ComboFix 10-05-07.07 - Administrator /05/09 Sunday 11:20:27.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.950.886.1028.18.1023.721 [GMT 8:00]
Running from: c:\documents and settings\Administrator\桌面\ComboFix.exe
AV: ESET Smart Security 4.0 *On-access scanning enabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Personal Firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Antivirus software is still running
Note - The Recovery Console is not installed on this computer !!
.
((((((((((((((((((((((((( Files Created from 2010-04-09 to 2010-05-09 )))))))))))))))))))))))))))))))
.
No new files were created in this period.
.
(((((((((((((((((((((((((((((((((((((((( Files Modified in the Last Three Months ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-08 14:40 . 2010-02-15 14:13 -------- d-----w- c:\program files\ALiBaBar
2010-04-06 11:48 . 2010-02-16 21:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2010-04-06 11:47 . 2010-02-16 21:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2010-04-05 13:32 . 2010-04-05 13:32 4608 ----a-w- c:\documents and settings\Administrator\Application Data\Xenocode\ApplianceCaches\SFL.exe_v5E0E9655\Native\STUBEXE\@SYSTEM@\IME\Chewing\ChewingServer.exe
2010-04-04 13:41 . 2010-04-04 13:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\QQMusicUpdate
2010-04-04 13:41 . 2010-02-16 22:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Tencent
2010-04-04 10:00 . 2010-03-05 10:19 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-04 07:10 . 2010-04-04 07:10 4608 ----a-w- c:\documents and settings\Administrator\Application Data\Xenocode\ApplianceCaches\SFL.exe_v5E0E9655\Native\STUBEXE\@SYSTEM@\drwtsn32.exe
2010-03-07 19:51 . 2010-03-07 19:51 2568360 ----a-w- c:\documents and settings\Administrator\Application Data\Tencent\QQ\AuTemp\0NU1ID3Z}JGFYOBZ5SG5ZRI\12675122321261256759\QQ2010Betakb7_update.exe
2010-03-06 02:24 . 2010-03-06 02:24 4608 ----a-w- c:\documents and settings\Administrator\Application Data\Xenocode\ApplianceCaches\SFL.exe_v5E0E9655\Native\STUBEXE\@APPDIR@\Lin.bin.exe
2010-03-06 02:11 . 2010-02-16 05:29 76632 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-06 02:11 . 2010-03-06 02:11 626688 ----a-w- c:\documents and settings\Administrator\Application Data\Xenocode\ApplianceCaches\SFL.exe_v5E0E9655\MSNet20\SXS\Microsoft.VC80.CRT\msvcr80.dll
2010-03-06 02:11 . 2010-03-06 02:11 548864 ----a-w- c:\documents and settings\Administrator\Application Data\Xenocode\ApplianceCaches\SFL.exe_v5E0E9655\MSNet20\SXS\Microsoft.VC80.CRT\msvcp80.dll
2010-03-06 02:11 . 2010-03-06 02:11 479232 ----a-w- c:\documents and settings\Administrator\Application Data\Xenocode\ApplianceCaches\SFL.exe_v5E0E9655\MSNet20\SXS\Microsoft.VC80.CRT\msvcm80.dll
2010-03-06 02:11 . 2010-03-06 02:11 114176 ----a-w- c:\documents and settings\Administrator\Application Data\Xenocode\ApplianceCaches\SFL.exe_v5E0E9655\MSNet20\SXS\System.EnterpriseServices\System.EnterpriseServices.Wrapper.dll
2010-02-20 19:38 . 2010-02-16 22:21 64404 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-18 18:33 . 2010-02-18 18:33 250628 ----a-w- c:\windows\9158Cap.dat
2010-02-18 18:33 . 2010-02-18 18:33 317082 ----a-w- c:\windows\system32\drivers\9158cap.sys
2010-02-16 22:16 . 2010-02-16 22:14 31048 ------w- c:\documents and settings\Administrator\Application Data\Tencent\QQ\SafeBase\SelfUpdate.exe
2010-02-16 22:15 . 2010-02-16 22:15 106496 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe
2010-02-16 22:15 . 2010-02-16 22:15 18718 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut2_E88611396FF84AFCB2EE5C1594058E02.exe
2010-02-16 22:15 . 2010-02-16 22:15 18718 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\ARPPRODUCTICON.exe
2010-02-16 22:15 . 2010-02-16 22:15 106496 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
2010-02-16 22:15 . 2010-02-16 22:15 106496 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe
2010-02-16 22:14 . 2010-02-16 22:14 652616 ----a-w- c:\documents and settings\Administrator\Application Data\Tencent\QQ\STemp\QQpinyinDL~0\QQPinyinDownload\QQDownload.dll
2010-02-16 22:14 . 2010-02-16 22:14 210248 ----a-w- c:\documents and settings\Administrator\Application Data\Tencent\QQ\STemp\QQpinyinDL~0\QQPinyinDownload\QQPinyinDownload.exe
2010-02-16 21:56 . 2010-02-16 21:56 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-02-16 18:58 . 2010-02-16 18:58 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-02-16 18:58 . 2010-02-16 18:58 79488 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-16 05:32 . 2010-02-16 05:32 737280 ----a-w- c:\windows\iun6002.exe
2010-02-16 05:26 . 2010-02-16 05:26 3416 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-02-16 05:26 . 2008-04-21 07:00 67666 ----a-w- c:\windows\system32\prfc0404.dat
2010-02-16 05:26 . 2008-04-21 07:00 231648 ----a-w- c:\windows\system32\prfh0404.dat
2010-02-16 05:24 . 2010-02-16 05:24 315392 ----a-w- c:\windows\HideWin.exe
2010-02-15 14:44 . 2010-02-15 10:38 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-15 14:14 . 2010-02-15 14:14 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-15 14:13 . 2010-02-15 14:13 29422 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{394BE3D9-7F57-4638-A8D1-1D88671913B7}\_294823.exe
2010-02-15 14:13 . 2010-02-15 14:13 23558 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{394BE3D9-7F57-4638-A8D1-1D88671913B7}\_18be6784.exe
2010-02-15 10:35 . 2010-02-15 10:35 21456 ----a-w- c:\windows\system32\emptyregdb.dat
.
------- Sigcheck -------
[-] 2009-01-24 . 7E5A5B50A8BB71578A338DE0ED05CA09 . 1570816 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot_2010-05-08_14.41.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-09 03:19 . 2010-05-09 03:19 16384 c:\windows\Temp\Perflib_Perfdata_774.dat
.
((((((((((((((((((((((((((((((((((((( Registry Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* Empty entries and legitimate default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883840]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-16 135664]
"SRS Audio Sandbox"="c:\program files\SRS Labs\Audio Sandbox\SRSSSC.exe" [2010-01-07 3196184]
"Camfrog"="c:\program files\Camfrog\Camfrog Video Chat\CamfrogNet.exe" [2009-10-13 41864]
"Lingoes"="c:\program files\Lingoes\Translator2\Lingoes.exe" [2009-10-08 2203648]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-21 208952]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-02-15 149280]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]
"nwiz"="nwiz.exe" [2007-04-19 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-19 86016]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 16126464]
"SkyTel"="SkyTel.EXE" [2007-04-04 1822720]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-12-16 2054360]
"9158CamMonitor"="c:\program files\9158VirtualCamera\9158Notify.EXE" [2007-11-06 208896]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-21 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-07 128512]
c:\documents and settings\All Users\「開始」功能表\程式集\啟動\
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2010-2-16 1976056]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-11-10 07:39 5244216 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 08:44 3883840 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Tencent\\QQSoftMgr\\1.0.338.203\\QQSoftMgr.exe"=
"c:\\Program Files\\Tencent\\QQSoftMgr\\1.0.338.203\\QQSoftMgrUpdater.exe"=
"c:\\Program Files\\Tencent\\QQSoftMgr\\1.0.338.203\\TencentUpdateSvc.exe"=
"c:\\Program Files\\Tencent\\QQ\\Bin\\QQ.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 fttxr52P;fttxr52P;c:\windows\system32\drivers\fttxr52P.sys [2009/1/24 03:31 PM 160256]
R0 Si3124;Si3124;c:\windows\system32\drivers\si3124.sys [2009/1/24 03:32 PM 76208]
R0 Si3531;Si3531;c:\windows\system32\drivers\Si3531.sys [2009/1/24 03:31 PM 210736]
R0 ulsata2;ulsata2;c:\windows\system32\drivers\ulsata2.sys [2009/1/24 03:31 PM 125952]
R0 Vax347s;Vax347s;c:\windows\system32\drivers\Vax347s.sys [2010/2/16 01:35 AM 5248]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009/12/16 05:21 PM 108792]
R2 9158CAP;9158cap, WDM Video Capture;c:\windows\system32\drivers\9158cap.sys [2010/2/19 02:33 AM 317082]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2009/12/16 05:21 PM 735960]
R2 TSUSVC;Tencent Software Update Service;c:\program files\Tencent\QQSoftMgr\1.0.338.203\TencentUpdateSvc.exe [2008/12/9 05:22 PM 116040]
S0 Vax347b;Vax347b;c:\windows\system32\drivers\Vax347b.sys [2010/2/16 01:35 AM 159616]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010/2/17 06:21 AM 135664]
.
Contents of the 'Scheduled Tasks' folder
2010-05-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 22:21]
2010-05-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 22:21]
2010-04-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-796845957-2111687655-1417001333-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-16 22:19]
2010-05-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-796845957-2111687655-1417001333-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-16 22:19]
2010-04-04 c:\windows\Tasks\Norton Security Scan for Administrator.job
- c:\program files\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2010-02-18 10:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://tw.yahoo.com/
uInternet Settings,ProxyServer = 0.0.31.144:80
uInternet Settings,ProxyOverride = <local>
IE: Export to Microsoft Excel(&X) - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
.
.
------- File Associations -------
.
txtfile=c:\windows\notepad.exe %1
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-09 11:23
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-796845957-2111687655-1417001333-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b3,54,b7,01,73,ee,b4,4d,b7,10,18,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b3,54,b7,01,73,ee,b4,4d,b7,10,18,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b3,54,b7,01,73,ee,b4,4d,b7,10,18,\
[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"
[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CurVer]
@="BDATuner.元件.1"
[HKEY_LOCAL_MACHINE\software\Classes\O*b*j*e*c*t*D*o*c*k* *;NL?S\DefaultIcon]
@="\"c:\\Program Files\\Stardock\\ObjectDock\\ObjectDock.exe\",1"
[HKEY_LOCAL_MACHINE\software\Classes\O*b*j*e*c*t*D*o*c*k* *;NL?S\shell\open\command]
@="\"c:\\Program Files\\Stardock\\ObjectDock\\ObjectDock.exe\" \"%1\""
[HKEY_LOCAL_MACHINE\software\Classes\O*b*j*e*c*t*D*o*c*k* *涄譸\DefaultIcon]
@="\"c:\\Program Files\\Stardock\\ObjectDock\\ObjectDock.exe\",1"
[HKEY_LOCAL_MACHINE\software\Classes\O*b*j*e*c*t*D*o*c*k* *涄譸\shell\open\command]
@="\"c:\\Program Files\\Stardock\\ObjectDock\\ObjectDock.exe\" \"%1\""
[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *p?hV\Capabilities]
"ApplicationName"="Google 瀏覽器"
"ApplicationIcon"="c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe,0"
"ApplicationDescription"="Google 瀏覽器"
[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *p?hV\Capabilities\FileAssociations]
".xhtml"="ChromeHTML"
".xht"="ChromeHTML"
".shtml"="ChromeHTML"
".html"="ChromeHTML"
".htm"="ChromeHTML"
[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *p?hV\Capabilities\StartMenu]
"StartMenuInternet"="Google 瀏覽器"
[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *p?hV\Capabilities\URLAssociations]
"https"="ChromeHTML"
"http"="ChromeHTML"
"ftp"="ChromeHTML"
[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *p?hV\DefaultIcon]
@="c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe,0"
[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *p?hV\InstallInfo]
"IconsVisible"=dword:00000001
"ShowIconsCommand"="\"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe\" --show-icons"
"HideIconsCommand"="\"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe\" --hide-icons"
"ReinstallCommand"="\"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe\" --make-default-browser"
[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *p?hV\shell\open\command]
@="\"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe\""
[HKEY_LOCAL_MACHINE\software\Microsoft\ESENT\Process\S*R*S*S*S*C* *A~?-N??紒.~\DEBUG]
"Trace Level"=""
[HKEY_LOCAL_MACHINE\software\Microsoft\ESENT\Process\yrfkhV-*ir糞W\DEBUG]
"Trace Level"=""
[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b3,54,b7,01,73,ee,b4,4d,b7,10,18,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b3,54,b7,01,73,ee,b4,4d,b7,10,18,\
.
Completion time: 2010-05-09 11:24:43
ComboFix-quarantined-files.txt 2010-05-09 03:24
ComboFix2.txt 2010-05-08 14:42
ComboFix3.txt 2010-02-16 20:58
Pre-Run: 93,525,901,312 bytes free
Post-Run: 93,493,960,704 bytes free
- - End Of File - - 735A6A4620AB85757ECE41E847422C59
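The review points in a log like this are normally picked out by eye: the AV line reports (Outdated), the standard-profile firewall policy has EnableFirewall=0 (Windows Firewall off, while ESET's own firewall reports enabled), the IE ProxyServer value is 0.0.31.144:80 (an address in 0.0.0.0/8, which is not globally routable, so it is worth confirming with the user rather than assuming it is malicious), and some Run entries use a bare filename or launch from a user-writable profile directory. The script below is an added example, not ComboFix code and not part of this log; it parses a constructed sample built from lines of the log above and applies those checks. The path markers, severity labels and the "unqualified path" and "user-writable location" heuristics are assumptions made for the example, not anything ComboFix itself reports.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix code).

Extracts Run/RunOnce entries, the Windows Firewall policy flag, the IE proxy
value and the AV status line, then applies a few review heuristics. The
heuristics are assumptions for this example, not ComboFix's own logic.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the log above, trimmed to the
# sections this script reads.
SAMPLE_LOG = r"""
AV: ESET Smart Security 4.0 *On-access scanning enabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Personal Firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-16 135664]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]
"nwiz"="nwiz.exe" [2007-04-19 1626112]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-12-16 2054360]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
uStart Page = hxxp://tw.yahoo.com/
uInternet Settings,ProxyServer = 0.0.31.144:80
uInternet Settings,ProxyOverride = <local>
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
RUN_KEY_RE = re.compile(r'\\Run(Once)?$', re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s+\[(\d{4}-\d{2}-\d{2}) (\d+)\])?\s*$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')
PROXY_RE = re.compile(r'^uInternet Settings,ProxyServer\s*=\s*(\S+)')
AV_RE = re.compile(r'^AV: (.*?) \*[^*]*\* \((\w+)\)')

# Assumed markers for user-writable profile locations on Windows XP.
USER_WRITABLE_MARKERS = ("\\application data\\", "\\local settings\\", "\\temp\\")


@dataclass(frozen=True)
class RunEntry:
    key: str
    name: str
    target: str
    date: Optional[str]
    size: Optional[int]


@dataclass(frozen=True)
class Finding:
    severity: str  # "info" or "review"
    detail: str


def parse_run_entries(log_text: str) -> List[RunEntry]:
    """Collect "name"="target" [date size] lines that sit under Run/RunOnce keys."""
    entries: List[RunEntry] = []
    current_key = ""
    for line in log_text.splitlines():
        key = KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        if not RUN_KEY_RE.search(current_key):
            continue
        value = VALUE_RE.match(line)
        if value:
            name, target, date, size = value.groups()
            entries.append(RunEntry(current_key, name, target, date,
                                    int(size) if size else None))
    return entries


def _proxy_note(proxy: str) -> str:
    """Describe the proxy setting; note hosts that are not globally routable."""
    host = proxy.rsplit(":", 1)[0]
    try:
        if not ipaddress.ip_address(host).is_global:
            return (f"IE proxy set to {proxy}; {host} is not a globally routable "
                    "address, confirm the user configured it")
    except ValueError:
        pass  # hostname rather than a literal IP
    return f"IE proxy set to {proxy}; confirm the user configured it"


def triage(log_text: str) -> List[Finding]:
    """Return the review points a reader would otherwise pick out by eye."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        av = AV_RE.match(line)
        if av and av.group(2).lower() == "outdated":
            findings.append(Finding("review", f"AV '{av.group(1)}' reports Outdated"))
        fw = FIREWALL_RE.match(line)
        if fw and fw.group(1) == "0":
            findings.append(Finding("info", "Windows Firewall off in the standard profile "
                                    "(EnableFirewall=0); confirm a third-party firewall covers it"))
        proxy = PROXY_RE.match(line)
        if proxy:
            findings.append(Finding("review", _proxy_note(proxy.group(1))))
    for e in parse_run_entries(log_text):
        if "\\" not in e.target:  # bare filename, resolved through the search order
            findings.append(Finding("review", f"Run entry '{e.name}' uses unqualified path "
                                    f"'{e.target}' (resolved through the search order)"))
        elif any(m in e.target.lower() for m in USER_WRITABLE_MARKERS):
            findings.append(Finding("review", f"Run entry '{e.name}' launches from a "
                                    f"user-writable location: {e.target}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.detail}")
```

Run as a script it prints one line per finding for the sample; point `triage()` at the full text of a ComboFix log to get the same list for a real case. Every finding is a prompt to verify, not a verdict: GoogleUpdate.exe under Local Settings is where Google's per-user updater normally lives, and nwiz.exe is an NVIDIA component, so both are expected here, but an entry in those categories that cannot be tied to installed software is what deserves a closer look.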