¬d¬Ý§¹¾ãª©¥»: µLªk¨Ï¥ÎIE¡AIEÂsÄý¾¹ÅܪťÕ

µLªk¨Ï¥ÎIE¡AIEÂsÄý¾¹ÅܪťÕ

²³æ¦Ó¨¥¡J

1.¥´¶}IEÂsÄý¾¹¡AµLªk¥¿±`¹B§@¡Aª©­±¥þ¬OªÅ¥Õ¡A¦ý¨Ã¤£¬O¡u¨S¦³¦^À³¡v¡C·í¿ï¨úIEÂsÄý¾¹ªº¤u¨ã¦C(§YÀɮסA½s¿è¡AÀ˵øµ¥)¡A¥u¯à§âµæ³æ©Ô¤U¡A¤£¯à¥´¶}¤º®e¡A¦ÓÂIÀ» [color=black][b][¤u¨ã] [/b][/color]> [b][ºô»Úºôµ¸¿ï¶µ][/b]®É¡A¡u³o­Ó§@·~¤w¸g¨ú®ø¡A¦]¬°³o­Ó¹q¸£¨ü¨ì­­¨î¡C½Ð©M¨t²ÎºÞ²z­û³sµ¸¡C¡vªº¦r¥y¼u¥X¡C(¤wÀˬdºôµ¸ª¬ªp¡A³s½u¨Ã¨S¦³°ÝÃD¡C)

2.¨C¦¸­«·s¶}±Ò¹q¸£®É¡A©Ò¦³ÂsÄý°O¿ý³Q§R°£¡C

¥H¤U¬° hijackthis ³ø§i¡C

ÁÂÁ©Ҧ³ºÞ²z­û¡C

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:49:45, on 19/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\KIS2007\KWatch.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\AhnRpta.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\KIS2007\KPfwSvc.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
E:\Alcohol\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\KIS2007\KMailMon.EXE
E:\Online TV\PPStream\ppsap.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - E:\BT\123\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Skype Control Class - {9018F6A8-2495-45DF-9F16-C738F8F3C8FF} - C:\WINDOWS\system32\SkypeComm.dll
O2 - BHO: Windows Live µn¤J¤pÀ°¤â - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: WinAVI FLVSense - {E8DF67A1-B618-4F3F-9E7C-CBE175ADEF5B} - E:\WinAVI FLV Converter\FLVTune.dll (file missing)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] ; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PPHIDPAD] ; C:\WINPENJR\Win32\pphidpad.exe
O4 - HKLM\..\Run: [HP Software Update] ; "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] ; "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [NvCplDaemon] ; RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] ; nwiz.exe /install
O4 - HKLM\..\Run: [PCSuiteTrayApplication] ; C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [KavStart] "C:\KIS2007\KAVStart.exe" -startup
O4 - HKLM\..\Run: [IMEKRMIG6.1] ; C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] ; C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [DAEMON Tools-1033] ; "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [NvMediaCenter] ; RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Flashget] C:\PROGRA~1\FlashGet\FlashGet.exe /min
O4 - HKLM\..\Run: [Hotplug] ; C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\hot_plug.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] ; C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [NeroFilterCheck] ; C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] ; "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] ; C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [DAEMON Tools Lite] ; "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [MSMSGS] ; "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PPS Accelerator] E:\Online TV\PPStream\ppsap.exe
O4 - HKCU\..\Run: [dorfgwe] C:\WINDOWS\system32\uret463.exe
O4 - HKCU\..\Run: [anhtaaa] C:\WINDOWS\system32\kacsde.exe
O4 - HKCU\..\Run: [rwasds] C:\WINDOWS\system32\huwesa.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download FLV by WinAVI... - E:\WinAVI FLV Converter\flv_link.htm
O8 - Extra context menu item: &¨Ï¥Î FlashGet ¤U¸ü - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: &¨Ï¥ÎBitComet¤U¸ü¥»­¶µø°T - res://E:\BT\123\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &¥þ³¡¨Ï¥Î FlashGet ¤U¸ü - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Foxy ¤U¸ü - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy ·j´M - res://C:\Program Files\Foxy\Foxy.exe/search.htm
O8 - Extra context menu item: ¨Ï¥ÎBitComet¤U¸ü¥þ³¡³sµ² - res://E:\BT\123\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: ¨Ï¥ÎBitComet¤U¸ü³sµ²(&B) - res://E:\BT\123\BitComet\BitComet.exe/AddLink.htm

[[i] ¥»©«³Ì«á¥Ñ onor ©ó 2009-7-12 05:09 PM ½s¿è [/i]]

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java ¥D±±¥x - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: °Ñ¦Ò¸ê®Æ - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://E:\BT\123\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\FlashGet.exe
O9 - Extra button: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - E:\WinAVI FLV Converter\FLVTune.dll (file missing)
O9 - Extra 'Tools' menuitem: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - E:\WinAVI FLV Converter\FLVTune.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {05BCE06B-A300-4C4E-A42F-4C04BCCDE63B} (TRLuncherROC Control) - [url]http://weblogin.talesrunner.com.hk/TRLuncherROC.cab[/url]
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - [url]http://support.f-secure.com/ols/fscax.cab[/url]
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [url]http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab[/url]
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [url]http://go.microsoft.com/fwlink/?linkid=39204[/url]
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - [url]http://www.srtest.com/srl_bin/sysreqlab_srl.cab[/url]
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - [url]http://download.bitdefender.com/resources/scan8/oscan8.cab[/url]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [url]http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199015408765[/url]
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - [url]http://www.systemrequirementslab.com/sysreqlab2.cab[/url]
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - [url]http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab[/url]
O16 - DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} (NowStarter Control) - [url]http://www.gogobox.com.tw/neo.fld/GNowStarter.cab[/url]
O16 - DPF: {A93FB56D-2F76-4DD7-8E38-9B1EB38C88A5} (SecureSession Class) - [url]http://warranty.samsungmcs.com.hk:8080/plugIn/SecuiSECIE.cab[/url]
O16 - DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} (CCTVUpdateInstall) - [url]http://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll[/url]
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - [url]http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab[/url]
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - [url]http://support.f-secure.com/ols/fscax.cab[/url]
O16 - DPF: {BE34BAB0-0580-45BC-AEC8-E0EF00C11F57} (GTWebCom Control) - [url]http://hkma.towergame.com/common/GTWebCom.cab[/url]
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kingsoft Personal Firewall Service (KPfwSvc) - Kingsoft Corporation - C:\KIS2007\KPfwSvc.EXE
O23 - Service: Kingsoft Antivirus KWatch Service (KWatchSvc) - Kingsoft Corporation - C:\KIS2007\KWatch.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Alcohol\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 10477 bytes

°õ¦æ [color=blue][b]HijackThis[/b][/color] ±½´y¹q¸£. µM«á¤Ä¿ï¥H¤U¶µ¥Ø¥ª­±ªº¤è®æ. Ãö³¬©Ò¦³µøµ¡¤ÎÂsÄý¾¹¡A«ö [b]Fix checked[/b]¡AµM«áÃö³¬ [color=blue][b]HijackThis[/b][/color]

[b]O2 - BHO: Skype Control Class - {9018F6A8-2495-45DF-9F16-C738F8F3C8FF} - C:\WINDOWS\system32\SkypeComm.dll

O4 - HKCU\..\Run: [dorfgwe] C:\WINDOWS\system32\uret463.exe

O4 - HKCU\..\Run: [anhtaaa] C:\WINDOWS\system32\kacsde.exe

O4 - HKCU\..\Run: [rwasds] C:\WINDOWS\system32\huwesa.exe[/b]



¤U¸ü [b][color=blue]OTM[/b][/color] ¦Ü[b]®à­±[/b]

[url]http://oldtimer.geekstogo.com/OTM.exe[/url]

[list][*]°õ¦æ [b][color=blue]OTM[/b][/color]
[*]¥Î·Æ¹«½Æ»s¥H¤U²Ê¶Â¦â¤å¦r¡A©ó [b][color=blue]OTMoveIt3[/b][/color] µøµ¡ [b][color=Cyan]Paste Instructions for Items to be Moved[/color][/b] ¶K¤W¥H¤U¤º®e:

