File:: C:\WINDOWS\system32\swk.ini
Save this as Save this as "CFScript"
Drag CFScript.txt into ComboFix.exe
Then post the results log and a new HijackThis log.
Also please describe how your computer behaves at the moment.
WE'RE SURE THAT YOU'LL LOVE US!
Hey there! 
Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. 
Join 93083 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.
Try What the Tech -- It's free!
[Closed] IE Windows Popup (Blank Page)
Started by
yanyan19840709
, May 12 2008 12:41 PM
-
This topic is locked
34 replies to this topic
#31
LDTate
-
- Root Admin
-
- 57,211 posts
Grand Poobah
Posted 26 May 2008 - 06:49 AM
Save this as Save this as "CFScript"
Drag CFScript.txt into ComboFix.exe
Then post the results log and a new HijackThis log.
Also please describe how your computer behaves at the moment.
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to 
for the help you received.
Proud graduate of TC/WTT Classroom
Register to Remove
#32
yanyan19840709
-
- Authentic Member
-
- 43 posts
Authentic Member
Posted 26 May 2008 - 09:30 AM
Done and here are the new logs. Same as previous, so far I did not see the problem yet but I will monitor for some days and update you once it happens again. Thx!
=====================================================
ComboFix 08-05-15.3 - Ryan 2008-05-26 23:22:21.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.950.1.1028.18.1201 [GMT 8:00]
執行位置?: C:\Software\ComboFix.exe
Command switches used :: D:\Ryan\PC Problem\CFScript.txt
* 已建立新的還原點
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\swk.ini
.
(((((((((((((((((((((((((((((((((((((( 其他遭刪除的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\swk.ini
.
(((((((((((((((((((((((((((( 2008-04-26 - 2008-05-26 之間建立的檔案 )))))))))))))))))))))))))))))))))
.
2008-05-25 10:10 . 2008-05-25 10:10 <DIR> d-------- C:\Program Files\ffdshow
2008-05-25 10:10 . 2008-05-24 10:55 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2008-05-25 10:10 . 2008-05-24 10:55 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-05-25 10:10 . 2008-05-24 10:55 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-05-24 23:05 . 2008-05-24 23:05 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-19 00:54 . 2008-05-19 00:54 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-17 20:41 . 2008-05-17 20:41 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-17 20:41 . 2008-05-17 20:41 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\Malwarebytes
2008-05-17 20:41 . 2008-05-17 20:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-17 20:41 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-17 20:41 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-14 22:47 . 2008-05-14 22:47 244 --ah----- C:\sqmnoopt02.sqm
2008-05-14 22:47 . 2008-05-14 22:47 232 --ah----- C:\sqmdata02.sqm
.
(((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-26 15:24 --------- d-----w C:\Documents and Settings\Ryan\Application Data\DNA
2008-05-26 00:41 2,071,904 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-26 00:41 182,341,664 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-25 14:28 --------- d-----w C:\Program Files\Winamp Toolbar
2008-05-25 14:28 --------- d-----w C:\Documents and Settings\Ryan\Application Data\BitTorrent
2008-05-25 11:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-05-24 15:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-24 14:50 --------- d-----w C:\Program Files\Winamp Remote
2008-05-24 01:46 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-24 01:46 --------- d-----w C:\Program Files\SpywareBlaster
2008-05-20 16:05 5,621,047 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-05-19 14:18 --------- d-----w C:\Program Files\ZoneAlarmSB
2008-05-17 14:22 --------- d-----w C:\Program Files\BitTorrent
2008-05-16 00:18 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-16 00:16 --------- d-----w C:\Documents and Settings\Ryan\Application Data\AdobeUM
2008-05-15 00:01 2,769,408 ----a-w C:\WINDOWS\Internet Logs\xDB26.tmp
2008-05-15 00:01 2,156,544 ----a-w C:\WINDOWS\Internet Logs\xDB27.tmp
2008-05-14 16:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-06 13:35 201,216 ----a-w C:\WINDOWS\Internet Logs\xDB24.tmp
2008-05-06 13:35 2,141,696 ----a-w C:\WINDOWS\Internet Logs\xDB25.tmp
2008-05-06 00:01 2,842,112 ----a-w C:\WINDOWS\Internet Logs\xDB22.tmp
2008-05-06 00:01 2,141,184 ----a-w C:\WINDOWS\Internet Logs\xDB23.tmp
2008-04-26 14:56 2,302,976 ----a-w C:\WINDOWS\Internet Logs\xDB20.tmp
2008-04-26 14:56 2,131,456 ----a-w C:\WINDOWS\Internet Logs\xDB21.tmp
2008-04-23 14:22 2,650,112 ----a-w C:\WINDOWS\Internet Logs\xDB1E.tmp
2008-04-23 14:22 2,129,920 ----a-w C:\WINDOWS\Internet Logs\xDB1F.tmp
