[Infected] Infected with e8main0.dll; Avira (小紅傘) cannot scan or update
There is a file named e8main0.dll in the system32 folder.
From what I looked up, it is a USB flash drive virus.
After running E-Fix, the output is as follows. Would someone kind please help me make sense of it?
[code]
script code: 12733
efix 5.2 20090613.07 - 2009-06-13 23:02:11.48 - ntfs
Microsoft Windows XP Service Pack 3 Service - Admin
執行位置: C:\Documents and Settings\Admin\My Documents\EFIX\EF.exe
AV: AntiVir Desktop (Avira GmbH) None - Enabled
* 已建立系統還原點.
提示:
START HTA GUI Failed.
================================================================================
EF刪除的檔案列表:
沒有刪除任何檔案.
================================================================================
EF修改的登錄值列表:
沒有刪除任何登錄值.
================================================================================
EF刪除的檔案備份位置列表:
c:\vpqdgkx.com => C:\ef_backup\backup\c\vpqdgkx.com.vir
c:\WINDOWS\AhnRpta.exe => C:\ef_backup\backup\c\WINDOWS\AhnRpta.exe.vir
e:\vpqdgkx.com => C:\ef_backup\backup\e\vpqdgkx.com.vir
f:\vpqdgkx.com => C:\ef_backup\backup\f\vpqdgkx.com.vir
g:\vpqdgkx.com => C:\ef_backup\backup\g\vpqdgkx.com.vir
h:\vpqdgkx.com => C:\ef_backup\backup\h\vpqdgkx.com.vir
================================================================================
AUTORUN.INF:
<資料夾> C:\autorun.inf
<資料夾> E:\autorun.inf
<資料夾> F:\autorun.inf
<資料夾> G:\autorun.inf
<資料夾> H:\autorun.inf
================================================================================
各磁碟根目錄含有隱藏屬性的資料夾和檔案 :
2008-09-12 22:52:57 . 2009-06-13 22:06:19 ARHS--- 281 C:\boot.ini
2001-10-12 00:06:54 . 2001-10-12 00:06:54 ARHS--- 213830 C:\bootfont.bin
2008-09-12 15:14:36 . 2008-09-12 15:14:36 ARHS--- 0 C:\IO.SYS
2008-09-12 15:14:36 . 2008-09-12 15:14:36 ARHS--- 0 C:\MSDOS.SYS
2004-08-04 06:38:34 . 2004-08-04 06:38:34 ARHS--- 47564 C:\NTDETECT.COM
2004-08-04 06:59:38 . 2008-09-13 15:38:06 ARHS--- 257728 C:\ntldr
2008-09-12 22:49:00 . 2009-06-13 21:17:55 A-HS--- 2145386496 C:\pagefile.sys
2008-09-16 18:51:11 . 2009-04-09 15:56:45 A-H---- 232 C:\sqmdata00.sqm
2008-09-16 18:55:08 . 2009-04-09 18:21:28 A-H---- 232 C:\sqmdata01.sqm
2008-09-27 17:37:04 . 2009-04-11 09:40:13 A-H---- 232 C:\sqmdata02.sqm
2008-10-10 07:29:02 . 2009-04-11 09:40:25 A-H---- 232 C:\sqmdata03.sqm
2008-12-04 02:54:08 . 2009-04-12 15:51:16 A-H---- 232 C:\sqmdata04.sqm
2008-12-05 21:37:52 . 2009-04-13 21:47:21 A-H---- 232 C:\sqmdata05.sqm
2008-12-08 20:07:16 . 2009-04-13 21:47:58 A-H---- 232 C:\sqmdata06.sqm
2008-12-17 20:28:18 . 2009-04-13 22:25:13 A-H---- 232 C:\sqmdata07.sqm
2008-12-17 20:28:26 . 2009-04-23 10:34:53 A-H---- 232 C:\sqmdata08.sqm
2008-12-17 20:29:28 . 2009-04-28 23:00:57 A-H---- 232 C:\sqmdata09.sqm
2008-12-19 01:32:56 . 2009-05-17 00:09:36 A-H---- 232 C:\sqmdata10.sqm
2008-12-19 01:33:07 . 2009-05-28 02:31:28 A-H---- 232 C:\sqmdata11.sqm
2008-12-19 01:33:13 . 2009-06-03 22:16:36 A-H---- 232 C:\sqmdata12.sqm
2008-12-19 01:33:26 . 2009-04-03 11:41:01 A-H---- 232 C:\sqmdata13.sqm
2008-12-19 01:33:29 . 2009-04-03 23:59:41 A-H---- 232 C:\sqmdata14.sqm
2008-12-19 01:33:33 . 2009-04-04 13:26:57 A-H---- 232 C:\sqmdata15.sqm
2008-12-19 01:33:34 . 2009-04-04 23:41:56 A-H---- 232 C:\sqmdata16.sqm
2008-12-19 01:33:38 . 2009-04-07 00:12:03 A-H---- 232 C:\sqmdata17.sqm
2008-12-19 01:33:46 . 2009-04-09 14:17:03 A-H---- 232 C:\sqmdata18.sqm
2008-12-19 01:33:51 . 2009-04-09 14:54:36 A-H---- 232 C:\sqmdata19.sqm
2008-09-16 18:51:11 . 2009-04-09 15:56:45 A-H---- 244 C:\sqmnoopt00.sqm
2008-09-16 18:55:08 . 2009-04-09 18:21:28 A-H---- 244 C:\sqmnoopt01.sqm
2008-09-27 17:37:04 . 2009-04-11 09:40:13 A-H---- 244 C:\sqmnoopt02.sqm
2008-10-10 07:29:02 . 2009-04-11 09:40:25 A-H---- 244 C:\sqmnoopt03.sqm
2008-12-04 02:54:08 . 2009-04-12 15:51:16 A-H---- 244 C:\sqmnoopt04.sqm
2008-12-05 21:37:52 . 2009-04-13 21:47:21 A-H---- 244 C:\sqmnoopt05.sqm
2008-12-08 20:07:16 . 2009-04-13 21:47:58 A-H---- 244 C:\sqmnoopt06.sqm
2008-12-17 20:28:18 . 2009-04-13 22:25:13 A-H---- 244 C:\sqmnoopt07.sqm
2008-12-17 20:28:26 . 2009-04-23 10:34:53 A-H---- 244 C:\sqmnoopt08.sqm
2008-12-17 20:29:28 . 2009-04-28 23:00:57 A-H---- 244 C:\sqmnoopt09.sqm
2008-12-19 01:32:56 . 2009-05-17 00:09:36 A-H---- 244 C:\sqmnoopt10.sqm
2008-12-19 01:33:07 . 2009-05-28 02:31:28 A-H---- 244 C:\sqmnoopt11.sqm
2008-12-19 01:33:13 . 2009-06-03 22:16:36 A-H---- 244 C:\sqmnoopt12.sqm
2008-12-19 01:33:26 . 2009-04-03 11:41:01 A-H---- 244 C:\sqmnoopt13.sqm
2008-12-19 01:33:29 . 2009-04-03 23:59:41 A-H---- 244 C:\sqmnoopt14.sqm
2008-12-19 01:33:33 . 2009-04-04 13:26:57 A-H---- 244 C:\sqmnoopt15.sqm
2008-12-19 01:33:34 . 2009-04-04 23:41:56 A-H---- 244 C:\sqmnoopt16.sqm
2008-12-19 01:33:38 . 2009-04-07 00:12:03 A-H---- 244 C:\sqmnoopt17.sqm
2008-12-19 01:33:46 . 2009-04-09 14:17:03 A-H---- 244 C:\sqmnoopt18.sqm
2008-12-19 01:33:51 . 2009-04-09 14:54:36 A-H---- 244 C:\sqmnoopt19.sqm
2009-06-13 22:06:16 . 2009-06-13 22:06:19 ARHS--- <DIR> C:\cmdcons
2008-09-15 18:39:36 . 2009-06-13 21:33:25 --H---- <DIR> C:\Config.Msi
2009-06-13 22:10:48 . 2009-06-13 22:10:48 --HS--- <DIR> C:\RECYCLER
2008-09-12 22:49:11 . 2009-06-13 22:04:48 --HS--- <DIR> C:\System Volume Information
2009-01-05 11:44:22 . 2009-01-05 11:44:22 -RH---- <DIR> E:\MSOCache
2008-09-15 17:52:29 . 2008-09-15 17:52:29 --HS--- <DIR> E:\RECYCLER
2008-09-12 17:20:51 . 2008-09-12 17:22:55 --HS--- <DIR> E:\System Volume Information
2008-09-15 21:04:22 . 2008-09-15 21:04:24 --HS--- <DIR> F:\Recycled
2008-09-15 21:04:22 . 2008-09-15 21:04:24 --HS--- <DIR> F:\System Volume Information
2009-06-02 22:56:23 . 2009-06-02 22:56:24 A-HS--- 4096 G:\Thumbs.db
2008-10-07 13:59:22 . 2008-10-07 13:59:22 --HS--- <DIR> G:\FOUND.000
2008-10-27 19:23:52 . 2008-10-27 19:23:52 --HS--- <DIR> G:\FOUND.001
2006-01-23 23:20:13 . 2006-01-23 23:20:14 --HS--- <DIR> G:\Recycled
2009-02-14 09:28:18 . 2009-02-14 09:28:18 --HS--- <DIR> G:\FOUND.002
2009-04-29 19:42:26 . 2009-04-29 19:42:26 --HS--- <DIR> G:\FOUND.003
2009-05-29 08:48:46 . 2009-05-29 08:48:46 --HS--- <DIR> G:\FOUND.004
2006-01-24 00:11:48 . 2006-01-24 00:11:50 --H---- <DIR> G:\drv
2007-02-24 00:26:19 . 2007-02-24 00:26:20 --HS--- <DIR> G:\System Volume Information
2009-06-02 22:56:30 . 2009-06-02 22:56:32 A-HS--- 4096 H:\Thumbs.db
2006-01-23 23:20:13 . 2008-09-15 17:52:29 --HS--- <DIR> H:\RECYCLER
2006-01-23 21:47:50 . 2007-09-01 13:22:43 --HS--- <DIR> H:\System Volume Information
********** Created 2009-05 -- 2009-06 Files: **********
2009-06-13 22:04:49 . 2009-06-08 08:10:10 a------ 155136 C:\WINDOWS\PEV.exe
2009-06-13 22:04:49 . 2009-04-20 12:56:28 a------ 31232 C:\WINDOWS\NIRCMD.exe
2009-06-13 22:04:49 . 2000-08-31 08:00:00 a------ 98816 C:\WINDOWS\sed.exe
2009-06-13 22:04:49 . 2000-08-31 08:00:00 a------ 80412 C:\WINDOWS\grep.exe
2009-06-13 22:04:49 . 2000-08-31 08:00:00 a------ 68096 C:\WINDOWS\zip.exe
2009-06-13 22:04:49 . 2000-08-31 08:00:00 a------ 212480 C:\WINDOWS\SWXCACLS.exe
2009-06-13 22:04:49 . 2000-08-31 08:00:00 a------ 161792 C:\WINDOWS\SWREG.exe
2009-06-13 22:04:49 . 2000-08-31 08:00:00 a------ 136704 C:\WINDOWS\SWSC.exe
2009-06-13 22:04:42 . 2009-06-13 22:04:42 ------- <DIR> C:\WINDOWS\ERDNT
2009-06-13 21:34:09 . 2009-06-13 21:34:11 ------- <DIR> C:\WINDOWS\LastGood
2009-06-13 21:34:06 . 2009-02-13 14:22:54 a------ 95576 C:\WINDOWS\system32\drivers\avipbb.sys
2009-06-13 21:34:06 . 2009-02-13 11:50:02 a------ 28376 C:\WINDOWS\system32\drivers\ssmdrv.sys
2009-06-13 21:34:06 . 2009-02-13 11:29:11 a------ 22360 C:\WINDOWS\system32\drivers\avgntmgr.sys
2009-06-13 21:34:06 . 2009-02-13 11:17:49 a------ 45416 C:\WINDOWS\system32\drivers\avgntdd.sys
2009-06-13 21:13:47 . 2009-06-13 21:13:47 ------- <DIR> C:\Program Files\VS Revo Group
2009-06-13 20:12:20 . 2001-08-17 13:52:30 unknow- 18688 C:\WINDOWS\system32\dllcache\cdaudio.sys
2009-06-13 20:12:20 . 2001-08-17 13:52:30 a------ 18688 C:\WINDOWS\system32\drivers\cdaudio.sys
2009-06-13 20:11:23 . 2009-06-13 23:01:15 ------- <DIR> C:\Documents and Settings\Admin\My Documents\EFIX
2009-06-13 19:28:57 . 2009-02-13 11:31:26 a------ 55640 C:\WINDOWS\system32\drivers\avgntflt.sys
2009-06-12 02:49:08 . 2009-06-12 02:49:08 -rhs--- 81408 C:\WINDOWS\system32\843wee1.dll
2009-06-10 21:55:39 . 2009-06-10 21:55:39 ------- <DIR> C:\Program Files\USB Vibration
2009-06-07 21:23:48 . 2009-06-07 21:23:48 ------- <DIR> C:\Program Files\XemiComputers
2009-05-22 08:39:38 . 2009-05-22 08:39:38 ------- <DIR> C:\Program Files\GoldWave
.
********** Modified 2009-04 -- 2009-06 files: **********
2009-06-13 22:57:05 a------ 1069062 C:\WINDOWS\WindowsUpdate.log
2009-06-13 22:32:04 a------ 69 C:\WINDOWS\system32\liubox
2009-06-13 22:09:27 a------ 227 C:\WINDOWS\system.ini
2009-06-13 21:47:52 a------ 717069 C:\WINDOWS\setupapi.log
2009-06-13 21:18:13 a------ 159 C:\WINDOWS\wiadebug.log
2009-06-13 21:18:12 a------ 49 C:\WINDOWS\wiaservc.log
2009-06-13 19:42:20 a------ 140044 C:\WINDOWS\updspapi.log
2009-06-13 03:10:27 a------ 1001848 C:\WINDOWS\system32\FNTCACHE.DAT
2009-06-13 03:03:14 a------ 658 C:\WINDOWS\win.ini
2009-06-13 03:02:37 a------ 95351 C:\WINDOWS\ntdtcsetup.log
2009-06-13 03:02:37 a------ 493924 C:\WINDOWS\iis6.log
2009-06-13 03:02:37 a------ 26952 C:\WINDOWS\ocmsn.log
2009-06-13 03:02:37 a------ 22556 C:\WINDOWS\tabletoc.log
2009-06-13 03:02:37 a------ 201075 C:\WINDOWS\tsoc.log
2009-06-13 03:02:37 a------ 1374 C:\WINDOWS\imsins.log
2009-06-13 03:02:36 a------ 222057 C:\WINDOWS\ocgen.log
2009-06-13 03:02:33 a------ 1374 C:\WINDOWS\imsins.BAK
2009-06-12 09:01:12 a------ 196608 C:\WINDOWS\system32\drivers\nStandard.bin
2009-06-12 02:49:08 -rhs--- 81408 C:\WINDOWS\system32\843wee1.dll
2009-06-08 08:10:10 a------ 155136 C:\WINDOWS\PEV.exe
2009-06-02 00:51:12 a------ 23635392 C:\WINDOWS\system32\MRT.exe
2009-05-07 23:32:00 unknow- 340992 C:\WINDOWS\system32\dllcache\localspl.dll
2009-05-07 23:32:00 a------ 340992 C:\WINDOWS\system32\localspl.dll
2009-04-29 12:42:06 unknow- 827392 C:\WINDOWS\system32\dllcache\wininet.dll
2009-04-29 12:42:05 unknow- 233472 C:\WINDOWS\system32\dllcache\webcheck.dll
2009-04-29 12:42:05 unknow- 1159680 C:\WINDOWS\system32\dllcache\urlmon.dll
2009-04-29 12:42:04 unknow- 671232 C:\WINDOWS\system32\dllcache\mstime.dll
2009-04-29 12:42:04 unknow- 477696 C:\WINDOWS\system32\dllcache\mshtmled.dll
2009-04-29 12:42:04 unknow- 44544 C:\WINDOWS\system32\dllcache\pngfilt.dll
2009-04-29 12:42:04 unknow- 193024 C:\WINDOWS\system32\dllcache\msrating.dll
2009-04-29 12:42:04 unknow- 105984 C:\WINDOWS\system32\dllcache\url.dll
2009-04-29 12:42:04 unknow- 102912 C:\WINDOWS\system32\dllcache\occache.dll
2009-04-29 12:42:03 unknow- 3596288 C:\WINDOWS\system32\dllcache\mshtml.dll
2009-04-29 12:42:00 unknow- 52224 C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2009-04-29 12:42:00 unknow- 459264 C:\WINDOWS\system32\dllcache\msfeeds.dll
2009-04-29 12:42:00 unknow- 27648 C:\WINDOWS\system32\dllcache\jsproxy.dll
2009-04-29 12:42:00 unknow- 1830912 C:\WINDOWS\system32\dllcache\inetcpl.cpl
2009-04-29 12:42:00 ------- 27648 C:\WINDOWS\system32\jsproxy.dll
2009-04-29 12:42:00 ------- 1830912 C:\WINDOWS\system32\inetcpl.cpl
2009-04-29 12:41:59 unknow- 6066176 C:\WINDOWS\system32\dllcache\ieframe.dll
2009-04-29 12:41:59 unknow- 44544 C:\WINDOWS\system32\dllcache\iernonce.dll
2009-04-29 12:41:59 unknow- 268288 C:\WINDOWS\system32\dllcache\iertutil.dll
2009-04-29 12:41:59 a------ 6066176 C:\WINDOWS\system32\ieframe.dll
2009-04-29 12:41:59 a------ 268288 C:\WINDOWS\system32\iertutil.dll
2009-04-29 12:41:59 ------- 44544 C:\WINDOWS\system32\iernonce.dll
2009-04-29 12:41:57 unknow- 78336 C:\WINDOWS\system32\dllcache\ieencode.dll
2009-04-29 12:41:57 unknow- 385024 C:\WINDOWS\system32\dllcache\iedkcs32.dll
2009-04-29 12:41:57 a------ 78336 C:\WINDOWS\system32\ieencode.dll
2009-04-29 12:41:57 ------- 385024 C:\WINDOWS\system32\iedkcs32.dll
2009-04-29 12:41:56 unknow- 383488 C:\WINDOWS\system32\dllcache\ieapfltr.dll
2009-04-29 12:41:56 unknow- 230400 C:\WINDOWS\system32\dllcache\ieaksie.dll
2009-04-29 12:41:56 unknow- 153088 C:\WINDOWS\system32\dllcache\ieakeng.dll
2009-04-29 12:41:56 a------ 383488 C:\WINDOWS\system32\ieapfltr.dll
2009-04-29 12:41:56 ------- 230400 C:\WINDOWS\system32\ieaksie.dll
2009-04-29 12:41:56 ------- 153088 C:\WINDOWS\system32\ieakeng.dll
2009-04-29 12:41:55 unknow- 63488 C:\WINDOWS\system32\dllcache\icardie.dll
2009-04-29 12:41:55 unknow- 347136 C:\WINDOWS\system32\dllcache\dxtmsft.dll
2009-04-29 12:41:55 unknow- 214528 C:\WINDOWS\system32\dllcache\dxtrans.dll
2009-04-29 12:41:55 unknow- 133120 C:\WINDOWS\system32\dllcache\extmgr.dll
2009-04-29 12:41:55 a------ 63488 C:\WINDOWS\system32\icardie.dll
2009-04-29 12:41:55 a------ 124928 C:\WINDOWS\system32\advpack.dll
2009-04-29 12:41:55 ------- 347136 C:\WINDOWS\system32\dxtmsft.dll
2009-04-29 12:41:55 ------- 214528 C:\WINDOWS\system32\dxtrans.dll
2009-04-29 12:41:55 ------- 133120 C:\WINDOWS\system32\extmgr.dll
2009-04-28 17:04:20 a------ 389120 C:\WINDOWS\system32\html.iec
2009-04-28 17:04:02 unknow- 70656 C:\WINDOWS\system32\dllcache\ie4uinit.exe
2009-04-28 17:04:02 unknow- 13824 C:\WINDOWS\system32\dllcache\ieudinit.exe
2009-04-28 17:04:02 a------ 13824 C:\WINDOWS\system32\ieudinit.exe
2009-04-28 17:04:02 ------- 70656 C:\WINDOWS\system32\ie4uinit.exe
2009-04-25 13:27:50 unknow- 636088 C:\WINDOWS\system32\dllcache\iexplore.exe
2009-04-25 13:26:23 unknow- 161792 C:\WINDOWS\system32\dllcache\ieakui.dll
2009-04-25 13:26:23 ------- 161792 C:\WINDOWS\system32\ieakui.dll
2009-04-23 12:45:43 a------ 10358 C:\WINDOWS\KB939683.log
2009-04-22 14:43:50 a------ 128238 C:\WINDOWS\spupdsvc.log
2009-04-22 03:01:04 a------ 14630 C:\WINDOWS\KB941569.log
2009-04-22 03:00:51 a------ 12247 C:\WINDOWS\KB929399.log
2009-04-22 03:00:28 a------ 6190 C:\WINDOWS\KB959772.log
2009-04-22 03:00:23 a------ 21857 C:\WINDOWS\KB952069.log
2009-04-22 03:00:18 a------ 5324 C:\WINDOWS\KB954154.log
2009-04-21 20:08:05 a------ 16832 C:\WINDOWS\system32\amcompat.tlb
2009-04-20 12:56:28 a------ 31232 C:\WINDOWS\NIRCMD.exe
2009-04-20 07:59:45 a------ 4640 C:\WINDOWS\KB961118.log
2009-04-20 03:47:38 unknow- 1846784 C:\WINDOWS\system32\dllcache\win32k.sys
2009-04-18 22:50:59 a------ 0 C:\WINDOWS\nsreg.dat
2009-04-18 08:53:01 a------ 26318 C:\WINDOWS\KB959426.log
2009-04-18 08:52:57 a------ 25317 C:\WINDOWS\KB961373.log
2009-04-18 08:52:34 a------ 16301 C:\WINDOWS\KB956572.log
2009-04-18 08:52:23 a------ 14732 C:\WINDOWS\KB952004.log
2009-04-18 08:52:09 a------ 13266 C:\WINDOWS\KB960803.log
2009-04-18 08:51:06 a------ 8811 C:\WINDOWS\KB923561.log
2009-04-15 22:52:00 unknow- 585216 C:\WINDOWS\system32\dllcache\rpcrt4.dll
2009-04-14 08:22:48 a------ 1409 C:\WINDOWS\setupact.log
2009-04-13 16:25:22 a------ 165336 C:\WINDOWS\system32\mod_wmp.dll
2009-04-13 16:25:16 a------ 160216 C:\WINDOWS\system32\mod_hp.dll
2009-04-13 16:25:14 a------ 317912 C:\WINDOWS\system32\mod_dana.dll
2009-04-13 16:25:08 a------ 474072 C:\WINDOWS\system32\DanaX.ocx
.
================================================================================
執行中的程序:
[PID: 800] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [Avira GmbH]
[PID: 728] C:\WINDOWS\system32\HPZipm12.exe [HP]
[PID: 700] C:\WINDOWS\system32\nvsvc32.exe [NVIDIA Corporation]
[PID: 668] C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe [Apache Software Foundation]
[PID: 652] C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [Microsoft Corporation]
[PID: 628] C:\Program Files\Marvell\61xx\svc\mvraidsvc.exe [N/A]
[PID: 572] C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe [Sony Ericsson Mobile Communications AB]
[PID: 564] C:\Program Files\Java\jre6\bin\jqs.exe [Sun Microsystems, Inc.]
[PID: 496] C:\WINDOWS\ATKKBService.exe [ASUSTeK COMPUTER INC.]
[PID: 4052] C:\WINDOWS\system32\wbem\wmiprvse.exe [Microsoft Corporation]
[PID: 3852] C:\WINDOWS\System32\alg.exe [Microsoft Corporation]
[PID: 3608] C:\WINDOWS\system32\conime.exe [Microsoft Corporation]
[PID: 3064] C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe [Hewlett-Packard Co.]
[PID: 3004] C:\Program Files\Common Files\Teleca Shared\Generic.exe [Teleca AB]
[PID: 224] C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [Hewlett-Packard Co.]
[PID: 2040] C:\Program Files\QuickTime\qttask.exe [Apple Computer, Inc.]
[PID: 2032] C:\Program Files\Java\jre6\bin\jusched.exe [Sun Microsystems, Inc.]
[PID: 1964] C:\Program Files\Common Files\Real\Update_OB\realsched.exe [RealNetworks, Inc.]
[PID: 1956] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [Hewlett-Packard]
[PID: 1912] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [Cyberlink Corp.]
[PID: 1884] C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe [Adobe Systems Inc.]
[PID: 1868] C:\WINDOWS\RTHDCPL.EXE [Realtek Semiconductor Corp.]
[PID: 180] C:\WINDOWS\system32\ctfmon.exe [Microsoft Corporation]
[PID: 168] C:\Program Files\Rainlendar2\Rainlendar2.exe [N/A]
[PID: 1660] C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe [Apache Software Foundation]
[PID: 1532] C:\WINDOWS\system32\wbem\wmiprvse.exe [Microsoft Corporation]
[PID: 1468] C:\Program Files\Avira\AntiVir Desktop\avguard.exe [Avira GmbH]
[PID: 1416] C:\WINDOWS\system32\spoolsv.exe [Microsoft Corporation]
[PID: 1276] C:\Program Files\Avira\AntiVir Desktop\sched.exe [Avira GmbH]
[PID: 1200] C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [Ulead Systems, Inc.]
================================================================================
登錄值列表 *** 注意 : 部分正常值不會顯示 ***
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [Microsoft Corporation]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [N/A]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [Ahead Software AG]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\ime\IMJP8_1\imjpmig.exe" [Microsoft Corporation]
"RTHDCPL"="C:\WINDOWS\RTHDCPL.exe" [Realtek Semiconductor Corp.]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe" [Adobe Systems Inc.]
"CJIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE" [Microsoft Corp.]
"PHIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE" [Microsoft Corp.]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [Cyberlink Corp.]
"NvCplDaemon"="C:\WINDOWS\system32\nvcpl.dll" [NVIDIA Corporation]
"nwiz"="C:\WINDOWS\system32\nwiz.exe" [N/A]
"HP Software Update"="C:\Program Files\HP\HP Software Update\hpwuSchd2.exe" [Hewlett-Packard]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [RealNetworks, Inc.]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [N/A]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" [Adobe Systems Incorporated]
"UVS10 Preload"="C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe" [Ulead Systems, Inc.]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [Sun Microsystems, Inc.]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [Apple Computer, Inc.]
"avgnt"="C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" [Avira GmbH]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}" - 2006-10-18 21:47 133632 C:\WINDOWS\system32\WPDShServiceObj.dll
[HKEY_LOCAL_MACHINE\~\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-10-22 23:08 62080 C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
[HKEY_LOCAL_MACHINE\~\Explorer\Browser Helper Objects\{1F364306-AA45-47B5-9F9D-39A8B94E7EF1}]
[HKEY_LOCAL_MACHINE\~\Explorer\Browser Helper Objects\{259F616C-A300-44F5-B04A-ED001A26C85C}]
[HKEY_LOCAL_MACHINE\~\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
2008-09-16 18:30 370296 C:\Program Files\Real\RealOne Player\rpbrowserrecordplugin.dll
[HKEY_LOCAL_MACHINE\~\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
2006-12-18 04:18 231160 C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
[HKEY_LOCAL_MACHINE\~\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
2009-03-09 05:18 35840 C:\Program Files\Java\jre6\bin\jp2ssv.dll
[HKEY_LOCAL_MACHINE\~\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
2009-03-09 05:18 73728 C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SHARED TOOLS\MSCONFIG\startupreg\ASUSGamerOSD]
"command"="C:\Program Files\ASUS\GamerOSD\GamerOSD.exe" [ASUSTeK Computer Inc.]
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SHARED TOOLS\MSCONFIG\startupreg\DAEMON Tools Lite]
"command"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [DT Soft Ltd]
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SHARED TOOLS\MSCONFIG\startupreg\dvd43]
"command"="C:\Program Files\dvd43\dvd43_tray.exe" [File Not Found.]
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SHARED TOOLS\MSCONFIG\startupreg\MSMSGS]
"command"="C:\Program Files\Messenger\msmsgs.exe" [File Not Found.]
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SHARED TOOLS\MSCONFIG\startupreg\NeroFilterCheck]
"command"="C:\WINDOWS\system32\NeroCheck.exe" [Ahead Software Gmbh]
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SHARED TOOLS\MSCONFIG\startupreg\QuickTime Task]
"command"="C:\Program Files\QuickTime\qttask.exe" [Apple Computer, Inc.]
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SHARED TOOLS\MSCONFIG\startupreg\Ulead AutoDetector v2]
"command"="C:\Program Files\Common Files\Ulead Systems\AutoDetector\Monitor.exe" [Ulead Systems, Inc.]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^Adobe Acrobat Speed Launcher.lnk]
"command"="C:\WINDOWS\Installer\{AC76BA86-1028-0000-7760-000000000002}\SC_Acrobat.exe" [N/A]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
NoDriveTypeAutoRun=0x143
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
HonorAutoRunSetting=0x1
NoDriveTypeAutoRun=0x143
[hku\.default\software\microsoft\windows\currentversion\policies\explorer]
NoDriveTypeAutoRun=0x143
C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [ 2005-05-11 23:23:26 282624 ]
================================================================================
服務 \ 驅動 列表:
顯示方式 : 啟動狀態 服務名稱;顯示名稱;檔案名稱
R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [Sun Microsystems, Inc.]
R2 MRUWebService;MRU Web Service;C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe [Apache Software Foundation]
S3 napagent;Network Access Protection Agent;C:\WINDOWS\System32\qagentrt.dll [Microsoft Corporation]
S2 SCPDFReadSpool;SolidConverterPDFReadSpool;C:\WINDOWS\Installer\MSI30D.tmp [Solid Documents, LLC]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files\Avira\AntiVir Desktop\sched.exe [Avira GmbH]
R3 asusgsb;ASUS Virtual Video Capture Device Driver;C:\WINDOWS\system32\drivers\asusgsb.sys [ASUSTeK Computer Inc.]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l151x86.sys [Atheros Communications, Inc.]
R0 mv61xx;mv61xx;C:\WINDOWS\system32\DRIVERS\mv61xx.sys [Marvell Semiconductor, Inc.]
S3 s616bus;Sony Ericsson Device 616 driver (WDM);C:\WINDOWS\system32\DRIVERS\s616bus.sys [MCCI Corporation]
S3 s616mdfl;Sony Ericsson Device 616 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s616mdfl.sys [MCCI Corporation]
S3 s616mdm;Sony Ericsson Device 616 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s616mdm.sys [MCCI Corporation]
S3 s616mgmt;Sony Ericsson Device 616 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s616mgmt.sys [MCCI Corporation]
S3 s616nd5;Sony Ericsson Device 616 USB Ethernet Emulation SEMC616 (NDIS);C:\WINDOWS\system32\DRIVERS\s616nd5.sys [MCCI Corporation]
S3 s616obex;Sony Ericsson Device 616 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s616obex.sys [MCCI Corporation]
S3 s616unic;Sony Ericsson Device 616 USB Ethernet Emulation SEMC616 (WDM);C:\WINDOWS\system32\DRIVERS\s616unic.sys [MCCI Corporation]
R3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D32.sys [ASUSTeK COMPUTER INC.]
================================================================================
[HKLM\System\CurrentControlSet\Services\sptd]
ImagePath = C:\WINDOWS\system32\Drivers\sptd.sys [N/A]
================================================================================
IE 首頁設定:
Internet Explorer Version: 7.0.5730.13
HKLM - Start Page = hxxp://www.myspace.com/
HKCU - Start Page = hxxp://tw.yahoo.com/
HKCU - Extra menu item: 使用 FlashGet 下載 - C:\Program Files\FlashGet Network\Flashget\ComDlls\Bholink.htm
HKCU - Extra menu item: 全部使用 FlashGet 下載 - C:\Program Files\FlashGet Network\Flashget\ComDlls\Bhoall.htm
HKCU - Extra menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
HKCU - Extra menu item: 轉換到現有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
HKCU - Extra menu item: 轉換為 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
HKCU - Extra menu item: 轉換連結目標到現有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
HKCU - Extra menu item: 轉換連結目標為 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
HKCU - Extra menu item: 轉換選定的連結到現有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
HKCU - Extra menu item: 轉換選定的連結為 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
HKCU - Extra menu item: 轉換選擇內容到現有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
HKCU - Extra menu item: 轉換選擇內容為 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
HKLM - Extensions: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DNS: {76D023ED-B723-4D45-9226-837CCFF36AD3} - 168.95.1.1
================================================================================
Win32/Conficker worm has not been found active in the memory.
Do you want to perform scanning and cleaning anyway? (y/n)
Nothing was found.
Checking for Win32/Conficker.AA files:
Nothing was found.
================================================================================
A: -Removable Disk- No Assess
C: -Local Disk- Size: 104855834624 FreeSpace: 76047208448 NTFS
D: -Compact Disc- No Assess
E: -Local Disk- Size: 215206191104 FreeSpace: 29752156160 NTFS
F: -Local Disk- Size: 31438061568 FreeSpace: 10883891200 FAT32
G: -Local Disk- Size: 20964163584 FreeSpace: 10495197184 FAT32
H: -Local Disk- Size: 27587555328 FreeSpace: 14023098368 NTFS
I: -Compact Disc- No Assess
J: -Compact Disc- No Assess
掃描結束時間: 2009-06-13 23:02:41.46
[/CODE]
If you are sure the system is infected but cannot resolve it, please work through the steps in this post in order.
If it still cannot be resolved, go to point 4, describe the infection, and attach the system analysis reports.
1. First install the security updates MS08-067 (KB958644) and MS08-068 (KB957097)
http://www.microsoft.com/taiwan/technet/security/bulletin/MS08-067.mspx
http://www.microsoft.com/taiwan/technet/security/bulletin/ms08-068.mspx
2. Use a temporary-file cleaner to clear temporary data, then reboot
ATF Cleaner: http://sylovanas.blogspot.com/2009/04/atf-cleaner.html
3. If the detection is inside the System Volume Information folder, turn off System Restore
How to turn it off: http://support.microsoft.com/kb/310405/zh-tw
4. If none of the above resolves it, describe the location of the infected files and what you have done so far,
and attach the system analysis reports
Steps taken:
Antivirus scan report (or the names and locations of the infected files):
Download locations and usage instructions for the system analysis reports (the links below include instructions):
Upload the text reports from the scans to a free file host or the space provided by chi39, then paste the links below
Combofix:
http://sylovanas.blogspot.com/2009/04/combofix.html
Hijackthis:
http://www.trendsecure.com/portal/en-US/threat_analytics/HiJackThis.exe
After running it, choose Do A System Scan And Save A Logfile
Upload the text file that opens when it finishes to the pinned upload space and post it here
Sreg:
http://sylovanas.blogspot.com/2009/04/system-repair-engineer-sreng.html
Run in this order: Combofix -> hijackthis -> Sreng
These reports are required so we can see which programs start up and stay resident on your system
Combofix :
Hijackthis:
SRENG :
Antivirus scan report :
--
※ Posted from: 批踢踢實業坊(ptt.cc)
◆ From: 59.104.122.111
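Two findings in the E-Fix log above are what a responder would check first: an autorun.inf was reported at the root of C:, E:, F:, G: and H:, and every NoDriveTypeAutoRun policy value is 0x143. Under Microsoft's documented layout for that value (bit n corresponds to GetDriveType() value n, and a set bit disables AutoRun for that drive type), 0x143 sets only the unknown (0x1), no-root-directory (0x2) and RAM-disk (0x40) bits plus an undocumented 0x100, so AutoRun stays enabled for removable (0x4), fixed (0x8) and network (0x10) drives, which is the path a USB worm uses to spread. The script below is an added example, not E-Fix's code and not part of the original post; it assumes the E-Fix 5.2 log layout shown in the post and runs against a constructed excerpt of that log.

```python
"""Triage of an E-Fix style scan log for autorun-worm indicators.

Added example (not E-Fix's own code). It assumes the log layout seen in the
post: an "AUTORUN.INF:" section listing drive roots, and registry sections
where a NoDriveTypeAutoRun=0x... line follows a [HKEY...] key line.
"""
import re

# NoDriveTypeAutoRun bit n == GetDriveType() value n; a SET bit DISABLES
# AutoRun for that drive type (mapping as documented by Microsoft).
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no root directory",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "unknown (reserved bit)",
}

# Drive types a removable-media worm spreads through; we want these bits set.
SPREAD_TYPES = {0x04: "removable", 0x08: "fixed", 0x10: "network"}

# Constructed excerpt: the relevant lines of the E-Fix log quoted in the post.
SAMPLE_LOG = r"""
================================================================================
AUTORUN.INF:
<資料夾> C:\autorun.inf
<資料夾> E:\autorun.inf
<資料夾> F:\autorun.inf
<資料夾> G:\autorun.inf
<資料夾> H:\autorun.inf
================================================================================
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
NoDriveTypeAutoRun=0x143
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
HonorAutoRunSetting=0x1
NoDriveTypeAutoRun=0x143
[hku\.default\software\microsoft\windows\currentversion\policies\explorer]
NoDriveTypeAutoRun=0x143
"""


def decode_nodrivetypeautorun(value):
    """Split a NoDriveTypeAutoRun value into disabled / still-enabled drive types."""
    disabled = [name for bit, name in DRIVE_TYPE_BITS.items() if value & bit]
    enabled = [name for bit, name in DRIVE_TYPE_BITS.items() if not value & bit]
    return {
        "disabled": disabled,
        "still_enabled": enabled,
        # Anything above the documented low byte (e.g. 0x100) carries no meaning.
        "undocumented_bits": value & ~0xFF,
        # The check a responder cares about: can inserted media still auto-execute?
        "spread_paths_open": [n for b, n in SPREAD_TYPES.items() if not value & b],
    }


def parse_autorun_policy(log):
    """Map each registry key that carries NoDriveTypeAutoRun to its integer value."""
    policy = {}
    current_key = None
    for raw in log.splitlines():
        line = raw.strip()
        key_match = re.fullmatch(r"\[(.+)\]", line)
        if key_match:
            current_key = key_match.group(1)
            continue
        val_match = re.fullmatch(r"NoDriveTypeAutoRun=0x([0-9A-Fa-f]+)", line)
        if val_match and current_key:
            policy[current_key] = int(val_match.group(1), 16)
    return policy


def parse_autorun_inf_roots(log):
    """Drive letters where the scanner reported an autorun.inf at the root."""
    roots = []
    in_section = False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "AUTORUN.INF:":
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("===="):  # section separator ends the list
            break
        found = re.search(r"([A-Za-z]):\\autorun\.inf$", line, re.IGNORECASE)
        if found:
            roots.append(found.group(1).upper())
    return roots


def triage(log):
    """Combine both parsers into one verdict for the responder."""
    policy = parse_autorun_policy(log)
    open_types = set()
    for value in policy.values():
        open_types.update(decode_nodrivetypeautorun(value)["spread_paths_open"])
    return {
        "autorun_inf_roots": parse_autorun_inf_roots(log),
        "policy_values": policy,
        "autorun_still_allowed_on": sorted(open_types),
        "recommended_value": 0xFF,  # disables AutoRun for every drive type
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2, ensure_ascii=False))
```

The recommended_value field is 0xFF, which disables AutoRun for every drive type; it is the value to set under all three policy keys the log lists, and the same decoder can be pointed at any other E-Fix report to see whether the keys were actually changed.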