Infected with Wigon trojan, Agent.OMX trojan

Infected with a trojan; none of those pieces of software could remove it either.
Files: http:         //tayforlive.ru/Reklam.exe
LOCALS~1\Temp\3F8
LOCALS~1\Temp\3F9.tmp
LOCALS~1\Temp\3E5.tmp
LOCALS~1\Temp\3E6.tmp
http://       st.reallife7634.com/l3.exe
LOCALS~1\Temp\3D9.tmp, and there are many, many more like LOCALS~1\Temp\3D9.tmp

What was detected is Win32/TrojanDownloader.Agent.OMX trojan
and Win32/Wigon trojan.
Many thanks to the support team for the help, thank you!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:19:54, on 19/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\drivers\services.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\CameraFixer.exe
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\system32\drivers\services.exe
C:\Documents and Settings\yanso\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\PPStream\ppsap.exe
C:\WINDOWS\system32\drivers\services.exe
C:\Documents and Settings\yanso\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\yanso\「開始」功能表\程式集\啟動\userinit.exe
C:\Program Files\Yahoo!\Mini\YMini.exe
C:\Program Files\Yahoo!\Mini\YASearch.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\PROGRA~1\CWHKTI~1\NETVIG~1\app\pppoeservice.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\PROGRA~1\FlashGet\flashget.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\services.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Abevv] C:\Program Files\Xcyi\Litsht.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CameraFixer] C:\WINDOWS\CameraFixer.exe
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [winlogon] C:\Documents and Settings\yanso\svchost.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [foxy] "C:\Program Files\Foxy\Foxy.exe" -tray
O4 - HKCU\..\Run: [Yahoo!Mini] "C:\Program Files\Yahoo!\Mini\YMiniUpdat2.exe" -c
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PPS Accelerator] C:\Program Files\PPStream\ppsap.exe
O4 - HKCU\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKCU\..\Run: [winlogon] C:\Documents and Settings\yanso\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: 使用 FlashGet 下載 - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: 全部使用 FlashGet 下載 - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05BCE06B-A300-4C4E-A42F-4C04BCCDE63B} (TRLuncherROC Control) - http://weblogin.talesrunner.com.hk/TRLuncherROC.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3527C5BD-4A46-4362-94B6-12341D087A4B} (esProxy.GeneralHandler) - http://echospin.com/wizard/files/esWizard.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153371645810
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {A93FB56D-2F76-4DD7-8E38-9B1EB38C88A5} (SecureSession Class) - http://warranty.samsungmcs.com.hk:8080/plugIn/SecuiSECIE.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C05F9CDB-1258-4A0D-9CA1-86E0D7305711}: NameServer = 218.102.62.71 205.252.144.126
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\System32\msvidctl.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\System32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\System32\wiascr.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod 服? (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\CWHKTI~1\NETVIG~1\app\pppoeservice.exe

--
End of file - 12697 bytes

1. Turn off System Restore and run the HijackThis shortcut.
2. Click "Do a system scan only" and wait a moment until "Scan" changes to "Save log".
3. Tick the following items (the box on the left), close every window other than HijackThis.exe, and click "Fix checked". HijackThis will prompt you to restart; after this step you may restart the computer.
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\services.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [winlogon] C:\Documents and Settings\yanso\svchost.exe

Download ComboFix to the desktop

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    * Run ComboFix

      Note: to stop security software from wrongly flagging ComboFix as a dangerous file, temporarily turn off your antivirus and anti-spyware software before running ComboFix. Also, while ComboFix is running, do not run any programs or click on the ComboFix window with the mouse.

    * ComboFix will pop up a window; click Yes (Y)
    * If the Recovery Console needs to be installed, click Yes (Y) to install it. When installation completes, click Yes (Y) to continue.
    * The program will scan; the desktop may disappear temporarily while it does so. When the scan completes, the program closes automatically.
    * When it finishes, ComboFix may restart the computer automatically. After that the ComboFix log will pop up. The log is saved automatically at C:\ComboFix.txt
    * Paste the ComboFix log.
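
Added here as an example, not code from this thread, from HijackThis or from ComboFix: a small Python triage that applies the same reasoning the helper used to pick the four lines above (an extra program chained onto UserInit, a BHO whose file is gone, and core system binary names such as svchost.exe or services.exe launched from outside system32). The sample lines are copied from the log posted above; the rules, the assumed C:\WINDOWS\system32 path and the function names are mine.

```python
import ntpath
import re
from typing import List, Optional, Tuple

# Sample HijackThis lines copied from the log above (a subset, embedded so the
# example runs offline). Two of them are benign and must not be flagged.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\services.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [winlogon] C:\Documents and Settings\yanso\svchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Core Windows XP binaries that legitimately run only from %SystemRoot%\system32.
# The same file name anywhere else (a user profile, the drivers folder) is the
# masquerade seen in this thread's log.
SYSTEM_BINARIES = {"svchost.exe", "services.exe", "lsass.exe", "winlogon.exe",
                   "csrss.exe", "smss.exe", "userinit.exe"}
SYSTEM32 = r"c:\windows\system32"          # assumed install drive/path

F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>.*?)\] (?P<cmd>.*)$")


def executable_path(cmd: str) -> str:
    """Pull the executable out of a Run value, whether quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Bare paths may contain spaces ("Documents and Settings"), so cut at the
    # first ".exe" followed by whitespace or end of line, not at the first space.
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def masquerade_reason(path: str) -> Optional[str]:
    """Flag a system binary name that runs from outside system32."""
    directory, base = ntpath.split(path)
    if base.lower() in SYSTEM_BINARIES and directory.lower() != SYSTEM32:
        return f"{base} running from {directory} instead of {SYSTEM32}"
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (line, reason) for every HijackThis line that warrants a fix."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        m = F2_RE.match(line)
        if m:
            # UserInit should name exactly one program: system32\userinit.exe.
            # Anything appended after the comma is launched at every logon.
            entries = [e.strip() for e in m.group("value").split(",") if e.strip()]
            extra = [e for e in entries if e.lower() != SYSTEM32 + r"\userinit.exe"]
            if extra:
                findings.append((line, "UserInit also launches: " + ", ".join(extra)))
            continue
        m = O2_RE.match(line)
        if m and m.group("path") == "(no file)":
            findings.append((line, "BHO registered but its DLL is missing (orphan entry)"))
            continue
        m = O4_RE.match(line)
        if m:
            reason = masquerade_reason(executable_path(m.group("cmd")))
            if reason:
                findings.append((line, reason))
    return findings


def lines_to_fix(log_text: str) -> List[str]:
    """The raw lines to tick in HijackThis before pressing 'Fix checked'."""
    return [line for line, _ in triage(log_text)]


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run against the sample it returns exactly the four lines the helper listed, and a default UserInit value of `C:\WINDOWS\system32\userinit.exe,` produces no finding.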


ComboFix 09-02-18.01 - yanso 2009-02-20 21:43:46.3 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.950.1.1028.18.375.122 [GMT 8:00]
Running from: c:\documents and settings\yanso\桌面\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090217231110109.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090217235058984.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe.vir
c:\documents and settings\LocalService\svchost.exe
c:\documents and settings\yanso\「開始」功能表\程式集\啟動\userinit.exe
c:\documents and settings\yanso\svchost.exe
c:\program files\Microsoft Common
c:\program files\Microsoft Common\svchost.exe.vir
c:\program files\StormII
c:\program files\StormII\Codec\Plugins\nppl3260.dll
c:\program files\StormII\Codec\Plugins\nppl3260.xpt
c:\program files\StormII\Codec\Plugins\nprpjplug.dll
c:\program files\StormII\Codec\Plugins\nsJSRealPlayerPlugin.xpt
c:\program files\StormII\Codec\RMSplt.ax
c:\program files\StormII\Codec\VSFilter.dll
c:\program files\StormII\config.xml
c:\program files\StormII\keys.dat
c:\program files\StormII\log\2.07.04.02.log
c:\program files\StormII\log\2.07.07.16.log
c:\program files\StormII\log\2.07.07.31.log
c:\program files\StormII\log\2.07.08.27.log
c:\program files\StormII\log\2.07.09.01.log
c:\program files\StormII\media.dll
c:\program files\StormII\mps.dll
c:\program files\StormII\PlayList.smpl
c:\program files\StormII\score.dll
c:\program files\StormII\sexpert.dll
c:\program files\StormII\Skin\惟瑞2冪萎.zip
c:\program files\StormII\sparser.dll
c:\program files\StormII\spfa.dll
c:\program files\StormII\splayers.dll
c:\program files\StormII\sprobe.dll
c:\program files\StormII\storm.cfg
c:\program files\StormII\Storm.exe
c:\program files\StormII\Storm.ver
c:\program files\StormII\supdate.dll
c:\program files\StormII\uninst.exe
C:\userinit.exe
c:\windows\system32\config\systemprofile\svchost.exe
c:\windows\system32\digeste.dll.vir
c:\windows\system32\drivers\services.exe
c:\windows\wiaserviv.log
e:\recycler\desktop.0xe
e:\recycler\desktop.ini

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BOONTY_GAMES
-------\Legacy_TCPSR
-------\Service_Boonty Games
-------\Service_tcpsr
-------\Service_UACd.sys


(((((((((((((((((((((((((   Files Created from 2009-01-20 to 2009-02-20  )))))))))))))))))))))))))))))))
.

2009-02-20 21:19 . 2009-02-20 21:21 <DIR> d-------- C:\32788R22FWJFW.1.tmp
2009-02-20 00:21 . 2009-02-20 00:22 <DIR> d-------- C:\32788R22FWJFW.0.tmp
2009-02-19 22:18 . 2009-02-19 22:18 <DIR> d-------- c:\program files\Trend Micro
2009-02-18 23:59 . 2009-02-18 23:36 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-02-18 23:49 . 2009-02-18 23:49 <DIR> d-------- c:\documents and settings\LocalService\桌面
2009-02-18 23:36 . 2009-02-18 23:36 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-18 23:33 . 2009-02-18 23:33 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-18 23:32 . 2009-02-18 23:32 <DIR> d-------- c:\program files\Lavasoft
2009-02-18 23:32 . 2009-02-18 23:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-18 22:36 . 2009-02-18 22:36 <DIR> d-------- C:\fsaua.data
2009-02-17 23:29 . 2009-02-19 22:08 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-02-17 23:27 . 2006-05-25 14:52 162,304 --a------ c:\windows\system32\ztvunrar36.dll
2009-02-17 23:27 . 2003-02-02 19:06 153,088 --a------ c:\windows\system32\UNRAR3.dll
2009-02-17 23:27 . 2005-08-26 00:50 77,312 --a------ c:\windows\system32\ztvunace26.dll
2009-02-17 23:27 . 2002-03-06 00:00 75,264 --a------ c:\windows\system32\unacev2.dll
2009-02-17 23:27 . 2006-06-19 12:01 69,632 --a------ c:\windows\system32\ztvcabinet.dll
2009-02-17 23:26 . 2009-02-17 23:33 <DIR> d-------- c:\program files\Trojan Remover
2009-02-17 23:26 . 2009-02-17 23:26 <DIR> d-------- c:\documents and settings\yanso\Application Data\Simply Super Software
2009-02-17 23:26 . 2009-02-17 23:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-02-13 22:04 . 2009-02-13 22:07 <DIR> d--h----- c:\program files\Zero G Registry
2009-02-13 22:04 . 2009-02-13 22:06 <DIR> d-------- c:\program files\eform
2009-02-13 22:04 . 2009-02-13 22:04 <DIR> d--h----- c:\documents and settings\yanso\InstallAnywhere
2009-02-07 21:43 . 2009-02-07 21:43 <DIR> d-------- c:\program files\enable Metronome
2009-02-07 21:34 . 2009-02-07 21:34 151 --a------ c:\windows\MetroTimer.ini
2009-01-30 18:38 . 2009-01-30 18:40 <DIR> d-------- c:\documents and settings\yanso\Application Data\U3

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-19 15:47 --------- d-----w c:\program files\ESET
2009-02-19 15:46 --------- d-----w c:\program files\FlashGet
2009-02-17 02:41 --------- d-----w c:\documents and settings\yanso\Application Data\ppstream
2009-02-17 02:12 --------- d-----w c:\program files\PPStream
2009-02-17 02:12 --------- d-----w c:\program files\MSN Messenger
2009-02-16 14:03 --------- d-----w c:\program files\Windows Live Safety Center
2009-02-15 10:30 --------- d-----w c:\documents and settings\yanso\Application Data\AdobeUM
2009-02-11 14:42 46,872 ----a-w c:\documents and settings\yanso\Application Data\GDIPFONTCACHEV1.DAT
2009-01-30 13:43 --------- d-----w c:\program files\Soulseek
2009-01-30 13:38 --------- d-----w c:\program files\Foxy
2009-01-30 13:38 --------- d-----w c:\documents and settings\yanso\Application Data\Foxy
2009-01-30 13:36 --------- d-----w c:\program files\Canon
2009-01-30 13:30 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-01-30 13:27 --------- d-----w c:\program files\Finale NotePad 2007
2009-01-30 13:27 --------- d-----w c:\documents and settings\yanso\Application Data\Skype
2009-01-30 13:26 --------- d-----w c:\program files\BitComet
2009-01-27 08:45 --------- d-----w c:\program files\Avant Browser
2008-12-28 03:49 --------- d-----w c:\program files\Guitar Pro 5
2008-12-28 03:43 --------- d-----w c:\program files\HP
2007-04-16 15:54 33,280 ----a-w c:\documents and settings\yanso\svchost.exe.vir
2006-08-04 01:33 0 -c--a-w c:\documents and settings\yanso\loaded.exe
2004-10-21 19:16 118,736 -c--a-w c:\documents and settings\yanso\setup.exe
.

------- Sigcheck -------

2006-04-20 20:18  360576  b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-31 00:53  360832  64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 18:44  360960  744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 19:51  361600  9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 19:59  361600  ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2001-09-17 22:00  327168  e7774698bb0d14b0710a9a31e209f9b6 c:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-04 14:14  359040  9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB917953$\tcpip.sys
2006-04-20 19:51  359808  b4e29943b4b04bd5e7381546848e6669 c:\windows\$NtUninstallKB941644$\tcpip.sys
2007-10-31 01:20  360064  ed06c31200714e734118f9a47f5df5ce c:\windows\$NtUninstallKB951748$\tcpip.sys
2004-08-04 14:14  359040  9f4b36614a0fc234525ba224957de55c c:\windows\ServicePackFiles\i386\TCPIP.SYS
2008-04-14 03:20  361344  93ea8d04ec73a85db02eb8805988f733 c:\windows\SoftwareDistribution\Download\44efa6227a0729b233508b6f95c3fb71\tcpip.sys
2008-07-10 10:56  360320  073941d59ae065910064b728dee981ee c:\windows\system32\dllcache\TCPIP.SYS
2008-07-10 10:56  360320  073941d59ae065910064b728dee981ee c:\windows\system32\drivers\TCPIP.SYS

2007-06-18 19:39  977920  3ddb98936b29019549c6fbabd86846e7 c:\windows\explorer.exe
2007-06-18 19:41  977920  d1822278f43e2850e03ef36d29686d4f c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2001-09-17 22:00  1000960  ee2156a747c0038fa3453de33f081878 c:\windows\$NtServicePackUninstall$\explorer.exe
2004-08-12 09:16  976896  211358ae74733075c22142b3ac519a19 c:\windows\$NtUninstallKB938828$\explorer.exe
2004-08-12 09:16  976896  211358ae74733075c22142b3ac519a19 c:\windows\ServicePackFiles\i386\explorer.exe
2008-04-15 18:54  978432  88057e7b74236c11098e4d4eeac7df5e c:\windows\SoftwareDistribution\Download\44efa6227a0729b233508b6f95c3fb71\explorer.exe
2007-06-18 19:39  977920  3ddb98936b29019549c6fbabd86846e7 c:\windows\system32\dllcache\explorer.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-12 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"Yahoo!Mini"="c:\program files\Yahoo!\Mini\YMiniUpdat2.exe" [2007-12-03 757248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"PPS Accelerator"="c:\program files\PPStream\ppsap.exe" [2008-12-11 210296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-06-10 180269]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-07-10 270648]
"CameraFixer"="c:\windows\CameraFixer.exe" [2006-10-09 20480]
"tsnpstd3"="c:\windows\tsnpstd3.exe" [2006-09-26 270336]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-02-17 1237896]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-18 509784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2004-08-12 15360]

c:\documents and settings\All Users\「開始」功能表\程式集\啟動\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-08-09 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati0taxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati4puxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\PPStream\\PPStream.exe"=
"c:\\Program Files\\Avant Browser\\avant.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\PPStream\\PPSAP.exe"=



[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12216:TCP"= 12216:TCP:BitComet 12216 TCP
"12216:UDP"= 12216:UDP:BitComet 12216 UDP
"6418:TCP"= 6418:TCP:Foxy (169.254.206.183:6418) 6418 TCP
"6418:UDP"= 6418:UDP:Foxy (169.254.206.183:6418) 6418 UDP

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-18 64160]
R0 PzWDMzWDM;c:\windows\system32\drivers\PzWDM.sys [2007-10-10 15172]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-19 950096]
R2 PPPoEServicePPoE Service;c:\progra~1\CWHKTI~1\NETVIG~1\app\pppoeservice.exe [2006-06-03 45056]
R3 RAWESR;RAWESR;c:\progra~1\CWHKTI~1\NETVIG~1\app\RAWESR.SYS [2006-06-03 9088]
R3 TAPBIND;TAPBIND;c:\progra~1\CWHKTI~1\NETVIG~1\app\TAPBIND1.SYS [2006-06-03 16864]
S0 ati0taxx;ati0taxx;c:\windows\system32\Drivers\ati0taxx.sys --> c:\windows\system32\Drivers\ati0taxx.sys [?]
S0 ati4puxx;ati4puxx;c:\windows\system32\Drivers\ati4puxx.sys --> c:\windows\system32\Drivers\ati4puxx.sys [?]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\yanso\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys --> c:\docume~1\yanso\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [?]
S3 N100;Compaq Ethernet or Fast Ethernet NIC Driver;c:\windows\system32\drivers\n100325.sys [2006-06-03 128000]
S3 NTSPPPOE;NTS Enternet P.P.P.o.E LAN  Miniport Driver;c:\windows\system32\drivers\ntspppoe.sys [2006-06-03 150496]
S3 pacdcacm;pacdcacm;c:\windows\system32\drivers\pacdcacm.sys [2007-05-20 26496]

--- Other Services/Drivers In Memory ---

*Deregistered* - iPod Service
.
Contents of the 'Scheduled Tasks' folder

2009-02-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-18 23:36]

2009-02-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 13:42]
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-{DD6143E3-A474-4AEE-D934-735D21CC1A42} - c:\windows\System32\kbduldnu.dll
HKCU-Run-BitTorrent - c:\program files\BitTorrent\bittorrent.exe
HKCU-Run-foxy - c:\program files\Foxy\Foxy.exe
HKLM-Run-Abevv - c:\program files\Xcyi\Litsht.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://hk.yahoo.com
mStart Page = hxxp://hk.yahoo.com
IE: 使用 FlashGet 下載 - c:\progra~1\FlashGet\jc_link.htm
IE: 全部使用 FlashGet 下載 - c:\progra~1\FlashGet\jc_all.htm
IE: 匯出至 Microsoft Excel(&X) - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {C05F9CDB-1258-4A0D-9CA1-86E0D7305711} = 218.102.62.71 205.252.144.126
DPF: {05BCE06B-A300-4C4E-A42F-4C04BCCDE63B} - hxxp://weblogin.talesrunner.com.hk/TRLuncherROC.cab
DPF: {3527C5BD-4A46-4362-94B6-12341D087A4B} - hxxp://echospin.com/wizard/files/esWizard.cab
DPF: {A93FB56D-2F76-4DD7-8E38-9B1EB38C88A5} - hxxp://warranty.samsungmcs.com.hk:8080/plugIn/SecuiSECIE.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-20 21:53:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\LocalService\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-20\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-21-1715567821-57989841-725345543-1004\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-21-1715567821-57989841-725345543-1004\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.default]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-21-1715567821-57989841-725345543-1004\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Office\Settings\?_U *O*f*f*i*c*e* *譸\File Name MRU]
"Value"=multi:"\00\00"
"Maximum Entries"=dword:0000000a

[HKEY_USERS\S-1-5-21-1715567821-57989841-725345543-1004\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Office\Settings\?_U *O*f*f*i*c*e* *譸\View]
"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
   8b,44,0d,00,fa,08,00,00,8b,44,0d,00,fa,08,00,00,8b,44,0d,00,fa,08,00,00,8b,\

[HKEY_USERS\S-1-5-21-1715567821-57989841-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\BoontyGames\?"?Y沐 *jr]
"Order"=hex:08,00,00,00,02,00,00,00,00,01,00,00,01,00,00,00,02,00,00,00,7a,00,
   00,00,00,00,00,00,6c,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,5a,00,36,\

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CurVer]
@="BDATuner.元件.1"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\conime.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\progra~1\CWHKTI~1\NETVIG~1\app\EnterNetFolder.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Java\jre1.6.0_07\bin\jucheck.exe
c:\program files\Avant Browser\avant.exe
.
**************************************************************************
.
Completion time: 2009-02-20 22:09:18 - machine was rebooted [yanso]
ComboFix-quarantined-files.txt  2009-02-20 14:08:19

Pre-Run: 26,077,372,416 位元組可用
Post-Run: 26,058,649,600 位元組可用

307 --- E O F --- 2009-02-11 18:50:33

Step: CFScript

* Open Notepad and paste the following content

KILLALL::

Driver::
ati0taxx
ati4puxx

Rootkit::
c:\windows\system32\Drivers\ati0taxx.sys
c:\windows\system32\Drivers\ati4puxx.sys

File::
C:\32788R22FWJFW.1.tmp
C:\32788R22FWJFW.0.tmp
C:\fsaua.data
c:\windows\system32\Drivers\ati0taxx.sys
c:\windows\system32\Drivers\ati4puxx.sys

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati0taxx.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati4puxx.sys]

Save ---> Save as type ---> All Files ---> enter the file name as CFScript.txt
Drag CFScript.txt onto ComboFix.exe

    * ComboFix will then run
    * When it finishes, there will be a report at C:\ComboFix.txt.



Step: Report Back

    * Paste the following report
    * If the report is too long, you can upload it here: http://www.sendspace.com

    * ComboFix scan report {C:\ComboFix.txt}
