求助 - 中毒Trojan-psw.win32.magania.im

quasar · 2007-03-16, 06:37 AM

執行模組service.exe\service.exe
我用卡巴司機找出來的刪不掉一直出現~~

莊孝偉 · 2007-03-16, 08:36 AM

陪一下
有一說您試試看
您可以看一下KAV或KIS的log file,確定一下病毒檔案所在位置如:
------------------------------------------------------------------------------------
木馬所在位置如下
C:\DOCUME~1\柚子\LOCALS~1\TEMP\4JZNUH.DLL<---這個檔案就是木馬
木馬程式 Trojan-PSW.Win32.Nilage.ayp 檔案： c:\documents and settings\柚子\local settings\temp\4jznuh.dll
未發現：木馬程式 Trojan-PSW.Win32.Nilage.awo 正在執行的模組： svchost.exe\svchost.exe
已刪除：木馬程式 Trojan-PSW.Win32.Magania.im 正在執行的模組： rundl132.exe\rundl132.exe
以上是卡巴掃出來滴
-----------------------------------------------------------------------------------
然後再進安全模式去殺檔案,若該檔刪不掉可以去下載強制刪檔的程式,若是病毒有載入.dll檔,就必需regsvr32 /u (檔名.dll)將它御下後; 才可再去該路徑刪除該檔~
_________________

plunderer · 2007-03-16, 09:30 AM

用 HiJackThis 掃描
http://www.trendsecure.com/portal/en...ackThis_v2.exe
看看日誌有什麼不正常的地方, 勾選並按 "Fix", 然後重新開機, 再直接刪除可疑的檔案

若看不懂, 把 log 貼上來

quasar · 2007-03-16, 08:05 PM

還是有木馬~這木馬出來好久了卡巴司機怎沒解藥??
先試plunderer 大大的~

引用:

用 HiJackThis 掃描
http://www.trendsecure.com/portal/en...ackThis_v2.exe
看看日誌有什麼不正常的地方, 勾選並按 "Fix", 然後重新開機, 再直接刪除可疑的檔案若看不懂, 把 log 貼上來

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 下午 10:10:29, on 2007/3/16
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\windows\installer\services.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\cyt\桌面\HiJackThis_v2.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,c:\windows\installer\services.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] ; C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] ; "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [AnyDVD] ; D:\drivers\anydvd\AnyDVD3813\AnyDVD 3.8.1.3\破解檔\AnyDVD.exe
O4 - HKLM\..\Run: [Acronis?True?Image Monitor] ;
O4 - HKLM\..\Run: [NvCplDaemon] ; RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] ; nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] ; C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] ; %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [LogitechRegisterVideoApplications] ; "C:\Program Files\Logitech\Video\InstallHelper.exe" /register /runnow
O4 - HKLM\..\Run: [LVCOMSX] ; C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] ; C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] ; C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [iTunesHelper] ; C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] ; C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] ; RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] ; "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] ; "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [hip2p] ; C:\Program Files\hip2p\hip2p.exe min
O4 - HKCU\..\Run: [foxy] ; "C:\Program Files\Foxy\Foxy.exe" -tray
O4 - HKCU\..\Run: [Yahoo! Pager] ; "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Foxy 下載 - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy 搜尋 - res://C:\Program Files\Foxy\Foxy.exe/search.htm
O8 - Extra context menu item: Google 搜尋(&G) - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: 使用 FlashGet 下載 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 全部使用 FlashGet 下載 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: 網頁防護程式 - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmestw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmestw.dll
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://www.moda.com.tw
O15 - Trusted Zone: http://www.moda.com.tw
O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1125832696322
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {D7ACADB6-228C-11D3-A4A4-00105AE3ADFA} (S21UiCtlWeb 控制組件) - http://s21web.open2u.com.tw/app/channel/s21WebOCX.cab
O16 - DPF: {DFA7638A-E3B5-4B30-9F4A-F18C38F13640} (PowerCam Player) - http://www.ddc.com.tw/event/cape_2005/player.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{885ECC04-AE51-4492-A5DF-64B8C4E35F76}: NameServer = 61.64.127.1,61.64.127.2
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod 服務 (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O24 - Desktop Component 0: (no name) - http://webmail.nou.edu.tw/cgi-bin/do...g/image002.jpg

