ComboFix 08-09-28.01 - Chui 2008-09-30 0:27:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.950.1.1028.18.132 [GMT 8:00]
°õ¦æ¦ì¸m: C:\Documents and Settings\Chui\®à­±\ComboFix.exe
 * ¤w«Ø¥ß·sªºÁÙ­ìÂI
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
((((((((((((((((((((((((((((((((((((((   ¨ä¥L¾D§R°£ªºÀÉ®×   ))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Chui\My Documents\My Music\[12-21] ªF¨È¸s¬P - Songs Of Painting ·sºq+ºë¿ï ÂøÀA¤jºÐ(AVCD)\_desktop.ini
C:\Documents and Settings\Chui\My Documents\My Music\bb­µ¼Ö\_desktop.ini
C:\Documents and Settings\Chui\My Documents\My Music\mp3­µ¼Ö\_desktop.ini
C:\Documents and Settings\Chui\My Documents\My Music\mp3­µ¼Ö\INF\_desktop.ini
C:\Documents and Settings\Chui\My Documents\My Music\mp3­µ¼Ö\ȺÐÇ - ¿Ì¹ÇÃúÐÄ[192KVBR][234MB]\_desktop.ini
C:\Documents and Settings\Chui\My Documents\My Music\¸s¬P-¦~²×2005·¥¿ï ³Ì¬õ«a­x»R¦±·¥­­¥þ°O¿ý\_desktop.ini
C:\Documents and Settings\Chui\My Documents\My Music\ÁºÑãôá - ²ØÐÄ[192K][70MB]\_desktop.ini
C:\Documents and Settings\Chui\My Documents\¤uµ{\_desktop.ini
C:\Documents and Settings\Chui\My Documents\¥Í¬Û¤ù\_desktop.ini
C:\Documents and Settings\Chui\My Documents\¥Í¬Û¤ù\·s¸ê®Æ§¨\_desktop.ini
C:\WINDOWS\mrgtask.ini
C:\WINDOWS\system32\369774CA.cfg
C:\WINDOWS\system32\495271CA.cfg
C:\WINDOWS\system32\4BF9CBA3.cfg
C:\WINDOWS\system32\5184B75C.cfg
C:\WINDOWS\system32\53360697.cfg
C:\WINDOWS\system32\6AECFF9B.cfg
C:\WINDOWS\system32\8566F82E.cfg
C:\WINDOWS\system32\9CA963CA.cfg
C:\WINDOWS\system32\aecff9.sys
C:\WINDOWS\system32\aoqnabib.sys
C:\WINDOWS\system32\C5350C93.cfg
C:\WINDOWS\system32\catsrvwl.nls
C:\WINDOWS\system32\cliconfgzx.nls
C:\WINDOWS\system32\cmbdafk.exe
C:\WINDOWS\system32\drivers\HBKernel32.sys
C:\WINDOWS\system32\drivers\msiffei.sys
C:\WINDOWS\system32\EBE50EA1.cfg
C:\WINDOWS\system32\etshabty.exe
C:\WINDOWS\system32\fzmsbwin.sys
C:\WINDOWS\system32\gpsgajba.sys
C:\WINDOWS\system32\gpzhatde.sys
C:\WINDOWS\system32\ijsgajba.sys
C:\WINDOWS\system32\ijzhatde.sys
C:\WINDOWS\system32\jashbbty.sys
C:\WINDOWS\system32\kbdswjr.nls
C:\WINDOWS\system32\kub12.dll
C:\WINDOWS\system32\kub12.exe
C:\WINDOWS\system32\mfdesy.dll.LoG
C:\WINDOWS\system32\mstimewd.nls
C:\WINDOWS\system32\mtewdh.dll.LoG
C:\WINDOWS\system32\scrruncqsj.nls
C:\WINDOWS\system32\smmhbsrv.sys
C:\WINDOWS\system32\spmybapi.sys
C:\WINDOWS\system32\tdffdl.dll.LoG
C:\WINDOWS\system32\thermaltinck.exe
C:\WINDOWS\system32\toqnabib.sys
C:\WINDOWS\system32\xfztbmsn.sys
C:\WINDOWS\Winxp.dll

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AECFF9
-------\Legacy_HBKERNEL32
-------\Service_aecff9
-------\Service_d7ba6e
-------\Service_HBKernel32
-------\Service_Hdv32
-------\Service_msIffei


((((((((((((((((((((((((((((   2008-08-28 - 2008-09-29 ¤§¶¡«Ø¥ßªºÀÉ®×   )))))))))))))))))))))))))))))))))
.

