Thursday, January 29, 2009

Continued: I've been infected again

Thanks to junorn from the PTT AntiVirus board for recommending ComboFix.

After running it, I found that this program deleted far more files than I expected.

The backup folder came to 386MB...

The log follows...


d-------- c:\windows\Cache

.
(((((((((((((((((((((((((((((((((((((((( 在三個月內被修改的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-29 06:23 --------- d-----w c:\program files\Yahoo!
2009-01-29 06:23 --------- d-----w c:\program files\Windows Live Toolbar
2009-01-29 06:23 --------- d-----w c:\program files\Windows Live Favorites
2009-01-29 06:23 --------- d-----w c:\program files\Windows Live
2009-01-29 06:23 --------- d-----w c:\program files\Unicode-At-on
2009-01-29 06:23 --------- d-----w c:\program files\Safari
2009-01-29 06:23 --------- d-----w c:\program files\Roland
2009-01-29 06:23 --------- d-----w c:\program files\Real Alternative
2009-01-29 06:19 --------- d-----w c:\program files\Microsoft Silverlight
2009-01-29 03:39 --------- d-----w c:\program files\Orbitdownloader
2009-01-28 18:56 --------- d-----w c:\documents and settings\Administrator\Application Data\Orbit
2009-01-28 16:11 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-28 16:01 --------- d-----w c:\program files\Spyware Doctor
2009-01-28 09:49 --------- d-----w c:\program files\Common Files\Adobe
2009-01-22 14:16 --------- d-----w c:\program files\JTrim
2009-01-18 14:11 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-25 15:13 --------- d-----w c:\program files\Riva
2008-12-25 15:13 --------- d-----w c:\program files\Common Files\SWF Studio
2008-12-11 14:44 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-12-11 14:10 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-12-08 06:54 --------- d-----w c:\documents and settings\Administrator\Application Data\PC Tools
2008-12-04 18:34 --------- d-----w c:\program files\BitComet
2008-12-04 15:25 305,512 ----a-w c:\windows\WLXPGSS.SCR
2008-12-04 08:43 --------- d-----w c:\documents and settings\Administrator\Application Data\GrabPro
2008-12-04 08:34 --------- d-----w c:\documents and settings\NetworkService\Application Data\Orbit
2008-12-04 05:34 --------- d-----w c:\documents and settings\NetworkService\Application Data\GrabPro
2008-12-03 14:29 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-12-03 05:29 --------- d-----w c:\program files\Lavasoft
2008-12-03 05:29 --------- d-----w c:\documents and settings\Administrator\Application Data\Lavasoft
2008-12-02 14:37 49,480 ----a-w c:\windows\system32\sirenacm.dll
2008-12-01 11:08 --------- d-----w c:\documents and settings\NetworkService\Application Data\Yahoo!
2008-11-06 02:02 105,472 ----a-w c:\windows\system32\TudouUpload.dll
2008-06-12 09:16 28,672 ----a-w c:\program files\mozilla firefox\components\FlashgetXpi.dll
.

((((((((((((((((((((((((((((((((((((( 重要登入點 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白與合法缺省登錄將不會被顯示 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{32099AAC-C132-4136-9E9A-4E364A424E17}"= "c:\program files\DAEMON Tools Toolbar\DTToolbar.dll" [2008-07-17 691656]

[HKEY_CLASSES_ROOT\clsid\{32099aac-c132-4136-9e9a-4e364a424e17}]
[HKEY_CLASSES_ROOT\DTToolbar.ToolBandObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{3E288F79-03E4-4983-A48E-0D879B51FF19}]
[HKEY_CLASSES_ROOT\DTToolbar.ToolBandObj]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{32099AAC-C132-4136-9E9A-4E364A424E17}"= "c:\program files\DAEMON Tools Toolbar\DTToolbar.dll" [2008-07-17 691656]

