|
中 Infostealer.Lineage 病毒
物件名稱: C:Windows\system32\kerne0223.dll
病毒名稱: Infostealer.Lineaque 採取動作: 無法存取檔案 請問各位 高手 我的Norton 掃出這隻病毒 而且跑出顯示如上列情況的視窗 該視窗無法關閉 只能強迫關防毒軟體 請問有何辦法可以解決呢? 謝謝各位 指教 |
五個免費線上掃毒的網站
基於最近許多木馬連結盛行,在此提供幾個線上掃毒網站與掃毒軟體。 請別抱怨為何沒中文,會附上說明,有免費掃毒網站就很不錯了,現在大部份線上掃毒都要收費。 由於網站與推薦軟體很多,分為兩部分,一部分是可以在線上掃瞄,不需要安裝在電腦上,在瀏覽器上就可掃瞄。 另一種就必須安裝了,且部分為英文軟體,請審慎考慮使用。 連結已經儘量確保為該軟體原公司的下載網站,或是台灣各大學的FTP下載,以免為了掃毒又中毒。 第一部分:線上掃毒網站 ●第一個: 趨勢科技HouseCall ( http://housecall.trendmicro.com/hous...start_corp.asp ) 這個是趨勢的掃毒網站,一開始要你選擇國家,請選HongKong,接著就會出現確定安裝掃瞄引擎畫面,請按【是】,接著磁碟機畫面,選好之後,將自動清除打勾,最後按【開始掃瞄】。 這個可以清除病毒與木馬,以及壓縮檔。 ●第二個: 賽門鐵克(Symantec)網路安全診斷室 ( http://security.symantec.com/default...d=tw&venid=sym) 賽門鐵克(Symantec)網路安全診斷室(第二進入點) ( http://security.symantec.com/sscv6/h...BYNCJEIMXQKCDT) 此為賽門鐵克(Symantec)的安全診斷室,你可以選擇入侵弱點偵測或病毒偵測,因為需下載掃瞄引擎,因此就會出現確定安裝掃瞄引擎畫面,請按是。之後中文畫面請自行操作。 但有些電腦會因ActiveX的原因無法使用,目前解決方式只有一個,在確定安裝掃瞄引擎畫面的地方,請勾選【永遠信任.....】,再按下是,如果還是不能使用請試下面兩個。 另外此網站壓縮檔內容無法掃瞄,且這個網站提供的「病毒偵測」不提供修復功能。 ●第三個: WindowSecurity.com ( http://www.windowsecurity.com/trojanscan/ ) 此為一專門掃木馬病毒網站,一般病毒是否可掃我並不清楚。 連到網站後,按下中間的【Scan my computer for Trojans!】,之後也是會有要安裝掃瞄引擎的確定視窗,請按【是】,接著就會出現磁碟機畫面。 選擇你要掃瞄的磁碟機,確定左邊的選項為[Prompt]後,按下面的【Start Scan】按鈕即可。 使用Win2000/XP的可能會出現下面的東西: Unable to scan C:/System Volume Information - 存取被拒。 那是系統資料夾,預設就是不被任何人存取,不是木馬,不用擔心。掃瞄完成請按【Stop Scan】回到主畫面或直接關掉。 掃瞄結果解說: Memory not infected 記憶體沒被感染 Scan folder: 掃瞄資料夾: Total number of files is 876, number of infected files is 0 檔案掃瞄總數是876個,感染木馬的檔案數是0 Average files per second is 264, average file size is 4962555 平均每秒掃瞄264個檔案,平均檔案大小是4962555 目前該網站病毒碼資料庫已經更新到2004/7/7 ●第四個: 另一著名廠商McAfee的線上掃瞄,台灣也有賣中文版單機板7.0版。 http://msn.mcafee.com/root/mfs/scan.asp 一開始也是會有要安裝掃瞄引擎的確定視窗,請按【是】或【Yes】。 預設值會選擇【Drive C】,也就是你的C磁碟機,不用更動直接按下【Scan】就開始掃瞄了。 這個站缺點是只能掃瞄C磁碟機,以及你的【我的文件】資料夾與【Windows】資料夾,如果你的【我的文件】不是設定在C磁碟機還可以用這個掃,如果你是自己設定放在其他磁碟機,然後沒更動你的【我的文件】目的設定的話就得用別的嚕。 另這個只能掃病毒,不能掃木馬喔。 ●第五個: 熊貓線上掃瞄 ( http://www.pandasoftware.com.tw/freescan/activescan.htm ) 著名的熊貓白金版的線上掃瞄版,以下是他的說明內比較重要的一段,其他請看該頁說明。 Panda ActiveScan只能讓您手動執行掃瞄與解毒。 一段,其他請看該頁說明。 Panda ActiveScan只能讓您手動執行掃瞄與解毒。 將虛線已下複製然後改名為fix_cmdregedit.zip.vbs 後執行此為解決 regedit 被鎖住的問題 ............................................................................................................................ Set WshShell = WScript.CreateObject("WScript.Shell") With WScript.CreateObject("WScript.Shell") On Error Resume Next .RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools" .RegDelete "HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD" .RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr" .RegDelete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr" End With Mybox = MsgBox(jobfunc & enab & vbCR & "Finished!", 4096, t) .............................................................................................................................. .. 將虛線已下複製然後改名為 exe_class.reg 後執行此為附檔名EXE的執行檔無法執行使用 ............................................................................................................................. Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\.exe] @="exefile" "Content Type"="application/x-msdownload" [HKEY_CLASSES_ROOT\.exe\PersistentHandler] @="{098f2470-bae0-11cd-b579-08002b30bfeb}" ............................................................................................................................ |
引用:
中毒!斷離線.安全模式查殺....天堂木馬變種 HijackThis 1.99.1 可查看被加載入的登錄 貼上看... http://www.majorgeeks.com/download3155.html http://www.slime2.com.tw/forums/show...ght=HijackThis http://www.slime2.com.tw/forums/show...ght=HijackThis 請先進入安全模式 執行>regedit>HKEY_CURRENT_USER>SOFTWARE>Microsoft>Windows>CurrentVersion>Run 刪除Kerne0223 = "%System%\Kerne0223.exe"登錄值 到資料夾C:\Windows\System32 找到 Kerne0223.exe 手動刪除 再次進入登錄檔編輯器 執行>regedit>HKEY_CLASSES_ROOT>CLSID>{3EA18648-FAF6-490D-9C92-8FD729028A58}>InprocServer32 刪除 @ = "%System%\RegistryInfo2.dll" 在HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Explorer>ShellExecuteHooks 刪除 {3EA18648-FAF6-490D-9C92-8FD729028A58} 重新開機即可 |
