新近中招,请各位高手帮帮眼orz

显示全部楼层 · 发表于 2007-9-24 19:36:01

之前浏览网页时卡巴报了几次木马frojan,generic(陆续有sys86.exe,sys88.exe,sys281.exe,sys63.exe等)但是手动删除文件并修改注册表后重启联网后仍然会出现病毒提示,并且CPU使用一直处于80%以上,下面是sreng的扫描日志,请各位大人帮忙看看,orz

2007-09-24,19:08:37
System Repair Engineer 2.5.16.900
Smallfrogs (http://www.KZTechs.com)
Windows XP Professional Service Pack 2 (Build 2600) - 管理权限用户 - 完整功能
以下内容被选中：
所有的启动项目（包括注册表、启动文件夹、服务等）
浏览器加载项
正在运行的进程（包括进程模块信息）
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件
进程特权扫描
启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[(Verified)Microsoft Windows Publisher]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"> [Kaspersky Lab]
<!AVG Anti-Spyware><"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized> [(Verified)GRISOFT LTD]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
[(Verified)Microsoft Windows Publisher]
[(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
[(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{57B86673-276A-48B2-BAE7-C6DBB3020EB8}> [(Verified)GRISOFT LTD]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
[Kaspersky Lab]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
<%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
[(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
[Microsoft Corporation]
==================================
启动文件夹
N/A
==================================
服务
[AVG Anti-Spyware Guard / AVG Anti-Spyware Guard][Running/Auto Start]
[卡巴斯基反病毒6.0个人版 / AVP][Running/Auto Start]
<"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r>
[Human Interface Device Access / HidServ][Stopped/Disabled]
%SystemRoot%\System32\hidserv.dll>
==================================
驱动程序
[360TimeProt / 360TimeProt][Running/Auto Start]
<\??\C:\WINDOWS\system32\drivers\360TimeProt.sys>
[Service for Realtek AC97 Audio (WDM) / ALCXWDM][Running/Manual Start]
[AliIde / AliIde][Stopped/Boot Start]
<\SystemRoot\System32\DRIVERS\aliide.sys>
[标准 IDE/ESDI 硬盘控制器 / atapi][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\atapi.sys>
[AVG Anti-Spyware Driver / AVG Anti-Spyware Driver][Running/System Start]
<\??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys>
[AVG Anti-Spyware Clean Driver / AvgAsCln][Running/System Start]
[CmdIde / CmdIde][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\cmdide.sys>
[d346bus / d346bus][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\d346bus.sys><>
[d346prt / d346prt][Running/Boot Start]
<\SystemRoot\System32\Drivers\d346prt.sys><>
[kl1 / kl1][Running/Boot Start]
<\SystemRoot\system32\drivers\kl1.sys>
[klif / klif][Running/System Start]
<\??\C:\WINDOWS\system32\drivers\klif.sys>
[MegaIDE / MegaIDE][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\MegaIDE.sys>
[nv / nv][Running/Manual Start]
[NVIDIA nForce MCP Networking Controller Driver / NVENET][Running/Manual Start]
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
[Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Stopped/Manual Start]
[Secdrv / Secdrv][Stopped/Manual Start]
[TSP / TSP][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\drivers\klif.sys>
[ViaIde / ViaIde][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\viaide.sys>
==================================
浏览器加载项
[Adobe PDF Reader Link Helper]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
[NTIECatcher Class]
{C56CB6B0-0D96-11D6-8C65-B2868B609932}
[Web反病毒统计]
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}
[信息检索(&R)]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}
[Windows Live Photo Upload Control]
{7FC1B346-83E6-4774-8D20-1A6B09B0E737}
[RealPlayer G2 Control]
{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000}
[Adobe PDF Reader Link Helper]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
[NTIECatcher Class]
{C56CB6B0-0D96-11D6-8C65-B2868B609932}
[使用影音传送带下载]
[使用影音传送带下载全部链接]
[导出到 Microsoft Office Excel(&X)]
==================================
正在运行的进程
[PID: 424 / SYSTEM][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 720 / SYSTEM][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 744 / SYSTEM][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\klogon.dll] [Kaspersky Lab, 6.0.2.621]
[C:\WINDOWS\system32\UNISPIM.IME] [北京清华紫光软件股份有限公司, 3.0.0.3045]
[C:\WINDOWS\system32\upengine.dll] [北京清华紫光软件股份有限公司, 3.0.0.3045]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 792 / SYSTEM][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 804 / SYSTEM][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 956 / SYSTEM][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1036 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1156 / SYSTEM][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1208 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1368 / LOCAL SERVICE][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1408 / SYSTEM][C:\WINDOWS\system32\spoolsv.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\hpzsnt09.dll] [HP, 2.236.4.0]
