2006-06-13, 01:16 AM   #22 (permalink)
psac

Q:
What does this mean?

http://202.96.82.55/frame_ztgame.html

The address above is an ad that pops up automatically while I browse; no matter which site I visit, it keeps popping up like crazy!

This address eventually redirects to www.ztgame.com.cn

And the part in red changes often, and the ad it finally redirects to is different each time!


So frustrating.



A:
The browser may have been hijacked.

I suggest scanning with HijackThis (commonly recommended) and posting the log so it is easier for everyone to look at.



Q:

Logfile of HijackThis v1.99.1
Scan saved at 1:11:28, on 2006-06-12
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\internat.exe
C:\KAV6\Kavpfw.EXE
C:\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [KAVRun] C:\KAV6\KAVRun.EXE
O4 - HKLM\..\Run: [iDuba Personal FireWall] C:\KAV6\Kavpfw.EXE
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [iDuba Personal FireWall] C:\KAV6\Kavpfw.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: 使用網際快車下載 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用網際快車下載全部鏈接 - C:\Program Files\FlashGet\jc_all.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{ABE5247D-EF27-48F1-A36D-F71634CD97E7}: NameServer = 202.96.69.38 202.96.64.68
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINNT\system32\urlmon.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINNT\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINNT\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINNT\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINNT\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINNT\system32\urlmon.dll
O18 - Protocol: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - C:\WINNT\wc98pp.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINNT\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\system32\mshtml.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINNT\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINNT\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINNT\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINNT\system32\itss.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\Web Components\11\OWC11.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINNT\system32\mshtml.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\system32\mshtml.dll
O18 - Protocol: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINNT\system32\msdxm.ocx
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Kingsoft AntiVirus Service (KAVSvc) - kingsoft Antivirus - C:\KAV6\KAVSvc.EXE



WHOIS information for the IP address 202.96.82.55 is as follows:
http://whois.domaintools.com/202.96.82.55


Whois Record
IP Information
Record Type: IP Address
Cached Whois: 2006-06-11
IP Location: China - Beijing - Beijing - Shenyang Public Info Service Corp
Blacklist Status: Currently Listed (history)

Whois Record

inetnum: 202.96.82.0 - 202.96.82.255
netname: SHENYANG-PUBLIC-INFO-SERVICE-CORP
descr: Shenyang Public Info Service Corp
descr: Shenyang City Heping Borough
country: CN
admin-c: TX17-AP
tech-c: TX17-AP
mnt-by: MAINT-CNCGROUP-LN
status: ASSIGNED NON-PORTABLE
changed: 20010607
changed: 20040927
source: APNIC

route: 202.96.64.0/19
descr: CNC Group CHINA169 Liaoning Province Network
country: CN
origin: AS4837
mnt-by: MAINT-CNCGROUP-RR
changed: 20060118
source: APNIC

person: Tang Xuezhong
address: Shenyang
country: CN
phone: +86-24-85890279
e-mail:
nic-hdl: TX17-AP
mnt-by: MAINT-NULL
changed: 20010524
source: APNIC


A:



Fix this one:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

There is nothing else wrong in the log; scan with SREng instead.



Q:2006-06-12,17:16:23

System Repair Engineer 2.0.12.350 (2.0 RC 1)
Windows 2000 Professional Service Pack 4 - 管理權限用戶 - 完整功能

以下內容被選中:
所有的啟動專案(包括註冊表、啟動資料夾、服務等)
瀏覽器載入項
正在執行的工作行程(包括工作行程模塊訊息)
文件關聯


啟動專案
註冊表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<Internat.exe><internat.exe>
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<iDuba Personal FireWall><C:\KAV6\Kavpfw.EXE>
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><>
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<run><>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<KAVRun><C:\KAV6\KAVRun.EXE>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<iDuba Personal FireWall><C:\KAV6\Kavpfw.EXE>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<Userinit><C:\WINNT\system32\userinit.exe,>
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<StormCodec_Helper><; "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti>

==================================
啟動資料夾
服務
[Crypkey License / Crypkey License]
<crypserv.exe><Kenonic Controls Ltd.>
[Logical Disk Manager Administrative Service / dmadmin]
<C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
[DriveHealth / DriveHealth]
<C:\Downloads\DriveHealth2.0.30\dhcore.exe><Helexis Software Development>
[Kingsoft AntiVirus Service / KAVSvc]
<C:\KAV6\KAVSvc.EXE><kingsoft Antivirus>
[NVIDIA Driver Helper Service / NVSvc]
<C:\WINNT\system32\nvsvc32.exe><NVIDIA Corporation>

==================================
瀏覽器載入項
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINNT\system32\Macromed\Flash\Flash8b.ocx, Macromedia, Inc.>
[使用網際快車下載]
<C:\Program Files\FlashGet\jc_link.htm, N/A>
[使用網際快車下載全部鏈接]
<C:\Program Files\FlashGet\jc_all.htm, N/A>

==================================
正在執行的工作行程
[PID: 152][\SystemRoot\System32\smss.exe] <Microsoft Corporation><5.00.2195.6601>
[PID: 176][\??\C:\WINNT\system32\csrss.exe] <Microsoft Corporation><5.00.2195.6601>
[PID: 196][\??\C:\WINNT\system32\winlogon.exe] <Microsoft Corporation><5.00.2195.6997>
[PID: 224][C:\WINNT\system32\services.exe] <Microsoft Corporation><5.00.2195.7035>
[C:\WINNT\system32\dmserver.dll] <VERITAS Software Corp.><2195.6605.297.3>
[PID: 236][C:\WINNT\system32\lsass.exe] <Microsoft Corporation><5.00.2195.7011>
[PID: 388][C:\WINNT\system32\svchost.exe] <Microsoft Corporation><5.00.2134.1>
[PID: 428][C:\WINNT\System32\svchost.exe] <Microsoft Corporation><5.00.2134.1>
[PID: 500][C:\WINNT\Explorer.EXE] <Microsoft Corporation><5.00.3700.6690>
[C:\Program Files\WinRAR\rarext.dll] <N/A><N/A>
[C:\WINNT\system32\mp3infp.dll] <win32lab.com><2.52.12.0>
[C:\KAV6\KAVEXT.DLL] <Kingsoft Corp.><2002, 5, 24, 6>
[C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll] <Adobe Systems, Inc.><7.0.0.0>
[PID: 596][C:\KAV6\Kavpfw.EXE] <Kingsoft Corporation><2004, 8, 16, 295>
[C:\KAV6\KAVMLM.DLL] <Kingsoft Corporation><2003.11.12.10>
[C:\KAV6\PFWScanC.dll] <KingSoft><2002, 4, 12, 3>
[C:\KAV6\KAMsgBox.dll] <><2002.9.27.30>
[C:\KAV6\NetShare.dll] <Kingsoft Antivirus><2004, 2, 20, 67>
[C:\KAV6\KAEPlat.DLL] <Kingsoft Corp.><2004, 11, 26, 53>
[C:\KAV6\KAEMem.DAT] <Kingsoft><2004, 11, 9, 11>
[C:\KAV6\KAEQSCAN.DLL] <Kingsoft Corp><2004, 3, 26, 69>
[C:\KAV6\KAVLogFn.dll] <N/A><2003, 11, 26, 16>
[PID: 604][C:\WINNT\system32\internat.exe] <Microsoft Corporation><5.00.2920.0000>
[PID: 380][C:\Documents and Settings\Sloan\桌面\SREng\SREng.exe] <Smallfrogs Studio><2.0.12.350>

==================================
文件關聯
.TXT Error. [NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["D:\WINNT\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者

==================================
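As an added example (not part of the original thread or of HijackThis itself), a small Python triage helper for log lines in the format pasted above: it flags O6 policy entries for removal (the item the reply says to fix), compares O17 NameServer values against a resolver allowlist the analyst supplies, and records O18 handlers with no CLSID or file for review. The sample lines are constructed from entries in this thread's log; which resolvers count as legitimate is an analyst assumption, seeded here with the two addresses from the O17 line.

```python
import re
from typing import NamedTuple

class Finding(NamedTuple):
    line_no: int
    section: str
    severity: str  # "fix" | "review" | "info"
    note: str

# Constructed sample in HijackThis v1.99.1 line format (a subset of the log above).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [KAVRun] C:\KAV6\KAVRun.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O17 - HKLM\System\CCS\Services\Tcpip\..\{ABE5247D-EF27-48F1-A36D-F71634CD97E7}: NameServer = 202.96.69.38 202.96.64.68
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINNT\system32\urlmon.dll
""".strip()

O17_LINE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d. ,]+)$")
O18_LINE = re.compile(r"^O18 - Protocol: (?P<name>\S+) - (?P<clsid>.+?) - (?P<path>.+)$")

def triage(log_text: str, expected_dns: frozenset) -> list:
    """Return findings for the O6/O17/O18 sections. expected_dns is the set of
    resolver IPs the analyst knows to be legitimate (assumption: ISP-published)."""
    findings = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("O6 - "):
            # IE restrictions under HKCU\Software\Policies: hijackers set them to
            # lock the user out of Internet Options, so HijackThis offers removal.
            findings.append(Finding(n, "O6", "fix", "IE policy restriction present"))
        elif (m := O17_LINE.match(line)):
            unknown = [s for s in m["servers"].replace(",", " ").split() if s not in expected_dns]
            if unknown:  # a DNS changer redirects every lookup through its own resolver
                findings.append(Finding(n, "O17", "review", "unexpected NameServer " + ", ".join(unknown)))
        elif (m := O18_LINE.match(line)):
            if "(no CLSID)" in m["clsid"] or "(no file)" in m["path"]:
                # Orphaned handlers are usually leftovers of uninstalled software;
                # record them so a handler for a common scheme is still reviewed.
                findings.append(Finding(n, "O18", "info", "orphaned handler " + m["name"]))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, frozenset({"202.96.69.38", "202.96.64.68"})):
        print(f"line {f.line_no} {f.section} [{f.severity}] {f.note}")
```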