UFunFun 討論區 - Powered by Discuz! Board

標題: window file 有問題(中毒)uhthn麻煩幫幫手 [打印本頁]

作者: 小羊 時間: 2009-4-19 16:52 標題: window file 有問題(中毒)uhthn麻煩幫幫手

我想問如果我個防毒check到window system32入邊有file(oodbs.exe.VIR) 中左毒
可以點做? 唔del得既話應該fix? and點fix?
唔該幫幫手!!uhthn見字麻煩幫幫手我係冒名而來

以下係HijackThis check既log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 上午 11:53:55, on 2009/4/9
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
D:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PowerDVD\PDVDServ.exe
D:\WINDOWS\system32\oodag.exe
D:\Program Files\CyberLink\Shared Files\RichVideo.exe
D:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
D:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
D:\Program Files\Nero\Nero 7\InCD\InCD.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\RTHDCPL.EXE
D:\WINDOWS\system32\svchost.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\TP-LINK\TL-WN310G_350G_351Gv5.0_TL-WN360Gv1.0\TWCU.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Filseclab\Twister\twister.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Windows Live\Messenger\msnmsgr.exe
D:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
D:\Program Files\PPStream\ppsap.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\Common Files\Filseclab\FilMsg.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
D:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\TTPlayer\TTPlayer.exe
D:\Documents and Settings\Administrator\桌面\HijackThis.exe
D:\WINDOWS\System32\NOTEPAD.EXE
D:\WINDOWS\system32\wuauclt.exe
接下

作者: 小羊 時間: 2009-4-19 17:45

R3 - URLSearchHook: Yahoo!奇摩捷徑列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - D:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - D:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - D:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live 登入小幫手 - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - D:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - D:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] D:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] D:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TWCU] "C:\Program Files\TP-LINK\TL-WN310G_350G_351Gv5.0_TL-WN360Gv1.0\TWCU.exe" -nogui
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AppleSyncNotifier] D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVP] "D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [twister] "C:\Program Files\Filseclab\Twister\twister.exe" -a
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PPS Accelerator] D:\Program Files\PPStream\ppsap.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: "新增至廣告橫幅防護" - D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: Foxy 下載 - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy 搜尋 - res://C:\Program Files\Foxy\Foxy.exe/search.htm
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: 網頁流量防護狀態 - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: 發佈至部落格 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: 使用 Windows Live Writer 發佈至部落格(&B) - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: HP 剪貼本 - {58ECB495-38F0-49cb-A538-10282ABF65E7} - D:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP 智慧型選取 - {700259D7-1666-479a-93B1-3250410481E8} - D:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - D:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - D:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - D:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - D:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - D:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - D:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - D:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - D:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - D:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - D:\WINDOWS\system32\mshtml.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - D:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - D:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - D:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - D:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - D:\WINDOWS\system32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - D:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - D:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - D:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - D:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - D:\WINDOWS\system32\wiascr.dll
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - D:\Program Files\Windows Live\Mail\mailcomm.dll
O23 - Service: TP-LINK Configuration Service (ACS) - Atheros - D:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security (avp) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Bonjour 服務 (Bonjour Service) - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - D:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod 服務 (iPod Service) - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - D:\WINDOWS\system32\oodag.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - D:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 11437 bytes

作者: 囡囡妹@@ 時間: 2009-4-21 00:25

將個文件上傳到呢個網上檢查
http://www.virustotal.com/

貼上結果

作者: 小羊 時間: 2009-4-21 04:50

首先唔該晒你幫忙
出現以下結果 & 我個防毒(費爾托斯)出現禁止上傳個檔案執行
""Exception

Please report failure as: ErrorTime= "Apr 10 18:41:36" ""

我有試過用其他檔案upload,係做到結果出黎
但係用個有毒既檔案(oodbs.exe.VIR)就唔得
出現以下同埋以上""...""
""0 bytes size received / Se ha recibido un archivo vacio ""

作者: 囡囡妹@@ 時間: 2009-4-22 01:10

先暫停費爾的檔案保護(監控)

