求救！中了rootkit.win32.agent.bef，附日志 - 瑞星卡卡安全论坛bbs.ikaka.com

瑞星卡卡安全论坛技术交流区 反病毒/反流氓软件论坛求救！中了rootkit.win32.agent.bef，附日志

	瑞星“1+2”全新解决方案巡展在广州画上圆满句号		叶院长揭秘：瑞星如何运用AI技术革新网络安全		俄乌冲突加剧网络攻击风险白俄罗斯政府遭APT攻击		瑞星ESM防病毒系统助力矿业大学筑牢网络安全防线
	实力拉满瑞星第四十七次通过VB100测评		携手老友，拥抱新精彩 —— 新论坛新活动，感谢你的陪伴		护航司法，瑞星助力山西省高院构建安全防线		人工智能在网络安全领域的风险和机遇

1

1 / 1 页

跳转页

[求助] 求救！中了rootkit.win32.agent.bef，附日志

Scalpel 拙长孩提狮帖子:100 注册: 2004-12-04 来自:	发表于： 2008-07-15 21:08 \| 只看楼主短消息资料字号：小中大 1楼求救！中了rootkit.win32.agent.bef，附日志同时连带着又中了 Trojan.PSW.Win32.GameOL.org Trojan.PSW.Win32.SunOnline.pj Trojan.PSW.Win32.QQPass.doa Trojan.Win32.Undef.jip Trojan.PSW.Win32.GameOL.nvl Trojan.PSW.Win32.GameOL.oek Trojan.PSW.Win32.GameOL.nwa Trojan.PSW.Win32.Mapdimp.m Trojan.PSW.Win32.GameOL.opc 求大大们分析下我的日志吧！用户系统信息：Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; http://bsalsa.com) ) 附件: 文件名:SREngLOG.log 下载次数:102 文件类型:application/octet-stream 文件大小: 上传时间:2008-7-15 21:07:47 描述:log
Scalpel 拙长孩提狮帖子:100 注册: 2004-12-04 来自:	分享到：

QQ凌帆飘泊而立狮帖子:587 注册: 2006-07-07 来自:四川成都	发表于： 2008-07-15 21:18 \| 短消息资料字号：小中大 2楼回复: 求救！中了rootkit.win32.agent.bef，附日志用xdelbox删除这些文件 C:\WINDOWS\system32\sgdewg.dll C:\WINDOWS\system32\fsrgeb.dll C:\WINDOWS\system32\tdggrz.dll C:\WINDOWS\system32\jggtsr.dll C:\WINDOWS\system32\zefdst.dll C:\WINDOWS\system32\tdfhex.dll C:\WINDOWS\system32\rfdswc.dll 用Sreng工具删除以下镜像劫持 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiArp.exe] <IFEO[AntiArp.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DrvAnti.exe] <IFEO[DrvAnti.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwadins.exe] <IFEO[drwadins.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebscd.exe] <IFEO[drwebscd.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebupw.exe] <IFEO[drwebupw.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\filemon.exe] <IFEO[filemon.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFRing3.exe] <IFEO[GFRing3.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFUpd.exe] <IFEO[GFUpd.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GuardField.exe] <IFEO[GuardField.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OllyDBG.EXE] <IFEO[OllyDBG.EXE]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OllyICE.EXE] <IFEO[OllyICE.EXE]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe] <IFEO[procexp.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavXP.exe] <IFEO[RavXP.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RawCopy.exe] <IFEO[RawCopy.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regmon.exe] <IFEO[regmon.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegTool.exe] <IFEO[RegTool.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe] <IFEO[rfwProxy.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwstub.exe] <IFEO[rfwstub.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spiderml.exe] <IFEO[spiderml.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spidernt.exe] <IFEO[spidernt.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spiderui.exe] <IFEO[spiderui.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spml_set.exe] <IFEO[spml_set.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe] <IFEO[taskmgr.exe]><ntsd -d> [N/A] 工具下载使用请见版主天月的帖子http://bbs.ikaka.com/showtopic-8442813-1.aspx
QQ凌帆飘泊而立狮帖子:587 注册: 2006-07-07 来自:四川成都

