Infected with a backdoor trojan and can't delete it (HijackThis and ComboFix reports attached)

Infected with a backdoor trojan (cssrs.exe). My own antivirus, Symantec Endpoint Protection, can't delete it, and I've tried ComboFix too with no luck, help! (HijackThis and ComboFix reports attached)

Also, when shutting down, the computer says ccSvchst.exe has a problem; I don't know whether that's related to ComboFix?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:12:43, on 24/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinRemote.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\pluscri.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\javas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\cssrs.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0\CalCheck.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP 檢視 - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] "C:\Program Files\InterVideo\Common\Bin\WinRemote.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [pluscri] C:\WINDOWS\pluscri.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &使用BitComet下載本頁視頻 - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: 使用BitComet下載全部鏈接 - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: 使用BitComet下載鏈接(&B) - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {003FACAF-40CB-4358-96D2-B0D8CEF4DBF5} (SKeyHelper Class) - https://bet.hongkongjockeyclub.com/ib/skey/ch/cab/eWinCtl.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D4ACE027-B115-4181-82CF-831C68235CAB} (PPSBase Control) - http://hot1.vdown.21cn.com/rmdow ... /eyejoy/ppsbase.cab

Continued .....

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour 服務 (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod 服務 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PsExec (PSEXESVC) - Sysinternals - C:\WINDOWS\PSEXESVC.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O24 - Desktop Component 0: (no name) -

--
End of file - 11071 bytes

ComboFix 09-04-24.01 - Owner 4/2009 Fri 22:20.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.950.852.1028.18.511.155 [GMT 8:00]
執行位置: c:\documents and settings\Owner\桌面\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated)
FW: Symantec Endpoint Protection *disabled*
.

(((((((((((((((((((((((((((((((((((((((   被刪除的檔案   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Owner\LOCALS~1\Temp\IadHide4.dll
c:\documents and settings\Owner\Local Settings\Temp\IadHide4.dll
c:\windows\cssrs.exe
c:\windows\ggcktxt.txt
c:\windows\ggcktxt1.txt
.
---- 早前運行的結果 -------
.
c:\docume~1\Owner\LOCALS~1\Temp\IadHide4.dll
c:\documents and settings\Owner\Local Settings\Temp\IadHide4.dll
c:\windows\cssrs.exe
c:\windows\ggcktxt.txt
c:\windows\ggcktxt1.txt

.
(((((((((((((((((((((((((  2009-05-24 至 2009-4-24 的新的檔案  )))))))))))))))))))))))))))))))
.

2009-04-24 14:31 . 2009-04-24 14:32        184320        ----a-w        c:\windows\cssrs.exe
2009-04-24 10:16 . 2009-04-24 10:30        --------        d-----w        C:\Combo-Fix
2009-04-21 17:57 . 2009-04-21 17:57        --------        d-----w        c:\program files\Trend Micro
2009-04-16 13:38 . 2009-02-06 10:10        227840        -c----w        c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 13:38 . 2009-03-06 14:19        292352        -c----w        c:\windows\system32\dllcache\pdh.dll
2009-04-16 13:38 . 2009-02-09 11:21        110592        -c----w        c:\windows\system32\dllcache\services.exe
2009-04-16 13:38 . 2009-02-09 10:51        401408        -c----w        c:\windows\system32\dllcache\rpcss.dll
2009-04-16 13:38 . 2009-02-09 10:51        473600        -c----w        c:\windows\system32\dllcache\fastprox.dll
2009-04-16 13:38 . 2009-02-09 10:51        707072        -c----w        c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 13:38 . 2009-02-09 10:51        668160        -c----w        c:\windows\system32\dllcache\advapi32.dll
2009-04-16 13:38 . 2009-02-09 10:51        600576        -c----w        c:\windows\system32\dllcache\ntdll.dll
2009-04-16 13:38 . 2009-02-09 10:51        453120        -c----w        c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 13:37 . 2009-03-27 06:48        1203922        -c----w        c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 13:37 . 2008-04-21 21:14        207872        -c----w        c:\windows\system32\dllcache\wordpad.exe
2009-03-27 19:39 . 2009-04-20 19:24        268        ---ha-w        C:\sqmdata19.sqm
2009-03-27 19:39 . 2009-04-20 19:24        244        ---ha-w        C:\sqmnoopt19.sqm
2009-03-27 17:36 . 2009-04-20 19:13        268        ---ha-w        C:\sqmdata18.sqm
2009-03-27 17:36 . 2009-04-20 19:13        244        ---ha-w        C:\sqmnoopt18.sqm
2009-03-26 18:52 . 2009-04-20 17:43        268        ---ha-w        C:\sqmdata17.sqm
2009-03-26 18:52 . 2009-04-20 17:43        244        ---ha-w        C:\sqmnoopt17.sqm
2009-03-25 18:51 . 2009-04-20 17:24        268        ---ha-w        C:\sqmdata16.sqm
2009-03-25 18:51 . 2009-04-20 17:24        244        ---ha-w        C:\sqmnoopt16.sqm
2009-03-25 17:25 . 2009-04-19 20:12        268        ---ha-w        C:\sqmdata15.sqm
2009-03-25 17:25 . 2009-04-19 20:12        244        ---ha-w        C:\sqmnoopt15.sqm

.
((((((((((((((((((((((((((((((((((((((((   在三個月內被修改的檔案   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-22 17:41 . 2009-03-22 19:22        268        ---ha-w        C:\sqmdata10.sqm
2009-04-22 17:41 . 2009-03-22 19:22        244        ---ha-w        C:\sqmnoopt10.sqm
2009-04-22 14:11 . 2009-03-21 17:52        268        ---ha-w        C:\sqmdata09.sqm
2009-04-22 14:11 . 2009-03-21 17:52        244        ---ha-w        C:\sqmnoopt09.sqm
2009-04-22 13:54 . 2009-03-21 13:49        268        ---ha-w        C:\sqmdata08.sqm
2009-04-22 13:54 . 2009-03-21 13:49        244        ---ha-w        C:\sqmnoopt08.sqm
2009-04-22 13:47 . 2009-03-21 05:13        268        ---ha-w        C:\sqmdata07.sqm
2009-04-22 13:47 . 2009-03-21 05:13        244        ---ha-w        C:\sqmnoopt07.sqm
2009-04-22 12:21 . 2009-03-20 15:32        268        ---ha-w        C:\sqmdata06.sqm
2009-04-22 12:21 . 2009-03-20 15:32        244        ---ha-w        C:\sqmnoopt06.sqm
2009-04-21 19:08 . 2009-03-20 05:11        268        ---ha-w        C:\sqmdata05.sqm
2009-04-21 19:08 . 2009-03-20 05:11        244        ---ha-w        C:\sqmnoopt05.sqm
2009-04-21 17:41 . 2009-03-19 19:29        268        ---ha-w        C:\sqmdata04.sqm
2009-04-21 17:41 . 2009-03-19 19:29        244        ---ha-w        C:\sqmnoopt04.sqm
2009-04-21 13:11 . 2009-03-19 05:16        268        ---ha-w        C:\sqmdata03.sqm
2009-04-21 13:11 . 2009-03-19 05:16        244        ---ha-w        C:\sqmnoopt03.sqm
2009-04-21 08:35 . 2009-03-18 18:34        268        ---ha-w        C:\sqmdata02.sqm
2009-04-21 08:35 . 2009-03-18 18:34        244        ---ha-w        C:\sqmnoopt02.sqm
2009-04-21 08:28 . 2009-03-18 05:01        268        ---ha-w        C:\sqmdata01.sqm
2009-04-21 08:28 . 2009-03-18 05:01        244        ---ha-w        C:\sqmnoopt01.sqm
2009-04-21 04:46 . 2009-03-18 04:41        268        ---ha-w        C:\sqmdata00.sqm
2009-04-21 04:46 . 2009-03-18 04:41        244        ---ha-w        C:\sqmnoopt00.sqm
2009-04-20 18:25 . 2007-09-19 11:20        --------        d-----w        c:\program files\eMule
2009-04-19 11:16 . 2009-03-25 04:54        268        ---ha-w        C:\sqmdata14.sqm
2009-04-19 11:16 . 2009-03-25 04:54        244        ---ha-w        C:\sqmnoopt14.sqm
2009-04-19 08:28 . 2007-10-03 19:39        --------        d-----w        c:\documents and settings\Owner\Application Data\U3
2009-04-18 19:26 . 2009-03-24 16:09        268        ---ha-w        C:\sqmdata13.sqm
2009-04-18 19:26 . 2009-03-24 16:09        244        ---ha-w        C:\sqmnoopt13.sqm
2009-04-18 13:39 . 2009-03-23 19:12        268        ---ha-w        C:\sqmdata12.sqm
2009-04-18 13:39 . 2009-03-23 19:12        244        ---ha-w        C:\sqmnoopt12.sqm
2009-04-17 19:30 . 2009-03-23 04:48        268        ---ha-w        C:\sqmdata11.sqm
2009-04-17 19:30 . 2009-03-23 04:48        244        ---ha-w        C:\sqmnoopt11.sqm
2009-04-16 17:23 . 2007-12-02 04:58        2572        ----a-w        c:\windows\system32\PerfStringBackup.TMP
2009-04-16 17:23 . 2004-01-01 17:18        883696        ----a-w        c:\windows\system32\prfh0404.dat
2009-04-16 17:23 . 2004-01-01 17:18        417202        ----a-w        c:\windows\system32\prfc0404.dat
2009-03-13 10:52 . 2009-03-13 10:52        182        ----a-w        C:\drwtsn32.log
2009-03-13 10:01 . 2007-06-19 10:08        149768        ----a-w        c:\windows\system32\drivers\WpsHelper.sys
2009-03-11 14:38 . 2009-03-11 14:09        --------        d-----w        c:\documents and settings\All Users\Application Data\Symantec
2009-03-11 14:37 . 2004-01-02 03:59        --------        d-----w        c:\program files\Common Files\Symantec Shared
2009-03-11 14:12 . 2009-03-11 14:09        --------        d-----w        c:\program files\Symantec
2009-03-11 14:12 . 2009-03-11 14:12        806        ----a-w        c:\windows\system32\drivers\SYMEVENT.INF
2009-03-11 14:12 . 2009-03-11 14:12        60808        ----a-w        c:\windows\system32\S32EVNT1.DLL
2009-03-11 14:12 . 2009-03-11 14:12        136496        ----a-w        c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-11 14:12 . 2009-03-11 14:12        10652        ----a-w        c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-11 13:59 . 2009-03-11 13:59        --------        d-----w        c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-11 12:56 . 2009-03-11 12:52        4        ----a-w        C:\acnaver.txt
2009-03-11 12:52 . 2009-03-11 15:54        229376        ---ha-w        c:\windows\javas.exe
2009-03-11 12:52 . 2009-03-11 12:52        229376        ---h--w        c:\windows\pluscri.exe
2009-03-11 10:07 . 2007-07-28 03:10        --------        d-----w        c:\program files\ESET
2009-03-07 14:45 . 2007-05-23 17:33        --------        d-----w        c:\program files\TVAnts
2009-03-06 14:19 . 2004-08-05 23:29        292352        ----a-w        c:\windows\system32\pdh.dll
2009-03-03 00:03 . 2004-01-21 10:34        826368        ----a-w        c:\windows\system32\wininet.dll
2009-02-20 16:49 . 2004-08-12 01:16        78336        ----a-w        c:\windows\system32\ieencode.dll
2009-02-09 14:03 . 2004-01-01 17:18        1846400        ----a-w        c:\windows\system32\win32k.sys
2009-02-09 11:21 . 2002-09-09 15:35        2023936        ----a-w        c:\windows\system32\ntkrnlpa.exe
2009-02-09 11:21 . 2004-01-01 17:18        2145280        ----a-w        c:\windows\system32\ntoskrnl.exe
2009-02-09 11:21 . 2004-08-05 23:29        110592        ----a-w        c:\windows\system32\services.exe
2009-02-09 10:51 . 2004-01-01 17:18        707072        ----a-w        c:\windows\system32\lsasrv.dll
2009-02-09 10:51 . 2004-08-05 23:24        668160        ----a-w        c:\windows\system32\advapi32.dll
2009-02-09 10:51 . 2004-01-01 04:20        401408        ----a-w        c:\windows\system32\rpcss.dll
2009-02-09 10:51 . 2004-01-01 17:18        600576        ----a-w        c:\windows\system32\ntdll.dll
2009-02-06 10:39 . 2004-08-05 23:29        35328        ----a-w        c:\windows\system32\sc.exe
2009-02-03 19:56 . 2004-08-05 23:29        56832        ----a-w        c:\windows\system32\secur32.dll

Continued .....

2009-01-24 15:59 . 2009-01-11 09:33        550        ----a-w        C:\LiveABC.Log
2009-01-24 15:59 . 2009-01-11 09:33        73216        ----a-w        c:\windows\ST6UNST.EXE
2008-12-03 03:34 . 2004-10-08 13:43        65336        ----a-w        c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-11-15 01:02 . 2004-10-06 13:44        65336        ----a-w        c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-12-27 20:23 . 2006-12-27 20:23        466944        ----a-w        c:\program files\Common Files\MSWORD8.OLB
2004-01-01 04:04 . 2007-07-29 10:14        128        ----a-w        c:\documents and settings\Administrator.HPXP\Local Settings\Application Data\fusioncache.dat
2004-01-01 04:04 . 2004-10-06 05:47        128        ----a-w        c:\windows\system32\config\systemprofile\Local Settings\Application Data\fusioncache.dat
2004-01-01 04:04 . 2004-01-01 04:04        128        ----a-w        c:\documents and settings\Owner\Local Settings\Application Data\fusioncache.dat
1999-04-30 08:2004-10-10 09:19                00:08 .        c:\program files\internet explorer\plugins\UPjpeg.dll
2009-01-14 12:2009-01-14 12:41                41:20 .        c:\program files\mozilla firefox\components\jar50.dll
2009-01-14 12:2009-01-14 12:41                41:21 .        c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-14 12:2009-01-14 12:41                41:20 .        c:\program files\mozilla firefox\components\xpinstal.dll
2008-10-31 17:04 . 2008-10-31 17:05        32768        --sha-w        c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008110120081102\index.dat
.

(((((((((((((((((((((((((((((   SnapShot@2009-04-24_09.36.47   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-24 14:04 . 2009-04-24 14:04        16384              c:\windows\Temp\Perflib_Perfdata_5cc.dat
+ 2009-04-24 14:29 . 2009-04-24 14:29        16384              c:\windows\Temp\Perflib_Perfdata_3d0.dat
+ 2004-01-01 02:33 . 2009-04-24 12:24        32768              c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2004-01-01 02:33 . 2009-04-23 15:32        32768              c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-01-01 02:33 . 2009-04-24 12:24        32768              c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-01-01 02:33 . 2009-04-23 15:32        32768              c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2004-01-01 02:33 . 2009-04-24 12:24        16384              c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2004-01-01 02:33 . 2009-04-23 15:32        16384              c:\windows\system32\config\systemprofile\Cookies\index.dat
.
(((((((((((((((((((((((((((((((((((((   重要登入點   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白與合法缺省登錄將不會被顯示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BackupNotify"="c:\program files\HP\Digital Imaging\bin\backupnotify.exe" [2004-01-08 32768]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-27 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"HIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"HIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HPHUPD05"="c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-20 49152]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-20 483328]
"Home Theater SchSvr"="c:\program files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2004-06-24 155648]
"WINREMOTE"="c:\program files\InterVideo\Common\Bin\WinRemote.exe" [2004-06-24 192512]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2003-11-03 221184]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-21 335872]
"MSPY2002"="c:\windows\System32\IME\PINTLGNT\ImScInst.exe" [2004-02-11 59392]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-18 110592]
"WT GameChannel"="c:\program files\WildTangent\Apps\GameChannel.exe" [2003-10-09 184784]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-07-21 57344]
"S2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-14 75520]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-14 185872]
"pluscri"="c:\windows\pluscri.exe" [2009-03-11 229376]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-08-05 115560]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2003-04-03 50176]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-05-03 67584]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2004-05-03 2533888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\「開始」功能表\程式集\啟動\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Ulead Photo Express 4.0 月曆檢查程式.lnk - c:\program files\Ulead Systems\Ulead Photo Express 4.0\CalCheck.exe [2004-10-10 57344]
Updates from HP.lnk - c:\program files\Updates from HP\137903\Program\BackWeb-137903.exe [2004-1-1 16384]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2004-10-7 118784]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15641:TCP"= 15641:TCP:BitComet 15641 TCP
"15641:UDP"= 15641:UDP:BitComet 15641 UDP
"16988:TCP"= 16988:TCP:BitComet 16988 TCP
"16988:UDP"= 16988:UDP:BitComet 16988 UDP

R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
R3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\DRIVERS\LV532AV.SYS [2003-09-16 152576]
R3 VVRUSB;VVRUSB Device;c:\windows\system32\DRIVERS\VVRUSB.sys [2002-01-19 38479]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-11 101936]
S3 PhTVTune;ASUS WDM TV Tuner;c:\windows\system32\DRIVERS\PhTVTune.sys [2003-12-24 24192]
S3 PRISM_A00;Intersil PRISM 802.11a/g Driver;c:\windows\system32\DRIVERS\PCTELSAP.SYS [2004-01-29 350282]

Continued .....

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53cfe12c-95b0-11dc-9e4c-0030f1dc24c0}]
\Shell\AutoRun\command - k:\.\Q9\q9xpb5dl.exe
\Shell\Q9\command - k:\.\Q9\Q9Runner.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbba4fc3-2a26-11dd-a0f4-0030f1dc24c0}]
\Shell\Auto\command - setup.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe
.
.
------- 而外的掃描 -------
.
uStart Page = hxxp://hk.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &使用BitComet下載本頁視頻 - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: 使用BitComet下載全部鏈接 - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: 使用BitComet下載鏈接(&B) - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: 匯出至 Microsoft Excel(&X) - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: {003FACAF-40CB-4358-96D2-B0D8CEF4DBF5} - hxxps://bet.hongkongjockeyclub.com/ib/skey/ch/cab/eWinCtl.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {D4ACE027-B115-4181-82CF-831C68235CAB} - hxxp://hot1.vdown.21cn.com/rmdownload/drm/data3/eyejoy/ppsbase.cab
FF - ProfilePath -

---- 火狐配置文件 ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel",             1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad",                   false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom",  "chrome://branding/content/searchconfig.properties");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-24 22:30
Windows 5.1.2600 Service Pack 3 NTFS

掃描被隱藏的進程 。。。  

掃描被隱藏的啟動組 。。。

掃描被隱藏的文件 。。。  

掃描完成
被隱藏的檔案: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\vsdatant]
"ImagePath"="a"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\LocalService\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-20\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-21-641528987-1222926196-109803688-1003\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-21-641528987-1222926196-109803688-1003\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Excel\Settings\灀送xe<:* *R*e*f*\File Name MRU]
"Value"=multi:"\00\00"
"Maximum Entries"=dword:0000000a

[HKEY_USERS\S-1-5-21-641528987-1222926196-109803688-1003\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Excel\Settings\灀送xe<:* *R*e*f*\View]
"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
   8b,44,0d,00,fa,08,00,00,8b,44,0d,00,fa,08,00,00,8b,44,0d,00,fa,08,00,00,8b,\

[HKEY_USERS\S-1-5-21-641528987-1222926196-109803688-1003\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Office\Settings\?_U *O*f*f*i*c*e* *譸\File Name MRU]
"Value"=multi:"\00\00"
"Maximum Entries"=dword:0000000a

[HKEY_USERS\S-1-5-21-641528987-1222926196-109803688-1003\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Office\Settings\?_U *O*f*f*i*c*e* *譸\View]
"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
   8b,44,0d,00,fa,08,00,00,8b,44,0d,00,fa,08,00,00,8b,44,0d,00,fa,08,00,00,8b,\

[HKEY_USERS\S-1-5-21-1614895754-2025429265-725345543-1003_Classes\O*v*e*r*t*u*r*e* * j\
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1614895754-2025429265-725345543-1003_Classes\O*v*e*r*t*u*r*e* * j\DefaultIcon]
@=expand:"%APPDATA%\\Microsoft\\Installer\\{50ADDF79-3249-4679-B527-3FB8C5EA99E5}\\_294823.exe,0"

[HKEY_USERS\S-1-5-21-1614895754-2025429265-725345543-1003_Classes\O*v*e*r*t*u*r*e* * j\shell]
@="open"

[HKEY_USERS\S-1-5-21-1614895754-2025429265-725345543-1003_Classes\O*v*e*r*t*u*r*e* * j\shell\open]
@="開啟(&O)"

[HKEY_USERS\S-1-5-21-1614895754-2025429265-725345543-1003_Classes\O*v*e*r*t*u*r*e* * j\shell\open\command]
@="\"c:\\Program Files\\Overture 4.0 繁體中文版\\Overture.exe\" \"%1\""
"command"=multi:"%_(xAdi9`=RGK6dXKNlr>?%)duR)D9Xu~OSIW`PT- \"%1\"\00\00"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CurVer]
@="BDATuner.元件.1"
.
--------------------- 運行進程下的動態鏈接庫 ---------------------

- - - - - - - > 'winlogon.exe'
c:\windows\system32\Ati2evxx.dll
c:\program files\Symantec\Symantec Endpoint Protection\SnacNp.dll

- - - - - - - > 'explorer.exe'
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\windows\system32\ConnAPI.DLL
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_chi-hk.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Symantec\Symantec Endpoint Protection\SnacNp.dll
.
------------------------ 其他運行進程 ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\drivers\CDANTSRV.EXE
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\conime.exe
c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
c:\progra~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
c:\program files\Common Files\PCSuite\Services\ServiceLayer.exe
c:\windows\javas.exe
c:\windows\cssrs.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Symantec\Symantec Endpoint Protection\SavUI.exe
.
**************************************************************************
.
完成時間: 2009-04-24 22:39 - 電腦已重新啟動
ComboFix-quarantined-files.txt  2009-04-24 14:39
ComboFix2.txt  2009-04-24 09:46

Pre-Run: 96,631,582,720 位元組可用
Post-Run: 96,612,315,136 位元組可用

348        --- E O F ---        2009-04-16 15:44

Steps to turn off "System Restore"

   1. Click [Start], right-click [My Computer], then click [Properties].
   2. In the [System Properties] dialog box, click the [System Restore] tab.
   3. Click to select the [Turn off System Restore] check box. Or, click to select the [Turn off System Restore on all drives] check box.
   4. Click [OK].

Download ATF-Cleaner
http://www.atribune.org/
Run ATF-Cleaner.exe
Check everything, then press Empty Selected.

1. Close Internet Explorer and any open folder windows.
2. Run HijackThis.
3. Press Do a system scan only and wait a moment until "Scan" turns into "Save log".
4. Check the following items (the box on the left) and press "Fix checked". HijackThis will prompt you to restart; after this step you may restart the computer.

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [pluscri] C:\WINDOWS\pluscri.exe

* Open Notepad and paste the following content

KILLALL::

File::
c:\windows\cssrs.exe
c:\windows\javas.exe
c:\windows\pluscri.exe

Save ---> Save as type ---> All Files --> enter the file name as CFScript.txt
Drag CFScript.txt onto ComboFix.exe

    * ComboFix will run
    * When it finishes there will be a report at C:\ComboFix.txt.


Download System Repair Engineer
http://www.kztechs.com/sreng/download.html
Unzip and run System Repair Engineer
1. Click [Smart Scan]
2. Click [Scan]
3. Click Save Reports
4. Post SREngLOG
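To sift reports like the ones above for the kind of entries this reply singles out (names that imitate a real system process, such as cssrs.exe, and executables sitting directly in c:\windows), here is an added Python triage script; it is not part of this thread, ComboFix or HijackThis, and the KNOWN table, the 0.85 similarity threshold and the sample lines are my own assumptions.

```python
import re
from difflib import SequenceMatcher

# The fakes named in this thread (cssrs.exe, javas.exe, pluscri.exe) either
# misspell a real system process or sit directly in c:\windows, not system32.
KNOWN = {  # real name -> folder it lives in on Windows XP (assumed table)
    "csrss.exe": "c:\\windows\\system32", "smss.exe": "c:\\windows\\system32",
    "svchost.exe": "c:\\windows\\system32", "lsass.exe": "c:\\windows\\system32",
    "explorer.exe": "c:\\windows",
}

def lookalike(name):
    """Return the system process name this one imitates, or None (0.85 threshold assumed)."""
    hits = [r for r in KNOWN if r != name and SequenceMatcher(None, name, r).ratio() >= 0.85]
    return hits[0] if hits else None

def triage(lines):
    """Return [(path, reason)] for executables worth a closer look. Accepts bare paths
    (ComboFix process list) and HijackThis O4 lines; first drive-letter path per line."""
    findings = []
    for line in lines:
        m = re.search(r"([a-z]:\\.*?\.exe)\b", line, re.I)
        if not m:
            continue
        path = m.group(1).lower()
        folder, name = path.rsplit("\\", 1)
        reasons = []
        imitated = lookalike(name)
        if name in KNOWN and folder != KNOWN[name]:
            reasons.append("system process name outside its home folder")
        elif imitated:
            reasons.append("name mimics " + imitated)
        if folder == "c:\\windows" and name not in KNOWN:
            reasons.append("executable directly in c:\\windows (OEM tools do this too)")
        if reasons:
            findings.append((path, "; ".join(reasons)))
    return findings

# Constructed sample lines modelled on this thread's reports (not the real logs).
SAMPLE = [
    r"c:\windows\system32\ati2evxx.exe",
    r"c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe",
    r"c:\windows\javas.exe",
    r"c:\windows\cssrs.exe",
    r"c:\windows\Explorer.EXE",
    r"c:\documents and settings\user\csrss.exe",
    r"O4 - HKLM\..\Run: [pluscri] C:\WINDOWS\pluscri.exe",
]
```

Running `triage(SAMPLE)` flags javas.exe, cssrs.exe, pluscri.exe and the misplaced csrss.exe, and leaves the genuine Explorer.EXE and Smc.exe alone.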

What software is this?
k:\.\Q9\q9xpb5dl.exe
k:\.\Q9\Q9Runner.exe
