Here's the regquery log:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\software\Microsoft\Dbgagt]
Windows Recovery Console still would not install because of some connection problem.
The annoying redirecting still occurs, only now it directs me to Google, but the address bar is correct, reading http://windowsupdate.microsoft.com/.
Here's the ComboFix log (left in Chinese).
ComboFix 09-01-07.01 - Owner 2009-01-07 21:14:46.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.936.86.1033.18.254.60 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
c:\windows\Tasks\PerfectOptimzier_OneClick.job
g:\resycled\boot.com
.
((((((((((((((((((((((((((((((((((((((( Deleted Files )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
C:\resycled
F:\autorun.inf
F:\resycled
G:\autorun.inf
G:\resycled
.
---- Previous Run -------
.
C:\Autorun.inf
C:\resycled
c:\resycled\boot.com
c:\windows\Tasks\PerfectOptimzier_OneClick.job
F:\autorun.inf
F:\resycled
f:\resycled\boot.com
G:\autorun.inf
G:\resycled
g:\resycled\boot.com
.
((((((((((((((((((((((((( Files Created from 2008-12-08 to 2009-01-08 )))))))))))))))))))))))))))))))
.
2009-01-03 23:21 . 2009-01-04 08:31 <DIR> d-------- c:\program files\Perfect Optimizer
2009-01-03 23:01 . 2009-01-04 08:31 <DIR> d-------- c:\program files\RegistryFix7
2009-01-01 17:04 . 2009-01-01 17:03 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-01 17:03 . 2009-01-01 17:03 <DIR> d-------- c:\program files\Java
2009-01-01 16:59 . 2009-01-01 16:59 0 --a------ c:\windows\system32\REN79.tmp
2009-01-01 16:59 . 2009-01-01 16:59 0 --a------ c:\windows\system32\REN78.tmp
2009-01-01 14:18 . 2009-01-01 15:12 <DIR> d-------- c:\program files\fxsolutions
2009-01-01 01:24 . 2009-01-01 01:24 <DIR> d-------- c:\program files\Common Files\Tencent
2009-01-01 01:23 . 2009-01-01 01:23 <DIR> d-------- c:\program files\Tencent
2009-01-01 01:23 . 2009-01-01 01:25 <DIR> d-------- c:\documents and settings\Owner\Application Data\Tencent
2008-12-30 13:33 . 2008-12-30 14:20 <DIR> d--h----- c:\program files\InstallJammer Registry
2008-12-30 12:58 . 2008-12-30 12:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Marlin
2008-12-30 12:55 . 2008-12-30 12:55 <DIR> d-------- c:\program files\DIFX
2008-12-30 12:55 . 2008-12-30 12:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\kinoma
2008-12-28 21:57 . 2008-12-28 21:57 0 --a------ c:\windows\NSREX.INI
2008-12-28 21:53 . 2008-12-28 21:53 <DIR> d-------- c:\windows\system32\Viewers
2008-12-28 21:51 . 2008-12-28 21:51 <DIR> d-------- c:\windows\Twain32
2008-12-28 21:51 . 2008-12-28 21:51 <DIR> d-------- c:\program files\Snapshot Viewer
2008-12-26 16:30 . 2008-12-28 21:52 <DIR> d-------- c:\windows\ShellNew
2008-12-26 16:28 . 2008-12-26 16:28 <DIR> d-------- c:\documents and settings\Owner\Application Data\Microsoft Web Folders
2008-12-24 17:21 . 2008-04-13 20:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-12-24 17:21 . 2008-04-13 14:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-12-24 17:21 . 2008-04-13 14:45 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-12-24 17:21 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-12-24 12:30 . 2008-12-24 13:26 63 --a------ c:\windows\system\SysSD.dll
2008-12-21 17:38 . 2008-12-21 17:45 <DIR> d-------- C:\KAV
2008-12-21 15:19 . 2008-12-21 15:19 <DIR> d-------- c:\program files\Alwil Software
2008-12-19 12:17 . 2008-12-12 00:57 78,336 --a------ c:\windows\system32\Agent.OMZ.Fix.exe
2008-12-18 23:04 . 2008-12-19 19:39 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-18 20:52 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-18 19:21 . 2008-12-31 22:26 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-10 12:52 . 2008-12-10 12:52 <DIR> d-------- c:\program files\VTTrader 2
.
(((((((((((((((((((((((((((((((((((((((( Files Modified Within the Last Three Months ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-07 13:21 --------- d-----w c:\program files\MetaTrader - Alpari (US)
2009-01-06 03:52 --------- d-----w c:\documents and settings\Owner\Application Data\Skype
2009-01-06 03:05 --------- d-----w c:\documents and settings\Owner\Application Data\skypePM
2009-01-03 01:41 --------- d-----w c:\program files\Common Files\Adobe
2009-01-01 22:03 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-01-01 18:38 --------- d-----w c:\program files\fxsgts
2009-01-01 03:22 --------- d-----w c:\program files\E-Book Systems
2008-12-28 19:04 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-26 21:27 --------- d-----w c:\program files\microsoft frontpage
2008-12-20 03:08 --------- d-----w c:\program files\Google
2008-12-18 23:19 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-04 04:15 --------- d-----w c:\documents and settings\All Users\Application Data\VTSystems
2008-12-04 04:11 --------- d-----w c:\program files\OperaPro2
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:07 208,744 ----a-w c:\windows\system32\muweb.dll
2008-03-14 23:00 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2001-10-05 16:53 21,866 ----a-w c:\program files\Common Files\tppupd2k.dll
1998-12-09 02:53 99,840 ----a-w c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w c:\program files\Common Files\IRASRIAL.DLL
2008-08-19 18:14 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081920080820\index.dat
.
((((((((((((((((((((((((((((( snapshot@2009-01-06_17.45.58.93 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-08 02:09:18 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_744.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-11 185896]
"TPP Auto Loader"="c:\windows\TPPALDR.EXE" [2001-10-05 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-01 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 c:\windows\BCMSMMSG.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
Symantec Fax Starter Edition Port.lnk - c:\program files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 45568]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\XRainbowPhone\\XRainbowPhone.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Tencent\\QQ2009\\Bin\\QQ.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\DealBook 360\\DealBookFX.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5425:TCP"= 5425:TCP:ppLive
"6152:UDP"= 6152:UDP:ppLive
"1950:TCP"= 1950:TCP:fx trader
"1999:TCP"= 1999:TCP:Port1
"3020:TCP"= 3020:TCP:Port2
"2020:TCP"= 2020:TCP:Port3
"1000:TCP"= 1000:TCP:Port4
S3 Alidevice;Alidevice; [x]
S3 TPP725;USB Storage Adapter (TPP);c:\windows\system32\drivers\TPP725.SYS [2004-03-07 43269]
.
.
------- Supplementary Scan -------
.
IE: Add to QQ Emoticons
IE: Add to QQ Emoticons - c:\program files\Tencent\qq\AddEmotion.htm
IE: Add to QQ Emoticons - c:\program files\Tencent\QQ\AddEmotion.htm
c:\windows\Downloaded Program Files\safeInput4jh.dll - O16 -: {A3CD7F74-93C9-4BC4-B892-CCDF1514F714}
hxxps://pbank.95559.com.cn/personbank/ocx/safe_bankcomm.cab
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-01-07 21:18:00
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1801674531-583907252-725345543-1003\Software\Microsoft\Internet Explorer\MenuExt\鹠燫0RQ*NULL*Q*NULL*h埮`]
@="c:\\Program Files\\Tencent\\QQ\\AddEmotion.htm"
"contexts"=dword:00000002
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\%懫qR漢*NULL**NULL*鉺*NULL*\InfFile]
@=""
[HKEY_LOCAL_MACHINE\software\Microsoft\Dbgagt\1*NULL*]
"value"="?\
04\
00\
02\12\
05\1f?"
[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\MenuExt\鹠燫0RQ*NULL*Q*NULL*h埮`]
"contexts"=dword:00000002
@="c:\\Program Files\\Tencent\\QQ2009\\Bin\\AddEmotion.htm"
.
Completion time: 2009-01-07 21:21:19
ComboFix-quarantined-files.txt 2009-01-08 02:20:41
ComboFix2.txt 2009-01-06 22:48:31
Pre-Run: 45,545,353,216 bytes free
Post-Run: 45,535,031,296 bytes free
187 --- E O F --- 2008-12-25 22:26:38
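The log above shows the pattern worth recognising on every removable-drive infection: a root autorun.inf paired with a boot.com hidden in a look-alike "resycled" folder on each drive letter, plus firewall exceptions with generic labels ("Port1".."Port4") that no legitimate installer would leave behind. The following triage script is an added example, not part of the original post and not ComboFix's own code; it assumes a ComboFix-style log whose section banners have been translated to English, and the sample log embedded in it is constructed from the patterns seen above rather than copied from the post.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix output).

Assumptions (not taken from the original post): the log is plain text with
one path per line in the deletions section, and the firewall section keeps
the '"port:proto"= port:proto:label' layout ComboFix prints.  SAMPLE_LOG is
constructed for this example from the patterns shown in the post.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on (not copied from) the posted log.
SAMPLE_LOG = """\
((((((((((((((((((((((((((((((((((((((( Deleted Files )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\\Autorun.inf
C:\\resycled
c:\\resycled\\boot.com
F:\\autorun.inf
F:\\resycled
f:\\resycled\\boot.com
G:\\autorun.inf
c:\\windows\\Tasks\\PerfectOptimzier_OneClick.job
.
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"5425:TCP"= 5425:TCP:ppLive
"1999:TCP"= 1999:TCP:Port1
"3020:TCP"= 3020:TCP:Port2
"1000:TCP"= 1000:TCP:Port4
"""

AUTORUN_RE = re.compile(r"([A-Za-z]):\\autorun\.inf$", re.I)
# boot.com one directory below the drive root, e.g. c:\resycled\boot.com
PAYLOAD_RE = re.compile(r"([A-Za-z]):\\([^\\]+)\\boot\.com$", re.I)
OPEN_PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')


def autorun_pairs(lines):
    """Map drive letter -> root-level folders holding boot.com, but only for
    drives that also carry a root autorun.inf (the autorun-worm pattern).
    A drive with autorun.inf alone (G: in the sample) is not reported."""
    autorun = set()
    payload = defaultdict(set)
    for raw in lines:
        line = raw.strip()
        m = AUTORUN_RE.match(line)
        if m:
            autorun.add(m.group(1).upper())
            continue
        m = PAYLOAD_RE.match(line)
        if m:
            payload[m.group(1).upper()].add(m.group(2).lower())
    return {d: sorted(payload[d]) for d in sorted(autorun & set(payload))}


def generic_open_ports(lines):
    """Return (port, proto, label) for firewall exceptions whose label is a
    bare 'PortN' placeholder, i.e. an opening no application claims."""
    found = []
    for raw in lines:
        m = OPEN_PORT_RE.match(raw.strip())
        if m and re.fullmatch(r"Port\d+", m.group(3).strip()):
            found.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return found


def triage(text):
    """Run both checks over a whole log and return the findings together."""
    lines = text.splitlines()
    return {
        "autorun_worm_drives": autorun_pairs(lines),
        "generic_open_ports": generic_open_ports(lines),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample this reports C: and F: as infected drives (each has autorun.inf plus resycled\boot.com) and leaves G: out because only its autorun.inf appears, and it lists the three "PortN" exceptions while ignoring the named ppLive entry. Feed it a real log with `triage(open(path, encoding="utf-8", errors="replace").read())`; any drive it reports should have its autorun.inf and payload folder removed with the drive unmounted from any autorun-capable host.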