最近很容易中毒
 

不知道走什麼霉運
最近很容易中毒
然後NOD32 老是後知後覺

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 上午 08:56:09, on 2007/7/2
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\RoamMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ATK0100\Hcontrol.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Inventec\Dreye\DreyeMT\msnplugin.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\ASUS\ASUS Probe\AsusProb.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ching-Ping Yang\桌面\HiJackThis_v2.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ODBCJET.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Dr.eye WebPage Translation - {92B255FE-94E2-4BCA-958D-3926CE38913F} - C:\Program Files\Inventec\Dreye\DreyeMT\DreyeIEBar.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [MSNDreyePlugin] C:\Program Files\Inventec\Dreye\DreyeMT\msnplugin.exe /h
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\ASUS Probe\AsusProb.exe
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: 下載編碼內容(&D.S.Lite) - C:\Documents and Settings\Ching-Ping Yang\桌面\DSLite2\dl_text.html
O8 - Extra context menu item: 下載編碼內容(S&martGet) - C:\Documents and Settings\Ching-Ping Yang\桌面\SmartGet1.2\dl_text.html
O8 - Extra context menu item: 下載編碼檔案內容(&D.S.Lite) - C:\Documents and Settings\Ching-Ping Yang\桌面\DSLite2\dl_url.html
O8 - Extra context menu item: 使用 S&martGet 下載 - C:\Documents and Settings\Ching-Ping Yang\桌面\SmartGet1.2\dl_link.htm
O8 - Extra context menu item: 轉換到現有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 轉換為 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 轉換連結目標到現有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 轉換連結目標為 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 轉換選定的連結到現有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: 轉換選定的連結為 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: 轉換選擇內容到現有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 轉換選擇內容為 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: D.S.Lite - {F8475519-8412-4D40-A46E-692D9D04DF7F} - C:\Documents and Settings\Ching-Ping Yang\桌面\DSLite2\DSLite.exe
O9 - Extra 'Tools' menuitem: &D.S.Lite - {F8475519-8412-4D40-A46E-692D9D04DF7F} - C:\Documents and Settings\Ching-Ping Yang\桌面\DSLite2\DSLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com.tw
O15 - Trusted Zone: http://arcaonline.arcabit.com
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://milkygp.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor...n/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1144384069520
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/XTools.cab
O16 - DPF: {C2C16510-10F4-46FE-A82C-4846435EBDEB} (p3muzset Class) - http://player.muz.co.kr/package/p3muzset.cab
O16 - DPF: {E4F500BF-C1A3-11D6-9697-0090961B771E} (VCR.Scan) - http://www.viruschaser.com/Kor/vc4w_ocx/Vcrscan.CAB
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: ZipExt32 - {35CEC8A3-2BE6-11D2-8773-92E220524140} - C:\WINDOWS\Downloaded Program Files\ZipExt32.dll (file missing)
O21 - SSODL: AceExt - {35CEC8A3-2BE6-11D2-8773-92E220524150} - C:\WINDOWS\system32\AceExt32.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINDOWS\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

--
End of file - 12062 bytes

Antivirus Version Update Result
AhnLab-V3 2007.6.30.0 06.29.2007 no virus found
AntiVir 7.4.0.37 07.01.2007 HEUR/Crypted
Authentium 4.93.8 06.29.2007 no virus found
Avast 4.7.997.0 07.02.2007 no virus found
AVG 7.5.0.476 07.01.2007 no virus found
BitDefender 7.2 07.02.2007 GenPack:Trojan.Downloader.VB.AGZ
CAT-QuickHeal 9.00 06.30.2007 (Suspicious) - DNAScan
ClamAV devel-20070416 07.01.2007 no virus found
DrWeb 4.33 07.02.2007 no virus found
eSafe 7.0.15.0 06.30.2007 Suspicious Trojan/Worm
eTrust-Vet 30.8.3752 06.29.2007 no virus found
Ewido 4.0 07.01.2007 no virus found
FileAdvisor 1 07.02.2007 no virus found
Fortinet 2.91.0.0 07.01.2007 W32/VB.AG!tr
F-Prot 4.3.2.48 06.29.2007 no virus found
F-Secure 6.70.13030.0 07.02.2007 no virus found
Ikarus T3.1.1.8 07.01.2007 Backdoor.Win32.Bifrose.DF
Kaspersky 4.0.2.24 07.02.2007 no virus found
McAfee 5064 06.29.2007 New Malware.dq
Microsoft 1.2701 07.01.2007 no virus found
NOD32v2 2368 07.01.2007 Win32/TrojanDownloader.VB.ANF
Norman 5.80.02 06.29.2007 no virus found
Panda 9.0.0.4 07.01.2007 no virus found
Sophos 4.19.0 06.28.2007 no virus found
Sunbelt 2.2.907.0 06.29.2007 no virus found
Symantec 10 07.02.2007 W32.SillyDC
TheHacker 6.1.6.140 06.28.2007 no virus found
VBA32 3.12.0.2 07.02.2007 suspected of Trojan-PSW.Game.63 (paranoid heuristics)
VirusBuster 4.3.23:9 07.01.2007
Webwasher-Gateway 6.0.1 07.01.2007 Heuristic.Crypted