--
End of file - 8542 bytes

GaMNiA · 2007-03-17, 09:00 AM

引用:

作者: quasar

Running processes:
c:\windows\installer\services.exe

F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,c:\windows\installer\services.exe,

把上面的勾選，然後按 [Fix Checked]，完成後重新開機。
重新開機後，再用「檔案總管」把 c:\windows\installer\services.exe 刪除。

plunderer · 2007-03-17, 09:51 AM

樓上說的正確

還有, 你的記憶體真多...啟動項目多得驚人...不過日文輸入法應該用不到吧?
O4 - HKLM\..\Run: [IMJPMIG8.1] ; C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

這些是多餘的
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

這是沒用的
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)

2007-04-16, 02:45 AM

引用:

作者: plunderer

用 HiJackThis 掃描
http://www.trendsecure.com/portal/en...ackThis_v2.exe
看看日誌有什麼不正常的地方, 勾選並按 "Fix", 然後重新開機, 再直接刪除可疑的檔案

若看不懂, 把 log 貼上來

各位大大好,我是新會員,我也有類似的問題,我把掃描後貼上來請求各位的幫忙,謝謝

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 上午 02:42:07, on 2007/4/16
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\KKman\KKMAN.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\windwing\桌面\HiJackThis_v2.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: ALiBaBar_Helper - {CE439C63-384A-747A-A357-23D96B5D652B} - C:\PROGRA~1\ALiBaBar\ALiBaBar.dll
O3 - Toolbar: ALiBaBar - {0A1375E1-56C2-11D6-8E45-8933A0FB5235} - C:\PROGRA~1\ALiBaBar\ALiBaBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVPCC] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /wait
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Foxy 下載 - res://D:\Tools\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy 搜尋 - res://D:\Tools\Foxy\Foxy.exe/search.htm
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=tw.yahoo.com
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/ZH-TW/.../GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{49709E85-5AE5-421F-AD4F-E31DF6745A82}: NameServer = 168.95.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8EC1C07-18FC-452A-A03A-1150AA6EAC7B}: NameServer = 168.95.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{49709E85-5AE5-421F-AD4F-E31DF6745A82}: NameServer = 168.95.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{49709E85-5AE5-421F-AD4F-E31DF6745A82}: NameServer = 168.95.1.1
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - C:\WINDOWS\wc98pp.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVP Control Centre Service (AVPCC) - Kaspersky Labs. - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: KAV Monitor Service (KAVMonitorService) - Kaspersky Labs. - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8265 bytes

plunderer · 2007-04-16, 04:38 AM

O18 - Protocol: ipp - (no CLSID) - (no file)

O18 - Protocol: msdaipp - (no CLSID) - (no file)
File Missing
When a file is missing, you should always have HijackThis fix the item.

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

上面幾項檔案已不存在, 可以修復

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
這兩個 Yahoo Toolbar 我是建議修復(Yahoo toolbar 是有爭議的工具, 盡量別用)

其他看起來正常....你覺得系統有什麼不對勁的地方嗎?

a471 · 2007-04-16, 11:13 AM

plunderer兄~~

HiJackThis <=這工具是做什麼用的?

看了你很多文章你都叫人用這掃描結果給你看.....