[b]:files
C:\WINDOWS\AhnRpta.exe
C:\WINDOWS\system32\SkypeComm.dll
C:\WINDOWS\system32\uret463.exe
C:\WINDOWS\system32\kacsde.exe
C:\WINDOWS\system32\huwesa.exe[/b]

[*]¤§«á«ö [b][color=red]MoveIt![/color][/b] (°²¦pµ{¦¡­n¨D­«·s啓°Ê¹q¸£¡A«ö [b]Yes[/b])
[*]Ãö³¬ [b][color=blue]OTM[/b][/color][/list]



­«·s±Ò°Ê¹q¸£. ¤U¸ü [b][color=blue]ComboFix[/color][/b] ¦Ü[b]®à­±[/b]

[url]http://download.bleepingcomputer.com/sUBs/ComboFix.exe[/url]

[list][*]°õ¦æ [b][color=blue]ComboFix[/color][/b]

[color=red]ª`·N[/color]: ¬°¨¾¤î«O¦w³n¥ó±N [b][color=blue]ComboFix[/color][/b] ¿ù»~¦C¬°¦MÀIÀÉ®×. °õ¦æ [b][color=blue]ComboFix[/color][/b] ¤§«e½Ð±N¨¾¬r³n¥ó¤Î¤Ï¶¡¿Ò³n¥ó¼È®ÉÃö³¬. ¥t¥~¡A[b][color=blue]ComboFix[/color][/b] ¹B§@¨ä¶¡½Ð¤Å°õ¦æ¥ô¦óµ{¦¡©Î¥Î·Æ¹«ÂIÀ» [b][color=blue]ComboFix[/color][/b] µøµ¡.

[*][b][color=blue]ComboFix[/color][/b] ·|¼u¥Xµøµ¡¡A«ö[b]¬O (Y)[/b]
[*]°²¦p»Ý­n¦w¸Ë[b]«ì´_±±¨î¥x[/b]¡A«ö[b]§_ (N)[/b]
[*]µ{¦¡·|¶i¦æ±½´y¡A¨ä¶¡®à­±¥i¯à·|¼È®É®ø¥¢. §¹¦¨±½´y«á¡Aµ{¦¡·|¦Û°ÊÃö³¬.
[*]§¹¦¨«á [b][color=blue]ComboFix[/color][/b] ¥i¯à·|¦Û°Ê­«·s啓°Ê¹q¸£. ¤§«á [b][color=blue]ComboFix[/color][/b] °O¿ý·|¼u¥X. °O¿ý·|¦Û°ÊÀx¦s©ó [b]C:\[color=blue]ComboFix[/color].txt[/b]
[*]¶K¤W [b][color=blue]ComboFix[/color][/b] °O¿ý.[/list]

¥H¤U¬°ComboFix Report, ÁÂÁº޲z­û¡C

ComboFix 09-06-24.05 - user 6/2009 Thu 23:21.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.950.886.1028.18.511.232 [GMT 8:00]
°õ¦æ¦ì¸m: c:\documents and settings\user\®à­±\ComboFix.exe
AV: ª÷¤s¬rÅQÀɮקY®É¨¾¬r *On-access scanning disabled* (Outdated) {45EBBE4F-7185-4802-9286-13665DE6F3F1}
FW: Kingsoft Personal Firewall *enabled* {B32D173E-1363-4860-9B58-259427E43B98}
ª`·N - ³o¥x¹q¸£¨S¦³¦w¸Ë«ì´_±±¨î¥x ¡I¡I
.
(((((((((((((((((((((((((((((((((((((((   ³Q§R°£ªºÀÉ®×   )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\user\LOCALS~1\Temp\E_4
c:\documents and settings\user\Application Data\ShoppingReport
c:\windows\DGStarter22.EXE
C:\0ohqxsdx.bat
C:\16onq.bat
C:\1bg.cmd
C:\1irqtv.cmd
C:\1jief.cmd
C:\1n.cmd
C:\1q8p0y.com
C:\23ft.exe
C:\3bo9tn.cmd
C:\3iugonx.com
C:\3wy1vm.cmd
C:\3yr1.cmd
C:\6.exe
C:\6o0.bat
C:\6vu680.com
C:\82i.cmd
C:\8nlo1q.cmd
C:\8oupido.bat
C:\9b8kmipy.com
C:\9dl.cmd
C:\a.exe
C:\af93gcf.exe
C:\autorun.inf
C:\b.bat
C:\b.cmd
C:\bn0.bat
C:\bsp.cmd
C:\clc3k.com
C:\d22xl.bat
C:\d8ur3qs.bat
C:\dgf.exe
C:\dgkx.exe
c:\docume~1\user\LOCALS~1\Temp\E_4\com.run
c:\docume~1\user\LOCALS~1\Temp\E_4\dp1.fne
c:\docume~1\user\LOCALS~1\Temp\E_4\eAPI.fne
c:\docume~1\user\LOCALS~1\Temp\E_4\internet.fne
c:\docume~1\user\LOCALS~1\Temp\E_4\krnln.fnr
c:\docume~1\user\LOCALS~1\Temp\E_4\RegEx.fnr
c:\docume~1\user\LOCALS~1\Temp\E_4\shell.fne
c:\docume~1\user\LOCALS~1\Temp\E_4\spec.fne
c:\documents and settings\user\Application Data\ShoppingReport\cs\Config.xml
c:\documents and settings\user\Application Data\ShoppingReport\cs\db\Aliases.dbs
c:\documents and settings\user\Application Data\ShoppingReport\cs\db\Sites.dbs
c:\documents and settings\user\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
c:\documents and settings\user\Application Data\ShoppingReport\cs\report\aggr_storage.xml
c:\documents and settings\user\Application Data\ShoppingReport\cs\report\send_storage.xml
c:\documents and settings\user\Application Data\ShoppingReport\cs\res2\WhiteList.dbs
C:\dsty.com
C:\e00233it.com
C:\e619e.cmd
C:\eg1.cmd
C:\g0.cmd
C:\ggl.cmd
C:\gmi1jxy.com
C:\gnwav.exe
C:\gxul.com
C:\gymussy.bat
C:\hqx292nu.exe
C:\igcmrtjw.cmd
C:\j.bat
C:\j0mpdkja.cmd
C:\j1.cmd
C:\jg.com
C:\kk.bat
C:\kya6l.bat
C:\ldgybkp.bat
C:\lj6hdv.com
C:\ll.exe
C:\mcmm.bat
C:\mt.com
C:\mt0.cmd
C:\n.com
C:\ndmego0f.cmd
C:\o93ml8.bat
C:\oc.cmd
C:\om.cmd
C:\otf.cmd
C:\pjwtv.cmd
c:\program files\INSTALL.LOG
C:\q1pady.cmd
C:\rf.cmd
C:\s6muem.cmd
C:\tlmjw.cmd
C:\tt.com
C:\uyfd9cck.cmd
C:\v0vj.exe
C:\vctio.com
C:\w6hikrv.com
C:\wg0kpd.bat
c:\windows\AhnRpta.exe
c:\windows\patch.exe
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\afmain0.dll
c:\windows\system32\afmain1.dll
c:\windows\system32\e8main0.dll
c:\windows\system32\godert0.dll
c:\windows\system32\godert1.dll
c:\windows\system32\jwedsfdo0.dll
c:\windows\system32\jwedsfdo1.dll
c:\windows\system32\jwedsfdo2.dll
c:\windows\system32\kxvo0.dll
c:\windows\system32\kxvo1.dll
c:\windows\system32\lhgjyit0.dll
c:\windows\system32\lhgjyit1.dll
c:\windows\system32\lhgjyit2.dll
c:\windows\system32\taskmagr.exe
c:\windows\system32\wmdmpmsvc.dll
c:\windows\system32\xactsrv.dll
C:\xwpehlv.com
C:\y6u.bat
C:\y9rlqi.cmd
C:\yfmqo.cmd
C:\yi9.exe
E:\0ohqxsdx.bat
E:\16onq.bat
E:\1bg.cmd
E:\1irqtv.cmd
E:\1jief.cmd
E:\1n.cmd
E:\1q8p0y.com
E:\23ft.exe
E:\3bo9tn.cmd
E:\3iugonx.com
E:\3wy1vm.cmd
E:\3yr1.cmd
E:\6o0.bat
E:\82i.cmd
E:\8nlo1q.cmd
E:\8oupido.bat
E:\9b8kmipy.com
E:\9dl.cmd
E:\af93gcf.exe
E:\Autorun.inf
E:\b.bat
E:\b.cmd
E:\bn0.bat
E:\bsp.cmd
E:\clc3k.com
E:\d22xl.bat
E:\d8ur3qs.bat
E:\dgf.exe
E:\dgkx.exe
E:\dsty.com
E:\e00233it.com
E:\e619e.cmd
E:\eg1.cmd
E:\g0.cmd
E:\ggl.cmd
E:\gmi1jxy.com
E:\gnwav.exe
E:\gxul.com
E:\gymussy.bat
E:\hqx292nu.exe
E:\igcmrtjw.cmd
E:\j.bat
E:\j0mpdkja.cmd
E:\j1.cmd
E:\jg.com
E:\kk.bat
E:\kya6l.bat
E:\ldgybkp.bat
E:\lj6hdv.com
E:\ll.exe
E:\mcmm.bat
E:\mt.com
E:\n.com
E:\ndmego0f.cmd
E:\o93ml8.bat
E:\oc.cmd
E:\om.cmd
E:\otf.cmd
E:\pjwtv.cmd
E:\q1pady.cmd
E:\rf.cmd
E:\s6muem.cmd
E:\tlmjw.cmd
E:\tt.com
E:\uyfd9cck.cmd
E:\v0vj.exe
E:\vctio.com
E:\w6hikrv.com
E:\wg0kpd.bat
E:\xwpehlv.com
E:\y6u.bat
E:\y9rlqi.cmd
E:\yfmqo.cmd
E:\yi9.exe
c:\windows\system32\schtasks.exe . . . ¨ü·P¬V¡I¡I
µo²{¨ü·P¬V c:\windows\system32\spoolsv.exe ¨Ã¥B¦¨¥\¸Ñ¬r
±q - c:\windows\system32\dllcache\spoolsv.exe «ì´_­ì¨ÓÀÉ®×

