01-06-2009, 04:11 PM   #5
lizbette
Registered User
 
Join Date: Dec 2008
Posts: 10
OS: windows xp service pack 3


Re: Possible Trojan, DNS problem, Redirecting!!! Despr8

Here's the log.
ComboFix ran in Chinese, and I had no idea how to change that. I had enough Chinese in my vocab to understand what it was doing, though.

Apparently Windows Recovery Console could not be installed because there was something wrong with the internet connection? Therefore I stopped ComboFix and tried opening Internet Explorer, but every page was "This page cannot be displayed".
After I restarted, the internet connection was restored, so I tried to manually install Windows Recovery Console through the Microsoft website, but the download page had a "This page cannot be displayed" -- virus at work?? Since Windows Recovery Console would not be installed no matter what, I just ran ComboFix without it.

Thank you for the info about the registry cleaners. I have uninstalled them.

As for SmitFraudFix, yes, I used it to try to get rid of Zlob, but as this whole Windows Update/MSN redirecting thing is still occurring on both my laptop and computer, I concluded that it did not work and that Zlob was still on the computers, and had in fact spread.

ComboFix 09-01-05.05 - Owner 2009-01-06 17:39:42.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.936.86.1033.18.254.97 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

NOTE - this computer does not have the Recovery Console installed !!
.

((((((((((((((((((((((((((((((((((((((( Files Deleted )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\mdm.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((( Files Created from 2008-12-06 to 2009-01-06 )))))))))))))))))))))))))))))))
.

2009-01-03 23:21 . 2009-01-04 08:31 <DIR> d-------- c:\program files\Perfect Optimizer
2009-01-03 23:01 . 2009-01-04 08:31 <DIR> d-------- c:\program files\RegistryFix7
2009-01-01 17:04 . 2009-01-01 17:03 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-01 17:03 . 2009-01-01 17:03 <DIR> d-------- c:\program files\Java
2009-01-01 16:59 . 2009-01-01 16:59 0 --a------ c:\windows\system32\REN79.tmp
2009-01-01 16:59 . 2009-01-01 16:59 0 --a------ c:\windows\system32\REN78.tmp
2009-01-01 14:18 . 2009-01-01 15:12 <DIR> d-------- c:\program files\fxsolutions
2009-01-01 01:24 . 2009-01-01 01:24 <DIR> d-------- c:\program files\Common Files\Tencent
2009-01-01 01:23 . 2009-01-01 01:23 <DIR> d-------- c:\program files\Tencent
2009-01-01 01:23 . 2009-01-01 01:25 <DIR> d-------- c:\documents and settings\Owner\Application Data\Tencent
2008-12-30 13:33 . 2008-12-30 14:20 <DIR> d--h----- c:\program files\InstallJammer Registry
2008-12-30 12:58 . 2008-12-30 12:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Marlin
2008-12-30 12:55 . 2008-12-30 12:55 <DIR> d-------- c:\program files\DIFX
2008-12-30 12:55 . 2008-12-30 12:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\kinoma
2008-12-28 21:57 . 2008-12-28 21:57 0 --a------ c:\windows\NSREX.INI
2008-12-28 21:53 . 2008-12-28 21:53 <DIR> d-------- c:\windows\system32\Viewers
2008-12-28 21:51 . 2008-12-28 21:51 <DIR> d-------- c:\windows\Twain32
2008-12-28 21:51 . 2008-12-28 21:51 <DIR> d-------- c:\program files\Snapshot Viewer
2008-12-26 16:30 . 2008-12-28 21:52 <DIR> d-------- c:\windows\ShellNew
2008-12-26 16:28 . 2008-12-26 16:28 <DIR> d-------- c:\documents and settings\Owner\Application Data\Microsoft Web Folders
2008-12-24 17:21 . 2008-04-13 20:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-12-24 17:21 . 2008-04-13 14:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-12-24 17:21 . 2008-04-13 14:45 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-12-24 17:21 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-12-24 12:30 . 2008-12-24 13:26 63 --a------ c:\windows\system\SysSD.dll
2008-12-21 17:38 . 2008-12-21 17:45 <DIR> d-------- C:\KAV
2008-12-21 15:19 . 2008-12-21 15:19 <DIR> d-------- c:\program files\Alwil Software
2008-12-19 12:17 . 2008-12-12 00:57 78,336 --a------ c:\windows\system32\Agent.OMZ.Fix.exe
2008-12-18 23:04 . 2008-12-19 19:39 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-18 20:52 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-18 19:21 . 2008-12-31 22:26 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-10 12:52 . 2008-12-10 12:52 <DIR> d-------- c:\program files\VTTrader 2

.
(((((((((((((((((((((((((((((((((((((((( Files Modified Within the Last Three Months ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-06 03:52 --------- d-----w c:\documents and settings\Owner\Application Data\Skype
2009-01-06 03:05 --------- d-----w c:\documents and settings\Owner\Application Data\skypePM
2009-01-03 01:41 --------- d-----w c:\program files\Common Files\Adobe
2009-01-01 18:38 --------- d-----w c:\program files\fxsgts
2009-01-01 03:22 --------- d-----w c:\program files\E-Book Systems
2008-12-28 19:04 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-26 21:27 --------- d-----w c:\program files\microsoft frontpage
2008-12-20 03:08 --------- d-----w c:\program files\Google
2008-12-18 23:19 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-04 04:15 --------- d-----w c:\documents and settings\All Users\Application Data\VTSystems
2008-12-04 04:11 --------- d-----w c:\program files\OperaPro2
2008-11-12 00:27 --------- d-----w c:\program files\MetaTrader - Alpari (US)
2008-03-14 23:00 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2001-10-05 16:53 21,866 ----a-w c:\program files\Common Files\tppupd2k.dll
1998-12-09 02:53 99,840 ----a-w c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w c:\program files\Common Files\IRASRIAL.DLL
2008-08-19 18:14 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081920080820\index.dat
.

((((((((((((((((((((((((((((((((((((( Registry Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-11 185896]
"TPP Auto Loader"="c:\windows\TPPALDR.EXE" [2001-10-05 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-01 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 c:\windows\BCMSMMSG.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
Symantec Fax Starter Edition Port.lnk - c:\program files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 45568]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\XRainbowPhone\\XRainbowPhone.exe"=
"c:\\Program Files\\Common Files\\Synacast\\SynaLive\\PE.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Tencent\\QQ2009\\Bin\\QQ.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\DealBook 360\\DealBookFX.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5425:TCP"= 5425:TCP:ppLive
"6152:UDP"= 6152:UDP:ppLive
"1950:TCP"= 1950:TCP:fx trader
"1999:TCP"= 1999:TCP:Port1
"3020:TCP"= 3020:TCP:Port2
"2020:TCP"= 2020:TCP:Port3
"1000:TCP"= 1000:TCP:Port4

S3 Alidevice;Alidevice; [x]
S3 TPP725;USB Storage Adapter (TPP);c:\windows\system32\drivers\TPP725.SYS [2004-03-07 43269]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d70f482-42ce-11dc-b952-000bdbc46caf}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com g:
\Shell\Open\command - g:\resycled\boot.com g:
.
Contents of the 'Scheduled Tasks' folder

2009-01-06 c:\windows\Tasks\PerfectOptimzier_OneClick.job
- c:\program files\Perfect Optimizer\PerfectOptimizer.exe []
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{A057A204-BACC-4D26-CEC4-75A487FD6484} - (no file)
HKCU-Run-Sonic RecordNow! - (no file)
HKLM-Run-PerfectOptimizer - c:\program files\Perfect Optimizer\PerfectOptimizer.exe


.
------- Supplementary Scan -------
.
IE: 添加到QQ表情 (Add to QQ emoticons)
IE: 添加到QQ表情 (Add to QQ emoticons) - c:\program files\Tencent\qq\AddEmotion.htm
IE: 添加到QQ表情 (Add to QQ emoticons) - c:\program files\Tencent\QQ\AddEmotion.htm

c:\windows\Downloaded Program Files\safeInput4jh.dll - O16 -: {A3CD7F74-93C9-4BC4-B892-CCDF1514F714}
hxxps://pbank.95559.com.cn/personbank/ocx/safe_bankcomm.cab
.
.
------- File Types -------
.
chm.file="hh.exe" %1
txtfile=c:\windows\notepad.exe %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-06 17:44:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1801674531-583907252-725345543-1003\Software\Microsoft\Internet Explorer\MenuExt\鹠燫0RQ*NULL*Q*NULL*h埮`]
@="c:\\Program Files\\Tencent\\QQ\\AddEmotion.htm"
"contexts"=dword:00000002

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\%懫qR漢*NULL**NULL*鉺*NULL*\InfFile]
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Dbgagt\1*NULL*]
"value"="?\04\00\02\12\05\1f?"

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\MenuExt\鹠燫0RQ*NULL*Q*NULL*h埮`]
"contexts"=dword:00000002
@="c:\\Program Files\\Tencent\\QQ2009\\Bin\\AddEmotion.htm"
.
Completion time: 2009-01-06 17:48:28
ComboFix-quarantined-files.txt 2009-01-06 22:47:50

Pre-Run: 44,097,908,736 bytes free
Post-Run: 44,268,527,616 bytes free

171 --- E O F --- 2008-12-25 22:26:38
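As an added example (not part of lizbette's post, and not ComboFix's own code), here is a small Python triage script that picks out the two entries in the log above that a responder would look at first: the MountPoints2 AutoRun/Open commands for a removable volume, which hand control to resycled\boot.com on drive g:, and the firewall exceptions opened under generic names like Port1 to Port4. The sample input is copied from the log in the post; the function names, the dataclasses and the "trusted launcher" heuristic (a binary run straight from c:\windows\system32\ is treated as the launcher, anything else the command names is the payload) are this example's own assumptions.

```python
"""Triage a ComboFix-style log: flag MountPoints2 Shell verbs that run a
payload off the removable volume, and firewall exceptions opened under
generic names. Added example, not part of the original post or ComboFix;
helper names and the launcher heuristic are this example's assumptions."""
import re
from dataclasses import dataclass

# Sample input: the MountPoints2 block and GloballyOpenPorts list copied from the log above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d70f482-42ce-11dc-b952-000bdbc46caf}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com g:
\Shell\Open\command - g:\resycled\boot.com g:
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5425:TCP"= 5425:TCP:ppLive
"6152:UDP"= 6152:UDP:ppLive
"1950:TCP"= 1950:TCP:fx trader
"1999:TCP"= 1999:TCP:Port1
"3020:TCP"= 3020:TCP:Port2
"2020:TCP"= 2020:TCP:Port3
"1000:TCP"= 1000:TCP:Port4
"""


@dataclass(frozen=True)
class AutoRunHit:
    volume_guid: str   # MountPoints2 subkey: one per volume this user has mounted
    verb: str          # e.g. \Shell\AutoRun\command
    payload: str       # executable the verb's command reaches


@dataclass(frozen=True)
class OpenPort:
    port: int
    proto: str
    name: str


MP_HEADER_RE = re.compile(r'(?i)^\[.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$')
VERB_RE = re.compile(r'^(\\Shell\\\S+?)\s+-\s+(.+)$')
EXEC_RE = re.compile(r'(?i)\S+\.(?:com|exe|bat|cmd|vbs|scr|pif)\b')
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
GENERIC_NAME_RE = re.compile(r'(?i)^port\d*$')

# Assumption: a binary launched straight from system32 (rundll32 here) is the
# launcher, not the payload; every other executable the command names is reported.
TRUSTED_LAUNCHER_DIRS = ('c:\\windows\\system32\\',)


def parse_mountpoints(log: str) -> list[AutoRunHit]:
    """Track which MountPoints2 volume key we are inside and report every
    executable its Shell verbs reach, other than the trusted launcher."""
    hits, guid = [], None
    for raw in log.splitlines():
        line = raw.strip()
        header = MP_HEADER_RE.match(line)
        if header:
            guid = header.group(1)
            continue
        if line.startswith('['):          # any other key header ends the block
            guid = None
            continue
        if guid is None:
            continue
        verb = VERB_RE.match(line)
        if not verb:
            continue
        verb_path, command = verb.groups()
        for token in EXEC_RE.findall(command):
            if not token.lower().startswith(TRUSTED_LAUNCHER_DIRS):
                hits.append(AutoRunHit(guid, verb_path, token))
    return hits


def parse_open_ports(log: str) -> list[OpenPort]:
    """Collect GloballyOpenPorts entries of the form "5425:TCP"= 5425:TCP:ppLive."""
    ports = []
    for raw in log.splitlines():
        m = PORT_RE.match(raw.strip())
        if m:
            ports.append(OpenPort(int(m.group(1)), m.group(2), m.group(3).strip()))
    return ports


def generic_ports(ports: list[OpenPort]) -> list[OpenPort]:
    """Exceptions named Port1, Port2 ... say nothing about who opened them;
    each one needs an identified owner before it is left in place."""
    return [p for p in ports if GENERIC_NAME_RE.match(p.name)]


def triage(log: str) -> dict:
    return {
        'autorun': parse_mountpoints(log),
        'generic_ports': generic_ports(parse_open_ports(log)),
    }


if __name__ == '__main__':
    result = triage(SAMPLE_LOG)
    for hit in result['autorun']:
        print(f"AutoRun payload on volume {hit.volume_guid}: {hit.verb} -> {hit.payload}")
    for p in result['generic_ports']:
        print(f"Unexplained firewall exception: {p.port}/{p.proto} ({p.name})")
```

A MountPoints2 entry whose AutoRun or Open verb runs a file stored on the removable volume itself is the pattern to treat as hostile until proven otherwise: double-clicking that drive in Explorer, on this machine or the next one the stick is plugged into, runs the payload instead of opening the folder. The generic port names are only a prompt to find out what created them; ppLive and fx trader, by contrast, correspond to applications visible elsewhere in the same log.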