大大要不要再多裝個軟體防火牆？並定期用反間諜軟體掃瞄PC？

小弟現在使用的軟體防火牆：COMODO Firewall Pro（免費，有官方中文介面）、Agnitum Outpost Firewall 1.0.1817.1645（免費，很舊的版本，不過吃系統資源小，適合舊機器使用，只是ftpfilt.dll這個核心模組易導致當機，要手動拿掉）。

小弟現在常用的反間諜軟體：AVG Anti-Spyware Free Edition 7.5。

其實我是認為
只要有良好的上網習慣、平時間不要亂點來路不明的連接
不要下載來路不明可疑的檔案、不要亂逛來路不明的網站
基本上，要養成良好習慣，要中毒都很困難

我的防毒軟體都是拿來心安的
我之前用諾頓，現在用avast
跳出病毒的視窗機會，少之又少，非常少見
我也有用BT抓東西，也逛網站，就差我沒玩線上遊戲

養成良好的上網習慣才是真正最好的防毒軟體

防火牆以前有用
可是後來發現
我根本到最後都會開放通過
有跟沒有差不多....

至於良好習慣...我也知道
問題在於
這毒(木馬)是在學校內部流竄
實驗的data 我又不能不開

很煩

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ODBCJET.exe,

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O21 - SSODL: ZipExt32 - {35CEC8A3-2BE6-11D2-8773-92E220524140} - C:\WINDOWS\Downloaded Program Files\ZipExt32.dll (file missing)

O21 - SSODL: AceExt - {35CEC8A3-2BE6-11D2-8773-92E220524150} - C:\WINDOWS\system32\AceExt32.dll (file missing)

勾選並修復上述項目, 重新開機, 以安全模式登入windows, 刪除 C:\WINDOWS\system32\ODBCJET.exe

"後知後覺" 總比 "不知不覺" 好....:on_07:

你不是走霉運, 最近容易中毒可能的原因:
1. 常用 DSLite 及 SmartGet 下載到不明程式
2. USB 磁碟到處用

我已經照您的方式刪除
不過...既然system32內的檔不能亂刪,為什麼可以這麼處理?我很好奇



這兩種中毒原因
我比較傾向第二種...因為我DSL通常是回家才用桌上電腦使用

至於USB...這我沒辦法,大家的資料都這麼存取
我比較火的是NOD32 老偵查不出來
每次都中鏢了才告訴我....
偵測的到,卻又無法及時防護.....
難道這暗示我該換防毒軟體了 :on_22:

system32內的檔只是"不能亂刪", 並非不能刪...有問題的當然要刪

用 USB 磁碟是無法避免的, 但別讓電腦自動讀取光碟或可攜式裝置, 就可避免插上已被感染的USB磁碟時自動讀取....隨時看看USB磁碟根目錄內有無 autorun.inf , 有就刪除

NOD 算不錯了, 你中的標大概都是經過綑綁或加殼加密過, 這類檔案任何防毒軟體都防不勝防, 能查出被釋放出來的檔案就算不錯了, 除非你用 HIPS 軟體監控程式的動作(若不怕煩的話)

這我倒有興趣了
麻煩是不怕
怕是不知道怎麼操縱

不知道那兒可以找到HIPS 軟體監控程式

國外的 SSM, Safe'n'Sec, GSS 都不錯, 大陸也有些 HIPS 軟體, 不過完全成熟的幾乎沒有

HIPS 軟體主要在於對行為的判斷及規則的設定
國內論壇關於 HIPS 軟體的相關訊息很少, 大陸的論壇較多

我目前是用這個:
http://forum.slime.com.tw/showthread.php?t=199835
已出到1.4 beta, 不過還不是很穩定

感謝指教:on_79: