一个新病毒（说新也不算新，至少卡巴查不出）baohe在来看看~ bbs.ikaka.com

yubis - 2005-7-27 18:11:00

引用:

【MPZ911的贴子】看名字是种植者什么什么栏或是工具条之类的，不算病毒，算是恶意程序~我的老卡也没抱，我用记事本打开发现里面还有注册表项~
...........................

HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}]
@="Elite SideBar"

[HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}\Control]

[HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}\Implemented Categories]

[HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}\Implemented Categories\{00021493-0000-0000-C000-000000000046}]

[HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}\InprocServer32]
@=""
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}\Insertable]

[HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}\MiscStatus]
@="0"

[HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}\MiscStatus\1]
@="131473"

[HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}\ProgID]
@="CGBand.CGBandObj.1"

[HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}\Programmable]

[HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}\TypeLib]
@="{8AA59E15-6E81-415C-B299-1ADFB50C8E1A}"

[HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}\Version]
@="1.0"

[HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}\VersionIndependentProgID]
@="CGBand.CGBandObj"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}]
@="&EliteSideBar"

[HKEY_CLASSES_ROOT\CLSID\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}\Programmable]

[HKEY_CLASSES_ROOT\CLSID\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}\InprocServer32]
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}\Insertable]

[HKEY_CLASSES_ROOT\CLSID\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}\MiscStatus]
@="0"

[HKEY_CLASSES_ROOT\CLSID\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}\MiscStatus\1]
@="131473"

[HKEY_CLASSES_ROOT\CLSID\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}\Instance\InitPropertyBag]
@="0"

[HKEY_CLASSES_ROOT\CLSID\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}\InprocServer32]
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteSideBar]
"UpdateDate"="010101"
"FirstTimeStarted"=dword:00000001
"version"="08"
P4 V S _ V E R S I O N _ I N F O ?稔 S t r i n g F i l e I n f o 0 4 1 9 0 4 b 0 6 F i l e V e r s i o n 1 , 0 , 0 , 1 : P r o d u c t V e r s i o n 1 , 0 , 0 , 1 D V a r F i l e I n f o $ T r a n s l a t i o n ? 幕せ鸦椿莼蓟杌龌 ? ? $? KERNEL32.DLL SHELL32.dll SHLWAPI.dll LoadLibraryA GetProcAddress ExitProcess ShellExecuteA SHSetValueA

还真是这样咧，我也不太清楚它想干什么

【火影】我爱罗 - 2005-7-27 18:16:00

是的瑞星和反间谍专家现在都报哦

baohe - 2005-7-27 18:33:00

引用:

【【火影】我爱罗的贴子】是的瑞星和反间谍专家现在都报哦
...........................

建一个文件夹。
注册表改动被SSM挡住了。
卡巴斯基确实不报。

附件: 1558472005727183331.jpg

dxpdl - 2005-7-27 18:35:00

请问Backdoor.GPigeon.ej 和Backdoor.BlackHole.k 怎么杀啊！！
瑞星都杀不了啊！我还是用正版的呢！！谢谢啦！！

艾玛 - 2005-7-27 18:35:00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}]
@=""

一款AD软件

艾玛 - 2005-7-27 18:36:00

O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitefjg32.exe

【火影】我爱罗 - 2005-7-27 18:49:00

我电脑正常吗?

HijackThis_zww汉化版扫描日志 V1.99.1
保存于 18:45:33, 日期 2005-7-27
操作系统： Windows XP SP1 (WinNT 5.01.2600)
浏览器： Internet Explorer v6.00 SP1 (6.00.2800.1106)

