病毒backdoor/heidong.2005.hook怎麼殺？

psac · 2005-08-25, 06:54 AM

Q:
病毒backdoor/heidong.2005.hook怎麼殺？
今天用江民2005發現在C:\WINNT\system32\keyspy.dll中有backdoor/heidong.2005.hook病毒，移除失敗，提示重啟移除。重啟還能殺出來，怎麼辦？

A:

用HijackThis 掃瞄一個logfile,把內容貼上來以方便分析~
1. 下載 HijackThis 1.99.1,儲存到桌面後再解壓
http://www.spywareinfo.com/~merijn/files/hijackthis.zip
2. 執行hijackthis.exe,按"Do a system scan and save a logfile"
3. 掃瞄完成後,一個記事本視窗把會彈出來,把內容貼上來

PS: 請勿自行胡亂修復HijackThis掃瞄內的項目

Q:

Logfile of HijackThis v1.99.1
Scan saved at 17:26:36 上午, on 2005-8-23
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundl32.exe
C:\WINNT\dlhost.exe
D:\PROGRA~1\江民\KV2005\KVSrvXP_1.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
D:\Program Files\FireWall\PFW.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\internat.exe
D:\Program Files\Bizpartner\Agent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\conime.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\PhotoshopCS 8.01\Photoshop.exe
D:\Program Files\迅雷4\Thunder\Thunder.exe
D:\Program Files\迅雷4\Thunder\TDUpdate.exe
D:\Program Files\迅雷4\Thunder\MediaIssue\Issue.exe
C:\Documents and Settings\Administrator\桌面\hijackthis\HijackThis.exe

R3 - URLSearchHook: 上網助手 - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\PROGRA~1\3721\Assist\asbar.dll
O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINNT\system32\xunleibho_v5.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\adobe Reader 7.01\ActiveX\AcroIEHelper.dll
O2 - BHO: BrowseHelper Class - {80BF4637-D65B-43F3-BB60-C5DD3D5FB7B9} - D:\Program Files\江民\KV2005\KvShell_1.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: DownloadBHO T2BHO - {B1D147E7-873E-4909-8127-695D9BB78728} - C:\WINNT\Downloaded Program Files\CONFLICT.2\barhelp.dll (file missing)
O2 - BHO: AssistII - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\PROGRA~1\3721\Assist\asbar.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINNT\DOWNLO~1\CnsHook.dll
O2 - BHO: SFP Class - {F236CC5A-F6E4-4011-9EED-C52FDF51CE3D} - C:\WINNT\system32\Sbhoplin.dll
O3 - Toolbar: @msdxmLC.dll,-1@2052,電台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: 天下搜尋 - {56A7DC70-E102-4408-A34A-AE06FEF01586} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: 上網助手 - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\PROGRA~1\3721\Assist\asbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