[C:\WINDOWS\system32\mdimon.dll] [Microsoft Corporation, 11.3.1897.0]
[C:\WINDOWS\System32\spool\PRTPROCS\W32X86\mdippr.dll] [Microsoft Corporation, 11.3.1897.0]
[PID: 1696 / Administrator][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UNISPIM.IME] [北京清华紫光软件股份有限公司, 3.0.0.3045]
[C:\WINDOWS\system32\upengine.dll] [北京清华紫光软件股份有限公司, 3.0.0.3045]
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scrchpg.dll] [Kaspersky Lab, 6.0.2.621]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\Program Files\WinRAR\rarext.dll] [N/A, ]
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\ShellEx.dll] [Kaspersky Lab, 6.0.2.621]
[C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll] [GRISOFT s.r.o., 7, 5, 1, 36]
[C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll] [Adobe Systems, Inc., 7.0.0.0]
[PID: 356 / Administrator][C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe] [GRISOFT s.r.o., 7, 5, 1, 43]
[C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\engine.dll] [GRISOFT s.r.o., 4, 2, 0, 19]
[C:\WINDOWS\system32\UNISPIM.IME] [北京清华紫光软件股份有限公司, 3.0.0.3045]
[C:\WINDOWS\system32\upengine.dll] [北京清华紫光软件股份有限公司, 3.0.0.3045]
[PID: 408 / Administrator][C:\WINDOWS\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UNISPIM.IME] [北京清华紫光软件股份有限公司, 3.0.0.3045]
[PID: 164 / LOCAL SERVICE][C:\WINDOWS\System32\alg.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 2320 / Administrator][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.654\SREngPS.EXE] [Smallfrogs Studio, 2.5.16.900]
[C:\WINDOWS\system32\UNISPIM.IME] [北京清华紫光软件股份有限公司, 3.0.0.3045]
[C:\WINDOWS\system32\upengine.dll] [北京清华紫光软件股份有限公司, 3.0.0.3045]
[C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.654\Upload\3rdUpd.DLL] [Smallfrogs Studio, 2, 1, 0, 15]
[PID: 2696 / Administrator][C:\WINDOWS\system32\taskmgr.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UNISPIM.IME] [北京清华紫光软件股份有限公司, 3.0.0.3045]
[C:\WINDOWS\system32\upengine.dll] [北京清华紫光软件股份有限公司, 3.0.0.3045]
[PID: 2756 / Administrator][C:\Program Files\Maxthon2\Maxthon.exe] [Maxthon International ltd., 2, 0, 2, 615]
[C:\Program Files\Maxthon2\mxpp.dll] [Maxthon, 1, 0, 0, 50]
[C:\Program Files\Maxthon2\MxSk.dll] [Maxthon, 1, 0, 0, 119]
[C:\Program Files\Maxthon2\MxProxy2.dll] [, 1, 0, 0, 3115]
[C:\WINDOWS\system32\UNISPIM.IME] [北京清华紫光软件股份有限公司, 3.0.0.3045]
[C:\Program Files\Maxthon2\MxFav.dll] [Maxthon, 1, 0, 0, 186]
[C:\Program Files\Maxthon2\maxzlib.dll] [, 1.2.3]
[C:\Program Files\Maxthon2\mxtool.dll] [, 1, 0, 0, 1]
[C:\WINDOWS\system32\upengine.dll] [北京清华紫光软件股份有限公司, 3.0.0.3045]
[C:\Program Files\Maxthon2\mxfeedU.dll] [, 1, 0, 45, 45]
[C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL] [Microsoft Corporation, 11.0.5510]
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scrchpg.dll] [Kaspersky Lab, 6.0.2.621]
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\klscav.dll] [Kaspersky Lab, 6.0.2.621]
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\prremote.dll] [Kaspersky Lab, 6.0.2.621]
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\prloader.dll] [Kaspersky Lab, 6.0.2.621]
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\prkernel.ppl] [Kaspersky Lab, 6.0.2.621]
[c:\program files\kaspersky lab\kaspersky anti-virus 6.0\params.ppl] [Kaspersky Lab, 6.0.2.621]
[c:\program files\kaspersky lab\kaspersky anti-virus 6.0\pxstub.ppl] [Kaspersky Lab, 6.0.2.621]
[c:\program files\kaspersky lab\kaspersky anti-virus 6.0\tempfile.ppl] [Kaspersky Lab, 6.0.2.621]
[C:\WINDOWS\system32\Macromed\Flash\Flash9d.ocx] [Adobe Systems, Inc., 9,0,47,0]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\WINDOWS\system32\Macromed\Common\SwSupport.dll] [Adobe Systems, Inc., 10.2r22]
==================================
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\system32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock 提供者
N/A
==================================
Autorun.inf
N/A
==================================
HOSTS 文件
127.0.0.1 localhost
==================================
进程特权扫描
特殊特权被允许： SeLoadDriverPrivilege [PID = 2756, C:\PROGRAM FILES\MAXTHON2\MAXTHON.EXE]
==================================
API HOOK
RVA 错误： LoadLibraryA (危险等级: 高, 被下面模块所HOOK: \??\C:\WINDOWS\system32\drivers\klif.sys)
RVA 错误： LoadLibraryExA (危险等级: 高, 被下面模块所HOOK: \??\C:\WINDOWS\system32\drivers\klif.sys)
RVA 错误： LoadLibraryExW (危险等级: 高, 被下面模块所HOOK: \??\C:\WINDOWS\system32\drivers\klif.sys)
RVA 错误： LoadLibraryW (危险等级: 高, 被下面模块所HOOK: \??\C:\WINDOWS\system32\drivers\klif.sys)
RVA 错误： GetProcAddress (危险等级: 高, 被下面模块所HOOK: \??\C:\WINDOWS\system32\drivers\klif.sys)
==================================
隐藏进程
N/A
==================================

