
Title: Infected with a backdoor trojan I can't delete (HijackThis and ComboFix reports attached)

Author: 眼眼    Time: 2009-4-27 00:25     Title: Infected with a backdoor trojan I can't delete (HijackThis and ComboFix reports attached)

I've been infected with a backdoor trojan (cssrs.exe). My antivirus, Symantec Endpoint Protection, can't delete it, and I've tried ComboFix as well with no luck. Help! (HijackThis and ComboFix reports attached)

Also, when shutting down, the computer says ccSvcHst.exe has a problem. I don't know whether that has anything to do with ComboFix?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:12:43, on 24/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinRemote.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\pluscri.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\javas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\cssrs.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0\CalCheck.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP 檢視 - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] "C:\Program Files\InterVideo\Common\Bin\WinRemote.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [pluscri] C:\WINDOWS\pluscri.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &使用BitComet下載本頁視頻 - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: 使用BitComet下載全部鏈接 - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: 使用BitComet下載鏈接(&B) - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {003FACAF-40CB-4358-96D2-B0D8CEF4DBF5} (SKeyHelper Class) - https://bet.hongkongjockeyclub.com/ib/skey/ch/cab/eWinCtl.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D4ACE027-B115-4181-82CF-831C68235CAB} (PPSBase Control) - http://hot1.vdown.21cn.com/rmdow ... /eyejoy/ppsbase.cab
Author: 眼眼    Time: 2009-4-27 00:50

continued .....

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour 服務 (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod 服務 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PsExec (PSEXESVC) - Sysinternals - C:\WINDOWS\PSEXESVC.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O24 - Desktop Component 0: (no name) -

--
End of file - 11071 bytes
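A triage pass over the HijackThis log above, added here as an example; it is not part of the original post and not HijackThis code. It parses the running-process list and the R3/O2/O3/O4/O23 entries and flags the patterns a reviewer picks out first: a process name one letter-swap away from a core Windows binary (cssrs.exe against csrss.exe), executables sitting directly in C:\WINDOWS, Run entries given as bare file names that are resolved through the search path, service binaries with no publisher string, and orphaned entries whose file is gone. SAMPLE_LOG is an excerpt of the log above; the core-process list, their expected directories, the similarity threshold and the allowlist are this example's own assumptions, not anything HijackThis provides.

```python
"""Triage pass over a HijackThis log: parse the running-process list and the
R3/O2/O3/O4/O23 entries and flag what a reviewer would check first.
Added example written for this page; not HijackThis code and not from the thread.
SAMPLE_LOG is an excerpt of the log above.  EXPECTED_DIR, WINDIR_ROOT_OK and
LOOKALIKE_RATIO are this example's own assumptions."""
import difflib
import re

WINDIR = r"c:\windows"
SYSTEM32 = WINDIR + r"\system32"
# Core Windows processes whose names malware imitates, and where each normally lives (assumed).
EXPECTED_DIR = {n: SYSTEM32 for n in ("csrss.exe", "smss.exe", "svchost.exe", "lsass.exe",
                                      "services.exe", "winlogon.exe", "spoolsv.exe")}
EXPECTED_DIR["explorer.exe"] = WINDIR
WINDIR_ROOT_OK = {"explorer.exe"}   # the one executable expected directly in %WINDIR% (assumed)
LOOKALIKE_RATIO = 0.85              # cssrs.exe vs csrss.exe scores 0.89; smc.exe vs smss.exe only 0.80

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
PATH_RE = re.compile(r"([a-z]:\\.+?\.(?:exe|dll|sys))", re.I)

# Constructed excerpt of the log above (process list plus a few R/O entries).
SAMPLE_LOG = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\pluscri.exe
C:\WINDOWS\javas.exe
C:\WINDOWS\cssrs.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [pluscri] C:\WINDOWS\pluscri.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: PsExec (PSEXESVC) - Sysinternals - C:\WINDOWS\PSEXESVC.EXE
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
"""


def lookalike(name):
    """Return the core process name that `name` imitates (near match, not exact), else None."""
    name = name.lower()
    if name in EXPECTED_DIR:          # the real thing; location is checked separately
        return None
    for core in EXPECTED_DIR:
        if difflib.SequenceMatcher(None, name, core).ratio() >= LOOKALIKE_RATIO:
            return core
    return None


def triage(text):
    """Return findings as (severity, reason, line) for every log line worth a look."""
    findings = []
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY_RE.match(line)
        kind, body = (m.group(1), m.group(2)) if m else ("PROC", line)
        if kind == "PROC" and not PATH_RE.match(line):
            continue                  # blank line or header, not a process entry
        if "(no file)" in body or "(file missing)" in body:
            findings.append(("low", "orphaned entry, target file missing; remove", line))
            continue
        if kind == "O23" and "Unknown owner" in body:
            findings.append(("low", "service binary carries no publisher string", line))
        p = PATH_RE.search(body)
        if not p:
            if kind == "O4":          # e.g. [AlcxMonitor] ALCXMNTR.EXE: found via the search path at logon
                findings.append(("medium", "bare file name, resolved through the search path at logon", line))
            continue
        path = p.group(1).lower()
        folder, name = path.rsplit("\\", 1)
        core = lookalike(name)
        if core:
            findings.append(("high", f"{name} imitates system process {core}", line))
        elif name in EXPECTED_DIR and folder != EXPECTED_DIR[name]:
            findings.append(("high", f"{name} running from {folder}, expected {EXPECTED_DIR[name]}", line))
        if folder == WINDIR and name not in WINDIR_ROOT_OK:
            findings.append(("medium", "executable directly in %WINDIR%: unusual install location, verify publisher", line))
        if "\\temp\\" in path:
            findings.append(("high", "executable loaded from a Temp directory", line))
    return findings


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "low": 2}
    for severity, reason, line in sorted(triage(SAMPLE_LOG), key=lambda f: order[f[0]]):
        print(f"[{severity}] {reason}\n    {line}")
```

The location rule is deliberately noisy: SOUNDMAN.EXE and the other Realtek files also live in C:\WINDOWS and get the same medium flag, so the script sorts entries for checking rather than passing verdicts. On this log the only high finding is cssrs.exe, for its lookalike name; pluscri.exe and javas.exe only trip the location rule here, and it is the ComboFix file listing later in the thread that shows their hidden attribute and identical size.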
Author: 眼眼    Time: 2009-4-27 01:02

ComboFix 09-04-24.01 - Owner 4/2009 Fri 22:20.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.950.852.1028.18.511.155 [GMT 8:00]
Running from: c:\documents and settings\Owner\桌面\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated)
FW: Symantec Endpoint Protection *disabled*
.

(((((((((((((((((((((((((((((((((((((((   Files deleted   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Owner\LOCALS~1\Temp\IadHide4.dll
c:\documents and settings\Owner\Local Settings\Temp\IadHide4.dll
c:\windows\cssrs.exe
c:\windows\ggcktxt.txt
c:\windows\ggcktxt1.txt
.
---- Previous Run -------
.
c:\docume~1\Owner\LOCALS~1\Temp\IadHide4.dll
c:\documents and settings\Owner\Local Settings\Temp\IadHide4.dll
c:\windows\cssrs.exe
c:\windows\ggcktxt.txt
c:\windows\ggcktxt1.txt

.
(((((((((((((((((((((((((  Files created from 2009-05-24 to 2009-4-24  )))))))))))))))))))))))))))))))
.

2009-04-24 14:31 . 2009-04-24 14:32        184320        ----a-w        c:\windows\cssrs.exe
2009-04-24 10:16 . 2009-04-24 10:30        --------        d-----w        C:\Combo-Fix
2009-04-21 17:57 . 2009-04-21 17:57        --------        d-----w        c:\program files\Trend Micro
2009-04-16 13:38 . 2009-02-06 10:10        227840        -c----w        c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 13:38 . 2009-03-06 14:19        292352        -c----w        c:\windows\system32\dllcache\pdh.dll
2009-04-16 13:38 . 2009-02-09 11:21        110592        -c----w        c:\windows\system32\dllcache\services.exe
2009-04-16 13:38 . 2009-02-09 10:51        401408        -c----w        c:\windows\system32\dllcache\rpcss.dll
2009-04-16 13:38 . 2009-02-09 10:51        473600        -c----w        c:\windows\system32\dllcache\fastprox.dll
2009-04-16 13:38 . 2009-02-09 10:51        707072        -c----w        c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 13:38 . 2009-02-09 10:51        668160        -c----w        c:\windows\system32\dllcache\advapi32.dll
2009-04-16 13:38 . 2009-02-09 10:51        600576        -c----w        c:\windows\system32\dllcache\ntdll.dll
2009-04-16 13:38 . 2009-02-09 10:51        453120        -c----w        c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 13:37 . 2009-03-27 06:48        1203922        -c----w        c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 13:37 . 2008-04-21 21:14        207872        -c----w        c:\windows\system32\dllcache\wordpad.exe
2009-03-27 19:39 . 2009-04-20 19:24        268        ---ha-w        C:\sqmdata19.sqm
2009-03-27 19:39 . 2009-04-20 19:24        244        ---ha-w        C:\sqmnoopt19.sqm
2009-03-27 17:36 . 2009-04-20 19:13        268        ---ha-w        C:\sqmdata18.sqm
2009-03-27 17:36 . 2009-04-20 19:13        244        ---ha-w        C:\sqmnoopt18.sqm
2009-03-26 18:52 . 2009-04-20 17:43        268        ---ha-w        C:\sqmdata17.sqm
2009-03-26 18:52 . 2009-04-20 17:43        244        ---ha-w        C:\sqmnoopt17.sqm
2009-03-25 18:51 . 2009-04-20 17:24        268        ---ha-w        C:\sqmdata16.sqm
2009-03-25 18:51 . 2009-04-20 17:24        244        ---ha-w        C:\sqmnoopt16.sqm
2009-03-25 17:25 . 2009-04-19 20:12        268        ---ha-w        C:\sqmdata15.sqm
2009-03-25 17:25 . 2009-04-19 20:12        244        ---ha-w        C:\sqmnoopt15.sqm

.
((((((((((((((((((((((((((((((((((((((((   Files modified within the last three months   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-22 17:41 . 2009-03-22 19:22        268        ---ha-w        C:\sqmdata10.sqm
2009-04-22 17:41 . 2009-03-22 19:22        244        ---ha-w        C:\sqmnoopt10.sqm
2009-04-22 14:11 . 2009-03-21 17:52        268        ---ha-w        C:\sqmdata09.sqm
2009-04-22 14:11 . 2009-03-21 17:52        244        ---ha-w        C:\sqmnoopt09.sqm
2009-04-22 13:54 . 2009-03-21 13:49        268        ---ha-w        C:\sqmdata08.sqm
2009-04-22 13:54 . 2009-03-21 13:49        244        ---ha-w        C:\sqmnoopt08.sqm
2009-04-22 13:47 . 2009-03-21 05:13        268        ---ha-w        C:\sqmdata07.sqm
2009-04-22 13:47 . 2009-03-21 05:13        244        ---ha-w        C:\sqmnoopt07.sqm
2009-04-22 12:21 . 2009-03-20 15:32        268        ---ha-w        C:\sqmdata06.sqm
2009-04-22 12:21 . 2009-03-20 15:32        244        ---ha-w        C:\sqmnoopt06.sqm
2009-04-21 19:08 . 2009-03-20 05:11        268        ---ha-w        C:\sqmdata05.sqm
2009-04-21 19:08 . 2009-03-20 05:11        244        ---ha-w        C:\sqmnoopt05.sqm
2009-04-21 17:41 . 2009-03-19 19:29        268        ---ha-w        C:\sqmdata04.sqm
2009-04-21 17:41 . 2009-03-19 19:29        244        ---ha-w        C:\sqmnoopt04.sqm
2009-04-21 13:11 . 2009-03-19 05:16        268        ---ha-w        C:\sqmdata03.sqm
2009-04-21 13:11 . 2009-03-19 05:16        244        ---ha-w        C:\sqmnoopt03.sqm
2009-04-21 08:35 . 2009-03-18 18:34        268        ---ha-w        C:\sqmdata02.sqm
2009-04-21 08:35 . 2009-03-18 18:34        244        ---ha-w        C:\sqmnoopt02.sqm
2009-04-21 08:28 . 2009-03-18 05:01        268        ---ha-w        C:\sqmdata01.sqm
2009-04-21 08:28 . 2009-03-18 05:01        244        ---ha-w        C:\sqmnoopt01.sqm
2009-04-21 04:46 . 2009-03-18 04:41        268        ---ha-w        C:\sqmdata00.sqm
2009-04-21 04:46 . 2009-03-18 04:41        244        ---ha-w        C:\sqmnoopt00.sqm
2009-04-20 18:25 . 2007-09-19 11:20        --------        d-----w        c:\program files\eMule
2009-04-19 11:16 . 2009-03-25 04:54        268        ---ha-w        C:\sqmdata14.sqm
2009-04-19 11:16 . 2009-03-25 04:54        244        ---ha-w        C:\sqmnoopt14.sqm
2009-04-19 08:28 . 2007-10-03 19:39        --------        d-----w        c:\documents and settings\Owner\Application Data\U3
2009-04-18 19:26 . 2009-03-24 16:09        268        ---ha-w        C:\sqmdata13.sqm
2009-04-18 19:26 . 2009-03-24 16:09        244        ---ha-w        C:\sqmnoopt13.sqm
2009-04-18 13:39 . 2009-03-23 19:12        268        ---ha-w        C:\sqmdata12.sqm
2009-04-18 13:39 . 2009-03-23 19:12        244        ---ha-w        C:\sqmnoopt12.sqm
2009-04-17 19:30 . 2009-03-23 04:48        268        ---ha-w        C:\sqmdata11.sqm
2009-04-17 19:30 . 2009-03-23 04:48        244        ---ha-w        C:\sqmnoopt11.sqm
2009-04-16 17:23 . 2007-12-02 04:58        2572        ----a-w        c:\windows\system32\PerfStringBackup.TMP
2009-04-16 17:23 . 2004-01-01 17:18        883696        ----a-w        c:\windows\system32\prfh0404.dat
2009-04-16 17:23 . 2004-01-01 17:18        417202        ----a-w        c:\windows\system32\prfc0404.dat
2009-03-13 10:52 . 2009-03-13 10:52        182        ----a-w        C:\drwtsn32.log
2009-03-13 10:01 . 2007-06-19 10:08        149768        ----a-w        c:\windows\system32\drivers\WpsHelper.sys
2009-03-11 14:38 . 2009-03-11 14:09        --------        d-----w        c:\documents and settings\All Users\Application Data\Symantec
2009-03-11 14:37 . 2004-01-02 03:59        --------        d-----w        c:\program files\Common Files\Symantec Shared
2009-03-11 14:12 . 2009-03-11 14:09        --------        d-----w        c:\program files\Symantec
2009-03-11 14:12 . 2009-03-11 14:12        806        ----a-w        c:\windows\system32\drivers\SYMEVENT.INF
2009-03-11 14:12 . 2009-03-11 14:12        60808        ----a-w        c:\windows\system32\S32EVNT1.DLL
2009-03-11 14:12 . 2009-03-11 14:12        136496        ----a-w        c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-11 14:12 . 2009-03-11 14:12        10652        ----a-w        c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-11 13:59 . 2009-03-11 13:59        --------        d-----w        c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-11 12:56 . 2009-03-11 12:52        4        ----a-w        C:\acnaver.txt
2009-03-11 12:52 . 2009-03-11 15:54        229376        ---ha-w        c:\windows\javas.exe
2009-03-11 12:52 . 2009-03-11 12:52        229376        ---h--w        c:\windows\pluscri.exe
2009-03-11 10:07 . 2007-07-28 03:10        --------        d-----w        c:\program files\ESET
2009-03-07 14:45 . 2007-05-23 17:33        --------        d-----w        c:\program files\TVAnts
2009-03-06 14:19 . 2004-08-05 23:29        292352        ----a-w        c:\windows\system32\pdh.dll
2009-03-03 00:03 . 2004-01-21 10:34        826368        ----a-w        c:\windows\system32\wininet.dll
2009-02-20 16:49 . 2004-08-12 01:16        78336        ----a-w        c:\windows\system32\ieencode.dll
2009-02-09 14:03 . 2004-01-01 17:18        1846400        ----a-w        c:\windows\system32\win32k.sys
2009-02-09 11:21 . 2002-09-09 15:35        2023936        ----a-w        c:\windows\system32\ntkrnlpa.exe
2009-02-09 11:21 . 2004-01-01 17:18        2145280        ----a-w        c:\windows\system32\ntoskrnl.exe
2009-02-09 11:21 . 2004-08-05 23:29        110592        ----a-w        c:\windows\system32\services.exe
2009-02-09 10:51 . 2004-01-01 17:18        707072        ----a-w        c:\windows\system32\lsasrv.dll
2009-02-09 10:51 . 2004-08-05 23:24        668160        ----a-w        c:\windows\system32\advapi32.dll
2009-02-09 10:51 . 2004-01-01 04:20        401408        ----a-w        c:\windows\system32\rpcss.dll
2009-02-09 10:51 . 2004-01-01 17:18        600576        ----a-w        c:\windows\system32\ntdll.dll
2009-02-06 10:39 . 2004-08-05 23:29        35328        ----a-w        c:\windows\system32\sc.exe
2009-02-03 19:56 . 2004-08-05 23:29        56832        ----a-w        c:\windows\system32\secur32.dll
Author: 眼眼    Time: 2009-4-27 01:26

continued .....

2009-01-24 15:59 . 2009-01-11 09:33        550        ----a-w        C:\LiveABC.Log
2009-01-24 15:59 . 2009-01-11 09:33        73216        ----a-w        c:\windows\ST6UNST.EXE
2008-12-03 03:34 . 2004-10-08 13:43        65336        ----a-w        c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-11-15 01:02 . 2004-10-06 13:44        65336        ----a-w        c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-12-27 20:23 . 2006-12-27 20:23        466944        ----a-w        c:\program files\Common Files\MSWORD8.OLB
2004-01-01 04:04 . 2007-07-29 10:14        128        ----a-w        c:\documents and settings\Administrator.HPXP\Local Settings\Application Data\fusioncache.dat
2004-01-01 04:04 . 2004-10-06 05:47        128        ----a-w        c:\windows\system32\config\systemprofile\Local Settings\Application Data\fusioncache.dat
2004-01-01 04:04 . 2004-01-01 04:04        128        ----a-w        c:\documents and settings\Owner\Local Settings\Application Data\fusioncache.dat
1999-04-30 08:00:08 . 2004-10-10 09:19        c:\program files\internet explorer\plugins\UPjpeg.dll
2009-01-14 12:41:20 . 2009-01-14 12:41        c:\program files\mozilla firefox\components\jar50.dll
2009-01-14 12:41:21 . 2009-01-14 12:41        c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-14 12:41:20 . 2009-01-14 12:41        c:\program files\mozilla firefox\components\xpinstal.dll
2008-10-31 17:04 . 2008-10-31 17:05        32768        --sha-w        c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008110120081102\index.dat
.

(((((((((((((((((((((((((((((   SnapShot@2009-04-24_09.36.47   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-24 14:04 . 2009-04-24 14:04        16384              c:\windows\Temp\Perflib_Perfdata_5cc.dat
+ 2009-04-24 14:29 . 2009-04-24 14:29        16384              c:\windows\Temp\Perflib_Perfdata_3d0.dat
+ 2004-01-01 02:33 . 2009-04-24 12:24        32768              c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2004-01-01 02:33 . 2009-04-23 15:32        32768              c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-01-01 02:33 . 2009-04-24 12:24        32768              c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-01-01 02:33 . 2009-04-23 15:32        32768              c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2004-01-01 02:33 . 2009-04-24 12:24        16384              c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2004-01-01 02:33 . 2009-04-23 15:32        16384              c:\windows\system32\config\systemprofile\Cookies\index.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BackupNotify"="c:\program files\HP\Digital Imaging\bin\backupnotify.exe" [2004-01-08 32768]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-27 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HPHUPD05"="c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-20 49152]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-20 483328]
"Home Theater SchSvr"="c:\program files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2004-06-24 155648]
"WINREMOTE"="c:\program files\InterVideo\Common\Bin\WinRemote.exe" [2004-06-24 192512]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2003-11-03 221184]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-21 335872]
"MSPY2002"="c:\windows\System32\IME\PINTLGNT\ImScInst.exe" [2004-02-11 59392]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-18 110592]
"WT GameChannel"="c:\program files\WildTangent\Apps\GameChannel.exe" [2003-10-09 184784]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-07-21 57344]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-14 75520]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-14 185872]
"pluscri"="c:\windows\pluscri.exe" [2009-03-11 229376]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-08-05 115560]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2003-04-03 50176]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-05-03 67584]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2004-05-03 2533888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\「開始」功能表\程式集\啟動\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Ulead Photo Express 4.0 月曆檢查程式.lnk - c:\program files\Ulead Systems\Ulead Photo Express 4.0\CalCheck.exe [2004-10-10 57344]
Updates from HP.lnk - c:\program files\Updates from HP\137903\Program\BackWeb-137903.exe [2004-1-1 16384]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2004-10-7 118784]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15641:TCP"= 15641:TCP:BitComet 15641 TCP
"15641:UDP"= 15641:UDP:BitComet 15641 UDP
"16988:TCP"= 16988:TCP:BitComet 16988 TCP
"16988:UDP"= 16988:UDP:BitComet 16988 UDP

R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
R3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\DRIVERS\LV532AV.SYS [2003-09-16 152576]
R3 VVRUSB;VVRUSB Device;c:\windows\system32\DRIVERS\VVRUSB.sys [2002-01-19 38479]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-11 101936]
S3 PhTVTune;ASUS WDM TV Tuner;c:\windows\system32\DRIVERS\PhTVTune.sys [2003-12-24 24192]
S3 PRISM_A00;Intersil PRISM 802.11a/g Driver;c:\windows\system32\DRIVERS\PCTELSAP.SYS [2004-01-29 350282]
Author: 眼眼    Time: 2009-4-27 01:33

continued .....

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53cfe12c-95b0-11dc-9e4c-0030f1dc24c0}]
\Shell\AutoRun\command - k:\.\Q9\q9xpb5dl.exe
\Shell\Q9\command - k:\.\Q9\Q9Runner.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbba4fc3-2a26-11dd-a0f4-0030f1dc24c0}]
\Shell\Auto\command - setup.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://hk.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &使用BitComet下載本頁視頻 - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: 使用BitComet下載全部鏈接 - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: 使用BitComet下載鏈接(&B) - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: 匯出至 Microsoft Excel(&X) - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: {003FACAF-40CB-4358-96D2-B0D8CEF4DBF5} - hxxps://bet.hongkongjockeyclub.com/ib/skey/ch/cab/eWinCtl.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {D4ACE027-B115-4181-82CF-831C68235CAB} - hxxp://hot1.vdown.21cn.com/rmdownload/drm/data3/eyejoy/ppsbase.cab
FF - ProfilePath -

---- Firefox preferences ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel",             1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad",                   false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom",  "chrome://branding/content/searchconfig.properties");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-24 22:30
Windows 5.1.2600 Service Pack 3 NTFS

掃描被隱藏的進程 。。。  

掃描被隱藏的啟動組 。。。

掃描被隱藏的文件 。。。  

掃描完成
被隱藏的檔案: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\vsdatant]
"ImagePath"="a"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\LocalService\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-20\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-21-641528987-1222926196-109803688-1003\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-21-641528987-1222926196-109803688-1003\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Excel\Settings\灀送xe<:* *R*e*f*\File Name MRU]
"Value"=multi:"\00\00"
"Maximum Entries"=dword:0000000a

[HKEY_USERS\S-1-5-21-641528987-1222926196-109803688-1003\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Excel\Settings\灀送xe<:* *R*e*f*\View]
"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
   8b,44,0d,00,fa,08,00,00,8b,44,0d,00,fa,08,00,00,8b,44,0d,00,fa,08,00,00,8b,\

[HKEY_USERS\S-1-5-21-641528987-1222926196-109803688-1003\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Office\Settings\?_U *O*f*f*i*c*e* *譸\File Name MRU]
"Value"=multi:"\00\00"
"Maximum Entries"=dword:0000000a

[HKEY_USERS\S-1-5-21-641528987-1222926196-109803688-1003\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Office\Settings\?_U *O*f*f*i*c*e* *譸\View]
"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
   8b,44,0d,00,fa,08,00,00,8b,44,0d,00,fa,08,00,00,8b,44,0d,00,fa,08,00,00,8b,\

[HKEY_USERS\S-1-5-21-1614895754-2025429265-725345543-1003_Classes\O*v*e*r*t*u*r*e* * j\
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1614895754-2025429265-725345543-1003_Classes\O*v*e*r*t*u*r*e* * j\DefaultIcon]
@=expand:"%APPDATA%\\Microsoft\\Installer\\{50ADDF79-3249-4679-B527-3FB8C5EA99E5}\\_294823.exe,0"

[HKEY_USERS\S-1-5-21-1614895754-2025429265-725345543-1003_Classes\O*v*e*r*t*u*r*e* * j\shell]
@="open"

[HKEY_USERS\S-1-5-21-1614895754-2025429265-725345543-1003_Classes\O*v*e*r*t*u*r*e* * j\shell\open]
@="開啟(&O)"

[HKEY_USERS\S-1-5-21-1614895754-2025429265-725345543-1003_Classes\O*v*e*r*t*u*r*e* * j\shell\open\command]
@="\"c:\\Program Files\\Overture 4.0 繁體中文版\\Overture.exe\" \"%1\""
"command"=multi:"%_(xAdi9`=RGK6dXKNlr>?%)duR)D9Xu~OSIW`PT- \"%1\"\00\00"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CurVer]
@="BDATuner.元件.1"
.
--------------------- 運行進程下的動態鏈接庫 ---------------------

- - - - - - - > 'winlogon.exe'
c:\windows\system32\Ati2evxx.dll
c:\program files\Symantec\Symantec Endpoint Protection\SnacNp.dll

- - - - - - - > 'explorer.exe'
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\windows\system32\ConnAPI.DLL
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_chi-hk.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Symantec\Symantec Endpoint Protection\SnacNp.dll
.
------------------------ 其他運行進程 ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\drivers\CDANTSRV.EXE
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\conime.exe
c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
c:\progra~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
c:\program files\Common Files\PCSuite\Services\ServiceLayer.exe
c:\windows\javas.exe
c:\windows\cssrs.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Symantec\Symantec Endpoint Protection\SavUI.exe
.
**************************************************************************
.
完成時間: 2009-04-24 22:39 - 電腦已重新啟動
ComboFix-quarantined-files.txt  2009-04-24 14:39
ComboFix2.txt  2009-04-24 09:46

Pre-Run: 96,631,582,720 位元組可用
Post-Run: 96,612,315,136 位元組可用

348        --- E O F ---        2009-04-16 15:44
Author: 下次有緣    Time: 2009-4-27 01:39

Steps to turn off System Restore

   1. Click [Start], right-click [My Computer], then click [Properties].
   2. In the [System Properties] dialog box, click the [System Restore] tab.
   3. Click to select the [Turn off System Restore] check box, or click to select the [Turn off System Restore on all drives] check box.
   4. Click [OK].

Download ATF-Cleaner
http://www.atribune.org/
Run ATF-Cleaner.exe
Tick everything and click Empty Selected.

1. Close Internet Explorer and any open file folder windows.
2. Run HijackThis.
3. Click Do a system scan only and wait until "Scan" changes to "Save log".
4. Tick the following items (the boxes on the left) and click "Fix checked". HijackThis will prompt you to restart; you may restart the computer after this step.

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [pluscri] C:\WINDOWS\pluscri.exe

* Open Notepad and paste the following content

KILLALL::

File::
c:\windows\cssrs.exe
c:\windows\javas.exe
c:\windows\pluscri.exe

Save ---> Save as type ---> All Files --> enter the file name as CFScript.txt
Drag CFScript.txt onto ComboFix.exe

    * ComboFix will run
    * When it finishes there will be a report at C:\ComboFix.txt.


Download System Repair Engineer
http://www.kztechs.com/sreng/download.html
Unzip and run System Repair Engineer
1. Click [Smart Scan]
2. Click [Scan]
3. Click Save Reports
4. Post SREngLOG
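The reply above picks its HijackThis entries and the CFScript targets by three rules of thumb: hooks, BHOs and toolbars whose file is gone, a Run entry that launches a bare executable dropped straight into the Windows directory, and running processes whose name is one letter swap away from a core Windows binary (cssrs.exe imitating csrss.exe). The script below is an added example that encodes those checks as triage logic and runs them over the lines quoted in this thread; it is not part of HijackThis, ComboFix or the reply, and the allow-list of legitimate Windows-directory executables and the constructed benign ctfmon.exe line are assumptions made for the example.

```python
"""Triage for HijackThis / ComboFix log lines (added example, not a tool from this thread).

Three checks, mirroring the reply above:
  1. orphaned hooks/BHOs/toolbars: "(no file)" or "(file missing)"
  2. bare executable directly in <drive>:\\windows (pluscri.exe, javas.exe, cssrs.exe)
  3. process name one edit away from a core Windows binary (cssrs.exe vs csrss.exe)
"""
import ntpath
import re

# Core Windows binaries that malware likes to imitate by swapping letters.
KNOWN_SYSTEM_EXES = {
    "csrss.exe", "svchost.exe", "lsass.exe", "smss.exe",
    "winlogon.exe", "services.exe", "explorer.exe", "spoolsv.exe",
}

# Assumed, deliberately short allow-list of executables that legitimately live
# directly in the Windows directory on XP; anything else there gets reported.
WINDOWS_ROOT_ALLOWLIST = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "winhlp32.exe"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein, with an adjacent transposition costing 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # "sr" <-> "rs"
    return d[len(a)][len(b)]


def lookalike_of(exe_name: str):
    """Return the core binary this name is exactly one edit away from, or None."""
    name = exe_name.lower()
    if name in KNOWN_SYSTEM_EXES:
        return None  # the real thing, not a lookalike
    for known in sorted(KNOWN_SYSTEM_EXES):
        if osa_distance(name, known) == 1:
            return known
    return None


def in_windows_root(path: str) -> bool:
    """True for a non-allow-listed executable sitting directly under <drive>:\\windows."""
    _drive, tail = ntpath.splitdrive(ntpath.dirname(path))
    return (tail.strip("\\").lower() == "windows"
            and ntpath.basename(path).lower() not in WINDOWS_ROOT_ALLOWLIST)


def triage_process_path(path: str) -> list:
    """Reasons a process path deserves a second look; empty list means nothing tripped."""
    reasons = []
    if in_windows_root(path):
        reasons.append("bare executable in the Windows directory")
    twin = lookalike_of(ntpath.basename(path))
    if twin:
        reasons.append(f"name is one edit away from {twin}")
    return reasons


_RUN_ENTRY = re.compile(r"^O4 - .*?\\Run: \[[^\]]*\] (.+)$")


def triage_hjt_line(line: str) -> list:
    """Reasons a HijackThis line matches something the reply tells the poster to fix."""
    reasons = []
    if line.endswith("(no file)") or "(file missing)" in line:
        reasons.append("orphaned entry, target file is gone")
    m = _RUN_ENTRY.match(line)
    if m:  # pull the launched .exe out of the Run value and reuse the process checks
        target = re.match(r'^"?(.+?\.exe)', m.group(1), re.IGNORECASE)
        if target:
            reasons.extend(triage_process_path(target.group(1)))
    return reasons


def triage_hjt(lines):
    return [(ln, why) for ln in lines for why in triage_hjt_line(ln)]


def triage_processes(paths):
    return [(p, why) for p in paths for why in triage_process_path(p)]


# HijackThis lines quoted in the reply, plus one constructed benign Run entry.
HJT_SAMPLE = [
    "R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)",
    "O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll (file missing)",
    "O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    "O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)",
    "O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)",
    "O4 - HKLM\\..\\Run: [pluscri] C:\\WINDOWS\\pluscri.exe",
    "O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe",  # constructed, benign
]

# A subset of "other running processes" from the ComboFix log in this thread.
PROCESS_SAMPLE = [
    r"c:\windows\system32\ati2evxx.exe",
    r"c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe",
    r"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe",
    r"c:\windows\system32\conime.exe",
    r"c:\windows\javas.exe",
    r"c:\windows\cssrs.exe",
    r"c:\program files\iPod\bin\iPodService.exe",
]

if __name__ == "__main__":
    for item, why in triage_hjt(HJT_SAMPLE) + triage_processes(PROCESS_SAMPLE):
        print(f"{why:45} {item}")
```

Run against the thread's own lines it reports the five orphaned entries and pluscri.exe from the HijackThis block, and javas.exe and cssrs.exe from the process list, with cssrs.exe additionally tagged as a csrss.exe lookalike; Symantec's Smc.exe passes because it is two edits from smss.exe, not one. The Windows-directory check is a triage heuristic, not a verdict: the Realtek SOUNDMAN.EXE and ALCWZRD.EXE in the original poster's process list also live in C:\WINDOWS and would be listed for a human to clear.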
Author: 下次有緣    Time: 2009-4-27 01:40

What software is this?
k:\.\Q9\q9xpb5dl.exe
k:\.\Q9\Q9Runner.exe

Welcome to UFunFun Forum (http://ufunfun.com/) Powered by Discuz! 6.0.0