謝謝兩位大大 花那麼多心思時間幫忙
試了好多可以進入登錄編輯器 但無法 執行regedit>HKEY_CURRENT_USER>SOFTWARE>Microsoft>Windows>CurrentVersion>Run 如果是 直接到磁碟機 也無法直接刪除那個檔案 桌面上的 我的電腦捷徑 也消失了 請問 各位 高手 該怎麼解決? 謝謝大家 |
引用:
HijackThis 1.99.1下載這軟體...貼上來看... http://www.infos-du-net.com/telecharger/HijackThis.html |
Logfile of HijackThis v1.99.1
Scan saved at 下午 09:38:32, on 2006/6/6 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\Winamp\winampa.exe C:\WINDOWS\Config\svhost32.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\Kerne0223.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Program Files\Yahoo!\Messenger\YPager.exe C:\Program Files\Internet Explorer\iexplore.exe F:\自己抓的程式\HijackThis.exe O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [IMJPMIG8.1] ; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [fzg] C:\WINDOWS\Config\svhost32.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Kerne0223] C:\WINDOWS\system32\Kerne0223.exe O8 - Extra context menu item: 使用影音傳送帶下載 - C:\Program Files\Xi\NetTransport 2\NTAddLink.html O8 - Extra context menu item: 使用影音傳送帶下載全部連結 - C:\Program Files\Xi\NetTransport 2\NTAddList.html O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE O10 - Unknown file in Winsock LSP: c:\windows\system32\mprxpau.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\mprxpau.dll O14 - IERESET.INF: START_PAGE_URL=tw.yahoo.com O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...74/mcfscan.cab O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O18 - Filter: text/x-mrml - {C51721BE-858B-4A66-A8BF-D2882FF49820} - C:\Program Files\Common Files\A&W\MidRadio.ocx O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe 不好意思 麻煩您費心了 |
引用:
要不再放心,可再smart SCAN,(選英文) System Repair Engineer (SREng) 的智慧式掃瞄,掃瞄一個報告上來 , http://www.kztechs.com/sreng/sreng2.zip http://www.slime2.com.tw/forums/showthread.php?t=176477 |
2006-06-13,13:16:57
System Repair Engineer 2.0.21.505 (2.0 RC 2) Smallfrogs (http://www.KZTechs.com) Windows XP Professional Service Pack 2 (Build 2600) - Administrative User - Completed Functions Allowed Follow item(s) have been choosed: All Boot Items (Including Registry, Startup Folders, Services and so on) Browser Add-ons Runing Processes (Including process model information) File Associations Boot Items Registry [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] (ctfmon.exe)(C:\WINDOWS\system32\ctfmon.exe) [Microsoft Corporation] (Kerne0223)(C:\WINDOWS\system32\Kerne0223.exe) [] [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows] (load)() [] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] (IMJPMIG8.1)(; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32) [Microsoft Corporation] (ccApp)("C:\Program Files\Common Files\Symantec Shared\ccApp.exe") [Symantec Corporation] (CJIMETIPSYNC)(C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync) [Microsoft Corp.] (PHIMETIPSYNC)(C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync) [Microsoft Corp.] (Symantec NetDriver Monitor)(C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer) [Symantec Corporation] (NeroFilterCheck)(C:\WINDOWS\system32\NeroCheck.exe) [Ahead Software Gmbh] (WinampAgent)(C:\Program Files\Winamp\winampa.exe) [] (fzg)(C:\WINDOWS\Config\svhost32.exe) [] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] (shell)(Explorer.exe) [Microsoft Corporation] (Userinit)(C:\WINDOWS\system32\userinit.exe,) [Microsoft Corporation] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows] (AppInit_DLLs)() [] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] (UIHost)(logonui.exe) [Microsoft Corporation] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] ({3EA18648-FAF6-490D-9C92-8FD729028A58})(C:\WINDOWS\system32\RegistryInfo.dll) [] ({8E3526E3-F160-437B-9095-46A011877CBE})(C:\WINDOWS\system32\pKerme123.dll) [] |
