|
引用 | 編輯
張小奇^^
2007-02-20 18:19 |
樓主
▼ |
||
x0
今天重灌完一掃就出現了該如何防治?查了一下是個木馬病毒 ps 我還是從網路抓了 這版本(WINXP PRO CHT SP2) 的xp以後掃毒一直出現  x0
|
|||
|
引用 | 編輯
andy33448
2007-02-22 09:25 |
1樓
▲ ▼ |
|
或許在燒錄的時候被感染了 或許是存在ISO裡
這樣搞不出什麼名堂的 因為早就鎖住在裡面了.. 不如換一個版本吧 這片就拿去當杯墊吧.. x0
|
|
|
引用 | 編輯
ajdfajdfl
2007-03-16 19:55 |
2樓
▲ ▼ |
|
清除木馬程式 Trojan-PSW.Win32.Nilage.awo 方法如下:
一.關閉木馬程式 1.首先,開啟工作管理員(Ctrl+Alt+Del) 2.找到 svchost.exe (有很多個,找到"使用者名稱"是自己名字那個,他就是木馬偽裝的。) 3.右鍵→結束處理程序 二.刪除登錄檔讓他不再開啟 1.開始→執行→輸入regedit (開啟登錄編輯程式) 2.找到機碼 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon 右邊的Userinit的資料 C:\WINDOWS\system32\userinit.exe,C:\Program files\Windows Media Player\Svchost.exe 3.在資料上點兩下,把數值資料裡〝 ,C:\Program files\......Svchost.exe〞的部份刪掉,然後關閉。 三.刪除木馬檔案 1.找到資料夾C:\Program files\Windows Media Player 2.把 Svchost 刪掉即可。 x0
|
|
|
引用 | 編輯
彗星風采
2007-03-16 22:40 |
3樓
▲ ▼ |
|
建議樓主在安全模式下執行全系統掃毒看看能否把木馬刪除...
如果問題仍未解決..請提供防軟所掃到的中毒名稱及詳細路徑.. 並參考置頂工具跑一份SREng報表貼上來以供判讀..  x0
|
|
|
引用 | 編輯
gunstyle
2007-09-03 11:43 |
4樓
▲ ▼ |
|
請問大大,我也是nilage的受害者之一,看到樓上大大的解決方法後,想要試試,可是我在scvhost的名稱裡不知道該刪哪個(可能是之前灌xp,都一直按下一步,所以是預設的名稱)
 所以想請問各大大,我該刪的scvhost名稱是哪一個呢,感恩   x0
|
|
|
引用 | 編輯
彗星風采
2007-09-03 12:31 |
5樓
▲ ▼ |
下面是引用gunstyle於2007-09-03 11:43發表的 Re:請問各位大大中了這個毒要如何解才完整Trojan-PSW.Win32.Nilage.:如果大大您名稱沒有打錯的話..scvhost絕對是有問題的檔案喔!所以都可以刪除....正常的是svchost.. x0
|
|
|
引用 | 編輯
gunstyle
2007-09-03 13:10 |
6樓
▲ ▼ |
下面是引用彗星風采於2007-09-03 12:31發表的 Re:Re:請問各位大大中了這個毒要如何解才完整Trojan-PSW.Win32.Nilage.:  ,是我打錯了,看來我記憶力不是很好 我開啟工作管理員後,有很多svchost的檔案,可使用者名稱不同,我現在是不知道要刪哪一個svchost,然後我從中發現有兩個 樣的使用者名稱,檔名是「system」,這兩個各佔的記憶體分別為2028k跟5084k~是這兩個出錯的嗎  ,其餘的svchost的使用者名稱則為「NETWORK SERVICE」!(這個也有兩組 ) 最後一個就是「LOCAL SERVICE」,感恩大大啊~~可以幫我解感一下嗎 謝謝 x0
|
|
|
引用 | 編輯
彗星風采
2007-09-03 14:02 |
7樓
▲ ▼ |
下面是引用gunstyle於2007-09-03 13:10發表的 Re:Re:Re:請問各位大大中了這個毒要如何解才完整Trojan-PSW.Win32.Nilage.:建議樓主可以始用工具Icesword切換至Processes模式觀察svchost.exe的位置在哪?如果不是在C:\WINDOWS\system32底下那就絕對有問題.. x0
|
|
|
引用 | 編輯
gunstyle
2007-09-05 09:30 |
8樓
▲ ▼ |
|
複製程式
2007-09-05,02:14:57
System Repair Engineer 2.5.16.900
Smallfrogs ([url]http://www.KZTechs.com[/url])
Windows XP Professional Service Pack 2 (Build 2600) - 管理許可權用戶 - 完整功能
以下內容被選中:
所有的啟動項目(包括註冊表、開機檔案夾、服務等)
流覽器載入項
正在運行的進程(包括進程模組資訊)
文件關聯
Winsock 提供者
Autorun.inf
HOSTS 文件
進程特權掃描
啟動專案
註冊表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<IMJPMIG8.1><"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [(Verified)Microsoft Windows Publisher]
<PHIME2002ASync><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [(Verified)Microsoft Windows Publisher]
<PHIME2002A><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [(Verified)Microsoft Windows Publisher]
<avgnt><"C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min> [Avira GmbH]
<SoundMan><SOUNDMAN.EXE> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows Publisher]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
<Internet Explorer><%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
<Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
<Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
<Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
<NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
<Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
<Address Book 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
<N/A><C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install> [Microsoft Corporation]
==================================
開機檔案夾
N/A
==================================
服務
[AntiVir PersonalEdition Classic Scheduler / AntiVirScheduler][Running/Auto Start]
<"C:\Program Files\AntiVir PersonalEdition Classic\sched.exe"><Avira GmbH>
[AntiVir PersonalEdition Classic Guard / AntiVirService][Running/Auto Start]
<"C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe"><Avira GmbH>
[ASP.NET State Service / aspnet_state][Stopped/Manual Start]
<C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe><Microsoft Corporation>
[Human Interface Device Access / HidServ][Stopped/Disabled]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[PDEngine / PDEngine][Stopped/Manual Start]
<"C:\Program Files\Raxco\PerfectDisk\PDEngine.exe"><Raxco Software, Inc.>
[PDScheduler / PDSched][Running/Auto Start]
<"C:\Program Files\Raxco\PerfectDisk\PDSched.exe"><Raxco Software, Inc.>
==================================
驅動程式
