How to kill Trojan horse Backdoor.Generic10.AUWN (HijackThis log attached)

My computer has caught a virus (Trojan horse Backdoor.Generic10.AUWN),
AVG detects it at c:\windows.svshost.exe,
but it seems it cannot be deleted,
a warning box keeps popping up,
please help, everyone,
how do I delete it

THXx1000000


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 下午 09:07:46, on 2009/3/3
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\bless.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\god.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\WINDOWS\system32\QTRAYIME.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\svshost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O4 - HKLM\..\Run: [Newis] C:\WINDOWS\bless.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{823194EA-94C3-4A30-A988-AFDDF4193638}: NameServer = 210.0.255.144 210.0.128.241
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
--
End of file - 2348 bytes


Download ComboFix to the desktop

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    * Run ComboFix

      Note: to stop security software from wrongly flagging ComboFix as a dangerous file, temporarily disable your antivirus and anti-spyware software before running ComboFix. Also, while ComboFix is running, do not run any other programs or click in the ComboFix window.

Step: CFScript


    * Open Notepad and paste in the following

KILLALL::

File::
C:\WINDOWS\svshost.exe
C:\WINDOWS\bless.exe

Registry::
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Newis"=-

Save ---> Save as type ---> All Files --> enter the file name CFScript.txt
Drag CFScript.txt onto ComboFix.exe

    * ComboFix will run
    * When it finishes there will be a report at C:\ComboFix.txt.



Step: Report Back

    * Paste the following report
    * If the report is too long, you can upload it here: http://www.box.net

    * ComboFix scan report {C:\ComboFix.txt}


thx x1000000000000


ComboFix 09-03-02.03 - Lau 2009-03-03 23:42:01.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.950.1.1028.18.479.104 [GMT 8:00]
執行位置: c:\documents and settings\Lau\桌面\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
.
(((((((((((((((((((((((((((((((((((((((   被刪除的檔案   )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\INSTALL.LOG
c:\program files\orbit
c:\program files\orbit\OrbitPlayer\CoreAAC.ax
c:\program files\orbit\OrbitPlayer\CoreAVCDecoder.ax
c:\program files\orbit\OrbitPlayer\CoreEngine.dll
c:\program files\orbit\OrbitPlayer\OrbitPlayer.dll
c:\program files\orbit\OrbitPlayer\UnInstall.bat
c:\program files\orbit\OrbitPlayer\version
c:\program files\TENCENT\SSPlus\SAddr.dll
c:\program files\TENCENT\SSPlus\SPlus.dll
c:\windows\ggcktxt.txt
c:\windows\ggcktxt1.txt
c:\windows\IE4 Error Log.txt
c:\windows\svshost.exe
c:\windows\system32\Scrax.dll
c:\windows\system32\SSup.dll
.
(((((((((((((((((((((((((  2009-02-03 至 2009-03-03 的新的檔案  )))))))))))))))))))))))))))))))
.
2009-03-03 23:49 . 2009-03-03 23:50 237,568 --a------ c:\windows\svshost.exe
2009-03-03 23:36 . 2009-03-03 23:36 <DIR> d-------- C:\32788R22FWJFW.0.tmp
2009-03-02 23:30 . 2009-03-02 23:30 <DIR> d-------- c:\program files\Trend Micro
2009-03-02 21:26 . 2008-07-11 16:10 323,584 ---h----- c:\program files\god.exe
2009-03-02 21:26 . 2009-03-02 21:26 274,432 --a------ c:\windows\um6kr17re3h17.bak
2009-03-02 21:26 . 2009-03-02 21:26 274,432 ---h----- c:\windows\bless.exe
.
((((((((((((((((((((((((((((((((((((((((   在三個月內被修改的檔案   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-03 15:50 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-30 05:01 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-30 05:01 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2008-12-01 13:58 45,320 ----a-w c:\documents and settings\Lau\Application Data\GDIPFONTCACHEV1.DAT
2006-02-04 07:05 102,400 ----a-w c:\documents and settings\Lau\com_securenetasia_p11wrapper2.dll
.
(((((((((((((((((((((((((((((((((((((   重要登入點   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白與合法缺省登錄將不會被顯示
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-07-12 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Newis"="c:\windows\bless.exe" [2009-03-02 274432]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-02 180269]
"winIogin"="c:\windows\svshost.exe" [2009-03-03 237568]
c:\documents and settings\Lau\「開始」功能表\程式集\啟動\
騰訊QQ.lnk - c:\program files\Tencent\QQ\QQ.exe [2007-05-17 1441792]
c:\documents and settings\All Users\「開始」功能表\程式集\啟動\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2006-10-30 57344]
九方快速啟動.lnk - c:\windows\system32\QTRAYIME.EXE [2002-01-12 26112]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-30 13:01 10520 c:\windows\system32\avgrsstx.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\「開始」功能表\程式集\啟動\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^Microsoft Office.lnk]
path=c:\documents and settings\All Users\「開始」功能表\程式集\啟動\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^Utility Tray.lnk]
path=c:\documents and settings\All Users\「開始」功能表\程式集\啟動\Utility Tray.lnk
backup=c:\windows\pss\Utility Tray.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\ICQ\\Icq.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\BitComet1\\BitComet.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Tencent\\QQ\\QQ.exe"=
"c:\\Program Files\\Tencent\\QQLive\\QQLive.exe"=
"c:\\Program Files\\Tencent\\QQ\\QQPlayerSvr.exe"=
"d:\\PPLive\\PPLive.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23249:TCP"= 23249:TCP:BitComet 23249 TCP
"23249:UDP"= 23249:UDP:BitComet 23249 UDP
R3 npkycryp;npkycryp; [x]
R3 zotyup;zotyup; [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-01-30 325128]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-01-30 107272]
S1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\ghpciscan.sys [2002-08-14 5632]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-30 903960]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-30 298264]

--- Other Services/Drivers In Memory ---
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a8f9d3e-ffb0-11dc-967b-00115bba54a0}]
\Shell\AutoRun\command - G:\install.exe
\Shell\explore\Command - G:\install.exe
\Shell\open\Command - G:\install.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{839ba6b8-ec3f-11dd-9831-00115bba54a0}]
\Shell\AutoRun\command - ipy.cmd
\Shell\explore\Command - ipy.cmd
\Shell\open\Command - ipy.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a24b6bfa-93a7-11dd-979d-00115bba54a0}]
\Shell\AutoRun\command - G:\jg.com
\Shell\open\Command - G:\jg.com
.

.
------- 而外的掃描 -------
.
uStart Page = hxxp://hk.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: 上傳到QQ網路硬碟 - c:\program files\Tencent\QQ\AddToNetDisk.htm
IE: 新增到QQ自定義面板 - c:\program files\Tencent\QQ\AddPanel.htm
IE: 新增到QQ表情 - c:\program files\Tencent\QQ\AddEmotion.htm
IE: 用QQ MMS傳送該圖片 - c:\program files\Tencent\QQ\SendMMS.htm
DPF: Microsoft XML Parser for Java - [url=file:///c:/windows/Java/classes/xmldso.cab]file://c:\windows\Java\classes\xmldso.cab[/url]
.**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-03 23:50:27
Windows 5.1.2600 Service Pack 2 NTFS
掃描被隱藏的進程 。。。  
掃描被隱藏的啟動組 。。。
掃描被隱藏的文件 。。。  

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1343024091-507921405-725345543-1003\Software\Microsoft\Internet Explorer\MenuExt\送0RQ*Q*??b?g]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@="c:\\Program Files\\Tencent\\QQ\\AddPanel.htm"
"contexts"=dword:0000007f
[HKEY_USERS\S-1-5-21-1343024091-507921405-725345543-1003\Software\Microsoft\Internet Explorer\MenuExt\送0RQ*Q*h`]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@="c:\\Program Files\\Tencent\\QQ\\AddEmotion.htm"
"contexts"=dword:00000002
[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"
[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CurVer]
@="BDATuner.元件.1"
[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lxKa\DefaultIcon]
@="c:\\PROGRA~1\\Ahead\\nero\\nero.exe,14"
[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lxKa\shell\open\command]
@="c:\\PROGRA~1\\Ahead\\nero\\nero.exe \"%1\""
[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lxKa\shell\print\command]
@="c:\\PROGRA~1\\Ahead\\nero\\nero.exe /p \"%1\""
[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lxKa\shell\printto\command]
@="c:\\PROGRA~1\\Ahead\\nero\\nero.exe /pt \"%1\" \"%2\" \"%3\" \"%4\""
[HKEY_LOCAL_MACHINE\software\Classes\gOGPKb掞?觀.*M*y*N*S*H*a*n*d*l*e*r*\Clsid]
@="{E8CFC029-8420-4EAE-ADEF-915BDC77E1DC}"
[HKEY_LOCAL_MACHINE\software\Classes\?P[鷸-*俏舸箖刁j?(*P?*.*m*e*c*P*r*o*t*o*c*o*l*\Clsid]
@="{2E1346C0-7D18-11D5-A7E7-00C02626503F}"
.
------------------------ 其他運行進程 ------------------------
.
c:\windows\system32\conime.exe
c:\program files\god.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
.
**************************************************************************
.
完成時間: 2009-03-03 23:59:43 - 電腦已重新啟動
ComboFix-quarantined-files.txt  2009-03-03 15:57:46
Pre-Run: 970,166,272 位元組可用
Post-Run: 2,837,655,552 位元組可用
WindowsXP-KB310994-SP2-Pro-BootDisk-CHT.exe
[boot loader]
timeout=2
default=multidiskrdiskpartition\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multidiskrdiskpartition\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
289 --- E O F --- 2009-02-26 15:40:38


Step: CFScript


    * Open Notepad and paste in the following

KILLALL::

File::
C:\WINDOWS\svshost.exe
C:\WINDOWS\bless.exe
C:\32788R22FWJFW.0.tmp
c:\program files\god.exe
c:\windows\um6kr17re3h17.bak
c:\ipy.cmd
c:\jg.com

Driver::
npkycryp
zotyup

Rootkit::
npkycryp
zotyup

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Newis"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a8f9d3e-ffb0-11dc-967b-00115bba54a0}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{839ba6b8-ec3f-11dd-9831-00115bba54a0}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a24b6bfa-93a7-11dd-979d-00115bba54a0}]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000


Save ---> Save as type ---> All Files --> enter the file name CFScript.txt
Drag CFScript.txt onto ComboFix.exe

    * ComboFix will run
    * When it finishes there will be a report at C:\ComboFix.txt.


Step: Report Back

    * Paste the following report
    * If the report is too long, you can upload it here: http://www.box.net
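Triage of the autorun entries the helper worked from, as an added example by the editor and not part of the thread: it parses the REGEDIT4-style Run and mountpoints2 blocks of a ComboFix log, flags lookalike names such as winIogin and svshost.exe, and renders the File:: / Registry:: sections in the CFScript syntax used in this post. The sample log is constructed from lines of the thread; the system-name list, the 0.85 similarity threshold and the WINDIR_ROOT_OK list are assumptions.

```python
import re
from difflib import SequenceMatcher

# Sample input constructed from the Run and mountpoints2 blocks of the ComboFix log on this thread.
SAMPLE_LOG = r"""
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-07-12 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Newis"="c:\windows\bless.exe" [2009-03-02 274432]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-02 180269]
"winIogin"="c:\windows\svshost.exe" [2009-03-03 237568]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a8f9d3e-ffb0-11dc-967b-00115bba54a0}]
\Shell\AutoRun\command - G:\install.exe
\Shell\open\Command - G:\install.exe
"""

SYSTEM_NAMES = {"svchost", "winlogon", "lsass", "services", "csrss", "smss", "explorer", "ctfmon"}  # assumed
WINDIR_ROOT_OK = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe"}  # legitimately in %WINDIR% root (assumed)
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "0": "o", "|": "l"})  # capital I or 1 for l, 0 for o
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"')  # "Newis"="c:\windows\bless.exe" [date size]
MOUNT_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.IGNORECASE)  # \Shell\AutoRun\command - X

def lookalike(name):
    """Return the system process name that `name` imitates after homoglyph folding, else None."""
    stem = name.translate(HOMOGLYPHS).lower().removesuffix(".exe")
    for sysname in SYSTEM_NAMES:
        # An identical stem is the real name (its location is judged separately); near misses are flagged.
        if stem != sysname and SequenceMatcher(None, stem, sysname).ratio() >= 0.85:
            return sysname
    return None

def path_findings(command):
    """Reasons an autorun command path looks suspicious; an empty list means nothing stood out."""
    parent, _, base = command.strip().strip('"').lower().rpartition("\\")
    reasons = []
    imitated = lookalike(base)
    if imitated:
        reasons.append(f"filename imitates {imitated}.exe")
    if base.removesuffix(".exe") in SYSTEM_NAMES and not parent.endswith("system32") \
            and base not in WINDIR_ROOT_OK:
        reasons.append("system binary name outside system32")
    if parent in ("c:\\windows", "c:\\program files") and base not in WINDIR_ROOT_OK:
        reasons.append(f"executable dropped directly in {parent}")
    return reasons

def triage(log_text):
    """Walk the REGEDIT4-style dump; return (registry_key, value_name, command, reasons) tuples."""
    findings, key = [], None
    for line in log_text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)
            continue
        if key is None:
            continue
        reasons, name, cmd = [], None, None
        if (m := VALUE_RE.match(line)) and key.lower().endswith("\\run"):
            name, cmd = m.group(1), m.group(2)
            if imitated := lookalike(name):
                reasons.append(f"value name imitates {imitated}")
        elif (m := MOUNT_RE.match(line)) and "mountpoints2" in key.lower():
            name, cmd = m.group(1), m.group(2)
            reasons.append("autorun handler registered for a removable drive")
        if cmd is not None:
            reasons += path_findings(cmd)
            if reasons:
                findings.append((key, name, cmd, reasons))
    return findings

def cfscript(findings):
    """Render the CFScript File:: / Registry:: sections in the syntax the helper used above."""
    files, values, keys = [], {}, []
    for key, name, cmd, _ in findings:
        if "mountpoints2" in key.lower():
            if key not in keys:
                keys.append(key)  # [-KEY] removes the whole autorun handler key
        else:
            values.setdefault(key, []).append(name)  # "name"=- removes one Run value
            if re.match(r"^[a-z]:\\", cmd.lower()) and cmd not in files:
                files.append(cmd)  # only absolute paths are listed under File::
    out = ["KILLALL::", "", "File::", *files, "", "Registry::"]
    for key, names in values.items():
        out.append(f"[{key}]")
        out += [f'"{n}"=-' for n in names]
    out += [f"[-{k}]" for k in keys]
    return "\n".join(out)
```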


ComboFix 09-03-03.01 - Lau 2009-03-04 20:49:26.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.950.1.1028.18.479.192 [GMT 8:00]
執行位置: c:\documents and settings\Lau\桌面\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* 成功創造新還原點
.

(((((((((((((((((((((((((((((((((((((((   被刪除的檔案   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\svshost.exe

.
(((((((((((((((((((((((((  2009-02-04 至 2009-03-04 的新的檔案  )))))))))))))))))))))))))))))))
.

2009-03-04 20:58 . 2009-03-04 21:00        180,332        --a------        c:\windows\svshost.exe
2009-03-04 20:41 . 2009-03-04 20:42        <DIR>        d--------        C:\32788R22FWJFW.1.tmp
2009-03-03 23:36 . 2009-03-03 23:36        <DIR>        d--------        C:\32788R22FWJFW.0.tmp
2009-03-02 23:30 . 2009-03-02 23:30        <DIR>        d--------        c:\program files\Trend Micro
2009-03-02 21:26 . 2008-07-11 16:10        323,584        ---h-----        c:\program files\god.exe
2009-03-02 21:26 . 2009-03-02 21:26        274,432        --a------        c:\windows\um6kr17re3h17.bak
2009-03-02 21:26 . 2009-03-02 21:26        274,432        ---h-----        c:\windows\bless.exe

.
((((((((((((((((((((((((((((((((((((((((   在三個月內被修改的檔案   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-03 15:50        ---------        d-----w        c:\documents and settings\All Users\Application Data\avg8
2009-01-30 05:01        325,128        ----a-w        c:\windows\system32\drivers\avgldx86.sys
2009-01-30 05:01        107,272        ----a-w        c:\windows\system32\drivers\avgtdix.sys
2008-12-01 13:58        45,320        ----a-w        c:\documents and settings\Lau\Application Data\GDIPFONTCACHEV1.DAT
2006-02-04 07:05        102,400        ----a-w        c:\documents and settings\Lau\com_securenetasia_p11wrapper2.dll
.

(((((((((((((((((((((((((((((((((((((   重要登入點   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白與合法缺省登錄將不會被顯示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-07-12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Newis"="c:\windows\bless.exe" [2009-03-02 274432]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-02 180269]
"winIogin"="c:\windows\svshost.exe" [2009-03-04 237568]

c:\documents and settings\Lau\「開始」功能表\程式集\啟動\
騰訊QQ.lnk - c:\program files\Tencent\QQ\QQ.exe [2007-05-17 1441792]

c:\documents and settings\All Users\「開始」功能表\程式集\啟動\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2006-10-30 57344]
九方快速啟動.lnk - c:\windows\system32\QTRAYIME.EXE [2002-01-12 26112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-30 13:01 10520 c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\「開始」功能表\程式集\啟動\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^Microsoft Office.lnk]
path=c:\documents and settings\All Users\「開始」功能表\程式集\啟動\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^Utility Tray.lnk]
path=c:\documents and settings\All Users\「開始」功能表\程式集\啟動\Utility Tray.lnk
backup=c:\windows\pss\Utility Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\ICQ\\Icq.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\BitComet1\\BitComet.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Tencent\\QQ\\QQ.exe"=
"c:\\Program Files\\Tencent\\QQLive\\QQLive.exe"=
"c:\\Program Files\\Tencent\\QQ\\QQPlayerSvr.exe"=
"d:\\PPLive\\PPLive.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23249:TCP"= 23249:TCP:BitComet 23249 TCP
"23249:UDP"= 23249:UDP:BitComet 23249 UDP

R3 npkycryp;npkycryp; [x]
R3 zotyup;zotyup; [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-01-30 325128]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-01-30 107272]
S1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\ghpciscan.sys [2002-08-14 5632]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-30 903960]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-30 298264]


--- Other Services/Drivers In Memory ---

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a8f9d3e-ffb0-11dc-967b-00115bba54a0}]
\Shell\AutoRun\command - G:\install.exe
\Shell\explore\Command - G:\install.exe
\Shell\open\Command - G:\install.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{839ba6b8-ec3f-11dd-9831-00115bba54a0}]
\Shell\AutoRun\command - ipy.cmd
\Shell\explore\Command - ipy.cmd
\Shell\open\Command - ipy.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a24b6bfa-93a7-11dd-979d-00115bba54a0}]
\Shell\AutoRun\command - G:\jg.com
\Shell\open\Command - G:\jg.com
.

.
------- 而外的掃描 -------
.
uStart Page = hxxp://hk.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: 上傳到QQ網路硬碟 - c:\program files\Tencent\QQ\AddToNetDisk.htm
IE: 新增到QQ自定義面板 - c:\program files\Tencent\QQ\AddPanel.htm
IE: 新增到QQ表情 - c:\program files\Tencent\QQ\AddEmotion.htm
IE: 用QQ MMS傳送該圖片 - c:\program files\Tencent\QQ\SendMMS.htm
DPF: Microsoft XML Parser for Java - [url=file://c:\windows\Java\classes\xmldso.cab]file://c:\windows\Java\classes\xmldso.cab[/url]
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-04 20:59:32
Windows 5.1.2600 Service Pack 2 NTFS
掃描被隱藏的進程 。。。  
掃描被隱藏的啟動組 。。。
掃描被隱藏的文件 。。。  

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1343024091-507921405-725345543-1003\Software\Microsoft\Internet Explorer\MenuExt\送0RQ*Q*??b?g]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@="c:\\Program Files\\Tencent\\QQ\\AddPanel.htm"
"contexts"=dword:0000007f
[HKEY_USERS\S-1-5-21-1343024091-507921405-725345543-1003\Software\Microsoft\Internet Explorer\MenuExt\送0RQ*Q*h`]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@="c:\\Program Files\\Tencent\\QQ\\AddEmotion.htm"
"contexts"=dword:00000002
[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"
[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CurVer]
@="BDATuner.元件.1"
[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lxKa\DefaultIcon]
@="c:\\PROGRA~1\\Ahead\\nero\\nero.exe,14"
[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lxKa\shell\open\command]
@="c:\\PROGRA~1\\Ahead\\nero\\nero.exe \"%1\""
[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lxKa\shell\print\command]
@="c:\\PROGRA~1\\Ahead\\nero\\nero.exe /p \"%1\""
[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lxKa\shell\printto\command]
@="c:\\PROGRA~1\\Ahead\\nero\\nero.exe /pt \"%1\" \"%2\" \"%3\" \"%4\""
[HKEY_LOCAL_MACHINE\software\Classes\gOGPKb掞?觀.*M*y*N*S*H*a*n*d*l*e*r*\Clsid]
@="{E8CFC029-8420-4EAE-ADEF-915BDC77E1DC}"
[HKEY_LOCAL_MACHINE\software\Classes\?P[鷸-*俏舸箖刁j?(*P?*.*m*e*c*P*r*o*t*o*c*o*l*\Clsid]
@="{2E1346C0-7D18-11D5-A7E7-00C02626503F}"
.
------------------------ 其他運行進程 ------------------------
.
c:\windows\system32\conime.exe
c:\program files\god.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
.
**************************************************************************
.
完成時間: 2009-03-04 21:07:48 - 電腦已重新啟動
ComboFix-quarantined-files.txt  2009-03-04 13:06:17
ComboFix2.txt  2009-03-03 15:59:50
Pre-Run: 2,810,474,496 位元組可用
Post-Run: 2,803,515,392 位元組可用
270 --- E O F --- 2009-02-26 15:40:38


Script Name: KavoAutoRunKill.USPT
Author: uhthn2002
This script will remove the Kavo Trojan.Autorun files.


刪除檔案
[#]成功 C:\aaw7boot.cmd
[#]成功 C:\WINDOWS\Prefetch\TASKKILL.EXE-0A8306E3.pf
[#]成功 C:\WINDOWS\Prefetch\TASKMGR.EXE-20256C55.pf


流動功能
[#]成功 刪除臨時文件 -> SysTmp
[#]成功 刪除臨時文件 -> InternetTmp
[#]成功 刪除臨時文件 -> RecycleBin
