2007-04-15, 02:41 PM | #16
Senior Member
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - (no file)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
O9 - Extra button: (no name) - {0062C9BD-B349-40DE-91A0-755F37ACD559} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
SharedTaskScheduler Registry key autorun: Only a CWS variant has been known to use this. Consult a HJT expert before cleaning anything.
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
File Missing: When a file is missing, you should always have HijackThis fix the item.
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Unknown owner - D:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe (file missing)
File Missing: When a file is missing, you should always have HijackThis fix the item.
O23 - Service: Symantec AVScan (SAVScan) - Unknown owner - D:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: 自動 LiveUpdate 排程器 - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
The items above are missing files or unnecessary; you can choose to fix all of them.

O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
Unknown Item: Japanese input method (IME).
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
IMEKRMIG6.1: Korean input method (IME).
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
Pinyin input method (IME).
If you don't use these, you can also choose to fix them so they take up less memory.

I can't see any other trace of a virus or trojan.
__________________
Xingtian dances with shield and axe
2007-04-16, 02:45 AM | #17
Quote:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 上午 02:42:07, on 2007/4/16
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\KKman\KKMAN.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\windwing\桌面\HiJackThis_v2.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: ALiBaBar_Helper - {CE439C63-384A-747A-A357-23D96B5D652B} - C:\PROGRA~1\ALiBaBar\ALiBaBar.dll
O3 - Toolbar: ALiBaBar - {0A1375E1-56C2-11D6-8E45-8933A0FB5235} - C:\PROGRA~1\ALiBaBar\ALiBaBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVPCC] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /wait
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Foxy 下載 - res://D:\Tools\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy 搜尋 - res://D:\Tools\Foxy\Foxy.exe/search.htm
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=tw.yahoo.com
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/ZH-TW/.../GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{49709E85-5AE5-421F-AD4F-E31DF6745A82}: NameServer = 168.95.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8EC1C07-18FC-452A-A03A-1150AA6EAC7B}: NameServer = 168.95.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{49709E85-5AE5-421F-AD4F-E31DF6745A82}: NameServer = 168.95.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{49709E85-5AE5-421F-AD4F-E31DF6745A82}: NameServer = 168.95.1.1
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - C:\WINDOWS\wc98pp.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVP Control Centre Service (AVPCC) - Kaspersky Labs. - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: KAV Monitor Service (KAVMonitorService) - Kaspersky Labs. - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8265 bytes
2007-04-16, 04:38 AM | #18
Senior Member
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: msdaipp - (no CLSID) - (no file)
File Missing: When a file is missing, you should always have HijackThis fix the item.
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
The files for the items above no longer exist; they can be fixed.

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
I recommend fixing these two Yahoo Toolbar entries (the Yahoo toolbar is a controversial tool; avoid it if you can).

Everything else looks normal.... Do you feel anything is wrong with the system?
2007-04-16, 11:13 AM | #19
Administrator
Brother plunderer~~
HiJackThis <= what is this tool for? In many of your posts I see you asking people to scan with it and show you the results.....
__________________
I am A-Dai of the Shi forum; the amount of money decides the power of the computer. I grew up fixing computers for girls, so I am experienced and highly skilled; there is no computer I can't fix.
2007-04-16, 02:23 PM | #20
Senior Member
HijackThis quickly scans the computer and creates a list. The list covers the following items:
- ActiveX modules
- BHOs (Browser Helper Objects)
- browser toolbars
- the browser home page and the default search engine
- Internet Explorer plug-ins
- layered service providers
- programs and services started at boot
- proxy servers

Analysing the log lets you judge whether the system is running abnormally... but analysing the log takes some system knowledge, and ordinary users can't easily read it. You can also paste the log into a dedicated analysis site for automatic analysis, but the hints it gives still need the user's own judgement.

HijackThis won't necessarily find every system anomaly, though, and even when it does, some items still need other specialised tools to resolve.

In fact System Repair Engineer is stronger; its scan items and log are far more complete, but it is also more complex, and even harder for ordinary users to understand.
2007-04-16, 07:10 PM | #21
Administrator
Quote:
Oh~ I see..... then I'm one of those who can't read it.
2007-04-25, 02:04 AM | #22
Could brother plunderer please take a look?
My situation: my antivirus, AVS, detected Trojan-psw.win32.nilage.bjn in C:\WINDOWS\System32\msdll.dll.
Earlier I went into Safe Mode and deleted the infected file and the registry entries, but after rebooting it was back as before, so I'd like to ask brother plunderer to take a look. Thanks.
The HiJackThis scan result is as follows:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 01:03:30, on 2007/4/25
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Installer\services.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\cFosSpeed\spd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ProcessTamer\ProcessTamerTray.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\titiong\桌面\HiJackThis_v2.exe

F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,C:\Program Files\Windows Media Player\svchost.exe,C:\WINDOWS\Installer\services.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: UIInstaller - {BD58119C-C4F2-40A1-A801-EAC57281D476} - C:\Program Files\TrustView\TrustView Web Client Agent\TrustWeb.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1644491937-838170752-1801674531-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Administrator')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &使用 FlashGet 下載 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &全部使用 FlashGet 下載 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: About TrustView - res://C:\Program Files\TrustView\TrustView Web Client Agent\TrustWeb.dll/MenuItem.htm
O8 - Extra context menu item: 下載編碼內容(&D.S.Lite) - C:\綠色軟體放置區\DSLite2\dl_text.html
O8 - Extra context menu item: 下載編碼內容(S&martGet) - C:\Documents and Settings\titiong\桌面\SmartGet1.1\dl_text.html
O8 - Extra context menu item: 下載編碼檔案內容(&D.S.Lite) - C:\綠色軟體放置區\DSLite2\dl_url.html
O8 - Extra context menu item: 使用 S&martGet 下載 - C:\Documents and Settings\titiong\桌面\SmartGet1.1\dl_link.htm
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 轉換到現有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 轉換為 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 轉換連結目標到現有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 轉換連結目標為 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 轉換選定的連結到現有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: 轉換選定的連結為 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: 轉換選擇內容到現有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 轉換選擇內容為 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: D.S.Lite - {F8475519-8412-4D40-A46E-692D9D04DF7F} - C:\綠色軟體放置區\DSLite2\DSLite.exe (file missing)
O9 - Extra 'Tools' menuitem: &D.S.Lite - {F8475519-8412-4D40-A46E-692D9D04DF7F} - C:\綠色軟體放置區\DSLite2\DSLite.exe (file missing)
O16 - DPF: {4A0D1F1A-015A-48EA-81B4-FB61F76DF4B4} (WAPI Class) - http://www.ncrpcp.gov.tw/tv/installwapi/setup.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1157209101315
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://www.tpgpd.gov.tw/viewer/activ...ivexviewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C456D051-88C8-424F-A0D3-146DD5171A4D}: NameServer = 168.95.192.1 168.95.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Active Virus Shield (AVP) - AOL - C:\Program Files\AOL\Active Virus Shield\avp.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

--
End of file - 8800 bytes
2007-04-25, 07:43 AM | #23
Senior Member
msdll.dll is generated by another program, so if you only delete msdll.dll it will be regenerated at the next boot.

C:\WINDOWS\Installer\services.exe
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,C:\Program Files\Windows Media Player\svchost.exe,C:\WINDOWS\Installer\services.exe,
Fix the two items above, then delete C:\WINDOWS\Installer\services.exe and C:\Program Files\Windows Media Player\svchost.exe (those two files should not be in those directories).

Last edited by plunderer on 2007-04-25 at 08:18 AM.
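The reasoning plunderer applies by hand in posts #16, #18 and #23 can be mechanised. The Python script below is an added example written for this page; it is not code from the thread, from HijackThis or from its author. It splits a HijackThis log into entries and applies three rules: an entry whose target is "(no file)" or "(file missing)" is an orphan that can be fixed; the F2 UserInit value should load only userinit.exe from System32, so every extra comma-separated program is a logon autostart that needs explaining; and a running process that uses a core system binary's name outside System32 (the thread's C:\WINDOWS\Installer\services.exe) is the kind of dropper that keeps recreating the detected DLL. The function names, the `Finding` record and the `SYSTEM32_ONLY` list are my own choices, and the embedded sample log is constructed from entries quoted in this thread.

```python
r"""HijackThis log triage (added example for this thread, not HijackThis code).

Three rules taken from the replies above:
  1. "(no file)" / "(file missing)" targets are orphans to fix (posts #16, #18);
  2. F2 UserInit should load only System32's userinit.exe (post #23);
  3. a core system binary name running outside System32 is the dropper (post #23).
"""
import re
from dataclasses import dataclass

# One HJT entry per line: "<section> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")
USERINIT_RE = re.compile(r"UserInit=(.*)$", re.IGNORECASE)

# Names Windows XP only ever runs from %SystemRoot%\System32 (my own list).
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe", "userinit.exe"}

# Constructed sample: a trimmed log assembled from entries quoted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 01:03:30, on 2007/4/25
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\Installer\services.exe
C:\WINDOWS\Explorer.EXE

F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,C:\Program Files\Windows Media Player\svchost.exe,C:\WINDOWS\Installer\services.exe,
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
"""


@dataclass
class Finding:
    section: str   # HJT section ("F2", "O2", ...) or "PROC" for the process list
    reason: str
    entry: str


def split_path(path):
    """Return (directory, basename) of a Windows path, both lower-cased."""
    directory, _, name = path.strip().rpartition("\\")
    return directory.lower(), name.lower()


def parse_entries(log_text):
    """Yield (section, body) for every entry line; header and process list are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def running_processes(log_text):
    """Return the paths under 'Running processes:' (ends at a blank line or the first entry)."""
    procs, in_list = [], False
    for line in log_text.splitlines():
        s = line.strip()
        if s.lower().startswith("running processes:"):
            in_list = True
        elif in_list:
            if not s or ENTRY_RE.match(s):
                break
            procs.append(s)
    return procs


def userinit_extras(body):
    """Return every UserInit component that is not the System32 userinit.exe."""
    m = USERINIT_RE.search(body)
    if not m:
        return []
    extras = []
    for part in m.group(1).split(","):
        if not part.strip():
            continue  # the value normally ends with a trailing comma
        directory, name = split_path(part)
        if name != "userinit.exe" or not directory.endswith("system32"):
            extras.append(part.strip())
    return extras


def misplaced_system_binaries(log_text):
    """Return running processes that use a core system binary's name outside System32."""
    hits = []
    for proc in running_processes(log_text):
        directory, name = split_path(proc)
        if name in SYSTEM32_ONLY and not directory.endswith("system32"):
            hits.append(proc)
    return hits


def triage(log_text):
    """Apply the three rules and return the findings: process hits first, then entries in log order."""
    findings = [Finding("PROC", "core system binary running outside System32", p)
                for p in misplaced_system_binaries(log_text)]
    for section, body in parse_entries(log_text):
        lowered = body.lower()
        if "(file missing)" in lowered or "(no file)" in lowered:
            findings.append(Finding(section, "target file missing; fix the orphaned entry", body))
        if section == "F2":
            for extra in userinit_extras(body):
                findings.append(Finding(section, "extra UserInit program: " + extra, body))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.entry}")
```

Run as a script it prints the five findings for the embedded sample; pass a full log's text to `triage()` to apply the same rules to a real scan. It flags rather than fixes: as post #20 says, the verdict on each line still rests with the person reading it, and a legitimate but unusual UserInit addition would be reported the same way as the thread's services.exe.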
2007-04-25, 08:59 AM | #24
Sorry! One more question for brother plunderer.
By "the two items to fix", do you mean ticking "F2" in HiJackThis and then clicking "Fix Checked"? Does this need to be done in Safe Mode, or is normal mode fine?
Also, with "Show all files and folders" turned on, I can't find "C:\WINDOWS\Installer\services.exe" or "C:\Program Files\Windows Media Player\svchost.exe". Will they only appear after the "two fixes" are done? I don't know why; please advise. Thanks.
2007-04-25, 10:56 AM | #25
Senior Member
C:\WINDOWS\Installer\services.exe
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,C:\Program Files\Windows Media Player\svchost.exe,C:\WINDOWS\Installer\services.exe,
Tick both of these lines, then click "Fix Checked" to fix them directly; Safe Mode is not needed.

Folder Options => View => untick "Hide protected operating system files".
The two programs "C:\WINDOWS\Installer\services.exe" and "C:\Program Files\Windows Media Player\svchost.exe" should still be there; otherwise there wouldn't be a C:\WINDOWS\Installer\services.exe process, and msdll.dll wouldn't be generated.
If you still can't see them, log into Windows in Safe Mode and delete them.
Or use BlackLight to scan for hidden files and processes, then follow its prompts... it's easy.
https://europe.f-secure.com/exclude/blacklight/fsbl.exe
2007-04-25, 09:12 PM | #26
Thanks for the information, brother plunderer.
"F2" and "C:\WINDOWS\Installer\services.exe" have been cleaned up. Although I still couldn't find "C:\Program Files\Windows Media Player\svchost.exe", a BlackLight scan reported "No hidden items found", and AVS hasn't reported a trojan again. I think it's resolved.
Still, I'm posting the HiJackThis scan result from after the deletion so brother plunderer can confirm whether it has been cleaned completely. Thanks.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 09:06:49, on 2007/4/25
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\cFosSpeed\spd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ProcessTamer\ProcessTamerTray.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Documents and Settings\titiong\桌面\fsbl.exe
C:\WINDOWS\Explorer.EXE
I:\HiJackThis_v2.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: UIInstaller - {BD58119C-C4F2-40A1-A801-EAC57281D476} - C:\Program Files\TrustView\TrustView Web Client Agent\TrustWeb.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &使用 FlashGet 下載 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &全部使用 FlashGet 下載 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: About TrustView - res://C:\Program Files\TrustView\TrustView Web Client Agent\TrustWeb.dll/MenuItem.htm
O8 - Extra context menu item: 下載編碼內容(&D.S.Lite) - C:\綠色軟體放置區\DSLite2\dl_text.html
O8 - Extra context menu item: 下載編碼內容(S&martGet) - C:\Documents and Settings\titiong\桌面\SmartGet1.1\dl_text.html
O8 - Extra context menu item: 下載編碼檔案內容(&D.S.Lite) - C:\綠色軟體放置區\DSLite2\dl_url.html
O8 - Extra context menu item: 使用 S&martGet 下載 - C:\Documents and Settings\titiong\桌面\SmartGet1.1\dl_link.htm
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 轉換到現有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 轉換為 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 轉換連結目標到現有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 轉換連結目標為 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 轉換選定的連結到現有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: 轉換選定的連結為 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: 轉換選擇內容到現有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 轉換選擇內容為 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: D.S.Lite - {F8475519-8412-4D40-A46E-692D9D04DF7F} - C:\綠色軟體放置區\DSLite2\DSLite.exe (file missing)
O9 - Extra 'Tools' menuitem: &D.S.Lite - {F8475519-8412-4D40-A46E-692D9D04DF7F} - C:\綠色軟體放置區\DSLite2\DSLite.exe (file missing)
O16 - DPF: {4A0D1F1A-015A-48EA-81B4-FB61F76DF4B4} (WAPI Class) - http://www.ncrpcp.gov.tw/tv/installwapi/setup.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1157209101315
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://www.tpgpd.gov.tw/viewer/activ...ivexviewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C456D051-88C8-424F-A0D3-146DD5171A4D}: NameServer = 168.95.192.1 168.95.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Active Virus Shield (AVP) - AOL - C:\Program Files\AOL\Active Virus Shield\avp.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

--
End of file - 8539 bytes
2007-04-25, 10:03 PM | #27
Senior Member
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: D.S.Lite - {F8475519-8412-4D40-A46E-692D9D04DF7F} - C:\綠色軟體放置區\DSLite2\DSLite.exe (file missing)
O9 - Extra 'Tools' menuitem: &D.S.Lite - {F8475519-8412-4D40-A46E-692D9D04DF7F} - C:\綠色軟體放置區\DSLite2\DSLite.exe (file missing)
Fix these three lines while you're at it; the files are gone. Nothing else is wrong.
2007-04-27, 05:37 PM | #29
Can anyone help take a look? Thanks.

已偵測到:木馬程式 Trojan-PSW.Win32.Magania.im 正在執行的模組:services.exe\services.exe
已偵測到:木馬程式 Trojan-PSW.Win32.Magania.pc 檔案:J:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\TL7RMWU9\help[1].exe
將在電腦重新啟動時被刪除:木馬程式 Trojan-PSW.Win32.Magania.pc 檔案:J:\WINDOWS\system32\msdll.dll

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 下午 05:10:15, on 2007/4/27
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
J:\WINDOWS\System32\smss.exe
J:\WINDOWS\system32\winlogon.exe
J:\WINDOWS\system32\services.exe
J:\WINDOWS\system32\lsass.exe
J:\WINDOWS\system32\svchost.exe
J:\WINDOWS\System32\svchost.exe
J:\WINDOWS\system32\spoolsv.exe
J:\WINDOWS\Explorer.EXE
J:\Program Files\Kaspersky Internet Security 6.0\Kaspersky Internet Security 6.0\avp.exe
J:\WINDOWS\system32\ctfmon.exe
J:\Program Files\KKBOX\KKBOX_Tray.exe
J:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
J:\WINDOWS\system32\SVCH0ST.EXE
J:\Program Files\Kaspersky Internet Security 6.0\Kaspersky Internet Security 6.0\avp.exe
J:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
J:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
J:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
J:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
J:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
J:\WINDOWS\system32\nvsvc32.exe
J:\Program Files\Raxco\PerfectDisk\PDSched.exe
J:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
J:\WINDOWS\system32\zhhlmnh.exe
J:\Program Files\JY007-II\JY007.exe
J:\Program Files\JY007-II\JY007.exe
J:\Program Files\Internet Explorer\IEXPLORE.EXE
J:\WINDOWS\system32\svchost.exe
J:\WINDOWS\system32\MSRundll.exe
J:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
J:\WINDOWS\system32\notepad.exe
J:\Program Files\KKBOX\KKBOX.exe
J:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\help.exe
J:\Program Files\Xi\NetTransport 2\NetTransport.exe
J:\Documents and Settings\Administrator\My Documents\下載資料\HiJackThis_v2.exe

R3 - URLSearchHook: Yahoo!奇摩捷徑列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - J:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=J:\WINDOWS\system32\userinit.exe,J:\WINDOWS\Installer\services.exe,
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - J:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - J:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Jpeg Class - {4970DA77-DB06-4EB9-AAB5-77AF0CC77310} - J:\WINDOWS\system32\fe83.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - J:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - j:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - J:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - J:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: ALiBaBar_Helper - {CE439C63-384A-747A-A357-23D96B5D652B} - J:\PROGRA~1\ALiBaBar\ALiBaBar.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - J:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: ALiBaBar - {0A1375E1-56C2-11D6-8E45-8933A0FB5235} - J:\PROGRA~1\ALiBaBar\ALiBaBar.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - J:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - j:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo!奇摩捷徑列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - J:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] ; "J:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [NvCplDaemon] ; RUNDLL32.EXE J:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] ; nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] ; RUNDLL32.EXE J:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [EPSON Stylus CX2900 Series] ; J:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBFP.EXE /FU "J:\WINDOWS\TEMP\E_S93.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [EPSON 單據] ; J:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBFP.EXE /FU "J:\WINDOWS\TEMP\E_S10.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [CJIMETIPSYNC] ; J:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] J:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [nTrayFw] ; J:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NWEReboot] ;
O4 - HKLM\..\Run: [NeroFilterCheck] ; J:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AVP] "J:\Program Files\Kaspersky Internet Security 6.0\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [] ;
O4 - HKLM\..\Run: [RTHDCPL] ; RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ; ALCMTR.EXE
O4 - HKLM\..\Run: [tfkkjel] ; J:\Program Files\Hemera\tfkkjel.exe
O4 - HKC‌U\..\Run: [ctfmon.exe] J:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSONreg] ; c:\Program Files\Bridgewell\epsonreg\notify.exe
O4 - HKCU\..\Run: [KKBOX Tray Icon] J:\Program Files\KKBOX\KKBOX_Tray.exe
O4 - HKCU\..\Run: [swg] J:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] ; "J:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ravtask] J:\WINDOWS\system32\SVCH0ST.EXE
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe]
ctfmon.exe (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user') O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: 使用影音傳送帶下載 - J:\Program Files\Xi\NetTransport 2\NTAddLink.html O8 - Extra context menu item: 使用影音傳送帶下載全部連結 - J:\Program Files\Xi\NetTransport 2\NTAddList.html O8 - Extra context menu item: 剪貼簿文字: 簡 > 繁 - res://J:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToTrad O8 - Extra context menu item: 剪貼簿文字: 繁 > 簡 - res://J:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToSim O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://J:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: 新增到廣告 - J:\Program Files\Kaspersky Internet Security 6.0\Kaspersky Internet Security 6.0\ie_banner_deny.htm O8 - Extra context menu item: 網頁: [簡體] 顯示 - res://J:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToSim O8 - Extra context menu item: 網頁: [繁體] 顯示 - res://J:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToTrad O9 - Extra button: 網頁 - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - J:\Program Files\Kaspersky Internet Security 6.0\Kaspersky Internet Security 6.0\scieplugin.dll O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - J:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O12 - Plugin for .UVR: J:\Program Files\Internet Explorer\Plugins\NPUPano.dll O14 - IERESET.INF: START_PAGE_URL=tw.yahoo.com O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pu...sh/swflash.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{66F069C1-9A85-436B-9617-16ABFB883E0F}: NameServer = 168.95.192.1 168.95.1.1 O20 - AppInit_DLLs: "J:\PROGRA~1\KASPER~1.0\KASPER~1.0\adialhk.dll" O22 - SharedTaskScheduler: Browseui preloader - 
{438755C2-A8BA-11D1-B96B-00A0C90312E1} - J:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - J:\WINDOWS\system32\browseui.dll O23 - Service: Adobe LM Service - Adobe Systems - J:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - J:\Program Files\Kaspersky Internet Security 6.0\Kaspersky Internet Security 6.0\avp.exe O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - J:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - J:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe O23 - Service: Google Updater Service (gusvc) - Google - J:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - J:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - J:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - J:\WINDOWS\system32\nvsvc32.exe O23 - Service: PDEngine - Raxco Software, Inc. - J:\Program Files\Raxco\PerfectDisk\PDEngine.exe O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - J:\Program Files\Raxco\PerfectDisk\PDSched.exe -- End of file - 9416 bytes |
2007-04-27, 08:35 PM | #30
Senior Member
Wow! A trojan breeding farm....

J:\WINDOWS\system32\SVCH0ST.EXE
J:\WINDOWS\system32\zhhlmnh.exe
J:\WINDOWS\system32\MSRundll.exe
J:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\help.exe
F2 - REG:system.ini: UserInit=J:\WINDOWS\system32\userinit.exe,J:\WINDOWS\Installer\services.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [ravtask] J:\WINDOWS\system32\SVCH0ST.EXE

Check and fix all of the above, then boot Windows into Safe Mode and delete every file listed above (but never delete J:\WINDOWS\system32\userinit.exe).

Note:
J:\WINDOWS\system32\SVCH0ST.EXE => definitely a trojan
J:\WINDOWS\system32\SVCHOST.EXE => a normal system file
Look closely at the difference yourself; don't delete the wrong one.

This post was edited by plunderer on 2007-04-30 01:38 AM.
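Added example, not code from the thread: a small Python triage helper that applies the checks plunderer's reply makes by eye (a digit 0 in place of the letter O in SVCH0ST.EXE, a core binary such as services.exe launched from a directory other than system32, and anything running from a temp folder) to paths taken from the log above. The expected-directory table and the confusable-character mapping are my assumptions, and the sample list is constructed from the posted log.

```python
"""Triage a HijackThis process list: flag names that mimic core Windows binaries
(SVCH0ST.EXE, zero for O), core binaries run from the wrong directory, and
anything executing from a temp folder. Heuristic; verify before deleting."""
import ntpath  # Windows path parsing that also works when run on Linux/macOS

# Core Windows XP binaries and the directory each should run from, relative to
# the drive root (assumption; drive letter varies and is J: in this thread).
EXPECTED_DIR = {
    "svchost.exe": r"windows\system32",
    "services.exe": r"windows\system32",
    "lsass.exe": r"windows\system32",
    "winlogon.exe": r"windows\system32",
    "userinit.exe": r"windows\system32",
    "explorer.exe": r"windows",
}
# Digits commonly substituted for look-alike letters in fake names (assumption).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "5": "s"})
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")

def classify(path):
    """Return (verdict, reason) for one image path from the log."""
    directory, filename = ntpath.split(path)
    name = filename.lower()
    lookalike = name.translate(CONFUSABLES)
    rel_dir = ntpath.splitdrive(directory)[1].strip("\\").lower()
    if lookalike in EXPECTED_DIR and name != lookalike:
        return "lookalike", f"{filename} mimics {lookalike}"
    if name in EXPECTED_DIR and rel_dir != EXPECTED_DIR[name]:
        return "wrong-location", f"{filename} expected under \\{EXPECTED_DIR[name]}"
    if any(m in (directory + "\\").lower() for m in TEMP_MARKERS):
        return "temp-exec", f"{filename} running from a temp folder"
    return "ok", ""

def triage(paths):
    """Return only the suspicious entries as (path, verdict, reason) tuples."""
    return [(p, v, r) for p in paths for v, r in [classify(p)] if v != "ok"]

# Constructed sample: paths taken from the log posted in the thread.
SAMPLE = [
    r"J:\WINDOWS\system32\services.exe",
    r"J:\WINDOWS\system32\svchost.exe",
    r"J:\WINDOWS\system32\SVCH0ST.EXE",
    r"J:\WINDOWS\Installer\services.exe",
    r"J:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\help.exe",
]

if __name__ == "__main__":
    for path, verdict, reason in triage(SAMPLE):
        print(f"{verdict:15} {path}  ({reason})")
```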