Infected with an adware virus (HijackThis log attached)

I have already scanned and cleaned once with SUPERAntiSpyware and Malwarebytes' Anti-Malware,
but web pages still pop up from time to time, and sites with garbled names keep getting added to my Favourites on their own.
HijackThis log attached:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:54:40, on 26/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O4 - HKLM\..\Run: [zxexe.exe] C:\WINDOWS\system32\zxexe.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [Yahoo! Pager]  -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [qq] C:\DOCUME~1\MS-14S\LOCALS~1\Temp\374011
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &使用BitComet下載本頁視頻 - res://C:\DOCUME~1\MS-14S\LOCALS~1\Temp\Rar$EX00.609\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Foxy 下載 - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy 搜尋 - res://C:\Program Files\Foxy\Foxy.exe/search.htm
O8 - Extra context menu item: 使用 FlashGet 下載 - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用BitComet下載全部鏈接 - res://C:\DOCUME~1\MS-14S\LOCALS~1\Temp\Rar$EX00.609\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: 使用BitComet下載鏈接(&B) - res://C:\DOCUME~1\MS-14S\LOCALS~1\Temp\Rar$EX00.609\BitComet.exe/AddLink.htm
O8 - Extra context menu item: 使用迅雷下載  - C:\Documents and Settings\MS-14S\桌面\迅雷\Thunder 4.5.2.38\geturl.htm
O8 - Extra context menu item: 使用迅雷下載全部連結  - C:\Documents and Settings\MS-14S\桌面\迅雷\Thunder 4.5.2.38\getAllurl.htm
O8 - Extra context menu item: 全部使用 FlashGet 下載 - C:\PROGRA~1\FlashGet\jc_all.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmestw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmestw.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.line6.net
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - AppInit_DLLs: bokphelm.dll,ngihnhbf.dll,lodjneif.dll,oacenpdm.dll,mhjpgenp.dll,gdbklddj.dll,gbdnpali.dll,pnbndcmf.dll,mmpjnodd.dll,hkeagkkb.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: 702171BF - {702171BF-1218-4546-B4A7-EFA5E1897651} - C:\WINDOWS\system32\ngihnhbf.dll
O21 - SSODL: 669378DD - {669378DD-DAA5-416E-A3A9-77F395BF1A8F} - C:\WINDOWS\system32\mmpjnodd.dll
O21 - SSODL: 14EA044B - {14EA044B-02C1-41FE-8CC1-4970B3678E09} - C:\WINDOWS\system32\hkeagkkb.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
--
End of file - 5636 bytes


1. Turn off System Restore, then run the HijackThis shortcut.
2. Click "Do a system scan only" and wait until the "Scan" button changes to "Save log".
3. Tick the following items (the checkbox on the left), close every window other than HijackThis.exe, and click "Fix checked". If HijackThis prompts you to restart after this step, restart the computer.

O4 - HKLM\..\Run: [zxexe.exe] C:\WINDOWS\system32\zxexe.exe
O4 - HKLM\..\Policies\Explorer\Run: [qq] C:\DOCUME~1\MS-14S\LOCALS~1\Temp\374011
O21 - SSODL: 702171BF - {702171BF-1218-4546-B4A7-EFA5E1897651} - C:\WINDOWS\system32\ngihnhbf.dll
O21 - SSODL: 669378DD - {669378DD-DAA5-416E-A3A9-77F395BF1A8F} - C:\WINDOWS\system32\mmpjnodd.dll
O21 - SSODL: 14EA044B - {14EA044B-02C1-41FE-8CC1-4970B3678E09} - C:\WINDOWS\system32\hkeagkkb.dll

Download ATF-Cleaner
http://www.atribune.org/

Run ATF-Cleaner.exe
Tick everything and click Empty Selected.

Download ComboFix to the Desktop

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Step: CFScript

    * Open Notepad and paste the following:

KILLALL::

File::
C:\WINDOWS\system32\zxexe.exe
C:\WINDOWS\system32\bokphelm.dll
C:\WINDOWS\system32\ngihnhbf.dll
C:\WINDOWS\system32\lodjneif.dll
C:\WINDOWS\system32\oacenpdm.dll
C:\WINDOWS\system32\mhjpgenp.dll
C:\WINDOWS\system32\gdbklddj.dll
C:\WINDOWS\system32\gbdnpali.dll
C:\WINDOWS\system32\pnbndcmf.dll
C:\WINDOWS\system32\mmpjnodd.dll
C:\WINDOWS\system32\hkeagkkb.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
"AppInit_DLLs"=""

Save ---> Save as type ---> All Files ---> enter the file name CFScript.txt
Drag CFScript.txt onto ComboFix.exe

    * ComboFix will run
    * When it finishes there will be a report at C:\ComboFix.txt.

Step: Report Back

    * Paste the following report
    * If the report is too long, you can upload it here: http://www.box.net

    * ComboFix scan report {C:\ComboFix.txt}

Note: to stop security software from wrongly flagging ComboFix as a dangerous file, temporarily disable your antivirus and anti-spyware software before running ComboFix. Also, do not run any programs or click inside the ComboFix window while it is working.
A ComboFix scan should not normally take more than 20 minutes, including the restart and malware detection.
If the scan runs past 20 minutes, open Windows Task Manager (press Ctrl, Alt and Del together) and end every findstr, find, SED or swreg process; ComboFix should then continue.
If that happens, please report which processes you ended.

Please attach:
a fresh HijackThis scan log
the computer's current status
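The fix list above is built by reading the O4, O20 and O21 lines of the log by hand. As an added example (editor's code, not part of the thread and not HijackThis or ComboFix logic), the following Python script applies the same reading to the lines of the first log: a Run entry pointing into Temp or at an extension-less file, an unknown binary autostarting from system32, a non-empty AppInit_DLLs list, and SSODL entries named after their own CLSID prefix or sharing a DLL with AppInit_DLLs. The allowlist SYSTEM32_EXPECTED and the flagging rules are assumptions chosen for this example; SAMPLE_LOG is copied from the first log posted in the thread.

```python
"""Triage a HijackThis v2.x log for the autostart entries this thread turns on.

Editor's added example, not part of the thread and not HijackThis/ComboFix code.
SAMPLE_LOG is copied from the first log in the thread; the flagging rules and
SYSTEM32_EXPECTED are the editor's assumptions, not vendor logic.
"""
import os
import re

RE_O4 = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
RE_O20 = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
RE_O21 = re.compile(r"^O21 - SSODL: (?P<name>\S+) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# A quoted image path, or an unquoted one ending in an executable extension.
RE_IMAGE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.*?\.(?:exe|dll|com|scr|pif|bat|cmd))(?:\s|$)', re.I)
# Binaries expected to autostart from system32 on XP (assumption; extend as needed).
SYSTEM32_EXPECTED = {"ctfmon.exe"}

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [zxexe.exe] C:\WINDOWS\system32\zxexe.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [Yahoo! Pager]  -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [qq] C:\DOCUME~1\MS-14S\LOCALS~1\Temp\374011
O20 - AppInit_DLLs: bokphelm.dll,ngihnhbf.dll,lodjneif.dll,oacenpdm.dll,mhjpgenp.dll,gdbklddj.dll,gbdnpali.dll,pnbndcmf.dll,mmpjnodd.dll,hkeagkkb.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: 702171BF - {702171BF-1218-4546-B4A7-EFA5E1897651} - C:\WINDOWS\system32\ngihnhbf.dll
O21 - SSODL: 669378DD - {669378DD-DAA5-416E-A3A9-77F395BF1A8F} - C:\WINDOWS\system32\mmpjnodd.dll
O21 - SSODL: 14EA044B - {14EA044B-02C1-41FE-8CC1-4970B3678E09} - C:\WINDOWS\system32\hkeagkkb.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
"""


def image_path(cmd):
    """Return the image path from an O4 command line, with arguments stripped."""
    m = RE_IMAGE.match(cmd)
    if m:
        return m.group("q") or m.group("u")
    return cmd.strip()


def basename(path):
    return os.path.basename(path.replace("\\", "/")).lower()


def triage_o4(hive, name, cmd):
    """Flag Run-key entries by where they point, not by what they are called."""
    path = image_path(cmd)
    low = path.lower()
    reasons = []
    if "\\" not in low:
        reasons.append("no image path (orphaned entry; ComboFix marks these [X])")
    else:
        if "\\temp\\" in low:
            reasons.append("image lives in a Temp directory")
        if not re.search(r"\.[a-z0-9]{1,4}$", low):
            reasons.append("image has no file extension")
        if low.startswith(("c:\\windows\\system32\\", "c:\\windows\\system\\")) \
                and basename(low) not in SYSTEM32_EXPECTED:
            reasons.append("unexpected binary autostarting from system32")
    if "policies\\explorer\\run" in hive.lower():
        reasons.append("Policies\\Explorer\\Run key, rarely used by legitimate software")
    return {"section": "O4", "item": name, "path": path, "reasons": reasons} if reasons else None


def triage_o20(dlls):
    """Any DLL in AppInit_DLLs is loaded into every process that maps user32.dll."""
    names = [d.strip() for d in dlls.split(",") if d.strip()]
    if not names:
        return None
    return {"section": "O20", "item": "AppInit_DLLs", "path": names,
            "reasons": ["%d DLL(s) injected into every user32-linked process" % len(names)]}


def triage_o21(name, clsid, path, appinit=frozenset()):
    """SSODL DLLs load into Explorer at logon; two tells visible in this thread's log."""
    reasons = []
    if name.upper() == clsid[:8].upper():
        reasons.append("entry named after its own CLSID prefix (auto-generated name)")
    if basename(path) in appinit:
        reasons.append("same DLL is also listed in AppInit_DLLs")
    return {"section": "O21", "item": name, "path": path, "reasons": reasons} if reasons else None


def triage_log(text):
    """Return findings; O21 DLLs are cross-referenced against the AppInit_DLLs list."""
    lines = [ln.strip() for ln in text.splitlines()]
    appinit = set()
    for ln in lines:                      # first pass: collect the injected DLL names
        m = RE_O20.match(ln)
        if m:
            appinit.update(basename(d.strip()) for d in m["dlls"].split(",") if d.strip())
    findings = []
    for ln in lines:                      # second pass: score each section line
        for rx, fn in ((RE_O4, lambda m: triage_o4(m["hive"], m["name"], m["cmd"])),
                       (RE_O20, lambda m: triage_o20(m["dlls"])),
                       (RE_O21, lambda m: triage_o21(m["name"], m["clsid"], m["path"], appinit))):
            m = rx.match(ln)
            if m:
                f = fn(m)
                if f:
                    findings.append(f)
                break
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f["section"], f["item"], f["path"])
        for r in f["reasons"]:
            print("   -", r)
```

On the first log this flags exactly the five lines in the fix list above plus the orphaned "Yahoo! Pager" entry, and leaves the AntiVir, ctfmon and Messenger entries alone; the AppInit_DLLs cross-reference is what ties the three SSODL DLLs to the ten injected ones before any file is looked at.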


After following the steps above, I ran HijackThis again; here is the report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:21:44, on 27/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKCU\..\Run: [Yahoo! Pager]  -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [qq] C:\DOCUME~1\MS-14S\LOCALS~1\Temp\374011
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &使用BitComet下載本頁視頻 - res://C:\DOCUME~1\MS-14S\LOCALS~1\Temp\Rar$EX00.609\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Foxy 下載 - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy 搜尋 - res://C:\Program Files\Foxy\Foxy.exe/search.htm
O8 - Extra context menu item: 使用 FlashGet 下載 - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用BitComet下載全部鏈接 - res://C:\DOCUME~1\MS-14S\LOCALS~1\Temp\Rar$EX00.609\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: 使用BitComet下載鏈接(&B) - res://C:\DOCUME~1\MS-14S\LOCALS~1\Temp\Rar$EX00.609\BitComet.exe/AddLink.htm
O8 - Extra context menu item: 使用迅雷下載  - C:\Documents and Settings\MS-14S\桌面\迅雷\Thunder 4.5.2.38\geturl.htm
O8 - Extra context menu item: 使用迅雷下載全部連結  - C:\Documents and Settings\MS-14S\桌面\迅雷\Thunder 4.5.2.38\getAllurl.htm
O8 - Extra context menu item: 全部使用 FlashGet 下載 - C:\PROGRA~1\FlashGet\jc_all.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmestw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmestw.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.line6.net
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/bi ... Client.cab56907.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 4707 bytes


I went to look at my Favourites: the garbled-name pages that were deleted have come back, and my Yahoo home page is still not normal.
I went back into Internet Options and checked Security > Local intranet > Sites > Advanced,
and there is a site *.127.0.0.1 listed. I click Remove, but when I open it again it is still there; no matter what I do I can't remove it.
I suspect this has something to do with it.


Forgot to paste the ComboFix report as well, sorry

ComboFix 09-02-26.02 - MS-14S 2009-02-27  9:41:51.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.950.1.1028.18.247.72 [GMT 8:00]
Running from: c:\documents and settings\MS-14S\桌面\ComboFix.exe
Command switches used :: c:\documents and settings\MS-14S\桌面\CFScript.txt
AV: AntiVir PersonalEdition Classic *On-access scanning enabled* (Outdated)
AV: Panda Titanium Antivirus 2004 *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\bokphelm.dll
c:\windows\system32\gbdnpali.dll
c:\windows\system32\gdbklddj.dll
c:\windows\system32\hkeagkkb.dll
c:\windows\system32\lodjneif.dll
c:\windows\system32\mhjpgenp.dll
c:\windows\system32\mmpjnodd.dll
c:\windows\system32\ngihnhbf.dll
c:\windows\system32\oacenpdm.dll
c:\windows\system32\pnbndcmf.dll
c:\windows\system32\zxexe.exe
.

(((((((((((((((((((((((((((((((((((((((   Files deleted   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Media Player\obj\wmpobj.sys
c:\documents and settings\All Users\Application Data\microsoft\office\system
c:\documents and settings\MS-14S\Favorites\梑善123厙硊絳瑤.url
c:\documents and settings\MS-14S\Local Settings\Temporary Internet Files\__fdkfjfjgjitijk
c:\documents and settings\MS-14S\Local Settings\Temporary Internet Files\_inifid
c:\documents and settings\MS-14S\Local Settings\Temporary Internet Files\_inifiletime3
c:\documents and settings\MS-14S\Local Settings\Temporary Internet Files\_inimac
c:\documents and settings\MS-14S\Local Settings\Temporary Internet Files\_KC
c:\documents and settings\MS-14S\Local Settings\Temporary Internet Files\_KC\2002
c:\documents and settings\MS-14S\Local Settings\Temporary Internet Files\_KC\2003
c:\documents and settings\MS-14S\Local Settings\Temporary Internet Files\_KC\3019
c:\documents and settings\MS-14S\Local Settings\Temporary Internet Files\_KC\3020
c:\documents and settings\MS-14S\Local Settings\Temporary Internet Files\_KC\3025
c:\documents and settings\MS-14S\Local Settings\Temporary Internet Files\_KC\3027
c:\documents and settings\MS-14S\Local Settings\Temporary Internet Files\_KC\3033
c:\documents and settings\MS-14S\Local Settings\Temporary Internet Files\_KC\3038
c:\documents and settings\MS-14S\Local Settings\Temporary Internet Files\_KC\3052
c:\documents and settings\MS-14S\Local Settings\Temporary Internet Files\_KC\3054
c:\documents and settings\MS-14S\Local Settings\Temporary Internet Files\_KC\3064
c:\documents and settings\MS-14S\Local Settings\Temporary Internet Files\_KC\3077
c:\documents and settings\MS-14S\Local Settings\Temporary Internet Files\_KC\3082
c:\documents and settings\MS-14S\Local Settings\Temporary Internet Files\_KC\3089
c:\documents and settings\MS-14S\Local Settings\Temporary Internet Files\_kdacoptfg
c:\program files\INSTALL.LOG
c:\program files\Microsoft Office\SYSTEM\sysbar.exe
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\pp.exe
c:\windows\system32\201476D0.cfg
c:\windows\system32\4FBFD5A4.cfg
c:\windows\system32\A1A6BC2E.cfg
c:\windows\system32\AdCache
c:\windows\system32\ccsxhe.exe
c:\windows\system32\D9C002DD.cfg
c:\windows\system32\DA63E650.cfg
c:\windows\system32\datkkq32.dll
c:\windows\system32\deoouw.exe
c:\windows\system32\DFB3DAC5.cfg
c:\windows\system32\dopdy.dll
c:\windows\system32\eiqwrb.exe
c:\windows\system32\F65BDEC7.cfg
c:\windows\system32\fuqqwj.exe
c:\windows\system32\fxcfhm.exe
c:\windows\system32\gjxkic.exe
c:\windows\system32\hkeagkkb.dll
c:\windows\system32\iezuji.exe
c:\windows\system32\ipajgs.exe
c:\windows\system32\itdfxd.exe
c:\windows\system32\ivthdj.exe
c:\windows\system32\ixtbgm.exe
c:\windows\system32\jbopge.exe
c:\windows\system32\lfybdl.exe
c:\windows\system32\lohrrh.exe
c:\windows\system32\mmpjnodd.dll
c:\windows\system32\nefysf.exe
c:\windows\system32\ngihnhbf.dll
c:\windows\system32\nyvuvf.exe
c:\windows\system32\oyauvl.exe
c:\windows\system32\puibmd.exe
c:\windows\system32\r05029.exe
c:\windows\system32\sadfasdf.jpg
c:\windows\system32\sadujm.exe
c:\windows\system32\sh05029.dll
c:\windows\system32\sh05029.ini
c:\windows\system32\srbijb.exe
c:\windows\system32\tbodnj.exe
c:\windows\system32\tltcon.exe
c:\windows\system32\tofviw.exe
c:\windows\system32\uormzy.exe
c:\windows\system32\vvjqwu.exe
c:\windows\system32\vyvjky.exe
c:\windows\system32\yfbooq.exe
c:\windows\system32\zxexe.exe

c:\windows\system32\userinit.exe was found infected and was successfully disinfected
Original file restored from - c:\windows\ServicePackFiles\i386\userinit.exe


(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KISSTUSB
-------\Legacy_WMPOBJ
-------\Service_wmpobj


(((((((((((((((((((((((((  Files created from 2009-01-27 to 2009-02-27  )))))))))))))))))))))))))))))))
.

2009-02-26 11:38 . 2009-02-26 11:38        <DIR>        d--------        c:\program files\Malwarebytes' Anti-Malware
2009-02-26 11:38 . 2009-02-11 10:19        38,496        --a------        c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-26 11:38 . 2009-02-11 10:19        15,504        --a------        c:\windows\system32\drivers\mbam.sys
2009-02-26 10:59 . 2009-02-26 10:59        <DIR>        d--------        c:\documents and settings\MS-14S\Application Data\Malwarebytes
2009-02-26 10:59 . 2009-02-26 10:59        <DIR>        d--------        c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-26 06:32 . 2009-02-26 06:32        <DIR>        d--------        c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-26 06:31 . 2009-02-26 06:32        <DIR>        d--------        c:\program files\SUPERAntiSpyware
2009-02-26 06:31 . 2009-02-26 06:31        <DIR>        d--------        c:\program files\Common Files\Wise Installation Wizard
2009-02-26 06:31 . 2009-02-26 06:31        <DIR>        d--------        c:\documents and settings\MS-14S\Application Data\SUPERAntiSpyware.com
2009-02-25 09:37 . 2009-02-25 09:37        <DIR>        d--------        c:\program files\Trend Micro
2009-02-25 09:24 . 2009-02-25 09:24        <DIR>        d--------        C:\_OTMoveIt
2009-02-25 09:00 . 2009-02-25 09:00        212        --ahs----        c:\windows\system32\704C3595.cfg
2009-02-25 08:58 . 2009-02-25 08:58        244        --ahs----        c:\windows\system32\16BC0F81.cfg
2009-02-25 08:55 . 2009-02-25 08:55        252        --ahs----        c:\windows\system32\0306438F.cfg
2009-02-24 15:24 . 2009-02-24 15:24        300        --ahs----        c:\windows\system32\1957817A.cfg
2009-02-24 15:24 . 2009-02-24 15:24        232        --ahs----        c:\windows\system32\198FF3D8.cfg

.
((((((((((((((((((((((((((((((((((((((((   Files modified in the last three months   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-26 00:09        ---------        d-----w        c:\program files\AVPersonal
2009-02-25 01:36        ---------        d-----w        c:\program files\FlashGet
2004-08-04 06:29        94,208        ----a-w        c:\program files\mozilla firefox\components\BrandRes.dll
2004-08-04 06:29        150,912        ----a-w        c:\program files\mozilla firefox\components\fullsoft.dll
2004-08-04 06:28        53,349        ----a-w        c:\program files\mozilla firefox\components\jar50.dll
2004-08-04 06:29        61,535        ----a-w        c:\program files\mozilla firefox\components\jsd3250.dll
2004-08-04 06:29        24,685        ----a-w        c:\program files\mozilla firefox\components\qfaservices.dll
2004-08-04 06:28        168,039        ----a-w        c:\program files\mozilla firefox\components\xpinstal.dll
2004-10-20 16:51        56        --sh--r        c:\windows\system32\8B16DDDAA1.sys
2004-10-20 16:51        1,682        --sha-w        c:\windows\system32\KGyGaAvL.sys
2008-08-27 20:14        32,768        --sha-w        c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082820080829\index.dat
.

------- Sigcheck -------

2005-05-26 03:07  359936  63fdfea54eb53de2d863ee454937ce1e        c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-14 01:07  360448  5562cc0a47b2aef06d3417b733f3c195        c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 20:18  360576  b2220c618b42a2212a59d91ebd6fc4b4        c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-31 00:53  360832  64798ecfa43d78c7178375fcdd16d8c8        c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 18:44  360960  744e57c99232201ae98c49168b918f48        c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 19:51  361600  9aefa14bd6b182d61e3119fa5f436d3d        c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 19:59  361600  ad978a1b783b5719720cff204b666c8e        c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-06-20 18:45  360320  073941d59ae065910064b728dee981ee        c:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-03 23:14  359040  9f4b36614a0fc234525ba224957de55c        c:\windows\$NtUninstallKB893066$\tcpip.sys
2005-05-26 03:04  359808  a938ad950b872200851574e9ebac8535        c:\windows\$NtUninstallKB913446$\tcpip.sys
2006-01-13 10:28  359808  583e063fdc888ca30d05c2724b0d7ef4        c:\windows\$NtUninstallKB917953$\tcpip.sys
2006-04-20 19:51  359808  b4e29943b4b04bd5e7381546848e6669        c:\windows\$NtUninstallKB941644$\tcpip.sys
2007-10-31 01:20  360064  ed06c31200714e734118f9a47f5df5ce        c:\windows\$NtUninstallKB951748$\tcpip.sys
2004-08-03 23:14  359040  9f4b36614a0fc234525ba224957de55c        c:\windows\ServicePackFiles\i386\tcpip.sys
2008-04-14 03:20  361344  93ea8d04ec73a85db02eb8805988f733        c:\windows\SoftwareDistribution\Download\955997d3b16bb107db5044b5727c8498\tcpip.sys
2008-04-14 03:20  361344  93ea8d04ec73a85db02eb8805988f733        c:\windows\SoftwareDistribution\Download\ddeea2e60eea6a8aa518f17577b56d41\tcpip.sys
2008-06-20 18:45  360320  2a5554fc5b1e04e131230e3ce035c3f9        c:\windows\system32\dllcache\tcpip.sys
2008-06-20 18:45  360320  073941d59ae065910064b728dee981ee        c:\windows\system32\drivers\tcpip.sys
.
(((((((((((((((((((((((((((((((((((((   Reg loading points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="-quiet" [X]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-17 1830128]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"qq"="c:\docume~1\MS-14S\LOCALS~1\Temp\374011" [X]

c:\documents and settings\All Users\「開始」功能表\程式集\啟動\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders        msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTIVBOARD]
--a------ 2001-05-03 18:41 159744 c:\apps\ActivBoard\MMKeybd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 17:05 81920 c:\program files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mirabilis ICQ]
--a------ 2003-10-15 00:36 38984 c:\progra~1\ICQ\ICQNet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:55 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MULTIMEDIA KEYBOARD]
--------- 2003-09-30 07:09 425984 c:\program files\Netropa\Multimedia Keyboard\MMKeybd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-08-29 02:47 77824 c:\program files\QuickTime\qttask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\WinMX\\WinMX.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Documents and Settings\\MS-14S\\桌面\\aoc2\\empires2_x1.exe"=
"c:\\Gamania\\GetAmped\\jre\\1.3.1\\bin\\javaw.exe"=
"c:\\Documents and Settings\\MS-14S\\桌面\\aoc2\\age2_x1\\age2_x1.exe"=
"c:\\Documents and Settings\\MS-14S\\桌面\\Foxy.exe"=
"c:\\Program Files\\Foxy\\Foxy.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Documents and Settings\\MS-14S\\桌面\\aoc2\\EMPIRES2.EXE"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\ABC\\abc.exe"=
"c:\\Gamania\\GetAmped\\amped.exe"=
"c:\\Program Files\\ICQ\\Icq.exe"=
"c:\\Program Files\\Common Files\\Synacast\\SynaLive\\PE.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\MSN Gaming Zone\\zclient.exe"=
"c:\\Documents and Settings\\MS-14S\\桌面\\迅雷\\Thunder 4.5.2.38\\Thunder.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5107:TCP"= 5107:TCP:*isabled:mxie (218.191.170.166:5107) 5107 TCP
"5107:UDP"= 5107:UDP:*isabled:mxie (218.191.170.166:5107) 5107 UDP
"6100:TCP"= 6100:TCP:*isabled:kupe (218.191.170.166:6100) 6100 TCP
"6100:UDP"= 6100:UDP:*isabled:kupe (218.191.170.166:6100) 6100 UDP
"4863:TCP"= 4863:TCP:*isabled:ppLive
"5316:UDP"= 5316:UDP:*:Disabled:ppLive
"22126:TCP"= 22126:TCP:BitComet 22126 TCP
"22126:UDP"= 22126:UDP:BitComet 22126 UDP
"24821:TCP"= 24821:TCP:BitComet 24821 TCP
"24821:UDP"= 24821:UDP:BitComet 24821 UDP
"20529:TCP"= 20529:TCP:BitComet 20529 TCP
"20529:UDP"= 20529:UDP:BitComet 20529 UDP
"16766:TCP"= 16766:TCP:BitComet 16766 TCP
"16766:UDP"= 16766:UDP:BitComet 16766 UDP
"23441:TCP"= 23441:TCP:BitComet 23441 TCP
"23441:UDP"= 23441:UDP:BitComet 23441 UDP
"9037:TCP"= 9037:TCP:BitComet 9037 TCP
"9037:UDP"= 9037:UDP:BitComet 9037 UDP
"27383:TCP"= 27383:TCP:BitComet 27383 TCP
"27383:UDP"= 27383:UDP:BitComet 27383 UDP
"14923:TCP"= 14923:TCP:BitComet 14923 TCP
"14923:UDP"= 14923:UDP:BitComet 14923 UDP
"8938:TCP"= 8938:TCP:BitComet 8938 TCP
"8938:UDP"= 8938:UDP:BitComet 8938 UDP
"8719:TCP"= 8719:TCP:BitComet 8719 TCP
"8719:UDP"= 8719:UDP:BitComet 8719 UDP
"25826:TCP"= 25826:TCP:BitComet 25826 TCP
"25826:UDP"= 25826:UDP:BitComet 25826 UDP
"13342:TCP"= 13342:TCP:BitComet 13342 TCP
"13342:UDP"= 13342:UDP:BitComet 13342 UDP
"17065:TCP"= 17065:TCP:BitComet 17065 TCP
"17065:UDP"= 17065:UDP:BitComet 17065 UDP
"26997:TCP"= 26997:TCP:BitComet 26997 TCP
"26997:UDP"= 26997:UDP:BitComet 26997 UDP
"19177:TCP"= 19177:TCP:BitComet 19177 TCP
"19177:UDP"= 19177:UDP:BitComet 19177 UDP
"27070:TCP"= 27070:TCP:BitComet 27070 TCP
"27070:UDP"= 27070:UDP:BitComet 27070 UDP
"21911:TCP"= 21911:TCP:BitComet 21911 TCP
"21911:UDP"= 21911:UDP:BitComet 21911 UDP
"16089:TCP"= 16089:TCP:BitComet 16089 TCP
"16089:UDP"= 16089:UDP:BitComet 16089 UDP
"23911:TCP"= 23911:TCP:BitComet 23911 TCP
"23911:UDP"= 23911:UDP:BitComet 23911 UDP
"19961:TCP"= 19961:TCP:BitComet 19961 TCP
"19961:UDP"= 19961:UDP:BitComet 19961 UDP
"19989:TCP"= 19989:TCP:BitComet 19989 TCP
"19989:UDP"= 19989:UDP:BitComet 19989 UDP
"15657:TCP"= 15657:TCP:BitComet 15657 TCP
"15657:UDP"= 15657:UDP:BitComet 15657 UDP
"18337:TCP"= 18337:TCP:BitComet 18337 TCP
"18337:UDP"= 18337:UDP:BitComet 18337 UDP
"11784:TCP"= 11784:TCP:BitComet 11784 TCP
"11784:UDP"= 11784:UDP:BitComet 11784 UDP
"16717:TCP"= 16717:TCP:BitComet 16717 TCP
"16717:UDP"= 16717:UDP:BitComet 16717 UDP
"27575:TCP"= 27575:TCP:BitComet 27575 TCP
"27575:UDP"= 27575:UDP:BitComet 27575 UDP
"24246:TCP"= 24246:TCP:BitComet 24246 TCP
"24246:UDP"= 24246:UDP:BitComet 24246 UDP
"12799:TCP"= 12799:TCP:Foxy (124.244.221.212:12799) 12799 TCP
"12799:UDP"= 12799:UDP:Foxy (124.244.221.212:12799) 12799 UDP
"12984:TCP"= 12984:TCP:BitComet 12984 TCP
"12984:UDP"= 12984:UDP:BitComet 12984 UDP
"13561:TCP"= 13561:TCP:BitComet 13561 TCP
"13561:UDP"= 13561:UDP:BitComet 13561 UDP
"23903:TCP"= 23903:TCP:BitComet 23903 TCP
"23903:UDP"= 23903:UDP:BitComet 23903 UDP
"27313:TCP"= 27313:TCP:BitComet 27313 TCP
"27313:UDP"= 27313:UDP:BitComet 27313 UDP
"21494:TCP"= 21494:TCP:BitComet 21494 TCP
"21494:UDP"= 21494:UDP:BitComet 21494 UDP
"9520:TCP"= 9520:TCP:BitComet 9520 TCP
"9520:UDP"= 9520:UDP:BitComet 9520 UDP
"7462:TCP"= 7462:TCP:BitComet 7462 TCP
"7462:UDP"= 7462:UDP:BitComet 7462 UDP
"9178:TCP"= 9178:TCP:BitComet 9178 TCP
"9178:UDP"= 9178:UDP:BitComet 9178 UDP
"21586:TCP"= 21586:TCP:BitComet 21586 TCP
"21586:UDP"= 21586:UDP:BitComet 21586 UDP
"11605:TCP"= 11605:TCP:BitComet 11605 TCP
"11605:UDP"= 11605:UDP:BitComet 11605 UDP
"19579:TCP"= 19579:TCP:BitComet 19579 TCP
"19579:UDP"= 19579:UDP:BitComet 19579 UDP
"22703:TCP"= 22703:TCP:BitComet 22703 TCP
"22703:UDP"= 22703:UDP:BitComet 22703 UDP
"22601:TCP"= 22601:TCP:BitComet 22601 TCP
"22601:UDP"= 22601:UDP:BitComet 22601 UDP
"26475:TCP"= 26475:TCP:BitComet 26475 TCP
"26475:UDP"= 26475:UDP:BitComet 26475 UDP
"19232:TCP"= 19232:TCP:BitComet 19232 TCP
"19232:UDP"= 19232:UDP:BitComet 19232 UDP
"20624:TCP"= 20624:TCP:BitComet 20624 TCP
"20624:UDP"= 20624:UDP:BitComet 20624 UDP
"21517:TCP"= 21517:TCP:BitComet 21517 TCP
"21517:UDP"= 21517:UDP:BitComet 21517 UDP
"15520:TCP"= 15520:TCP:BitComet 15520 TCP
"15520:UDP"= 15520:UDP:BitComet 15520 UDP
"25092:TCP"= 25092:TCP:BitComet 25092 TCP
"25092:UDP"= 25092:UDP:BitComet 25092 UDP
"7754:TCP"= 7754:TCP:BitComet 7754 TCP
"7754:UDP"= 7754:UDP:BitComet 7754 UDP
"21624:TCP"= 21624:TCP:BitComet 21624 TCP
"21624:UDP"= 21624:UDP:BitComet 21624 UDP
"14024:TCP"= 14024:TCP:BitComet 14024 TCP
"14024:UDP"= 14024:UDP:BitComet 14024 UDP
"13361:TCP"= 13361:TCP:BitComet 13361 TCP
"13361:UDP"= 13361:UDP:BitComet 13361 UDP
"7491:TCP"= 7491:TCP:BitComet 7491 TCP
"7491:UDP"= 7491:UDP:BitComet 7491 UDP
"24069:TCP"= 24069:TCP:BitComet 24069 TCP
"24069:UDP"= 24069:UDP:BitComet 24069 UDP
"26423:TCP"= 26423:TCP:BitComet 26423 TCP
"26423:UDP"= 26423:UDP:BitComet 26423 UDP
"25469:TCP"= 25469:TCP:BitComet 25469 TCP
"25469:UDP"= 25469:UDP:BitComet 25469 UDP
"19171:TCP"= 19171:TCP:BitComet 19171 TCP
"19171:UDP"= 19171:UDP:BitComet 19171 UDP
"21234:TCP"= 21234:TCP:BitComet 21234 TCP
"21234:UDP"= 21234:UDP:BitComet 21234 UDP
"11362:TCP"= 11362:TCP:BitComet 11362 TCP
"11362:UDP"= 11362:UDP:BitComet 11362 UDP
"9058:TCP"= 9058:TCP:BitComet 9058 TCP
"9058:UDP"= 9058:UDP:BitComet 9058 UDP
"22269:TCP"= 22269:TCP:BitComet 22269 TCP
"22269:UDP"= 22269:UDP:BitComet 22269 UDP
"9561:TCP"= 9561:TCP:BitComet 9561 TCP
"9561:UDP"= 9561:UDP:BitComet 9561 UDP
"8363:TCP"= 8363:TCP:BitComet 8363 TCP
"8363:UDP"= 8363:UDP:BitComet 8363 UDP
"24277:TCP"= 24277:TCP:BitComet 24277 TCP
"24277:UDP"= 24277:UDP:BitComet 24277 UDP
"18215:TCP"= 18215:TCP:BitComet 18215 TCP
"18215:UDP"= 18215:UDP:BitComet 18215 UDP
"12496:TCP"= 12496:TCP:BitComet 12496 TCP
"12496:UDP"= 12496:UDP:BitComet 12496 UDP
"15487:TCP"= 15487:TCP:BitComet 15487 TCP
"15487:UDP"= 15487:UDP:BitComet 15487 UDP
"18801:TCP"= 18801:TCP:BitComet 18801 TCP
"18801:UDP"= 18801:UDP:BitComet 18801 UDP
"8644:TCP"= 8644:TCP:BitComet 8644 TCP
"8644:UDP"= 8644:UDP:BitComet 8644 UDP
"17869:TCP"= 17869:TCP:BitComet 17869 TCP
"17869:UDP"= 17869:UDP:BitComet 17869 UDP
"10950:TCP"= 10950:TCP:BitComet 10950 TCP
"10950:UDP"= 10950:UDP:BitComet 10950 UDP
"9855:TCP"= 9855:TCP:BitComet 9855 TCP
"9855:UDP"= 9855:UDP:BitComet 9855 UDP
"16947:TCP"= 16947:TCP:BitComet 16947 TCP
"16947:UDP"= 16947:UDP:BitComet 16947 UDP
"9403:TCP"= 9403:TCP:BitComet 9403 TCP
"9403:UDP"= 9403:UDP:BitComet 9403 UDP
"24694:TCP"= 24694:TCP:BitComet 24694 TCP
"24694:UDP"= 24694:UDP:BitComet 24694 UDP
"7323:TCP"= 7323:TCP:BitComet 7323 TCP
"7323:UDP"= 7323:UDP:BitComet 7323 UDP
"16219:TCP"= 16219:TCP:BitComet 16219 TCP
"16219:UDP"= 16219:UDP:BitComet 16219 UDP
"13338:TCP"= 13338:TCP:BitComet 13338 TCP
"13338:UDP"= 13338:UDP:BitComet 13338 UDP

R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [2004-08-25 6656]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R3 avgntdw;avgntdw;c:\program files\AVPersonal\AVGNTDW.SYS [2005-04-29 32896]
R3 BT848;FlyVideo WDM Video Capture;c:\windows\system32\drivers\BT848.sys [1980-01-01 210617]
R3 BTTUNER;FlyVideo WDM TvTuner;c:\windows\system32\drivers\bttuner.sys [1980-01-01 9581]
R3 BTXBAR;FlyVideo WDM Crossbar;c:\windows\system32\drivers\btxbar.sys [1980-01-01 7883]
R3 L6DP;L6DP;c:\windows\system32\drivers\l6dp.sys [2002-07-16 26496]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
S1 MFKGTKEY;MFKGTKEY;c:\windows\system32\drivers\mfkgtkey.sys [2004-08-25 10191]
S3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys --> c:\windows\system32\drivers\av5flt.sys [?]
S3 ComFiltranda Anti-Dialer;\??\c:\windows\system32\DRIVERS\COMFiltr.sys --> c:\windows\system32\DRIVERS\COMFiltr.sys [?]
S3 L6PODLVODxt Live Service;c:\windows\system32\drivers\L6PODLV.sys [2008-03-06 514432]

--- Other Services/Drivers In Memory ---

*Deregistered* - ALG
*Deregistered* - AntiVirService
*Deregistered* - AudioSrv
*Deregistered* - AVWUpSrv
*Deregistered* - Browser
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - ImapiService
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - Netman
*Deregistered* - nhksrv
*Deregistered* - Nla
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - SLService
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - UMWdf
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-nvviddrv32 - gxrkrxh.exe
ShellExecuteHooks-{912F6837-CCB6-424B-BC9C-8BB5541AFB54} - (no file)
ShellExecuteHooks-{1957817A-94B2-4CAC-B113-A331809B5730} - 1957817A.dll
ShellExecuteHooks-{198FF3D8-56F1-466B-A36F-F9C28B43E440} - 198FF3D8.dll
ShellExecuteHooks-{0306438F-7E67-4DDA-8EF2-C0AD040FEBE0} - 0306438F.dll
ShellExecuteHooks-{16BC0F81-410C-41DF-A902-1B04368BA8AE} - 16BC0F81.dll
ShellExecuteHooks-{704C3595-DB85-40F6-A601-8D6F346907BD} - 704C3595.dll
ShellExecuteHooks-{702171BF-1218-4546-B4A7-EFA5E1897651} - c:\windows\system32\ngihnhbf.dll
ShellExecuteHooks-{669378DD-DAA5-416E-A3A9-77F395BF1A8F} - c:\windows\system32\mmpjnodd.dll
ShellExecuteHooks-{14EA044B-02C1-41FE-8CC1-4970B3678E09} - c:\windows\system32\hkeagkkb.dll
SSODL-702171BF-{702171BF-1218-4546-B4A7-EFA5E1897651} - c:\windows\system32\ngihnhbf.dll
SSODL-669378DD-{669378DD-DAA5-416E-A3A9-77F395BF1A8F} - c:\windows\system32\mmpjnodd.dll
SSODL-14EA044B-{14EA044B-02C1-41FE-8CC1-4970B3678E09} - c:\windows\system32\hkeagkkb.dll
MSConfigStartUp-foxy - c:\docume~1\MS-14S\LOCALS~1\Temp\Rar$EX00.703\Foxy.exe
MSConfigStartUp-Steam - c:\program files\valve\steam\steam.exe


.
------- 而外的掃描 -------
.
uStart Page = hxxp://hk.yahoo.com/
IE: &使用BitComet下載本頁視頻 - c:\docume~1\MS-14S\LOCALS~1\Temp\Rar$EX00.609\BitComet.exe/AddVideo.htm
IE: Foxy 下載 - c:\program files\Foxy\Foxy.exe/download.htm
IE: Foxy 搜尋 - c:\program files\Foxy\Foxy.exe/search.htm
IE: 使用 FlashGet 下載 - c:\progra~1\FlashGet\jc_link.htm
IE: 使用BitComet下載全部鏈接 - c:\docume~1\MS-14S\LOCALS~1\Temp\Rar$EX00.609\BitComet.exe/AddAllLink.htm
IE: 使用BitComet下載鏈接(&B) - c:\docume~1\MS-14S\LOCALS~1\Temp\Rar$EX00.609\BitComet.exe/AddLink.htm
IE: 使用迅雷下載  - c:\documents and settings\MS-14S\桌面\迅雷\Thunder 4.5.2.38\geturl.htm
IE: 使用迅雷下載全部連結  - c:\documents and settings\MS-14S\桌面\迅雷\Thunder 4.5.2.38\getAllurl.htm
IE: 全部使用 FlashGet 下載 - c:\progra~1\FlashGet\jc_all.htm
Trusted Zone: line6.net
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -

---- 火狐配置文件 ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("backups.number_of_prefs_copies", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromString", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromStream", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.block.target_new_window",     false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.disable_window_open_feature.status",      false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.popup_allowed_events", "change click dblclick reset submit");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("advanced.always_load_images",         true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.protocol-handler.external.help", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.connect.timeout",  30);        // in seconds
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.request.timeout", 120);        // in seconds
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.negotiate-auth.trusted-uris", "https://");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.image.imageBehavior",         0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.cookieBehavior",       3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel",             1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad",                   false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\greprefs\all.js - pref("bidi.clipboardtextmode", 3);
c:\program files\Mozilla Firefox\greprefs\xpinstall.js - pref("xpinstall.manual_confirm",  true);
c:\program files\Mozilla Firefox\greprefs\xpinstall.js - pref("xpinstall.notifications.enabled",  true);
c:\program files\Mozilla Firefox\greprefs\xpinstall.js - pref("xpinstall.notifications.interval", 1);
c:\program files\Mozilla Firefox\greprefs\xpinstall.js - pref("xpinstall.notifications.lastDate", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.version", "0.9");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.build_id",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.app.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.app.url", "chrome://mozapps/locale/update/update.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.app.updatesAvailable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.app.updateVersion", "");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.app.updateDescription", "");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.app.updateURL", "");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.extensions.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.extensions.autoUpdate", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.interval", 604800000); // every 7 days
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.lastUpdateDate", 0); // UTC offset when last update was performed.
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.severity", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.extensions.count", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendorSub",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.turbo.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.disable_open_during_load",        true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("javascript.options.showInConsole",    false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("network.protocols.useSystemDefaults", false); // set to true if user links should use system default handlers
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("network.protocol-handler.external.news" , true); // for news
c:\program files\Mozilla Firefox\defaults\pref\foxy.js - pref("network.protocol-handler.external.foxy", true);
c:\program files\Mozilla Firefox\defaults\pref\foxy.js - pref("network.protocol-handler.warn-external.foxy", false);
c:\program files\Mozilla Firefox\defaults\pref\foxy.js - pref("network.protocol-handler.expose.foxy", true);
c:\program files\Mozilla Firefox\defaults\profile\foxy.js - user_pref("network.protocol-handler.external.foxy", true);
c:\program files\Mozilla Firefox\defaults\profile\foxy.js - user_pref("network.protocol-handler.warn-external.foxy", false);
c:\program files\Mozilla Firefox\defaults\profile\foxy.js - user_pref("network.protocol-handler.expose.foxy", true);
c:\program files\Mozilla Firefox\defaults\profile\foxy.js - user_pref("general.useragent.extra.foxy1", "Foxy/1");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-27 09:47:35
Windows 5.1.2600 Service Pack 2 NTFS

掃描被隱藏的進程 。。。  

掃描被隱藏的啟動組 。。。

掃描被隱藏的文件 。。。  

掃描完成
被隱藏的檔案: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\LocalService\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-20\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-21-2000478354-1897051121-725345543-1004\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@=""

[HKEY_USERS\S-1-5-21-2000478354-1897051121-725345543-1004\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.default]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-21-2000478354-1897051121-725345543-1004\Software\Microsoft\Internet Explorer\MenuExt\O(u?? N        ?*]
@="c:\\Documents and Settings\\MS-14S\\桌面\\迅雷\\Thunder 4.5.2.38\\geturl.htm"
"contexts"=dword:00000022

[HKEY_USERS\S-1-5-21-2000478354-1897051121-725345543-1004\Software\Microsoft\Internet Explorer\MenuExt\O(u?? N        Q?#} *]
@="c:\\Documents and Settings\\MS-14S\\桌面\\迅雷\\Thunder 4.5.2.38\\getAllurl.htm"
"contexts"=dword:000000f3

[HKEY_USERS\S-1-5-21-2000478354-1897051121-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*7_惠]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2000478354-1897051121-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*7_惠\OpenWithList]
@Class="Shell"
"a"="AVConverterUI.exe"
"MRUList"="a"

[HKEY_USERS\S-1-5-21-2000478354-1897051121-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*U}
\!q餱cTR]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2000478354-1897051121-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*U}
\!q餱cTR\OpenWithList]
@Class="Shell"
"a"="AVConverterUI.exe"
"MRUList"="a"

[HKEY_USERS\S-1-5-21-2000478354-1897051121-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Koei\        N W莤1*1*]
"Order"=hex:08,00,00,00,02,00,00,00,36,03,00,00,01,00,00,00,06,00,00,00,8c,00,
   00,00,00,00,00,00,7e,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,6c,00,36,\

[HKEY_USERS\S-1-5-21-2000478354-1897051121-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Koei\        N W莤g! *Z7_Hr]
"Order"=hex:08,00,00,00,02,00,00,00,16,01,00,00,01,00,00,00,02,00,00,00,82,00,
   00,00,00,00,00,00,74,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,62,00,32,\

[HKEY_USERS\S-1-5-21-2000478354-1897051121-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Koei\        N W莤i! *Z7_Hr]
"Order"=hex:08,00,00,00,02,00,00,00,2e,03,00,00,01,00,00,00,06,00,00,00,8c,00,
   00,00,00,00,00,00,7e,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,6c,00,36,\

[HKEY_USERS\S-1-5-21-2000478354-1897051121-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\qg?b;        N WKNfwm??I*I*]
"Order"=hex:08,00,00,00,02,00,00,00,2e,02,00,00,01,00,00,00,04,00,00,00,74,00,
   00,00,00,00,00,00,66,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,54,00,32,\

[HKEY_USERS\S-1-5-21-2000478354-1897051121-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\鋊*鷘a煃l?浨]
"Order"=hex:08,00,00,00,02,00,00,00,12,02,00,00,01,00,00,00,04,00,00,00,82,00,
   00,00,00,00,00,00,74,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,62,00,36,\

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CurVer]
@="BDATuner.元件.1"
.
--------------------- 運行進程下的動態鏈接庫 ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ 其他運行進程 ------------------------
.
c:\program files\Netropa\Multimedia Keyboard\nhksrv.exe
c:\program files\AVPersonal\AVGUARD.EXE
c:\program files\AVPersonal\AVWUPSRV.EXE
c:\windows\system32\wdfmgr.exe
c:\windows\system32\conime.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
完成時間: 2009-02-27  9:57:01 - 電腦已重新啟動
ComboFix-quarantined-files.txt  2009-02-27 01:56:54

Pre-Run: 16,265,117,696 位元組可用
Post-Run: 16,213,782,528 位元組可用

WindowsXP-KB310994-SP2-Home-BootDisk-CHT.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

626        --- E O F ---        2009-02-25 04:03:47

127.0.0.1 is known as the local loopback address.

Go to VirusTotal  http://www.virustotal.com/

Check the following file:
c:\windows\system32\KGyGaAvL.sys


Step: CFScript

    * Open Notepad and paste the following content

KILLALL::

File::
c:\windows\system32\8B16DDDAA1.sys
c:\windows\system32\704C3595.cfg
c:\windows\system32\16BC0F81.cfg
c:\windows\system32\0306438F.cfg
c:\windows\system32\1957817A.cfg
c:\windows\system32\198FF3D8.cfg

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"qq"=-

Save ---> Save as type ---> All Files --> enter the file name as CFScript.txt
Drag CFScript.txt onto ComboFix.exe

    * ComboFix will then run
    * When it finishes, a report will be saved at C:\ComboFix.txt.

Download ATF-Cleaner
http://www.atribune.org/

Run ATF-Cleaner.exe
Tick everything and press Empty Selected.

After following the steps above, I found that the *.127.0.0.1 address still cannot be removed. Here are the HijackThis and ComboFix reports.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:37:48, on 28/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKCU\..\Run: [Yahoo! Pager]  -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &使用BitComet下載本頁視頻 - res://C:\DOCUME~1\MS-14S\LOCALS~1\Temp\Rar$EX00.609\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Foxy 下載 - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy 搜尋 - res://C:\Program Files\Foxy\Foxy.exe/search.htm
O8 - Extra context menu item: 使用 FlashGet 下載 - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用BitComet下載全部鏈接 - res://C:\DOCUME~1\MS-14S\LOCALS~1\Temp\Rar$EX00.609\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: 使用BitComet下載鏈接(&B) - res://C:\DOCUME~1\MS-14S\LOCALS~1\Temp\Rar$EX00.609\BitComet.exe/AddLink.htm
O8 - Extra context menu item: 使用迅雷下載  - C:\Documents and Settings\MS-14S\桌面\迅雷\Thunder 4.5.2.38\geturl.htm
O8 - Extra context menu item: 使用迅雷下載全部連結  - C:\Documents and Settings\MS-14S\桌面\迅雷\Thunder 4.5.2.38\getAllurl.htm
O8 - Extra context menu item: 全部使用 FlashGet 下載 - C:\PROGRA~1\FlashGet\jc_all.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmestw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmestw.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.line6.net
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/bi ... Client.cab56907.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 4624 bytes