当前运行的进程：
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\services.exe
C:\Program Files\NewRemoteControl\NewRmtService.exe
C:\Program Files\Common Files\DeviceManager\lxdevclient.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\3721\Dlaccel\YDownloader.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\WINDOWS\System32\ctfmon.exe
D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
D:\Program Files\Ulead Systems\Ulead Photo Express 4.0 Trial\CalCheck.exe
C:\PROGRA~1\Toolbar\PIB.exe
c:\PROGRA~1\Toolbar\radio.exe
C:\happyhome\幸福飞梭\lxswitch.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\DeviceManager\DeviceManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\WinTools\WSup.exe
C:\WINDOWS\System32\conime.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\CDM\urxfjovdus.exe
C:\Program Files\HijackThis1991汉化版\HijackThis1991zww.exe

R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
F3 - REG:win.ini: run=C:\WINDOWS\services.exe
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)
O2 - BHO: (no name) - {3800F09B-A433-E00C-0EC3-40907854A8A0} - C:\WINDOWS\CDM\urxfjovdus.dll
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - D:\Program Files\Tencent\qq\QQIEHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\CnsHook.dll
O3 - IE工具栏增项: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)
O3 - IE工具栏增项: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - IE工具栏增项: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
O3 - IE工具栏增项: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\Program Files\YourSiteBar\ysb.dll
O4 - 启动项HKLM\\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - 启动项HKLM\\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - 启动项HKLM\\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - 启动项HKLM\\Run: [NewRmtService ] C:\Program Files\NewRemoteControl\NewRmtService.exe
O4 - 启动项HKLM\\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - 启动项HKLM\\Run: [nwiz] nwiz.exe /install
O4 - 启动项HKLM\\Run: [lxdevclient] C:\Program Files\Common Files\DeviceManager\lxdevclient.exe
O4 - 启动项HKLM\\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 - 启动项HKLM\\Run: [cesmain.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\Ces\cmail.dll,Rundll32
O4 - 启动项HKLM\\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - 启动项HKLM\\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - 启动项HKLM\\Run: [KAVRUN] G:\KAV4U\KAVRUN.EXE
O4 - 启动项HKLM\\Run: [NMGameX_AutoRun] C:\WINDOWS\System32\Rundll32.exe NMGameX.dll,LiveProcess /aa
O4 - 启动项HKLM\\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - 启动项HKLM\\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - 启动项HKLM\\Run: [dl_accel] C:\Program Files\3721\Dlaccel\YDownloader.exe
O4 - 启动项HKLM\\Run: [RfwMain] "E:\瑞星防火墙2005\Rising\Rfw\rfwmain.exe" -Startup
O4 - 启动项HKLM\\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - 启动项HKLM\\Run: [HELPER] C:\WINDOWS\System32\china.exe -N
O4 - 启动项HKLM\\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - 启动项HKLM\\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - 启动项HKLM\\Run: [YDTMain.exe] C:\PROGRA~1\YDT\YDTMain.exe
O4 - 启动项HKLM\\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - 启动项HKLM\\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - 启动项HKLM\\Run: [iqbc1a7i] C:\WINDOWS\System32\iqbc1a7i.exe
O4 - 启动项HKLM\\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - 启动项HKLM\\Run: [msxct] msxct.exe
O4 - 启动项HKLM\\Run: [sac] c:\program files\180searchassistant\sac.exe
O4 - 启动项HKLM\\Run: [utwxyh] C:\WINDOWS\utwxyh.exe
O4 - 启动项HKLM\\Run: [Grsy045Au] C:\WINDOWS\qugjhq.exe
O4 - 启动项HKLM\\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - 启动项HKLM\\Run: [services] C:\WINDOWS\services.exe
O4 - 启动项HKLM\\Run: [KAVPersonal50] "D:\kaspersky\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - 启动项HKLM\\RunServices: [MS Auto-IPSec Protection] MSASP32.exe
O4 - 启动项HKLM\\RunServices: [services] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - 启动项HKCU\\RunServices: [services] C:\WINDOWS\services.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Ulead Photo Express Calendar Checker.lnk = D:\Program Files\Ulead Systems\Ulead Photo Express 4.0 Trial\CalCheck.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - IE右键菜单中的新增项目: &使用下载加速专家下载 - C:\Program Files\3721\Dlaccel\geturl.htm
O9 - 浏览器额外的按钮: 手机短信 - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm?pid=U_bjbta_922 (file missing)
O9 - 浏览器额外的按钮: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - 浏览器额外的按钮: Yahoo 1G电邮 - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.mail.yahoo.com/promo/rd1 (file missing)
O9 - 浏览器额外的按钮: 寻宝乐趣多 - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://hot.3721.com/rd/shop_btn.htm (file missing)
O9 - 浏览器额外的按钮: 3721中文邮 - {5D73EE86-05F1-49ed-B850-E423120EC329} - http://cmail.3721.com?fb=client (file missing)
O9 - 浏览器额外的按钮: 上网助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://assistant.3721.com/index.htm?fb=Cns (file missing)
O9 - 浏览器额外的按钮: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
O9 - 浏览器额外的“工具”菜单项: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
O9 - 浏览器额外的按钮: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\Program Files\Tencent\qq\QQ.EXE

