Thread starter: 狂龙啸天

[Virus sample] An exe file in my C: drive root keeps coming back shortly after I delete it; I strongly suspect it is a virus

狂龙啸天
Thread starter | Posted 2008-11-5 16:34:35
[CODE]
2008-11-05,16:31:20
System Repair Engineer 2.7.0.1210
Smallfrogs (http://www.KZTechs.com)
Windows XP Professional Service Pack 2 (Build 2600) - 管理权限用户 - 完整功能
以下内容被选中:
    所有的启动项目(包括注册表、启动文件夹、服务等)
    浏览器加载项
    正在运行的进程(包括进程模块信息)
    文件关联
    Winsock 提供者
    Autorun.inf
    HOSTS 文件
    进程特权扫描
    计划任务
    API HOOK
    隐藏进程

启动项目
注册表
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <avgnt><"C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min>  [Avira GmbH]
    <360Safebox><"C:\Program Files\360Safebox\safeboxTray.exe" /r>  [(Verified)Qizhi Software (beijing) Co. Ltd]
    <360Safetray><E:\Henry File\360safe\safemon\360Tray.exe /start>  [(Verified)Qizhi Software (beijing) Co. Ltd]
    <360Antiarp><E:\Henry File\360safe\antiarp\AntiArp.exe /start>  [(Verified)Qizhi Software (beijing) Co. Ltd]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows Publisher]
    <Userinit><C:\Windows\system32\userinit.exe,>  [(Verified)Microsoft Windows Component Publisher]
    <UIHost><logonui.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{AEB6717E-7E19-11d0-97EE-00C04FD91972}><shell32.dll>  [(Verified)Microsoft Windows Component Publisher]
    <{F8E07BB2-7A19-4057-80F1-E14646E630B4}><F8E07BB2.dll>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    <PostBootReminder><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows Component Publisher]
    <CDBurn><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows Component Publisher]
    <WebCheck><%SystemRoot%\system32\webcheck.dll>  [(Verified)Microsoft Windows Publisher]
    <SysTray><C:\WINDOWS\system32\stobject.dll>  [(Verified)Microsoft Windows Publisher]
    <ThunderAdvise><>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    <WinlogonNotify: crypt32chain><crypt32.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    <WinlogonNotify: cryptnet><cryptnet.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    <WinlogonNotify: cscdll><cscdll.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    <WinlogonNotify: ScCertProp><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    <WinlogonNotify: Schedule><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    <WinlogonNotify: sclgntfy><sclgntfy.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    <WinlogonNotify: SensLogn><WlNotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    <WinlogonNotify: termsrv><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    <WinlogonNotify: wlballoon><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    <{438755C2-A8BA-11D1-B96B-00A0C90312E1}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows Component Publisher]
    <{8C7461EF-2B13-11d2-BE35-3078302C2030}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    <Microsoft Windows Media Player><C:\WINDOWS\inf\unregmp2.exe /ShowWMP>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
    <Internet Explorer><%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
    <浏览器自定义组件><RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
    <Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
    <Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    <Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
    <NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
    <Windows Messenger 4.7><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
    <Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    <通讯簿 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
    <Windows 桌面更新><regsvr32.exe /s /n /i:U shell32.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
    <Internet Explorer 6><%SystemRoot%\system32\ie4uinit.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_CURRENT_USER\Control Panel\Desktop]
    <SCRNSAVE.EXE><C:\WINDOWS\system32\ssstars.scr>  [(Verified)Microsoft Windows Publisher]
==================================
启动文件夹
N/A
==================================
服务
[Avira AntiVir Premium MailGuard / AntiVirMailService][Stopped/Disabled]
  <"C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe"><Avira GmbH>
[Avira AntiVir Premium Scheduler / AntiVirScheduler][Running/Auto Start]
  <"C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe"><Avira GmbH>
[Avira AntiVir Premium Guard / AntiVirService][Running/Auto Start]
  <"C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe"><Avira GmbH>
[Avira AntiVir Premium WebGuard / antivirwebservice][Stopped/Disabled]
  <"C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE"><Avira GmbH>
[Avira AntiVir Premium MailGuard helper service / AVEService][Stopped/Disabled]
  <"C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe"><Avira GmbH>
[Human Interface Device Access / HidServ][Stopped/Disabled]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[Stormser / Stormser][Stopped/Disabled]
  <C:\PROGRA~1\Storm Codec\Stormser.exe><(File is missing)>
[DLANX / DLANX][Stopped/Disabled]
  <C:\setup.exe><(File is missing)>
[MPKrnl / MPKrnl][Stopped/Auto Start]
  <C:\MPKrnl.exe><N/A>
==================================
驱动程序
[19b5406 / 19b5406][Stopped/Manual Start]
  <\??\C:\WINDOWS\system32\19b5406.sys><N/A>
[360AntiArp / 360AntiArp][Running/System Start]
  <\??\C:\WINDOWS\system32\drivers\360AntiArp.sys><360安全中心>
[5102a80 / 5102a80][Stopped/Manual Start]
  <\??\C:\WINDOWS\system32\5102a80.sys><N/A>
[9fd8db / 9fd8db][Stopped/Manual Start]
  <\??\C:\WINDOWS\system32\9fd8db.sys><N/A>
[Intel(r) 82801 Audio Driver Install Service (WDM) / ac97intc][Running/Manual Start]
  <system32\drivers\ac97intc.sys><Intel Corporation>
[AliIde / AliIde][Stopped/Boot Start]
  <\SystemRoot\System32\DRIVERS\aliide.sys><N/A>
[avgio / avgio][Running/System Start]
  <\??\C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgio.sys><Avira GmbH>
[avgntflt / avgntflt][Running/Manual Start]
  <\??\C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgntflt.sys><Avira GmbH>
[avipbb / avipbb][Running/System Start]
  <system32\DRIVERS\avipbb.sys><Avira GmbH>
[CmdIde / CmdIde][Running/Boot Start]
  <\SystemRoot\System32\DRIVERS\cmdide.sys><CMD Technology, Inc.>
[VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver / FETNDIS][Stopped/Manual Start]
  <system32\DRIVERS\fetnd5.sys><VIA Technologies, Inc.>
[HWiNFO32 Kernel Driver / HWiNFO32][Stopped/Auto Start]
  <\??\C:\Program Files\HWiNFO32\HWiNFO32.SYS><N/A>
[i81x / i81x][Running/Manual Start]
  <system32\DRIVERS\i81xnt5.sys><Intel(R) Corporation>
[iAimFP0 / iAimFP0][Stopped/Manual Start]
  <system32\DRIVERS\wADV01nt.sys><Intel(R) Corporation>
[iAimFP1 / iAimFP1][Stopped/Manual Start]
  <system32\DRIVERS\wADV02NT.sys><Intel(R) Corporation>
[iAimFP2 / iAimFP2][Stopped/Manual Start]
  <system32\DRIVERS\wADV05NT.sys><Intel(R) Corporation>
[iAimFP3 / iAimFP3][Stopped/Manual Start]
  <system32\DRIVERS\wSiINTxx.sys><Intel(R) Corporation>
[iAimFP4 / iAimFP4][Stopped/Manual Start]
  <system32\DRIVERS\wVchNTxx.sys><Intel(R) Corporation>
[iAimFP5 / iAimFP5][Stopped/Manual Start]
  <system32\DRIVERS\wADV07nt.sys><Intel(R) Corporation>
[iAimFP6 / iAimFP6][Stopped/Manual Start]
  <system32\DRIVERS\wADV08nt.sys><Intel(R) Corporation>
[iAimFP7 / iAimFP7][Stopped/Manual Start]
  <system32\DRIVERS\wADV09nt.sys><Intel(R) Corporation>
[iAimTV0 / iAimTV0][Stopped/Manual Start]
  <system32\DRIVERS\wATV01nt.sys><Intel(R) Corporation>
[iAimTV1 / iAimTV1][Stopped/Manual Start]
  <system32\DRIVERS\wATV02NT.sys><Intel(R) Corporation>
[iAimTV3 / iAimTV3][Stopped/Manual Start]
  <system32\DRIVERS\wATV04nt.sys><Intel(R) Corporation>
[iAimTV4 / iAimTV4][Stopped/Manual Start]
  <system32\DRIVERS\wCh7xxNT.sys><Intel(R) Corporation>
[iAimTV5 / iAimTV5][Stopped/Manual Start]
  <system32\DRIVERS\wATV10nt.sys><Intel(R) Corporation>
[iAimTV6 / iAimTV6][Stopped/Manual Start]
  <system32\DRIVERS\wATV06nt.sys><Intel(R) Corporation>
[MegaIDE / MegaIDE][Running/Boot Start]
  <\SystemRoot\System32\DRIVERS\MegaIDE.sys><LSI Logic Corporation.>
[nv / nv][Stopped/Manual Start]
  <system32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[DDK PACKET Protocol / Packet][Running/Manual Start]
  <system32\DRIVERS\ProtoDrv.sys><360安全中心>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Realtek 10/100/1000 NIC Family all in one NDIS XP Driver / RTL8023xp][Running/Manual Start]
  <system32\DRIVERS\Rtlnicxp.sys><Realtek Semiconductor Corporation>
[SafeBoxKrnl / SafeBoxKrnl][Running/System Start]
  <\??\C:\Program Files\360Safebox\SafeBoxKrnl.sys><360安全中心>
[Secdrv / Secdrv][Stopped/Manual Start]
  <system32\DRIVERS\secdrv.sys><Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.>
[ssmdrv / ssmdrv][Running/System Start]
  <system32\DRIVERS\ssmdrv.sys><Avira GmbH>
[TorjanFW / TorjanFW][Stopped/Manual Start]
  <\??\C:\WINDOWS\system32\drivers\TFW.SYS><N/A>
==================================
浏览器加载项
[ThunderAtOnce Class]
  {01443AEC-0FD1-40fd-9C87-E93D1494C233} <E:\Henry File\Thunder\ComDlls\TDAtOnce_Now.dll, (Signed) Thunder Networking Technologies,LTD>
[Thunder Browser Helper]
  {889D2FEB-5411-4565-8998-1DD2C5261283} <E:\Henry File\Thunder\ComDlls\xunleiBHO_Now.dll, (Signed) Thunder Networking Technologies,LTD>
[SafeMon Class]
  {B69F34DD-F0F9-42DC-9EDD-957187DA688D} <E:\Henry File\360safe\safemon\safemon.dll, (Signed) 360.CN>
[]
  {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} <, >
[微软]
  {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} <http://www.microsoft.com/china/index.htm, N/A>
[Messenger]
  {FB5F1910-F110-11d2-BB9E-00C04F795683} <C:\Program Files\Messenger\msmsgs.exe, N/A>
[iTrusPTA Class]
  {1E0DFFCF-27FF-4574-849B-55007349FEDA} <C:\WINDOWS\system32\aliedit\pta.dll, (Signed) >
[EditCtrl Class]
  {488A4255-3236-44B3-8F27-FA1AECAA8844} <C:\WINDOWS\system32\aliedit\aliedit.dll, (Signed) >
[AxSubmitControl Class]
  {8D9E0B29-563C-4226-86C1-5FF2AE77E1D2} <C:\WINDOWS\DOWNLO~1\SubmitControl.dll, >
[ThunderAtOnce Class]
  {01443AEC-0FD1-40FD-9C87-E93D1494C233} <E:\Henry File\Thunder\ComDlls\TDAtOnce_Now.dll, (Signed) Thunder Networking Technologies,LTD>
[]
  {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} <, >
[Thunder Agent Class]
  {485463B7-8FB2-4B3B-B29B-8B919B0EACCE} <E:\Henry File\Thunder\ComDlls\ThunderAgent_Now.dll, (Signed) Thunder Networking Technologies,LTD>
[]
  {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} <, >
[]
  {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} <, >
[XMP Class]
  {6483F145-A768-4C41-AACC-52D4D7845851} <C:\Documents and Settings\All Users\Application Data\Thunder Network\KanKan\xplayer.dll_1_work, >
[XDRM]
  {693571CB-54A3-4E90-9D52-EEAE1334E2D3} <C:\Documents and Settings\All Users\Application Data\Thunder Network\KanKan\xdrm.dll_1_work, >
[]
  {7670648D-461B-42AF-BDFE-46D26AF5EFF2} <, >
[360SafeLive]
  {87515F61-A66C-4319-A0E0-D416CB8059E3} <E:\Henry File\360safe\live.dll, (Signed) 360.cn>
[Thunder Browser Helper]
  {889D2FEB-5411-4565-8998-1DD2C5261283} <E:\Henry File\Thunder\ComDlls\xunleiBHO_Now.dll, (Signed) Thunder Networking Technologies,LTD>
[UTPKES Control]
  {94BE7FE8-CF75-4FD3-8A41-9D5FE7135511} <C:\WINDOWS\DOWNLO~1\UTPKES.ocx, 广州科友科技股份有限公司>
[]
  {ACACC6EB-1FBA-4E13-A729-53AEB2DF54F8} <, >
[SafeMon Class]
  {B69F34DD-F0F9-42DC-9EDD-957187DA688D} <E:\Henry File\360safe\safemon\safemon.dll, (Signed) 360.CN>
[]
  {C56CB6B0-0D96-11D6-8C65-B2868B609932} <, >
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9f.ocx, (Signed) Adobe Systems, Inc.>
[WangWangX Class]
  {D48876CA-733E-4FC3-8A68-9C8BA37034A6} <E:\Henry File\AliWangWang\AliIMX.dll, (Signed) Alibaba software (Shanghai) Corporation.>
[]
  {EEDD6FF9-13DE-496B-9A1C-D78B3215E266} <, >
[]
  {F3E70CEA-956E-49CC-B444-73AFE593AD7F} <, >
[]
  {FB5F1910-F110-11D2-BB9E-00C04F795683} <, >
[使用迅雷下载]
  <E:\Henry File\Thunder\Program\geturl.htm, N/A>
[使用迅雷下载全部链接]
  <E:\Henry File\Thunder\Program\getallurl.htm, N/A>
==================================
狂龙啸天
Thread starter | Posted 2008-11-5 16:34:59
正在运行的进程
[PID: 420 / SYSTEM][\SystemRoot\System32\smss.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 476 / SYSTEM][\??\C:\WINDOWS\system32\csrss.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 500 / SYSTEM][\??\C:\WINDOWS\system32\winlogon.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\uxtheme.dll]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 544 / SYSTEM][C:\WINDOWS\system32\services.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\UxTheme.dll]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 556 / SYSTEM][C:\WINDOWS\system32\lsass.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\UxTheme.dll]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 720 / SYSTEM][C:\WINDOWS\system32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\UxTheme.dll]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 768 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\UxTheme.dll]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 832 / SYSTEM][C:\WINDOWS\System32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\System32\UxTheme.dll]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 976 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\UxTheme.dll]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 988 / LOCAL SERVICE][C:\WINDOWS\system32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\UxTheme.dll]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1260 / SYSTEM][C:\WINDOWS\system32\spoolsv.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)]
    [C:\WINDOWS\system32\UxTheme.dll]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1296 / SYSTEM][C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe]  [Avira GmbH, 8.00.00.17]
    [C:\Program Files\Avira\AntiVir PersonalEdition Premium\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
    [C:\Program Files\Avira\AntiVir PersonalEdition Premium\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
    [C:\Program Files\Avira\AntiVir PersonalEdition Premium\schedr.dll]  [Avira GmbH, 8.00.03.00]
    [C:\Program Files\Avira\AntiVir PersonalEdition Premium\avevtlog.dll]  [Avira GmbH, 8.00.00.16]
    [C:\Program Files\Avira\AntiVir PersonalEdition Premium\sqlite3.dll]  [, 3.3.17.1]
[PID: 1628 / SYSTEM][C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe]  [Avira GmbH, 8.00.01.30]
    [C:\Program Files\Avira\AntiVir PersonalEdition Premium\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
    [C:\Program Files\Avira\AntiVir PersonalEdition Premium\avevtlog.dll]  [Avira GmbH, 8.00.00.16]
    [C:\Program Files\Avira\AntiVir PersonalEdition Premium\guardmsg.dll]  [Avira GmbH, 8.00.08.00]
    [C:\Program Files\Avira\AntiVir PersonalEdition Premium\sqlite3.dll]  [, 3.3.17.1]
    [C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVPREF.DLL]  [Avira GmbH, 8.00.02.00]
    [C:\Program Files\Avira\AntiVir PersonalEdition Premium\SMTPLIB.DLL]  [Avira GmbH, 1.02.00.23]
    [C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVGIO.DLL]  [Avira GmbH, 8.00.01.03]
    [C:\Program Files\Avira\AntiVir PersonalEdition Premium\avipc.dll]  [Avira GmbH, 1.0.6.0]
    [C:\Program Files\Avira\AntiVir PersonalEdition Premium\aecore.dll]  [Avira GmbH, 8.1.2.9]
    [C:\Program Files\Avira\AntiVir PersonalEdition Premium\aevdf.dll]  [Avira GmbH, 8.1.0.6]
    [C:\Program Files\Avira\AntiVir PersonalEdition Premium\aescript.dll]  [Avira GmbH, 8.1.1.9]
    [C:\Program Files\Avira\AntiVir PersonalEdition Premium\aescn.dll]  [Avira GmbH, 8.1.1.3]
    [C:\Program Files\Avira\AntiVir PersonalEdition Premium\aerdl.dll]  [Avira GmbH, 8.1.1.2]
    [C:\Program Files\Avira\AntiVir PersonalEdition Premium\aepack.dll]  [Avira GmbH, 8.1.2.4]
    [C:\Program Files\Avira\AntiVir PersonalEdition Premium\unacev2.dll]  [N/A, ]
    [C:\Program Files\Avira\AntiVir PersonalEdition Premium\aeoffice.dll]  [Avira GmbH, 8.1.0.29]
    [C:\Program Files\Avira\AntiVir PersonalEdition Premium\aeheur.dll]  [Avira GmbH, 8.1.0.63]
    [C:\Program Files\Avira\AntiVir PersonalEdition Premium\aehelp.dll]  [Avira GmbH, 8.1.1.2]
    [C:\Program Files\Avira\AntiVir PersonalEdition Premium\aegen.dll]  [Avira GmbH, 8.1.0.42]
    [C:\Program Files\Avira\AntiVir PersonalEdition Premium\aeemu.dll]  [Avira GmbH, 8.1.0.9]
    [C:\Program Files\Avira\AntiVir PersonalEdition Premium\aebb.dll]  [Avira GmbH, 8.1.0.3]
[PID: 1704 / SYSTEM][C:\WINDOWS\system32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\UxTheme.dll]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\actxprxy.dll]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 13248 / new][C:\WINDOWS\Explorer.EXE]  [(Verified) Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\UxTheme.dll]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\actxprxy.dll]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [E:\Henry File\360safe\safemon\safemon.dll]  [360.CN, 4, 2, 0, 1005]
    [E:\Henry File\Thunder\ComDlls\TDAtOnce_Now.dll]  [Thunder Networking Technologies,LTD, 1.0.5.34]
    [C:\WINDOWS\system32\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
    [C:\WINDOWS\system32\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
    [E:\Henry File\Thunder\ComDlls\xunleiBHO_Now.dll]  [Thunder Networking Technologies,LTD, 5, 0, 8, 120]
    [C:\Program Files\Avira\AntiVir PersonalEdition Premium\shlext.dll]  [Avira GmbH, 7.00.00.15]
    [C:\Program Files\Avira\AntiVir PersonalEdition Premium\MFC71U.DLL]  [Microsoft Corporation, 7.10.3077.0]
    [E:\Henry File\WinRAR\rarext.dll]  [N/A, ]
    [E:\Henry File\Unlocker\UnlockerCOM.dll]  [N/A, ]
[PID: 9548 / new][C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe]  [Avira GmbH, 8.00.70.02]
    [C:\Program Files\Avira\AntiVir PersonalEdition Premium\MFC71U.DLL]  [Microsoft Corporation, 7.10.3077.0]
    [C:\Program Files\Avira\AntiVir PersonalEdition Premium\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
    [C:\Program Files\Avira\AntiVir PersonalEdition Premium\cclib.dll]  [Avira GmbH, 8.00.70.05]
    [C:\Program Files\Avira\AntiVir PersonalEdition Premium\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
    [c:\program files\avira\antivir personaledition premium\ccgen.dll]  [Avira GmbH, 8.00.70.03]
    [c:\program files\avira\antivir personaledition premium\ccgenrc.dll]  [Avira GmbH, 8.00.70.00]
    [c:\program files\avira\antivir personaledition premium\ccguard.dll]  [Avira GmbH, 8.00.70.04]
    [c:\program files\avira\antivir personaledition premium\ccgrdrc.dll]  [Avira GmbH, 8.00.72.00]
    [c:\program files\avira\antivir personaledition premium\avipc.dll]  [Avira GmbH, 1.0.6.0]
    [c:\program files\avira\antivir personaledition premium\ccupdate.dll]  [Avira GmbH, 8.00.70.02]
    [c:\program files\avira\antivir personaledition premium\ccupdrc.dll]  [Avira GmbH, 8.00.70.00]
    [c:\program files\avira\antivir personaledition premium\cclic.dll]  [Avira GmbH, 8.00.70.04]
    [c:\program files\avira\antivir personaledition premium\cclicrc.dll]  [Avira GmbH, 8.00.70.00]
    [c:\program files\avira\antivir personaledition premium\ccmsg.dll]  [Avira GmbH, 8.00.00.06]
[PID: 11600 / new][E:\Henry File\360safe\antiarp\AntiArp.exe]  [360安全中心, 2, 0, 0, 1008]
    [E:\Henry File\360safe\safemon\safemon.dll]  [360.CN, 4, 2, 0, 1005]
    [C:\WINDOWS\system32\UxTheme.dll]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 2312 / new][C:\Documents and Settings\new\桌面\sreng2\SREngLdr.EXE]  [Smallfrogs Studio, 2.7.0.1210]
[PID: 3688 / new][C:\Documents and Settings\new\桌面\sreng2\SRE1a10268b.EXE]  [Smallfrogs Studio, 2.7.0.1210]
    [E:\Henry File\360safe\safemon\safemon.dll]  [360.CN, 4, 2, 0, 1005]
    [C:\WINDOWS\system32\UxTheme.dll]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\Documents and Settings\new\桌面\sreng2\Upload\3rdUpd.DLL]  [Smallfrogs Studio, 2, 1, 0, 15]
==================================
文件关联
.TXT  Error. [C:\WINDOWS\notepad.exe %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  Error. ["hh.exe" %1]
.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI  Error. [C:\WINDOWS\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS   OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock 提供者
N/A
==================================
Autorun.inf
N/A
==================================
HOSTS 文件
N/A
==================================
进程特权扫描
特殊特权被允许: SeLoadDriverPrivilege [PID = 1296, C:\PROGRAM FILES\AVIRA\ANTIVIR PERSONALEDITION PREMIUM\SCHED.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 1628, C:\PROGRAM FILES\AVIRA\ANTIVIR PERSONALEDITION PREMIUM\AVGUARD.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 2312, C:\DOCUMENTS AND SETTINGS\NEW\桌面\SRENG2\SRENGLDR.EXE]
==================================
计划任务
N/A
==================================
API HOOK
N/A
==================================
隐藏进程
N/A
==================================

[/CODE]
狂龙啸天
Thread starter | Posted 2008-11-5 16:43:07
The SRE scan log has been uploaded; looking at it makes my eyes blur, I'm dizzy~~
sanhu35
Posted 2008-11-5 17:12:07
Delete the registry entry and the corresponding file:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{F8E07BB2-7A19-4057-80F1-E14646E630B4}><F8E07BB2.dll>  [N/A]

Delete the services and their files; best to force-delete them:
[DLANX / DLANX][Stopped/Disabled]
  <C:\setup.exe><(File is missing)>
[MPKrnl / MPKrnl][Stopped/Auto Start]
  <C:\MPKrnl.exe><N/A>

Repair the file associations. Also delete the files shown in the picture in post #3!
狂龙啸天
Thread starter | Posted 2008-11-5 17:31:41
Originally posted by sanhu35 on 2008-11-5 17:12:
Delete the registry entry and the corresponding file:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
  [N/A]

Delete the services and their files; best to force-delete them:
[DLANX / DLANX][Stopped/Disabled]
  
[MPKrn ...

Thanks, I'll give it another try~~
浪滔天
Posted 2008-11-5 18:58:20
Originally posted by XANADU on 2008-11-5 16:17:
Use KIS

Block creation of and writes to C:\*.EXE

That way no exe file can be created in any folder on the C: drive at all; by default KIS applies such a setting to subfolders as well, and the current version cannot block creation of a given file type in a single partition or folder without also including its subfolders.
250662772
Posted 2008-11-5 19:06:11
1. Recommended: use 费尔木马强力清除助手 (Filseclab's trojan force-removal helper) to delete the following files: (click to download), or delete them with smtdel (click to download smtdel; address 2: click to download smtdel).
Before deleting, it is best to disconnect all removable storage media (including USB drives, MP3 players, phone memory cards, etc.).

c:\mpkrnl.exe
c:\setup.exe
c:\windows\system32\19b5406.sys
c:\windows\system32\9fd8db.sys
c:\windows\system32\5102a80.sys
c:\windows\system32\drivers\tfw.sys

2. After deleting and rebooting, use SREng to repair the following items:

    Startup items -- Registry: delete the following entry:
[{F8E07BB2-7A19-4057-80F1-E14646E630B4}]    <F8E07BB2.dll>

    Startup items -- Services -- Win32 service applications: disable the following entries:
[MPKrnl / MPKrnl]    <C:\MPKrnl.exe>
[DLANX / DLANX]    <C:\setup.exe>

    Startup items -- Services -- Drivers: disable the following entries:
[19b5406 / 19b5406]    <\??\C:\WINDOWS\system32\19b5406.sys>
[9fd8db / 9fd8db]    <\??\C:\WINDOWS\system32\9fd8db.sys>
[5102a80 / 5102a80]    <\??\C:\WINDOWS\system32\5102a80.sys>
[TorjanFW / TorjanFW]    <\??\C:\WINDOWS\system32\drivers\TFW.SYS>

********************** The above analysis report is for reference only ************************
Analysis: 250662772
Date: 2008-11-5
************(*^__^*)=O(∩_∩)O******************
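As a defender-side illustration of the triage reasoning the replies above apply to the SREng log (no publisher or a missing image, an executable dropped in the drive root, a random hex-named .sys sitting in system32 itself), here is a small parser for SREng service/driver entries that flags entries with those traits. This is an added example written for this page, not part of the thread or of SREng; the sample lines are copied from the log in the first post, and the heuristics are my own, not SREng's.

```python
import re
from typing import Dict, List

# Service/driver entries in SREng format, copied from the log in the first post:
# a "[DisplayName / Name][State/StartType]" header line followed by an indented
# "<image path><signer>" line. Sample data for this example, not a full log.
SAMPLE_LOG = r"""
[Avira AntiVir Premium Guard / AntiVirService][Running/Auto Start]
  <"C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe"><Avira GmbH>
[DLANX / DLANX][Stopped/Disabled]
  <C:\setup.exe><(File is missing)>
[MPKrnl / MPKrnl][Stopped/Auto Start]
  <C:\MPKrnl.exe><N/A>
[19b5406 / 19b5406][Stopped/Manual Start]
  <\??\C:\WINDOWS\system32\19b5406.sys><N/A>
[CmdIde / CmdIde][Running/Boot Start]
  <\SystemRoot\System32\DRIVERS\cmdide.sys><CMD Technology, Inc.>
[TorjanFW / TorjanFW][Stopped/Manual Start]
  <\??\C:\WINDOWS\system32\drivers\TFW.SYS><N/A>
"""

HEADER_RE = re.compile(
    r"^\[(?P<display>.+?) / (?P<name>[^\]]+)\]\[(?P<state>[^/\]]+)/(?P<start>[^\]]+)\]$"
)
IMAGE_RE = re.compile(r"^\s*<(?P<image>.*?)><(?P<signer>.*)>$")
# 6-8 lowercase hex characters with at least one digit, e.g. 19b5406, 5102a80, 9fd8db
RANDOM_HEX_RE = re.compile(r"(?=.*\d)[0-9a-f]{6,8}")


def parse_entries(log: str) -> List[Dict[str, str]]:
    """Pair each header line with the image/signer line that follows it."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        header = HEADER_RE.match(line)
        if header:
            current = header.groupdict()
            entries.append(current)
            continue
        image = IMAGE_RE.match(line)
        if image and current:
            current.update(image.groupdict())
    return entries


def triage(entry: Dict[str, str]) -> List[str]:
    """Reasons an entry deserves a closer look; an empty list means nothing stood out."""
    reasons: List[str] = []
    signer = entry.get("signer", "").strip()
    image = entry.get("image", "").strip().strip('"')
    if image.startswith("\\??\\"):  # drop the NT object-manager prefix SREng shows for drivers
        image = image[4:]
    low = image.lower()
    if signer in ("", "N/A"):
        reasons.append("no publisher/signature information")
    elif "file is missing" in signer.lower():
        reasons.append("registered but image file is missing")
    if re.fullmatch(r"[a-z]:\\[^\\]+", low):
        reasons.append("executable sits directly in a drive root")
    if re.search(r"\\system32\\[^\\]+\.sys$", low):
        reasons.append(".sys placed in system32 itself rather than system32\\drivers")
    if RANDOM_HEX_RE.fullmatch(entry.get("name", "")):
        reasons.append("service name looks like a random hex string")
    return reasons


def suspicious_entries(log: str) -> Dict[str, List[str]]:
    """Name -> reasons, for every entry that raised at least one flag."""
    flagged: Dict[str, List[str]] = {}
    for entry in parse_entries(log):
        reasons = triage(entry)
        if reasons:
            flagged[entry["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in suspicious_entries(SAMPLE_LOG).items():
        print(f"{name}: " + "; ".join(reasons))
```

On the sample above the four entries the thread's responders singled out (DLANX, MPKrnl, 19b5406, TorjanFW) are flagged and the two legitimately signed ones are not; these are triage hints, not a verdict, and a hit still needs the file itself checked.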
BING126
Posted 2008-11-5 20:39:58
McAfee  New Malware.b
liu5678
Posted 2008-11-5 23:23:03
2008-11-5 23:22:32        http://bbs.kafan.cn/attachment.p ... 5898456//MPKrnl.exe        Internet Explorer        拒绝: Trojan-Downloader.Win32.Agent.antv
狂龙啸天
Thread starter | Posted 2008-11-6 10:43:46
Originally posted by 250662772 on 2008-11-5 19:06:
1. Recommended: use 费尔木马强力清除助手 (Filseclab's trojan force-removal helper) to delete the following files: (click to download), or delete them with smtdel (click to download smtdel; address 2: click to download smtdel).
Before deleting, it is best to disconnect all removable storage media (including USB drives, MP3 players, phone memory cards, etc.).

c:\mpkrnl.exe
c:\setup.ex ...

Many thanks, it seems to be back to normal~~
Copyright © KaFan  KaFan.cn All Rights Reserved.