复制代码

显示全部楼层 · 发表于 2007-9-24 22:52:39

安全模式下重新扫一个日志。

显示全部楼层 · 发表于 2007-9-25 16:01:30

得令重扫归来~~

2007-09-25,15:51:40
System Repair Engineer 2.5.16.900
Smallfrogs (http://www.KZTechs.com)
Windows XP Professional Service Pack 2 (Build 2600) - 管理权限用户 - 完整功能
以下内容被选中：
所有的启动项目（包括注册表、启动文件夹、服务等）
浏览器加载项
正在运行的进程（包括进程模块信息）
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件
进程特权扫描
启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<AVP><"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"> [Kaspersky Lab]
<!AVG Anti-Spyware><"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized> [(Verified)GRISOFT LTD]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows Publisher]
<Userinit><C:\WINDOWS\system32\UserInit.exe,> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{AEB6717E-7E19-11d0-97EE-00C04FD91972}><shell32.dll> [(Verified)Microsoft Windows Publisher]
<{57B86673-276A-48B2-BAE7-C6DBB3020EB8}><C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll> [(Verified)GRISOFT LTD]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
<PostBootReminder><%SystemRoot%\system32\SHELL32.dll> [(Verified)Microsoft Windows Publisher]
<CDBurn><%SystemRoot%\system32\SHELL32.dll> [(Verified)Microsoft Windows Publisher]
<WebCheck><%SystemRoot%\system32\webcheck.dll> [(Verified)Microsoft Windows Publisher]
<SysTray><C:\WINDOWS\system32\stobject.dll> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
<WinlogonNotify: crypt32chain><crypt32.dll> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
<WinlogonNotify: cryptnet><cryptnet.dll> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
<WinlogonNotify: cscdll><cscdll.dll> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
<WinlogonNotify: klogon><C:\WINDOWS\system32\klogon.dll> [Kaspersky Lab]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
<WinlogonNotify: ScCertProp><wlnotify.dll> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
<WinlogonNotify: Schedule><wlnotify.dll> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
<WinlogonNotify: sclgntfy><sclgntfy.dll> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
<WinlogonNotify: SensLogn><WlNotify.dll> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
<WinlogonNotify: termsrv><wlnotify.dll> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
<WinlogonNotify: wlballoon><wlnotify.dll> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
<{438755C2-A8BA-11D1-B96B-00A0C90312E1}><%SystemRoot%\system32\browseui.dll> [(Verified)Microsoft Windows Publisher]
<{8C7461EF-2B13-11d2-BE35-3078302C2030}><%SystemRoot%\system32\browseui.dll> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
<Microsoft Windows Media Player><C:\WINDOWS\inf\unregmp2.exe /ShowWMP> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
<浏览器自定义组件><RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
<Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
<Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
<Windows 桌面更新><regsvr32.exe /s /n /i:U shell32.dll> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
<Internet Explorer 6><%SystemRoot%\system32\ie4uinit.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
<N/A><C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install> [Microsoft Corporation]
==================================
启动文件夹
N/A
==================================
服务
[AVG Anti-Spyware Guard / AVG Anti-Spyware Guard][Running/Auto Start]
<C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe><GRISOFT s.r.o.>
[卡巴斯基反病毒6.0个人版 / AVP][Stopped/Auto Start]
<"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r><Kaspersky Lab>
[Human Interface Device Access / HidServ][Stopped/Disabled]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
==================================
驱动程序
[360TimeProt / 360TimeProt][Stopped/Auto Start]
<\??\C:\WINDOWS\system32\drivers\360TimeProt.sys><N/A>
[Service for Realtek AC97 Audio (WDM) / ALCXWDM][Stopped/Manual Start]
<system32\drivers\ALCXWDM.SYS><Realtek Semiconductor Corp.>
[AliIde / AliIde][Stopped/Boot Start]
<\SystemRoot\System32\DRIVERS\aliide.sys><N/A>
[标准 IDE/ESDI 硬盘控制器 / atapi][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\atapi.sys><N/A>
[AVG Anti-Spyware Driver / AVG Anti-Spyware Driver][Stopped/System Start]
<\??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys><N/A>
[AVG Anti-Spyware Clean Driver / AvgAsCln][Running/System Start]
<System32\DRIVERS\AvgAsCln.sys><GRISOFT, s.r.o.>
[CmdIde / CmdIde][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\cmdide.sys><CMD Technology, Inc.>
[d346bus / d346bus][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\d346bus.sys><>
