#1
Registered Member

Running processes
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Dr.eye WebPage Translation - {92B255FE-94E2-4BCA-958D-3926CE38913F} - D:\Program Files\Inventec\Dreye\DreyeMT\DreyeIEBar.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: AOL Security Toolbar - {3BB63FD4-3C00-44D7-94A9-5DE211900DEF} - C:\Program Files\AOL Security Toolbar\AOL_security_toolbar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSNDreyePlugin] D:\Program Files\Inventec\Dreye\DreyeMT\msnplugin.exe /h
O4 - HKLM\..\Run: [Corel Painter Essentials 21a] D:\Program Files\Corel\Corel Painter Essentials 2\registration.exe /title="Corel Painter Essentials 2" /date=012507 serial=PE02CBX-0000003-NMD lang=NewFeature1
O4 - HKLM\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [DTVR Agent] D:\Program Files\Dynavision Multimedia\DVB Plus\DVBS\Scheduled.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TLinkAgent] C:\Program Files\VoIPProvider\USB VoIP Personal Gateway\VoIP Agent.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [aol] "D:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Error Safe] "C:\Program Files\Error Safe Free\ERS.exe" /scan
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [NBJ] "D:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZNxmk571YYNZ
O8 - Extra context menu item: Foxy 下載 - res://D:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy 搜尋 - res://D:\Program Files\Foxy\Foxy.exe/search.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {0062C9BD-B349-40DE-91A0-755F37ACD559} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: 建立行動最愛... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://C:\Program Files\gohome\goplayer.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...up1.0.0.15.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://sweetycorpse.spaces.msn.com//...d/MsnPUpld.cab
O16 - DPF: {5F4D222D-5EEE-40A8-8810-5642B4E4F441} (KENCAPI Class) - https://ebank.tcb-bank.com.tw/netban.../FSCAPIATL.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1128939679609
O16 - DPF: {7AD348C0-76CD-4FC0-B514-1CDD2F767212} (GTDControl Control) - http://www.camangi.com/GTD/GTD.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/instal...sinstaller.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Active Virus Shield (AVP) - AOL - D:\Program Files\AOL\Active Virus Shield\avp.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: NetLimiter (nlsvc) - Locktime Software - d:\Program Files\NetLimiter 2 Monitor\nlsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Unknown owner - D:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe (file missing)
O23 - Service: Symantec AVScan (SAVScan) - Unknown owner - D:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: 自動 LiveUpdate 排程器 - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
-- End of file - 12116 bytes
Flower posts: 2

#2
Registered Member
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
d:\Program Files\NetLimiter 2 Monitor\nlsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
d:\Program Files\NetLimiter 2 Monitor\NLClient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Inventec\Dreye\DreyeMT\msnplugin.exe
D:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
D:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\PROGRA~1\MICROS~2\rapimgr.exe
D:\PROGRA~1\Yahoo!\YAHOO!~1\YahooWidgetEngine.exe
D:\PROGRA~1\Yahoo!\YAHOO!~1\YahooWidgetEngine.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Going32\Utils\Going7.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\若涵\桌面\HiJackThis_v2(2).exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v13.dll
O2 - BHO: XBTP06568 - {311F9DE8-6126-4EEE-B15F-65CBB3B4F9F6} - C:\Program Files\AOL Security Toolbar\AOL_security_toolbar.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
Flower posts: 2

#3
Senior Member
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - (no file)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
O9 - Extra button: (no name) - {0062C9BD-B349-40DE-91A0-755F37ACD559} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
SharedTaskScheduler Registry key autorun. Only a CWS variant has been known to use this. Consult a HJT expert before cleaning anything.
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
File Missing. When a file is missing, you should always have HijackThis fix the item.
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Unknown owner - D:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe (file missing)
File Missing. When a file is missing, you should always have HijackThis fix the item.
O23 - Service: Symantec AVScan (SAVScan) - Unknown owner - D:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: 自動 LiveUpdate 排程器 - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)

The entries above are missing files or unnecessary; you can choose to fix all of them.

