
Infected with the trojan igfrext.exe and b4u902km17wh03p2j17.bak; ComboFix report already posted !!!


Infected: Trojan program Trojan.Win32.Agent.jwm        C:\WINDOWS\b4u902km17wh03p2j17.bak        316 KB
Infected: Trojan program Trojan.Win32.Agent.jwm        C:\WINDOWS\igfrext.exe        316 KB
Please help me out....thanks


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:16:10 AM, on 2009/3/13
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SVD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\anus.exe
C:\WINDOWS\igfrext.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AddTask Class - {24F06550-65E3-4D1C-8CFE-839C296B5530} - C:\Program Files\eREAD6.0\eREAD6.0\IEeREAD.dll (file missing)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.6.14.dll
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SVD] C:\WINDOWS\SVD.exe
O4 - HKLM\..\Run: [igfrext] C:\WINDOWS\igfrext.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &使用 FlashGet 下載 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &使用BitComet下載本頁視訊 - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &全部使用 FlashGet 下載 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Foxy 下載 - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy 搜尋 - res://C:\Program Files\Foxy\Foxy.exe/search.htm
O8 - Extra context menu item: UseFlashGet - C:\Program Files\FlashGet Network\Flashget\ComDlls\Bholink.htm
O8 - Extra context menu item: UseFlashGetDownloadAllLink - C:\Program Files\FlashGet Network\Flashget\ComDlls\Bhoall.htm
O8 - Extra context menu item: 上傳到QQ網路硬碟 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 使用BitComet下載全部連結 - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: 使用BitComet下載連結(&B) - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: 新增到QQ自定義面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 新增到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 新增至廣告橫幅防護 - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: 氝樓善QQ桶 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 添加到QQ自定義面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ MMS傳送該圖片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: 用QQ彩信發送該圖片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O9 - Extra button: 網頁防護統計 - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - Extra 'Tools' menuitem: 騰訊QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQ嚃粗馱撿沭扢离 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} (DataStorage Class) - http://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8A4943CC-1950-44F9-9045-D3D428FD3948} (SecureX Class) - http://txn01.hkjc.com/BetSlip/object/eWinCtl.cab
O16 - DPF: {8DE6AB9C-8C62-486B-8C06-5C9AD6FD06F1} (DataStore Class) - http://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.co ... current/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B346388F-7F3B-4FA3-B15B-0F1B7199F688}: NameServer = 210.0.128.241 210.0.255.144
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Google 更新服務 (gupdate1c99809c8de410a) (gupdate1c99809c8de410a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

--
End of file - 7633 bytes


Steps to turn off System Restore

   1. Click Start, right-click My Computer, then click Properties.
   2. In the System Properties dialog, click the System Restore tab.
   3. Click to select the "Turn off System Restore" check box, or click to select the "Turn off System Restore on all drives" check box.
   4. Click OK.

1. Run the HijackThis shortcut and close every window other than HijackThis.exe.
2. Click "Do a system scan only" and wait until the "Scan" button changes to "Save log".
3. Tick the following entries (the box on the left) and click "Fix checked". HijackThis will prompt you to reboot; after this step you can restart the computer.

O2 - BHO: AddTask Class - {24F06550-65E3-4D1C-8CFE-839C296B5530} - C:\Program Files\eREAD6.0\eREAD6.0\IEeREAD.dll (file missing)
O4 - HKLM\..\Run: [SVD] C:\WINDOWS\SVD.exe
O4 - HKLM\..\Run: [igfrext] C:\WINDOWS\igfrext.exe
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - Extra 'Tools' menuitem: 騰訊QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)

Download ComboFix to the desktop

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    * Run ComboFix

      Note: to stop security software from wrongly flagging ComboFix as a dangerous file, temporarily disable your antivirus and anti-spyware software before running ComboFix. Also, while ComboFix is running, do not run any other program or click inside the ComboFix window.

    * ComboFix will pop up a window; click Yes (Y).
    * If it needs to install the Recovery Console, click Yes (Y) to install it. When installation finishes, click Yes (Y) to continue.
    * The program will scan; the desktop may disappear briefly while it does. When the scan finishes the program closes by itself.
    * The ComboFix log then pops up; it is saved automatically at C:\ComboFix.txt.
    * Restart the computer.
    * Paste the ComboFix log.

If the report is too long, you can upload it here: http://www.box.net
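The triage the helper does by eye above (deciding which O2/O4/O9 lines to tick under "Fix checked") as an added worked example in Python. This is not code from the thread or from HijackThis; the sample lines are copied from the log posted above, while the heuristics (a loose executable sitting directly in the Windows or Program Files root, an entry whose file is missing, a path that the Kaspersky scan in the first post already named) and every function name are this example's own assumptions.

```python
r"""Triage a HijackThis log: pick out the autostart and browser-helper entries that
deserve a closer look before anyone ticks boxes under "Fix checked".

Added example, not part of the thread and not HijackThis's own logic. An O4 Run
entry whose target sits directly in C:\WINDOWS or C:\Program Files (instead of
system32 or a vendor folder) is unusual, O2/O9 entries marked "(file missing)"
are dead weight, and a path an AV scanner already named is confirmed. The sample
lines are copied from the log above; heuristics and names are this example's own.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample: a subset of the lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AddTask Class - {24F06550-65E3-4D1C-8CFE-839C296B5530} - C:\Program Files\eREAD6.0\eREAD6.0\IEeREAD.dll (file missing)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SVD] C:\WINDOWS\SVD.exe
O4 - HKLM\..\Run: [igfrext] C:\WINDOWS\igfrext.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - Extra 'Tools' menuitem: 騰訊QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
"""

# Paths the Kaspersky scan in the first post named, lower-cased for comparison.
AV_DETECTIONS = {r"c:\windows\igfrext.exe", r"c:\windows\b4u902km17wh03p2j17.bak"}

O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O2_O9_RE = re.compile(r"^(?P<kind>O2|O9) - (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<target>.+)$")
# First drive-letter path ending in a loadable-module extension, quoted or not.
PATH_RE = re.compile(r'"?(?P<path>[a-z]:\\.*?\.(?:exe|dll|cpl|scr))"?', re.IGNORECASE)

# Folders where a legitimate vendor does not leave loose executables (heuristic).
ROOTS = (
    (PureWindowsPath(r"C:\WINDOWS"), "directly in the Windows root, not system32"),
    (PureWindowsPath(r"C:\Program Files"), "directly in Program Files, no vendor folder"),
)


def reasons_for(path, missing):
    """Return the reasons an entry deserves attention (empty list means leave it alone)."""
    reasons = []
    parent = PureWindowsPath(path).parent
    if missing:
        reasons.append("target file missing (orphaned entry)")
    for root, why in ROOTS:
        if parent == root:  # PureWindowsPath compares case-insensitively
            reasons.append(why)
    if path.lower() in AV_DETECTIONS:
        reasons.append("already named by the Kaspersky scan")
    return reasons


def extract_path(text):
    """Pull the executable/DLL path out of a command line or BHO target string."""
    m = PATH_RE.search(text)
    return m["path"] if m else text


def triage(log_text):
    """Scan a HijackThis log and return the entries that have at least one reason."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            path, missing = extract_path(m["cmd"]), False
            section, name = "O4", m["name"]
        elif m := O2_O9_RE.match(line):
            path = extract_path(m["target"])
            missing = m["target"].endswith("(file missing)")
            section, name = m["kind"], m["name"]
        else:
            continue
        reasons = reasons_for(path, missing)
        if reasons:
            findings.append({"line": line, "section": section, "name": name,
                             "path": path, "reasons": reasons})
    return findings


def fix_checked_lines(findings):
    """The exact log lines to tick under 'Fix checked' for the flagged entries."""
    return [f["line"] for f in findings]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']} [{f['name']}] {f['path']}")
        for r in f["reasons"]:
            print("   -", r)
```

Run against the sample, it flags the same entries the helper listed: the two loose executables in C:\WINDOWS (one of them also matching the Kaspersky detection) and the three entries whose files are missing, and nothing under system32 or a vendor folder. The AV match is the only hard evidence in the set; the root-folder rule is a heuristic that a sloppy but legitimate installer can also trip, so hash a flagged file and look it up before removing it.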


ComboFix 09-03-10.03 - Kim 2009-03-13  1:00:39.1 - FAT32x86
Microsoft Windows XP Professional  5.1.2600.3.950.1.1028.18.511.192 [GMT 8:00]
Running from: c:\documents and settings\Kim\桌面\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Files deleted   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe
c:\program files\FlashGet Network
c:\program files\FlashGet Network\Flashget\dbtrans_verbose.log
c:\program files\FlashGet Network\Flashget\fgoption.ini
c:\program files\FlashGet Network\Flashget\JCCHS.INI
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\0.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\1.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\10.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\11.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\12.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\13.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\14.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\15.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\16.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\17.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\18.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\19.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\2.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\20.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\21.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\3.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\4.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\5.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\6.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\7.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\8.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\9.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\nologin.bmp
c:\program files\FlashGet Network\Flashget\modules\INMEDIA\Info.ini
c:\program files\FlashGet Network\Flashget\modules\INMEDIA\INMEDIA.dll
c:\program files\FlashGet Network\Flashget\P2PCfg.ini
c:\program files\FlashGet Network\Flashget\p2spmgr.ini
c:\program files\FlashGet Network\Flashget\p4spmgr.ini
c:\program files\FlashGet Network\Flashget\Profiles\config.dat
c:\program files\FlashGet Network\Flashget\Profiles\tasks.dat
c:\program files\FlashGet Network\Flashget\transaction.log
c:\windows\ggcktxt.txt
c:\windows\ggcktxt1.txt
D:\install.exe

.
(((((((((((((((((((((((((  Files created from 2009-02-12 to 2009-03-12  )))))))))))))))))))))))))))))))
.

2009-03-13 00:13 . 2009-03-13 00:13        <DIR>        d--------        c:\program files\Trend Micro
2009-03-13 00:08 . 2009-03-13 00:08        323,584        ---h-----        c:\windows\igfrext.exe
2009-03-13 00:08 . 2009-03-13 00:08        323,584        --a------        c:\windows\b4u902km17wh03p2j17.bak
2009-03-11 23:53 . 2009-03-11 23:53        <DIR>        d--------        c:\windows\BDOSCAN8
2009-03-06 20:00 . 2008-04-12 18:00        368,640        ---h-----        c:\program files\anus.exe
2009-02-28 01:03 . 2009-02-28 01:03        32        --a------        c:\windows\go
2009-02-26 20:32 . 2009-02-26 20:32        27        --a------        c:\windows\AdvConfig.ini
2009-02-26 20:31 . 2009-02-26 20:32        <DIR>        d--------        c:\documents and settings\Kim\Application Data\Kingsoft
2009-02-26 19:59 . 2009-02-26 19:59        <DIR>        d--------        c:\program files\Google

.
((((((((((((((((((((((((((((((((((((((((   Files modified within the last three months   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-12 17:05        32        --sha-w        c:\windows\system32\drivers\fidbox2.idx
2009-03-12 17:05        32        --sha-w        c:\windows\system32\drivers\fidbox2.dat
2009-03-12 17:05        32        --sha-w        c:\windows\system32\drivers\fidbox.idx
2009-03-12 17:05        32        --sha-w        c:\windows\system32\drivers\fidbox.dat
2009-02-04 16:36        89,601        ----a-w        c:\windows\system32\drivers\klick.dat
2009-02-04 16:36        101,287        ----a-w        c:\windows\system32\drivers\klin.dat
2009-02-03 11:36        286,720        ---h--w        c:\windows\SVD.exe
2009-01-16 13:01        3,594,752        ------w        c:\windows\system32\dllcache\mshtml.dll
2008-12-20 22:30        63,488        ------w        c:\windows\system32\dllcache\icardie.dll
2008-12-20 22:30        384,512        ------w        c:\windows\system32\dllcache\iedkcs32.dll
2008-12-20 22:30        383,488        ------w        c:\windows\system32\dllcache\ieapfltr.dll
2008-12-20 22:30        347,136        ----a-w        c:\windows\system32\dllcache\dxtmsft.dll
2008-12-20 22:30        230,400        ------w        c:\windows\system32\dllcache\ieaksie.dll
2008-12-20 22:30        214,528        ------w        c:\windows\system32\dllcache\dxtrans.dll
2008-12-20 22:30        153,088        ------w        c:\windows\system32\dllcache\ieakeng.dll
2008-12-20 22:30        133,120        ------w        c:\windows\system32\dllcache\extmgr.dll
2008-12-20 22:30        124,928        ------w        c:\windows\system32\dllcache\advpack.dll
2008-12-19 09:10        13,824        ------w        c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 09:08        70,656        ------w        c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 05:25        634,024        ------w        c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23        161,792        ------w        c:\windows\system32\dllcache\ieakui.dll
2008-05-31 17:58        1,279,740        ----a-w        c:\documents and settings\Kim\pipilib.zip
2003-01-12 04:41        3,392        ----a-w        c:\windows\inf\OTHER\cmiainfo.sys
2008-10-01 10:30        32,768        --sha-w        c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100120081002\index.dat
.

------- Sigcheck -------

2008-06-20 19:51  361600  a29e1209f925a0e9b330e11da5fc7bab        c:\windows\system32\drivers\tcpip.sys
2008-06-20 19:51  361600  9aefa14bd6b182d61e3119fa5f436d3d        c:\windows\system32\dllcache\tcpip.sys
2002-08-29 01:58  332928  244a2f9816bc9b593957281ef577d976        c:\windows\$NtUninstallKB917953_0$\tcpip.sys
2006-04-20 19:51  359808  1dbf125862891817f374f407626967f4        c:\windows\$hf_mig$\KB917953\SP2GDR\tcpip.sys
2006-04-20 20:18  360576  b2220c618b42a2212a59d91ebd6fc4b4        c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-31 00:53  360832  64798ecfa43d78c7178375fcdd16d8c8        c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 18:44  360960  744e57c99232201ae98c49168b918f48        c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 19:51  361600  9aefa14bd6b182d61e3119fa5f436d3d        c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 19:59  361600  ad978a1b783b5719720cff204b666c8e        c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-06-20 18:45  360320  073941d59ae065910064b728dee981ee        c:\windows\$NtServicePackUninstall$\tcpip.sys
2008-04-14 03:20  361344  93ea8d04ec73a85db02eb8805988f733        c:\windows\ServicePackFiles\i386\tcpip.sys
2004-08-04 14:14  359040  9f4b36614a0fc234525ba224957de55c        c:\windows\$NtUninstallKB917953$\tcpip.sys
2006-04-20 19:51  359808  1dbf125862891817f374f407626967f4        c:\windows\$NtUninstallKB941644$\tcpip.sys
2007-10-31 01:20  360064  ed06c31200714e734118f9a47f5df5ce        c:\windows\$NtUninstallKB951748_0$\tcpip.sys
2008-04-14 03:20  361344  93ea8d04ec73a85db02eb8805988f733        c:\windows\$NtUninstallKB951748$\tcpip.sys
.


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-15 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-08-10 180269]
"igfrext"="c:\windows\igfrext.exe" [2009-03-13 323584]
"SVD"="c:\windows\SVD.exe" [2009-02-03 286720]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 218376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\CTFMON.EXE" [2008-04-15 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-05-25 15:22 63040 c:\windows\system32\LMIinit.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^蒙恬Email功能.lnk]
path=c:\documents and settings\All Users\「開始」功能表\程式集\啟動\蒙恬Email功能.lnk
backup=c:\windows\pss\蒙恬Email功能.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^蒙恬快速鍵.lnk]
path=c:\documents and settings\All Users\「開始」功能表\程式集\啟動\蒙恬快速鍵.lnk
backup=c:\windows\pss\蒙恬快速鍵.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kim^「開始」功能表^程式集^啟動^騰訊QQ.lnk]
path=c:\documents and settings\Kim\「開始」功能表\程式集\啟動\騰訊QQ.lnk
backup=c:\windows\pss\騰訊QQ.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-04-27 15:44 63720 c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-03-17 21:05 339968 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
--a------ 2007-06-28 12:51 218376 c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
--a------ 2007-09-14 09:50 1603152 c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
--a------ 2007-10-26 09:10 652624 c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-15 00:30 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\custom.exe]
--------- 2004-11-26 11:29 57344 c:\winpenjr\win32\CUSTOM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
--a------ 2007-09-11 16:35 1998896 c:\program files\FlashGet\flashget.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\foxy]
--a------ 2008-05-29 19:37 1160704 c:\program files\Foxy\Foxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 13:32 208952 c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-15 00:30 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2008-04-15 00:31 455168 c:\windows\system32\IME\TINTLGNT\tintsetp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2008-04-15 00:31 455168 c:\windows\system32\IME\TINTLGNT\tintsetp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPHIDPAD]
--a------ 2005-03-30 16:49 61440 c:\winpenjr\win32\pphidpad.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SVD]
---h----- 2009-02-03 19:36 286720 c:\windows\SVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-08-10 23:37 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"自動 LiveUpdate 排程器"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"StarWindService"=2 (0x2)
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate"=3 (0x3)
"IDriverT"=3 (0x3)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Adobe LM Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Downloads\\Foxy.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\Foxy\\Foxy.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19694:TCP"= 19694:TCP:BitComet 19694 TCP
"19694:UDP"= 19694:UDP:BitComet 19694 UDP

R1 ppmoucls;ppmoucls;c:\windows\system32\drivers\PPMOUCLS.SYS [2007-08-10 20704]
R1 pptchpadenPower Touchpad;c:\windows\system32\drivers\PPTCHPD5.SYS [2007-08-10 17216]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-08-30 46112]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-04-04 24344]
S2 gupdate1c99809c8de410a;Google 更新服務 (gupdate1c99809c8de410a);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-26 133104]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S3 npkycryp;npkycryp;\??\c:\program files\Tencent\QQ\npkycryp.sys --> c:\program files\Tencent\QQ\npkycryp.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 自動 LiveUpdate 排程器;自動 LiveUpdate 排程器;c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe [2007-08-12 100032]
.
Contents of the 'Scheduled Tasks' folder

2009-03-12 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-26 19:59]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{65F8A3D2-4C22-4A33-9633-73167EAEEC45} - (no file)
MSConfigStartUp-LogMeIn GUI - c:\program files\LogMeIn\x86\LogMeInSystray.exe
MSConfigStartUp-Cmaudio - cmicnfg.cpl


.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com.hk/
uInternet Connection Wizard,ShellNext = iexplore
IE: &使用 FlashGet 下載 - c:\program files\FlashGet\jc_link.htm
IE: &使用BitComet下載本頁視訊 - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &全部使用 FlashGet 下載 - c:\program files\FlashGet\jc_all.htm
IE: Foxy 下載 - c:\program files\Foxy\Foxy.exe/download.htm
IE: Foxy 搜尋 - c:\program files\Foxy\Foxy.exe/search.htm
IE: 上傳到QQ網路硬碟 - c:\program files\Tencent\QQ\AddToNetDisk.htm
IE: 使用BitComet下載全部連結 - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: 使用BitComet下載連結(&B) - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: 新增到QQ自定義面板 - c:\program files\Tencent\QQ\AddPanel.htm
IE: 新增到QQ表情 - c:\program files\Tencent\QQ\AddEmotion.htm
IE: 氝樓善QQ桶 - c:\program files\Tencent\QQ\AddEmotion.htm
IE: 添加到QQ自定義面板 - c:\program files\Tencent\QQ\AddPanel.htm
IE: 添加到QQ表情 - c:\program files\Tencent\QQ\AddEmotion.htm
IE: 用QQ MMS傳送該圖片 - c:\program files\Tencent\QQ\SendMMS.htm
IE: 用QQ彩信發送該圖片 - c:\program files\Tencent\QQ\SendMMS.htm
IE: {{DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - {39732CE5-0EE6-401A-A0B2-27F46B755C5B} - c:\program files\Tencent\QQ\QQIEHelper.dll
TCP: {B346388F-7F3B-4FA3-B15B-0F1B7199F688} = 210.0.128.241 210.0.255.144
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} - hxxp://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
DPF: {8A4943CC-1950-44F9-9045-D3D428FD3948} - hxxp://txn01.hkjc.com/BetSlip/object/eWinCtl.cab
DPF: {8DE6AB9C-8C62-486B-8C06-5C9AD6FD06F1} - hxxp://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-13 01:07:08
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\LocalService\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-20\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-21-861567501-839522115-725345543-1003\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-21-861567501-839522115-725345543-1003\Software\Microsoft\Internet Explorer\MenuExt\送0RQ*Q*??b?g]
@="c:\\Program Files\\Tencent\\QQ\\AddPanel.htm"
"contexts"=dword:0000007f

[HKEY_USERS\S-1-5-21-861567501-839522115-725345543-1003\Software\Microsoft\Internet Explorer\MenuExt\送0RQ*Q*h`]
@="c:\\Program Files\\Tencent\\QQ\\AddEmotion.htm"
"contexts"=dword:00000002

[HKEY_USERS\S-1-5-21-861567501-839522115-725345543-1003\Software\Microsoft\Internet Explorer\MenuExt\ljQ*Q*vh]
@="c:\\Program Files\\Tencent\\QQ\\AddEmotion.htm"
"contexts"=dword:00000002

[HKEY_USERS\S-1-5-21-861567501-839522115-725345543-1003\Software\Microsoft\Internet Explorer\MenuExt\0RQ*Q*??b?g]
@="c:\\Program Files\\Tencent\\QQ\\AddPanel.htm"
"contexts"=dword:0000007f

[HKEY_USERS\S-1-5-21-861567501-839522115-725345543-1003\Software\Microsoft\Internet Explorer\MenuExt\0RQ*Q*h`]
@="c:\\Program Files\\Tencent\\QQ\\AddEmotion.htm"
"contexts"=dword:00000002

[HKEY_USERS\S-1-5-21-861567501-839522115-725345543-1003\Software\Microsoft\Internet Explorer\MenuExt\(uQ*Q*i_嘓|v?WGr]
@="c:\\Program Files\\Tencent\\QQ\\SendMMS.htm"
"contexts"=dword:00000002

[HKEY_USERS\S-1-5-21-861567501-839522115-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Q*Q*?Ar]
"Order"=hex:08,00,00,00,02,00,00,00,00,01,00,00,01,00,00,00,02,00,00,00,76,00,
   00,00,00,00,00,00,68,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,56,00,36,\

[HKEY_USERS\S-1-5-21-861567501-839522115-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Q*Q*J?b]
"Order"=hex:08,00,00,00,02,00,00,00,f8,00,00,00,01,00,00,00,02,00,00,00,76,00,
   00,00,00,00,00,00,68,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,56,00,36,\

[HKEY_USERS\S-1-5-21-861567501-839522115-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\nn`4*?@Y?3w?]
"Order"=hex:08,00,00,00,02,00,00,00,0c,01,00,00,01,00,00,00,02,00,00,00,7c,00,
   00,00,00,00,00,00,6e,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,5c,00,32,\

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CurVer]
@="BDATuner.元件.1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Q*Q*A~?送0W;N]
"SlowInfoCache"=hex:28,02,00,00,00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,
   00,00,00,00,00,ff,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"Changed"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Q*Q*A~?J?b'Y醰]
"SlowInfoCache"=hex:28,02,00,00,00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,
   00,00,00,00,00,ff,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"Changed"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\Q*Q*A~?送0W;N]
"DisplayName"="QQ繁體新斗地主"
"UninstallString"="c:\\PROGRA~1\\TENCENT\\QQGAME\\newddz\\UNWISE.EXE c:\\PROGRA~1\\TENCENT\\QQGAME\\newddz\\INSTALL.LOG"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\Q*Q*A~?J?b'Y醰]
"DisplayName"="QQ繁體遊戲大廳"
"UninstallString"="c:\\PROGRA~1\\TENCENT\\QQGAME\\UNWISE.EXE c:\\PROGRA~1\\TENCENT\\QQGAME\\INSTALL.LOG"

[HKEY_LOCAL_MACHINE\software\TAITO\??g0G*O*??????\1.00]
"Driver"="1.0.0.3"

[HKEY_LOCAL_MACHINE\software\TAITO\??g0'/送y^琫 *q\}ey^琫鋑]
"install"=dword:00000001

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\?悐 *L*i*v*e*U*p*d*a*t*e* * zhV\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,
   00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
.
--------------------- DLLs loaded under running processes ---------------------

- - - - - - - > 'winlogon.exe'
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\klogon.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'lsass.exe'
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\dnsq.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
.
------------------------ Other running processes ------------------------
.
c:\windows\system32\conime.exe
c:\program files\ANUS.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-13  1:09:46 - machine was rebooted
ComboFix-quarantined-files.txt  2009-03-12 17:09:42

Pre-Run: 10,154,311,680 bytes free
Post-Run: 11,180,883,968 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-CHT.exe
[boot loader]
timeout=2
default=multidiskrdiskpartition\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multidiskrdiskpartition\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

342        --- E O F ---        2009-03-08 17:23:18


Step: CFScript


    * Open Notepad and paste the following

KILLALL::

File::
c:\windows\igfrext.exe
c:\windows\b4u902km17wh03p2j17.bak

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfrext"=-

Save ---> Save as type ---> All Files --> enter CFScript.txt as the file name
Drag CFScript.txt onto ComboFix.exe

    * ComboFix will then run
    * When it finishes there will be a report at C:\ComboFix.txt.
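Reading the ComboFix output posted above and turning it into the CFScript that this post asks for, as an added worked example in Python. It is not code from the thread and not ComboFix's own code. The sample lines are copied from the log above; the heuristics (a hidden file or a Run-key autostart sitting directly in the Windows or Program Files root, two files with the same size and creation minute, as igfrext.exe and its .bak twin have), the function names, and the fact that SVD.exe and anus.exe get flagged too (the helper's script removed only igfrext.exe and the .bak) are this example's own assumptions. The CFScript directives (KILLALL::, File::, Registry:: with "name"=-) are the ones used in the post above.

```python
r"""Parse the 'files created', 'files modified' and Run-key sections of a ComboFix
log, flag the entries a helper would look at first, and emit a CFScript for the
entries that have been confirmed.

Added example, not part of the thread and not ComboFix's own code. The sample
lines are copied from the log above; the heuristics, function names and the fact
that SVD.exe and anus.exe are flagged as well (the helper's script removed only
igfrext.exe and its .bak twin) are this example's assumptions. A flag is a lead,
not a verdict: File:: deletes what you list, so hash a flagged file and check it
with a vendor before it goes in.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: a subset of the lines from the ComboFix output posted above.
SAMPLE_LOG = r"""
2009-03-13 00:13 . 2009-03-13 00:13        <DIR>        d--------        c:\program files\Trend Micro
2009-03-13 00:08 . 2009-03-13 00:08        323,584        ---h-----        c:\windows\igfrext.exe
2009-03-13 00:08 . 2009-03-13 00:08        323,584        --a------        c:\windows\b4u902km17wh03p2j17.bak
2009-03-06 20:00 . 2008-04-12 18:00        368,640        ---h-----        c:\program files\anus.exe
2009-02-26 20:32 . 2009-02-26 20:32        27        --a------        c:\windows\AdvConfig.ini
2009-02-03 11:36        286,720        ---h--w        c:\windows\SVD.exe
2009-02-04 16:36        89,601        ----a-w        c:\windows\system32\drivers\klick.dat
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfrext"="c:\windows\igfrext.exe" [2009-03-13 323584]
"SVD"="c:\windows\SVD.exe" [2009-02-03 286720]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 218376]
"""

# "created . modified  size  attrs  path" (created section) or "date  size  attrs  path" (modified section).
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d)(?: \. \d{4}-\d\d-\d\d \d\d:\d\d)?"
    r"\s+(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{6,9})\s+(?P<path>[a-z]:\\.+)$",
    re.IGNORECASE,
)
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[a-z]:\\[^"]+)"', re.IGNORECASE)
# Folders where a legitimate vendor does not drop loose executables (heuristic).
ROOTS = (PureWindowsPath(r"c:\windows"), PureWindowsPath(r"c:\program files"))


def parse(text):
    """Return (files, autostarts): file records and {lower path: (run key, value name)}."""
    files, autostarts, key = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := FILE_RE.match(line):
            files.append({"created": m["created"], "size": m["size"],
                          "attrs": m["attrs"].lower(), "path": m["path"]})
        elif m := KEY_RE.match(line):
            key = m["key"]
        elif key and key.lower().endswith(r"\run") and (m := VALUE_RE.match(line)):
            autostarts[m["path"].lower()] = (key, m["name"])
    return files, autostarts


def flag(files, autostarts):
    """Attach reasons to every non-directory entry that looks out of place."""
    twins = defaultdict(list)  # (size, created minute) -> paths; catches dropper + backup copy
    for f in files:
        if f["size"] != "<DIR>":
            twins[(f["size"], f["created"])].append(f["path"])
    findings = []
    for f in files:
        if f["size"] == "<DIR>":
            continue
        parent = PureWindowsPath(f["path"]).parent
        in_root = parent in ROOTS  # PureWindowsPath compares case-insensitively
        reasons = []
        if in_root and "h" in f["attrs"]:
            reasons.append(f"hidden file directly under {parent}")
        if in_root and f["path"].lower() in autostarts:
            reasons.append("autostarts from a Run key out of a root folder")
        others = [p for p in twins[(f["size"], f["created"])] if p != f["path"]]
        if others:
            reasons.append("same size and creation time as " + ", ".join(others))
        if reasons:
            findings.append({**f, "reasons": reasons})
    return findings


def build_cfscript(confirmed_paths, autostarts):
    """CFScript with the directives used in the thread: KILLALL::, File:: and Registry::."""
    lines = ["KILLALL::", "", "File::", *confirmed_paths]
    by_key = defaultdict(list)
    for path in confirmed_paths:
        if path.lower() in autostarts:  # also drop the Run value that would relaunch it
            key, name = autostarts[path.lower()]
            by_key[key].append(f'"{name}"=-')
    if by_key:
        lines += ["", "Registry::"]
        for key, values in by_key.items():
            lines += [f"[{key}]", *values]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    files, autostarts = parse(SAMPLE_LOG)
    for f in flag(files, autostarts):
        print(f["path"], "->", "; ".join(f["reasons"]))
    # Only the two paths Kaspersky already named go into the script.
    print(build_cfscript([r"c:\windows\igfrext.exe",
                          r"c:\windows\b4u902km17wh03p2j17.bak"], autostarts))
```

flag() is deliberately kept separate from build_cfscript(): the first returns leads (on the sample it also raises SVD.exe and anus.exe, which the helper's script left alone), the second only writes out paths the caller has confirmed, and it looks the confirmed path up in the Run keys so the "igfrext" value is removed in the same pass, which is what the helper's script above does by hand.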


It looks like it's still the same.

ComboFix report
http://www.box.net/shared/10so67b4io

Thx...
