BYR Achieve · 镜像论坛

用了一个游戏外挂程序，在线扫描39款杀软只有4款报警告，今天开机时候防火墙提示explorer.exe向美国什么大学的一个IP发出连接请求，估计是被注入了…… 文件在附件里，大家帮忙分析一下生成了什么文件，改动了注册表哪里之类的……目前手头的杀软都杀不到这个马…… 附件(840KB) explorer.exe Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 20:25:09, on 2009-2-4 Platform: Windows 2003 SP2 (WinNT 5.02.3790) MSIE: Internet Explorer v7.00 (7.00.6000.16762) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe C:\WINDOWS\System32\SCardSvr.exe C:\WINDOWS\Explorer.EXE C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe C:\WINDOWS\system32\WLTRAY.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\FengYun\FYFireWall.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\msdtc.exe C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\system32\wbem\wmiprvse.exe D:\Program Files\Thunder Network\Thunder\Program\Thunder5.exe D:\Program Files\WinRAR\WinRAR.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.172\HijackThis.exe R3 - URLSearchHook: (no name) - {F08555B0-9CC3-11D2-AA8E-000000000000} - (no file) O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - D:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll O2 - BHO: WebDetectorBHO - {43BEAFD9-E005-483D-A367-146BA6C8A32E} - d:\Program Files\Tudou\飞速Tudou\tudouDetector.dll O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - D:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [FY_FireWall] C:\Program Files\FengYun\FYFireWall.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user') O8 - Extra context menu item: 使用迅雷下载 - D:\Program Files\Thunder Network\Thunder\Program\geturl.htm O8 - Extra context menu item: 使用迅雷下载全部链接 - D:\Program Files\Thunder Network\Thunder\Program\getallurl.htm O9 - Extra button: (no name) - AutorunsDisabled - (no file) O15 - ESC Trusted Zone: http://*.update.microsoft.com O15 - ESC Trusted Zone: http://runonce.msn.com O15 - ESC Trusted Zone: http://*.update.microsoft.com (HKLM) O15 - ESC Trusted Zone: http://*.windowsupdate.microsoft.com (HKLM) O15 - ESC Trusted Zone: http://go.microsoft.com (HKLM) O15 - ESC Trusted Zone: http://msdn.microsoft.com (HKLM) O15 - ESC Trusted Zone: http://oca.microsoft.com (HKLM) O15 - ESC Trusted Zone: http://support.microsoft.com (HKLM) O15 - ESC Trusted Zone: http://technet.microsoft.com (HKLM) O15 - ESC Trusted Zone: http://windowsupdate.microsoft.com (HKLM) O15 - ESC Trusted Zone: http://www.microsoft.com (HKLM) O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM) O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (EditCtrl Class) - https://img.alipay.com/download/2121/aliedit.cab O16 - DPF: {642D2749-A4FC-49C5-8384-E39E009EBCDD} (XiaoNei Album Uploader Class) - http://xnimg.cn/xnalbum.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{20C01676-25E0-46FA-9833-99C351B1875D}: NameServer = 211.98.2.4 211.98.4.1 O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

求教大侠帮忙分析一下