2008-04-21 14:25 --------- d-----w C:\Documents and Settings\Ryan\Application Data\ICAClient
2008-04-21 13:54 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\Juniper Networks
2008-04-21 13:53 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Juniper Networks
2008-04-21 13:53 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Juniper Networks
2008-04-21 13:51 --------- d-----w C:\Program Files\Citrix
2008-04-21 13:48 --------- d-----w C:\Program Files\Juniper Networks
2008-04-21 13:48 --------- d-----w C:\Documents and Settings\Ryan\Application Data\Juniper Networks
2008-04-20 17:44 --------- d-----w C:\Program Files\MP4 Player
2008-04-14 14:51 2,939,904 ----a-w C:\WINDOWS\Internet Logs\xDB1C.tmp
2008-04-14 14:51 2,106,880 ----a-w C:\WINDOWS\Internet Logs\xDB1D.tmp
2008-04-12 11:16 --------- d-----w C:\Documents and Settings\Ryan\Application Data\ImgBurn
2008-04-12 08:19 --------- d-----w C:\Program Files\ImgBurn
2008-03-25 04:49 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:49 158,496 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-20 08:03 1,844,864 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-13 15:11 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-03-13 15:11 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-03-01 12:54 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.
((((((((((((((((((((((((((((( snapshot@2008-05-19_ 1.00.55.07 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-17 11:02:58 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-26 14:03:15 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-26 14:03:33 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4f8.dat
+ 2008-05-26 14:04:11 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6b4.dat
.
(((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*注意* 空白或合法的登錄值將不會顯示
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [ ]
[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 09:16 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55 5674352]
"BitComet"="C:\Program Files\BitComet\BitComet.exe" [ ]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2006-03-01 19:43 90112]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2004-05-06 12:13 221696]
"Power2GoExpress"="C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" [2007-03-06 11:22 2475568]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-08 21:13 289088]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39 1289000]
"MP4 Player"="C:\Program Files\MP4 Player\mp4Player.exe" [2007-09-19 21:00 639488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:31 208952]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-19 00:34 579584]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"EasyTuneV"="C:\Program Files\Gigabyte\ET5\ETcall.exe" [2007-10-22 07:09 24576]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 17:08 16342528 C:\WINDOWS\RTHDCPL.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-07 08:05 200704]
"Norton Ghost 12.0"="C:\Program Files\Norton Ghost\Agent\VProTray.exe" [2007-03-28 20:41 2037352]
"UVS11 Preload"="C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-04-12 18:23 341488]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-12 09:16 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 22:50 219136]
C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27266:TCP"= 27266:TCP:BitComet 27266 TCP
"27266:UDP"= 27266:UDP:BitComet 27266 UDP
"50000:TCP"= 50000:TCP:BitComet 50000 TCP
"50000:UDP"= 50000:UDP:BitComet 50000 UDP
"50001:TCP"= 50001:TCP:BitComet 50001 TCP
"50001:UDP"= 50001:UDP:BitComet 50001 UDP
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R1 NEOFLTR_550_11711;Juniper Networks TDI Filter Driver (NEOFLTR_550_11711);C:\WINDOWS\system32\Drivers\NEOFLTR_550_11711.SYS [2007-04-11 10:24]
R2 ATIWebPAM;ATI WebPAM;"C:\Program Files\ATI\WebPAM\jetty\extra\win32\Wrapper.exe" -s wrapper.conf []
R3 MarkFun_NT;MarkFun_NT;C:\Program Files\Gigabyte\ET5\markfun.w32 [2007-10-22 07:09]
R3 RTHDMIAzAudService;Service for HDMI;C:\WINDOWS\system32\drivers\RtHDMI.sys [2007-05-14 09:12]
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2007-10-22 21:49]
.
排程工作資料夾的內容
"2008-05-26 15:11:01 C:\WINDOWS\Tasks\查看 Windows Live Toolbar 的更新資訊.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-26 23:25:24
Windows 5.1.2600 Service Pack 2 NTFS
掃描隱藏的程序...
掃描隱藏的進程...
掃描隱藏的檔案...
folder error: C:\Documents and Settings\Ryan\「開始」功能表\程式集\啟動\
folder error: C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
掃描完成
隱藏檔案?: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MarkFun_NT]
"ImagePath"="\??\C:\Program Files\Gigabyte\ET5\markfun.w32"
.
