推 timmy5519: Install MS08-067 right away 02/22 09:43
1. Problem description: as soon as the network cable is plugged in, the machine freezes completely.
AVAST PRO shows no reaction.
Ad-Aware SE PRO detects no threats.
Please describe the infection you ran into below, in as much detail as possible (screenshots may be attached):
2. Scan report: Task Manager shows a program called ISASS.exe running.
Please run a full-system scan with your antivirus software first, then upload the scan results to the pinned upload space.
Combofix :ComboFix 09-02-19.01 - WHO 2009-02-21 23:41:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.950.1.1028.18.767.401 [GMT 8:00]
執行位置: c:\documents and settings\WHO\桌面\ComboFix.exe
* 成功創造新還原點
注意 - 這台電腦沒有安裝恢復控制台 !!
.
((((((((((((((((((((((((( 2009-01-21 至 2009-02-21 的新的檔案 )))))))))))))))))))))))))))))))
.
2009-02-21 01:42 . 2009-02-21 01:42 <DIR> d-------- c:\documents and settings\WHO\Application Data\Lavasoft
2009-02-21 01:34 . 2009-02-21 01:34 <DIR> d-------- c:\program files\Alwil Software
2009-02-21 01:05 . 2009-02-21 23:36 <DIR> d-------- c:\documents and settings\WHO\桌面
2009-02-21 01:05 . 2009-02-21 00:23 <DIR> dr------- c:\documents and settings\WHO\「開始」功能表
2009-02-21 01:05 . 2009-02-21 01:05 <DIR> d-------- c:\documents and settings\WHO
.
(((((((((((((((((((((((((((((((((((((((( 在三個月內被修改的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-21 15:42 1,606 ----a-w c:\windows\system32\PerfStringBackup.TMP
2009-02-20 16:55 --------- d-----w c:\program files\microsoft frontpage
.
------- Sigcheck -------
2001-10-10 23:10 430080 2b0e480e975ee51f2d5ce5f068fed6e2 c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( 重要登入點 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白與合法缺省登錄將不會被顯示
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AWMON"="c:\documents and settings\WHO\桌面\Ad-Aware SE Professional\Ad-Watch.exe" [2106-02-07 517632]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2001-09-06 13312]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-06 81000]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\CTFMON.EXE" [2001-09-06 13312]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2001-09-06 04:00 13312 c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2001-09-06 04:00 208949 c:\windows\ime\IMJP8_1\imjpmig.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2001-08-02 07:14 1077277 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2001-09-06 04:00 737360 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2001-09-06 04:00 737360 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-02-21 114768]
.
.
------- 而外的掃描 -------
.
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-21 23:42:48
Windows 5.1.2600 NTFS
掃描被隱藏的進程 。。。
掃描被隱藏的啟動組 。。。
掃描被隱藏的文件 。。。
掃描完成
被隱藏的檔案: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\AppEvents\Schemes\Apps\Avast\?悐灀送攤烓밪P*S* .Current]
@="c:\\Program Files\\Alwil Software\\Avast4\\ChineseT\\vpsupd.wav"
[HKEY_USERS\.Default\AppEvents\Schemes\Apps\Avast\?悐灀送攤烓밪P*S* .Modified]
@="c:\\Program Files\\Alwil Software\\Avast4\\ChineseT\\vpsupd.wav"
[HKEY_USERS\.Default\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"
[HKEY_USERS\LocalService\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"
[HKEY_USERS\S-1-5-20\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"
[HKEY_USERS\S-1-5-21-1715567821-1647877149-839522115-1003\AppEvents\Schemes\Apps\Avast\?悐灀送攤烓밪P*S* .Current]
@="c:\\Program Files\\Alwil Software\\Avast4\\ChineseT\\vpsupd.wav"
[HKEY_USERS\S-1-5-21-1715567821-1647877149-839522115-1003\AppEvents\Schemes\Apps\Avast\?悐灀送攤烓밪P*S* .Modified]
@="c:\\Program Files\\Alwil Software\\Avast4\\ChineseT\\vpsupd.wav"
[HKEY_USERS\S-1-5-21-1715567821-1647877149-839522115-1003\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"
.
--------------------- 運行進程下的動態鏈接庫 ---------------------
- - - - - - - > 'winlogon.exe'(520)
c:\windows\system32\ODBC32.dll
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
- - - - - - - > 'lsass.exe'(576)
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
c:\windows\System32\dssenh.dll
.