[Service for Realtek AC97 Audio (WDM) / ALCXWDM][Running/Manual Start]
<system32\drivers\ALCXWDM.SYS><Realtek Semiconductor Corp.>
[avgio / avgio][Running/System Start]
<\??\C:\Program Files\AntiVir PersonalEdition Classic\avgio.sys><Avira GmbH>
[avgntflt / avgntflt][Running/Manual Start]
<\??\C:\Program Files\AntiVir PersonalEdition Classic\avgntflt.sys><Avira GmbH>
[avipbb / avipbb][Running/System Start]
<system32\DRIVERS\avipbb.sys><Avira GmbH>
[nv / nv][Running/Manual Start]
<system32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[Padus ASPI Shell / pfc][Running/Manual Start]
<system32\drivers\pfc.sys><Padus, Inc.>
[直接平行連接埠連結驅動程式 / Ptilink][Running/Manual Start]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Secdrv / Secdrv][Stopped/Manual Start]
<system32\DRIVERS\secdrv.sys><N/A>
[ssmdrv / ssmdrv][Running/System Start]
<system32\DRIVERS\ssmdrv.sys><Avira GmbH>
[NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller / yukonwxp][Running/Manual Start]
<system32\DRIVERS\yk51x86.sys><Marvell>
==================================
流覽器載入項
[AcroIEHlprObj Class]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[NTIECatcher Class]
{C56CB6B0-0D96-11D6-8C65-B2868B609932} <C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll, Xi>
[ALiBaBar_Helper]
{CE439C63-384A-747A-A357-23D96B5D652B} <C:\PROGRA~1\ALiBaBar\ALiBaBar.dll, Alfred, C. S. Li>
[ALiBaBar]
{0A1375E1-56C2-11D6-8E45-8933A0FB5235} <C:\PROGRA~1\ALiBaBar\ALiBaBar.dll, Alfred, C. S. Li>
[AcroIEHlprObj Class]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[NTIECatcher Class]
{C56CB6B0-0D96-11D6-8C65-B2868B609932} <C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll, Xi>
[ALiBaBar_Helper]
{CE439C63-384A-747A-A357-23D96B5D652B} <C:\PROGRA~1\ALiBaBar\ALiBaBar.dll, Alfred, C. S. Li>
[使用影音傳送帶下載]
<C:\Program Files\Xi\NetTransport 2\NTAddLink.html, N/A>
[使用影音傳送帶下載全部連結]
<C:\Program Files\Xi\NetTransport 2\NTAddList.html, N/A>
[剪貼簿文字: 簡 > 繁]
<res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToTrad, N/A>
[剪貼簿文字: 繁 > 簡]
<res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToSim, N/A>
[網頁: [簡體] 顯示]
<res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToSim, N/A>
[網頁: [繁體] 顯示]
<res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToTrad, N/A>
==================================
正在運行的進程
[PID: 588 / SYSTEM][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 656 / SYSTEM][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 680 / SYSTEM][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 732 / SYSTEM][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 744 / SYSTEM][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 912 / SYSTEM][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 988 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1164 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1248 / LOCAL SERVICE][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1428 / SYSTEM][C:\WINDOWS\system32\spoolsv.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1476 / SYSTEM][C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe] [Avira GmbH, 7.00.00.52]
[C:\Program Files\AntiVir PersonalEdition Classic\avevtlog.dll] [Avira GmbH, 7.00.00.18]
[C:\Program Files\AntiVir PersonalEdition Classic\guardmsg.dll] [Avira GmbH, 7.00.10.01]
[C:\Program Files\AntiVir PersonalEdition Classic\sqlite3.dll] [, 3, 3, 10, 0]
[C:\Program Files\AntiVir PersonalEdition Classic\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\Program Files\AntiVir PersonalEdition Classic\AVPREF.DLL] [Avira GmbH, 7.00.02.01]
[C:\Program Files\AntiVir PersonalEdition Classic\SMTPLIB.DLL] [Avira GmbH, 1.2.0.13]
[C:\Program Files\AntiVir PersonalEdition Classic\AVEWIN32.DLL] [Avira GmbH, 7.4.0.12]
[PID: 1804 / Administrator][C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe] [Avira GmbH, 7.00.04.05]
[C:\Program Files\AntiVir PersonalEdition Classic\MFC71U.DLL] [Microsoft Corporation, 7.10.3077.0]
[C:\Program Files\AntiVir PersonalEdition Classic\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\Program Files\AntiVir PersonalEdition Classic\avgcmxp.dll] [Avira GmbH, 7.00.04.00]
[C:\Program Files\AntiVir PersonalEdition Classic\AVWINLL.DLL] [Avira GmbH, 1.0.0.7]
[PID: 1824 / Administrator][C:\WINDOWS\SOUNDMAN.EXE] [Realtek Semiconductor Corp., 5.1.0.30]