2008-09-30 00:25 . 2008-09-30 00:25 d-------- C:\_OTMoveIt
2008-09-27 23:44 . 2008-09-27 23:44 d-------- C:\Program Files\Trend Micro
2008-09-27 23:30 . 2008-09-27 23:31 d-------- C:\Program Files\Maxthon2
2008-09-27 23:30 . 2008-09-30 00:11 d-------- C:\Documents and Settings\Chui\Application Data\MxBoost
2008-09-21 20:16 . 2008-09-21 20:16 428 --a------ C:\WINDOWS\system32\rqyvzaai.nls
2008-09-21 20:16 . 2008-09-21 20:16 288 --a------ C:\WINDOWS\system32\omhwjxrn.nls
2008-09-21 20:16 . 2008-09-21 20:16 288 --a------ C:\WINDOWS\system32\lkcxolcn.nls
2008-09-21 20:16 . 2008-09-21 20:16 148 --a------ C:\WINDOWS\system32\xcunltce.nls
2008-09-21 20:16 . 2008-09-21 20:16 148 --a------ C:\WINDOWS\system32\wtsapi32yt2.nls
2008-09-21 20:16 . 2008-09-21 20:16 148 --a------ C:\WINDOWS\system32\eiugimic.nls
2008-09-21 20:15 . 2008-09-21 20:15 428 --a------ C:\WINDOWS\system32\ulptxuad.nls
2008-09-21 20:15 . 2008-09-21 20:15 428 --a------ C:\WINDOWS\system32\nysjmbxi.nls
2008-09-20 16:42 . 2008-09-20 16:42 288 --a------ C:\WINDOWS\system32\alvpldvo.nls
2008-09-20 16:41 . 2008-09-20 16:41 428 --a------ C:\WINDOWS\system32\zthaword.nls
2008-09-20 16:41 . 2008-09-20 16:41 428 --a------ C:\WINDOWS\system32\gysmfskj.nls
2008-09-20 16:41 . 2008-09-20 16:41 428 --a------ C:\WINDOWS\system32\dkmujnte.nls
2008-09-20 16:41 . 2008-09-20 16:41 288 --a------ C:\WINDOWS\system32\drqbmldm.nls
2008-09-20 16:41 . 2008-09-20 16:41 148 --a------ C:\WINDOWS\system32\jxjfmoez.nls
2008-09-20 14:27 . 2008-09-20 14:27 288 --a------ C:\WINDOWS\system32\jpfyahee.nls
2008-09-20 12:00 . 2008-09-20 12:00 288 --a------ C:\WINDOWS\system32\klgjqolh.nls
2008-09-20 11:17 . 2008-09-20 11:17 428 --a------ C:\WINDOWS\system32\sitrosxu.nls
2008-09-20 08:16 . 2008-09-20 08:16 428 --a------ C:\WINDOWS\system32\xgnymdoc.nls
2008-09-20 08:16 . 2008-09-20 08:16 428 --a------ C:\WINDOWS\system32\nyapkhce.nls
2008-09-20 00:56 . 2008-09-20 00:56 288 --a------ C:\WINDOWS\system32\agvlckdj.nls
2008-09-20 00:55 . 2008-09-20 00:55 428 --a------ C:\WINDOWS\system32\munzzyam.nls
2008-09-20 00:55 . 2008-09-20 00:55 428 --a------ C:\WINDOWS\system32\izwsjvrj.nls
2008-09-20 00:55 . 2008-09-20 00:55 428 --a------ C:\WINDOWS\system32\cxpbdexx.nls

.
((((((((((((((((((((((((((((((((((((   ªñ¤T­Ó¤ë¤º§ó°ÊªºÀÉ®×   )))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-29 14:16 --------- d-----w C:\Documents and Settings\Chui\Application Data\AVG7
2008-09-19 13:20 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-19 08:37 --------- d-----w C:\Documents and Settings\Chui\Application Data\MSNShell
2008-09-13 02:03 --------- d-----w C:\Program Files\GrandChase
2008-08-23 02:46 --------- d-----w C:\Program Files\gamania
2008-08-21 06:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\NexonTW
2008-08-16 16:46 --------- d-----w C:\Program Files\PPStream
2008-08-16 16:46 --------- d-----w C:\Program Files\MSN Messenger
2008-08-06 04:06 --------- d-----w C:\Documents and Settings\Chui\Application Data\ppstream
2008-07-31 18:28 --------- d-----w C:\Program Files\Stamina
2008-07-31 17:52 --------- d-----w C:\Documents and Settings\Chui\Application Data\U3
2006-10-20 11:42 102,400 ----a-w C:\Documents and Settings\Chui\com_securenetasia_p11wrapper2.dll
2004-10-01 07:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2004-08-08 01:13 520 --sh--w C:\WINDOWS\system32\smdsbsrv.sys

