Old 10-21-2008, 09:59 PM   #7 (permalink)
YSJR


Re: Infected with Trojan

Dear Katana,

Here are the logs, thanks.

ComboFix 08-10-15.05 - Wai Hung 2008-10-22 12:01:46.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.2475 [GMT 11:00]
执行位置: C:\Documents and Settings\Wai Hung\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Wai Hung\Desktop\CFScript.txt
* 成功创造新还原点
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( 驱动/服务 )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NTFRS
-------\Legacy_PACKET
-------\Legacy_TDSSSERV
-------\Service_Ntfrs
-------\Service_vqdtdkez


((((((((((((((((((((((((( 2008-09-22 至 2008-10-22 的新的档案 )))))))))))))))))))))))))))))))
.

2008-10-15 19:00 . 2008-10-15 19:01 <DIR> d-------- C:\rsit
2008-10-15 19:00 . 2008-10-15 19:01 <DIR> d-------- C:\Program Files\trend micro
2008-10-15 17:00 . 2008-08-14 21:11 2,189,184 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 17:00 . 2008-08-14 21:09 2,145,280 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 17:00 . 2008-08-14 20:33 2,066,048 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 17:00 . 2008-08-14 20:33 2,023,936 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-15 17:00 . 2008-09-15 23:12 1,846,400 --------- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-15 17:00 . 2008-09-08 21:41 333,824 --------- C:\WINDOWS\system32\dllcache\srv.sys
2008-09-29 12:48 . 2008-09-29 12:48 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-09-29 00:02 . 2008-09-29 00:02 <DIR> d-------- C:\Documents and Settings\Wai Hung\Application Data\Recordpad
2008-09-29 00:01 . 2008-09-29 00:02 <DIR> d-------- C:\Documents and Settings\Wai Hung\Application Data\NCH Swift Sound
2008-09-29 00:01 . 2008-09-29 00:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-09-29 00:00 . 2008-10-09 10:29 <DIR> d-------- C:\Program Files\NCH Swift Sound
2008-09-29 00:00 . 2008-09-29 00:00 <DIR> d-------- C:\Program Files\NCH Software
2008-09-26 12:59 . 2008-09-26 12:59 <DIR> d-------- C:\WINDOWS\system32\LogFiles

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-22 01:06 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-21 10:49 --------- d-----w C:\Program Files\McAfee
2008-10-17 01:44 --------- d-----w C:\Program Files\Java
2008-10-15 07:40 --------- d-----w C:\Documents and Settings\Wai Hung\Application Data\AdobeUM
2008-10-07 09:59 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-09-29 06:32 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Roxio
2008-09-29 01:48 --------- d-----w C:\Program Files\Common Files\Real
2008-09-20 10:38 --------- d-----w C:\Documents and Settings\Wai Hung\Application Data\Malwarebytes
2008-09-20 10:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-19 02:07 84,624 ----a-w C:\Documents and Settings\Wai Hung\Application Data\GDIPFONTCACHEV1.DAT
2008-09-18 03:32 --------- d-----w C:\Program Files\Bonjour
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-09 14:04 38,528 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-09 14:03 17,200 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-14 10:09 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 10:04 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-08-14 09:33 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-01-15 19:52 76 --sh--r C:\WINDOWS\CT4CET.bin
.

((((((((((((((((((((((((((((( snapshot@2008-10-16_17.09.37.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-16 03:35:54 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-10-21 22:38:28 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-10-16 03:35:54 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-10-21 22:38:28 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-11 8429568]
"OEM02Mon.exe"="C:\WINDOWS\OEM02Mon.exe" [2007-08-28 36864]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"DELL Webcam Manager"="C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"KADxMain"="C:\WINDOWS\system32\KADxMain.exe" [2006-11-02 282624]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 582992]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"Google IME Autoupdater"="C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe" [2008-08-05 308720]
"Samsung PanelMgr"="C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe" [2005-10-31 503808]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"nwiz"="nwiz.exe" [2007-05-11 C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2007-05-11 C:\WINDOWS\system32\nvhotkey.dll]
"NvMediaCenter"="NvMCTray.dll" [2007-06-06 C:\WINDOWS\system32\nvmctray.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2007-05-06 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-05-17 568176]
Dell Network Assistant.lnk - C:\WINDOWS\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2008-01-16 7168]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2008-01-16 50688]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\3 Mobile\\3 Mobile Broadband\\3 Mobile Broadband.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\美女麻将\\美女麻将.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\?à???é??\\?à???é??.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC

R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 28184]
R3 OEM02Dev;Creative Camera OEM002 Driver;C:\WINDOWS\system32\DRIVERS\OEM02Dev.sys [2007-08-28 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;C:\WINDOWS\system32\DRIVERS\OEM02Vfx.sys [2007-08-28 7424]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{943cef6d-6935-11dd-a189-001e4cdce70b}]
\Shell\AutoRun\command - E:\AutoRun.exe
.
‘计划任务’ 文件夹 里的内容

2008-05-14 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]

2008-08-31 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-22 1235
Windows 5.1.2600 Service Pack 3 NTFS

扫描被隐藏的进程。。。 ...

扫描被隐藏的启动组。。。

扫描被隐藏的文件。。。

扫描完成
被隐藏的档案: 0

**************************************************************************
.
--------------------- 运行进程下的动态链接库 ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\nview.dll
.
------------------------ 其他运行进程 ------------------------
.
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
.
**************************************************************************
.
完成时间: 2008-10-22 12:11:08 - 电脑已重新启动
ComboFix-quarantined-files.txt 2008-10-22 01:11:02
ComboFix2.txt 2008-10-16 06:10:08

Pre-Run: 118,417,354,752 bytes free
Post-Run: 118,457,208,832 bytes free

194 --- E O F --- 2008-10-15 06:04:45



AND THE SCAN LOG:

ANALYSIS: 2008-10-22 15:37:51
PROTECTIONS: 2
MALWARE: 11
SUSPECTS: 1
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
McAfee Internet Security Suite 2007 8.1 No Yes
McAfee VirusScan Plus 12.1 No No
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00034347 dialer.su Dialers No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\uninstall\switch
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Wai Hung\Cookies\wai_hung@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Wai Hung\Cookies\wai_hung@atdmt[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Wai Hung\Cookies\wai_hung@tribalfusion[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Wai Hung\Cookies\wai_hung@bs.serving-sys[1].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Wai Hung\Cookies\wai_hung@statse.webtrendslive[1].txt
00366244 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Wai Hung\Desktop\Flash_Disinfector.exe[C:\Documents and Settings\Wai Hung\Desktop\Flash_Disinfector.exe][nircmd.exe]
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP178\A0039240.EXE
01196325 Cookie/Enhance TrackingCookie No 0 Yes No C:\Documents and Settings\Wai Hung\Cookies\wai_hung@enhance[2].txt
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP178\A0039226.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP173\A0037794.sys
03738686 Generic Malware Virus/Trojan No 0 No No C:\Documents and Settings\Wai Hung\Desktop\ComboFix.exe[32788R22FWJFW\catchme.cfexe]
;===================================================================================================================================================================================
SUSPECTS
Sent Location Y
;===================================================================================================================================================================================
No C:\Documents and Settings\Wai Hung\Desktop\ComboFix.exe[32788R22FWJFW\psexec.cfexe] Y
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description Y
;===================================================================================================================================================================================
;===================================================================================================================================================================================