psac · 2005-08-25, 06:57 AM

O3 - Toolbar: Alexa - {3CEFF6CD-6F08-4e4d-BCCD-FF7415288C3B} - C:\WINNT\system32\SHDOCVW.DLL
O3 - Toolbar: 江民殺毒工作列 - {B5A34A93-D538-43A7-8371-864CB6148D12} - D:\Program Files\江民\KV2005\KvShell_1.dll
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINNT\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NMGameX_AutoRun] C:\WINNT\system32\Rundll32.exe NMGameX.dll,LiveProcess /aa
O4 - HKLM\..\Run: [FireWall] D:\Program Files\FireWall\PFW.exe
O4 - HKLM\..\Run: [SKYNET Personal FireWall] D:\Program Files\FireWall\PFW.exe
O4 - HKLM\..\Run: [KvMonXP] D:\Program Files\江民\KV2005\KVMonXP.kxp /auto
O4 - HKLM\..\Run: [helper.dll] C:\WINNT\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [BpAgent] d:\Program Files\Bizpartner\Agent.exe
O4 - Startup: 迅雷4.lnk = ?
O8 - Extra context menu item: !搜一搜 - res://C:\WINNT\DOWNLO~1\CnsMinEx.dll/1003
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &使用迅雷下載 - D:\Program Files\迅雷4\Thunder\geturl.htm
O8 - Extra context menu item: &使用迅雷下載全部連接 - D:\Program Files\迅雷4\Thunder\getAllurl.htm
O8 - Extra context menu item: Alexa Web Search - http://client.alexa.com/holiday/scri...ons/search.htm
O8 - Extra context menu item: Get Alexa Data - http://client.alexa.com/holiday/scri...s/sitedata.htm
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/scri...ons/mailto.htm
O8 - Extra context menu item: See Related Links - http://client.alexa.com/holiday/scri...ns/related.htm
O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/scri...ons/review.htm
O8 - Extra context menu item: 反向連接 - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: 類似網頁 - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: 快取的網頁抓圖 - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: 手機簡信 - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm (file missing)
O9 - Extra button: 發佈訊息 - {0713E8D1-850A-101B-AFC0-5210102A8DAA} - (no file)
O9 - Extra button: Yahoo 1G電子信箱 - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.mail.yahoo.com/promo/rd1 (file missing)
O9 - Extra button: 尋寶樂趣多 - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://hot.3721.com/rd/shop_btn.htm (file missing)
O9 - Extra button: 上網助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://assistant.3721.com/index.htm?fb=Cns (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenge...ger.yahoo.com/ (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: 修復瀏覽器 - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: 清理上網記錄 - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\kvwspxp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\kvwspxp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\kvwspxp.dll
O11 - Options group: [!CNS] 網路實名
O16 - DPF: {56A7DC70-E102-4408-A34A-AE06FEF01586} (天下搜尋) - http://iebar.t2t2.com/iebar.cab
O16 - DPF: {58CDB34C-B4D7-418B-A0FB-C4C8A01C2F0E} - http://dl.51.net/download/diybar.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1124676920000
O17 - HKLM\System\CCS\Services\Tcpip\..\{7699EFB9-8554-435A-98F5-587746D8DAEC}: NameServer = 192.168.0.1
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Windows Management Hdfya (Explorer) - Unknown owner - C:\WINNT\system32\rundl32.exe
O23 - Service: Windows Management Instrfygz (Fygz) - Unknown owner - C:\WINNT\dlhost.exe
O23 - Service: KVSrvXP_1 - JiangMin New Tech Ltd. - D:\PROGRA~1\江民\KV2005\KVSrvXP_1.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

psac · 2005-08-25, 07:00 AM

A:

1. 用工作管理器結束以下工作
C:\WINNT\system32\rundl32.exe
C:\WINNT\dlhost.exe

2. 用HijackThis修復以下的項目(在項目前的方格打勾,按Fix checked)
O23 - Service: Windows Management Hdfya (Explorer) - Unknown owner - C:\WINNT\system32\rundl32.exe
O23 - Service: Windows Management Instrfygz (Fygz) - Unknown owner - C:\WINNT\dlhost.exe

3. 重新啟動,移除以下檔案
C:\WINNT\dlhost.exe
C:\WINNT\system32\rundl32.exe
C:\WINNT\system32\keyspy.dll

Q:
兩個工作都結束不了~~~
都提示拒絕訪問

A:推薦icesword冰刃。很強的dd。可以既時取代病毒文件，哈哈。結束除了系統內核的其他工作。
可以用KILLBOX.輸入路徑.然後移除.

Q:
用了，還是不讓移除

Q:
試試用木馬輔助搜尋器 2005
http://down.huigezi.net/hgz/fint2005.exe

把兩個工作打勾,一起結束它們

q:

謝謝，工作可以禁止了~~有戲，正在進行下面的步驟，解決了來報喜~~

問題解決，現在正在全面掃瞄，臨時沒有發現那個病毒~~，具體操作方法：
1，用木馬輔助搜尋器 2005結束
C:\WINNT\system32\rundl32.exe
C:\WINNT\dlhost.exe
兩個工作
2，用HijackThis修復以下的項目
O23 - Service: Windows Management Hdfya (Explorer) - Unknown owner - C:\WINNT\system32\rundl32.exe
O23 - Service: Windows Management Instrfygz (Fygz) - Unknown owner - C:\WINNT\dlhost.exe

3. 移除以下檔案（註：不重啟，不然前兩個工作又出來了）
C:\WINNT\dlhost.exe
C:\WINNT\system32\rundl32.exe
C:\WINNT\system32\rundl32.cfg
C:\WINNT\system32\keyspy.dll （這個可能一時不讓刪，過一會就可以了，要不就用軟體強行刪掉）
C:\WINNT\system32\keylog.txt （裡面是鍵盤記錄）
C:\!Submit\keyspy.dll （後來用江民又掃瞄出來的）

