115-1003_Classes\O*v*e*r*t*u*r*e* *j\鸡shell\open\command]
@="\"d:\\Program Files\\Overture 4.0 繁體中文版\\Overture.exe\" \"%1\""
"command"=multi:"6{kHH=g^g8k`.!F03tyD>?%)duR)D9Xu~OSIW`PT- \"%1\"\00\00"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CurVer]
@="BDATuner.元件.1"

[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lx馪⒃蠏阗Ka\DefaultIcon]
@="c:\\PROGRA~1\\Ahead\\Nero\\nero.exe,14"

[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lx馪⒃蠏阗Ka\shell\open\command]
@="c:\\PROGRA~1\\Ahead\\Nero\\nero.exe \"%1\""

[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lx馪⒃蠏阗Ka\shell\print\command]
@="c:\\PROGRA~1\\Ahead\\Nero\\nero.exe /p \"%1\""

[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lx馪⒃蠏阗Ka\shell\printto\command]
@="c:\\PROGRA~1\\Ahead\\Nero\\nero.exe /pt \"%1\" \"%2\" \"%3\" \"%4\""
.
------------------------ 其他運行進程 ------------------------
.
c:\program files\INTEL\WIRELESS\BIN\EVTENG.EXE
c:\program files\INTEL\WIRELESS\BIN\S24EVMON.EXE
c:\program files\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
c:\windows\system32\conime.exe
c:\program files\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
c:\program files\COMMON FILES\SYMANTEC SHARED\SPBBC\SPBBCSVC.EXE
c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
c:\acer\EMPOWERING TECHNOLOGY\ADMSERV.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
d:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Symantec AntiVirus\DoScan.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
完成時間: 2009-03-03 8:40:31 - 電腦已重新啟動 [Acer 2428 AWXCi]
ComboFix-quarantined-files.txt 2009-03-03 00:40:24

Pre-Run: 11,213,979,648 位元組可用
Post-Run: 12,011,356,160 位元組可用

WindowsXP-KB310994-SP2-Home-BootDisk-CHT.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

663 --- E O F --- 2009-02-27 02:59:01

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:01 AM

Posted 03 March 2009 - 09:46 AM

Combofix removed Storm II and some other baddies.

Please read this carefully: http://www.zyxware.com/articles/2007/08/14...virus-infection
Note: It is important to have autoplay feature turned off and not to open the thump drives by double clicking. Instead rightclick the drive and select Explore

There is also possible that you have an infected flash drive. If so (you have a flash drive) please do the step with Flash-Disinfector. Insert it when it is asked during the the step 1 and let it be connected when you run combofix. If you don't have a flash drive proceed with the step 2.
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    • Turn of the auto-protect or resident-shield of your antivirus.
    • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    • Wait until it has finished scanning which takes only a few seconds and then exit the program.
    • Reboot your computer when done.
    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

  • Close any open browsers.

    Open notepad and copy/paste the text in the code box below into it:

    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c3d6532-3996-11db-abf5-00166f28a6b6}]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.xivd"=-
    
    Driver::
    ccosm

    Save this as CFScript.txt, in the same location as ComboFix.exe


    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall


  • Use the windows search advanced options:
    • Go to start -> Search -> click All files and folders.
    • Click More advanced options.
    • Put a check mark in the box nest to search system folders, search hidden files and folders and search sub-folders.
    • Make sure Case Sensitive box in not checked.
    • Type or copy and paste ~tmp0.1st.exe in the upper box and click on search. Tell me if there is such a file on the system.
  • Please use Internet Explorer to perform a BitDefender Online Virus and Malware Scan
    • Click on I Agree.
    • If an Active X warning box will appear Click on Install.
      Note: If you got the message:"Could not load the Online Scanner! Click here for other possible fixes", it means Internet Explorer has blocked the Active X being installed. Just above the page under the Internet Explorer toolbar you see this message:
      "This website wants to install the following add-on: "Bitdefender OnlineScanner v8' from 'BITDEFENDER LLC'. If you trust the website and the add-on and want to install it, click here..."
      Click on that and select: Install Active x.
    • Now Click On Start Scan. Please wait as it might take some time.
    • If it found anything when it finished click Click here to export the scan report
    • Give the report a name and save it. The file will be a .HTML file.
    • Please attach the file to your reply.
    • To attach the file press ADDREPLY, under the reply window press Browse... show the path to the file on your computer.
    • Highlight the file and click Open then press the green UPLOAD button.