[PID: 1836 / Administrator][C:\WINDOWS\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1956 / SYSTEM][C:\Program Files\AntiVir PersonalEdition Classic\sched.exe] [Avira GmbH, 7.00.00.46]
[C:\Program Files\AntiVir PersonalEdition Classic\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\Program Files\AntiVir PersonalEdition Classic\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[C:\Program Files\AntiVir PersonalEdition Classic\schedr.dll] [Avira GmbH, 7.00.22.00]
[C:\Program Files\AntiVir PersonalEdition Classic\avevtlog.dll] [Avira GmbH, 7.00.00.18]
[C:\Program Files\AntiVir PersonalEdition Classic\sqlite3.dll] [, 3, 3, 10, 0]
[PID: 120 / LOCAL SERVICE][C:\WINDOWS\system32\wdfmgr.exe] [Microsoft Corporation, 5.2.3790.1230 built by: DNSRV(bld4act)]
[PID: 388 / SYSTEM][C:\Program Files\Raxco\PerfectDisk\PDSched.exe] [Raxco Software, Inc., 6, 0, 0, 34]
[C:\Program Files\Raxco\PerfectDisk\PDCommon.dll] [Raxco Software, Inc., 6, 0, 0, 34]
[C:\Program Files\Raxco\PerfectDisk\PDLangEN.dll] [Raxco Software, Inc., 6, 0, 0, 34]
[C:\Program Files\Raxco\PerfectDisk\PDSchedPS.dll] [Raxco Software, Inc., 6, 0, 0, 34]
[C:\Program Files\Raxco\PerfectDisk\PDEnginePS.dll] [Raxco Software, Inc., 6, 0, 0, 34]
[C:\Program Files\Common Files\Raxco\AutoUpdps.dll] [Raxco Software, Inc., 6, 0, 0, 5]
[PID: 928 / LOCAL SERVICE][C:\WINDOWS\System32\alg.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 500 / SYSTEM][C:\WINDOWS\system32\wuauclt.exe] [Microsoft Corporation, 5.4.3790.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 2028 / SYSTEM][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 896 / Administrator][C:\WINDOWS\explorer.exe] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll] [Adobe Systems Incorporated, 6.0.1.2003110300]
[C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll] [Xi, 1.91.12]
[C:\Program Files\Xi\NetTransport 2\MFC42.DLL] [Microsoft Corporation, 6.00.9782.0]
[C:\PROGRA~1\ALiBaBar\ALiBaBar.dll] [Alfred, C. S. Li, 4.0.3.0]
[C:\Program Files\WinRAR\rarext.dll] [N/A, ]
[C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll] [Avira GmbH, 7.00.00.10]
[C:\Program Files\AntiVir PersonalEdition Classic\MFC71U.DLL] [Microsoft Corporation, 7.10.3077.0]
[C:\Program Files\AntiVir PersonalEdition Classic\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\system32\Audiodev.dll] [Microsoft Corporation, 5.2.3790.3646 built by: DNSRV(bld4act)]
[PID: 1716 / Administrator][C:\Program Files\AntiVir PersonalEdition Classic\avcenter.exe] [Avira GmbH, 7.01.00.05]
[C:\Program Files\AntiVir PersonalEdition Classic\MFC71U.DLL] [Microsoft Corporation, 7.10.3077.0]
[C:\Program Files\AntiVir PersonalEdition Classic\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\Program Files\AntiVir PersonalEdition Classic\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[C:\Program Files\AntiVir PersonalEdition Classic\ccmainrc.dll] [Avira GmbH, 7.1.1.0]
[C:\Program Files\AntiVir PersonalEdition Classic\ccguard.dll] [Avira GmbH, 7.00.01.21]
[C:\Program Files\AntiVir PersonalEdition Classic\ccgrdrc.dll] [Avira GmbH, 7.0.2.0]
[C:\Program Files\AntiVir PersonalEdition Classic\ccgen.dll] [Avira GmbH, 7.01.00.01]
[C:\Program Files\AntiVir PersonalEdition Classic\ccgenrc.dll] [Avira GmbH, 7.1.0.0]
[C:\Program Files\AntiVir PersonalEdition Classic\ccprofil.dll] [Avira GmbH, 7.01.00.06]
[C:\Program Files\AntiVir PersonalEdition Classic\ccscanrc.dll] [Avira GmbH, 7.01.02.00]
[C:\Program Files\AntiVir PersonalEdition Classic\cclic.dll] [Avira GmbH, 7.1.0.1]
[C:\Program Files\AntiVir PersonalEdition Classic\cclicrc.dll] [Avira GmbH, 7.1.0.0]
[C:\Program Files\AntiVir PersonalEdition Classic\ccquamgr.dll] [Avira GmbH, 7.01.00.05]
[C:\Program Files\AntiVir PersonalEdition Classic\ccquarc.dll] [Avira GmbH, 7.1.0.0]
[C:\Program Files\AntiVir PersonalEdition Classic\ccreport.dll] [Avira GmbH, 7.01.00.02]
[C:\Program Files\AntiVir PersonalEdition Classic\ccreporc.dll] [Avira GmbH, 7.1.1.0]
[C:\Program Files\AntiVir PersonalEdition Classic\ccsched.dll] [Avira GmbH, 7.01.00.04]
[C:\Program Files\AntiVir PersonalEdition Classic\ccscherc.dll] [Avira GmbH, 7.1.1.0]
[C:\Program Files\AntiVir PersonalEdition Classic\ccupdate.dll] [Avira GmbH, 7.01.00.01]
[C:\Program Files\AntiVir PersonalEdition Classic\ccupdrc.dll] [Avira GmbH, 7.1.0.2]