2007-05-05, 05:33 PM

引用:

作者: plunderer

用 HiJackThis 掃描
http://www.trendsecure.com/portal/en...ackThis_v2.exe
看看日誌有什麼不正常的地方, 勾選並按 "Fix", 然後重新開機, 再直接刪除可疑的檔案

若看不懂, 把 log 貼上來

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 下午 05:55:00, on 2007/5/4
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\M\桌面\HiJackThis_v2.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\Installer\services.exe,
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Foxy 下載 - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy 搜尋 - res://C:\Program Files\Foxy\Foxy.exe/search.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://download.ppstream.com/bin/powerplayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD41765B-1234-4F25-A4E4-D7E4229D1A0C}: NameServer = 168.95.192.1 168.95.1.1
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5746 bytes

這位大大麻煩救命...我是電腦白痴不知道要案哪個才是檢查全部的檔案...原先最後是顯示3000多的bytes...後來我用最後一個None開頭的東西檢查變成現在5746bytes~看不太懂英文~可以幫忙小女子作詳細的操作說明嗎?拜託了~感激不盡耶!!!

2007-03-27, 04:50 PM

我之前也中過這個東東
我的ZoneAlarm Pro告訴我services.exe有不尋常行為
我就禁止它，誰知它竟然LOAD爆我的CPU到99%
我入安全模式開ZoneAlarm看
發現我系統中有兩個services.exe
一個是在system32中，另一個是在installer中
installer是用來放windows installer的msi檔的
怎麼會有個exe在那裡？
而且ZoneAlarm找不到它的版本資訊，我就認定了它是木馬
我在Program Control中設定了為Kill，禁止它運行
亦到installer中刪了它。但我還是搞不懂我是如何中了這東西

之後ZoneAlarm又告訴我services.exe要存取網絡
（我有什麼服務要存取網絡呢？）
我掃了Spyware，發現了Alexa
（又是這可惡的東西，不知怎搞經常有些網站在你瀏覽時
　總會不問因由，就給你自動安裝Alexa）
這是用來掘取輸入資料的，難道那些網管真的這麼想害人嗎？

Jackman · 2007-04-15, 08:59 AM

大家好

我是用AOL Active Virus Shield防毒，今天顯示中了Trojan-PSW.Win32.Magania.im在File C:windows\system32\msdll.dll, 用Active Virus Shield卻無法刪除，請問怎麼辦？

謝謝

plunderer · 2007-04-15, 11:15 AM

用 HijackThis 或 System Repair Engineer 掃描系統, 然後把 log 貼上來

HijackThis
http://www.trendsecure.com/portal/en...ackThis_v2.exe

System Repair Engineer
http://download.kztechs.com/files/sreng2.zip

Jackman · 2007-04-15, 11:53 AM

但是我重新開機後那防毒軟體就找不到病毒了，只是擔心...

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 下午 03:51:31, on 2007/4/15
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
d:\Program Files\NetLimiter 2 Monitor\nlsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
d:\Program Files\NetLimiter 2 Monitor\NLClient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Inventec\Dreye\DreyeMT\msnplugin.exe
D:\Program Files\Picasa2\PicasaMediaDetector.exe

plunderer · 2007-04-15, 12:13 PM

log 不完整...
不過正在執行的程序看起來沒問題

2007-03-16, 06:37 AM	#1
quasar 長老會員榮譽勳章勳章總數15 UID - 6696 在線等級: 註冊日期: 2002-12-08 文章: 12085 精華: 0 現金: 311 金幣資產: 6570606 金幣	求助 - 中毒Trojan-psw.win32.magania.im 執行模組service.exe\service.exe 我用卡巴司機找出來的刪不掉一直出現~~