豪斯登堡新郎社区嘉宾帖子:4234 注册: 2007-11-09 来自:	发表于： 2008-07-15 21:45 \| 短消息资料字号：小中大 3楼回复：求救！中了rootkit.win32.agent.bef，附日志 [复制到剪贴板] CODE: 启动项目注册表 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] <NWEReboot><> [N/A] <racer><> [N/A] <HBmhly><"C:\WINDOWS\system32\HBmhly.exe" -r> [] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] <{DC3D30AE-0380-4151-8934-EE98A34B0370}><C:\WINDOWS\system32\mfdesy.dll> [File is missing] <{E8A3B193-77E3-4FB3-986D-F4FA4828BAFC}><C:\WINDOWS\system32\wklsdd.dll> [File is missing] <{C0595A7E-2E2F-4B34-A83A-019270A0A464}><C:\WINDOWS\system32\tdffdl.dll> [File is missing] <{8C41B7F7-3168-400D-A702-0E7EFE0BA304}><C:\WINDOWS\system32\sgdewg.dll> [] <{17DFD111-BF3A-4CB4-ADB0-88FCBFE69821}><> [N/A] <{45AADFAA-DD36-42AB-83AD-0521BBF58C24}><> [N/A] <{461D2AB4-29A5-45C2-9134-D52272D3DE38}><C:\WINDOWS\system32\rfdswc.dll> [] <{A9895933-6636-4281-BC58-EE6DE2AF96E3}><C:\WINDOWS\system32\ddserh.dll> [File is missing] <{841529CB-7F77-4B99-A895-B5441E0D302F}><C:\WINDOWS\system32\jfrwdh.dll> [File is missing] <{B29583D8-033A-4B9F-8553-7C5458F3FB8E}><C:\WINDOWS\system32\jdsaex.dll> [File is missing] <{7914E0AA-ECCB-4311-B584-C49538227824}><C:\WINDOWS\system32\jhfrxz.dll> [File is missing] <{F99DEFDD-200B-4410-B572-E90883D527D2}><C:\WINDOWS\system32\wrqszl.dll> [] <{73AE86E6-7F03-4C3B-8980-FB1DA157D3C7}><C:\WINDOWS\system32\fmcvxy.dll> [File is missing] <{EB71E0B3-E97D-4D30-8733-E28266467617}><> [N/A] <{5E907A48-400E-4EA8-9792-FFAE052D59E9}><C:\WINDOWS\system32\pedadt.dll> [File is missing] <{84143967-B645-4BFF-B873-DA1DC886E9A7}><C:\WINDOWS\system32\cedafb.dll> [File is missing] <{EA5D4B0E-B8CE-4761-8C7E-5D26369F0EC6}><C:\WINDOWS\system32\fsrgeb.dll> [] <{4D165A2A-4BC1-4CA8-8299-08E05AAAB5A4}><C:\WINDOWS\system32\tdggrz.dll> [] <{CAED0F3B-DF8B-4DBF-BB20-8DFBC3199068}><C:\WINDOWS\system32\jggtsr.dll> [] <{28EB3777-3E23-4E72-8449-A992D09D24C3}><C:\WINDOWS\system32\zefdst.dll> [] <{0B846B26-BFE6-4E8E-A948-1DB17B77B483}><C:\WINDOWS\system32\tdfhex.dll> [] <{00070007-0007-0007-0007-00070007BB15}><C:\WINDOWS\system32\dpvvoxmh.dll> [File is missing] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] <dpvvoxmh.dll><C:\WINDOWS\system32\dpvvoxmh.dll> [File is missing] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiArp.exe] <IFEO[AntiArp.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DrvAnti.exe] <IFEO[DrvAnti.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwadins.exe] <IFEO[drwadins.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebscd.exe] <IFEO[drwebscd.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebupw.exe] <IFEO[drwebupw.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\filemon.exe] <IFEO[filemon.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFRing3.exe] <IFEO[GFRing3.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFUpd.exe] <IFEO[GFUpd.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GuardField.exe] <IFEO[GuardField.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OllyDBG.EXE] <IFEO[OllyDBG.EXE]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OllyICE.EXE] <IFEO[OllyICE.EXE]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe] <IFEO[procexp.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavXP.exe] <IFEO[RavXP.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RawCopy.exe] <IFEO[RawCopy.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regmon.exe] <IFEO[regmon.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegTool.exe] <IFEO[RegTool.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe] <IFEO[rfwProxy.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwstub.exe] <IFEO[rfwstub.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spiderml.exe] <IFEO[spiderml.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spidernt.exe] <IFEO[spidernt.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spiderui.exe] <IFEO[spiderui.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spml_set.exe] <IFEO[spml_set.exe]><ntsd -d> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe] <IFEO[taskmgr.exe]><ntsd -d> [N/A] ================================== 启动文件夹 [self] <C:\Documents and Settings\All Users\「开始」菜单\程序\启动\self.bat --> [File is missing]><N> ================================== ================================== 驱动程序 [HBKernel Driver / HBKernel][Running/Boot Start] <\SystemRoot\system32\DRIVERS\HBKernel.sys><N/A> [NTGDT / NTGDT][Running/System Start] <\??\C:\WINDOWS\system32\Drivers\NTGDT.SYS><N/A> [PSSdk21 / PSSdk21][Stopped/Manual Start] <\??\C:\WINDOWS\system32\Drivers\HNPsSdk.drv><N/A> [PsSdk30 / PsSdk30][Stopped/Manual Start] <\??\C:\WINDOWS\system32\Drivers\PsSdk30.drv><N/A> [vstqn / vstqn][Stopped/Manual Start] <\??\C:\DOCUME~1\w\LOCALS~1\Temp\_tmp.bat><N/A> ================================== 浏览器加载项 [IE_ADS Class] {F8E2D735-5D21-4B00-B6DE-D82ED0CA8B63} <C:\WINDOWS\system32\yg.dll, > ================================== 正在运行的进程 [PID: 396 / w][C:\WINDOWS\system32\HBmhly.exe] [N/A, ] [C:\WINDOWS\system32\tdfhex.dll] [N/A, ] [C:\WINDOWS\system32\rfdswc.dll] [N/A, ] [C:\WINDOWS\system32\jggtsr.dll] [N/A, ] [C:\WINDOWS\system32\tdggrz.dll] [N/A, ] [C:\WINDOWS\system32\wrqszl.dll] [N/A, ] [C:\WINDOWS\system32\sgdewg.dll] [N/A, ] [C:\WINDOWS\system32\zefdst.dll] [N/A, ] [C:\WINDOWS\system32\fsrgeb.dll] [N/A, ] ================================== 进程特权扫描特殊特权被允许： SeDebugPrivilege [PID = 396, C:\WINDOWS\SYSTEM32\HBMHLY.EXE] 特殊特权被允许： SeLoadDriverPrivilege [PID = 396, C:\WINDOWS\SYSTEM32\HBMHLY.EXE] ================================== 不认识我没关系，因为我也不认识你。
豪斯登堡新郎社区嘉宾帖子:4234 注册: 2007-11-09 来自:

<<上一主题|下一主题>>

1

1 / 1 页

跳转页

页面顶部

Powered by Discuz!NT