[C:\Program Files\AntiVir PersonalEdition Classic\ccev.dll] [Avira GmbH, 7.01.00.02]
[C:\Program Files\AntiVir PersonalEdition Classic\ccevrc.dll] [Avira GmbH, 7.01.00.01]
[C:\WINDOWS\system32\Audiodev.dll] [Microsoft Corporation, 5.2.3790.3646 built by: DNSRV(bld4act)]
[PID: 1260 / Administrator][G:\20070820桌面資料\20070813桌面data\sreng2\SREngPS.EXE] [Smallfrogs Studio, 2.5.16.900]
[G:\20070820桌面資料\20070813桌面data\sreng2\Lang\1028.DLL] [System Repair Engineer, 2.5.16.900]
[G:\20070820桌面資料\20070813桌面data\sreng2\Upload\3rdUpd.DLL] [Smallfrogs Studio, 2, 1, 0, 15]
==================================
文件關聯
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock 提供者
N/A
==================================
Autorun.inf
[I:\]
[AutoRun]
open=ntdelect.com
;shell\open=Open(&O)
shell\open\Command=ntdelect.com
shell\open\Default=1
;shell\explore=Manager(&X)
shell\explore\Command=ntdelect.com
==================================
HOSTS 文件
127.0.0.1 localhost
==================================
進程特權掃描
特殊特權被允許: SeLoadDriverPrivilege [PID = 1476, C:\PROGRAM FILES\ANTIVIR PERSONALEDITION CLASSIC\AVGUARD.EXE]
特殊特權被允許: SeLoadDriverPrivilege [PID = 1804, C:\PROGRAM FILES\ANTIVIR PERSONALEDITION CLASSIC\AVGNT.EXE]
特殊特權被允許: SeLoadDriverPrivilege [PID = 1716, C:\PROGRAM FILES\ANTIVIR PERSONALEDITION CLASSIC\AVCENTER.EXE]
==================================
API HOOK
N/A
==================================
隱藏進程
N/A
==================================
x0
|
|
|
引用 | 編輯
gunstyle
2007-09-05 09:33 |
9樓
▲ ▼ |
~忘了順便打上來,八樓的se報告是我家電腦的 可我實在是看不出什麼問題,也不知道如何刪毒,現在還不知道我倒底還有中什麼毒,墾請各大大幫忙看看我電腦是出了啥問題啊>"< 是不是全都是nilage木馬惹的禍呢 萬事拜託啦  x0
|
|
|
引用 | 編輯
upside
2007-09-05 12:45 |
10樓
▲ ▼ |
|
Autorun.inf
[I:\] [AutoRun] open=ntdelect.com ;shell\open=Open(&O) shell\open\Command=ntdelect.com shell\open\Default=1 ;shell\explore=Manager(&X) shell\explore\Command=ntdelect.com 這是一種隨身碟病毒 俗稱 KAV0 建議直接更換別套防毒軟體 並更新到最新病毒碼 大都可以查殺此毒 x0
|
|
|
引用 | 編輯
gunstyle
2007-09-05 15:12 |
11樓
▲ ▼ |
謝謝大大~~可是我掃毒都會掃到這樣的毒「W32/nilage.A.2」,這個也是KAVO嗎?我爬文後自認為他是木馬,然後我把他寄生的EXE檔隔離後,因為前陣子必須用電腦,然而重灌,就把我所 有的EXE檔給刪掉了   ,害得我現在什麼安裝檔都沒有 ,我現在用的是免費的ANTIVIR防毒,大大有沒有推賤的防毒軟體啊 x0
|
|
|
引用 | 編輯
gunstyle
2007-09-05 21:47 |
13樓
▲ ▼ |
|
感恩!我已經換防軟了,下面是我在掃毒後用se再度掃瞄的,可以幫我看看還有什麼問題嗎感恩 ---------------------------------------------------------------------------------------------------------------------------------------------- 複製程式
2007-09-05,21:43:37
System Repair Engineer 2.5.16.900
Smallfrogs ([url]http://www.KZTechs.com[/url])
Windows XP Professional Service Pack 2 (Build 2600) - 管理許可權用戶 - 完整功能
以下內容被選中:
所有的啟動項目(包括註冊表、開機檔案夾、服務等)
流覽器載入項
正在運行的進程(包括進程模組資訊)
文件關聯
Winsock 提供者
Autorun.inf
HOSTS 文件
進程特權掃描
啟動專案
註冊表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Windows Publisher]
<MsnMsgr><"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background> [(Verified)Microsoft Corporation]
<Yahoo! Pager><"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet> [(Verified)Yahoo! Inc.]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<IMJPMIG8.1><"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [(Verified)Microsoft Windows Publisher]
<SoundMan><SOUNDMAN.EXE> [(Verified)Microsoft Windows Publisher]
<NvCplDaemon><RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
<nwiz><nwiz.exe /install> [NVIDIA Corporation]
<NvMediaCenter><RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
<CJIMETIPSYNC><C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync> [(Verified)Microsoft Corporation]
<PHIMETIPSYNC><C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync> [(Verified)Microsoft Corporation]
<AVP><"C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"> [(Verified)Kaspersky Lab]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows Component Publisher]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll> [(Verified)Kaspersky Lab]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
<WinlogonNotify: klogon><C:\WINDOWS\system32\klogon.dll> [(Verified)Kaspersky Lab]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
<Internet Explorer><%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
<Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
<Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
<Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
<NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
<Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
<Address Book 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
<N/A><C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install> [Microsoft Corporation]
==================================
開機檔案夾
N/A
==================================
服務
[ASP.NET State Service / aspnet_state][Stopped/Manual Start]
<C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe><Microsoft Corporation>
[Kaspersky Internet Security 7.0 / AVP][Running/Auto Start]
<"C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r><Kaspersky Lab>
[Human Interface Device Access / HidServ][Stopped/Disabled]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[NVIDIA Display Driver Service / NVSvc][Running/Auto Start]
<C:\WINDOWS\system32\nvsvc32.exe><NVIDIA Corporation>
[PDEngine / PDEngine][Stopped/Manual Start]
<"C:\Program Files\Raxco\PerfectDisk\PDEngine.exe"><Raxco Software, Inc.>
[PDScheduler / PDSched][Running/Auto Start]
<"C:\Program Files\Raxco\PerfectDisk\PDSched.exe"><Raxco Software, Inc.>
==================================
驅動程式
[Service for Realtek AC97 Audio (WDM) / ALCXWDM][Running/Manual Start]
<system32\drivers\ALCXWDM.SYS><Realtek Semiconductor Corp.>
[kl1 / kl1][Running/Boot Start]
<\SystemRoot\system32\drivers\kl1.sys><Kaspersky Lab>
[klif / klif][Running/System Start]
<\??\C:\WINDOWS\system32\drivers\klif.sys><Kaspersky Lab>
[Kaspersky Anti-Virus NDIS Filter / klim5][Running/Manual Start]
<system32\DRIVERS\klim5.sys><Kaspersky Lab>
[nv / nv][Running/Manual Start]
<system32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[Padus ASPI Shell / pfc][Running/Manual Start]
<system32\drivers\pfc.sys><Padus, Inc.>
[直接平行連接埠連結驅動程式 / Ptilink][Running/Manual Start]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Secdrv / Secdrv][Stopped/Manual Start]
<system32\DRIVERS\secdrv.sys><N/A>
[SVKP / SVKP][Running/Auto Start]
<\??\C:\WINDOWS\system32\SVKP.sys><AntiCracking>
[NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller / yukonwxp][Running/Manual Start]
<system32\DRIVERS\yk51x86.sys><Marvell>
==================================
流覽器載入項
[AcroIEHlprObj Class]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[Windows Live Sign-in Helper]
{9030D464-4C02-4ABF-8ECC-5164760863C6} <C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll, Microsoft Corporation>
[NTIECatcher Class]
{C56CB6B0-0D96-11D6-8C65-B2868B609932} <C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll, Xi>
[網頁防護統計]
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} <C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll, Kaspersky Lab>
[參考資料(&R)]
{92780B25-18CC-41C8-B9BE-3C9C571A8263} <C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL, Microsoft Corporation>
[a-squared Scanner]
{BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} <C:\WINDOWS\DOWNLO~1\asquared.ocx, Emsi Software GmbH>
[AcroIEHlprObj Class]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[Windows Media Player]
{6BF52A52-394A-11D3-B153-00C04F79FAA6} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[Windows Live Sign-in Helper]
{9030D464-4C02-4ABF-8ECC-5164760863C6} <C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll, Microsoft Corporation>
[NTIECatcher Class]
{C56CB6B0-0D96-11D6-8C65-B2868B609932} <C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll, Xi>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9c.ocx, Adobe Systems, Inc.>
[使用影音傳送帶下載]
<C:\Program Files\Xi\NetTransport 2\NTAddLink.html, N/A>
[使用影音傳送帶下載全部連結]
<C:\Program Files\Xi\NetTransport 2\NTAddList.html, N/A>
[剪貼簿文字: 簡 > 繁]
<res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToTrad, N/A>
[剪貼簿文字: 繁 > 簡]
<res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToSim, N/A>
[匯出至 Microsoft Office Excel(&X)]
<res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000, N/A>
[新增至廣告橫幅防護]
<C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm, N/A>
[網頁: [簡體] 顯示]
<res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToSim, N/A>
[網頁: [繁體] 顯示]
<res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToTrad, N/A>
==================================
正在運行的進程
[PID: 976 / SYSTEM][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1068 / SYSTEM][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1152 / SYSTEM][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll] [Kaspersky Lab, 7.0.0.125]
