小泉烧香 - 2007-3-9 4:58:00
2007-03-09,04:41:32
System Repair Engineer 2.3.13.690
Smallfrogs (http://www.KZTechs.com)
Windows XP Professional Service Pack 2 (Build 2600)
- 管理权限用户 - 完整功能
以下内容被选中:
所有的启动项目(包括注册表、启动文件夹、服务等)
浏览器加载项
正在运行的进程(包括进程模块信息)
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件
启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<NvCplDaemon><; RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup> [(Verified)NVIDIA Corporation]
<PubwinClient><; C:\Program Files\Hintsoft\PubwinClient\PubwinClient.exe> [N/A]
<NvMediaCenter><; RunDLL32.exe NvMCTray.dll,NvTaskbarInit> [(Verified)NVIDIA Corporation]
<Alcmtr><; ALCMTR.EXE> [(Verified)Realtek Semiconductor Corp.]
<BigDog303><; C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)> [N/A]
<Domino><; C:\WINDOWS\Domino.EXE> [N/A]
<DU Meter><; C:\Program Files\DU Meter\DUMeter.exe> [N/A]
<HF_GameClient><; E:\聊天对战\浩方对战平台\gameclient.exe> [上海浩方在线信息技术有限公司]
<IMJPMIG8.1><; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [(Verified)Microsoft Corporation]
<NMGameX_AutoRun><; C:\WINDOWS\system32\Rundll32.exe NMGameX.dll,LiveProcess /aa> [N/A]
<nwiz><; nwiz.exe /install> [N/A]
<PHIME2002A><; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [(Verified)Microsoft Corporation]
<PHIME2002ASync><; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [(Verified)Microsoft Corporation]
<RTHDCPL><; RTHDCPL.EXE> [(Verified)Realtek Semiconductor Corp.]
<runeip><; D:\Rising\AntiSpyware\runiep.exe> [N/A]
<SkyTel><; SkyTel.EXE> [(Verified)Realtek Semiconductor Corp.]
<StormCodec_Helper><; "C:\Program Files\Ringz Studio\StormSet.exe" /S /opti> [N/A]
<upxdnd><; C:\DOCUME~1\ym\LOCALS~1\Temp\upxdnd.exe> [N/A]
<VMSnap3><; C:\WINDOWS\VMSnap3.EXE> [Vimicro]
<wxClient><; C:\WINDOWS\system32\Clsmn.exe> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<internet><C:\WINDOWS\system\taskmgr.exe /scan> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Corporation]
<Userinit><userinit.exe,> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{AEB6717E-7E19-11d0-97EE-00C04FD91972}><shell32.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
<PostBootReminder><%SystemRoot%\system32\SHELL32.dll> [(Verified)Microsoft Corporation]
<CDBurn><%SystemRoot%\system32\SHELL32.dll> [(Verified)Microsoft Corporation]
<WebCheck><%SystemRoot%\system32\webcheck.dll> [(Verified)Microsoft Corporation]
<SysTray><C:\WINDOWS\system32\stobject.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
<WinlogonNotify: crypt32chain><crypt32.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
<WinlogonNotify: cryptnet><cryptnet.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
<WinlogonNotify: cscdll><cscdll.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
<WinlogonNotify: ScCertProp><wlnotify.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
<WinlogonNotify: Schedule><wlnotify.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
<WinlogonNotify: sclgntfy><sclgntfy.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
<WinlogonNotify: SensLogn><WlNotify.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
<WinlogonNotify: termsrv><wlnotify.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
<WinlogonNotify: wlballoon><wlnotify.dll> [(Verified)Microsoft Corporation]
==================================
小泉烧香 - 2007-3-9 4:59:00
启动文件夹
N/A
==================================
服务
[ASP.NET State Service / aspnet_state][Stopped/Manual Start]
<C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe><Microsoft Corporation>
[锐起无盘XP客户端服务 / DlxpCltSrv][Running/Auto Start]
<C:\Program Files\Richtech\Dlxp\CltSrv.exe><N/A>
[Human Interface Device Access / HidServ][Stopped/Disabled]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[InstallDriver Table Manager / IDriverT][Stopped/Manual Start]
<"C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"><Macrovision Corporation>
[NVIDIA Display Driver Service / NVSvc][Running/Auto Start]
<C:\WINDOWS\system32\nvsvc32.exe><NVIDIA Corporation>
==================================
驱动程序
[EagleNT / EagleNT][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\drivers\EagleNT.sys><N/A>
[genfs / genfs][Running/Boot Start]
<31 - 连到系统上的设备没有发挥作用。
><N/A>
[Microsoft UAA Bus Driver for High Definition Audio / HDAudBus][Running/Manual Start]
<system32\DRIVERS\HDAudBus.sys><Windows (R) Server 2003 DDK provider>
[Service for Realtek HD Audio (WDM) / IntcAzAudAddService][Running/Manual Start]
<system32\drivers\RtkHDAud.sys><Realtek Semiconductor Corp.>
[kmsinput / kmsinput][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\drivers\kmsinput.sys><N/A>
[Netgroup Packet Filter / NPF][Running/Manual Start]
<system32\drivers\npf.sys><CACE Technologies>
[npkcrypt / npkcrypt][Stopped/Auto Start]
<\??\C:\tm\TMDlls\npkcrypt.sys><N/A>
[nv / nv][Running/Manual Start]
<system32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[oreans32 / oreans32][Stopped/System Start]
<\??\C:\WINDOWS\system32\drivers\oreans32.sys><N/A>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[RsAntiSpyware / RsAntiSpyware][Running/Boot Start]
<\SystemRoot\system32\drivers\RsBoot.sys><Beijing Rising>
[RTKCPFXP / RTKCPFXP][Stopped/Manual Start]
<\??\C:\Program Files\Richtech\Dlxp\RTKCPFXP.SYS><N/A>
[Realtek 10/100/1000 NIC Family all in one NDIS XP Driver / RTL8023xp][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\Rtnicxp.sys><Realtek Semiconductor Corporation>
[Secdrv / Secdrv][Stopped/Manual Start]
<system32\DRIVERS\secdrv.sys><N/A>
[TCP/IP Protocol Driver / Tcpip][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\tcpip.sys><Microsoft Corporation>
[vmfilter303 / vmfilter303][Stopped/Manual Start]
<system32\drivers\vmfilter303.sys><Vimicro Corporation>
[World Standard Teletext Codec / WSTCODEC][Stopped/Manual Start]
<system32\DRIVERS\WSTCODEC.SYS><Microsoft Corporation>
[AONI PC Cam(Vimicro301 Neptune) / ZSMC303][Stopped/Manual Start]
<System32\Drivers\usbVM303.sys><Vimicro Corporation>
==================================
小泉烧香 - 2007-3-9 4:59:00
浏览器加载项
[QQBrowserHelperObject Class]
{54EBD53A-9BC1-480B-966A-843A333CA162} <E:\聊天对战\QQ\QQIEHelper.dll, N/A>
[Thunder Browser Helper]
{889D2FEB-5411-4565-8998-1DD2C5261283} <d:\Program Files\Thunder Network\Thunder\ComDlls\XunLeiBHO_004.dll, Thunder Networking Technologies,LTD>
[QQBrowserHelperObject Class]
{54EBD53A-9BC1-480B-966A-843A333CA162} <E:\聊天对战\QQ\QQIEHelper.dll, N/A>
[Thunder Browser Helper]
{889D2FEB-5411-4565-8998-1DD2C5261283} <d:\Program Files\Thunder Network\Thunder\ComDlls\XunLeiBHO_004.dll, Thunder Networking Technologies,LTD>
[Microsoft Scriptlet Component]
{AE24FDAE-03C6-11D1-8B76-0080C744F389} <C:\WINDOWS\system32\mshtml.dll, Microsoft Corporation>
[RDS.DataSpace]
{BD96C556-65A3-11D0-983A-00C04FC29E36} <C:\Program Files\Common Files\System\msadc\msadco.dll, Microsoft Corporation>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
[&使用迅雷下载]
<d:\Program Files\Thunder Network\Thunder\Program\GetUrl.htm, N/A>
[&使用迅雷下载全部链接]
<d:\Program Files\Thunder Network\Thunder\Program\GetAllUrl.htm, N/A>
[上传到QQ网络硬盘]
<E:\聊天对战\QQ\AddToNetDisk.htm, N/A>
[添加到QQ自定义面板]
<E:\聊天对战\QQ\AddPanel.htm, N/A>
[添加到QQ表情]
<E:\聊天对战\QQ\AddEmotion.htm, N/A>
[用QQ彩信发送该图片]
<E:\聊天对战\QQ\SendMMS.htm, N/A>
==================================
小泉烧香 - 2007-3-9 4:59:00
正在运行的进程
[PID: 456][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 508][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 548][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\sfc_os.dll] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 592][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 604][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 784][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1004][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1024][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\System32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1088][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1252][C:\Program Files\Richtech\Dlxp\CltSrv.exe] [N/A, N/A]
[PID: 1296][C:\WINDOWS\system32\nvsvc32.exe] [NVIDIA Corporation, 6.14.10.9131]
[PID: 1684][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\Hintsoft\PubwinClient\HintSock.dll] [N/A, 1, 0, 0, 9]
[C:\WINDOWS\system32\nvcpl.dll] [NVIDIA Corporation, 6.14.10.9131]
[C:\WINDOWS\system32\NVRSZHC.DLL] [NVIDIA Corporation, 6.14.10.9131]
[C:\WINDOWS\system32\nvshell.dll] [N/A, N/A]
[C:\Program Files\WinRAR\rarext.dll] [N/A, N/A]
[E:\聊天对战\QQ\MFC42.DLL] [Microsoft Corporation, 6.00.8665.0]
[E:\聊天对战\QQ\qdshm.dll] [, 1, 0, 101, 20]
[PID: 1776][C:\Program Files\Hintsoft\PubwinClient\PubwinClient.exe] [N/A, N/A]
[C:\Program Files\Hintsoft\PubwinClient\log4cpp.dll] [N/A, N/A]
[C:\Program Files\Hintsoft\PubwinClient\MSVCP71.dll] [N/A, N/A]
[C:\Program Files\Hintsoft\PubwinClient\MSVCR71.dll] [N/A, N/A]
[C:\Program Files\Hintsoft\PubwinClient\Crypto.dll] [N/A, N/A]
[C:\Program Files\Hintsoft\PubwinClient\LIBEAY32.dll] [N/A, N/A]
[C:\Program Files\Hintsoft\PubwinClient\MSVCRTD.dll] [N/A, N/A]
[C:\Program Files\Hintsoft\PubwinClient\MFC71.DLL] [N/A, N/A]
[C:\WINDOWS\system32\MFC71CHS.DLL] [Microsoft Corporation, 7.10.3077.0]
[C:\WINDOWS\system32\msxml4.dll] [Microsoft Corporation, 4.20.9818.0]
[C:\Program Files\Hintsoft\PubwinClient\Skins\Skins.dll] [N/A, N/A]
[C:\Program Files\Hintsoft\PubwinClient\Update.dll] [N/A, N/A]
[C:\WINDOWS\system32\wpcap.dll] [CACE Technologies, 3, 1, 0, 27]
[C:\WINDOWS\system32\packet.dll] [CACE Technologies, 3, 1, 0, 27]
[C:\WINDOWS\system32\WanPacket.dll] [CACE Technologies, 3, 1, 0, 27]
[C:\Program Files\Hintsoft\PubwinClient\RcvApi.dll] [N/A, N/A]
[C:\Program Files\Hintsoft\PubwinClient\HintSock.dll] [N/A, 1, 0, 0, 9]
[C:\WINDOWS\system32\mscoree.dll] [Microsoft Corporation, 1.1.4322.573]
[C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorie.dll] [Microsoft Corporation, 1.1.4322.573]
[C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorld.dll] [Microsoft Corporation, 1.1.4322.573]
[C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx] [Adobe Systems, Inc., 9,0,28,0]
[PID: 1784][C:\WINDOWS\system32\RunDLL32.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\NvMCTray.dll] [NVIDIA Corporation, 6.14.10.9131]
[C:\WINDOWS\system32\NVRSZHC.DLL] [NVIDIA Corporation, 6.14.10.9131]
[C:\Program Files\Hintsoft\PubwinClient\HintSock.dll] [N/A, 1, 0, 0, 9]
[PID: 1792][C:\WINDOWS\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\Hintsoft\PubwinClient\HintSock.dll] [N/A, 1, 0, 0, 9]
[PID: 772][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 996][C:\WINDOWS\system32\conime.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\Hintsoft\PubwinClient\HintSock.dll] [N/A, 1, 0, 0, 9]
[PID: 1992][C:\Documents and Settings\ym\桌面\SREng.EXE] [Smallfrogs Studio, 2.3.13.690]
[C:\Program Files\Hintsoft\PubwinClient\HintSock.dll] [N/A, 1, 0, 0, 9]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\sfc_os.dll] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Documents and Settings\ym\桌面\Plugins\SRECXTMG.SRE] [Smallfrogs Studio, 1, 5, 0, 55]
==================================
文件关联
.TXT Error. [C:\WINDOWS\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM Error. [C:\WINDOWS\hh.exe %1]
.HLP Error. [C:\WINDOWS\winhlp32.exe %1]
.INI Error. [C:\WINDOWS\NOTEPAD.EXE %1]
.INF Error. [C:\WINDOWS\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
小泉烧香 - 2007-3-9 5:00:00
==================================
Winsock 提供者
N/A
==================================
Autorun.inf
[D:\]
[AutoRun]
OPEN=setup.exe
shellexecute=setup.exe
shell\打开(&O)\command=setup.exe
[E:\]
[AutoRun]
OPEN=setup.exe
shellexecute=setup.exe
shell\打开(&O)\command=setup.exe
==================================
HOSTS 文件
127.0.0.1 about-blank.cc
127.0.0.1 hao.allxun.com
127.0.0.1 kzxf.com
127.0.0.1 vod.mmdy.org
127.0.0.1 www.123wa.com
127.0.0.1 www.4199.com
127.0.0.1 www.71791.com
127.0.0.1 www.7939.com
127.0.0.1 www.9505.com
127.0.0.1 www.feixue.net
127.0.0.1 www.kzxf.com
127.0.0.1 www.my123.com
127.0.0.1 www.piaoxue.com
127.0.0.1 www.xfkz.com
127.0.0.1 xfkz.com
==================================
API HOOK
N/A
==================================
小泉烧香 - 2007-3-9 5:02:00
This Internet cafe has restore cards, but they still can't keep the virus from getting in.
This log was taken right after boot... nothing unusual in the process list...
But after some time of use (minutes or hours), lots of junk processes appear and hog system resources...
Not a single machine in the cafe is spared...
小泉烧香 - 2007-3-9 5:03:00
Hoping you guys can help; if I can't kill it, how am I supposed to practice my skills... thanks in advance.
小泉烧香 - 2007-3-9 5:05:00
Oh, one more thing: after I had used it for a while,
the telltale gggg.exe process appeared, but there are also signs of other viruses,
and it's such a mess that I can't find the virus's original file..
Hope everyone can help``
基督山伯爵2 - 2007-3-9 9:11:00
Autorun.inf
[D:\]
[AutoRun]
OPEN=setup.exe
shellexecute=setup.exe
shell\打开(&O)\command=setup.exe
[E:\]
[AutoRun]
OPEN=setup.exe
shellexecute=setup.exe
shell\打开(&O)\command=setup.exe
<upxdnd><; C:\DOCUME~1\ym\LOCALS~1\Temp\upxdnd.exe> [N/A]
HOSTS 文件
127.0.0.1 about-blank.cc
127.0.0.1 hao.allxun.com
127.0.0.1 kzxf.com
127.0.0.1 vod.mmdy.org
127.0.0.1 www.123wa.com
127.0.0.1 www.4199.com
127.0.0.1 www.71791.com
127.0.0.1 www.7939.com
127.0.0.1 www.9505.com
127.0.0.1 www.feixue.net
127.0.0.1 www.kzxf.com
127.0.0.1 www.my123.com
127.0.0.1 www.piaoxue.com
127.0.0.1 www.xfkz.com
127.0.0.1 xfkz.com
<internet><C:\WINDOWS\system\taskmgr.exe /scan> [N/A]
flonline - 2007-3-9 9:19:00
Looks like the same problem as mine; see the first pinned thread...
I read it and still didn't get it - -#
I don't have any of the process files it lists...
Just one GGG.exe
xiaoyueIQ - 2007-3-9 9:22:00
Go to the Super Topics section... 猫叔 has one,
an analysis of GGG.exe
小泉烧香 - 2007-3-9 13:04:00
Can we be sure it's ggg.exe?
Why is there sometimes also the telltale CMD.EXE process?
And there are lots of disguised processes like internat (note the difference between net and nat)
小泉烧香 - 2007-3-9 13:14:00
Oh, and I heard from others that a couple of days ago it also got hit by 金猪烧香 (Golden Pig Burning Incense)..
PS: I'm not a staff member at the cafe; I just saw such a thorny problem and want to broaden my horizons and learn something...
afkp4e7 - 2007-3-9 13:36:00
The cafe's machines even use gigabit NICs.
Quite flashy.
<upxdnd><; C:\DOCUME~1\ym\LOCALS~1\Temp\upxdnd.exe> [N/A]
The thing I ran into seems to also scan other machines on the same subnet and exploit vulnerabilities to infect other PCs.
[锐起无盘XP客户端服务 / DlxpCltSrv][Running/Auto Start]
<C:\Program Files\Richtech\Dlxp\CltSrv.exe><N/A>
What is this thing?
小泉烧香 - 2007-3-9 13:44:00
| Quote: |
[afkp4e7's post] The cafe's machines even use gigabit NICs. Quite flashy.
<upxdnd><; C:\DOCUME~1\ym\LOCALS~1\Temp\upxdnd.exe> [N/A] The thing I ran into seems to also scan other machines on the same subnet and exploit vulnerabilities to infect other PCs.
[锐起无盘XP客户端服务 / DlxpCltSrv][Running/Auto Start] <C:\Program Files\Richtech\Dlxp\CltSrv.exe><N/A> What is this thing? ……………… |
Yes yes yes, it does infect other computers..
That XP client: the machines have no physical hard disk, it's done through something or other, and every machine has the same games and stuff; I only heard this from others..
afkp4e7 - 2007-3-9 13:51:00
Diskless workstations in an Internet cafe?
Never heard of that.
An 80 GB hard disk is only 300-odd and they still won't buy one.
mopery - 2007-3-9 13:54:00
D:\setup.exe
Find this file..
and send it to bin59420@yahoo.com.cn
小泉烧香 - 2007-3-9 14:00:00
No problem, brother mopery, I'll send it to you as soon as I get home after work!! If this cafe goes down it'd be a real pain; my coworkers are always asking me to go play games there, and without it we'd have nowhere to hang out.. Wait for my message, I'll send it the moment I can, thank you!!
baohe - 2007-3-9 16:22:00
[Reply to 小泉烧香's post]
1. Use IceSword to disable process creation; delete the following startup, service and driver items:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<Domino><; C:\WINDOWS\Domino.EXE> [N/A]
<upxdnd><; C:\DOCUME~1\ym\LOCALS~1\Temp\upxdnd.exe> [N/A]
<wxClient><; C:\WINDOWS\system32\Clsmn.exe> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<internet><C:\WINDOWS\system\taskmgr.exe /scan> [N/A]
驱动程序
[EagleNT / EagleNT][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\drivers\EagleNT.sys><N/A>
[genfs / genfs][Running/Boot Start]
<31 - 连到系统上的设备没有发挥作用。
><N/A>
驱动程序
[oreans32 / oreans32][Stopped/System Start]
<\??\C:\WINDOWS\system32\drivers\oreans32.sys><N/A>
[Netgroup Packet Filter / NPF][Running/Manual Start]
<system32\drivers\npf.sys><CACE Technologies>
2. Use IceSword to delete the files the items above point to. Delete setup.exe and autorun.inf from the root of D: and E:.
3. Repair the hosts file; repair the file associations.
____________
The following are unidentified startup items (please confirm yourself whether they are normal):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
<WinlogonNotify: crypt32chain><crypt32.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
<WinlogonNotify: cryptnet><cryptnet.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
<WinlogonNotify: cscdll><cscdll.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
<WinlogonNotify: ScCertProp><wlnotify.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
<WinlogonNotify: Schedule><wlnotify.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
<WinlogonNotify: sclgntfy><sclgntfy.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
<WinlogonNotify: SensLogn><WlNotify.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
<WinlogonNotify: termsrv><wlnotify.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
<WinlogonNotify: wlballoon><wlnotify.dll> [(Verified)Microsoft Corporation]
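Defender-side triage of the items called out in this reply, as an added example that is not code from the thread, from SREng or from IceSword: a small Python script that parses the startup, Autorun.inf and HOSTS sections in the SREng log posted at the top of the thread and flags the same entries listed above for removal. The sample lines are copied from the posted log; the `localhost` hosts line is constructed, and the `SYSTEM32_BINARIES` set and the flagging heuristics are this example's own assumptions, not rules from SREng.

```python
import re

# Startup entries copied from the SREng log posted in this thread (trimmed, not constructed).
SRENG_STARTUP = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<NvCplDaemon><; RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup> [(Verified)NVIDIA Corporation]
<Domino><; C:\WINDOWS\Domino.EXE> [N/A]
<upxdnd><; C:\DOCUME~1\ym\LOCALS~1\Temp\upxdnd.exe> [N/A]
<wxClient><; C:\WINDOWS\system32\Clsmn.exe> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<internet><C:\WINDOWS\system\taskmgr.exe /scan> [N/A]
"""

# Autorun.inf section exactly as SREng rendered it in the posted log.
SRENG_AUTORUN = r"""
[D:\]
[AutoRun]
OPEN=setup.exe
shellexecute=setup.exe
shell\打开(&O)\command=setup.exe
[E:\]
[AutoRun]
OPEN=setup.exe
shellexecute=setup.exe
shell\打开(&O)\command=setup.exe
"""

# First three HOSTS lines from the posted log; the localhost line is constructed
# so the example shows that the legitimate loopback mapping is not reported.
SRENG_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 about-blank.cc
127.0.0.1 hao.allxun.com
127.0.0.1 kzxf.com
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
ENTRY_RE = re.compile(r"^<(?P<name>[^>]*)><(?P<cmd>[^>]*)> \[(?P<signer>[^\]]*)\]$")
DRIVE_RE = re.compile(r"^\[([A-Za-z]:\\)\]$")

# Assumption for this example: binaries that ship in %SystemRoot%\system32 on XP.
# A same-named file anywhere else (e.g. C:\WINDOWS\system\taskmgr.exe) is suspect.
SYSTEM32_BINARIES = {"taskmgr.exe", "svchost.exe", "ctfmon.exe"}


def parse_startup(text):
    """Return (registry key, value name, command, signer) tuples from SREng's startup section."""
    key, entries = None, []
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            cmd = m.group("cmd").lstrip("; ").strip()  # SREng prefixes HKLM values with "; "
            entries.append((key, m.group("name"), cmd, m.group("signer")))
    return entries


def image_path(cmd):
    """First token of a Run command: the quoted path, or the text up to the first space."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(None, 1)[0] if cmd else ""


def triage_startup(text):
    """Map each suspicious startup value name to the list of reasons it was flagged."""
    findings = {}
    for key, name, cmd, signer in parse_startup(text):
        low = image_path(cmd).lower()
        reasons = []
        if not signer.startswith("(Verified)"):
            reasons.append("publisher not verified")
        if "\\temp\\" in low:
            reasons.append("runs from a user Temp directory")
        if key.endswith("Policies\\Explorer\\Run"):
            reasons.append("uses the Policies\\Explorer\\Run key")
        if low.rsplit("\\", 1)[-1] in SYSTEM32_BINARIES and "\\system32\\" not in low:
            reasons.append("system binary name outside system32")
        if reasons:
            findings[name] = reasons
    return findings


def autorun_targets(text):
    """Map each drive root's autorun.inf to the executables it would launch on open."""
    targets, drive = {}, None
    for line in text.splitlines():
        m = DRIVE_RE.match(line)
        if m:
            drive = m.group(1)
            targets[drive] = set()
            continue
        if drive and "=" in line and not line.startswith("["):
            k, v = line.split("=", 1)
            k = k.strip().lower()
            if k in ("open", "shellexecute") or k.endswith("\\command"):
                targets[drive].add(v.strip())
    return targets


def loopback_overrides(hosts_text):
    """Hostnames pinned to 127.0.0.1 other than localhost itself (candidates for hosts repair)."""
    names = []
    for line in hosts_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts and parts[0] == "127.0.0.1":
            names.extend(h for h in parts[1:] if h.lower() != "localhost")
    return names


if __name__ == "__main__":
    for name, why in triage_startup(SRENG_STARTUP).items():
        print(f"startup {name}: {'; '.join(why)}")
    for drive, exes in autorun_targets(SRENG_AUTORUN).items():
        print(f"autorun {drive}: launches {', '.join(sorted(exes))}")
    print("hosts overrides:", loopback_overrides(SRENG_HOSTS))
```

Run against the posted log, the script flags exactly the four Run values this reply tells the poster to delete (Domino, upxdnd, wxClient, internet), reports setup.exe as the Autorun target on both D: and E:, and lists the non-localhost hosts overrides, so the cleanup list can be produced from the log rather than by eye.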
bravoliuliu - 2007-3-9 16:46:00
Looks like the OP's problem really packs a punch; two moderators have both come to reply to you, while nobody even looks at my problem, waah……………………………………
jmbt - 2007-3-9 17:13:00
Virus:
<Domino><; C:\WINDOWS\Domino.EXE> [N/A]
<DU Meter><; C:\Program Files\DU Meter\DUMeter.exe> [N/A]
afkp4e7 - 2007-3-9 17:20:00
The title is rather enticing.
小泉烧香 - 2007-3-9 17:47:00
猫叔, thank you so much... I'll contact them and go try it right away.
Brother mopery, I'm sending you the virus sample now...
猫叔, do you want it too??
小泉烧香 - 2007-3-10 12:47:00
..
taylor05771 - 2007-3-10 19:17:00
C:\DOCUME~1\ym\LOCALS~1\Temp\upxdnd.exe
plus the setup.exe in the root of D: and E:; compress them together with password 123
and send to zhz010266@njude.com.cn
Also, this worm can be confirmed as the handiwork of 王云禾.
咕噜猪zzZ睡觉觉 - 2007-3-10 19:52:00
Autorun.inf
[D:\]
[AutoRun]
OPEN=setup.exe
shellexecute=setup.exe
shell\打开(&O)\command=setup.exe
[E:\]
[AutoRun]
OPEN=setup.exe
shellexecute=setup.exe
shell\打开(&O)\command=setup.exe
Super problem.
Could be left over
from 金猪 (Golden Pig).
小泉烧香 - 2007-3-11 18:06:00
Yeah, it's quite a pain.
It did catch 金猪, but a rather dim "tech admin" fiddled with it and now that's fixed,
but there are still a lot of unstable factors,
I've seen the CMD process too,
and the ggg.exe process too,
sometimes opening a web page brings up a malicious link to some website, still not fixed to this day,
I also sent the sample brother mopery asked for, but got no reply..
mopery - 2007-3-11 18:47:00
| Quote: |
[小泉烧香's post] Yeah, it's quite a pain. It did catch 金猪, but a rather dim "tech admin" fiddled with it and now that's fixed, but there are still a lot of unstable factors, I've seen the CMD process too, and the ggg.exe process too, sometimes opening a web page brings up a malicious link to some website, still not fixed to this day, I also sent the sample brother mopery asked for, but got no reply..
……………… |
I've already replied..
There's something off with the sample; best send a few more..
As the cyber-police said, it may be 王云禾's work..
Alternatively, it may be HnCSBoy's work 死神之吻 (Kiss of Death)..
The sample won't run, so I can't confirm..
© 2000 - 2026 Rising Corp. Ltd.