按照版主的方法,卸载QQ,在安全模式下咔吧杀毒,这次杀出的是另一个病毒:
Trojan-Downloader.BAT.Ftp.ab ,问一下版主,这个木马怎么杀????????
下面是扫描报告
- 2007-05-21,10:53:30
- System Repair Engineer 2.3.13.690
- Smallfrogs ([url]http://www.KZTechs.com[/url])
- Windows XP Professional Service Pack 1 (Build 2600)
- - 管理权限用户 - 完整功能
- 以下内容被选中:
- 所有的启动项目(包括注册表、启动文件夹、服务等)
- 浏览器加载项
- 正在运行的进程(包括进程模块信息)
- 文件关联
- Winsock 提供者
- Autorun.inf
- HOSTS 文件
- 启动项目
- 注册表
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- <ctfmon.exe><C:\WINDOWS\System32\ctfmon.exe> [(Verified)Microsoft Corporation]
- <NvMediaCenter><RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit> [(Verified)NVIDIA Corporation]
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- <IMJPMIG8.1><"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [(Verified)Microsoft Corporation]
- <PHIME2002ASync><C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [(Verified)Microsoft Corporation]
- <PHIME2002A><C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [(Verified)Microsoft Corporation]
- <SoundMan><SOUNDMAN.EXE> [(Verified)Realtek Semiconductor Corp.]
- <NvCplDaemon><RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup> [(Verified)NVIDIA Corporation]
- <nwiz><nwiz.exe /install> [NVIDIA Corporation]
- <AVP><"E:\Program Files\Kaspersky\avp.exe"> [Kaspersky Lab]
- <TkBellExe><"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot> [RealNetworks, Inc.]
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
- <shell><Explorer.exe> [(Verified)Microsoft Corporation]
- <Userinit><c:\windows\system32\userinit.exe,> [(Verified)Microsoft Corporation]
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
- <AppInit_DLLs><> [N/A]
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
- <UIHost><logonui.exe> [(Verified)Microsoft Corporation]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
- <{AEB6717E-7E19-11d0-97EE-00C04FD91972}><shell32.dll> [(Verified)Microsoft Corporation]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
- <PostBootReminder><%SystemRoot%\system32\SHELL32.dll> [(Verified)Microsoft Corporation]
- <CDBurn><%SystemRoot%\system32\SHELL32.dll> [(Verified)Microsoft Corporation]
- <WebCheck><%SystemRoot%\System32\webcheck.dll> [(Verified)Microsoft Corporation]
- <SysTray><C:\WINDOWS\System32\stobject.dll> [(Verified)Microsoft Corporation]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
- <WinlogonNotify: crypt32chain><crypt32.dll> [(Verified)Microsoft Corporation]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
- <WinlogonNotify: cryptnet><cryptnet.dll> [(Verified)Microsoft Corporation]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
- <WinlogonNotify: cscdll><cscdll.dll> [(Verified)Microsoft Corporation]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
- <WinlogonNotify: klogon><C:\WINDOWS\System32\klogon.dll> [Kaspersky Lab]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
- <WinlogonNotify: ScCertProp><wlnotify.dll> [(Verified)Microsoft Corporation]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
- <WinlogonNotify: Schedule><wlnotify.dll> [(Verified)Microsoft Corporation]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
- <WinlogonNotify: sclgntfy><sclgntfy.dll> [(Verified)Microsoft Corporation]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
- <WinlogonNotify: SensLogn><WlNotify.dll> [(Verified)Microsoft Corporation]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
- <WinlogonNotify: termsrv><wlnotify.dll> [(Verified)Microsoft Corporation]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
- <WinlogonNotify: wlballoon><wlnotify.dll> [(Verified)Microsoft Corporation]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
- <{438755C2-A8BA-11D1-B96B-00A0C90312E1}><%SystemRoot%\System32\browseui.dll> [(Verified)Microsoft Corporation]
- <{8C7461EF-2B13-11d2-BE35-3078302C2030}><%SystemRoot%\System32\browseui.dll> [(Verified)Microsoft Corporation]
