史萊姆論壇 - 查看單個文章

psac · 2006-06-14, 08:37 PM

Q:

CPU無援無故100%

開機我按CTRL+ALT+DELETE CPU就100% 過了一秒 CPU有正常關掉再按
CPU又100% 鬱悶機卡。。。
我的系統是WINXP 是不是病毒？

A:

可能中了間諜程式..不過先用hijackthis掃瞄'

1.下載最新官方版本HijackThis 1.99.1:
http://www.merijn.org/files/hijackthis.zip
2.解開hijackthis.zip,執行HijackThis.exe
3.點擊 Do a system scan and save a logfile
4.掃瞄完成後,一個記事本彈出來,把裡面的Log發上來

Q:
你看看哪個工作行程佔了大量的CPU啊

A:

工作行程都沒有特別大的

Logfile of HijackThis v1.99.1
Scan saved at 16:30:10, on 2006-6-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CNNIC\Cdn\cdnup.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\System32\VIPTray.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Thunder Network\Thunder\Thunder.exe
D:\121\HijackThis.exe

O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v8.dll
O2 - BHO: MyIEHelper Class - {16A770A0-0E87-4278-B748-2460D64A8386} - C:\Documents and Settings\All Users\Application Data\Microsoft\IEHelper\IEHelper_8888.dll
O2 - BHO: BrowserHelper Class - {2D99E8F4-56B7-457B-9A92-61B5D247D263} - C:\WINDOWS\system32\WinDefendor.dll
O2 - BHO: CNNIC_IDN - {35980F6E-A137-4E50-953D-813BB8556899} - C:\PROGRA~1\CNNIC\Cdn\cdniehlp.dll
O2 - BHO: CAISHOW TOOLBAR - {3AF40CB8-B3BA-4E2D-8968-4BF8DB172997} - C:\Program Files\CaiShow Tech\CaiShow\BrowerHelper.dll
O2 - BHO: 網路加速 - {5673A7C0-95CC-4646-BB07-3BD71234CEF9} - C:\WINDOWS\system32\MicrosoftNet.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE
O4 - HKCU\..\Run: [caishowmanage] C:\Program Files\CaiShow Tech\CaiShow\UpdateManager.EXE
O4 - Global Startup: IE-BAR.lnk = ?
O8 - Extra context menu item: &使用迅雷下載 - C:\Program Files\Thunder Network\Thunder\geturl.htm
O8 - Extra context menu item: &使用迅雷下載全部鏈接 - C:\Program Files\Thunder Network\Thunder\getallurl.htm
O8 - Extra context menu item: 上傳到QQ網路硬碟 - C:\Program Files\QQ2005\AddToNetDisk.htm
O8 - Extra context menu item: 使用影音傳送帶下載 - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: 使用影音傳送帶下載全部鏈接 - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: 匯出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 新增到QQ自定義面板 - C:\Program Files\QQ2005\AddPanel.htm
O8 - Extra context menu item: 新增到QQ表情 - C:\Program Files\QQ2005\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信發送該圖片 - C:\Program Files\QQ2005\SendMMS.htm
O8 - Extra context menu item: 用炫彩圖鈴發送該圖片 - C:\Program Files\CaiShow Tech\CaiShow\SendMMS.htm
O9 - Extra button: 中文上網 - {35980F6E-A137-4E50-953D-813BB8556899} - C:\PROGRA~1\CNNIC\Cdn\cdniehlp.dll
O9 - Extra 'Tools' menuitem: 中文上網 - {35980F6E-A137-4E50-953D-813BB8556899} - C:\PROGRA~1\CNNIC\Cdn\cdniehlp.dll
O9 - Extra button: 微軟 - {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} - http://www.microsoft.com/china/index.htm (file missing)
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\QQ2005\QQ.EXE (file missing)
O9 - Extra 'Tools' menuitem: 騰訊QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\QQ2005\QQ.EXE (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdnns.dll
O11 - Options group: [CDNCLIENT] 中文上網
O17 - HKLM\System\CCS\Services\Tcpip\..\{A668D9A3-C551-438A-8088-8212FEA42836}: NameServer = 202.100.192.68 202.100.199.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{A67DBC2B-1ECB-447A-A753-36E5C307F052}: NameServer = 202.100.192.68,202.100.192.8
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: VIPTray - Unknown owner - C:\WINDOWS\System32\VIPTray.exe

Q:

可是之前沒有啊。。。

A:

