‹‹ 上一主題 | 下一主題 ››
發新話題
打印

好像中毒,請幫忙附hijackthis及malware及combofix的txt

出名tom

二星fun會員

Rank: 3Rank: 3
1# 發表於 2009-2-6 22:51  只看該作者

好像中毒,請幫忙附hijackthis及malware及combofix的txt

唔知有無已經清理乾淨,識做的已經做了,請大家幫忙^^

Logfile of HijackThis v1.99.1
Scan saved at 20:29:34, on 6/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\GIGABYTE\ET6\GUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [GEST] m\?
O4 - HKLM\..\Run: [EasyTuneVI] C:\Program Files\GIGABYTE\ET6\ETcall.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [GBTUpd] C:\Program Files\GIGABYTE\GBTUpd\PreRun.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: "新增至廣告橫幅防護" - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O9 - Extra button: 網頁流量防護狀態 - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233852490750
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Kaspersky Internet Security (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" -r (file missing)
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

TOP

出名tom

二星fun會員

Rank: 3Rank: 3
2# 發表於 2009-2-6 23:26  只看該作者
ComboFix 09-02-05.02 - roykwan 2009-02-06 20:32:25.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.950.886.1028.18.3326.2808 [GMT 8:00]
執行位置: c:\documents and settings\roykwan\桌面\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*
* 成功創造新還原點
.

(((((((((((((((((((((((((((((((((((((((   被刪除的檔案   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\_000111_.tmp.dll

.
(((((((((((((((((((((((((  2009-01-06 至 2009-02-06 的新的檔案  )))))))))))))))))))))))))))))))
.

2009-02-06 20:27 . 2009-02-03 16:07        251,392        --a------        C:\hijackthis_sfx.exe

.
((((((((((((((((((((((((((((((((((((((((   在三個月內被修改的檔案   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-06 12:34        24,944        ----a-w        c:\windows\system32\drivers\GVTDrv.sys
2009-02-06 12:34        16,608        ----a-w        c:\windows\gdrv.sys
2009-02-06 12:34        ---------        d-----w        c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-02-06 12:33        221,216        --sha-w        c:\windows\system32\drivers\fidbox2.dat
2009-02-06 12:33        2,884        --sha-w        c:\windows\system32\drivers\fidbox2.idx
2009-02-06 12:33        15,156        --sha-w        c:\windows\system32\drivers\fidbox.idx
2009-02-06 12:33        1,265,184        --sha-w        c:\windows\system32\drivers\fidbox.dat
2009-02-05 16:43        89,601        ----a-w        c:\windows\system32\drivers\klick.dat
2009-02-05 16:43        33,808        ----a-w        c:\windows\system32\drivers\klbg.sys
2009-02-05 16:43        101,287        ----a-w        c:\windows\system32\drivers\klin.dat
2009-02-05 16:31        ---------        d-----w        c:\program files\Kaspersky Lab
2009-02-05 16:29        1,606        ----a-w        c:\windows\system32\PerfStringBackup.TMP
2009-02-05 16:27        ---------        d--h--w        c:\program files\InstallShield Installation Information
2009-02-05 16:27        ---------        d-----w        c:\program files\GIGABYTE
2009-02-05 16:27        ---------        d-----w        c:\program files\Common Files\InstallShield
2009-02-05 16:27        ---------        d-----w        c:\documents and settings\All Users\Application Data\InstallShield
2009-02-05 16:24        ---------        d-----w        c:\program files\Realtek
2009-02-05 16:24        ---------        d-----w        c:\documents and settings\roykwan\Application Data\InstallShield
2009-02-05 16:22        319,488        ----a-w        c:\windows\HideWin.exe
2009-02-05 16:19        ---------        d-----w        c:\program files\Intel
2009-02-05 16:12        ---------        d-----w        c:\program files\Common Files\Wise Installation Wizard
2009-02-05 16:12        ---------        d-----w        c:\program files\AGEIA Technologies
2009-02-05 16:04        ---------        d-----w        c:\program files\microsoft frontpage
2009-01-07 03:28        453,152        ----a-w        c:\windows\system32\NVUNINST.EXE
2008-12-10 01:45        70,936        ----a-w        c:\windows\system32\PhysXLoader.dll
2008-12-04 01:28        24,344        ----a-w        c:\windows\system32\PhysXDevice.dll
2008-11-26 00:55        288,024        ----a-w        c:\windows\system32\PhysXCplUI.exe
2008-11-25 00:38        288,024        ----a-w        c:\windows\system32\PhysXCompatCplUI.exe
2008-11-11 12:00        218,376        ----a-w        c:\windows\system32\klogon.dll
.

(((((((((((((((((((((((((((((((((((((   重要登入點   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白與合法缺省登錄將不會被顯示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEST"="m\?" [?]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"EasyTuneVI"="c:\program files\GIGABYTE\ET6\ETcall.exe" [2007-07-26 20480]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"GBTUpd"="c:\program files\GIGABYTE\GBTUpd\PreRun.exe" [2008-04-03 297480]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-02-06 206088]
"nwiz"="nwiz.exe" [2009-01-15 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 c:\windows\RTHDCPL.exe]
"SoundMan"="SOUNDMAN.EXE" [2008-06-18 c:\windows\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [2008-06-19 c:\windows\alcwzrd.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 33808]
R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [2009-02-06 68136]
R3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [2009-02-06 24944]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-04-30 24592]
.
.
------- 而外的掃描 -------
.
uInternet Connection Wizard,ShellNext = hxxp://hk.yahoo.com/
IE: "新增至廣告橫幅防護" - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-06 20:34:41
Windows 5.1.2600 Service Pack 2 NTFS

掃描被隱藏的進程 。。。  

掃描被隱藏的啟動組 。。。

掃描被隱藏的文件 。。。  


c:\windows\system32\GVTunner.ref 4 bytes

掃描完成
被隱藏的檔案: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1715567821-1454471165-839522115-1003\Software\Microsoft\Internet Explorer\MenuExt\"*送?粻JTkjE^2?*]
@="c:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 2009\\ie_banner_deny.htm"
"Contexts"=dword:00000002
"CreatedByKIS"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CurVer]
@="BDATuner.元件.1"
.
------------------------ 其他運行進程 ------------------------
.
c:\windows\system32\conime.exe
c:\windows\system32\rundll32.exe
c:\program files\GIGABYTE\GBTUpd\RunUpd.exe
c:\program files\GIGABYTE\ET6\GUI.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
完成時間: 2009-02-06 20:35:18 - 電腦已重新啟動
ComboFix-quarantined-files.txt  2009-02-06 12:35:16

Pre-Run: 90,538,037,248 位元組可用
Post-Run: 90,630,709,248 位元組可用

WindowsXP-KB310994-SP2-Pro-BootDisk-CHT.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

134

TOP

出名tom

二星fun會員

Rank: 3Rank: 3
3# 發表於 2009-2-6 23:35  只看該作者
Malwarebytes' Anti-Malware 1.33
Database version: 1733
Windows 5.1.2600 Service Pack 2
6/2/2009 22:03:48
mbam-log-2009-02-06 (22-03-48).txt
Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|L:\|)
Objects scanned: 82121
Time elapsed: 1 hour(s), 1 minute(s), 12 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)

TOP

‹‹ 上一主題 | 下一主題 ››
發新話題