ComboFix 09-01-17.01 - Administrator 2009-01-18 3:37:10.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.950.1.1028.18.959.750 [GMT 8:00]
執行位置: c:\documents and settings\Administrator\桌面\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*
注意 - 這台電腦沒有安裝恢復控制台 !!
.
((((((((((((((((((((((((((((((((((((((( 被刪除的檔案 )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Antivirus 2009
c:\program files\Antivirus 2009\av2009.exe
c:\windows\Downloaded Program Files\setup.inf
c:\windows\fxstaller.exe
c:\windows\system32\ieupdates.exe
c:\windows\system32\ljJARijG.dll
c:\windows\system32\ljJBqooN.dll
c:\windows\system32\mlJCSjkj.dll
c:\windows\system32\mlJYopol.dll
c:\windows\system32\mycpkakc.dll
c:\windows\system32\NooqBJjl.ini
c:\windows\system32\NooqBJjl.ini2
c:\windows\system32\pmnkLDwT.dll
c:\windows\system32\qoMeCuvW.dll
c:\windows\system32\rqRHxxwt.dll
c:\windows\system32\ssqQkKeE.dll
c:\windows\system32\tuvSlmKE.dll
c:\windows\system32\tuvWomLB.dll
c:\windows\system32\vtUooPiJ.dll
c:\windows\system32\xxyvwVlI.dll
c:\windows\system32\yaywxWqo.dll
.
((((((((((((((((((((((((( 2008-12-17 至 2009-01-17 的新的檔案 )))))))))))))))))))))))))))))))
.
2009-01-18 00:54 . 2003-03-24 09:47 140 --a------ c:\windows\regres.bat
2009-01-18 00:27 . 2007-11-01 16:16 38 --a------ C:\nope.bat
2009-01-18 00:26 . 2009-01-18 00:26 135,567 --a------ C:\biin.exe
2009-01-18 00:14 . 2009-01-18 01:07 4,014 --a------ C:\pip.exe
2009-01-17 19:44 . 2009-01-17 19:49 1,407,272 --ahs---- c:\windows\system32\ckakpcym.ini
2009-01-17 19:42 . 2009-01-18 00:28 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-07 17:39 . 2008-03-12 12:39 608,367 --a------ C:\5.rm
2009-01-07 17:27 . 2009-01-07 17:27 1,421,981 --a------ C:\151AC86467.wma.nv!
2008-12-28 23:44 . 2008-12-28 23:44 <DIR> d-------- c:\program files\GIF Movie Gear
2008-12-24 17:55 . 2008-12-24 17:55 <DIR> d-------- c:\program files\Easy GIF Animator
2008-12-21 06:28 . 2008-12-21 06:28 <DIR> d-------- c:\windows\Sun
2008-12-21 06:27 . 2008-12-21 06:27 <DIR> d-------- c:\program files\Java
2008-12-21 06:27 . 2008-12-21 06:27 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-21 06:27 . 2008-12-21 06:27 73,728 --a------ c:\windows\system32\javacpl.cpl
.
(((((((((((((((((((((((((((((((((((((((( 在三個月內被修改的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-17 16:15 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-09 16:35 --------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2009-01-04 13:23 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-28 09:29 --------- d-----w c:\program files\Common Files\Adobe
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-09 18:04 --------- d-----w c:\program files\Trend Micro
2008-12-09 17:57 80,400 ----a-w c:\windows\system32\drivers\tmtdi.sys
2008-12-09 17:57 50,192 ----a-w c:\windows\system32\drivers\tmactmon.sys
2008-12-09 17:57 49,680 ----a-w c:\windows\system32\drivers\tmevtmgr.sys
2008-12-09 17:57 36,368 ----a-w c:\windows\system32\drivers\tmpreflt.sys
2008-12-09 17:57 334,352 ----a-w c:\windows\system32\drivers\TM_CFW.sys
2008-12-09 17:57 205,328 ----a-w c:\windows\system32\drivers\tmxpflt.sys
2008-12-09 17:57 144,912 ----a-w c:\windows\system32\drivers\tmcomm.sys
2008-12-09 17:57 1,195,448 ----a-w c:\windows\system32\drivers\vsapint.sys
2008-12-07 17:05 --------- d-----w c:\program files\FlashFXP
2008-12-07 17:05 --------- d-----w c:\documents and settings\All Users\Application Data\FlashFXP
2008-12-07 16:59 --------- d-----w c:\documents and settings\Administrator\Application Data\FlashFXP
2008-11-14 17:29 24,496 ----a-w c:\documents and settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( 重要登入點 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白與合法缺省登錄將不會被顯示
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-12-10 497008]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-07-12 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-07-12 455168]
"TMRUBottedTray"="c:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2007-12-19 288088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-02 196608]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-12-10 970808]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-21 136600]
"INTERNAT"="INTERNAT.exe" [2004-07-06 c:\windows\system32\internat.exe]
"VTTimer"="VTTimer.exe" [2004-01-15 c:\windows\system32\VTTimer.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-12-10 497008]
"ctfmon.exe"="ctfmon.exe" [2004-07-12 c:\windows\system32\ctfmon.exe]
c:\documents and settings\Default User\「開始」功能表\程式集\啟動\
Dialog Box Assistant.lnk - c:\program files\OSDEx\OSDEx.exe [2002-04-26 35328]
c:\documents and settings\Default User\「開始」功能表\程式集\啟動\
Dialog Box Assistant.lnk - c:\program files\OSDEx\OSDEx.exe [2002-04-26 35328]
c:\documents and settings\Administrator\「開始」功能表\程式集\啟動\
Dialog Box Assistant.lnk - c:\program files\OSDEx\OSDEx.exe [2002-04-26 35328]
c:\documents and settings\All Users\「開始」功能表\程式集\啟動\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-12-28 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"vidc.vp31"= vp31vfw.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\ljJBqooN
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\U1 Technology\\LFO\\LFO.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-04-30 97928]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-12-10 334352]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2008-04-28 35216]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-04 875288]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-04 231704]
R4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-04-30 76040]
R4 RUBotted;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [2008-04-28 517456]
R4 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-12-10 49680]
R4 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-12-10 36368]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-04-28 747912]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2008-04-28 35216]
S4 PDSched;PDScheduler;c:\program files\Raxco\PerfectDisk\PDSched.exe [2004-11-01 237635]
S4 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2008-12-10 492888]
S4 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2008-12-10 677128]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24c2afc3-4acf-11d9-928e-806d6172696f}]
\Shell\AutoRun\command -
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2645fa73-4b27-11d9-9f70-806d6172696f}]
\Shell\AutoRun\command -
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{746d0ee3-4ad4-11d9-b44b-806d6172696f}]
\Shell\AutoRun\command -
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be5ba9b3-4aca-11d9-ae8a-806d6172696f}]
\Shell\AutoRun\command -
.
