#681 RE: ⊙Virus & Hacker Removal⊙ Disinfection, Analysis, Consulting, Security

Posted: 2008-11-12 10:59:34

rock19830807(恨天高)

※ Quoting lawlaw ():
> The report you posted is incomplete ^^" so I can't see what this problem is.

Thanks, it's been fixed.

Malwarebytes' Anti-Malware 1.30
資料庫版本: 1381
Windows 5.1.2600 Service Pack 2

2008/11/12 上午 10:56:26
mbam-log-2008-11-12 (10-56-24).txt

掃描類型:完全掃描 (C:\|J:\|)
被掃描對象數量: 138849
時間過去: 21 minute(s), 58 second(s)

被感染記憶體進程數量: 0
被感染記憶體模組數量: 0
被感染註冊表項目數量: 1
被感染註冊表值數量: 0
被感染註冊表資料項目數量: 0
被感染資料夾數量: 0
被感染檔案數量: 0

被感染記憶體進程數量:
(沒有檢測到有害項目目)

被感染記憶體模組數量:
(沒有檢測到有害項目目)

被感染註冊表項目數量:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WinOpts

Last edited: 2008-11-12 10:59:34 ◆ Origin: <59.112.17.xxx>

#682 RE: ⊙Virus & Hacker Removal⊙ Disinfection, Analysis, Consulting, Security

Posted: 2008-11-12 19:13:00

lyh66666(破碎虛空)

※ Quoting lawlaw ():
> I'd like to ask: is the malwarebytes report you posted above from your first scan?
> If so, it's possible your Norton had already removed the old viruses, and Norton only found a virus again
> when you used an infected USB drive or moved some infected files from the old computer to the new one.
> In the current situation (the report you provided above), your computer is clean.
> Next time Norton raises an alert, check whether you had just moved some files from the old computer to
> the new one, or whether you had just used a USB drive.

OK, I'll keep an eye on it.
The malwarebytes scan was run after Norton raised the alert.

It is indeed very likely that a USB drive or memory card caused it.
I'll go check in a while whether any of them has a problem (the USB drives should already have anti-kavo protection on them..)
Tonight happens to be when these two scans are scheduled (normally only Norton runs), so I'll see whether anything is still there
and scan every corner clean.

Last edited: 2008-11-12 19:13:00 ◆ Origin: <220.139.131.xxx>

#683 RE: ⊙Virus & Hacker Removal⊙ Disinfection, Analysis, Consulting, Security

Posted: 2008-11-12 22:51:40

lsk21342134(錡錡)

Malwarebytes' Anti-Malware 1.30
資料庫版本: 1388
Windows 5.1.2600 Service Pack 2

2008/11/12 下午 10:46:15
mbam-log-2008-11-12 (22-46-09).txt

掃描類型:完全掃描 (C:\|D:\|)
被掃描對象數量: 107242
時間過去: 1 hour(s), 20 minute(s), 53 second(s)

被感染記憶體進程數量: 0
被感染記憶體模組數量: 0
被感染註冊表項目數量: 0
被感染註冊表值數量: 0
被感染註冊表資料項目數量: 0
被感染資料夾數量: 0
被感染檔案數量: 6

被感染記憶體進程數量:
(沒有檢測到有害項目目)

被感染記憶體模組數量:
(沒有檢測到有害項目目)

被感染註冊表項目數量:
(沒有檢測到有害項目目)

被感染註冊表值數量:
(沒有檢測到有害項目目)

被感染註冊表資料項目數量:
(沒有檢測到有害項目目)

被感染資料夾數量:
(沒有檢測到有害項目目)

被感染檔案數量:
C:\WINDOWS\ctfmon.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\Fonts\wmsncs.exe (Trojan.Agent) -> No action ta

Last edited: 2008-11-12 22:51:40 ◆ Origin: <125.232.68.xxx>

#684 RE: ⊙Virus & Hacker Removal⊙ Disinfection, Analysis, Consulting, Security

Posted: 2008-11-12 22:55:24

lsk21342134(錡錡)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 下午 10:48:45, on 2008/11/12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Hamachi\hamachi.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo!奇摩捷徑列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo!奇摩捷徑列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [iKu] C:\Documents and Settings\Administrator\桌面\iKu\iKu.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O8 - Extra context menu item: "新增至廣告橫幅防護" - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Foxy 下載 - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy 搜尋 - res://C:\Program Files\Foxy\Foxy.exe/search.htm
O8 - Extra context menu item: 使用 FlashGet 下載 - C:\Documents and Settings\Administrator\桌面\FlashGet\ComDlls\Bholink.htm
O8 - Extra context menu item: 全部使用 FlashGet 下載 - C:\Documents and Settings\Administrator\桌面\FlashGet\ComDlls\Bhoall.htm
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
O9 - Extra button: 網頁流量防護狀態 - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O14 - IERESET.INF: START_PAGE_URL=tw.yahoo.com
O16 - DPF: {650BBB86-3D77-49BA-A4B2-2455E44EB031} (PasswordMD5ClientCOMCtrl Class) - https://netbank.chb.com.tw/Security/PasswordMD5ClientCOM.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://momo80709.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {C9B6115C-DEA9-11D6-8C3C-0050BAA6346E} (CertificateDBClientCOMCtrl Class) - https://netbank.chb.com.tw/Security/CertificateDBClientCOM.cab
O16 - DPF: {D431F24F-0D8A-43A2-AB0D-FF6F27DE95A8} (PasswordClientCOMCtrl Class) - https://netbank.chb.com.tw/Security/PasswordClientCOM.cab
O16 - DPF: {EB8D26BA-9A4C-444C-80D1-1B544F68D797} (XMLSignatureClientCOMCtrl Class) - https://netbank.chb.com.tw/Security/XMLSignatureClientCOM.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6034 bytes
------------------------------------------------------------------------------------------------------------------
The two posts above are the results of scanning again with these two programs, after a senior member told me to use them when I posted yesterday.
After the scan, network speed seems to be back to normal.
Please take another look at the new reports for me, thanks.

Last edited: 2008-11-12 22:58:32 ◆ Origin: <125.232.68.xxx>

#685 RE: ⊙Virus & Hacker Removal⊙ Disinfection, Analysis, Consulting, Security

Posted: 2008-11-12 23:04:02

maeasy()

Please take a look at this for me, thanks...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 下午 10:52:55, on 2008/11/12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Tencent\TT\TTraveler.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Tencent SearchHook - {DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9} - C:\Program Files\TENCENT\SSPlus\SAddr.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Tencent Browser Helper - {0C7C23EF-A848-485B-873C-0ED954731014} - C:\Program Files\TENCENT\SSPlus\SAddr.dll
O2 - BHO: QQBrowserHelperObject Class - {54EBD53A-9BC1-480B-966A-843A333CA162} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O2 - BHO: AddTask Class - {6A19C29D-ED45-4483-8999-9F939C8161F2} - C:\Program Files\eREAD\eREAD\WebHook.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {92B255FE-94E2-4BCA-958D-3926CE38913F} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [stup.exe] Rundll32.exe C:\PROGRA~1\TENCENT\SSPlus\SPlus.dll,Rundll32 R
O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Foxy 下載 - res://G:\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy 搜尋 - res://G:\Foxy\Foxy.exe/search.htm
O8 - Extra context menu item: 上傳到QQ網路硬碟 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 新增到QQ自定義面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 新增到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 添加到QQ自定義面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ MMS傳送該圖片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: 用QQ彩信發送該圖片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: 騰訊QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQ嚃粗馱撿沭扢离 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O11 - Options group: [TBH] SOSO AddressBar Search
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://kaspersky.geek.com.tw/kavwebscan_unicode.cab
O16 - DPF: {12755229-656A-4508-BC94-2DA4D314B4C8} (CathayMyATM.ATMFunc) - https://www.mybank.com.tw/myatm/CAB/CathayMyATM.CAB
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {272B8D21-5304-4529-BD3D-1CF392342F7D} (MegaICBC XCsp) - https://netbank.megabank.com.tw/natm/MEGAATM.CAB
O16 - DPF: {2D6F8C95-63E2-441E-8A84-983DE940DA71} (SCUtils Class) - https://tw.playsafecard.gamania.com/FSSCUtilATL.cab
O16 - DPF: {4BDD5670-7D6C-4735-8820-6775A2C37CB2} (Web_Launcher Control) - http://redonline.redbana.tw/Game_Exe/Web_Launcher.cab
O16 - DPF: {596AC026-B204-4E26-8B2B-65797BF599D0} (KENP11Crypt Class) - https://tw.playsafecard.gamania.com/FSP11CryptATL.cab
O16 - DPF: {5C253D25-00FD-4703-9924-E53792DF98C9} (CathayMyATM2.EsConn) - https://www.mybank.com.tw/MyATM/cab/CathayMyATM2.CAB
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/ZH-TW/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5FFA5501-B770-4301-8FAD-D87DECE0AC62} (BOOCATM Control) - https://eatm.booc.com.tw/eATM-jsfile/jsfile/BOOCATM.cab
O16 - DPF: {7067DEA7-8C20-4519-8615-B1829371D8B9} (CTCBWebATM Control) - https://family.chinatrust.com.tw/WebATM/1001/CTCBWebATM.cab
O16 - DPF: {77B7220A-0F9C-47FA-907A-C9C97625E00B} (FESCWebATM Control) - https://payment.fesc.com.tw/lib/FesNetCliAPI_popup.cab
O16 - DPF: {81F3CC2E-5F40-41A5-9FCA-6DAAA6051D46} (ClientATXCtrl Control) - http://www.wayi.com.tw/gameup/ClientATXCtrl.cab
O16 - DPF: {8E1D16E3-37B1-48B8-862E-9D646FC0C8FF} (TFBWebATM Control) - https://ebank.taipeifubon.com.tw/ibank/component/ICCard/TFBWebATM.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E6DA47C4-FCC1-40C3-A3B9-6E496FC157AD} (XCSP.FESC Class) - https://payment.fesc.com.tw/lib/WebATM.cab
O16 - DPF: {F0754118-706B-4E14-8ED9-96E7A18DB894} (XCSP Class) - https://netbank.esunbank.com.tw/webatm/cabs/esuncsp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{43FF7BF3-7C1F-47E4-9A80-A2298066EC7B}: NameServer = 168.95.192.1 168.95.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{43FF7BF3-7C1F-47E4-9A80-A2298066EC7B}: NameServer = 168.95.192.1 168.95.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{43FF7BF3-7C1F-47E4-9A80-A2298066EC7B}: NameServer = 168.95.192.1 168.95.1.1
O23 - Service: B9D7E36B - Unknown owner - C:\WINDOWS\system32\570AB171.EXE (file missing)
O23 - Service: GemSAFE Card Server - Gemplus - C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 9612 bytes
 

Last edited: 2008-11-12 23:04:02 ◆ Origin: <61.229.82.xxx>

#686 RE: ⊙Virus & Hacker Removal⊙ Disinfection, Analysis, Consulting, Security

Posted: 2008-11-13 01:28:55

lawlaw()

※ Quoting rock19830807 (恨天高):
> 被感染註冊表項目數量:
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WinOpts

The line above still isn't showing in full ^^"
Last edited: 2008-11-13 01:28:55 ◆ Origin: <72.166.136.xxx>

#687 RE: ⊙Virus & Hacker Removal⊙ Disinfection, Analysis, Consulting, Security

Posted: 2008-11-13 01:34:47

lawlaw()

※ Quoting lsk21342134 (錡錡):
> 被感染檔案數量:
> C:\WINDOWS\ctfmon.exe (Trojan.Agent) -> No action taken.
> C:\WINDOWS\Fonts\wmsncs.exe (Trojan.Agent) -> No action ta

This section doesn't list all the files, and it says "No action taken" above, which means nothing was done at all.
I'd like to ask: after malwarebytes finished scanning, did you press Show Results (檢視結果)?
If so, did you make sure every item was ticked and then press Remove All Selected (清除所有已選項目)?

Your new hijackthis report still has some trojans left uncleaned. Please first make sure you have removed the
trojans malwarebytes found, then scan the computer again with hijackthis, and I will help you clean up the rest.
Last edited: 2008-11-13 01:37:07 ◆ Origin: <72.166.136.xxx>

#688 RE: ⊙Virus & Hacker Removal⊙ Disinfection, Analysis, Consulting, Security

Posted: 2008-11-13 01:40:22

lawlaw()

※ Quoting maeasy ():

There are some suspicious programs; you can follow the steps below to download malwarebytes and scan the computer.

1. Go to http://www.besttechie.net/tools/mbam-setup.exe and download the program to your desktop.
2. After downloading, double-click the program's icon to start the installer.
3. Do not change any settings during installation.
4. After installation, tick the following two items:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
5. Press Finish.

The program will then start updating automatically.

6. On the Scanner tab, make sure Perform Quick Scan is selected, then press Scan. If it asks which drive you want to scan, select all of them.
7. When the scan finishes press OK, then return to the main menu and press Show Results; make sure every item in the report is ticked, then press Remove Selected.
After deletion it will produce a text report like hijackthis's; post that report here, and if it is too long, split it into two posts.

In your next reply, please post the following reports:

1. the malwarebytes report
2. the latest hijackthis report

On a Traditional Chinese system this program may display garbled text after installation; there are two ways to fix this:

1. In Control Panel > Regional and Language Options, on the Advanced tab, change Chinese (Taiwan) to Chinese (PRC); the program will then display in Simplified Chinese.

2. Open the garbled malwarebytes; on the third tab from the right, the bottom-most item is the language option, and the last (sixth) entry is Traditional Chinese.
Last edited: 2008-11-13 01:40:22 ◆ Origin: <72.166.136.xxx>
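Posts #687 and #688 turn on the same check: a Malwarebytes report only counts as a clean-up when every detection ends in "Quarantined and deleted successfully" and the pasted report is complete, with as many lines listed as the summary counts claim. The Python script below is added here as an example and is not code from this thread or from Malwarebytes; it parses a report in the localized layout shown above and flags both failure modes. The sample log is constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample, not a log from this thread: it mirrors the layout of the
# localized Malwarebytes 1.30 reports posted above, with one section whose
# detections were never removed ("No action taken") and whose summary count (3)
# is larger than the number of lines actually listed (2), i.e. a truncated paste.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.30
資料庫版本: 1388
Windows 5.1.2600 Service Pack 2

掃描類型:完全掃描 (C:\|D:\|)
被掃描對象數量: 107242

被感染記憶體進程數量: 0
被感染註冊表項目數量: 1
被感染檔案數量: 3

被感染記憶體進程數量:
(沒有檢測到有害項目目)

被感染註冊表項目數量:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\stup.exe (Adware.Agent) -> Quarantined and deleted successfully.

被感染檔案數量:
C:\WINDOWS\ctfmon.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\Fonts\wmsncs.exe (Trojan.Agent) -> No action taken.
"""

# Summary block line: "被感染檔案數量: 6"; detail block header: "被感染檔案數量:" on its own.
SUMMARY_RE = re.compile(r"^(被感染.+?數量):\s*(\d+)\s*$")
SECTION_RE = re.compile(r"^(被感染.+?數量):\s*$")
# Detail line: "<target> (<threat name>) -> <status>."
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<threat>[^()]+)\) -> (?P<status>.+?)\.?$")
CLEANED = "Quarantined and deleted successfully"


@dataclass
class Section:
    expected: Optional[int] = None                                    # count from the summary block
    items: List[Tuple[str, str, str]] = field(default_factory=list)   # (target, threat, status)


def parse_mbam_log(text: str) -> Dict[str, Section]:
    """Split a Malwarebytes report into its detection sections."""
    sections: Dict[str, Section] = {}
    current: Optional[Section] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            sections.setdefault(m.group(1), Section()).expected = int(m.group(2))
            current = None
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), Section())
            continue
        if current is None or line.startswith("("):   # "(沒有檢測到有害項目)" placeholder
            continue
        m = ITEM_RE.match(line)
        if m:
            current.items.append((m["target"], m["threat"], m["status"]))
    return sections


def unresolved_items(sections: Dict[str, Section]) -> List[Tuple[str, str, str]]:
    """Detections whose status is anything other than quarantined-and-deleted."""
    return [item for sec in sections.values() for item in sec.items if item[2] != CLEANED]


def audit(sections: Dict[str, Section]) -> List[str]:
    """Findings a helper would raise before accepting the report as a clean result."""
    findings: List[str] = []
    for name, sec in sections.items():
        for target, threat, status in sec.items:
            if status != CLEANED:
                findings.append(f"{name}: {target} ({threat}) -> {status}: not removed, "
                                f"rerun the scan and use Remove Selected")
        if sec.expected is not None and sec.expected > len(sec.items):
            findings.append(f"{name}: summary reports {sec.expected} but only "
                            f"{len(sec.items)} listed; the pasted report is truncated")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_mbam_log(SAMPLE_LOG)):
        print(finding)
```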

#689 RE: ⊙Virus & Hacker Removal⊙ Disinfection, Analysis, Consulting, Security

Posted: 2008-11-13 13:15:07

maeasy()

> In your next reply, please post the following reports:
> 1. the malwarebytes report
Malwarebytes' Anti-Malware 1.30
資料庫版本: 1392
Windows 5.1.2600 Service Pack 2

2008/11/13 下午 12:20:27
mbam-log-2008-11-13 (12-20-27).txt

掃描類型:完全掃描 (C:\|D:\|E:\|F:\|G:\|)
被掃描對象數量: 115444
時間過去: 22 minute(s), 27 second(s)

被感染記憶體進程數量: 0
被感染記憶體模組數量: 0
被感染註冊表項目數量: 46
被感染註冊表值數量: 11
被感染註冊表資料項目數量: 0
被感染資料夾數量: 0
被感染檔案數量: 32

被感染記憶體進程數量:
(沒有檢測到有害項目目)

被感染記憶體模組數量:
(沒有檢測到有害項目目)

被感染註冊表項目數量:
HKEY_CLASSES_ROOT\TypeLib\{54f35df6-7ea5-4da8-84ff-db647d5a69e7} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5ee9791e-3de9-4499-88bf-7681fdcbf7a4} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d17cf0b4-0870-4426-845d-632cc02ce9e6} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{39732ce5-0ee6-401a-a0b2-27f46b755c5b} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{54ebd53a-9bc1-480b-966a-843a333ca162} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{54ebd53a-9bc1-480b-966a-843a333ca162} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{54ebd53a-9bc1-480b-966a-843a333ca162} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qqiehelper.qqbrowserhelperobject.1 (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0c7c23ef-a848-485b-873c-0ed954731014} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0c7c23ef-a848-485b-873c-0ed954731014} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0c7c23ef-a848-485b-873c-0ed954731014} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a57e074f-56d8-4a33-8112-aac9693aa909} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{db8b2393-7a6c-4c76-88ce-6b1f6ff6ffe9} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{669751ed-d558-49ae-b01a-3b374cc7910e} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/cathaymyatm.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{12755229-656a-4508-bc94-2da4d314b4c8} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{12755229-656a-4508-bc94-2da4d314b4c8} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6cddb2bf-09cc-4cbb-9e6c-1f3d89c8408b} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a809b1d1-c7c0-4798-b2ac-4581d0271826} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/cathaymyatm2.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{245e051b-5c83-4e6e-90ba-e08804252aa5} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{36e4eee4-0e90-4dc1-96e6-6e6cfa0f2310} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5c253d25-00fd-4703-9924-e53792df98c9} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{5c253d25-00fd-4703-9924-e53792df98c9} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cf6d4bbd-28e7-4c7c-b14b-3951eb8dfeca} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f2c3ff04-91c9-41f2-9a22-5b2423aa2502} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/ctcbwebatm.ocx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{cd7ce33b-38de-409b-a566-cdce3a787ba3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{907906fc-d86c-4b4d-83e6-2a8f7652eca2} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ecbd360a-bea0-4f7c-9790-b746d1e9a65f} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4c4a0f63-61c1-4c36-b2c5-be86ab42b1bb} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7067dea7-8c20-4519-8615-b1829371d8b9} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7067dea7-8c20-4519-8615-b1829371d8b9} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/tfbwebatm.ocx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{8e8a77de-c6da-4b5c-8fa2-0728780ad7c9} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{23408c05-e9bc-4054-9538-fcd0ff6af031} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{29d84a21-89f5-4dde-adbc-b53b628364a7} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3f53390b-94cf-4723-bf11-128dbd23c7ee} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8e1d16e3-37b1-48b8-862e-9d646fc0c8ff} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8e1d16e3-37b1-48b8-862e-9d646fc0c8ff} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/webatm.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{02853c6e-3a6d-4872-aa2f-518dffe88833} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7b0e7ef3-6036-4653-ba26-f1f41607e8eb} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e6da47c4-fcc1-40c3-a3b9-6e496fc157ad} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{e6da47c4-fcc1-40c3-a3b9-6e496fc157ad} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\TBH (Adware.Agent) -> Quarantined and deleted successfully.

被感染註冊表值數量:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{db8b2393-7a6c-4c76-88ce-6b1f6ff6ffe9} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0c7c23ef-a848-485b-873c-0ed954731014} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{a57e074f-56d8-4a33-8112-aac9693aa909} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{db8b2393-7a6c-4c76-88ce-6b1f6ff6ffe9} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{669751ed-d558-49ae-b01a-3b374cc7910e} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\CathayMyATM.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\CathayMyATM2.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\CTCBWebATM.ocx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\TFBWebATM.ocx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\WebATM.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\stup.exe (Adware.Agent) -> Quarantined and deleted successfully.

被感染註冊表資料項目數量:
(沒有檢測到有害項目目)

被感染資料夾數量:
(沒有檢測到有害項目目)

被感染檔案數量:
C:\Program Files\Tencent\QQ\QQIEHelper.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\SSPlus\SAddr.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SSup.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Nt_File_Temp\16.bmp (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\Nt_File_Temp\19.bmp (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\Nt_File_Temp\2.bmp (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\Nt_File_Temp\20.bmp (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\Nt_File_Temp\21.bmp (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\Nt_File_Temp\23.bmp (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\Nt_File_Temp\24.bmp (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\Nt_File_Temp\25.bmp (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\Nt_File_Temp\26.bmp (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\Nt_File_Temp\28.bmp (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\Nt_File_Temp\3.bmp (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\Nt_File_Temp\30.bmp (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\Nt_File_Temp\32.bmp (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\Nt_File_Temp\35.bmp (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\Nt_File_Temp\36.bmp (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\Nt_File_Temp\6.bmp (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\BOOCATM.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\CathayMyATM.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\CathayMyATM.INF (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\CathayMyATM2.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\CathayMyATM2.INF (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\CTCBWebATM.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\CTCBWebATM.ocx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\TFBWebATM.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\TFBWebATM.ocx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\WebATM.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\WebATM.inf

Last edited: 2008-11-13 13:15:07 ◆ Origin: <61.229.76.xxx>

#690 RE: ⊙Virus & Hacker Removal⊙ Disinfection, Analysis, Consulting, Security

Posted: 2008-11-13 13:18:13

maeasy()

> In your next reply, please post the following reports:
> 2. the latest hijackthis report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 下午 01:13:15, on 2008/11/13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Tencent\TT\TTraveler.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AddTask Class - {6A19C29D-ED45-4483-8999-9F939C8161F2} - C:\Program Files\eREAD\eREAD\WebHook.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {92B255FE-94E2-4BCA-958D-3926CE38913F} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Foxy 下載 - res://G:\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy 搜尋 - res://G:\Foxy\Foxy.exe/search.htm
O8 - Extra context menu item: 上傳到QQ網路硬碟 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 新增到QQ自定義面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 新增到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 添加到QQ自定義面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ MMS傳送該圖片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: 用QQ彩信發送該圖片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: 騰訊QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: QQ嚃粗馱撿沭扢离 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\WINDOWS\system32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://kaspersky.geek.com.tw/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {272B8D21-5304-4529-BD3D-1CF392342F7D} (MegaICBC XCsp) - https://netbank.megabank.com.tw/natm/MEGAATM.CAB
O16 - DPF: {2D6F8C95-63E2-441E-8A84-983DE940DA71} (SCUtils Class) - https://tw.playsafecard.gamania.com/FSSCUtilATL.cab
O16 - DPF: {4BDD5670-7D6C-4735-8820-6775A2C37CB2} (Web_Launcher Control) - http://redonline.redbana.tw/Game_Exe/Web_Launcher.cab
O16 - DPF: {596AC026-B204-4E26-8B2B-65797BF599D0} (KENP11Crypt Class) - https://tw.playsafecard.gamania.com/FSP11CryptATL.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/ZH-TW/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5FFA5501-B770-4301-8FAD-D87DECE0AC62} (BOOCATM Control) - https://eatm.booc.com.tw/eATM-jsfile/jsfile/BOOCATM.cab
O16 - DPF: {77B7220A-0F9C-47FA-907A-C9C97625E00B} (FESCWebATM Control) - https://payment.fesc.com.tw/lib/FesNetCliAPI_popup.cab
O16 - DPF: {81F3CC2E-5F40-41A5-9FCA-6DAAA6051D46} (ClientATXCtrl Control) - http://www.wayi.com.tw/gameup/ClientATXCtrl.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {F0754118-706B-4E14-8ED9-96E7A18DB894} (XCSP Class) - https://netbank.esunbank.com.tw/webatm/cabs/esuncsp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{43FF7BF3-7C1F-47E4-9A80-A2298066EC7B}: NameServer = 168.95.192.1 168.95.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{43FF7BF3-7C1F-47E4-9A80-A2298066EC7B}: NameServer = 168.95.192.1 168.95.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{43FF7BF3-7C1F-47E4-9A80-A2298066EC7B}: NameServer = 168.95.192.1 168.95.1.1
O23 - Service: B9D7E36B - Unknown owner - C:\WINDOWS\system32\570AB171.EXE (file missing)
O23 - Service: GemSAFE Card Server - Gemplus - C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 8399 bytes

Both reports have been copied.... Thanks~~

Last edited: 2008-11-13 13:18:13 ◆ Origin: <61.229.76.xxx>

#691 RE: ⊙Malware & Hacking Remediation⊙ Disinfection, Analysis, Consultation, Security

Posted: 2008-11-13 16:09:48

all123456(不是)

Frost Mushroom Growing on Deadwood LV15 / / Novice

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:07:19 PM, on 2008/11/13
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\FixCamera.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Comodo\Firewall\cpf.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live 登入小幫手 - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [vmware-tray] "C:\Program Files\VMware\VMware Workstation\vmware-tray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: 使用影音傳送帶下載 - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: 使用影音傳送帶下載全部連結 - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O9 - Extra button: 發佈至部落格 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: 使用 Windows Live Writer 發佈至部落格(&B) - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1210004361642
O16 - DPF: {81F3CC2E-5F40-41A5-9FCA-6DAAA6051D46} (ClientATXCtrl Control) - http://www.wayi.com.tw/gameup/ClientATXCtrl.CAB
O16 - DPF: {C70E8BB2-849B-478E-828E-9F71729C86B2} (ATXWSM Control) - http://download.wayi.com.tw/download/WSM/ATXWSM.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{515FD3E4-555E-439A-A4DE-F75E02E9A441}: NameServer = 168.95.192.1 168.95.1.1
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 8278 bytes

Could you help analyze this? Thanks for your hard work!!

※ Quoting all123456 (不是):

I wanted to ask, do you recognize the following programs?
> C:\WINDOWS\FixCamera.exe
> C:\WINDOWS\tsnp2std.exe
> C:\WINDOWS\vsnp2std.exe
FixCamera.exe I don't recognize.
tsnp2std.exe and vsnp2std.exe are my webcam's programs.
The VM I know about, since I installed it to learn Linux.
Thanks.
Last edited: 2008-11-14 03:49:22 ◆ Origin: <122.124.167.xxx>

#692 RE: ⊙Malware & Hacking Remediation⊙ Disinfection, Analysis, Consultation, Security

Posted: 2008-11-13 20:18:56

lordzpipo92(pipo)

Apprentice Starting to XD LV10 / / Novice

Hello, here is mine, please take a look.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:09:06 PM, on 2008/11/13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\npkcmsvc.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\TTPlayer\TTPlayer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\mspaint.exe
C:\WINDOWS\system32\svchost.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\迅雷下載\ComDlls\TDAtOnce_Now.dll (file missing)
O2 - BHO: ThunderBHO - {6A19C29C-ED45-4483-8999-9F939C8161F2} - C:\Program Files\迅雷下載\ComDlls\xunleiBHO_Now.dll (file missing)
O2 - BHO: AddTask Class - {6A19C29D-ED45-4483-8999-9F939C8161F2} - C:\Program Files\eREAD\eREAD\WebHook.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Megaupload Toolbar - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: Megaupload Toolbar - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Computer Alarm Clock] C:\Program Files\Computer Alarm Clock\cac.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User '?')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User '?')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User '?')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User '?')
O4 - HKUS\S-1-5-21-1614895754-412668190-682003330-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User '?')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 使用迅雷下載 - C:\Program Files\迅雷下載\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下載全部鏈接 - C:\Program Files\迅雷下載\Program\getallurl.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://nprotect.lineage2.com.tw/nProtect/netizen2007/ncsoft/npkcx_inca.cab
O16 - DPF: {DC4207CE-C03E-4449-ACB1-032CA4137053} (Npz Control) - https://nprotect.lineage2.com.tw/nProtect/netizen2004/ncsoft/npz.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F97B7ED-9CEA-45B4-8B78-8465A92A8B65}: NameServer = 139.175.55.244
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcmsvc.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 5220 bytes
Plus a screenshot of an unknown connection; I don't understand what this is either.
Also, regarding Megaupload: since I often need to download things from there, I probably won't remove it.
http://img370.imageshack.us/my.php?image=72640073oj0.jpg
Last edited: 2008-11-13 20:18:56 ◆ Origin: <60.53.89.xxx>

#693 RE: ⊙Malware & Hacking Remediation⊙ Disinfection, Analysis, Consultation, Security

Posted: 2008-11-13 21:44:33

lsk21342134(錡錡)

Shadow Warrior Waiting to Strike LV17 / / Thief

About the two new reports I posted yesterday:
it may be because I didn't clear all the objects with Malwarebytes' Anti-Malware.
Today I wanted to rescan,
but...

this appeared.
Malwarebytes' Anti-Malware won't open...
Reinstalling it didn't help either.

If this can't be used any more,
I hope you can give me something else.
The computer really is acting strange = =

Last edited: 2008-11-13 21:44:33 ◆ Origin: <125.232.68.xxx>

#694 RE: ⊙Malware & Hacking Remediation⊙ Disinfection, Analysis, Consultation, Security

Posted: 2008-11-14 00:22:51

youi6978(生命誠可貴)

Shadow Warrior Waiting to Strike LV16 / / Monk

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:48 AM, on 2008/11/14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LEXMA\3D Wheel Laser Mouse\1.0a\ACQTMAPP.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LEXMA\3D Wheel Laser Mouse\1.0a\ACQHIDCL.DAT
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\Administrator\桌面\FreeGrab 1.2.3.4.5\FreeGrab.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Garena\Garena.exe
C:\Program Files\TTPlayer\TTPlayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [ACQTMOUSE] "C:\Program Files\LEXMA\3D Wheel Laser Mouse\1.0a\ACQTMAPP.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: 下載編碼內容(S&martGet) - C:\Documents and Settings\Administrator\桌面\SmartGet1.45\dl_text.html
O8 - Extra context menu item: 使用S&martGet下載 - C:\Documents and Settings\Administrator\桌面\SmartGet1.45\dl_link.htm
O8 - Extra context menu item: 全部使用Smart&Get下載 - C:\Documents and Settings\Administrator\桌面\SmartGet1.45\dl_all.htm
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {71CBAA62-E60D-4C12-9AE8-7933946A2FDB} (CheckOCX Control) - http://elearn.ntou.edu.tw/ts_player/tsload.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{227CCB5A-98FC-4675-BE65-83CCFE349C97}: NameServer = 168.95.192.1 168.95.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{227CCB5A-98FC-4675-BE65-83CCFE349C97}: NameServer = 168.95.192.1 168.95.1.1
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe

--
End of file - 6692 bytes

Please take a look, experts.
Last edited: 2008-11-14 00:22:51 ◆ Origin: <220.136.11.xxx>

#695 RE: ⊙Malware & Hacking Remediation⊙ Disinfection, Analysis, Consultation, Security

Posted: 2008-11-14 01:25:04

lawlaw()

Bounty Hunter LV39 / / Swordsman

※ Quoting maeasy ():

Now, in HijackThis, tick the entries below and click Fix checked:

> O2 - BHO: AddTask Class - {6A19C29D-ED45-4483-8999-9F939C8161F2} - C:\Program Files\eREAD\eREAD\WebHook.dll (file missing)
> O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
> O3 - Toolbar: (no name) - {92B255FE-94E2-4BCA-958D-3926CE38913F} - (no file)
> O23 - Service: B9D7E36B - Unknown owner - C:\WINDOWS\system32\570AB171.EXE (file missing)
> O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

Then go to the free Kaspersky online scanner, scan the computer once, and post the resulting report.
http://www.kaspersky.com/virusscanner
Click "Kaspersky Online Scanner" and it will start.
If it can't scan, you may need to update your Sun Java.

After the scan finishes, look carefully in the report for whether these two files appear:

> C:\Program Files\Tencent\TT\TTraveler.exe
> O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe

If they don't, please upload them to www.virustotal.com to check.

The items below are ActiveX controls; I'd like to know whether you recognize them, including:
netbank.megabank.com.tw
eatm.booc.com.tw
payment.fesc.com.tw
netbank.esunbank.com.tw

> O16 - DPF: {272B8D21-5304-4529-BD3D-1CF392342F7D} (MegaICBC XCsp) - https://netbank.megabank.com.tw/natm/MEGAATM.CAB
> O16 - DPF: {5FFA5501-B770-4301-8FAD-D87DECE0AC62} (BOOCATM Control) - https://eatm.booc.com.tw/eATM-jsfile/jsfile/BOOCATM.cab
> O16 - DPF: {77B7220A-0F9C-47FA-907A-C9C97625E00B} (FESCWebATM Control) - https://payment.fesc.com.tw/lib/FesNetCliAPI_popup.cab
> O16 - DPF: {F0754118-706B-4E14-8ED9-96E7A18DB894} (XCSP Class) - https://netbank.esunbank.com.tw/webatm/cabs/esuncsp.cab

Finally, reboot into Safe Mode and delete C:/Windows/ALCMTR.EXE

In your next reply, please attach:
1. the Kaspersky scan report
2. the VirusTotal check result
Last edited: 2008-11-14 01:25:04 ◆ Origin: <72.166.136.xxx>
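The review lawlaw performs in the post above (O2/O3/O23 entries whose registry keys point at files that no longer exist, a service with no recorded owner, the Alcmtr resource hog, and the ActiveX download hosts the user is asked to recognize) can be applied mechanically to any pasted HijackThis log. The script below is an added example, not code from this thread or from HijackThis itself: the sample lines are copied from maeasy's log (#690), the O4/O16/O17/O23 line layouts are taken from the log format as printed above, and the rule that an eight-hex-digit service name deserves a second look is this example's own heuristic, not something the thread states.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: lines copied from the HijackThis log posted above (maeasy, #690),
# trimmed to the entries the triage rules react to plus a few benign controls.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AddTask Class - {6A19C29D-ED45-4483-8999-9F939C8161F2} - C:\Program Files\eREAD\eREAD\WebHook.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {92B255FE-94E2-4BCA-958D-3926CE38913F} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O16 - DPF: {272B8D21-5304-4529-BD3D-1CF392342F7D} (MegaICBC XCsp) - https://netbank.megabank.com.tw/natm/MEGAATM.CAB
O16 - DPF: {5FFA5501-B770-4301-8FAD-D87DECE0AC62} (BOOCATM Control) - https://eatm.booc.com.tw/eATM-jsfile/jsfile/BOOCATM.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{43FF7BF3-7C1F-47E4-9A80-A2298066EC7B}: NameServer = 168.95.192.1 168.95.1.1
O23 - Service: B9D7E36B - Unknown owner - C:\WINDOWS\system32\570AB171.EXE (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
"""

HJT_LINE = re.compile(r"^(?P<section>[ORFN]\d+) - (?P<body>.+)$")
O23_SERVICE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O16_DPF = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<desc>[^)]*)\) - (?P<url>\S+)")
O17_DNS = re.compile(r"NameServer = (?P<servers>.+)$")
O4_RUN = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O23"
    rule: str      # which triage rule fired
    detail: str    # the interesting part of the entry
    line: str      # the full log line, exactly as it must be ticked in HijackThis


def triage(log_text: str) -> list[Finding]:
    """Run the thread's review rules over every O-line of a HijackThis log."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue                      # header, "Running processes", footer
        section, body = m.group("section"), m.group("body")

        # Rule 1 (any section): the registry still points at a file that is gone.
        # HijackThis prints "(no file)" / "(file missing)"; lawlaw has these fixed.
        if "(no file)" in body or "(file missing)" in body:
            findings.append(Finding(section, "orphan", body, line))

        if section == "O23":
            s = O23_SERVICE.match(body)
            if s:
                name, owner = s.group("name"), s.group("owner").strip()
                if owner == "Unknown owner":   # no company/signer recorded
                    findings.append(Finding(section, "unknown_owner", name, line))
                # Heuristic of this example (not from the thread): an 8-hex-digit
                # service name looks machine-generated, as B9D7E36B does above.
                if re.fullmatch(r"[0-9A-F]{8}", name):
                    findings.append(Finding(section, "hex_service_name", name, line))
        elif section == "O4":
            r = O4_RUN.match(body)
            # Realtek's ALCMTR is the resource hog lawlaw removes; not malware.
            if r and r.group("name").lower() == "alcmtr":
                findings.append(Finding(section, "resource_hog", r.group("cmd"), line))
        elif section == "O16":
            d = O16_DPF.match(body)
            if d:   # downloaded ActiveX: surface the host for the user to recognise
                host = urlsplit(d.group("url")).hostname
                findings.append(Finding(section, "activex_host",
                                        f"{host} ({d.group('desc')})", line))
        elif section == "O17":
            d = O17_DNS.search(body)
            if d:   # configured DNS servers, to compare against the ISP's own
                for ip in d.group("servers").split():
                    findings.append(Finding(section, "nameserver", ip, line))
    return findings


def by_rule(findings: list[Finding]) -> dict[str, list[str]]:
    grouped: dict[str, list[str]] = {}
    for f in findings:
        grouped.setdefault(f.rule, []).append(f.detail)
    return grouped


def fix_checklist(findings: list[Finding]) -> list[str]:
    """Lines to tick before 'Fix checked': orphans plus the known resource hog."""
    seen, out = set(), []
    for f in findings:
        if f.rule in ("orphan", "resource_hog") and f.line not in seen:
            seen.add(f.line)
            out.append(f.line)
    return out


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for rule, details in by_rule(found).items():
        print(f"[{rule}]")
        for d in details:
            print("   ", d)
    print("\nTick these in HijackThis, then Fix checked:")
    for line in fix_checklist(found):
        print("   ", line)
```

Run against the sample, `fix_checklist` returns exactly the five entries lawlaw asked maeasy to fix; the `activex_host` and `nameserver` findings are not verdicts, only the lists a helper would paste back to the user with the question "do you recognize these?", which is how the thread treats them.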

#696 RE: ⊙Malware & Hacking Remediation⊙ Disinfection, Analysis, Consultation, Security

Posted: 2008-11-14 01:32:43

lawlaw()

Bounty Hunter LV39 / / Swordsman

※ Quoting all123456 (不是):

I wanted to ask, do you recognize the following programs?
> C:\WINDOWS\FixCamera.exe
> C:\WINDOWS\tsnp2std.exe
> C:\WINDOWS\vsnp2std.exe

And do you recognize these VMware programs?
> O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
> O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
> O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
> O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

The following is not a trojan, it just eats resources, so I recommend removing it.
To remove it, tick this entry in HijackThis and click Fix checked.
Then reboot into Safe Mode and delete C:/Windows/ALCMTR.EXE.
> O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
Last edited: 2008-11-14 01:32:43 ◆ Origin: <72.166.136.xxx>

#697 RE: ⊙Malware & Hacking Remediation⊙ Disinfection, Analysis, Consultation, Security

Posted: 2008-11-14 01:39:32

lawlaw()

Bounty Hunter LV39 / / Swordsman

※ 引述《lordzpipo92 (pipo)》之銘言:
> C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
> O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win

Do you recognise this FreeRAM XP Pro program?

> O2 - BHO: Megaupload Toolbar - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
> O3 - Toolbar: Megaupload Toolbar - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

The Megaupload Toolbar counts as a high-risk toolbar: it makes it easier for malicious programs to get into your
computer, so you may want to consider removing it.
Last edited: 2008-11-14 01:39:32 ◆ Origin: <72.166.136.xxx>

#698 RE: ⊙Virus & Hacker Handling⊙ Malware Removal, Analysis, Consultation, Security

Posted: 2008-11-14 01:41:35

lawlaw()

Bounty Hunter LV39 / / Swordsman
Coins: 91167
GP: 700
Experience:

※ Quoting lsk21342134 (錡錡):
> The two new reports I posted yesterday
> may be because Malwarebytes' Anti-Malware did not clean all the objects.
> Today I wanted to rescan,
> but...
> this appeared.
> Malwarebytes' Anti-Malware won't open...
> Reinstalling gives the same result.
> If it can't be used any more,
> I hope you can give me something else.
> My computer is really acting strange = =

It's just a language setting problem. First go to Start > Run and type regedit, then in the left pane of that
window find the following folder:
HKEY_CURRENT_USER > Software > Malwarebytes' Anti-malware
Then in the right pane double-click on language and enter chineseTR.lng.
Close regedit and you will be able to open Malwarebytes again.
Last edited: 2008-11-14 01:41:35 ◆ Origin: <72.166.136.xxx>

#699 RE: ⊙Virus & Hacker Handling⊙ Malware Removal, Analysis, Consultation, Security

Posted: 2008-11-14 01:46:06

lawlaw()

Bounty Hunter LV39 / / Swordsman
Coins: 91167
GP: 700
Experience:

※ Quoting youi6978 (生命誠可貴):
> C:\Documents and Settings\Administrator\桌面\FreeGrab 1.2.3.4.5\FreeGrab.exe

Do you recognise this FreeGrab program?
Last edited: 2008-11-14 01:46:06 ◆ Origin: <72.166.136.xxx>

#700 RE: ⊙Virus & Hacker Handling⊙ Malware Removal, Analysis, Consultation, Security

Posted: 2008-11-14 20:17:29

arsarsars28(落雲飄揚慕凡心)

Night Walker Moon Scar LV24 / / Swordsman
Coins: 15146
GP: 197
Experience:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 下午 08:14:27, on 2008/11/14
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\winsys2.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
E:\雜七雜八\Thunder 5.8.1.507 美化版\Program\Thunder5.exe
E:\雜七雜八\mplayerc1.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo!奇摩捷徑列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - E:\雜七雜八\Thunder 5.8.1.507 美化版\ComDlls\TDAtOnce_Now.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - E:\雜七雜八\Thunder 5.8.1.507 美化版\ComDlls\xunleiBHO_Now.dll (file missing)
O2 - BHO: Windows Live 登入小幫手 - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ALiBaBar_Helper - {CE439C63-384A-747A-A357-23D96B5D652B} - C:\PROGRA~1\ALiBaBar\ALiBaBar.dll
O3 - Toolbar: ALiBaBar - {0A1375E1-56C2-11D6-8E45-8933A0FB5235} - C:\PROGRA~1\ALiBaBar\ALiBaBar.dll
O3 - Toolbar: Yahoo!奇摩捷徑列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe
O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ezHelper] "C:\Program Files\ezHelper\ezHelper.exe" 300
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: 下載編碼內容(S&martGet) - E:\雜七雜八\SmartGet1.45.1\dl_text.html
O8 - Extra context menu item: 使用S&martGet下載 - E:\雜七雜八\SmartGet1.45.1\dl_link.htm
O8 - Extra context menu item: 使用迅雷下載 - E:\雜七雜八\Thunder 5.8.1.507 美化版\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下載全部鏈接 - E:\雜七雜八\Thunder 5.8.1.507 美化版\Program\getallurl.htm
O8 - Extra context menu item: 全部使用Smart&Get下載 - E:\雜七雜八\SmartGet1.45.1\dl_all.htm
O8 - Extra context menu item: 剪貼簿文字:  簡 > 繁 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToTrad
O8 - Extra context menu item: 剪貼簿文字:  繁 > 簡 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToSim
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 網頁:  [簡體] 顯示 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToSim
O8 - Extra context menu item: 網頁:  [繁體] 顯示 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToTrad
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: 網頁防護統計 - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\prxernsp.dll
O10 - Unknown file in Winsock LSP: prxerdrv.dll
O10 - Unknown file in Winsock LSP: prxerdrv.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {10060452-A92B-4427-8E06-46904B8A3678} (OMG Control) - http://luna.omg.com.tw/ActiveX/omg.cab
O16 - DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} (NowStarter Control) - http://www.gogobox.com.tw/neo.fld/GNowStarter.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{456614C2-538C-4B68-B4DC-105406B9B446}: NameServer = 168.95.192.1 168.95.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{456614C2-538C-4B68-B4DC-105406B9B446}: NameServer = 168.95.192.1 168.95.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{4DC879DA-5BF1-4F1D-B776-D4C86400FCD6}: NameServer = 203.64.38.99,203.64.38.100
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 8195 bytes

Could the kind-hearted experts please take a look at where the problems are,
or whether the machine is infected or the like. Many thanks.

Last edited: 2008-11-14 20:17:29 ◆ Origin: <59.115.204.xxx>
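A small triage helper for logs in the HijackThis format posted above, added here as an example and not a tool from this thread or from HijackThis itself. It parses the entry lines and flags the kinds of items lawlaw keeps asking posters to verify: BHOs whose file is missing, O4 autoruns given only as a bare name (like ALCMTR.EXE), Winsock LSPs HijackThis cannot identify, O16 ActiveX download hosts, O17 nameservers and services with no owner. The sample entries are constructed, modelled on the log in this post.

```python
import re
from urllib.parse import urlparse
# Constructed sample entries in HijackThis v2 log format, modelled on the log in this post.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - E:\dl\xunleiBHO_Now.dll (file missing)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\prxernsp.dll
O16 - DPF: {10060452-A92B-4427-8E06-46904B8A3678} (OMG Control) - http://luna.omg.com.tw/ActiveX/omg.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{456614C2}: NameServer = 168.95.192.1 168.95.1.1
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")

def parse_hjt(text):
    """Yield (section, body) for each entry line; headers, blanks and the process list are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")

def triage(text):
    """Return [(section, reason, body)] for entries a reviewer should verify by hand."""
    flags = []
    for sec, body in parse_hjt(text):
        reason = None
        if "(file missing)" in body or "(no file)" in body:
            reason = "dangling entry: its target file no longer exists"
        elif sec == "O4":
            m = re.search(r"\] (.*)$", body)
            cmd = m.group(1).strip() if m else ""
            exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ")[0]
            if exe and "\\" not in exe:  # bare name resolved via PATH: locate the file before judging it
                reason = f"autorun with bare executable name {exe}"
        elif sec == "O10":
            reason = "Winsock LSP that HijackThis does not recognise: identify its vendor first"
        elif sec == "O16":
            host = urlparse(body.rsplit(" - ", 1)[-1]).hostname
            reason = f"ActiveX control downloaded from {host}: confirm you actually use this site"
        elif sec == "O17" and "NameServer = " in body:
            servers = re.split(r"[,\s]+", body.split("NameServer = ", 1)[1].strip())
            reason = "DNS servers " + ", ".join(servers) + ": confirm they belong to your ISP"
        elif sec == "O23" and "Unknown owner" in body:
            reason = "service with no vendor information"
        if reason:
            flags.append((sec, reason, body))
    return flags
```

Call `triage(SAMPLE_LOG)`, or pass in the contents of a saved HijackThis log, to get the list of entries worth checking; a flag is a prompt to verify, not a verdict.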
