C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\D2FUGHNM\Update-KB3303-x86[1].zip; infected with a virus
-------------------------------------------------------------------------------------------------------------------------------------------
2007-04-04,08:26:25
System Repair Engineer 2.4.12.806
Smallfrogs (http://www.KZTechs.com)
Windows XP Professional Service Pack 1 (Build 2600) - Administrative User - Completed Functions Allowed
The following item(s) have been chosen:
All Boot Items (Including Registry, Startup Folders, Services and so on)
Browser Add-ons
Running Processes (Including process module information)
File Associations
Winsock Provider
Autorun.Inf
HOSTS File
Boot Items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\System32\ctfmon.exe> [(Verified)Microsoft Windows XP Publisher]
<MsnMsgr><"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background> [Microsoft Corporation]
<WebOffice 3.0(1)><C:\Program Files\Novax\Netask Messenger\webclient.exe> [Novax Corp.]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<IMJPMIG8.1><C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32> [(Verified)Microsoft Windows XP Publisher]
<PHIME2002ASync><C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [(Verified)Microsoft Windows XP Publisher]
<PHIME2002A><C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [(Verified)Microsoft Windows XP Publisher]
<SunJavaUpdateSched><C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe> [Sun Microsystems, Inc.]
<ccApp><"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"> [N/A]
<vptray><C:\PROGRA~1\SYMANT~1\VPTray.exe> [N/A]
<AWMON><"C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows XP Publisher]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Windows XP Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Windows XP Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dtcclzex]
<WinlogonNotify: dtcclzex><C:\WINDOWS\System32\dtcclzex.dll> [N/A]   (highlighted in red in the original post)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iasnx9tc]
<WinlogonNotify: iasnx9tc><C:\WINDOWS\System32\iasnx9tc.dll> [N/A]   (highlighted in red in the original post)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
<WinlogonNotify: WgaLogon><WgaLogon.dll> [Microsoft Corp.]
==================================
Startup Folders
[Microsoft Office]
<C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\Microsoft Office.lnk --> C:\PROGRA~1\MICROS~2\Office10\OSA.EXE [Microsoft Corporation]><N>
[Netask Messenger]
<C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\Netask Messenger.lnk --> C:\PROGRA~1\Novax\NETASK~1\WEBCLI~1.EXE [Novax Corp.]><N>
[Adobe Reader Speed Launch]
<C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\Adobe Reader Speed Launch.lnk --> C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE [Adobe Systems Incorporated]><N>
[UltraVNC Server]
<C:\Documents and Settings\user\「開始」功能表\程式集\啟動\UltraVNC Server.lnk --> C:\PROGRA~1\UltraVNC\winvnc.exe [UltraVNC]><N>
==================================
Services
[Human Interface Device Access / HidServ][Stopped/Disabled]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[Kaspersky Anti-Virus Service / kavsvc][Running/Auto Start]
<"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 5.0 for Windows Workstations\kavsvc.exe"><Kaspersky Lab>
[Kaspersky Network Agent / klnagent][Running/Auto Start]
<"C:\Program Files\Kaspersky Lab\NetworkAgent\klnagent.exe"><Kaspersky Lab>
[Machine Debug Manager / MDM][Running/Auto Start]
<"C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"><Microsoft Corporation>
[Pml Driver HPZ12 / Pml Driver HPZ12][Stopped/Manual Start]
<C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe><HP>
==================================
Drivers
[Intel(r) 82801 Audio Driver Install Service (WDM) / ac97intc][Running/Manual Start]
<system32\drivers\ac97intc.sys><Intel Corporation>
[Intel(R) PRO Adapter Driver / E100B][Running/Manual Start]
<System32\DRIVERS\e100b325.sys><Intel Corporation>
[KL1 driver / kl1][Running/Boot Start]
<\SystemRoot\System32\drivers\kl1.sys><Kaspersky Lab>
[KLIF driver / klif][Running/System Start]
<System32\drivers\klif.sys><Kaspersky Labs>
[KLMC driver / klmc][Running/System Start]
<System32\drivers\klmc.sys><Kaspersky Lab>
[nv4 / nv4][Running/Manual Start]
<System32\DRIVERS\nv4.sys><NVIDIA Corporation>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Secdrv / Secdrv][Stopped/Manual Start]
<System32\DRIVERS\secdrv.sys><N/A>
==================================
Browser Add-ons
[Yahoo! Toolbar Helper]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} <C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll, Yahoo! Inc.>
[AcroIEHlprObj Class]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[SSVHelper Class]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} <C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll, Sun Microsystems, Inc.>
[Java Plug-in]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} <C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll, Sun Microsystems, Inc.>
[Messenger]
{FB5F1910-F110-11d2-BB9E-00C04F795683} <C:\Program Files\Messenger\MSMSGS.EXE, Microsoft Corporation>
[Radio(&R)]
{8E718888-423F-11D2-876E-00A0C9082467} <C:\WINDOWS\System32\msdxm.ocx, Microsoft Corporation>
[Yahoo! Kimo Shortcut Bar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} <C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll, Yahoo! Inc.>
[Crystal Report Viewer Control 9]
{2DEF4530-8CE6-41C9-84B6-A54536C90213} <C:\WINDOWS\Downloaded Program Files\CRViewer9.dll, Crystal Decisions>
[YInstStarter Class]
{30528230-99f7-4bb4-88d8-fa1d4f56a2ab} <C:\PROGRA~1\YAHOO!\Common\yinsthelper.dll, Yahoo! Inc.>
[TreeEditor Class]
{7B468F35-D212-4C44-BF24-002977F4C0A7} <C:\WINDOWS\Downloaded Program Files\ted.dll, 超華資訊股份有限公司 [sunsheng@ms5.hinet.net]>
[Java Plug-in]
{8AD9C840-044E-11D1-B3E9-00805F499D93} <C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll, Sun Microsystems, Inc.>
[CHTAuthC Class]
{A68902FF-6FE8-4DAF-A1DB-1B20BE7FEF7F} <C:\WINDOWS\Downloaded Program Files\CHTAuthClient.dll, Chunghwa Telecom Laboratories>
[Java Plug-in]
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll, Sun Microsystems, Inc.>
[Java Plug-in 1.5.0_06]
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll, Sun Microsystems, Inc.>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\System32\Macromed\Flash\Flash8.ocx, Macromedia, Inc.>
[Export to Microsoft Excel(&X)]
<res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000, N/A>
==================================
Running Processes
[PID: 612][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[PID: 684][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 1888][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2800.1106 (xpsp1.020828-1920)]
[C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll] [Adobe Systems, Inc., 7.0.0.0]
[C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll] [Adobe Systems Incorporated, 7.0.5.2005092300]
[C:\WINDOWS\System32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 5.0 for Windows Workstations\shellex.dll] [Kaspersky Lab, 5.0.712.1]
[PID: 280][C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe] [Sun Microsystems, Inc., 5.0.60.5]
[PID: 508][C:\WINDOWS\System32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[PID: 532][C:\Program Files\Novax\Netask Messenger\webclient.exe] [Novax Corp., 3, 50, 0, 0]
[C:\Program Files\Novax\Netask Messenger\MFC42.DLL] [Microsoft Corporation, 6.02.4131.0]
[C:\Program Files\Novax\Netask Messenger\WCS_SYSTEMTRAY.DLL] [WebStorage Corp., 1, 0, 1, 3]
[C:\Program Files\Novax\Netask Messenger\Hook.dll] [WebStorage Corp., 1, 0, 1, 1]
[PID: 1268][C:\Program Files\UltraVNC\winvnc.exe] [UltraVNC, 1.1.0.0]
[PID: 2504][C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe] [Lavasoft Sweden, 6.2.0.208]
[PID: 2596][C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe] [Lavasoft Sweden, 3.1.2.17]
[PID: 4000][C:\Program Files\Internet Explorer\iexplore.exe] [Microsoft Corporation, 6.00.2800.1106 (xpsp1.020828-1920)]
[C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll] [Yahoo! Inc., 2006, 10, 26, 1]
[C:\Program Files\Yahoo!\Companion\Installs\cpn\YTabBar.dll] [Yahoo!, 2006.10.17.1]
[C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll] [Adobe Systems Incorporated, 7.0.5.2005092300]
[C:\WINDOWS\System32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll] [Sun Microsystems, Inc., 5.0.60.5]
[C:\Program Files\Yahoo!\Companion\Installs\cpn\pubmod.dll] [Yahoo! Inc., 2005, 12, 16, 1]
[C:\Program Files\Yahoo!\Companion\Installs\cpn\ypubc.dll] [Yahoo! Inc., 2006.1.25.01]
[C:\Program Files\Yahoo!\Companion\Installs\cpn\YMERemote.dll] [Yahoo! Inc., 2006, 7, 27, 1]
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 5.0 for Windows Workstations\scrchpg.dll] [Kaspersky Lab, 5.0.712.20]
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 5.0 for Windows Workstations\scbridge.dll] [Kaspersky Lab, 5.0.712.1]
[C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 5.0 for Windows Workstations\klipc.dll] [Kaspersky Lab, 5.0.712.0]
[C:\WINDOWS\System32\MSTCIPHA.IME] [Microsoft Corporation, 5.1.0.60]
[C:\Program Files\Common Files\Microsoft Shared\Ink\PENCHT.DLL] [Microsoft Corporation, 1.0.1038.0]
[C:\Program Files\Common Files\Microsoft Shared\IME\MSTCIA\Applet\chtskdic.dll] [Microsoft Corporation, 8.0.0.1912]
[C:\WINDOWS\System32\Macromed\Flash\Flash8.ocx] [Macromedia, Inc., 8,0,22,0]
[PID: 3316][C:\WINDOWS\system32\taskmgr.exe] [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[PID: 2184][C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe] [Sun Microsystems, Inc., 5.0.60.5]
[PID: 3288][C:\Documents and Settings\user\桌面\sreng2\SREng.EXE] [Smallfrogs Studio, 2.4.12.806]
==================================
File Associations
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock Provider
N/A
==================================
Autorun.Inf
N/A
==================================
HOSTS File
127.0.0.1 localhost
==================================
API HOOK
RVA Error: LoadLibraryA (Dangerous Level: Generic, Hooked by Module: Dest Addr: 0xF5DEE6E0)
RVA Error: LoadLibraryExA (Dangerous Level: Generic, Hooked by Module: Dest Addr: 0xF5DEE820)
RVA Error: LoadLibraryExW (Dangerous Level: Generic, Hooked by Module: Dest Addr: 0xF5DEE8E0)
RVA Error: LoadLibraryW (Dangerous Level: Generic, Hooked by Module: Dest Addr: 0xF5DEE780)
==================================
Hidden Process
[441] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 5.0 for Windows Workstations\klswd.exe
[497] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 5.0 for Windows Workstations\kav.exe
[2037] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 5.0 for Windows Workstations\kavsvc.exe
==================================
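Added triage example, not part of the log above and not code from SREng or from the poster: a small parser over the "Registry" boot-item lines in SREng's format, which raises Winlogon\Notify DLLs that carry no publisher information to high priority (winlogon.exe loads every DLL registered there, in the SYSTEM context, at each logon) and lists other autostart entries with no publisher for review. The sample input is copied from the log above; the `looks_random` name heuristic and the severity labels are my assumptions, not something SREng reports.

```python
import re
from dataclasses import dataclass

# Lines copied from the SREng "Registry" boot-items section above; this is
# the example's sample input, not a dump from a live system.
SAMPLE_LINES = [
    r"[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'<ccApp><"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"> [N/A]',
    r"<vptray><C:\PROGRA~1\SYMANT~1\VPTray.exe> [N/A]",
    r"<SunJavaUpdateSched><C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe> [Sun Microsystems, Inc.]",
    r"[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]",
    r"<shell><Explorer.exe> [(Verified)Microsoft Windows XP Publisher]",
    r"<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Windows XP Publisher]",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dtcclzex]",
    r"<WinlogonNotify: dtcclzex><C:\WINDOWS\System32\dtcclzex.dll> [N/A]",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iasnx9tc]",
    r"<WinlogonNotify: iasnx9tc><C:\WINDOWS\System32\iasnx9tc.dll> [N/A]",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]",
    r"<WinlogonNotify: WgaLogon><WgaLogon.dll> [Microsoft Corp.]",
]

# SREng prints a registry key as "[HKEY_...]" and each value under it as
# "<value name><command line> [publisher]".
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
ENTRY_RE = re.compile(r"^<([^>]*)><(.*)> \[([^\]]*)\]$")
# First executable or DLL on the command line, with or without quotes.
IMAGE_RE = re.compile(r'^"?(.*?\.(?:exe|dll))', re.IGNORECASE)

VOWELS = set("aeiou")


@dataclass
class Finding:
    severity: str   # "high" or "review" (assumed labels, not SREng output)
    key: str
    name: str
    image: str
    reason: str


def looks_random(basename: str) -> bool:
    """Weak heuristic (an assumption): an 8-character alphanumeric file stem
    with at most two vowels reads like a generated name rather than a product
    name. It only raises priority; on its own it proves nothing."""
    stem = basename.lower().rsplit(".", 1)[0]
    return len(stem) == 8 and stem.isalnum() and sum(c in VOWELS for c in stem) <= 2


def image_path(command: str):
    """Return the executable/DLL path from an SREng command field, dropping
    quotes, switches and the trailing comma SREng keeps on Userinit."""
    m = IMAGE_RE.match(command.strip())
    return m.group(1) if m else None


def triage(lines):
    """Walk the boot-item lines and return the entries worth a closer look."""
    findings = []
    key = None
    for line in lines:
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        em = ENTRY_RE.match(line)
        if not em or key is None:
            continue
        name, command, publisher = em.groups()
        image = image_path(command)
        if image is None:          # e.g. the empty "<load><>" value
            continue
        basename = image.replace("/", "\\").rsplit("\\", 1)[-1]
        unverified = publisher.strip() in ("", "N/A")
        in_notify = "\\Winlogon\\Notify\\" in key
        if in_notify and unverified:
            reason = "Winlogon Notify DLL with no publisher; loaded into winlogon.exe at logon"
            if looks_random(basename):
                reason += "; name looks generated"
            findings.append(Finding("high", key, name, image, reason))
        elif unverified:
            findings.append(Finding("review", key, name, image,
                                    "autostart entry with no publisher information"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity:6}] {f.name}: {f.image}\n         {f.reason}")
```

Run against the sample, the two Symantec Run entries come out as "review" and the two Notify DLLs as "high". The Symantec lines show why a missing publisher alone is not evidence: ccApp.exe and VPTray.exe simply lack version resources SREng can read, so the signal is the combination of an unverified image, a Winlogon\Notify registration and a name that matches nothing installed. The four LoadLibrary* hooks in the "API HOOK" section point at addresses above 0x80000000, which on 32-bit Windows XP is kernel space; the log does not say which driver owns them, so check that against the loaded Kaspersky filter drivers (klif.sys, kl1.sys) before treating the hooks as hostile.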