真是太感謝你了！！！！下面是hijackthis日誌，勞煩老兄看看還有沒有問題：

Logfile of HijackThis v1.99.1
Scan saved at 15:33:35 上午, on 2005-8-24
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
D:\PROGRA~1\江民\KV2005\KVSrvXP_1.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
D:\Program Files\FireWall\PFW.exe
D:\Program Files\江民\KV2005\KVMonXP.kxp
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\internat.exe
D:\Program Files\Bizpartner\Agent.exe
D:\Program Files\江民\KV2005\TrojDie.kxp
D:\Program Files\江民\KV2005\KvXP.kxp
C:\WINNT\system32\DllHost.exe
D:\Program Files\江民\KV2005\KRegEx.exe
C:\WINNT\system32\DllHost.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\conime.exe
D:\Program Files\hijackthis\HijackThis.exe

psac · 2005-08-25, 07:02 AM

R3 - URLSearchHook: 上網助手 - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\PROGRA~1\3721\Assist\asbar.dll
O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINNT\system32\xunleibho_v5.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\adobe Reader 7.01\ActiveX\AcroIEHelper.dll
O2 - BHO: BrowseHelper Class - {80BF4637-D65B-43F3-BB60-C5DD3D5FB7B9} - D:\Program Files\江民\KV2005\KvShell_1.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: DownloadBHO T2BHO - {B1D147E7-873E-4909-8127-695D9BB78728} - C:\WINNT\Downloaded Program Files\CONFLICT.2\barhelp.dll (file missing)
O2 - BHO: AssistII - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\PROGRA~1\3721\Assist\asbar.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINNT\DOWNLO~1\CnsHook.dll
O2 - BHO: SFP Class - {F236CC5A-F6E4-4011-9EED-C52FDF51CE3D} - C:\WINNT\system32\Sbhoplin.dll
O3 - Toolbar: @msdxmLC.dll,-1@2052,電台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: 天下搜尋 - {56A7DC70-E102-4408-A34A-AE06FEF01586} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: 上網助手 - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\PROGRA~1\3721\Assist\asbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Alexa - {3CEFF6CD-6F08-4e4d-BCCD-FF7415288C3B} - C:\WINNT\system32\SHDOCVW.DLL
O3 - Toolbar: 江民殺毒工作列 - {B5A34A93-D538-43A7-8371-864CB6148D12} - D:\Program Files\江民\KV2005\KvShell_1.dll
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINNT\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NMGameX_AutoRun] C:\WINNT\system32\Rundll32.exe NMGameX.dll,LiveProcess /aa
O4 - HKLM\..\Run: [SKYNET Personal FireWall] D:\Program Files\FireWall\PFW.exe
O4 - HKLM\..\Run: [KvMonXP] D:\Program Files\江民\KV2005\KVMonXP.kxp /auto
O4 - HKLM\..\Run: [helper.dll] C:\WINNT\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [BpAgent] d:\Program Files\Bizpartner\Agent.exe
O8 - Extra context menu item: !搜一搜 - res://C:\WINNT\DOWNLO~1\CnsMinEx.dll/1003
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &使用迅雷下載 - D:\Program Files\迅雷4\Thunder\geturl.htm
O8 - Extra context menu item: &使用迅雷下載全部連接 - D:\Program Files\迅雷4\Thunder\getAllurl.htm
O8 - Extra context menu item: Alexa Web Search - http://client.alexa.com/holiday/scri...ons/search.htm
O8 - Extra context menu item: Get Alexa Data - http://client.alexa.com/holiday/scri...s/sitedata.htm
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/scri...ons/mailto.htm
O8 - Extra context menu item: See Related Links - http://client.alexa.com/holiday/scri...ns/related.htm
O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/scri...ons/review.htm
O8 - Extra context menu item: 反向連接 - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: 類似網頁 - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: 快取的網頁抓圖 - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: 手機簡信 - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm (file missing)
O9 - Extra button: 發佈訊息 - {0713E8D1-850A-101B-AFC0-5210102A8DAA} - (no file)
O9 - Extra button: Yahoo 1G電子信箱 - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.mail.yahoo.com/promo/rd1 (file missing)
O9 - Extra button: 尋寶樂趣多 - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://hot.3721.com/rd/shop_btn.htm (file missing)
O9 - Extra button: 上網助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://assistant.3721.com/index.htm?fb=Cns (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenge...ger.yahoo.com/ (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: 修復瀏覽器 - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: 清理上網記錄 - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\kvwspxp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\kvwspxp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\kvwspxp.dll
O11 - Options group: [!CNS] 網路實名
O16 - DPF: {56A7DC70-E102-4408-A34A-AE06FEF01586} (天下搜尋) - http://iebar.t2t2.com/iebar.cab
O16 - DPF: {58CDB34C-B4D7-418B-A0FB-C4C8A01C2F0E} - http://dl.51.net/download/diybar.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1124676920000
O17 - HKLM\System\CCS\Services\Tcpip\..\{7699EFB9-8554-435A-98F5-587746D8DAEC}: NameServer = 192.168.0.1
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Windows Management Hdfya (Explorer) - Unknown owner - C:\WINNT\system32\rundl32.exe (file missing)
O23 - Service: Windows Management Instrfygz (Fygz) - Unknown owner - C:\WINNT\dlhost.exe (file missing)
O23 - Service: KVSrvXP_1 - JiangMin New Tech Ltd. - D:\PROGRA~1\江民\KV2005\KVSrvXP_1.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

