*注意* 空白與合法缺省登錄將不會被顯示
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-12 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-02 3882312]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.911.3380\GoogleToolbarNotifier.exe" [2009-02-05 162744]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-11 1667584]
"dorfgwe"="c:\windows\system32\uret463.exe" [2009-02-07 105352]
"anhtaaa"="c:\windows\system32\kacsde.exe" [2009-02-07 107710]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-12 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"RTHDCPL"="RTHDCPL.EXE" [2007-12-20 c:\windows\RTHDCPL.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-12 15360]
c:\documents and settings\All Users\「開始」功能表\程式集\啟動\TP-LINK
TL-WN322G Wireless Utility.lnk - c:\program files\TP-LINK\TL-WN322G Wireless Utility\ZDWlan.exe [2009-02-05 491520]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26072:TCP"= 26072:TCP:BitComet 26072 TCP
"26072:UDP"= 26072:UDP:BitComet 26072 UDP
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 33808]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2009-02-05 89600]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-04-30 24592]
R3 ZD1211BU(TP-LINK);TL-WN322G/WN322G+ Wireless USB Adapter Driver(TP-LINK);c:\windows\system32\drivers\ZD1211BU.sys [2009-02-05 500736]
S3 AVPsys;AVPsys;c:\windows\system32\drivers\cdaudio.sys [2001-08-17 18688]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a98d471-f4bf-11dd-9079-001d0fae7511}]
\Shell\AutoRun\command - F:\6vu680.com
\Shell\open\Command - F:\6vu680.com
.
.
------- 而外的掃描 -------
.
uStart Page = hxxp://www.yahoo.com.hk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
TCP: {F32E1396-852F-4B03-9DEB-7FC2287FE0DE} = 218.102.62.71 203.198.23.208
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\mn7u6rp9.default\
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-02-07 13:57:33
Windows 5.1.2600 Service Pack 2 NTFS
掃描被隱藏的進程 。。。
掃描被隱藏的啟動組 。。。
掃描被隱藏的文件 。。。
掃描完成
被隱藏的檔案: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"
[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CurVer]
@="BDATuner.元件.1"
.
--------------------- 運行進程下的動態鏈接庫 ---------------------
- - - - - - - > 'winlogon.exe'(1300)
c:\windows\system32\Ati2evxx.dll
.
------------------------ 其他運行進程 ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
c:\windows\system32\conime.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
完成時間: 2009-02-07 13:58:43 - 電腦已重新啟動
ComboFix-quarantined-files.txt 2009-02-07 05:58:41
Pre-Run: 147,222,343,680 位元組可用
Post-Run: 148,288,233,472 位元組可用
WindowsXP-KB310994-SP2-Pro-BootDisk-CHT.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
166