2006-06-15, 05:53 PM   #27
psac

Q:
[Help] Can someone tell me what virus this is?


Image:
http://img151.imageshack.us/img151/6656/641040006a28e126b42ae301js.jpg

Image:
http://img81.imageshack.us/img81/460/64104000599788b7e9574478cp.jpg

Image:
http://img151.imageshack.us/img151/1462/64104000f64b9e41d46a5ca5bg.jpg
Every time I open IE, lots of things pop up wanting to download. The antivirus monitor reports a virus and kills it, but the next time I open IE it is the same again. Yet when I scanned the hard disk I found no virus... Does anyone know what virus this is? How do I fix it?



A:

Please scan with HijackThis and post the result.

1. Download the latest official version, HijackThis 1.99.1:
http://www.merijn.org/files/hijackthis.zip
2. Unzip hijackthis.zip and run HijackThis.exe
3. Click "Do a system scan and save a logfile"
4. When the scan finishes, a Notepad window pops up; post the log it contains here




Q:


Logfile of HijackThis v1.99.1
Scan saved at 17:18:05, on 2006-6-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINPENJR\Win32\pphidpad.exe
C:\WINDOWS\vsnpstd3.exe
F:\Soft4Ever\looknstop\looknstop.exe
F:\Virus Chaser\Vcrmon.exe
C:\WINDOWS\system32\ctfmon.exe
F:\Virus Chaser\spiderml.exe
C:\WINDOWS\system32\oodag.exe
f:\Virus Chaser\SpiderNT.exe
F:\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
f:\Virus Chaser\Spiderui.exe
F:\Maxthon\Maxthon.exe
f:\Virus Chaser\Update.exe
G:\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: ThunderIEHelper - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v13.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - G:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Yahoo Ie-Bar - {4FCE0A2B-6D48-4B22-AD7A-1ACACABC0B38} - C:\WINDOWS\twuenk_16.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - F:\Tencent\qq\QQIEHelper.dll
O2 - BHO: (no name) - {A9930D97-9CF0-42A0-A10D-4F28836579D5} - G:\PROGRA~1\KUGOO3~1.215\KUGOO3~1.OCX
O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\Win32\pphidpad.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [Look 'n' Stop] "f:\Soft4Ever\looknstop\looknstop.exe" -auto
O4 - HKLM\..\Run: [Vcrmon] F:\Virus Chaser\Vcrmon.exe
O4 - HKLM\..\Run: [!ewido] "G:\Program Files\ewido4.0-木螞蟻綠色漢化版\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: 使用 IDM 下載 - G:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: 使用 IDM 下載所有鏈接 - G:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: 使用KuGoo3下載(&K) - G:\PROGRA~1\KUGOO3~1.215\KuGoo3DownX.htm
O8 - Extra context menu item: 使用迅雷下載 - g:\Program Files\Thunder Network\Thunder\geturl.htm
O8 - Extra context menu item: 使用迅雷下載全部鏈接 - g:\Program Files\Thunder Network\Thunder\getallurl.htm
O8 - Extra context menu item: 新增到QQ表情 - F:\Tencent\qq\AddEmotion.htm
O9 - Extra button: 易趣購物 - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=1 (file missing)
O9 - Extra 'Tools' menuitem: 易趣購物 - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=1 (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\drwebsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\drwebsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\drwebsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\drwebsp.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O17 - HKLM\System\CCS\Services\Tcpip\..\{3EFA34E2-DD97-474C-B0CD-6BD87981A6A9}: NameServer = 61.139.2.69 202.96.128.68
O23 - Service: AVKProxy - Unknown owner - C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy.exe (file missing)
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: 註冊表管理服務 (RegManServ) - Unknown owner - g:\Program Files\Registry Toolkit\RegManServ.exe (file missing)
O23 - Service: Virus Chaser Spider NT (spidernt) - New Technology Wave Inc. - f:\Virus Chaser\SpiderNT.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - F:\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe



A:



Try fixing these three items:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

Please download the SREng tool, run its "Smart Scan" function, and copy-paste the contents of the saved log here.




Q:


2006-06-15,20:15:52

System Repair Engineer 2.0.21.505 (2.0 RC 2)
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 2 (Build 2600)
- Administrator user - full functionality

The following items were selected:
All start-up items (registry, startup folder, services, etc.)
Browser add-ons
Running processes (including process module information)
File associations


Start-up items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [Microsoft Corporation]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<run><> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<PPHIDPAD><C:\WINPENJR\Win32\pphidpad.exe> []
<snpstd3><C:\WINDOWS\vsnpstd3.exe> []
<Look 'n' Stop><"f:\Soft4Ever\looknstop\looknstop.exe" -auto> [Soft4Ever]
<Vcrmon><F:\Virus Chaser\Vcrmon.exe> [New Technology Wave Inc.]
<!ewido><"G:\Program Files\ewido4.0-木螞蟻綠色漢化版\ewido.exe" /minimized> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [Microsoft Corporation]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><F:\美化專版\美化資源\登入界面\releaved\releaved.exe> []

==================================
Startup folder
Services
[AVKProxy / AVKProxy]
<"C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy.exe"><N/A>
[O&O Defrag / O&O Defrag]
<C:\WINDOWS\system32\oodag.exe><O&O Software GmbH>
[註冊表管理服務 / RegManServ]
<g:\Program Files\Registry Toolkit\RegManServ.exe><N/A>
[Virus Chaser Spider NT / spidernt]
<f:\Virus Chaser\SpiderNT.exe><New Technology Wave Inc.>
[StarWind iSCSI Service / StarWindService]
<F:\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe><Rocket Division Software>

==================================
Browser add-ons
[ThunderIEHelper Class]
{0005A87D-D626-4B3A-84F9-1D9571695F55} <C:\WINDOWS\system32\xunleibho_v13.dll, Thunder Networking Technologies,LTD>
[IDMIEHlprObj Class]
{0055C089-8582-441B-A0BF-17B458C2A3A8} <G:\Program Files\Internet Download Manager\IDMIECC.dll, Internet Download Manager Corp., Tonec Inc.>
[Yahoo Ie-Bar]
{4FCE0A2B-6D48-4B22-AD7A-1ACACABC0B38} <C:\WINDOWS\twuenk_16.dll, N/A>
[]
{53707962-6F74-2D53-2644-206D7942484F} <G:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll, Safer Networking Limited>
[QQBrowserHelperObject Class]
{54EBD53A-9BC1-480B-966A-843A333CA162} <F:\Tencent\qq\QQIEHelper.dll, 深圳市騰訊電腦系統有限公司>
[]
{A9930D97-9CF0-42A0-A10D-4F28836579D5} <G:\PROGRA~1\KUGOO3~1.215\KUGOO3~1.OCX, N/A>
[易趣購物]
{DE60714F-AC17-427e-861A-FD60CBDF119A} <http://click2.ad4all.net/url2/urlmanage/url.asp?id=1, N/A>
[ThunderIEHelper Class]
{0005A87D-D626-4B3A-84F9-1D9571695F55} <C:\WINDOWS\system32\xunleibho_v13.dll, Thunder Networking Technologies,LTD>
[IDMIEHlprObj Class]
{0055C089-8582-441B-A0BF-17B458C2A3A8} <G:\Program Files\Internet Download Manager\IDMIECC.dll, Internet Download Manager Corp., Tonec Inc.>
[Windows Genuine Advantage Validation Tool]
{17492023-C23A-453E-A040-C7C580BBF700} <C:\WINDOWS\system32\legitcheckcontrol.dll, Microsoft Corp.>
[Yahoo Ie-Bar]
{4FCE0A2B-6D48-4B22-AD7A-1ACACABC0B38} <C:\WINDOWS\twuenk_16.dll, N/A>
[]
{53707962-6F74-2D53-2644-206D7942484F} <G:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll, Safer Networking Limited>
[QQBrowserHelperObject Class]
{54EBD53A-9BC1-480B-966A-843A333CA162} <F:\Tencent\qq\QQIEHelper.dll, 深圳市騰訊電腦系統有限公司>
[WUWebControl Class]
{6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINDOWS\system32\wuweb.dll, Microsoft Corporation>
[Microsoft Web 瀏覽器]
{8856F961-340A-11D0-A96B-00C04FD705A2} <C:\WINDOWS\system32\shdocvw.dll, Microsoft Corporation>
[]
{A9930D97-9CF0-42A0-A10D-4F28836579D5} <G:\PROGRA~1\KUGOO3~1.215\KUGOO3~1.OCX, N/A>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx, Macromedia, Inc.>
[使用 IDM 下載]
<G:\Program Files\Internet Download Manager\IEExt.htm, N/A>
[使用 IDM 下載所有鏈接]
<G:\Program Files\Internet Download Manager\IEGetAll.htm, N/A>
[使用KuGoo3下載(&K)]
<G:\PROGRA~1\KUGOO3~1.215\KuGoo3DownX.htm, N/A>
[使用迅雷下載]
<g:\Program Files\Thunder Network\Thunder\geturl.htm, N/A>
[使用迅雷下載全部鏈接]
<g:\Program Files\Thunder Network\Thunder\getallurl.htm, N/A>
[新增到QQ表情]
<F:\Tencent\qq\AddEmotion.htm, N/A>

==================================
Running processes
[PID: 728][\SystemRoot\System32\smss.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 808][\??\C:\WINDOWS\system32\csrss.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 832][\??\C:\WINDOWS\system32\winlogon.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 876][C:\WINDOWS\system32\services.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 888][C:\WINDOWS\system32\lsass.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[C:\WINDOWS\system32\DRWEBSP.DLL] <Doctor Web, Ltd.><4.33.0.09160>
[PID: 1108][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 1156][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[C:\WINDOWS\system32\DRWEBSP.DLL] <Doctor Web, Ltd.><4.33.0.09160>
[PID: 1252][C:\WINDOWS\System32\svchost.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[C:\WINDOWS\system32\DRWEBSP.DLL] <Doctor Web, Ltd.><4.33.0.09160>
[PID: 1372][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[C:\WINDOWS\system32\DRWEBSP.DLL] <Doctor Web, Ltd.><4.33.0.09160>
[PID: 1496][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[C:\WINDOWS\system32\DRWEBSP.DLL] <Doctor Web, Ltd.><4.33.0.09160>
[PID: 1636][C:\WINDOWS\system32\spoolsv.exe] <Microsoft Corporation><5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)>
[PID: 1844][C:\WINDOWS\Explorer.EXE] <Microsoft Corporation><6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)>
[C:\Program Files\StormCodec\Codecs\mmfinfo.dll] <N/A><N/A>
[C:\Program Files\StormCodec\Codecs\mkunicode.dll] <N/A><N/A>
[G:\Program Files\小工具集合\Fastcopy\fastext1.dll] <SHIROUZU Hiroaki><1, 3, 0, 0>
[G:\Program Files\Internet Download Manager\IDMIECC.dll] <Internet Download Manager Corp., Tonec Inc.><1, 0, 2, 1>
[C:\WINDOWS\system32\DRWEBSP.DLL] <Doctor Web, Ltd.><4.33.0.09160>
[C:\WINDOWS\twuenk_16.dll] <N/A><N/A>
[G:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll] <Safer Networking Limited><1, 4, 0, 0>
[G:\PROGRA~1\KUGOO3~1.215\KUGOO3~1.OCX] <N/A><N/A>
[F:\解壓工具\WinRAR\rarext.dll] <N/A><N/A>
[C:\WINDOWS\system32\PathCopyEx.dll] <><1, 0, 0, 1>
[f:\Virus Chaser\Shellexe.dll] <New Technology Wave Inc.><5, 0, 0, 0>
[g:\Program Files\Unlocker\UnlockerCOM.dll] <N/A><N/A>
[C:\WINDOWS\FastFolders.dll] <DeskSoft><3.0.0>
[PID: 1952][C:\WINPENJR\Win32\pphidpad.exe] <N/A><N/A>
[PID: 1960][C:\WINDOWS\vsnpstd3.exe] <><1, 0, 1, 2>
[PID: 1976][F:\Soft4Ever\looknstop\looknstop.exe] <Soft4Ever><2, 0, 0, 5>
[C:\WINDOWS\system32\fwapi.dll] <Soft4Ever><4.01>
[F:\Soft4Ever\looknstop\plugin_language.dll] <><1, 0, 0, 1>
[PID: 1988][F:\Virus Chaser\Vcrmon.exe] <New Technology Wave Inc.><5, 0, 0, 101>
[PID: 2000][C:\WINDOWS\system32\ctfmon.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 256][F:\Virus Chaser\spiderml.exe] <Doctor Web, Ltd.><4.33.0.09160>
[F:\Virus Chaser\vchaser.dll] <N/A><N/A>
[F:\Virus Chaser\drwspcnt.dll] <Doctor Web, Ltd.><4.33.0.09160>
[C:\WINDOWS\system32\DRWEBSP.DLL] <Doctor Web, Ltd.><4.33.0.09160>
[PID: 396][C:\WINDOWS\system32\oodag.exe] <O&O Software GmbH><8.0.1341>
[C:\WINDOWS\system32\OODAGRS.DLL] <O&O軟件股份有限公司><8.0.1.1319>
[C:\WINDOWS\system32\DRWEBSP.DLL] <Doctor Web, Ltd.><4.33.0.09160>
[PID: 592][f:\Virus Chaser\SpiderNT.exe] <New Technology Wave Inc.><5, 0, 1, 104>
[PID: 640][F:\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe] <Rocket Division Software><2.6.1 Build 0x20050401>
[C:\WINDOWS\system32\DRWEBSP.DLL] <Doctor Web, Ltd.><4.33.0.09160>
[PID: 700][C:\WINDOWS\system32\svchost.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[C:\WINDOWS\system32\dsnpstd3.dll] <><1, 1, 0, 1>
[PID: 752][C:\WINDOWS\system32\wdfmgr.exe] <Microsoft Corporation><5.2.3790.1230 built by: dnsrv(bld4act)>
[PID: 1272][f:\Virus Chaser\Spiderui.exe] <New Technology Wave Inc.><5, 0, 1, 104>
[PID: 1836][C:\WINDOWS\System32\alg.exe] <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[C:\WINDOWS\system32\DRWEBSP.DLL] <Doctor Web, Ltd.><4.33.0.09160>
[PID: 3600][F:\Maxthon\Maxthon.exe] <Maxthon International Ltd.><1, 5, 2, 21>
[F:\Maxthon\maxzlib.dll] < ><1, 0, 0, 2>
[F:\Maxthon\Plugin\ViewSource\ViewSrc.dll] <><1, 0, 0, 1>
[C:\WINDOWS\system32\xunleibho_v13.dll] <Thunder Networking Technologies,LTD><4, 6, 0, 48>
[F:\Maxthon\Services\RealTime\real_time.dll] <><1, 0, 0, 1>
[C:\WINDOWS\system32\DRWEBSP.DLL] <Doctor Web, Ltd.><4.33.0.09160>
[PID: 1820][C:\WINDOWS\system32\wuauclt.exe] <Microsoft Corporation><5.8.0.2469 built by: lab01_n(wmbla)>
[PID: 3620][G:\sreng2\SREng2\SREng.exe] <Smallfrogs Studio><2.0.21.505>
[C:\WINDOWS\system32\DRWEBSP.DLL] <Doctor Web, Ltd.><4.33.0.09160>

==================================
File associations
.TXT Error. [C:\WINDOWS\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM Error. [C:\WINDOWS\hh.exe %1]
.HLP Error. [C:\WINDOWS\winhlp32.exe %1]
.INI Error. [C:\WINDOWS\NOTEPAD.EXE %1]
.INF Error. [C:\WINDOWS\NOTEPAD.EXE %1]
.VBS Error. [wscript.exe "%1" %*]
.JS Error. [NOTEPAD.EXE %1]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock providers

==================================


Thanks, please help me analyze it.. and also!

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
I fixed those, it did not help; please help analyze the log above.





A:

Download and install Windows流氓軟件清理大師 (Windows Rogue Software Cleaning Master): http://www.crsky.com/soft/6700.html
Download and install 惡意軟件清理助手 (Malicious Software Cleanup Assistant): http://www.crsky.com/soft/6251.html

R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo Ie-Bar - {4FCE0A2B-6D48-4B22-AD7A-1ACACABC0B38} - C:\WINDOWS\twuenk_16.dll
Then fix these two.

After rebooting, go into Safe Mode, run the software to clean up, and delete the file listed above.
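The following is an added example, not code from this thread or from the HijackThis or SREng tools. It reads a HijackThis 1.99 log such as the one posted above and narrows it to the line types the two answers pointed at (the missing R3 search hook, the O6 policy keys, BHOs that register no name or whose DLL sits directly in the Windows root, unknown LSP files, O17 DNS overrides and O23 services whose binary is missing), then writes a .reg file that deletes the O6 policy keys, re-adds the default search hook and unregisters only the BHO CLSIDs a reviewer chooses. The registry paths for the BHO list and for URLSearchHooks, and the CLSID assumed to be IE's stock search hook, are assumptions to confirm on a known-clean machine; the sample log is a constructed excerpt of the log in the thread.

```python
"""Triage a HijackThis 1.99 log and emit a .reg file for the items a
reviewer decides to fix.  Added example; not code from the thread."""
import re
from typing import List, Tuple

# Registry keys behind the HijackThis line types handled below.
# DEFAULT_HOOK is assumed to be the stock IE search-hook CLSID that the
# "R3 - Default URLSearchHook is missing" check refers to; confirm both
# paths and the CLSID on a known-clean machine before importing anything.
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
HOOK_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks"
DEFAULT_HOOK = "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O6_RE = re.compile(r"^O6 - (?P<hive>HKCU|HKLM)\\(?P<key>.+?) present$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")

Finding = Tuple[str, str]  # (kind, detail)


def triage(log: str) -> List[Finding]:
    """Return the log lines a reviewer should look at, tagged by kind.
    Nothing here decides what is malicious; it only narrows the list."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("R3 - Default URLSearchHook is missing"):
            findings.append(("hook_missing", line))
        elif m := O2_RE.match(line):
            # A BHO that registers no name, or whose DLL sits directly in
            # %WINDIR% rather than in a program folder, is worth a look.
            in_windir = re.match(r"^[A-Za-z]:\\WINDOWS\\[^\\]+$", m["path"], re.I)
            if in_windir or m["name"] == "(no name)":
                findings.append(("bho_review", f'{m["clsid"]} {m["path"]}'))
        elif m := O6_RE.match(line):
            findings.append(("ie_policy", f'{HIVES[m["hive"]]}\\{m["key"]}'))
        elif line.startswith("O10 - Unknown file in Winsock LSP"):
            findings.append(("lsp_unknown", line))
        elif m := O17_RE.match(line):
            findings.append(("dns_override", m["servers"]))
        elif line.startswith("O23 ") and line.endswith("(file missing)"):
            findings.append(("orphan_service", line))
    return findings


def build_reg(findings: List[Finding], remove_bhos: List[str]) -> str:
    """Build a .reg file that deletes every O6 policy key found, re-adds
    the default search hook if it was reported missing, and unregisters
    only the BHO CLSIDs passed explicitly in remove_bhos."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for kind, detail in findings:
        if kind == "ie_policy":
            out += [f"[-{detail}]", ""]  # a leading '-' deletes the whole key
        elif kind == "hook_missing":
            out += [f"[{HOOK_KEY}]", f'"{DEFAULT_HOOK}"=""', ""]
    for clsid in remove_bhos:
        out += [f"[-{BHO_KEY}\\{clsid}]", ""]
    return "\r\n".join(out)


# Constructed excerpt of the HijackThis log posted in the thread.
SAMPLE = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: ThunderIEHelper - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v13.dll
O2 - BHO: Yahoo Ie-Bar - {4FCE0A2B-6D48-4B22-AD7A-1ACACABC0B38} - C:\WINDOWS\twuenk_16.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O10 - Unknown file in Winsock LSP: c:\windows\system32\drwebsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{3EFA34E2-DD97-474C-B0CD-6BD87981A6A9}: NameServer = 61.139.2.69 202.96.128.68
O23 - Service: AVKProxy - Unknown owner - C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy.exe (file missing)
"""

if __name__ == "__main__":
    found = triage(SAMPLE)
    for kind, detail in found:
        print(f"{kind:15} {detail}")
    # The reviewer picks the Yahoo Ie-Bar CLSID after reading the list.
    print(build_reg(found, ["{4FCE0A2B-6D48-4B22-AD7A-1ACACABC0B38}"]))
```

The triage output is a review list, not a kill list: drwebsp.dll in the LSP chain belongs to the Doctor Web engine that Virus Chaser uses (the SREng process list shows it tagged Doctor Web, Ltd.), and SDHelper.dll is Spybot's own BHO, so pass build_reg only the CLSIDs you have actually decided on. Import the resulting .reg with regedit after booting into Safe Mode, then delete the DLL as the answer says; otherwise a still-loaded BHO can re-create its registration.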