.
((((((((((((((((((((((((((((((((((((((((((   ­«­nµn¿ýÀÉ   )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*ª`·N* ªÅ¥Õ©Î¦Xªkªºµn¿ý­È±N¤£·|Åã¥Ü
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"ezHelper"="C:\Program Files\ezHelper\ezHelper.exe" [2007-08-02 458760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"RaidTool"="C:\Program Files\VIA\RAID\raid_tool.exe" [2005-04-28 589824]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 1368064]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-10-20 180269]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-01-25 579072]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-28 6731312]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 282624]
"VTTimer"="VTTimer.exe" [2005-03-09 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-03-13 C:\WINDOWS\system32\VTTrayp.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2008-01-25 219136]

C:\Documents and Settings\All Users\¡u¶}©l¡v¥\¯àªí\µ{¦¡¶°\±Ò°Ê\
WL Utility.lnk - C:\Program Files\WIFI_LINK\WL_Utility\ZDWlan.exe [2007-06-30 512000]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\PPStream\\PPStream.exe"=
"C:\\Program Files\\GrandChase\\Main.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Chinesegamer\\WLOnline\\Update.exe"=
"C:\\Documents and Settings\\Chui\\®à­±\\¤¬ËΧڥý\\msnmsgr.exe"=
"C:\\ezPeerPlus\\ezPeerPlus.exe"=
"C:\\Program Files\\MSNShell\\Bin\\engie.exe"=
"C:\\Program Files\\Valve\\hl.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\PPStream\\PPSAP.exe"=
"C:\\Documents and Settings\\Chui\\®à­±\\¤¬ËΧڥý\\aoc¥@¬ö«Ò°êII-©ºªAªÌ¤J«I 2\\aoc\\AgeIICON\\age2_x1.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\Chinesegamer\\WLOnline\\Main.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17472:TCP"= 17472:TCP:BitComet 17472 TCP
"17472:UDP"= 17472:UDP:BitComet 17472 UDP
"20368:TCP"= 20368:TCP:BitComet 20368 TCP
"20368:UDP"= 20368:UDP:BitComet 20368 UDP
"5692:TCP"= 5692:TCP:Foxy (192.168.0.121:5692) 5692 TCP
"5692:UDP"= 5692:UDP:Foxy (192.168.0.121:5692) 5692 UDP

R0 dvkxr;dvkxr;C:\WINDOWS\system32\drivers\dvkxr.sys [2004-08-04 28704]
S3 athrusb;Atheros Wireless LAN USB device driver;C:\WINDOWS\system32\DRIVERS\athrusb.sys [2006-11-30 446976]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\BRGSp50.sys [2005-06-08 20608]
S3 w550bus;Sony Ericsson W550 driver (WDM);C:\WINDOWS\system32\DRIVERS\w550bus.sys [2005-08-01 60928]
S3 w550mdfl;Sony Ericsson W550 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w550mdfl.sys [2005-08-01 8336]
S3 w550mdm;Sony Ericsson W550 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\w550mdm.sys [2005-08-01 96672]
S3 w550mgmt;Sony Ericsson W550 USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\w550mgmt.sys [2005-07-15 88080]
S3 w550obex;Sony Ericsson W550 USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\w550obex.sys [2005-07-15 85952]
S3 ZD1211BU(WIFI LINK);WIFI LINK IEEE 802.11 b+g Wireless LAN Driver (USB)(WIFI LINK);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2006-08-24 477696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{da385626-3b65-11dd-bab4-0015f2c49336}]
\Shell\Auto\command - autorunx.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorunx.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fbbd944c-27c9-11dc-b791-0015f2c49336}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{39852EFE-325B-45EF-9A60-3DBECD2DDDD5} - (no file)
ShellExecuteHooks-{eaa21495-29ae-4e50-8ad9-a4f877c1ab85} - C:\WINDOWS\system32\MMHADPQG1097.dll
ShellExecuteHooks-{00050005-0005-0005-0005-00050005BB15} - (no file)
ShellExecuteHooks-{BA4B5EBD-AB43-4c2b-84F5-F1AD85E79E4A} - (no file)

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Chui\Application Data\Mozilla\Firefox\Profiles\k9kyiv4z.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://zh-CN.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:zh-CN:official
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-30 00:32:34
Windows 5.1.2600 Service Pack 2 NTFS

±½´yÁôÂ꺵{§Ç...
±½´yÁôÂ꺶iµ{...
±½´yÁôÂêºÀÉ®×...

±½´y§¹¦¨
ÁôÂÃÀÉ®×: 0

**************************************************************************
.
------------------------ Other Running Proocesses ------------------------
.
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
§¹¦¨®É¶¡: 2008-09-30 0:38:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-29 16:38:35

Pre-Run: 54,270,971,904 ¦ì¤¸²Õ¥i¥Î
Post-Run: 58,195,042,304 ¦ì¤¸²Õ¥i¥Î

229 --- E O F --- 2008-09-09 22:48:24