O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
Unknown Item: Japanese IME
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
IMEKRMIG6.1: Korean IME
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
Pinyin IME

If you don't use these, you can also fix them so they take up less memory. Otherwise I don't see any traces of a virus or trojan.
__________________
Xingtian brandishes shield and axe

Flower posts: 6
2 members sent flowers to plunderer:

#4
My situation: the antivirus AVS detected Trojan-psw.win32.nilage.bjn at C:\WINDOWS\System32\msdll.dll. I previously went into Safe Mode and deleted the infected file and the registry entries, but after rebooting it is back exactly as before, so I'd like to trouble plunderer to take a look. Thanks. The HijackThis scan results are as follows:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 01:03:30, on 2007/4/25
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Installer\services.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\cFosSpeed\spd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ProcessTamer\ProcessTamerTray.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\titiong\桌面\HiJackThis_v2.exe

F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,C:\Program Files\Windows Media Player\svchost.exe,C:\WINDOWS\Installer\services.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: UIInstaller - {BD58119C-C4F2-40A1-A801-EAC57281D476} - C:\Program Files\TrustView\TrustView Web Client Agent\TrustWeb.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1644491937-838170752-1801674531-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Administrator')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &使用 FlashGet 下載 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &全部使用 FlashGet 下載 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: About TrustView - res://C:\Program Files\TrustView\TrustView Web Client Agent\TrustWeb.dll/MenuItem.htm
O8 - Extra context menu item: 下載編碼內容(&D.S.Lite) - C:\綠色軟體放置區\DSLite2\dl_text.html
O8 - Extra context menu item: 下載編碼內容(S&martGet) - C:\Documents and Settings\titiong\桌面\SmartGet1.1\dl_text.html
O8 - Extra context menu item: 下載編碼檔案內容(&D.S.Lite) - C:\綠色軟體放置區\DSLite2\dl_url.html
O8 - Extra context menu item: 使用 S&martGet 下載 - C:\Documents and Settings\titiong\桌面\SmartGet1.1\dl_link.htm
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 轉換到現有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 轉換為 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 轉換連結目標到現有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 轉換連結目標為 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 轉換選定的連結到現有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: 轉換選定的連結為 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: 轉換選擇內容到現有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 轉換選擇內容為 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: D.S.Lite - {F8475519-8412-4D40-A46E-692D9D04DF7F} - C:\綠色軟體放置區\DSLite2\DSLite.exe (file missing)
O9 - Extra 'Tools' menuitem: &D.S.Lite - {F8475519-8412-4D40-A46E-692D9D04DF7F} - C:\綠色軟體放置區\DSLite2\DSLite.exe (file missing)
O16 - DPF: {4A0D1F1A-015A-48EA-81B4-FB61F76DF4B4} (WAPI Class) - http://www.ncrpcp.gov.tw/tv/installwapi/setup.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1157209101315
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://www.tpgpd.gov.tw/viewer/activ...ivexviewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C456D051-88C8-424F-A0D3-146DD5171A4D}: NameServer = 168.95.192.1 168.95.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Active Virus Shield (AVP) - AOL - C:\Program Files\AOL\Active Virus Shield\avp.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
-- End of file - 8800 bytes
Flower posts: 0

#5
Senior Member
msdll.dll is generated by another program, so if you only delete msdll.dll it will be regenerated at the next boot.

C:\WINDOWS\Installer\services.exe
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,C:\Program Files\Windows Media Player\svchost.exe,C:\WINDOWS\Installer\services.exe,

Fix the two entries above, then delete C:\WINDOWS\Installer\services.exe and C:\Program Files\Windows Media Player\svchost.exe (those two files should not exist in those directories).

This post was edited by plunderer at 2007-04-25 08:18 AM.
Flower posts: 6
2 members sent flowers to plunderer:

#6
By "fix the two entries", does plunderer mean ticking "F2" in HijackThis and then clicking "Fix Checked"? Does this need to be done in Safe Mode, or is normal mode fine?

Also, with "Show all files and folders" enabled I can't find "C:\WINDOWS\Installer\services.exe" or "C:\Program Files\Windows Media Player\svchost.exe". Will they only become visible after the "two fixes" are applied? I don't know why. Please advise. Thanks.
Flower posts: 0

#7
Senior Member
C:\WINDOWS\Installer\services.exe
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,C:\Program Files\Windows Media Player\svchost.exe,C:\WINDOWS\Installer\services.exe,

Tick both of these lines, then press "Fix Checked" to fix them directly; Safe Mode is not needed.

Folder Options => View => untick "Hide protected operating system files".