#9 darojess

darojess
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:01 AM

Posted 04 March 2009 - 12:45 AM

I couldn't find any file with the name of ~tmp0.1st.exe in the system and I ran the flash disinfector. Here's the log and the BitDefender.html is attached. Thanks.

ComboFix 09-03-02.01 - Acer 2428 AWXCi 2009-03-04 5:26:34.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.950.1.1028.18.502.179 [GMT 8:00]
執行位置: c:\documents and settings\Acer 2428 AWXCi\桌面\ComboFix.exe
Command switches used :: c:\documents and settings\Acer 2428 AWXCi\桌面\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* 成功創造新還原點
.

((((((((((((((((((((((((((((((((((((((( 被刪除的檔案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( 驅動/服務 )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CCOSM
-------\Service_ccosm


((((((((((((((((((((((((( 2009-02-03 至 2009-03-03 的新的檔案 )))))))))))))))))))))))))))))))
.

2009-03-02 09:42 . 2009-03-02 09:42 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-02 09:42 . 2009-03-02 09:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-02 09:42 . 2009-03-02 09:42 <DIR> d-------- c:\documents and settings\Acer 2428 AWXCi\Application Data\Malwarebytes
2009-03-02 09:42 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-02 09:42 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-02 09:35 . 2008-07-27 12:11 <DIR> d-------- C:\HostsXpert
2009-03-02 04:29 . 2009-03-02 04:29 <DIR> d-------- C:\rsit
2009-03-02 04:29 . 2009-03-02 04:29 <DIR> d-------- c:\program files\trend micro
2009-02-10 08:26 . 2009-02-10 08:27 <DIR> d-------- c:\program files\Windows Defender
2009-02-10 08:20 . 2009-02-10 08:20 <DIR> d-------- c:\program files\Microsoft Windows OneCare Live
2009-02-10 07:21 . 2009-02-10 07:21 <DIR> d-------- c:\program files\Enigma Software Group

.
(((((((((((((((((((((((((((((((((((((((( 在三個月內被修改的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-01 19:34 --------- d-----w c:\program files\GoldWave
2009-01-16 13:01 3,594,752 ----a-w c:\windows\system32\dllcache\mshtml.dll
2009-01-05 06:29 65,536 ----a-w c:\windows\IFinst27.exe
2009-01-04 13:05 --------- d-----w c:\documents and settings\All Users\Application Data\Thunder Network
2009-01-04 13:04 --------- d-----w c:\program files\Thunder Network
2009-01-04 13:04 --------- d-----w c:\program files\Common Files\Thunder Network
2008-12-20 22:30 63,488 ------w c:\windows\system32\dllcache\icardie.dll
2008-12-20 22:30 384,512 ----a-w c:\windows\system32\dllcache\iedkcs32.dll
2008-12-20 22:30 383,488 ------w c:\windows\system32\dllcache\ieapfltr.dll
2008-12-20 22:30 347,136 ----a-w c:\windows\system32\dllcache\dxtmsft.dll
2008-12-20 22:30 230,400 ----a-w c:\windows\system32\dllcache\ieaksie.dll
2008-12-20 22:30 214,528 ----a-w c:\windows\system32\dllcache\dxtrans.dll
2008-12-20 22:30 153,088 ----a-w c:\windows\system32\dllcache\ieakeng.dll
2008-12-20 22:30 133,120 ----a-w c:\windows\system32\dllcache\extmgr.dll
2008-12-20 22:30 124,928 ----a-w c:\windows\system32\dllcache\advpack.dll
2008-12-19 09:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 09:08 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 05:25 634,024 ----a-w c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-12-15 07:53 54,392 ----a-w c:\documents and settings\Acer 2428 AWXCi\Application Data\GDIPFONTCACHEV1.DAT
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-09-06 03:00 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090620080907\index.dat
.