完成時間?: 2008-05-26 23:26:28
ComboFix-quarantined-files.txt 2008-05-26 15:26:24
ComboFix2.txt 2008-05-20 16:34:21
ComboFix3.txt 2008-05-19 14:21:30
ComboFix4.txt 2008-05-18 17:01:15
11 個目錄 1,762,390,016 位元組可用
15 個目錄 1,919,229,952 位元組可用
184 --- E O F --- 2008-05-16 18:08:53
=====================================================
Logfile of HijackThis v1.99.1
Scan saved at 23:29:16, on 26/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI\WebPAM\jetty\extra\win32\Wrapper.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\ATI\WebPAM\_jvm\bin\java.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gigabyte\ET5\GUI.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Alcohol Soft\Alcohol 120\alcohol.exe
C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\MP4 Player\mp4Player.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [EasyTuneV] C:\Program Files\Gigabyte\ET5\ETcall.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Norton Ghost 12.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKLM\..\Run: [alcohol_.exe Autorun] C:\Program Files\Alcohol Soft\Alcohol 120\alcohol_.exe /startup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitComet] C:\Program Files\BitComet\BitComet.exe /tray
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [alcohol.exe Autorun] C:\Program Files\Alcohol Soft\Alcohol 120\alcohol.exe /startup
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [MP4 Player] "C:\Program Files\MP4 Player\mp4Player.exe" hmw
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: 在新的前景索引標籤中開啟 - res://C:\Program Files\Windows Live Toolbar\Components\zh-hk\msntabres.dll.mui/230?5141d3746377489597f180bf6b20508d
O8 - Extra context menu item: 在新的背景索引標籤中開啟 - res://C:\Program Files\Windows Live Toolbar\Components\zh-hk\msntabres.dll.mui/229?5141d3746377489597f180bf6b20508d
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\juniper networks\secure application manager\samnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\juniper networks\secure application manager\samnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI WebPAM (ATIWebPAM) - Unknown owner - C:\Program Files\ATI\WebPAM\jetty\extra\win32\Wrapper.exe" -s wrapper.conf (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
=====================================================
ComboFix 08-05-15.3 - Ryan 2008-05-26 23:22:21.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.950.1.1028.18.1201 [GMT 8:00]
執行位置?: C:\Software\ComboFix.exe
Command switches used :: D:\Ryan\PC Problem\CFScript.txt
* 已建立新的還原點
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\swk.ini
.
(((((((((((((((((((((((((((((((((((((( 其他遭刪除的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\swk.ini
.
(((((((((((((((((((((((((((( 2008-04-26 - 2008-05-26 之間建立的檔案 )))))))))))))))))))))))))))))))))
.
2008-05-25 10:10 . 2008-05-25 10:10 <DIR> d-------- C:\Program Files\ffdshow
2008-05-25 10:10 . 2008-05-24 10:55 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2008-05-25 10:10 . 2008-05-24 10:55 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-05-25 10:10 . 2008-05-24 10:55 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-05-24 23:05 . 2008-05-24 23:05 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-19 00:54 . 2008-05-19 00:54 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-17 20:41 . 2008-05-17 20:41 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-17 20:41 . 2008-05-17 20:41 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\Malwarebytes
2008-05-17 20:41 . 2008-05-17 20:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-17 20:41 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-17 20:41 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-14 22:47 . 2008-05-14 22:47 244 --ah----- C:\sqmnoopt02.sqm
2008-05-14 22:47 . 2008-05-14 22:47 232 --ah----- C:\sqmdata02.sqm
.
