.
------- Additional scan -------
.
uStart Page = hxxp://hk.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: 上傳到QQ網路硬碟 - c:\program files\Tencent\QQ\AddToNetDisk.htm
IE: 新增到QQ自定義面板 - c:\program files\Tencent\QQ\AddPanel.htm
IE: 新增到QQ表情 - c:\program files\Tencent\QQ\AddEmotion.htm
IE: 用QQ MMS傳送該圖片 - c:\program files\Tencent\QQ\SendMMS.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-03-03 23:50:27
Windows 5.1.2600 Service Pack 2 NTFS
Scanning hidden processes ...
Scanning hidden autostart entries ...
Scanning hidden files ...
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1343024091-507921405-725345543-1003\Software\Microsoft\Internet Explorer\MenuExt\送0RQ*Q*??b?g]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@="c:\\Program Files\\Tencent\\QQ\\AddPanel.htm"
"contexts"=dword:0000007f
[HKEY_USERS\S-1-5-21-1343024091-507921405-725345543-1003\Software\Microsoft\Internet Explorer\MenuExt\送0RQ*Q*h`]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@="c:\\Program Files\\Tencent\\QQ\\AddEmotion.htm"
"contexts"=dword:00000002
[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"
[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CurVer]
@="BDATuner.元件.1"
[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lxKa\DefaultIcon]
@="c:\\PROGRA~1\\Ahead\\nero\\nero.exe,14"
[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lxKa\shell\open\command]
@="c:\\PROGRA~1\\Ahead\\nero\\nero.exe \"%1\""
[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lxKa\shell\print\command]
@="c:\\PROGRA~1\\Ahead\\nero\\nero.exe /p \"%1\""
[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lxKa\shell\printto\command]
@="c:\\PROGRA~1\\Ahead\\nero\\nero.exe /pt \"%1\" \"%2\" \"%3\" \"%4\""
[HKEY_LOCAL_MACHINE\software\Classes\gOGPKb掞?觀.*M*y*N*S*H*a*n*d*l*e*r*\Clsid]
@="{E8CFC029-8420-4EAE-ADEF-915BDC77E1DC}"
[HKEY_LOCAL_MACHINE\software\Classes\?P[鷸-*俏舸箖刁j?(*P?*.*m*e*c*P*r*o*t*o*c*o*l*\Clsid]
@="{2E1346C0-7D18-11D5-A7E7-00C02626503F}"
.
------------------------ Other running processes ------------------------
.
c:\windows\system32\conime.exe
c:\program files\god.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2009-03-03 23:59:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-03 15:57:46
Pre-Run: 970,166,272 bytes free
Post-Run: 2,837,655,552 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-CHT.exe
[boot loader]
timeout=2
default=multidiskrdiskpartition\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multidiskrdiskpartition\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
289 --- E O F --- 2009-02-26 15:40:38