psac · 2005-08-25, 07:10 AM

Q:

進入註冊表:
展開: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
把這兩個鍵移除:Explorer和Fygz

C:\!Submit\keyspy.dll （後來用江民又掃瞄出來的）
這個是KILLBOX移除前的制作備份.
可以移除.

C:\WINNT\dlhost.exe
C:\WINNT\system32\rundl32.exe
C:\WINNT\system32\rundl32.cfg
這三個應該移除了吧?

A:
C:\WINNT\dlhost.exe
C:\WINNT\system32\rundl32.exe
C:\WINNT\system32\rundl32.cfg
這三個應該移除了吧?
都已經刪了~~

進入註冊表:
展開: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
把這兩個鍵移除:Explorer和Fygz
幹什麼用的？

C:\!Submit\keyspy.dll （後來用江民又掃瞄出來的）
這個是KILLBOX移除前的制作備份.
可以移除.
什麼意思？不太懂

Q:

這兩個是病毒的服務.
進入註冊表HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
找到它們兩個Explorer和Fygz.右鍵移除

C:\!Submit\keyspy.dll
這個是KILLBOX移除病毒文件前的制作備份(避免移除出現錯誤)
可以把這個制作備份移除.

A:

明白~~~謝謝！！！！沒有其他的問題了 !