[[i] ¥»©«³Ì«á¥Ñ onor ©ó 2009-6-25 11:58 PM ½s¿è [/i]]

.
(((((((((((((((((((((((((((((((((((((((   ÅX°Ê/ªA°È   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KAVSYS
-------\Legacy_OREANS32
-------\Service_AVPsys
-------\Service_oreans32


(((((((((((((((((((((((((  2009-05-25 ¦Ü 2009-06-25 ªº·sªºÀÉ®×  )))))))))))))))))))))))))))))))
.

2009-06-25 15:02 . 2009-06-25 15:02        --------        d-----w-        C:\_OTM
2009-06-25 14:42 . 2009-06-25 14:42        --------        d--h--w-        c:\windows\PIF
2009-06-24 05:12 . 2009-06-24 16:46        99581        --sh--r-        C:\9l66g8k1.com
2009-06-23 05:41 . 2009-06-23 17:00        100292        --sh--r-        C:\dmf.exe
2009-06-21 16:12 . 2009-06-25 01:46        81408        ------w-        c:\windows\system32\843wee0.dll
2009-06-20 14:12 . 2009-06-22 03:13        97727        --sh--r-        C:\yq.com
2009-06-19 02:37 . 2009-06-20 00:50        97868        --sh--r-        C:\chlf9.exe
2009-06-17 15:33 . 2009-06-18 14:41        99695        --sh--r-        C:\h2t6u.exe
2009-06-16 13:51 . 2009-06-17 15:01        100985        --sh--r-        C:\r.com
2009-06-13 01:13 . 2009-06-25 01:47        81408        --sh--r-        c:\windows\system32\843wee1.dll
2009-06-11 00:28 . 2009-06-11 15:19        103456        --sh--r-        C:\6r3p.com
2009-06-09 01:49 . 2009-06-09 23:29        102664        --sh--r-        C:\vpqdgkx.com
2009-05-29 03:15 . 2009-06-05 14:36        102218        --sh--r-        C:\jj2.com

.
((((((((((((((((((((((((((((((((((((((((   ¦b¤T­Ó¤ë¤º³Q­×§ïªºÀÉ®×   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-25 15:18 . 2005-04-24 10:25        --------        d-----w-        c:\program files\FlashGet
2009-06-25 02:05 . 2006-06-12 18:51        --------        d-----w-        c:\documents and settings\user\Application Data\ppstream
2009-06-20 00:58 . 2001-09-17 12:00        84068        ----a-w-        c:\windows\system32\prfc0404.dat
2009-06-20 00:58 . 2001-09-17 12:00        257504        ----a-w-        c:\windows\system32\prfh0404.dat
2009-05-19 02:27 . 2009-05-15 14:07        103978        --sh--r-        C:\clc1al.com
2009-05-15 03:16 . 2009-05-13 17:35        104202        --sh--r-        C:\hsi.com
2009-05-07 16:24 . 2009-05-05 17:19        106442        --sh--r-        C:\utcn8c63.exe
2009-05-07 15:42 . 2004-08-04 12:00        339456        ----a-w-        c:\windows\system32\localspl.dll
2009-05-07 07:18 . 2005-05-03 03:20        --------        d-----w-        c:\documents and settings\user\Application Data\AdobeUM
2009-05-05 00:58 . 2009-05-04 19:41        105148        --sh--r-        C:\tg.com
2009-05-02 23:23 . 2009-05-02 23:23        --------        d-----w-        c:\documents and settings\All Users\Application Data\CCTV
2009-04-29 04:41 . 2009-04-29 04:41        6066176        ----a-w-        c:\windows\system32\SET1C.tmp
2009-04-29 04:41 . 2009-04-29 04:41        6066176        ------w-        c:\windows\system32\SET1A.tmp
2009-04-29 04:41 . 2009-04-29 04:41        268288        ----a-w-        c:\windows\system32\SET19.tmp
2009-04-29 04:41 . 2009-04-29 04:41        268288        ------w-        c:\windows\system32\SET17.tmp
2009-04-29 04:41 . 2004-08-04 12:00        78336        ----a-w-        c:\windows\system32\ieencode.dll
2009-04-29 04:41 . 2009-04-29 04:41        383488        ----a-w-        c:\windows\system32\SET1E.tmp
2009-04-29 04:41 . 2009-04-29 04:41        383488        ------w-        c:\windows\system32\SET1D.tmp
2009-04-29 04:41 . 2009-04-29 04:41        63488        ----a-w-        c:\windows\system32\SET24.tmp
2009-04-29 04:41 . 2009-04-29 04:41        63488        ------w-        c:\windows\system32\SET21.tmp
2009-04-29 04:41 . 2009-04-29 04:41        124928        ----a-w-        c:\windows\system32\SET27.tmp
2009-04-29 04:41 . 2009-04-29 04:41        124928        ------w-        c:\windows\system32\SET22.tmp
2009-04-19 20:08 . 2004-08-04 12:00        1846272        ----a-w-        c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2009-04-15 15:11        584192        ----a-w-        c:\windows\system32\SET92.tmp
2009-04-15 15:11 . 2004-08-04 12:00        584192        ----a-w-        c:\windows\system32\rpcrt4.dll
2009-04-15 09:56 . 2009-04-15 09:56        637952        ----a-w-        c:\windows\system32\SET93.tmp
2009-04-11 19:03 . 2005-04-24 10:01        93696        ----a-w-        c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-01-18 01:53 . 2009-01-16 17:41        129536        --sh--r-        c:\windows\system32\lhgjyit3.dll
2008-10-17 07:41 . 2008-10-17 07:41        15360        --sh--w-        c:\windows\system32\660B7F\winmcreg.exe
2008-10-25 17:54 . 2008-10-25 17:54        15360        --sh--w-        c:\windows\system32\660B7F\winncreg.exe
2008-11-04 12:59 . 2008-11-04 12:59        16896        --sh--w-        c:\windows\system32\660B7F\winocreg.exe
2008-11-12 19:39 . 2008-11-12 16:53        15872        --sh--w-        c:\windows\system32\660B7F\winqcreg.exe
2008-11-20 15:26 . 2008-11-20 15:26        16384        --sh--w-        c:\windows\system32\660B7F\winrcreg.exe
2008-11-25 03:36 . 2008-11-25 01:13        16384        --sh--w-        c:\windows\system32\660B7F\winscreg.exe
2008-11-29 16:53 . 2008-11-29 14:54        16896        --sh--w-        c:\windows\system32\660B7F\wintcreg.exe
2008-12-02 17:04 . 2008-12-02 17:04        16896        --sh--w-        c:\windows\system32\660B7F\winucreg.exe
2008-12-05 17:37 . 2008-12-05 17:37        16896        --sh--w-        c:\windows\system32\660B7F\winvcreg.exe
2008-12-09 16:58 . 2008-12-09 16:58        16896        --sh--w-        c:\windows\system32\660B7F\winxcreg.exe
2008-12-12 15:49 . 2008-12-12 15:49        16896        --sh--w-        c:\windows\system32\660B7F\winycreg.exe
2008-12-20 17:04 . 2008-12-20 17:04        16896        --sh--w-        c:\windows\system32\660B7F\winzareg.exe
2008-12-15 15:47 . 2008-12-15 15:47        16896        --sh--w-        c:\windows\system32\660B7F\winzcreg.exe
2008-10-17 07:34 . 2008-10-17 07:34        1514081        --sh--r-        c:\windows\system32\9E6DF6\634FBD.EXE
.

