Everyone, take a look at this situation!
This afternoon I was watching Olympic video on some Olympics-related page on NetEase when Kaspersky suddenly alerted: 2008-8-22 18:40:23 进程C:\WINDOWS\system32\ntsd.exe (PID: 204):试图嵌入自身到其它进程被阻止。(It was only blocked after I clicked Block.) Then ntsd.exe and conime.exe appeared on the system, 360 quit by itself, the system time was changed, and Kaspersky was disabled.
I reacted fairly quickly: I disconnected from the network right away, set the time back, and started 360. But the scan found nothing at all...... Kaspersky too, it didn't detect anything. After a reboot the time is still correct; it hasn't been changed back again!
Could everyone help me look at this? What on earth is going on:
2008-8-22 18:40:23 进程C:\WINDOWS\system32\ntsd.exe (PID: 204):试图嵌入自身到其它进程被阻止。
2008-8-22 18:40:25 进程C:\WINDOWS\system32\ntsd.exe (PID: 204):试图嵌入自身到其它进程被阻止。
2008-8-22 18:40:26 进程C:\WINDOWS\system32\ntsd.exe (PID: 204):试图嵌入自身到其它进程被阻止。
1987-8-22 18:40:17 授权许可文件的激活日期不正确。
系统日期可能被更改。
1987-8-22 18:41:59 进程 (PID 3568)试图访问卡巴斯基互联网安全套装进程(PID 236),但操作已经被自我保护组件所阻止。您不需要操作。
1987-8-22 18:41:59 进程 (PID 3568)试图访问卡巴斯基互联网安全套装进程(PID 764),但操作已经被自我保护组件所阻止。您不需要操作。
2008-8-22 18:46:42 更新成功完成
2008-8-22 18:48:06 进程 (PID 4024)试图访问卡巴斯基互联网安全套装进程(PID 236),但操作已经被自我保护组件所阻止。您不需要操作。
2008-8-22 18:48:06 进程 (PID 4024)试图访问卡巴斯基互联网安全套装进程(PID 764),但操作已经被自我保护组件所阻止。您不需要操作。
By the way, when this happened TT had two extra pages open, and I don't know when they appeared; I was too absorbed in watching the Olympics. I was in a hurry to close TT at the time, so I forgot which site it was. I'm wondering: was it a trojan planted on a web page?
Now I can't find any virus at all, which actually makes me feel less at ease...... Uploading my SREng log for you to look at.
Thanks, could you help me take a look??
[CODE]
2008-08-22,22:03:14
System Repair Engineer 2.6.11.992
Smallfrogs (http://www.KZTechs.com)
Windows XP Professional Service Pack 2 (Build 2600) - 管理权限用户 - 完整功能
以下内容被选中:
所有的启动项目(包括注册表、启动文件夹、服务等)
浏览器加载项
正在运行的进程(包括进程模块信息)
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件
进程特权扫描
启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<AVP><"C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"> [(Verified)Kaspersky Lab]
<360Safetray><C:\Program Files\360safe\safemon\360tray.exe /start> [(Verified)Qizhi Software (beijing) Co. Ltd]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows Publisher]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Windows Publisher]
<UIHost><logonui.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
<WinlogonNotify: klogon><C:\WINDOWS\system32\klogon.dll> [(Verified)Kaspersky Lab]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
<Internet Explorer><%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE> [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
<Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE> [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
<Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll> [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
<Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install> [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
<NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
<Windows Messenger 4.7><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
<Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
<通讯簿 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install> [File is missing]
==================================
启动文件夹
N/A
==================================
服务
[卡巴斯基互联网安全套装 7.0 / AVP][Running/Auto Start]
<"C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r><Kaspersky Lab>
[BoBoTurbo / BoBoTurbo][Stopped/Manual Start]
<C:\WINDOWS\system32\boboturbo\boboturbo.exe><广州易播信息科技有限公司>
[Human Interface Device Access / HidServ][Stopped/Disabled]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[NVIDIA Display Driver Service / NVSvc][Stopped/Disabled]
<C:\WINDOWS\system32\nvsvc32.exe><NVIDIA Corporation>
==================================
驱动程序
[EagleNT / EagleNT][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\drivers\EagleNT.sys><N/A>
[gdrv / gdrv][Stopped/Manual Start]
<\??\C:\WINDOWS\gdrv.sys><Windows (R) 2000 DDK provider>
[Microsoft UAA Bus Driver for High Definition Audio / HDAudBus][Running/Manual Start]
<system32\DRIVERS\HDAudBus.sys><Windows (R) Server 2003 DDK provider>
[Service for Realtek HD Audio (WDM) / IntcAzAudAddService][Running/Manual Start]
<system32\drivers\RtkHDAud.sys><Realtek Semiconductor Corp.>
[JRAID / JRAID][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\jraid.sys><JMicron Technology Corp.>
[kl1 / kl1][Running/Boot Start]
<\SystemRoot\system32\drivers\kl1.sys><Kaspersky Lab>
[klif / klif][Running/System Start]
<\??\C:\WINDOWS\system32\drivers\klif.sys><Kaspersky Lab>
[Kaspersky Anti-Virus NDIS Filter / klim5][Running/Manual Start]
<system32\DRIVERS\klim5.sys><Kaspersky Lab>
[nv / nv][Running/Manual Start]
<system32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver / RTLE8023xp][Running/Manual Start]
<system32\DRIVERS\Rtenicxp.sys><Realtek Semiconductor Corporation>
[Secdrv / Secdrv][Stopped/Manual Start]
<system32\DRIVERS\secdrv.sys><Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.>
[TesSafe / TesSafe][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\TesSafe.sys><TENCENT>
==================================
浏览器加载项
[FG2CatchUrl]
{1F364306-AA45-47B5-9F9D-39A8B94E7EF1} <C:\Program Files\FlashGet network\FlashGet\ComDlls\bhoCATCH.dll, FlashGet>
[SafeMon Class]
{B69F34DD-F0F9-42DC-9EDD-957187DA688D} <C:\Program Files\360safe\safemon\safemon.dll, 360.CN>
[Web 反病毒统计]
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} <C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll, Kaspersky Lab>
[Messenger]
{FB5F1910-F110-11d2-BB9E-00C04F795683} <C:\Program Files\Messenger\msmsgs.exe, Microsoft Corporation>
[DLoader Class]
{78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} <C:\WINDOWS\Downloaded Program Files\downloader.dll, Sina Com>
[BoBoControl Class]
{EC0978ED-24E3-403C-AB7A-060E388553E6} <C:\WINDOWS\system32\BoBo_ActiveX_V3.ocx, 广州易播信息科技有限公司>
[FG2CatchUrl]
{1F364306-AA45-47B5-9F9D-39A8B94E7EF1} <C:\Program Files\FlashGet network\FlashGet\ComDlls\bhoCATCH.dll, FlashGet>
[SafeMon Class]
{B69F34DD-F0F9-42DC-9EDD-957187DA688D} <C:\Program Files\360safe\safemon\safemon.dll, 360.CN>
[使用快车(Flas&hGet)下载]
<C:\Program Files\FlashGet network\FlashGet\ComDlls\Bholink.htm, N/A>
[使用快车(Flash&Get)下载全部链接]
<C:\Program Files\FlashGet network\FlashGet\ComDlls\Bhoall.htm, N/A>
[添加到QQ表情]
<D:\Tencent\QQ\AddEmotion.htm, N/A>
[添加到反广告条]
<C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm, N/A>
==================================
正在运行的进程
[PID: 948 / SYSTEM][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1008 / SYSTEM][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1032 / SYSTEM][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll] [Kaspersky Lab, 7.0.1.325]
[C:\WINDOWS\system32\klogon.dll] [Kaspersky Lab, 7.0.1.325]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 1076 / SYSTEM][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1088 / SYSTEM][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\dnsq.dll] [Kaspersky Lab, 7.0.1.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll] [Kaspersky Lab, 7.0.1.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\fssync.dll] [Kaspersky Lab, 7.0.5.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\MSVCR80.dll] [Microsoft Corporation, 8.00.50727.42]
[PID: 1228 / SYSTEM][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1360 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\dnsq.dll] [Kaspersky Lab, 7.0.1.325]
[PID: 1488 / SYSTEM][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll] [Kaspersky Lab, 7.0.1.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\adialhk.dll] [Kaspersky Lab, 7.0.1.325]
[PID: 1588 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll] [Kaspersky Lab, 7.0.1.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\fssync.dll] [Kaspersky Lab, 7.0.5.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\MSVCR80.dll] [Microsoft Corporation, 8.00.50727.42]
[PID: 1716 / LOCAL SERVICE][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll] [Kaspersky Lab, 7.0.1.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\fssync.dll] [Kaspersky Lab, 7.0.5.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\MSVCR80.dll] [Microsoft Corporation, 8.00.50727.42]
[PID: 156 / latte][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll] [Kaspersky Lab, 7.0.1.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\fssync.dll] [Kaspersky Lab, 7.0.5.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\MSVCR80.dll] [Microsoft Corporation, 8.00.50727.42]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\scrchpg.dll] [Kaspersky Lab, 7.0.1.325]
[C:\Program Files\360safe\safemon\safemon.dll] [360.CN, 4, 2, 0, 1005]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\WINDOWS\system32\nvcpl.dll] [NVIDIA Corporation, 6.14.11.6218]
[C:\WINDOWS\system32\NVRSZHC.DLL] [NVIDIA Corporation, 6.14.11.6218]
[C:\WINDOWS\system32\nvapi.dll] [NVIDIA Corporation, 6.14.11.6218]
[C:\WINDOWS\system32\nvshell.dll] [, ]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\adialhk.dll] [Kaspersky Lab, 7.0.1.325]
[C:\Program Files\WinRAR\rarext.dll] [N/A, ]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ShellEx.dll] [Kaspersky Lab, 7.0.1.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\MSVCP80.dll] [Microsoft Corporation, 8.00.50727.42]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\prremote.dll] [Kaspersky Lab, 7.0.1.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\prloader.dll] [Kaspersky Lab, 7.0.1.325]
[PID: 256 / latte][C:\Program Files\360safe\safemon\360tray.exe] [奇虎网, 4, 1, 8, 1004]
[C:\Program Files\360safe\safemon\safemon.dll] [360.CN, 4, 2, 0, 1005]
[C:\Program Files\360safe\safemon\SafeKrnl.dll] [奇虎网, 4, 2, 0, 1001]
[C:\Program Files\360safe\AntiAdwa.dll] [360Safe.com, 4, 2, 0, 1001]
[C:\Program Files\360safe\live.dll] [360.cn, 1, 0, 1, 1027]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll] [Kaspersky Lab, 7.0.1.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\fssync.dll] [Kaspersky Lab, 7.0.5.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\MSVCR80.dll] [Microsoft Corporation, 8.00.50727.42]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\adialhk.dll] [Kaspersky Lab, 7.0.1.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\dnsq.dll] [Kaspersky Lab, 7.0.1.325]
[PID: 280 / latte][C:\WINDOWS\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 804 / LOCAL SERVICE][C:\WINDOWS\system32\wdfmgr.exe] [Microsoft Corporation, 5.2.3790.1230 built by: dnsrv(bld4act)]
[PID: 3764 / latte][D:\Tencent\QQ\QQ.exe] [TENCENT, 8,0,777,1805]
[D:\Tencent\QQ\QQBaseClassInDll.dll] [TENCENT, 8,0,777,1805]
[D:\Tencent\QQ\QQHelperDll.dll] [TENCENT, 8,0,777,1805]
[D:\Tencent\QQ\BasicCtrlDll.dll] [TENCENT, 8,0,777,1805]
[D:\Tencent\QQ\MFC42.DLL] [Microsoft Corporation, 6.00.8665.0]
[C:\Program Files\360safe\safemon\safemon.dll] [360.CN, 4, 2, 0, 1005]
[D:\Tencent\QQ\RICHED32.DLL] [Microsoft Corporation, 5.00.2134.1]
[D:\Tencent\QQ\RICHED20.dll] [Microsoft Corporation, 5.31.23.1218]
[D:\Tencent\QQ\QQAPI.dll] [TENCENT, 8,0,777,1805]
[D:\Tencent\QQ\LoginCtrl.dll] [TENCENT, 8,0,777,1805]
[D:\Tencent\QQ\LoginCtrlRes.dll] [TENCENT, 8,0,777,1805]
[D:\Tencent\QQ\QQRes.dll] [TENCENT, 8,0,776,1805]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll] [Kaspersky Lab, 7.0.1.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\fssync.dll] [Kaspersky Lab, 7.0.5.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\MSVCR80.dll] [Microsoft Corporation, 8.00.50727.42]
[D:\Tencent\QQ\QQMainFrame.dll] [N/A, ]
[D:\Tencent\QQ\gdiplus.dll] [Microsoft Corporation, 5.1.3102.2180 (xpsp_sp2_rtm.040803-2158)]
[D:\Tencent\QQ\QQPlugin.dll] [N/A, ]
[D:\Tencent\QQ\UnReadMsgMgr.dll] [N/A, ]
[D:\Tencent\QQ\CQQApplication.dll] [N/A, ]
[D:\Tencent\QQ\FlashAvatarDll.dll] [, 1, 4, 0, 1]
[D:\Tencent\QQ\NewSkin.dll] [TENCENT, 8,0,777,1805]
[D:\Tencent\QQ\MailSummary.dll] [TENCENT, 8,0,777,1805]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\dnsq.dll] [Kaspersky Lab, 7.0.1.325]
[D:\Tencent\QQ\vbscript.dll] [Microsoft Corporation, 5.6.0.7426]
[C:\WINDOWS\system32\msdmo.dll] [, ]
[D:\Tencent\QQ\OEMApplication.dll] [TENCENT, 8,0,777,1805]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\scrchpg.dll] [Kaspersky Lab, 7.0.1.325]
[D:\Tencent\QQ\QQKnowledgeSearch.dll] [TENCENT, 8,0,777,1805]
[D:\Tencent\QQ\QQGroupMng.dll] [TENCENT, 8,0,777,1805]
[D:\Tencent\QQ\QQAllInOne.dll] [TENCENT, 8,0,777,1805]
[D:\Tencent\QQ\SCCore.dll] [TENCENT, 1, 6, 0, 2]
[D:\Tencent\QQ\CameraDll.dll] [TENCENT, 8,0,777,1805]
[D:\Tencent\QQ\QQPet.dll] [TENCENT, 8,0,777,1805]
[D:\Tencent\QQ\QQSpace.dll] [TENCENT, 8,0,777,1805]
[D:\Tencent\QQ\UserDefinedHead.dll] [TENCENT, 8,0,777,1805]
[D:\Tencent\QQ\QQConfigPlugin.dll] [TENCENT, 8,0,777,1805]
[D:\Tencent\QQ\QQCustomFace.dll] [N/A, ]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\adialhk.dll] [Kaspersky Lab, 7.0.1.325]
[D:\Tencent\QQ\QQSysMsgMng.dll] [N/A, ]
[D:\Tencent\QQ\QRingMng.dll] [N/A, ]
[D:\Tencent\QQ\QQAvatar.dll] [N/A, ]
[D:\Tencent\QQ\LongConnection.dll] [TENCENT, 8,0,777,1805]
[D:\Tencent\QQ\PhoneAPI.dll] [TENCENT, 8,0,777,1805]
[D:\Tencent\QQ\DialerAllinOne.dll] [tencent, 1, 4, 0, 0]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[D:\Tencent\QQ\BQQApplication.dll] [N/A, ]
[D:\Tencent\QQ\CommercesMng.dll] [TENCENT, 8,0,777,1805]
[D:\Tencent\QQ\PersonalDesktop.dll] [TENCENT, 8,0,777,1805]
[D:\Tencent\QQ\QQAddr.dll] [深圳市腾讯计算机系统有限公司, 5, 0, 101, 330]
[D:\Tencent\QQ\QQSceneMng.dll] [N/A, ]
[D:\Tencent\QQ\AddrSearch.dll] [腾讯科技(深圳)有限公司, 2, 2, 1, 15]
[C:\WINDOWS\system32\msadp32.acm] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 4048 / latte][D:\Tencent\QQ\TXPlatform.exe] [Tencent, 1, 0, 170, 0]
[C:\Program Files\360safe\safemon\safemon.dll] [360.CN, 4, 2, 0, 1005]
[PID: 3912 / latte][D:\Tencent\TT\bin\TTraveler.exe] [Tencent, 4, 11, 0, 8]
[D:\Tencent\TT\bin\TTUtilWidget.dll] [Tencent, 4, 11, 0, 8]
[D:\Tencent\TT\bin\ATL80.DLL] [Microsoft Corporation, 8.00.50727.42]
[D:\Tencent\TT\bin\MSVCP80.dll] [Microsoft Corporation, 8.00.50727.42]
[D:\Tencent\TT\bin\MSVCR80.dll] [Microsoft Corporation, 8.00.50727.42]
[D:\Tencent\TT\bin\detoured.dll] [Microsoft Corporation, Express Version 2.1 Build_216]
[C:\Program Files\360safe\safemon\safemon.dll] [360.CN, 4, 2, 0, 1005]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll] [Kaspersky Lab, 7.0.1.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\fssync.dll] [Kaspersky Lab, 7.0.5.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\MSVCR80.dll] [Microsoft Corporation, 8.00.50727.42]
[D:\Tencent\TT\bin\TTStore.dll] [Tencent, 4, 11, 0, 8]
[D:\Tencent\TT\bin\sqlite3.dll] [N/A, ]
[D:\Tencent\TT\bin\PlatformWidget.dll] [Tencent, 4, 11, 0, 8]
[D:\Tencent\TT\bin\TTMainFrame.dll] [Tencent, 4, 11, 0, 8]
[D:\Tencent\TT\bin\UpdateUtil.dll] [N/A, ]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\scrchpg.dll] [Kaspersky Lab, 7.0.1.325]
[D:\Tencent\TT\bin\TTMBrowser.dll] [Tencent, 4, 11, 0, 8]
[D:\Tencent\TT\bin\TTabMgr.dll] [Tencent, 4, 11, 0, 8]
[D:\Tencent\TT\bin\TTSkin.dll] [Tencent, 4, 11, 0, 8]
[D:\Tencent\TT\bin\vbscript.dll] [Microsoft Corporation, 5.7.0.16535]
[D:\Tencent\TT\bin\TTPluginMng.dll] [Tencent, 4, 11, 0, 8]
[D:\Tencent\TT\Plugins\3TTWeather\TTWeather.dll] [Tencent, 1.0.0.1]
[D:\Tencent\TT\Plugins\WebInfo\WebToolbar.dll] [Tencent, 1.0.0.1]
[D:\Tencent\TT\bin\FavoriteLogical.dll] [Tencent, 4, 11, 0, 8]
[D:\Tencent\TT\bin\TSupport.dll] [TENCENT Inc., 1, 2, 11, 201]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\adialhk.dll] [Kaspersky Lab, 7.0.1.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\dnsq.dll] [Kaspersky Lab, 7.0.1.325]
[D:\Tencent\TT\bin\TTHtmlApp.dll] [Tencent, 4, 11, 0, 8]
[D:\Tencent\TT\bin\TTFilter.dll] [Tencent, 4, 11, 0, 8]
[D:\Tencent\TT\bin\TTNetwork.dll] [Tencent, 4, 11, 0, 8]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\klscav.dll] [Kaspersky Lab, 7.0.1.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\prremote.dll] [Kaspersky Lab, 7.0.1.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\MSVCP80.dll] [Microsoft Corporation, 8.00.50727.42]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\prloader.dll] [Kaspersky Lab, 7.0.1.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\prkernel.ppl] [Kaspersky Lab, 7.0.1.325]
[c:\program files\kaspersky lab\kaspersky internet security 7.0\params.ppl] [Kaspersky Lab, 7.0.1.325]
[c:\program files\kaspersky lab\kaspersky internet security 7.0\pxstub.ppl] [Kaspersky Lab, 7.0.1.325]
[c:\program files\kaspersky lab\kaspersky internet security 7.0\tempfile.ppl] [Kaspersky Lab, 7.0.1.325]
[C:\WINDOWS\system32\Macromed\Flash\Flash9f.ocx] [Adobe Systems, Inc., 9,0,124,0]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 1452 / latte][E:\SREng\SREngLdr.EXE] [Smallfrogs Studio, 2.6.11.992]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll] [Kaspersky Lab, 7.0.1.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\fssync.dll] [Kaspersky Lab, 7.0.5.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\MSVCR80.dll] [Microsoft Corporation, 8.00.50727.42]
[PID: 3272 / latte][E:\SREng\SREaafaf735.EXE] [Smallfrogs Studio, 2.6.11.992]
[C:\Program Files\360safe\safemon\safemon.dll] [360.CN, 4, 2, 0, 1005]
[E:\SREng\Upload\3rdUpd.DLL] [Smallfrogs Studio, 2, 1, 0, 15]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll] [Kaspersky Lab, 7.0.1.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\fssync.dll] [Kaspersky Lab, 7.0.5.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\MSVCR80.dll] [Microsoft Corporation, 8.00.50727.42]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\adialhk.dll] [Kaspersky Lab, 7.0.1.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\dnsq.dll] [Kaspersky Lab, 7.0.1.325]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\scrchpg.dll] [Kaspersky Lab, 7.0.1.325]
[E:\SREng\Plugins\NTFSTREAM.SRE] [Smallfrogs Studio, 1, 0, 0, 5]
==================================
文件关联
.TXT Error. [C:\WINDOWS\notepad.exe %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM Error. ["hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI Error. [C:\WINDOWS\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock 提供者
N/A
==================================
Autorun.inf
N/A
==================================
HOSTS 文件
127.0.0.1 localhost
127.0.0.1 c0mo.com
127.0.0.1 gxgxy.net
127.0.0.1 pvs360.com
127.0.0.1 sl8cjs.cn
127.0.0.1 windowsupdeta.cn
127.0.0.1 up.22x44.com
127.0.0.1 my.531jx.cn
127.0.0.1 nx.51ylb.cn
127.0.0.1 llboss.com
127.0.0.1 down.malasc.cn
127.0.0.1 d2.llsging.com
127.0.0.1 171817.171817.com
127.0.0.1 wg.47255.com
127.0.0.1 www.tomwg.com
127.0.0.1 tp.shpzhan.cn
127.0.0.1 1.joppnqq.com
127.0.0.1 xx.exiao01.com
127.0.0.1 www.22aaa.com
127.0.0.1 ilove.com
127.0.0.1 xxx.mmma.biz
127.0.0.1 www.868wg.com
127.0.0.1 2.joppnqq.com
127.0.0.1 1.jopanqc.com
127.0.0.1 yu.8s7.net
127.0.0.1 1.jopmmqq.com
127.0.0.1 cao.kv8.info
127.0.0.1 xtx.kv8.info
127.0.0.1 new.749571.com
127.0.0.1 xxx.vh7.biz
127.0.0.1 1.jopenkk.com
127.0.0.1 d.93se.com
127.0.0.1 3.joppnqq.com
127.0.0.1 xxx.j41m.com
127.0.0.1 1.jopenqc.com
127.0.0.1 xxx.m111.biz
127.0.0.1 down.18dd.net
127.0.0.1 www.333292.com
127.0.0.1 qqq.hao1658.com
127.0.0.1 qqq.dzydhx.com
127.0.0.1 www.exiao01.com
127.0.0.1 www.cike007.cn
==================================
进程特权扫描
特殊特权被允许: SeLoadDriverPrivilege [PID = 1452, E:\SRENG\SRENGLDR.EXE]
==================================
API HOOK
RVA 错误: LoadLibraryA (危险等级: 高, 被下面模块所HOOK: \??\C:\WINDOWS\system32\drivers\f.sys笚T)
RVA 错误: LoadLibraryExA (危险等级: 高, 被下面模块所HOOK: \??\C:\WINDOWS\system32\drivers\緁.sys)
RVA 错误: LoadLibraryExW (危险等级: 高, 被下面模块所HOOK: \??\C:\WINDOWS\system32\drivers\鉋緁.sys)
RVA 错误: LoadLibraryW (危险等级: 高, 被下面模块所HOOK: \??\C:\WINDOWS\system32\drivers\思緁.sys)
RVA 错误: GetProcAddress (危险等级: 高, 被下面模块所HOOK: \??\C:\WINDOWS\system32\drivers\[櫢f.sys)
==================================
隐藏进程
N/A
==================================
[/CODE]
Remove shmgrate.exe from the startup items, then search for it and wipe it (if it can't be deleted, try a file shredder, Unlocker or the like; the pinned post has the tools).
Run a pass with Windows清理助手 (Windows Cleanup Assistant) and try to get rid of BoBoTurbo (rogue software).
The CHM file association needs to be repaired.
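The reply above points at specific lines of the posted SREng log (the shmgrate.exe startup entries, the BoBoTurbo service, the broken CHM association). Here is an added Python triage helper, not from this thread or from SREng, that reads that log format and lists those kinds of entries plus the reported API hooks, using an excerpt of the posted log as constructed input; signed-but-unwanted software such as BoBoTurbo is not caught by these rules and still needs a human eye.

```python
"""Triage helper for an SREng (System Repair Engineer) log.

Added example, not part of this thread or of SREng. It reads a log in the
text format posted above and lists what a responder checks first: startup
entries whose file is missing or unverified, services/drivers with no vendor
or drivers outside system32\\drivers, every reported API hook, and file
associations marked Error. Section names and line shapes follow that log.
"""
import re

# Constructed excerpt: lines copied from the posted log, in their order.
SAMPLE_LOG = r"""
注册表
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<AVP><"C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"> [(Verified)Kaspersky Lab]
<Internet Explorer><%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE> [File is missing]
==================================
服务
[BoBoTurbo / BoBoTurbo][Stopped/Manual Start]
<C:\WINDOWS\system32\boboturbo\boboturbo.exe><广州易播信息科技有限公司>
驱动程序
[EagleNT / EagleNT][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\drivers\EagleNT.sys><N/A>
[kl1 / kl1][Running/Boot Start]
<\SystemRoot\system32\drivers\kl1.sys><Kaspersky Lab>
[TesSafe / TesSafe][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\TesSafe.sys><TENCENT>
文件关联
.EXE OK. ["%1" %*]
.CHM Error. ["hh.exe" %1]
API HOOK
RVA 错误: LoadLibraryA (危险等级: 高, 被下面模块所HOOK: \??\C:\WINDOWS\system32\drivers\f.sys笚T)
"""

# Headings that switch the parser's section; headings mapped to None stop parsing.
SECTIONS = {"注册表": "startup", "服务": "service", "驱动程序": "driver",
            "文件关联": "assoc", "API HOOK": "hook",
            "浏览器加载项": None, "Winsock 提供者": None, "隐藏进程": None}
STARTUP = re.compile(r"^<([^<>]*)><(.*)> \[([^\[\]]*)\]$")   # <name><cmd> [status]
SVC_HEAD = re.compile(r"^\[(.*?) / ([^\]]*)\]\[([^\]]*)\]$")  # [Display / Name][State]
SVC_BODY = re.compile(r"^<(.*)><([^<>]*)>$")                  # <path><vendor>
ASSOC = re.compile(r"^(\.\w+) (OK|Error)\. \[(.*)\]$")
HOOK = re.compile(r"^RVA 错误: (\w+) \(.*?被下面模块所HOOK: (.*)\)$")


def triage(text):
    """Return (category, item, reason) tuples for entries worth a look."""
    findings, section, current = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if line in SECTIONS:
            section = SECTIONS[line]
        elif section == "startup" and (m := STARTUP.match(line)):
            name, cmd, status = m.groups()
            if not status.startswith("(Verified)"):   # missing file or no signature
                findings.append(("startup", f"{name}: {cmd}", status))
        elif section in ("service", "driver") and (m := SVC_HEAD.match(line)):
            current = m.group(2)                      # internal service/driver name
        elif section in ("service", "driver") and (m := SVC_BODY.match(line)):
            path, vendor = m.groups()
            if vendor.strip() in ("", "N/A"):
                findings.append((section, f"{current}: {path}", "no vendor"))
            elif section == "driver" and r"system32\drivers" not in path.lower():
                findings.append((section, f"{current}: {path}", "outside system32\\drivers"))
        elif section == "assoc" and (m := ASSOC.match(line)):
            if m.group(2) == "Error":
                findings.append(("assoc", m.group(1), f"handler {m.group(3)}"))
        elif section == "hook" and (m := HOOK.match(line)):
            findings.append(("hook", m.group(1), f"hooked by {m.group(2)}"))
    return findings


if __name__ == "__main__":
    for cat, item, reason in triage(SAMPLE_LOG):
        print(f"[{cat}] {item} -> {reason}")
```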
Reply to post #5 by EnchanterKnight
Is there really something wrong with shmgrate.exe? It should be harmless, shouldn't it?
Process file: shmgrate.exe
Process name: [color=red]Trojan.W32.GASTER[/color]
English description: shmgrate.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.
Process analysis: unknown
Process location: unknown
Program purpose: unknown
Author: unknown
Belongs to: Trojan.W32.GASTER
Security level (0-5): 4 (N/A = no danger, 5 = most dangerous)
Spyware: No
Adware: No
Virus: Yes
Trojan: Yes
System process: No
Application: No
Background program: Yes
Uses access: Yes
Accesses the Internet: Yes
[quote]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
<Internet Explorer><%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
<Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE> [N/A]
[/quote]
These two entries are fine.
See [url=http://hi.baidu.com/teyqiu/blog/item/6369ddc499efcdc839db4924.html]http://hi.baidu.com/teyqiu/blog/item/6369ddc499efcdc839db4924.html[/url] and check the MD5; mine is F1CFE5DD5FC11D3220A4AC485F56BA7D
Thanks, everyone
Really, thank you all for your help! There are so many claims about shmgrate.exe, but personally I think that if it were a virus that has drawn this much attention, Kaspersky's virus database updates should be able to keep up with it. Nothing is flagged now, so it's probably not infected!
I've also deleted BOBO; I only installed it to watch movies!
But there is still one thing I don't understand: why can't I find whatever changed my time? Could it have been changed by malicious code on the web page? (I don't really understand this, just guessing.)
Speculation!
I've made a guess; it's not very technical, but I still hope someone can clarify: while I was watching the Olympic video, two extra browser windows appeared without my noticing (possibly caused by my mouse wheel; something similar has happened before). The malicious code on that page first killed my 360, then launched ntsd.exe in an attempt to kill Kaspersky (which I blocked) without success, and tampered with the system time to knock out Kaspersky. Because I noticed early and disconnected promptly, no trojan or virus had been downloaded yet.....
Does this sound reasonable???