2005-08-25, 06:54 AM	#1
psac 榮譽會員榮譽勳章勳章總數19 UID - 3662 在線等級: 註冊日期: 2002-12-07 住址: 木柵市立動物園文章: 17381 精華: 2 現金: 5253 金幣資產: 33853 金幣	病毒backdoor/heidong.2005.hook怎麼殺？ Q: 病毒backdoor/heidong.2005.hook怎麼殺？今天用江民2005發現在C:\WINNT\system32\keyspy.dll中有backdoor/heidong.2005.hook病毒，移除失敗，提示重啟移除。重啟還能殺出來，怎麼辦？ A: 用HijackThis 掃瞄一個logfile,把內容貼上來以方便分析~ 1. 下載 HijackThis 1.99.1,儲存到桌面後再解壓 http://www.spywareinfo.com/~merijn/files/hijackthis.zip 2. 執行hijackthis.exe,按"Do a system scan and save a logfile" 3. 掃瞄完成後,一個記事本視窗把會彈出來,把內容貼上來 PS: 請勿自行胡亂修復HijackThis掃瞄內的項目 Q: Logfile of HijackThis v1.99.1 Scan saved at 17:26:36 上午, on 2005-8-23 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\rundl32.exe C:\WINNT\dlhost.exe D:\PROGRA~1\江民\KV2005\KVSrvXP_1.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\inetsrv\inetinfo.exe C:\WINNT\Explorer.EXE D:\Program Files\FireWall\PFW.exe C:\WINNT\system32\rundll32.exe C:\WINNT\system32\internat.exe D:\Program Files\Bizpartner\Agent.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINNT\system32\conime.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE D:\Program Files\PhotoshopCS 8.01\Photoshop.exe D:\Program Files\迅雷4\Thunder\Thunder.exe D:\Program Files\迅雷4\Thunder\TDUpdate.exe D:\Program Files\迅雷4\Thunder\MediaIssue\Issue.exe C:\Documents and Settings\Administrator\桌面\hijackthis\HijackThis.exe R3 - URLSearchHook: 上網助手 - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\PROGRA~1\3721\Assist\asbar.dll O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINNT\system32\xunleibho_v5.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\adobe Reader 7.01\ActiveX\AcroIEHelper.dll O2 - BHO: BrowseHelper Class - {80BF4637-D65B-43F3-BB60-C5DD3D5FB7B9} - D:\Program Files\江民\KV2005\KvShell_1.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: DownloadBHO T2BHO - {B1D147E7-873E-4909-8127-695D9BB78728} - C:\WINNT\Downloaded Program Files\CONFLICT.2\barhelp.dll (file missing) O2 - BHO: AssistII - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\PROGRA~1\3721\Assist\asbar.dll O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINNT\DOWNLO~1\CnsHook.dll O2 - BHO: SFP Class - {F236CC5A-F6E4-4011-9EED-C52FDF51CE3D} - C:\WINNT\system32\Sbhoplin.dll O3 - Toolbar: @msdxmLC.dll,-1@2052,電台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx O3 - Toolbar: 天下搜尋 - {56A7DC70-E102-4408-A34A-AE06FEF01586} - (no file) O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file) O3 - Toolbar: 上網助手 - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\PROGRA~1\3721\Assist\asbar.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
	__________________
	送花文章: 3, 收花文章: 1631 篇, 收花: 3205 次

2005-08-25, 06:57 AM	#2 (permalink)
psac 榮譽會員榮譽勳章勳章總數19 UID - 3662 在線等級: 註冊日期: 2002-12-07 住址: 木柵市立動物園文章: 17381 精華: 2 現金: 5253 金幣資產: 33853 金幣	O3 - Toolbar: Alexa - {3CEFF6CD-6F08-4e4d-BCCD-FF7415288C3B} - C:\WINNT\system32\SHDOCVW.DLL O3 - Toolbar: 江民殺毒工作列 - {B5A34A93-D538-43A7-8371-864CB6148D12} - D:\Program Files\江民\KV2005\KvShell_1.dll O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINNT\DOWNLO~1\CnsMin.dll,Rundll32 O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [NMGameX_AutoRun] C:\WINNT\system32\Rundll32.exe NMGameX.dll,LiveProcess /aa O4 - HKLM\..\Run: [FireWall] D:\Program Files\FireWall\PFW.exe O4 - HKLM\..\Run: [SKYNET Personal FireWall] D:\Program Files\FireWall\PFW.exe O4 - HKLM\..\Run: [KvMonXP] D:\Program Files\江民\KV2005\KVMonXP.kxp /auto O4 - HKLM\..\Run: [helper.dll] C:\WINNT\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32 O4 - HKCU\..\Run: [Internat.exe] internat.exe O4 - HKCU\..\Run: [BpAgent] d:\Program Files\Bizpartner\Agent.exe O4 - Startup: 迅雷4.lnk = ? O8 - Extra context menu item: !搜一搜 - res://C:\WINNT\DOWNLO~1\CnsMinEx.dll/1003 O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &使用迅雷下載 - D:\Program Files\迅雷4\Thunder\geturl.htm O8 - Extra context menu item: &使用迅雷下載全部連接 - D:\Program Files\迅雷4\Thunder\getAllurl.htm O8 - Extra context menu item: Alexa Web Search - http://client.alexa.com/holiday/scri...ons/search.htm O8 - Extra context menu item: Get Alexa Data - http://client.alexa.com/holiday/scri...s/sitedata.htm O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/scri...ons/mailto.htm O8 - Extra context menu item: See Related Links - http://client.alexa.com/holiday/scri...ns/related.htm O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/scri...ons/review.htm O8 - Extra context menu item: 反向連接 - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: 類似網頁 - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: 快取的網頁抓圖 - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html O9 - Extra button: 手機簡信 - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm (file missing) O9 - Extra button: 發佈訊息 - {0713E8D1-850A-101B-AFC0-5210102A8DAA} - (no file) O9 - Extra button: Yahoo 1G電子信箱 - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.mail.yahoo.com/promo/rd1 (file missing) O9 - Extra button: 尋寶樂趣多 - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://hot.3721.com/rd/shop_btn.htm (file missing) O9 - Extra button: 上網助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://assistant.3721.com/index.htm?fb=Cns (file missing) O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm O9 - Extra button: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenge...ger.yahoo.com/ (file missing) O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing) O9 - Extra 'Tools' menuitem: 修復瀏覽器 - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing) O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing) O9 - Extra 'Tools' menuitem: 清理上網記錄 - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing) O10 - Unknown file in Winsock LSP: c:\winnt\system32\kvwspxp.dll O10 - Unknown file in Winsock LSP: c:\winnt\system32\kvwspxp.dll O10 - Unknown file in Winsock LSP: c:\winnt\system32\kvwspxp.dll O11 - Options group: [!CNS] 網路實名 O16 - DPF: {56A7DC70-E102-4408-A34A-AE06FEF01586} (天下搜尋) - http://iebar.t2t2.com/iebar.cab O16 - DPF: {58CDB34C-B4D7-418B-A0FB-C4C8A01C2F0E} - http://dl.51.net/download/diybar.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1124676920000 O17 - HKLM\System\CCS\Services\Tcpip\..\{7699EFB9-8554-435A-98F5-587746D8DAEC}: NameServer = 192.168.0.1 O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: Windows Management Hdfya (Explorer) - Unknown owner - C:\WINNT\system32\rundl32.exe O23 - Service: Windows Management Instrfygz (Fygz) - Unknown owner - C:\WINNT\dlhost.exe O23 - Service: KVSrvXP_1 - JiangMin New Tech Ltd. - D:\PROGRA~1\江民\KV2005\KVSrvXP_1.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

