Re: [Help] uret463.exe + cannot get online

Board: AntiVirus (防毒)  Author: (/hr)  Time: 16 years ago (2009/09/14 17:26), edited  Score: 7 (7 up, 0 down, 3 neutral)
10 comments, 4 participants, latest in thread 2/2
Below is the log from running EFix. Since I cannot get online and the log is long, I am posting it as a separate article.
--------------------------------------------------------------------------
4.93 2009-09-14 16:36:28.328
[CODE]
EFIX 4.93 08-11-17.03 - CYF 2009-09-14 16:38:56.84 - FAT32
Microsoft Windows XP [Version 5.1.2600] - Service Pack 3
Run from: C:\Documents and Settings\CYF\桌面\其他
=======================================================
Files deleted by EFix:
c:\autorun.inf
c:\bunip.bat
c:\docume~1\cyf\locals~1\temp\uret463.exe
d:\autorun.inf
d:\bunip.bat
=======================================================
Registry values deleted by EFix:
[-HKEY_CLASSES_ROOT\CLSID\{BB4C402F-882A-4526-8C08-51278EA437C1}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{BB4C402F-882A-4526-8C08-51278EA437C1}]
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS]
"{BB4C402F-882A-4526-8C08-51278EA437C1}"=-
=======================================================
Backup locations of files deleted by EFix:
c:\iscwam2h.cmd => C:\NEFix\backup\files\c\iscwam2h.cmd
c:\j0.exe => C:\NEFix\backup\files\c\j0.exe
c:\atymi09.bat => C:\NEFix\backup\files\c\atymi09.bat
c:\lwd.bat => C:\NEFix\backup\files\c\lwd.bat
c:\mm6q.exe => C:\NEFix\backup\files\c\mm6q.exe
c:\tan3yt.bat => C:\NEFix\backup\files\c\tan3yt.bat
c:\autorun.inf => C:\NEFix\backup\files\c\autorun.inf
c:\bunip.bat => C:\NEFix\backup\files\c\bunip.bat
c:\WINDOWS\system32\rttrwq.exe => C:\NEFix\backup\files\c\WINDOWS\system32\rttrwq.exe
c:\DOCUME~1\CYF\LOCALS~1\Temp\uret463.exe => C:\NEFix\backup\files\c\DOCUME~1\CYF\LOCALS~1\Temp\uret463.exe
d:\autorun.inf => C:\NEFix\backup\files\d\autorun.inf
d:\iscwam2h.cmd => C:\NEFix\backup\files\d\iscwam2h.cmd
d:\j0.exe => C:\NEFix\backup\files\d\j0.exe
d:\atymi09.bat => C:\NEFix\backup\files\d\atymi09.bat
d:\lwd.bat => C:\NEFix\backup\files\d\lwd.bat
d:\mm6q.exe => C:\NEFix\backup\files\d\mm6q.exe
d:\tan3yt.bat => C:\NEFix\backup\files\d\tan3yt.bat
d:\bunip.bat => C:\NEFix\backup\files\d\bunip.bat
g:\autorun.inf => C:\NEFix\backup\files\g\autorun.inf
g:\iscwam2h.cmd => C:\NEFix\backup\files\g\iscwam2h.cmd
=======================================================
Folders with hidden and system attributes in each drive root:
d-sh--w 0 2008-04-27 03:00:18 D:\vod_cache_data
=======================================================
Files with hidden and system attributes in each drive root:
--sh--r 123,992 2009-09-12 14:18:00 D:\mm6q.exe
--sh--r 121,483 2009-09-02 02:17:24 D:\j0.exe
--sha-w 7,168 2008-01-16 03:35:04 D:\Thumbs.db
=======================================================
Created 2009-08 -- 2009-09 Files:
2009-09-12 . 2009-09-12 18:10 d--hs---- C:\FOUND.003
2009-09-12 . 2009-09-12 11:58 d-------- C:\46880033a0fa8be95ea59b4d5e3b45
2009-09-09 . 2009-09-09 09:40 d--hs---- C:\FOUND.002
2009-08-28 . 2009-08-28 22:18 d--hs---- C:\FOUND.001
2009-08-16 . 2009-08-16 06:48 d-------- C:\1e194f716fdced21c7451e715d5096
2009-09-14 . 2009-09-14 14:36 d-------- C:\WINDOWS\ie8updates
2009-09-14 . 2009-09-14 14:35 d-------- C:\WINDOWS\WBEM
2009-09-14 . 2009-09-14 14:34 d--h----- C:\WINDOWS\ie8
2009-08-16 . 2009-08-16 06:48 d-------- C:\WINDOWS\SxsCaPendDel
2009-09-14 . 2009-09-14 14:27 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2009-09-12 . 2009-09-12 16:41 d-------- C:\Program Files\Sony
2009-09-12 . 2009-09-12 11:58 d-------- C:\Program Files\Microsoft Silverlight
2009-09-07 . 2009-09-07 22:32 d-------- C:\Program Files\PCMan
2009-08-24 . 2009-08-24 17:10 d-------- C:\Program Files\VSTPlugins
2009-08-24 . 2009-08-24 17:09 d-------- C:\Program Files\Overture 4.0 繁體中文 版
2009-08-22 . 2009-08-22 13:17 d-------- C:\Program Files\TTPlayer PLUS
2009-08-18 . 2009-08-18 12:32 d-------- C:\Program Files\Softland
2009-08-11 . 2009-08-11 11:40 d-------- C:\Program Files\DAUM
2009-08-10 . 2009-08-10 04:44 d-------- C:\Program Files\MyMaji
2009-08-05 . 2009-08-05 11:02 d-------- C:\Program Files\StuffPlug3
2009-08-02 . 2009-08-02 15:02 d-------- C:\Program Files\nEO iMAGING
2009-09-14 . 2009-09-14 16:33 dr-h----- C:\Documents and Settings\CYF\Recent
2009-09-12 . 2009-09-12 16:47 d-------- C:\Documents and Settings\All Users\SonicStage
2009-09-12 . 2009-09-12 22:18 -r-hs---- 123992 C:\mm6q.exe
2009-09-01 . 2009-09-01 17:10 --ah----- 268 C:\sqmdata14.sqm
2009-09-01 . 2009-09-02 10:17 -r-hs---- 121483 C:\j0.exe
2009-08-31 . 2009-08-31 19:38 --ah----- 232 C:\sqmdata13.sqm
2009-08-31 . 2009-08-31 18:29 --ah----- 232 C:\sqmdata12.sqm
2009-08-02 . 2009-08-02 14:42 --ah----- 292 C:\sqmdata11.sqm
2009-09-14 . 2008-10-16 14:06 --a------ 208744 C:\WINDOWS\SYSTEM32\muweb.dll
2009-09-14 . 2008-10-16 14:06 --a------ 23400 C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2009-09-14 . 2008-10-16 14:06 --a------ 268648 C:\WINDOWS\SYSTEM32\mucltui.dll
2009-09-12 . 2007-01-13 08:24 --a------ 770048 C:\WINDOWS\SYSTEM32\CDDBUISony.dll
2009-09-12 . 2007-01-13 08:25 --a------ 532480 C:\WINDOWS\SYSTEM32\CddbPlaylist2Sony.dll
2009-09-12 . 2007-01-13 08:22 --a------ 589824 C:\WINDOWS\SYSTEM32\CddbMusicIDSony.dll
2009-09-12 . 2007-01-13 08:24 --a------ 73728 C:\WINDOWS\SYSTEM32\CddbLinkSony.dll
2009-09-12 . 2007-01-13 08:22 --a------ 655360 C:\WINDOWS\SYSTEM32\CDDBControlSony.dll
2009-09-12 . 2007-01-13 08:27 --a------ 69632 C:\WINDOWS\SYSTEM32\CddbLangZTSony.dll
2009-08-22 . 2009-08-22 11:44 -r-hs---- 119296 C:\WINDOWS\SYSTEM32\mkfght0.dll
2009-08-18 . 2009-08-12 12:50 --a------ 18632 C:\WINDOWS\SYSTEM32\dopdfmi6.dll
2009-08-18 . 2009-08-12 12:50 --a------ 21192 C:\WINDOWS\SYSTEM32\dopdfmn6.dll
2009-08-04 . 2009-08-04 13:21 --a------ 114 C:\WINDOWS\SYSTEM32\cid_store.dat
2009-09-12 . 2005-10-31 10:46 --------- 36679 C:\WINDOWS\SYSTEM32\DRIVERS\NETMD052.sys
2009-09-12 . 2003-11-10 12:31 --------- 36232 C:\WINDOWS\SYSTEM32\DRIVERS\NETMD033.sys
2009-09-12 . 2003-04-01 18:55 --------- 35319 C:\WINDOWS\SYSTEM32\DRIVERS\NETMD031.sys
2009-09-12 . 2002-08-08 15:51 --------- 38951 C:\WINDOWS\SYSTEM32\DRIVERS\NETMDUSB.sys
2009-08-22 . 2001-08-17 13:52 --a------ 18688 C:\WINDOWS\SYSTEM32\DRIVERS\cdaudio.sys
=======================================================
Running processes:
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe <Intel Corporation>
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe <Intel Corporation>
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe <Avira GmbH>
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe <Avira GmbH>
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe <Intel Corporation>
C:\WINDOWS\system32\wdfmgr.exe <Microsoft Corporation>
C:\WINDOWS\System32\alg.exe <Microsoft Corporation>
C:\WINDOWS\system32\wscntfy.exe <Microsoft Corporation>
C:\WINDOWS\AhnRpta.exe <Microsoft Corporation>
C:\WINDOWS\ATK0100\HControl.exe <N/A>
C:\Program Files\Wireless Console 2\wcourier.exe <N/A>
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe <Synaptics, Inc.>
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe <ASUSTeK Computer Inc.>
C:\WINDOWS\system32\igfxtray.exe <Intel Corporation>
C:\WINDOWS\system32\hkcmd.exe <Intel Corporation>
C:\WINDOWS\system32\igfxpers.exe <Intel Corporation>
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe <Avira GmbH>
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe <Intel Corporation>
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe <Intel Corporation>
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe <Intel Corporation>
C:\Program Files\Common Files\Real\Update_OB\realsched.exe <RealNetworks, Inc.>
C:\Program Files\Rainlendar2\Rainlendar2.exe <N/A>
C:\Program Files\PPStream\ppsap.exe <PPStream Inc>
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe <Intel Corporation>
C:\WINDOWS\ATK0100\ATKOSD.exe <N/A>
C:\Program Files\Stardock\Fences\Fences.exe <Stardock Corporation>
C:\WINDOWS\system32\cmd.exe <Microsoft Corporation>
C:\WINDOWS\explorer.exe <Microsoft Corporation>
DLLs loaded in running processes that carry no file information:
C:\WINDOWS\EXPLORER.EXE => C:\WINDOWS\system32\e8main0.dll 2008-04-15 00:30 61819
=======================================================
HOSTS:
Hosts Path: C:\WINDOWS\System32\drivers\etc\hosts
Registry values list
*** Note: some normal values are not shown ***
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-15 00:30 15360]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2009-02-21 16:18 4333568]
"PPS Accelerator"="C:\Program Files\PPStream\ppsap.exe" [2008-12-11 18:06 210296]
"ertyuop"="C:\WINDOWS\system32\rttrwq.exe" [File Not Found.]
"dorfgwe"="C:\DOCUME~1\CYF\LOCALS~1\Temp\uret463.exe" [File Not Found.]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 20:00 208952]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2006-02-22 21:40 106496]
"High Definition Audio 屬性頁捷徑"=HDAShCut.exe [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"Wireless Console 2"="C:\Program Files\Wireless Console 2\wcourier.exe" [2005-10-17 17:09 987136]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-20 23:26 761945]
"ABLKSR"="C:\WINDOWS\ABLKSR\ABLKSR.exe" [2006-01-02 19:14 61440]
"Power_Gear"="C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe" [2006-03-06 17:13 86016]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-27 22:55 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-27 22:52 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-27 22:55 118784]
"DrvIcon"="C:\Program Files\Vista Drive Icon\DrvIcon.exe" [2007-07-05 03:59 45056]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 11:55 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 11:56 602182]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2005-12-28 12:00 569413]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-11-17 22:29 185896]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"PHIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.exe" [2007-03-22 19:17 98656]
"CJIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.exe" [2007-03-22 19:17 66400]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-15 00:30 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{EC654325-1273-C2A9-2B7C-45A29BCE2FBD}"="C:\Program Files\Stardock\Fences\DesktopDock.dll" [2009-02-26 04:49 517480 C:\Program Files\Stardock\Fences\DesktopDock.dll]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BB4C402F-882A-4526-8C08-51278EA437C1}"="C:\WINDOWS\system32\e8main0.dll" [2008-04-15 00:30 61819 C:\WINDOWS\system32\e8main0.dll]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000123B4-9B42-4900-B3F7-F4B073EFC214}]
. 2009-01-16 10:35 134344 C:\Program Files\Orbitdownloader\orbitcth.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
. 2004-12-14 01:56 63136 c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
. 2008-11-17 22:29 370296 C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
MD5: f7a2245d8bd832d1e7a01c26d5e6efd0 2008-04-15 00:30 978432 C:\WINDOWS\explorer.exe
MD5: 453888766da789f18fbbf5b20e4bc17f 2004-08-04 20:00 976896 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
MD5: f7a2245d8bd832d1e7a01c26d5e6efd0 2008-04-15 00:30 978432 C:\WINDOWS\ServicePackFiles\i386\explorer.exe
MD5: 613d7c29c9e3e2375971da7e42e4e330 2008-04-15 00:31 25088 C:\WINDOWS\system32\userinit.exe
MD5: f3a20a3c6a4df7fe038f4cca70080b10 2004-08-04 20:00 23552 C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
MD5: 613d7c29c9e3e2375971da7e42e4e330 2008-04-15 00:31 25088 C:\WINDOWS\ServicePackFiles\i386\userinit.exe
System files without a digital signature:
MD5: a29e1209f925a0e9b330e11da5fc7bab 2008-06-20 19:51 361600 C:\WINDOWS\SYSTEM32\DRIVERS\TCPIP.SYS <Microsoft Corporation>
C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Services \ Drivers list:
Display format: start state  service name;display name;file name
Start state: S0 = Boot Start  S1 = System Start  S2 = Auto Start  S3 = Manual Start  S4 = Disabled  S9 = Unknown
S3 GarenaPEngine;GarenaPEngine;"C:\DOCUME~1\CYF\LOCALS~1\Temp\GUG178.tmp" [File Not Found.]
S3 napagent;Network Access Protection Agent;"C:\WINDOWS\System32\qagentrt.dll" [2008-04-15 00:29 282112]
S3 npggsvc;nProtect GameGuard Service;"C:\WINDOWS\system32\GameMon.des -service" [File Not Found.]
System service \ driver values that may have been modified (for reference):
S0 ACPIEC;Microsoft Embedded Controller Driver;"C:\WINDOWS\SYSTEM32\DRIVERS\ACPIEC.sys" [2004-08-04 20:00 11648]
S3 MTsensor;ATK0100 ACPI UTILITY;"C:\WINDOWS\SYSTEM32\DRIVERS\ATKACPI.sys" [2005-02-17 23:07 5632]
Contents of the scheduled tasks folder:
2008-11-17 C:\WINDOWS\TASKS\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE []
2009-09-11 C:\WINDOWS\TASKS\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57 558424]
=======================================================
catchme 0.3.1361 W2K/XP/Vista - userland rootkit detector by Gmer, hxxp://www.gmer.net
scanning hidden files:
scanning hidden processes:
scanning hidden autostart entries:
hidden files found: 0
.
=======================================================
4.93 2008-11-18 07:31:29.343 C:\NEFIX\BACKUP\LOG1.TXT
4.93 2009-02-16 03:14:19.484 C:\NEFIX\BACKUP\LOG2.TXT
4.93 2009-02-16 03:17:18.609 C:\NEFIX\BACKUP\LOG3.TXT
4.93 2009-08-22 12:35:36.765 C:\NEFIX\BACKUP\LOG4.TXT
4.93 2009-08-31 10:23:48.062 C:\NEFIX\BACKUP\LOG5.TXT
4.93 2009-09-11 17:44:55.250 C:\NEFIX\BACKUP\LOG6.TXT
=======================================================
Disk space C: - 19,795,378,176 bytes free
Disk space D: - 1,332,871,168 bytes free
Scan finished at: 2009-09-14 16:42:18.26
[/CODE]
--
※ Posted from: 批踢踢實業坊(ptt.cc)
◆ From: 61.224.48.104
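The log above shows the classic autorun-worm layout: hidden+system executables and autorun.inf dropped in every drive root, Run values with throwaway names ("ertyuop", "dorfgwe") pointing at %TEMP% and at files that are already gone, and a DLL (e8main0.dll) registered as a ShellExecuteHook so that explorer.exe loads it on every launch. The Python script below is an added example for triaging such a log, not code from the post or from EFix. It parses the registry-value and drive-root lines of an EFix-style log and flags those three patterns. The sample input is a handful of lines copied from the log above; the "random value name" heuristic and the executable-extension list are my own assumptions, and the only ShellExecuteHook that Windows XP registers by default (the URL Exec Hook in shell32.dll) is whitelisted by CLSID.

```python
"""Triage an EFix-style log for autorun-worm persistence (added example)."""
import re
from typing import Dict, List

# Constructed sample: lines copied from the EFix log in the post above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-15 00:30 15360]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2009-02-21 16:18 4333568]
"ertyuop"="C:\WINDOWS\system32\rttrwq.exe" [File Not Found.]
"dorfgwe"="C:\DOCUME~1\CYF\LOCALS~1\Temp\uret463.exe" [File Not Found.]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-27 22:52 77824]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BB4C402F-882A-4526-8C08-51278EA437C1}"="C:\WINDOWS\system32\e8main0.dll" [2008-04-15 00:30 61819 C:\WINDOWS\system32\e8main0.dll]
--sh--r 123,992 2009-09-12 14:18:00 D:\mm6q.exe
--sh--r 121,483 2009-09-02 02:17:24 D:\j0.exe
--sha-w 7,168 2008-01-16 03:35:04 D:\Thumbs.db
"""

# Registry key header, e.g. [HKEY_LOCAL_MACHINE\...\Run]
KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
# Registry value line: "name"="target" [metadata]   (target may be unquoted)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="?(?P<target>[^"\[]+?)"?\s*\[(?P<meta>[^\]]*)\]$')
# Drive-root file line: attrs size date time X:\name   (root level only)
ROOT_FILE_RE = re.compile(r'^(?P<attrs>[-a-z]{7})\s+(?P<size>[\d,]+)\s+\S+\s+\S+\s+(?P<path>[A-Za-z]:\\[^\\]+)$')

# The one ShellExecuteHook XP registers out of the box (URL Exec Hook, shell32.dll).
DEFAULT_SHELL_HOOK = "{AEB6717E-7E19-11D0-97EE-00C04FD91972}"
# Assumption: extensions an autorun dropper in a drive root would use.
DROPPER_EXT = (".exe", ".bat", ".cmd", ".com", ".pif", ".scr", ".vbs")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def looks_random(name: str, target: str) -> bool:
    """Heuristic (assumption, not an EFix rule): an all-lowercase, letters-only
    value name that shares nothing with the target's file stem, as in
    "ertyuop" -> rttrwq.exe. Vendor entries like "igfxhkcmd" -> hkcmd.exe pass."""
    stem = basename(target).rsplit(".", 1)[0]
    return name.isalpha() and name.islower() and name not in stem and stem not in name


def triage(log_text: str) -> Dict[str, List[str]]:
    findings: Dict[str, List[str]] = {"run_suspicious": [], "shell_hooks": [], "root_droppers": []}
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            current_key = m["key"].upper()      # remember which key the values belong to
            continue
        if m := VALUE_RE.match(line):
            name, target, meta = m["name"], m["target"].strip(), m["meta"]
            if current_key.endswith("\\SHELLEXECUTEHOOKS"):
                # Every hook DLL is loaded into explorer.exe; only the XP default is expected.
                if name.upper() != DEFAULT_SHELL_HOOK:
                    findings["shell_hooks"].append(f"{name} -> {target}")
            elif current_key.endswith("\\RUN"):
                reasons = []
                if "file not found" in meta.lower():
                    reasons.append("target missing")
                if "\\temp\\" in target.lower():
                    reasons.append("runs from %TEMP%")
                if looks_random(name, target):
                    reasons.append("random value name")
                if reasons:
                    findings["run_suspicious"].append(f"{name} -> {target} ({', '.join(reasons)})")
            continue
        if m := ROOT_FILE_RE.match(line):
            attrs, name = m["attrs"], basename(m["path"])
            hidden_system = "s" in attrs and "h" in attrs
            if hidden_system and (name == "autorun.inf" or name.endswith(DROPPER_EXT)):
                findings["root_droppers"].append(m["path"])
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print("  ", item)
```

Run against the sample it reports both throwaway Run values, the e8main0.dll hook and the two root executables, while ctfmon.exe, hkcmd.exe and Thumbs.db stay quiet. One caveat worth noting from the log itself: e8main0.dll carries the same 2008-04-15 00:30 timestamp as the genuine SP3 files listed further down (explorer.exe, userinit.exe), so sorting by date would not have singled it out; the hook registration and the "no file information" entry are the signals, not the timestamp.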

09/14 18:20, 1F
4.93 .... why do I still see the old version showing up 0rz

09/14 18:34, 2F
Is j thinking "I should have written a live updater"....XD

09/14 18:39, 3F
Yes 0rz

09/14 19:01, 4F
Then I'll go download the latest version and scan again…

09/14 19:14, 5F
Once j writes a live updater, those viruses will just ban your site XD

09/14 19:15, 6F
But the bigger hassle for you is that the server becomes easier to attack, right?_?

09/14 20:07, 7F
Not necessarily, if you host it on Google Sites...

09/14 21:39, 8F
Google really does offer a lot of services....@_@"

09/14 22:05, 9F
If those guys can manage to attack Google's servers, then let them XD

09/15 01:03, 10F
A DDoS against Google is simply impossible, unless you have more servers than they do..
Article ID (AID): #1AhWn37T (AntiVirus)