
[Solved] Cannot use IE, IE browser goes blank

In short:

1. When I open Internet Explorer it does not work properly: the page is completely blank, but it is not "Not Responding". Clicking the IE menu bar (File, Edit, View, etc.) only drops the menus down; none of the items can be opened, and clicking [Tools] > [Internet Options] pops up the message "這個作業已經取消,因為這個電腦受到限制。請和系統管理員連絡。" (the English build's wording of this dialog: "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator."). (I have checked the network; the connection is fine.)

2. Every time the computer is restarted, all browsing history is deleted.

The HijackThis report follows.

Thanks to all the moderators.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:49:45, on 19/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\KIS2007\KWatch.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\AhnRpta.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\KIS2007\KPfwSvc.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
E:\Alcohol\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\KIS2007\KMailMon.EXE
E:\Online TV\PPStream\ppsap.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - E:\BT\123\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Skype Control Class - {9018F6A8-2495-45DF-9F16-C738F8F3C8FF} - C:\WINDOWS\system32\SkypeComm.dll
O2 - BHO: Windows Live 登入小幫手 - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: WinAVI FLVSense - {E8DF67A1-B618-4F3F-9E7C-CBE175ADEF5B} - E:\WinAVI FLV Converter\FLVTune.dll (file missing)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] ; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PPHIDPAD] ; C:\WINPENJR\Win32\pphidpad.exe
O4 - HKLM\..\Run: [HP Software Update] ; "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] ; "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [NvCplDaemon] ; RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] ; nwiz.exe /install
O4 - HKLM\..\Run: [PCSuiteTrayApplication] ; C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [KavStart] "C:\KIS2007\KAVStart.exe" -startup
O4 - HKLM\..\Run: [IMEKRMIG6.1] ; C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] ; C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [DAEMON Tools-1033] ; "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [NvMediaCenter] ; RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Flashget] C:\PROGRA~1\FlashGet\FlashGet.exe /min
O4 - HKLM\..\Run: [Hotplug] ; C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\hot_plug.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] ; C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [NeroFilterCheck] ; C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] ; "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] ; C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [DAEMON Tools Lite] ; "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [MSMSGS] ; "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PPS Accelerator] E:\Online TV\PPStream\ppsap.exe
O4 - HKCU\..\Run: [dorfgwe] C:\WINDOWS\system32\uret463.exe
O4 - HKCU\..\Run: [anhtaaa] C:\WINDOWS\system32\kacsde.exe
O4 - HKCU\..\Run: [rwasds] C:\WINDOWS\system32\huwesa.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download FLV by WinAVI... - E:\WinAVI FLV Converter\flv_link.htm
O8 - Extra context menu item: &使用 FlashGet 下載 - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: &使用BitComet下載本頁視訊 - res://E:\BT\123\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &全部使用 FlashGet 下載 - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Foxy 下載 - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy 搜尋 - res://C:\Program Files\Foxy\Foxy.exe/search.htm
O8 - Extra context menu item: 使用BitComet下載全部連結 - res://E:\BT\123\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: 使用BitComet下載連結(&B) - res://E:\BT\123\BitComet\BitComet.exe/AddLink.htm

[ Last edited by onor on 2009-7-12 05:09 PM ]




O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://E:\BT\123\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\FlashGet.exe
O9 - Extra button: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - E:\WinAVI FLV Converter\FLVTune.dll (file missing)
O9 - Extra 'Tools' menuitem: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - E:\WinAVI FLV Converter\FLVTune.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {05BCE06B-A300-4C4E-A42F-4C04BCCDE63B} (TRLuncherROC Control) - http://weblogin.talesrunner.com.hk/TRLuncherROC.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/contr ... kPhotoUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/ ... e.cab?1199015408765
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} (NowStarter Control) - http://www.gogobox.com.tw/neo.fld/GNowStarter.cab
O16 - DPF: {A93FB56D-2F76-4DD7-8E38-9B1EB38C88A5} (SecureSession Class) - http://warranty.samsungmcs.com.hk:8080/plugIn/SecuiSECIE.cab
O16 - DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} (CCTVUpdateInstall) - http://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {BE34BAB0-0580-45BC-AEC8-E0EF00C11F57} (GTWebCom Control) - http://hkma.towergame.com/common/GTWebCom.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kingsoft Personal Firewall Service (KPfwSvc) - Kingsoft Corporation - C:\KIS2007\KPfwSvc.EXE
O23 - Service: Kingsoft Antivirus KWatch Service (KWatchSvc) - Kingsoft Corporation - C:\KIS2007\KWatch.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Alcohol\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 10477 bytes




Run a HijackThis scan of the computer, then tick the boxes to the left of the following items. Close all windows and browsers, click Fix checked, then close HijackThis.

O2 - BHO: Skype Control Class - {9018F6A8-2495-45DF-9F16-C738F8F3C8FF} - C:\WINDOWS\system32\SkypeComm.dll

O4 - HKCU\..\Run: [dorfgwe] C:\WINDOWS\system32\uret463.exe

O4 - HKCU\..\Run: [anhtaaa] C:\WINDOWS\system32\kacsde.exe

O4 - HKCU\..\Run: [rwasds] C:\WINDOWS\system32\huwesa.exe




Download OTM to the desktop

http://oldtimer.geekstogo.com/OTM.exe

  • Run OTM
  • Copy the bold black text below with the mouse and paste it into the Paste Instructions for Items to be Moved box of the OTMoveIt3 window:

    :files
    C:\WINDOWS\AhnRpta.exe
    C:\WINDOWS\system32\SkypeComm.dll
    C:\WINDOWS\system32\uret463.exe
    C:\WINDOWS\system32\kacsde.exe
    C:\WINDOWS\system32\huwesa.exe


  • Then click MoveIt! (if the program asks to restart the computer, click Yes)
  • Close OTM




Restart the computer. Download ComboFix to the desktop

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

  • Run ComboFix

    Note: to stop security software from wrongly flagging ComboFix as a dangerous file, temporarily disable your antivirus and anti-spyware software before running ComboFix. Also, while ComboFix is running, do not run any other program or click inside the ComboFix window with the mouse.

  • ComboFix will show a prompt; click Yes (Y)
  • If it asks to install the Recovery Console, click No (N)
  • The program will scan; the desktop may disappear temporarily during the scan. When the scan finishes, the program closes itself.
  • When it is done, ComboFix may restart the computer automatically. The ComboFix log then pops up; it is saved automatically to C:\ComboFix.txt
  • Paste the ComboFix log.






All Your Malware Are Belong To Us
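The items picked out above follow a pattern that is worth making explicit for anyone reading a HijackThis log for the first time: the three per-user (HKCU) Run values launch files with meaningless names straight out of system32, and the "Skype Control Class" BHO lives in system32 rather than under Program Files, where the other add-ons in the log sit. The script below is an added example for this thread (it is not part of HijackThis, OTM or ComboFix, and not the helper's own tooling): it parses O2 and O4 lines copied from the log posted above and flags entries by those two location rules. The rules themselves, the hard-coded `c:\windows\system32` path and the `ctfmon.exe` allowlist are assumptions chosen for illustration, not a stated method from this thread.

```python
"""Triage HijackThis O2 (BHO) and O4 (Run key) lines by where the file lives.

Added example for this thread; not part of HijackThis, OTM or ComboFix.
The location rules below are an illustrative assumption, not the helper's
stated method.
"""
import ntpath
import re
from dataclasses import dataclass

# Subset of lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Skype Control Class - {9018F6A8-2495-45DF-9F16-C738F8F3C8FF} - C:\WINDOWS\system32\SkypeComm.dll
O2 - BHO: WinAVI FLVSense - {E8DF67A1-B618-4F3F-9E7C-CBE175ADEF5B} - E:\WinAVI FLV Converter\FLVTune.dll (file missing)
O4 - HKLM\..\Run: [KavStart] "C:\KIS2007\KAVStart.exe" -startup
O4 - HKLM\..\Run: [MSPY2002] ; C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [NvCplDaemon] ; RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] ; "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PPS Accelerator] E:\Online TV\PPStream\ppsap.exe
O4 - HKCU\..\Run: [dorfgwe] C:\WINDOWS\system32\uret463.exe
O4 - HKCU\..\Run: [anhtaaa] C:\WINDOWS\system32\kacsde.exe
O4 - HKCU\..\Run: [rwasds] C:\WINDOWS\system32\huwesa.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)[^:]*?\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# First drive-letter path ending in an executable/DLL extension, quoted or not.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|com|bat|cmd)\b', re.IGNORECASE)

# Assumptions: XP default system root, and the only per-user system32 autostart
# expected on this box (ctfmon.exe, the text-services loader).
SYSTEM32 = r"c:\windows\system32"
HKCU_SYSTEM32_ALLOWLIST = {"ctfmon.exe"}


@dataclass(frozen=True)
class Entry:
    kind: str   # "O2" (BHO) or "O4" (Run value)
    hive: str   # registry hive for O4 entries, "" for O2
    name: str   # BHO display name or Run value name
    path: str   # normalised lower-case file path, "" if none could be found


@dataclass(frozen=True)
class Finding:
    entry: Entry
    reason: str


def extract_path(cmd: str) -> str:
    """Pull the launched file out of an O4 command line or O2 target.

    The leading '; ' on some O4 lines is a forum-rendering artifact and is dropped.
    """
    cmd = cmd.strip().lstrip(";").strip()
    if cmd.lower().startswith("(no file)"):
        return ""
    m = PATH_RE.search(cmd)
    if m:
        return ntpath.normpath(m.group(0)).lower()
    return cmd.split()[0].lower() if cmd else ""


def parse_hjt(text: str) -> list[Entry]:
    """Turn O2/O4 lines into Entry records; other HijackThis sections are ignored."""
    entries: list[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            entries.append(Entry("O2", "", m["name"], extract_path(m["target"])))
        elif m := O4_RE.match(line):
            entries.append(Entry("O4", m["hive"], m["name"], extract_path(m["cmd"])))
    return entries


def in_system32_root(path: str) -> bool:
    """True when the file sits directly in system32, not in a subfolder such as system32\\IME."""
    return bool(path) and ntpath.dirname(path) == SYSTEM32


def triage(entries: list[Entry]) -> list[Finding]:
    """Apply the two location rules and return the entries worth a closer look."""
    findings: list[Finding] = []
    for e in entries:
        if e.kind == "O2" and in_system32_root(e.path):
            findings.append(Finding(e, "BHO loaded straight from system32; add-ons normally live under Program Files"))
        elif (e.kind == "O4" and e.hive == "HKCU" and in_system32_root(e.path)
              and ntpath.basename(e.path) not in HKCU_SYSTEM32_ALLOWLIST):
            findings.append(Finding(e, "per-user Run value launching an unrecognised file from system32"))
    return findings


def triage_log(text: str) -> list[Finding]:
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.entry.kind} [{f.entry.name}] {f.entry.path}: {f.reason}")
```

Run as a script it prints exactly the four entries the helper asked to fix: the SkypeComm.dll BHO and the dorfgwe, anhtaaa and rwasds Run values. Everything else in the sample, including the HKLM entries that do launch from system32 (IME components, the NVIDIA rundll32 line), is left alone because the rules deliberately look only at per-user autostarts and BHOs, which is where a non-administrative infection can write without elevation.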


Here is the ComboFix report. Thank you, moderators.

ComboFix 09-06-24.05 - user 6/2009 Thu 23:21.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.950.886.1028.18.511.232 [GMT 8:00]
執行位置: c:\documents and settings\user\桌面\ComboFix.exe
AV: 金山毒霸檔案即時防毒 *On-access scanning disabled* (Outdated) {45EBBE4F-7185-4802-9286-13665DE6F3F1}
FW: Kingsoft Personal Firewall *enabled* {B32D173E-1363-4860-9B58-259427E43B98}
注意 - 這台電腦沒有安裝恢復控制台 !!
.
(((((((((((((((((((((((((((((((((((((((   被刪除的檔案   )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\user\LOCALS~1\Temp\E_4
c:\documents and settings\user\Application Data\ShoppingReport
c:\windows\DGStarter22.EXE
C:\0ohqxsdx.bat
C:\16onq.bat
C:\1bg.cmd
C:\1irqtv.cmd
C:\1jief.cmd
C:\1n.cmd
C:\1q8p0y.com
C:\23ft.exe
C:\3bo9tn.cmd
C:\3iugonx.com
C:\3wy1vm.cmd
C:\3yr1.cmd
C:\6.exe
C:\6o0.bat
C:\6vu680.com
C:\82i.cmd
C:\8nlo1q.cmd
C:\8oupido.bat
C:\9b8kmipy.com
C:\9dl.cmd
C:\a.exe
C:\af93gcf.exe
C:\autorun.inf
C:\b.bat
C:\b.cmd
C:\bn0.bat
C:\bsp.cmd
C:\clc3k.com
C:\d22xl.bat
C:\d8ur3qs.bat
C:\dgf.exe
C:\dgkx.exe
c:\docume~1\user\LOCALS~1\Temp\E_4\com.run
c:\docume~1\user\LOCALS~1\Temp\E_4\dp1.fne
c:\docume~1\user\LOCALS~1\Temp\E_4\eAPI.fne
c:\docume~1\user\LOCALS~1\Temp\E_4\internet.fne
c:\docume~1\user\LOCALS~1\Temp\E_4\krnln.fnr
c:\docume~1\user\LOCALS~1\Temp\E_4\RegEx.fnr
c:\docume~1\user\LOCALS~1\Temp\E_4\shell.fne
c:\docume~1\user\LOCALS~1\Temp\E_4\spec.fne
c:\documents and settings\user\Application Data\ShoppingReport\cs\Config.xml
c:\documents and settings\user\Application Data\ShoppingReport\cs\db\Aliases.dbs
c:\documents and settings\user\Application Data\ShoppingReport\cs\db\Sites.dbs
c:\documents and settings\user\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
c:\documents and settings\user\Application Data\ShoppingReport\cs\report\aggr_storage.xml
c:\documents and settings\user\Application Data\ShoppingReport\cs\report\send_storage.xml
c:\documents and settings\user\Application Data\ShoppingReport\cs\res2\WhiteList.dbs
C:\dsty.com
C:\e00233it.com
C:\e619e.cmd
C:\eg1.cmd
C:\g0.cmd
C:\ggl.cmd
C:\gmi1jxy.com
C:\gnwav.exe
C:\gxul.com
C:\gymussy.bat
C:\hqx292nu.exe
C:\igcmrtjw.cmd
C:\j.bat
C:\j0mpdkja.cmd
C:\j1.cmd
C:\jg.com
C:\kk.bat
C:\kya6l.bat
C:\ldgybkp.bat
C:\lj6hdv.com
C:\ll.exe
C:\mcmm.bat
C:\mt.com
C:\mt0.cmd
C:\n.com
C:\ndmego0f.cmd
C:\o93ml8.bat
C:\oc.cmd
C:\om.cmd
C:\otf.cmd
C:\pjwtv.cmd
c:\program files\INSTALL.LOG
C:\q1pady.cmd
C:\rf.cmd
C:\s6muem.cmd
C:\tlmjw.cmd
C:\tt.com
C:\uyfd9cck.cmd
C:\v0vj.exe
C:\vctio.com
C:\w6hikrv.com
C:\wg0kpd.bat
c:\windows\AhnRpta.exe
c:\windows\patch.exe
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\afmain0.dll
c:\windows\system32\afmain1.dll
c:\windows\system32\e8main0.dll
c:\windows\system32\godert0.dll
c:\windows\system32\godert1.dll
c:\windows\system32\jwedsfdo0.dll
c:\windows\system32\jwedsfdo1.dll
c:\windows\system32\jwedsfdo2.dll
c:\windows\system32\kxvo0.dll
c:\windows\system32\kxvo1.dll
c:\windows\system32\lhgjyit0.dll
c:\windows\system32\lhgjyit1.dll
c:\windows\system32\lhgjyit2.dll
c:\windows\system32\taskmagr.exe
c:\windows\system32\wmdmpmsvc.dll
c:\windows\system32\xactsrv.dll
C:\xwpehlv.com
C:\y6u.bat
C:\y9rlqi.cmd
C:\yfmqo.cmd
C:\yi9.exe
E:\0ohqxsdx.bat
E:\16onq.bat
E:\1bg.cmd
E:\1irqtv.cmd
E:\1jief.cmd
E:\1n.cmd
E:\1q8p0y.com
E:\23ft.exe
E:\3bo9tn.cmd
E:\3iugonx.com
E:\3wy1vm.cmd
E:\3yr1.cmd
E:\6o0.bat
E:\82i.cmd
E:\8nlo1q.cmd
E:\8oupido.bat
E:\9b8kmipy.com
E:\9dl.cmd
E:\af93gcf.exe
E:\Autorun.inf
E:\b.bat
E:\b.cmd
E:\bn0.bat
E:\bsp.cmd
E:\clc3k.com
E:\d22xl.bat
E:\d8ur3qs.bat
E:\dgf.exe
E:\dgkx.exe
E:\dsty.com
E:\e00233it.com
E:\e619e.cmd
E:\eg1.cmd
E:\g0.cmd
E:\ggl.cmd
E:\gmi1jxy.com
E:\gnwav.exe
E:\gxul.com
E:\gymussy.bat
E:\hqx292nu.exe
E:\igcmrtjw.cmd
E:\j.bat
E:\j0mpdkja.cmd
E:\j1.cmd
E:\jg.com
E:\kk.bat
E:\kya6l.bat
E:\ldgybkp.bat
E:\lj6hdv.com
E:\ll.exe
E:\mcmm.bat
E:\mt.com
E:\n.com
E:\ndmego0f.cmd
E:\o93ml8.bat
E:\oc.cmd
E:\om.cmd
E:\otf.cmd
E:\pjwtv.cmd
E:\q1pady.cmd
E:\rf.cmd
E:\s6muem.cmd
E:\tlmjw.cmd
E:\tt.com
E:\uyfd9cck.cmd
E:\v0vj.exe
E:\vctio.com
E:\w6hikrv.com
E:\wg0kpd.bat
E:\xwpehlv.com
E:\y6u.bat
E:\y9rlqi.cmd
E:\yfmqo.cmd
E:\yi9.exe
c:\windows\system32\schtasks.exe . . . 受感染!!
發現受感染 c:\windows\system32\spoolsv.exe 並且成功解毒
從 - c:\windows\system32\dllcache\spoolsv.exe 恢復原來檔案

[ Last edited by onor on 2009-6-25 11:58 PM ]



.
(((((((((((((((((((((((((((((((((((((((   驅動/服務   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KAVSYS
-------\Legacy_OREANS32
-------\Service_AVPsys
-------\Service_oreans32


(((((((((((((((((((((((((  2009-05-25 至 2009-06-25 的新的檔案  )))))))))))))))))))))))))))))))
.

2009-06-25 15:02 . 2009-06-25 15:02        --------        d-----w-        C:\_OTM
2009-06-25 14:42 . 2009-06-25 14:42        --------        d--h--w-        c:\windows\PIF
2009-06-24 05:12 . 2009-06-24 16:46        99581        --sh--r-        C:\9l66g8k1.com
2009-06-23 05:41 . 2009-06-23 17:00        100292        --sh--r-        C:\dmf.exe
2009-06-21 16:12 . 2009-06-25 01:46        81408        ------w-        c:\windows\system32\843wee0.dll
2009-06-20 14:12 . 2009-06-22 03:13        97727        --sh--r-        C:\yq.com
2009-06-19 02:37 . 2009-06-20 00:50        97868        --sh--r-        C:\chlf9.exe
2009-06-17 15:33 . 2009-06-18 14:41        99695        --sh--r-        C:\h2t6u.exe
2009-06-16 13:51 . 2009-06-17 15:01        100985        --sh--r-        C:\r.com
2009-06-13 01:13 . 2009-06-25 01:47        81408        --sh--r-        c:\windows\system32\843wee1.dll
2009-06-11 00:28 . 2009-06-11 15:19        103456        --sh--r-        C:\6r3p.com
2009-06-09 01:49 . 2009-06-09 23:29        102664        --sh--r-        C:\vpqdgkx.com
2009-05-29 03:15 . 2009-06-05 14:36        102218        --sh--r-        C:\jj2.com

.
((((((((((((((((((((((((((((((((((((((((   在三個月內被修改的檔案   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-25 15:18 . 2005-04-24 10:25        --------        d-----w-        c:\program files\FlashGet
2009-06-25 02:05 . 2006-06-12 18:51        --------        d-----w-        c:\documents and settings\user\Application Data\ppstream
2009-06-20 00:58 . 2001-09-17 12:00        84068        ----a-w-        c:\windows\system32\prfc0404.dat
2009-06-20 00:58 . 2001-09-17 12:00        257504        ----a-w-        c:\windows\system32\prfh0404.dat
2009-05-19 02:27 . 2009-05-15 14:07        103978        --sh--r-        C:\clc1al.com
2009-05-15 03:16 . 2009-05-13 17:35        104202        --sh--r-        C:\hsi.com
2009-05-07 16:24 . 2009-05-05 17:19        106442        --sh--r-        C:\utcn8c63.exe
2009-05-07 15:42 . 2004-08-04 12:00        339456        ----a-w-        c:\windows\system32\localspl.dll
2009-05-07 07:18 . 2005-05-03 03:20        --------        d-----w-        c:\documents and settings\user\Application Data\AdobeUM
2009-05-05 00:58 . 2009-05-04 19:41        105148        --sh--r-        C:\tg.com
2009-05-02 23:23 . 2009-05-02 23:23        --------        d-----w-        c:\documents and settings\All Users\Application Data\CCTV
2009-04-29 04:41 . 2009-04-29 04:41        6066176        ----a-w-        c:\windows\system32\SET1C.tmp
2009-04-29 04:41 . 2009-04-29 04:41        6066176        ------w-        c:\windows\system32\SET1A.tmp
2009-04-29 04:41 . 2009-04-29 04:41        268288        ----a-w-        c:\windows\system32\SET19.tmp
2009-04-29 04:41 . 2009-04-29 04:41        268288        ------w-        c:\windows\system32\SET17.tmp
2009-04-29 04:41 . 2004-08-04 12:00        78336        ----a-w-        c:\windows\system32\ieencode.dll
2009-04-29 04:41 . 2009-04-29 04:41        383488        ----a-w-        c:\windows\system32\SET1E.tmp
2009-04-29 04:41 . 2009-04-29 04:41        383488        ------w-        c:\windows\system32\SET1D.tmp
2009-04-29 04:41 . 2009-04-29 04:41        63488        ----a-w-        c:\windows\system32\SET24.tmp
2009-04-29 04:41 . 2009-04-29 04:41        63488        ------w-        c:\windows\system32\SET21.tmp
2009-04-29 04:41 . 2009-04-29 04:41        124928        ----a-w-        c:\windows\system32\SET27.tmp
2009-04-29 04:41 . 2009-04-29 04:41        124928        ------w-        c:\windows\system32\SET22.tmp
2009-04-19 20:08 . 2004-08-04 12:00        1846272        ----a-w-        c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2009-04-15 15:11        584192        ----a-w-        c:\windows\system32\SET92.tmp
2009-04-15 15:11 . 2004-08-04 12:00        584192        ----a-w-        c:\windows\system32\rpcrt4.dll
2009-04-15 09:56 . 2009-04-15 09:56        637952        ----a-w-        c:\windows\system32\SET93.tmp
2009-04-11 19:03 . 2005-04-24 10:01        93696        ----a-w-        c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-01-18 01:53 . 2009-01-16 17:41        129536        --sh--r-        c:\windows\system32\lhgjyit3.dll
2008-10-17 07:41 . 2008-10-17 07:41        15360        --sh--w-        c:\windows\system32\660B7F\winmcreg.exe
2008-10-25 17:54 . 2008-10-25 17:54        15360        --sh--w-        c:\windows\system32\660B7F\winncreg.exe
2008-11-04 12:59 . 2008-11-04 12:59        16896        --sh--w-        c:\windows\system32\660B7F\winocreg.exe
2008-11-12 19:39 . 2008-11-12 16:53        15872        --sh--w-        c:\windows\system32\660B7F\winqcreg.exe
2008-11-20 15:26 . 2008-11-20 15:26        16384        --sh--w-        c:\windows\system32\660B7F\winrcreg.exe
2008-11-25 03:36 . 2008-11-25 01:13        16384        --sh--w-        c:\windows\system32\660B7F\winscreg.exe
2008-11-29 16:53 . 2008-11-29 14:54        16896        --sh--w-        c:\windows\system32\660B7F\wintcreg.exe
2008-12-02 17:04 . 2008-12-02 17:04        16896        --sh--w-        c:\windows\system32\660B7F\winucreg.exe
2008-12-05 17:37 . 2008-12-05 17:37        16896        --sh--w-        c:\windows\system32\660B7F\winvcreg.exe
2008-12-09 16:58 . 2008-12-09 16:58        16896        --sh--w-        c:\windows\system32\660B7F\winxcreg.exe
2008-12-12 15:49 . 2008-12-12 15:49        16896        --sh--w-        c:\windows\system32\660B7F\winycreg.exe
2008-12-20 17:04 . 2008-12-20 17:04        16896        --sh--w-        c:\windows\system32\660B7F\winzareg.exe
2008-12-15 15:47 . 2008-12-15 15:47        16896        --sh--w-        c:\windows\system32\660B7F\winzcreg.exe
2008-10-17 07:34 . 2008-10-17 07:34        1514081        --sh--r-        c:\windows\system32\9E6DF6\634FBD.EXE
.




------- Sigcheck -------

[-] 2008-04-15 10:54        14336        3AECECC06B3C127F625A73BB6E01668C        c:\windows\SoftwareDistribution\Download\44efa6227a0729b233508b6f95c3fb71\svchost.exe
[-] 2004-08-04 12:00        14336        723BA2EFE4A16774E98F53D7AC6C71FD        c:\windows\system32\svchost.exe
[-] 2004-08-04 12:00        14336        723BA2EFE4A16774E98F53D7AC6C71FD        c:\windows\system32\dllcache\svchost.exe

[-] 2008-04-15 10:54        82432        EBF5E57B2E84FB3DB0A598364FAAE00C        c:\windows\SoftwareDistribution\Download\44efa6227a0729b233508b6f95c3fb71\ws2_32.dll
[-] 2004-08-04 12:00        82944        8A39164F7884644723CD7ACC913260AF        c:\windows\system32\ws2_32.dll
[-] 2004-08-04 12:00        82944        8A39164F7884644723CD7ACC913260AF        c:\windows\system32\dllcache\ws2_32.dll

[-] 2008-04-15 10:54        493568        0D07E75030839CF4A0A0D854484A7FEF        c:\windows\SoftwareDistribution\Download\44efa6227a0729b233508b6f95c3fb71\winlogon.exe
[-] 2004-08-04 12:00        487936        7189E588041174198281933EB2CA449C        c:\windows\system32\winlogon.exe
[-] 2004-08-04 12:00        487936        7189E588041174198281933EB2CA449C        c:\windows\system32\dllcache\winlogon.exe

[-] 2008-04-13 19:20        182656        1DF7F42665C94B825322FAE71721130D        c:\windows\SoftwareDistribution\Download\44efa6227a0729b233508b6f95c3fb71\ndis.sys
[-] 2004-08-04 12:00        182912        558635D3AF1C7546D26067D5D9B6959E        c:\windows\system32\dllcache\ndis.sys
[-] 2004-08-04 12:00        182912        558635D3AF1C7546D26067D5D9B6959E        c:\windows\system32\drivers\ndis.sys

[-] 2008-04-13 18:53        36608        3BB22519A194418D5FEC05D800A19AD0        c:\windows\SoftwareDistribution\Download\44efa6227a0729b233508b6f95c3fb71\ip6fw.sys
[-] 2004-08-04 12:00        29056        4448006B6BC60E6C027932CFC38D6855        c:\windows\system32\dllcache\ip6fw.sys
[-] 2004-08-04 12:00        29056        4448006B6BC60E6C027932CFC38D6855        c:\windows\system32\drivers\ip6fw.sys

[-] 2007-06-18 11:39        977920        3DDB98936B29019549C6FBABD86846E7        c:\windows\explorer.exe
[-] 2007-06-18 11:41        977920        D1822278F43E2850E03EF36D29686D4F        c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2004-08-04 12:00        976896        453888766DA789F18FBBF5B20E4BC17F        c:\windows\$NtUninstallKB938828$\explorer.exe
[-] 2008-04-15 10:54        978432        88057E7B74236C11098E4D4EEAC7DF5E        c:\windows\SoftwareDistribution\Download\44efa6227a0729b233508b6f95c3fb71\explorer.exe
[-] 2007-06-18 11:39        977920        3DDB98936B29019549C6FBABD86846E7        c:\windows\SoftwareDistribution\Download\9d5c1d99957d44de27929ec25364cf95\SP2GDR\explorer.exe
[-] 2007-06-18 11:41        977920        D1822278F43E2850E03EF36D29686D4F        c:\windows\SoftwareDistribution\Download\9d5c1d99957d44de27929ec25364cf95\SP2QFE\explorer.exe
[-] 2007-06-18 11:39        977920        3DDB98936B29019549C6FBABD86846E7        c:\windows\system32\dllcache\explorer.exe

[-] 2008-04-15 10:54        13312        4E09C68586CF236B9853FC7F93F69C62        c:\windows\SoftwareDistribution\Download\44efa6227a0729b233508b6f95c3fb71\lsass.exe
[-] 2004-08-04 12:00        13312        4BCA771A81625259AFFAA218E0111D76        c:\windows\system32\lsass.exe
[-] 2004-08-04 12:00        13312        4BCA771A81625259AFFAA218E0111D76        c:\windows\system32\dllcache\lsass.exe

[-] 2008-04-15 10:54        15360        4C97CBAD0CF9E6263C49CFA57BCCAEDD        c:\windows\SoftwareDistribution\Download\44efa6227a0729b233508b6f95c3fb71\ctfmon.exe
[-] 2004-08-04 12:00        15360        3BCEF6B66827EC0B9923D20E62D067BA        c:\windows\system32\ctfmon.exe
[-] 2004-08-04 12:00        15360        3BCEF6B66827EC0B9923D20E62D067BA        c:\windows\system32\dllcache\ctfmon.exe

[-] 2008-04-15 10:54        25088        A66E0579B78B8C1A62330BB124C9CD23        c:\windows\SoftwareDistribution\Download\44efa6227a0729b233508b6f95c3fb71\userinit.exe
[-] 2004-08-04 12:00        23552        F3A20A3C6A4DF7FE038F4CCA70080B10        c:\windows\system32\userinit.exe
[-] 2004-08-04 12:00        23552        F3A20A3C6A4DF7FE038F4CCA70080B10        c:\windows\system32\dllcache\userinit.exe

[-] 2008-04-15 10:54        286208        F1D722FAC699F6372D020A634ADC8361        c:\windows\SoftwareDistribution\Download\44efa6227a0729b233508b6f95c3fb71\termsrv.dll
[-] 2004-08-04 12:00        286208        741E5693774F23F222887B9E4C6826E5        c:\windows\system32\termsrv.dll
[-] 2004-08-04 12:00        286208        741E5693774F23F222887B9E4C6826E5        c:\windows\system32\dllcache\termsrv.dll

[-] 2008-04-15 10:54        17408        FB52B1E513761A3D13FDB8D52655476F        c:\windows\SoftwareDistribution\Download\44efa6227a0729b233508b6f95c3fb71\powrprof.dll
[-] 2004-08-04 12:00        17408        7040C2BCA7D6EFEEB14A807EAD9449DB        c:\windows\system32\powrprof.dll
[-] 2004-08-04 12:00        17408        7040C2BCA7D6EFEEB14A807EAD9449DB        c:\windows\system32\dllcache\powrprof.dll

[-] 2008-04-15 10:54        110080        F74927743F8D8F58C277D37C3F0DD7CB        c:\windows\SoftwareDistribution\Download\44efa6227a0729b233508b6f95c3fb71\imm32.dll
[-] 2004-08-04 12:00        110080        A37DE5013935401F52A31D6C3982D6C2        c:\windows\system32\imm32.dll
[-] 2004-08-04 12:00        110080        A37DE5013935401F52A31D6C3982D6C2        c:\windows\system32\dllcache\imm32.dll

[-] 2008-04-15 10:54        1570816        5A500070F303F0D2B3EB428E35B8C06C        c:\windows\SoftwareDistribution\Download\44efa6227a0729b233508b6f95c3fb71\sfcfiles.dll
[-] 2004-08-04 12:00        1546752        1680AD7B6FBD7CE495188A8A4CA3758B        c:\windows\system32\sfcfiles.dll
[-] 2004-08-04 12:00        1546752        1680AD7B6FBD7CE495188A8A4CA3758B        c:\windows\system32\dllcache\sfcfiles.dll

[-] 2008-04-15 10:54        146944        BC80756C9E2EA29D4EB345C94D53E78E        c:\windows\SoftwareDistribution\Download\44efa6227a0729b233508b6f95c3fb71\appmgmts.dll
[-] 2004-08-04 12:00        146944        31F504D66AA1F02C50709CDF48F28976        c:\windows\system32\appmgmts.dll
[-] 2004-08-04 12:00        146944        31F504D66AA1F02C50709CDF48F28976        c:\windows\system32\dllcache\appmgmts.dll

[-] 2008-04-15 10:36        23296        781A83EE8D53443539E54D4743437196        c:\windows\SoftwareDistribution\Download\44efa6227a0729b233508b6f95c3fb71\kbdclass.sys
[-] 2004-08-04 12:00        23424        8CCDD51821BBACD3DBA1AFA5E7C4D756        c:\windows\system32\drivers\kbdclass.sys
.




(((((((((((((((((((((((((((((((((((((   重要登入點   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白與合法缺省登錄將不會被顯示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"cSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 1449984]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-03-21 486856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"PS Accelerator"="e:\online tv\PPStream\ppsap.exe" [2008-12-11 210296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"PHIDPAD"="c:\winpenjr\Win32\pphidpad.exe" [2004-09-16 61440]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"CJIMETIPSYNC"="c:\program files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE" [2007-03-22 66400]
"HIMETIPSYNC"="c:\program files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE" [2007-03-22 98656]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"KavStart"="c:\kis2007\KAVStart.exe" [2007-11-09 139264]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-09-17 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-04-24 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-04-24 98304]
"Flashget"="c:\progra~1\FlashGet\FlashGet.exe" [2007-09-11 1998896]
"Hotplug"="c:\program files\Silicon Integrated Systems\SiSRaidPackage\hot_plug.exe" [2003-12-19 163840]
"Mirabilis ICQ"="c:\progra~1\ICQ\ICQNet.exe" [2003-10-14 38984]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-24 132496]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-25 437160]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^user^「開始」功能表^程式集^啟動^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^user^「開始」功能表^程式集^啟動^﹛﹛﹛.lnk]
path=c:\documents and settings\user\「開始」功能表\程式集\啟動\﹛﹛﹛.lnk
backup=c:\windows\pss\﹛﹛﹛.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"winvnc"=2 (0x2)
"NOD32krn"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ICQ\\Icq.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\ALI213\\bt.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Intuwave Ltd\\Shared\\mRouterRunTime\\mRouterRuntime.exe"=
"e:\\warcraft\\Warcraft III\\Warcraft III.exe"=
"e:\\BT\\123\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"e:\\Theme\\Nokia\\Carbide.ui S60 Theme Edition 3.1\\JRE\\bin\\javaw.exe"=
"c:\\Program Files\\NextLink\\GOGOBOX\\GFSCAgent.exe"=
"c:\\Program Files\\NextLink\\GOGOBOX\\gogobox.exe"=
"c:\\Program Files\\Foxy\\Foxy.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Online TV\\PPStream\\PPStream.exe"=
"e:\\Online TV\\PPStream\\PPSAP.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"e:\\PES2009\\KONAMI\\Pro Evolution Soccer 2009\\pes2009.exe"=
"e:\\PES2009\\pes2009.exe"=
"e:\\Kingsoft\\Powerword 2007\\xdict.exe"=
"e:\\Kingsoft\\Powerword 2007\\update.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"e:\\Online TV\\TVAnts\\Tvants.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7454:TCP"= 7454:TCP:BitComet 7454 TCP
"7454:UDP"= 7454:UDP:BitComet 7454 UDP
"21528:TCP"= 21528:TCP:BitComet 21528 TCP
"21528:UDP"= 21528:UDP:BitComet 21528 UDP
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009
"8144:TCP"= 8144:TCP:Foxy (192.168.1.100:8144) 8144 TCP
"8144:UDP"= 8144:UDP:Foxy (192.168.1.100:8144) 8144 UDP

R1 KNetWch;KNetWch;c:\kis2007\KNetWch.SYS [21/12/2007 12:29 24784]
R1 KWatch3;KWatch3;c:\windows\system32\drivers\KWatch3.SYS [21/12/2007 12:30 35328]
R1 ppmoucls;ppmoucls;c:\windows\system32\drivers\PPMOUCLS.SYS [6/8/2005 21:42 20704]
R1 pptchpadenPower Touchpad;c:\windows\system32\drivers\PPTCHPD5.SYS [6/8/2005 21:42 17216]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3/11/2006 19:19 13592]
S1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys --> c:\windows\system32\drivers\nod32drv.sys [?]
S3 pacdcacm;pacdcacm;c:\windows\system32\drivers\pacdcacm.sys [26/10/2005 1:40 26496]
S3 x800bus;Panasonic X800 Composite Device driver (WDM);c:\windows\system32\drivers\x800bus.sys [10/11/2005 21:02 52480]
S3 x800mdfl;Panasonic X800 Connectivity Filter Driver;c:\windows\system32\drivers\x800mdfl.sys [10/11/2005 21:03 6032]
S3 x800mdm;Panasonic X800 Connectivity Driver;c:\windows\system32\drivers\x800mdm.sys [10/11/2005 21:03 87040]
.
Contents of the 'Scheduled Tasks' folder

2009-06-25 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 11:20]

2009-06-21 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-03-15 10:15]

2009-06-25 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 14:18]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-dorfgwe - c:\windows\system32\uret463.exe


.



------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uStart Page = hxxp://hk.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: &Download FLV by WinAVI... - e:\winavi flv converter\flv_link.htm
IE: &使用 FlashGet 下載 - c:\progra~1\FlashGet\jc_link.htm
IE: &使用BitComet下載本頁視訊 - e:\bt\123\BitComet\BitComet.exe/AddVideo.htm
IE: &全部使用 FlashGet 下載 - c:\progra~1\FlashGet\jc_all.htm
IE: Foxy 下載 - c:\program files\Foxy\Foxy.exe/download.htm
IE: Foxy 搜尋 - c:\program files\Foxy\Foxy.exe/search.htm
IE: 使用BitComet下載全部連結 - e:\bt\123\BitComet\BitComet.exe/AddAllLink.htm
IE: 使用BitComet下載連結(&B) - e:\bt\123\BitComet\BitComet.exe/AddLink.htm
Handler: copernicagent - {A979B6BD-E40B-4A07-ABDD-A62C64A4EBF6} - c:\progra~1\COPERN~1\COPERN~1.DLL
Handler: copernicagentcache - {AAC34CFD-274D-4A9D-B0DC-C74C05A67E1D} - c:\progra~1\COPERN~1\COPERN~1.DLL
DPF: Microsoft XML Parser for Java
DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} - hxxp://www.gogobox.com.tw/neo.fld/GNowStarter.cab
DPF: {A93FB56D-2F76-4DD7-8E38-9B1EB38C88A5} - hxxp://warranty.samsungmcs.com.hk:8080/plugIn/SecuiSECIE.cab
DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} - hxxp://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
DPF: {BE34BAB0-0580-45BC-AEC8-E0EF00C11F57} - hxxp://hkma.towergame.com/common/GTWebCom.cab
.
.
------- File Associations -------
.
chm.file="hh.exe" %1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-25 23:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\KAV5CDC7.TMP 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.







--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1275210071-776561741-725345543-1003\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Access\Settings\/SQ *?eh?*A*g*e*G*r*o*u*p*'* *?.*.*.*\File Name MRU]
"Value"=multi:"\00\00"
"Maximum Entries"=dword:0000000a

[HKEY_USERS\S-1-5-21-1275210071-776561741-725345543-1003\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Access\Settings\/SQ *?eh?*A*g*e*G*r*o*u*p*'* *?.*.*.*\View]
"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
   90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,\

[HKEY_USERS\S-1-5-21-1275210071-776561741-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Atari\!j駤jW3*]
"Order"=hex:08,00,00,00,02,00,00,00,0c,00,00,00,01,00,00,00,00,00,00,00

[HKEY_USERS\S-1-5-21-1275210071-776561741-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\"Y{^?醰2*]
"Order"=hex:08,00,00,00,02,00,00,00,70,01,00,00,01,00,00,00,03,00,00,00,7a,00,
   00,00,00,00,00,00,6c,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,5a,00,36,\

[HKEY_USERS\S-1-5-21-1275210071-776561741-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\[\gY@l\        N W??袈V*]
"Order"=hex:08,00,00,00,02,00,00,00,7a,01,00,00,01,00,00,00,03,00,00,00,7c,00,
   00,00,00,00,00,00,6e,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,5c,00,36,\

[HKEY_USERS\S-1-5-21-1275210071-776561741-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\?q\烓8?*2*0*0*7* *2烓WY?\?f?e瀿]
"Order"=hex:08,00,00,00,02,00,00,00,08,02,00,00,01,00,00,00,04,00,00,00,7e,00,
   00,00,00,00,00,00,70,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,5e,00,36,\

[HKEY_USERS\S-1-5-21-1275210071-776561741-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\?q\烓8?*2*0*0*7* *2烓WY?\?q\烓8嬁wQ]
"Order"=hex:08,00,00,00,02,00,00,00,86,01,00,00,01,00,00,00,03,00,00,00,7a,00,
   00,00,00,00,00,00,6c,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,5a,00,36,\

[HKEY_USERS\S-1-5-21-1275210071-776561741-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\?窠?誁袈-*娓_jHr]
"Order"=hex:08,00,00,00,02,00,00,00,06,01,00,00,01,00,00,00,02,00,00,00,7c,00,
   00,00,00,00,00,00,6e,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,5c,00,36,\

[HKEY_LOCAL_MACHINE\software\Classes\*\shell\(u(g?nd?Y+^2*0*0*7*c柋\Command]
@="c:\\Documents and Settings\\user\\桌面\\木馬清除大師2007\\BeatTrojan.exe %1\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00D[x\04\00\00\00\00\00\00\00\00IME:2007-12-30 8:49"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CurVer]
@="BDATuner.元件.1"

[HKEY_LOCAL_MACHINE\software\Classes\Folder\shell\(u(g?nd?Y+^2*0*0*7*c柋\Command]
@="c:\\Documents and Settings\\user\\桌面\\木馬清除大師2007\\BeatTrojan.exe %1\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00D[x\04\00\00\00\00\00\00\00\00IME:2007-12-30 8:49"

[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lxxPNWKa\DefaultIcon]
@="c:\\PROGRA~1\\Ahead\\Nero\\nero.exe,14"

[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lxxPNWKa\shell\open\command]
@="c:\\PROGRA~1\\Ahead\\Nero\\nero.exe \"%1\""

[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lxxPNWKa\shell\print\command]
@="c:\\PROGRA~1\\Ahead\\Nero\\nero.exe /p \"%1\""

[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lxxPNWKa\shell\printto\command]
@="c:\\PROGRA~1\\Ahead\\Nero\\nero.exe /pt \"%1\" \"%2\" \"%3\" \"%4\""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\?_j袈b-*-NeHr]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,00,c0,0f,16,00,00,00,00,d4,2c,95,
   2c,5a,8e,c6,01,00,00,00,00,65,00,3a,00,5c,00,8d,9f,5f,6a,b3,50,7f,62,5c,00,\
"Changed"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\?_j袈b-*-NeHr]
"UninstallString"="c:\\WINDOWS\\IsUninst.exe -fe:\\龍機傳承\\i\\玩得\\Uninst.isu"
"DisplayName"="龍機傳承-中文版"

[HKEY_LOCAL_MACHINE\System\ControlSet004\Enum\Root\SYSTEM\0003]
@Denied: (Read) (LocalSystem)
@Allowed: (Read) (Administrators)
"DeviceDesc"="PnP BIOS Extension"
"ClassGUID"="{4D36E97D-E325-11CE-BFC1-08002BE10318}"
"Class"="System"
"HardwareID"=multi:"root\\d347bus\00\00"
"Driver"="{4D36E97D-E325-11CE-BFC1-08002BE10318}\\0025"
"Mfg"="(Standard system devices)"
"Service"="d347bus"
"ConfigFlags"=dword:00000000
"Capabilities"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet004\Enum\Root\SYSTEM\0003\LogConf]
@Allowed: (Read) (Administrators)
.



--------------------- Dlls Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2264)
c:\progra~1\FlashGet\fgmgr.dll
c:\kis2007\KMailOEBand.dll
c:\kis2007\KASocket.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\windows\system32\ConnAPI.DLL
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_chi-hk.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\program files\Panasonic\Panasonic X800 PC Software Suite\eccopyhook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\kis2007\KWatch.EXE
c:\windows\system32\conime.exe
c:\kis2007\KPFWSvc.EXE
c:\program files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
c:\windows\system32\nvsvc32.exe
e:\alcohol\Alcohol 120\StarWind\StarWindService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\WgaTray.exe
c:\kis2007\KMailMon.EXE
.
**************************************************************************
.
Completion time: 2009-06-25 23:41 - machine was rebooted
ComboFix-quarantined-files.txt  2009-06-25 15:41

Pre-Run: 1,693,687,808 bytes free
Post-Run: 8,175,747,072 bytes free

Current=4 Default=4 Failed=0 LastKnownGood=6 Sets=1,2,3,4,5,6
563        --- E O F ---        2009-06-24 02:40



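Added example, not part of any post in this thread: a small Python triage script that reads a ComboFix-style log and pulls out the items in the log above that a responder would act on first: Windows Firewall switched off on the standard profile, 3389/TCP (Remote Desktop) opened to any address, and the orphaned HKCU Run entry that pointed at a randomly named executable in system32. The sample text is copied from the log above and trimmed; the `[HKLM\~\Run]` header, the list of "sensitive" ports and the random-name heuristic are this example's own assumptions, not anything ComboFix reports.

```python
import re

# Constructed sample: lines copied from the ComboFix log in this thread and
# trimmed to the sections inspected below.  The "[HKLM\~\Run]" header is an
# assumption (the real header sits above the quoted excerpt).
SAMPLE_LOG = r"""
[HKLM\~\Run]
"KavStart"="c:\kis2007\KAVStart.exe" [2007-11-09 139264]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-24 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-25 437160]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7454:TCP"= 7454:TCP:BitComet 7454 TCP
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009
"8144:UDP"= 8144:UDP:Foxy (192.168.1.100:8144) 8144 UDP

- - - - ORPHANS REMOVED - - - -

HKCU-Run-dorfgwe - c:\windows\system32\uret463.exe
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
RUN_ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
OPEN_PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"')
ORPHAN_RE = re.compile(r"^(?P<key>\S+-Run-\S+) - (?P<path>\S.*)$", re.MULTILINE)

# Illustrative list (an assumption of this example): services that should not
# be reachable from anywhere on a home workstation.
SENSITIVE_PORTS = {135: "RPC", 139: "NetBIOS", 445: "SMB", 3389: "RDP", 5900: "VNC"}


def parse_sections(text):
    """Group the log into {section header: [lines]} using the '[...]' headers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("- - - -"):      # ComboFix banner, e.g. ORPHANS REMOVED
            current = None
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def looks_random(basename):
    """Crude heuristic: a file stem mixing letters with three or more digits
    (uret463) is unusual for vendor binaries.  Expect false positives; confirm
    with a hash lookup before acting on it."""
    stem = basename.rsplit(".", 1)[0]
    letters = sum(c.isalpha() for c in stem)
    digits = sum(c.isdigit() for c in stem)
    return letters >= 2 and digits >= 3


def in_drive_root(path):
    """True for an executable sitting directly in a drive root (the OTM lists
    in this thread are full of those)."""
    return re.fullmatch(r"[a-z]:\\[^\\]+", path, re.IGNORECASE) is not None


def suspicious_path(path):
    return looks_random(path.rsplit("\\", 1)[-1]) or in_drive_root(path)


def triage(text):
    """Return (severity, category, detail) tuples for the log excerpt."""
    findings = []
    for key, lines in parse_sections(text).items():
        low = key.lower()
        if low.endswith(r"firewallpolicy\standardprofile"):
            for line in lines:
                m = VALUE_RE.match(line)
                if m and m.group("name") == "EnableFirewall" and m.group("data").startswith("0"):
                    findings.append(("high", "firewall",
                                     "Windows Firewall disabled on the standard profile"))
        elif low.endswith(r"globallyopenports\list"):
            for line in lines:
                m = OPEN_PORT_RE.match(line)
                if m and int(m.group("port")) in SENSITIVE_PORTS:
                    port = int(m.group("port"))
                    findings.append(("high", "open-port",
                                     f"{port}/{m.group('proto')} ({SENSITIVE_PORTS[port]}) open to any address"))
        elif low.endswith(r"\run"):
            for line in lines:
                m = RUN_ENTRY_RE.match(line)
                if m and suspicious_path(m.group("path")):
                    findings.append(("medium", "autorun", f"{m.group('name')} -> {m.group('path')}"))
    # Entries ComboFix already removed are still worth recording for the hash lookup.
    for m in ORPHAN_RE.finditer(text):
        note = " (random-looking name)" if suspicious_path(m.group("path")) else ""
        findings.append(("info", "orphan", f"{m.group('key')} -> {m.group('path')}{note}"))
    return findings


if __name__ == "__main__":
    for severity, category, detail in triage(SAMPLE_LOG):
        print(f"[{severity}] {category}: {detail}")
```

On the log above this reports the disabled firewall, 3389/TCP open, and the removed `HKCU-Run-dorfgwe` orphan; the BitComet and Foxy ports and the legitimate Run entries (including dwtrig20.exe, which has only two digits) are not flagged.
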

Run OTM

  • Copy the bold text below with the mouse and paste it into the OTMoveIt3 window under Paste Instructions for Items to be Moved:

    :files
    C:\clc1al.com
    C:\hsi.com
    C:\utcn8c63.exe
    C:\tg.com
    C:\9l66g8k1.com
    C:\dmf.exe
    C:\yq.com
    C:\chlf9.exe
    C:\h2t6u.exe
    C:\r.com
    C:\6r3p.com
    C:\vpqdgkx.com
    C:\jj2.com
    c:\windows\system32\uret463.exe
    c:\windows\system32\lhgjyit3.dll
    c:\windows\system32\843wee1.dll
    c:\windows\system32\843wee0.dll
    c:\windows\system32\660B7F
    c:\windows\system32\9E6DF6


  • Then click MoveIt! (if the program asks to restart the computer, click Yes)
  • Close OTM





Restart the computer. Scan the computer with Kaspersky Online Scanner, then post the log.

Tutorial:

http://discuss.com.hk/viewthread.php?tid=944141



Also, since schtasks.exe is infected, please find someone with a Windows XP Professional SP2 computer, copy this file from it, and put it back in its original location: C:\WINDOWS\system32



All Your Malware Are Belong To Us

After running OTM and replacing schtasks, IE still cannot be used, so I cannot run Kaspersky Online Scanner.
Could this be because of "You may be a victim of software counterfeiting"?
The problem seems to have started after IE was updated.




Download the following file to the desktop. Run the file, click OK, then restart the computer.

http://www.sendspace.com/file/mrz5um

After that, the toolbar restriction should be gone. Go to [Tools] > [Internet Options] > [Advanced], click [Reset], tick the option, then click [Reset] to confirm.

Then follow the steps in the link below:

http://support.microsoft.com/kb/555027



If IE still does not work properly after that, install Firefox and scan with Kaspersky Online Scanner.







All Your Malware Are Belong To Us

IE still could not be used after running the above, so I installed Firefox.

The following link is the Kaspersky Online Virusscanner report.
http://www.sendspace.com/file/2w48xc

[ This post was last edited by onor on 2009-6-29 09:58 AM ]



Run OTM

  • Copy the bold text below with the mouse and paste it into the OTMoveIt3 window under Paste Instructions for Items to be Moved:

    :files
    C:\1brfrip.exe
    C:\8q6h.exe
    C:\91m.com
    C:\96.com
    C:\ejoq.exe
    C:\fp.exe
    C:\i2.com
    C:\kjibu.com
    C:\n09jwu9.com
    C:\r9ghv9.com
    C:\s38k.exe
    C:\tfa8rk6.com
    C:\ud.exe
    C:\v9l1l.com
    C:\xc.exe
    C:\xpq63xl.exe
    C:\y319s.exe
    C:\WINDOWS\System32\mstKde.dll
    C:\WINDOWS\system32\afmain2.dll
    C:\WINDOWS\system32\afmain3.dll
    C:\WINDOWS\system32\mstKde.dll
    C:\WINDOWS\system32\mswmdmsrv.dll
    E:\1brfrip.exe
    E:\6.exe
    E:\6r3p.com
    E:\6vu680.com
    E:\8q6h.exe
    E:\91m.com
    E:\96.com
    E:\9l66g8k1.com
    E:\a.exe
    E:\chlf9.exe
    E:\clc1al.com
    E:\dmf.exe
    E:\ejoq.exe
    E:\fp.exe
    E:\h2t6u.exe
    E:\hsi.com
    E:\i2.com
    E:\jj2.com
    E:\kjibu.com
    E:\n09jwu9.com
    E:\r.com
    E:\r9ghv9.com
    E:\s38k.exe
    E:\tfa8rk6.com
    E:\tg.com
    E:\tv program
    E:\ud.exe
    E:\utcn8c63.exe
    E:\v9l1l.com
    E:\vpqdgkx.com
    E:\xc.exe
    E:\xpq63xl.exe
    E:\y319s.exe
    E:\yq.com


  • Then click MoveIt! (if the program asks to restart the computer, click Yes)
  • Close OTM



    Restart the computer. Download ESET Online Scanner to the desktop

    http://download.eset.com/special/eos/esetsmartinstaller_enu.exe

    • Run the installer, click YES, I accept the Terms of Use, then click Start
    • ESET Online Scanner will install. When installation finishes, click Start to update and scan.
    • When the scan finishes, if malware is found, click List of found threats, then Export to text file to save the scan log.
    • Post the ESET Online Scanner log.




    Before running ESET Online Scanner, carry out the following steps.

    Because one of the system files, C:\WINDOWS\system32\sens.dll, is infected, you need to replace this file.

    # You can find someone with a Windows XP Professional SP2 computer and copy the file from it.

    Then restart the computer and press F8 to enter Safe Mode.

    Delete sens.dll, then put the new file back in its original location: C:\WINDOWS\system32

    # If you have a Windows XP Professional SP2 CD, you can also insert the Windows XP disc, restart the computer, and press F8 to enter Safe Mode.

    Delete the following file:

    C:\WINDOWS\system32\sens.dll

    Click Start at the bottom left > Run > type cmd > OK

    In the window, type the following command, then press Enter

    expand x:\i386\sens.dl_ c:\windows\system32\sens.dll (x is the drive letter of your CD drive, e.g. d, e, f)

    Also, when you say IE still cannot be used, do you mean it is still showing a blank page?


    All Your Malware Are Belong To Us
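Added example, not OTM's own code and not from any post in this thread: a Python script that does what the two OTM ":files" lists above ask a tool to do, but in a way a responder can audit. It parses the ":files" directive, moves each listed item into a quarantine folder that mirrors its original path (so the move is reversible and nothing is destroyed), records a SHA-256 for every file so it can be looked up against AV signatures afterwards, reports entries that no longer exist, and marks a file it cannot move as locked (on a live Windows machine this is the "reboot required" case the OTM instructions mention). Drive letters are mapped onto local directories passed in by the caller, which is an assumption of this example; the ":files" excerpt and the files created by demo() are constructed, and the empty uret463.exe stands in for the dropped binary.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed excerpt of the ":files" directives posted in this thread.
OTM_SCRIPT = r"""
:files
C:\hsi.com
C:\tg.com
c:\windows\system32\uret463.exe
E:\tv program
"""


def parse_otm_files(script):
    """Return the paths listed under a ':files' directive; any other
    ':' directive ends the list."""
    paths, active = [], False
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            active = line.lower() == ":files"
            continue
        if active:
            paths.append(line)
    return paths


def windows_to_local(win_path, roots):
    """Map 'C:\\dir\\file' onto roots['C'] (a local directory standing in for
    drive C).  Returns (drive letter, path parts) or None for an unknown drive."""
    drive, sep, rest = win_path.partition(":\\")
    if not sep or len(drive) != 1 or drive.upper() not in roots:
        return None
    return drive.upper(), [part for part in rest.split("\\") if part]


def sha256_of(path):
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def quarantine(script, roots, quarantine_dir):
    """Move every listed item to quarantine_dir/<drive>/<original path>.
    Files are hashed before the move so the report can be checked later."""
    report = []
    for win_path in parse_otm_files(script):
        entry = {"path": win_path, "status": None, "sha256": None, "moved": False}
        mapped = windows_to_local(win_path, roots)
        if mapped is None:
            entry["status"] = "unmapped-drive"
        else:
            letter, parts = mapped
            src = roots[letter].joinpath(*parts)
            if not src.exists():
                entry["status"] = "missing"          # already gone, or a typo in the list
            else:
                if src.is_file():
                    entry["sha256"] = sha256_of(src)
                dst = Path(quarantine_dir).joinpath(letter, *parts)
                dst.parent.mkdir(parents=True, exist_ok=True)
                try:
                    shutil.move(str(src), str(dst))   # directories move as a whole
                    entry["status"] = "quarantined"
                    entry["moved"] = dst.exists() and not src.exists()
                except PermissionError:
                    entry["status"] = "locked"       # in use: retry from Safe Mode / after reboot
        report.append(entry)
    return report


def demo():
    """Build a constructed stand-in for drives C: and E: in a temp directory,
    run the quarantine, and return the report."""
    base = Path(tempfile.mkdtemp(prefix="otm-demo-"))
    roots = {"C": base / "C", "E": base / "E"}
    (roots["C"] / "windows" / "system32").mkdir(parents=True)
    (roots["E"] / "tv program").mkdir(parents=True)
    (roots["C"] / "hsi.com").write_bytes(b"MZ constructed stand-in, not a real dropper")
    (roots["C"] / "windows" / "system32" / "uret463.exe").write_bytes(b"")  # empty stand-in
    (roots["E"] / "tv program" / "readme.txt").write_text("constructed")
    # C:\tg.com is deliberately not created, to exercise the 'missing' branch.
    return quarantine(OTM_SCRIPT, roots, base / "quarantine")


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The report keeps the original path next to the hash, which is what you want when a later ESET or Kaspersky scan names one of the files: you can match it without re-reading a file that is no longer where it was.
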