	送花文章: 3, 收花文章: 1631 篇, 收花: 3205 次

2005-08-25, 07:00 AM	#3 (permalink)
psac 榮譽會員榮譽勳章勳章總數19 UID - 3662 在線等級: 註冊日期: 2002-12-07 住址: 木柵市立動物園文章: 17381 精華: 2 現金: 5253 金幣資產: 33853 金幣	A: 1. 用工作管理器結束以下工作 C:\WINNT\system32\rundl32.exe C:\WINNT\dlhost.exe 2. 用HijackThis修復以下的項目(在項目前的方格打勾,按Fix checked) O23 - Service: Windows Management Hdfya (Explorer) - Unknown owner - C:\WINNT\system32\rundl32.exe O23 - Service: Windows Management Instrfygz (Fygz) - Unknown owner - C:\WINNT\dlhost.exe 3. 重新啟動,移除以下檔案 C:\WINNT\dlhost.exe C:\WINNT\system32\rundl32.exe C:\WINNT\system32\keyspy.dll Q: 兩個工作都結束不了~~~ 都提示拒絕訪問 A:推薦icesword冰刃。很強的dd。可以既時取代病毒文件，哈哈。結束除了系統內核的其他工作。可以用KILLBOX.輸入路徑.然後移除. Q: 用了，還是不讓移除 Q: 試試用木馬輔助搜尋器 2005 http://down.huigezi.net/hgz/fint2005.exe 把兩個工作打勾,一起結束它們 q: 謝謝，工作可以禁止了~~有戲，正在進行下面的步驟，解決了來報喜~~ 問題解決，現在正在全面掃瞄，臨時沒有發現那個病毒~~，具體操作方法： 1，用木馬輔助搜尋器 2005結束 C:\WINNT\system32\rundl32.exe C:\WINNT\dlhost.exe 兩個工作 2，用HijackThis修復以下的項目 O23 - Service: Windows Management Hdfya (Explorer) - Unknown owner - C:\WINNT\system32\rundl32.exe O23 - Service: Windows Management Instrfygz (Fygz) - Unknown owner - C:\WINNT\dlhost.exe 3. 移除以下檔案（註：不重啟，不然前兩個工作又出來了） C:\WINNT\dlhost.exe C:\WINNT\system32\rundl32.exe C:\WINNT\system32\rundl32.cfg C:\WINNT\system32\keyspy.dll （這個可能一時不讓刪，過一會就可以了，要不就用軟體強行刪掉） C:\WINNT\system32\keylog.txt （裡面是鍵盤記錄） C:\!Submit\keyspy.dll （後來用江民又掃瞄出來的）真是太感謝你了！！！！下面是hijackthis日誌，勞煩老兄看看還有沒有問題： Logfile of HijackThis v1.99.1 Scan saved at 15:33:35 上午, on 2005-8-24 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\system32\svchost.exe D:\PROGRA~1\江民\KV2005\KVSrvXP_1.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\inetsrv\inetinfo.exe C:\WINNT\Explorer.EXE D:\Program Files\FireWall\PFW.exe D:\Program Files\江民\KV2005\KVMonXP.kxp C:\WINNT\system32\rundll32.exe C:\WINNT\system32\internat.exe D:\Program Files\Bizpartner\Agent.exe D:\Program Files\江民\KV2005\TrojDie.kxp D:\Program Files\江民\KV2005\KvXP.kxp C:\WINNT\system32\DllHost.exe D:\Program Files\江民\KV2005\KRegEx.exe C:\WINNT\system32\DllHost.exe C:\WINNT\system32\NOTEPAD.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINNT\system32\conime.exe D:\Program Files\hijackthis\HijackThis.exe