------- Sigcheck -------

[-] 2008-04-15 10:54        14336        3AECECC06B3C127F625A73BB6E01668C        c:\windows\SoftwareDistribution\Download\44efa6227a0729b233508b6f95c3fb71\svchost.exe
[-] 2004-08-04 12:00        14336        723BA2EFE4A16774E98F53D7AC6C71FD        c:\windows\system32\svchost.exe
[-] 2004-08-04 12:00        14336        723BA2EFE4A16774E98F53D7AC6C71FD        c:\windows\system32\dllcache\svchost.exe

[-] 2008-04-15 10:54        82432        EBF5E57B2E84FB3DB0A598364FAAE00C        c:\windows\SoftwareDistribution\Download\44efa6227a0729b233508b6f95c3fb71\ws2_32.dll
[-] 2004-08-04 12:00        82944        8A39164F7884644723CD7ACC913260AF        c:\windows\system32\ws2_32.dll
[-] 2004-08-04 12:00        82944        8A39164F7884644723CD7ACC913260AF        c:\windows\system32\dllcache\ws2_32.dll

[-] 2008-04-15 10:54        493568        0D07E75030839CF4A0A0D854484A7FEF        c:\windows\SoftwareDistribution\Download\44efa6227a0729b233508b6f95c3fb71\winlogon.exe
[-] 2004-08-04 12:00        487936        7189E588041174198281933EB2CA449C        c:\windows\system32\winlogon.exe
[-] 2004-08-04 12:00        487936        7189E588041174198281933EB2CA449C        c:\windows\system32\dllcache\winlogon.exe

[-] 2008-04-13 19:20        182656        1DF7F42665C94B825322FAE71721130D        c:\windows\SoftwareDistribution\Download\44efa6227a0729b233508b6f95c3fb71\ndis.sys
[-] 2004-08-04 12:00        182912        558635D3AF1C7546D26067D5D9B6959E        c:\windows\system32\dllcache\ndis.sys
[-] 2004-08-04 12:00        182912        558635D3AF1C7546D26067D5D9B6959E        c:\windows\system32\drivers\ndis.sys

[-] 2008-04-13 18:53        36608        3BB22519A194418D5FEC05D800A19AD0        c:\windows\SoftwareDistribution\Download\44efa6227a0729b233508b6f95c3fb71\ip6fw.sys
[-] 2004-08-04 12:00        29056        4448006B6BC60E6C027932CFC38D6855        c:\windows\system32\dllcache\ip6fw.sys
[-] 2004-08-04 12:00        29056        4448006B6BC60E6C027932CFC38D6855        c:\windows\system32\drivers\ip6fw.sys

[-] 2007-06-18 11:39        977920        3DDB98936B29019549C6FBABD86846E7        c:\windows\explorer.exe
[-] 2007-06-18 11:41        977920        D1822278F43E2850E03EF36D29686D4F        c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2004-08-04 12:00        976896        453888766DA789F18FBBF5B20E4BC17F        c:\windows\$NtUninstallKB938828$\explorer.exe
[-] 2008-04-15 10:54        978432        88057E7B74236C11098E4D4EEAC7DF5E        c:\windows\SoftwareDistribution\Download\44efa6227a0729b233508b6f95c3fb71\explorer.exe
[-] 2007-06-18 11:39        977920        3DDB98936B29019549C6FBABD86846E7        c:\windows\SoftwareDistribution\Download\9d5c1d99957d44de27929ec25364cf95\SP2GDR\explorer.exe
[-] 2007-06-18 11:41        977920        D1822278F43E2850E03EF36D29686D4F        c:\windows\SoftwareDistribution\Download\9d5c1d99957d44de27929ec25364cf95\SP2QFE\explorer.exe
[-] 2007-06-18 11:39        977920        3DDB98936B29019549C6FBABD86846E7        c:\windows\system32\dllcache\explorer.exe

[-] 2008-04-15 10:54        13312        4E09C68586CF236B9853FC7F93F69C62        c:\windows\SoftwareDistribution\Download\44efa6227a0729b233508b6f95c3fb71\lsass.exe
[-] 2004-08-04 12:00        13312        4BCA771A81625259AFFAA218E0111D76        c:\windows\system32\lsass.exe
[-] 2004-08-04 12:00        13312        4BCA771A81625259AFFAA218E0111D76        c:\windows\system32\dllcache\lsass.exe

[-] 2008-04-15 10:54        15360        4C97CBAD0CF9E6263C49CFA57BCCAEDD        c:\windows\SoftwareDistribution\Download\44efa6227a0729b233508b6f95c3fb71\ctfmon.exe
[-] 2004-08-04 12:00        15360        3BCEF6B66827EC0B9923D20E62D067BA        c:\windows\system32\ctfmon.exe
[-] 2004-08-04 12:00        15360        3BCEF6B66827EC0B9923D20E62D067BA        c:\windows\system32\dllcache\ctfmon.exe

[-] 2008-04-15 10:54        25088        A66E0579B78B8C1A62330BB124C9CD23        c:\windows\SoftwareDistribution\Download\44efa6227a0729b233508b6f95c3fb71\userinit.exe
[-] 2004-08-04 12:00        23552        F3A20A3C6A4DF7FE038F4CCA70080B10        c:\windows\system32\userinit.exe
[-] 2004-08-04 12:00        23552        F3A20A3C6A4DF7FE038F4CCA70080B10        c:\windows\system32\dllcache\userinit.exe

[-] 2008-04-15 10:54        286208        F1D722FAC699F6372D020A634ADC8361        c:\windows\SoftwareDistribution\Download\44efa6227a0729b233508b6f95c3fb71\termsrv.dll
[-] 2004-08-04 12:00        286208        741E5693774F23F222887B9E4C6826E5        c:\windows\system32\termsrv.dll
[-] 2004-08-04 12:00        286208        741E5693774F23F222887B9E4C6826E5        c:\windows\system32\dllcache\termsrv.dll

[-] 2008-04-15 10:54        17408        FB52B1E513761A3D13FDB8D52655476F        c:\windows\SoftwareDistribution\Download\44efa6227a0729b233508b6f95c3fb71\powrprof.dll
[-] 2004-08-04 12:00        17408        7040C2BCA7D6EFEEB14A807EAD9449DB        c:\windows\system32\powrprof.dll
[-] 2004-08-04 12:00        17408        7040C2BCA7D6EFEEB14A807EAD9449DB        c:\windows\system32\dllcache\powrprof.dll

[-] 2008-04-15 10:54        110080        F74927743F8D8F58C277D37C3F0DD7CB        c:\windows\SoftwareDistribution\Download\44efa6227a0729b233508b6f95c3fb71\imm32.dll
[-] 2004-08-04 12:00        110080        A37DE5013935401F52A31D6C3982D6C2        c:\windows\system32\imm32.dll
[-] 2004-08-04 12:00        110080        A37DE5013935401F52A31D6C3982D6C2        c:\windows\system32\dllcache\imm32.dll

