ComboFix runs perfectly - no processes had to be terminated.
ComboFix log:
ComboFix 08-05-11.1 - user 2008-05-12 23:29:16.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.950.1.1028.18.205 [GMT 8:00]
執行位置?: C:\rename.exe
Command switches used :: C:\CFScript.txt
* 已建立新的還原點

FILE ::
E:\nideiect.com
F:\nideiect.com
.

(((((((((((((((((((((((((((((((((((((( 其他遭刪除的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\downld

.
(((((((((((((((((((((((((((( 2008-04-12 - 2008-05-12 之間建立的檔案 )))))))))))))))))))))))))))))))))
.

2008-05-11 16:37 . 2008-05-11 16:37 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-11 16:37 . 2008-05-11 16:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-10 21:04 . 2008-05-11 22:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-05-10 13:25 . 2008-05-10 13:25 <DIR> d-------- C:\Program Files\Graphmatica
2008-05-03 19:56 . 2008-05-06 18:59 <DIR> d-------- C:\Documents and Settings\user\Application Data\IDM
2008-05-03 19:55 . 2008-05-06 18:34 <DIR> d-------- C:\Program Files\Internet Download Manager

.
(((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-12 15:24 --------- d-----w C:\Documents and Settings\user\Application Data\DMCache
2008-05-12 08:48 2,396 ----a-w C:\WINDOWS\system32\PerfStringBackup.TMP
2008-05-12 08:36 1,895,716 ----a-w C:\rename.exe
2008-05-12 08:04 --------- d-----w C:\Program Files\eMule
2008-05-10 13:02 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-09 12:32 --------- d-----w C:\Program Files\FlashGet
2008-04-27 16:32 --------- d-----w C:\Program Files\Winamp
2008-04-26 03:42 115,256 ----a-w C:\Documents and Settings\user\Application Data\GDIPFONTCACHEV1.DAT
2008-04-06 11:36 --------- d-----w C:\Program Files\DivX
2008-03-29 13:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-29 13:54 --------- d-----w C:\Program Files\Merriam-Webster
2008-03-29 13:51 --------- d-----w C:\Program Files\7-Zip
2008-03-29 13:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-27 03:25 --------- d-----w C:\Program Files\Recuva
2008-03-23 13:58 --------- d-----w C:\Program Files\GiPo@Utilities
2008-03-23 13:58 --------- d-----w C:\Program Files\Common Files\Gibinsoft Shared
2008-02-21 02:05 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-02-21 02:05 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-02-15 15:12 206,256 ----a-w C:\WINDOWS\system32\idmmbc.dll
2007-12-10 00:41 323,616 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-10 00:41 10,016 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.

------- Sigcheck -------

2005-05-26 03:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-04-20 20:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2004-08-12 20:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2005-05-26 03:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-12-07 13:14 359808 45265cbad25c6254afafc7bdd88bdb4b C:\WINDOWS\system32\dllcache\TCPIP.SYS
2006-12-07 13:14 359808 45265cbad25c6254afafc7bdd88bdb4b C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((( snapshot@2008-05-12_16.50.53.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-12 08:44:26 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-12 15:24:15 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2007-11-24 03:58:33 52,880 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-05-12 08:48:45 52,880 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-24 03:58:33 380,658 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-12 08:48:45 380,658 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-11-24 03:58:33 62,276 ----a-w C:\WINDOWS\system32\prfc0404.dat
+ 2008-05-12 08:48:45 62,392 ----a-w C:\WINDOWS\system32\prfc0404.dat
- 2007-11-24 03:58:33 217,100 ----a-w C:\WINDOWS\system32\prfh0404.dat
+ 2008-05-12 08:48:45 217,322 ----a-w C:\WINDOWS\system32\prfh0404.dat
.
(((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*注意* 空白或合法的登錄值將不會顯示

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 20:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2006-08-11 08:10 675840]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-01-01 21:31 986112]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2007-12-21 07:08 931760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-12 20:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-12 20:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-12 20:00 455168]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-12 20:00 59392]
"SoundMan"="SOUNDMAN.EXE" [2004-09-10 18:29 77824 C:\WINDOWS\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [2004-09-15 11:20 2557952 C:\WINDOWS\ALCWZRD.EXE]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-12 21:10 339968]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"PCMService"="c:\Apps\Powercinema\PCMService.exe" [2005-05-11 13:48 127118]
"CHotkey"="C:\APPS\Chicony\chicony.bat" [2005-09-28 15:13 54]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-12 12:50 180269]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18 241664]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 21:43 188416]
"Adobe Version Cue CS2"="C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-06 16:53 856064]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-12 20:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10 271360]
"WinampAgent"="C:\Program Files\Winamp\wianmpa.exe" [ ]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 23:24 620152]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-12 20:00 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.HFYU"= huffyuv.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DeviceDiscovery"=C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R2 自動 LiveUpdate 排程器;自動 LiveUpdate 排程器;"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2006-09-10 16:14]
R3 3xHybrid;3xHybrid service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2005-05-27 12:51]
S3 ProtoWall;ProtoWall Network Service;C:\WINDOWS\system32\DRIVERS\ProtoWall.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7f5ae3e-27a3-11dc-89cf-0016764d7dae}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
.
排程工作資料夾的內容
"2008-04-14 17:00:00 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2008-04-30 17:00:00 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 23:32:05
Windows 5.1.2600 Service Pack 2 NTFS

掃描隱藏的程序...

掃描隱藏的進程...

掃描隱藏的檔案...


folder error: C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
folder error: C:\Documents and Settings\user\「開始」功能表\程式集\啟動\

掃描完成
隱藏檔案?: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\?悐 L i v e U p d a t e  zhV]
"ImagePath"="\"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe\""
.
完成時間?: 2008-05-12 23:33:27
ComboFix-quarantined-files.txt 2008-05-12 15:33:09
ComboFix2.txt 2008-05-12 08:53:53

17 個目錄 91,098,583,040 位元組可用
23 個目錄 91,081,097,216 位元組可用

194 --- E O F --- 2007-11-21 14:06:39