	送花文章: 63581, 收花文章: 9830 篇, 收花: 56093 次

2007-03-16, 08:36 AM	#2 (permalink)
莊孝偉註冊會員榮譽勳章勳章總數9 UID - 258986 在線等級: 註冊日期: 2006-12-17 文章: 2245 精華: 0 現金: 5984 金幣資產: 21152 金幣	陪一下有一說您試試看您可以看一下KAV或KIS的log file,確定一下病毒檔案所在位置如: ------------------------------------------------------------------------------------ 木馬所在位置如下 C:\DOCUME~1\柚子\LOCALS~1\TEMP\4JZNUH.DLL<---這個檔案就是木馬木馬程式 Trojan-PSW.Win32.Nilage.ayp 檔案： c:\documents and settings\柚子\local settings\temp\4jznuh.dll 未發現：木馬程式 Trojan-PSW.Win32.Nilage.awo 正在執行的模組： svchost.exe\svchost.exe 已刪除：木馬程式 Trojan-PSW.Win32.Magania.im 正在執行的模組： rundl132.exe\rundl132.exe 以上是卡巴掃出來滴 ----------------------------------------------------------------------------------- 然後再進安全模式去殺檔案,若該檔刪不掉可以去下載強制刪檔的程式,若是病毒有載入.dll檔,就必需regsvr32 /u (檔名.dll)將它御下後; 才可再去該路徑刪除該檔~ _________________

	送花文章: 9114, 收花文章: 2043 篇, 收花: 8026 次

2007-03-16, 09:30 AM	#3 (permalink)
plunderer 長老會員榮譽勳章勳章總數8 UID - 74024 在線等級: 註冊日期: 2003-05-31 文章: 1399 精華: 0 現金: 507220 金幣資產: 608580 金幣	用 HiJackThis 掃描 http://www.trendsecure.com/portal/en...ackThis_v2.exe 看看日誌有什麼不正常的地方, 勾選並按 "Fix", 然後重新開機, 再直接刪除可疑的檔案若看不懂, 把 log 貼上來
	__________________ 刑天舞干戚
	送花文章: 6, 收花文章: 575 篇, 收花: 1747 次

2007-03-17, 09:51 AM	#6 (permalink)
plunderer 長老會員榮譽勳章勳章總數8 UID - 74024 在線等級: 註冊日期: 2003-05-31 文章: 1399 精華: 0 現金: 507220 金幣資產: 608580 金幣	樓上說的正確還有, 你的記憶體真多...啟動項目多得驚人...不過日文輸入法應該用不到吧? O4 - HKLM\..\Run: [IMJPMIG8.1] ; C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32 這些是多餘的 O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') 這是沒用的 O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)

	送花文章: 6, 收花文章: 575 篇, 收花: 1747 次

2007-04-16, 04:38 AM	#8 (permalink)
plunderer 長老會員榮譽勳章勳章總數8 UID - 74024 在線等級: 註冊日期: 2003-05-31 文章: 1399 精華: 0 現金: 507220 金幣資產: 608580 金幣	O18 - Protocol: ipp - (no CLSID) - (no file) O18 - Protocol: msdaipp - (no CLSID) - (no file) File Missing When a file is missing, you should always have HijackThis fix the item. O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) 上面幾項檔案已不存在, 可以修復 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll 這兩個 Yahoo Toolbar 我是建議修復(Yahoo toolbar 是有爭議的工具, 盡量別用) 其他看起來正常....你覺得系統有什麼不對勁的地方嗎?

	送花文章: 6, 收花文章: 575 篇, 收花: 1747 次

2007-04-16, 11:13 AM	#9 (permalink)
a471 管理員榮譽勳章勳章總數18 UID - 236673 在線等級: 註冊日期: 2002-12-06 住址: 打狗文章: 53362 精華: 0 現金: 318 金幣資產: 41767760 金幣	plunderer兄~~ HiJackThis <=這工具是做什麼用的? 看了你很多文章你都叫人用這掃描結果給你看.....
	__________________ 我是史版A大，錢的數量決定電腦的力量我是給女孩修電腦長大的，經驗豐富技術過硬，就沒有我修不好的電腦
	送花文章: 79400, 收花文章: 22263 篇, 收花: 80315 次

2007-03-27, 04:50 PM	#11 (permalink)
ricky6083146 榮譽勳章勳章總數 UID - 在線等級: 文章: n/a 精華:	我之前也中過這個東東我的ZoneAlarm Pro告訴我services.exe有不尋常行為我就禁止它，誰知它竟然LOAD爆我的CPU到99% 我入安全模式開ZoneAlarm看發現我系統中有兩個services.exe 一個是在system32中，另一個是在installer中 installer是用來放windows installer的msi檔的怎麼會有個exe在那裡？而且ZoneAlarm找不到它的版本資訊，我就認定了它是木馬我在Program Control中設定了為Kill，禁止它運行亦到installer中刪了它。但我還是搞不懂我是如何中了這東西之後ZoneAlarm又告訴我services.exe要存取網絡（我有什麼服務要存取網絡呢？）我掃了Spyware，發現了Alexa （又是這可惡的東西，不知怎搞經常有些網站在你瀏覽時　總會不問因由，就給你自動安裝Alexa）這是用來掘取輸入資料的，難道那些網管真的這麼想害人嗎？
ricky6083146 榮譽勳章勳章總數 UID - 在線等級: 文章: n/a 精華:
	送花文章: 0, 收花文章: 0 篇, 收花: 0 次

2007-04-15, 08:59 AM	#12 (permalink)
Jackman 註冊會員榮譽勳章勳章總數 UID - 266259 在線等級: 註冊日期: 2007-04-15 文章: 11 精華: 0 現金: 11 金幣資產: 11 金幣	Trojan-PSW.Win32.Magania.im中毒了大家好我是用AOL Active Virus Shield防毒，今天顯示中了Trojan-PSW.Win32.Magania.im在File C:windows\system32\msdll.dll, 用Active Virus Shield卻無法刪除，請問怎麼辦？謝謝

	送花文章: 2, 收花文章: 0 篇, 收花: 0 次

2007-04-15, 11:15 AM	#13 (permalink)
plunderer 長老會員榮譽勳章勳章總數8 UID - 74024 在線等級: 註冊日期: 2003-05-31 文章: 1399 精華: 0 現金: 507220 金幣資產: 608580 金幣	用 HijackThis 或 System Repair Engineer 掃描系統, 然後把 log 貼上來 HijackThis http://www.trendsecure.com/portal/en...ackThis_v2.exe System Repair Engineer http://download.kztechs.com/files/sreng2.zip

	送花文章: 6, 收花文章: 575 篇, 收花: 1747 次

2007-04-15, 11:53 AM	#14 (permalink)
Jackman 註冊會員榮譽勳章勳章總數 UID - 266259 在線等級: 註冊日期: 2007-04-15 文章: 11 精華: 0 現金: 11 金幣資產: 11 金幣	麻煩您了但是我重新開機後那防毒軟體就找不到病毒了，只是擔心... Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 下午 03:51:31, on 2007/4/15 Platform: Windows XP SP2 (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\WINDOWS\system32\spoolsv.exe D:\Program Files\AOL\Active Virus Shield\avp.exe C:\WINDOWS\system32\drivers\CDAC11BA.EXE d:\Program Files\NetLimiter 2 Monitor\nlsvc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\WgaTray.exe C:\WINDOWS\Explorer.EXE d:\Program Files\NetLimiter 2 Monitor\NLClient.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe D:\Program Files\Inventec\Dreye\DreyeMT\msnplugin.exe D:\Program Files\Picasa2\PicasaMediaDetector.exe

	送花文章: 2, 收花文章: 0 篇, 收花: 0 次

2007-04-15, 12:13 PM	#15 (permalink)
plunderer 長老會員榮譽勳章勳章總數8 UID - 74024 在線等級: 註冊日期: 2003-05-31 文章: 1399 精華: 0 現金: 507220 金幣資產: 608580 金幣	log 不完整... 不過正在執行的程序看起來沒問題

	送花文章: 6, 收花文章: 575 篇, 收花: 1747 次

Google 提供的廣告