2009-02-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-18 23:36]
2009-02-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 13:42]
.
- - - - ORPHANS REMOVED - - - -
ShellIconOverlayIdentifiers-{DD6143E3-A474-4AEE-D934-735D21CC1A42} - c:\windows\System32\kbduldnu.dll
HKCU-Run-BitTorrent - c:\program files\BitTorrent\bittorrent.exe
HKCU-Run-foxy - c:\program files\Foxy\Foxy.exe
HKLM-Run-Abevv - c:\program files\Xcyi\Litsht.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://hk.yahoo.com
mStart Page = hxxp://hk.yahoo.com
IE: Download with FlashGet - c:\progra~1\FlashGet\jc_link.htm
IE: Download all with FlashGet - c:\progra~1\FlashGet\jc_all.htm
IE: Export to Microsoft Excel(&X) - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {C05F9CDB-1258-4A0D-9CA1-86E0D7305711} = 218.102.62.71 205.252.144.126
DPF: {05BCE06B-A300-4C4E-A42F-4C04BCCDE63B} - hxxp://weblogin.talesrunner.com.hk/TRLuncherROC.cab
DPF: {3527C5BD-4A46-4362-94B6-12341D087A4B} - hxxp://echospin.com/wizard/files/esWizard.cab
DPF: {A93FB56D-2F76-4DD7-8E38-9B1EB38C88A5} - hxxp://warranty.samsungmcs.com.hk:8080/plugIn/SecuiSECIE.cab
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-02-20 21:53:02
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"
[HKEY_USERS\LocalService\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"
[HKEY_USERS\S-1-5-20\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"
[HKEY_USERS\S-1-5-21-1715567821-57989841-725345543-1004\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"
[HKEY_USERS\S-1-5-21-1715567821-57989841-725345543-1004\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.default]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@="c:\\Program Files\\NetMeeting\\Blip.wav"
[HKEY_USERS\S-1-5-21-1715567821-57989841-725345543-1004\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Office\Settings\?_U *O*f*f*i*c*e* *譸\File Name MRU]
"Value"=multi:"\
00\
00"
"Maximum Entries"=dword:0000000a
[HKEY_USERS\S-1-5-21-1715567821-57989841-725345543-1004\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Office\Settings\?_U *O*f*f*i*c*e* *譸\View]
"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
8b,44,0d,00,fa,08,00,00,8b,44,0d,00,fa,08,00,00,8b,44,0d,00,fa,08,00,00,8b,\
[HKEY_USERS\S-1-5-21-1715567821-57989841-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\BoontyGames\?"?Y沐 *jr]
"Order"=hex:08,00,00,00,02,00,00,00,00,01,00,00,01,00,00,00,02,00,00,00,7a,00,
00,00,00,00,00,00,6c,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,5a,00,36,\
[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"
[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CurVer]
@="BDATuner.元件.1"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\conime.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\progra~1\CWHKTI~1\NETVIG~1\app\EnterNetFolder.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Java\jre1.6.0_07\bin\jucheck.exe
c:\program files\Avant Browser\avant.exe
.
**************************************************************************
.
Completion time: 2009-02-20 22:09:18 - machine was rebooted [yanso]
ComboFix-quarantined-files.txt 2009-02-20 14:08:19
Pre-Run: 26,077,372,416 bytes free
Post-Run: 26,058,649,600 bytes free
307 --- E O F --- 2009-02-11 18:50:33
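The lines above are ComboFix's own output. The script below is an added example, not part of the log or of ComboFix: it parses the scheduled-task, ORPHANS REMOVED, TCP and DPF lines from a constructed excerpt in the same format and applies a simple triage to them. The vendor-folder allowlist KNOWN_VENDOR_DIRS and the ActiveX host check are assumptions chosen for illustration, not rules ComboFix applies.

```python
"""Parse the autostart-related sections of a ComboFix log and triage them.

Added example. The line formats are ComboFix's; the allowlist and the
checks in triage() are this example's own assumptions.
"""
import re
from urllib.parse import urlparse

# Constructed excerpt in the ComboFix format, mirroring the log above.
SAMPLE_LOG = r"""
2009-02-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-18 23:36]
.
- - - - ORPHANS REMOVED - - - -
ShellIconOverlayIdentifiers-{DD6143E3-A474-4AEE-D934-735D21CC1A42} - c:\windows\System32\kbduldnu.dll
HKCU-Run-BitTorrent - c:\program files\BitTorrent\bittorrent.exe
HKLM-Run-Abevv - c:\program files\Xcyi\Litsht.exe
.
TCP: {C05F9CDB-1258-4A0D-9CA1-86E0D7305711} = 218.102.62.71 205.252.144.126
DPF: {05BCE06B-A300-4C4E-A42F-4C04BCCDE63B} - hxxp://weblogin.talesrunner.com.hk/TRLuncherROC.cab
"""

TASK_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (.+\.job)$")
TARGET_RE = re.compile(r"^- (.+?) \[(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\]$")
ORPHAN_RE = re.compile(r"^(\S+) - (.+)$")
TCP_RE = re.compile(r"^TCP: \{[0-9A-Fa-f-]+\} = (.+)$")
DPF_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\}) - (\S+)$")


def _refang(url: str) -> str:
    """ComboFix defangs URLs as hxxp://; restore the scheme for urlparse."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url)


def parse_combofix(text: str) -> dict:
    """Return scheduled tasks, orphaned autostarts, DNS resolvers and DPF entries."""
    out = {"tasks": [], "orphans": [], "dns": [], "dpf": []}
    lines = text.splitlines()
    in_orphans = False
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("- - - - ORPHANS REMOVED"):
            in_orphans = True
        elif line == ".":                       # section separator
            in_orphans = False
        elif in_orphans:
            m = ORPHAN_RE.match(line)
            if m:
                out["orphans"].append({"entry": m.group(1), "target": m.group(2)})
        elif (m := TASK_RE.match(line)) and i + 1 < len(lines):
            # A .job line is followed by "- <target exe> [<timestamp>]".
            t = TARGET_RE.match(lines[i + 1].strip())
            if t:
                out["tasks"].append({"modified": m.group(1), "job": m.group(2),
                                     "target": t.group(1), "target_stamp": t.group(2)})
                i += 1
        elif (m := TCP_RE.match(line)):
            out["dns"].extend(m.group(1).split())
        elif (m := DPF_RE.match(line)):
            out["dpf"].append({"clsid": m.group(1), "url": _refang(m.group(2))})
        i += 1
    return out


# Assumed allowlist of vendor folders under Program Files (illustrative only).
KNOWN_VENDOR_DIRS = {"lavasoft", "apple software update", "bittorrent", "foxy"}


def triage(parsed: dict) -> list:
    """Flag Run-key targets outside known vendor folders and third-party ActiveX downloads."""
    findings = []
    for o in parsed["orphans"]:
        if o["entry"].startswith(("HKLM-Run-", "HKCU-Run-")):
            parts = o["target"].lower().replace("/", "\\").split("\\")
            # c:\program files\<vendor>\... -> the vendor folder is parts[2]
            if len(parts) > 3 and parts[1] == "program files" and parts[2] not in KNOWN_VENDOR_DIRS:
                findings.append(f"unknown Run target: {o['entry']} -> {o['target']}")
    for d in parsed["dpf"]:
        host = urlparse(d["url"]).hostname
        if host and not host.endswith(("microsoft.com", "windowsupdate.com")):
            findings.append(f"third-party ActiveX download {d['clsid']} from {host}")
    if parsed["dns"]:
        findings.append("verify resolvers against the ISP's: " + ", ".join(parsed["dns"]))
    return findings


if __name__ == "__main__":
    for f in triage(parse_combofix(SAMPLE_LOG)):
        print(f)
```

The parser keeps the raw target paths so a reviewer can look each one up; the triage only narrows the list to entries worth a second look (a Run key pointing into an unrecognised folder, an ActiveX package fetched from a non-Microsoft host, resolver addresses to confirm with the ISP). Extend KNOWN_VENDOR_DIRS to match the software actually installed on the machine being examined.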