[Infected] Can't make new network connections, but already-established ones work normally.
1. Problem description:
I don't know how long I've been infected, because the problem only showed up today, so I thought I'd run a virus scan and see...
After I got home today I found that the network was connected, but web pages, MSN and so on would not open. After rebooting, right after the network came up, PCMan, MSN and web pages all opened, but after a little while (less than a minute) opening a new web page would fail to connect, while the BBS sites and MSN that were already connected kept working normally. Once I close them or they disconnect, they can't connect again either. If I disconnect the network connection and reconnect, there are again 10 to 20 seconds during which I can connect, and then web pages immediately stop opening; I refreshed more than 400 times and still couldn't connect. I don't think it's the modem or the network, because my roommate's computer and network are both fine.
2. Scan report:
Sorry, I can't open web pages right now, so I don't know how to upload that. I scanned with Norton and it found three infections. It originally detected some others too, but I found those files, moved them to the Recycle Bin and then deleted them. The remaining three are as follows:
レベル (Level)    タイトル (Title)    處理 (Action)
低レベル (Low)    Tracking Cookie     無償のスキャナで除去不能 (Cannot be removed by the free scanner)
高レベル (High)   W32.Spybot.Worm     無償のスキャナで除去不能 (Cannot be removed by the free scanner)
高レベル (High)   W32.SillyDC         無償のスキャナで除去不能 (Cannot be removed by the free scanner)
レベル is probably the severity and タイトル is probably the virus name; I don't know what the last column means, but in any case they can't be deleted
(I also can't figure out why my Norton is showing up in Japanese). The virus locations are as follows:
リスク名 (Risk name)   リスク種類 (Risk type)   File location
Tracking Cookie        Cookie                   No file location is shown for this one, just a bunch of
                                                e-mail-like strings of the form Cookie@xxxxxx.com/, e.g.
                                                Cookie:lu@fastclick.net/
                                                Cookie:lu@badongo.com/
W32.Spybot.Worm        ウイルス (Virus)          c:\windows\system32\drivers\sysmon.exe
                                                It lists both "Action" and "Infected", both at this
                                                location; I couldn't find the file in that folder.
                                                c:\windows\system32\drivers\lbtwiz.exe
                                                This one is listed only under "Infected", and I couldn't
                                                find the file either.
W32.SillyDC            ウイルス (Virus)          Same as the first W32.Spybot.Worm entry,
                                                c:\windows\system32\drivers\sysmon.exe
                                                also couldn't find the file.
That's about all the information I could find; I hope some of you experts have an idea and can help me out > <"!!
3. System diagnostic tool scan report:
If you cannot use the network, see 精華區 (digest board) 1 - 8 for how to use them
I'll add this after I've finished going through 精華區 1-8.
4. Report links:
Please paste the scan reports (logs) below (all of the above are required)
Combofix :
Hijackthis:
SRENG :
Antivirus report :
Um... everything I saw after scanning is already written under point 2 @@"
What's missing is what I saw when clicking into each of those three items, so I'll add that here.
First one
cookie:
Cookie:lu@send.microad.jp/
Cookie:lu@imrworldwide.com/cgi-bin
Cookie:lu@ad.zanox.com/
Cookie:lu@msnaccountservices.112.2o7.net/
Cookie:lu@ads.pointroll.com/
Cookie:lu@m.webtrends.com/
Cookie:lu@casalemedia.com/
Cookie:lu@azjmp.com/
Cookie:lu@hitbox.com/
Cookie:lu@ad.yieldmanager.com/
Cookie:lu@msnportal.112.2o7.net/
Cookie:lu@apmebf.com/
Cookie:lu@rm.yieldmanager.com/
Cookie:lu@advertising.com/
Cookie:lu@adbrite.com/
Cookie:lu@www.badongo.com/
Cookie:lu@4megaupload.powered-by.zango.com/
Cookie:lu@bs.serving-sys.com/
Cookie:lu@yieldmanager.com/
Cookie:lu@atdmt.com/
Cookie:lu@ads.addynamix.com/
Cookie:lu@doubleclick.net/
Cookie:lu@searchportal.information.com/
Cookie:lu@specificclick.net/
Cookie:lu@statse.webtrendslive.com/
Cookie:lu@statcounter.com/
Cookie:lu@yahoojapan.112.2o7.net/
Cookie:lu@adsrevenue.net/
Cookie:lu@questionmarket.com/
Cookie:lu@ehg-comcast.hitbox.com/
Cookie:lu@zedo.com/
Cookie:lu@microsoftwga.112.2o7.net/
Cookie:lu@fastclick.net/
Cookie:lu@badongo.com/
Cookie:lu@yadro.ru/
Cookie:lu@content.liveuniverse.com/
Cookie:lu@d3.zedo.com/
Cookie:lu@hotrank.com.tw/
Cookie:lu@overture.com/
Cookie:lu@www7.addfreestats.com/cgi-bin
Cookie:lu@kontera.com/
Cookie:lu@adopt.specificclick.net/
Cookie:lu@img522.imageshack.us/
Cookie:lu@revenue.net/
Cookie:lu@serving-sys.com/
Cookie:lu@xxxcounter.com/
Cookie:lu@realmedia.com/
Cookie:lu@dealtime.com/
Cookie:lu@wl003.sibulla.com/sibulog/
Cookie:lu@adultfriendfinder.com/
Cookie:lu@server.iad.liveperson.net/hc/9285139
Cookie:lu@rakuten.112.2o7.net/
Cookie:lu@tradedoubler.com/
Cookie:lu@kakakucom.112.2o7.net/
Cookie:lu@server.iad.liveperson.net/
Cookie:lu@com.com/
Cookie:lu@tribalfusion.com/
Cookie:lu@toplist.cz/
Cookie:lu@cms.trafficmp.com/
Cookie:lu@stats.adbrite.com/
Cookie:lu@stat.dealtime.com/
Cookie:lu@underarmour.112.2o7.net/
Cookie:lu@2o7.net/
Second one
処理 (Action):
c:\windows\system32\drivers\sysmon.exe
感染 (Infected):
c:\windows\system32\drivers\sysmon.exe
レジストリ (Registry):
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunServices\->Firewall Controls
HKEY_USERS\S-1-5-21-343818398-1647877149-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\RunServices\->Firewall Controls
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunServices\->Firewall Controls
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices\->Firewall Controls
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\->Firewall Controls
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\->SFCScan
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\->246545
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\->665578
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\->7686743
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\->rrrun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\->Microsoft Visual Application
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\->C:\WINDOWS\system32\dllcache\winsno.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunServices\->ATI Video Driver Controls
HKEY_USERS\S-1-5-21-343818398-1647877149-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\RunServices\->ATI Video Driver Controls
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunServices\->ATI Video Driver Controls
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices\->ATI Video Driver Controls
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunServices\->Microsoft Directxsp
HKEY_USERS\S-1-5-21-343818398-1647877149-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\RunServices\->Microsoft Directxsp
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunServices\->Microsoft Directxsp
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices\->Microsoft Directxsp
HKEY_CLASSES_ROOT\CLSID\{1C047C97-CA7F-BAF1-05A4-AEBA271281ED}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\->ATI Video Driver Controls
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\->Microsoft Directxsp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\->ATI Video Driver Controls
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\->Microsoft Directxsp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\->1123
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\->112
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\->AntiVirusOverride:0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\->FirewallOverride:0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\->Shell:Explorer.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\->Start:4
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry->Start:2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr->Start:3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole->EnableDCOM:Y
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update->AUOptions:3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center->UpdatesDisableNotify:0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control->WaitToKillServiceTimeout:20000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon->SFCDisable:0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa->restrictanonymous:0
感染 (Infected):
c:\windows\system32\drivers\lbtwiz.exe
Third one
処理 (Action):
c:\windows\system32\drivers\systmon.exe
感染 (Infected):
c:\windows\system32\drivers\systmon.exe
ファイル (Files):
c:\documents and settings\lu\local settings\temp\~df129c.tmp
c:\documents and settings\lu\local settings\temp\~df16c6.tmp
c:\documents and settings\lu\local settings\temp\~df1eaf.tmp
c:\documents and settings\lu\local settings\temp\~df2f94.tmp
c:\documents and settings\lu\local settings\temp\~df3147.tmp
c:\documents and settings\lu\local settings\temp\~df31a7.tmp
c:\documents and settings\lu\local settings\temp\~df4ff0.tmp
c:\documents and settings\lu\local settings\temp\~df513e.tmp
c:\documents and settings\lu\local settings\temp\~df527f.tmp
c:\documents and settings\lu\local settings\temp\~df5914.tmp
c:\documents and settings\lu\local settings\temp\~df5e6a.tmp
c:\documents and settings\lu\local settings\temp\~df6a1b.tmp
c:\documents and settings\lu\local settings\temp\~df8816.tmp
c:\documents and settings\lu\local settings\temp\~df8b8e.tmp
c:\documents and settings\lu\local settings\temp\~df9961.tmp
c:\documents and settings\lu\local settings\temp\~dfadf3.tmp
c:\documents and settings\lu\local settings\temp\~dfbdb9.tmp
c:\documents and settings\lu\local settings\temp\~dfd6a.tmp
c:\documents and settings\lu\local settings\temp\~dfe600.tmp
c:\documents and settings\lu\local settings\temp\~dfe7a5.tmp
c:\documents and settings\lu\local settings\temp\~dfede4.tmp
レジストリ (Registry):
HKEY_USERS\S-1-5-21-343818398-1647877149-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System->DisableRegistryTools:0
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System->DisableRegistryTools:0
HKEY_USERS\S-1-5-21-343818398-1647877149-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced->ShowSuperHidden:1
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer->NoDriveTypeAutoRun:0
HKEY_USERS\S-1-5-21-343818398-1647877149-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer->NoDriveTypeAutoRun:0
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer->NoDriveTypeAutoRun:0
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer->NoDriveTypeAutoRun:0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon->Shell:Explorer.exe
HKEY_USERS\S-1-5-21-343818398-1647877149-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\->HideFileExt:0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon->Shell
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run->SYSTMON.EXE
感染 (Infected):
c:\documents and settings\lu\local settings\temporary internet files\content.ie5\ufsf0bhx\tw[1].exe
That's a lot... I hope everyone can make sense of it > <
The last "Infected" item under the third one, tw[1].exe, I did find, and I just moved it to the Recycle Bin and deleted it.
--
※ Posted from: 批踢踢實業坊(ptt.cc)
◆ From: 61.227.193.146
Full thread (this article is post 1 of 4):
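The Norton output quoted in the post lists registry locations without saying what each one means for whoever has to clean the machine. The following is an added example (the editor's own code, not from the post, from Symantec or from any PTT guide): it parses findings in the shape Norton printed them (a key, an arrow, a value name, and sometimes `:data`) and tags each with what a responder would check next. Run/RunServices entries are autostart persistence; an entry under the Windows Firewall `AuthorizedApplications\List` is an exception the malware granted itself; `Security Center` override flags silence the alerts; the `Winlogon\Shell` value is checked against the expected `Explorer.exe`; service start types are decoded (SharedAccess is the Windows Firewall/ICS service on XP, so `Start:4` means it is Disabled); and `NoDriveTypeAutoRun` is checked for the removable-drive bit. The category names and rules are the editor's own, and `SAMPLE_FINDINGS` is constructed from the lines the post quotes, rejoined onto one line each.

```python
"""Triage of registry findings in the shape Norton printed them in the post above.
Added example: editor's own code, not from the post or from Symantec.  The categories
and rules are the editor's; SAMPLE_FINDINGS is constructed from the post's findings.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_FINDINGS = r"""
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices\->Firewall Controls
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\->Microsoft Visual Application
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run->SYSTMON.EXE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\->C:\WINDOWS\system32\dllcache\winsno.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\->AntiVirusOverride:0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\->Shell:Explorer.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\->Start:4
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry->Start:2
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer->NoDriveTypeAutoRun:0
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall
"""

START_TYPES = {"2": "Automatic", "3": "Manual", "4": "Disabled"}
AUTOSTART_KEY = re.compile(r"\\CurrentVersion\\Run(Services|Once)?$", re.I)
SERVICE_KEY = re.compile(r"\\Services\\([^\\]+)$", re.I)
# drivers\ normally holds .sys files and dllcache\ is Windows File Protection's store,
# so an .exe launched from or whitelisted in either deserves a second look.
ODD_EXE_DIRS = ("\\system32\\drivers\\", "\\dllcache\\", "\\local settings\\temp\\")


@dataclass
class Entry:
    key: str
    value: Optional[str] = None  # value name; None when Norton listed only a key
    data: Optional[str] = None   # data printed after ':' when Norton showed it


def parse_line(line: str) -> Optional[Entry]:
    """Parse one finding of the form KEY[\]->ValueName[:Data]; None for a blank line."""
    line = line.strip()
    if not line:
        return None
    key, arrow, rest = line.partition("->")
    key = key.rstrip("\\")
    if not arrow:
        return Entry(key)
    if re.match(r"^[A-Za-z]:\\", rest):  # a file path; its drive-letter colon is not a separator
        return Entry(key, rest)
    value, colon, data = rest.partition(":")
    return Entry(key, value, data if colon else None)


def odd_executable(path: Optional[str]) -> bool:
    p = (path or "").lower()
    return p.endswith(".exe") and any(d in p for d in ODD_EXE_DIRS)


def classify(e: Entry) -> Tuple[str, str]:
    """Return (category, note) for one parsed entry."""
    k = e.key
    if AUTOSTART_KEY.search(k):
        return "persistence", f"autostart value {e.value!r}; resolve the command it launches"
    if "\\FirewallPolicy\\" in k and k.endswith("\\AuthorizedApplications\\List"):
        flag = "odd location" if odd_executable(e.value) else "verify"
        return "defense-evasion", f"firewall exception for {e.value} ({flag})"
    if k.endswith("\\Security Center") and e.value in ("AntiVirusOverride", "FirewallOverride"):
        state = "not overridden" if e.data == "0" else "alerts suppressed"
        return "defense-evasion", f"Security Center {e.value}={e.data} ({state})"
    if k.endswith("\\Winlogon") and e.value == "Shell":
        ok = (e.data or "").lower() == "explorer.exe"
        return ("info" if ok else "persistence"), f"Winlogon Shell={e.data!r} ({'expected' if ok else 'replaced'})"
    m = SERVICE_KEY.search(k)
    if m and e.value == "Start":
        svc, start = m.group(1), START_TYPES.get(e.data, e.data)
        if svc.lower() == "sharedaccess" and e.data == "4":
            # SharedAccess is the Windows Firewall / Internet Connection Sharing service on XP.
            return "defense-evasion", "SharedAccess (Windows Firewall/ICS) service Disabled"
        return "service-config", f"{svc} start type {start}"
    if e.value == "NoDriveTypeAutoRun":
        try:
            mask = int(e.data, 0)  # accepts decimal or 0x-prefixed hex as printed
        except (TypeError, ValueError):
            return "review", f"NoDriveTypeAutoRun={e.data!r} (unparsed)"
        if not mask & 0x04:  # 0x04 is the DRIVE_REMOVABLE bit of the mask
            return "exposure", "AutoRun still enabled for removable drives (bit 0x04 clear)"
        return "info", f"NoDriveTypeAutoRun={e.data}"
    if e.value is None and k.endswith("\\Policies\\Microsoft\\WindowsFirewall"):
        return "defense-evasion", "firewall policy key present; check EnableFirewall beneath it"
    return "review", "no rule matched"


def triage(text: str) -> List[Tuple[str, str, str]]:
    """Parse and classify every line; returns (category, note, key) triples."""
    out = []
    for raw in text.splitlines():
        e = parse_line(raw)
        if e is not None:
            cat, note = classify(e)
            out.append((cat, note, e.key))
    return out


if __name__ == "__main__":
    for cat, note, key in triage(SAMPLE_FINDINGS):
        print(f"[{cat:15}] {note}\n{'':18}{key}")
```

Running the module prints one tagged line per finding. The rules deliberately do not decide whether a value is malicious: an autostart entry is flagged so the command behind it gets resolved on the machine itself, which is the step the Norton listing leaves out.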