[-] 2008-04-15 10:54        1570816        5A500070F303F0D2B3EB428E35B8C06C        c:\windows\SoftwareDistribution\Download\44efa6227a0729b233508b6f95c3fb71\sfcfiles.dll
[-] 2004-08-04 12:00        1546752        1680AD7B6FBD7CE495188A8A4CA3758B        c:\windows\system32\sfcfiles.dll
[-] 2004-08-04 12:00        1546752        1680AD7B6FBD7CE495188A8A4CA3758B        c:\windows\system32\dllcache\sfcfiles.dll

[-] 2008-04-15 10:54        146944        BC80756C9E2EA29D4EB345C94D53E78E        c:\windows\SoftwareDistribution\Download\44efa6227a0729b233508b6f95c3fb71\appmgmts.dll
[-] 2004-08-04 12:00        146944        31F504D66AA1F02C50709CDF48F28976        c:\windows\system32\appmgmts.dll
[-] 2004-08-04 12:00        146944        31F504D66AA1F02C50709CDF48F28976        c:\windows\system32\dllcache\appmgmts.dll

[-] 2008-04-15 10:36        23296        781A83EE8D53443539E54D4743437196        c:\windows\SoftwareDistribution\Download\44efa6227a0729b233508b6f95c3fb71\kbdclass.sys
[-] 2004-08-04 12:00        23424        8CCDD51821BBACD3DBA1AFA5E7C4D756        c:\windows\system32\drivers\kbdclass.sys
.

(((((((((((((((((((((((((((((((((((((   ­«­nµn¤JÂI   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*ª`·N* ªÅ¥Õ»P¦Xªk¯Ê¬Ùµn¿ý±N¤£·|³QÅã¥Ü
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 1449984]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-03-21 486856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"PPS Accelerator"="e:\online tv\PPStream\ppsap.exe" [2008-12-11 210296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"PPHIDPAD"="c:\winpenjr\Win32\pphidpad.exe" [2004-09-16 61440]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"CJIMETIPSYNC"="c:\program files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE" [2007-03-22 66400]
"PHIMETIPSYNC"="c:\program files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE" [2007-03-22 98656]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"KavStart"="c:\kis2007\KAVStart.exe" [2007-11-09 139264]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-09-17 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-04-24 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-04-24 98304]
"Flashget"="c:\progra~1\FlashGet\FlashGet.exe" [2007-09-11 1998896]
"Hotplug"="c:\program files\Silicon Integrated Systems\SiSRaidPackage\hot_plug.exe" [2003-12-19 163840]
"Mirabilis ICQ"="c:\progra~1\ICQ\ICQNet.exe" [2003-10-14 38984]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-24 132496]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-25 437160]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^¡u¶}©l¡v¥\¯àªí^µ{¦¡¶°^±Ò°Ê^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^¡u¶}©l¡v¥\¯àªí^µ{¦¡¶°^±Ò°Ê^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^user^¡u¶}©l¡v¥\¯àªí^µ{¦¡¶°^±Ò°Ê^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^user^¡u¶}©l¡v¥\¯àªí^µ{¦¡¶°^±Ò°Ê^¡¡¡¡¡¡.lnk]
path=c:\documents and settings\user\¡u¶}©l¡v¥\¯àªí\µ{¦¡¶°\±Ò°Ê\¡¡¡¡¡¡.lnk
backup=c:\windows\pss\¡¡¡¡¡¡.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"winvnc"=2 (0x2)
"NOD32krn"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ICQ\\Icq.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\ALI213\\bt.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Intuwave Ltd\\Shared\\mRouterRunTime\\mRouterRuntime.exe"=
"e:\\warcraft\\Warcraft III\\Warcraft III.exe"=
"e:\\BT\\123\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"e:\\Theme\\Nokia\\Carbide.ui S60 Theme Edition 3.1\\JRE\\bin\\javaw.exe"=
"c:\\Program Files\\NextLink\\GOGOBOX\\GFSCAgent.exe"=
"c:\\Program Files\\NextLink\\GOGOBOX\\gogobox.exe"=
"c:\\Program Files\\Foxy\\Foxy.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Online TV\\PPStream\\PPStream.exe"=
"e:\\Online TV\\PPStream\\PPSAP.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"e:\\PES2009\\KONAMI\\Pro Evolution Soccer 2009\\pes2009.exe"=
"e:\\PES2009\\pes2009.exe"=
"e:\\Kingsoft\\Powerword 2007\\xdict.exe"=
"e:\\Kingsoft\\Powerword 2007\\update.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"e:\\Online TV\\TVAnts\\Tvants.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7454:TCP"= 7454:TCP:BitComet 7454 TCP
"7454:UDP"= 7454:UDP:BitComet 7454 UDP
"21528:TCP"= 21528:TCP:BitComet 21528 TCP
"21528:UDP"= 21528:UDP:BitComet 21528 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"8144:TCP"= 8144:TCP:Foxy (192.168.1.100:8144) 8144 TCP
"8144:UDP"= 8144:UDP:Foxy (192.168.1.100:8144) 8144 UDP

R1 KNetWch;KNetWch;c:\kis2007\KNetWch.SYS [21/12/2007 12:29 24784]
R1 KWatch3;KWatch3;c:\windows\system32\drivers\KWatch3.SYS [21/12/2007 12:30 35328]
R1 ppmoucls;ppmoucls;c:\windows\system32\drivers\PPMOUCLS.SYS [6/8/2005 21:42 20704]
R1 pptchpad;PenPower Touchpad;c:\windows\system32\drivers\PPTCHPD5.SYS [6/8/2005 21:42 17216]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3/11/2006 19:19 13592]
S1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys --> c:\windows\system32\drivers\nod32drv.sys [?]
S3 pacdcacm;pacdcacm;c:\windows\system32\drivers\pacdcacm.sys [26/10/2005 1:40 26496]
S3 x800bus;Panasonic X800 Composite Device driver (WDM);c:\windows\system32\drivers\x800bus.sys [10/11/2005 21:02 52480]
S3 x800mdfl;Panasonic X800 Connectivity Filter Driver;c:\windows\system32\drivers\x800mdfl.sys [10/11/2005 21:03 6032]
S3 x800mdm;Panasonic X800 Connectivity Driver;c:\windows\system32\drivers\x800mdm.sys [10/11/2005 21:03 87040]
.
¡¥­p¹º¥ô°È¡¦ ¤å¥ó§¨ ¸Ìªº¤º®e

2009-06-25 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 11:20]

2009-06-21 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-03-15 10:15]

2009-06-25 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 14:18]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-dorfgwe - c:\windows\system32\uret463.exe


.

------- ¦Ó¥~ªº±½´y -------
.
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uStart Page = hxxp://hk.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: &Download FLV by WinAVI... - e:\winavi flv converter\flv_link.htm
IE: &¨Ï¥Î FlashGet ¤U¸ü - c:\progra~1\FlashGet\jc_link.htm
IE: &¨Ï¥ÎBitComet¤U¸ü¥»­¶µø°T - e:\bt\123\BitComet\BitComet.exe/AddVideo.htm
IE: &¥þ³¡¨Ï¥Î FlashGet ¤U¸ü - c:\progra~1\FlashGet\jc_all.htm
IE: Foxy ¤U¸ü - c:\program files\Foxy\Foxy.exe/download.htm
IE: Foxy ·j´M - c:\program files\Foxy\Foxy.exe/search.htm
IE: ¨Ï¥ÎBitComet¤U¸ü¥þ³¡³sµ² - e:\bt\123\BitComet\BitComet.exe/AddAllLink.htm
IE: ¨Ï¥ÎBitComet¤U¸ü³sµ²(&B) - e:\bt\123\BitComet\BitComet.exe/AddLink.htm
Handler: copernicagent - {A979B6BD-E40B-4A07-ABDD-A62C64A4EBF6} - c:\progra~1\COPERN~1\COPERN~1.DLL
Handler: copernicagentcache - {AAC34CFD-274D-4A9D-B0DC-C74C05A67E1D} - c:\progra~1\COPERN~1\COPERN~1.DLL
DPF: Microsoft XML Parser for Java
DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} - hxxp://www.gogobox.com.tw/neo.fld/GNowStarter.cab
DPF: {A93FB56D-2F76-4DD7-8E38-9B1EB38C88A5} - hxxp://warranty.samsungmcs.com.hk:8080/plugIn/SecuiSECIE.cab
DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} - hxxp://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
DPF: {BE34BAB0-0580-45BC-AEC8-E0EF00C11F57} - hxxp://hkma.towergame.com/common/GTWebCom.cab
.
.
------- ¤å¥óÃþ«¬ -------
.
chm.file="hh.exe" %1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url]http://www.gmer.net[/url]
Rootkit scan 2009-06-25 23:33
Windows 5.1.2600 Service Pack 2 NTFS

±½´y³QÁôÂ꺶iµ{ ...  