[d346prt / d346prt][Running/Boot Start]
<\SystemRoot\System32\Drivers\d346prt.sys><>
[kl1 / kl1][Stopped/Boot Start]
<\SystemRoot\system32\drivers\kl1.sys><Kaspersky Lab>
[klif / klif][Stopped/System Start]
<\??\C:\WINDOWS\system32\drivers\klif.sys><Kaspersky Lab>
[MegaIDE / MegaIDE][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\MegaIDE.sys><LSI Logic Corporation.>
[nv / nv][Stopped/Manual Start]
<system32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[NVIDIA nForce MCP Networking Controller Driver / NVENET][Stopped/Manual Start]
<system32\DRIVERS\NVENET.sys><NVIDIA Corporation>
[Direct Parallel Link Driver / Ptilink][Stopped/Manual Start]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Stopped/Manual Start]
<system32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
[Secdrv / Secdrv][Stopped/Manual Start]
<system32\DRIVERS\secdrv.sys><N/A>
[TCP/IP Protocol Driver / Tcpip][Stopped/System Start]
<system32\DRIVERS\tcpip.sys><Microsoft Corporation>
[TSP / TSP][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\drivers\klif.sys><Kaspersky Lab>
[ViaIde / ViaIde][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\viaide.sys><Microsoft Corporation>
==================================
浏览器加载项
[Adobe PDF Reader Link Helper]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[NTIECatcher Class]
{C56CB6B0-0D96-11D6-8C65-B2868B609932} <C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll, Xi>
[Web反病毒统计]
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} <C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll, Kaspersky Lab>
[信息检索(&R)]
{92780B25-18CC-41C8-B9BE-3C9C571A8263} <C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL, Microsoft Corporation>
[Windows Live Photo Upload Control]
{7FC1B346-83E6-4774-8D20-1A6B09B0E737} <C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll, Microsoft? Corporation>
[RealPlayer G2 Control]
{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} <C:\WINDOWS\system32\rmoc3260.dll, RealNetworks, Inc.>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9d.ocx, Adobe Systems, Inc.>
[Adobe PDF Reader Link Helper]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[NTIECatcher Class]
{C56CB6B0-0D96-11D6-8C65-B2868B609932} <C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll, Xi>
[使用影音传送带下载]
<C:\Program Files\Xi\NetTransport 2\NTAddLink.html, N/A>
[使用影音传送带下载全部链接]
<C:\Program Files\Xi\NetTransport 2\NTAddList.html, N/A>
[导出到 Microsoft Office Excel(&X)]
<res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000, N/A>
==================================
正在运行的进程
[PID: 152][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 220][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 244][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\klogon.dll] [Kaspersky Lab, 6.0.2.621]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UNISPIM.IME] [北京清华紫光软件股份有限公司, 3.0.0.3045]
[C:\WINDOWS\system32\upengine.dll] [北京清华紫光软件股份有限公司, 3.0.0.3045]
[PID: 288][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 300][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 448][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 496][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 568][C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe] [GRISOFT s.r.o., 7, 5, 1, 22]
[C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\engine.dll] [GRISOFT s.r.o., 4, 2, 0, 19]
[PID: 600][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 800][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UNISPIM.IME] [北京清华紫光软件股份有限公司, 3.0.0.3045]
[C:\WINDOWS\system32\upengine.dll] [北京清华紫光软件股份有限公司, 3.0.0.3045]
[C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll] [Adobe Systems, Inc., 7.0.0.0]
[C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll] [GRISOFT s.r.o., 7, 5, 1, 36]
[PID: 1104][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.155\SREngPS.EXE] [Smallfrogs Studio, 2.5.16.900]
[C:\WINDOWS\system32\UNISPIM.IME] [北京清华紫光软件股份有限公司, 3.0.0.3045]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\upengine.dll] [北京清华紫光软件股份有限公司, 3.0.0.3045]
[C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.155\Upload\3rdUpd.DLL] [Smallfrogs Studio, 2, 1, 0, 15]
==================================
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\system32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock 提供者
N/A
==================================
Autorun.inf
N/A
==================================
HOSTS 文件
127.0.0.1 localhost
==================================
进程特权扫描
N/A
==================================
API HOOK
N/A
==================================
隐藏进程
N/A
==================================