The two programs "C:\WINDOWS\Installer\services.exe" and "C:\Program Files\Windows Media Player\svchost.exe" should still be there; otherwise there would be no C:\WINDOWS\Installer\services.exe process and msdll.dll would not be generated. If you still can't see them, log into Windows in Safe Mode and delete them there. Or use BlackLight to scan for hidden files and processes and then follow its prompts... it's easy.
https://europe.f-secure.com/exclude/blacklight/fsbl.exe
Flower posts: 6

#8
Thanks for plunderer's advice. "F2" and "C:\WINDOWS\Installer\services.exe" have been cleaned out. Although I still couldn't find "C:\Program Files\Windows Media Player\svchost.exe", a BlackLight scan reported "No hidden items found", and AVS hasn't raised any trojan alerts since. I think it should be resolved. Still, I'm pasting the HijackThis scan results from after the deletion and asking plunderer to confirm whether the cleanup is complete. Thanks.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 09:06:49, on 2007/4/25
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\cFosSpeed\spd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ProcessTamer\ProcessTamerTray.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Documents and Settings\titiong\桌面\fsbl.exe
C:\WINDOWS\Explorer.EXE
I:\HiJackThis_v2.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: UIInstaller - {BD58119C-C4F2-40A1-A801-EAC57281D476} - C:\Program Files\TrustView\TrustView Web Client Agent\TrustWeb.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &使用 FlashGet 下載 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &全部使用 FlashGet 下載 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: About TrustView - res://C:\Program Files\TrustView\TrustView Web Client Agent\TrustWeb.dll/MenuItem.htm
O8 - Extra context menu item: 下載編碼內容(&D.S.Lite) - C:\綠色軟體放置區\DSLite2\dl_text.html
O8 - Extra context menu item: 下載編碼內容(S&martGet) - C:\Documents and Settings\titiong\桌面\SmartGet1.1\dl_text.html
O8 - Extra context menu item: 下載編碼檔案內容(&D.S.Lite) - C:\綠色軟體放置區\DSLite2\dl_url.html
O8 - Extra context menu item: 使用 S&martGet 下載 - C:\Documents and Settings\titiong\桌面\SmartGet1.1\dl_link.htm
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 轉換到現有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 轉換為 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 轉換連結目標到現有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 轉換連結目標為 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 轉換選定的連結到現有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: 轉換選定的連結為 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: 轉換選擇內容到現有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 轉換選擇內容為 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: D.S.Lite - {F8475519-8412-4D40-A46E-692D9D04DF7F} - C:\綠色軟體放置區\DSLite2\DSLite.exe (file missing)
O9 - Extra 'Tools' menuitem: &D.S.Lite - {F8475519-8412-4D40-A46E-692D9D04DF7F} - C:\綠色軟體放置區\DSLite2\DSLite.exe (file missing)
O16 - DPF: {4A0D1F1A-015A-48EA-81B4-FB61F76DF4B4} (WAPI Class) - http://www.ncrpcp.gov.tw/tv/installwapi/setup.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1157209101315
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://www.tpgpd.gov.tw/viewer/activ...ivexviewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C456D051-88C8-424F-A0D3-146DD5171A4D}: NameServer = 168.95.192.1 168.95.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Active Virus Shield (AVP) - AOL - C:\Program Files\AOL\Active Virus Shield\avp.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
-- End of file - 8539 bytes
#9
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: D.S.Lite - {F8475519-8412-4D40-A46E-692D9D04DF7F} - C:\綠色軟體放置區\DSLite2\DSLite.exe (file missing)
O9 - Extra 'Tools' menuitem: &D.S.Lite - {F8475519-8412-4D40-A46E-692D9D04DF7F} - C:\綠色軟體放置區\DSLite2\DSLite.exe (file missing)

Fix these three lines while you are at it; the files are no longer there. Everything else is fine.
#11
已偵測到:木馬程式 Trojan-PSW.Win32.Magania.im 正在執行的模組:services.exe\services.exe
已偵測到:木馬程式 Trojan-PSW.Win32.Magania.pc 檔案:J:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\TL7RMWU9\help[1].exe
將在電腦重新啟動時被刪除:木馬程式 Trojan-PSW.Win32.Magania.pc 檔案:J:\WINDOWS\system32\msdll.dll

