.
------- 而外的掃描 -------
.
uStart Page = hxxp://yahoo.com.hk/
uInternet Connection Wizard,ShellNext = iexplore
IE: &使用 FlashGet 下載 - c:\program files\FlashGet\jc_link.htm
IE: &使用BitComet下載本頁視訊 - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &全部使用 FlashGet 下載 - c:\program files\FlashGet\jc_all.htm
IE: Foxy 下載 - c:\program files\Foxy\Foxy.exe/download.htm
IE: Foxy 搜尋 - c:\program files\Foxy\Foxy.exe/search.htm
IE: 上傳到QQ網路硬碟 - c:\program files\Tencent\QQ\AddToNetDisk.htm
IE: 使用BitComet下載全部連結 - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: 使用BitComet下載連結(&B) - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: 新增到QQ自定義面板 - c:\program files\Tencent\QQ\AddPanel.htm
IE: 新增到QQ表情 - c:\program files\Tencent\QQ\AddEmotion.htm
IE: 氝樓善QQ桶 - c:\program files\Tencent\QQ\AddEmotion.htm
IE: 添加到QQ自定義面板 - c:\program files\Tencent\QQ\AddPanel.htm
IE: 添加到QQ表情 - c:\program files\Tencent\QQ\AddEmotion.htm
IE: 用QQ MMS傳送該圖片 - c:\program files\Tencent\QQ\SendMMS.htm
IE: 用QQ彩信發送該圖片 - c:\program files\Tencent\QQ\SendMMS.htm
IE: {{DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - {39732CE5-0EE6-401A-A0B2-27F46B755C5B} - c:\program files\Tencent\QQ\QQIEHelper.dll
TCP: {B346388F-7F3B-4FA3-B15B-0F1B7199F688} = 210.0.128.241 210.0.255.144
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} - hxxp://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
DPF: {8A4943CC-1950-44F9-9045-D3D428FD3948} - hxxp://txn01.hkjc.com/BetSlip/object/eWinCtl.cab
DPF: {8DE6AB9C-8C62-486B-8C06-5C9AD6FD06F1} - hxxp://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-03-13 01:07:08
Windows 5.1.2600 Service Pack 3 FAT NTAPI
掃描被隱藏的進程 。。。
掃描被隱藏的啟動組 。。。
掃描被隱藏的文件 。。。
掃描完成
被隱藏的檔案: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"
[HKEY_USERS\LocalService\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"
[HKEY_USERS\S-1-5-20\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"
[HKEY_USERS\S-1-5-21-861567501-839522115-725345543-1003\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"
[HKEY_USERS\S-1-5-21-861567501-839522115-725345543-1003\Software\Microsoft\Internet Explorer\MenuExt\送0RQ*Q*??b?g]
@="c:\\Program Files\\Tencent\\QQ\\AddPanel.htm"
"contexts"=dword:0000007f
[HKEY_USERS\S-1-5-21-861567501-839522115-725345543-1003\Software\Microsoft\Internet Explorer\MenuExt\送0RQ*Q*h`]
@="c:\\Program Files\\Tencent\\QQ\\AddEmotion.htm"
"contexts"=dword:00000002
[HKEY_USERS\S-1-5-21-861567501-839522115-725345543-1003\Software\Microsoft\Internet Explorer\MenuExt\ljQ*Q*vh]
@="c:\\Program Files\\Tencent\\QQ\\AddEmotion.htm"
"contexts"=dword:00000002
[HKEY_USERS\S-1-5-21-861567501-839522115-725345543-1003\Software\Microsoft\Internet Explorer\MenuExt\0RQ*Q*??b?g]
@="c:\\Program Files\\Tencent\\QQ\\AddPanel.htm"
"contexts"=dword:0000007f
[HKEY_USERS\S-1-5-21-861567501-839522115-725345543-1003\Software\Microsoft\Internet Explorer\MenuExt\0RQ*Q*h`]
@="c:\\Program Files\\Tencent\\QQ\\AddEmotion.htm"
"contexts"=dword:00000002
[HKEY_USERS\S-1-5-21-861567501-839522115-725345543-1003\Software\Microsoft\Internet Explorer\MenuExt\(uQ*Q*i_嘓|v?WGr]
@="c:\\Program Files\\Tencent\\QQ\\SendMMS.htm"
"contexts"=dword:00000002
[HKEY_USERS\S-1-5-21-861567501-839522115-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Q*Q*?Ar]
"Order"=hex:08,00,00,00,02,00,00,00,00,01,00,00,01,00,00,00,02,00,00,00,76,00,
00,00,00,00,00,00,68,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,56,00,36,\
[HKEY_USERS\S-1-5-21-861567501-839522115-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Q*Q*J?b]
"Order"=hex:08,00,00,00,02,00,00,00,f8,00,00,00,01,00,00,00,02,00,00,00,76,00,
00,00,00,00,00,00,68,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,56,00,36,\
[HKEY_USERS\S-1-5-21-861567501-839522115-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\nn`4*?@Y?3w?]
"Order"=hex:08,00,00,00,02,00,00,00,0c,01,00,00,01,00,00,00,02,00,00,00,7c,00,
00,00,00,00,00,00,6e,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,5c,00,32,\
[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"
[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CurVer]
@="BDATuner.元件.1"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Q*Q*A~?送0W;N]
"SlowInfoCache"=hex:28,02,00,00,00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,
00,00,00,00,00,ff,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"Changed"=dword:00000000
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Q*Q*A~?J?b'Y醰]
"SlowInfoCache"=hex:28,02,00,00,00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,
00,00,00,00,00,ff,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"Changed"=dword:00000000
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\Q*Q*A~?送0W;N]
"DisplayName"="QQ繁體新斗地主"
"UninstallString"="c:\\PROGRA~1\\TENCENT\\QQGAME\\newddz\\UNWISE.EXE c:\\PROGRA~1\\TENCENT\\QQGAME\\newddz\\INSTALL.LOG"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\Q*Q*A~?J?b'Y醰]
"DisplayName"="QQ繁體遊戲大廳"
"UninstallString"="c:\\PROGRA~1\\TENCENT\\QQGAME\\UNWISE.EXE c:\\PROGRA~1\\TENCENT\\QQGAME\\INSTALL.LOG"
[HKEY_LOCAL_MACHINE\software\TAITO\??g0G*O*??????\1.00]
"Driver"="1.0.0.3"
[HKEY_LOCAL_MACHINE\software\TAITO\??g0'/送y^琫 *q\}ey^琫鋑]
"install"=dword:00000001
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\?悐 *L*i*v*e*U*p*d*a*t*e* *zhV\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
.
--------------------- 運行進程下的動態鏈接庫 ---------------------
- - - - - - - > 'winlogon.exe'
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\klogon.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
- - - - - - - > 'lsass.exe'
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\dnsq.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
.
------------------------ 其他運行進程 ------------------------
.
c:\windows\system32\conime.exe
c:\program files\ANUS.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
完成時間: 2009-03-13 1:09:46 - 電腦已重新啟動
ComboFix-quarantined-files.txt 2009-03-12 17:09:42
Pre-Run: 10,154,311,680 位元組可用
Post-Run: 11,180,883,968 位元組可用
WindowsXP-KB310994-SP2-Pro-BootDisk-CHT.exe
[boot loader]
timeout=2
default=multidiskrdiskpartition\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multidiskrdiskpartition\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
342 --- E O F --- 2009-03-08 17:23:18