ComboFix 09-02-05.02 - roykwan 2009-02-06 20:32:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.950.886.1028.18.3326.2808 [GMT 8:00]
執行位置: c:\documents and settings\roykwan\桌面\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*
* 成功創造新還原點
.
((((((((((((((((((((((((((((((((((((((( 被刪除的檔案 )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\_000111_.tmp.dll
.
((((((((((((((((((((((((( 2009-01-06 至 2009-02-06 的新的檔案 )))))))))))))))))))))))))))))))
.
2009-02-06 20:27 . 2009-02-03 16:07 251,392 --a------ C:\hijackthis_sfx.exe
.
(((((((((((((((((((((((((((((((((((((((( 在三個月內被修改的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-06 12:34 24,944 ----a-w c:\windows\system32\drivers\GVTDrv.sys
2009-02-06 12:34 16,608 ----a-w c:\windows\gdrv.sys
2009-02-06 12:34 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-02-06 12:33 221,216 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-02-06 12:33 2,884 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-02-06 12:33 15,156 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-02-06 12:33 1,265,184 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-02-05 16:43 89,601 ----a-w c:\windows\system32\drivers\klick.dat
2009-02-05 16:43 33,808 ----a-w c:\windows\system32\drivers\klbg.sys
2009-02-05 16:43 101,287 ----a-w c:\windows\system32\drivers\klin.dat
2009-02-05 16:31 --------- d-----w c:\program files\Kaspersky Lab
2009-02-05 16:29 1,606 ----a-w c:\windows\system32\PerfStringBackup.TMP
2009-02-05 16:27 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-05 16:27 --------- d-----w c:\program files\GIGABYTE
2009-02-05 16:27 --------- d-----w c:\program files\Common Files\InstallShield
2009-02-05 16:27 --------- d-----w c:\documents and settings\All Users\Application Data\InstallShield
2009-02-05 16:24 --------- d-----w c:\program files\Realtek
2009-02-05 16:24 --------- d-----w c:\documents and settings\roykwan\Application Data\InstallShield
2009-02-05 16:22 319,488 ----a-w c:\windows\HideWin.exe
2009-02-05 16:19 --------- d-----w c:\program files\Intel
2009-02-05 16:12 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-05 16:12 --------- d-----w c:\program files\AGEIA Technologies
2009-02-05 16:04 --------- d-----w c:\program files\microsoft frontpage
2009-01-07 03:28 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-12-10 01:45 70,936 ----a-w c:\windows\system32\PhysXLoader.dll
2008-12-04 01:28 24,344 ----a-w c:\windows\system32\PhysXDevice.dll
2008-11-26 00:55 288,024 ----a-w c:\windows\system32\PhysXCplUI.exe
2008-11-25 00:38 288,024 ----a-w c:\windows\system32\PhysXCompatCplUI.exe
2008-11-11 12:00 218,376 ----a-w c:\windows\system32\klogon.dll
.
((((((((((((((((((((((((((((((((((((( 重要登入點 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白與合法缺省登錄將不會被顯示
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEST"="m\?" [?]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"EasyTuneVI"="c:\program files\GIGABYTE\ET6\ETcall.exe" [2007-07-26 20480]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"GBTUpd"="c:\program files\GIGABYTE\GBTUpd\PreRun.exe" [2008-04-03 297480]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-02-06 206088]
"nwiz"="nwiz.exe" [2009-01-15 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 c:\windows\RTHDCPL.exe]
"SoundMan"="SOUNDMAN.EXE" [2008-06-18 c:\windows\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [2008-06-19 c:\windows\alcwzrd.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 33808]
R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [2009-02-06 68136]
R3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [2009-02-06 24944]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-04-30 24592]
.
.
------- 額外的掃描 -------
.
uInternet Connection Wizard,ShellNext = hxxp://hk.yahoo.com/
IE: "新增至廣告橫幅防護" - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-02-06 20:34:41
Windows 5.1.2600 Service Pack 2 NTFS
掃描被隱藏的進程 。。。
掃描被隱藏的啟動組 。。。
掃描被隱藏的文件 。。。
c:\windows\system32\GVTunner.ref 4 bytes
掃描完成
被隱藏的檔案: 1
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1715567821-1454471165-839522115-1003\Software\Microsoft\Internet Explorer\MenuExt\"*送?粻JTkjE^2?*]
@="c:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 2009\\ie_banner_deny.htm"
"Contexts"=dword:00000002
"CreatedByKIS"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"
[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CurVer]
@="BDATuner.元件.1"
.
------------------------ 其他運行進程 ------------------------
.
c:\windows\system32\conime.exe
c:\windows\system32\rundll32.exe
c:\program files\GIGABYTE\GBTUpd\RunUpd.exe
c:\program files\GIGABYTE\ET6\GUI.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
完成時間: 2009-02-06 20:35:18 - 電腦已重新啟動
ComboFix-quarantined-files.txt 2009-02-06 12:35:16
Pre-Run: 90,538,037,248 位元組可用
Post-Run: 90,630,709,248 位元組可用
WindowsXP-KB310994-SP2-Pro-BootDisk-CHT.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect