Infected with several pieces of malware (HijackThis log attached) (Wigon trojan, Joleee.NF worm, Waledac.HI trojan)

I scanned with NOD32 and several names came up. Thanks for any help.
1. Win32/Wigon trojan
2. Win32/Joleee.NF worm
3. a variant of Win32/Waledac.HI trojan


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 下午 10:39:15, on 2009/3/15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2
Boot mode: Normal

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
G:\Program Files\Bonjour\mDNSResponder.exe
G:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
G:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
G:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
G:\Program Files\Google\Update\GoogleUpdate.exe
G:\Program Files\Eset\nod32krn.exe
G:\Program Files\Raxco\PerfectDisk\PDAgent.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\UPHClean\uphclean.exe
G:\Program Files\Raxco\PerfectDisk\PDEngine.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\Eset\nod32kui.exe
G:\WINDOWS\RTHDCPL.EXE
G:\WINDOWS\SOUNDMAN.EXE
G:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
G:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
G:\Program Files\iTunes\iTunesHelper.exe
G:\WINDOWS\FixCamera.exe
G:\WINDOWS\vsnpstd3.exe
G:\WINDOWS\tsnpstd3.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Program Files\Messenger\msmsgs.exe
G:\Program Files\iPod\bin\iPodService.exe
G:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
G:\WINDOWS\system32\cmd.exe
G:\WINDOWS\services.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: DeviceVM Url Search Hook - {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - G:\WINDOWS\system32\dvmurl.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - G:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: ALiBaBar_Helper - {CE439C63-384A-747A-A357-23D96B5D652B} - G:\PROGRA~1\ALiBaBar\ALiBaBar.dll
O3 - Toolbar: ALiBaBar - {0A1375E1-56C2-11D6-8E45-8933A0FB5235} - G:\PROGRA~1\ALiBaBar\ALiBaBar.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - G:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "G:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "G:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [nod32kui] "G:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CJIMETIPSYNC] G:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] G:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [GEST] m点\?
O4 - HKLM\..\Run: [StartCCC] "G:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [FixCamera] G:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [snpstd3] G:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [tsnpstd3] G:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [services] G:\WINDOWS\services.exe
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "G:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "G:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [services] G:\WINDOWS\services.exe
O4 - HKLM\..\Policies\Explorer\Run: [services] G:\WINDOWS\services.exe
O4 - HKCU\..\Policies\Explorer\Run: [services] G:\WINDOWS\services.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] G:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] G:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] G:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [services] G:\WINDOWS\services.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] G:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [services] G:\WINDOWS\services.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: Foxy 下載 - res://G:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy 搜尋 - res://G:\Program Files\Foxy\Foxy.exe/search.htm
O8 - Extra context menu item: Locate Spot on Map by GPS - G:\Program Files\Opanda\IExif 2.3\IExifMap.htm
O8 - Extra context menu item: View Exif/GPS/IPTC with IExif - G:\Program Files\Opanda\IExif 2.3\IExifCom.htm
O8 - Extra context menu item: 使用 FDM 下載 - file://G:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: 使用 FDM 下載影片 - file://G:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: 使用 FDM 下載所有項目 - file://G:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: 使用 FDM 下載選取項目 - file://G:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: 剪貼簿文字:  簡 > 繁 - res://G:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToTrad
O8 - Extra context menu item: 剪貼簿文字:  繁 > 簡 - res://G:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToSim
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://G:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 網頁:  [簡體] 顯示 - res://G:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToSim
O8 - Extra context menu item: 網頁:  [繁體] 顯示 - res://G:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToTrad
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour 服務 (Bonjour Service) - Apple Inc. - G:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - G:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - G:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
O23 - Service: Google Update Service (gupdate1c984902d7df4da) (gupdate1c984902d7df4da) - Google Inc. - G:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod 服務 (iPod Service) - Apple Inc. - G:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - G:\Program Files\Eset\nod32krn.exe
O23 - Service: PDAgent - Raxco Software, Inc. - G:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - G:\Program Files\Raxco\PerfectDisk\PDEngine.exe

--
End of file - 8908 bytes
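Added example, not from the thread or from HijackThis: a small triage script that encodes what a helper looks for in the O4 entries of the log above (a core Windows process name such as services.exe running from the Windows root instead of System32, registrations in the Policies\Explorer\Run keys, and entries whose target is "(no file)"). The reason tags and the SYSTEM32_ONLY list are the script's own choices.

```python
"""
Triage of HijackThis autostart (O4) entries.

Added example, not part of the thread or of HijackThis. It flags the
pattern seen in the log above: a binary carrying a core Windows process
name (services.exe) but living in the Windows root instead of System32,
registered under every user hive and under Policies\Explorer\Run, plus
entries whose target is "(no file)". A flag is a lead, not a verdict.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Core Windows binaries that only ever run from %SystemRoot%\System32
# (list chosen for this example, not a HijackThis convention).
SYSTEM32_ONLY = {
    "services.exe", "lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe",
    "svchost.exe", "userinit.exe", "spoolsv.exe",
}

# O4 line layout: "O4 - <key>: [<value name>] <command> (User '<user>')"
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def exe_path(cmd: str) -> str:
    """Executable part of a Run command (quotes and arguments stripped)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_hjt(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Dangling O2/O9 entries: a CLSID with no backing file.
        if line.endswith("- (no file)"):
            findings.append(("no-file", line))
        m = O4_RE.match(line)
        if not m:
            continue
        path = exe_path(m.group("cmd")).lower()
        folder, _, base = path.rpartition("\\")
        if base in SYSTEM32_ONLY and not folder.endswith("\\system32"):
            findings.append(("system-name-outside-system32", line))
        # Policies\Explorer\Run is rarely used by legitimate software.
        if "policies\\explorer\\run" in m.group("key").lower():
            findings.append(("policies-explorer-run", line))
    return findings


def count_by_reason(log_text: str) -> Dict[str, int]:
    """Tally findings per reason tag."""
    return dict(Counter(reason for reason, _ in triage_hjt(log_text)))


# Sample input: lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [nod32kui] "G:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [services] G:\WINDOWS\services.exe
O4 - HKCU\..\Run: [services] G:\WINDOWS\services.exe
O4 - HKLM\..\Policies\Explorer\Run: [services] G:\WINDOWS\services.exe
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [services] G:\WINDOWS\services.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] G:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
"""

if __name__ == "__main__":
    for reason, line in triage_hjt(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```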


Steps to turn off System Restore

   1. Click Start, right-click My Computer, then click Properties.
   2. In the System Properties dialog box, click the System Restore tab.
   3. Click to select the Turn off System Restore check box. Alternatively, click to select the Turn off System Restore on all drives check box.
   4. Click OK.

Download ATF-Cleaner
http://www.atribune.org/
Run ATF-Cleaner.exe
Tick everything and click Empty Selected.

1. Close Internet Explorer and any open file folder windows.
2. Run HijackThis.
3. Click Do a system scan only and wait until "Scan" changes to "Save log".
4. Tick the following items (the check box on the left) and click "Fix checked". HijackThis will prompt you to reboot; after this step you can restart the computer.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [GEST] m点\?
O4 - HKLM\..\Run: [services] G:\WINDOWS\services.exe
O4 - HKCU\..\Run: [services] G:\WINDOWS\services.exe
O4 - HKLM\..\Policies\Explorer\Run: [services] G:\WINDOWS\services.exe
O4 - HKCU\..\Policies\Explorer\Run: [services] G:\WINDOWS\services.exe
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [services] G:\WINDOWS\services.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [services] G:\WINDOWS\services.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)

Download ComboFix to the desktop

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    * Run ComboFix

      Note: To stop security software from wrongly flagging ComboFix as a dangerous file, temporarily disable your antivirus and anti-spyware software before running ComboFix. Also, while ComboFix is running, do not run any programs or click on the ComboFix window with the mouse.

    * ComboFix will pop up a window; click Yes (Y).
    * If it needs to install the Recovery Console, click Yes (Y) to install it. When installation finishes, click Yes (Y) to continue.
    * The program will scan; the desktop may disappear temporarily while it runs. When the scan finishes, the program closes automatically.
    * The ComboFix log will then pop up; it is saved automatically at C:\ComboFix.txt
    * Restart the computer.
    * Paste the ComboFix log.

If the report is too long, you can upload it here: http://www.box.net


Below is the ComboFix report, but there are still signs of the virus. What can I do?


ComboFix 09-03-15.01 - Administrator 2009-03-16 20:47:32.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.950.886.1028.18.3326.2852 [GMT 8:00]
執行位置: g:\documents and settings\Administrator\桌面\ComboFix.exe
AV: ESET NOD32防毒系統 2.70 *On-access scanning disabled* (Updated)
* 成功創造新還原點
.

(((((((((((((((((((((((((((((((((((((((   被刪除的檔案   )))))))))))))))))))))))))))))))))))))))))))))))))
.

g:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
g:\windows\IE4 Error Log.txt
g:\windows\services.exe
g:\windows\system32\7.tmp
g:\windows\system32\9.tmp
g:\windows\system32\A.tmp
g:\windows\system32\aston.mt
g:\windows\system32\B.tmp
g:\windows\system32\C.tmp
g:\windows\system32\D.tmp
g:\windows\system32\paso.el
g:\windows\ynh.dx

  g:\windows\system32\userinit.exe . . . 受感染!!

  g:\windows\explorer.exe . . . 受感染!!

.
(((((((((((((((((((((((((  2009-02-16 至 2009-03-16 的新的檔案  )))))))))))))))))))))))))))))))
.

2009-03-16 20:44 . 2009-03-16 20:44    42,621    --a------    g:\windows\system32\13.tmp
2009-03-16 20:44 . 2009-03-16 20:44    1    --a------    g:\windows\system32\11.tmp
2009-03-16 20:42 . 2009-03-16 20:42    168    --a------    g:\windows\system32\6.tmp
2009-03-16 19:27 . 2009-03-16 19:27    124    --a------    g:\windows\system32\4.tmp
2009-03-15 22:30 . 2009-03-15 22:30    124    --a------    g:\windows\system32\5.tmp
2009-03-15 22:02 . 2009-03-15 22:02    124    --a------    g:\windows\system32\8.tmp
2009-03-15 21:53 . 2009-03-15 21:54    65,294    --a------    g:\windows\system32\1293.tmp
2009-03-15 21:53 . 2009-03-16 20:42    128    --a------    g:\windows\adobe.bat
2009-03-15 21:53 . 2009-03-15 21:53    124    --a------    g:\windows\system32\128F.tmp
2009-03-15 21:53 . 2009-03-15 21:53    6    --a------    g:\windows\_id.dat
2009-03-15 21:36 . 2009-03-15 21:36    0    --a------    g:\documents and settings\All Users\Application Data\PKP_DLbx.DAT
2009-02-28 14:26 . 2009-02-28 17:53    1,580    --a------    g:\windows\system32\cid_store.dat
2009-02-28 14:26 . 2009-02-28 14:26    26    --a------    g:\windows\system32\xlhcc.dat
2009-02-28 14:25 . 2009-02-28 14:25    <DIR>    d--------    g:\program files\Common Files\Thunder Network
2009-02-28 14:25 . 2009-02-28 14:25    <DIR>    d--------    g:\documents and settings\All Users\Application Data\Thunder Network
2009-02-28 14:25 . 2009-02-28 14:25    20    --a------    g:\windows\system32\pub_store.dat

.
((((((((((((((((((((((((((((((((((((((((   在三個月內被修改的檔案   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-16 12:42    16,608    ----a-w    g:\windows\gdrv.sys
2009-03-15 14:06    ---------    d-----w    g:\program files\Common Files\Nikon
2009-03-15 13:53    ---------    d-----w    g:\program files\Eset
2009-03-15 13:47    ---------    d-----w    g:\program files\Nikon
2009-03-15 13:43    ---------    d-----w    g:\program files\uTorrent
2009-03-15 12:00    20    ---h--w    g:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2009-03-08 10:01    ---------    d-----w    g:\program files\Common Files\Symantec Shared
2009-03-08 10:00    ---------    d-----w    g:\program files\Norton Security Scan
2009-02-22 02:04    ---------    d-----w    g:\program files\Google
2009-02-09 13:51    1,847,040    ----a-w    g:\windows\system32\win32k.sys
2009-02-09 12:50    ---------    d-----w    g:\documents and settings\Administrator\Application Data\Free Download Manager
2009-02-05 16:16    ---------    d-----w    g:\program files\Windows Live Safety Center
2009-01-28 06:15    ---------    d-----w    g:\program files\Common Files\Adobe AIR
2009-01-28 06:15    ---------    d-----w    g:\documents and settings\Administrator\Application Data\Gabob.NowBoarding.B1EDF665FD3C3F3F09EA618A6CFE5BBDBDB5E912.1
2009-01-18 02:55    ---------    d-----w    g:\program files\Opanda
2008-12-14 16:11    20    ---h--w    g:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
2008-12-12 09:31    0    ----a-w    g:\documents and settings\All Users\Application Data\PKP_DLdy.DAT
.

------- Sigcheck -------

2008-06-20 19:51  361600  9aefa14bd6b182d61e3119fa5f436d3d    g:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 19:59  361600  ad978a1b783b5719720cff204b666c8e    g:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2007-12-17 18:24  360576  bd8686216e34e22c4ed45a2320b2bea1    g:\windows\$NtUninstallKB951748$\tcpip.sys
2008-04-14 03:20  361344  93ea8d04ec73a85db02eb8805988f733    g:\windows\SoftwareDistribution\Download\0754f2689ef4733e1aa2ff38e323f37d\tcpip.sys
2008-06-20 18:44  360960  744e57c99232201ae98c49168b918f48    g:\windows\system32\dllcache\tcpip.sys
2008-06-20 18:44  360960  c949aad942f3004f4a76a38a578fd19c    g:\windows\system32\drivers\tcpip.sys

2007-12-15 16:12  995328  389268dff6a50fcab1f49f425e4d455a    g:\windows\explorer.exe
2008-04-15 00:30  995840  36ea9a3415f2c7b8b2dc87d1e6488ef8    g:\windows\SoftwareDistribution\Download\0754f2689ef4733e1aa2ff38e323f37d\explorer.exe
2007-12-15 16:12  995328  eb4908b8abfbf229fdf9b7678bd7948a    g:\windows\system32\dllcache\explorer.exe

2008-04-15 00:30  32768  d5bb893604d2a67c1733ef72c280dd0f    g:\windows\SoftwareDistribution\Download\0754f2689ef4733e1aa2ff38e323f37d\ctfmon.exe
2004-08-04 20:00  32768  180791e875fcd05f2ee1615015119dbf    g:\windows\system32\ctfmon.exe
2004-08-04 20:00  32768  856ae1db5709d07bf4cc7928da50ef26    g:\windows\system32\dllcache\ctfmon.exe

2008-04-15 00:31  42496  10c8b6a40058bfc06594bc34bc5724a3    g:\windows\SoftwareDistribution\Download\0754f2689ef4733e1aa2ff38e323f37d\userinit.exe
2004-08-04 20:00  40960  0424f3ce7329270200d88dd3628c1396    g:\windows\system32\userinit.exe
2004-08-04 20:00  40960  3015d408e94ffdad7f41f5087cae70a4    g:\windows\system32\dllcache\userinit.exe
.
(((((((((((((((((((((((((((((((((((((   重要登入點   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白與合法缺省登錄將不會被顯示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="g:\windows\system32\ctfmon.exe" [2004-08-04 32768]
"MSMSGS"="g:\program files\Messenger\msmsgs.exe" [2007-12-18 1711616]
"DAEMON Tools Lite"="g:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="g:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"Adobe Reader Speed Launcher"="g:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"nod32kui"="g:\program files\Eset\nod32kui.exe" [2008-11-02 949376]
"CJIMETIPSYNC"="g:\program files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE" [2003-07-14 63040]
"PHIMETIPSYNC"="g:\program files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE" [2003-07-14 95296]
"StartCCC"="g:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 81920]
"QuickTime Task"="g:\program files\QuickTime Alternative\QTTask.exe" [2008-11-04 434176]
"iTunesHelper"="g:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"FixCamera"="g:\windows\FixCamera.exe" [2007-07-11 40960]
"snpstd3"="g:\windows\vsnpstd3.exe" [2007-05-10 856064]
"tsnpstd3"="g:\windows\tsnpstd3.exe" [2007-04-21 290816]
"RTHDCPL"="RTHDCPL.EXE" [2008-06-27 g:\windows\RTHDCPL.exe]
"SoundMan"="SOUNDMAN.EXE" [2008-06-18 g:\windows\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [2008-06-19 g:\windows\alcwzrd.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="g:\windows\system32\CTFMON.EXE" [2004-08-04 32768]

g:\documents and settings\Administrator\「開始」功能表\程式集\啟動\
Nikon Monitor.lnk - g:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-06-14 499712]

g:\documents and settings\All Users\「開始」功能表\程式集\啟動\
Cisco Systems VPN Client.lnk - g:\program files\Cisco Systems\VPN Client\vpngui.exe [2008-11-15 1425424]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="g:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"g:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"g:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"g:\\Program Files\\Kingsoft\\Powerword 2007\\xdict.exe"=
"g:\\Program Files\\Kingsoft\\Powerword 2007\\update.exe"=
"g:\\Program Files\\Foxy\\Foxy.exe"=
"g:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"g:\\Program Files\\uTorrent\\utorrent.exe"=
"g:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\BT\\free_3008\\counter-strike 1.6\\cstrike.exe"=


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19701:TCP"= 19701:TCP:Foxy (192.168.2.100:19701) 19701 TCP
"19701:UDP"= 19701:UDP:Foxy (192.168.2.100:19701) 19701 UDP

R1 nod32drv;nod32drv;g:\windows\system32\drivers\nod32drv.sys [2008-11-02 15424]
R2 GEST Service;GEST Service for program management.;g:\program files\GIGABYTE\EnergySaver\GSvr.exe [2008-11-02 80392]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;g:\windows\system32\drivers\AtiHdmi.sys [2008-11-02 89600]
S2 gupdate1c984902d7df4da;Google Update Service (gupdate1c984902d7df4da);g:\program files\Google\Update\GoogleUpdate.exe [2009-02-02 133104]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\Launch.exe
.
‘計劃任務’ 文件夾 裡的內容

2009-02-28 g:\windows\Tasks\AppleSoftwareUpdate.job
- g:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-16 g:\windows\Tasks\GoogleUpdateTaskMachine.job
- g:\program files\Google\Update\GoogleUpdate.exe [2009-02-02 01:11]

2009-03-08 g:\windows\Tasks\Norton Security Scan for Administrator.job
- g:\program files\Norton Security Scan\Nss.exe [2008-09-19 04:18]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-services - g:\windows\services.exe
HKU-Default-Run-services - g:\windows\services.exe
HKLM-Explorer_Run-services - g:\windows\services.exe
HKCU-Explorer_Run-services - g:\windows\services.exe


.
------- 而外的掃描 -------
.
uStart Page = file:///C:/index.htm
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Foxy 下載 - g:\program files\Foxy\Foxy.exe/download.htm
IE: Foxy 搜尋 - g:\program files\Foxy\Foxy.exe/search.htm
IE: Locate Spot on Map by GPS - g:\program files\Opanda\IExif 2.3\IExifMap.htm
IE: View Exif/GPS/IPTC with IExif - g:\program files\Opanda\IExif 2.3\IExifCom.htm
IE: 使用 FDM 下載 - file://g:\program files\Free Download Manager\dllink.htm
IE: 使用 FDM 下載影片 - file://g:\program files\Free Download Manager\dlfvideo.htm
IE: 使用 FDM 下載所有項目 - file://g:\program files\Free Download Manager\dlall.htm
IE: 使用 FDM 下載選取項目 - file://g:\program files\Free Download Manager\dlselected.htm
IE: 剪貼簿文字:  簡 > 繁 - g:\program files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToTrad
IE: 剪貼簿文字:  繁 > 簡 - g:\program files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToSim
IE: 匯出至 Microsoft Office Excel(&X) - g:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: 網頁:  [簡體] 顯示 - g:\program files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToSim
IE: 網頁:  [繁體] 顯示 - g:\program files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToTrad
LSP: g:\windows\system32\imon.dll
FF - ProfilePath - g:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hdnj4pck.default\
FF - prefs.js: browser.startup.homepage - file:///C:/index.htm
FF - component: g:\program files\DAEMON Tools Toolbar\FirefoxDTT\components\DTToolbarFF.dll
FF - plugin: g:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: g:\program files\Mozilla Firefox\plugins\np32asw.dll

---- 火狐配置文件 ----
g:\program files\Mozilla Firefox\defaults\profile\foxy.js - user_pref("network.protocol-handler.external.foxy", true);
g:\program files\Mozilla Firefox\defaults\profile\foxy.js - user_pref("network.protocol-handler.warn-external.foxy", false);
g:\program files\Mozilla Firefox\defaults\profile\foxy.js - user_pref("network.protocol-handler.expose.foxy", true);
g:\program files\Mozilla Firefox\defaults\profile\foxy.js - user_pref("general.useragent.extra.foxy1", "Foxy/1");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-16 20:48:37
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

掃描被隱藏的進程 。。。  

掃描被隱藏的啟動組 。。。

掃描被隱藏的文件 。。。  

掃描完成
被隱藏的檔案: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------


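Added example, not from the thread or from ComboFix: a script that performs the two checks a responder makes by hand on the log above. It compares the MD5 of each live system binary in the Sigcheck section with its system32\dllcache copy, and it verifies that the Winlogon "Userinit" value still names userinit.exe (the log shows it pointing at explorer.exe instead). The STAGING_MARKERS list and the function names are the script's own; the sample lines are copied from the log in this thread.

```python
"""
Cross-check the Sigcheck and Winlogon sections of a ComboFix log.

Added example, not part of the thread or of ComboFix. A hash mismatch
between the live file and its dllcache copy is a lead to verify against
a known-good copy, not proof of infection on its own: dllcache can be
stale or tampered with too. In the log above, explorer.exe and
userinit.exe (both reported infected) differ from their cached copies,
and so does ctfmon.exe, which a responder would want to verify as well.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SIGCHECK_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+(?P<size>\d+)\s+"
    r"(?P<md5>[0-9a-f]{32})\s+(?P<path>\S.*)$"
)
USERINIT_RE = re.compile(r'^"Userinit"="(?P<value>[^"]*)"', re.MULTILINE)

# Copies that legitimately differ from the live file (update staging and
# hotfix backups) and must not be mistaken for the reference copy.
STAGING_MARKERS = ("\\softwaredistribution\\", "\\$hf_mig$\\", "\\$ntuninstall")


def parse_sigcheck(text: str) -> Dict[str, List[Tuple[str, str, int]]]:
    """Group (path, md5, size) tuples by file name, case-insensitively."""
    by_name = defaultdict(list)
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            path = m.group("path").lower()
            name = path.rsplit("\\", 1)[-1]
            by_name[name].append((path, m.group("md5"), int(m.group("size"))))
    return by_name


def dllcache_mismatches(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {name: (live_md5, dllcache_md5)} for files whose copies differ."""
    result = {}
    for name, copies in parse_sigcheck(text).items():
        live = [c for c in copies
                if "\\dllcache\\" not in c[0]
                and not any(mk in c[0] for mk in STAGING_MARKERS)]
        cache = [c for c in copies if "\\dllcache\\" in c[0]]
        if live and cache and live[0][1] != cache[0][1]:
            result[name] = (live[0][1], cache[0][1])
    return result


def userinit_is_default(text: str) -> bool:
    """True only if Winlogon Userinit names system32\\userinit.exe, as on a clean XP."""
    m = USERINIT_RE.search(text)
    if not m:
        return False
    value = m.group("value").lower().rstrip(",")
    return value.endswith("\\system32\\userinit.exe")


# Sample input: the relevant lines copied from the ComboFix log in this thread.
SAMPLE = r"""
2007-12-15 16:12  995328  389268dff6a50fcab1f49f425e4d455a    g:\windows\explorer.exe
2008-04-15 00:30  995840  36ea9a3415f2c7b8b2dc87d1e6488ef8    g:\windows\SoftwareDistribution\Download\0754f2689ef4733e1aa2ff38e323f37d\explorer.exe
2007-12-15 16:12  995328  eb4908b8abfbf229fdf9b7678bd7948a    g:\windows\system32\dllcache\explorer.exe
2004-08-04 20:00  32768  180791e875fcd05f2ee1615015119dbf    g:\windows\system32\ctfmon.exe
2004-08-04 20:00  32768  856ae1db5709d07bf4cc7928da50ef26    g:\windows\system32\dllcache\ctfmon.exe
2004-08-04 20:00  40960  0424f3ce7329270200d88dd3628c1396    g:\windows\system32\userinit.exe
2004-08-04 20:00  40960  3015d408e94ffdad7f41f5087cae70a4    g:\windows\system32\dllcache\userinit.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="g:\windows\explorer.exe,"
"""

if __name__ == "__main__":
    for name, (live, cache) in sorted(dllcache_mismatches(SAMPLE).items()):
        print(f"{name}: live {live} != dllcache {cache}")
    print("Userinit is default:", userinit_is_default(SAMPLE))
```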
