Old 2006-07-13, 05:36 PM   #35 (permalink)
psac

Q:

[Help] Could an expert please take a look at what virus my computer has caught

Symptoms: every time after booting, the antivirus automatically detects many virus-infected .EXE files. There is no way around it; I can only delete the infected files, but as a result many programs on the computer no longer work. It is very annoying. Please advise.
I am using Kaspersky, and the virus just cannot be cleaned out completely. Every time I boot there is a virus alert.
The scan log follows:
Logfile of HijackThis v1.99.1
Scan saved at 下午 09:00:49, on 2006-07-12
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\crypserv.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINPENJR\Win32\pphidpad.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\Twain_32\F6580\HotKey.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\TurboFTP\tftpsvc.exe
D:\WINDOWS\System32\ctfmon.exe
D:\PROGRA~1\COMMON~1\DATADY~1\ACTIVE~1\WEBCAC~1.EXE
D:\Program Files\ACD\ACDSee\ACDSee.exe
D:\WINDOWS\system32\ntvdm.exe
D:\Documents and Settings\A Xing\桌面\HijackThis.exe

R3 - URLSearchHook: Tencent Url Search Hook - {DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9} - D:\WINDOWS\Downloaded Program Files\TBHMain.dll
O2 - BHO: Tencent Browser Helper - {0C7C23EF-A848-485B-873C-0ED954731014} - D:\WINDOWS\Downloaded Program Files\TBHMain.dll
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - D:\Program Files\Tencent\QQ\QQIEHelper.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - D:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - D:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PPHIDPAD] D:\WINPENJR\Win32\pphidpad.exe
O4 - HKLM\..\Run: [KAVPersonal50] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [HotKey] D:\WINDOWS\Twain_32\F6580\HotKey.exe
O4 - HKLM\..\Run: [shoket] D:\WINDOWS\System32\SHELLEXT\svchs0t.exe
O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: Download all by Net Transport - D:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - D:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 新增到QQ自定義面板 - D:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 新增到QQ表情 - D:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 新增到QQ自定義面板 - D:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 新增到QQ表情 - D:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ MMS傳送該圖片 - D:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: 用QQ彩信發送該圖片 - D:\Program Files\Tencent\QQ\SendMMS.htm
O9 - Extra button: PowerWord - {8DE0FCD4-5EB5-11D3-AD25-00002100131B} - D:\PROGRA~1\KINGSOFT\XDICT\ieplugin.DLL
O9 - Extra button: Joyo - {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - D:\PROGRA~1\KINGSOFT\XDICT\ieplugin.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - Extra 'Tools' menuitem: 騰訊QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQ嚃粗馱撿沭扢離 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\Program Files\Tencent\QQ\QQIEHelper.dll
O11 - Options group: [TBH] QQ華硊戲刲坰
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Crypkey License - Unknown owner - D:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: kavsvc - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TurboFTP Sync Service (TBFTPSyncService) - TurboSoft,Inc - D:\Program Files\TurboFTP\tftpsvc.exe
O23 - Service: WebCacheService - Data Dynamics - D:\PROGRA~1\COMMON~1\DATADY~1\ACTIVE~1\WEBCAC~1.EXE

A:

Please provide the specific name of the virus that the antivirus software reports for the infected EXE files.
1) Run HijackThis again and choose "Do a system scan and save a logfile".
After the scan completes, tick the following item and choose Fix:
O4 - HKLM\..\Run: [shoket] D:\WINDOWS\System32\SHELLEXT\svchs0t.exe

And ... it is strongly recommended that you go to Windows Update and install all the patches.

Description: 000
Image:
http://bbs.crsky.com/1128632305/Mon_0607/64_90095_0ce896dcd0b7a5d.jpg

Description: 111
Image:
http://bbs.crsky.com/1128632305/Mon_0607/64_90095_be020f649de051e.jpg

The problem persists. This virus specifically infects exe files inside shared folders,
as shown in the picture below:

A: The scan log follows:
Logfile of HijackThis v1.99.1
Scan saved at 上午 09:31:37, on 2006-07-13
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\crypserv.exe
D:\WINDOWS\system32\slserv.exe
D:\Program Files\SoftEther\SoftEther.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\WFXSVC.EXE
D:\Program Files\Symantec\WinFax\WFXMOD32.EXE
D:\WINDOWS\slrundll.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Microtek\ScanWizard DI\ScannerFinder.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Symantec\WinFax\WFXCTL32.EXE
D:\Documents and Settings\ACCOUNT\桌面\HijackThis.exe

R3 - URLSearchHook: 捇誥翑忒 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - D:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O2 - BHO: yPhtb - {33BBE430-0E42-4f12-B075-8D21ACB10DCB} - D:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yphtb.dll
O2 - BHO: Anti Fish - {38928D50-8A48-44C2-945F-D2F23F771410} - D:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yangling.dll
O2 - BHO: 捇誥翑忒 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - D:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O2 - BHO: YDragSearch - {62EED7C6-9F02-42f9-B634-98E2899E147B} - D:\PROGRA~1\Yahoo!\ASSIST~1\Assist\YDRAGS~1.DLL
O2 - BHO: (no name) - {A9930D97-9CF0-42A0-A10D-4F28836579D5} - D:\PROGRA~1\KuGoo3\KUGOO3~1.OCX
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - D:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: 捇誥翑忒 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - D:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\win32\pphidpad.exe
O4 - HKLM\..\Run: [ScannerFinder] D:\Program Files\Microtek\ScanWizard DI\ScannerFinder.exe
O4 - HKLM\..\Run: [KAVPersonal50] D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 妏蚚KuGoo3狟婥(&K) - D:\Program Files\KuGoo3\KuGoo3DownX.htm
O8 - Extra context menu item: 新增到QQ自定義面板 - D:\D盤\紅葉\雜\qq\AddPanel.htm
O8 - Extra context menu item: 新增到QQ表情 - D:\D盤\紅葉\雜\qq\AddEmotion.htm
O8 - Extra context menu item: 氝樓善捇誥隆堐(&Y) - res://D:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yrss.dll/YRSSMENUEXT
O8 - Extra context menu item: 新增QQ伺服器端我的最愛 - D:\D盤\紅葉\雜\qq\NAF.htm
O8 - Extra context menu item: 用QQ MMS傳送該圖片 - D:\D盤\紅葉\雜\qq\SendMMS.htm
O8 - Extra context menu item: 雅虎搜索 - res://D:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/246
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1109986659564
O23 - Service: Crypkey License - Unknown owner - D:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: kavsvc - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SoftEther Virtual LAN Card (SoftEther) - Unknown owner - D:\Program Files\SoftEther\SoftEther.exe" service (file missing)
O23 - Service: TurboFTP Sync Service (TBFTPSyncService) - TurboSoft,Inc - D:\Program Files\TurboFTP\tftpsvc.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - D:\WINDOWS\System32\WFXSVC.EXE

A:
This virus infects exe files.
Please turn off System Restore, update Windows, close any shares you do not need, and set a complex administrator password.
Disconnect from the network and boot into Safe Mode to scan for and remove the virus.
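As an added example (not code from HijackThis and not part of the original post), the following Python script applies the reasoning behind the answer's fix list to the O4 (Run key) lines of a HijackThis log: it extracts each autorun target, flags file names that imitate a Windows core process (the post's svchs0t.exe next to the legitimate svchost.exe) and flags targets that start from a subfolder beneath System32 rather than from System32 itself. The core-process name list, the 0.8 similarity threshold and the "subfolder of System32" rule are my assumptions, not HijackThis behaviour; the sample input is the set of O4 lines copied from the first log in the post.

```python
"""Flag suspicious O4 (Run key) entries in a HijackThis log.

Added example for this forum post; not code from HijackThis or from the
thread. The heuristics (core-process name list, similarity threshold,
"subfolder of System32" rule) are assumptions of this example.
"""
import re
from difflib import SequenceMatcher
from pathlib import PureWindowsPath

# Windows core processes whose names malware commonly imitates (assumed list).
CORE_PROCESS_NAMES = (
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "smss.exe", "explorer.exe", "spoolsv.exe",
)
SIMILARITY_THRESHOLD = 0.8  # assumed; an exact core name is handled separately

# Shape of an O4 line:  O4 - HKLM\..\Run: [name] command line
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Sample input: the O4 lines of the first log in the post.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [PPHIDPAD] D:\WINPENJR\Win32\pphidpad.exe
O4 - HKLM\..\Run: [KAVPersonal50] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [HotKey] D:\WINDOWS\Twain_32\F6580\HotKey.exe
O4 - HKLM\..\Run: [shoket] D:\WINDOWS\System32\SHELLEXT\svchs0t.exe
O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
"""


def extract_target(cmd: str) -> str:
    """Return the executable path from a Run-key command line.

    Handles a quoted path followed by arguments, an unquoted path that
    contains spaces (cut at the first .exe), and a bare path.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" /")[0]


def lookalike_of(basename: str):
    """Return the core process name this file name imitates, or None.

    An exact core name is not a look-alike: a real core binary in the
    wrong place is caught by the location rule instead.
    """
    low = basename.lower()
    if low in CORE_PROCESS_NAMES:
        return None
    best = max(CORE_PROCESS_NAMES, key=lambda c: SequenceMatcher(None, low, c).ratio())
    return best if SequenceMatcher(None, low, best).ratio() >= SIMILARITY_THRESHOLD else None


def in_system32_subfolder(path: str) -> bool:
    """True when the file sits in a subfolder below \\WINDOWS\\System32.

    Core binaries live directly in System32; an autorun target in a
    subfolder there (SHELLEXT in the post) is unusual (assumed rule).
    """
    dirs = [p.lower() for p in PureWindowsPath(path).parts[1:-1]]  # drop drive and file name
    return len(dirs) >= 3 and dirs[0] == "windows" and dirs[1] == "system32"


def audit_autoruns(log_text: str) -> list:
    """Return one finding (dict) per suspicious O4 entry in the log text."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        target = extract_target(m["cmd"])
        reasons = []
        mimic = lookalike_of(PureWindowsPath(target).name)
        if mimic:
            reasons.append(f"file name resembles core process {mimic}")
        if in_system32_subfolder(target):
            reasons.append("runs from a subfolder beneath System32")
        if reasons:
            findings.append({"hive": m["hive"], "key": m["key"], "entry": m["name"],
                             "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_autoruns(SAMPLE_LOG):
        print(f"{f['hive']}\\..\\{f['key']} [{f['entry']}] -> {f['target']}")
        for r in f["reasons"]:
            print("   -", r)
```

On the sample lines only the [shoket] entry is reported, with both reasons, which matches the single O4 item the answer tells the asker to fix; the legitimate entries (Kaspersky, the pen-tablet driver, ctfmon.exe directly in System32) pass. Run it against a full saved log to triage the O4 section before touching anything.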