------- Sigcheck -------

2008-06-20 04:51 361600 a29e1209f925a0e9b330e11da5fc7bab c:\windows\system32\drivers\tcpip.sys
2008-06-20 04:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\system32\dllcache\tcpip.sys
2006-04-20 19:51 359808 1dbf125862891817f374f407626967f4 c:\windows\SoftwareDistribution\Download\a052bbfa3d15bdf109b40420332a1c79\sp2gdr\tcpip.sys
2006-04-20 20:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\SoftwareDistribution\Download\a052bbfa3d15bdf109b40420332a1c79\sp2qfe\tcpip.sys
2006-04-20 20:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-31 00:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 03:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 04:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 04:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2004-08-04 05:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB917953$\tcpip.sys
2006-04-20 19:51 359808 b4e29943b4b04bd5e7381546848e6669 c:\windows\$NtUninstallKB941644$\tcpip.sys
2007-10-31 01:20 360064 ed06c31200714e734118f9a47f5df5ce c:\windows\$NtUninstallKB951748_0$\tcpip.sys
2008-06-20 03:45 360320 073941d59ae065910064b728dee981ee c:\windows\$NtServicePackUninstall$\tcpip.sys
2008-04-14 03:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\tcpip.sys
2008-04-14 03:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-03-03_ 8.38.47.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-03 21:33:36 16,384 ----a-w c:\windows\Temp\Perflib_Perfdata_1f0.dat
.
((((((((((((((((((((((((((((((((((((( 重要登入點 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白與合法缺省登錄將不會被顯示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-15 15360]
"PPS Accelerator"="d:\program files\PPStream\ppsap.exe" [2008-12-09 210296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
"preload"="c:\windows\RUNXMLPL.exe" [2005-05-19 32768]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-08-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-08-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-08-24 114688]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-04 102490]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-04 708698]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2005-07-25 32768]
"LManager"="c:\program files\Launch Manager\HotkeyApp.exe" [2006-04-20 69632]
"CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [2003-09-16 20480]
"LMgrOSD"="c:\program files\Launch Manager\OSDCtrl.exe" [2005-07-25 241664]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2006-04-20 86016]
"EPM-DM"="c:\acer\Empowering Technology\ePower\epm-dm.exe" [2005-11-10 212992]
"Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2005-11-09 3084288]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 397312]
"ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 69632]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-05-16 124656]
"WirelessUSBPhoneAPI"="d:\program files\Wireless USB Phone API\WirelessUSBPhone.exe" [2007-03-19 983040]
"AVFX Engine"="c:\program files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 24576]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]

c:\documents and settings\All Users\「開始」功能表\程式集\啟動\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-15 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP70"= c:\windows\system32\vp7vfw.dll
"VIDC.VP31"= vp31vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"vidc.tscc"= c:\windows\system32\tsccvid.dll
"vidc.aasc"= aasc32.dll
"vidc.aas4"= aasc32.dll
"vidc.UCDO"= clrviddd.dll
"vidc.avrn"= avidavicodec.dll
"vidc.advj"= avidavicodec.dll
"vidc.asv1"= asusasv1.dll
"vidc.asv2"= asusasv2.dll
"vidc.asvx"= asusasv2.dll
"vidc.vdom"= vdowave.drv
"vidc.I263"= i263_32.drv
"vidc.lsvx"= lsvxdec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Foxy\\Foxy.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\System32\\grdmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"d:\\Program Files\\PCMan Combo\\PCMan.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\CrackAttack\\bin\\crackattack.exe"=
"d:\\Program Files\\PPStream\\PPStream.exe"=
"d:\\Program Files\\PPStream\\PPSAP.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10559:TCP"= 10559:TCP:Foxy (192.168.1.3:10559) 10559 TCP
"10559:UDP"= 10559:UDP:Foxy (192.168.1.3:10559) 10559 UDP
"37674:TCP"= 37674:TCP:ooVoo TCP 端口 37674
"37674:UDP"= 37674:UDP:ooVoo UDP 端口 37674
"37675:UDP"= 37675:UDP:ooVoo UDP 端口 37675