暈，你按CTRL+ALT+DELETE，會出現短暫如是100%正常現象啊

O10 - Unknown file in Winsock LSP: c:\windows\system32\cdnns.dll
O11 - Options group: [CDNCLIENT] 中文上網
O23 - Service: VIPTray - Unknown owner - C:\WINDOWS\System32\VIPTray.exe
這個幹掉

O2 - BHO: MyIEHelper Class - {16A770A0-0E87-4278-B748-2460D64A8386} - C:\Documents and Settings\All Users\Application Data\Microsoft\IEHelper\IEHelper_8888.dll
O2 - BHO: BrowserHelper Class - {2D99E8F4-56B7-457B-9A92-61B5D247D263} - C:\WINDOWS\system32\WinDefendor.dll
O2 - BHO: CNNIC_IDN - {35980F6E-A137-4E50-953D-813BB8556899} - C:\PROGRA~1\CNNIC\Cdn\cdniehlp.dll
O2 - BHO: CAISHOW TOOLBAR - {3AF40CB8-B3BA-4E2D-8968-4BF8DB172997} - C:\Program Files\CaiShow Tech\CaiShow\BrowerHelper.dll
O23 - Service: VIPTray - Unknown owner - C:\WINDOWS\System32\VIPTray.exe
修復這些,使用惡意軟件清理助手(有鏈接)卸載流氓軟件

卸載 IE-BAR

用HijackThis修復下面項
O2 - BHO: BrowserHelper Class - {2D99E8F4-56B7-457B-9A92-61B5D247D263} - C:\WINDOWS\system32\WinDefendor.dll
O23 - Service: VIPTray - Unknown owner - C:\WINDOWS\System32\VIPTray.exe

下載Dr.Web CureIT!
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
執行殺毒，先會自動掃瞄記憶體工作行程和啟動項，自動掃瞄結束後，手工選中所有的硬碟分區再次殺毒.
最後把殺毒報告發上來 File->Save report list