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 下午 05:10:15, on 2007/4/27
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
J:\WINDOWS\System32\smss.exe
J:\WINDOWS\system32\winlogon.exe
J:\WINDOWS\system32\services.exe
J:\WINDOWS\system32\lsass.exe
J:\WINDOWS\system32\svchost.exe
J:\WINDOWS\System32\svchost.exe
J:\WINDOWS\system32\spoolsv.exe
J:\WINDOWS\Explorer.EXE
J:\Program Files\Kaspersky Internet Security 6.0\Kaspersky Internet Security 6.0\avp.exe
J:\WINDOWS\system32\ctfmon.exe
J:\Program Files\KKBOX\KKBOX_Tray.exe
J:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
J:\WINDOWS\system32\SVCH0ST.EXE
J:\Program Files\Kaspersky Internet Security 6.0\Kaspersky Internet Security 6.0\avp.exe
J:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
J:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
J:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
J:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
J:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
J:\WINDOWS\system32\nvsvc32.exe
J:\Program Files\Raxco\PerfectDisk\PDSched.exe
J:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
J:\WINDOWS\system32\zhhlmnh.exe
J:\Program Files\JY007-II\JY007.exe
J:\Program Files\JY007-II\JY007.exe
J:\Program Files\Internet Explorer\IEXPLORE.EXE
J:\WINDOWS\system32\svchost.exe
J:\WINDOWS\system32\MSRundll.exe
J:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
J:\WINDOWS\system32\notepad.exe
J:\Program Files\KKBOX\KKBOX.exe
J:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\help.exe
J:\Program Files\Xi\NetTransport 2\NetTransport.exe
J:\Documents and Settings\Administrator\My Documents\下載資料\HiJackThis_v2.exe

R3 - URLSearchHook: Yahoo!奇摩捷徑列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - J:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=J:\WINDOWS\system32\userinit.exe,J:\WINDOWS\Installer\services.exe,
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - J:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - J:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Jpeg Class - {4970DA77-DB06-4EB9-AAB5-77AF0CC77310} - J:\WINDOWS\system32\fe83.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - J:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - j:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - J:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - J:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: ALiBaBar_Helper - {CE439C63-384A-747A-A357-23D96B5D652B} - J:\PROGRA~1\ALiBaBar\ALiBaBar.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - J:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: ALiBaBar - {0A1375E1-56C2-11D6-8E45-8933A0FB5235} - J:\PROGRA~1\ALiBaBar\ALiBaBar.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - J:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - j:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo!奇摩捷徑列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - J:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] ; "J:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [NvCplDaemon] ; RUNDLL32.EXE J:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] ; nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] ; RUNDLL32.EXE J:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [EPSON Stylus CX2900 Series] ; J:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBFP.EXE /FU "J:\WINDOWS\TEMP\E_S93.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [EPSON 單據] ; J:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBFP.EXE /FU "J:\WINDOWS\TEMP\E_S10.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [CJIMETIPSYNC] ; J:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] J:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [nTrayFw] ; J:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NWEReboot] ;
O4 - HKLM\..\Run: [NeroFilterCheck] ; J:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AVP] "J:\Program Files\Kaspersky Internet Security 6.0\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [] ;
O4 - HKLM\..\Run: [RTHDCPL] ; RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ; ALCMTR.EXE
O4 - HKLM\..\Run: [tfkkjel] ; J:\Program Files\Hemera\tfkkjel.exe
O4 - HKCU\..\Run: [ctfmon.exe] J:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSONreg] ; c:\Program Files\Bridgewell\epsonreg\notify.exe
O4 - HKCU\..\Run: [KKBOX Tray Icon] J:\Program Files\KKBOX\KKBOX_Tray.exe
O4 - HKCU\..\Run: [swg] J:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] ; "J:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ravtask] J:\WINDOWS\system32\SVCH0ST.EXE
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: 使用影音傳送帶下載 - J:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: 使用影音傳送帶下載全部連結 - J:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: 剪貼簿文字: 簡 > 繁 - res://J:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToTrad
O8 - Extra context menu item: 剪貼簿文字: 繁 > 簡 - res://J:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToSim
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://J:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 新增到廣告 - J:\Program Files\Kaspersky Internet Security 6.0\Kaspersky Internet Security 6.0\ie_banner_deny.htm
O8 - Extra context menu item: 網頁: [簡體] 顯示 - res://J:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToSim
O8 - Extra context menu item: 網頁: [繁體] 顯示 - res://J:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToTrad
O9 - Extra button: 網頁 - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - J:\Program Files\Kaspersky Internet Security 6.0\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - J:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .UVR: J:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O14 - IERESET.INF: START_PAGE_URL=tw.yahoo.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pu...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{66F069C1-9A85-436B-9617-16ABFB883E0F}: NameServer = 168.95.192.1 168.95.1.1
O20 - AppInit_DLLs: "J:\PROGRA~1\KASPER~1.0\KASPER~1.0\adialhk.dll"
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - J:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - J:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - J:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - J:\Program Files\Kaspersky Internet Security 6.0\Kaspersky Internet Security 6.0\avp.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - J:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - J:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Updater Service (gusvc) - Google - J:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - J:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - J:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - J:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - J:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - J:\Program Files\Raxco\PerfectDisk\PDSched.exe

-- End of file - 9416 bytes
#12
Wow! A trojan farm....

