Old 2006-06-14, 03:01 PM   #25 (permalink)
psac

[Solved] Adware.look2me that neither Kaspersky nor ewido can remove!
Q:

Screenshots:
http://img147.imageshack.us/img147/6820/641770694bf8957ee515da97cm.jpg

http://img160.imageshack.us/img160/5964/6417706999ed6d46d4235158zv.jpg


Today my colleague's computer was scanned with Kaspersky and ewido 3.5, and both found Adware.look2me,
but every time it could not be cleaned; it stays resident in system memory and in startup. It cannot be cleaned in Safe Mode either!
In normal mode, as soon as Kaspersky starts scanning, the system drops to a blue screen with white text. Frustrating!



A:

Please scan a logfile with HijackThis and paste its contents here so it can be analysed.
1. Download HijackThis 1.99.1, save it to the desktop and unzip it
2. Run hijackthis.exe and click "Do a system scan and save a logfile"
3. When the scan finishes, a Notepad window will pop up; paste its contents here

PS: Please do not fix items in the HijackThis scan on your own



Q:

Logfile of HijackThis v1.99.1
Scan saved at 22:17:35, on 2006-6-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Lotus\Notes\檢測待辦文件.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\桌面\HijackThis.exe

O4 - HKLM\..\Run: [ZYCSearchWDF] C:\Lotus\Notes\檢測待辦文件.exe
O4 - HKLM\..\Run: [KAVPersonal50] "d:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: 卡巴斯基反黑客.lnk = D:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: 匯出到 Microsoft Excel(&x) - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 匯出到 Microsoft Office Excel(&X) - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\休閒遊戲\QQ.EXE (file missing)
O9 - Extra 'Tools' menuitem: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\休閒遊戲\QQ.EXE (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F831FA1-42FC-11D4-95A6-0080AD30DCE1} (InstaFred) - file://D:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1143186608781
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday 控件) - file://D:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563722-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://D:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://192.10.27.7/dss/webinst/WebInst.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview 控件) - file://D:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9A352C4-58CF-4167-85FF-01D79BCC1058}: NameServer = 192.10.37.1,192.10.37.33
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\fn4021hmg.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: kavsvc - Kaspersky Lab - d:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


A:




I can see the Look2Me items
a) Download Look2Me-Destroyer and save it to the desktop
b) Run Look2Me-Destroyer.exe and tick "Run this program as a task"; it will then tell you that it will run itself again shortly
c) When Look2Me-Destroyer runs automatically, click the "Scan for L2M" button; your desktop icons may disappear at this point
d) When the scan finishes, click the "Remove L2M" button; when it is done, Look2Me-Destroyer will tell you that it is going to shut down the computer
e) After the computer has shut down, start it again, paste the contents of Look2Me-Destroyer.txt on the desktop or C:\Look2Me-Destroyer.txt, and post a new HijackThis log



Q:

The hijackthis.log has been uploaded. By the way, after every reboot the scan finds that the infected .dll file under system32 has a different name each time!


After running Look2Me-Destroyer.exe and ticking "Run this program as a task", several minutes went by with no response and it never ran itself again. What should I do?

A:

Sorry for the late reply ~~ I just stepped away for a moment
No problem
a) Download F-Look2Me and save it to the desktop
b) Unzip the f-look2me.zip archive to the desktop, run f-look2me.exe and press Y to continue
c) When F-Look2Me finds Look2Me, it will prompt you to restart
d) After restarting the computer, paste the contents of F-Look2Me.log (not f-look2me.txt) and post a new HijackThis log




Q:

2006-05-14 08:01:13 INFO F-Look2Me Removal Tool ver 1.00.0
2006-05-14 08:01:13 INFO Copyright (c) 2006, F-Secure Corporation. All rights reserved.
2006-05-14 08:01:13 WARN Disclaimer of Warranty on Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND. F-SECURE EXPRESSLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
2006-05-14 08:01:13 WARN For full license terms please visit:
2006-05-14 08:01:13 WARN http://www.f-secure.com/products/license-terms/
2006-05-14 08:01:17 INFO Agreed.
2006-05-14 08:01:17 WARN Look2Me found: C:\WINDOWS\system32\r8p8li7u18.dll
2006-05-14 08:01:17 WARN F-Look2Me will now create and start a service to remove the adware.
2006-05-14 08:01:17 INFO F-Look2Me Removal Tool ver 1.00.0
2006-05-14 08:01:17 INFO Copyright (c) 2006, F-Secure Corporation. All rights reserved.
2006-05-14 08:01:17 WARN Disclaimer of Warranty on Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND. F-SECURE EXPRESSLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
2006-05-14 08:01:17 WARN For full license terms please visit:
2006-05-14 08:01:17 WARN http://www.f-secure.com/products/license-terms/
2006-05-14 08:01:17 INFO Service running.
2006-05-14 08:01:17 ERROR Failed to unlock file C:\WINDOWS\system32\r8p8li7u18.dll
2006-05-14 08:01:17 WARN Unlocking file C:\WINDOWS\system32\guard.tmp failed.
2006-05-14 08:01:17 WARN Suspected file not possible to scan C:\WINDOWS\system32\guard.tmp
2006-05-14 08:01:17 WARN Unlocking file C:\WINDOWS\system32\mrastmib.dll failed.
2006-05-14 08:01:17 WARN Suspected file not possible to scan C:\WINDOWS\system32\mrastmib.dll
2006-05-14 08:01:18 WARN Unlocking file C:\WINDOWS\system32\xrnroll.dll failed.
2006-05-14 08:01:18 WARN Suspected file not possible to scan C:\WINDOWS\system32\xrnroll.dll
2006-05-14 08:01:18 WARN Unlocking file C:\WINDOWS\system32\dnrq0195e.dll failed.
2006-05-14 08:01:18 WARN Suspected file not possible to scan C:\WINDOWS\system32\dnrq0195e.dll
2006-05-14 08:01:18 WARN Unlocking file C:\WINDOWS\system32\dnj6011se.dll failed.
2006-05-14 08:01:18 WARN Suspected file not possible to scan C:\WINDOWS\system32\dnj6011se.dll
2006-05-14 08:01:19 WARN Unlocking file C:\WINDOWS\system32\dnr6019se.dll failed.
2006-05-14 08:01:19 WARN Suspected file not possible to scan C:\WINDOWS\system32\dnr6019se.dll
2006-05-14 08:01:19 WARN Unlocking file C:\WINDOWS\system32\enn2l15o1.dll failed.
2006-05-14 08:01:19 WARN Suspected file not possible to scan C:\WINDOWS\system32\enn2l15o1.dll
2006-05-14 08:01:19 WARN Unlocking file C:\WINDOWS\system32\e020lafm1d2a.dll failed.
2006-05-14 08:01:19 WARN Suspected file not possible to scan C:\WINDOWS\system32\e020lafm1d2a.dll
2006-05-14 08:01:20 WARN Unlocking file C:\WINDOWS\system32\en68l1ju1.dll failed.
2006-05-14 08:01:20 WARN Suspected file not possible to scan C:\WINDOWS\system32\en68l1ju1.dll
2006-05-14 08:01:20 WARN Unlocking file C:\WINDOWS\system32\r8p8li7u18.dll failed.
2006-05-14 08:01:20 WARN Suspected file not possible to scan C:\WINDOWS\system32\r8p8li7u18.dll
2006-05-14 08:01:25 ERROR Infection was found. An error occurred in the disinfection process.
2006-05-14 08:01:25 INFO Exiting, return value 11



Logfile of HijackThis v1.99.1
Scan saved at 8:04:48, on 2006-6-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Lotus\Notes\檢測待辦文件.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\桌面\HijackThis.exe

O4 - HKLM\..\Run: [ZYCSearchWDF] C:\Lotus\Notes\檢測待辦文件.exe
O4 - HKLM\..\Run: [KAVPersonal50] "d:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: 卡巴斯基反黑客.lnk = D:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: 匯出到 Microsoft Excel(&x) - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 匯出到 Microsoft Office Excel(&X) - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\休閒遊戲\QQ.EXE (file missing)
O9 - Extra 'Tools' menuitem: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\休閒遊戲\QQ.EXE (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F831FA1-42FC-11D4-95A6-0080AD30DCE1} (InstaFred) - file://D:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1143186608781
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday 控件) - file://D:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563722-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://D:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://192.10.27.7/dss/webinst/WebInst.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview 控件) - file://D:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9A352C4-58CF-4167-85FF-01D79BCC1058}: NameServer = 192.10.37.1,192.10.37.33
O20 - Winlogon Notify: SharedDLLs - C:\WINDOWS\system32\en68l1ju1.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: kavsvc - Kaspersky Lab - d:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



Reporting back:
1. I followed Tabc's steps:
a) Download F-Look2Me and save it to the desktop
b) Unzip the f-look2me.zip archive to the desktop, run f-look2me.exe and press Y to continue
c) When F-Look2Me finds Look2Me, it will prompt you to restart
d) After restarting the computer, paste the contents of F-Look2Me.log (not f-look2me.txt) and post a new HijackThis log
2. Then I downloaded the System Repair Engineer tool from ff
3. After rebooting and running a Kaspersky scan, it seems to be completely gone

Haha, many thanks!
Does Tabc have any other suggestions? Should I post another HijackThis log?




A:


Are there still any O20 items in the HijackThis log?
If not, you are done

If there are no further problems, remember to mark the thread as [Solved]




Q:


Sorry, I went out for lunch

I just scanned again and there is still an O20, but Kaspersky no longer finds anything when scanning memory and startup items:


Logfile of HijackThis v1.99.1
Scan saved at 12:05:41, on 2006-6-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Lotus\Notes\檢測待辦文件.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\Lotus\Notes\nNOTESMM.EXE
D:\Program Files\AutoCAD 2004\acad.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~e5d141.tmp
C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe
C:\Documents and Settings\Administrator\桌面\殺毒\HijackThis.exe

O4 - HKLM\..\Run: [ZYCSearchWDF] C:\Lotus\Notes\檢測待辦文件.exe
O4 - HKLM\..\Run: [KAVPersonal50] "d:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKLM\..\Run: [PHIME2002A] ; C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PHIME2002ASync] ; C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [TCASUTIEXE] ; TCAUDIAG -on
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: 卡巴斯基反黑客.lnk = D:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: 匯出到 Microsoft Excel(&x) - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 匯出到 Microsoft Office Excel(&X) - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\休閒遊戲\QQ.EXE (file missing)
O9 - Extra 'Tools' menuitem: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\休閒遊戲\QQ.EXE (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F831FA1-42FC-11D4-95A6-0080AD30DCE1} (InstaFred) - file://D:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1143186608781
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday 控件) - file://D:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563722-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://D:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://192.10.27.7/dss/webinst/WebInst.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview 控件) - file://D:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9A352C4-58CF-4167-85FF-01D79BCC1058}: NameServer = 192.10.27.8,192.10.37.33
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\irj8l51u1.dll (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: kavsvc - Kaspersky Lab - d:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



A:

Then just fix it....
The file is already gone....
Simply fixing it with HijackThis will do
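As an added example (not code from this thread or from any of the tools it mentions), the following Python script parses the O20 Winlogon Notify lines of the three HijackThis logs above and flags the pattern the thread is dealing with: a random-looking DLL name in system32 that is different in every log, and the final "(file missing)" entry that is left over after the file is gone. The benign crypt32chain entry and the thresholds in the name heuristic are assumptions.

```python
import re

# Constructed sample input: the O20 lines from the three logs in the thread, plus an assumed benign entry.
SAMPLE_LOGS = {
    "2006-6-13": "O20 - Winlogon Notify: Internet Settings - C:\\WINDOWS\\system32\\fn4021hmg.dll",
    "2006-6-14 08:04": "O20 - Winlogon Notify: SharedDLLs - C:\\WINDOWS\\system32\\en68l1ju1.dll",
    "2006-6-14 12:05": "O20 - Winlogon Notify: Syncmgr - C:\\WINDOWS\\system32\\irj8l51u1.dll (file missing)",
    "benign": "O20 - Winlogon Notify: crypt32chain - crypt32.dll",
}
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")

def parse_o20(line):
    """Parse one HijackThis O20 (Winlogon Notify) line; return None for any other line."""
    m = O20_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    return {"key": m.group("key"), "path": path, "name": path.rsplit("\\", 1)[-1].lower(),
            "missing": m.group("missing") is not None}

def looks_random(name):
    """Heuristic for Look2Me-style names: letters and digits interleaved with no word shape."""
    stem = name[:-4] if name.endswith(".dll") else name
    digits = sum(c.isdigit() for c in stem)
    letters = sum(c.isalpha() for c in stem)
    if len(stem) < 8 or digits < 3 or letters < 3:
        return False
    # Thresholds are assumptions: count letter<->digit switches; real module names rarely switch twice.
    switches = sum(a.isdigit() != b.isdigit() for a, b in zip(stem, stem[1:]))
    return switches >= 2

def triage(logs):
    """Return (log id, notify key, dll name, reasons) for every O20 entry worth attention."""
    findings = []
    for log_id, text in logs.items():
        for entry in filter(None, map(parse_o20, text.splitlines())):
            reasons = []
            if looks_random(entry["name"]):
                reasons.append("random-looking DLL name (Look2Me pattern)")
            if entry["missing"]:
                reasons.append("file already gone: stale entry, fix it in HijackThis")
            if reasons:
                findings.append((log_id, entry["key"], entry["name"], reasons))
    return findings

def flagged_names(findings):
    """Distinct flagged DLL names: a different name in each log is the re-creation on every reboot."""
    return sorted({f[2] for f in findings})
```

Running triage(SAMPLE_LOGS) flags all three thread entries and leaves the crypt32chain entry alone; a clean log yields an empty list, which is the "no O20 items" condition the answer above asks for.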