R1 Hotkey;Hotkey;c:\windows\system32\drivers\HOTKEY.sys [2006-09-01 9867]
R1 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2006-09-01 12106]
R2 EpmPsd;Acer EPM Power Scheme Driver;c:\windows\system32\drivers\epm-psd.sys [2004-07-19 4096]
R2 EpmShd;Acer EPM System Hardware Driver;c:\windows\system32\drivers\epm-shd.sys [2005-04-07 78208]
R2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2006-09-01 7296]
R2 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2006-09-01 4010]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-04-06 101936]
R3 NdisFilt;OSA NdisFilter Protocol;c:\windows\system32\drivers\NdisFilt.sys [2006-09-01 4392]
R3 P1171VID;Creative WebCam Notebook #2;c:\windows\system32\drivers\P1171Vid.sys [2008-08-29 91392]
S1 Wbutton;Wbutton;c:\windows\system32\drivers\Wbutton.sys --> c:\windows\system32\drivers\Wbutton.sys [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-03-17 115952]
.
‘計劃任務’ 文件夾 裡的內容

2009-02-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- 而外的掃描 -------
.
uStart Page = hxxp://www.yahoo.com.tw/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Foxy 下載 - d:\program files\Foxy\Foxy.exe/download.htm
IE: Foxy 搜尋 - d:\program files\Foxy\Foxy.exe/search.htm
IE: 匯出至 Microsoft Excel(&X) - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436}
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} - hxxp://download.ppstream.com/bin/powerplayer.cab
DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} - hxxp://www.gogobox.com.tw/neo.fld/GNowStarter.cab
FF - ProfilePath - c:\documents and settings\Acer 2428 AWXCi\Application Data\Mozilla\Firefox\Profiles\kdzlsdze.default\
FF - prefs.js: browser.startup.homepage - hxxp://tw.yahoo.com/

---- 火狐配置文件 ----
c:\program files\Mozilla Firefox\defaults\profile\foxy.js - user_pref("network.protocol-handler.external.foxy", true);
c:\program files\Mozilla Firefox\defaults\profile\foxy.js - user_pref("network.protocol-handler.warn-external.foxy", false);
c:\program files\Mozilla Firefox\defaults\profile\foxy.js - user_pref("network.protocol-handler.expose.foxy", true);
c:\program files\Mozilla Firefox\defaults\profile\foxy.js - user_pref("general.useragent.extra.foxy1", "Foxy/1");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-04 05:34:28
Windows 5.1.2600 Service Pack 3 FAT NTAPI

掃描被隱藏的進程 。。。

掃描被隱藏的啟動組 。。。

掃描被隱藏的文件 。。。

掃描完成
被隱藏的檔案: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1292428093-842925246-839522115-1003_Classes\O*v*e*r*t*u*r*e* *j\额
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1292428093-842925246-839522115-1003_Classes\O*v*e*r*t*u*r*e* *j\鸡DefaultIcon]
@=expand:"%APPDATA%\\Microsoft\\Installer\\{64C3D5BE-47B3-4085-B6D5-585D2677145A}\\_294823.exe,0"

