Continued .....
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53cfe12c-95b0-11dc-9e4c-0030f1dc24c0}]
\Shell\AutoRun\command - k:\.\Q9\q9xpb5dl.exe
\Shell\Q9\command - k:\.\Q9\Q9Runner.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbba4fc3-2a26-11dd-a0f4-0030f1dc24c0}]
\Shell\Auto\command - setup.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe
.
.
------- 而外的掃描 -------
.
uStart Page = hxxp://hk.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &使用BitComet下載本頁視頻 - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: 使用BitComet下載全部鏈接 - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: 使用BitComet下載鏈接(&B) - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: 匯出至 Microsoft Excel(&X) - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: {003FACAF-40CB-4358-96D2-B0D8CEF4DBF5} - hxxps://bet.hongkongjockeyclub.com/ib/skey/ch/cab/eWinCtl.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {D4ACE027-B115-4181-82CF-831C68235CAB} - hxxp://hot1.vdown.21cn.com/rmdownload/drm/data3/eyejoy/ppsbase.cab
FF - ProfilePath -
---- 火狐配置文件 ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-04-24 22:30
Windows 5.1.2600 Service Pack 3 NTFS
掃描被隱藏的進程 。。。
掃描被隱藏的啟動組 。。。
掃描被隱藏的文件 。。。
掃描完成
被隱藏的檔案: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\vsdatant]
"ImagePath"="a"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"
[HKEY_USERS\LocalService\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"
[HKEY_USERS\S-1-5-20\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"
[HKEY_USERS\S-1-5-21-641528987-1222926196-109803688-1003\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"
[HKEY_USERS\S-1-5-21-641528987-1222926196-109803688-1003\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Excel\Settings\灀送xe<:* *R*e*f*\File Name MRU]
"Value"=multi:"\
00\
00"
"Maximum Entries"=dword:0000000a
[HKEY_USERS\S-1-5-21-641528987-1222926196-109803688-1003\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Excel\Settings\灀送xe<:* *R*e*f*\View]
"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
8b,44,0d,00,fa,08,00,00,8b,44,0d,00,fa,08,00,00,8b,44,0d,00,fa,08,00,00,8b,\
[HKEY_USERS\S-1-5-21-641528987-1222926196-109803688-1003\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Office\Settings\?_U *O*f*f*i*c*e* *譸\File Name MRU]
"Value"=multi:"\
00\
00"
"Maximum Entries"=dword:0000000a
[HKEY_USERS\S-1-5-21-641528987-1222926196-109803688-1003\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Office\Settings\?_U *O*f*f*i*c*e* *譸\View]
"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
8b,44,0d,00,fa,08,00,00,8b,44,0d,00,fa,08,00,00,8b,44,0d,00,fa,08,00,00,8b,\
[HKEY_USERS\S-1-5-21-1614895754-2025429265-725345543-1003_Classes\O*v*e*r*t*u*r*e* * j\
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_USERS\S-1-5-21-1614895754-2025429265-725345543-1003_Classes\O*v*e*r*t*u*r*e* * j\DefaultIcon]
@=expand:"%APPDATA%\\Microsoft\\Installer\\{50ADDF79-3249-4679-B527-3FB8C5EA99E5}\\_294823.exe,0"
[HKEY_USERS\S-1-5-21-1614895754-2025429265-725345543-1003_Classes\O*v*e*r*t*u*r*e* * j\shell]
@="open"
[HKEY_USERS\S-1-5-21-1614895754-2025429265-725345543-1003_Classes\O*v*e*r*t*u*r*e* * j\shell\open]
@="開啟(&O)"
[HKEY_USERS\S-1-5-21-1614895754-2025429265-725345543-1003_Classes\O*v*e*r*t*u*r*e* * j\shell\open\command]
@="\"c:\\Program Files\\Overture 4.0 繁體中文版\\Overture.exe\" \"%1\""
"command"=multi:"%_(xAdi9`=RGK6dXKNlr>?%)duR)D9Xu~OSIW`PT- \"%1\"\
00\
00"
[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"
[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CurVer]
@="BDATuner.元件.1"
.
--------------------- 運行進程下的動態鏈接庫 ---------------------
- - - - - - - > 'winlogon.exe'
c:\windows\system32\Ati2evxx.dll
c:\program files\Symantec\Symantec Endpoint Protection\SnacNp.dll
- - - - - - - > 'explorer.exe'
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\windows\system32\ConnAPI.DLL
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_chi-hk.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Symantec\Symantec Endpoint Protection\SnacNp.dll
.
------------------------ 其他運行進程 ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\drivers\CDANTSRV.EXE
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\conime.exe
c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
c:\progra~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
c:\program files\Common Files\PCSuite\Services\ServiceLayer.exe
c:\windows\javas.exe
c:\windows\cssrs.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Symantec\Symantec Endpoint Protection\SavUI.exe
.
**************************************************************************
.
完成時間: 2009-04-24 22:39 - 電腦已重新啟動
ComboFix-quarantined-files.txt 2009-04-24 14:39
ComboFix2.txt 2009-04-24 09:46
Pre-Run: 96,631,582,720 位元組可用
Post-Run: 96,612,315,136 位元組可用
348 --- E O F --- 2009-04-16 15:44