作者: 小羊 時間: 2009-4-22 05:02

係出左以下既結果

反病毒引擎       版本       最後更新       掃瞄結果
a-squared       4.0.0.93       2009.02.16       -
AhnLab-V3       5.0.0.2       2009.02.16       -
AntiVir       7.9.0.79       2009.02.16       -
Authentium       5.1.0.4       2009.02.15       -
Avast       4.8.1335.0       2009.02.16       -
AVG       8.0.0.237       2009.02.16       -
BitDefender       7.2       2009.02.16       -
CAT-QuickHeal       10.00       2009.02.16       -
ClamAV       0.94.1       2009.02.16       -
Comodo       978       2009.02.15       -
DrWeb       4.44.0.09170       2009.02.16       -
eSafe       7.0.17.0       2009.02.15       Suspicious File
eTrust-Vet       31.6.6358       2009.02.16       -
F-Prot       4.4.4.56       2009.02.15       -
F-Secure       8.0.14470.0       2009.02.16       -
Fortinet       3.117.0.0       2009.02.16       -
GData       19       2009.02.16       -
Ikarus       T3.1.1.45.0       2009.02.16       -
K7AntiVirus       7.10.630       2009.02.14       -
Kaspersky       7.0.0.125       2009.02.16       -
McAfee       5527       2009.02.15       -
McAfee+Artemis       5527       2009.02.15       -
Microsoft       1.4306       2009.02.16       -
NOD32       3856       2009.02.16       -
Norman       6.00.02       2009.02.13       -
nProtect       2009.1.8.0       2009.02.16       Trojan/W32.Krap.112128
Panda       10.0.0.10       2009.02.15       -
PCTools       4.4.2.0       2009.02.16       -
Prevx1       V2       2009.02.16       -
Rising       21.17.02.00       2009.02.16       -
SecureWeb-Gateway       6.7.6       2009.02.16       Trojan.Crypt.LooksLike.XPACK
Sophos       4.38.0       2009.02.16       -
Sunbelt       3.2.1851.2       2009.02.12       VIPRE.Suspicious
Symantec       10       2009.02.16       -
TheHacker       6.3.2.2.258       2009.02.16       -
TrendMicro       8.700.0.1004       2009.02.16       -
VBA32       3.12.8.12       2009.02.16       -
ViRobot       2009.2.16.1609       2009.02.16       -
VirusBuster       4.5.11.0       2009.02.15       -
附加訊息
File size: 112128 bytes
MD5...: 7fe86776965e7d10585cd757165f3526
SHA1..: 8cd1b18ce9b7b25882ac37d3cfea930d04994bad
SHA256: 198383179066f7a448d0987b4307b6e22c1ca6fb90e75ef647e7c99c9bac20bd
SHA512: 6550b1d6590fdca474e32f74515fd558beee697613023e76344074bd9dd9a211
46935ac9dc8d8781d835c0581f4cc1ad7fb869ddfc6c5accfd8a42fe5db23484
ssdeep: 3072:CZ0KT7ZBOcPxg//U/KiciXqgspNm767j1jd11:a0KXPjZg//4xq5o767j1j
d1
PEiD..: -
TrID..: File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3648c
timedatestamp.....: 0x447f7e95 (Thu Jun 01 23:56:05 2006)
machinetype.......: 0x14c (I386)

( 2 sections )
name viradd virsiz rawdsiz ntrpy md5
0x1000 0x339ac 0x19c00 8.00 c1cb635373faa611007540d8b6a22338
0x35000 0x155c 0x1600 6.58 6d3282e546d3ab932e6211d1e6b0e383

( 2 imports )
> ootmapi.dll: _OOLoadDriver@4
> NTDLL.dll: ZwDisplayString

( 0 exports )
CWSandbox info: http://research.sunbelt-software ... d10585cd757165f3526

作者: 小羊 時間: 2009-4-23 07:05

麻煩幫幫手
問題還未解決

作者: 囡囡妹@@ 時間: 2009-4-24 21:07

想問一問你個 O&O Defrag 係官方版本定係破解版?

作者: 小羊 時間: 2009-4-25 01:13

我唸應該係官方的
因為呢個O&O Defrag,係我裝window隻碟入邊附帶的

作者: 小羊 時間: 2009-4-27 23:41

請盡快回覆我
這個檔案令我忐忑不安
麻煩晒

作者: 囡囡妹@@ 時間: 2009-4-28 08:07

個File 我個人黎睇 , 係誤報 , 因為個File 係 O&O D .
你先把檔案加入費爾既信任名單中 / 安裝最新版 O&O

作者: 小羊 時間: 2009-4-29 08:04

唔該晒
如果話我不太常用O&O D這個程式
而這個屬於危險的檔案又因他而起
我可唔可以uninstall左佢?

歡迎光臨 UFunFun 討論區 (http://www.ufunfun.com/)