(((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-26 15:24 --------- d-----w C:\Documents and Settings\Ryan\Application Data\DNA
2008-05-26 00:41 2,071,904 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-26 00:41 182,341,664 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-25 14:28 --------- d-----w C:\Program Files\Winamp Toolbar
2008-05-25 14:28 --------- d-----w C:\Documents and Settings\Ryan\Application Data\BitTorrent
2008-05-25 11:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-05-24 15:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-24 14:50 --------- d-----w C:\Program Files\Winamp Remote
2008-05-24 01:46 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-24 01:46 --------- d-----w C:\Program Files\SpywareBlaster
2008-05-20 16:05 5,621,047 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-05-19 14:18 --------- d-----w C:\Program Files\ZoneAlarmSB
2008-05-17 14:22 --------- d-----w C:\Program Files\BitTorrent
2008-05-16 00:18 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-16 00:16 --------- d-----w C:\Documents and Settings\Ryan\Application Data\AdobeUM
2008-05-15 00:01 2,769,408 ----a-w C:\WINDOWS\Internet Logs\xDB26.tmp
2008-05-15 00:01 2,156,544 ----a-w C:\WINDOWS\Internet Logs\xDB27.tmp
2008-05-14 16:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-06 13:35 201,216 ----a-w C:\WINDOWS\Internet Logs\xDB24.tmp
2008-05-06 13:35 2,141,696 ----a-w C:\WINDOWS\Internet Logs\xDB25.tmp
2008-05-06 00:01 2,842,112 ----a-w C:\WINDOWS\Internet Logs\xDB22.tmp
2008-05-06 00:01 2,141,184 ----a-w C:\WINDOWS\Internet Logs\xDB23.tmp
2008-04-26 14:56 2,302,976 ----a-w C:\WINDOWS\Internet Logs\xDB20.tmp
2008-04-26 14:56 2,131,456 ----a-w C:\WINDOWS\Internet Logs\xDB21.tmp
2008-04-23 14:22 2,650,112 ----a-w C:\WINDOWS\Internet Logs\xDB1E.tmp
2008-04-23 14:22 2,129,920 ----a-w C:\WINDOWS\Internet Logs\xDB1F.tmp
2008-04-21 14:25 --------- d-----w C:\Documents and Settings\Ryan\Application Data\ICAClient
2008-04-21 13:54 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\Juniper Networks
2008-04-21 13:53 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Juniper Networks
2008-04-21 13:53 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Juniper Networks
2008-04-21 13:51 --------- d-----w C:\Program Files\Citrix
2008-04-21 13:48 --------- d-----w C:\Program Files\Juniper Networks
2008-04-21 13:48 --------- d-----w C:\Documents and Settings\Ryan\Application Data\Juniper Networks
2008-04-20 17:44 --------- d-----w C:\Program Files\MP4 Player
2008-04-14 14:51 2,939,904 ----a-w C:\WINDOWS\Internet Logs\xDB1C.tmp
2008-04-14 14:51 2,106,880 ----a-w C:\WINDOWS\Internet Logs\xDB1D.tmp
2008-04-12 11:16 --------- d-----w C:\Documents and Settings\Ryan\Application Data\ImgBurn
2008-04-12 08:19 --------- d-----w C:\Program Files\ImgBurn
2008-03-25 04:49 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:49 158,496 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-20 08:03 1,844,864 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-13 15:11 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-03-13 15:11 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-03-01 12:54 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.
((((((((((((((((((((((((((((( snapshot@2008-05-19_ 1.00.55.07 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-17 11:02:58 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-26 14:03:15 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-26 14:03:33 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4f8.dat
+ 2008-05-26 14:04:11 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6b4.dat
.
(((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*注意* 空白或合法的登錄值將不會顯示
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [ ]
[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 09:16 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55 5674352]
"BitComet"="C:\Program Files\BitComet\BitComet.exe" [ ]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2006-03-01 19:43 90112]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2004-05-06 12:13 221696]
"Power2GoExpress"="C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" [2007-03-06 11:22 2475568]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-08 21:13 289088]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39 1289000]
"MP4 Player"="C:\Program Files\MP4 Player\mp4Player.exe" [2007-09-19 21:00 639488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:31 208952]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-19 00:34 579584]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"EasyTuneV"="C:\Program Files\Gigabyte\ET5\ETcall.exe" [2007-10-22 07:09 24576]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 17:08 16342528 C:\WINDOWS\RTHDCPL.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-07 08:05 200704]
"Norton Ghost 12.0"="C:\Program Files\Norton Ghost\Agent\VProTray.exe" [2007-03-28 20:41 2037352]
"UVS11 Preload"="C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-04-12 18:23 341488]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-12 09:16 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 22:50 219136]
C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27266:TCP"= 27266:TCP:BitComet 27266 TCP
"27266:UDP"= 27266:UDP:BitComet 27266 UDP
"50000:TCP"= 50000:TCP:BitComet 50000 TCP
"50000:UDP"= 50000:UDP:BitComet 50000 UDP
"50001:TCP"= 50001:TCP:BitComet 50001 TCP
"50001:UDP"= 50001:UDP:BitComet 50001 UDP
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R1 NEOFLTR_550_11711;Juniper Networks TDI Filter Driver (NEOFLTR_550_11711);C:\WINDOWS\system32\Drivers\NEOFLTR_550_11711.SYS [2007-04-11 10:24]
R2 ATIWebPAM;ATI WebPAM;"C:\Program Files\ATI\WebPAM\jetty\extra\win32\Wrapper.exe" -s wrapper.conf []
R3 MarkFun_NT;MarkFun_NT;C:\Program Files\Gigabyte\ET5\markfun.w32 [2007-10-22 07:09]
R3 RTHDMIAzAudService;Service for HDMI;C:\WINDOWS\system32\drivers\RtHDMI.sys [2007-05-14 09:12]
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2007-10-22 21:49]
.
