Cycbot Backdoor


#1
SJSCHOO
Father-in-law gets virus warnings from Microsoft Security Essentials (XP SP3), I install MalwareBytes+Update+Run (MS SE won't update). 35 infections found, most notable the Cycbot backdoor. Clean infection reboot crash... XP SP2 Repair disc into the night, turn off when finished. Started back to scan it today, no internet giving proxy errors. Looking at the log I see some weird stuff, looking for how to get rid of the stragglers and repair the damage done.

LEVEL OF DIFFICULTY: His XP install is in Chinese (legit), which I can't read.
If any tools default to the system language, it would be helpful to know where the button to switch to English is.
Here's the OTL scan.



OTL logfile created on: 31/5/2011 18:45:36 - Run 1
OTL by OldTimer - Version 3.2.23.0 Folder = C:\Documents and Settings\Administrator\桌面
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000C04 | Country: 香港特別行政區 | Language: ZHH | Date Format: d/M/yyyy

1023.48 Mb Total Physical Memory | 498.00 Mb Available Physical Memory | 48.66% Memory free
2.40 Gb Paging File | 1.95 Gb Available in Paging File | 81.10% Paging File free
Paging file location(s): c:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 76.68 Gb Total Space | 64.56 Gb Free Space | 84.20% Space Free | Partition Type: NTFS
Drive D: | 596.17 Gb Total Space | 559.12 Gb Free Space | 93.78% Space Free | Partition Type: NTFS
Drive F: | 3.74 Gb Total Space | 1.78 Gb Free Space | 47.64% Space Free | Partition Type: FAT32

Computer Name: MYCHAT-66FBB85C | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/31 18:42:04 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\桌面\OTL.exe
PRC - [2011/01/14 13:35:56 | 000,196,912 | ---- | M] (Nitro PDF Software) -- C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe
PRC - [2010/11/30 13:20:36 | 000,997,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2010/11/11 13:55:56 | 000,057,072 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Zune\ZuneBusEnum.exe
PRC - [2010/11/11 13:55:46 | 000,159,472 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Zune\ZuneLauncher.exe
PRC - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2009/06/24 14:02:02 | 000,933,888 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Program Files\LevelOne\WUA-0605\RtWLan.exe
PRC - [2008/08/08 12:28:12 | 002,049,320 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero8\InCD\NBHGui.exe
PRC - [2008/08/08 12:28:12 | 000,053,032 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
PRC - [2008/08/08 12:28:10 | 001,442,088 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
PRC - [2008/08/08 12:27:50 | 001,083,176 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero8\InCD\InCD.exe
PRC - [2008/06/24 16:06:06 | 001,840,424 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
PRC - [2006/12/05 14:22:06 | 000,344,064 | ---- | M] (Sonix) -- C:\WINDOWS\vsnp2std.exe
PRC - [2006/03/02 20:00:00 | 000,976,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/01/12 07:31:30 | 000,073,728 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE


========== Modules (SafeList) ==========

MOD - [2011/05/31 18:42:04 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\桌面\OTL.exe
MOD - [2010/08/24 00:11:32 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (RoxLiveShare10)
SRV - File not found [Auto | Stopped] -- -- (rckopjyz)
SRV - [2011/01/14 13:35:56 | 000,196,912 | ---- | M] (Nitro PDF Software) [Auto | Running] -- C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe -- (NitroReaderDriverReadSpool)
SRV - [2010/11/11 13:57:04 | 000,268,528 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Zune\WMZuneComm.exe -- (WMZuneComm)
SRV - [2010/11/11 13:57:02 | 000,444,656 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Zune\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
SRV - [2010/11/11 13:55:56 | 006,351,600 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
SRV - [2010/11/11 13:55:56 | 000,057,072 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Zune\ZuneBusEnum.exe -- (ZuneBusEnum)
SRV - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2008/08/08 12:28:12 | 000,053,032 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe -- (NeroRegInCDSrv)
SRV - [2008/08/08 12:28:10 | 001,442,088 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe -- (InCDsrv)


========== Driver Services (SafeList) ==========

DRV - [2010/04/28 07:44:02 | 000,054,760 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2010/03/10 17:25:58 | 000,020,968 | ---- | M] (Windows ® Win 7 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\cpuz133_x32.sys -- (cpuz133)
DRV - [2009/06/22 11:31:08 | 000,589,312 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8192su.sys -- (RTL8192su)
DRV - [2008/08/08 12:28:00 | 000,128,424 | ---- | M] (Nero AG) [File_System | Disabled | Running] -- C:\WINDOWS\system32\drivers\InCDfs.sys -- (InCDfs)
DRV - [2008/08/08 12:28:00 | 000,040,488 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDRm.sys -- (incdrm)
DRV - [2008/08/08 12:28:00 | 000,038,952 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDPass.sys -- (InCDPass)
DRV - [2006/12/27 15:51:36 | 012,006,400 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\snp2sxp.sys -- (SNP2STD) USB2.0 PC Camera (SNP2STD)
DRV - [2006/11/02 07:00:08 | 000,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)
DRV - [2006/03/02 20:00:00 | 000,012,160 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\fsvga.sys -- (FsVga)
DRV - [2005/04/01 12:12:00 | 001,032,192 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/01/12 07:32:20 | 000,087,936 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvatabus.sys -- (nvatabus)
DRV - [2005/01/12 07:32:14 | 000,033,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2005/01/12 07:32:14 | 000,012,928 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2005/01/12 07:31:26 | 002,284,864 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/08/19 07:21:00 | 000,189,568 | ---- | M] (Marvell) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2003/12/05 17:46:36 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2001/08/17 13:51:32 | 000,018,688 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\irsir.sys -- (irsir)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\..\URLSearchHook: {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL Inc.)

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://hk.yahoo.com/
IE - HKCU\..\URLSearchHook: {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:55333



O1 HOSTS File: ([2011/05/31 18:24:53 | 000,000,736 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx ()
O2 - BHO: (Winamp Toolbar Loader) - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL Inc.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (NTIECatcher Class) - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll (Xi)
O2 - BHO: (Yontoo Layers) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\PageRage\YontooIEClient.dll (Yontoo Technology, Inc.)
O3 - HKLM\..\Toolbar: (Winamp Toolbar) - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Winamp Toolbar) - {EBF2BA02-9094-4C5A-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL Inc.)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [InCD] C:\Program Files\Nero\Nero8\InCD\InCD.exe (Nero AG)
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PlexUtilities] File not found
O4 - HKLM..\Run: [SecurDisc] C:\Program Files\Nero\Nero8\InCD\NBHGui.exe (Nero AG)
O4 - HKLM..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe (Sonix)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Zune Launcher] C:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
O4 - HKCU..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe (Nero AG)
O4 - HKCU..\Run: [LightScribe Control Panel] File not found
O4 - HKCU..\Run: [RegistryBooster] File not found
O4 - Startup: C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\LevelOne WUA-0605 Wireless LAN Utility.lnk = C:\Program Files\LevelOne\WUA-0605\RtWLan.exe (Realtek Semiconductor Corp.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: 使用影音傳送帶下載 - C:\Program Files\Xi\NetTransport 2\NTAddLink.html ()
O8 - Extra context menu item: 使用影音傳送帶下載全部連結 - C:\Program Files\Xi\NetTransport 2\NTAddList.html ()
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 203.186.94.22 203.186.94.241 203.186.94.20
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop Components:0 (目前的首頁) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/07/05 23:31:24 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/02/04 22:52:34 | 000,000,077 | ---- | M] () - D:\AUTORUN.INF -- [ NTFS ]
O33 - MountPoints2\{4457d042-8849-11df-9645-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{4457d042-8849-11df-9645-806d6172696f}\Shell\AutoRun\command - "" = D:\SETUP.EXE -- [2008/09/03 17:25:32 | 004,717,040 | ---- | M] (Sonic Solutions)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/31 18:45:32 | 000,580,096 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\桌面\OTL.exe
[2011/05/31 18:27:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2011/05/31 18:24:58 | 000,000,000 | ---D | C] -- C:\ERDNT
[2011/05/31 18:22:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\桌面\Dial-a-fix-v0.60.0.24
[2011/05/31 18:22:42 | 001,445,888 | ---- | C] (Option^Explicit Software Solutions) -- C:\Documents and Settings\Administrator\桌面\winsockxpfix.exe
[2011/05/31 18:22:25 | 170,688,424 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\Administrator\桌面\avg_free_x86_all_2011_1375a3626.exe
[2011/05/30 22:56:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2011/05/30 21:44:27 | 000,079,872 | ---- | C] (Ricoh Co., Ltd.) -- C:\WINDOWS\System32\dllcache\rwia330.dll
[2011/05/30 21:44:27 | 000,079,872 | ---- | C] (Ricoh Co., Ltd.) -- C:\WINDOWS\System32\dllcache\rwia001.dll
[2011/05/30 21:44:27 | 000,026,624 | ---- | C] (Ricoh Co., Ltd.) -- C:\WINDOWS\System32\dllcache\rw330ext.dll
[2011/05/30 21:43:09 | 000,054,528 | ---- | C] (Philips Semiconductors GmbH) -- C:\WINDOWS\System32\dllcache\cap7146.sys
[2011/05/30 20:22:36 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent
[2011/05/30 20:18:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2011/05/30 20:18:10 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/05/30 20:18:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\「開始」功能表\程式集\Malwarebytes' Anti-Malware
[2011/05/30 20:18:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/05/30 20:18:06 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/05/30 20:18:05 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/05/30 20:08:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2011/05/29 19:54:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Uzomz
[2011/05/29 19:54:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Kamax
[2011/05/29 19:01:07 | 000,000,000 | ---D | C] -- C:\Program Files\PageRage
[2011/05/29 19:01:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Tarma Installer
[2011/05/07 23:05:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Winamp Toolbar
[2011/05/07 23:04:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Nitro PDF
[2011/05/07 23:04:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\「開始」功能表\程式集\Winamp Detector Plug-in
[2011/05/07 23:04:30 | 000,000,000 | ---D | C] -- C:\Program Files\Winamp Detect
[2011/05/07 23:04:21 | 000,026,416 | ---- | C] (Nitro PDF Software) -- C:\WINDOWS\System32\nitrolocalmon.dll
[2011/05/07 23:04:21 | 000,017,712 | ---- | C] (Nitro PDF Software) -- C:\WINDOWS\System32\nitrolocalui.dll
[2011/05/07 23:04:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Winamp Toolbar
[2011/05/07 23:04:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Nitro PDF
[2011/05/07 23:04:12 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Software Update Utility
[2011/05/07 23:04:06 | 000,000,000 | ---D | C] -- C:\Program Files\Nitro PDF
[2011/05/07 23:04:06 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Nitro PDF
[2011/05/07 23:03:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\OpenCandy
[2011/05/07 23:03:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\OpenCandy
[2011/05/07 23:02:28 | 016,075,784 | ---- | C] (Nullsoft, Inc.) -- C:\winamp561_full_emusic-7plus_all.exe
[2011/05/02 14:53:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\「開始」功能表\程式集\K-Lite Codec Pack
[2011/05/02 14:53:21 | 000,839,680 | ---- | C] (http://www.mp3dev.org/) -- C:\WINDOWS\System32\lameACM.acm
[2011/05/02 14:53:21 | 000,237,568 | ---- | C] (www.helixcommunity.org) -- C:\WINDOWS\System32\yv12vfw.dll
[2011/05/02 14:53:21 | 000,151,552 | ---- | C] (fccHandler) -- C:\WINDOWS\System32\ac3acm.acm
[2011/05/02 14:53:16 | 000,000,000 | ---D | C] -- C:\Program Files\K-Lite Codec Pack
[2010/07/06 22:43:26 | 000,155,648 | ---- | C] ( ) -- C:\WINDOWS\rsnp2std.dll
[2010/07/06 22:43:26 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\csnp2std.dll
[12 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/31 18:45:16 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/31 18:44:43 | 000,000,554 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/05/31 18:44:37 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/05/31 18:44:31 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/05/31 18:42:04 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\桌面\OTL.exe
[2011/05/31 18:29:21 | 000,002,229 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2011/05/31 18:24:53 | 000,000,736 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/05/31 18:24:26 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2011/05/31 18:24:26 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2011/05/31 18:16:32 | 000,335,992 | ---- | M] () -- C:\Documents and Settings\Administrator\桌面\Dial-a-fix-v0.60.0.24.zip
[2011/05/31 18:16:08 | 001,445,888 | ---- | M] (Option^Explicit Software Solutions) -- C:\Documents and Settings\Administrator\桌面\winsockxpfix.exe
[2011/05/31 18:14:28 | 170,688,424 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\Administrator\桌面\avg_free_x86_all_2011_1375a3626.exe
[2011/05/31 18:11:56 | 000,481,314 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/05/31 18:11:56 | 000,444,498 | ---- | M] () -- C:\WINDOWS\System32\prfh0404.dat
[2011/05/31 18:11:56 | 000,202,876 | ---- | M] () -- C:\WINDOWS\System32\prfc0404.dat
[2011/05/31 18:11:56 | 000,079,388 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/05/30 22:57:09 | 000,000,789 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\啟動 Internet Explorer 瀏覽器.lnk
[2011/05/30 22:56:40 | 000,000,426 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2011/05/30 22:56:39 | 000,000,426 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2011/05/30 22:56:39 | 000,000,426 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2011/05/30 22:56:39 | 000,000,426 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
[2011/05/30 22:56:39 | 000,000,426 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2011/05/30 22:56:39 | 000,000,426 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2011/05/30 22:56:39 | 000,000,426 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2011/05/30 22:56:39 | 000,000,426 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2011/05/30 22:56:39 | 000,000,426 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2011/05/30 22:56:39 | 000,000,426 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2011/05/30 22:55:59 | 000,126,112 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/05/30 21:45:51 | 000,000,288 | ---- | M] () -- C:\WINDOWS\System32\$winnt$.inf
[2011/05/30 21:40:49 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2011/05/30 21:40:40 | 000,004,205 | ---- | M] () -- C:\WINDOWS\ODBCINST.INI
[2011/05/30 21:38:18 | 000,023,196 | ---- | M] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/05/30 21:36:49 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2011/05/30 20:39:03 | 000,000,558 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/05/30 20:20:14 | 000,000,736 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.msn
[2011/05/30 20:18:11 | 000,000,794 | ---- | M] () -- C:\Documents and Settings\All Users\桌面\Malwarebytes' Anti-Malware.lnk
[2011/05/29 21:38:59 | 000,003,036 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\67B6.70F
[2011/05/25 21:59:34 | 000,000,412 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\spider.sav
[2011/05/21 22:43:34 | 000,010,752 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/05/21 22:43:34 | 000,000,156 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2011/05/08 18:51:52 | 000,000,072 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\default.pls
[2011/05/07 23:04:32 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Winamp.lnk
[2011/05/07 23:04:32 | 000,000,664 | ---- | M] () -- C:\Documents and Settings\All Users\桌面\Winamp.lnk
[2011/05/02 14:49:52 | 000,000,810 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[12 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/05/31 18:22:34 | 000,335,992 | ---- | C] () -- C:\Documents and Settings\Administrator\桌面\Dial-a-fix-v0.60.0.24.zip
[2011/05/30 21:43:28 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\dllcache\fpencode.dll
[2011/05/30 21:27:39 | 000,059,392 | ---- | C] () -- C:\WINDOWS\System32\dllcache\imscinst.exe
[2011/05/30 21:27:08 | 001,938,688 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NT5.CAT
[2011/05/30 21:27:08 | 001,025,000 | ---- | C] () -- C:\WINDOWS\System32\dllcache\SP2.CAT
[2011/05/30 21:27:08 | 000,819,229 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NT5IIS.CAT
[2011/05/30 21:27:08 | 000,399,645 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MAPIMIG.CAT
[2011/05/30 21:27:08 | 000,141,702 | ---- | C] () -- C:\WINDOWS\System32\dllcache\netfx.cat
[2011/05/30 21:27:08 | 000,104,300 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tabletpc.cat
[2011/05/30 21:27:08 | 000,037,484 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MW770.CAT
[2011/05/30 21:27:08 | 000,031,965 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mediactr.cat
[2011/05/30 21:27:08 | 000,031,281 | ---- | C] () -- C:\WINDOWS\System32\dllcache\FP4.CAT
[2011/05/30 21:27:08 | 000,014,043 | ---- | C] () -- C:\WINDOWS\System32\dllcache\IMS.CAT
[2011/05/30 21:27:08 | 000,013,472 | ---- | C] () -- C:\WINDOWS\System32\dllcache\HPCRDP.CAT
[2011/05/30 21:27:08 | 000,009,581 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MSMSGS.CAT
[2011/05/30 21:27:08 | 000,008,574 | ---- | C] () -- C:\WINDOWS\System32\dllcache\IASNT4.CAT
[2011/05/30 21:27:08 | 000,007,382 | ---- | C] () -- C:\WINDOWS\System32\dllcache\OEMBIOS.CAT
[2011/05/30 21:27:08 | 000,007,245 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MSTSWEB.CAT
[2011/05/30 21:27:07 | 000,619,200 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NT5INF.CAT
[2011/05/30 20:18:11 | 000,000,794 | ---- | C] () -- C:\Documents and Settings\All Users\桌面\Malwarebytes' Anti-Malware.lnk
[2011/05/30 20:13:40 | 000,000,426 | ---- | C] () -- C:\WINDOWS\tasks\At10.job
[2011/05/30 20:04:54 | 000,000,426 | ---- | C] () -- C:\WINDOWS\tasks\At9.job
[2011/05/29 21:44:26 | 000,000,426 | ---- | C] () -- C:\WINDOWS\tasks\At8.job
[2011/05/29 21:35:34 | 000,000,426 | ---- | C] () -- C:\WINDOWS\tasks\At7.job
[2011/05/29 21:22:20 | 000,000,426 | ---- | C] () -- C:\WINDOWS\tasks\At6.job
[2011/05/29 21:15:53 | 000,000,426 | ---- | C] () -- C:\WINDOWS\tasks\At5.job
[2011/05/29 21:11:14 | 000,000,426 | ---- | C] () -- C:\WINDOWS\tasks\At4.job
[2011/05/29 21:06:00 | 000,000,426 | ---- | C] () -- C:\WINDOWS\tasks\At3.job
[2011/05/29 19:35:00 | 000,000,426 | ---- | C] () -- C:\WINDOWS\tasks\At2.job
[2011/05/29 19:34:53 | 000,000,426 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
[2011/05/29 19:00:30 | 000,003,036 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\67B6.70F
[2011/05/02 14:53:25 | 000,175,616 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2011/05/02 14:53:24 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2011/05/02 14:53:21 | 000,631,808 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2011/05/02 14:53:21 | 000,000,414 | ---- | C] () -- C:\WINDOWS\System32\lame_acm.xml
[2011/05/02 14:53:20 | 000,243,200 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2011/05/02 14:53:20 | 000,080,896 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2011/04/21 21:57:59 | 000,010,752 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/01/19 21:36:32 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/12/16 21:35:24 | 000,026,836 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/10/16 23:54:39 | 000,000,072 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\default.pls
[2010/10/16 23:53:09 | 000,000,156 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2010/09/26 21:22:38 | 000,000,041 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
[2010/09/26 20:47:15 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\rx_image32.Cache
[2010/09/20 23:03:15 | 000,040,960 | ---- | C] () -- C:\Program Files\Uninstall_CDS.exe
[2010/07/06 22:43:30 | 000,020,480 | ---- | C] () -- C:\WINDOWS\FixCamera.exe
[2010/07/06 22:43:28 | 000,262,144 | ---- | C] () -- C:\WINDOWS\tsnp2std.exe
[2010/07/06 22:43:28 | 000,024,832 | ---- | C] () -- C:\WINDOWS\System32\drivers\sncamd.sys
[2010/07/06 22:43:28 | 000,015,497 | ---- | C] () -- C:\WINDOWS\snp2std.ini
[2010/07/06 22:43:27 | 012,006,400 | ---- | C] () -- C:\WINDOWS\System32\drivers\snp2sxp.sys
[2010/07/06 22:40:11 | 000,156,672 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2010/07/06 22:35:14 | 000,000,379 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/07/06 22:21:36 | 000,000,169 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2010/07/06 21:37:20 | 000,451,072 | ---- | C] () -- C:\WINDOWS\System32\ISSRemoveSP.exe
[2010/07/06 20:05:52 | 000,000,469 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2010/07/06 19:53:04 | 000,516,096 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2010/07/06 19:52:59 | 000,079,320 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2010/07/05 23:42:18 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2010/07/05 23:33:32 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/07/05 23:32:25 | 000,026,013 | ---- | C] () -- C:\WINDOWS\System32\sleep.exe
[2010/07/05 23:31:38 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2010/07/05 23:28:59 | 000,023,196 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/07/05 23:25:33 | 000,004,205 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/07/05 23:23:40 | 000,126,112 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/01/25 12:58:06 | 000,462,848 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
[2006/03/02 20:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/03/02 20:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/03/02 20:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/03/02 20:00:00 | 000,261,056 | ---- | C] () -- C:\WINDOWS\winhelp.exe
[2006/03/02 20:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/03/02 20:00:00 | 000,151,808 | ---- | C] () -- C:\WINDOWS\System32\ozxtkazy.dat
[2006/03/02 20:00:00 | 000,136,448 | ---- | C] () -- C:\WINDOWS\System32\svvjqeva.dat
[2006/03/02 20:00:00 | 000,112,200 | ---- | C] () -- C:\WINDOWS\System32\prfi0404.dat
[2006/03/02 20:00:00 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2006/03/02 20:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/03/02 20:00:00 | 000,034,560 | ---- | C] () -- C:\WINDOWS\System32\auybkjrj.dat
[2006/03/02 20:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\prfd0404.dat
[2006/03/02 20:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/03/02 20:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2006/03/02 20:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/03/02 20:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/03/02 20:00:00 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2004/07/12 08:00:00 | 000,481,314 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/07/12 08:00:00 | 000,444,498 | ---- | C] () -- C:\WINDOWS\System32\prfh0404.dat
[2004/07/12 08:00:00 | 000,202,876 | ---- | C] () -- C:\WINDOWS\System32\prfc0404.dat
[2004/07/12 08:00:00 | 000,079,388 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/07/12 08:00:00 | 000,005,120 | ---- | C] () -- C:\WINDOWS\System32\setupold.exe
[2004/07/12 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== LOP Check ==========

[2010/09/20 23:05:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\InterTrust
[2011/05/30 20:53:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Kamax
[2011/05/07 23:04:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Nitro PDF
[2011/05/07 23:03:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\OpenCandy
[2010/09/19 19:00:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Uniblue
[2011/05/30 20:16:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Uzomz
[2010/09/19 18:44:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LightScribe
[2010/07/05 23:32:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSN Messenger 6.2.0137
[2011/05/07 23:04:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nitro PDF
[2010/09/26 21:23:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SlySoft
[2011/05/29 19:01:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Tarma Installer
[2010/09/26 20:40:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall
[2010/12/12 17:41:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2011/05/30 22:56:39 | 000,000,426 | ---- | M] () -- C:\WINDOWS\Tasks\At1.job
[2011/05/30 22:56:39 | 000,000,426 | ---- | M] () -- C:\WINDOWS\Tasks\At10.job
[2011/05/30 22:56:39 | 000,000,426 | ---- | M] () -- C:\WINDOWS\Tasks\At2.job
[2011/05/30 22:56:39 | 000,000,426 | ---- | M] () -- C:\WINDOWS\Tasks\At3.job
[2011/05/30 22:56:39 | 000,000,426 | ---- | M] () -- C:\WINDOWS\Tasks\At4.job
[2011/05/30 22:56:39 | 000,000,426 | ---- | M] () -- C:\WINDOWS\Tasks\At5.job
[2011/05/30 22:56:39 | 000,000,426 | ---- | M] () -- C:\WINDOWS\Tasks\At6.job
[2011/05/30 22:56:39 | 000,000,426 | ---- | M] () -- C:\WINDOWS\Tasks\At7.job
[2011/05/30 22:56:39 | 000,000,426 | ---- | M] () -- C:\WINDOWS\Tasks\At8.job
[2011/05/30 22:56:40 | 000,000,426 | ---- | M] () -- C:\WINDOWS\Tasks\At9.job
[2011/05/31 18:44:37 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 24 bytes -> C:\WINDOWS:405FD40B059C6F12

< End of report >
And here's the Extras.txt added.
OTL Extras logfile created on: 31/5/2011 18:45:36 - Run 1
OTL by OldTimer - Version 3.2.23.0 Folder = C:\Documents and Settings\Administrator\桌面
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000C04 | Country: 香港特別行政區 | Language: ZHH | Date Format: d/M/yyyy

1023.48 Mb Total Physical Memory | 498.00 Mb Available Physical Memory | 48.66% Memory free
2.40 Gb Paging File | 1.95 Gb Available in Paging File | 81.10% Paging File free
Paging file location(s): c:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 76.68 Gb Total Space | 64.56 Gb Free Space | 84.20% Space Free | Partition Type: NTFS
Drive D: | 596.17 Gb Total Space | 559.12 Gb Free Space | 93.78% Space Free | Partition Type: NTFS
Drive F: | 3.74 Gb Total Space | 1.78 Gb Free Space | 47.64% Space Free | Partition Type: FAT32

Computer Name: MYCHAT-66FBB85C | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /k "cd %L" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [NewWindow] -- explorer.exe %1 (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft, Inc.)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft, Inc.)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft, Inc.)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
"DisableUnicastResponsesToMulticastBroadcast" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
"DisableUnicastResponsesToMulticastBroadcast" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1542:TCP" = 1542:TCP:*:Enabled:Realtek WPS TCP Prot
"1542:UDP" = 1542:UDP:*:Enabled:Realtek WPS UDP Prot
"53:UDP" = 53:UDP:*:Enabled:Realtek AP UDP Prot
"5985:TCP" = 5985:TCP:*:Disabled:Windows 遠端管理
"80:TCP" = 80:TCP:*:Disabled:Windows 遠端管理 - 相容模式 (HTTP-In)

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\LevelOne\WUA-0605\RtWLan.exe" = C:\Program Files\LevelOne\WUA-0605\RtWLan.exe:*:Enabled:RtWlan -- (Realtek Semiconductor Corp.)
"C:\Program Files\Java\jre6\bin\java.exe" = C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\Winamp\winamp.exe" = C:\Program Files\Winamp\winamp.exe:*:Enabled:Winamp -- (Nullsoft, Inc.)
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07EEE598-5F21-4B57-B40B-46592625B3D9}" = Zune Language Pack (PTB)
"{0C9B0475-F65F-45AB-8D88-2AE7C195E907}" = Microsoft .NET Framework 1.1 Chinese (Traditional) Lang. Pack
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{1BD07DF4-FB06-41BA-B896-B2DA59000C96}" = Windows Live Toolbar
"{1ECF08CB-8602-49A7-B72E-E2D5CD84FF13}" = 遠端桌面連線
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 21
"{2881063B-C58F-49EB-97FD-8BF58EC580F9}" = Nitro PDF Reader
"{29A725D7-50B6-33D5-8FAC-239EFC439C96}" = Microsoft .NET Framework 2.0 Service Pack 2 Language Pack - CHT
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{350C97B6-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{353FE16B-30FE-469A-BF55-B978F4218003}" = iTunes
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{5C93E291-A1CC-4E51-85C6-E194209FCDB4}" = Zune Language Pack (PTG)
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{6740BCB0-5863-47F4-80F4-44F394DE4FE2}" = Zune Language Pack (NLD)
"{6B33492E-FBBC-4EC3-8738-09E16E395A10}" = Zune Language Pack (ESP)
"{7006ED29-58F2-40C3-AE87-039287AD20B6}" = Zune
"{75438C0E-9925-412E-AD85-D0E71C6CE2ED}" = USB2.0 PC Camera
"{774088D4-0777-4D78-904D-E435B318F5D2}" = Microsoft Antimalware
"{77A776C4-D10F-416D-88F0-53F2D9DCD9B3}" = Microsoft Security Client
"{7D1D6A24-65D4-454C-8815-4F08A5FFF12C}" = Macromedia Shockwave Player
"{853A4763-6643-4604-8D64-28BDD8925F4C}" = Apple Application Support
"{889DF117-14D1-44EE-9F31-C5FB5D47F68B}" = PageRage 1.10.01
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8E5233E1-7495-44FB-8DEB-4BE906D59619}" = Junk Mail filter update
"{90280404-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{92354E91-92E0-3C7D-A030-936F88E75451}" = Microsoft .NET Framework 3.5 Language Pack SP1 - cht
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9C049499-055C-4a0c-A916-1D8CA1FF45EB}" = LevelOne WUA-0605 Wireless LAN Driver and Utility
"{9C9CEB9D-53FD-49A7-85D2-FE674F72F24E}" = Microsoft Search Enhancement Pack
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5CCD0C8-6D5E-4515-BDD7-2A22D5D91028}" = Nero 8 Essentials
"{A71D5E81-B967-43DB-93D7-FD31BFB95748}" = MobileMe Control Panel
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-0000-0000-0000-6028747ADE01}" = Adobe Acrobat - Reader 6.0.2 Update
"{AC76BA86-7AD7-1028-7646-A00000000001}" = Adobe Reader 6.0.1 - Chinese Traditional
"{B10914FD-8812-47A4-85A1-50FCDE7F1F33}" = Windows Live Sync
"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{BE236D9A-52EC-4A17-82DA-84B5EAD31E3E}" = Zune Language Pack (DEU)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C2E4B5BD-32DB-4817-A060-341AB17C3F90}" = Bonjour
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C5D37FFA-7483-410B-982B-91E93FD3B7DA}" = Zune Language Pack (ITA)
"{C68D33B1-0204-4EBE-BC45-A6E432B1D13A}" = Zune Language Pack (FRA)
"{C73F2967-062E-48F2-A462-D335B8950183}" = Safari
"{C950420B-4182-49EA-850A-A6A2ABF06C6B}" = Marvell Miniport Driver
"{CACAEB5F-174D-4C7C-AC56-A33289A807CA}" = Apple Mobile Device Support
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}" = Skype Toolbars
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D92FF8EB-BD77-40AE-B68B-A6BFC6F8661D}" = Windows Live Family Safety
"{E34ACF2A-38BA-3348-90F6-B76A34647AB0}" = Microsoft .NET Framework 4 Client Profile CHT Language Pack
"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
"{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}" = Skype™ 5.1
"{EDFE2E1D-FF41-369C-9F54-86EFA9DB8833}" = Microsoft .NET Framework 3.0 Service Pack 2 Language Pack - CHT
"{EE39FFBD-544E-49E4-A999-6819828EAE91}" = Windows Live Photo Gallery
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F2CB8C3C-9C9E-4FAB-9067-655601C5F748}" = Windows Mobile Device Updater Component
"Ad-Aware SE Professional" = Ad-Aware SE Professional
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"All ATI Software" = ATI - 軟體解除安裝公用程式
"ATI Display Driver" = ATI Display Driver
"CCleaner" = CCleaner
"CPUID CPU-Z_is1" = CPUID CPU-Z 1.54
"Defraggler" = Defraggler
"Google Chrome" = Google Chrome
"KLiteCodecPack_is1" = K-Lite Codec Pack 7.1.0 (Full)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 Language Pack SP1 - cht" = Microsoft .NET Framework 3.5 語言套件 SP1 - 繁體中文
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile CHT Language Pack" = Microsoft .NET Framework 4 Client Profile 繁體中文語言套件
"Microsoft Security Client" = Microsoft Security Essentials
"Net Transport_is1" = Net Transport 1.92.273
"NVIDIA Drivers" = NVIDIA Drivers
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"Winamp" = Winamp
"Winamp Toolbar" = Winamp Toolbar
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 11
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR 壓縮工具
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"XPSEPSCLP" = XML Paper Specification Shared Components Language Pack 1.0
"Zune" = Zune
"超級兔子魔法設定" = 超級兔子魔法設定

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Winamp Detect" = Winamp Detector Plug-in
"Winamp Toolbar" = Winamp Toolbar

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 29/5/2011 9:39:56 | Computer Name = MYCHAT-66FBB85C | Source = Microsoft Security Client | ID = 5000
Description =

Error - 29/5/2011 9:40:42 | Computer Name = MYCHAT-66FBB85C | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 80072efe, P2 endsearch, P3 search, P4 3.0.8107.0,
P5 mpsigdwn.dll, P6 3.0.8107.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 29/5/2011 9:41:21 | Computer Name = MYCHAT-66FBB85C | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 80072efe, P2 endsearch, P3 search, P4 3.0.8107.0,
P5 mpsigdwn.dll, P6 3.0.8107.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 29/5/2011 9:42:09 | Computer Name = MYCHAT-66FBB85C | Source = Microsoft Security Client | ID = 5000
Description =

Error - 29/5/2011 9:46:41 | Computer Name = MYCHAT-66FBB85C | Source = EventSystem | ID = 4614
Description = COM+ 事件系統在其內部狀態中偵測到不一致性。在 d:\comxp_sp3\com\com1x\src\events\shared\sectools.cpp
的行 162,宣告 "GetLastError() == 122L" 失敗。請與 Microsoft 產品支援服務聯絡,以報告這個錯誤

Error - 30/5/2011 8:08:03 | Computer Name = MYCHAT-66FBB85C | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8107.0,
P5 mpsigdwn.dll, P6 3.0.8107.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 30/5/2011 8:16:41 | Computer Name = MYCHAT-66FBB85C | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 80072efe, P2 endsearch, P3 search, P4 3.0.8107.0,
P5 mpsigdwn.dll, P6 3.0.8107.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 30/5/2011 8:17:34 | Computer Name = MYCHAT-66FBB85C | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 80072efe, P2 endsearch, P3 search, P4 3.0.8107.0,
P5 mpsigdwn.dll, P6 3.0.8107.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 30/5/2011 8:21:03 | Computer Name = MYCHAT-66FBB85C | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 80072efe, P2 endsearch, P3 search, P4 3.0.8107.0,
P5 mpsigdwn.dll, P6 3.0.8107.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 30/5/2011 9:38:29 | Computer Name = MYCHAT-66FBB85C | Source = LoadPerf | ID = 3001
Description =

[ System Events ]
Error - 31/5/2011 6:06:23 | Computer Name = MYCHAT-66FBB85C | Source = Service Control Manager | ID = 7026
Description = 下列開機啟動或系統啟動驅動程式無法載入: MpFilter

Error - 31/5/2011 6:28:28 | Computer Name = MYCHAT-66FBB85C | Source = DCOM | ID = 10005
Description = DCOM 遇到錯誤 "%1084",是當嘗試啟動服務 EventSystem 而引數為 "", 為了執行伺服器: {1BE1F766-5536-11D1-B726-00C04FB926AF}
之時

Error - 31/5/2011 6:29:38 | Computer Name = MYCHAT-66FBB85C | Source = Service Control Manager | ID = 7026
Description = 下列開機啟動或系統啟動驅動程式無法載入: Fips MpFilter Processor

Error - 31/5/2011 6:43:24 | Computer Name = MYCHAT-66FBB85C | Source = DCOM | ID = 10005
Description = DCOM 遇到錯誤 "%1084",是當嘗試啟動服務 EventSystem 而引數為 "", 為了執行伺服器: {1BE1F766-5536-11D1-B726-00C04FB926AF}
之時

Error - 31/5/2011 6:44:40 | Computer Name = MYCHAT-66FBB85C | Source = Microsoft Antimalware | ID = 3002
Description = %%860 Real-Time Protection feature has encountered an error and failed.

Feature:
%%834 Error Code: 0x80070032 Error description: 不支援這個要求。 Reason: %%842

Error - 31/5/2011 6:44:40 | Computer Name = MYCHAT-66FBB85C | Source = Microsoft Antimalware | ID = 3002
Description = %%860 Real-Time Protection feature has encountered an error and failed.

Feature:
%%835 Error Code: 0x80070032 Error description: 不支援這個要求。 Reason: %%842

Error - 31/5/2011 6:44:40 | Computer Name = MYCHAT-66FBB85C | Source = Microsoft Antimalware | ID = 3002
Description = %%860 Real-Time Protection feature has encountered an error and failed.

Feature:
%%834 Error Code: 0x80070032 Error description: 不支援這個要求。 Reason: %%837

Error - 31/5/2011 6:44:40 | Computer Name = MYCHAT-66FBB85C | Source = Microsoft Antimalware | ID = 3002
Description = %%860 Real-Time Protection feature has encountered an error and failed.

Feature:
%%835 Error Code: 0x80070032 Error description: 不支援這個要求。 Reason: %%837

Error - 31/5/2011 6:45:16 | Computer Name = MYCHAT-66FBB85C | Source = Service Control Manager | ID = 7000
Description = Terminal Device Helper 服務無法啟動,因為發生下列錯誤: %%1083

Error - 31/5/2011 6:45:16 | Computer Name = MYCHAT-66FBB85C | Source = Service Control Manager | ID = 7026
Description = 下列開機啟動或系統啟動驅動程式無法載入: atapi MpFilter PCIIde


< End of report >
#2
SJSCHOO

    Member

  • Topic Starter
  • Member
  • 87 posts
Anyone?
#3
Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts
Hi, SJSCHOO! Welcome to GeeksToGo! My nickname is Render and I will be assisting you with your malware/security problems. Please make sure you read all of the instructions and fixes thoroughly before continuing with them. If you have any queries or you are unsure about anything, just say and I'll help you out :)

It may well be worth you printing/saving the instructions throughout the fix, so you have them to hand just in case you are unable to access this site.

Please note:
  • Remember to post your logs, not attach them. So, any logs from any programs we run, should be just 'copied & pasted' into your reply.
  • Please only run the tools that I request. I know malware can be frustrating but running other tools in the meantime and between posts, only makes it harder for us to analyse and fix your PC in the long run.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!

Sorry for the delay.

If you have since resolved the original problem you were having, I would appreciate you letting me know. If not please perform the following steps below so I can have a look at the current condition of your machine.

Step 1

  • Please download aswMBR.exe to your desktop.
  • Double click the aswMBR.exe to run it.
  • On completion of the scan click Save log, save it to your desktop and post in your next reply.

Step 2

Download RogueKiller to your desktop

  • Quit all running programs
  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • When prompted, type 1 and validate
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport.txt in your next Reply.

Step 3

OTL Custom Scan

  • Double click on the OTL.exe icon to run it.
  • Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top, make sure Standard output is selected.
  • Select Scan all users
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scans/Fixes box copy and paste this in:

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    %systemroot%\*. /mp /s
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    CREATERESTOREPOINT

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open OTL.Txt in Notepad window.
  • Please copy (Edit->Select All, Edit->Copy) the content of this file and post it with your next reply.

When completed the above, please post back the following in the order asked for:
  • aswMBR log
  • Contents of the RKreport.txt
  • OTL scan log

#4
SJSCHOO

    Member

  • Topic Starter
  • Member
  • 87 posts
Thanks for responding; the OTL logs will be very different. After 3 days I figured this wasn't going to get worked on, so I scanned other Cycbot posts and did what little I could: RootkitUnhooker (unsuccessful), ComboFix, XP SP3 update, and multiple MalwareBytes/Microsoft Security Essentials scans each. Still finding the same things again and again.

aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-06-04 10:32:20
-----------------------------
10:32:20.671 OS Version: Windows 5.1.2600 Service Pack 3
10:32:20.671 Number of processors: 1 586 0x2F00
10:32:20.671 ComputerName: MYCHAT-66FBB85C UserName: Administrator
10:32:20.937 Initialize success
10:32:27.375 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000070
10:32:27.375 Disk 0 Vendor: HDS728080PLA380 PF2OA60A Size: 78533MB BusType: 3
10:32:27.375 Disk 1 \Device\Harddisk1\DR1 -> \Device\00000071
10:32:27.375 Disk 1 Vendor: WDC_WD6400AAKS-00A7B0 01.03B01 Size: 610480MB BusType: 3
10:32:27.390 Disk 0 MBR read successfully
10:32:27.390 Disk 0 MBR scan
10:32:27.390 Disk 0 Windows XP default MBR code
10:32:27.390 Disk 0 scanning sectors +160810650
10:32:27.421 Disk 0 scanning C:\WINDOWS\system32\drivers
10:32:38.406 Service scanning
10:32:39.484 Disk 0 trace - called modules:
10:32:39.484 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvatabus.sys
10:32:39.484 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f59ab8]
10:32:39.484 3 CLASSPNP.SYS[f767bfd7] -> nt!IofCallDriver -> \Device\00000072[0x86f30b10]
10:32:39.500 5 ACPI.sys[f74f2620] -> nt!IofCallDriver -> \Device\00000070[0x86f59030]
10:32:39.500 Scan finished successfully
10:32:57.265 Disk 0 MBR has been saved successfully to "F:\MBR.dat"
10:32:57.265 The log file has been saved successfully to "F:\aswMBR.txt"
RogueKiller V5.2.1 [06/02/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-to...-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Administrator [Admin rights]
Mode: Scan -- Date : 06/04/2011 10:33:13

Bad processes: 1
[SUSP PATH] vsnp2std.exe -- c:\windows\vsnp2std.exe -> KILLED

Registry Entries: 3
[SUSP PATH] HKLM\[...]\Run : snp2std (C:\WINDOWS\vsnp2std.exe) -> FOUND
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (http=127.0.0.1:55333) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

HOSTS File:
127.0.0.1 localhost


Finished : << \RKreport[1].txt >>
RKreport[1].txt
OTL logfile created on: 4/6/2011 10:35:49 - Run 2
OTL by OldTimer - Version 3.2.23.0 Folder = C:\Documents and Settings\Administrator\桌面
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C04 | Country: 香港特別行政區 | Language: ZHH | Date Format: d/M/yyyy

1023.48 Mb Total Physical Memory | 457.41 Mb Available Physical Memory | 44.69% Memory free
2.40 Gb Paging File | 1.91 Gb Available in Paging File | 79.65% Paging File free
Paging file location(s): c:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 76.68 Gb Total Space | 61.25 Gb Free Space | 79.88% Space Free | Partition Type: NTFS
Drive D: | 596.17 Gb Total Space | 558.45 Gb Free Space | 93.67% Space Free | Partition Type: NTFS
Drive F: | 3.75 Gb Total Space | 3.71 Gb Free Space | 98.88% Space Free | Partition Type: NTFS

Computer Name: MYCHAT-66FBB85C | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/31 18:42:04 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\桌面\OTL.exe
PRC - [2011/03/18 01:26:14 | 002,435,592 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe
PRC - [2011/03/18 01:24:50 | 001,043,968 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2011/01/14 13:35:56 | 000,196,912 | ---- | M] (Nitro PDF Software) -- C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe
PRC - [2010/11/30 13:20:36 | 000,997,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2010/11/11 13:55:56 | 000,057,072 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Zune\ZuneBusEnum.exe
PRC - [2010/11/11 13:55:46 | 000,159,472 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Zune\ZuneLauncher.exe
PRC - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2009/06/24 14:02:02 | 000,933,888 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Program Files\LevelOne\WUA-0605\RtWLan.exe
PRC - [2008/08/08 12:28:12 | 002,049,320 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero8\InCD\NBHGui.exe
PRC - [2008/08/08 12:28:12 | 000,053,032 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
PRC - [2008/08/08 12:28:10 | 001,442,088 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
PRC - [2008/08/08 12:27:50 | 001,083,176 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero8\InCD\InCD.exe
PRC - [2008/06/24 16:06:06 | 001,840,424 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
PRC - [2008/04/14 22:00:32 | 000,978,432 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/14 22:00:26 | 000,027,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\conime.exe
PRC - [2005/01/12 07:31:30 | 000,073,728 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE


========== Modules (SafeList) ==========

MOD - [2011/05/31 18:42:04 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\桌面\OTL.exe
MOD - [2010/08/24 00:11:32 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (RoxLiveShare10)
SRV - File not found [Auto | Stopped] -- -- (rckopjyz)
SRV - [2011/03/18 01:26:14 | 002,435,592 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe -- (vsmon)
SRV - [2011/01/14 13:35:56 | 000,196,912 | ---- | M] (Nitro PDF Software) [Auto | Running] -- C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe -- (NitroReaderDriverReadSpool)
SRV - [2010/11/11 13:57:04 | 000,268,528 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Zune\WMZuneComm.exe -- (WMZuneComm)
SRV - [2010/11/11 13:57:02 | 000,444,656 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Zune\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
SRV - [2010/11/11 13:55:56 | 006,351,600 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
SRV - [2010/11/11 13:55:56 | 000,057,072 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Zune\ZuneBusEnum.exe -- (ZuneBusEnum)
SRV - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2008/08/08 12:28:12 | 000,053,032 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe -- (NeroRegInCDSrv)
SRV - [2008/08/08 12:28:10 | 001,442,088 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe -- (InCDsrv)


========== Driver Services (SafeList) ==========

DRV - [2011/06/04 10:30:19 | 000,028,752 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{61763A0E-8D7A-41BC-BBF9-47859A27C0F7}\MpKsl39f15467.sys -- (MpKsl39f15467)
DRV - [2010/05/13 10:02:32 | 000,532,224 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2010/04/28 07:44:02 | 000,054,760 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2010/03/10 17:25:58 | 000,020,968 | ---- | M] (Windows ® Win 7 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\cpuz133_x32.sys -- (cpuz133)
DRV - [2009/06/22 11:31:08 | 000,589,312 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8192su.sys -- (RTL8192su)
DRV - [2008/08/08 12:28:00 | 000,128,424 | ---- | M] (Nero AG) [File_System | Disabled | Running] -- C:\WINDOWS\system32\drivers\InCDfs.sys -- (InCDfs)
DRV - [2008/08/08 12:28:00 | 000,040,488 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDRm.sys -- (incdrm)
DRV - [2008/08/08 12:28:00 | 000,038,952 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDPass.sys -- (InCDPass)
DRV - [2006/12/27 15:51:36 | 012,006,400 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\snp2sxp.sys -- (SNP2STD) USB2.0 PC Camera (SNP2STD)
DRV - [2006/11/02 07:00:08 | 000,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)
DRV - [2006/03/02 20:00:00 | 000,012,160 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\fsvga.sys -- (FsVga)
DRV - [2005/04/01 12:12:00 | 001,032,192 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/01/12 07:32:20 | 000,087,936 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvatabus.sys -- (nvatabus)
DRV - [2005/01/12 07:32:14 | 000,033,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2005/01/12 07:32:14 | 000,012,928 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2005/01/12 07:31:26 | 002,284,864 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/08/19 07:21:00 | 000,189,568 | ---- | M] (Marvell) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2003/12/05 17:46:36 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2001/08/17 13:51:32 | 000,018,688 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\irsir.sys -- (irsir)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\URLSearchHook: {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL Inc.)


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = tw.yahoo.com

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = tw.yahoo.com

IE - HKU\S-1-5-21-343818398-2052111302-839522115-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://hk.yahoo.com/
IE - HKU\S-1-5-21-343818398-2052111302-839522115-500\..\URLSearchHook: {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL Inc.)
IE - HKU\S-1-5-21-343818398-2052111302-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-343818398-2052111302-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKU\S-1-5-21-343818398-2052111302-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:55333



O1 HOSTS File: ([2011/06/01 21:34:49 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx ()
O2 - BHO: (Winamp Toolbar Loader) - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL Inc.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (NTIECatcher Class) - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll (Xi)
O2 - BHO: (Yontoo Layers) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\PageRage\YontooIEClient.dll (Yontoo Technology, Inc.)
O3 - HKLM\..\Toolbar: (Winamp Toolbar) - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL Inc.)
O3 - HKU\S-1-5-21-343818398-2052111302-839522115-500\..\Toolbar\WebBrowser: (Winamp Toolbar) - {EBF2BA02-9094-4C5A-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL Inc.)
O4 - HKLM..\Run: [IMJPMIG8.1] File not found
O4 - HKLM..\Run: [InCD] C:\Program Files\Nero\Nero8\InCD\InCD.exe (Nero AG)
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [QuickTime Task] File not found
O4 - HKLM..\Run: [SecurDisc] C:\Program Files\Nero\Nero8\InCD\NBHGui.exe (Nero AG)
O4 - HKLM..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe (Sonix)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - HKLM..\Run: [Zune Launcher] C:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-343818398-2052111302-839522115-500..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe (Nero AG)
O4 - Startup: C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\LevelOne WUA-0605 Wireless LAN Utility.lnk = C:\Program Files\LevelOne\WUA-0605\RtWLan.exe (Realtek Semiconductor Corp.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-343818398-2052111302-839522115-500\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-343818398-2052111302-839522115-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-343818398-2052111302-839522115-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-343818398-2052111302-839522115-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: 使用影音傳送帶下載 - C:\Program Files\Xi\NetTransport 2\NTAddLink.html ()
O8 - Extra context menu item: 使用影音傳送帶下載全部連結 - C:\Program Files\Xi\NetTransport 2\NTAddList.html ()
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 203.186.94.22 203.186.94.241 203.186.94.20
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop Components:0 (目前的首頁) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/07/05 23:31:24 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (56027131116781568)

========== Files/Folders - Created Within 30 Days ==========

[2011/06/04 10:33:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\桌面\RK_Quarantine
[2011/06/04 10:28:11 | 000,589,632 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Administrator\桌面\aswMBR.exe
[2011/06/03 22:40:27 | 000,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\comctl32.dll
[2011/06/03 22:39:13 | 000,974,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc42.dll
[2011/06/03 22:39:13 | 000,953,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc40u.dll
[2011/06/03 22:35:17 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndproxy.sys
[2011/06/03 22:12:52 | 000,045,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wab.exe
[2011/06/03 22:12:25 | 000,590,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcrt4.dll
[2011/06/02 20:19:04 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent
[2011/06/02 20:19:04 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/06/02 19:57:23 | 000,602,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeeds.dll
[2011/06/02 19:57:23 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeedsbs.dll
[2011/06/02 19:57:22 | 001,991,680 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iertutil.dll
[2011/06/02 19:57:21 | 011,080,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieframe.dll
[2011/06/02 19:57:21 | 000,743,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll
[2011/06/02 19:17:37 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2011/06/02 19:11:26 | 001,372,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msxml6.dll
[2011/06/02 19:11:26 | 000,039,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msxml6r.dll
[2011/06/02 19:11:24 | 000,086,016 | ---- | C] (Sipro Lab Telecom Inc.) -- C:\WINDOWS\System32\dllcache\sl_anet.acm
[2011/06/02 19:11:23 | 000,294,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msaud32.acm
[2011/06/02 19:11:23 | 000,290,816 | ---- | C] (Fraunhofer Institut Integrierte Schaltungen IIS) -- C:\WINDOWS\System32\dllcache\l3codeca.acm
[2011/06/02 19:10:19 | 000,294,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dlimport.exe
[2011/06/02 19:09:19 | 000,269,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\bthport.sys
[2011/06/02 19:09:00 | 000,138,496 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\afd.sys
[2011/06/02 19:08:51 | 000,357,888 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\srv.sys
[2011/06/02 19:07:19 | 000,455,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mrxsmb.sys
[2011/06/02 19:07:12 | 000,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2011/06/02 19:06:37 | 000,744,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\helpsvc.exe
[2011/06/02 19:05:43 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstall$
[2011/06/02 19:01:22 | 000,119,808 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\t2embed.dll
[2011/06/02 19:01:22 | 000,081,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fontsub.dll
[2011/06/02 19:01:16 | 002,192,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntoskrnl.exe
[2011/06/02 19:01:14 | 002,148,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlmp.exe
[2011/06/02 19:01:13 | 002,027,008 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrpamp.exe
[2011/06/02 19:00:39 | 003,558,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\moviemk.exe
[2011/06/02 18:56:34 | 000,203,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rmcast.sys
[2011/06/02 18:56:28 | 000,331,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msadce.dll
[2011/06/02 18:53:49 | 000,337,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\netapi32.dll
[2011/06/02 18:53:41 | 001,172,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msxml3.dll
[2011/06/01 21:24:31 | 000,000,000 | ---D | C] -- C:\Program Files\CheckPoint
[2011/06/01 21:24:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\「開始」功能表\程式集\ZoneAlarm
[2011/06/01 21:24:28 | 000,058,368 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsregexp.dll
[2011/06/01 21:24:27 | 000,104,448 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\zlcommdb.dll
[2011/06/01 21:24:27 | 000,069,120 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\zlcomm.dll
[2011/06/01 21:24:24 | 001,238,528 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\zpeng25.dll
[2011/06/01 21:24:24 | 000,110,080 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsxml.dll
[2011/06/01 21:24:24 | 000,043,008 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vswmi.dll
[2011/06/01 21:24:23 | 000,532,224 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsdatant.sys
[2011/06/01 21:24:23 | 000,302,592 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vspubapi.dll
[2011/06/01 21:24:23 | 000,108,032 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsmonapi.dll
[2011/06/01 21:24:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ZoneLabs
[2011/06/01 21:23:37 | 000,715,264 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsutil.dll
[2011/06/01 21:23:37 | 000,228,864 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsinit.dll
[2011/06/01 21:23:37 | 000,112,128 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsdata.dll
[2011/06/01 21:21:25 | 000,000,000 | ---D | C] -- C:\Program Files\Zone Labs
[2011/06/01 21:21:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\Internet Logs
[2011/06/01 21:06:17 | 001,431,344 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\桌面\TDSSKiller.exe
[2011/06/01 20:43:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\「開始」功能表\程式集\Rootkit Unhooker LE
[2011/06/01 20:43:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\桌面\M3654654654
[2011/06/01 20:42:37 | 000,719,574 | ---- | C] (UG North ) -- C:\Documents and Settings\Administrator\桌面\RkU3.8.388.590.exe
[2011/06/01 20:20:32 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/06/01 20:20:32 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/06/01 20:20:32 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/06/01 20:20:32 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/06/01 20:20:26 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/06/01 20:20:22 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/06/01 20:19:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\PCHealth
[2011/06/01 20:19:37 | 004,109,346 | R--- | C] (Swearware) -- C:\Documents and Settings\Administrator\桌面\ComboFix.exe
[2011/05/31 18:45:32 | 000,580,096 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\桌面\OTL.exe
[2011/05/31 18:27:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2011/05/31 18:24:58 | 000,000,000 | ---D | C] -- C:\ERDNT
[2011/05/31 18:22:42 | 001,445,888 | ---- | C] (Option^Explicit Software Solutions) -- C:\Documents and Settings\Administrator\桌面\winsockxpfix.exe
[2011/05/31 18:22:30 | 331,805,736 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Administrator\桌面\http-__download.microsoft.com_download_d_3_0_d30e32d8-418a-469d-b600-f32ce3edf42d_WindowsXP-KB936929-SP3-x86-ENU.exe
[2011/05/31 18:22:25 | 170,688,424 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\Administrator\桌面\avg_free_x86_all_2011_1375a3626.exe
[2011/05/30 21:44:59 | 000,031,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\weitekp9.sys
[2011/05/30 21:44:58 | 000,041,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\weitekp9.dll
[2011/05/30 21:44:57 | 000,009,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wamps51.dll
[2011/05/30 21:44:56 | 000,073,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\w3ext.dll
[2011/05/30 21:44:56 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\w3svapi.dll
[2011/05/30 21:44:56 | 000,004,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\w3ctrs51.dll
[2011/05/30 21:44:55 | 000,048,256 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\w32.dll
[2011/05/30 21:44:48 | 000,015,872 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\tsprof.exe
[2011/05/30 21:44:46 | 000,185,344 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\thawbrkr.dll
[2011/05/30 21:44:45 | 000,021,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\tdipx.sys
[2011/05/30 21:44:45 | 000,019,464 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\tdspx.sys
[2011/05/30 21:44:45 | 000,013,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\tdasync.sys
[2011/05/30 21:44:43 | 000,016,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\status.dll
[2011/05/30 21:44:42 | 000,101,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\srusbusd.dll
[2011/05/30 21:44:40 | 000,010,240 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\snmpstup.dll
[2011/05/30 21:44:40 | 000,007,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_snprfdll.dll
[2011/05/30 21:44:39 | 000,012,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_smtpctrs.dll
[2011/05/30 21:44:38 | 000,038,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sm9aw.dll
[2011/05/30 21:44:38 | 000,031,744 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\smb6w.dll
[2011/05/30 21:44:38 | 000,031,744 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sma3w.dll
[2011/05/30 21:44:38 | 000,026,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sm93w.dll
[2011/05/30 21:44:38 | 000,026,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sm92w.dll
[2011/05/30 21:44:38 | 000,026,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sm90w.dll
[2011/05/30 21:44:38 | 000,026,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sm8dw.dll
[2011/05/30 21:44:38 | 000,015,872 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\smierrsm.dll
[2011/05/30 21:44:38 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\smimsgif.dll
[2011/05/30 21:44:38 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\smierrsy.dll
[2011/05/30 21:44:37 | 000,030,208 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sm87w.dll
[2011/05/30 21:44:37 | 000,030,208 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sm81w.dll
[2011/05/30 21:44:37 | 000,029,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sm8cw.dll
[2011/05/30 21:44:37 | 000,026,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sm8aw.dll
[2011/05/30 21:44:37 | 000,026,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sm89w.dll
[2011/05/30 21:44:37 | 000,025,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sm59w.dll
[2011/05/30 21:44:35 | 000,018,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\simptcp.dll
[2011/05/30 21:44:30 | 000,057,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_scripto.dll
[2011/05/30 21:44:30 | 000,026,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_seos.dll
[2011/05/30 21:44:27 | 000,079,872 | ---- | C] (Ricoh Co., Ltd.) -- C:\WINDOWS\System32\dllcache\rwia330.dll
[2011/05/30 21:44:27 | 000,079,872 | ---- | C] (Ricoh Co., Ltd.) -- C:\WINDOWS\System32\dllcache\rwia001.dll
[2011/05/30 21:44:25 | 000,023,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_regtrace.exe
[2011/05/30 21:44:25 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\register.exe
[2011/05/30 21:44:23 | 000,018,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\quser.exe
[2011/05/30 21:44:23 | 000,010,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\query.exe
[2011/05/30 21:44:20 | 000,131,584 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pmxviceo.dll
[2011/05/30 21:44:20 | 000,011,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pmxmcro.dll
[2011/05/30 21:44:20 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pmxgl.dll
[2011/05/30 21:44:19 | 000,031,744 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pagecnt.dll
[2011/05/30 21:44:19 | 000,020,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\permchk.dll
[2011/05/30 21:44:15 | 000,038,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_ntfsdrv.dll
[2011/05/30 21:44:13 | 000,053,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\nextlink.dll
[2011/05/30 21:43:56 | 000,092,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mga.sys
[2011/05/30 21:43:56 | 000,092,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mga.dll
[2011/05/30 21:43:56 | 000,026,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mdsync.dll
[2011/05/30 21:43:54 | 000,065,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_mailmsg.dll
[2011/05/30 21:43:53 | 000,022,016 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\logscrpt.dll
[2011/05/30 21:43:50 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdth3.dll
[2011/05/30 21:43:50 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdth2.dll
[2011/05/30 21:43:50 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdvntc.dll
[2011/05/30 21:43:50 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdusa.dll
[2011/05/30 21:43:50 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdurdu.dll
[2011/05/30 21:43:50 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdth1.dll
[2011/05/30 21:43:49 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdinpun.dll
[2011/05/30 21:43:49 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdth0.dll
[2011/05/30 21:43:49 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdsyr2.dll
[2011/05/30 21:43:49 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdsyr1.dll
[2011/05/30 21:43:49 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdintel.dll
[2011/05/30 21:43:49 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdintam.dll
[2011/05/30 21:43:48 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdinmar.dll
[2011/05/30 21:43:48 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdinkan.dll
[2011/05/30 21:43:48 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdinhin.dll
[2011/05/30 21:43:48 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdinguj.dll
[2011/05/30 21:43:48 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdindev.dll
[2011/05/30 21:43:48 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdheb.dll
[2011/05/30 21:43:48 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdfa.dll
[2011/05/30 21:43:48 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbddiv2.dll
[2011/05/30 21:43:48 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbddiv1.dll
[2011/05/30 21:43:48 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdgeo.dll
[2011/05/30 21:43:47 | 000,018,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\jupiw.dll
[2011/05/30 21:43:47 | 000,009,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iwrps.dll
[2011/05/30 21:43:47 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbda3.dll
[2011/05/30 21:43:47 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbda2.dll
[2011/05/30 21:43:47 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbda1.dll
[2011/05/30 21:43:47 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdarmw.dll
[2011/05/30 21:43:47 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdarme.dll
[2011/05/30 21:43:46 | 000,007,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\isapips.dll
[2011/05/30 21:43:44 | 000,008,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\infoctrs.dll
[2011/05/30 21:43:42 | 000,019,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iiscrmap.dll
[2011/05/30 21:43:42 | 000,006,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iissync.exe
[2011/05/30 21:43:42 | 000,003,584 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iismui.dll
[2011/05/30 21:43:41 | 000,060,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iisclex4.dll
[2011/05/30 21:43:29 | 000,132,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fxsclntr.dll
[2011/05/30 21:43:29 | 000,111,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fxscfgwz.dll
[2011/05/30 21:43:29 | 000,031,744 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fxsroute.dll
[2011/05/30 21:43:29 | 000,011,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fxssend.exe
[2011/05/30 21:43:28 | 000,007,680 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ftpctrs2.dll
[2011/05/30 21:43:28 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ftlx041e.dll
[2011/05/30 21:43:27 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\flattemp.exe
[2011/05/30 21:43:26 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_fcachdll.dll
[2011/05/30 21:43:25 | 000,057,856 | ---- | C] (SEIKO EPSON CORP.) -- C:\WINDOWS\System32\dllcache\esuimgd.dll
[2011/05/30 21:43:25 | 000,045,056 | ---- | C] (SEIKO EPSON CORP.) -- C:\WINDOWS\System32\dllcache\esunid.dll
[2011/05/30 21:43:25 | 000,031,744 | ---- | C] (SEIKO EPSON CORP.) -- C:\WINDOWS\System32\dllcache\esucmd.dll
[2011/05/30 21:43:25 | 000,025,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\et4000.sys
[2011/05/30 21:43:15 | 000,056,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\convlog.exe
[2011/05/30 21:43:15 | 000,033,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\controt.dll
[2011/05/30 21:43:15 | 000,020,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cprofile.exe
[2011/05/30 21:43:15 | 000,020,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\counters.dll
[2011/05/30 21:43:11 | 000,017,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\chgport.exe
[2011/05/30 21:43:11 | 000,015,872 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\chgusr.exe
[2011/05/30 21:43:11 | 000,014,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\chglogon.exe
[2011/05/30 21:43:11 | 000,010,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\change.exe
[2011/05/30 21:43:09 | 000,054,528 | ---- | C] (Philips Semiconductors GmbH) -- C:\WINDOWS\System32\dllcache\cap7146.sys
[2011/05/30 21:43:09 | 000,010,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\c_iscii.dll
[2011/05/30 21:43:03 | 000,045,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\browscap.dll
[2011/05/30 21:43:01 | 000,009,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\authfilt.dll
[2011/05/30 21:42:54 | 000,045,056 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_aqadmin.dll
[2011/05/30 21:42:54 | 000,029,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\asptxn.dll
[2011/05/30 21:42:54 | 000,010,240 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aspperf.dll
[2011/05/30 21:42:46 | 000,049,664 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\adrot.dll
[2011/05/30 21:42:46 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\admxprox.dll
[2011/05/30 21:42:46 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_adsiisex.dll
[2011/05/30 21:42:40 | 000,007,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wamregps.dll
[2011/05/30 21:42:39 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\tcptsat.dll
[2011/05/30 21:42:32 | 000,019,968 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\inetsloc.dll
[2011/05/30 21:42:32 | 000,007,680 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\inetmgr.exe
[2011/05/30 21:42:31 | 000,169,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iisui.dll
[2011/05/30 21:42:31 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iisreset.exe
[2011/05/30 21:42:31 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ftpsapi2.dll
[2011/05/30 21:42:31 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iisrstap.dll
[2011/05/30 21:42:30 | 000,208,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fpmmcsat.dll
[2011/05/30 21:42:27 | 000,094,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\certmap.ocx
[2011/05/30 21:39:32 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\isignup.exe
[2011/05/30 21:37:06 | 000,147,968 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\irftp.exe
[2011/05/30 21:37:05 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wshirda.dll
[2011/05/30 21:30:17 | 000,018,688 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\irsir.sys
[2011/05/30 21:27:39 | 000,482,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\pintlgnt.ime
[2011/05/30 21:27:39 | 000,482,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pintlgnt.ime
[2011/05/30 21:27:39 | 000,070,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pintlphr.exe
[2011/05/30 21:27:39 | 000,067,584 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pmigrate.dll
[2011/05/30 21:27:29 | 000,024,661 | ---- | C] (Perle Systems Ltd.) -- C:\WINDOWS\System32\spxcoins.dll
[2011/05/30 21:27:29 | 000,024,661 | ---- | C] (Perle Systems Ltd.) -- C:\WINDOWS\System32\dllcache\spxcoins.dll
[2011/05/30 21:27:29 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\irclass.dll
[2011/05/30 21:27:29 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\irclass.dll
[2011/05/30 20:18:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2011/05/30 20:18:10 | 000,039,984 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/05/30 20:18:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\「開始」功能表\程式集\Malwarebytes' Anti-Malware
[2011/05/30 20:18:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/05/30 20:18:06 | 000,022,712 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/05/30 20:18:05 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/05/30 20:08:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2011/05/29 19:54:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Uzomz
[2011/05/29 19:54:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Kamax
[2011/05/29 19:01:07 | 000,000,000 | ---D | C] -- C:\Program Files\PageRage
[2011/05/07 23:05:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Winamp Toolbar
[2011/05/07 23:04:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Nitro PDF
[2011/05/07 23:04:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\「開始」功能表\程式集\Winamp Detector Plug-in
[2011/05/07 23:04:30 | 000,000,000 | ---D | C] -- C:\Program Files\Winamp Detect
[2011/05/07 23:04:21 | 000,026,416 | ---- | C] (Nitro PDF Software) -- C:\WINDOWS\System32\nitrolocalmon.dll
[2011/05/07 23:04:21 | 000,017,712 | ---- | C] (Nitro PDF Software) -- C:\WINDOWS\System32\nitrolocalui.dll
[2011/05/07 23:04:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Winamp Toolbar
[2011/05/07 23:04:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Nitro PDF
[2011/05/07 23:04:12 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Software Update Utility
[2011/05/07 23:04:06 | 000,000,000 | ---D | C] -- C:\Program Files\Nitro PDF
[2011/05/07 23:04:06 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Nitro PDF
[2011/05/07 23:03:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\OpenCandy
[2011/05/07 23:03:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\OpenCandy
[2011/05/07 23:02:28 | 016,075,784 | ---- | C] (Nullsoft, Inc.) -- C:\winamp561_full_emusic-7plus_all.exe
[2010/07/06 22:43:26 | 000,155,648 | ---- | C] ( ) -- C:\WINDOWS\rsnp2std.dll
[2010/07/06 22:43:26 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\csnp2std.dll
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[13 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/06/04 10:39:03 | 000,000,558 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/06/04 10:35:20 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/06/04 10:31:25 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/06/04 10:30:40 | 000,000,554 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/06/04 10:30:10 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/06/04 10:27:33 | 000,508,928 | ---- | M] () -- C:\Documents and Settings\Administrator\桌面\RogueKiller.exe
[2011/06/04 10:25:54 | 000,589,632 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Administrator\桌面\aswMBR.exe
[2011/06/03 22:53:53 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/06/03 22:48:31 | 000,002,187 | ---- | M] () -- C:\Documents and Settings\All Users\桌面\Safari.lnk
[2011/06/03 22:45:24 | 000,001,485 | ---- | M] () -- C:\Documents and Settings\Administrator\桌面\Windows 檔案總管.lnk
[2011/06/03 22:40:14 | 000,000,814 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2011/06/03 22:00:46 | 000,000,210 | -HS- | M] () -- C:\boot.ini
[2011/06/02 20:19:13 | 000,481,314 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/06/02 20:19:13 | 000,445,606 | ---- | M] () -- C:\WINDOWS\System32\prfh0404.dat
[2011/06/02 20:19:13 | 000,203,804 | ---- | M] () -- C:\WINDOWS\System32\prfc0404.dat
[2011/06/02 20:19:13 | 000,079,388 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/06/02 19:51:28 | 000,000,794 | ---- | M] () -- C:\Documents and Settings\All Users\桌面\Malwarebytes' Anti-Malware.lnk
[2011/06/02 19:34:31 | 000,000,789 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\啟動 Internet Explorer 瀏覽器.lnk
[2011/06/02 19:34:15 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2011/06/02 19:32:58 | 000,126,112 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/06/01 21:45:32 | 000,002,229 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2011/06/01 21:34:49 | 000,000,734 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/06/01 21:24:57 | 000,420,800 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2011/06/01 21:24:29 | 000,004,212 | -H-- | M] () -- C:\WINDOWS\System32\zllictbl.dat
[2011/06/01 21:24:29 | 000,000,741 | ---- | M] () -- C:\Documents and Settings\Administrator\桌面\ZoneAlarm Security.lnk
[2011/06/01 21:11:02 | 046,973,440 | ---- | M] () -- C:\Documents and Settings\Administrator\桌面\zaSetup_92_106_000_en.exe
[2011/06/01 20:17:12 | 004,109,346 | R--- | M] (Swearware) -- C:\Documents and Settings\Administrator\桌面\ComboFix.exe
[2011/06/01 20:05:34 | 000,000,156 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2011/06/01 20:05:16 | 000,014,336 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/05/31 18:42:04 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\桌面\OTL.exe
[2011/05/31 18:35:18 | 000,629,057 | ---- | M] () -- C:\Documents and Settings\Administrator\桌面\RkU3.8.388.590.rar
[2011/05/31 18:24:26 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2011/05/31 18:24:26 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2011/05/31 18:20:20 | 331,805,736 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Administrator\桌面\http-__download.microsoft.com_download_d_3_0_d30e32d8-418a-469d-b600-f32ce3edf42d_WindowsXP-KB936929-SP3-x86-ENU.exe
[2011/05/31 18:16:32 | 000,335,992 | ---- | M] () -- C:\Documents and Settings\Administrator\桌面\Dial-a-fix-v0.60.0.24.zip
[2011/05/31 18:16:08 | 001,445,888 | ---- | M] (Option^Explicit Software Solutions) -- C:\Documents and Settings\Administrator\桌面\winsockxpfix.exe
[2011/05/31 18:14:28 | 170,688,424 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\Administrator\桌面\avg_free_x86_all_2011_1375a3626.exe
[2011/05/30 21:45:51 | 000,000,288 | ---- | M] () -- C:\WINDOWS\System32\$winnt$.inf
[2011/05/30 21:40:40 | 000,004,205 | ---- | M] () -- C:\WINDOWS\ODBCINST.INI
[2011/05/30 21:38:18 | 000,023,196 | ---- | M] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/05/30 20:20:14 | 000,000,736 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.msn
[2011/05/29 21:38:59 | 000,003,036 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\67B6.70F
[2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/05/29 09:11:20 | 000,022,712 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/05/25 21:59:34 | 000,000,412 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\spider.sav
[2011/05/25 07:10:16 | 001,431,344 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\桌面\TDSSKiller.exe
[2011/05/08 18:51:52 | 000,000,072 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\default.pls
[2011/05/07 23:04:32 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Winamp.lnk
[2011/05/07 23:04:32 | 000,000,664 | ---- | M] () -- C:\Documents and Settings\All Users\桌面\Winamp.lnk
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[13 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/06/04 10:28:11 | 000,508,928 | ---- | C] () -- C:\Documents and Settings\Administrator\桌面\RogueKiller.exe
[2011/06/03 22:50:04 | 000,001,355 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2011/06/02 19:11:25 | 000,664,121 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmplayer.chm
[2011/06/02 19:11:25 | 000,354,468 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud1.wav
[2011/06/02 19:11:25 | 000,343,204 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud7.wav
[2011/06/02 19:11:25 | 000,343,204 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud6.wav
[2011/06/02 19:11:25 | 000,172,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud9.wav
[2011/06/02 19:11:25 | 000,172,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud8.wav
[2011/06/02 19:11:25 | 000,172,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud3.wav
[2011/06/02 19:11:25 | 000,086,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud5.wav
[2011/06/02 19:11:25 | 000,086,180 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud4.wav
[2011/06/02 19:11:25 | 000,086,180 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud2.wav
[2011/06/02 19:11:25 | 000,049,688 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmplayer.adm
[2011/06/02 19:11:25 | 000,029,060 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmplay.chm
[2011/06/02 19:11:25 | 000,010,457 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmptour.hta
[2011/06/02 19:11:25 | 000,001,771 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmptour.css
[2011/06/02 19:11:25 | 000,001,646 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpocm.inf
[2011/06/02 19:11:25 | 000,000,420 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmploc.js
[2011/06/02 19:11:24 | 000,572,557 | ---- | C] () -- C:\WINDOWS\System32\dllcache\rtuner.wmv
[2011/06/02 19:11:24 | 000,375,519 | ---- | C] () -- C:\WINDOWS\System32\dllcache\nuskin.wmv
[2011/06/02 19:11:24 | 000,300,969 | ---- | C] () -- C:\WINDOWS\System32\dllcache\viz.wmv
[2011/06/02 19:11:24 | 000,081,924 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plyr_err.chm
[2011/06/02 19:11:24 | 000,066,138 | ---- | C] () -- C:\WINDOWS\System32\dllcache\revert.wmz
[2011/06/02 19:11:24 | 000,057,942 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmp.inf
[2011/06/02 19:11:24 | 000,034,526 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmdm.inf
[2011/06/02 19:11:24 | 000,023,829 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tourbg.gif
[2011/06/02 19:11:24 | 000,022,060 | ---- | C] () -- C:\WINDOWS\System32\dllcache\npds.zip
[2011/06/02 19:11:24 | 000,017,489 | ---- | C] () -- C:\WINDOWS\System32\dllcache\videobg.gif
[2011/06/02 19:11:24 | 000,013,540 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmfsdk.inf
[2011/06/02 19:11:24 | 000,008,677 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm7.gif
[2011/06/02 19:11:24 | 000,007,892 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm9.gif
[2011/06/02 19:11:24 | 000,007,636 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm2.gif
[2011/06/02 19:11:24 | 000,007,369 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm4.gif
[2011/06/02 19:11:24 | 000,006,241 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm3.gif
[2011/06/02 19:11:24 | 000,006,060 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm6.gif
[2011/06/02 19:11:24 | 000,005,789 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm1.gif
[2011/06/02 19:11:24 | 000,005,290 | ---- | C] () -- C:\WINDOWS\System32\dllcache\vidsamp.gif
[2011/06/02 19:11:24 | 000,004,193 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm8.gif
[2011/06/02 19:11:24 | 000,003,187 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tour.js
[2011/06/02 19:11:24 | 000,002,477 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm5.gif
[2011/06/02 19:11:24 | 000,002,469 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tplay.gif
[2011/06/02 19:11:24 | 000,002,450 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tpause.gif
[2011/06/02 19:11:24 | 000,002,375 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tplayh.gif
[2011/06/02 19:11:24 | 000,002,371 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tpauseh.gif
[2011/06/02 19:11:24 | 000,001,800 | ---- | C] () -- C:\WINDOWS\System32\dllcache\skins.inf
[2011/06/02 19:11:24 | 000,001,471 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst6.wpl
[2011/06/02 19:11:24 | 000,001,471 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst5.wpl
[2011/06/02 19:11:24 | 000,001,471 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst3.wpl
[2011/06/02 19:11:24 | 000,001,461 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst12.wpl
[2011/06/02 19:11:24 | 000,001,457 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst4.wpl
[2011/06/02 19:11:24 | 000,001,398 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taon.gif
[2011/06/02 19:11:24 | 000,001,380 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taonh.gif
[2011/06/02 19:11:24 | 000,001,380 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taoff.gif
[2011/06/02 19:11:24 | 000,001,367 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taoffh.gif
[2011/06/02 19:11:24 | 000,001,249 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst1.wpl
[2011/06/02 19:11:24 | 000,001,148 | ---- | C] () -- C:\WINDOWS\System32\dllcache\snd.htm
[2011/06/02 19:11:24 | 000,001,044 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst2.wpl
[2011/06/02 19:11:24 | 000,001,039 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst7.wpl
[2011/06/02 19:11:24 | 000,001,030 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst8.wpl
[2011/06/02 19:11:24 | 000,000,794 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst11.wpl
[2011/06/02 19:11:24 | 000,000,791 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst10.wpl
[2011/06/02 19:11:24 | 000,000,781 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst9.wpl
[2011/06/02 19:11:24 | 000,000,781 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst13.wpl
[2011/06/02 19:11:24 | 000,000,780 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst14.wpl
[2011/06/02 19:11:24 | 000,000,724 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst15.wpl
[2011/06/02 19:11:24 | 000,000,403 | ---- | C] () -- C:\WINDOWS\System32\dllcache\npdrmv2.zip
[2011/06/02 19:11:23 | 000,457,607 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mdlib.wmv
[2011/06/02 19:11:23 | 000,381,425 | ---- | C] () -- C:\WINDOWS\System32\dllcache\copycd.wmv
[2011/06/02 19:11:23 | 000,184,068 | ---- | C] () -- C:\WINDOWS\System32\dllcache\compact.wmz
[2011/06/02 19:11:23 | 000,036,464 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mplayer2.inf
[2011/06/02 19:11:23 | 000,009,585 | ---- | C] () -- C:\WINDOWS\System32\dllcache\controls.css
[2011/06/02 19:11:23 | 000,008,298 | ---- | C] () -- C:\WINDOWS\System32\dllcache\contents.htm
[2011/06/02 19:11:23 | 000,006,878 | ---- | C] () -- C:\WINDOWS\System32\dllcache\controls.js
[2011/06/02 19:11:23 | 000,005,971 | ---- | C] () -- C:\WINDOWS\System32\dllcache\events.js
[2011/06/02 19:11:23 | 000,002,778 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mplogoh.gif
[2011/06/02 19:11:23 | 000,002,545 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mplogo.gif
[2011/06/02 19:11:23 | 000,000,999 | ---- | C] () -- C:\WINDOWS\System32\dllcache\bktrh.gif
[2011/06/02 19:11:23 | 000,000,773 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cnth.gif
[2011/06/02 19:11:23 | 000,000,773 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cnt.gif
[2011/06/02 19:11:23 | 000,000,772 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cntd.gif
[2011/06/02 19:11:23 | 000,000,760 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cloapph.gif
[2011/06/02 19:11:23 | 000,000,717 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cloapp.gif
[2011/06/01 21:24:29 | 000,004,212 | -H-- | C] () -- C:\WINDOWS\System32\zllictbl.dat
[2011/06/01 21:24:29 | 000,000,741 | ---- | C] () -- C:\Documents and Settings\Administrator\桌面\ZoneAlarm Security.lnk
[2011/06/01 21:24:23 | 000,420,800 | ---- | C] () -- C:\WINDOWS\System32\vsconfig.xml
[2011/06/01 21:15:56 | 046,973,440 | ---- | C] () -- C:\Documents and Settings\Administrator\桌面\zaSetup_92_106_000_en.exe
[2011/06/01 20:20:32 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/06/01 20:20:32 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/06/01 20:20:32 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/06/01 20:20:32 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/06/01 20:20:32 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/06/01 20:19:34 | 000,629,057 | ---- | C] () -- C:\Documents and Settings\Administrator\桌面\RkU3.8.388.590.rar
[2011/05/31 18:22:34 | 000,335,992 | ---- | C] () -- C:\Documents and Settings\Administrator\桌面\Dial-a-fix-v0.60.0.24.zip
[2011/05/30 21:27:39 | 000,059,392 | ---- | C] () -- C:\WINDOWS\System32\dllcache\imscinst.exe
[2011/05/30 21:27:08 | 001,025,000 | ---- | C] () -- C:\WINDOWS\System32\dllcache\SP2.CAT
[2011/05/30 21:27:08 | 000,819,229 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NT5IIS.CAT
[2011/05/30 21:27:08 | 000,399,645 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MAPIMIG.CAT
[2011/05/30 21:27:08 | 000,037,484 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MW770.CAT
[2011/05/30 21:27:08 | 000,013,472 | ---- | C] () -- C:\WINDOWS\System32\dllcache\HPCRDP.CAT
[2011/05/30 21:27:08 | 000,008,574 | ---- | C] () -- C:\WINDOWS\System32\dllcache\IASNT4.CAT
[2011/05/30 21:27:08 | 000,007,382 | ---- | C] () -- C:\WINDOWS\System32\dllcache\OEMBIOS.CAT
[2011/05/30 20:18:11 | 000,000,794 | ---- | C] () -- C:\Documents and Settings\All Users\桌面\Malwarebytes' Anti-Malware.lnk
[2011/05/29 19:00:30 | 000,003,036 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\67B6.70F
[2011/05/02 14:53:25 | 000,175,616 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2011/05/02 14:53:24 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2011/05/02 14:53:21 | 000,631,808 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2011/05/02 14:53:20 | 000,243,200 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2011/05/02 14:53:20 | 000,080,896 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2011/04/21 21:57:59 | 000,014,336 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/01/19 21:36:32 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/12/16 21:35:24 | 000,026,836 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/10/16 23:54:39 | 000,000,072 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\default.pls
[2010/10/16 23:53:09 | 000,000,156 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2010/09/26 21:22:38 | 000,000,041 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
[2010/09/26 20:47:15 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\rx_image32.Cache
[2010/09/20 23:03:15 | 000,040,960 | ---- | C] () -- C:\Program Files\Uninstall_CDS.exe
[2010/07/06 22:43:30 | 000,020,480 | ---- | C] () -- C:\WINDOWS\FixCamera.exe
[2010/07/06 22:43:28 | 000,262,144 | ---- | C] () -- C:\WINDOWS\tsnp2std.exe
[2010/07/06 22:43:28 | 000,024,832 | ---- | C] () -- C:\WINDOWS\System32\drivers\sncamd.sys
[2010/07/06 22:43:28 | 000,015,497 | ---- | C] () -- C:\WINDOWS\snp2std.ini
[2010/07/06 22:43:27 | 012,006,400 | ---- | C] () -- C:\WINDOWS\System32\drivers\snp2sxp.sys
[2010/07/06 22:40:11 | 000,156,672 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2010/07/06 22:35:14 | 000,000,379 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/07/06 22:21:36 | 000,000,169 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2010/07/06 21:37:20 | 000,451,072 | ---- | C] () -- C:\WINDOWS\System32\ISSRemoveSP.exe
[2010/07/06 20:05:52 | 000,000,469 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2010/07/06 19:53:04 | 000,516,096 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2010/07/06 19:52:59 | 000,079,320 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2010/07/05 23:42:18 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2010/07/05 23:33:32 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/07/05 23:32:25 | 000,026,013 | ---- | C] () -- C:\WINDOWS\System32\sleep.exe
[2010/07/05 23:31:38 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2010/07/05 23:28:59 | 000,023,196 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/07/05 23:25:33 | 000,004,205 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/07/05 23:23:40 | 000,126,112 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/01/25 12:58:06 | 000,462,848 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
[2006/03/02 20:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/03/02 20:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/03/02 20:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/03/02 20:00:00 | 000,261,056 | ---- | C] () -- C:\WINDOWS\winhelp.exe
[2006/03/02 20:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/03/02 20:00:00 | 000,151,808 | ---- | C] () -- C:\WINDOWS\System32\ozxtkazy.dat
[2006/03/02 20:00:00 | 000,136,448 | ---- | C] () -- C:\WINDOWS\System32\svvjqeva.dat
[2006/03/02 20:00:00 | 000,112,200 | ---- | C] () -- C:\WINDOWS\System32\prfi0404.dat
[2006/03/02 20:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/03/02 20:00:00 | 000,034,560 | ---- | C] () -- C:\WINDOWS\System32\auybkjrj.dat
[2006/03/02 20:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\prfd0404.dat
[2006/03/02 20:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/03/02 20:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/03/02 20:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/03/02 20:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/07/12 08:00:00 | 000,481,314 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/07/12 08:00:00 | 000,445,606 | ---- | C] () -- C:\WINDOWS\System32\prfh0404.dat
[2004/07/12 08:00:00 | 000,203,804 | ---- | C] () -- C:\WINDOWS\System32\prfc0404.dat
[2004/07/12 08:00:00 | 000,079,388 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/07/12 08:00:00 | 000,005,120 | ---- | C] () -- C:\WINDOWS\System32\setupold.exe
[2004/07/12 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== LOP Check ==========

[2010/09/20 23:05:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\InterTrust
[2011/05/30 20:53:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Kamax
[2011/05/07 23:04:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Nitro PDF
[2011/05/07 23:03:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\OpenCandy
[2010/09/19 19:00:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Uniblue
[2011/05/30 20:16:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Uzomz
[2010/09/19 18:44:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LightScribe
[2010/07/05 23:32:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSN Messenger 6.2.0137
[2011/05/07 23:04:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nitro PDF
[2010/09/26 21:23:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SlySoft
[2010/09/26 20:40:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall
[2010/12/12 17:41:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2011/06/04 10:35:20 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2010/05/12 17:20:38 | 003,347,144 | ---- | M] ( ) -- C:\cpuz_154_setup(1).exe
[2010/05/12 17:20:38 | 003,347,144 | ---- | M] ( ) -- C:\cpuz_154_setup.exe
[2007/09/26 04:47:57 | 014,696,480 | ---- | M] (Microsoft Corporation) -- C:\IE7-WindowsXP-x86-cht.exe
[2011/04/18 01:55:46 | 080,873,256 | ---- | M] (Apple Inc.) -- C:\iTunesSetup(1).exe
[2010/11/18 23:16:49 | 081,898,280 | ---- | M] (Apple Inc.) -- C:\iTunesSetup.exe
[2010/08/25 10:57:10 | 079,109,464 | ---- | M] (Nero AG) -- C:\Nero_BurningROM-10.0.11000_trial.exe
[2010/11/18 12:29:53 | 005,585,280 | ---- | M] (Uniblue Systems Ltd ) -- C:\speedupmypc.exe
[2010/05/13 20:41:13 | 000,209,971 | ---- | M] () -- C:\ThemeEditor1_0N.EXE
[2010/06/29 05:17:57 | 015,303,792 | ---- | M] (Nullsoft, Inc.) -- C:\winamp558_full_emusic-7plus_all.exe
[2011/03/22 17:43:17 | 016,075,784 | ---- | M] (Nullsoft, Inc.) -- C:\winamp561_full_emusic-7plus_all.exe
[2010/04/28 21:19:50 | 001,228,624 | ---- | M] (Microsoft Corporation) -- C:\wlsetup-web.exe


< MD5 for: EXPLORER.EXE >
[2006/03/02 20:00:00 | 000,976,896 | ---- | M] (Microsoft Corporation) MD5=453888766DA789F18FBBF5B20E4BC17F -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
[2006/03/02 20:00:00 | 000,976,896 | ---- | M] (Microsoft Corporation) MD5=453888766DA789F18FBBF5B20E4BC17F -- C:\WINDOWS\ERDNT\cache\explorer.exe
[2008/04/14 22:00:32 | 000,978,432 | ---- | M] (Microsoft Corporation) MD5=F7A2245D8BD832D1E7A01C26D5E6EFD0 -- C:\WINDOWS\explorer.exe
[2008/04/14 22:00:32 | 000,978,432 | ---- | M] (Microsoft Corporation) MD5=F7A2245D8BD832D1E7A01C26D5E6EFD0 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe

< MD5 for: SVCHOST.EXE >
[2006/03/02 20:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=723BA2EFE4A16774E98F53D7AC6C71FD -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
[2006/03/02 20:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=723BA2EFE4A16774E98F53D7AC6C71FD -- C:\WINDOWS\ERDNT\cache\svchost.exe
[2008/04/14 22:01:06 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=B703AEE8722CED0F0FD804EA844D8DE6 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2008/04/14 22:01:06 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=B703AEE8722CED0F0FD804EA844D8DE6 -- C:\WINDOWS\system32\svchost.exe

< MD5 for: USERINIT.EXE >
[2008/04/14 22:01:10 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=613D7C29C9E3E2375971DA7E42E4E330 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008/04/14 22:01:10 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=613D7C29C9E3E2375971DA7E42E4E330 -- C:\WINDOWS\system32\userinit.exe
[2006/03/02 20:00:00 | 000,023,552 | ---- | M] (Microsoft Corporation) MD5=F3A20A3C6A4DF7FE038F4CCA70080B10 -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
[2006/03/02 20:00:00 | 000,023,552 | ---- | M] (Microsoft Corporation) MD5=F3A20A3C6A4DF7FE038F4CCA70080B10 -- C:\WINDOWS\ERDNT\cache\userinit.exe

< MD5 for: WINLOGON.EXE >
[2008/04/14 22:01:12 | 000,493,568 | ---- | M] (Microsoft Corporation) MD5=6A5FE820683147636F66D2A731B7169B -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/14 22:01:12 | 000,493,568 | ---- | M] (Microsoft Corporation) MD5=6A5FE820683147636F66D2A731B7169B -- C:\WINDOWS\system32\winlogon.exe
[2006/03/02 20:00:00 | 000,487,936 | ---- | M] (Microsoft Corporation) MD5=7189E588041174198281933EB2CA449C -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2006/03/02 20:00:00 | 000,487,936 | ---- | M] (Microsoft Corporation) MD5=7189E588041174198281933EB2CA449C -- C:\WINDOWS\ERDNT\cache\winlogon.exe

< %systemroot%\*. /mp /s >

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\chrome.exe\shell\open\command\\: "C:\Program Files\Google\Chrome\Application\chrome.exe" [2011/05/20 13:54:14 | 001,010,232 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ShowIconsCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --show-icons [2011/05/20 13:54:14 | 001,010,232 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\HideIconsCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --hide-icons [2011/05/20 13:54:14 | 001,010,232 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ReinstallCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --make-default-browser [2011/05/20 13:54:14 | 001,010,232 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\shell\open\command\\: "C:\Program Files\Google\Chrome\Application\chrome.exe" [2011/05/20 13:54:14 | 001,010,232 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google 瀏覽器\InstallInfo\\ShowIconsCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --show-icons [2011/05/20 13:54:14 | 001,010,232 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google 瀏覽器\InstallInfo\\HideIconsCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --hide-icons [2011/05/20 13:54:14 | 001,010,232 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google 瀏覽器\InstallInfo\\ReinstallCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --make-default-browser [2011/05/20 13:54:14 | 001,010,232 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google 瀏覽器\shell\open\command\\: "C:\Program Files\Google\Chrome\Application\chrome.exe" [2011/05/20 13:54:14 | 001,010,232 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/02/18 19:49:53 | 000,173,568 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/02/18 19:49:53 | 000,173,568 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/02/18 19:49:53 | 000,173,568 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\InstallInfo\\ReinstallCommand: "C:\Program Files\Safari\Safari.exe" /reinstall [2011/02/15 23:18:16 | 002,388,264 | ---- | M] (Apple Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\InstallInfo\\HideIconsCommand: "C:\Program Files\Safari\Safari.exe" /hideicons [2011/02/15 23:18:16 | 002,388,264 | ---- | M] (Apple Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\InstallInfo\\ShowIconsCommand: "C:\Program Files\Safari\Safari.exe" /showicons [2011/02/15 23:18:16 | 002,388,264 | ---- | M] (Apple Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\shell\open\command\\: "C:\Program Files\Safari\Safari.exe" [2011/02/15 23:18:16 | 002,388,264 | ---- | M] (Apple Inc.)

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\chrome.exe\shell\open\command\\: "C:\Program Files\Google\Chrome\Application\chrome.exe" [2011/05/20 13:54:14 | 001,010,232 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ShowIconsCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --show-icons [2011/05/20 13:54:14 | 001,010,232 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\HideIconsCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --hide-icons [2011/05/20 13:54:14 | 001,010,232 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ReinstallCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --make-default-browser [2011/05/20 13:54:14 | 001,010,232 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\shell\open\command\\: "C:\Program Files\Google\Chrome\Application\chrome.exe" [2011/05/20 13:54:14 | 001,010,232 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google 瀏覽器\InstallInfo\\ShowIconsCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --show-icons [2011/05/20 13:54:14 | 001,010,232 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google 瀏覽器\InstallInfo\\HideIconsCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --hide-icons [2011/05/20 13:54:14 | 001,010,232 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google 瀏覽器\InstallInfo\\ReinstallCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --make-default-browser [2011/05/20 13:54:14 | 001,010,232 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google 瀏覽器\shell\open\command\\: "C:\Program Files\Google\Chrome\Application\chrome.exe" [2011/05/20 13:54:14 | 001,010,232 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/02/18 19:49:53 | 000,173,568 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/02/18 19:49:53 | 000,173,568 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/02/18 19:49:53 | 000,173,568 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\InstallInfo\\ReinstallCommand: "C:\Program Files\Safari\Safari.exe" /reinstall [2011/02/15 23:18:16 | 002,388,264 | ---- | M] (Apple Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\InstallInfo\\HideIconsCommand: "C:\Program Files\Safari\Safari.exe" /hideicons [2011/02/15 23:18:16 | 002,388,264 | ---- | M] (Apple Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\InstallInfo\\ShowIconsCommand: "C:\Program Files\Safari\Safari.exe" /showicons [2011/02/15 23:18:16 | 002,388,264 | ---- | M] (Apple Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\shell\open\command\\: "C:\Program Files\Safari\Safari.exe" [2011/02/15 23:18:16 | 002,388,264 | ---- | M] (Apple Inc.)

< End of report >

#5 Render (Trusted Helper, Malware Removal, 4,195 posts)
Hi,

Please follow the steps below:

Step 1

We need to run an OTL Fix

  • Please right click on the OTL icon on your desktop and click on Run as administrator.
  • Under the Custom Scans/Fixes box copy and paste this in:

    :OTL
    SRV - File not found [Auto | Stopped] -- -- (rckopjyz)
    IE - HKU\S-1-5-21-343818398-2052111302-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:55333
    O4 - HKLM..\Run: [IMJPMIG8.1] File not found

    :Files
    ipconfig /flushdns /c

    :Reg

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [emptyflash]
    [createrestorepoint]
    [reboot]
  • Click on the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click on the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.

Step 2

Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware.
  • Select the Update tab.
  • Click on Check for Updates button.
  • Click on OK.
  • Select the Scanner tab.
  • Select Perform quick scan, then click on Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Step 3

Please run OTL once again click on Quick scan and post the log.

When you have completed the above, please post back the following in the order asked for:
  • OTL fix log
  • MBAM log
  • OTL log

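The fix above targets exactly the three kinds of leftover this thread is dealing with: an IE proxy pointing at 127.0.0.1 (Cycbot runs its own local proxy and points the browser at it; once the bot binary is cleaned the registry value stays behind and every page fails with a proxy error), a service and a Run entry whose binary no longer exists, and, earlier in the OTL log, the MD5 blocks that let you compare the live explorer/svchost/userinit/winlogon against the backup copies Windows keeps. The script below is an added example, not code from the thread, OTL or Geeks to Go; it runs those three checks over OTL-style log text so they do not have to be done by eye. The sample log is constructed from lines that appear in this thread, except the final userinit.exe hash, which is made up so the mismatch check has something to fire on.

```python
"""Triage an OTL log for Cycbot-style leftovers (added example, not OTL's own code)."""
import re

# Directories OTL reports as backup copies of system files.
BACKUP_DIRS = ("$ntservicepackuninstall$", "servicepackfiles", "erdnt", "dllcache")
# Hosts no legitimate proxy setting on a home PC should point at.
LOOPBACK = ("127.", "localhost", "::1")

PROXY_RE = re.compile(r'^IE - (?P<key>.*Internet Settings): "ProxyServer" =\s*(?P<value>.*)$')
MISSING_SRV_RE = re.compile(r'^SRV - File not found .*\((?P<name>[^)]+)\)\s*$')
MISSING_O4_RE = re.compile(r'^O4 - .*\[(?P<name>[^\]]+)\] File not found\s*$')
MD5_HEADER_RE = re.compile(r'^< MD5 for: (?P<file>\S+) >$')
MD5_ENTRY_RE = re.compile(r'MD5=(?P<hash>[0-9A-Fa-f]{32}) -- (?P<path>.+)$')

# Constructed from lines in this thread; the DEADBEEF hash is invented for the demo.
SAMPLE_LOG = r"""
IE - HKU\S-1-5-21-343818398-2052111302-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:55333
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" =
SRV - File not found [Auto | Stopped] -- -- (rckopjyz)
SRV - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
O4 - HKLM..\Run: [IMJPMIG8.1] File not found
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)

< MD5 for: SVCHOST.EXE >
[2006/03/02 20:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=723BA2EFE4A16774E98F53D7AC6C71FD -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
[2008/04/14 22:01:06 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=B703AEE8722CED0F0FD804EA844D8DE6 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2008/04/14 22:01:06 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=B703AEE8722CED0F0FD804EA844D8DE6 -- C:\WINDOWS\system32\svchost.exe

< MD5 for: USERINIT.EXE >
[2008/04/14 22:01:10 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=613D7C29C9E3E2375971DA7E42E4E330 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008/04/14 22:01:10 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=DEADBEEF00000000000000000000FACE -- C:\WINDOWS\system32\userinit.exe
"""


def loopback_proxies(log_text):
    """Return (registry key, value) for every ProxyServer that points at the local host."""
    hits = []
    for line in log_text.splitlines():
        m = PROXY_RE.match(line.strip())
        if not m:
            continue
        value = m.group("value").strip()
        # IE stores either "host:port" or "http=host:port;https=host:port;..."
        for entry in filter(None, value.split(";")):
            host = entry.split("=", 1)[-1].split(":", 1)[0].strip().lower()
            if host.startswith(LOOPBACK):
                hits.append((m.group("key"), value))
                break
    return hits


def missing_autostarts(log_text):
    """Return (kind, name) for services and Run entries whose binary OTL could not find."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        m = MISSING_SRV_RE.match(line) or MISSING_O4_RE.match(line)
        if m:
            hits.append((line.split(" ", 1)[0], m.group("name")))
    return hits


def md5_mismatches(log_text):
    """Return {FILE: (live_path, live_hash, backup_hashes)} where the live copy matches no backup."""
    blocks, current = {}, None
    for line in log_text.splitlines():
        line = line.strip()
        header = MD5_HEADER_RE.match(line)
        if header:
            current = header.group("file").upper()
            blocks[current] = []
            continue
        entry = MD5_ENTRY_RE.search(line)
        if entry and current:
            blocks[current].append((entry.group("path"), entry.group("hash").upper()))

    def is_backup(path):
        return any(d in path.lower() for d in BACKUP_DIRS)

    result = {}
    for name, entries in blocks.items():
        backups = {h for p, h in entries if is_backup(p)}
        for path, digest in entries:
            if not is_backup(path) and digest not in backups:
                result[name] = (path, digest, sorted(backups))
    return result


def triage(log_text):
    """Run all three checks over one log and return the findings by check name."""
    return {
        "loopback_proxies": loopback_proxies(log_text),
        "missing_autostarts": missing_autostarts(log_text),
        "md5_mismatches": md5_mismatches(log_text),
    }


if __name__ == "__main__":
    for check, findings in triage(SAMPLE_LOG).items():
        print(f"{check}: {findings!r}")
```

Two caveats when reading the output. The proxy check matches on the host, not the port: Cycbot picks a different high port per sample, so 55333 here is incidental. And the MD5 check only tells you the live file is identical to one of the on-disk backup copies; if the backups had been replaced as well, both would agree, so a real verdict needs a known-good hash from a trusted source. The fix above simply blanks the ProxyServer value; the same thing done by hand in IE is Tools, Internet Options, Connections, LAN settings, with the proxy box unticked.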

#6 SJSCHOO (Topic Starter, Member, 87 posts)
Ok, just before the MalwareBytes scan I ran RootkitUnhooker again to see if the 'driver/s' were still there and they were.

0xF79E3000 C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{61763A0E-8D7A-41BC-BBF9-47859A27C0F7}\MpKsl39f15467.sys 24576 bytes (Microsoft Corporation, KSLDriver)
0xF7903000 C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{61763A0E-8D7A-41BC-BBF9-47859A27C0F7}\MpKsl8bbbb75c.sys 24576 bytes (Microsoft Corporation, KSLDriver)

Saved the log. Updated/Ran full M/B scan found nothing (log still attached). Microsoft Security Essentials was live while M/B was scanning, it also came up with no warnings. I also attached the RkU log, tell me if I'm just crazy.

Thanks by the way
OTL FIX LOG
->Apple Safari cache emptied: 14336 bytes
->Flash cache emptied: 1822 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 30452 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 6498613 bytes
%systemroot%\System32 .tmp files removed: 8593 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 139777 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 64.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.23.0 log created on 06042011_184018

Files\Folders moved on Reboot...
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFCC6D.tmp moved successfully.
File\Folder C:\WINDOWS\temp\ZLT06d49.TMP not found!

Registry entries deleted on Reboot...
M/B SCAN LOG
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6768

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/6/2011 19:36:03
mbam-log-2011-06-04 (19-36-03).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 214735
Time elapsed: 40 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
POST OTL QUICK SCAN
OTL logfile created on: 4/6/2011 19:37:20 - Run 3
OTL by OldTimer - Version 3.2.23.0 Folder = C:\Documents and Settings\Administrator\桌面
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C04 | Country: 香港特別行政區 | Language: ZHH | Date Format: d/M/yyyy

1023.48 Mb Total Physical Memory | 286.89 Mb Available Physical Memory | 28.03% Memory free
2.40 Gb Paging File | 1.80 Gb Available in Paging File | 74.94% Paging File free
Paging file location(s): c:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 76.68 Gb Total Space | 61.70 Gb Free Space | 80.47% Space Free | Partition Type: NTFS
Drive D: | 596.17 Gb Total Space | 558.50 Gb Free Space | 93.68% Space Free | Partition Type: NTFS
Drive F: | 3.75 Gb Total Space | 3.71 Gb Free Space | 98.88% Space Free | Partition Type: NTFS

Computer Name: MYCHAT-66FBB85C | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/31 18:42:04 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\桌面\OTL.exe
PRC - [2011/05/29 09:11:22 | 001,047,656 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2011/03/18 01:26:14 | 002,435,592 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe
PRC - [2011/03/18 01:24:50 | 001,043,968 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2011/01/14 13:35:56 | 000,196,912 | ---- | M] (Nitro PDF Software) -- C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe
PRC - [2010/11/30 13:20:36 | 000,997,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2010/11/11 13:55:56 | 000,057,072 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Zune\ZuneBusEnum.exe
PRC - [2010/11/11 13:55:46 | 000,159,472 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Zune\ZuneLauncher.exe
PRC - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2009/06/24 14:02:02 | 000,933,888 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Program Files\LevelOne\WUA-0605\RtWLan.exe
PRC - [2008/08/08 12:28:12 | 002,049,320 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero8\InCD\NBHGui.exe
PRC - [2008/08/08 12:28:12 | 000,053,032 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
PRC - [2008/08/08 12:28:10 | 001,442,088 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
PRC - [2008/08/08 12:27:50 | 001,083,176 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero8\InCD\InCD.exe
PRC - [2008/06/24 16:06:06 | 001,840,424 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
PRC - [2008/04/14 22:00:32 | 000,978,432 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/12/05 14:22:06 | 000,344,064 | ---- | M] (Sonix) -- C:\WINDOWS\vsnp2std.exe
PRC - [2005/01/12 07:31:30 | 000,073,728 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE


========== Modules (SafeList) ==========

MOD - [2011/05/31 18:42:04 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\桌面\OTL.exe
MOD - [2010/08/24 00:11:32 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (RoxLiveShare10)
SRV - File not found [On_Demand | Stopped] -- -- (01D40EA5)
SRV - [2011/03/18 01:26:14 | 002,435,592 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe -- (vsmon)
SRV - [2011/01/14 13:35:56 | 000,196,912 | ---- | M] (Nitro PDF Software) [Auto | Running] -- C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe -- (NitroReaderDriverReadSpool)
SRV - [2010/11/11 13:57:04 | 000,268,528 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Zune\WMZuneComm.exe -- (WMZuneComm)
SRV - [2010/11/11 13:57:02 | 000,444,656 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Zune\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
SRV - [2010/11/11 13:55:56 | 006,351,600 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
SRV - [2010/11/11 13:55:56 | 000,057,072 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Zune\ZuneBusEnum.exe -- (ZuneBusEnum)
SRV - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2008/08/08 12:28:12 | 000,053,032 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe -- (NeroRegInCDSrv)
SRV - [2008/08/08 12:28:10 | 001,442,088 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe -- (InCDsrv)


========== Driver Services (SafeList) ==========

DRV - [2011/06/04 18:48:26 | 000,028,752 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{61763A0E-8D7A-41BC-BBF9-47859A27C0F7}\MpKsl8bbbb75c.sys -- (MpKsl8bbbb75c)
DRV - [2011/06/04 10:30:19 | 000,028,752 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{61763A0E-8D7A-41BC-BBF9-47859A27C0F7}\MpKsl39f15467.sys -- (MpKsl39f15467)
DRV - [2010/05/13 10:02:32 | 000,532,224 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2010/04/28 07:44:02 | 000,054,760 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2010/03/10 17:25:58 | 000,020,968 | ---- | M] (Windows ® Win 7 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\cpuz133_x32.sys -- (cpuz133)
DRV - [2009/06/22 11:31:08 | 000,589,312 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8192su.sys -- (RTL8192su)
DRV - [2008/08/08 12:28:00 | 000,128,424 | ---- | M] (Nero AG) [File_System | Disabled | Running] -- C:\WINDOWS\system32\drivers\InCDfs.sys -- (InCDfs)
DRV - [2008/08/08 12:28:00 | 000,040,488 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDRm.sys -- (incdrm)
DRV - [2008/08/08 12:28:00 | 000,038,952 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDPass.sys -- (InCDPass)
DRV - [2006/12/27 15:51:36 | 012,006,400 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\snp2sxp.sys -- (SNP2STD) USB2.0 PC Camera (SNP2STD)
DRV - [2006/11/02 07:00:08 | 000,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)
DRV - [2006/03/02 20:00:00 | 000,012,160 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\fsvga.sys -- (FsVga)
DRV - [2005/04/01 12:12:00 | 001,032,192 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/01/12 07:32:20 | 000,087,936 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvatabus.sys -- (nvatabus)
DRV - [2005/01/12 07:32:14 | 000,033,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2005/01/12 07:32:14 | 000,012,928 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2005/01/12 07:31:26 | 002,284,864 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/08/19 07:21:00 | 000,189,568 | ---- | M] (Marvell) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2003/12/05 17:46:36 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2001/08/17 13:51:32 | 000,018,688 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\irsir.sys -- (irsir)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\URLSearchHook: {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL Inc.)

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://hk.yahoo.com/
IE - HKCU\..\URLSearchHook: {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" =



O1 HOSTS File: ([2011/06/04 18:40:21 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx ()
O2 - BHO: (Winamp Toolbar Loader) - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL Inc.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (NTIECatcher Class) - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll (Xi)
O2 - BHO: (Yontoo Layers) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\PageRage\YontooIEClient.dll (Yontoo Technology, Inc.)
O3 - HKLM\..\Toolbar: (Winamp Toolbar) - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Winamp Toolbar) - {EBF2BA02-9094-4C5A-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL Inc.)
O4 - HKLM..\Run: [InCD] C:\Program Files\Nero\Nero8\InCD\InCD.exe (Nero AG)
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [QuickTime Task] File not found
O4 - HKLM..\Run: [SecurDisc] C:\Program Files\Nero\Nero8\InCD\NBHGui.exe (Nero AG)
O4 - HKLM..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe (Sonix)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - HKLM..\Run: [Zune Launcher] C:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
O4 - HKCU..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe (Nero AG)
O4 - Startup: C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\LevelOne WUA-0605 Wireless LAN Utility.lnk = C:\Program Files\LevelOne\WUA-0605\RtWLan.exe (Realtek Semiconductor Corp.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: 使用影音傳送帶下載 - C:\Program Files\Xi\NetTransport 2\NTAddLink.html ()
O8 - Extra context menu item: 使用影音傳送帶下載全部連結 - C:\Program Files\Xi\NetTransport 2\NTAddList.html ()
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 203.186.94.22 203.186.94.241 203.186.94.20
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop Components:0 (目前的首頁) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/07/05 23:31:24 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/06/04 18:40:18 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/06/02 20:19:04 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent
[2011/06/02 20:19:04 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/06/02 19:17:37 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2011/06/02 19:05:43 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstall$
[2011/06/01 21:24:31 | 000,000,000 | ---D | C] -- C:\Program Files\CheckPoint
[2011/06/01 21:24:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\「開始」功能表\程式集\ZoneAlarm
[2011/06/01 21:24:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ZoneLabs
[2011/06/01 21:21:25 | 000,000,000 | ---D | C] -- C:\Program Files\Zone Labs
[2011/06/01 21:21:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\Internet Logs
[2011/06/01 21:06:17 | 001,431,344 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\桌面\TDSSKiller.exe
[2011/06/01 20:43:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\「開始」功能表\程式集\Rootkit Unhooker LE
[2011/06/01 20:20:32 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/06/01 20:20:32 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/06/01 20:20:32 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/06/01 20:20:32 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/06/01 20:20:26 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/06/01 20:20:22 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/06/01 20:19:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\PCHealth
[2011/06/01 20:19:37 | 004,109,346 | R--- | C] (Swearware) -- C:\Documents and Settings\Administrator\桌面\ComboFix.exe
[2011/05/31 18:45:32 | 000,580,096 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\桌面\OTL.exe
[2011/05/31 18:27:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2011/05/31 18:24:58 | 000,000,000 | ---D | C] -- C:\ERDNT
[2011/05/31 18:22:42 | 001,445,888 | ---- | C] (Option^Explicit Software Solutions) -- C:\Documents and Settings\Administrator\桌面\winsockxpfix.exe
[2011/05/31 18:22:25 | 170,688,424 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\Administrator\桌面\avg_free_x86_all_2011_1375a3626.exe
[2011/05/30 21:44:27 | 000,079,872 | ---- | C] (Ricoh Co., Ltd.) -- C:\WINDOWS\System32\dllcache\rwia330.dll
[2011/05/30 21:44:27 | 000,079,872 | ---- | C] (Ricoh Co., Ltd.) -- C:\WINDOWS\System32\dllcache\rwia001.dll
[2011/05/30 21:43:09 | 000,054,528 | ---- | C] (Philips Semiconductors GmbH) -- C:\WINDOWS\System32\dllcache\cap7146.sys
[2011/05/30 20:18:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2011/05/30 20:18:10 | 000,039,984 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/05/30 20:18:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\「開始」功能表\程式集\Malwarebytes' Anti-Malware
[2011/05/30 20:18:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/05/30 20:18:06 | 000,022,712 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/05/30 20:18:05 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/05/30 20:08:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2011/05/29 19:54:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Uzomz
[2011/05/29 19:54:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Kamax
[2011/05/29 19:01:07 | 000,000,000 | ---D | C] -- C:\Program Files\PageRage
[2011/05/07 23:05:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Winamp Toolbar
[2011/05/07 23:04:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Nitro PDF
[2011/05/07 23:04:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\「開始」功能表\程式集\Winamp Detector Plug-in
[2011/05/07 23:04:30 | 000,000,000 | ---D | C] -- C:\Program Files\Winamp Detect
[2011/05/07 23:04:21 | 000,026,416 | ---- | C] (Nitro PDF Software) -- C:\WINDOWS\System32\nitrolocalmon.dll
[2011/05/07 23:04:21 | 000,017,712 | ---- | C] (Nitro PDF Software) -- C:\WINDOWS\System32\nitrolocalui.dll
[2011/05/07 23:04:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Winamp Toolbar
[2011/05/07 23:04:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Nitro PDF
[2011/05/07 23:04:12 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Software Update Utility
[2011/05/07 23:04:06 | 000,000,000 | ---D | C] -- C:\Program Files\Nitro PDF
[2011/05/07 23:04:06 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Nitro PDF
[2011/05/07 23:03:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\OpenCandy
[2011/05/07 23:03:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\OpenCandy
[2011/05/07 23:02:28 | 016,075,784 | ---- | C] (Nullsoft, Inc.) -- C:\winamp561_full_emusic-7plus_all.exe
[2010/07/06 22:43:26 | 000,155,648 | ---- | C] ( ) -- C:\WINDOWS\rsnp2std.dll
[2010/07/06 22:43:26 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\csnp2std.dll

========== Files - Modified Within 30 Days ==========

[2011/06/04 19:39:00 | 000,000,558 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/06/04 18:53:27 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/06/04 18:49:23 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/06/04 18:48:46 | 000,000,554 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/06/04 18:48:16 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/06/04 18:40:21 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/06/04 10:27:33 | 000,508,928 | ---- | M] () -- C:\Documents and Settings\Administrator\桌面\RogueKiller.exe
[2011/06/03 22:53:53 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/06/03 22:48:31 | 000,002,187 | ---- | M] () -- C:\Documents and Settings\All Users\桌面\Safari.lnk
[2011/06/03 22:45:24 | 000,001,485 | ---- | M] () -- C:\Documents and Settings\Administrator\桌面\Windows 檔案總管.lnk
[2011/06/03 22:40:14 | 000,000,814 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2011/06/03 22:00:46 | 000,000,210 | -HS- | M] () -- C:\boot.ini
[2011/06/02 20:19:13 | 000,481,314 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/06/02 20:19:13 | 000,445,606 | ---- | M] () -- C:\WINDOWS\System32\prfh0404.dat
[2011/06/02 20:19:13 | 000,203,804 | ---- | M] () -- C:\WINDOWS\System32\prfc0404.dat
[2011/06/02 20:19:13 | 000,079,388 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/06/02 19:51:28 | 000,000,794 | ---- | M] () -- C:\Documents and Settings\All Users\桌面\Malwarebytes' Anti-Malware.lnk
[2011/06/02 19:34:31 | 000,000,789 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\啟動 Internet Explorer 瀏覽器.lnk
[2011/06/02 19:34:15 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2011/06/02 19:32:58 | 000,126,112 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/06/01 21:45:32 | 000,002,229 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2011/06/01 21:24:57 | 000,420,800 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2011/06/01 21:24:29 | 000,004,212 | -H-- | M] () -- C:\WINDOWS\System32\zllictbl.dat
[2011/06/01 21:24:29 | 000,000,741 | ---- | M] () -- C:\Documents and Settings\Administrator\桌面\ZoneAlarm Security.lnk
[2011/06/01 20:17:12 | 004,109,346 | R--- | M] (Swearware) -- C:\Documents and Settings\Administrator\桌面\ComboFix.exe
[2011/06/01 20:05:34 | 000,000,156 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2011/06/01 20:05:16 | 000,014,336 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/05/31 18:42:04 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\桌面\OTL.exe
[2011/05/31 18:35:18 | 000,629,057 | ---- | M] () -- C:\Documents and Settings\Administrator\桌面\RkU3.8.388.590.rar
[2011/05/31 18:24:26 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2011/05/31 18:24:26 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2011/05/31 18:16:08 | 001,445,888 | ---- | M] (Option^Explicit Software Solutions) -- C:\Documents and Settings\Administrator\桌面\winsockxpfix.exe
[2011/05/31 18:14:28 | 170,688,424 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\Administrator\桌面\avg_free_x86_all_2011_1375a3626.exe
[2011/05/30 21:45:51 | 000,000,288 | ---- | M] () -- C:\WINDOWS\System32\$winnt$.inf
[2011/05/30 21:40:40 | 000,004,205 | ---- | M] () -- C:\WINDOWS\ODBCINST.INI
[2011/05/30 21:38:18 | 000,023,196 | ---- | M] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/05/30 20:20:14 | 000,000,736 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.msn
[2011/05/29 21:38:59 | 000,003,036 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\67B6.70F
[2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/05/29 09:11:20 | 000,022,712 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/05/25 21:59:34 | 000,000,412 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\spider.sav
[2011/05/25 07:10:16 | 001,431,344 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\桌面\TDSSKiller.exe
[2011/05/08 18:51:52 | 000,000,072 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\default.pls
[2011/05/07 23:04:32 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Winamp.lnk
[2011/05/07 23:04:32 | 000,000,664 | ---- | M] () -- C:\Documents and Settings\All Users\桌面\Winamp.lnk

========== Files Created - No Company Name ==========

[2011/06/04 10:28:11 | 000,508,928 | ---- | C] () -- C:\Documents and Settings\Administrator\桌面\RogueKiller.exe
[2011/06/03 22:50:04 | 000,001,355 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2011/06/02 19:11:25 | 000,664,121 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmplayer.chm
[2011/06/02 19:11:25 | 000,354,468 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud1.wav
[2011/06/02 19:11:25 | 000,343,204 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud7.wav
[2011/06/02 19:11:25 | 000,343,204 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud6.wav
[2011/06/02 19:11:25 | 000,172,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud9.wav
[2011/06/02 19:11:25 | 000,172,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud8.wav
[2011/06/02 19:11:25 | 000,172,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud3.wav
[2011/06/02 19:11:25 | 000,086,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud5.wav
[2011/06/02 19:11:25 | 000,086,180 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud4.wav
[2011/06/02 19:11:25 | 000,086,180 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud2.wav
[2011/06/02 19:11:25 | 000,049,688 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmplayer.adm
[2011/06/02 19:11:25 | 000,029,060 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmplay.chm
[2011/06/02 19:11:25 | 000,010,457 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmptour.hta
[2011/06/02 19:11:25 | 000,001,771 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmptour.css
[2011/06/02 19:11:25 | 000,001,646 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpocm.inf
[2011/06/02 19:11:25 | 000,000,420 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmploc.js
[2011/06/02 19:11:24 | 000,572,557 | ---- | C] () -- C:\WINDOWS\System32\dllcache\rtuner.wmv
[2011/06/02 19:11:24 | 000,375,519 | ---- | C] () -- C:\WINDOWS\System32\dllcache\nuskin.wmv
[2011/06/02 19:11:24 | 000,300,969 | ---- | C] () -- C:\WINDOWS\System32\dllcache\viz.wmv
[2011/06/02 19:11:24 | 000,081,924 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plyr_err.chm
[2011/06/02 19:11:24 | 000,066,138 | ---- | C] () -- C:\WINDOWS\System32\dllcache\revert.wmz
[2011/06/02 19:11:24 | 000,057,942 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmp.inf
[2011/06/02 19:11:24 | 000,034,526 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmdm.inf
[2011/06/02 19:11:24 | 000,023,829 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tourbg.gif
[2011/06/02 19:11:24 | 000,022,060 | ---- | C] () -- C:\WINDOWS\System32\dllcache\npds.zip
[2011/06/02 19:11:24 | 000,017,489 | ---- | C] () -- C:\WINDOWS\System32\dllcache\videobg.gif
[2011/06/02 19:11:24 | 000,013,540 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmfsdk.inf
[2011/06/02 19:11:24 | 000,008,677 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm7.gif
[2011/06/02 19:11:24 | 000,007,892 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm9.gif
[2011/06/02 19:11:24 | 000,007,636 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm2.gif
[2011/06/02 19:11:24 | 000,007,369 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm4.gif
[2011/06/02 19:11:24 | 000,006,241 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm3.gif
[2011/06/02 19:11:24 | 000,006,060 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm6.gif
[2011/06/02 19:11:24 | 000,005,789 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm1.gif
[2011/06/02 19:11:24 | 000,005,290 | ---- | C] () -- C:\WINDOWS\System32\dllcache\vidsamp.gif
[2011/06/02 19:11:24 | 000,004,193 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm8.gif
[2011/06/02 19:11:24 | 000,003,187 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tour.js
[2011/06/02 19:11:24 | 000,002,477 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm5.gif
[2011/06/02 19:11:24 | 000,002,469 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tplay.gif
[2011/06/02 19:11:24 | 000,002,450 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tpause.gif
[2011/06/02 19:11:24 | 000,002,375 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tplayh.gif
[2011/06/02 19:11:24 | 000,002,371 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tpauseh.gif
[2011/06/02 19:11:24 | 000,001,800 | ---- | C] () -- C:\WINDOWS\System32\dllcache\skins.inf
[2011/06/02 19:11:24 | 000,001,471 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst6.wpl
[2011/06/02 19:11:24 | 000,001,471 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst5.wpl
[2011/06/02 19:11:24 | 000,001,471 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst3.wpl
[2011/06/02 19:11:24 | 000,001,461 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst12.wpl
[2011/06/02 19:11:24 | 000,001,457 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst4.wpl
[2011/06/02 19:11:24 | 000,001,398 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taon.gif
[2011/06/02 19:11:24 | 000,001,380 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taonh.gif
[2011/06/02 19:11:24 | 000,001,380 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taoff.gif
[2011/06/02 19:11:24 | 000,001,367 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taoffh.gif
[2011/06/02 19:11:24 | 000,001,249 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst1.wpl
[2011/06/02 19:11:24 | 000,001,148 | ---- | C] () -- C:\WINDOWS\System32\dllcache\snd.htm
[2011/06/02 19:11:24 | 000,001,044 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst2.wpl
[2011/06/02 19:11:24 | 000,001,039 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst7.wpl
[2011/06/02 19:11:24 | 000,001,030 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst8.wpl
[2011/06/02 19:11:24 | 000,000,794 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst11.wpl
[2011/06/02 19:11:24 | 000,000,791 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst10.wpl
[2011/06/02 19:11:24 | 000,000,781 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst9.wpl
[2011/06/02 19:11:24 | 000,000,781 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst13.wpl
[2011/06/02 19:11:24 | 000,000,780 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst14.wpl
[2011/06/02 19:11:24 | 000,000,724 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst15.wpl
[2011/06/02 19:11:24 | 000,000,403 | ---- | C] () -- C:\WINDOWS\System32\dllcache\npdrmv2.zip
[2011/06/02 19:11:23 | 000,457,607 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mdlib.wmv
[2011/06/02 19:11:23 | 000,381,425 | ---- | C] () -- C:\WINDOWS\System32\dllcache\copycd.wmv
[2011/06/02 19:11:23 | 000,184,068 | ---- | C] () -- C:\WINDOWS\System32\dllcache\compact.wmz
[2011/06/02 19:11:23 | 000,036,464 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mplayer2.inf
[2011/06/02 19:11:23 | 000,009,585 | ---- | C] () -- C:\WINDOWS\System32\dllcache\controls.css
[2011/06/02 19:11:23 | 000,008,298 | ---- | C] () -- C:\WINDOWS\System32\dllcache\contents.htm
[2011/06/02 19:11:23 | 000,006,878 | ---- | C] () -- C:\WINDOWS\System32\dllcache\controls.js
[2011/06/02 19:11:23 | 000,005,971 | ---- | C] () -- C:\WINDOWS\System32\dllcache\events.js
[2011/06/02 19:11:23 | 000,002,778 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mplogoh.gif
[2011/06/02 19:11:23 | 000,002,545 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mplogo.gif
[2011/06/02 19:11:23 | 000,000,999 | ---- | C] () -- C:\WINDOWS\System32\dllcache\bktrh.gif
[2011/06/02 19:11:23 | 000,000,773 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cnth.gif
[2011/06/02 19:11:23 | 000,000,773 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cnt.gif
[2011/06/02 19:11:23 | 000,000,772 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cntd.gif
[2011/06/02 19:11:23 | 000,000,760 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cloapph.gif
[2011/06/02 19:11:23 | 000,000,717 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cloapp.gif
[2011/06/01 21:24:29 | 000,004,212 | -H-- | C] () -- C:\WINDOWS\System32\zllictbl.dat
[2011/06/01 21:24:29 | 000,000,741 | ---- | C] () -- C:\Documents and Settings\Administrator\桌面\ZoneAlarm Security.lnk
[2011/06/01 21:24:23 | 000,420,800 | ---- | C] () -- C:\WINDOWS\System32\vsconfig.xml
[2011/06/01 20:20:32 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/06/01 20:20:32 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/06/01 20:20:32 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/06/01 20:20:32 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/06/01 20:20:32 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/06/01 20:19:34 | 000,629,057 | ---- | C] () -- C:\Documents and Settings\Administrator\桌面\RkU3.8.388.590.rar
[2011/05/30 21:27:39 | 000,059,392 | ---- | C] () -- C:\WINDOWS\System32\dllcache\imscinst.exe
[2011/05/30 21:27:08 | 001,025,000 | ---- | C] () -- C:\WINDOWS\System32\dllcache\SP2.CAT
[2011/05/30 21:27:08 | 000,819,229 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NT5IIS.CAT
[2011/05/30 21:27:08 | 000,399,645 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MAPIMIG.CAT
[2011/05/30 21:27:08 | 000,037,484 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MW770.CAT
[2011/05/30 21:27:08 | 000,013,472 | ---- | C] () -- C:\WINDOWS\System32\dllcache\HPCRDP.CAT
[2011/05/30 21:27:08 | 000,008,574 | ---- | C] () -- C:\WINDOWS\System32\dllcache\IASNT4.CAT
[2011/05/30 21:27:08 | 000,007,382 | ---- | C] () -- C:\WINDOWS\System32\dllcache\OEMBIOS.CAT
[2011/05/30 20:18:11 | 000,000,794 | ---- | C] () -- C:\Documents and Settings\All Users\桌面\Malwarebytes' Anti-Malware.lnk
[2011/05/29 19:00:30 | 000,003,036 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\67B6.70F
[2011/05/02 14:53:25 | 000,175,616 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2011/05/02 14:53:24 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2011/05/02 14:53:21 | 000,631,808 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2011/05/02 14:53:20 | 000,243,200 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2011/05/02 14:53:20 | 000,080,896 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2011/04/21 21:57:59 | 000,014,336 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/01/19 21:36:32 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/12/16 21:35:24 | 000,026,836 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/10/16 23:54:39 | 000,000,072 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\default.pls
[2010/10/16 23:53:09 | 000,000,156 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2010/09/26 21:22:38 | 000,000,041 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
[2010/09/26 20:47:15 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\rx_image32.Cache
[2010/09/20 23:03:15 | 000,040,960 | ---- | C] () -- C:\Program Files\Uninstall_CDS.exe
[2010/07/06 22:43:30 | 000,020,480 | ---- | C] () -- C:\WINDOWS\FixCamera.exe
[2010/07/06 22:43:28 | 000,262,144 | ---- | C] () -- C:\WINDOWS\tsnp2std.exe
[2010/07/06 22:43:28 | 000,024,832 | ---- | C] () -- C:\WINDOWS\System32\drivers\sncamd.sys
[2010/07/06 22:43:28 | 000,015,497 | ---- | C] () -- C:\WINDOWS\snp2std.ini
[2010/07/06 22:43:27 | 012,006,400 | ---- | C] () -- C:\WINDOWS\System32\drivers\snp2sxp.sys
[2010/07/06 22:40:11 | 000,156,672 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2010/07/06 22:35:14 | 000,000,379 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/07/06 22:21:36 | 000,000,169 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2010/07/06 21:37:20 | 000,451,072 | ---- | C] () -- C:\WINDOWS\System32\ISSRemoveSP.exe
[2010/07/06 20:05:52 | 000,000,469 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2010/07/06 19:53:04 | 000,516,096 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2010/07/06 19:52:59 | 000,079,320 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2010/07/05 23:42:18 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2010/07/05 23:33:32 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/07/05 23:32:25 | 000,026,013 | ---- | C] () -- C:\WINDOWS\System32\sleep.exe
[2010/07/05 23:31:38 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2010/07/05 23:28:59 | 000,023,196 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/07/05 23:25:33 | 000,004,205 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/07/05 23:23:40 | 000,126,112 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/01/25 12:58:06 | 000,462,848 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
[2006/03/02 20:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/03/02 20:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/03/02 20:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/03/02 20:00:00 | 000,261,056 | ---- | C] () -- C:\WINDOWS\winhelp.exe
[2006/03/02 20:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/03/02 20:00:00 | 000,151,808 | ---- | C] () -- C:\WINDOWS\System32\ozxtkazy.dat
[2006/03/02 20:00:00 | 000,136,448 | ---- | C] () -- C:\WINDOWS\System32\svvjqeva.dat
[2006/03/02 20:00:00 | 000,112,200 | ---- | C] () -- C:\WINDOWS\System32\prfi0404.dat
[2006/03/02 20:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/03/02 20:00:00 | 000,034,560 | ---- | C] () -- C:\WINDOWS\System32\auybkjrj.dat
[2006/03/02 20:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\prfd0404.dat
[2006/03/02 20:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/03/02 20:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/03/02 20:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/03/02 20:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/07/12 08:00:00 | 000,481,314 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/07/12 08:00:00 | 000,445,606 | ---- | C] () -- C:\WINDOWS\System32\prfh0404.dat
[2004/07/12 08:00:00 | 000,203,804 | ---- | C] () -- C:\WINDOWS\System32\prfc0404.dat
[2004/07/12 08:00:00 | 000,079,388 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/07/12 08:00:00 | 000,005,120 | ---- | C] () -- C:\WINDOWS\System32\setupold.exe
[2004/07/12 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== LOP Check ==========

[2010/09/20 23:05:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\InterTrust
[2011/05/30 20:53:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Kamax
[2011/05/07 23:04:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Nitro PDF
[2011/05/07 23:03:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\OpenCandy
[2010/09/19 19:00:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Uniblue
[2011/05/30 20:16:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Uzomz
[2010/09/19 18:44:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LightScribe
[2010/07/05 23:32:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSN Messenger 6.2.0137
[2011/05/07 23:04:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nitro PDF
[2010/09/26 21:23:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SlySoft
[2010/09/26 20:40:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall
[2010/12/12 17:41:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2011/06/04 18:53:27 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

========== Purity Check ==========



< End of report >

ROOTKIT UNHOOKER LOG
RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>SSDT State
==============================================
ntkrnlpa.exe-->NtConnectPort, Type: Address change 0x8059AA14-->EEA5B534 [C:\WINDOWS\System32\vsdatant.sys]
ntkrnlpa.exe-->NtCreateFile, Type: Address change 0x8056F38C-->EEA55782 [C:\WINDOWS\System32\vsdatant.sys]
ntkrnlpa.exe-->NtCreateKey, Type: Address change 0x8061BCEC-->EEA746DC [C:\WINDOWS\System32\vsdatant.sys]
ntkrnlpa.exe-->NtCreatePort, Type: Address change 0x8059B530-->EEA5BCC0 [C:\WINDOWS\System32\vsdatant.sys]
ntkrnlpa.exe-->NtCreateProcess, Type: Address change 0x805C8582-->EEA6EEB4 [C:\WINDOWS\System32\vsdatant.sys]
ntkrnlpa.exe-->NtCreateProcessEx, Type: Address change 0x805C84CC-->EEA6F2A2 [C:\WINDOWS\System32\vsdatant.sys]
ntkrnlpa.exe-->NtCreateSection, Type: Address change 0x805A1816-->EEA78916 [C:\WINDOWS\System32\vsdatant.sys]
ntkrnlpa.exe-->NtCreateWaitablePort, Type: Address change 0x8059B554-->EEA5BDF6 [C:\WINDOWS\System32\vsdatant.sys]
ntkrnlpa.exe-->NtDeleteFile, Type: Address change 0x8056CF2C-->EEA56398 [C:\WINDOWS\System32\vsdatant.sys]
ntkrnlpa.exe-->NtDeleteKey, Type: Address change 0x8061C188-->EEA75FE4 [C:\WINDOWS\System32\vsdatant.sys]
ntkrnlpa.exe-->NtDeleteValueKey, Type: Address change 0x8061C358-->EEA7593C [C:\WINDOWS\System32\vsdatant.sys]
ntkrnlpa.exe-->NtDuplicateObject, Type: Address change 0x805B49A2-->EEA6DDF0 [C:\WINDOWS\System32\vsdatant.sys]
ntkrnlpa.exe-->NtLoadKey, Type: Address change 0x8061DF10-->EEA7693C [C:\WINDOWS\System32\vsdatant.sys]
ntkrnlpa.exe-->NtLoadKey2, Type: Address change 0x8061DB1C-->EEA76B44 [C:\WINDOWS\System32\vsdatant.sys]
ntkrnlpa.exe-->NtOpenFile, Type: Address change 0x805704AA-->EEA55FAA [C:\WINDOWS\System32\vsdatant.sys]
ntkrnlpa.exe-->NtOpenProcess, Type: Address change 0x805C23F8-->EEA711CE [C:\WINDOWS\System32\vsdatant.sys]
ntkrnlpa.exe-->NtOpenThread, Type: Address change 0x805C2684-->EEA70DF8 [C:\WINDOWS\System32\vsdatant.sys]
ntkrnlpa.exe-->NtRenameKey, Type: Address change 0x8061B70E-->EEA778D2 [C:\WINDOWS\System32\vsdatant.sys]
ntkrnlpa.exe-->NtReplaceKey, Type: Address change 0x8061DDC0-->EEA77208 [C:\WINDOWS\System32\vsdatant.sys]
ntkrnlpa.exe-->NtRequestWaitReplyPort, Type: Address change 0x805991BA-->EEA5B0F4 [C:\WINDOWS\System32\vsdatant.sys]
ntkrnlpa.exe-->NtRestoreKey, Type: Address change 0x8061D6CC-->EEA782A4 [C:\WINDOWS\System32\vsdatant.sys]
ntkrnlpa.exe-->NtSecureConnectPort, Type: Address change 0x8059A1A8-->EEA5B7DC [C:\WINDOWS\System32\vsdatant.sys]
ntkrnlpa.exe-->NtSetInformationFile, Type: Address change 0x80571394-->EEA5675C [C:\WINDOWS\System32\vsdatant.sys]
ntkrnlpa.exe-->NtSetSecurityObject, Type: Address change 0x805B7114-->EEA77E12 [C:\WINDOWS\System32\vsdatant.sys]
ntkrnlpa.exe-->NtSetValueKey, Type: Address change 0x8061A25E-->EEA750C4 [C:\WINDOWS\System32\vsdatant.sys]
ntkrnlpa.exe-->NtSystemDebugControl, Type: Address change 0x8060FC2C-->EEA6FF0A [C:\WINDOWS\System32\vsdatant.sys]
ntkrnlpa.exe-->NtTerminateProcess, Type: Address change 0x805C9DA6-->EEA6FC86 [C:\WINDOWS\System32\vsdatant.sys]
==============================================
>Shadow
==============================================
win32k.sys-->NtUserMessageCall, Type: Address change 0xBF80EE6B-->EEA59F38 [C:\WINDOWS\System32\vsdatant.sys]
win32k.sys-->NtUserPostMessage, Type: Address change 0xBF8089B4-->EEA5A07A [C:\WINDOWS\System32\vsdatant.sys]
win32k.sys-->NtUserPostThreadMessage, Type: Address change 0xBF8B3D3D-->EEA5A1B2 [C:\WINDOWS\System32\vsdatant.sys]
win32k.sys-->NtUserRegisterRawInputDevices, Type: Address change 0xBF915BA7-->EEA57B4C [C:\WINDOWS\System32\vsdatant.sys]
win32k.sys-->NtUserSendInput, Type: Address change 0xBF8C31E7-->EEA5A5A6 [C:\WINDOWS\System32\vsdatant.sys]
==============================================
>Processes
==============================================
0x86FB77C0 [4] System
0x8517FDA0 [136] C:\WINDOWS\system32\ati2evxx.exe (ATI Technologies Inc., ATI External Event Utility EXE Module)
0x85070DA0 [196] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8509F020 [380] C:\WINDOWS\explorer.exe (Microsoft Corporation, Windows Explorer)
0x8696F790 [424] C:\WINDOWS\system32\smss.exe (Microsoft Corporation, Windows NT Session Manager)
0x85063290 [580] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc., MobileDeviceService)
0x85CD67A8 [672] C:\WINDOWS\system32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)
0x85CB77A8 [696] C:\WINDOWS\system32\winlogon.exe (Microsoft Corporation, Windows NT Logon Application)
0x853D69E8 [740] C:\WINDOWS\system32\services.exe (Microsoft Corporation, Services and Controller app)
0x85C9E7A8 [752] C:\WINDOWS\system32\lsass.exe (Microsoft Corporation, LSA Shell (Export Version))
0x851A1020 [916] C:\WINDOWS\system32\ati2evxx.exe (ATI Technologies Inc., ATI External Event Utility EXE Module)
0x8519F610 [940] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x853F2440 [1000] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x851486D0 [1072] C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation, Antimalware Service Executable)
0x8512D5D8 [1108] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x85145DA0 [1156] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x84DEF620 [1164] C:\Program Files\iPod\bin\iPodService.exe (Apple Inc., iPodService Module (32-bit))
0x850DC2B0 [1348] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x84D7B638 [1372] C:\Documents and Settings\Administrator\桌面\M3654654654\b4m8xL4Om.exe (UG North, RKULE, SR2 Normandy)
0x850AE800 [1396] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x84FED800 [1852] C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc., Bonjour Service)
0x84F0C620 [1876] C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe (Nero AG, incdsrv)
0x85032020 [1992] C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation, Spooler SubSystem App)
0x84EEE9E0 [2072] C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc., Java™ Quick Starter Service)
0x84F85C88 [2152] C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe (Nero AG, Nero Home)
0x84ED3020 [2160] C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe (Nero AG, Nero Registry InCD Service)
0x84EA1DA0 [2232] C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe (Nitro PDF Software, Solid Spool Service)
0x84E8A808 [2264] C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corp., Microsoft SeaPort Search Enhancement Broker)
0x851A2020 [2356] C:\Program Files\Zune\ZuneBusEnum.exe (Microsoft Corporation, Zune Bus Enumerator Service)
0x850649E0 [2708] C:\WINDOWS\system32\wuauclt.exe (Microsoft Corporation, Windows Update)
0x84DDEDA0 [2784] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x84E06B28 [2840] C:\Program Files\Nero\Nero8\InCD\NBHGui.exe (Nero AG, Nero SecurDisc Host)
0x84F05DA0 [2904] C:\Program Files\Nero\Nero8\InCD\InCD.exe (Nero AG, InCD)
0x84FF6778 [2928] C:\WINDOWS\vsnp2std.exe (Sonix, CameraMonitor Application)
0x84DFC808 [3092] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation, Microsoft Security Client User Interface)
0x84DF65B0 [3204] C:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation, Zune Auto-Launcher)
0x84D76DA0 [3208] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation, Malwarebytes' Anti-Malware)
0x84F674E0 [3304] C:\WINDOWS\system32\wuauclt.exe (Microsoft Corporation, Windows Update)
0x84DF2818 [3352] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc., iTunesHelper)
0x84DDCB28 [3420] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp., Realtek Sound Manager)
0x84FBCDA0 [3556] C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe (Nero AG, Nero Home)
0x84DCB020 [3628] C:\Program Files\Skype\Phone\Skype.exe (Skype Technologies S.A., Skype )
0x84FBC530 [3636] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation, CTF Loader)
0x84EFE598 [3740] C:\Program Files\LevelOne\WUA-0605\RtWLan.exe (Realtek Semiconductor Corp., RtWLan ( For WinXP/2003) Application)
0x84F5ADA0 [3984] C:\WINDOWS\system32\alg.exe (Microsoft Corporation, Application Layer Gateway Service)
0x850AC408 [1920] C:\WINDOWS\system32\ZoneLabs\vsmon.exe (Check Point Software Technologies LTD, TrueVector Service)
0x84DF39D0 [3440] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD, ZoneAlarm Client)
==============================================
>Drivers
==============================================
0xEDDE1000 C:\WINDOWS\system32\DRIVERS\snp2sxp.sys 12009472 bytes (-, USB2.0 PC Camera driver)
0xBF0B0000 C:\WINDOWS\System32\ati3duag.dll 2297856 bytes (ATI Technologies Inc. , ati3duag.dll)
0xF70B1000 C:\WINDOWS\system32\drivers\ALCXWDM.SYS 2285568 bytes (Realtek Semiconductor Corp., Realtek AC'97 Audio Driver (WDM))
0x804D8000 C:\WINDOWS\system32\ntkrnlpa.exe 2069248 bytes (Microsoft Corporation, NT Kernel & System)
0x804D8000 PnpManager 2069248 bytes
0x804D8000 RAW 2069248 bytes
0x804D8000 WMIxWDM 2069248 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1847296 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xBF800000 Win32k 1847296 bytes
0xF6EEE000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 1069056 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xBF2E1000 C:\WINDOWS\System32\ativvaxx.dll 610304 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0xEDD51000 C:\WINDOWS\system32\DRIVERS\RTL8192su.sys 589824 bytes (Realtek Semiconductor Corporation , Realtek RTL8192S USB NDIS Driver)
0xF7392000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xEEA3A000 C:\WINDOWS\System32\vsdatant.sys 528384 bytes (Check Point Software Technologies LTD, ZoneAlarm Firewalling Driver)
0xF6CEB000 C:\WINDOWS\System32\Drivers\wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)
0xEE97D000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF6D5C000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xEEB31000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB7412000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xF7026000 C:\WINDOWS\system32\DRIVERS\NVNRM.SYS 278528 bytes (NVIDIA Corporation, NVIDIA Network Resource Manager.)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 241664 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xF6FF3000 C:\WINDOWS\system32\DRIVERS\NVSNPU.SYS 208896 bytes (NVIDIA Corporation, NVIDIA Networking Soft-NPU Driver.)
0xBF04D000 C:\WINDOWS\System32\ati2cqag.dll 204800 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xBF07F000 C:\WINDOWS\System32\atikvmag.dll 200704 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0xF6DBA000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF74EC000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB7A18000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF7365000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xEE9ED000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xEEB09000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xEEC7C000 C:\WINDOWS\system32\DRIVERS\MpFilter.sys 159744 bytes (Microsoft Corporation, Microsoft antimalware file system filter driver)
0xEEAE3000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xF7496000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xB79A4000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF708D000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF72DF000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF706A000 C:\WINDOWS\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xEEA18000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806D2000 ACPI_HAL 131840 bytes
0x806D2000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF7448000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xEEB9D000 C:\WINDOWS\system32\drivers\InCDFs.sys 126976 bytes (Nero AG, InCD File System Driver)
0xF74BC000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF734B000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF747E000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xF6EC3000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB842F000 C:\WINDOWS\system32\DRIVERS\WudfPf.sys 94208 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xF741F000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xEDD3B000 C:\WINDOWS\System32\Drivers\dump_nvatabus.sys 90112 bytes
0xB7F3B000 C:\WINDOWS\system32\DRIVERS\irda.sys 90112 bytes (Microsoft Corporation, IRDA Protocol Driver)
0xF7468000 nvatabus.sys 90112 bytes (NVIDIA Corporation, NVIDIAR nForce™ IDE Performance Driver)
0xB785F000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF6EDA000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xEEB8A000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF7436000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF6DEA000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF74DB000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF6E5B000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF76EB000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF762B000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xF76CB000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF772B000 C:\WINDOWS\system32\DRIVERS\serial.sys 61440 bytes (Microsoft Corporation, Serial Device Driver)
0xB7A95000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF77AB000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF763B000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xF76FB000 C:\WINDOWS\system32\DRIVERS\redbook.sys 57344 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xF779B000 C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS 57344 bytes (Microsoft Corporation, Kernel Mode Driver Framework Loader)
0xF767B000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF773B000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF6E6B000 C:\WINDOWS\system32\DRIVERS\STREAM.SYS 53248 bytes (Microsoft Corporation, WDM CODEC Class Device Driver 2.0)
0xB8059000 C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys 49152 bytes (Microsoft Corporation, Family Safety Filter Driver (TDI))
0xF775B000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF765B000 VolSnap.sys 49152 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF788B000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF76DB000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF774B000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF778B000 C:\WINDOWS\system32\DRIVERS\zumbus.sys 45056 bytes (Microsoft Corporation, Zune User-Mode Bus Enumerator)
0xF764B000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF77BB000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF76BB000 C:\WINDOWS\system32\DRIVERS\processr.sys 40960 bytes (Microsoft Corporation, Processor Device Driver)
0xF777B000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF768B000 PxHelp20.sys 40960 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xB8760000 C:\WINDOWS\system32\drivers\cpuz133_x32.sys 36864 bytes (Windows ® Win 7 DDK provider, CPUID Driver)
0xF6E4B000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF770B000 C:\WINDOWS\system32\drivers\InCDPass.sys 36864 bytes (Nero AG, Nero InCD RW Filter Driver)
0xF771B000 C:\WINDOWS\system32\drivers\InCDRm.sys 36864 bytes (Nero AG, Nero MRW Filter Driver)
0xF776B000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF787B000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xB6972000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF780B000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF766B000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF761B000 isapnp.sys 36864 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF78E3000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF795B000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xF7993000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF7923000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF79C3000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF789B000 C:\WINDOWS\System32\Drivers\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF79AB000 C:\WINDOWS\system32\DRIVERS\SNCAMD.SYS 28672 bytes (-, USB2.0 PC Camera driver)
0xF793B000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF79E3000 C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{61763A0E-8D7A-41BC-BBF9-47859A27C0F7}\MpKsl39f15467.sys 24576 bytes (Microsoft Corporation, KSLDriver)
0xF7903000 C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{61763A0E-8D7A-41BC-BBF9-47859A27C0F7}\MpKsl8bbbb75c.sys 24576 bytes (Microsoft Corporation, KSLDriver)
0xF799B000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xF78BB000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF78CB000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF79D3000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF7A1B000 C:\WINDOWS\system32\DRIVERS\AegisP.sys 20480 bytes (Cisco Systems, Inc., IEEE 802.1X Protocol Driver)
0xF7913000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF7943000 C:\WINDOWS\system32\DRIVERS\irsir.sys 20480 bytes (Microsoft Corporation, Serial Infrared Driver)
0xF78D3000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF79DB000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF7953000 C:\WINDOWS\system32\DRIVERS\rasirda.sys 20480 bytes (Microsoft Corporation, IrDA WAN Miniport Driver)
0xF79EB000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF796B000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF7963000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xF7A03000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF78A3000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF6EBB000 C:\WINDOWS\system32\drivers\InCDRec.sys 16384 bytes (Nero AG, Nero InCD File System Recognizer)
0xEE96D000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF7AB3000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB7F59000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF7ACF000 C:\WINDOWS\system32\DRIVERS\nvnetbus.sys 16384 bytes (NVIDIA Corporation, NVIDIA Networking Bus Driver.)
0xF7B0F000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF7A2B000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF7AFB000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF731F000 C:\WINDOWS\system32\DRIVERS\fsvga.sys 12288 bytes (Microsoft Corporation, Full Screen Video Driver)
0xEE975000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xF7B17000 C:\WINDOWS\system32\DRIVERS\irenum.sys 12288 bytes (Microsoft Corporation, Infra-Red Bus Enumerator)
0xEE965000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF7313000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF7ABF000 C:\WINDOWS\system32\drivers\pfc.sys 12288 bytes (Padus, Inc., Padus® ASPI Shell)
0xF6EAF000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF7B51000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7B95000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7B4D000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7B55000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7B59000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7B2F000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7B3D000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7B1D000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7B1B000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7B1F000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF7C07000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7CEE000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7C80000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7BE3000 PCIIde.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
==============================================
>Files
==============================================
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0006AB0A, Type: Inline - RelativeJump 0x80542B0A-->80542B11 [ntkrnlpa.exe]
tcpip.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification 0xEEB703A8-->EEA60CBA [vsdatant.sys]
tcpip.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification 0xEEB703D4-->EEA604C8 [vsdatant.sys]
tcpip.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification 0xEEB703E0-->EEA60672 [vsdatant.sys]
wanarp.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification 0xF7810B4C-->EEA60CBA [vsdatant.sys]
wanarp.sys-->ndis.sys-->NdisDeregisterProtocol, Type: IAT modification 0xF7810B1C-->EEA5EC2A [vsdatant.sys]
wanarp.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification 0xF7810B3C-->EEA604C8 [vsdatant.sys]
wanarp.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification 0xF7810B28-->EEA60672 [vsdatant.sys]
[3628]Skype.exe-->kernel32.dll-->GetModuleHandleA, Type: IAT modification 0x013890A0-->00000000 [unknown_code_page]
[3628]Skype.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x013890A4-->00000000 [Skype.exe]
[380]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DA1218-->00000000 [shimeng.dll]
[380]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77EF10B4-->00000000 [shimeng.dll]
[380]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[380]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7D5915A4-->00000000 [shimeng.dll]
[380]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77D1133C-->00000000 [shimeng.dll]
[380]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3E4C14B0-->00000000 [shimeng.dll]
[380]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71A1109C-->00000000 [shimeng.dll]


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
  • 0
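A small triage script for the >Drivers and >Hooks sections of the log above. This is an added example for this thread, not code from OTL, RkUnhooker, Microsoft or any other vendor; the sample lines are copied from the log posted here, and the rule that accepts Microsoft Security Essentials' MpKsl*.sys drivers from the Definition Updates folder is an assumption that encodes the helper's reply that those files belong to MSE.

```python
"""Parse driver and hook lines of the rootkit-scanner section of the log
posted above and list the entries a human should confirm by hand.
Added example for this thread; regex layouts are inferred from the log lines
and the MSE definition-update rule is an assumption, not vendor guidance."""
import re
from collections import Counter

# "<base> <path or module name> <size> bytes (<vendor>, <description>)"
# The parenthesised part is optional (kernel pseudo-modules, dump_*.sys).
DRIVER_RE = re.compile(
    r"^0x(?P<base>[0-9A-Fa-f]+)\s+(?P<path>.+?)\s+(?P<size>\d+)\s+bytes"
    r"(?:\s+\((?P<info>.*)\))?\s*$"
)
# "<chain>, Type: <hook type> 0x<from>--><to> [<owning module>]"
HOOK_RE = re.compile(
    r"^(?P<chain>[^,]+),\s+Type:\s+(?P<type>.+?)\s+0x(?P<src>[0-9A-Fa-f]+)"
    r"-->(?P<dst>[0-9A-Fa-f]+)\s+\[(?P<owner>[^\]]+)\]\s*$"
)
# MSE loads its definition-update driver from ProgramData. The helper in this
# thread states these are legitimate; this pattern is an illustrative assumption.
MSE_KSL_RE = re.compile(
    r"\\Microsoft Antimalware\\Definition Updates\\\{[0-9A-Fa-f-]{36}\}"
    r"\\MpKsl[0-9a-f]{8}\.sys$",
    re.IGNORECASE,
)
USER_WRITABLE = ("c:\\documents and settings\\", "c:\\users\\")

# Constructed sample input: lines copied from the log on this page.
SAMPLE_DRIVERS = [
    r"0xEDDE1000 C:\WINDOWS\system32\DRIVERS\snp2sxp.sys 12009472 bytes (-, USB2.0 PC Camera driver)",
    r"0x804D8000 PnpManager 2069248 bytes",
    r"0xEEA3A000 C:\WINDOWS\System32\vsdatant.sys 528384 bytes (Check Point Software Technologies LTD, ZoneAlarm Firewalling Driver)",
    r"0xEDD3B000 C:\WINDOWS\System32\Drivers\dump_nvatabus.sys 90112 bytes",
    r"0xF79E3000 C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{61763A0E-8D7A-41BC-BBF9-47859A27C0F7}\MpKsl39f15467.sys 24576 bytes (Microsoft Corporation, KSLDriver)",
    r"0xB6972000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)",
]
SAMPLE_HOOKS = [
    "ntkrnlpa.exe+0x0006AB0A, Type: Inline - RelativeJump 0x80542B0A-->80542B11 [ntkrnlpa.exe]",
    "tcpip.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification 0xEEB703D4-->EEA604C8 [vsdatant.sys]",
    "wanarp.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification 0xF7810B28-->EEA60672 [vsdatant.sys]",
    "[3628]Skype.exe-->kernel32.dll-->GetModuleHandleA, Type: IAT modification 0x013890A0-->00000000 [unknown_code_page]",
    "[380]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]",
]


def parse_driver(line):
    """Split one driver line into base, path, size, vendor and description."""
    m = DRIVER_RE.match(line)
    if not m:
        return None
    vendor, _, desc = (m.group("info") or "").partition(", ")
    return {"base": int(m.group("base"), 16), "path": m.group("path"),
            "size": int(m.group("size")), "vendor": vendor.strip(),
            "desc": desc.strip()}


def review_drivers(lines):
    """(path, reason) for drivers to confirm by hand: a real file with no
    vendor string, or a driver loaded from a user-writable location that is
    not the known MSE definition-update layout with a Microsoft vendor string."""
    findings = []
    for d in filter(None, map(parse_driver, lines)):
        path = d["path"]
        if "\\" in path and d["vendor"] in ("", "-"):
            findings.append((path, "no vendor information"))
        elif path.lower().startswith(USER_WRITABLE) and not (
                MSE_KSL_RE.search(path) and d["vendor"] == "Microsoft Corporation"):
            findings.append((path, "driver loaded from user-writable path"))
    return findings


def parse_hook(line):
    """Split one hook line into chain, hook type, addresses and owning module."""
    m = HOOK_RE.match(line)
    if not m:
        return None
    return {"chain": m.group("chain"), "type": m.group("type"),
            "src": int(m.group("src"), 16), "dst": int(m.group("dst"), 16),
            "owner": m.group("owner")}


def hooks_by_owner(lines):
    """Hook count per owning module. One firewall or AV driver owning a block
    of NDIS imports is the expected shape; an owner you cannot name is not."""
    return Counter(h["owner"] for h in map(parse_hook, lines) if h)


def review_hooks(lines):
    """Hook chains whose owner the scanner could not attribute at all."""
    return [h["chain"] for h in map(parse_hook, lines)
            if h and h["owner"] == "unknown_code_page"]


if __name__ == "__main__":
    for path, reason in review_drivers(SAMPLE_DRIVERS):
        print(f"DRIVER  {reason}: {path}")
    for owner, n in hooks_by_owner(SAMPLE_HOOKS).most_common():
        print(f"HOOKS   {n:2d} owned by {owner}")
    for chain in review_hooks(SAMPLE_HOOKS):
        print(f"CONFIRM unattributed hook: {chain}")
```

The script deliberately does no more than parse and sort: the scanner already attributed most hooks (ZoneAlarm's vsdatant.sys on the NDIS imports, the Windows shim engine shimeng.dll on explorer.exe), so it only surfaces what the scanner could not attribute and drivers that lack a vendor string. A path pattern is no substitute for checking the file's digital signature; it only tells a reader which of the few hundred lines deserve that check.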

#7
Render
    Trusted Helper
  • Malware Removal
  • 4,195 posts
Hi,

Logs look good. Are you experiencing any problems?

0xF79E3000 C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{61763A0E-8D7A-41BC-BBF9-47859A27C0F7}\MpKsl39f15467.sys 24576 bytes (Microsoft Corporation, KSLDriver)
0xF7903000 C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{61763A0E-8D7A-41BC-BBF9-47859A27C0F7}\MpKsl8bbbb75c.sys 24576 bytes (Microsoft Corporation, KSLDriver)

These are legit files and belong to MSE.

Please do the following:

Please download AVP Tool by Kaspersky. Save it to your desktop, and reboot your computer into SafeMode.

  • You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
  • Use your up arrow key to highlight SafeMode then hit enter.
  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install it to your desktop folder. Click Next.
  • Hit OK at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked:

    Hidden Startup Objects
    System Memory
    Disk Boot Sectors.
    My Computer.
    Also any other drives (Removable that you may have)
  • After that click on Security level then choose Customize then click on the tab that says Heuristic Analyzer then choose Enable Deep rootkit search then choose OK.
  • Then choose OK again and you are back to the main screen.
  • Then click on Scan at the top right-hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized then click the button that says Neutralize all.
  • If it says it cannot be Neutralized then choose the delete option when prompted.
  • After that is done click on the Reports button at the bottom and save it to a file; name it Kas.
  • Save it somewhere convenient like your desktop and post it in your next reply.

Note: This tool will self uninstall when you close it so please save the log before closing it.
  • 0

#8
SJSCHOO
    Member
  • Topic Starter
  • Member
  • 87 posts
Sounds good, just looked suspicious. Thanks for the help. I tried downloading and installing that Kaspersky tool 2x but each time it said "Database is corrupted" and asked me to try again. I'll leave ZoneAlarm installed and running along with MS:SE and M/B so if something starts happening again, we'll go back at it again.
  • 0

#9
Render
    Trusted Helper
  • Malware Removal
  • 4,195 posts
Hi,

This is not a good sign at all. Try to download it on some other computer then transfer it to this one with some removable media.
  • 0

#10
SJSCHOO
    Member
  • Topic Starter
  • Member
  • 87 posts
That was the first one I used, started in Safe Mode, installed, tried to run and failed. 2nd time downloaded from 'infected' computer. I'll try downloading again from my clean computer, but could you try downloading and running it too to make sure it's not just a corrupted file they're offering? (I'll also try to run it from my PC)
  • 0

#11
Render
    Trusted Helper
  • Malware Removal
  • 4,195 posts
File is good. I already checked it.
  • 0

#12
SJSCHOO
    Member
  • Topic Starter
  • Member
  • 87 posts
Luckily false alarm. Downloaded new copy, failed again. I realized the program only supported 3 languages (Chinese not one of them) and when it would search for the database in the \Desktop\Removal Tool folder it would fail and error. Except their Desktop isn't "Desktop" it's Chinese. Created C:\AV\ and it installed and started without issue. Running now, if it gets too late, I'll post the log in the morning.
  • 0

#13
Render
    Trusted Helper
  • Malware Removal
  • 4,195 posts
Aje. It should be 桌面 for desktop. Thank you for letting me know.

Scan should take some time - several hours - see you then.
  • 0

#14
SJSCHOO
    Member
  • Topic Starter
  • Member
  • 87 posts
Before I fell asleep, I saw it found 4 items (all in the MS:SE folder, pretty positive they were quarantined back up files) but it had also already deleted those same 4. When I woke up the computer was already turned off. Turned it on and ran another scan this morning in safe mode with the same settings and the log is clean, just showing the start and stop time. Thanks a ton for the help!
  • 0

#15
Render
    Trusted Helper
  • Malware Removal
  • 4,195 posts
Your logs show that your system is clean. If you have no further issues with your computer, then please proceed with the procedures outlined below.

Update to Windows XP SP3 - Windows XP Service Pack 3 (SP3) is an important update that includes previously released security, performance, and stability updates for Windows XP.

Please update your system to SP3. The recommended (and easiest) way to get SP3 is to turn on Automatic Updates. For more information, see Set up Automatic Updates at the Windows website.
You can also download Service pack 3 from here and install it manually.

Java Updates - Java needs to be regularly updated to fix security vulnerabilities. You can download the latest version of the Java Runtime Environment (JRE) from here. Download, install and reboot your computer. You also need to uninstall older versions of Java:

  • Click Start
  • Select Control Panel
  • Select Add or Remove Programs
  • Remove all Java updates except the latest one you have just installed.

Update Adobe Acrobat Reader to latest version. You can download it HERE.

Suggestion:

Foxit is a great free PDF alternative. It uses fewer system resources and is not vulnerable to the exploits affecting Adobe Reader. Providing full PDF functionality, Foxit is rapidly becoming the PDF reader of choice for many. Get it here.



Removing the tools we used:

Reset System Restore points:

  • Please reopen OTL on your desktop.
  • Copy (select all lines inside the quote box and press CTRL+C) and Paste (press CTRL+V) the following code into the Custom Scans/Fixes textbox.

    :Commands
    [ClearAllRestorePoints]

  • Click on the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click on the OK button.

NEXT...

OTL Clean-Up:

  • Reopen OTL on your desktop.
  • Click on CleanUp
  • You will be prompted to reboot your system. Please do so.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.


There are a few things I recommend you to do once your computer is completely clean:

Other Software Updates - Go HERE to scan your computer for any out of date software at least once per week. The vast majority of virus, worm and spyware infections could have been prevented, if the user had kept their software up-to-date. You should do everything you can to keep your software up-to-date. Doing so will help you prevent infections and the headaches that follow them.

Web Browsers - Picking the right internet browser is very important. You need to find one that suits your needs but that is also safe. All browsers listed below are far more secure than Internet Explorer, immune to almost all known browser hijackers, and also have the best built-in pop up blockers.

If you prefer staying with Internet Explorer, I highly recommend you do this:

Make Internet Explorer more secure:
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the options Download signed and unsigned ActiveX controls to Prompt, and Initialize and Script ActiveX controls not marked as safe to Disable.
  • Next click OK, then Apply button and then OK to exit the Internet Properties page.

Tips to protect yourself against malware and reduce the potential for re-infection:

Now after all these steps, your PC will be more secure. However it is important to note that you can still get infected if you are not careful. One of the best security programs you can have is common sense. As malware gets more sophisticated, you need to be more wary. If you do get caught though and the above steps can't help prevent it, we will be here to help you out.

Stay secure and thank you for choosing GeeksToGo.
  • 0