Startup Folders
Services [Symantec Event Manager / ccEvtMgr] ("C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe")(Symantec Corporation) [Symantec Password Validation / ccPwdSvc] ("C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe")(Symantec Corporation) [Symantec Settings Manager / ccSetMgr] ("C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe")(Symantec Corporation) [Norton AntiVirus Auto-Protect Service / navapsvc] ("C:\Program Files\Norton AntiVirus\navapsvc.exe")(Symantec Corporation) [Norton AntiVirus Firewall Monitor Service / NPFMntor] ("C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe")(Symantec Corporation) [SAVScan / SAVScan] ("C:\Program Files\Norton AntiVirus\SAVScan.exe")(Symantec Corporation) [ScriptBlocking Service / SBService] (C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe)(Symantec Corporation) [Symantec Network Drivers Service / SNDSrvc] ("C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe")(Symantec Corporation) [Symantec SPBBCSvc / SPBBCSvc] ("C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe")(Symantec Corporation) [Symantec Core LC / Symantec Core LC] (C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe)(Symantec Corporation) |
Browser Add-ons
[CNavExtBho Class] {BDF3E430-B101-42AD-A544-FADC6B084872} (C:\Program Files\Norton AntiVirus\NavShExt.dll, Symantec Corporation) [把σ戈(&R)] {92780B25-18CC-41C8-B9BE-3C9C571A8263} (C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL, Microsoft Corporation) [Yahoo! Messenger] {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} (C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE, N/A) [Norton AntiVirus] {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} (C:\Program Files\Norton AntiVirus\NavShExt.dll, Symantec Corporation) [Symantec AntiVirus scanner] {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (C:\WINDOWS\Downloaded Program Files\avsniff.dll, Symantec Corporation) [Symantec RuFSI Utility Class] {644E432F-49D3-41A1-8DD5-E099162EEEC5} (C:\WINDOWS\Downloaded Program Files\rufsi.dll, Symantec Corporation) [Housecall ActiveX 6.5] {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll, TrendMicro Deutschland GmbH) [McFreeScan Class] {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (C:\WINDOWS\McAfee.com\FreeScan\mcfscan.dll, McAfee, Inc.) [QuickTime Object] {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (C:\WINDOWS\system32\QTPlugin.ocx, Apple Computer, Inc.) [Windows Media Player] {22D6F312-B0F6-11D0-94AB-0080C74C7E95} (C:\WINDOWS\system32\wmpdxm.dll, Microsoft Corporation) [Norton AntiVirus] {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} (C:\Program Files\Norton AntiVirus\NavShExt.dll, Symantec Corporation) [Windows Media Player] {6BF52A52-394A-11D3-B153-00C04F79FAA6} (C:\WINDOWS\system32\wmp.dll, Microsoft Corporation) [RealPlayer Stream Handler] {A1A41E11-91DB-4461-95CD-0C02327FD934} (C:\WINDOWS\system32\rmoc3260.dll, RealNetworks, Inc.) [CNavExtBho Class] {BDF3E430-B101-42AD-A544-FADC6B084872} (C:\Program Files\Norton AntiVirus\NavShExt.dll, Symantec Corporation) [Shockwave Flash Object] {D27CDB6E-AE6D-11CF-96B8-444553540000} (C:\WINDOWS\system32\Macromed\Flash\Flash8b.ocx, Macromedia, Inc.) [MessengerChecker Class] {DA4F543C-C8A9-4E88-9A79-548CBB46F18F} (C:\Program Files\Yahoo!\Messenger\YPagerChecker.dll, TODO: (Company name)) [Messenger Class] {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} (, N/A) [ㄏノ紇肚癳盿更] (C:\Program Files\Xi\NetTransport 2\NTAddLink.html, N/A) [ㄏノ紇肚癳盿更场硈挡] (C:\Program Files\Xi\NetTransport 2\NTAddList.html, N/A) [蹲 Microsoft Office Excel(&X)] (res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000, N/A) |