完成時間: 2009-02-21 23:43:53
ComboFix-quarantined-files.txt 2009-02-21 15:43:51
Pre-Run: 39,444,389,888 位元組可用
Post-Run: 39,436,562,432 位元組可用
92
EFIX :[code]
efix 5.0 20090205.15 - 2009-02-21 1:33:52.96 - ntfs
Microsoft Windows XP - WHO
執行位置: F:\efix.exe
* 已建立系統還原點.
提示:
未安裝安全性更新 KB958644 [MS08-067]
未安裝安全性更新 KB960714 [MS08-078]
================================================================================
EF刪除的檔案列表:
沒有刪除任何檔案.
================================================================================
EF修改的登錄值列表:
沒有刪除任何登錄值.
================================================================================
各磁碟根目錄含有隱藏屬性的資料夾 :
d--h--w 0 2009-02-20 13:05:32 D:\WUTemp
d--h--w 0 2008-12-28 09:06:20 F:\.Trashes
d--h--w 0 2008-12-28 09:06:20 F:\.Spotlight-V100
================================================================================
各磁碟根目錄含有隱藏屬性的檔案 :
---ha-w 4,096 2008-12-28 09:06:20 F:\._.Trashes
********** Created 2009-01 -- 2009-02 Files: **********
NO Files.
.
********** Modified 2008-12 -- 2009-02 files: **********
NO Files.
.
================================================================================
執行中的程序:
[PID: 960] C:\WINDOWS\system32\spoolsv.exe [Microsoft Corporation]
[PID: 1104] C:\WINDOWS\System32\alg.exe [Microsoft Corporation]
[PID: 832] C:\WINDOWS\System32\conime.exe [Microsoft Corporation]
[PID: 1984] C:\WINDOWS\System32\wbem\wmiprvse.exe [Microsoft Corporation]
[PID: 324] F:\setupchtpro.exe [N/A]
[PID: 1800] C:\WINDOWS\System32\imapi.exe [Microsoft Corporation]
================================================================================
登錄值列表 *** 注意 : 部分正常值不會顯示 ***
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SHARED TOOLS\MSCONFIG\startupreg\ctfmon.exe]
"command"="C:\WINDOWS\system32\ctfmon.exe" [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SHARED TOOLS\MSCONFIG\startupreg\IMJPMIG8.1]
"command"="C:\WINDOWS\ime\IMJP8_1\imjpmig.exe" [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SHARED TOOLS\MSCONFIG\startupreg\MSMSGS]
"command"="C:\Program Files\Messenger\msmsgs.exe" [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SHARED TOOLS\MSCONFIG\startupreg\PHIME2002A]
"command"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SHARED TOOLS\MSCONFIG\startupreg\PHIME2002ASync]
"command"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [Microsoft Corporation]
HKCR - open command:
htmlfile: C:\Program Files\Internet Explorer\iexplore.exe -nohome
1862fc1943b25fafac14ac5248690426 2001-09-06 04:00 21504 C:\WINDOWS\system32\userinit.exe
1862fc1943b25fafac14ac5248690426 2001-09-06 04:00 21504 C:\WINDOWS\system32\dllcache\userinit.exe
05646ff8c5dfb537a2abb133831fca29 2001-09-06 04:00 1000960 C:\WINDOWS\explorer.exe
05646ff8c5dfb537a2abb133831fca29 2001-09-06 04:00 1000960 C:\WINDOWS\system32\dllcache\explorer.exe
"C:\WINDOWS\system32\WUAUCLT1.EXE" not found.
沒有數位簽章的系統檔案
2001-10-10 23:10 430080 C:\WINDOWS\system32\WINLOGON.EXE [Microsoft Corporation]
--> 2001-10-10 23:10 430080 C:\WINDOWS\system32\winlogon.exe [Sigcheck failed.]
================================================================================
服務 \ 驅動 列表:
顯示方式 : 啟動狀態 服務名稱;顯示名稱;檔案名稱
啟動狀態 : S0 = Boot Start S1 = System Start S2 = Auto Start S3 = Manual Start S4 = Disable S9 = Unknow
================================================================================
IE 首頁設定:
Internet Explorer Version: 6.0.2600.0000
HKLM - Extensions: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
================================================================================
磁碟空間 C: - 38,581,129,216 位元組可用
磁碟空間 F: - 4,335,894,528 位元組可用
================================================================================
掃描結束時間: 2009-02-21 1:34:19.04
[/CODE]
--
※ Posted from: 批踢踢實業坊 (ptt.cc)
◆ From: 122.100.83.236