排程工作資料夾的內容
"2008-05-26 15:11:01 C:\WINDOWS\Tasks\查看 Windows Live Toolbar 的更新資訊.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-26 23:25:24
Windows 5.1.2600 Service Pack 2 NTFS
掃描隱藏的程序...
掃描隱藏的進程...
掃描隱藏的檔案...
folder error: C:\Documents and Settings\Ryan\「開始」功能表\程式集\啟動\
folder error: C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
掃描完成
隱藏檔案?: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MarkFun_NT]
"ImagePath"="\??\C:\Program Files\Gigabyte\ET5\markfun.w32"
.
完成時間?: 2008-05-26 23:26:28
ComboFix-quarantined-files.txt 2008-05-26 15:26:24
ComboFix2.txt 2008-05-20 16:34:21
ComboFix3.txt 2008-05-19 14:21:30
ComboFix4.txt 2008-05-18 17:01:15
11 個目錄 1,762,390,016 位元組可用
15 個目錄 1,919,229,952 位元組可用
184 --- E O F --- 2008-05-16 18:08:53
=====================================================
Logfile of HijackThis v1.99.1
Scan saved at 23:29:16, on 26/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI\WebPAM\jetty\extra\win32\Wrapper.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\ATI\WebPAM\_jvm\bin\java.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gigabyte\ET5\GUI.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Alcohol Soft\Alcohol 120\alcohol.exe
C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\MP4 Player\mp4Player.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [EasyTuneV] C:\Program Files\Gigabyte\ET5\ETcall.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Norton Ghost 12.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKLM\..\Run: [alcohol_.exe Autorun] C:\Program Files\Alcohol Soft\Alcohol 120\alcohol_.exe /startup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitComet] C:\Program Files\BitComet\BitComet.exe /tray
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [alcohol.exe Autorun] C:\Program Files\Alcohol Soft\Alcohol 120\alcohol.exe /startup
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [MP4 Player] "C:\Program Files\MP4 Player\mp4Player.exe" hmw
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: 在新的前景索引標籤中開啟 - res://C:\Program Files\Windows Live Toolbar\Components\zh-hk\msntabres.dll.mui/230?5141d3746377489597f180bf6b20508d
O8 - Extra context menu item: 在新的背景索引標籤中開啟 - res://C:\Program Files\Windows Live Toolbar\Components\zh-hk\msntabres.dll.mui/229?5141d3746377489597f180bf6b20508d
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\juniper networks\secure application manager\samnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\juniper networks\secure application manager\samnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI WebPAM (ATIWebPAM) - Unknown owner - C:\Program Files\ATI\WebPAM\jetty\extra\win32\Wrapper.exe" -s wrapper.conf (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
#33
LDTate
-
- Root Admin
-
- 57,211 posts
Grand Poobah
Posted 26 May 2008 - 09:42 AM
If that doesn't work try this.
1. Try running IE without any add ons. Go to Start Menu -> All Programs -> Accessories -> System Tools -> Internet Explorer (No Add-ons)
2. Reset IE settings. Go to Tools > Internet Options > Advanced tab. Click on "Reset..." button. Go to Security tab and move the bar to Medium or Default. Click OK. Close all browsers. Reboot the computer.
Note:
Thanks to Rorschach112 and IndiGenus for their help with this.
1. Try running IE without any add ons. Go to Start Menu -> All Programs -> Accessories -> System Tools -> Internet Explorer (No Add-ons)
2. Reset IE settings. Go to Tools > Internet Options > Advanced tab. Click on "Reset..." button. Go to Security tab and move the bar to Medium or Default. Click OK. Close all browsers. Reboot the computer.
Note:
Thanks to Rorschach112 and IndiGenus for their help with this.
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to for the help you received.
Proud graduate of TC/WTT Classroom
#34
LDTate
-
- Root Admin
-
- 57,211 posts
Grand Poobah
Posted 01 June 2008 - 03:19 PM
Do you still need help with this?
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to for the help you received.
Proud graduate of TC/WTT Classroom
#35
LDTate
-
- Root Admin
-
- 57,211 posts
Grand Poobah
Posted 07 June 2008 - 09:26 AM
Due to inactivity this topic will be closed.
If you need help please start a new thread and post a new HJT log
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to for the help you received.
Proud graduate of TC/WTT Classroom
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