- ==================================
- 启动文件夹
- N/A
- ==================================
- 服务
- [卡巴斯基互联网安全套装6.0 / AVP][Stopped/Auto Start]
- <E:\Program Files\Kaspersky\avp.exe -r><Kaspersky Lab>
- [Human Interface Device Access / HidServ][Stopped/Disabled]
- <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
- [NVIDIA Display Driver Service / NVSvc][Running/Auto Start]
- <C:\WINDOWS\System32\nvsvc32.exe><NVIDIA Corporation>
- [Portable Media Serial Number Service / WmdmPmSN][Stopped/Manual Start]
- <C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\WINDOWS\System32\mspmsnsv.dll><Microsoft Corporation>
- ==================================
- 驱动程序
- [Service for WDM 3D Audio Driver / ALCXSENS][Running/Manual Start]
- <system32\drivers\ALCXSENS.SYS><Sensaura Ltd>
- [Service for Realtek AC97 Audio (WDM) / ALCXWDM][Running/Manual Start]
- <system32\drivers\ALCXWDM.SYS><Realtek Semiconductor Corp.>
- [AVG Anti-Spyware Clean Driver / AvgAsCln][Running/System Start]
- <System32\DRIVERS\AvgAsCln.sys><GRISOFT, s.r.o.>
- [basic2 / basic2][Stopped/Manual Start]
- <System32\DRIVERS\HSF_BSC2.sys><Conexant>
- [Creative SBLive! Gameport / ctljystk][Stopped/Manual Start]
- <System32\DRIVERS\ctljystk.sys><Creative Technology Ltd.>
- [Creative SB Live! (WDM) / emu10k][Stopped/Manual Start]
- <system32\drivers\emu10k1m.sys><Creative Technology Ltd.>
- [Creative Interface Manager Driver (WDM) / emu10k1][Stopped/Manual Start]
- <system32\drivers\ctlfacem.sys><Creative Technology Ltd.>
- [HSFHWBS2 / HSFHWBS2][Running/Manual Start]
- <System32\DRIVERS\HSFHWBS2.sys><Conexant Systems>
- [HSF_DP / HSF_DP][Running/Manual Start]
- <System32\DRIVERS\HSF_DP.sys><Conexant Systems>
- [hsf_msft / hsf_msft][Stopped/Manual Start]
- <System32\DRIVERS\HSF_MSFT.sys><Conexant>
- [kl1 / kl1][Running/Boot Start]
- <\SystemRoot\System32\drivers\kl1.sys><Kaspersky Lab>
- [klif / klif][Running/System Start]
- <\??\C:\WINDOWS\System32\drivers\klif.sys><Kaspersky Lab>
- [mdmxsdk / mdmxsdk][Running/Auto Start]
- <System32\DRIVERS\mdmxsdk.sys><Conexant>
- [nv / nv][Running/Manual Start]
- <System32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
- [Direct Parallel Link Driver / Ptilink][Running/Manual Start]
- <System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
- [Rksample / Rksample][Stopped/Manual Start]
- <System32\DRIVERS\HSF_SAMP.sys><Conexant>
- [Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver / rtl8139][Running/Manual Start]
- <System32\DRIVERS\R8139n51.SYS><Realtek Semiconductor Corporation>
- [Secdrv / Secdrv][Stopped/Manual Start]
- <System32\DRIVERS\secdrv.sys><N/A>
- [Creative SoundFont Manager Driver (WDM) / sfman][Stopped/Manual Start]
- <system32\drivers\sfmanm.sys><Creative Technology Ltd.>
- [SiS AGP Filter / SISAGP][Running/Boot Start]
- <\SystemRoot\System32\DRIVERS\SISAGPX.sys><Silicon Integrated Systems Corporation>
- [SiSide / SiSide][Running/Boot Start]
- <\SystemRoot\System32\DRIVERS\siside.sys><Silicon Integrated Systems Corp.>
- [TSP / TSP][Stopped/Manual Start]
- <\??\C:\WINDOWS\system32\drivers\klif.sys><Kaspersky Lab>
- [Conexant Setup API / UIUSys][Stopped/Manual Start]
- <system32\drivers\UIUSys.sys><Conexant>
- [winachsf / winachsf][Running/Manual Start]
- <System32\DRIVERS\HSF_CNXT.sys><Conexant Systems>
- [PCANDIS5 NDIS Protocol Driver / PCANDIS5][Running/Manual Start]
- <\??\C:\WINDOWS\System32\PCANDIS5.SYS><Printing Communications Assoc., Inc. (PCAUSA)>
- ==================================
- 浏览器加载项
- [FGCatchUrl]
- {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} <E:\Program Files\FlashGet\jccatch.dll, [url]www.flashget.com[/url]>
- [Web反病毒保护 统计]
- {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} <E:\Program Files\Kaspersky\scieplugin.dll, Kaspersky Lab>
- [@shdoclc.dll,-866]
- {c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
- [快车]
- {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} <E:\PROGRA~1\FLASHGET\flashget.exe, FlashGet.com>
- [电台(&R)]
- {8E718888-423F-11D2-876E-00A0C9082467} <C:\WINDOWS\System32\msdxm.ocx, Microsoft Corporation>
- [快车(FlashGet)]
- {E0E899AB-F487-11D5-8D29-0050BA6940E3} <E:\PROGRA~1\FLASHGET\fgiebar.dll, Amaze Soft>
- [FGCatchUrl]
- {FB5DA724-162B-11D3-8B9B-AA70B4B0B524} <E:\Program Files\FlashGet\jccatch.dll, [url]www.flashget.com[/url]>
- [&使用网际快车下载]
- <E:\Program Files\FlashGet\jc_link.htm, N/A>
- [&使用网际快车下载全部链接]
- <E:\Program Files\FlashGet\jc_all.htm, N/A>
- [上传到QQ网络硬盘]
- <E:\Program Files\qq\AddToNetDisk.htm, N/A>
- [添加到QQ自定义面板]
- <E:\Program Files\qq\AddPanel.htm, N/A>
- [添加到QQ表情]
- <E:\Program Files\qq\AddEmotion.htm, N/A>
- [用QQ彩信发送该图片]
- <E:\Program Files\qq\SendMMS.htm, N/A>
- ==================================
- 正在运行的进程
- [PID: 476][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
- [PID: 552][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
- [PID: 576][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
- [C:\WINDOWS\System32\klogon.dll] [Kaspersky Lab, 6.0.2.621]
- [PID: 620][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
- [PID: 632][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
- [PID: 804][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
- [PID: 856][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
- [E:\Program Files\Kaspersky\adialhk.dll] [Kaspersky Lab, 6.0.2.621]
- [PID: 940][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
- [PID: 976][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
- [PID: 1244][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2800.1106 (xpsp1.020828-1920)]
- [E:\Program Files\Kaspersky\scrchpg.dll] [Kaspersky Lab, 6.0.2.621]
- [C:\WINDOWS\System32\nvshell.dll] [NVIDIA Corporation, 6.14.10.5303]
- [C:\WINDOWS\System32\NVWRSZHC.DLL] [NVIDIA Corporation, 6.14.10.5303]
- [PID: 1308][C:\WINDOWS\system32\spoolsv.exe] [Microsoft Corporation, 5.1.2600.0 (XPClient.010817-1148)]
- [PID: 1836][C:\WINDOWS\SOUNDMAN.EXE] [Realtek Semiconductor Corp., 5.1.14]
- [PID: 1924][C:\Program Files\Common Files\Real\Update_OB\realsched.exe] [RealNetworks, Inc., 0.1.0.3427]
- [PID: 1940][C:\WINDOWS\System32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
- [PID: 1956][C:\WINDOWS\System32\RUNDLL32.EXE] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
- [C:\WINDOWS\System32\NVMCTRAY.DLL] [NVIDIA Corporation, 6.14.10.5303]
- [C:\WINDOWS\System32\NVRSZHC.DLL] [NVIDIA Corporation, 6.14.10.5303]
- [PID: 2028][C:\WINDOWS\System32\nvsvc32.exe] [NVIDIA Corporation, 6.14.10.5303]
- [PID: 1432][C:\WINDOWS\System32\conime.exe] [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
- [PID: 1680][E:\软件\sreng2\SREng.EXE] [Smallfrogs Studio, 2.3.13.690]
- [E:\Program Files\Kaspersky\adialhk.dll] [Kaspersky Lab, 6.0.2.621]
- ==================================
- 文件关联
- .TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
- .EXE OK. ["%1" %*]
- .COM OK. ["%1" %*]
- .PIF OK. ["%1" %*]
- .REG OK. [regedit.exe "%1"]
- .BAT OK. ["%1" %*]
- .SCR OK. ["%1" /S]
- .CHM OK. ["C:\WINDOWS\hh.exe" %1]
- .HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
- .INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
- .INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
- .VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
- .JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
- .LNK OK. [{00021401-0000-0000-C000-000000000046}]
- ==================================
- Winsock 提供者
- N/A
- ==================================
- Autorun.inf
- N/A
- ==================================
- HOSTS 文件
- 127.0.0.1 localhost
- ==================================
- API HOOK
- 警告!System Repair Engineer 提醒
- 你下面的函数内容与预期值不符,他
- 们可能被一些恶意的软件所修改:
- RVA 错误: LoadLibraryA
- RVA 错误: LoadLibraryExA
- RVA 错误: LoadLibraryExW
- RVA 错误: LoadLibraryW
- ==================================
复制代码 |