±½´y³QÁôÂêº±Ò°Ê²Õ ...

±½´y³QÁôÂ꺤å¥ó ...  


c:\windows\TEMP\KAV5CDC7.TMP 0 bytes

±½´y§¹¦¨
³QÁôÂêºÀÉ®×: 1

**************************************************************************
.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1275210071-776561741-725345543-1003\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Access\Settings\/SúQ *?™eh?*A*g*e*G*r*o*u*p*'* *?.*.*.*\File Name MRU]
"Value"=multi:"\00\00"
"Maximum Entries"=dword:0000000a

[HKEY_USERS\S-1-5-21-1275210071-776561741-725345543-1003\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Access\Settings\/SúQ *?™eh?*A*g*e*G*r*o*u*p*'* *?.*.*.*\View]
"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
   90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,\

[HKEY_USERS\S-1-5-21-1275210071-776561741-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Atari\!jìdjW3*]
"Order"=hex:08,00,00,00,02,00,00,00,0c,00,00,00,01,00,00,00,00,00,00,00

[HKEY_USERS\S-1-5-21-1275210071-776561741-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\"Y{^?™ó^2*]
"Order"=hex:08,00,00,00,02,00,00,00,70,01,00,00,01,00,00,00,03,00,00,00,7a,00,
   00,00,00,00,00,00,6c,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,5a,00,36,\

[HKEY_USERS\S-1-5-21-1275210071-776561741-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\‡[û\gY@l\        NW??³PV*]
"Order"=hex:08,00,00,00,02,00,00,00,7a,01,00,00,01,00,00,00,03,00,00,00,7c,00,
   00,00,00,00,00,00,6e,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,5c,00,36,\

[HKEY_USERS\S-1-5-21-1275210071-776561741-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\?q\Òk8?*2*0*0*7* *2–ÒkWY?\?f?eôc]
"Order"=hex:08,00,00,00,02,00,00,00,08,02,00,00,01,00,00,00,04,00,00,00,7e,00,
   00,00,00,00,00,00,70,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,5e,00,36,\

[HKEY_USERS\S-1-5-21-1275210071-776561741-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\?q\Òk8?*2*0*0*7* *2–ÒkWY?\?q\Òk8—å]wQ]
"Order"=hex:08,00,00,00,02,00,00,00,86,01,00,00,01,00,00,00,03,00,00,00,7a,00,
   00,00,00,00,00,00,6c,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,5a,00,36,\

[HKEY_USERS\S-1-5-21-1275210071-776561741-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\?¸^?àO³P-*®U_jHr]
"Order"=hex:08,00,00,00,02,00,00,00,06,01,00,00,01,00,00,00,02,00,00,00,7c,00,
   00,00,00,00,00,00,6e,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,5c,00,36,\

[HKEY_LOCAL_MACHINE\software\Classes\*\shell\(u(g?nd?Y+^2*0*0*7*ƒcÏc\Command]
@="c:\\Documents and Settings\\user\\®à­±\\¤ì°¨²M°£¤j®v2007\\BeatTrojan.exe %1\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00D[x\04\00\00\00\00€\00\00\00\00IME:2007-12-30 8:49"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQöN\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQöN\CurVer]
@="BDATuner.¤¸¥ó.1"

[HKEY_LOCAL_MACHINE\software\Classes\Folder\shell\(u(g?nd?Y+^2*0*0*7*ƒcÏc\Command]
@="c:\\Documents and Settings\\user\\®à­±\\¤ì°¨²M°£¤j®v2007\\BeatTrojan.exe %1\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00D[x\04\00\00\00\00€\00\00\00\00IME:2007-12-30 8:49"

[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lxŸx™PýN‹WKa\DefaultIcon]
@="c:\\PROGRA~1\\Ahead\\Nero\\nero.exe,14"

[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lxŸx™PýN‹WKa\shell\open\command]
@="c:\\PROGRA~1\\Ahead\\Nero\\nero.exe \"%1\""

[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lxŸx™PýN‹WKa\shell\print\command]
@="c:\\PROGRA~1\\Ahead\\Nero\\nero.exe /p \"%1\""

[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lxŸx™PýN‹WKa\shell\printto\command]
@="c:\\PROGRA~1\\Ahead\\Nero\\nero.exe /pt \"%1\" \"%2\" \"%3\" \"%4\""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\?_j³Pb-*-N‡eHr]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,00,c0,0f,16,00,00,00,00,d4,2c,95,
   2c,5a,8e,c6,01,00,00,00,00,65,00,3a,00,5c,00,8d,9f,5f,6a,b3,50,7f,62,5c,00,\
"Changed"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\?_j³Pb-*-N‡eHr]
"UninstallString"="c:\\WINDOWS\\IsUninst.exe -fe:\\Às¾÷¶Ç©Ó\\i\\ª±±o\\Uninst.isu"
"DisplayName"="Às¾÷¶Ç©Ó-¤¤¤åª©"

[HKEY_LOCAL_MACHINE\System\ControlSet004\Enum\Root\SYSTEM\0003]
@Denied: (Read) (LocalSystem)
@Allowed: (Read) (Administrators)
"DeviceDesc"="PnP BIOS Extension"
"ClassGUID"="{4D36E97D-E325-11CE-BFC1-08002BE10318}"
"Class"="System"
"HardwareID"=multi:"root\\d347bus\00\00"
"Driver"="{4D36E97D-E325-11CE-BFC1-08002BE10318}\\0025"
"Mfg"="(Standard system devices)"
"Service"="d347bus"
"ConfigFlags"=dword:00000000
"Capabilities"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet004\Enum\Root\SYSTEM\0003\LogConf]
@Allowed: (Read) (Administrators)
.

--------------------- ¹B¦æ¶iµ{¤Uªº°ÊºAÃì±µ®w ---------------------

- - - - - - - > 'explorer.exe'(2264)
c:\progra~1\FlashGet\fgmgr.dll
c:\kis2007\KMailOEBand.dll
c:\kis2007\KASocket.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\windows\system32\ConnAPI.DLL
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_chi-hk.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\program files\Panasonic\Panasonic X800 PC Software Suite\eccopyhook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ ¨ä¥L¹B¦æ¶iµ{ ------------------------
.
c:\kis2007\KWatch.EXE
c:\windows\system32\conime.exe
c:\kis2007\KPFWSvc.EXE
c:\program files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
c:\windows\system32\nvsvc32.exe
e:\alcohol\Alcohol 120\StarWind\StarWindService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\WgaTray.exe
c:\kis2007\KMailMon.EXE
.
**************************************************************************
.
§¹¦¨®É¶¡: 2009-06-25 23:41 - ¹q¸£¤w­«·s±Ò°Ê
ComboFix-quarantined-files.txt  2009-06-25 15:41

Pre-Run: 1,693,687,808 ¦ì¤¸²Õ¥i¥Î
Post-Run: 8,175,747,072 ¦ì¤¸²Õ¥i¥Î

Current=4 Default=4 Failed=0 LastKnownGood=6 Sets=1,2,3,4,5,6
563        --- E O F ---        2009-06-24 02:40

°õ¦æ [b][color=blue]OTM[/b][/color]

[list][*]¥Î·Æ¹«½Æ»s¥H¤U²Ê¶Â¦â¤å¦r¡A©ó [b][color=blue]OTMoveIt3[/b][/color] µøµ¡ [b][color=Cyan]Paste Instructions for Items to be Moved[/color][/b] ¶K¤W¥H¤U¤º®e:

[b]:files
C:\clc1al.com
C:\hsi.com
C:\utcn8c63.exe
C:\tg.com
C:\9l66g8k1.com
C:\dmf.exe
C:\yq.com
C:\chlf9.exe
C:\h2t6u.exe
C:\r.com
C:\6r3p.com
C:\vpqdgkx.com
C:\jj2.com
c:\windows\system32\uret463.exe
c:\windows\system32\lhgjyit3.dll
c:\windows\system32\843wee1.dll
c:\windows\system32\843wee0.dll
c:\windows\system32\660B7F
c:\windows\system32\9E6DF6[/b]

[*]¤§«á«ö [b][color=red]MoveIt![/color][/b] (°²¦pµ{¦¡­n¨D­«·s啓°Ê¹q¸£¡A«ö [b]Yes[/b])
[*]Ãö³¬ [b][color=blue]OTM[/b][/color][/list]




­«·s啓°Ê¹q¸£. ¥Î [b][color=blue]Kaspersky Online Scanner[/b][/color] ±½´y¹q¸£¡AµM«á¶K¤W°O¿ý.