	送花文章: 3, 收花文章: 1631 篇, 收花: 3205 次

2005-08-25, 07:02 AM	#4 (permalink)
psac 榮譽會員榮譽勳章勳章總數19 UID - 3662 在線等級: 註冊日期: 2002-12-07 住址: 木柵市立動物園文章: 17381 精華: 2 現金: 5253 金幣資產: 33853 金幣	R3 - URLSearchHook: 上網助手 - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\PROGRA~1\3721\Assist\asbar.dll O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINNT\system32\xunleibho_v5.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\adobe Reader 7.01\ActiveX\AcroIEHelper.dll O2 - BHO: BrowseHelper Class - {80BF4637-D65B-43F3-BB60-C5DD3D5FB7B9} - D:\Program Files\江民\KV2005\KvShell_1.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: DownloadBHO T2BHO - {B1D147E7-873E-4909-8127-695D9BB78728} - C:\WINNT\Downloaded Program Files\CONFLICT.2\barhelp.dll (file missing) O2 - BHO: AssistII - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\PROGRA~1\3721\Assist\asbar.dll O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINNT\DOWNLO~1\CnsHook.dll O2 - BHO: SFP Class - {F236CC5A-F6E4-4011-9EED-C52FDF51CE3D} - C:\WINNT\system32\Sbhoplin.dll O3 - Toolbar: @msdxmLC.dll,-1@2052,電台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx O3 - Toolbar: 天下搜尋 - {56A7DC70-E102-4408-A34A-AE06FEF01586} - (no file) O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file) O3 - Toolbar: 上網助手 - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\PROGRA~1\3721\Assist\asbar.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: Alexa - {3CEFF6CD-6F08-4e4d-BCCD-FF7415288C3B} - C:\WINNT\system32\SHDOCVW.DLL O3 - Toolbar: 江民殺毒工作列 - {B5A34A93-D538-43A7-8371-864CB6148D12} - D:\Program Files\江民\KV2005\KvShell_1.dll O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINNT\DOWNLO~1\CnsMin.dll,Rundll32 O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [NMGameX_AutoRun] C:\WINNT\system32\Rundll32.exe NMGameX.dll,LiveProcess /aa O4 - HKLM\..\Run: [SKYNET Personal FireWall] D:\Program Files\FireWall\PFW.exe O4 - HKLM\..\Run: [KvMonXP] D:\Program Files\江民\KV2005\KVMonXP.kxp /auto O4 - HKLM\..\Run: [helper.dll] C:\WINNT\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32 O4 - HKCU\..\Run: [Internat.exe] internat.exe O4 - HKCU\..\Run: [BpAgent] d:\Program Files\Bizpartner\Agent.exe O8 - Extra context menu item: !搜一搜 - res://C:\WINNT\DOWNLO~1\CnsMinEx.dll/1003 O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &使用迅雷下載 - D:\Program Files\迅雷4\Thunder\geturl.htm O8 - Extra context menu item: &使用迅雷下載全部連接 - D:\Program Files\迅雷4\Thunder\getAllurl.htm O8 - Extra context menu item: Alexa Web Search - http://client.alexa.com/holiday/scri...ons/search.htm O8 - Extra context menu item: Get Alexa Data - http://client.alexa.com/holiday/scri...s/sitedata.htm O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/scri...ons/mailto.htm O8 - Extra context menu item: See Related Links - http://client.alexa.com/holiday/scri...ns/related.htm O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/scri...ons/review.htm O8 - Extra context menu item: 反向連接 - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: 類似網頁 - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: 快取的網頁抓圖 - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html O9 - Extra button: 手機簡信 - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm (file missing) O9 - Extra button: 發佈訊息 - {0713E8D1-850A-101B-AFC0-5210102A8DAA} - (no file) O9 - Extra button: Yahoo 1G電子信箱 - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.mail.yahoo.com/promo/rd1 (file missing) O9 - Extra button: 尋寶樂趣多 - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://hot.3721.com/rd/shop_btn.htm (file missing) O9 - Extra button: 上網助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://assistant.3721.com/index.htm?fb=Cns (file missing) O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm O9 - Extra button: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenge...ger.yahoo.com/ (file missing) O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing) O9 - Extra 'Tools' menuitem: 修復瀏覽器 - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing) O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing) O9 - Extra 'Tools' menuitem: 清理上網記錄 - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing) O10 - Unknown file in Winsock LSP: c:\winnt\system32\kvwspxp.dll O10 - Unknown file in Winsock LSP: c:\winnt\system32\kvwspxp.dll O10 - Unknown file in Winsock LSP: c:\winnt\system32\kvwspxp.dll O11 - Options group: [!CNS] 網路實名 O16 - DPF: {56A7DC70-E102-4408-A34A-AE06FEF01586} (天下搜尋) - http://iebar.t2t2.com/iebar.cab O16 - DPF: {58CDB34C-B4D7-418B-A0FB-C4C8A01C2F0E} - http://dl.51.net/download/diybar.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1124676920000 O17 - HKLM\System\CCS\Services\Tcpip\..\{7699EFB9-8554-435A-98F5-587746D8DAEC}: NameServer = 192.168.0.1 O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: Windows Management Hdfya (Explorer) - Unknown owner - C:\WINNT\system32\rundl32.exe (file missing) O23 - Service: Windows Management Instrfygz (Fygz) - Unknown owner - C:\WINNT\dlhost.exe (file missing) O23 - Service: KVSrvXP_1 - JiangMin New Tech Ltd. - D:\PROGRA~1\江民\KV2005\KVSrvXP_1.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

