I ran a full system scan with Ad-aware on Oct 30, and it reported the following malware.
Snippet from scan log:
Family Id: 1394 Name: Win32.Trojan-Dropper.Delf Category: Malware TAI:10
Item Id: 282037 Value: File: C:\Program Files\Mozilla Firefox\regxpcom.exe
Item Id: 282037 Value: File: C:\Program Files\Thunder Network\Thunder\Components\ExplorerHelper\regxpcom.exe
Actually, the above two files are identical, but Symantec doesn't regard this as a threat, and I also uploaded it to VirusTotal for inspection; here is the result.
I think this is a false-positive report; please verify. Thanks.
File regxpcom.exe received on 10.30.2008 18:40:41 (CET)
Current status: finished
Result: 1/36 (2.78%)
Antivirus Version Last Update Result
AhnLab-V3 2008.10.30.1 2008.10.30 -
AntiVir 7.9.0.10 2008.10.30 -
Authentium 5.1.0.4 2008.10.30 -
Avast 4.8.1248.0 2008.10.30 -
AVG 8.0.0.161 2008.10.30 -
BitDefender 7.2 2008.10.30 -
CAT-QuickHeal 9.50 2008.10.29 -
ClamAV 0.93.1 2008.10.30 -
DrWeb 4.44.0.09170 2008.10.30 -
eSafe 7.0.17.0 2008.10.30 -
eTrust-Vet 31.6.6180 2008.10.29 -
Ewido 4.0 2008.10.30 -
F-Prot 4.4.4.56 2008.10.29 -
F-Secure 8.0.14332.0 2008.10.30 -
Fortinet 3.117.0.0 2008.10.28 -
GData 19 2008.10.30 -
Ikarus T3.1.1.44.0 2008.10.30 -
K7AntiVirus 7.10.512 2008.10.30 -
Kaspersky 7.0.0.125 2008.10.30 -
McAfee 5418 2008.10.30 -
Microsoft 1.4005 2008.10.30 -
NOD32 3570 2008.10.30 -
Norman 5.80.02 2008.10.30 -
Panda 9.0.0.4 2008.10.29 Adware/FBrowsingAdvisor
PCTools 4.4.2.0 2008.10.30 -
Prevx1 V2 2008.10.30 -
Rising 21.01.32.00 2008.10.30 -
SecureWeb-Gateway 6.7.6 2008.10.30 -
Sophos 4.35.0 2008.10.30 -
Sunbelt 3.1.1764.1 2008.10.29 -
Symantec 10 2008.10.30 -
TheHacker 6.3.1.1.134 2008.10.30 -
TrendMicro 8.700.0.1004 2008.10.30 -
VBA32 3.12.8.9 2008.10.30 -
ViRobot 2008.10.30.1445 2008.10.30 -
VirusBuster 4.5.11.0 2008.10.30 -
Additional information
File size: 9952 bytes
MD5...: 0ca935807d52b6174c6d8f5eb4f5d9e4
SHA1..: 6add4d5dd1488a7418e45953a270d355ea396c8b
SHA256: 43f2009661e1d7628c30eadc0aca45de5415ed98715342d2e60bc82f561a0de4
SHA512: fc18df378a5de7c9b3b9298e81abbf3c59eeb392742094c19a71f81f97f6fc16d9ab67ea8331125ddfe7c4cedda280d70b0a25de76e9273b008deb8e04b76b4d
PEiD..: Armadillo v1.71
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x401c5a
timedatestamp.....: 0x44407e03 (Sat Apr 15 05:00:51 2006)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xdb0 0xe00 6.01 e75a7a85171aa99e27a62504dbd84d69
.rdata 0x2000 0x57c 0x600 4.58 e8f28daf5835722768ca0f9d1579dc11
.data 0x3000 0x1740 0xc00 3.72 3e48c38cdd542a6a09f2fd019b0dcbd1
( 5 imports )
> nspr4.dll: PR_SetEnv, PR_GetEnv, PR_smprintf, PR_smprintf_free, PR_LoadLibraryWithFlags, PR_UnloadLibrary, PR_FindSymbol, PR_Free, PR_GetLibraryFilePathname, PR_FindSymbolAndLibrary
> plc4.dll: PL_strrchr
> KERNEL32.dll: GetModuleFileNameA, SetCurrentDirectoryA
> ADVAPI32.dll: RegOpenKeyExA, RegQueryValueExA, RegCloseKey
> MSVCRT.dll: free, memset, strlen, _controlfp, _except_handler3, _stat, __p__commode, _adjust_fdiv, __p__fmode, _initterm, __getmainargs, __setusermatherr, exit, __3@YAXPAX@Z, strcmp, __2@YAPAXI@Z, printf, _fullpath, sprintf, malloc, __set_app_type, _XcptFilter, __p___initenv, strcpy, fclose, strncmp, fgets, fopen, _exit
( 0 exports )