[HKEY_USERS\S-1-5-21-1292428093-842925246-839522115-1003_Classes\O*v*e*r*t*u*r*e* *j\鸡shell]
@="open"

[HKEY_USERS\S-1-5-21-1292428093-842925246-839522115-1003_Classes\O*v*e*r*t*u*r*e* *j\鸡shell\open]
@="開啟(&O)"

[HKEY_USERS\S-1-5-21-1292428093-842925246-839522115-1003_Classes\O*v*e*r*t*u*r*e* *j\鸡shell\open\command]
@="\"d:\\Program Files\\Overture 4.0 繁體中文版\\Overture.exe\" \"%1\""
"command"=multi:"6{kHH=g^g8k`.!F03tyD>?%)duR)D9Xu~OSIW`PT- \"%1\"\00\00"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CurVer]
@="BDATuner.元件.1"

[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lx馪⒃蠏阗Ka\DefaultIcon]
@="c:\\PROGRA~1\\Ahead\\Nero\\nero.exe,14"

[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lx馪⒃蠏阗Ka\shell\open\command]
@="c:\\PROGRA~1\\Ahead\\Nero\\nero.exe \"%1\""

[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lx馪⒃蠏阗Ka\shell\print\command]
@="c:\\PROGRA~1\\Ahead\\Nero\\nero.exe /p \"%1\""

[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lx馪⒃蠏阗Ka\shell\printto\command]
@="c:\\PROGRA~1\\Ahead\\Nero\\nero.exe /pt \"%1\" \"%2\" \"%3\" \"%4\""
.
--------------------- 運行進程下的動態鏈接庫 ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\windows\system32\COMRes.dll
.
------------------------ 其他運行進程 ------------------------
.
c:\program files\INTEL\WIRELESS\BIN\EVTENG.EXE
c:\program files\INTEL\WIRELESS\BIN\S24EVMON.EXE
c:\program files\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
c:\windows\system32\conime.exe
c:\program files\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
c:\program files\COMMON FILES\SYMANTEC SHARED\SPBBC\SPBBCSVC.EXE
c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
c:\acer\EMPOWERING TECHNOLOGY\ADMSERV.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
d:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Symantec AntiVirus\DoScan.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
完成時間: 2009-03-04 5:43:30 - 電腦已重新啟動
ComboFix-quarantined-files.txt 2009-03-03 21:43:22
ComboFix2.txt 2009-03-03 00:40:34

Pre-Run: 11,641,552,896 位元組可用
Post-Run: 11,884,920,832 位元組可用

271 --- E O F --- 2009-03-03 04:53:48

Attached Files



#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:01 AM

Posted 04 March 2009 - 02:04 PM

Everything looks good. BitDefender found nothing but those (removed) malware in Norton quarantine folder.
  • Go to start > run and copy and paste or type next command in the field then hit enter:

    ComboFix /u

    Note: There's a space between Combofix and /

    This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

    It also makes a clean Restore Point and flashes all the old restore points in order to prevent possible reinfection from an old one through system restore.

    The first reboot might be a little slow, the next one will be faster.

  • I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.

  • I recommend installing this small application for safe surfing: Javacools© SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs. Update it manually (if you use the free version) once in 2-3 weeks and enable the restriction.
Please let me know Combofix is uninstalled properly.

Happy computing!

#11 darojess

darojess
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:01 AM

Posted 05 March 2009 - 02:01 AM

ComboFix was successfully uninstalled, and I installed the programs you recommended.
Is there anything else I should uninstall or do? Thank you so much. :thumbup2:

Edited by darojess, 05 March 2009 - 02:25 AM.


#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:01 AM

Posted 05 March 2009 - 12:40 PM

No you have done the right thing. :thumbup2:

And you are most welcome.

This thread will now be closed.

If you need this topic reopened, please send me a PM and I will reopen it for you. Include the address of this thread in your request.

If you should have a new issue, please start a new topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users