[C:\WINDOWS\system32\klogon.dll] [Kaspersky Lab, 7.0.0.125]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 1196 / SYSTEM][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1208 / SYSTEM][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\dnsq.dll] [Kaspersky Lab, 7.0.0.125]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll] [Kaspersky Lab, 7.0.0.125]
[PID: 1376 / SYSTEM][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll] [Kaspersky Lab, 7.0.0.125]
[PID: 1484 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\dnsq.dll] [Kaspersky Lab, 7.0.0.125]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll] [Kaspersky Lab, 7.0.0.125]
[PID: 1600 / SYSTEM][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll] [Kaspersky Lab, 7.0.0.125]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\adialhk.dll] [Kaspersky Lab, 7.0.0.125]
[C:\WINDOWS\system32\wups2.dll] [Microsoft Corporation, 7.0.6000.381 (winmain(wmbla).070730-1740)]
[PID: 1700 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll] [Kaspersky Lab, 7.0.0.125]
[PID: 1796 / LOCAL SERVICE][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1980 / SYSTEM][C:\WINDOWS\system32\spoolsv.exe] [Microsoft Corporation, 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\dnsq.dll] [Kaspersky Lab, 7.0.0.125]
[C:\WINDOWS\system32\mdimon.dll] [Microsoft Corporation, 11.3.1897.0]
[C:\WINDOWS\System32\spool\PRTPROCS\W32X86\mdippr.dll] [Microsoft Corporation, 11.3.1897.0]
[PID: 380 / Administrator][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234)]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll] [Kaspersky Lab, 7.0.0.125]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\scrchpg.dll] [Kaspersky Lab, 7.0.0.125]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\adialhk.dll] [Kaspersky Lab, 7.0.0.125]
[C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll] [Adobe Systems Incorporated, 6.0.1.2003110300]
[C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll] [Xi, 1.91.12]
[C:\Program Files\Xi\NetTransport 2\MFC42.DLL] [Microsoft Corporation, 6.00.9782.0]
[C:\Program Files\Microsoft Office\OFFICE11\msohev.dll] [Microsoft Corporation, 11.0.5510]
[PID: 572 / Administrator][C:\WINDOWS\SOUNDMAN.EXE] [Realtek Semiconductor Corp., 5.1.0.30]
[PID: 600 / Administrator][C:\WINDOWS\system32\RUNDLL32.EXE] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\NvMcTray.dll] [NVIDIA Corporation, 6.14.10.6085]
[PID: 636 / Administrator][C:\WINDOWS\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 644 / Administrator][C:\Program Files\MSN Messenger\MsnMsgr.Exe] [Microsoft Corporation, 8.1.0178.00]
[C:\Program Files\MSN Messenger\MSNCore.dll] [Microsoft Corporation, 8.1.0178.00]
[C:\Program Files\MSN Messenger\msidcrl40.dll] [Microsoft Corporation, 4.100.313.1]
[C:\Program Files\MSN Messenger\ContactsUX.dll] [Microsoft Corporation, 8.1.0178.00]
[C:\Program Files\MSN Messenger\msgslang.8.1.0178.00.dll] [Microsoft Corporation, 8.1.0178.00]
[C:\Program Files\MSN Messenger\msgsres.dll] [Microsoft Corporation, 8.1.0178.00]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll] [Kaspersky Lab, 7.0.0.125]
[C:\Program Files\MSN Messenger\MSGSWCAM.dll] [Microsoft Corporation, 8.1.0178.00]
[C:\WINDOWS\system32\sirenacm.dll] [Microsoft Corp., 8.1.0178.00]
[C:\WINDOWS\system32\msdmo.dll] [, ]
[C:\Program Files\MSN Messenger\lmcdata.dll] [Microsoft Corporation, 8.1.0178.00]
[C:\Program Files\MSN Messenger\contact.dll] [Microsoft Corporation, 8.1.0178.00]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\dnsq.dll] [Kaspersky Lab, 7.0.0.125]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\adialhk.dll] [Kaspersky Lab, 7.0.0.125]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\scrchpg.dll] [Kaspersky Lab, 7.0.0.125]
[C:\Program Files\MSN Messenger\dfsr.dll] [Microsoft Corporation, 8.1.0178.00]
[C:\Program Files\MSN Messenger\abssm.dll] [Microsoft Corporation, 8.1.0178.00]
[C:\Program Files\MSN Messenger\usnsvcps.dll] [Microsoft Corporation, 8.1.0178.00]