J:\WINDOWS\system32\SVCH0ST.EXE
J:\WINDOWS\system32\zhhlmnh.exe
J:\WINDOWS\system32\MSRundll.exe
J:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\help.exe
F2 - REG:system.ini: UserInit=J:\WINDOWS\system32\userinit.exe,J:\WINDOWS\Installer\services.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [ravtask] J:\WINDOWS\system32\SVCH0ST.EXE

Check and fix all of the above, then boot Windows into Safe Mode and delete every file listed above (but do NOT delete J:\WINDOWS\system32\userinit.exe).

Note:
J:\WINDOWS\system32\SVCH0ST.EXE => definitely a trojan
J:\WINDOWS\system32\SVCHOST.EXE => a normal system file
Look for the difference yourself, and make sure you don't delete the wrong one.

This post was edited by plunderer on 2007-04-30 01:38 AM.
#13
Could you take a look at this for me...
I've run a lot of online scanners and I don't know whether it has been cleaned up... I scanned with Kaspersky, and it shows the infected file is services.exe. Thanks~~~

Logfile of HijackThis v1.98.0
Scan saved at 下午 11:24:30, on 2007/4/29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Installer\services.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\RTHDCPL.EXE
E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
E:\Program Files\Lexmark 5400 Series\lxctmon.exe
E:\Program Files\Lexmark 5400 Series\ezprint.exe
E:\WINDOWS\vsnphv71.exe
E:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
E:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
E:\Program Files\Gigabyte\ET5\GUI.exe
E:\WINDOWS\system32\lxctcoms.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\wuauclt.exe
E:\WINDOWS\system32\conime.exe
E:\Program Files\Sleipnir_cht\Sleipnir.exe
F:\程式檔\hijackthis23344\hijackthis23344.exe

F2 - REG:system.ini: UserInit=E:\WINDOWS\system32\userinit.exe,E:\WINDOWS\Installer\services.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark 工具列 - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - E:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Lexmark 工具列 - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - E:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] E:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] E:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CJIMETIPSYNC] E:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] E:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [lxctmon.exe] "E:\Program Files\Lexmark 5400 Series\lxctmon.exe"
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "E:\Program Files\Lexmark 5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "E:\Program Files\Lexmark 5400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCTCATS] rundll32 E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SNPHV71] E:\WINDOWS\vsnphv71.exe
O4 - HKLM\..\Run: [AVP] "E:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [EasyTuneV] E:\Program Files\Gigabyte\ET5\ETcall.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?SystemRoot%\Installer\{AC76BA86-1028-0000-7760-000000000002}\SC_Acrobat.exe
O8 - Extra context menu item: 加入廣告橫幅攔截 - E:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 轉換到現有 PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 轉換為 Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 轉換連結目標到現有 PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 轉換連結目標為 Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 轉換選定的連結到現有 PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: 轉換選定的連結為 Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: 轉換選擇內容到現有 PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 轉換選擇內容為 Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - E:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall 線上掃毒) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {12755229-656A-4508-BC94-2DA4D314B4C8} (CathayMyATM.ATMFunc) - https://www.mybank.com.tw/myatm/cab/CathayMyATM.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {5C253D25-00FD-4703-9924-E53792DF98C9} (CathayMyATM2.EsConn) - https://www.mybank.com.tw/MyATM/cab/CathayMyATM2.CAB
O16 - DPF: {5D5EF079-C21D-47EE-9249-D4E89C8D3E43} (BullCSP Class) - https://my.taishinbank.com.tw/ActiveX/eATM/Bull.cab
O16 - DPF: {603B9E6C-0467-4C23-8098-ACC2ED6FEB75} (TSBankTSCC Class) - https://my.taishinbank.com.tw/ActiveX/eATM/TSBANK.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (趨勢科技線上掃毒程式) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: E:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
#14
E:\WINDOWS\Installer\services.exe
F2 - REG:system.ini: UserInit=E:\WINDOWS\system32\userinit.exe,E:\WINDOWS\Installer\services.exe,
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe

Check and fix all of the above, then boot Windows into Safe Mode and delete WINDOWS\Installer\services.exe.
#15
An AVS scan found it at services\services.exe.
Below is the scan report; please take a look, thanks (it was too long, so I split it into 3 posts).

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BP.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\KKBOX\KKBOX_Tray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PhxPsSvr.exe
C:\WINDOWS\system32\PhxVtSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\Program Files\Easy File Sharing Web Server\fsws.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\javaw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Installer\services.exe
K:\HiJackThis_v2.exe