复制代码

显示全部楼层 · 发表于 2007-9-25 16:20:22

日志是正常的，现在咔吧报毒的路径是什么？那个进程占用cpu使用率大？

显示全部楼层 · 发表于 2007-9-26 13:56:28

显示全部楼层 · 发表于 2007-9-26 22:26:50

今天出现的是C:\WINDOWS\sys36.exe（以前的sys数字.exe还会生成C:\WINDOWS\system32\26D744E2.EXE并修改注册表，今天这个似乎没有），具体占cpu没注意，因为之后ie马上出现explorer错误要关闭，我用icesword关闭进程后用killbox杀了，此后CPU比较正常，没发现什么异常进程。。。
头痛ing～～

显示全部楼层 · 发表于 2007-9-27 13:00:05

你是说平时正常，用着用着就发现病毒了？是否局域网啊？不会是其他机器中招了吧。。

显示全部楼层 · 发表于 2007-9-28 06:02:04

报告，并没有局域网～～
我暂时就这么混着吧，sigh

显示全部楼层 · 发表于 2007-10-4 18:14:04

今天又来鸟，c:\windows\sys70.exe,生成C:\WINDOWS\system32\26D744E2.EXE修改注册表生成machine\controlset001\sevices\DE0D55FE\imagepath,头痛ing

显示全部楼层 · 发表于 2007-10-5 00:15:01

8位随机数又出新变种？！

新近中招,请各位高手帮帮眼orz

回复 1楼 momowie 的帖子

回复 3楼 momowie 的帖子

路过看不懂

回复 6楼 momowie 的帖子

新近中招,请各位高手帮帮眼orz

回复 1楼 momowie 的帖子

回复 3楼 momowie 的帖子

路过 看不懂

回复 6楼 momowie 的帖子

路过看不懂