[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Zcom\\skin.dll"=
"c:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe"=
"c:\\Program Files\\LittleFighter2\\LF2_v2.0\\lf2.exe"=
"c:\\Program Files\\Foxy\\Foxy.exe"=
"c:\\Program Files\\Valve\\hl.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"d:\\TF2\\hl2.exe"=
"c:\\Program Files\\Codemasters\\GRID\\GRID.exe"=
"c:\\Program Files\\Activision\\Spider-Man - Web of Shadows\\image\\pc\\Spider-Man Web of Shadows.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\Left 4 Dead\\Left 4 Dead\\common\\left 4 dead\\left4dead.exe"=
"c:\\vLan\\vLan.exe"=
"d:\\Prince of Persia\\Prince of Persia.exe"=
"d:\\Prince of Persia\\PrinceOfPersia_Launcher.exe"=
"d:\\namnam's things\\AOC\\AOC10.exe"=
"d:\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"d:\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"d:\\Grand Theft Auto IV\\GTAIV.exe"=
"c:\\Program Files\\KeyHoleTV\\KeyHoleTV.exe"=
"c:\\Program Files\\GridService\\peer.exe"=
"c:\\Program Files\\Thunder Network\\SoftManager\\Program\\XLSoftmgr.exe"=
"c:\\Program Files\\PPStream\\PPStream.exe"=
"c:\\Program Files\\PPStream\\PPSAP.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2009\\fm.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9384:TCP"= 9384:TCP:BitComet 9384 TCP
"9384:UDP"= 9384:UDP:BitComet 9384 UDP
"4081:TCP"= 4081:TCP:Foxy (169.254.41.32:4081) 4081 TCP
"4081:UDP"= 4081:UDP:Foxy (169.254.41.32:4081) 4081 UDP
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-22 64160]
R1 appdrv01;Application Driver (01);c:\windows\system32\drivers\appdrv01.sys [2008-10-18 2915944]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2008-03-13 472320]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-19 950096]
R3 IPvE;IPvE Adapter Driver;c:\windows\system32\drivers\IPvE.sys [2008-11-25 14824]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [2008-10-02 36864]
S2 appdrvrem01;Application Driver Auto Removal Service (01);c:\windows\System32\appdrvrem01.exe svc --> c:\windows\System32\appdrvrem01.exe svc [?]
S3 XDva210;XDva210;\??\c:\windows\system32\XDva210.sys --> c:\windows\system32\XDva210.sys [?]
S3 XDva214;XDva214;\??\c:\windows\system32\XDva214.sys --> c:\windows\system32\XDva214.sys [?]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{82589c3e-0188-11de-a40a-00ff39151ab4}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
.
‘計劃任務’ 文件夾 裡的內容
2009-02-22 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-22 13:27]
2009-01-09 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1223363859.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-12-02 20:38]
2009-02-28 c:\windows\Tasks\查看 Windows Live Toolbar 的更新資訊.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
- - - - ORPHANS REMOVED - - - -
BHO-{A776475E-FDD1-45E3-A262-B7FF54375F00} - c:\windows\system32\efcASKCv.dll
BHO-{AE90C38C-97CF-4696-B290-C7973DC9675E} - c:\program files\Little Fighter 2 Toolbar\v3.3.0.1\Little_Fighter_2_Toolbar.dll
BHO-{b5402f9b-afdd-4aeb-b75a-47a14fec227f} - c:\windows\system32\qvzbnk.dll
Toolbar-{C3CD744D-2FAE-4640-8297-16B5DA423104} - c:\program files\Little Fighter 2 Toolbar\v3.3.0.1\Little_Fighter_2_Toolbar.dll
WebBrowser-{C3CD744D-2FAE-4640-8297-16B5DA423104} - c:\program files\Little Fighter 2 Toolbar\v3.3.0.1\Little_Fighter_2_Toolbar.dll
HKCU-Run-BitComet - c:\program files\BitComet\BitComet.exe
MSConfigStartUp-Device Detector - DevDetect.exe
.
------- 額外的掃描 -------
.
uStart Page = hxxp://www.daemon-search.com/default
uInternet Connection Wizard,ShellNext = hxxp://asia.acdsee.com/products/install?pid=acdsee10_zh-hk&ver=10.0.225.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - hxxp://favorites.live.com/quickadd.aspx
IE: Foxy 下載 - c:\program files\Foxy\Foxy.exe/download.htm
IE: Foxy 搜尋 - c:\program files\Foxy\Foxy.exe/search.htm
IE: 使用迅雷下載 - c:\program files\Thunder Network\Thunder\Program\geturl.htm
IE: 使用迅雷下載全部鏈接 - c:\program files\Thunder Network\Thunder\Program\getallurl.htm
IE: 匯出至 Microsoft Office Excel(&X) - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: 蹲 Microsoft Excel(&X) - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - c:\program files\Thunder Network\Thunder\Thunder.exe
TCP: {80FCD54C-06A5-4A7A-ACE3-1662EEE09D61} = 203.198.23.208 205.252.144.126
DPF: {81F3CC2E-5F40-41A5-9FCA-6DAAA6051D46} - hxxp://210.64.51.191/download/ClientATXCtrl.cab
DPF: {8DE6AB9C-8C62-486B-8C06-5C9AD6FD06F1} - hxxp://txn01.hkjc.com/BetSlip/object/eWinCtl.cab
FF - ProfilePath - c:\documents and settings\CHUNG\Application Data\Mozilla\Firefox\Profiles\b8ao4co6.default\
FF - plugin: c:\program files\Final Codecs\MozillaPlugins\nppl3260.dll
FF - plugin: c:\program files\Final Codecs\MozillaPlugins\nprjplug.dll
FF - plugin: c:\program files\Final Codecs\MozillaPlugins\nprpjplug.dll
FF - plugin: c:\program files\Java\j2re1.4.1_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.1_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.1_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.1_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.1_03\bin\NPJPI141_03.dll
FF - plugin: c:\program files\Java\j2re1.4.1_03\bin\NPOJI610.dll
---- 火狐配置文件 ----
c:\program files\Mozilla Firefox\defaults\profile\foxy.js - user_pref("network.protocol-handler.external.foxy", true);
c:\program files\Mozilla Firefox\defaults\profile\foxy.js - user_pref("network.protocol-handler.warn-external.foxy", false);
c:\program files\Mozilla Firefox\defaults\profile\foxy.js - user_pref("network.protocol-handler.expose.foxy", true);
c:\program files\Mozilla Firefox\defaults\profile\foxy.js - user_pref("general.useragent.extra.foxy1", "Foxy/1");
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-03-01 09:24:23
Windows 5.1.2600 Service Pack 3 NTFS
掃描被隱藏的進程 。。。
掃描被隱藏的啟動組 。。。
掃描被隱藏的文件 。。。
掃描完成
被隱藏的檔案: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"
[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CurVer]
@="BDATuner.元件.1"
.
------------------------ 其他運行進程 ------------------------
.
c:\windows\system32\conime.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\oodag.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
.
**************************************************************************
.
完成時間: 2009-03-01 9:26:15 - 電腦已重新啟動
ComboFix-quarantined-files.txt 2009-03-01 01:26:09
Pre-Run: 57,920,880,640 位元組可用
Post-Run: 58,433,548,288 位元組可用
WindowsXP-KB310994-SP2-Pro-BootDisk-CHT.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
344 --- E O F --- 2009-02-11 17:12:32