	送花文章: 3, 收花文章: 1631 篇, 收花: 3205 次

2005-08-25, 07:10 AM	#5 (permalink)
psac 榮譽會員榮譽勳章勳章總數19 UID - 3662 在線等級: 註冊日期: 2002-12-07 住址: 木柵市立動物園文章: 17381 精華: 2 現金: 5253 金幣資產: 33853 金幣	Q: 進入註冊表: 展開: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services 把這兩個鍵移除:Explorer和Fygz C:\!Submit\keyspy.dll （後來用江民又掃瞄出來的）這個是KILLBOX移除前的制作備份. 可以移除. C:\WINNT\dlhost.exe C:\WINNT\system32\rundl32.exe C:\WINNT\system32\rundl32.cfg 這三個應該移除了吧? A: C:\WINNT\dlhost.exe C:\WINNT\system32\rundl32.exe C:\WINNT\system32\rundl32.cfg 這三個應該移除了吧? 都已經刪了~~ 進入註冊表: 展開: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services 把這兩個鍵移除:Explorer和Fygz 幹什麼用的？ C:\!Submit\keyspy.dll （後來用江民又掃瞄出來的）這個是KILLBOX移除前的制作備份. 可以移除. 什麼意思？不太懂 Q: 這兩個是病毒的服務. 進入註冊表HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services 找到它們兩個Explorer和Fygz.右鍵移除 C:\!Submit\keyspy.dll 這個是KILLBOX移除病毒文件前的制作備份(避免移除出現錯誤) 可以把這個制作備份移除. A: 明白~~~謝謝！！！！沒有其他的問題了 !

	送花文章: 3, 收花文章: 1631 篇, 收花: 3205 次

Google 提供的廣告