¨Ï¥Î±Ð¾Ç:

[url]http://discuss.com.hk/viewthread.php?tid=944141[/url]



¥t¥~¡A¥Ñ©ó [b][color=blue]schtasks[/color].exe[/b] ¨ü¨ì·P¬V¡A½Ð§A揾¤Ho«Y Windows XP Professional SP2 ¬J¹q¸£½Æ»s¦¹ÀɮסAµM«á©ñ¦^­ì¦³¦ì¸m: [b]C:\WINDOWS\[color=blue]system32[/color][/b]

°õ¦æOTM ¤Î schtasks«á¡A¤´¥¼¯à¨Ï¥ÎIE¡A¬GµLªk°õ¦æ Kaspersky Online Scanner¡C
³o·|¬O¦]¬°¡u±z¥i¯à¬Oµsª©³n¥óªº¨ü®`ªÌ¡v¶Ü¡H
µLªk¨Ï¥Îªº±¡ªp³£¦n¹³IE§ó·s«á¤~µo¥Í¡C

¤U¸ü¥H¤UÀɮצܮୱ. °õ¦æÀɮסA«ö[b]½T©w[/b]¡AµM«á­«·s±Ò°Ê¹q¸£.

[url]http://www.sendspace.com/file/mrz5um[/url]

¤§«á¤u¨ã¦C­­¨îÀ³¸Ó·|®ø¥¢. ¥h [¤u¨ã] > [ºô»Úºô¸ô¿ï¶µ] > [¶i¶¥] ¡A«ö [­«³]]¡A¤Ä¤W¿ï¶µ¡A¦A«ö [­«³]] ½T©w.

¸ò¦í«ö¥H¤U³sµ²¤¤¬J¨BÆJ°õ¦æ:

[url]http://support.microsoft.com/kb/555027[/url]



°²¦p¤§«á IE ¤´µM¥¼¯à¥¿±`¹B§@¡A¦w¸Ë Firefox¡A¦A¥Î Kaspersky Online Scanner ±½´y.

°õ¦æ¥H¤W«ü¥O¤´¥¼¯à¨Ï¥ÎIE¡A©Ò¥H§Ú¦w¸Ë¤FFirefox¡C

¥H¤U³sµ²¬°Kaspersky Online Virusscanner Report.
[url=http://www.sendspace.com/file/2w48xc]http://www.sendspace.com/file/2w48xc[/url]

[[i] ¥»©«³Ì«á¥Ñ onor ©ó 2009-6-29 09:58 AM ½s¿è [/i]]

°õ¦æ [b][color=blue]OTM[/b][/color]

[*]¥Î·Æ¹«½Æ»s¥H¤U²Ê¶Â¦â¤å¦r¡A©ó [b][color=blue]OTMoveIt3[/b][/color] µøµ¡ [b][color=Cyan]Paste Instructions for Items to be Moved[/color][/b] ¶K¤W¥H¤U¤º®e:

[b]:files
C:\1brfrip.exe
C:\8q6h.exe
C:\91m.com
C:\96.com
C:\ejoq.exe
C:\fp.exe
C:\i2.com
C:\kjibu.com
C:\n09jwu9.com
C:\r9ghv9.com
C:\s38k.exe
C:\tfa8rk6.com
C:\ud.exe
C:\v9l1l.com
C:\xc.exe
C:\xpq63xl.exe
C:\y319s.exe
C:\WINDOWS\System32\mstKde.dll
C:\WINDOWS\system32\afmain2.dll
C:\WINDOWS\system32\afmain3.dll
C:\WINDOWS\system32\mstKde.dll
C:\WINDOWS\system32\mswmdmsrv.dll
E:\1brfrip.exe
E:\6.exe
E:\6r3p.com
E:\6vu680.com
E:\8q6h.exe
E:\91m.com
E:\96.com
E:\9l66g8k1.com
E:\a.exe
E:\chlf9.exe
E:\clc1al.com
E:\dmf.exe
E:\ejoq.exe
E:\fp.exe
E:\h2t6u.exe
E:\hsi.com
E:\i2.com
E:\jj2.com
E:\kjibu.com
E:\n09jwu9.com
E:\r.com
E:\r9ghv9.com
E:\s38k.exe
E:\tfa8rk6.com
E:\tg.com
E:\tv program
E:\ud.exe
E:\utcn8c63.exe
E:\v9l1l.com
E:\vpqdgkx.com
E:\xc.exe
E:\xpq63xl.exe
E:\y319s.exe
E:\yq.com[/b]

[*]¤§«á«ö [b][color=red]MoveIt![/color][/b] (°²¦pµ{¦¡­n¨D­«·s啓°Ê¹q¸£¡A«ö [b]Yes[/b])
[*]Ãö³¬ [b][color=blue]OTM[/b][/color][/list]



­«·s啓°Ê¹q¸£. ¤U¸ü [b][color=blue]ESET Online Scanner[/color][/b] ¦Ü[b]®à­±[/b]

[url]http://download.eset.com/special/eos/esetsmartinstaller_enu.exe[/url]

[list][*]°õ¦æ¦w¸ËÀÉ¡A«ö [b]YES¡AI accept the Terms of Use[/b]¡A¦A«ö [b]Start[/b]
[*][b][color=blue]ESET Online Scanner[/color][/b] ·|¶i¦æ¦w¸Ë. §¹¦¨¦w¸Ë«á«ö [b]Start[/b] ¶i¦æ§ó·s¤Î±½´y.
[*]§¹¦¨±½´y«á¡A°²¦pµo²{´c·Nµ{¦¡¡A«ö [b]List of found threats[/b]¡A¦A«ö [b]Export to text file[/b] Àx¦s±½´y°O¿ý.
[*]¶K¤W [b][color=blue]ESET Online Scanner[/color][/b] °O¿ý.[/list]



¥Î [b][color=blue]ESET Online Scanner[/color][/b] ±½´y«e°õ¦æ¥H¤U¨BÆJ.

¥Ñ©ó¨ä¤¤¤@­Ó¨t²ÎÀÉ®× [b]C:\WINDOWS\systems32\[color=blue]sens[/color].dll[/b] ¨ü¨ì·P¬V¡A§A­n§ó·s©O­ÓÀÉ®×.

# §A¥i¥H揾¤Ho«Y Windows XP Professional SP2 ¬J¹q¸£½Æ»s¦¹ÀÉ®×.

¤§«á­«·s啓°Ê¹q¸£¡A«ö [b]F8[/b] ¶i¤J¦w¥þ¼Ò¦¡.

§R°£ [b][color=blue]sens[/color].dll[/b]¡AµM«á±N·sÀɮשñ¦^­ì¦³¦ì¸m: [b]C:\WINDOWS\[color=blue]system32[/color][/b]

# ¦pªG¦³ Windows XP Professional SP2 CD¡A§A¥ç¥i¥H´¡¤J Windows XP ¥úºÐ¡AµM«á­«·s啓°Ê¹q¸£¡A«ö [b]F8[/b] ¶i¤J¦w¥þ¼Ò¦¡.

§R°£¥H¤UÀÉ®×:

[b]C:\WINDOWS\systems32\[color=blue]sens[/color].dll[/b]

«ö¥ª¤U¨¤[b]¶}©l[/b] > °õ¦æ > ¿é¤J [b]cmd[/b] > ½T©w

©óµøµ¡¤º¿é¤J¥H¤U«ü¥O¡AµM«á«ö [b]Enter[/b]

[b]expand [color=red]x[/color]:\i386\sens.dl_c:\windows\system32\sens.dll[/b] ([color=red][b]x[/b][/color] «ü¥úºÐ¾÷¸ô®|¡A¨Ò¦p d¡Be¡Bf µ¥)

¥t¥~¡A§A¸Ü¤´¥¼¯à¨Ï¥Î IE «Y«üÊ\Ä~Äò¥X²{ªÅ¥Õ­¶¶Ü.

¥H¤U³sµ²¬° ESET Online Scanner Report:
[url=http://www.sendspace.com/file/2xfo8n]http://www.sendspace.com/file/2xfo8n[/url]

¹ï¡A¥¼¯à¨Ï¥Î IE ¬O«ü¤´µMªÅ¥Õ ¤Î ¤u¨ã¤´¨ü­­¨î¡C

¤U¸ü [b][color=blue]System Repair Engineer[/b][/color]

[url]http://www.kztechs.com/eng/download.html[/url]

[list][*]±N [b][color=blue]System Repair Engineer[/b][/color] ¸ê®Æ§¨¸ÑÀ£¦Ü®à­±.
[*]°õ¦æ [b][color=blue]SREngLdr[/b][/color]
[*]¿ï¾Ü [b]System Repair[/b]¡A¦A«ö [b]Windows Shell/IE[/b]
[*]¤Ä¤W¥H¤U¶µ¥Ø¡A¦A«ö [b]Repair[/b]

[b]Enable File menu...
Enable View menu...
Enable Favorites menu...
Enable Help menu...
Enable Internet Explorer options...[/b][/list]



¤§«á¦w¸Ë [b][color=blue]Internet Explorer 8[/color][/b]

[url]http://www.microsoft.com/windows/internet-explorer/worldwide-sites.aspx[/url]



¦pªG IE ¥ò¥X²{ªÅ¥Õ¡A¸Õ¦h¤@¦¸¥H¤U¤èªk

[url]http://support.microsoft.com/kb/555027[/url]

¦P®IÚ»¤U¤u¨ã¦C¥ò¦³ÉN°ÝÃD.



¥t¥~¡A°õ¦æ [b][color=blue]SREngLdr[/b][/color]

[list][*]¿ï¾Ü [b]Smart Scan[/b]¡A¦A«ö [b]Scan[/b] ¶i¦æ±½´y.
[*]§¹¦¨±½´y«á¡A«ö [b]Save Reports[/b] Àx¦s [b][color=blue]System Repair Engineer[/b][/color] ±½´y°O¿ý.
[*]¶K¤W [b][color=blue]System Repair Engineer[/b][/color] ±½´y°O¿ý.[/list]

[[i] ¥»©«³Ì«á¥Ñ geck789 ©ó 2009-7-2 12:22 PM ½s¿è [/i]]

IE ªÅ¥Õ¤Î¤u¨ã¦Cªº°ÝÃD¤w¸Ñ¨M¡C
¥H¤U³sµ²¬° System Repair Engineer Report:
[url]http://www.sendspace.com/file/fog07r[/url]

°õ¦æ [b][color=blue]System Repair Engineer[/b][/color]

[list][*] [b]Boot Items[/b] ¤§¤UÂI¿ï [b]Registry[/b]
[*]ÂI¿ï¥H¤U¶µ¥Ø¡A«ö [b]Delete[/b]

[b]634FBD[/b]

[*]¤§«á·|¼u¥X¤@­Óµøµ¡¡A«ö [b]Yes[/b]
[*]Ãö³¬ [b][color=blue]System Repair Engineer[/b][/color][/list]



¥Î [b][color=blue]BitDefender Online Scanner[/b][/color] ±½´y¹q¸£¡AµM«á¶K¤W°O¿ý.

¨Ï¥Î±Ð¾Ç:

[url]http://discuss.com.hk/viewthread.php?tid=944141[/url]

¦b°õ¦æ BitDefender Online Scanner®É¡A¦w¸ËActiveX«á¡A¥H¤Uĵ§i¦r¥y¼u¥X¡J
¡uThis web site is not authorized to host this ActiveX control.
Please contact the webmaster of this web site, or report to BitDefender at the e-mail address: [email=scanonline@bitdefender.com]scanonline@bitdefender.com[/email]¡v

ÁöµMµe­±¤w¸õ¶i¿ï¾Ü ¡uFolders to Scan¡v¡B¡uCleaning Option¡v¡A¦ý¤£¯à¶i¦æ¨âªÌ«ü¥O¡C¬G¨Sªk¶i¦æ±½ºË¡C

[[i] ¥»©«³Ì«á¥Ñ onor ©ó 2009-7-4 10:50 AM ½s¿è [/i]]

¸Õ¤U¥Î [b][color=blue]F-Secure Online Virus Scanner[/color][/b]

¨Ï¥Î±Ð¾Ç:

[url]http://discuss.com.hk/viewthread.php?tid=944141[/url]

²Ä¤@¦¸°õ¦æF-Secure Online Virus Scanner®É¡A
ªá¤F¤E¤p®É¡A¨ì66%®É¡A¨S¦³¦^À³¡C

¦Ó¡A²Ä2¦¸°õ¦æ®É¡Aªá¤F30¦h¤p®É¡A¤´µM¥u¨ì66%¡A³Ì«á¤]¨S¦³¦^À³¡C

½Ð°Ý¦³¨ä¥L±½¬r¥Î¶Ü¡H

¦³.

:smile_o16:

[b][color=blue]Panda ActiveScan[/b][/color] ¨Ï¥Î±Ð¾Ç:

[url]http://discuss.com.hk/viewthread.php?tid=944141[/url]

²×©ó¡A¦¨¥\ªº§¹¦¨±½¬r¤F:loveliness:

¥H¤U³sµ²¬° Panda ActiveScan³ø§i¡J
[url]http://www.sendspace.com/file/gvu7kh[/url]

«ö¥ª¤U¨¤[b]¶}©l[/b] > °õ¦æ > ¿é¤J¥H¤U¤º®e²¾°£ [b][color=blue]ComboFix[/color][/b] > ½T©w

[quote]combofix /u[/quote]



§R°£¥H¤U¸ê®Æ§¨:

[b]C:\[color=blue]_OTM[/color][/b]



¤U¸ü [b][color=blue]Malwarebytes' Anti-Malware [/b][/color] ¦Ü[b]®à­±[/b]

[url]http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html[/url]

[list][*]¦w¸Ë [b][color=blue]Malwarebytes' Anti-Malware [/b][/color] (¦w¸Ë®É¿ï¾Ü­^¤å)
[*]§¹¦¨¦w¸Ë«á«ö [b]Finish[/b] ¶i¦æ§ó·s.
[*]§ó·s«áµ¥«Ý [b][color=blue]Malwarebytes' Anti-Malware [/b][/color] ±Ò°Ê¡AµM«á¿ï¾Ü [b]Perform full scan[/b]¡A«ö [b]Scan[/b]¡A¦A«ö [b]Start Scan[/b] ¶i¦æ±½´y.
[*]§¹¦¨±½´y«á«ö [b]Show Results[/b]
[*]°²¦pµo²{·P¬V¶µ¥Ø¡A½T©w¤Ä¿ï©Ò¦³¶µ¥Ø¡A¦A«ö [b]Remove Selected[/b] ¶i¦æ²M²z.
[*]§¹¦¨²M²z«á·|¼u¥X±½´y°Oºñ. Àx¦s±½´y°Oºñ.
[*]°²¦pµ{¦¡­n¨D­«·s啓°Ê¡A«ö[b]¬O(Y)[/b]­«·s啓°Ê.
[*]Ãö³¬ [b][color=blue]Malwarebytes' Anti-Malware [/b][/color][/list]



¥Î [color=blue][b]HijackThis[/b][/color] ±½´y¹q¸£¡AµM«á¶K¤W¥H¤U°O¿ý:

[list][color=blue][b]HijackThis

[b][color=blue]Malwarebytes' Anti-Malware [/b][/color][/b][/color][/list]

¥H¤U³sµ²¤À§O¬° HijackThis ¤Î Malwarebytes' Anti-Malware ³ø§i¡J

[url]http://www.sendspace.com/file/wkxe2l[/url]

[url]http://www.sendspace.com/file/t2av9q[/url]

Ú»¾¤¤w¸g²M²zo¦èoªº¯f¬r.

:loveliness:

¯uªºÁÂÁº޲z­û :$