[HKEY_CLASSES_ROOT\clsid\{32099aac-c132-4136-9e9a-4e364a424e17}]
[HKEY_CLASSES_ROOT\DTToolbar.ToolBandObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{3E288F79-03E4-4983-A48E-0D879B51FF19}]
[HKEY_CLASSES_ROOT\DTToolbar.ToolBandObj]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-15 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2008-12-02 3882312]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-17 490952]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-08-21 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-07-20 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"vsc32cnf.exe"="c:\program files\Roland\VSC32\vsc32cnf.exe" [2000-02-07 36864]
"vscvol.exe"="c:\program files\Roland\VSC32\vscvol.exe" [2000-02-08 36864]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-01-29 1168264]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [2008-04-15 c:\windows\system32\ctfmon.exe]

c:\documents and settings\Administrator\「開始」功能表\程式集\啟動\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-08-05 113664]

c:\documents and settings\All Users\「開始」功能表\程式集\啟動\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-08-05 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-18 65588]
Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2008-12-04 1690824]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI3"= vscapi.dll
"WAVE3"= vscapi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\eMule\\emule.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8426:TCP"= 8426:TCP:BitComet 8426 TCP
"8426:UDP"= 8426:UDP:BitComet 8426 UDP

R3 vsc32;Virtual Sound Canvas 3.2;c:\windows\system32\drivers\vsc.sys [2008-07-19 951284]
R4 RVIEGVST;VSC VST Engine;c:\program files\Roland\Virtual Sound Canvas VST\RVIEg01VST.sys [2008-07-19 188276]
R4 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2008-12-04 226640]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys --> c:\windows\system32\drivers\pavboot.sys [?]
S4 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-12-08 356920]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a8fe2e4-5542-11dd-b8f9-001a4d9dab55}]
\Shell\AutoRun\command - I:\v0vj.exe
\Shell\explore\Command - I:\v0vj.exe
\Shell\open\Command - I:\v0vj.exe
.
‘計劃任務’ 文件夾 裡的內容

2009-01-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-20 00:04]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-ClubBox - (no file)
MSConfigStartUp-FlashGet - c:\program files\FlashGet Network\Flashget\flashget.exe
MSConfigStartUp-Load - c:\windows\rundl132.exe


.
------- 而外的掃描 -------
.
uStart Page = hxxp://search.orbitdownloader.com
mStart Page = hxxp://tw.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://tw.yahoo.com/
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: &使用 FlashGet 下載 - c:\program files\FlashGet\jc_link.htm
IE: &全部使用 FlashGet 下載 - c:\program files\FlashGet\jc_all.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Link to &MidpX - c:\program files\Kwyshell\MidpX\JadInvoker\Extent\jad_wrap.htm
IE: 使用 FlashGet 下載 - c:\program files\FlashGet Network\Flashget\ComDlls\Bholink.htm
IE: 全部使用 FlashGet 下載 - c:\program files\FlashGet Network\Flashget\ComDlls\Bhoall.htm
TCP: {342E252F-C2BF-4059-A145-6BCE5D556C52} = 168.95.192.1 168.95.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} - hxxp://www.gogobox.com.tw/neo.fld/GNowStarter.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zuwdhy7b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.tw/firefox?client=firefox-a&rls=org.mozilla:zh-TW:official
FF - component: c:\program files\Mozilla Firefox\components\FlashgetXpi.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-29 14:24:02
Windows 5.1.2600 Service Pack 3 NTFS

掃描被隱藏的進程 。。。 

掃描被隱藏的啟動組 。。。 

掃描被隱藏的文件 。。。 

掃描完成
被隱藏的檔案: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\Administrator\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\nn辄`4*+*?@Y?3w?]
"Order"=hex:08,00,00,00,02,00,00,00,90,00,00,00,01,00,00,00,01,00,00,00,84,00,
00,00,00,00,00,00,76,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,64,00,36,\

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CurVer]
@="BDATuner.元件.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\讄L?*C*C*l*e*a*n*e*r*\command]
@="c:\\Program Files\\CCleaner\\ccleaner.exe /AUTO"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\?_U *C*C*l*e*a*n*e*r*\command]
@="c:\\Program Files\\CCleaner\\ccleaner.exe"
.
完成時間: 2009-01-29 14:25:07
ComboFix-quarantined-files.txt 2009-01-29 06:25:05

Pre-Run: 587,091,968 位元組可用
Post-Run: 748,314,624 位元組可用

WindowsXP-KB310994-SP2-Pro-BootDisk-CHT.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