‘計劃任務’ 文件夾 裡的內容
2009-01-17 c:\windows\Tasks\ygnhkfyz.job
- c:\windows\system32\rundll32.exe [2004-07-12 08:00]
2009-01-17 c:\windows\Tasks\查看 Windows Live Toolbar 的更新資訊.job
- c:\program files\Windows Live Toolbar\\MSNTBUP.EXE [2007-10-19 11:20]
.
- - - - ORPHANS REMOVED - - - -
BHO-{0B014B81-4E12-46F9-806F-55867AF8FD3C} - c:\windows\system32\winsystems.dll
BHO-{27487FB5-59E8-4178-ADE5-33F873193563} - c:\windows\system32\ljJBqooN.dll
HKCU-Run-ProcessSupervisorGUI - c:\program files\Process Lasso\ProcessSupervisor.exe
HKLM-Run-IMJPMIG8.1 - c:\windows\IME\imjp8_1\IMJPMIG.EXE
HKLM-Run-Cmaudio - cmicnfg.cpl
.
------- 額外的掃描 -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: 使用影音傳送帶下載 - c:\program files\Xi\NetTransport 2\NTAddLink.html
IE: 使用影音傳送帶下載全部連結 - c:\program files\Xi\NetTransport 2\NTAddList.html
IE: 剪貼簿文字: 簡 > 繁 - c:\program files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToTrad
IE: 剪貼簿文字: 繁 > 簡 - c:\program files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToSim
IE: 匯出至 Microsoft Excel(&X) - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: 網頁: [簡體] 顯示 - c:\program files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToSim
IE: 網頁: [繁體] 顯示 - c:\program files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToTrad
c:\windows\Downloaded Program Files\EWinSecurityAX.dll - c:\windows\Downloaded Program Files\EWinECertRegAX.dll
c:\windows\Downloaded Program Files\EWinSKey.dll
c:\windows\Downloaded Program Files\IEZoneSet.exe
c:\windows\Downloaded Program Files\IEZoneHlp.dll
O16 -: {003FACAF-40CB-4358-96D2-B0D8CEF4DBF5}
hxxps://bet.hongkongjockeyclub.com/ib/skey/ch/cab/eWinCtl.cab
c:\windows\Downloaded Program Files\eWinCtl.inf
c:\windows\Downloaded Program Files\ewidoOnlineScan.dll - O16 -: {193C772A-87BE-4B19-A7BB-445B226FE9A1}
hxxp://downloads.ewido.net/ewidoOnlineScan.cab
c:\windows\Downloaded Program Files\LaunchLFO.ocx - O16 -: {33527649-30BB-4C61-9D70-638D64A6670E}
hxxp://www.littlefighteronline.com/hk/yahoo_hk/LaunchLFO.ocx
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-01-18 03:48:30
Windows 5.1.2600 Service Pack 2 NTFS
掃描被隱藏的進程 。。。
掃描被隱藏的啟動組 。。。
掃描被隱藏的文件 。。。
掃描完成
被隱藏的檔案: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\Administrator\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Office\Settings\?_U *O*f*f*i*c*e* *囻譸\File Name MRU]
"Value"=multi:"\
00\
00"
"Maximum Entries"=dword:0000000a
[HKEY_USERS\Administrator\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Office\Settings\?_U *O*f*f*i*c*e* *囻譸\View]
"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
56,68,0d,00,fa,08,00,00,56,68,0d,00,fa,08,00,00,56,68,0d,00,fa,08,00,00,56,\
[HKEY_USERS\Administrator_Classes\CLSID\{6994A7F3-4AF1-4621-BFA0-911D8AF7788C}\?te'*]
@=""
[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"
[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CurVer]
@="BDATuner.元件.1"
.
------------------------ 其他運行進程 -------------------------
.
c:\windows\system32\conime.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
完成時間: 2009-01-18 3:52:39 - 電腦已重新啟動
ComboFix-quarantined-files.txt 2009-01-17 19:52:29
Pre-Run: 11,079,458,816 位元組可用
Post-Run: 13,190,848,512 位元組可用
224 --- E O F --- 2009-01-14 22:37:25