【火影】我爱罗 - 2005-7-27 18:49:00

O9 - 浏览器额外的“工具”菜单项: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\Program Files\Tencent\qq\QQ.EXE
O9 - 浏览器额外的按钮: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\Program Files\Tencent\qq\QQIEHelper.dll
O9 - 浏览器额外的“工具”菜单项: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\Program Files\Tencent\qq\QQIEHelper.dll
O9 - 浏览器额外的按钮: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 - 浏览器额外的按钮: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - 浏览器额外的“工具”菜单项: 修复浏览器 - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - 浏览器额外的按钮: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - 浏览器额外的“工具”菜单项: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - 浏览器额外的按钮: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O9 - 浏览器额外的“工具”菜单项: 清理上网记录 - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O11 - Options group: [!CNS] 网络实名
O14 - IERESET.INF: START_PAGE_URL=http://www.legend.com
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://www.xbm2.com/iii/x.chm::/load.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c267.cab
O16 - DPF: {15DDE989-CD45-4561-BF99-D22C0D5C2B74} - http://image2.sina.com.cn/home/ddtsource/ddt.cab
O16 - DPF: {3D8F74EE-8692-4F8F-B8D2-7522E732519E} (WebActivater Control) - http://game.qq.com/QQGame2.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {56A7DC70-E102-4408-A34A-AE06FEF01586} (天下搜索) - http://iebar.t2t2.com/iebar.cab
O16 - DPF: {5DD731E6-D4F0-11D3-BE3F-00105A6FDA50} (V3ProX Control) - http://www.ahn.com.cn/aspservice/plugin/myv3.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/website.ocx
O16 - DPF: {ABA7CC7F-019D-47DB-A0D2-B3C2B3AC1B44} (Fc2Boot Class) - http://210.51.5.80/fun/system/fc2boot.cab
O16 - DPF: {C0C13879-6A17-429E-80F1-60B23FC1F720} (FcBoot Class) - http://210.51.180.119/game/system/activex/fcboot.cab
O16 - DPF: {C8BD9ACB-F7EC-48E6-BB2F-DAADC6789E9A} (Kingsoft DUBA OnlineScan) - http://211.152.52.102/duba/antiscan/update/OCX/KAVClean.CAB
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildAppNonUS.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E585503-55D0-44A8-BD4B-E8E4FFAE8657}: NameServer = 202.106.0.20 202.106.46.151
O18 - 列举现有的协议: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O20 - Winlogon Notify: skwinlogon - C:\WINDOWS\SYSTEM32\dll.dll
O23 - NT 服务: iPod 服务 (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - NT 服务: kavsvc - Kaspersky Lab - D:\kaspersky\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - NT 服务: LEGEND DeviceManager Service (lxdmg) - Unknown owner - C:\Program Files\Common Files\DeviceManager\DeviceManager.exe
O23 - NT 服务: lxswitch - Unknown owner - C:\happyhome\幸福飞梭\lxswitch.exe
O23 - NT 服务: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - NT 服务: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - NT 服务: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe

瑞星卡卡安全论坛