[C:\Program Files\MSN Messenger\custsat.dll] [Microsoft Corporation, 9.0.3790.2428 (srv03_sp1_qfe.050422-1043)]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\klscav.dll] [Kaspersky Lab, 7.0.0.125]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\prremote.dll] [Kaspersky Lab, 7.0.0.125]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\prloader.dll] [Kaspersky Lab, 7.0.0.125]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\prkernel.ppl] [Kaspersky Lab, 7.0.0.125]
[c:\program files\kaspersky lab\kaspersky internet security 7.0\params.ppl] [Kaspersky Lab, 7.0.0.125]
[c:\program files\kaspersky lab\kaspersky internet security 7.0\pxstub.ppl] [Kaspersky Lab, 7.0.0.125]
[c:\program files\kaspersky lab\kaspersky internet security 7.0\tempfile.ppl] [Kaspersky Lab, 7.0.0.125]
[C:\WINDOWS\system32\MSTCIPHA.IME] [Microsoft Corporation, 6.5.5515.0]
[C:\WINDOWS\system32\LIUNT.IME] [Microsoft Corporation, 4.00.950]
[PID: 712 / SYSTEM][C:\WINDOWS\system32\nvsvc32.exe] [NVIDIA Corporation, 6.14.10.6085]
[PID: 556 / LOCAL SERVICE][C:\WINDOWS\system32\wdfmgr.exe] [Microsoft Corporation, 5.2.3790.1230 built by: DNSRV(bld4act)]
[PID: 1108 / SYSTEM][C:\Program Files\Raxco\PerfectDisk\PDSched.exe] [Raxco Software, Inc., 6, 0, 0, 34]
[C:\Program Files\Raxco\PerfectDisk\PDCommon.dll] [Raxco Software, Inc., 6, 0, 0, 34]
[C:\Program Files\Raxco\PerfectDisk\PDLangEN.dll] [Raxco Software, Inc., 6, 0, 0, 34]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll] [Kaspersky Lab, 7.0.0.125]
[C:\Program Files\Raxco\PerfectDisk\PDSchedPS.dll] [Raxco Software, Inc., 6, 0, 0, 34]
[C:\Program Files\Raxco\PerfectDisk\PDEnginePS.dll] [Raxco Software, Inc., 6, 0, 0, 34]
[C:\Program Files\Common Files\Raxco\AutoUpdps.dll] [Raxco Software, Inc., 6, 0, 0, 5]
[PID: 1672 / Administrator][C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe] [Yahoo! Inc., 8,1,0,0]
[C:\PROGRA~1\Yahoo!\MESSEN~1\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[C:\PROGRA~1\Yahoo!\MESSEN~1\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\Program Files\Yahoo!\Shared\YbSkin2.dll] [Yahoo! Inc., 2006, 10, 11, 1]
[C:\PROGRA~1\Yahoo!\MESSEN~1\res_msgr.dll] [Yahoo! Inc., 8,5,0,1]
[PID: 2184 / LOCAL SERVICE][C:\WINDOWS\System32\alg.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 3808 / SYSTEM][C:\Program Files\MSN Messenger\usnsvc.exe] [Microsoft Corporation, 8.1.0178.00]
[C:\Program Files\MSN Messenger\usnsvcps.dll] [Microsoft Corporation, 8.1.0178.00]
[PID: 3460 / Administrator][C:\Program Files\Mozilla Firefox\firefox.exe] [Mozilla Corporation, 1.8.1: 2006101023]
[C:\Program Files\Mozilla Firefox\js3250.dll] [Netscape Communications Corporation, 4.0]
[C:\Program Files\Mozilla Firefox\nspr4.dll] [Netscape Communications Corporation, 4.6.3]
[C:\Program Files\Mozilla Firefox\xpcom_core.dll] [Mozilla Foundation, 1.8.1: 2006101023]
[C:\Program Files\Mozilla Firefox\plc4.dll] [Netscape Communications Corporation, 4.6.3]
[C:\Program Files\Mozilla Firefox\plds4.dll] [Netscape Communications Corporation, 4.6.3]
[C:\Program Files\Mozilla Firefox\smime3.dll] [Mozilla Foundation, 3.11.3 Basic ECC]
[C:\Program Files\Mozilla Firefox\nss3.dll] [Mozilla Foundation, 3.11.3 Basic ECC]
[C:\Program Files\Mozilla Firefox\softokn3.dll] [Mozilla Foundation, 3.11.3 Basic ECC]
[C:\Program Files\Mozilla Firefox\ssl3.dll] [Mozilla Foundation, 3.11.3 Basic ECC]
[C:\Program Files\Mozilla Firefox\xpcom_compat.dll] [Mozilla Foundation, 1.8.1: 2006101023]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll] [Kaspersky Lab, 7.0.0.125]
[C:\Program Files\Mozilla Firefox\components\myspell.dll] [Mozilla Foundation, 1.8.1: 2006101023]
[C:\Program Files\Mozilla Firefox\components\jar50.dll] [Mozilla Foundation, 1.8.1: 2006101023]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\dnsq.dll] [Kaspersky Lab, 7.0.0.125]
[C:\Program Files\Mozilla Firefox\components\spellchk.dll] [Mozilla Foundation, 1.8.1: 2006101023]
[C:\Program Files\Mozilla Firefox\freebl3.dll] [Mozilla Foundation, 3.11.3 Basic ECC]
[C:\Program Files\Mozilla Firefox\nssckbi.dll] [Mozilla Foundation, 1.62]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll] [, ]
[C:\WINDOWS\system32\Macromed\Common\SwSupport.dll] [Macromedia, Inc., 10.0r210]
[C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8qayjb64.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll] [ , 1, 0, 9, 1]
