
Infected with the trojan Trojan.Win32.RaMag.a (ComboFix log attached)

Kaspersky detected that my computer is infected with the trojan Trojan.Win32.RaMag.a,
but it cannot be deleted. I hope a senior member can show me how to delete it. Thanks.
Below is the ComboFix report:

ComboFix 09-02-06.01 - user 2009-02-07 13:54:53.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.950.1.1028.18.1023.638 [GMT 8:00]
執行位置: c:\documents and settings\user\桌面\123.exe.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated)
* 成功創造新還原點
.

(((((((((((((((((((((((((((((((((((((((   被刪除的檔案   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
D:\Autorun.inf

.
(((((((((((((((((((((((((((((((((((((((   驅動/服務   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Service_6to4


(((((((((((((((((((((((((  2009-01-07 至 2009-02-07 的新的檔案  )))))))))))))))))))))))))))))))
.

2009-02-07 12:59 . 2009-02-07 12:59        107,710        -r-hs----        c:\windows\system32\kacsde.exe
2009-02-07 12:59 . 2009-02-07 13:57        81,408        -r-hs----        c:\windows\system32\godert0.dll
2009-02-07 12:58 . 2009-02-07 13:57        129,536        -r-hs----        c:\windows\system32\lhgjyit0.dll
2009-02-07 12:58 . 2009-02-07 00:17        105,352        -r-hs----        c:\windows\system32\uret463.exe
2009-02-07 12:58 . 2009-02-07 00:17        105,352        -r-hs----        C:\6vu680.com
2009-02-06 19:35 . 2009-02-06 19:35        0        --a------        c:\windows\nsreg.dat
2009-02-06 19:34 . 2009-02-06 23:26        <DIR>        d--------        c:\program files\Cheat Engine
2009-02-06 19:34 . 2007-12-26 17:30        1,970,176        --a------        c:\windows\system32\d3dx9.dll
2009-02-06 19:34 . 2007-12-26 17:30        679,936        --a------        c:\windows\system32\D3DX81ab.dll
2009-02-06 09:03 . 2009-02-06 09:04        <DIR>        d--------        c:\documents and settings\user\Application Data\Media Player Classic
2009-02-06 08:53 . 2009-02-06 08:53        <DIR>        d--------        c:\program files\MKVtoolnix
2009-02-06 00:04 . 2009-02-05 16:19        934        --a------        c:\windows\system32\$winnt$.inf
2009-02-05 22:22 . 2009-02-05 22:22        <DIR>        d--------        c:\program files\Kaspersky Lab
2009-02-05 22:22 . 2009-02-07 08:32        <DIR>        d--------        c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-02-05 22:04 . 2009-02-05 22:06        <DIR>        d--------        c:\program files\Autoinstall
2009-02-05 21:56 . 2009-02-05 21:58        <DIR>        d--------        c:\program files\Unlocker
2009-02-05 21:56 . 2009-02-05 21:56        <DIR>        d--------        c:\documents and settings\user\Application Data\Desktopicon
2009-02-05 21:01 . 2009-02-05 21:01        <DIR>        d--------        c:\program files\Google
2009-02-05 21:00 . 2009-02-06 07:53        <DIR>        d--------        c:\program files\BitComet
2009-02-05 20:30 . 2009-02-07 13:57        <DIR>        d--------        c:\documents and settings\user\Tracing
2009-02-05 20:26 . 2009-02-05 20:26        <DIR>        d--------        c:\program files\Microsoft
2009-02-05 20:25 . 2009-02-05 20:25        <DIR>        d--------        c:\program files\Windows Live SkyDrive
2009-02-05 20:25 . 2009-02-05 20:25        <DIR>        d--------        c:\program files\Windows Live
2009-02-05 20:16 . 2009-02-05 20:16        <DIR>        d--------        c:\program files\Common Files\Windows Live
2009-02-05 20:04 . 2009-02-05 20:04        <DIR>        d--------        c:\program files\K-Lite Codec Pack
2009-02-05 19:17 . 2009-02-05 19:17        <DIR>        d---s----        c:\documents and settings\user\UserData
2009-02-05 17:57 . 2009-02-05 17:57        <DIR>        d--------        c:\program files\NETVIGATOR
2009-02-05 17:55 . 2009-02-05 17:55        <DIR>        d--------        c:\program files\TP-LINK
2009-02-05 17:53 . 2009-02-05 17:53        <DIR>        d--------        c:\documents and settings\All Users\Application Data\ESET
2009-02-05 17:23 . 2009-02-05 17:23        <DIR>        d--------        c:\documents and settings\user\Application Data\ATI
2009-02-05 17:23 . 2009-02-05 17:23        <DIR>        d--------        c:\documents and settings\All Users\Application Data\ATI
2009-02-05 17:19 . 2009-02-05 17:19        <DIR>        d--------        c:\program files\Common Files\ATI Technologies
2009-02-05 17:16 . 2009-02-05 17:21        <DIR>        d--------        c:\program files\ATI Technologies
2009-02-05 17:11 . 2009-02-05 17:11        <DIR>        d--------        c:\program files\Realtek
2009-02-05 17:11 . 2009-02-05 17:55        <DIR>        d--h-----        c:\program files\InstallShield Installation Information
2009-02-05 17:11 . 2009-02-05 17:19        <DIR>        d--------        c:\program files\Common Files\InstallShield

.
((((((((((((((((((((((((((((((((((((((((   在三個月內被修改的檔案   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-07 05:56        602,144        --sha-w        c:\windows\system32\drivers\fidbox.dat
2009-02-07 05:56        6,832        --sha-w        c:\windows\system32\drivers\fidbox.idx
2009-02-07 05:56        180,256        --sha-w        c:\windows\system32\drivers\fidbox2.dat
2009-02-07 05:56        1,696        --sha-w        c:\windows\system32\drivers\fidbox2.idx
2009-02-05 15:01        89,601        ----a-w        c:\windows\system32\drivers\klick.dat
2009-02-05 15:01        33,808        ----a-w        c:\windows\system32\drivers\klbg.sys
2009-02-05 15:01        101,287        ----a-w        c:\windows\system32\drivers\klin.dat
2009-02-05 14:25        4,224        ----a-w        c:\windows\system32\drivers\beep.sys
2009-02-05 09:59        25,088        ----a-w        c:\windows\system32\QCKEY32.DLL
2009-02-05 09:11        315,392        ----a-w        c:\windows\HideWin.exe
2009-02-05 08:16        ---------        d-----w        c:\program files\microsoft frontpage
2008-12-02 14:37        49,480        ----a-w        c:\windows\system32\sirenacm.dll
2008-11-11 12:00        218,376        ----a-w        c:\windows\system32\klogon.dll
.

(((((((((((((((((((((((((((((((((((((   重要登入點   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

*注意* 空白與合法缺省登錄將不會被顯示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-12 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-02 3882312]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.911.3380\GoogleToolbarNotifier.exe" [2009-02-05 162744]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-11 1667584]
"dorfgwe"="c:\windows\system32\uret463.exe" [2009-02-07 105352]
"anhtaaa"="c:\windows\system32\kacsde.exe" [2009-02-07 107710]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-12 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"RTHDCPL"="RTHDCPL.EXE" [2007-12-20 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-12 15360]

c:\documents and settings\All Users\「開始」功能表\程式集\啟動\TP-LINK
TL-WN322G Wireless Utility.lnk - c:\program files\TP-LINK\TL-WN322G Wireless Utility\ZDWlan.exe [2009-02-05 491520]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26072:TCP"= 26072:TCP:BitComet 26072 TCP
"26072:UDP"= 26072:UDP:BitComet 26072 UDP

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 33808]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2009-02-05 89600]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-04-30 24592]
R3 ZD1211BU(TP-LINK);TL-WN322G/WN322G+ Wireless USB Adapter Driver(TP-LINK);c:\windows\system32\drivers\ZD1211BU.sys [2009-02-05 500736]
S3 AVPsys;AVPsys;c:\windows\system32\drivers\cdaudio.sys [2001-08-17 18688]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a98d471-f4bf-11dd-9079-001d0fae7511}]
\Shell\AutoRun\command - F:\6vu680.com
\Shell\open\Command - F:\6vu680.com
.
.
------- 而外的掃描 -------
.
uStart Page = hxxp://www.yahoo.com.hk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
TCP: {F32E1396-852F-4B03-9DEB-7FC2287FE0DE} = 218.102.62.71 203.198.23.208
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\mn7u6rp9.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-07 13:57:33
Windows 5.1.2600 Service Pack 2 NTFS

掃描被隱藏的進程 。。。  

掃描被隱藏的啟動組 。。。

掃描被隱藏的文件 。。。  

掃描完成
被隱藏的檔案: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CurVer]
@="BDATuner.元件.1"
.
--------------------- 運行進程下的動態鏈接庫 ---------------------

- - - - - - - > 'winlogon.exe'(1300)
c:\windows\system32\Ati2evxx.dll
.
------------------------ 其他運行進程 ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
c:\windows\system32\conime.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
完成時間: 2009-02-07 13:58:43 - 電腦已重新啟動
ComboFix-quarantined-files.txt  2009-02-07 05:58:41

Pre-Run: 147,222,343,680 位元組可用
Post-Run: 148,288,233,472 位元組可用

WindowsXP-KB310994-SP2-Pro-BootDisk-CHT.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
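An added example, not from this thread and not ComboFix's own code: a small Python triage script that reads a ComboFix report and pulls out the three indicators that stand out in the log above. It flags newly created executables whose attribute string carries both the hidden (h) and system (s) bits, cross-references the `Run` keys against those files, and lists the `MountPoints2` `\Shell\AutoRun\command` entries that hijack a drive's double-click. The embedded sample is an excerpt copied from the posted log; the line formats are assumed from this ComboFix 09-02-06 output (other versions may differ), and `triage`, `Findings` and `autorun_targets_matching_hidden` are names chosen here.

```python
import re
import ntpath
from dataclasses import dataclass, field

# Excerpt constructed from lines of the ComboFix report posted above:
# the "new files" section, one Run key, and the MountPoints2 key.
SAMPLE_LOG = r"""
2009-02-07 12:59 . 2009-02-07 12:59        107,710        -r-hs----        c:\windows\system32\kacsde.exe
2009-02-07 12:59 . 2009-02-07 13:57        81,408        -r-hs----        c:\windows\system32\godert0.dll
2009-02-07 12:58 . 2009-02-07 13:57        129,536        -r-hs----        c:\windows\system32\lhgjyit0.dll
2009-02-07 12:58 . 2009-02-07 00:17        105,352        -r-hs----        c:\windows\system32\uret463.exe
2009-02-07 12:58 . 2009-02-07 00:17        105,352        -r-hs----        C:\6vu680.com
2009-02-06 19:35 . 2009-02-06 19:35        0        --a------        c:\windows\nsreg.dat
2009-02-06 19:34 . 2009-02-06 23:26        <DIR>        d--------        c:\program files\Cheat Engine
2009-02-06 19:34 . 2007-12-26 17:30        1,970,176        --a------        c:\windows\system32\d3dx9.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-12 15360]
"dorfgwe"="c:\windows\system32\uret463.exe" [2009-02-07 105352]
"anhtaaa"="c:\windows\system32\kacsde.exe" [2009-02-07 107710]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a98d471-f4bf-11dd-9079-001d0fae7511}]
\Shell\AutoRun\command - F:\6vu680.com
\Shell\open\Command - F:\6vu680.com
"""

# "new files" line (assumed format): created . modified  size|<DIR>  attrs  path
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>\S.*?)\s*$"
)
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")          # REGEDIT4 key header
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[')  # "name"="target" [date size]
AUTORUN_RE = re.compile(
    r"^\\shell\\(?P<verb>autorun|open)\\command - (?P<target>.+?)\s*$", re.I
)
EXEC_EXT = (".exe", ".dll", ".com", ".scr", ".pif", ".bat")


@dataclass
class Findings:
    hidden_system_files: list = field(default_factory=list)       # new h+s executables
    run_entries_to_hidden_files: list = field(default_factory=list)  # (name, target) pairs
    drive_autorun_commands: list = field(default_factory=list)   # (verb, target) pairs


def is_hidden_system_file(attrs):
    # Attribute string: d=directory, r=read-only, a=archive, h=hidden, s=system.
    # A freshly dropped executable that is both hidden and system is the
    # pattern every flagged file in the posted log shares; installers rarely do it.
    return attrs[0] != "d" and "h" in attrs and "s" in attrs


def triage(log_text):
    f = Findings()
    run_entries = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            path = m.group("path")
            if is_hidden_system_file(m.group("attrs")) and path.lower().endswith(EXEC_EXT):
                f.hidden_system_files.append(path)
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key").lower()   # remember which key the values belong to
            continue
        m = RUN_RE.match(line)
        if m and current_key.endswith("\\run"):
            run_entries.append((m.group("name"), m.group("path")))
            continue
        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in current_key:
            f.drive_autorun_commands.append((m.group("verb").lower(), m.group("target")))
    # Persistence check: which Run values launch one of the hidden/system drops?
    hidden = {p.lower() for p in f.hidden_system_files}
    f.run_entries_to_hidden_files = [(n, p) for n, p in run_entries if p.lower() in hidden]
    return f


def autorun_targets_matching_hidden(f):
    # The removable-drive autorun target usually carries the same file name as
    # the copy dropped on the fixed drives (6vu680.com here); match on basename.
    names = {ntpath.basename(p).lower() for p in f.hidden_system_files}
    return sorted({t for _, t in f.drive_autorun_commands if ntpath.basename(t).lower() in names})


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print("hidden+system new executables:", found.hidden_system_files)
    print("Run values pointing at them:", found.run_entries_to_hidden_files)
    print("MountPoints2 autorun commands:", found.drive_autorun_commands)
    print("autorun targets matching a dropped file:", autorun_targets_matching_hidden(found))
```

Run it against a saved `ComboFix.txt` by passing the file's text to `triage()`; the three lists together give the file names, the `Run` value names and the `MountPoints2` GUID you need for the clean-up steps further down the thread, and an empty result on a post-clean log is a quick way to confirm nothing came back.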

Script Name: KavoAutoRunKill.USPT
Author: uhthn2002
This script will remove the Kavo Trojan.Autorun files.


刪除檔案
[#]成功 C:\6vu680.com
[#]成功 D:\6vu680.com
[#]成功 C:\autorun.inf
[#]成功 D:\autorun.inf
[#]成功 C:\WINDOWS\system32\uret463.exe
[#]成功 C:\WINDOWS\system32\kacsde.exe
[#]成功 C:\WINDOWS\system32\lhgjyit0.dll
[#]成功 C:\WINDOWS\system32\godert0.dll
[#]成功 C:\WINDOWS\Prefetch\SNDVOL32.EXE-383480B7.pf


流動功能
[#]成功 刪除臨時文件 -> SysTmp
[#]成功 刪除臨時文件 -> InternetTmp
[#]成功 刪除臨時文件 -> RecycleBin

Remove Uanish

Step: Registry Delete

  • Open Notepad and paste the following content:
    REGEDIT4
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a98d471-f4bf-11dd-9079-001d0fae7511}]


  • Save ---> Save as type ---> All Files --> enter the file name FIX.reg, then run FIX.reg


Scan the system with Kaspersky and see whether there are still any problems.

After the scan, how do I check whether it is still there??
The detection is still showing, so how do I check? Thanks.

After scanning, the detected virus still shows up.
Has it all been cleared? Thanks.

Step: Re-Enable System-Restore

  • Start --> Control Panel --> System --> System Restore --> tick the "Turn off System Restore on all drives" box ---> Apply
    If it asks to restart, allow it to restart, then untick the "Turn off System Restore on all drives" box --> OK


After that there should be no more problems.

Thanks. After following the steps I scanned again,
and the detected trojan is still there. Is that normal??

Clear the records and scan again. The most important thing is to watch whether the Kaspersky monitor still pops up a trojan alert, whether C:\ won't open, and so on.