刪除下面文件

C:\WINDOWS\system32\WinDefendor.dll
C:\WINDOWS\System32\VIPTray.exe

2006-06-14, 08:37 PM	#26 (permalink)
psac 榮譽會員榮譽勳章勳章總數19 UID - 3662 在線等級: 註冊日期: 2002-12-07 住址: 木柵市立動物園文章: 17381 精華: 2 現金: 5253 金幣資產: 33853 金幣	Q: CPU無援無故100% 開機我按CTRL+ALT+DELETE CPU就100% 過了一秒 CPU有正常關掉再按 CPU又100% 鬱悶機卡。。。我的系統是WINXP 是不是病毒？ A: 可能中了間諜程式..不過先用hijackthis掃瞄' 1.下載最新官方版本HijackThis 1.99.1: http://www.merijn.org/files/hijackthis.zip 2.解開hijackthis.zip,執行HijackThis.exe 3.點擊 Do a system scan and save a logfile 4.掃瞄完成後,一個記事本彈出來,把裡面的Log發上來 Q: 你看看哪個工作行程佔了大量的CPU啊 A: 工作行程都沒有特別大的 Logfile of HijackThis v1.99.1 Scan saved at 16:30:10, on 2006-6-14 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\CNNIC\Cdn\cdnup.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\UPHClean\uphclean.exe C:\WINDOWS\System32\VIPTray.exe C:\WINDOWS\system32\conime.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Thunder Network\Thunder\Thunder.exe D:\121\HijackThis.exe O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v8.dll O2 - BHO: MyIEHelper Class - {16A770A0-0E87-4278-B748-2460D64A8386} - C:\Documents and Settings\All Users\Application Data\Microsoft\IEHelper\IEHelper_8888.dll O2 - BHO: BrowserHelper Class - {2D99E8F4-56B7-457B-9A92-61B5D247D263} - C:\WINDOWS\system32\WinDefendor.dll O2 - BHO: CNNIC_IDN - {35980F6E-A137-4E50-953D-813BB8556899} - C:\PROGRA~1\CNNIC\Cdn\cdniehlp.dll O2 - BHO: CAISHOW TOOLBAR - {3AF40CB8-B3BA-4E2D-8968-4BF8DB172997} - C:\Program Files\CaiShow Tech\CaiShow\BrowerHelper.dll O2 - BHO: 網路加速 - {5673A7C0-95CC-4646-BB07-3BD71234CEF9} - C:\WINDOWS\system32\MicrosoftNet.dll O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE O4 - HKCU\..\Run: [caishowmanage] C:\Program Files\CaiShow Tech\CaiShow\UpdateManager.EXE O4 - Global Startup: IE-BAR.lnk = ? O8 - Extra context menu item: &使用迅雷下載 - C:\Program Files\Thunder Network\Thunder\geturl.htm O8 - Extra context menu item: &使用迅雷下載全部鏈接 - C:\Program Files\Thunder Network\Thunder\getallurl.htm O8 - Extra context menu item: 上傳到QQ網路硬碟 - C:\Program Files\QQ2005\AddToNetDisk.htm O8 - Extra context menu item: 使用影音傳送帶下載 - C:\Program Files\Xi\NetTransport 2\NTAddLink.html O8 - Extra context menu item: 使用影音傳送帶下載全部鏈接 - C:\Program Files\Xi\NetTransport 2\NTAddList.html O8 - Extra context menu item: 匯出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: 新增到QQ自定義面板 - C:\Program Files\QQ2005\AddPanel.htm O8 - Extra context menu item: 新增到QQ表情 - C:\Program Files\QQ2005\AddEmotion.htm O8 - Extra context menu item: 用QQ彩信發送該圖片 - C:\Program Files\QQ2005\SendMMS.htm O8 - Extra context menu item: 用炫彩圖鈴發送該圖片 - C:\Program Files\CaiShow Tech\CaiShow\SendMMS.htm O9 - Extra button: 中文上網 - {35980F6E-A137-4E50-953D-813BB8556899} - C:\PROGRA~1\CNNIC\Cdn\cdniehlp.dll O9 - Extra 'Tools' menuitem: 中文上網 - {35980F6E-A137-4E50-953D-813BB8556899} - C:\PROGRA~1\CNNIC\Cdn\cdniehlp.dll O9 - Extra button: 微軟 - {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} - http://www.microsoft.com/china/index.htm (file missing) O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\QQ2005\QQ.EXE (file missing) O9 - Extra 'Tools' menuitem: 騰訊QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\QQ2005\QQ.EXE (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\cdnns.dll O11 - Options group: [CDNCLIENT] 中文上網 O17 - HKLM\System\CCS\Services\Tcpip\..\{A668D9A3-C551-438A-8088-8212FEA42836}: NameServer = 202.100.192.68 202.100.199.8 O17 - HKLM\System\CCS\Services\Tcpip\..\{A67DBC2B-1ECB-447A-A753-36E5C307F052}: NameServer = 202.100.192.68,202.100.192.8 O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: VIPTray - Unknown owner - C:\WINDOWS\System32\VIPTray.exe Q: 可是之前沒有啊。。。 A: 暈，你按CTRL+ALT+DELETE，會出現短暫如是100%正常現象啊 O10 - Unknown file in Winsock LSP: c:\windows\system32\cdnns.dll O11 - Options group: [CDNCLIENT] 中文上網 O23 - Service: VIPTray - Unknown owner - C:\WINDOWS\System32\VIPTray.exe 這個幹掉 O2 - BHO: MyIEHelper Class - {16A770A0-0E87-4278-B748-2460D64A8386} - C:\Documents and Settings\All Users\Application Data\Microsoft\IEHelper\IEHelper_8888.dll O2 - BHO: BrowserHelper Class - {2D99E8F4-56B7-457B-9A92-61B5D247D263} - C:\WINDOWS\system32\WinDefendor.dll O2 - BHO: CNNIC_IDN - {35980F6E-A137-4E50-953D-813BB8556899} - C:\PROGRA~1\CNNIC\Cdn\cdniehlp.dll O2 - BHO: CAISHOW TOOLBAR - {3AF40CB8-B3BA-4E2D-8968-4BF8DB172997} - C:\Program Files\CaiShow Tech\CaiShow\BrowerHelper.dll O23 - Service: VIPTray - Unknown owner - C:\WINDOWS\System32\VIPTray.exe 修復這些,使用惡意軟件清理助手(有鏈接)卸載流氓軟件卸載 IE-BAR 用HijackThis修復下面項 O2 - BHO: BrowserHelper Class - {2D99E8F4-56B7-457B-9A92-61B5D247D263} - C:\WINDOWS\system32\WinDefendor.dll O23 - Service: VIPTray - Unknown owner - C:\WINDOWS\System32\VIPTray.exe 下載Dr.Web CureIT! ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe 執行殺毒，先會自動掃瞄記憶體工作行程和啟動項，自動掃瞄結束後，手工選中所有的硬碟分區再次殺毒. 最後把殺毒報告發上來 File->Save report list 刪除下面文件 C:\WINDOWS\system32\WinDefendor.dll C:\WINDOWS\System32\VIPTray.exe 此帖於 2006-06-16 01:10 AM 被 psac 編輯.
	__________________
	送花文章: 3, 收花文章: 1631 篇, 收花: 3205 次