[C:\Program Files\Mozilla Firefox\xpcom.dll] [Mozilla Foundation, 1.8.1: 2006101023]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\scrchpg.dll] [Kaspersky Lab, 7.0.0.125]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\adialhk.dll] [Kaspersky Lab, 7.0.0.125]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\klscav.dll] [Kaspersky Lab, 7.0.0.125]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\prremote.dll] [Kaspersky Lab, 7.0.0.125]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\prloader.dll] [Kaspersky Lab, 7.0.0.125]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\prkernel.ppl] [Kaspersky Lab, 7.0.0.125]
[c:\program files\kaspersky lab\kaspersky internet security 7.0\params.ppl] [Kaspersky Lab, 7.0.0.125]
[c:\program files\kaspersky lab\kaspersky internet security 7.0\pxstub.ppl] [Kaspersky Lab, 7.0.0.125]
[c:\program files\kaspersky lab\kaspersky internet security 7.0\tempfile.ppl] [Kaspersky Lab, 7.0.0.125]
[C:\WINDOWS\system32\javacypt.dll] [Microsoft Corporation, 5.00.3810]
[C:\WINDOWS\system32\msjava.dll] [Microsoft Corporation, 5.00.3810]
[C:\WINDOWS\system32\VMHELPER.DLL] [Microsoft Corporation, 5.00.3810]
[C:\WINDOWS\system32\Macromed\Flash\Flash9c.ocx] [Adobe Systems, Inc., 9,0,45,0]
[C:\WINDOWS\system32\JIT.DLL] [Microsoft Corporation, 5.00.3810]
[C:\WINDOWS\system32\javart.dll] [Microsoft Corporation, 5.00.3810]
[PID: 4072 / Administrator][C:\WINDOWS\system32\conime.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 2076 / Administrator][F:\Warcraft III私輔\War3.exe] [evaxp.com kenshin, 1, 21, 0, 6263]
[F:\Warcraft III私輔\storm.dll] [Blizzard Entertainment, 1.09]
[F:\Warcraft III私輔\mss32.dll] [N/A, ]
[F:\Warcraft III私輔\w3lh.dll] [N/A, ]
[F:\Warcraft III私輔\Game.dll] [Blizzard Entertainment, 1, 21, 0, 6263]
[F:\Warcraft III私輔\ijl15.dll] [Intel Corporation, 1,5,4,36]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll] [Kaspersky Lab, 7.0.0.125]
[F:\Warcraft III私輔\redist\miles\Mp3dec.asi] [N/A, ]
[F:\Warcraft III私輔\redist\miles\Mssdolby.m3d] [N/A, ]
[F:\Warcraft III私輔\redist\miles\Msseax2.m3d] [N/A, ]
[F:\Warcraft III私輔\redist\miles\Mssfast.m3d] [N/A, ]
[F:\Warcraft III私輔\redist\miles\Reverb3.flt] [N/A, ]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\dnsq.dll] [Kaspersky Lab, 7.0.0.125]
[PID: 3676 / Administrator][G:\20070820桌面資料\sreng2\SREngPS.EXE] [Smallfrogs Studio, 2.5.16.900]
[G:\20070820桌面資料\sreng2\Lang\1028.DLL] [System Repair Engineer, 2.5.16.900]
[G:\20070820桌面資料\sreng2\Upload\3rdUpd.DLL] [Smallfrogs Studio, 2, 1, 0, 15]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll] [Kaspersky Lab, 7.0.0.125]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\adialhk.dll] [Kaspersky Lab, 7.0.0.125]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\dnsq.dll] [Kaspersky Lab, 7.0.0.125]
==================================
文件關聯
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock 提供者
N/A
==================================
Autorun.inf
N/A
==================================
HOSTS 文件
127.0.0.1 localhost
==================================
進程特權掃描
特殊特權被允許: SeLoadDriverPrivilege [PID = 1108, C:\PROGRAM FILES\RAXCO\PERFECTDISK\PDSCHED.EXE]
特殊特權被允許: SeLoadDriverPrivilege [PID = 3460, C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE]
特殊特權被允許: SeLoadDriverPrivilege [PID = 2076, F:\WARCRAFT III私輔\WAR3.EXE]
==================================
API HOOK
RVA 錯誤: LoadLibraryA (危險等級: 高, 被下麵模組所HOOK: \??\C:\WINDOWS\system32\drivers\klif.sys)
RVA 錯誤: LoadLibraryExA (危險等級: 高, 被下麵模組所HOOK: \??\C:\WINDOWS\system32\drivers\klif.sys)
RVA 錯誤: LoadLibraryExW (危險等級: 高, 被下麵模組所HOOK: \??\C:\WINDOWS\system32\drivers\klif.sys)
RVA 錯誤: LoadLibraryW (危險等級: 高, 被下麵模組所HOOK: \??\C:\WINDOWS\system32\drivers\klif.sys)
RVA 錯誤: GetProcAddress (危險等級: 高, 被下麵模組所HOOK: \??\C:\WINDOWS\system32\drivers\klif.sys)
==================================
隱藏進程
N/A
==================================
x0
|
|
|
引用 | 編輯
gunstyle
2007-09-06 01:28 |
15樓
▲ |
|
那可以請問一下嗎 API HOOK RVA 錯誤: LoadLibraryA (危險等級: 高, 被下麵模組所HOOK: \??\C:\WINDOWS\system32\drivers\klif.sys) RVA 錯誤: LoadLibraryExA (危險等級: 高, 被下麵模組所HOOK: \??\C:\WINDOWS\system32\drivers\klif.sys) RVA 錯誤: LoadLibraryExW (危險等級: 高, 被下麵模組所HOOK: \??\C:\WINDOWS\system32\drivers\klif.sys) RVA 錯誤: LoadLibraryW (危險等級: 高, 被下麵模組所HOOK: \??\C:\WINDOWS\system32\drivers\klif.sys) RVA 錯誤: GetProcAddress (危險等級: 高, 被下麵模組所HOOK: \??\C:\WINDOWS\system32\drivers\klif.sys) 是什麼意思啊 x0
|
|